The document discusses the importance of searchable encryption in the context of data breaches and privacy concerns. It covers various encryption schemes, including Order Preserving Encryption (OPE), Order Revealing Encryption (ORE), and Partial Order Preserving Encryption (POPE), highlighting their functionalities, security notions, and limitations. The work emphasizes the need for secure and efficient search capabilities in encrypted data storage.

1. Searchable Encryption
Nagendra Posani
Georgia Institute of Technology
December 12, 2016
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 1 / 24

2. Data breaches
Become the norm rather than the exception!

3. Data breaches
Become the norm rather than the exception!

4. Data breaches
Become the norm rather than the exception!

5. Data breaches
Become the norm rather than the exception!

6. Data breaches
Become the norm rather than the exception!
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24

7. Motivation
Data can be sensitive.
Server may be untrusted or subject to attacks.
Obvious solution is encryption
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 3 / 24

8. Goals
Search Functionality
Efficiency
Security
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 4 / 24

9. How to encrypt data?
Encrypting with ”good” encryption schemes solves privacy, but
functionality?
Search query becomes problematic since good encryption schemes
encrypt plaintext differently (randomize ciphertexts)
Figure: Searchable Database
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 5 / 24

10. Literature
Order Preserving Encryption (OPE) [1], [2]
Variants of OPE [3]
Partical Order Preserving Encryption (POPE) [4]
Order Revealing Encryption (ORE) [5], [6]
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 6 / 24

11. Order Preserving Encryption
A symmetric encryption scheme is order preserving if encryption
maintains order relations
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 7 / 24

12. Range Queries in OPE
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 8 / 24

13. Security Notion for OPE
Provable security notions: IND-CPA?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 9 / 24

14. Security Notion for OPE
Provable security notions: IND-CPA? No
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 10 / 24

15. Security Notion for OPE
Provable security notions: IND-CPA? No
IND-OrderedCPA?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 11 / 24

16. Security Notion for OPE
Provable security notions: IND-CPA? No
IND-OrderedCPA? No
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 12 / 24

17. Alternative Security Notions for OPE
Provable security notions: IND-CPA? No
IND-OCPA? No
POPF Secure? PRF style definition
No, reveals half of the plaintext bits.
ROPF - (r,z) Window One-Wayness Secure?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 13 / 24

18. Alternative Security Notions for OPE
Provable security notions: IND-CPA? No
IND-OCPA? No
POPF Secure? PRF style definition
No, reveals half of the plaintext bits.
ROPF - (r,z) Window One-Wayness Secure
Secure for small r, and insecure for large r (Corresponding lower
boundaries and upper boundaries are defined)
Similarly, (r, z) Distance Window One-Wayness Secure.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 14 / 24

19. Order Revealing Encryption
Generalized form of OPE
Lets define for small domain messages {0,1,2,...,N}
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 15 / 24

20. How to encrypt in ORE?
Defined for small plaintext space, keys k1, K2, ...KN are derived from
PRF.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 16 / 24

21. Encryption in ORE
Encrypt with the keys
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 17 / 24

22. Encryption in ORE
For comparison we give the key, but security?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 18 / 24

23. Encryption in ORE
Solution: apply random permutation π (part of the secret key) to the
slots
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 19 / 24

24. Encryption in ORE
Extending it to large domain plaintext space.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 20 / 24

25. Partial Order Preserving Encryption (POPE)
Server stores a partially ordered B-tree
Every node contains an unordered buffer of key/value pairs
Non-leaf nodes also have a small ordered list of ciphertexts
Encryption uses any (randomized) symmetric cipher
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 21 / 24

26. Landscape comparision
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 22 / 24

27. References I
Y. Lee A. Boldyreva, N. Chenette and A. O’Neill.
Order-preserving symmetric encryption.
EUROCRYPT 2009, volume 5479, 2009.
N. Chenette A. Boldyreva and A. O’Neill.
Order-preserving encryption revisited: Improved security analysis and
alternative solutions.
CRYPTO 2011.
David Cash F. Betl Durak, Thomas M. DuBuisson.
What else is revealed by order-revealing encryption?
ACM CCS, 2016.
Seung Geol Choi Daniel S. Roche, Daniel Apon.
Pope: Partial order preserving encoding.
ACM CCS, 2016.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 23 / 24

28. References II
M. Raykova A. Sahai M. Zhandry D. Boneh, K. Lewi and
J. Zimmerman.
Semantically secure order-revealing encryption: Multi-input functional
encryption without obfuscation.
EUROCRYPT 2015.
Kevin Lewi and David J. Wu.
Order-revealing encryption: New constructions, applications, and
lower bounds.
ACM CCS, 2016.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 24 / 24