Hongyi Qiao,Cong Peng,Qi Feng,Min Luo,Debiao He

DOI: https://doi.org/10.1109/jiot.2024.3360141

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Range query is commonly used to support ciphertext retrieval on encrypted databases in a cloud-based environment, and order-revealing encryption (ORE) plays an increasingly important role in range query for ciphertext field processing. Specifically, one can utilize ORE to facilitate comparators to determine whether the order of ciphertext(s) corresponds to the associated plaintext(s). Newer ORE designs include those that are resistant to common attacks (e.g., spectral attacks) and those that are capable of supporting both multi-client and single-client settings. However, in the scenario of cross-database range queries, existing multi-client ORE approaches generally pass the data owner’s query key to the searcher during the authorization process. Consequently, this results in agent transfer and permission extension, which can be exploited to facilitate unauthorized access to the database data. To solve these limitations, we propose om-ORE. The latter uses the oblivious pseudorandom function (OPRF) protocol to further enhance the security of token generation mechanism in ORE, and is designed to ensure that neither the data owner nor the authorized client reveals any secret key or expected query range to each other. Using the proposed om-ORE scheme as a building block, we design a secure multi-client ciphertext range query scheme that is resilient to both agent transfer and permission extension attacks. The performance evaluation shows that om-ORE inherits the advantages of state-of-the-art multi-client ORE approaches, in terms of ciphertext size and comparison efficiency, as well as having comparable performance in the token generation process.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ce Yang,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/DSC.2017.49

2017-01-01

Abstract:Order-revealing encryption (ORE) is a kind of encryption designed to support searches on ciphertexts. ORE enables efficient range query on ciphertexts, and it has been used in systems aimed at practical use. However, ORE has weaker security than conventional cryptography. To assess the security of ORE, researchers proposed concepts such as indistinguishability and one-wayness. Our work discusses the security of ORE when multiple columns are encrypted with ORE. This paper addresses two issues. First, we show an attacker can use quantile attack to distinguish two plaintext distributions with background information. Simulations show the attack succeed with high probability. Second, we propose a scheme to resist the quantile attack by adding dummy data. The proposed scheme calculates the number and position of dummy data based on the plaintext distribution and expected security level. We conduct experiments on a real dataset to show the performance of proposed scheme.

Chunyang Lv,Jianfeng Wang,Shi-Feng Sun,Yunling Wang,Saiyu Qi,Xiaofeng Chen

DOI: https://doi.org/10.1007/978-3-030-88428-4_3

2021-01-01

Abstract:Order-revealing encryption (ORE) is a cryptographic primitive that enables ciphertext comparison while leaking nothing about the underlying plaintext beyond their lexicographic ordering. However, how to achieve efficient and secure ciphertext comparison for multi-user settings is still a challenging problem. In this work, we propose an efficient multi-client order-revealing encryption scheme (named m-ORE) by introducing a new token-based comparison method. Specifically, data owner is enabled to delegate token generation ability to some authorized users without revealing his secret key, and then each authorized user can perform comparison on ciphertexts from multiple data owners by generating the associated comparison tokens. Benefiting from our new method, m-ORE can not only reduce ciphertext size but also improve comparison efficiency, compared with the state-of-the-art (Cash et al. Asiacrypt 2018). Further, we present a non-interactive multi-client range query scheme by extending m-ORE. Finally, we show a formal security analysis and implement our scheme. The evaluation result demonstrates that mORE outperforms the scheme by Cash et al. in terms of both query and storage cost while achieving the same level of security.

Chunyang Lv,Jianfeng Wang,Shi-Feng Sun,Yunling Wang,Saiyu Qi,Xiaofeng Chen

DOI: https://doi.org/10.1109/tdsc.2023.3268652

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Order-revealing encryption (ORE) enables the untrusted server to perform greater-than-comparison over ciphertext without compromising data privacy, which allows anyone to evaluate the lexicographic ordering of two arbitrary ciphertexts with a public comparison algorithm. However, most ORE constructions merely support ciphertext comparison for single-user. Recently, a variant of ORE named delegatable ORE has been introduced, which achieves cross-user ciphertext comparison by employing token mutual authorization technique at the cost of weak security, i.e., reveals the most significant differing bit of underlying plaintexts. To tackle this problem, we first present a deterministic property-preserving hash called DPPH with short-size hash value, and then propose a novel multi-client ORE scheme (m-ORE) from DPPH that supports ciphertext comparison among multiple users while hiding the most significant differing bits. Furthermore, we present an enhanced construction dubbed m-H-ORE by introducing a two-phase comparison method, which can achieve supper-efficient comparison in some cases, i.e., two ciphertexts with different bit-length. Finally, we provide formal security proofs of the proposed schemes and run extensive experiments to evaluate their performance on real-world and synthetic datasets. The results demonstrate that both of the proposed schemes can achieve a speedup of 47× and 138× in comparison cost to that of parameter-hiding ORE, respectively.

Anselme Tueno,Florian Kerschbaum

DOI: https://doi.org/10.48550/arXiv.1802.01138

2018-02-04

Cryptography and Security

Abstract:Order-preserving encryption allows encrypting data, while still enabling efficient range queries on the encrypted data. Moreover, it does not require any change to the database management system, because comparison operates on ciphertexts as on plaintexts. This makes order-preserving encryption schemes very suitable for data outsourcing in cloud computing scenarios. However, all order-preserving encryption schemes are necessarily symmetric limiting the use case to one client and one server. Imagine a scenario where a Data Owner encrypts its data before outsourcing it to the Cloud Service Provider and a Data Analyst wants to execute private range queries on this data. This scenario occurs in many cases of collaborative machine learning where data source and processor are different entities. Then either the Data Owner must reveal its encryption key or the Data Analyst must reveal the private queries. In this paper, we overcome this limitation by allowing the equivalent of a public-key order-preserving encryption. We present a secure multiparty protocol that enables secure range queries for multiple users. In this scheme, the Data Analyst cooperates with the Data Owner and the Cloud Service Provider in order to order-preserving encrypt the private range queries without revealing any other information to the parties. We implemented our scheme and observed that if the database size of the Data Owner has 1 million entries it takes only about 0.3 s on average via a loopback interface (1.3 s via a LAN) to encrypt an input of the Data Analyst.

Hongcheng Xie,Xiaohua Jia,Yu Guo,Mingyu Wang

DOI: https://doi.org/10.1109/TCC.2022.3208711

IF: 5.697

2023-07-01

IEEE Transactions on Cloud Computing

Abstract:Encrypted range query schemes that enable range-based searches over encrypted data have become an effective solution for secure data outsourcing services. However, existing schemes are still inadequate on desired functionality and security. Specifically, supporting efficient multi-range queries while hiding the data ordering leakage remains a challenging research problem. Existing works on order-hiding query schemes only work for encrypted single-range search and incur significant computational overhead due to the protection of the ordering information. In this article, we present a privacy-preserving multi-range query scheme that can address the above problems simultaneously. It not only enables efficient multi-range queries over encrypted data but also guarantees the privacy of ordering information. To protect the ordering leakage, our design adopts an Order-hiding Encoding (OHE) scheme to support multi-range obfuscation. In addition, a novel order-hiding K-Dimensional tree (KD-tree) index structure is designed as the core technique underlying our scheme, which accelerates efficient multi-range queries and obfuscates ordering information of encrypted values. Finally, the formal security analysis confirms that our proposed multi-range query scheme is secure in the random oracle model. The extensive experimental results conducted on real-world datasets demonstrate the practicality of our design.

Computer Science

Ning-duo PENG,Guang-chun LUO,Ke QIN,Ai-guo CHEN

DOI: https://doi.org/10.3969/j.issn.1001-3695.2014.10.049

2014-01-01

Abstract:To make up the information leakage of the order preserving encryption( OPE),based on the core concept of searchable encryption,this paper proposed a novel privacy preserving range query algorithm. In the algorithm,it transformed the queried range to a specific keyword which recorded in a bloom filter,and the querying became the searching for a match.The information of the ciphertext was only related to the domain,and therefore it guaranteed the semantic security. Experiments show that the algorithm is linear for the computational overhead. Overall,the algorithm is both secure and efficient.

Li Yuan,Wang Xing-Chen,Huang Lin,State Key Laboratory of Cryptology

DOI: https://doi.org/10.1007/s11390-020-0060-y

IF: 1.871

2021-01-01

Journal of Computer Science and Technology

Abstract:Order-preserving encryption (OPE) and order-revealing encryption (ORE) are among the core ingredients for encrypted databases (EDBs). In this work, we study the leakage of OPE and ORE and their forward security. We propose generic yet powerful file-injection attacks (FIAs) on OPE/ORE, aimed at the situations of possessing order by and range queries. Our FIAs only exploit the ideal leakage of OPE/ORE (in particular, no need of data denseness or frequency). We also improve their efficiency with the frequency statistics using a hierarchical idea such that the high-frequency values will be recovered more quickly. We conduct some experiments on real datasets to test the performance, and the results show that our FIAs can cause an extreme hazard on most of the existing OPEs and OREs with high efficiency and 100% recovery rate. We then formulate forward security of ORE, and propose a practical compilation framework for achieving forward secure ORE to resist the perniciousness of FIA. The compilation framework can transform most of the existing OPEs/OREs into forward secure OREs, with the goal of minimizing the extra burden incurred on computation and storage. We also present its security proof, and execute some experiments to analyze its performance. The proposed compilation is highly efficient and forward secure.

Bharath K. Samanthula,Wei Jiang,Elisa Bertino

DOI: https://doi.org/10.48550/arXiv.1401.3768

2014-01-15

Cryptography and Security

Abstract:With the many benefits of cloud computing, an entity may want to outsource its data and their related analytics tasks to a cloud. When data are sensitive, it is in the interest of the entity to outsource encrypted data to the cloud; however, this limits the types of operations that can be performed on the cloud side. Especially, evaluating queries over the encrypted data stored on the cloud without the entity performing any computation and without ever decrypting the data become a very challenging problem. In this paper, we propose solutions to conduct range queries over outsourced encrypted data. The existing methods leak valuable information to the cloud which can violate the security guarantee of the underlying encryption schemes. In general, the main security primitive used to evaluate range queries is secure comparison (SC) of encrypted integers. However, we observe that the existing SC protocols are not very efficient. To this end, we first propose a novel SC scheme that takes encrypted integers and outputs encrypted comparison result. We empirically show its practical advantage over the current state-of-the-art. We then utilize the proposed SC scheme to construct two new secure range query protocols. Our protocols protect data confidentiality, privacy of user's query, and also preserve the semantic security of the encrypted data; therefore, they are more secure than the existing protocols. Furthermore, our second protocol is lightweight at the user end, and it can allow an authorized user to use any device with limited storage and computing capability to perform the range queries over outsourced encrypted data.

Jieun Eom,Dong Hoon Lee,Kwangsu Lee

DOI: https://doi.org/10.1109/ACCESS.2018.2864991

2018-09-05

Abstract:Order-revealing encryption is a useful cryptographic primitive that provides range queries on encrypted data since anyone can compare the order of plaintexts by running a public comparison algorithm. Most studies on order-revealing encryption focus only on comparing ciphertexts generated by a single client, and there is no study on comparing ciphertexts generated by multiple clients. In this paper, we propose the concept of multi-client order-revealing encryption that supports comparisons not only on ciphertexts generated by one client but also on ciphertexts generated by multiple clients. We also define a simulation-based security model for multi-client order-revealing encryption. The security model is defined with respect to the leakage function which quantifies how much information is leaked from the scheme. Next, we present two specific multi-client order-revealing encryption schemes with different leakage functions in bilinear maps and prove their security in the random oracle model. Finally, we give the implementation of the proposed schemes and suggest methods to improve the performance of ciphertext comparisons.

Cryptography and Security

Yuan Li,Hongbing Wang,Yunlei Zhao

DOI: https://doi.org/10.1145/3321705.3329829

2019-01-01

Abstract:Order-revealing encryption (ORE) is a basic cryptographic primitive for ciphertext comparisons based on the order relationship of plaintexts while maintaining the privacy of them. In the data era we are experiencing, cross-dataset transactions become ubiquitous in practice. However, almost all the previous ORE schemes can only support comparisons on ciphertexts from the same user, which does not meet the requirement for the multi-user environment. In this work, we introduce and design ORE schemes with delegation functionality, which is referred to as delegatable ORE (DORE). The "delegation" here is an authorization that allows for efficient ciphertext comparisons among different users. To the best of our knowledge, it is the first ORE that allows an user to delegate the comparison privilege for his ciphertexts, which also opens the door for future explorations. At the heart of the construction and analysis of DORE is a new building tool proposed in this work, named delegatable equality-revealing encoding (DERE), which might be of independent interest.

Songrui Wu,Qi Li,Guoliang Li,Dong Yuan,Xingliang Yuan,Cong Wang

DOI: https://doi.org/10.1109/icde.2019.00062

2019-01-01

Abstract:Data outsourcing to cloud has been a common IT practice nowadays due to its significant benefits. Meanwhile, security and privacy concerns are critical obstacles to hinder the further adoption of cloud. Although data encryption can mitigate the problem, it reduces the functionality of query processing, e.g., disabling SQL queries. Several schemes have been proposed to enable one-dimensional query on encrypted data, but multi-dimensional range query has not been well addressed. In this paper, we propose a secure and scalable scheme that can support multi-dimensional range queries over encrypted data. The proposed scheme has three salient features: (1) Privacy: the server cannot learn the contents of queries and data records during query processing. (2) Efficiency: we utilize hierarchical cubes to encode multi-dimensional data records and construct a secure tree index on top of such encoding to achieve sublinear query time. (3) Verifiability: our scheme allows users to verify the correctness and completeness of the query results to address server's malicious behaviors. We perform formal security analysis and comprehensive experimental evaluations. The results on real datasets demonstrate that our scheme achieves practical performance while guaranteeing data privacy and result integrity.

Wentao Wang,Yuxuan Jin,Bin Cao

DOI: https://doi.org/10.1109/pst55820.2022.9851989

2022-01-01

Abstract:The growing power of cloud computing prompts data owners to outsource their databases to the cloud. In order to meet the demand of multi-dimensional data processing in big data era, multi-dimensional range queries, especially over cloud platform, have received extensive attention in recent years. However, since the third-party clouds are not fully trusted, it is popular for the data owners to encrypt sensitive data before outsourcing. It promotes the research of encrypted data retrieval. Nevertheless, most existing works suffer from single-dimensional privacy leakage which would severely put the data at risk. Up to now, although a few existing solutions have been proposed to handle the problem of single-dimensional privacy, they are unsuitable in some practical scenarios due to inefficiency, inaccuracy, and lack of support for diverse data. Aiming at these issues, this paper mainly focuses on the secure range query over encrypted data. We first propose an efficient and private range query scheme for encrypted data based on homomorphic encryption, which can effectively protect data privacy. By using the dual-server model as the framework of the system, we not only achieve multi-dimensional privacy-preserving range query but also innovatively realize similarity search based on MinHash over ciphertext domains. Then we perform formal security analysis and evaluate our scheme on real datasets. The result shows that our proposed scheme is efficient and privacy-preserving. Moreover, we apply our scheme to a shopping website. The low latency demonstrates that our proposed scheme is practical.

Yanguo Peng,Long Wang,Jiangtao Cui,Ximeng Liu,Hui Li,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2020.2974218

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In the era of cloud computing, to achieve convenient location-based service (LBS), consumers such as users, companies, and organizations prefer subcontracting massive geographical data to public clouds after encryption for privacy and security. However, numerous harmful cyber-attacks happen on those public clouds in an unpredicted and hourly manner. To alleviate those concerns, various secure query schemes on the encrypted data have been proposed in the literature. As a fundamental query of LBSs, forward-secure range query has not been well investigated. To address this issue, we propose a lightweight and forward-secure range query (LS-RQ) on geographically encrypted data, which soundly balances between security and efficiency. Promisingly, we design an index mechanism to manage geographical data on the public clouds, while not compromising the privacy of data. Moreover, our LS-RQ schemes provide a convenient approach to range query on geographically encrypted data on-the-fly. We also rigorously prove that LS-RQ is forward-secure. Finally, extensive experimental studies are performed on both real and synthetic datasets. By observation, our LS-RQ schemes are highly efficient in realistic environments. Particularly, on encrypted datasets with about 1000000 geographical data, our solution to secure range query takes strictly less than a second.

computer science, information systems, software engineering, hardware & architecture

Qinyuan Liu,Zidong Wang,Xiao He,Donghua Zhou

DOI: https://doi.org/10.1109/cns.2018.8433179

2018-01-01

Abstract:Encryption, a powerful tool for data security, has been widely applied to protect sensitive data stored on untrusted cloud servers. One important problem in such an environment is how to support advanced query predicates, such as range queries, over an encrypted data set in an efficient and secure way. Order-preserving encryption (OPE) produces ciphertexts that preserve the order of their plaintexts and performs range queries directly on ciphertexts. However, ideally secure OPE schemes are inefficient (interactive and stateful), because they either ask for extensive client-to-server interactions or require a large persistent client storage that relates to the size of the data set. In this paper, we propose a comparable inner product encoding (CIPE) scheme to support multi-attribute range queries over encrypted data. Our main idea is to encode data and query values as encrypted vectors so that order comparison is realized by calculating the vector's inner product. Compared with existing OPE schemes, our scheme has the following merits: 1) High $e$ ficiency. It allows a client to retrieve data of interest in one round without maintaining any local state. 2) Enhanced security. It achieves ideal security while effectively resisting inference attacks that existing OPE schemes are vulnerable to. Extensive experiments conducted on a real- world, large-scale data set verify the effectiveness of our scheme.

Zhuolin Mei,Huilai Zou,Jinzhou Huang,Caicai Zhang,Bin Wu,Jiaoli Shi,Zhengxiang Cheng

DOI: https://doi.org/10.4018/ijwsr.340391

2024-03-12

International Journal of Web Services Research

Abstract:In recent years, more and more data has been stored on the cloud to provide various services. These data often contain users' private information, which inevitably raises concerns about data security. Encryption before outsourcing is a direct solution to mitigate these concerns. However, traditional encryption schemes such as block encryption make basic data services hard to support. Therefore, this paper proposes a secure and fast range query scheme for encrypted multi-dimensional data, called SFRQ. The scheme constructs a secure index over the ciphertexts of multi-dimensional data, utilizing the R-tree index, Bloom filter, and 0-1 encoding techniques. This secure index enables the cloud to provide fast range query services over the ciphertexts of multi-dimensional data. The authors have evaluated SFRQ through extensive experiments, which demonstrate its high efficiency. Additionally, the security analysis shows that no external entity, including the cloud, can obtain additional information during the entire query process.

computer science, information systems, software engineering

Wei Yang,Yang Xu,Yiwen Nie,Yao Shen,Liusheng Huang

DOI: https://doi.org/10.1007/978-3-319-91458-9_8

2018-01-01

Abstract:With the prevalence of cloud computing, data owners are motivated to outsource their databases to the cloud. However, sensitive information has to be encrypted to preserve the privacy, which inevitably makes effective data utilization a challenging task. Existing work either focuses on keyword searches, or suffers from inadequate security guarantees or inefficiency. In this paper, we focus on the problem of multi-dimensional range queries over dynamic encrypted cloud data. We propose a Tree-based private Range Query scheme over dynamic Encrypted cloud Data (TRQED), which enables faster-than-linear range queries and supports data dynamics while preserving the query privacy and single-dimensional privacy simultaneously. TRQED achieves provable security against semi-honest adversaries under known background model. Extensive experiments on real-world datasets show that the overhead of TRQED is desirable, and TRQED is more efficient compared with existing work.

Zhiqiang Yang,Sheng Zhong,Rebecca N. Wright

DOI: https://doi.org/10.1007/11863908_29

2006-01-01

Abstract:Data confidentiality is a major concern in database systems. Encryption is a useful tool for protecting the confidentiality of sensitive data. However, when data is encrypted, performing queries becomes more challenging. In this paper, we study efficient and provably secure methods for queries on encrypted data stored in an outsourced database that may be susceptible to compromise. Specifically, we show that, in our system, even if an intruder breaks into the database and observes some interactions between the database and its users, he only learns very little about the data stored in the database and the queries performed on the data.Our work consists of several components. First, we consider databases in which each attribute has a finite domain and give a basic solution for certain kinds of queries on such databases. Then, we present two enhanced solutions, one with a stronger security guarantee and the other with accelerated queries. In addition to providing proofs of our security guarantees, we provide empirical performance evaluations. Our experiments demonstrate that our solutions are fast on large-sized real data.

Yao Shen,Wei Yang,Lu Li,Liusheng Fitiang

DOI: https://doi.org/10.1016/j.pmcj.2017.04.008

IF: 3.848

2017-01-01

Pervasive and Mobile Computing

Abstract:With the prevalence of cloud computing, data owners are motivated to outsource their databases to the cloud server. However, to preserve data privacy, sensitive private data have to be encrypted before outsourcing, which makes data utilization a very challenging task. Existing work either focus on keyword searches and single-dimensional range query, or suffer from inadequate security guarantees and inefficiency. In this paper, we consider the problem of multidimensional private range queries over encrypted cloud data. To solve the problem, we systematically establish a set of privacy requirements for multidimensional private range queries, and propose a multidimensional private range query (MPRQ) framework based on private block retrieval (PBR), in which data owners keep the query private from the cloud server. To achieve both efficiency and privacy goals, we present an efficient and fully privacy-preserving private range query (PPRQ) protocol by using batch codes and multiplication avoiding technique. To our best knowledge, PPRQ is the first to protect the query, access pattern and single-dimensional privacy simultaneously while achieving efficient range queries. Moreover, PPRQ is secure in the sense of cryptography against semi-honest adversaries. Experiments on real-world datasets show that the computation and communication overhead of PPRQ is modest.

Xu Yang,Jiahe Yu,Saiyu Qi,Qiuhao Wang,Jianfeng Wang,Yanan Qiao,Yong Qi

DOI: https://doi.org/10.1016/j.comnet.2023.110108

IF: 5.493

2023-01-01

Computer Networks

Abstract:Searchable symmetric encryption (SSE) has recently been under the spotlight in a cloud data storage system due to its high efficiency. SSE allows a client to outsource his private data while maintaining data searchability. To ensure the correctness of query results, verifiable SSE has attracted a lot of attention from both academia and industry to enable reliable encrypted search over the untrusted cloud server. However, most traditional verifiable SSE schemes focus on point queries instead of range queries. Moreover, no effective countermeasures are available to prevent clients from maliciously rejecting the correct result for denying the payment. In this paper, we take the first step to study verifiable range queries with fairness and forward security. First, to support efficient range query over numerical values, we propose Prefix Tree-like Keyword Set (PTKS), a novel data structure to largely reduce the number of search tokens. Specifically, the number of search tokens is up to a logarithmic value (e.g., 7) of the query range width (e.g., [0, 1000]) with PTKS. Then, we propose a double-layer verification mechanism including client-side verification and on-chain verification via the smart contract on the blockchain to achieve cost-effective fair verification. In addition, our range query scheme supports forward-secure update operations. Based on these, we propose a blockchain-based verifiable, fair and forward-secure range query scheme. Finally, extensive experiments demonstrate the efficiency of our scheme.