So, the next talk will be "Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions" by Alexandra Boldyreva, Nathan Chenette, and Adam O'Neill, and the speaker will be Nathan Chenette.

Hello. Hi, I'm Nathan Chenette, and I'm here to share a few new results in order-preserving encryption. This is joint work with Sasha Boldyreva and Adam O'Neill. So, as order-preserving encryption is a relatively new topic of interest, I'd like to start out with some background and motivation for its use. And I'll start by recalling the definition of order-preserving encryption. So we say that a symmetric encryption scheme is order-preserving if encryption is deterministic and strictly increasing. So in the picture, you can see an example of an order-preserving encryption function on some key, where if M0 is less than M1, then the encryption of M0 is less than the encryption of M1 for that key; hence, order-preserving.

So you might be wondering why something as limited and seemingly insecure as this could be useful. And that brings me to the canonical application for OPE. And the canonical application is range queries: supporting efficient range queries on encrypted data, specifically for outsourced databases. This application was noted in the database community back in 2004, and essentially the idea is that the client stores an OPE-encrypted database on an outsourced server. And in order to access range-specified data in that database, it's as easy as if the database were not encrypted at all. He simply encrypts the two ends of the range that he's interested in, sends those ciphertexts to the server, and the server returns all the records for which the ciphertext falls between those two values. So it's quite simple. So that application spawned the first study of OPE back in 2004 in the database community.
However, the first cryptographic study of OPE did not occur until 2009, and this was due to my coauthors and myself, along with Younho Lee. And in that paper, we defined a secure OPE to be a pseudorandom order-preserving function, or POPF. Now, this is a similar definition to that of a pseudorandom function. And the security experiment is as follows. The adversary is given black-box query access to an order-preserving function, and he's tasked with deciding whether that function is, in fact, the OPE scheme on a random key, or if it's a random order-preserving function from the set of all order-preserving functions on the same domain and range. This latter object we call the ideal object for this definition, as it's what an OPE should emulate if it's trying to be POPF-secure.

So in that paper, we also designed a POPF-secure scheme. And since those results came out, we've heard from many people who want to implement our scheme, as it has been proven POPF-secure, and in any case it's better than no encryption for applications where you desire only range queries. However, as we emphasized in our old paper, there are still some unanswered questions about the security of our scheme, and they stem from the idea that we are unsure about the security guarantees of the ideal object itself, that is, a random order-preserving function. In particular, it's not clear exactly what information is necessarily leaked by a random order-preserving function and what information is secure.

To elaborate on this situation, let's compare it to the case of a pseudorandom function and its ideal object, a random function. So the case of a random function is pretty clear. For distinct inputs, the output looks uniformly random. And so for a random function, the output leaks only equality information about the input, because the function is deterministic, but nothing else.
However, the case for a random order-preserving function is slightly less clear. On any input, the output definitely leaks order, because it's order-preserving, but it also leaks things like the approximate location. For example, if you see a small ciphertext, it likely came from a small input. It also leaks approximate distance. For instance, if you see ciphertexts that are very far apart, they likely came from inputs that are very far apart. And maybe there's more that is leaked by the output. And these questions about what a random order-preserving function leaks in its ciphertexts about the input are what held us back from recommending that people implement the scheme from our old paper. And we left it as an open problem to characterize this leakage.

So this brings us to our current contributions. So our main result is to address this open question of analyzing the security guarantees of a random order-preserving function. And to do this, the first thing we do is suggest several notions of one-wayness to analyze OPE security. We then analyze the one-wayness of a random order-preserving function using those notions. And by extension, these results then apply to the POPF-secure scheme of our old paper. And finally, we have a couple of tangential results where we talk about two variations of the OPE primitive that support range queries only in particular circumstances, but with improved one-wayness. And we'll get to those at the end.

But first I'd like to talk about our main results. And before that, I need to talk about our new notions of security. Now, we need new security notions because traditional notions of security are in general too strong to be satisfied by an OPE scheme. And so in coming up with new security notions, we'd like to address the central concern of the open question from the old paper, which is to ask: what do a random order-preserving function's ciphertexts reveal and/or hide about the location of plaintexts and the distance between plaintexts?
To answer these questions, we propose several varieties of one-wayness. The first is (r,z)-window one-wayness. So this is parameterized by two variables, r and z. r is the window size and z is the challenge set size. And the security experiment is as follows. First we sample z uniformly random messages from the message space, and we sample a random key from the key generator. We then encrypt each of these messages and send those ciphertexts to the adversary. And the adversary is tasked with outputting a plaintext window of size r. The adversary's advantage is then the probability of the event that one of these messages, the challenge messages, occurs within that plaintext window. So this is essentially measuring the probability that an adversary can invert one of z encryptions of random plaintexts to within a window of size r.

The second notion of one-wayness we talk about is window distance one-wayness. So this is the distance version of what I just talked about, where again we're parameterized by r and z. r is now the distance window size and z is still the challenge set size. The security experiment is exactly as before, except now the adversary is supposed to output a distance window of size r. And his advantage is the probability of the event that for some two distinct messages, their distance lies in the distance window. So this is essentially measuring the probability that an adversary can find the distance between any two of the challenge messages to within a window of size r.

Okay, so now let's look at how a random order-preserving function stacks up to our notions of one-wayness. Here's an overview of our results. So it turns out that for small-window one-wayness and small-window distance one-wayness, we find that a random order-preserving function is secure, meaning that we find an upper bound on any adversary's advantage.
On the other hand, for large-window one-wayness and large-distance-window one-wayness, where by large I mean r is approximately z, the number of challenge messages, over the square root of the size of the message space, we find that the ROPF is insecure; that is, we construct an adversary and lower-bound its advantage very close to one.

So let's delve into these results a little bit here. So the first result is that a random order-preserving function is secure under small-window one-wayness. And to show this, we prove an upper bound on the (1,z)-window one-wayness advantage against an ROPF. So the upper bound is as shown in this theorem. It's a very interesting bound. It's actually quite clean, and it doesn't even have to do with N, the size of the ciphertext space. And the interpretation of this result is that any adversary's probability of inverting one of z encryptions of random plaintexts is bounded by approximately a constant times z over √M. And for reasonable z this is small, so that's why I would say secure.

So as this result is the technical meat of our paper, I wanted to look a little bit into the proof, which is non-trivial. So remember that the idea is that we want to prove an upper bound on the (1,z)-window one-wayness advantage against an ROPF. So the first thing we do in the proof is reduce to the problem of bounding the (1,1)-window one-wayness advantage. So we've reduced it to the problem of bounding the adversary's success in inverting the encryption of a single random message with only one guess, window size one. So if you think about it, this is in fact an information-theoretic question, because the adversary is given no query ability. He's simply given a ciphertext, and he has to guess a message that's the most likely plaintext for that ciphertext, knowing that encryption was a random order-preserving function.
So, given this ciphertext, the adversary's best option is to output this most likely plaintext, and in this graph you can see that I've plotted the most-likely-plaintext probability for each ciphertext c across the ciphertext space. So essentially what this is telling you is, whatever c is given to the adversary, the function value is the probability that the adversary wins by submitting the most likely plaintext for that ciphertext. So recall that the challenge messages were selected uniformly at random from the message space, and it turns out that since we encrypted via a random order-preserving function, the challenge ciphertext given to the adversary actually looks uniformly random in the ciphertext space. So to find an upper bound on the adversary's advantage, we simply need to find the average most-likely-plaintext probability across the ciphertext space, and this equals the area under this curve over the number of ciphertexts.

So we've reduced the problem to finding the area under this curve, which, by the way, is a non-trivial task, as this curve looks smooth from here, but on a minute level it's a little bit bumpy, and there's no easy function that defines it. So my task is to find the area under this curve, and I find it in several steps. The first step is that we calculate exactly the probability of the middle ciphertext on a small fixed space, which we can do because the space is small and fixed. The second step is that we relate the probability of a middle ciphertext in a large space to the probability of a middle ciphertext in that small space. The third step is that we relate the probability of any point in this large space to the probability of the middle ciphertext, and then this comes up with a function that is relatively clean, that we can in fact integrate, and that gives us the approximate area under the curve.
So the area under the curve divided by the number of ciphertexts gives us the approximate average most-likely-plaintext probability, which is the bound in this theorem. So remarkably, it turns out to be very clean.

So moving on, our second main result is that a random order-preserving function is insecure under large-window one-wayness, and to show this we construct an adversary and lower-bound its window one-wayness advantage against an ROPF. And in this case the proof has to do with some tail inequalities on a probability distribution, so you should read our paper if you're interested in that proof. And the result, the lower bound on the adversary's advantage, is as shown in this theorem, where b is a constant, and notice that r is approximately this constant times √M. So notice that if b is, say, a medium-sized constant, say 8 or something, then this value is very close to 1, so for a window of size 8√M the adversary is almost certain to win all the time. Yes, the interpretation is that given z encryptions of random plaintexts, the adversary that we construct can, with high probability, invert one of them to within a window of size b√M, where b is a medium-sized constant, say 8.

Now what about distance window one-wayness? Well, in fact, in this case we find results analogous to the window one-wayness cases, and the interpretations of these results are that guessing the exact distance between encryptions of two random plaintexts is hard, while guessing the approximate distance is easy.

Okay, next we have a few supplementary security considerations for ROPFs, one being that if some plaintext-ciphertext pairs are known to the adversary, then the adversary's view and our analysis apply to the subspaces between these points. So in this picture, if the orange points are known plaintext-ciphertext pairs, then our analysis applies to these gray subspaces as if there's an ROPF scheme on each of those.
Secondly, we show in the paper why choosing a ciphertext space size at least seven times the plaintext space size should be sufficient for our analysis to hold. And finally, we insert a caution about the assumption we made at the beginning of our security definitions, which is that the challenge messages come from a uniformly random distribution; of course, they could come from another distribution, and it is an open problem to extend this to other distributions. However, I find it unlikely that you'd be able to say something very clean in general for all distributions, at least.

So finally I'd like to look at these variants of order-preserving encryption that I mentioned in the introduction. The first is modular order-preserving encryption. So this is a variant of OPE in which modular order is preserved, and it supports modular range queries. You can see in this picture that a modular OPE encryption function looks a lot like an OPE encryption function, except that there's a wraparound point, and so this function still supports range queries, although it's not order-preserving per se. So in fact the OPE scheme of our earlier paper can be extended to a modular OPE scheme by prepending a random secret shift. And what does this do to one-wayness? Well, in fact, this modular OPE scheme is now optimally (r,z)-window one-way secure, while distance window one-wayness security is equivalent to that of the OPE scheme, and in fact knowledge of a single plaintext-ciphertext pair essentially reduces the MOPE to OPE. So in a sense this is really just a small step beyond OPE.

Finally, our second variant is what we call committed OPE. So some past results have implemented schemes for range queries on predetermined static databases, and this is a situation where key generation is allowed to take the database as input, and all ciphertexts are revealed in the database.
This may seem like a very naive situation, but in fact it's just the order-preserving version of secure searchable index schemes, which have been widely studied in the literature. And in our paper we can straightforwardly construct an optimally secure OPE scheme. It turns out this is very easy to do if you have a constant-time function that sends the i-th element of your database to index i, and these functions have a name, which is monotone minimal perfect hash functions. Such functions were studied recently by this reference paper, and their constructions in fact have near-space-optimal complexity, so it seems like a reasonable solution.

So in conclusion, we made significant progress in addressing the open question from our earlier paper of analyzing the security of a random order-preserving function, and to do this we introduced new security models using one-wayness notions and analyzed ROPFs under these models. We also introduced two variations of OPE that could be useful in some settings, and we believe that, taken with certain precautions, our results may help practitioners determine whether the security-versus-functionality tradeoff of OPE is acceptable for their applications. So there's certainly room for more results in the security of OPE. So thank you very much.

We have time for questions. Okay, let's thank the speaker again.
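The window one-wayness experiment and the proof sketch from the talk, as an added worked example that is not code from the talk or the paper: a uniformly random order-preserving function from {1..M} to {1..N} is sampled as a sorted random M-subset of {1..N} (every OPF is determined by its image), the exact (1,1)-window one-wayness advantage of the optimal adversary is computed as the average most-likely-plaintext probability over the uniform challenge ciphertext, and a Monte Carlo run of the (r,1)-window experiment shows how a window adversary's win rate grows with r. The window adversary here, which simply centres a window of size r on the most likely plaintext, is a hypothetical simplification and not the adversary constructed in the paper; the parameter values M = 64, N = 7M are chosen for illustration.

```python
"""Window one-wayness of a random order-preserving function (ROPF), small scale.

Added illustration; not code from the talk or the paper. Message space is
{1..M}, ciphertext space is {1..N}, with N >= M.
"""
import math
import random
from fractions import Fraction


def sample_ropf(M, N, rng):
    """A uniformly random order-preserving function [M] -> [N].

    An OPF is determined by its image, an M-subset of [N], so a uniform
    M-subset, sorted, is a uniform ROPF. Returned as a table: f(m) == table[m-1].
    """
    return sorted(rng.sample(range(1, N + 1), M))


def opf_count(M, N, m, c):
    """Number of OPFs [M] -> [N] with f(m) == c.

    The m-1 smaller messages must land below c and the M-m larger ones above c.
    math.comb returns 0 when k > n, which handles impossible (m, c) pairs.
    """
    return math.comb(c - 1, m - 1) * math.comb(N - c, M - m)


def ciphertext_marginal(M, N, c):
    """Pr[Enc(m) == c] for uniform m and a uniform ROPF, exactly.

    By Vandermonde, sum_m opf_count(M, N, m, c) == C(N-1, M-1) for every c,
    so the result is 1/N: the challenge ciphertext is uniform on [N].
    """
    return Fraction(sum(opf_count(M, N, m, c) for m in range(1, M + 1)),
                    M * math.comb(N, M))


def most_likely_plaintext(M, N, c):
    """Information-theoretically best single guess for ciphertext c."""
    return max(range(1, M + 1), key=lambda m: opf_count(M, N, m, c))


def optimal_one_one_wow(M, N):
    """Exact (1,1)-window one-wayness advantage of the best adversary.

    Pr[m | c] = opf_count(M, N, m, c) / C(N-1, M-1). Since c is uniform on
    [N], the advantage is the average over c of max_m Pr[m | c]: the area
    under the most-likely-plaintext curve divided by the number of ciphertexts.
    """
    per_c = math.comb(N - 1, M - 1)
    best = sum(Fraction(max(opf_count(M, N, m, c) for m in range(1, M + 1)), per_c)
               for c in range(1, N + 1))
    return best / N


def window_adversary(M, N, r, c):
    """Hypothetical simple adversary: a window of size r centred on the most
    likely plaintext of c, clipped to stay inside [1, M]. Returns (lo, hi)."""
    centre = most_likely_plaintext(M, N, c)
    lo = max(1, min(centre - r // 2, M - r + 1))
    return lo, lo + r - 1


def estimate_window_wow(M, N, r, trials, seed=0):
    """Monte Carlo estimate of the (r,1)-window one-wayness experiment."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        f = sample_ropf(M, N, rng)
        m = rng.randrange(1, M + 1)            # one uniform challenge message
        lo, hi = window_adversary(M, N, r, f[m - 1])
        wins += lo <= m <= hi
    return wins / trials


if __name__ == "__main__":
    M, N = 64, 7 * 64                           # N >= 7M, as the talk recommends
    print("optimal (1,1)-WOW advantage:", float(optimal_one_one_wow(M, N)))
    for r in (1, 2, 4, 8, 16):                  # 8 == sqrt(M)
        print(f"r={r:2d}  estimated win probability:",
              estimate_window_wow(M, N, r, 2000))
```

The run prints the exact optimal single-guess advantage for M = 64, N = 7M, followed by the empirical win probability of the simple window adversary as r grows through √M. The clipping in `window_adversary` matters: for an extreme ciphertext the most likely plaintext sits at the edge of the message space, so a window centred on it would otherwise fall partly outside [1, M] and waste part of its size.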