TY - GEN
T1 - A Formal Information-Theoretic Leakage Analysis of Order-Revealing Encryption
AU - Jurado, Mireya
AU - Palamidessi, Catuscia
AU - Smith, Geoffrey
N1 - Publisher Copyright:
© 2021 IEEE Computer Society. All rights reserved.
PY - 2021/1/1
Y1 - 2021/1/1
N2 - Order-Revealing Encryption (ORE) allows deriving the order of two plaintexts to facilitate database functions such as range queries and sorting. Ideally, nothing is observable to an adversary beyond the order of the messages. Unfortunately, Ideal ORE is challenging to implement, and a variation of it has then been developed. This variation, referred to as CLWW ORE, reveals the first differing bit position between every two plaintexts, in addition to the order. We provide a formal leakage analysis of these two ORE variations by applying the information-theoretic quantitative information flow (QIF) framework. We evaluate two threat models: (1) the Bayes scenario in which an adversary wishes to guess the secret entirely and (2) a bucketing scenario in which an adversary is content to simply guess the range of the plaintext. We provide security implications, usage guidelines, and a mitigation technique that improves the security of Ideal ORE. We find that while Ideal and CLWW ORE perform similarly under the Bayes scenario, CLWW ORE is fundamentally insecure under the bucketing scenario.
AB - Order-Revealing Encryption (ORE) allows deriving the order of two plaintexts to facilitate database functions such as range queries and sorting. Ideally, nothing is observable to an adversary beyond the order of the messages. Unfortunately, Ideal ORE is challenging to implement, and a variation of it has then been developed. This variation, referred to as CLWW ORE, reveals the first differing bit position between every two plaintexts, in addition to the order. We provide a formal leakage analysis of these two ORE variations by applying the information-theoretic quantitative information flow (QIF) framework. We evaluate two threat models: (1) the Bayes scenario in which an adversary wishes to guess the secret entirely and (2) a bucketing scenario in which an adversary is content to simply guess the range of the plaintext. We provide security implications, usage guidelines, and a mitigation technique that improves the security of Ideal ORE. We find that while Ideal and CLWW ORE perform similarly under the Bayes scenario, CLWW ORE is fundamentally insecure under the bucketing scenario.
KW - Cloud Computing Security
KW - Formal Security Models
KW - Order-Revealing Encryption
KW - Quantitative Information Flow
U2 - 10.1109/CSF51468.2021.00046
DO - 10.1109/CSF51468.2021.00046
M3 - Conference contribution
AN - SCOPUS:85125364263
T3 - Proceedings - IEEE Computer Security Foundations Symposium
BT - Proceedings - 2021 IEEE 34th Computer Security Foundations Symposium, CSF 2021
PB - IEEE Computer Society
T2 - 34th IEEE Computer Security Foundations Symposium, CSF 2021
Y2 - 21 June 2021 through 25 June 2021
ER -