An Efficient Update Algorithm for Mutable Order-Preserving Encryption

Order-preserving encryption (OPE) produces ciphertexts that preserve the numerical order of plaintexts. Many researchers have focused on designing ideally-secure OPE schemes. This security notion, known as IND-OCPA, has been shown to be achievable by the mutability of ciphertexts and interaction between a database server and a client. This implies that the ciphertexts stored on the server can be updated. Unfortunately, existing update algorithms of mutable OPE schemes are designed to generate ciphertexts uniformly regardless of the distribution of the plaintexts. This leads to inefficiency that requires frequent ciphertext updates for a certain input data pattern (e.g., sequential data). In this paper, we propose a more efficient ciphertext update algorithm that is suitable for mutable OPE schemes. This algorithm makes it possible to reduce the number of updates by considering the input pattern of encrypted data without loss of security. Our experimental results show that, when applied to existing mutable OPE schemes, our update algorithm delivers significantly improved performance on a variety of datasets.

and sort on an encrypted database, because the ciphertexts of OPE preserve the numerical ordering of the corresponding plaintexts.

In a situation where the numerical ordering information of a plaintext is exposed, previous work has focused on designing schemes that achieve the best possible security. According to this security notion, known as IND-OCPA, ciphertexts reveal no additional information except for the order of the underlying plaintexts. This has also been shown to be achievable by assuming that the OPE scheme is interactive and mutable, that is, the stored ciphertexts are updated under a certain condition. The efficiency and practicality of mutable OPE schemes are thus closely related to the frequency of updates. Because these updates are time and resource intensive with respect to re-encrypting and sending the data to the server, the shorter the update cycle, the greater the burden on the database system. However, despite its importance, research on the efficient construction of update algorithms has received relatively less attention compared with OPE encryption.

The associate editor coordinating the review of this manuscript and approving it for publication was Mohamad Afendee Mohamed.

Existing update algorithms uniformly re-encrypt stored ciphertexts regardless of the distribution of input data. However, with the exception of uniform distributions, this approach is inefficient when the input data follow a specific (unique) distribution. For example, when encrypting sequentially increasing data, instead of uniformly re-encrypting ciphertexts, densely re-encrypting them with small values could reduce the number of updates. Therefore, a new ciphertext update algorithm that updates ciphertexts by considering the input pattern of the encrypted data is necessary. Nonetheless, it should be noted that, to ensure that the security of OPE remains unaffected, only the ordering information of

VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

The generalized version of OPE, order-revealing encryption (ORE), provides a public function that takes two encrypted plaintexts as inputs and outputs their numerical ordering. In 2015, Boneh et al. [17] provided the first ideally-secure ORE using multilinear maps. Thereafter, Chenette et al. [18] designed a practical ORE with the leakage of the most significant difference bits of two plaintexts. They also presented a simulation-based security definition to more accurately quantify the information leakage in ORE schemes. Lewi

The rest of this paper is organized as follows. In Section II, we review the formal notion of (stateful) OPE and its security model. In Section III, we review the previous mutable OPE schemes and the ciphertext update algorithms described in these schemes. Section IV presents our new ciphertext update algorithm and Section V evaluates the performance of our algorithm on various datasets. Finally, we conclude this paper in Section VI.

In this section, we briefly review order-preserving encryption and its security model.

1) The adversary A prepares two plaintext sequences $1 \le i, j \le n$ and sends them to the challenger C.

and $i = j \Rightarrow \gamma_i = \gamma_j$ for all $i$ and $j$, of sequence $X$ holds that:

and $X_1 = \{2, 2, 3, 3\}$, the common randomized order $\Gamma$ can be $\{1, 2, 3, 4\}$ or $\{1, 2, 4, 3\}$.

IND-FA-OCPA security is strictly stronger than that of IND-OCPA and it is defined as the following game. The security game $\mathsf{Game}_{\text{IND-FH-OCPA}}(\lambda)$ between adversary A and challenger C for security parameter $\lambda$ proceeds as follows:

1) The adversary A prepares two plaintext sequences These sequences have at least one common randomized order $\Gamma$. He sends them to the challenger C.

2) The challenger C randomly chooses $b \leftarrow \{0, 1\}$, executes Setup($1^\lambda$), and runs (

Then, the challenger C sends $y_{1 \le i \le n, b}$ to the adversary A.

can be explained as the task of inserting a plaintext into a binary search tree. In other words, the client may store state S using a data structure such as a binary search tree. We denote the binary search tree as the set T of nodes {t}. For node t ∈ T, we use t.left and t.right to represent the child nodes of t on the left and right, respectively. Kerschbaum [11] presented efficient compression techniques to reduce the amount of information stored on the client, which in certain cases can lead to compression ratios of 15.

A. OPE SCHEME OF KERSCHBAUM et al.

The main idea of [10] to achieve IND-OCPA security was to generate the ciphertext as a median value of the possible ciphertext space corresponding to the input plaintext. For example, assuming that five plaintexts 3, 7, 2, 5, and 10 are sequentially encrypted in the ciphertext space M = 128, the first plaintext 3 is encrypted as 64, which is the median value of the possible ciphertext space (−1, 128). As shown in Fig. 1, if encryption proceeds in this way, ciphertexts of 96, 32, 80, and 112 are sequentially generated. If the ciphertext space is no longer halved, re-encryption is executed according to the

Fig. 4 shows that the ciphertext space $(-1, M)$ is divided by $y_1$ into two subspaces $(-1, y_1)$ and $(y_1, M)$. It also shows that the space $(y_1, M)$ is divided again by $y_2$ into two subspaces $(y_1, y_2)$ and $(y_2, M)$, where $x_1 < x_2$. Here, we assign a weight $w_i$ to each ciphertext $y_i$ according to the number of times the ciphertext space on the left is divided; that is, $w_1 = 1$ of $y_1$, $w_2 = 2$ of $y_2$, and additionally define $w_3$ as 2 of $M$.

w_1), . . . , (y_n, w_n), (y_{n+1} = M, w_{n+1})} is defined as follows. Let $k$ be the index of the first ciphertext inserted after the last ciphertext update. For $i \le k - 1$, $w_i$ and $w_{n+1}$ are initialized as 1. For $k \le i \le n$, first find the index $j \in \{1, \ldots, n\}$ such that $y_i < y_j$ and $|y_j - y_i|$ is the smallest in $W$, then update $w_i$ and $w_j$ as follows:

. . , y_n} from Y by using system log
Compute $w_{1 \le i \le n+1}$ by building $W$ (see Def. 6) on $\overrightarrow{Y}$
Sort $W$ in ascending order by the first element

We analyzed our construction by comparing it with the algorithm we previously reviewed in terms of efficiency.

• The outstanding feature of the proposed algorithm is that the server can proceed with ciphertext updates without any help from the client. Therefore, sufficient computing power of the server can be utilized, providing evidence that it does not adversely affect the security of the underlying OPE scheme. The client can update the state S by executing the update algorithm independently of the server or by receiving the updated results from the server.

• Because the previous algorithms internally call the encryption algorithm underlying the OPE, the cost of calling the function is added, and the update efficiency is dependent on the underlying OPE. However, our proposed algorithm does not present this problem at all.

• In the previous update process, the cost of communication between the client and server was O(n), considering that the client had to send all the updated ciphertexts to the server. However, in our proposed algorithm, because the server and client can perform the update operation independently, these communication costs can be saved.

others. However, in real-world datasets, data duplication is actually very common, thus using these datasets, we com-

Table 1.

Fig. 10 shows that the data in both of the two chosen data fields follow Gaussian distributions. In the uniformly

a unique distribution rather than a uniform distribution, the proposed algorithm improves the performance noticeably.
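The median-based encryption reviewed in Section III-A, and the reason sequential input forces frequent updates, can be reproduced with the following added example (not code from the paper). The class name `MedianOPE`, the helper `encrypt_all`, and the evenly spaced `_update` step are assumptions used here as a simple stand-in for a uniform update; this is not the paper's weighted algorithm.

```python
from bisect import bisect_left

class MedianOPE:
    """Toy client state for a median-based mutable OPE over the space (-1, M)."""

    def __init__(self, M):
        self.M = M
        self.plain = []    # sorted plaintexts
        self.cipher = []   # cipher[k] encrypts plain[k]; same order
        self.updates = 0   # how many times stored ciphertexts were rewritten

    def _bounds(self, i):
        lo = self.cipher[i - 1] if i > 0 else -1
        hi = self.cipher[i] if i < len(self.cipher) else self.M
        return lo, hi

    def _update(self):
        # Assumed stand-in for a uniform update: respace all stored
        # ciphertexts evenly over (-1, M), ignoring the input pattern.
        n = len(self.cipher)
        self.cipher = [-1 + (k + 1) * (self.M + 1) // (n + 1) for k in range(n)]
        self.updates += 1

    def encrypt(self, x):
        i = bisect_left(self.plain, x)
        if i < len(self.plain) and self.plain[i] == x:
            return self.cipher[i]            # repeated plaintext: same ciphertext
        lo, hi = self._bounds(i)
        if hi - lo < 2:                      # gap can no longer be halved
            self._update()
            lo, hi = self._bounds(i)
            if hi - lo < 2:
                raise OverflowError("ciphertext space exhausted")
        y = lo + (hi - lo + 1) // 2          # median of the open gap, rounded up
        self.plain.insert(i, x)
        self.cipher.insert(i, y)
        return y


def encrypt_all(plaintexts, M):
    """Encrypt in the given order; return (ciphertexts as issued, update count)."""
    ope = MedianOPE(M)
    return [ope.encrypt(x) for x in plaintexts], ope.updates


if __name__ == "__main__":
    print(encrypt_all([3, 7, 2, 5, 10], 128))          # the example from the text
    print("sequential:", encrypt_all(range(1, 9), 128)[1], "update(s)")
    print("balanced:  ", encrypt_all([4, 2, 6, 1, 3, 5, 7, 8], 128)[1], "update(s)")
```

The same eight plaintexts need an update when inserted in increasing order, because each insertion halves only the rightmost gap, but none when inserted in a tree-balanced order.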

Our analysis of the update algorithms of existing mutable (FH)OPE schemes indicated that these algorithms are inefficient. We subsequently proposed a new efficient update algorithm for any mutable OPE scheme, with the main objective of reducing the total number of updates by considering the input pattern of the encrypted data. Our algorithm enables the server to proceed with ciphertext updates without any help from the client and without any security loss because the algorithm can operate using only system logs and stored ciphertexts. Our experimental results showed a significant performance improvement on a variety of datasets when the algorithm was applied to existing mutable OPE schemes.