Practical Order-Revealing Encryption with Limited Leakage

Abstract

In an order-preserving encryption scheme, the encryption algorithm produces ciphertexts that preserve the order of their plaintexts. Order-preserving encryption schemes have been studied intensely in the last decade, and yet not much is known about the security of these schemes. Very recently, Boneh et al. (Eurocrypt 2015) introduced a generalization of order-preserving encryption, called order-revealing encryption, and presented a construction which achieves this notion with best-possible security. Because their construction relies on multilinear maps, it is too impractical for most applications and therefore remains a theoretical result.
In this work, we build efficiently implementable order-revealing encryption from pseudorandom functions. We present the first efficient order-revealing encryption scheme which achieves a simulation-based security notion with respect to a leakage function that precisely quantifies what is leaked by the scheme. In fact, ciphertexts in our scheme are only about 1.6 times longer than their plaintexts. Moreover, we show how composing our construction with existing order-preserving encryption schemes results in order-revealing encryption that is strictly more secure than all preceding order-preserving encryption schemes.

Full text

Practical Order-Revealing Encryption with Limited Leakage
Nathan Chenette1, Kevin Lewi2, Stephen A. Weis3, and David J. Wu2
1Rose-Hulman Institute of Technology
2Stanford University
3Facebook, Inc.
Abstract
In an order-preserving encryption scheme, the encryption algorithm produces ciphertexts that
preserve the order of their plaintexts. Order-preserving encryption schemes have been studied
intensely in the last decade, and yet not much is known about the security of these schemes.
Very recently, Boneh et al. (Eurocrypt 2015) introduced a generalization of order-preserving
encryption, called order-revealing encryption, and presented a construction which achieves this
notion with best-possible security. Because their construction relies on multilinear maps, it is
too impractical for most applications and therefore remains a theoretical result.
In this work, we build efficiently implementable order-revealing encryption from pseudoran-
dom functions. We present the first efficient order-revealing encryption scheme which achieves
a simulation-based security notion with respect to a leakage function that precisely quantifies
what is leaked by the scheme. In fact, ciphertexts in our scheme are only about 1
.
6 times
longer than their plaintexts. Moreover, we show how composing our construction with existing
order-preserving encryption schemes results in order-revealing encryption that is strictly more
secure than all preceding order-preserving encryption schemes.
1 Introduction
A symmetric encryption scheme is order-preserving if the ciphertexts preserve the numeric ordering
of their underlying plaintexts. The notion of order-preserving encryption (OPE) was introduced
by Agrawal et al. [
AKSX04
] who showed how it could be used to efficiently answer range queries
over encrypted data, as well as sorting queries, searching queries, and more. Indeed, existing OPE
solutions have been implemented in practice [
Sky
,
PRZB11
] for these exact purposes. Since the
introduction of OPE, there has been a plethora of work on analyzing the security of various OPE
schemes, found both in the cryptography community and the database community. However, it
is troubling that in spite of the numerous practical applications of OPE, the security of the best
candidate OPE schemes is still not well understood.
Prior work.
The first OPE construction by Agrawal et al. [
AKSX04
] relied on heuristics and
lacked a formal security analysis. Subsequently, Boldyreva et al. [
BCLO09
] gave the first formal
security definitions for OPE schemes. Boldyreva et al. introduced two primary notions for security
of an OPE scheme. The first notion of security for an OPE scheme is called indistinguishability
under an ordered chosen plaintext attack (IND-OCPA). The IND-OCPA definition can be viewed as
1

a generalization of semantic security [
GM84
], and effectively says that encryptions of a sequence of
messages should reveal nothing about the underlying messages other than their ordering. However,
in the same work, Boldyreva et al. showed that no efficient order-preserving encryption scheme can
be IND-OCPA secure, even in settings where the size of the ciphertext space is exponentially larger
than the size of the plaintext space.
In light of this lower bound for OPE schemes that satisfy IND-OCPA security, Boldyreva et al.
introduced a weaker notion of security (POPF-CCA security) where the encryption function for the
OPE scheme is compared to a random order-preserving function—that is, the encryption algorithm
for an OPE scheme behaves like a truly random order-preserving function. Under this definition,
an OPE scheme inherits the properties of a random order-preserving function.
1
In the same work,
Boldyreva et al. gave an explicit construction of an OPE scheme that satisfies POPF-CCA security.
However, the POPF-CCA security definition does not precisely specify the information that is
leaked by an OPE scheme that achieves this definition. In fact, a scheme that achieves this notion
of security does not even satisfy semantic security for a single encryption, and indeed, in subsequent
work, Boldyreva et al. [
BCO11
] showed that ciphertexts in their OPE scheme leak approximately
the first half of the bits of the underlying plaintexts. In addition, they introduce several new security
definitions in order to better quantify the information leakage of OPE schemes that are POPF-CCA
secure.
Recently, Boneh et al. [
BLR+15
] proposed a generalization of OPE called order-revealing
encryption (ORE). In an OPE scheme, the ciphertexts are numeric-valued, and the ordering of the
underlying plaintexts is determined by numerically comparing the ciphertexts. In contrast, in an
ORE scheme, the ciphertexts are not constrained to any particular form, and instead, there is a
publicly computable comparison function which takes two ciphertexts and outputs the numeric
ordering of the underlying plaintexts.
2
Although this generalization may at first seem subtle, Boneh
et al. constructed an ORE scheme from multilinear maps that achieves the “best-possible” notion
of security, which is equivalent to the IND-OCPA security notion for order-preserving encryption.
The main drawback of the Boneh et al. ORE construction is that it relies on complicated tools
and strong assumptions on these tools, and as such, is currently impractical to implement.
1.1 Our Contributions
We now summarize the main contributions of this work, which include a new simulation-based
security notion for ORE, along with a practical construction of an ORE scheme which achieves this
security notion. We also show how our new construction can be used to achieve a strictly stronger
notion of security compared to other stateless and efficiently implementable (e.g., constructions that
do not rely on powerful primitives such as multilinear maps and indistinguishability obfuscation)
OPE and ORE encryption schemes.
Security model.
In our work, we take the general approach of Boneh et al. in constructing
an ORE scheme, except we take a more efficient route. Our first contribution is a new security
definition for order-revealing encryption schemes that both allows for and explicitly models the
leakage in the scheme. Our design goals for introducing this new security model are twofold: first,
1
This definition is inspired by the similar definition for PRF security [
GGM84
], which compares the output of a keyed
function to that of a truly random function.
2
This application was also observed and independently achieved by Goldwasser et al. [
GGG+14
] using indistinguisha-
bility obfuscation.
2

the security model should enable constructions that are efficiently implementable, and second, it
should provide a precise quantification of any information leaked by the scheme. The two primary
notions of security, IND-OCPA and POPF-CCA, introduced by Boldyreva et al. [
BCLO09
] each
satisfy one of these two properties. In particular, all non-interactive, stateless
3
ORE schemes that
achieve IND-OCPA security require strong cryptographic primitives such as multilinear maps or
indistinguishability obfuscation [
GGG+14
,
BLR+15
], and thus, are not efficiently implementable
today. At the other end of the spectrum, it is difficult to precisely quantify the leakage of schemes
that satisfy POPF-CCA security. The work by Boldyreva et al. [
BCO11
] provides some concrete
lower and upper bounds for the leakage under the strong assumption that the plaintexts are drawn
from a uniform distribution. For more general distributions, the leakage remains unclear.
In our work, we give a simulation-based definition of security for ORE with respect to a leakage
function
L
. In other words, our definition states that whatever an adversary is able to deduce from
seeing encryptions of messages
m1, . . . , mt
, it could also deduce given only the leakage
L
(
m1, . . . , mt
).
The “best-possible” security for ORE would correspond to the case where the leakage function
simply outputs whether
mi< mj
for all pairs of messages
mi
and
mj
. By allowing for the possibility
of additional leakage, it becomes possible to construct practical ORE schemes from standard
assumptions. Thus, our constructions provide a concrete trade-off between security and efficiency.
Our security definitions are similar to the simulation-based definitions that have been considered
previously in the searchable symmetric encryption literature [CM05, CGKO06].
Constructions.
In our main construction, we show how to construct an ORE scheme from
one-way functions (more precisely, from pseudorandom functions (PRFs) [
GGM84
]). This particular
ORE scheme reveals slightly more information than just the ordering of the underlying messages.
Specifically, two ciphertexts encrypting messages
m1
and
m2
also reveal the index of the first bit in
m1
and
m2
that differ. In other words, our ORE scheme leaks some information about the relative
distance between the underlying messages.
We give a brief overview of our PRF-based construction. The secret key in our scheme consists
of a PRF key
k
. The output space of the PRF is the set
{0,1,2}
. Each ciphertext consists of the
bits of the message blinded by the outputs of the PRF evaluated on the prefixes of the message.
More precisely, to encrypt an
n
-bit message
m
=
m1m2···mn
, the encryption algorithm effectively
computes the following for each i∈[n]:
ui=F(k, m1m2···mi−1) + mi(mod 3).
Note that to support variable-length PRF inputs, we simply pad the input. We describe our
construction in greater detail in Section 3. The ciphertext is then the tuple
ct
= (
u1, . . . , un
) of
blinded values.
To compare encryptions
ct
= (
u1, . . . , un
) and
ct0
= (
u0
1, . . . , u0
n
) of messages
m
and
m0
, the
evaluator first finds the first index
i
for which
ui6
=
u0
i
. Since
ui
and
u0
i
are functions of just the first
i
bits of
m
and
m0
, respectively, the first index
i
for which
ui6
=
u0
i
is the first bit of
m
and
m0
that
differ. After identifying the
ith
bit that differs, the evaluator uses
ui
and
u0
i
to determine which
message has 0 as the
ith
bit and which message has 1.
4
Conversely, if
ui
=
u0
i
for all
i
, then
cti
=
ct0
i
,
and so
m
=
m0
. Security of this construction follows from the security of the PRF (Theorems 3.2).
3
There are “mutable” order-preserving encryption schemes [
PLZ13
,
KS14
,
Ker15
] that do satisfy IND-OCPA, but
they require stateful encryption, and oftentimes, an interactive protocol to “update” ciphertexts. We survey some of
these constructions in Section 1.2.
4Either ui+ 1 = u0
i(mod 3), in which case m < m0, or ui−1 = u0
i(mod 3), in which case m > m0.
3

Ciphertexts in our candidate scheme are
dn·log2
3
e≈d
1
.
6
ne
bits, where
n
is the bit-length of
the message. As a point of comparison, ciphertexts in the OPE scheme of Boldyreva et al. [
BCLO09
]
are only
n
+ 1 bits long. While the ciphertexts in our scheme are longer (by a multiplicative factor
log2
3), the authors of [
BCO11
] note that even if the size of the ciphertext space is increased beyond
n
+ 1 bits in the Boldyreva et al. scheme, the security of their construction does not improve by
any noticeable amount.
We then explain in Section 3.2 how to convert our ORE scheme into an OPE scheme, at the
expense of longer ciphertexts. This is useful for applications where it is more convenient to have a
numeric ciphertext space and for order relations to be computable without a “custom” comparison
function. The transformation we describe is natural and does not reduce the security of the original
ORE scheme. In particular, we note that the resulting OPE scheme does not behave like a random
order-preserving function (the ideal object from the POPF-CCA security notion). Thus, the scheme
is able to achieve stronger security than the Boldyreva et al. OPE scheme.
Comparison with existing schemes.
First, we note in Section 2.3 that the security of any
OPE scheme can be “augmented” by applying ORE encryption on top of OPE encryption. The
resulting scheme is at least as secure as the underlying OPE scheme, and moreover, inherits the
security properties of the ORE scheme. Hence, by composing our ORE construction with existing
OPE constructions, we obtain ORE schemes that are at least as secure.
While composing an OPE scheme with an ORE scheme yields a scheme that is at least as
secure as the underlying OPE scheme, we show that even without this composition, our basic ORE
scheme still achieves stronger security guarantees according to the one-wayness metrics introduced
by Boldyreva et al. [
BCO11
] for analyzing the leakage of random order-preserving functions (and
by extension, any OPE scheme that is POPF-CCA secure). In our work, we introduce two
generalized one-wayness notions and show that under a uniform plaintext distribution,
5
our basic
ORE scheme achieves strictly stronger security compared to OPE schemes that are POPF-CCA
secure. Specifically, Boldyreva et al. [
BCO11
] show that a random order-preserving function leaks
half of the most-significant bits of the messages with probability close to 1. In contrast, under the
same settings, we can show that our basic ORE scheme will not leak any constant fraction of the
message bits with overwhelming probability.
1.2 Related Work
In recent years, there have been numerous works on order-preserving encryption and related
notions [
AKSX04
,
BCLO09
,
BCO11
,
PR12
,
PLZ13
,
TYM14
,
KS14
,
Ker15
,
MCO+15
,
RACY15
].
In this section, we survey some of these works.
Security definitions.
Though the POPF-CCA security definition introduced by Boldyreva
et al. [
BCLO09
] is similar in flavor to PRF security, it is not immediately evident what kind of
information the output of a random order-preserving function leaks about its input. In a follow-up
work [
BCO11
], Boldyreva et al. introduce several notions (based on definitions of one-wayness [
Gol01
]
for one-way functions) to capture the information leakage in schemes that are POPF-CCA secure.
They show that a random order-preserving function leaks at least half of the bits in each message.
5This is the only distribution for which we have concrete analysis of the leakage in any POPF-CCA secure scheme.
4

Teranishi et al. [
TYM14
] also introduce a stronger indistinguishability-based notion (stronger
than the one-wayness definitions from [
BCO11
], but weaker than IND-OCPA) for OPE schemes,
as well as a construction that achieves these stronger notions. Notably, their definition ensures
that under a uniform message distribution, any fraction of the low-order bits of the messages being
encrypted are hidden.
Recently, Naveed et al. [
NKW15
] analyzed the information leaked by order-preserving encryption
used in practical scenarios.
Modular OPE.
Boldyreva et al. also introduced the notion of modular OPE as a possible
extension of standard OPE [
BCO11
]. In modular OPE, a modular shift is applied to each plaintext
before applying OPE—so the scheme is not order-preserving, but naturally supports “wrap-around”
range queries. Their modular OPE scheme adds an extra layer of security to vanilla OPE, but it is
worth noting that leakage of a small amount of information (say, a single plaintext-ciphertext pair)
reveals the shift value and nullifies this added security. Subsequently, Mavroforakis et al. [
MCO+15
]
designed several protocols to avoid leaking the shift value while using modular OPE schemes in
practice.
Mutable OPE.
Popa et al. [
PLZ13
] introduced a related notion of a mutable order-preserving
encoding scheme which can be viewed as a two-party protocol that allows a user to insert and
store encrypted values in a database such that the database is able to perform comparisons and
range queries on the encrypted values without learning anything more about the values. Their
construction is interactive and leverages stateful encryption. By working in this setting, the authors
are able to circumvent the Boldyreva et al. [
BCLO09
] lower bound for order-preserving encryption
and show that their scheme is IND-OCPA secure.
In subsequent work, Kerschbaum and Schr¨opfer [
KS14
] improved on the communication com-
plexity of the Popa et al. construction at the expense of increasing the amount of client-side state.
Specifically, in their construction, the amount of persistent state the client has to maintain increases
linearly in the number of elements inserted into the database. More recently, Kerschbaum [Ker15]
introduced a new notion of frequency-hiding OPE that introduces additional randomness to hide
whether multiple ciphertexts encrypt the same value. Their notions provide a strictly stronger
guarantee than IND-OCPA.
Very recently, Roche et al. [
RACY15
] introduced the notion of partial order-preserving encodings,
which optimizes for the setting where there are a huge number of insertion queries but only a
moderate number of range queries. Their protocol improves upon the round-complexity for insertions
compared to the Popa et al. protocol [
PLZ13
], and requires the client to maintain less state than
the Kerschbaum-Schr¨opfer construction [
KS14
]. All of the schemes described here require stateful
encryption and employ an interactive encryption procedure.
ORE.
Order-revealing encryption schemes, as introduced by Boneh et al. [
BLR+15
] provide
another method of circumventing the Boldyreva et al. lower bound [
BCLO09
]. In an ORE scheme,
the public comparison operation is not required to correspond to numerically comparing the
ciphertexts, and in fact, the ciphertexts themselves need not be elements of a numeric, well-ordered
set. This type of relaxation was previously considered by Pandey and Rouselakis [
PR12
] in the
context of property-preserving encryption. In a property-preserving encryption scheme, there is
a publicly computable function that can be evaluated on ciphertexts to determine the value of
5

some property on the underlying plaintexts. Order-revealing encryption can thus be viewed as
a property-preserving encryption scheme for the comparison operation. Pandey and Rouselakis
introduce and explore several indistinguishability-based notions of security for property-preserving
encryption; however, they do not construct an order-revealing encryption scheme.
To the best of our knowledge, all existing ORE schemes that provide IND-OCPA security either
rely on very strong (and currently impractical) cryptographic primitives such as indistinguishability
obfuscation [
GGG+14
] and cryptographic multilinear maps [
BLR+15
], or only achieve a weaker
notion of security [
AJ15
,
BKS15
] when instantiated with simple cryptographic primitives such as
public key cryptography. For the constructions based on indistinguishability obfuscation or multilin-
ear maps [
GGG+14
,
BLR+15
], security of the ORE scheme is conditional on the conjectured security
of cryptographic multilinear maps [
BS03
,
GGH13a
,
CLT13
,
LSS14
,
GGH15
,
CLT15
,
AFH+16
].
6
However, in the last few months, numerous attacks [
CHL+15
,
BWZ14
,
CGH+15
,
HJ15
,
CLR15
,
MF15
,
Cor15
] on these multilinear maps have emerged, raising some doubts about the security of
constructions that leverage them.
To avoid multilinear maps in favor of more well-studied number-theoretic or lattice-based
assumptions, one can apply arity-amplification techniques [
AJ15
,
BKS15
] to a single-input func-
tional encryption scheme based on simpler assumptions such as learning with errors [
GKP+13
]
or semantically-secure public-key encryption [
SS10
,
GVW12
]. However, due to limitations of the
underlying functional encryption schemes, the resulting ORE scheme only provides “bounded-
message” security—that is, security only holds if there is an a priori (polynomial) bound on the
maximum number of messages that will be encrypted. Moreover, the length of the ciphertexts in this
scheme grows polynomially in the bound on the number of messages that will be encrypted. These
constraints severely limit the practicality of the resulting ORE scheme. To obtain full semantic
security, it would be necessary to apply the arity-amplification transformation to a more powerful
functional encryption scheme, but to date, the only known candidates of such schemes rely again on
indistinguishability obfuscation [GGH+13b] or multilinear maps [GGHZ14].
Recently, Bun and Zhandry [
BZ15
] investigated the connection between order-revealing encryp-
tion and problems in learning theory.
Other schemes.
Numerous ad hoc or heuristic order-preserving encryption schemes [
BHF09
,
KAK10, XYH12] have been proposed in the literature, but most lack formal security analysis.
2 Order-Revealing Encryption
In this section, we establish and review some conventions that we use in this work, and also formally
define our security notions for our encryption schemes.
Preliminaries.
For
n∈N
, we write [
n
] to denote the set of integers
{1, . . . , n}
, and
Zn
to denote
the additive group of integers modulo
n
. If
P
(
x
) is a predicate on
x
, we write
1
(
P
(
x
)) to denote
the indicator function for
P
: that is,
1
(
P
(
x
)) = 1 if and only if
P
(
x
) = 1, and 0 otherwise. If
x, y ∈ {
0
,
1
}∗
are bit-strings, we write
xky
to denote the concatenation of
x
and
y
. For a finite set
S
, we write
Unif
(
S
) to denote the uniform distribution on
S
. We say a function
f
(
λ
) is negligible
in a security parameter
λ
if
f
=
o
(1
/λc
) for all
c∈N
. We write
negl
(
λ
) to denote a negligible
6
To date, the only concrete instantiations of indistinguishability obfuscation [
GGH+13b
,
BGK+14
,
AB15
,
Zim15
]
leverage multilinear maps.
6

function in
λ
and
poly
(
λ
) to denote a polynomial in
λ
. We say an event occurs with negligible
probability if the probability of the event is
negl
(
λ
), and it occurs with overwhelming probability if
the complement of the event occurs with negligible probability. Finally, we review the definition of
a pseudorandom function (PRF) [
GGM84
]. Let
Funs
[
D,R
] denote the set of all functions from a
domain Dto a range R. In this paper, we specialize the domain of our PRFs to {0,1}n.
Definition 2.1
(Pseudorandom Function [
GGM84
])
.
Fix a security parameter
λ
. A PRF
F
:
K × {
0
,
1
}n→ R
with key space
K
, domain
{
0
,
1
}n
, and range
R
is secure if for all efficient
adversaries A,


Pr hkr
←− K :AF(k,·)(1λ) = 1i−Pr hfr
←− Funs[{0,1}n,R] : Af(·)(1λ)=1i

= negl(λ).
2.1 Order-Revealing Encryption
An order-revealing encryption (ORE) scheme is a tuple of algorithms Π = (
ORE.Setup,ORE.Encrypt,
ORE.Compare) defined over a well-ordered domain Dwith the following properties:
•ORE.Setup
(1
λ
)
→sk
. On input a security parameter
λ
, the setup algorithm
ORE.Setup
outputs
a secret key sk.
•ORE.Encrypt
(
sk, m
)
→ct
. On input the secret key
sk
and a message
m∈ D
, the encrypt
algorithm ORE.Encrypt outputs a ciphertext ct.
•ORE.Compare
(
ct1,ct2
)
→b
. On input two ciphertexts
ct1
,
ct2
, the compare algorithm
ORE.Compare outputs a bit b∈ {0,1}.
Remark 2.2
(Public Parameters)
.
In general, the setup algorithm of an ORE scheme can also
output public parameters
pp
which are then passed as an additional input to the comparison
algorithm, as is done in Boneh et al. [
BLR+15
]. However, none of our constructions require these
public parameters, so we omit them in this work for simplicity.
Remark 2.3
(Support for Decryption)
.
As described, our definition of an order-revealing encryption
scheme does not include a “decryption” function. However, this omission is without loss of generality.
To decrypt a message, the holder of the secret key can use the secret key to encrypt messages of her
choosing, apply the comparison algorithm, and perform binary search to recover the message. An
alternative method that avoids the need for binary search is to augment each ORE encryption of a
message
m
with an encryption of
m
under a CPA-secure symmetric encryption scheme. The secret
key of the ORE scheme would also include the key for the symmetric encryption scheme. As long
as the underlying encryption scheme is CPA-secure, including this additional ciphertext does not
compromise security. For the remainder of this work, we use the schema described above that does
not explicitly specify a decryption function.
Correctness.
Fix a security parameter
λ
. An ORE scheme Π = (
ORE.Setup,ORE.Encrypt,
ORE.Compare
) over a well-ordered domain
D
is correct if for
sk ←ORE.Setup
(1
λ
), and all messages
m1, m2∈ D,
Pr[ORE.Compare(ct1,ct2) = 1(m1< m2)] = 1 −negl(λ),
where
ct1←ORE.Encrypt
(
sk, m1
) and
ct2←ORE.Encrypt
(
sk, m2
), and the probability is taken over
the random coins in ORE.Setup and ORE.Encrypt.
7

Security.
We now give our simulation-based notion of security for an ORE scheme. As described
in Section 1.1, our security definition is parameterized by a leakage function
L
, which exactly
specifies what is leaked by an ORE scheme.
Definition 2.4
(Security of ORE with Leakage)
.
Fix a security parameter
λ∈N
. Let Π
ore
=
(
ORE.Setup,ORE.Encrypt,ORE.Compare
) be an ORE scheme. Let
A
= (
A1,...,Aq
) be an adversary
for some
q∈N
. Let
S
= (
S0,S1,...,Sq
) be a simulator, and let
L
(
·
) be a leakage function. We
define the experiments REALore
A(λ) and SIMore
A,S,L(λ) as follows:
REALore
A(λ):
1. sk ←ORE.Setup(1λ)
2. (m1,stA)← A1(1λ)
3. c1←ORE.Encrypt(sk, m1)
4. for 2 ≤i≤q:
(a) (mi,stA)← Ai(stA, c1, . . . , ci−1)
(b) ci←ORE.Encrypt(sk, mi)
5. output (c1, . . . , cq) and stA
SIMore
A,S,L(λ):
1. stS← S0(1λ)
2. (m1,stA)← A1(1λ)
3. (c1,stS)← S1(stS,L(m1))
4. for 2 ≤i≤q:
(a) (mi,stA)← Ai(stA, c1, . . . , ci−1)
(b) (ci,stS)← Si(stS,L(m1, . . . , mi))
5. output (c1, . . . , cq) and stA
We say that Π
ore
is a secure ORE scheme with leakage function
L
(
·
) if for all polynomial-size
adversaries
A
= (
A1,...,Aq
) where
q
=
poly
(
λ
), there exists a polynomial-size simulator
S
=
(
S0,S1,...,Sq
) such that the outputs of the two distributions
REALore
A
(
λ
) and
SIMore
A,S,L
(
λ
) are
computationally indistinguishable.
Remark 2.5
(IND-OCPA Security)
.
We briefly note how the IND-OCPA definition of security is
captured by this definition. Let Lbe the following leakage function:
L(m1, . . . , mt) = {1(mi< mj) : 1 ≤i<j≤t}.
If an ORE scheme is secure with leakage L, then it is IND-OCPA secure.
2.2 Order-Preserving Encryption (OPE)
An OPE scheme [
AKSX04
,
BCLO09
] is a special case of an ORE scheme, where the ciphertext
space is required to be a well-ordered range
R
and moreover, for two ciphertexts
ct1,ct2∈ R
, the
comparison algorithm outputs 1 if
ct1<ct2
. For simplicity, we can write an OPE scheme as a tuple
of algorithms Π = (
OPE.Setup,OPE.Encrypt
) defined over a well-ordered domain
D
and well-ordered
range Rwith the following properties:
•ORE.Setup
(1
λ
)
→sk
. On input a security parameter
λ
, the setup algorithm
ORE.Setup
outputs
a secret key sk.
•ORE.Encrypt
(
sk, m
)
→ct
. On input the secret key
sk
and a message
m∈ D
, the encrypt
algorithm OPE.Encrypt outputs a ciphertext ct ∈ R.
8

Correctness.
An OPE scheme Π = (
OPE.Setup,OPE.Encrypt
) over a well-ordered domain
D
and
well-ordered range Ris correct if sk ←OPE.Setup(1λ), and all messages m1, m2∈ D,
m1< m2⇐⇒ OPE.Encrypt(sk, m1)<OPE.Encrypt(sk, m2)
with overwhelming probability.
2.3 Composing OPE with ORE
By composing an ORE scheme with an OPE scheme, we obtain an ORE scheme whose security is at
least as strong as the security of the underlying OPE scheme. Let Π
ope
= (
OPE.Setup,OPE.Encrypt
)
be an OPE scheme and Π
in
ore
= (ORE
in.
Setup
,
ORE
in.
Encrypt
,
ORE
in.
Compare) be an ORE scheme.
Consider the following composed construction Π
ore
= (ORE
.
Setup
,
ORE
.
Encrypt
,
ORE
.
Compare) of
an ORE scheme with an OPE scheme:
•
ORE
.
Setup(1
λ
). The setup algorithm runs
sk1←OPE.Setup
(1
λ
) and
sk2←
ORE
in.
Setup(1
λ
).
The secret key is sk = (sk1,sk2).
•
ORE
.
Encrypt(
sk,
m). The encryption algorithm outputs ORE
in.
Encrypt(
sk2,OPE.Encrypt
(
sk1,
m)).
•ORE.Compare(ct1,ct2). The compare algorithm outputs OREin.Compare(ct1,ct2).
Correctness of Π
ore
follows immediately from the correctness of Π
in
ore
and Π
ope
. Furthermore, we
note that under our simulation-based definition of security, the composed scheme Π
ore
is at least as
secure as Π
ope
. This intuition is formalized in the following remark, whose proof follows immediately
by construction.
Remark 2.6
(Security of Composed Scheme)
.
For any leakage function
L
(
·
), if the OPE scheme
Π
ope
is secure with leakage function
L
(
·
), then the ORE scheme Π
ore
is also secure with leakage
function L(·).
3 Main Construction
In this section, we give a construction of an ORE scheme for the set of
n
-bit positive integers with
the following leakage function:
Lf(m1, . . . , mt) := {(inddiff (mi, mj),1(mi< mj)) : 1 ≤i<j≤t},(3.1)
where
inddiff
(
x, y
) gives the index of the first bit where
x
and
y
differ. If
x
=
y
, we set
inddiff
(
x, y
) =
n
+ 1. In other words, for
x6
=
y
, if
x
=
x1···xn
and
y
=
y1···yn
, then
inddiff
(
x, y
) is the smallest
index `∈[n] for which x`6=y`.
Construction.
Fix a security parameter
λ∈N
, and take an integer
M≥
3. Let
F
:
K ×
([
n
]
×
{
0
,
1
}n−1
)
→ZM
be a secure PRF. We define our ORE scheme Π
ore
= (
ORE.Setup,ORE.Encrypt,
ORE.Compare) as follows:
•ORE.Setup
(1
λ
). The setup algorithm chooses a uniformly random PRF key
k
for
F
. The
secret key is sk =k.
9

•ORE.Encrypt
(
sk, m
). Let
b1···bn
be the binary representation of
m
and let
sk
=
k
. For each
i∈[n], the encryption algorithm computes
ui=F(k, (i, b1b2···bi−1k0n−i)) + bi(mod M),
and outputs the tuple (u1, u2...,un).
•ORE.Compare(ct1,ct2). The compare algorithm first parses
ct1= (u1, u2, . . . , un)
ct2= (u0
1, u0
2, . . . , un),
where
u1, . . . , un, u0
1, . . . , u0
n∈ZM
. Let
i
be the smallest index where
ui6
=
u0
i
. If no such index
exists, output 0. If such an index exists, output 1 if u0
i=ui+ 1 (mod M), and 0 otherwise.
3.1 Correctness and Security
We now show that the above ORE scheme Π
ore
is correct and secure against the leakage function
Lf
from Equation (3.1). We give the proof of the following theorem in Appendix A.
Theorem 3.1. The ORE scheme Πore is correct.
Next, we state and prove the security theorem for Πore.
Theorem 3.2.
The order-revealing encryption scheme Π
ore
is secure with respect to leakage function
Lf(Definition 2.4) under the PRF security of F.
Proof.
Fix a security parameter
λ
and let
A
= (
A1,...,Aq
) where
q
=
poly
(
λ
) be an efficient
adversary for the ORE security game (Definition 2.4). To prove security, we give an efficient
simulator
S
= (
S0,...,Sq
) for which the outputs of the distributions
REALore
A
(
λ
) and
SIMore
A,S,Lf
(
λ
)
are computationally indistinguishable.
We use a hybrid argument. We begin by defining the hybrid experiments:
•Hybrid H0: This is the real experiment REALore
A(λ).
•Hybrid
H
1
: Same as H
0
, except during
ORE.Setup
, a random function
fr
←− Funs
[([
n
]
×
{
0
,
1
}n−1
)
,ZM
] is chosen. In all invocations of
ORE.Encrypt
, the function
F
(
k, ·
) is replaced
by f(·).
Hybrids H
0
and H
1
are computationally indistinguishable under the PRF security of
F
. Thus,
it suffices to show that there exists a simulator
S
such that the distribution of outputs in H
1
is
computationally indistinguishable from SIMore
A,S,Lf(λ).
Description of the simulator.
We now describe the simulator
S
= (
S0,...,Sq
). First,
S0
initializes an empty lookup tables L: [
q
]
×
[
n
]
→ZM
. It then outputs
stS
=L. Then, for each
t∈
[
q
],
after the adversary outputs a query
mt
, the simulation algorithm
St
is invoked on input
stS
=Land
Lf
(
m1, . . . , mt
). In particular,
Lf
(
m1, . . . , mt
) contains the values
1
(
mj< mt
) and
inddiff
(
mj, mt
)
for all
j∈
[
t−
1], where
inddiff
(
mj, mt
) is the index of the first bit in
mj
and
mt
that differ. For
each s∈[n], there are three cases to consider:
10

•Case 1:
There exists a
j∈
[
t−
1] such that
inddiff
(
mj, mt
)
> s
. If there are multiple
j
for
which inddiff (mj, mt)> s, let jbe the smallest one. Then, the simulator sets us=L(j, s).
•Case 2:
For each
`∈
[
t−
1],
inddiff
(
m`, mt
)
≤s
, and there exists a
j∈
[
t−
1] for which
inddiff
(
mj, mt
) =
s
. If there are multiple
j
for which
inddiff
(
mj, mt
) =
s
, let
j
be the smallest
one. Then, the simulator sets us=L(j, s)−(1 −2·1(mj< mt)) (mod M).
•Case 3:
For each
`∈
[
t−
1],
inddiff
(
m`, mt
)
< s
. In this case, the simulator samples
yr
←− ZM
and sets us=y.
For each
s∈
[
n
], the simulator adds the mapping (
t, s
)
7→ us
to L. Finally, the simulator
St
outputs
the ciphertext
ctt
= (
u1, u2, . . . , un
) and the updated state
stS
=L. This completes the description
of the simulator S.
Correctness of the simulation.
We show that the simulator
S
= (
S0,...,Sq
) perfectly simulates
the distribution in hybrid H
2
. Let (
ct1,...,ctq
) be the joint distribution of the ciphertexts output in
hybrid H
2
, and let (
ct1,...,ctq
) be the joint distribution of the ciphertexts output by the simulator.
We proceed inductively in the number of queries q. The base case (q= 0) follows trivially.
Suppose now that (
ct1,...,ctt−1
)
≡
(
ct1,...,ctt−1
) for some
t∈
[
q
]. We show that the statement
holds for
t
+ 1. Consider the distributions of
ctt
and
ctt
. First, for any
j∈
[
t
], write ciphertext
ctj
as (
uj,1, uj,2, . . . , uj,n
) and
ctj
as (
uj,1, uj,2, . . . , uj,n
). In addition, for
j∈
[
t
], we write
bj,s
to denote
the sth bit of mj. For each s∈[n], we consider three cases:
•Case 1:
There exists a
j∈
[
t−
1] such that
inddiff
(
mj, mt
)
> s
. If there are multiple
j
for
which
inddiff
(
mj, mt
)
> s
, let
j
be the smallest one. This means that
mj
and
mt
share a prefix
of length at least
s
. Let
p∈ {
0
,
1
}s−1
be the first
s−
1 bits of this common prefix. Then, in
hybrid H1, we have
ut,s =f(s, pk0n−s) + bt,s =uj,s.
In the simulation,
ut,s
=L(
j, s
) =
uj,s
. Since
j < t
, we conclude from the induction hypothesis
that ut,s and ut,s are identically distributed.
•Case 2:
For each
`∈
[
t−
1],
inddiff
(
m`, mt
)
≤s
, and there exists a
j∈
[
t−
1] such that
inddiff
(
mj, mt
) =
s
. If there are multiple
j
for which
inddiff
(
mj, mt
) =
s
, let
j
be the smallest
one. This means that
mj
and
mt
share a prefix
p∈ {
0
,
1
}s−1
of length
s−
1. Then, in hybrid
H1, we have
ut,s =f(s, pk0n−s) + bt,s (mod M).
In the simulation,
ut,s =L(j, s)−(1 −2·1(mj< mt)) = uj,s −(1 −2·1(mj< mt)) (mod M).
In hybrid H
2
,
uj,s
=
f
(
s, pk
0
n−s
) +
bj,s
. By assumption,
bj,s 6
=
bt,s
, so we can write
bt,s
=
bj,s −(1 −2·1(mj< mt)). Thus, in hybrid H2, we have
ut,s =f(s, pk0n−s+1) + bt,s =uj,s −(1 −2·1(mj< mt)) (mod M).
By the inductive hypothesis,
uj,s
and
uj,s
are identically distributed, so we conclude that
ut,s
and ut,s are identically distributed.
11

•Case 3:
For each
`∈
[
t−
1],
inddiff
(
m`, mt
)
< s
. Let
p∈ {
0
,
1
}s−1
be the first
s−
1 bits of
mt. In hybrid H1, we have
ut,s =f(s, pk0n−s) + bt,s (mod M),
while in the simulation
ut,s
is a uniformly random string. By assumption, none of the messages
m1, . . . , mt−1
begin with the prefix
p
. Since
f
is a truly random function, the value of
f
(
s, pk
0
n−s
) is uniform in
ZM
and independent of all other ciphertexts. Thus,
ut,s
and
ut,s
are identically distributed.
We conclude that for all
s∈
[
n
],
ut,s ≡ut,s
. Since the components of each ciphertext are constructed
independently in both hybrid H
1
and in the simulation, this suffices to show that
ctt
and
ctt
are
identically distributed. The claim then follows by induction on t.
Space usage. The order-revealing encryption scheme Πore on n-bit inputs produces encryptions
of size
dn·log2Me
. By setting
M
= 3, an encryption of an
n
-bit message under Π
ore
consists of only
dn·log23e ≈ 1.59 nbits. In Appendix B, we describe a “d-ary” generalization of Πore that further
reduces the size of the ciphertexts in the ORE scheme, but with a slight loss in security. Specifically,
we construct an ORE scheme where an encryption of an
n
-bit message has length approximately
n·logd
(2
d−
1) for any integer
d≥
2. Since
logd
(2
d−
1) is a monotonically decreasing function in
d
,
larger values of dyield shorter ciphertexts, but increased leakage.
3.2 Conversion to OPE
In this section, we explain how to convert Π
ore
, an ORE scheme, into an OPE scheme. This means
that ciphertexts of the resulting OPE scheme can be compared using the normal comparison function
on numbers. To do this, we apply a simple transformation of any ciphertext
ct
of Π
ore
into a number
c
that lies in the range [0
, M n−
1] for which direct numeric comparisons of two numbers
c1
and
c2
reveal the order relation of the underlying plaintexts.
Recall that in Π
ore
, ciphertexts are of the form
ct
= (
u1, u2...,un
), where for each
i∈
[
n
],
ui
lies in the range
ZM
. The ciphertext in the resulting OPE scheme is taken to be the
dn·log2Me
-bit
number
c=
n
X
i=1
ui·Mn−i∈[0, M n−1].(3.2)
Intuitively, we view
u1u2···un
as a base-
M
representation of the OPE ciphertext. Correctness
follows similarly to Π
ore
, except here, there is a non-zero probability of error (as opposed to Π
ore
where correctness held with probability 1). We claim that for any two messages
m1, m2∈
[0
,
2
n−
1],
m1< m2⇐⇒ c1< c2,
with probability 1
−
1
/M
, where
c1, c2∈
[0
, M n−
1] are the ciphertexts obtained by first invoking
ORE.Encrypt
on
m1, m2
, respectively, and then applying the transformation in Equation
(3.2)
. To
see this, let
i∈
[
n
] be the first bit position on which
m1
and
m2
differ. Observe that the numeric
comparison of the OPE ciphertexts behaves identically as the ORE comparison procedure, except
when the output of the PRF on the first
i−
1 bits of the messages is the value
M−
1.
7
However, by
7
If no reduction modulo
M
occurs in the
ORE.Encrypt
encryption, then numerically comparing the transformed
ciphertexts is identical to evaluating the ORE.Compare procedure (since all relations hold over the integers).
12

PRF security, this event happens with probability 1
/M
, and thus, correctness holds with probability
1
−
1
/M
. For instance, if
M
= 2
λ
(that is,
λ
bits), correctness holds with overwhelming probability.
For practical scenarios, it may be suitable to only take
M≈
2
40
(the failure probability in this case
is 2−40).
Security of the resulting OPE scheme follows identically from security of Π
ore
, as the transforma-
tion from ciphertexts
ct
to numbers
c
is bijective. We note that while this scheme is order-preserving,
it does not behave like a random order-preserving function, and thus, does not inherit the security
limitations associated with such OPE schemes [
BCO11
]. In fact, our simulation-based security
model and associated security theorem (Theorem 3.1) enables us to precisely specify the information
leakage in this order-preserving encryption scheme.
In Appendix B, we describe a “
d
-ary” generalization of Π
ore
. While this generalization does not
reduce the size of the resulting ciphertexts in the ORE scheme, it does yield shorter ciphertexts
in the OPE instantiation (by approximately a
log2d
multiplicative factor), with a slight loss in
security. Correctness in this generalized scheme holds with probability 1 −d/M.
4 Comparison to Existing OPE Schemes
We now compare the leakage of our order-revealing encryption scheme to that of existing order-
preserving encryption schemes by Boldyreva et al. [
BCLO09
,
BCO11
]. As explained in Section 2.3,
composing any existing OPE scheme with an ORE scheme results in a new ORE scheme which is
at least as secure as the underlying OPE scheme.
8
In this section, we show that even without the
composition, our construction still achieves stronger security according to the metrics proposed by
Boldyreva et al.
The security definition achieved by an order-preserving encryption scheme is that the encryption
function behaves like a random order-preserving function (ROPF) from the plaintext space to
the ciphertext space. While this definition has the same flavor as that for PRFs, the behavior
of a truly random function is very different from that of a random order-preserving function. In
particular, the output of an order-preserving function is not independent of its input, and thus,
reveals some information about the input. It turns out that quantifying the exact information
leakage is a non-trivial task in general. However, under certain assumptions (for example, if the
messages are drawn from a uniform distribution), it is possible to obtain concrete upper bounds
on the information leakage [
BCO11
]. In particular, Boldyreva et al. propose two security notions,
window one-wayness and window distance one-wayness, to analyze the security of an OPE scheme.
In our setting, the nature of our security definition allows us to analyze the construction under
a more generalized set of definitions compared to [
BCO11
]. We present our analysis for window
one-wayness here, and defer the analysis of window distance one-wayness to Appendix D.
4.1 One-Wayness
One of the most basic requirements of an encryption scheme is that it is one-way. Given a ciphertext,
an adversary that does not have the secret key should not be able to recover the underlying message.
In the standard definition of one-wayness [
Gol01
], the adversary is given the encryption of a random
message, and its goal is to guess the message. This is a very weak notion of security, and even if
8
In most cases, the security of the composed scheme is strictly greater than that of the base OPE scheme since our
ORE construction provides semantic security for a single ciphertext, whereas existing OPE schemes generally do not.
13

an encryption is one-way, the adversary might still be able to deduce nontrivial information about
the message given only the ciphertext. To address this, Boldyreva et al. [
BCLO09
] introduce a
more general notion of one-wayness where the adversary is allowed to guess a contiguous interval (a
window) in the one-wayness challenge. The adversary succeeds if the message is contained within the
interval. Moreover, the adversary is given multiple encryptions (of random messages) and succeeds
if it outputs an interval that contains at least one of the messages.
The notion of window one-wayness is useful for arguing that an adversary does not learn many
of the most significant bits of the message, but if all bits of the message are equally sensitive, then
this definition is less useful. In our work, we present a more general definition of one-wayness, where
instead of outputting an interval, the adversary is allowed to specify a set of guesses. To allow the
adversary to specify a super-polynomially-sized set of guesses, we instead require the adversary
to submit a circuit
C
that encodes its set (
C
(
x
) = 1 if and only if
x
is in the set). By requiring
that the circuit encodes a contiguous interval, we recover the window one-wayness definition by
Boldyreva et al. [BCO11]. We now give our generalized definition.
Definition 4.1
(Generalized One-Wayness)
.
Fix a plaintext space
D
and let Π = (
ORE.Setup,
ORE.Encrypt,ORE.Compare
) be an ORE over
D
. The (
r, z
)-generalized one-wayness advantage of
an adversary Aagainst Π is given by
Advgow
r,z,Π(A)def
= Pr[Exptgow
r,z,Π,A(1λ) = 1],
where the (r, z)-generalized one-wayness experiment Exptgow
r,z,Π,A(1λ) is defined as follows:
Experiment Exptgow
r,z,Π,A(1λ):
1. sk ←ORE.Setup(1λ)
2. sample m1, . . . , mzuniformly from Dwithout replacement
3. for i∈[z], cti←ORE.Encrypt(sk, mi)
4. C← A(ct1,...,ctz), where C:D → {0,1}is a circuit of size poly(λ)
5.
output 1 if
C
(
mi
) = 1 for some
i∈
[
z
] and
|{x∈ D :C(x) = 1}| ≤ r
; otherwise, output 0
Remark 4.2
(Comparison with Existing One-Wayness Notions)
.
By restricting the parameters
(
r, z
) and the classes of circuits the adversary is allowed to output, Definition 4.1 captures many
existing notions of one-wayness. For example, when
r
=
z
= 1, we recover the usual notion of
one-wayness [
Gol01
]. When the underlying plaintext space is the ring
ZM
for some integer
M
and
we require that the circuit output by the adversary encodes a contiguous interval of length at most
r
in
ZM
, our definition corresponds to the notion of window one-wayness introduced by Boldyreva
et al. [BCO11].
We now state our security theorem, but defer the proof to Appendix C.
Theorem 4.3.
Fix a security parameter
λ
and a plaintext space
{
0
,
1
}n
where
n
=
ω
(
log λ
). Let
Π
ore
be the ORE scheme given at the beginning of Section 3. Then, for any constant
ε∈
(0
,
1], any
z= poly(λ), and all efficient adversaries A,
Advgow
r,z,Πore,A(1λ) = negl(λ),
where r= 2n(1−ε).
14

Comparison to existing schemes.
When discussing the notion of one-wayness, we will always
assume that the message-space is super-polynomial in the security parameter. Otherwise, the trivial
adversary that just guesses a random point in the message space will succeed with non-negligible
probability.
In [
BCO11
], Boldyreva et al. give an upper bound on the one-wayness advantage of any
(possibly computationally unbounded) adversary
A
against a random order-preserving function
ROPF. This corresponds to setting
r
= 1 in our definition. They show [
BCO11
, Theorem 4.1] that
for
z
=
poly
(
λ
),
Advgow
1,z,ROPF,A
=
negl
(
λ
). The same statement holds for our ORE construction
assuming a computationally bounded adversary: simply instantiate Theorem 4.3 with ε= 1.
In addition to giving an upper bound on an adversary’s ability to guess the plaintext from the
ciphertext, Boldyreva et al. also give a lower bound on the advantage for the case when
r
is large.
In particular, they exhibit an efficient adversary
A
against an ROPF such that
Advgow
r,z,ROPF,A
(1
λ
) =
1
−
2
e−b2/2
for a constant
b
when
r
=
O
(
√2n
) and for any
z
[
BCO11
, Theorem 4.2].
9
In other
words, the authors describe a concrete adversary that is able to break the generalized one-wayness
of any POPF-CCA-secure scheme (with probability close to 1) if the adversary is allowed to specify
a set with
r
=
O
(
√2n
) elements, even when
z
= 1. An intuitive way to understand this result
is that given the output of an ROPF, an adversary can deduce roughly half of the bits of the
associated input. In contrast, in our ORE scheme, if the adversary only sees a polynomial number
of ciphertexts (
z
=
poly
(
λ
)), then invoking Theorem 4.3 with
ε
= 1
/
2, we have that for all efficient
adversaries
A
,
Advgow
r,z,Πore,A
(1
λ
) =
negl
(
λ
) where
r
=
√2n
. In fact, as Theorem 4.3 demonstrates,
the adversary’s advantage remains negligible even if we further increase the size of the sets the
adversary is allowed to submit.
Intuitively, our results show that if the adversary only sees a polynomial number of ciphertexts,
then it does not learn any constant fraction
ε
of the bits in the underlying plaintext from each
ciphertext. In contrast, with an ROPF, and correspondingly, any OPE scheme that realizes a ROPF,
each ciphertext alone leaks half of the most-significant bits of the underlying plaintext.
Similarly, while the OPE scheme by Teranishi et al. [
TYM14
] can be shown to hide any constant
fraction of the least significant bits of the plaintext, no such guarantee exists for the other bits of the
plaintext. Note though that the security notion proposed in [
TYM14
] is indistinguishability-based
and hence, stronger than the one-wayness security notions. In fact, our basic ORE construction (by
itself) does not achieve their indistinguishability-based definition. However, by composing our ORE
construction with their OPE construction, we obtain a resulting ORE scheme which is strictly more
secure, since it inherits the security properties of the underlying OPE scheme as well as semantic
security for a single ciphertext (Section 2.3, Remark 2.6).
5 Conclusions
In this work, we introduced a new notion of security for order-preserving, and more generally,
order-revealing encryption. Our simulation-based security notion is defined with respect to a leakage
function which precisely characterizes what the ciphertexts in the scheme leak about the underlying
messages. We then give a practical order-revealing encryption scheme which achieves this security
notion for a specific leakage function. By composing our ORE construction with existing OPE
9
Strictly speaking, the adversary they describe is for the window one-wayness experiment, but any adversary
that succeeds in the window one-wayness experiment also succeeds in the generalized one-wayness experiment
(Definition 4.1).
15

schemes, we obtain an ORE scheme with increased security. It is our hope that having a concrete
leakage model will enable practitioners to make better-informed decisions on whether an ORE
scheme is appropriate for their particular application. We conclude with several open problems:
1. Can we construct a practical ORE scheme with stronger security guarantees?
2.
Can we reduce the ciphertext length of our ORE scheme while still maintaining a similar level
of security?
3.
Is it possible to build a practical ORE scheme with best-possible security from standard
assumptions?
Acknowledgments
We would like to thank Sam Kim for helpful discussions about ORE, and Adam O’Neill for useful
insights in shrinking the ciphertext size of our main construction. We also thank the anonymous
reviewers for their helpful comments. This work was partially supported by an NSF Graduate
Research Fellowship. Opinions, findings and conclusions or recommendations expressed in this
material are those of the authors and do not necessarily reflect the views of Facebook.
References
[AB15]
Benny Applebaum and Zvika Brakerski. Obfuscating circuits via composite-order
graded encoding. In TCC, pages 528–556, 2015.
[AFH+16]
Martin R. Albrecht, Pooya Farshim, Dennis Hofheinz, Enrique Larraia, and Kenneth G.
Paterson. Multilinear maps from obfuscation. In TCC, 2016.
[AJ15]
Prabhanjan Ananth and Abhishek Jain. Indistinguishability obfuscation from compact
functional encryption. In CRYPTO, pages 308–326, 2015.
[AKSX04]
Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. Order-
preserving encryption for numeric data. In SIGMOD, pages 563–574, 2004.
[BCLO09]
Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O’Neill. Order-
preserving symmetric encryption. In EUROCRYPT, pages 224–241, 2009.
[BCO11]
Alexandra Boldyreva, Nathan Chenette, and Adam O’Neill. Order-preserving encryp-
tion revisited: Improved security analysis and alternative solutions. In CRYPTO, pages
578–595, 2011.
[BGK+14]
Boaz Barak, Sanjam Garg, Yael Tauman Kalai, Omer Paneth, and Amit Sahai. Pro-
tecting obfuscation against algebraic attacks. In EUROCRYPT, pages 221–238, 2014.
[BHF09]
Carsten Binnig, Stefan Hildenbrand, and Franz F¨arber. Dictionary-based order-
preserving string compression for main memory column stores. In ACM SIGMOD,
pages 283–296, 2009.
16

[BKS15]
Zvika Brakerski, Ilan Komargodski, and Gil Segev. From single-input to multi-input
functional encryption in the private-key setting. IACR Cryptology ePrint Archive,
2015:158, 2015.
[BLR+15]
Dan Boneh, Kevin Lewi, Mariana Raykova, Amit Sahai, Mark Zhandry, and Joe
Zimmerman. Semantically secure order-revealing encryption: Multi-input functional
encryption without obfuscation. In EUROCRYPT, pages 563–594, 2015.
[BS03]
Dan Boneh and Alice Silverberg. Applications of multilinear forms to cryptography.
Contemporary Mathematics, 324(1):71–90, 2003.
[BWZ14]
Dan Boneh, David J. Wu, and Joe Zimmerman. Immunizing multilinear maps against
zeroizing attacks. IACR Cryptology ePrint Archive, 2014:930, 2014.
[BZ15]
Mark Bun and Mark Zhandry. Order-revealing encryption and the hardness of private
learning. IACR Cryptology ePrint Archive, 2015:417, 2015.
[CGH+15]
Jean-S´ebastien Coron, Craig Gentry, Shai Halevi, Tancr`ede Lepoint, Hemanta K. Maji,
Eric Miles, Mariana Raykova, Amit Sahai, and Mehdi Tibouchi. Zeroizing without low-
level zeroes: New MMAP attacks and their limitations. In CRYPTO, pages 247–266,
2015.
[CGKO06]
Reza Curtmola, Juan A. Garay, Seny Kamara, and Rafail Ostrovsky. Searchable
symmetric encryption: improved definitions and efficient constructions. In ACM CCS,
pages 79–88, 2006.
[CHL+15]
Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehl´e.
Cryptanalysis of the multilinear map over the integers. In EUROCRYPT, pages 3–12,
2015.
[CLR15]
Jung Hee Cheon, Changmin Lee, and Hansol Ryu. Cryptanalysis of the new CLT
multilinear maps. IACR Cryptology ePrint Archive, 2015:934, 2015.
[CLT13]
Jean-S´ebastien Coron, Tancr`ede Lepoint, and Mehdi Tibouchi. Practical multilinear
maps over the integers. In CRYPTO, pages 476–493, 2013.
[CLT15]
Jean-S´ebastien Coron, Tancr`ede Lepoint, and Mehdi Tibouchi. New multilinear maps
over the integers. In CRYPTO, pages 267–286, 2015.
[CM05]
Yan-Cheng Chang and Michael Mitzenmacher. Privacy preserving keyword searches
on remote encrypted data. In ACNS, pages 442–455, 2005.
[Cor15] Jean-S´ebastien Coron. Cryptanalysis of GGH15 multilinear maps, 2015.
[GGG+14] Shafi Goldwasser, S. Dov Gordon, Vipul Goyal, Abhishek Jain, Jonathan Katz, Feng-
Hao Liu, Amit Sahai, Elaine Shi, and Hong-Sheng Zhou. Multi-input functional
encryption. In EUROCRYPT, pages 578–602, 2014.
[GGH13a] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal
lattices. In EUROCRYPT, pages 1–17, 2013.
17

[GGH+13b]
Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent
Waters. Candidate indistinguishability obfuscation and functional encryption for all
circuits. In FOCS, pages 40–49, 2013.
[GGH15]
Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps
from lattices. In TCC, pages 498–527, 2015.
[GGHZ14]
Sanjam Garg, Craig Gentry, Shai Halevi, and Mark Zhandry. Fully secure functional
encryption without obfuscation. IACR Cryptology ePrint Archive, 2014:666, 2014.
[GGM84]
Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random
functions (extended abstract). In FOCS, pages 464–479, 1984.
[GKP+13]
Shafi Goldwasser, Yael Tauman Kalai, Raluca A. Popa, Vinod Vaikuntanathan, and
Nickolai Zeldovich. Reusable garbled circuits and succinct functional encryption. In
STOC, pages 555–564, 2013.
[GM84]
Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci.,
28(2):270–299, 1984.
[Gol01]
Oded Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques.
Cambridge University Press, 2001.
[GVW12]
Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Functional encryption
with bounded collusions via multi-party computation. In CRYPTO, pages 162–179,
2012.
[HJ15]
Yupu Hu and Huiwen Jia. Cryptanalysis of GGH map. IACR Cryptology ePrint
Archive, 2015:301, 2015.
[KAK10]
Hasan Kadhem, Toshiyuki Amagasa, and Hiroyuki Kitagawa. A secure and efficient
order preserving encryption scheme for relational databases. In KMIS, pages 25–35,
2010.
[Ker15]
Florian Kerschbaum. Frequency-hiding order-preserving encryption. In ACM CCS,
pages 656–667, 2015.
[KS14]
Florian Kerschbaum and Axel Schr¨opfer. Optimal average-complexity ideal-security
order-preserving encryption. In ACM CCS, pages 275–286, 2014.
[LSS14]
Adeline Langlois, Damien Stehl&apos;e, and Ron Steinfeld. Gghlite: More efficient
multilinear maps from ideal lattices. In EUROCRYPT, 2014.
[MCO+15]
Charalampos Mavroforakis, Nathan Chenette, Adam O’Neill, George Kollios, and Ran
Canetti. Modular order-preserving encryption, revisited. In ACM SIGMOD, pages
763–777, 2015.
[MF15]
Brice Minaud and Pierre-Alain Fouque. Cryptanalysis of the new multilinear map over
the integers. IACR Cryptology ePrint Archive, 2015:941, 2015.
18

[NKW15]
Muhammad Naveed, Seny Kamara, and Charles V. Wright. Inference attacks on
property-preserving encrypted databases. In CCS, 2015.
[PLZ13]
Raluca A. Popa, Frank H. Li, and Nickolai Zeldovich. An ideal-security protocol
for order-preserving encoding. In IEEE Symposium on Security and Privacy, pages
463–477, 2013.
[PR12]
Omkant Pandey and Yannis Rouselakis. Property preserving symmetric encryption. In
EUROCRYPT, pages 375–391, 2012.
[PRZB11]
Raluca A. Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan.
Cryptdb: protecting confidentiality with encrypted query processing. In SOSP, pages
85–100, 2011.
[RACY15]
Daniel Roche, Daniel Apon, Seung Geol Choi, and Arkady Yerukhimovich. POPE:
Partial order-preserving encoding. Cryptology ePrint Archive, Report 2015/1106, 2015.
[Sky] Skyhigh Networks Inc. https://www.skyhighnetworks.com/. Accessed: 2015-11-12.
[SS10]
Amit Sahai and Hakan Seyalioglu. Worry-free encryption: functional encryption with
public keys. In ACM CCS, pages 463–472, 2010.
[TYM14]
Isamu Teranishi, Moti Yung, and Tal Malkin. Order-preserving encryption secure
beyond one-wayness. In ASIACRYPT, pages 42–61, 2014.
[XYH12]
Liangliang Xiao, I-Ling Yen, and Dung T. Huynh. Extending order preserving encryp-
tion for multi-user systems. IACR Cryptology ePrint Archive, 2012:192, 2012.
[Zim15]
Joe Zimmerman. How to obfuscate programs directly. In EUROCRYPT, pages 439–467,
2015.
A Proof of Theorem 3.1
Fix any two messages
m1, m2∈ {
0
,
1
}n
. To show correctness, we show that for
sk ←ORE.Setup
(1
λ
),
and cti←ORE.Encrypt(sk, mi) for i∈ {1,2}, then
Pr[ORE.Compare(ct1,ct2) = 1(m1< m2)] = 1.(A.1)
Let
k
=
sk
be the PRF key output by the setup algorithm. Let
b1···bn
be the binary representation
of
m1
and let
b0
1···b0
n
be the binary representation of
m2
. Next, write
ct1
= (
u1, u2,...un
) and
ct2= (u0
1, u0
2, . . . , u0
n) We now show that m1< m2if and only if ORE.Compare(ct1,ct2) = 1.
•
Suppose
m1< m2
. Then, there exists some index
i∈
[
n
] such that
bi
= 0 and
b0
i
= 1 and for
all j < i,bj=b0
j. By construction of ct1and ct2, for all j < i,
uj=F(k, (j, b1b2···bj−1k0n−j)) + bj
=F(k, (j, b0
1b0
2···b0
j−1k0n−j)) + b0
j=u0
j(mod M).
Since bi= 0 and b0
i= 1, we have that
u0
i=F(k, (i, b0
1b0
2···b0
i−1k0n−i)) + b0
i=ui+ 1 (mod M),
in which case, ORE.Compare(ct1,ct2) outputs 1.
19

•
Suppose that
ORE.Compare
(
ct1,ct2
) = 1. This means that there exists an index
i∈
[
n
] such
that
u0
i
=
ui
+ 1 (
mod M
) and for all
j < i
,
uj
=
u0
j
. We first argue that for all 1
≤j < i
,
bj=b0
j. We proceed inductively on j. For the base case j= 1, we have that
F(k, (1,0n−1)) + b1=u1=u0
1=F(k, (1,0n−1)) + b0
1(mod M),
from which we conclude that b1=b0
1. Next, suppose that b1b2· · · bj=b0
1b0
2···b0
j. Then,
uj+1 =F(k, (j+ 1, b1b2···bjk0n−j−1)) + bj+1 (mod M)
u0
j+1 =F(k, (j+ 1, b0
1b0
2···b0
jk0n−j−1)) + b0
j+1 (mod M).
By the inductive hypothesis,
b1b2···bj
=
b0
1b0
2···b0
j
, and by assumption
uj+1
=
u0
j+1
, so
we conclude that
bj+1
=
b0
j+1
. By induction on
j
, we have that for all
j < i
,
bj
=
b0
j
. To
complete the proof, we argue that
bi
= 0 and
b0
i
= 1. By assumption,
u0
i
=
ui
+ 1 (
mod M
).
Since
b1b2···bi−1
=
b0
1b0
2···b0
i−1
, it follows that
b0
i
=
bi
+ 1 (
mod M
). Because
M≥
3 and
bi, b0
i∈ {0,1}the only solution is for bi= 0 and b0
i= 1. The claim follows.
B Generalizing the Conversion to OPE
In this section, we consider the “
d
-ary” generalization of Π
ore
, which on
`
-bit inputs produces
ciphertexts of size approximately
`·logdM
, for any
M≥
2
d−
1. For ORE, this generalization
yields only a modest decrease in the size of the ciphertexts, but if we apply the conversion to OPE
from Section 3.2 to the generalized scheme, we obtain a
log2d
multiplicative factor reduction in
ciphertext size, but with a slight loss in security. In particular, this
d
-ary generalization of Π
ore
is
secure with respect to the following leakage function:
Ld
f(m1, . . . , mt) := nind(d)
diff (mi, mj),1(mi< mj): 1 ≤i<j≤to,(B.1)
where
ind(d)
diff
(
x, y
) is defined as follows. For two
d
-ary inputs
x
=
x1···xn
and
y
=
y1···yn
where
x6=y, we define
ind(d)
diff (x, y) = (k, xk−yk),
where kis the smallest index where xk6=yk. If x=y, then ind(d)
diff (x, y)=(n+ 1,0).
Generalized construction.
Fix a security parameter
λ∈N
, and take an integer
M≥
2
d−
1. Let
F
:
K×
([
n
]
×
[0
, d−
1]
n−1
)
→ZM
be a secure PRF. We define our ORE scheme Π
gen-ore
= (
ORE.Setup,
ORE.Encrypt,ORE.Compare) as follows:
•ORE.Setup
(1
λ
). The setup algorithm chooses a uniformly random PRF key
k
for
F
. The
secret key is sk =k.
•ORE.Encrypt
(
sk, m
). Let
b1···bn
be the
d
-ary representation of
m
and let
sk
=
k
. For each
i∈[n], the encryption algorithm computes
ui=F(k, (i, b1b2···bi−1k0n−i)) + bi(mod M),
and outputs (u1, u2...,un).
20

•ORE.Compare(ct1,ct2). The compare algorithm first parses
ct1= (u1, u2, . . . , un)
ct2= (u0
1, u0
2, . . . , u0
n),
where
u1, . . . , un, u0
1, . . . , u0
n∈ZM
. Let
i
be the smallest index where
ui6
=
u0
i
. If no such
index exists, output 0. If such an index exists, output 1 if there exists
k∈
[
d−
1] such that
u0
i=ui+k(mod M), and 0 otherwise.
Correctness of the ORE scheme Π
gen-ore
follows almost identically as the correctness of Π
ore
by
adapting the correctness proof to deal with the
d
-ary representation of the message as opposed to
the binary representation. The proof of security for Π
gen-ore
is also similar to that for Theorem 3.2.
Theorem B.1.
The order-revealing encryption scheme Π
gen-ore
is secure with respect to leakage
function Ld
funder the PRF security of F.
Proof.
Fix a security parameter
λ
and let
A
= (
A1,...,Aq
) where
q
=
poly
(
λ
) be an efficient
adversary for the ORE security game (Definition 2.4). To prove security, we give an efficient
simulator
S
= (
S0,...,Sq
) for which the outputs of the distributions
REALore
A
(
λ
) and
SIMore
A,S,Ld
f
(
λ
)
are computationally indistinguishable.
We use a hybrid argument similar to the argument used in the proof of Theorem 3.2. We begin
by defining the hybrid experiments:
•Hybrid H0: This is the real experiment REALore
A(λ).
•Hybrid
H
1
: Same as H
1
, except during
ORE.Setup
, a random function
fr
←− Funs
[([
n
]
×
[0
, d −
1]
n−1
)
,ZM
] is chosen. In all invocations of
ORE.Encrypt
, the function
F
(
k, ·
) is replaced by
f(·).
By the same argument as in the proof of Theorem 3.2, hybrids H
0,
H
1
are computationally indistin-
guishable under the PRF security of
F
. It suffices to show that there exists a simulator
S
such that
the distribution of outputs in H1is computationally indistinguishable from SIMore
A,S,Ld
f
(λ).
Description of the simulator.
We now describe the simulator
S
= (
S0,...,Sq
). First,
S0
initializes an empty lookup tables L: [
q
]
×
[
n
]
→ZM
. It then outputs
stS
=L. Then, for each
t∈
[
q
],
after the adversary outputs a query
mt
, the simulation algorithm
St
is invoked on input
stS
=Land
Ld
f
(
m1, . . . , mt
). In particular,
Ld
f
(
m1, . . . , mt
) contains the values
1
(
mj< mt
) and
ind(d)
diff
(
mj, mt
)
for all
j∈
[
t−
1], where
ind(d)
diff
(
mj, mt
) consists of a pair (
k, w
) where
k∈
[
n
] is the index of the
first
d
-ary chunk in
mj
and
mt
that differ,
w
=
mj,k −mt,k
, and
mj,k
and
mt,k
are the
kth d
-ary
chunks of mjand mt, respectively. For each s∈[n], there are three cases to consider:
•Case 1:
There exists a
j∈
[
t−
1] and (
k, w
)
∈
[
n
]
×
[
−d, d
] such that
ind(d)
diff
(
mj, mt
) = (
k, w
)
and
k > s
. If there are multiple
j
for which the property holds, let
j
be the smallest one.
Then, the simulator sets us=L(j, s).
•Case 2:
For each
`∈
[
t−
1], there exists a (
k, z
)
∈
[
n
]
×
[
−d, d
] for which
ind(d)
diff
(
m`, mt
) = (
k, z
)
and k≤s, and there exists a j∈[t−1] and w∈[−d, d] for which ind(d)
diff (mj, mt)=(s, w). If
there are multiple
j
for which
ind(d)
diff
(
mj, mt
) = (
s, w
) for some
w
, let
j
be the smallest one.
Then, the simulator sets us=L(j, s)−w(mod M).
21

•Case 3:
For each
`∈
[
t−
1], there exist a (
k, z
)
∈
[
n
]
×
[
−d, d
] for which
ind(d)
diff
(
m`, mt
) = (
k, z
)
and k < s. In this case, the simulator samples yr
←− ZMand sets us=y.
For each
s∈
[
n
], the simulator adds the mapping (
t, s
)
7→ us
to L. Finally, the simulator
St
outputs
the ciphertext
ctt
= (
u1, u2, . . . , un
) and the updated state
stS
=L. This completes the description
of the simulator S.
Correctness of the simulation.
We show that the simulator
S
= (
S0,...,Sq
) perfectly simulates
the distribution in hybrid H
1
. Let (
ct1,...,ctq
) be the joint distribution of the ciphertexts output in
hybrid H
1
, and let (
ct1,...,ctq
) be the joint distribution of the ciphertexts output by the simulator.
We proceed inductively in the number of queries q. The base case (q= 0) follows trivially.
Suppose now that (
ct1,...,ctt−1
)
≡
(
ct1,...,ctt−1
) for some
t∈
[
q
]. We show that the statement
holds for
t
+ 1. Consider the distributions of
ctt
and
ctt
. First, for any
j∈
[
t
], write ciphertext
ctj
as (
uj,1, uj,2, . . . , uj,n
) and
ctj
as (
uj,1, uj,2, . . . , uj,n
). In addition, we write
bj,s
to denote the
sth
d-ary chunk of message mj. For each s∈[n], we again consider three cases:
•Case 1:
There exists a
j∈
[
t−
1] and (
k, w
)
∈
[
n
]
×
[
−d, d
] such that
ind(d)
diff
(
mj, mt
) = (
k, w
)
and
k > s
. If there are multiple
j
for which this property holds, let
j
be the smallest one.
This means that
mj
and
mt
share a prefix of length at least
s
. Let
p∈
[0
, d −
1]
s−1
be the
first s−1d-ary chunks of this common prefix. Then, in hybrid H1, we have
ut,s =f(s, pk0n−s) + bt,s =uj,s.
In the simulation,
ut,s
=L(
j, s
) =
uj,s
. Since
j < t
, we conclude from the induction hypothesis
that ut,s and ut,s are identically distributed.
•Case 2:
For each
`∈
[
t−
1], there exists a (
k, z
)
∈
[
n
]
×
[
−d, d
] for which
ind(d)
diff
(
m`, mt
) = (
k, z
)
and k≤s, and there exists a j∈[t−1] and w∈[−d, d] for which ind(d)
diff (mj, mt)=(s, w). If
there are multiple
j
for which
ind(d)
diff
(
mj, mt
) = (
s, w
) for some
w
, let
j
be the smallest one.
This means that
mj
and
mt
share a prefix
p∈ {
0
,
1
}s−1
of length
s−
1. In hybrid H
1
, we have
ut,s =f(s, pk0n−s) + bt,s (mod M).
In the simulation,
ut,s =L(j, s)−w=uj,s −w(mod M).
In hybrid H
1
,
uj,s
=
f
(
s, pk
0
n−s
) +
bj,s
. By definition of
ind(d)
diff
, we have that
w
=
bj,s −bt,s
,
so we can write bt,s =bj,s −w. Thus, in hybrid H1, we have
ut,s =f(s, pk0n−s) + bt,s =uj,s −w(mod M).
By the inductive hypothesis, uj,s and uj,s are identically distributed, and the claim follows.
•Case 3:
For each
`∈
[
t−
1], there exist a (
k, w
)
∈
[
n
]
×
[
−d, d
] for which
ind(d)
diff
(
m`, mt
) = (
k, w
)
and k < s. Let p∈ {0,1}s−1be the first s−1d-ary chunks of mt. In hybrid H1, we have
ut,s =f(s, pk0n−s) + bt,s (mod M),
22

while in the simulation
ut,s
is a uniformly random string. By assumption, none of the messages
m1, . . . , mt−1
begin with the prefix
p
. Since
f
is a truly random function, the value of
f
(
s, pk
0
n−s
) is uniform in
ZM
and independent of all other ciphertexts. Thus,
ut,s
and
ut,s
are identically distributed.
We conclude that for all
s∈
[
n
],
ut,s ≡ut,s
. Since the components of each ciphertext are constructed
independently in both hybrid H
1
and in the simulation, this suffices to show that
ctt
and
ctt
are
identically distributed. The claim then follows by induction on t.
Space usage and conversion to OPE.
The
d
-ary generalized ORE scheme Π
gen-ore
on
n
-bit
inputs produces ciphertexts of length
dlogd
2
ne · log2M≈n·logdM
, where the first term is the
number of blocks in each ciphertext (equal to the number of base-
d
digits needed to represent
an
n
-bit value) and the second term is the number of bits needed to represent each block in the
ciphertext. Since we can set
M
= 2
d−
1, an encryption of an
n
-bit message under Π
gen-ore
is
approximately
n·logd
(2
d−
1) bits. The ciphertext expansion factor
logd
(2
d−
1) is a monotonically
decreasing function in
d
, so generalizing to higher arity allows for shorter ciphertexts. However,
larger values of dalso translate to increased leakage.
The reduction in ciphertext size is much more significant if we apply our ORE-to-OPE conversion
from Section 3.2 to the generalized scheme Π
gen-ore
. When we apply our OPE conversion to Π
gen-ore
,
the resulting OPE scheme is correct with probability 1
−d/M
. Thus, for correctness to hold with
overwhelming probability, we require
M
= 2
ω(log λ)
. In these scenarios where
M
is very large
(say,
M
= 2
40
to obtain a failure probability of 2
−40
), applying the OPE conversion to the
d
-ary
generalized ORE scheme Πgen-ore provides a (log2d)-factor reduction in the size of the ciphertexts.
C Proof of Theorem 4.3
We first define a sequence of hybrid experiments:
•Hybrid H0: This corresponds to experiment Exptgow
r,z,Πore,A(1λ).
•
Hybrid H
1
: Same as H
0
, except
m1, . . . , mz
r
←− {
0
,
1
}n
(rather than sampled without replace-
ment).
•
Hybrid H
2
: Same as H
1
, except the ciphertexts
ct1,...,ctz
are constructed by invoking the sim-
ulator (Theorem 3.2) on
Lf
(
m1, . . . , mz
) where
Lf
is the leakage function from Equation
(3.1)
.
•
Hybrid H
3
: Fix a parameter
k
=
ω
(
log λ
) where
k≤n
. In hybrid H
3
, after sampling the
messages
m1, . . . , mn
r
←− {
0
,
1
}n
, the experiment also samples messages
m0
i
r
←− {
0
,
1
}n
subject
to the restriction that the first
k
bits of
mi
and
m0
i
are equal. The ciphertexts are constructed
by invoking the simulator on
Lf
(
m0
1, . . . , m0
z
), but the success criterion at the end of the
experiment is still checked using m1, . . . , mn.
Lemma C.1. Hybrids H0and H1are statistically indistinguishable.
Proof.
In H
0
, the messages are sampled without replacement from
{
0
,
1
}n
. In particular, this
means that for
i∈
[
z
], the message
mi
is sampled from
Unif
(
{
0
,
1
}n\ {m1, . . . , mi−1}
). But since
z
=
poly
(
λ
) and
n
=
ω
(
log λ
) (so the size of the message space
{
0
,
1
}n
is super-polynomial in
λ
),
23

the distribution
Unif
(
{
0
,
1
}n
) is statistically close to
Unif
(
{
0
,
1
}n\ {m1, . . . , mi−1}
) for all
i∈
[
z
].
Thus, H0and H1are statistically indistinguishable.
Lemma C.2. Hybrids H1and H2are computationally indistinguishable.
Proof. Follows directly by simulation security of Πore (Theorem 3.2).
Lemma C.3. Hybrids H2and H3are statistically indistinguishable.
Proof.
It suffices to argue that
Lf
(
m1, . . . , mn
) =
Lf
(
m0
1, . . . , m0
n
) with overwhelming probability.
Take any distinct pair of indices
i, j
. With overwhelming probability
mi6
=
mj
. Consider the
probability
Pr
[
inddiff
(
mi, mj
) =
k
]. Since
inddiff
(
mi, mj
) gives the first bit on which messages
mi
and
mj
differ,
inddiff
(
mi, mj
) =
k
only if the first
k−
1 bits of
mi
and
mj
match and the
kth
bit of
mi
and
mj
differ. Since
mi
and
mj
are both sampled uniformly and independently from
{
0
,
1
}n
, we
conclude that
Pr
[
inddiff
(
mi, mj
) =
k
] = 2
−k
. Moreover,
Pr
[
inddiff
(
mi, mj
)
≥k
] =
Pn
s=k
2
−s≤
2
−k+1
.
By a union bound, we have that for each i∈[z],
Pr[∀j6=i:inddiff (mi, mj)< k]≥1−z
2k−1.
For
k
=
ω
(
log λ
) we have that
Pr
[
∀j6
=
i
:
inddiff
(
mi, mj
)
< k
]=1
−negl
(
λ
). By another union
bound, we conclude that
inddiff
(
mi, mj
)
< k
for all distinct
i, j
with probability 1
−negl
(
λ
). This
means that all pairs of messages
mi, mj
differ on at least one of the first
k
bits. In H
3
, the messages
mi
and
m0
i
all agree on the first
k
bits for all
i∈
[
q
], and so the first bit on which each pair of
messages
m0
i, m0
j
differ is unaffected. We conclude that
Lf
(
m1, . . . , mz
) =
Lf
(
m0
1, . . . , m0
z
), and the
claim follows.
To complete the proof we bound the adversary’s advantage in hybrid H
3
. Let
C
be the circuit
output by the adversary in H
3
, and let
S
=
{x∈ {0,1}n:C(x)=1}
. Without loss of generality,
assume that
|S| ≤ r
(otherwise, the adversary’s advantage is 0). Take any message
mi
and consider
the probability
Pr
[
mi∈S
]. In hybrid H
3
, the view of the adversary depends only on the first
k
bits
of each message
m1, . . . , mz
, and in fact, it is equivalent to sample the remaining
n−k
bits of the
test messages
m1, . . . , mz
after the adversary has submitted its circuit.
10
If the latter
n−k
bits of
mi
are chosen after the adversary has committed to the circuit
C
, then
Pr
[
mi∈S
]
≤ |S|/
2
n−k
. By
a union bound over each message, we have
Advgow
r,z,Πore,A(1λ) = Pr[∃i∈[z] : mi∈S]≤z|S|
2n−k=z·r
2n−k.
We can set
k
=
εn/
2 =
ω
(
log λ
) since
n
=
ω
(
log λ
). Finally, since
r
= 2
n(1−ε)
, the advantage is
bounded by
Advgow
r,z,Πore,A(1λ)≤z·2n(1−ε)
2n(1−ε/2) =z
2nε/2= negl(λ),
since z= poly(λ).
10
This is equivalent since
mr
←− {
0
,
1
}n
, so each bit of
m
can be viewed as an independent and uniform value in
{
0
,
1
}
.
24

D Distance One-Wayness
Boldyreva et al. [
BCO11
] also introduce an additional metric they use to analyze the security of an
OPE scheme called “window distance one-wayness.” This metric helps quantify the extent to which
an OPE scheme reveals information about the distance between the underlying plaintexts. In a
semantically-secure ORE scheme, recall that no distance information between ciphertexts is revealed
aside from information that can be directly inferred from the ordering of the ciphertexts. As was
the case for one-wayness, we present here a more general notion of window distance one-wayness,
and then show that our proposed ORE scheme is robust under this definition.
Definition D.1
(Generalized Distance One-Wayness)
.
Fix a plaintext space
ZM
and let Π =
(
ORE.Setup,ORE.Encrypt,ORE.Compare
) be an ORE over
ZM
. The (
r, z
)-generalized distance one-
wayness advantage of an adversary Aagainst Π is given by
Advgdow
r,z,Π(A)def
= Pr[Exptgdow
r,z,Π,A(1λ) = 1],
where the (r, z)-generalized distance one-wayness experiment Exptgdow
r,z,Π,A(1λ) is defined as follows:
Experiment Exptgdow
r,z,Π,A(1λ):
1. sk ←ORE.Setup(1λ)
2. sample m1, . . . , mzuniformly from ZMwithout replacement
3. for i∈[z], cti←ORE.Encrypt(sk, mi)
4. C← A(ct1,...,ctz), where C:ZM→ {0,1}is a circuit of size poly(λ)
5.
output 1 if there exists distinct
i, j ∈
[
z
] such that
C
(
dij
) = 1 where
dij
=
mj−mi
(mod M) and |{x∈ZM:C(x) = 1}| ≤ r; otherwise, output 0
Remark D.2
(Comparison with Window Distance One-Wayness [
BCO11
])
.
In Definition D.1, if
we restrict the adversary to outputting circuits
C
that represent a contiguous interval of length at
most rin ZM, then we recover the notion of window distance one-wayness from [BCO11, §3].
Theorem D.3.
Fix a security parameter
λ
and a plaintext space
{
0
,
1
}n
(or equivalently, the ring
Z2n
) where
n
=
ω
(
log λ
). Let Π
ore
be the ORE scheme given at the beginning of Section 3. Then,
for any constant ε∈(0,1], any z= poly(λ), and all efficient adversaries A,
Advgdow
r,z,Πore,A(1λ) = negl(λ),
where r= 2n(1−ε).
Proof.
The proof of this statement proceeds very similarly to that of Theorem 4.3. For completeness,
we describe the set of hybrid arguments we use:
•Hybrid H0: This corresponds to experiment Exptgdow
r,z,Πore,A(1λ).
•Hybrid H1: Same as H0, except m1, . . . , mz
r
←− {0,1}n.
25

•
Hybrid H
2
: Same as H
1
, except the ciphertexts
ct1,...,ctz
are constructed by invoking the
simulator (Theorem 3.2) on Lf(m1, . . . , mz).
•
Hybrid H
3
: Fix a parameter
k
=
ω
(
log λ
) where
k≤n
. In hybrid H
3
, after sampling the
messages
m1, . . . , mn
r
←− {
0
,
1
}n
, the experiment also samples messages
m0
i
r
←− {
0
,
1
}n
subject
to the restriction that the first
k
bits of
mi
and
m0
i
are equal. The ciphertexts are constructed
by invoking the simulator on
Lf
(
m0
1, . . . , m0
z
), but the success criterion at the end of the
experiment is still checked using m1, . . . , mn.
Invoking Lemmas C.1 through C.3 from the proof of Theorem 4.3, we have that hybrids H
0
and H
3
are computationally indistinguishable. Consider the probability that the experiment H
3
outputs 1.
Let
C
be the circuit output by the adversary and let
S
=
{x∈ {0,1}n:C(x)=1}
. It suffices to
assume that
|S| ≤ r
since otherwise, the output of H
3
is 0. Take any distinct pairs of indices
i, j
and
let
dij
=
mj−mi
(
mod
2
n
). Take any
z∈ {
0
,
1
}n
. Since the view of the adversary is independent of
the last
n−k
bits of
mj
and
mj
is sampled uniformly and independently from
{
0
,
1
}n
, we conclude
that
Pr[dij =z] = Pr[mj=z+mi(mod 2n)] ≤1
2n−k.
By a union bound over the elements of
S
, we conclude that
Pr
[
dij ∈S
]
≤r/
2
n−k
. Applying another
union bound to all pairs i, j, we conclude that in H3,
Pr[∀i6=j:dij /∈S]≥1−r·z2
2n−k.
As in the proof of Theorem 4.3, the theorem now follows by setting k=εn/2 = ω(log λ).
Comparison to existing schemes.
As was done with one-wayness, Boldyreva et al. [
BCO11
]
also give a lower and upper bound for the advantage of an adversary for a random order-preserving
function in the distance one-wayness game. Specifically, they show [
BCO11
, Theorem 4.3] that
when
r
= 1 and
z
=
poly
(
λ
), for all (not necessarily efficient) adversaries
A
,
Advgdow
r,z,ROPF,A
=
negl
(
λ
).
A matching upper bound holds for the advantage of all computationally bounded adversaries for
our ORE scheme (simply instantiate Theorem D.3 with
ε
= 1). Intuitively, this statement says that
given encryptions of several uniformly sampled ciphertexts, the adversary cannot guess the exact
distance between any pair of ciphertexts. This does not rule out learning partial information about
the distances between ciphertexts, and as it turns out, some partial information is in fact leaked.
Similar to the case of one-wayness, when
r
is large, there exists an efficient adversary against
any ROPF that can win the generalized distance one-wayness game with advantage close to
1. Specifically, when
r
=
O
(
√2n
), and any
z≥
2, there exists an efficient adversary
A
where
Advgdow
r,z,ROPF,A
(1
λ
) = 1
−c
where
c
is a constant (independent of
λ
) [
BCO11
, Theorem 4.4]. Note that
the results in [
BCO11
] are with respect to adversaries restricted to submitting circuits that encode a
contiguous interval in the ring
Z2n
. Conceptually, this means that two ciphertexts encrypted under
an OPE scheme that implements an ROPF reveal roughly half the bits of the distance between the
underlying plaintext values.
In contrast, instantiating Theorem D.3 with
ε
= 1
/
2, we have that for
r
=
√2n
, and for all
efficient adversaries
A
, the advantage
Advgdow
r,z,Πore,A
is negligible. In fact, Theorem D.3 states that
given polynomially many ciphertexts, no efficient adversary is able to even learn a constant fraction
26

of the bits in the distance between any pair of encrypted messages. Thus, in this setting, our ORE
scheme provides a provably stronger security guarantee.
In the same work [
BCO11
], Boldyreva et al. also introduced the notion of a modular OPE
(MOPE) scheme to obtain stronger security guarantees over a standard OPE scheme. At a high
level, in an MOPE scheme, a secret and fixed modular offset is added to the plaintext value before
encryption with an OPE scheme. On the one hand, an MOPE scheme substantially improves the
one-wayness security of the underlying encryption scheme. Specifically, Boldyreva et al. show that
the (
r, w
) window one-wayness advantage (Remark 4.2) of any adversary is optimal (no better than
the trivial adversary that outputs a random window of size
r
). However, this security guarantee is
unstable in the sense that a small piece of information (such as a single plaintext-ciphertext pair)
reveals the secret offset, reverting the one-wayness security to that of the underlying OPE scheme.
Moreover, information about the secret offset can be inferred from range query distribution in a
na¨ıve practical implementation [BCO11].
Subsequent work [
MCO+15
] proposed strategies to avoid leaking the MOPE secret offset when
the distribution of range query inputs is known, through the use of “dummy queries.” However, if
the distribution is far from uniform, the number of necessary dummy queries can be prohibitive. In
addition, Boldyreva et al. [
BCO11
] show that MOPE schemes do not help to hide the distances
between plaintext values. Like an OPE scheme, an MOPE scheme reveals roughly half of the bits of
the distance between two plaintext values. Thus, for a uniform message distribution, we conclude
that our ORE scheme achieves better hiding properties on the distances between plaintexts, while
retaining direct support for efficiently answering range queries.
27