Date posted: 20-Dec-2015
Order-Preserving Symmetric Encryption
Alexandra Boldyreva, Nathan Chenette, Younho Lee and Adam O’Neill
EUROCRYPT 2009, LNCS 5479, pp. 224-241

Outline
- Introduction
- OPE and Its Security
- Lazy Sampling a Random Order-Preserving Function
- OPE Scheme and Its Analysis
- Conclusion

Introduction
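- Order-preserving symmetric encryption (OPE)
- OPE has been used in the form of one-part codes and has a fairly long history, going back to World War I.
- The ciphertext corresponding to a plaintext is obtained by scrambling the order of letters or of numbers.
- The more valuable recent work applies OPE in the database community, proposed by Agrawal et al. in 2004.
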
Introduction
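- An OPE scheme should support efficient range queries on encrypted data.
  - Efficient here means O(lg n) time, where n is the amount of data in the database.
  - HVE and MRQED are not efficient: a query has to scan the whole database.
- No provable-security treatment of OPE has been given so far; the authors want to fill this gap.
- OPE cannot satisfy every security definition, for example IND-CPA.
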
OPE and Its Security
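IND-CPA
- $LR(\cdot,\cdot,b)$: on input $m_0$ and $m_1$, return $m_b$.
- Symmetric encryption scheme $SE = (\mathcal{K}, ENC, DEC)$
- Adversary $A$, $b \in \{0,1\}$
- We require that each query $(m_0, m_1)$ that $A$ makes to its oracle satisfies $|m_0| = |m_1|$.

Experiment $\mathrm{Exp}^{\text{IND-CPA-}b}_{SE}(A)$:
    $K \stackrel{R}{\leftarrow} \mathcal{K}$
    $d \stackrel{R}{\leftarrow} A^{ENC(K, LR(\cdot,\cdot,b))}$
    return $d$

$$\mathrm{Adv}^{\text{IND-CPA}}_{SE}(A) = \Pr\left[\mathrm{Exp}^{\text{IND-CPA-}1}_{SE}(A) = 1\right] - \Pr\left[\mathrm{Exp}^{\text{IND-CPA-}0}_{SE}(A) = 1\right]$$
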
OPE and Its Security
- OPE cannot satisfy IND-CPA.
  - It is deterministic.
  - It leaks the order relations among the plaintexts.
- Since IND-CPA cannot be met, the authors weaken IND-CPA so that OPE can try to satisfy it.
  - They build on IND-DCPA (indistinguishability under distinct chosen-plaintext attack), proposed by M. Bellare et al. in "Authenticated encryption in SSH: provably fixing the SSH binary packet protocol", CCS '02, pp. 1-11, 2002.
  - They propose IND-OCPA (indistinguishability under ordered chosen-plaintext attack).

OPE and Its Security
IND-DCPA
- The adversary is restricted to making only distinct queries.
- Adversary $A$ makes queries $(m_0^1, m_1^1), \ldots, (m_0^q, m_1^q)$.
- Require that $m_b^1, m_b^2, \ldots, m_b^q$ are all distinct for $b \in \{0,1\}$.

OPE and Its Security
IND-OCPA
- Adversary $A$ makes queries $(m_0^1, m_1^1), \ldots, (m_0^q, m_1^q)$.
- $m_0^i < m_0^j$ iff $m_1^i < m_1^j$ for all $1 \le i, j \le q$.

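OPE and Its Security
- IND-OCPA looks feasible but is useless in practice, unless the size of the ciphertext space is exponential in the size of the plaintext space.
- Let $SE = (\mathcal{K}, ENC, DEC)$ be an order-preserving encryption scheme with plaintext-space $[M]$ and ciphertext-space $[N]$ for $M, N \in \mathbb{N}$ s.t. $2^{k-1} \le N < 2^k$ for some $k \in \mathbb{N}$. Then there exists an IND-OCPA adversary $A$ against $SE$ s.t.

$$\mathrm{Adv}^{\text{IND-OCPA}}_{SE}(A) \ge 1 - \frac{2k}{M-1}$$

- Furthermore, $A$ runs in time $O(\log N)$ and makes 3 oracle queries.
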
OPE and Its Security
Big jump and big reverse-jump
- For an order-preserving function $f : [M] \to [N]$:
  - $i \in \{3, \ldots, M-1\}$ is a big jump if the f-distance to the next point is as big as the sum of all the previous: $f(i+1) - f(i) \ge f(i) - f(1)$.
  - $i \in \{2, \ldots, M-2\}$ is a big reverse-jump if $f(i) - f(i-1) \ge f(M) - f(i)$.

OPE and Its Security
Big jump and big reverse-jump
(Figure: Big Jump)
- $i$ is a big jump if $f(i+1) - f(i) \ge f(i) - f(1)$
- $i$ is a big reverse-jump if $f(i) - f(i-1) \ge f(M) - f(i)$

OPE and Its Security
Big jump attack
- Consider the IND-OCPA adversary $A$ against $SE$:

Adversary $A^{ENC(K, LR(\cdot,\cdot,b))}$:
    $m \stackrel{R}{\leftarrow} \{1, \ldots, M-1\}$
    $c_1 \leftarrow ENC(K, LR(1, m, b))$
    $c_2 \leftarrow ENC(K, LR(m, m+1, b))$
    $c_3 \leftarrow ENC(K, LR(m+1, M, b))$
    return 1 if $(c_3 - c_2) > (c_2 - c_1)$
    else return 0

OPE and Its Security
Big jump and big reverse-jump
(Figure: Big Jump)
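- $m = 5$: $c_1 = 24$ or $35$, $c_2 = 35$ or $36$, $c_3 = 36$ or $45$; $c_3 - c_2 = 1$ or $9$, $c_2 - c_1 = 11$ or $1$. If $(c_3 - c_2) > (c_2 - c_1)$, adversary $A$ guesses $b = 1$; else adversary $A$ guesses $b = 0$.
- $m = 4$: $c_1 = 24$ or $27$, $c_2 = 27$ or $35$, $c_3 = 35$ or $45$; $c_3 - c_2 = 8$ or $10$, $c_2 - c_1 = 3$ or $8$. If $(c_3 - c_2) > (c_2 - c_1)$, adversary $A$ guesses $b = 1$; else adversary $A$ guesses $b = 0$.

$$\Pr\left[\mathrm{Exp}^{\text{IND-OCPA-}1}_{SE}(A) = 1\right] \ge \frac{(M-1) - k}{M-1} = 1 - \frac{k}{M-1}$$

We assume that $f$ has $k$ big jumps.
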
OPE and Its Security
Big jump attack and OPE scheme
- The attack distinguishes between ciphertexts that are very close and ciphertexts that are far apart.
- The attack shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering.
  - Some information about their relative distances.

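The big-jump adversary from the slides, run against an order-preserving function, as an added example that is not part of the original slides. Instead of sampling m it enumerates every m in {1, ..., M-1}, so the advantage it reports is exact; `random_opf`, `SLIDE_LIKE` and the other helper names are assumptions made for this illustration.

```python
import random

def make_opf(points):
    """Wrap a sorted list of M distinct range points as f: [M] -> [N] (1-indexed)."""
    assert all(a < b for a, b in zip(points, points[1:]))
    return lambda x: points[x - 1]

def random_opf(M, N, seed):
    """Constructed stand-in for ENC(K, .): a random M-subset of [N], sorted."""
    rng = random.Random(seed)
    return make_opf(sorted(rng.sample(range(1, N + 1), M)))

def adversary(f, M, m, b):
    """The slides' adversary for one choice of m, with oracle ENC(K, LR(., ., b))."""
    def oracle(m0, m1):
        return f(m1 if b else m0)
    c1 = oracle(1, m)
    c2 = oracle(m, m + 1)
    c3 = oracle(m + 1, M)
    return 1 if (c3 - c2) > (c2 - c1) else 0

def exact_advantage(f, M):
    """Pr[Exp^1 = 1] - Pr[Exp^0 = 1], averaged over every m in {1, ..., M-1}."""
    ones_b1 = sum(adversary(f, M, m, 1) for m in range(1, M))
    ones_b0 = sum(adversary(f, M, m, 0) for m in range(1, M))
    return (ones_b1 - ones_b0) / (M - 1)

def big_jumps(f, M):
    """All i in {3, ..., M-1} with f(i+1) - f(i) >= f(i) - f(1)."""
    return [i for i in range(3, M) if f(i + 1) - f(i) >= f(i) - f(1)]

def big_reverse_jumps(f, M):
    """All i in {2, ..., M-2} with f(i) - f(i-1) >= f(M) - f(i)."""
    return [i for i in range(2, M - 1) if f(i) - f(i - 1) >= f(M) - f(i)]

def theorem_bound(M, N):
    """1 - 2k/(M-1), where 2^(k-1) <= N < 2^k."""
    k = N.bit_length()
    return 1 - 2 * k / (M - 1)

# Constructed 10-point function; f(1), f(4), f(5), f(6) and f(10) are chosen to
# agree with the ciphertext values quoted on the slide for m = 4 and m = 5.
SLIDE_LIKE = make_opf([24, 25, 26, 27, 35, 36, 39, 41, 42, 45])

if __name__ == "__main__":
    print("m=5 guesses:", adversary(SLIDE_LIKE, 10, 5, 0), adversary(SLIDE_LIKE, 10, 5, 1))
    print("m=4 guesses:", adversary(SLIDE_LIKE, 10, 4, 0), adversary(SLIDE_LIKE, 10, 4, 1))
    print("big jumps:", big_jumps(SLIDE_LIKE, 10))
    M, N = 1000, 2**20
    f = random_opf(M, N, seed=1)
    print("advantage:", exact_advantage(f, M), "bound:", theorem_bound(M, N))
```

With M = 10 the bound 1 - 2k/(M-1) is negative and says nothing; it only becomes meaningful once M is much larger than log N, which is the regime the second run covers.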
OPE and Its Security
- The authors try to restrict the power of adversary A in IND-OCPA.
- In the manner of pseudorandom functions (PRFs) or permutations (PRPs), the adversary should be unable to distinguish oracle access to ENC of the scheme from oracle access to the corresponding ideal object.
- Pseudorandom order-preserving function against chosen-ciphertext attack, POPF-CCA.

OPE and Its Security
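POPF-CCA
- Order-preserving encryption scheme $SE = (\mathcal{K}, ENC, DEC)$
- Plaintext-space $D$, ciphertext-space $R$, $|D| \le |R|$
- $\mathrm{OPF}_{D,R}$ denotes the set of all order-preserving functions from $D$ to $R$.
- Adversary $A$ against $SE$ with advantage

$$\mathrm{Adv}^{\text{POPF-CCA}}_{SE}(A) = \Pr\left[K \stackrel{R}{\leftarrow} \mathcal{K} \;\middle|\; A^{ENC(K,\cdot),\,DEC(K,\cdot)}\right] - \Pr\left[K \stackrel{R}{\leftarrow} \mathcal{K} \;\middle|\; A^{g(\cdot),\,g^{-1}(\cdot)}\right]$$
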
Lazy Sampling a Random Order-Preserving Function
Lazy Sampling
- POPF-CCA is useful.
- We need a way to implement A's oracles in the "ideal" experiment efficiently.
- How to lazy sample a random order-preserving function and its inverse.
- A connection between a random order-preserving function and the hypergeometric probability distribution.

Lazy Sampling a Random Order-Preserving Function
- The set $\mathrm{OPF}_{D,R}$: all order-preserving functions from a domain $D$ of size $M$ to a range $R$ of size $N > M$.
- The set of all possible combinations of $M$ out of $N$ ordered items.

Lazy Sampling a Random Order-Preserving Function
(Figure: Domain and Range, with set S = {24, 25, 27, 35, 36, 39, 41, 42, 44, 45})

Lazy Sampling a Random Order-Preserving Function
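For $M, N \in \mathbb{N}$ and any $x, x+1 \in [M]$, $y \in [N]$:

$$\Pr\left[f(x) \le y < f(x+1) \;\middle|\; f \stackrel{R}{\leftarrow} \mathrm{OPF}_{D,R}\right] = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$
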
Lazy Sampling a Random Order-Preserving Function
Hypergeometric distribution
- Hypergeometric experiment
  - A random sample of size $M$ is selected without replacement from $N$ items.
  - $y$ of the $N$ items may be classified as successes and $N-y$ are classified as failures.

$$h(x; N, M, y) = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$

Lazy Sampling a Random Order-Preserving Function
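Hypergeometric distribution
- A batch has 40 light bulbs; quality control rejects the batch if it finds 3 defective bulbs. Suppose quality control picks 5 bulbs at random to inspect. What is the probability that exactly 1 defective bulb is found?
- $N = 40$, $M = 5$, $y = 3$
- $X$ = number of defective bulbs found $\sim h(x; N, M, y) = h(x; 40, 5, 3)$

$$\Pr(X = 1) = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}} = \frac{C^{3}_{1}\, C^{37}_{4}}{C^{40}_{5}} \approx 0.301$$
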
Lazy Sampling a Random Order-Preserving Function
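For $M, N \in \mathbb{N}$ and any $x, x+1 \in [M]$, $y \in [N]$:

$$\Pr\left[f(x) \le y < f(x+1) \;\middle|\; f \stackrel{R}{\leftarrow} \mathrm{OPF}_{D,R}\right] = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$

$$h(x; N, M, y) = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$
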
Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm
- Algorithms LazySample and LazySampleInv lazy sample a random order-preserving function from domain $D$ to range $R$, $|D| \le |R|$, and its inverse, respectively.

Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm
- Two subroutines
  - $HGD(D, R, y \in R) = x \in D$ s.t. for each $x^* \in D$ we have $x = x^*$ with probability $h(x - d; |R|, |D|, y - r)$, where $d = \min(D) - 1$, $r = \min(R) - 1$.
  - $GetCoins(1^{\ell}, D, R, b \| z) = cc \in \{0,1\}^{\ell}$, where $b \in \{0,1\}$ and $z \in R$ if $b = 0$ and $z \in D$ otherwise.

Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm
- Joint state: arrays F and I
  - Array I: the number of points in D that map to range point y.
  - Array F: the image of m under the lazy-sampled function.

Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm
- LazySample employs a strategy:
  - Mapping range gaps to domain gaps in a recursive, binary-search manner.
- Range gap or domain gap:
  - An imaginary barrier between two consecutive points in the range or domain.

Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm
- Suppose GetCoins returns truly random coins on each new input. Then for any algorithm $A$ we have

$$\Pr\left[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\right] = \Pr\left[A^{LazySample(D,R,\cdot),\,LazySampleInv(D,R,\cdot)} = 1\right]$$

  where $g, g^{-1}$ denote an order-preserving function picked at random from $\mathrm{OPF}_{D,R}$ and its inverse.

OPE Scheme and Its Analysis
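The TapeGen PRF
- LazySample and LazySampleInv cannot be used directly for ENC and DEC: LS and LSI share and update a joint state, the arrays F and I, which store the outputs of HGD.
- GetCoins is modified: when HGD is called, the output of the TapeGen PRF is used as the seed, so that HGD produces the entries of F and I.
- The TapeGen PRF is composed of 3 PRFs, VIL-PRF, VOL-PRF and LF-PRF, with LF-PRF being the key one.
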
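A toy version of the lazy sampling described in the LazySample slides, with the shared arrays F and I replaced by keyed per-node coins as this slide describes; it is an added example and not the paper's or the presenter's code. HMAC-SHA256 seeding Python's `random.Random` stands in for TapeGen, HGD is an exact inverse-CDF draw that is only practical for small spaces, and every function name here is an assumption.

```python
import hashlib
import hmac
import random
from math import comb

def coins(key, node, tag):
    """Per-node coins: HMAC-SHA256 over (D, R, tag) seeds a PRNG. A stand-in
    for the slides' TapeGen, not the paper's construction and not vetted."""
    msg = repr((node, tag)).encode()
    return random.Random(hmac.new(key, msg, hashlib.sha256).digest())

def weight(x, N, M, y):
    """Numerator of the slides' h(x; N, M, y) = C(y,x) * C(N-y,M-x) / C(N,M)."""
    return comb(y, x) * comb(N - y, M - x)

def hgd(rng, N, M, y):
    """Draw x with probability h(x; N, M, y) by exact inverse-CDF sampling."""
    u = rng.randrange(comb(N, M))
    acc = 0
    for x in range(max(0, M - (N - y)), min(M, y) + 1):
        acc += weight(x, N, M, y)
        if u < acc:
            return x
    raise AssertionError("unreachable: the weights sum to C(N, M)")

def descend(key, M, N, go_left):
    """Map range gaps to domain gaps by bisection; returns (m, f(m)) or None."""
    lo_d, hi_d, lo_r, hi_r = 1, M, 1, N
    while hi_d > lo_d:
        node = (lo_d, hi_d, lo_r, hi_r)
        size_d, size_r = hi_d - lo_d + 1, hi_r - lo_r + 1
        half = (size_r + 1) // 2
        y = lo_r + half - 1                      # the range gap sits just after y
        x = lo_d - 1 + hgd(coins(key, node, ("0", y)), size_r, size_d, half)
        if go_left(x, y):
            hi_d, hi_r = x, y
        else:
            lo_d, lo_r = x + 1, y + 1
    if hi_d < lo_d:
        return None                              # no plaintext maps into this range
    leaf = coins(key, (lo_d, hi_d, lo_r, hi_r), ("1", lo_d))
    return lo_d, leaf.randrange(lo_r, hi_r + 1)

def encrypt(key, m, M, N):
    """f(m) for 1 <= m <= M under the key's order-preserving f: [M] -> [N]."""
    return descend(key, M, N, lambda x, y: m <= x)[1]

def decrypt(key, c, M, N):
    """The m with f(m) = c, or None when c is not in the image of f."""
    hit = descend(key, M, N, lambda x, y: c <= y)
    return hit[0] if hit and hit[1] == c else None

if __name__ == "__main__":
    key = b"constructed-demo-key"                # constructed sample key
    cts = [encrypt(key, m, 30, 400) for m in range(1, 31)]
    print(cts)
    print([decrypt(key, c, 30, 400) for c in cts])
```

Because the coins at a node depend only on the key and the node, two plaintexts that pass through the same node see the same HGD draw, which is what keeps the ciphertexts consistent and strictly increasing without any stored state.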
OPE Scheme and Its Analysis
The TapeGen PRF
- For an adversary $A$, define its LF-PRF-advantage against TapeGen as

$$\mathrm{Adv}^{\text{LF-PRF}}_{TapeGen}(A) = \Pr\left[A^{TapeGen(\cdot)} = 1\right] - \Pr\left[A^{R(\cdot)} = 1\right]$$

OPE Scheme and Its Analysis
Let OPE[TapeGen] be the OPE scheme defined above with plaintext-space of size $M$ and ciphertext-space of size $N$. Then for any adversary $A$ against OPE[TapeGen] making at most $q$ queries to its oracles combined, there is an adversary $B$ against TapeGen s.t.

$$\mathrm{Adv}^{\text{POPF-CCA}}_{OPE[TapeGen]}(A) \le \mathrm{Adv}^{\text{LF-PRF}}_{TapeGen}(B) + \lambda$$

OPE Scheme and Its Analysis
Adversary $B$ makes at most $q_1 = q(\log N + 1)$ queries of size at most $5 \log N + 1$ to its oracle, whose responses total $q_1 \lambda'$ bits on average, and its running time is that of $A$. Above, $\lambda$ and $\lambda'$ are constants depending only on HGD.

OPE Scheme and Its Analysis
On choosing N
- Only when $[M]$ and $[N]$ are large, greater than $2^{80}$, does a random order-preserving function leak information.

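Conclusion
- The authors work through a chain of arguments, refining step by step from IND-CPA up to proposing POPF-CCA.
- Using a clever combination of LazySample and the hypergeometric distribution, they give a provable-security proof, POPF-CCA, for an OPE scheme.
- How to apply this to my scheme:
  - The authors' OPE maps numbers to numbers.
  - My OPE maps numbers to braid groups.
  - Apply it directly? Modify the proof? Modify the scheme?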