1 Introduction

An order-preserving encryption (OPE) scheme is a private-key encryption scheme whose ciphertexts preserve the numerical ordering of their corresponding plaintexts. Such schemes were introduced in the database community by Agrawal et al. [2] for enabling efficient indexing of encrypted data and efficient range queries over encrypted databases. By now, order-preserving encryption has become a key cryptographic ingredient underlying the security of database management systems (see [17] for a long list of OPE-based commercial systems).

The Security of OPE. Given that the ciphertexts of any order-preserving encryption scheme reveal the numerical ordering of their corresponding plaintexts, such schemes clearly cannot satisfy the standard notion of semantic security. This motivated Boldyreva, Chenette, Lee and O’Neill [3, 4] to initiate a foundational study of the security of order-preserving encryption. They introduced two notions of security for such schemes. Their first notion is a “best-possible” relaxation of the standard semantic security notion, allowing ciphertexts to reveal only the numerical ordering of their corresponding plaintexts. Informally, their notion asks that the encryptions of any two sequences of plaintexts should be indistinguishable as long as the two sequences share the same order pattern. Unfortunately, Boldyreva et al. then proved that such a notion cannot be satisfied.

Their second notion asks that an order-preserving encryption scheme should be indistinguishable from a random order-preserving function (similarly to the standard notion of pseudorandomness for pseudorandom functions). Boldyreva et al. provided an efficient scheme that satisfies this notion, but it was later on demonstrated by Boldyreva, Chenette and O’Neill [5, 6] that a random order-preserving function may in fact reveal substantial information on its input (specifically, about half of the bits of a random message) – and thus this notion may not be sufficiently strong for most applications.

Limited-Leakage OPE. The absence of a strong (and realizable) notion of security has somewhat undermined confidence in the potential security guarantees of order-preserving encryption. This state of affairs, however, has recently changed due to the work of Chenette, Lewi, Weis and Wu [13]. They rigorously relaxed the “best-possible” notion introduced by Boldyreva et al. [3, 4] to allow a limited amount of well-defined “leakage” [11], and constructed a practical scheme that satisfies it, based on pseudorandom functions. Concretely, in addition to revealing the relative ordering of any two encrypted plaintexts, ciphertexts in their scheme reveal the position of the most significant bit on which they differ – but no additional information is revealed. We refer to this specific leakage as “CLWW-leakage”, and to schemes that satisfy their notion as \({\mathcal {L}}_\mathsf{CLWW}\)-secure schemes.

Drawback: Ciphertext Expansion. Incorporating the limited-leakage scheme of Chenette et al. in practical OPE-based systems finally makes it possible to reason rigorously about their security. However, a significant drawback of their scheme is its ciphertext expansion. Roughly speaking, encrypting plaintexts of length m bits using their scheme results in ciphertexts of length \(m \cdot \ell \) bits, where \(\ell \) determines the level of security (i.e., “\(\ell \) bits of security” – we discuss the relation between the ciphertext expansion and the security of their scheme in more detail in Sect. 1.1).

In fact, Chenette et al. first constructed an order-revealing encryption scheme [5, 9] with ciphertexts of length only \(\lceil \log _2 3 \cdot m \rceil \) bits, and then showed that the main ideas underlying their scheme can be used to construct an order-preserving encryption scheme – but with significantly longer ciphertexts (see Sect. 1.2 for more details on the less-strict notion of order-revealing encryption). Given the practical importance of order-preserving encryption, this poses the question of whether or not such a significant expansion is inherent.

Initial evidence indicating that such an expansion is inherent was recently provided by Cash and Zhang [14]. They introduced an information-theoretic variant of the limited-leakage notion of security considered by Chenette et al. (that is, a notion of security with respect to computationally-unbounded adversaries and CLWW-leakage), and showed that any scheme satisfying it must suffer from a significant ciphertext expansion, matching the ciphertext expansion in the scheme of Chenette et al. up to lower-order terms.

As discussed by Cash and Zhang, although no scheme can satisfy their information-theoretic notion in the standard model, they nevertheless capture schemes whose security can be proved in the random-oracle model without relying on any cryptographic assumption. They do not capture, however, schemes whose security is proved in the standard model based on cryptographic assumptions (such as the existence of pseudorandom functions, and specific number-theoretic or combinatorial assumptions).

1.1 Our Contributions

In this paper we prove a tight lower bound on the ciphertext expansion of any order-preserving encryption scheme that satisfies the “limited-leakage” notion of security considered by Chenette et al. [13]. In its weakest form, this notion asks that the encryptions of any two sequences of plaintexts should be indistinguishable as long as the two sequences share the same CLWW-leakage, as discussed above (see Sect. 2 for the formal definition). We prove the following theorem:

Theorem (informal)

Let \(\varPi \) be an order-preserving encryption scheme with m-bit plaintexts and n-bit ciphertexts. Then, there exists a non-uniform polynomial-time adversary \(\mathcal {A}\) that breaks the \({\mathcal {L}}_\mathsf{CLWW}\)-security of the scheme with probability at least \(2^{-n/m}\cdot m^{-1}\).

Under the minimal requirement that the success probability of any efficient adversary in breaking the \({\mathcal {L}}_\mathsf{CLWW}\)-security of the scheme should be negligible, our theorem implies that ciphertexts must be of length at least \(n = m \cdot \omega (\log \lambda )\) bits, where \(\lambda \in \mathbb {N}\) is the security parameter. Practically, when aiming at (say) 80 bits of security (and focusing, for simplicity, on the significant \(2^{-n/m}\) term), this implies that ciphertexts must be of length at least roughly \(n = 80m\) bits.

Comparison to the Cash-Zhang Lower Bound. When compared to the lower bound proved by Cash and Zhang [14], our lower bound and their lower bound are identical in terms of the attacker’s success probability (and, thus, in terms of the implications on the ciphertext expansion). As discussed above, however, their lower bound applies to an information-theoretic variant of the notion of security to which our lower bound applies. Concretely, Cash and Zhang prove their lower bound by analyzing the statistical distance between ciphertext distributions (which translates into a computationally-unbounded adversary), whereas we prove our lower bound by presenting a non-uniform polynomial-time adversary. Thus, our lower bound applies to any \({\mathcal {L}}_\mathsf{CLWW}\)-secure order-preserving encryption scheme, and most notably to such schemes whose security is proved in the standard model.

The Tightness of Our Lower Bound. Looking into the security of the scheme provided by Chenette et al. [13] (when adapted to offer perfect correctness as suggested by Cash and Zhang), we observe that our lower bound is in fact tight up to low-order terms. Specifically, their scheme is based on the existence of any pseudorandom function \(\mathsf{F}\) mapping inputs of length at most \(m = m(\lambda )\) bits to outputs of length \(\ell =\ell (\lambda )\) bits, and encrypting plaintexts of length m bits using their scheme results in ciphertexts of length \(n = m \cdot \ell \) bits. An analysis of the security of their construction shows that the advantage \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}}\) of any adversary \(\mathcal {A}\) in breaking the \({\mathcal {L}}_\mathsf{CLWW}\)-security of their scheme can be upper bounded as

$$\begin{aligned} \mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}} \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F},{\mathcal {B}}} + \frac{m \cdot q}{2^{\ell }}, \end{aligned}$$

where \(q = q(\lambda )\) denotes the number of encryption queries made by \(\mathcal {A}\), \(\mathsf {Adv}^\mathsf {PRF}_{\mathsf{F},{\mathcal {B}}}\) denotes the advantage of an algorithm \(\mathcal {B}\) (efficiently derived from \(\mathcal {A}\)) in breaking the pseudorandomness of \(\mathsf F\), and recall that \(\ell = n/m\). The above theorem provides a lower bound on the advantage of our specific adversary (which issues only \(q=2\) encryption queries), and this yields

$$\begin{aligned} \frac{1}{2^{n/m} \cdot m} \le \mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}}(\lambda ) \le \mathsf {Adv}^\mathsf {PRF}_{\mathsf{F},{\mathcal {B}}}(\lambda ) + \frac{m \cdot 2}{2^{n/m}} . \end{aligned}$$

Up to the lower-order terms in the above expression, our lower bound and the security of the scheme constructed by Chenette et al. match.

1.2 Related Work

Boldyreva, Chenette and O’Neill [5] introduced the notion of an order-revealing encryption (ORE) scheme, which is a less-strict variant of an order-preserving encryption scheme. Such schemes allow one to compare plaintexts by invoking a publicly-computable comparison algorithm on their ciphertexts (no secret key is required), and can be viewed as a specific form of multi-input functional encryption [1, 7, 18, 24]. The notion of order-preserving encryption is then obtained by requiring, in addition, that the comparison algorithm is simply a numerical comparison. Based on assumptions involving multi-linear maps, Boneh et al. [9] presented a (rather theoretical) construction of an ORE scheme that satisfies the aforementioned “best-possible” security notion of Boldyreva et al. [3]. This stands in contrast to the impossibility of Boldyreva et al. for constructing an order-preserving encryption scheme satisfying the same “best-possible” security notion.

As for ORE schemes that satisfy weaker notions of security, as mentioned above Chenette et al. [13] constructed an efficient \(\mathcal {L}_\mathsf {CLWW}\)-secure ORE scheme that has ciphertexts of length only \(\lceil \log _2 3 \cdot m \rceil \), where m is the length of their corresponding plaintexts, and their construction is based on pseudorandom functions.

Finally, when dealing with encryption schemes that inherently leak non-trivial information, one should always pay attention to potential attacks that may be enabled by such leakage. Indeed, such attacks on order-revealing encryption are known in some specific settings (e.g., [15, 21]), but this does not rule out their deployment in other settings.

1.3 Overview of Our Approach

In this section we provide a brief overview of the main ideas underlying the proof of our lower bound. In what follows, let \(\varPi =(\mathsf {KeyGen},\mathsf {Enc})\) be an order-preserving encryption scheme with plaintexts of length m bits and ciphertexts of length n bits (both m and n may be functions of the security parameter \(\lambda \in \mathbb {N}\) – see Sect. 2 for the formal definition of such a scheme). For any plaintext \(i \in \{0,1\}^m\), viewed as an integer \(0\le i\le 2^m-1\), we denote by \(X_i=\mathsf {Enc}_K(i)\) the random variable corresponding to an encryption of i with respect to a randomly-generated key \(K\leftarrow \mathsf {KeyGen}(1^\lambda )\). Each such random variable \(X_i\) is distributed over \(\{0,1\}^n\), and is viewed as an integer \(0\le X_i\le 2^n-1\). In addition, we let \(\epsilon =2^{-n/m}\cdot m^{-1}\) (note that this is the success probability stated by our theorem), and let \(\varDelta (X,Y)\) denote the statistical distance between the distributions X and Y.

The Proof of Cash and Zhang. Cash and Zhang [14] observed that for every \(1\le j\le m-1\) it holds that \(\mathcal {L}_\mathsf {CLWW}(0,2^{j+1}-1)= \mathcal {L}_\mathsf {CLWW}(2^j-1,2^j)\), where \(\mathcal {L}_\mathsf {CLWW}\) is the CLWW-leakage as discussed above. Assuming towards a contradiction that a scheme \(\varPi \) is \(\mathcal {L}_\mathsf {CLWW}\)-secure in the statistical sense that no computationally-unbounded adversary has advantage larger than \(\epsilon \), then the distributions \((\mathsf {Enc}_K(0), \mathsf {Enc}_K(2^{j+1}-1))\) and \((\mathsf {Enc}_K(2^j-1), \mathsf {Enc}_K(2^j))\) must be statistically close, as both \((0,2^{j+1}-1)\) and \((2^j-1,2^j)\) have the same CLWW-leakage. That is, it must hold that

$$\begin{aligned} \varDelta ((X_0,X_{2^{j+1}-1}),(X_{2^j-1},X_{2^j}))\le \epsilon . \end{aligned}$$

Therefore, denoting \(G^j_1=X_{2^{j+1}-1}-X_0\) and \(G^j_2=X_{2^j}-X_{2^j-1}\), and noting that applying the same function to two distributions cannot increase their statistical distance, it also holds that \(\varDelta (G^j_1,G^j_2)\le \epsilon \). By the order-preserving property of the scheme, it holds that \(G^j_1\ge 0\), \(G^j_2\ge 0\), and that

$$\begin{aligned} G^j_1=X_{2^{j+1}-1}-X_0\ge (X_{2^j}-X_{2^j-1})+(X_{2^j-1}-X_0)=G^j_2+G^{j-1}_1. \end{aligned}$$

This shows that \(G^j_1\) is \(\epsilon \)-statistically-close to \(G^j_2\), and that \(G^j_1\) is larger than \(G^j_2\) by at least \(G^{j-1}_1\). Equipped with this observation, Cash and Zhang inductively proved that the support of \(G^{j-1}_1\) must contain “large” values, and that the support of \(G^j_1\) must contain even larger values. As a final step, note that \(X_{2^m-1}=X_0+G^{m-1}_1\) and also \(\varDelta (X_0,X_{2^m-1})\le \epsilon \) as it trivially holds that \(\mathcal {L}_\mathsf {CLWW}(0)=\mathcal {L}_\mathsf {CLWW}(2^m-1)\). Using their reasoning once again, they deduced that the support of \(X_{2^m-1}\) must contain values larger than \(2^n-1\), which contradicts the definition of \(X_{2^m-1}\) as an integer in the range \(\{0,\dots ,2^n-1\}\).

Our Approach: A Non-uniform Polynomial-Time Adversary. When considering schemes that are \(\mathcal {L}_\mathsf {CLWW}\)-secure in the standard computational sense, we cannot take advantage of the fact that \(\varDelta (G^j_1,G^j_2)\le \epsilon \) and apply the reasoning of Cash and Zhang. Instead, we show that if the consequence of the reasoning of Cash and Zhang does not hold (specifically, if the support of \(G^j_1\) does not contain large values), then there exists a polynomial-time test that distinguishes between \(G^j_1\) and \(G^j_2\): Given a sample y from either \(G^j_1\) or \(G^j_2\), our distinguisher checks whether \(y\le t\) for some fixed threshold value \(0\le t \le 2^n-1\).

Then, assuming that the consequence of the reasoning of Cash and Zhang does hold for every step \(1\le j\le m-1\), we can prove via an additional step that either there is a threshold test for distinguishing between \(X_0\) and \(X_{2^m-1}\), or the support of \(X_{2^m-1}\) contains values larger than \(2^n-1\). Since the second case contradicts the definition of \(X_{2^m-1}\) as an integer in the range \(\{0,\ldots ,2^n-1\}\), it must be that the first case holds.

As a result, either there exist \(1\le j\le m-1\) and \(0\le t \le 2^n-1\) such that given ciphertexts \((c_1,c_2)\in \{(X_0,X_{2^{j+1}-1}),(X_{2^j-1},X_{2^j})\}\), the test \(c_1-c_2\le t\) distinguishes between the two cases, or there exists \(0\le t \le 2^n-1\) such that given a ciphertext \(c\in \{X_0,X_{2^m-1}\}\), the test \(c\le t\) distinguishes between the two cases. This translates into a non-uniform polynomial-time adversary that breaks the \(\mathcal {L}_\mathsf {CLWW}\)-security of any given scheme with probability at least \(\epsilon \), where the non-uniform advice specifies which test out of the m possible tests to perform, as well as which threshold value \(0\le t\le 2^n-1\) to use. We refer the reader to Sect. 3 for our proof.

2 Preliminaries

In this section we present the notation and definitions that are used in this work. We denote by \(\lambda \in \mathbb {N}\) the security parameter. For a distribution X we denote by \(x \leftarrow X\) the process of sampling a value x from the distribution X. Similarly, for a set \(\mathcal {X}\) we denote by \(x \leftarrow \mathcal {X}\) the process of sampling a value x from the uniform distribution over \(\mathcal {X}\). A function \(\mathsf {negl}:\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) is negligible if for every constant \(c>0\) there exists an integer \(N_c\) such that \(\mathsf {negl}(n) < n^{-c}\) for all \(n > N_c\). All logarithms in this paper are to the base of 2. The statistical distance between two random variables X and Y over a finite domain \(\varOmega \) is \(\varDelta (X, Y) = \frac{1}{2} \sum _{\omega \in \varOmega } | \Pr [X = \omega ] - \Pr [Y = \omega ]|\).

Order-Preserving Encryption [2, 3]. An order-preserving encryption scheme \(\varPi \) is a pair \((\mathsf {KeyGen},\mathsf {Enc})\) of probabilistic polynomial-time algorithms satisfying the following requirements for parameters \(m=m(\lambda )\) and \(n=n(\lambda )\):

  • The key-generation algorithm \(\mathsf {KeyGen}\) takes as input the security parameter \(\lambda \in \mathbb {N}\) in unary representation and outputs a secret key K.

  • The encryption algorithm \(\mathsf {Enc}\) takes as input a secret key K and a plaintext \(x\in \{0,1\}^m\) interpreted as a numerical value \(0\le x \le 2^m-1\), and outputs a ciphertext \(c\in \{0,1\}^n\) interpreted as a numerical value \(0\le c\le 2^n-1\).

Note that a decryption algorithm is not required by this definition. We say that \(\varPi \) is correct if for all \(\lambda \in \mathbb {N}\) and \(0\le i<j\le 2^{m(\lambda )}-1\) it holds that \(\Pr [\mathsf {Enc}_K(i)<\mathsf {Enc}_K(j)]=1\), where \(K\leftarrow \mathsf {KeyGen}(1^\lambda )\).

Remark. It is also possible to consider a relaxed game-based correctness notion, where a probabilistic polynomial-time adversary (without explicit access to the secret key) should not be able to come up with plaintexts \(0\le i<j\le 2^{m(\lambda )}-1\) such that \(\mathsf {Enc}_K(i)\ge \mathsf {Enc}_K(j)\), except with negligible probability. In Sect. 3, we discuss the effect of such a relaxation on our lower bound.

Security. We prove our lower bound for any scheme that satisfies the following non-adaptive indistinguishability-based security notion. This notion is (tightly) implied by its (stronger) adaptive and/or simulation-based variants, and thus our lower bound applies to those as well.

More concretely, given a scheme \(\varPi = (\mathsf {KeyGen},\mathsf {Enc})\), a leakage function \(\mathcal {L}\), an algorithm \(\mathcal {A}\), a bit \(b\in \{0,1\}\), and a security parameter \(\lambda \), we consider the following experiment.

[Figure a: the experiment \(\mathsf {Ind}^\mathsf {OPE}_{\varPi ,\mathcal {L},\mathcal {A},b}(\lambda )\)]

The advantage of \(\mathcal {A}\) is defined as

$$\begin{aligned} \mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L},\mathcal {A}}(\lambda ) = \left| \Pr [\mathsf {Ind}^\mathsf {OPE}_{\varPi ,\mathcal {L},\mathcal {A},1}(\lambda )=1]-\Pr [\mathsf {Ind}^\mathsf {OPE}_{\varPi ,\mathcal {L},\mathcal {A},0}(\lambda )=1]\right| . \end{aligned}$$

As discussed above, in this paper we consider security with respect to non-uniform polynomial-time adversaries, captured by the following definition:

Definition 2.1

An order-preserving encryption scheme \(\varPi \) is \(\mathcal {L}\)-secure if for every non-uniform polynomial-time algorithm \(\mathcal {A}\) it holds that \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L},\mathcal {A}}(\lambda )\) is negligible.

In this work we consider the leakage function introduced by Chenette et al. [13]:

$$\begin{aligned} \mathcal {L}_\mathsf {CLWW}(x_1,\dots ,x_q)=\{(i,j,\mathsf {ind}_\mathsf {diff}(x_i,x_j), \mathbf {1}(x_i<x_j)) : 1\le i < j \le q \}, \end{aligned}$$

where \(\mathsf {ind}_\mathsf {diff}(x_i,x_j)\in \{1,\dots ,m,\bot \}\) is the index of the most significant bit on which \(x_i\) and \(x_j\) differ (and is set to \(\bot \) if \(x_i=x_j\)), and \(\mathbf {1}(x_i<x_j) \in \{0,1\}\) indicates whether or not \(x_i < x_j\).

3 Our Lower Bound

In this section we prove the following theorem, and then show that it can be extended to schemes without perfect correctness.

Theorem 3.1

Let \(\varPi \) be an order-preserving encryption scheme with plaintext length \(m=m(\lambda )\) bits and ciphertext length \(n=n(\lambda )\) bits, where \(\lambda \in \mathbb {N}\) is the security parameter. Then, there exists a non-uniform polynomial-time adversary \(\mathcal {A}\) such that \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}}(\lambda )\ge 2^{-n/m}\cdot m^{-1}\) for all \(\lambda \in \mathbb {N}\).

Proof

For any \(1\le j(\lambda )\le m(\lambda )-1\) and \(0\le t(\lambda )\le 2^{n(\lambda )}-1\), we define an adversary \(\mathcal {A}_{j,t}\) that participates in the experiment \(\mathsf {Ind}^\mathsf {OPE}_{\varPi ,\mathcal {L},\mathcal {A},b}(\lambda )\) (see Sect. 2) as follows:

[Figure b: the adversary \(\mathcal {A}_{j,t}\)]

Additionally, we define an adversary \(\mathcal {B}_t\) as follows:

[Figure c: the adversary \(\mathcal {B}_t\)]

It is easy to verify that both \(\mathcal {A}_{j,t}\) and \(\mathcal {B}_t\) output plaintext vectors with the same CLWW-leakage, and thus these are valid adversaries.

From this point on we fix a security parameter \(\lambda \in \mathbb {N}\) and omit it for ease of notation. Denoting \(\epsilon =2^{-n/m}\cdot m^{-1}\), we show that either there exist \(1\le j\le m-1\) and \(0\le t\le 2^{n}-1\) such that \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}_{j,t}}\ge \epsilon \) or there exists \(0\le t\le 2^{n}-1\) such that \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {B}_t}\ge \epsilon \). This guarantees that the following non-uniform polynomial-time adversary \(\mathcal {A}\) satisfies \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}}\ge \epsilon \) as claimed: Given non-uniform advice \(j\in \{1,\dots ,m-1,\bot \}\) and \(0\le t\le 2^{n}-1\), if \(j\ne \bot \) then \(\mathcal {A}\) invokes \(\mathcal {A}_{j,t}\), and if \(j=\bot \) it invokes \(\mathcal {B}_t\).

For any \(0\le i\le 2^m-1\) let \(X_i=\mathsf {Enc}_K(i)\) where \(K\leftarrow \mathsf {KeyGen}(1^\lambda )\). Then, by the definition of the above adversaries it holds that

$$\begin{aligned} \mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}_{j,t}}=\left| \Pr [X_{2^j}-X_{2^j-1}\le t]-\Pr [X_{2^{j+1}-1}-X_0\le t]\right| \end{aligned}$$

and

$$\begin{aligned} \mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {B}_t}=\left| \Pr [X_0\le t]-\Pr [X_{2^m-1}\le t]\right| . \end{aligned}$$
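To make these objects concrete, the following Python (added here; it is not part of the paper) implements \(\mathcal {L}_\mathsf {CLWW}\) from Sect. 2, checks the leakage equalities that make \(\mathcal {A}_{j,t}\) and \(\mathcal {B}_t\) valid adversaries, and estimates the advantage of the best threshold test \(\mathcal {A}_{j,t}\) against a toy order-preserving scheme with m = 4 and \(\ell = 3\). The toy scheme (block i is a PRF of the first i-1 plaintext bits plus bit i, HMAC-SHA256 standing in for the PRF, and the PRF range restricted so no block wraps) is our assumption in the spirit of the Chenette et al. construction, not a transcription of their scheme.

```python
import hashlib
import hmac
from collections import Counter

# Toy parameters (constructed for illustration): 4-bit plaintexts, 3-bit blocks,
# so ciphertexts have n = M * ELL = 12 bits and the theorem's epsilon is 2^{-3} / 4.
M = 4
ELL = 3
N = M * ELL
EPSILON = 2 ** (-N / M) / M


def ind_diff(x, y, m=M):
    """Index (1 = most significant) of the first bit on which x and y differ,
    or None (the paper's bottom symbol) when x == y."""
    for i in range(1, m + 1):
        shift = m - i
        if (x >> shift) & 1 != (y >> shift) & 1:
            return i
    return None


def clww_leakage(xs, m=M):
    """L_CLWW(x_1, ..., x_q): the set of (i, j, ind_diff, 1(x_i < x_j)) over i < j."""
    return {
        (i + 1, j + 1, ind_diff(xs[i], xs[j], m), int(xs[i] < xs[j]))
        for i in range(len(xs))
        for j in range(i + 1, len(xs))
    }


def prf(key, prefix, ell=ELL):
    """Stand-in PRF F_K(prefix) -> [0, 2^ell - 2] (assumption: HMAC-SHA256 reduced
    modulo 2^ell - 1). Leaving the top value free means adding a plaintext bit
    never wraps a block, which is what gives the toy scheme perfect correctness."""
    digest = hmac.new(key, prefix.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (2 ** ell - 1)


def enc(key, x, m=M, ell=ELL):
    """Toy OPE (our assumption, not the paper's code): block i is
    F_K(x_1..x_{i-1}) + x_i; the m blocks are concatenated most-significant-first
    into an n = m * ell bit ciphertext."""
    bits = format(x, f"0{m}b")
    c = 0
    for i, b in enumerate(bits):
        c = (c << ell) | (prf(key, bits[:i], ell) + int(b))
    return c


def is_order_preserving(key, m=M):
    """Check Enc_K(i) < Enc_K(j) for every 0 <= i < j <= 2^m - 1 under one key."""
    cts = [enc(key, x, m) for x in range(2 ** m)]
    return all(a < b for a, b in zip(cts, cts[1:]))


def leakage_pairs_match(m=M):
    """The observation behind A_{j,t} and B_t: L_CLWW(0, 2^{j+1}-1) equals
    L_CLWW(2^j-1, 2^j) for every 1 <= j <= m-1, and L_CLWW(0) equals L_CLWW(2^m-1)."""
    pairs = all(
        clww_leakage([0, 2 ** (j + 1) - 1], m) == clww_leakage([2 ** j - 1, 2 ** j], m)
        for j in range(1, m)
    )
    return pairs and clww_leakage([0], m) == clww_leakage([2 ** m - 1], m)


def best_threshold_advantage(j, keys, m=M, n=N):
    """max over t of |Pr[X_{2^j} - X_{2^j-1} <= t] - Pr[X_{2^{j+1}-1} - X_0 <= t]|,
    estimated over the given keys: the advantage of the best A_{j,t} for this j."""
    g2 = Counter(enc(k, 2 ** j, m) - enc(k, 2 ** j - 1, m) for k in keys)
    g1 = Counter(enc(k, 2 ** (j + 1) - 1, m) - enc(k, 0, m) for k in keys)
    best, cdf2, cdf1 = 0.0, 0, 0
    for t in range(2 ** n):            # sweep every threshold 0 <= t <= 2^n - 1
        cdf2 += g2[t]
        cdf1 += g1[t]
        best = max(best, abs(cdf2 - cdf1) / len(keys))
    return best


def sample_keys(count):
    """Deterministic stand-in for K <- KeyGen(1^lambda): constructed sample keys."""
    return [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(count)]


if __name__ == "__main__":
    keys = sample_keys(2000)
    print("order preserving on sampled keys:", all(is_order_preserving(k) for k in keys[:50]))
    print("leakage pairs match:", leakage_pairs_match())
    for j in range(1, M):
        adv = best_threshold_advantage(j, keys)
        print(f"j={j}: best threshold-test advantage ~ {adv:.3f} (theorem's epsilon = {EPSILON:.4f})")
```

With blocks this short the estimated advantage is well above the theorem's \(\epsilon = 2^{-3}/4\), as expected from a lower bound; raising \(\ell \) shrinks it, which is the ciphertext-expansion trade-off the paper quantifies.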

For a parameter \(1\le j\le m-1\), consider the following property:

[Figure d: the definition of \(\mathsf {Property}(j)\)]

We proceed to consider three cases, according to what values \(1\le j\le m-1\) (if any) satisfy \(\mathsf {Property}(j)\).

Case I: \(\mathsf {Property}(1)\) does not hold. In this case we rely on the following lemma, which we prove in Sect. 4.

Lemma 3.2

Let \((X,Y)\) be jointly distributed random variables, taking values in \(\mathbb {Z}_{\ge 0}\), such that \(X>Y\), and let \(\epsilon \ge 0\). Then, at least one of the following must hold:

  1. For every \(t\in \mathbb {Z}_{\ge 0}\) it holds that \(\Pr [X\le t]\le t\cdot \epsilon \).

  2. There exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \).

Observing that \(X_3-X_0>X_2-X_1\) and applying Lemma 3.2 for \(X=X_3-X_0\) and \(Y=X_2-X_1\), since \(\mathsf {Property}(1)\) does not hold the second case of the lemma must hold. That is, there exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [X_2-X_1\le t]-\Pr [X_3-X_0\le t]\ge \epsilon \), and so \(\mathcal {A}_{1,t}\) is an adversary with an advantage of at least \(\epsilon \).

Case II: \(\mathsf {Property}(m-1)\) holds. In this case we rely on the following lemma, which we prove in Sect. 4.

Lemma 3.3

Let \((X,Y)\) be jointly distributed random variables, taking values in \(\mathbb {Z}_{\ge 0}\), such that \(X\ge Y\). Suppose there exist \(i\in \mathbb {N}\) and \(\epsilon \ge 0\) such that for every \(k\in \mathbb {Z}_{\ge 0}\) it holds that \(\Pr [X\le Y+k]\le (k\cdot i!)^{1/i}\cdot \epsilon \). Then, at least one of the following must hold:

  1. For every \(t\in \mathbb {Z}_{\ge 0}\) it holds that \( \Pr [X\le t]\le (t\cdot (i+1)!)^{1/(i+1)}\cdot \epsilon \).

  2. There exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \).

Applying Lemma 3.3 for \(X=X_{2^m-1}\) and \(Y=X_0\), the conditions hold since \(X_{2^m-1}\ge X_0\) and \(\mathsf {Property}(m-1)\) holds, and we obtain that either there exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [X_0\le t]-\Pr [X_{2^m-1}\le t]\ge \epsilon \), or for every \(t\in \mathbb {Z}_{\ge 0}\) it holds that \(\Pr [X_{2^m-1}\le t]\le (t\cdot {m}!)^{1/m}\cdot \epsilon \). In the first case we get that \(\mathcal {B}_t\) is an adversary with an advantage of at least \(\epsilon \). In the second case, for \(t=2^n-1\) we get that \(1=\Pr [X_{2^m-1}\le 2^n-1]<(2^n\cdot {m}!)^{1/m}\cdot \epsilon \). But then, using the bound \(m!\le m^m\) which holds for every positive m, we obtain that

$$\begin{aligned} \epsilon> & {} 2^{-n/m} \cdot (m!)^{-1/m} \\\ge & {} 2^{-n/m} \cdot m^{-1}, \end{aligned}$$

which contradicts our definition of \(\epsilon \).

Case III: \(\mathsf {Property}(1)\) holds but \(\mathsf {Property}(m-1)\) does not hold. In this case let \(2\le j\le m-1\) be the smallest j for which \(\mathsf {Property}(j)\) does not hold. Observing that \(X_{2^{j+1}-1}-X_0\ge (X_{2^j}-X_{2^j-1})+(X_{2^j-1}-X_0)\) and applying Lemma 3.3 for \(X=X_{2^{j+1}-1}-X_0\) and \(Y=X_{2^j}-X_{2^j-1}\), the conditions hold since \(\mathsf {Property}(j-1)\) holds, and since \(\mathsf {Property}(j)\) does not hold, the second case of the lemma must hold. That is, there exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \), so \(\mathcal {A}_{j,t}\) is an adversary with an advantage of at least \(\epsilon \).    \(\blacksquare \)

Extending the Proof to Schemes Without Perfect Correctness. We note that our lower bound is only based on the correctness of the scheme with respect to a polynomial number of pairs of plaintexts, that is, all pairs of plaintexts from the set \(\{2^j:1\le j\le m(\lambda )-1\}\cup \{2^j-1:0\le j\le m(\lambda )\}\). Therefore, even for a scheme that satisfies a relaxed game-based correctness notion, it must hold that the scheme is correct for all those pairs of plaintexts with probability \(1-\mathsf {negl}(\lambda )\), where \(\mathsf {negl}\) is a fixed negligible function. Hence, similarly to Theorem 3.1, there must exist a non-uniform polynomial-time adversary \(\mathcal {A}\) such that \(\mathsf {Adv}^\mathsf {OPE}_{\varPi ,\mathcal {L}_\mathsf {CLWW},\mathcal {A}}(\lambda )\ge 2^{-n/m}\cdot m^{-1}-\mathsf {negl}(\lambda )\) for all \(\lambda \in \mathbb {N}\).

4 Proofs of Lemma 3.2 and Lemma 3.3

We restate and prove Lemma 3.2.

Lemma 3.2. Let \((X,Y)\) be jointly distributed random variables, taking values in \(\mathbb {Z}_{\ge 0}\), such that \(X>Y\), and let \(\epsilon \ge 0\). Then, at least one of the following must hold:

  1. For every \(t\in \mathbb {Z}_{\ge 0}\) it holds that \(\Pr [X\le t]\le t\cdot \epsilon \).

  2. There exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \).

Proof

Assume that there exists \(t\in \mathbb {N}\) such that \(\Pr [X\le t]> t\cdot \epsilon \) (the case \(t=0\) is impossible since then \(Y<0\)), and let \(t_0\) be the first such t. Then, it holds that \(\Pr [X\le t_0-1]\le (t_0-1)\cdot \epsilon \), but \(\Pr [Y\le t_0-1]\ge \Pr [X\le t_0]>t_0\cdot \epsilon \), so it holds that \(\Pr [Y\le t_0-1]-\Pr [X\le t_0-1]\ge \epsilon \).    \(\blacksquare \)

Next, we restate and prove Lemma 3.3.

Lemma 3.3. Let \((X,Y)\) be jointly distributed random variables, taking values in \(\mathbb {Z}_{\ge 0}\), such that \(X\ge Y\). Suppose there exist \(i\in \mathbb {N}\) and \(\epsilon \ge 0\) such that for every \(k\in \mathbb {Z}_{\ge 0}\) it holds that \(\Pr [X\le Y+k]\le (k\cdot i!)^{1/i}\cdot \epsilon \). Then, at least one of the following must hold:

  1. For every \(t\in \mathbb {Z}_{\ge 0}\) it holds that \( \Pr [X\le t]\le (t\cdot (i+1)!)^{1/(i+1)}\cdot \epsilon \).

  2. There exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \).

Proof

We make use of the following lemma.

Lemma 4.1

Let \((X,Y)\) be jointly distributed random variables, taking values in \(\mathbb {Z}_{\ge 0}\), such that \(X\ge Y\), and let \(\epsilon \ge 0\). Then, at least one of the following must hold:

  1. For every \(t\in \mathbb {Z}_{\ge 0}\) and (possibly non-integer) \(s>0\) it holds that

    $$\begin{aligned} \Pr [X\le t]\le \frac{t}{s}\cdot \epsilon +\frac{1}{s}\intop _0^s\Pr [X\le Y+k]dk. \end{aligned}$$

  2. There exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \).

Assume for now the correctness of Lemma 4.1. We obtain that either there exists \(t\in \mathbb {Z}_{\ge 0}\) such that \(\Pr [Y\le t]-\Pr [X\le t]\ge \epsilon \), or that for every \(t\in \mathbb {Z}_{\ge 0}\) it holds that

$$\begin{aligned} \Pr [X\le t]\le & {} \frac{t}{s}\cdot \epsilon +\frac{1}{s}\intop _0^s\Pr [X\le Y+k]dk \\\le & {} \frac{t}{s}\cdot \epsilon +\frac{1}{s}\intop _0^s(k\cdot i!)^{1/i}\cdot \epsilon dk \\= & {} \left( \frac{t}{s}+\frac{i}{i+1}(s\cdot i!)^{1/i}\right) \cdot \epsilon , \end{aligned}$$

and by choosing \(s=(i+1)/(i+1)!^{1/\left( i+1\right) }\cdot t^{i/(i+1)}\) (which minimizes the above term), we obtain that \(\Pr [X\le t]\le (t\cdot (i+1)!)^{1/(i+1)}\cdot \epsilon \) as claimed.    \(\blacksquare \)

We now prove Lemma 4.1.

Proof of Lemma 4.1

First, for \(t=0\) it always holds that

$$\begin{aligned} \Pr [X\le 0]\le & {} \Pr [X\le Y] \\= & {} \frac{1}{s}\intop _0^s\Pr [X\le Y]dk \\\le & {} \frac{1}{s}\intop _0^s\Pr [X\le Y+k]dk. \end{aligned}$$

Now, for every \(t\in \mathbb {N}\) we show that either it holds that

$$\begin{aligned} \Pr [X\le t]\le \frac{t}{s}\cdot \epsilon +\frac{1}{s}\intop _0^s\Pr [X\le Y+k]dk, \end{aligned}$$

or there exists \(0\le k<t\) such that \(\Pr [Y\le k]-\Pr [X\le k]\ge \epsilon \). We define the random variables \((W,Z)\) as follows:

$$\begin{aligned} (W,Z)={\left\{ \begin{array}{ll} (X,Y) &{} X \le t\\ (0,0) &{} X > t . \end{array}\right. } \end{aligned}$$

We bound \(\mathbb {E}(W-Z)\) both from above and below. For the lower bound, it holds that

$$\begin{aligned} \mathbb {E}(W-Z)= & {} \sum _{k=0}^{t} k\cdot \Pr [X=Y+k, X\le t] \\\ge & {} s\cdot \sum _{k=0}^{t}\Pr [X=Y+k, X\le t] - \sum _{k=0}^{\lfloor s\rfloor }(s-k)\cdot \Pr [X=Y+k,X\le t]\\\ge & {} s\cdot \Pr [X\le t]- \sum _{k=0}^{\lfloor s\rfloor }(s-k)\cdot \Pr [X=Y+k] \\= & {} s\cdot \Pr [X\le t]- \intop _{0}^{s}\Pr [X\le Y+\lfloor k\rfloor ]dk \\= & {} s\cdot \Pr [X\le t]- \intop _{0}^{s}\Pr [X\le Y+k]dk. \end{aligned}$$

For the upper bound, we make use of the following lemma (a similar lemma appears in [14]).

Lemma 4.2

Let \((W,Z)\) be jointly distributed random variables, taking values in \(\{0,\dots ,t\}\). Then, there exists \(0\le k<t\) such that \(\Pr [Z\le k]-\Pr [W\le k]\ge \mathbb {E}(W-Z)/t\).

Assume for now the correctness of Lemma 4.2. We obtain that there exists \(0\le k< t\) such that \(\Pr [Z\le k]-\Pr [W\le k]\ge \mathbb {E}(W-Z)/t\). Note that

$$\begin{aligned} \Pr [Z\le k]-\Pr [W\le k]=\Pr [Y\le k,X\le t]-\Pr [X\le k]\le \Pr [Y\le k]-\Pr [X\le k] . \end{aligned}$$

If \(\Pr [Y\le k]-\Pr [X\le k]\ge \epsilon \) then we are done. Otherwise, it holds that

$$\begin{aligned} t\cdot \epsilon > s\cdot \Pr [X\le t]- \intop _{0}^{s}\Pr [X\le Y+k]dk, \end{aligned}$$

and the lemma follows.    \(\blacksquare \)

We finish by proving Lemma 4.2.

Proof of Lemma 4.2

It holds that

$$\begin{aligned} \mathbb {E}(W-Z)= & {} \mathbb {E}W-\mathbb {E}Z \\= & {} \sum _{k=1}^{t} \Pr [W\ge k]-\sum _{k=1}^{t}\Pr [Z\ge k] \\= & {} \sum _{k=1}^{t} \left( 1-\Pr [W<k]\right) -\sum _{k=1}^{t}\left( 1-\Pr [Z<k]\right) \\= & {} \sum _{k=0}^{t-1} \left( \Pr [Z\le k]-\Pr [W\le k]\right) . \end{aligned}$$

Hence, there exists \(0\le k< t\) such that \(\Pr [Z\le k]-\Pr [W\le k]\ge \mathbb {E}(W-Z)/t\) as claimed.