Efficient Secure Computation of Order-Preserving Encryption

Order-preserving encryption (OPE) allows encrypting data, while still enabling efficient range queries on the encrypted data. Moreover, it does not require any change to the database management system, which makes OPE schemes very suitable for data outsourcing with threats from weak adversaries. However, all OPE schemes are necessarily symmetric limiting the use case to one client and one server. Imagine a scenario where a Data Owner (DO) outsources encrypted data to the Cloud Service Provider (CSP) and a Data Analyst (DA) wants to execute private range queries on this data. Then either the DO must reveal its encryption key or the DA must reveal the private queries. In this paper, we overcome this limitation by allowing the equivalent of a public-key OPE. We present a secure multiparty protocol that enables secure range queries for multiple users. In this scheme, the DA cooperates with the DO and the CSP in order to order-preserving encrypt the private range queries without revealing any other information to the parties. The basic idea of our scheme is to replace encryption with a secure, interactive protocol. In this protocol, we combine OPE based on binary search trees with homomorphic encryption and garbled circuits (GC) achieving security against passive adversaries with sublinear communication and computation complexity. We apply our construction to different OPE schemes including frequency-hiding OPE and OPE based on an efficiently searchable encrypted data structure which can withstand many of the popularized attacks on OPE. We implemented our scheme and observed that if the database size of the DO has 1 million entries it takes only about 0.3 s on average via a loopback interface (1.3 s via a LAN and 15.6 s via a WAN with about 200 ms round-trip time) to encrypt an input of the DA. Moreover, while the related work has an overhead of 10 to 100 seconds compared to a plaintext MySQL range query on a database with 10 million entries, our scheme has an overhead of only 360 milliseconds.