in sensor networks [30] and as a tool for applying signal processing techniques to multimedia content protection [13]. Yet a cryptographic study of OPE in the provable-security tradition never appeared. Our work aims to begin to remedy this situation.

Related Work. Our work extends a recent line of research in the cryptographic community addressing efficient (sub-linear time) search on encrypted data, which has been addressed by [2] in the symmetric-key setting and [6, 10, 7] in the public-key setting. However, these works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query types that are used in practice (e.g. range queries) has remained open. The work of [24] suggested enabling efficient range queries on encrypted data not by using OPE but so-called prefix-preserving encryption (PPE) [31, 5]. Unfortunately, as discussed in [24, 2], PPE schemes are subject to certain attacks in this context; particular queries can completely reveal some of the underlying plaintexts in the database. Moreover, their use necessitates specialized data structures and query formats, which practitioners would prefer to avoid. Allowing range queries on encrypted data in the public-key setting was studied in [11, 28]. While their schemes provably provide strong security, they are not efficient in our setting, requiring a scan of the whole database on every query. Finally, we clarify that [1], in addition to suggesting the OPE primitive, does provide a construction. However, the construction is rather ad-hoc and has certain limitations, namely its encryption algorithm must take as input all the plaintexts in the database. It is not always practical to assume that users know all these plaintexts in advance, so a stateless scheme whose encryption algorithm can process single plaintexts on the fly is preferable. Moreover, [1] does not define security nor provide any formal security analysis.

Defining security of OPE. Our first goal is to devise a rigorous definition of security that OPE schemes should satisfy. Of course, such schemes cannot satisfy all the standard notions of security, such as indistinguishability against chosen-plaintext attack (IND-CPA), as they are not only deterministic, but also leak the order-relations among the plaintexts. So, although we cannot target the strongest security level, we want to define the best possible security under the order-preserving constraint that the target applications require. (Such an approach was taken previously in the case of deterministic public-key encryption [6, 10, 7], on-line ciphers [5], and deterministic authenticated encryption [27].)

Weakening IND-CPA. One approach is to try to weaken the IND-CPA definition appropriately. Indeed, in the case of deterministic symmetric encryption this was done by [8], which formalizes a notion called indistinguishability under distinct chosen-plaintext attack or IND-DCPA. (The notion was subsequently applied to MACs in [4].) Since deterministic encryption leaks equality of plaintexts, they restrict the adversary in the IND-CPA experiment to make queries to its left-right-encryption-oracle of the form $(x^1_0, x^1_1), \ldots, (x^q_0, x^q_1)$ such that $x^1_0, \ldots, x^q_0$ are all distinct and $x^1_1, \ldots, x^q_1$ are all distinct. We generalize this to a notion we call indistinguishability under ordered chosen-plaintext attack or IND-OCPA, asking these sequences instead to satisfy the same order relations. (See Section 3.2.) Surprisingly, we go on to show that this plausible-looking definition is not very useful for us, because it cannot be achieved by an OPE scheme unless the size of its ciphertext-space is exponential in the size of its plaintext-space.

An alternative approach. Instead of trying to further restrict the adversary in the IND-OCPA definition, we turn to an approach along the lines of pseudorandom functions (PRFs) or permutations (PRPs), requiring that no adversary can distinguish between oracle access to the encryption algorithm of the scheme or a corresponding "ideal" object. In our case the latter is a random order-preserving
of random coins it needs varies during the binary search, and also because such a construction seems useful in general, it should be both variable input-length (VIL) and variable output-length, which we call a length-flexible (LF)-PRF. We propose a generic construction of an LF-PRF from a VIL-PRF and a (keyless) VOL-PRG (pseudorandom generator). Efficient blockcipher-based VIL-PRFs are known, and we suggest a highly efficient blockcipher-based VOL-PRG that is apparently folklore. POPF-CCA security of the resulting OPE scheme can then be easily proved assuming only standard security (pseudorandomness) of an underlying blockcipher.

Switching from NHG to HG. Finally, our scheme needs an efficient sampling algorithm for the NHG distribution. Unfortunately, the existence of such an algorithm seems open. It is known that NHG can be approximated by the negative binomial distribution [26], which in turn can be sampled efficiently [16, 14], and that the approximation improves as $M$ and $N$ grow. However, quantifying the quality of approximation for fixed parameters seems difficult. Instead, we turn to a related probability distribution, namely the hypergeometric (HG) distribution, for which a very efficient exact (not approximated) sampling algorithm is known [22, 23]. In our balls-and-bins model with $M$ black and $N - M$ white balls, the random variable $X$ specifying the number of black balls in our sample as soon as $y$ balls are picked follows the HG distribution. The scheme based on this distribution, which is the one described in the body of the paper, is rather more involved, but nearly as efficient: instead of $O(\log M) \cdot T_{\mathrm{NHGD}}$ running-time it is $O(\log N) \cdot T_{\mathrm{HGD}}$ (where $T_{\mathrm{NHGD}}, T_{\mathrm{HGD}}$ are the running-times of the sampling algorithms for the respective distributions), but we show that it is $O(\log M) \cdot T_{\mathrm{HGD}}$ on average. We note that the hypergeometric distribution was also used in [19] for sampling pseudorandom permutations and constructing blockciphers for short inputs. The authors of [19] were unaware of the efficient sampling algorithms for HG [22, 23] and provided their own realizations based on general sampling methods.

Discussion. It is important to realize that the "ideal" object in our POPF-CCA definition (a random order-preserving function), and correspondingly our OPE construction meeting it, inherently leak some information about the underlying plaintexts. Characterizing this leakage is an important next step in the study of OPE but is outside the scope of our current paper. (Although we mention that our "big-jump attack" of Theorem 3.1 may provide some insight in this regard.) The point is that practitioners have indicated their desire to use OPE schemes in order to achieve efficient range queries on encrypted data and are willing to live with its security limitations. In response, we provide a scheme meeting what we believe to be a "best-possible" security notion for OPE. This belief can be justified by noting that it is usually the case that a security notion for a cryptographic object is met by a "random" one (which is sometimes built directly into the definition, as in the case of PRFs and PRPs). But before one fully understands how the security properties of the ideal object, a random order-preserving function, fit the security needs of applications, we do not recommend the practical use of our construction.

On a more general primitive. To allow efficient range queries on encrypted data, it is sufficient to have an order-preserving hash function family $H$ (not necessarily invertible). The overall OPE scheme would then have secret key $(K_{\mathrm{Enc}}, K_H)$ where $K_{\mathrm{Enc}}$ is a key for a normal (randomized) encryption scheme and $K_H$ is a key for $H$, and the encryption of $x$ would be $\mathrm{Enc}(K_{\mathrm{Enc}}, x) \,\|\, H(K_H, x)$ (cf. efficiently searchable encryption (ESE) in [6]). Our security notion (in the CPA case) can also be applied to such $H$. In fact, there has been some work on hash functions that are order-preserving or have some related properties [25, 15, 20]. But none of these works are concerned with security in any sense. Since our

We require that each query $(m_0, m_1)$ that $A$ makes to its oracle satisfies $|m_0| = |m_1|$. For an adversary $A$, define its ind-cpa advantage against $\mathcal{SE}$ as
$$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(A) = \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cpa\text{-}1}}_{\mathcal{SE}}(A) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cpa\text{-}0}}_{\mathcal{SE}}(A) = 1\big].$$

Pseudorandom functions (PRFs). A family of functions is a map $F : \mathrm{Keys} \times D \to \{0,1\}^{\ell}$, where for each key $K \in \mathrm{Keys}$ the map $F(K, \cdot) : D \to \{0,1\}^{\ell}$ is a function. We refer to $F(K, \cdot)$ as an instance of $F$. For an adversary $A$, its prf-advantage against $F$, $\mathbf{Adv}^{\mathrm{prf}}_F(A)$, is defined as
$$\Pr\big[K \stackrel{\$}{\leftarrow} \mathrm{Keys} : A^{F(K,\cdot)} = 1\big] - \Pr\big[f \stackrel{\$}{\leftarrow} \mathrm{Func}_{D,\{0,1\}^{\ell}} : A^{f(\cdot)} = 1\big],$$
where $\mathrm{Func}_{D,\{0,1\}^{\ell}}$ denotes the set of all functions from $D$ to $\{0,1\}^{\ell}$.

3 OPE and its Security

3.1 Order-Preserving Encryption (OPE)

We are interested in deterministic encryption schemes that preserve numerical ordering on their plaintext-space. Let us define what we mean by this. For $A, B \subseteq \mathbb{N}$ with $|A| \le |B|$, a function $f : A \to B$ is order-preserving (aka. strictly-increasing) if for all $i, j \in A$, $f(i) < f(j)$ iff $i < j$. We say that deterministic encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathrm{Enc}, \mathrm{Dec})$ with plaintext and ciphertext-spaces $D, R$ is order-preserving if $\mathrm{Enc}(K, \cdot)$ is an order-preserving function from $D$ to $R$ for all $K$ output by $\mathcal{K}$ (with elements of $D, R$ interpreted as numbers, encoded as strings). Unless otherwise stated, we assume the plaintext-space is $[M]$ and the ciphertext-space is $[N]$ for some $N \ge M \in \mathbb{N}$.

3.2 Security of OPE

A first try. Security of deterministic symmetric encryption was introduced in [8], as a notion they call security under distinct chosen-plaintext attack (IND-DCPA). (It will not be important to consider CCA now.) The idea is that because deterministic encryption leaks plaintext equality, the adversary $A$ in the IND-CPA experiment defined in Section 2 is restricted to make only distinct queries on either side of its oracle (as otherwise there is a trivial attack). That is, supposing $A$ makes queries $(m^1_0, m^1_1), \ldots, (m^q_0, m^q_1)$, they require that $m^1_b, \ldots, m^q_b$ are all distinct for $b \in \{0,1\}$. Noting that any OPE scheme analogously leaks the order relations among the plaintexts, let us first try generalizing the above approach to take this into account. Namely, let us further require the above queries made by $A$ to satisfy $m^i_0 < m^j_0$ iff $m^i_1 < m^j_1$ for all $1 \le i, j \le q$. We call such an $A$ an IND-OCPA adversary, for indistinguishability under ordered chosen-plaintext attack.

IND-OCPA is not useful. Defining an IND-OCPA adversary seems like a plausible way to analyze security for OPE. Surprisingly, it turns out not to be too useful for us. Below, we show that IND-OCPA is unachievable by a practical order-preserving encryption scheme, in that an OPE scheme cannot be IND-OCPA unless its ciphertext-space is extremely large (exponential in the size of the plaintext-space).

Theorem 3.1 Let $\mathcal{SE} = (\mathcal{K}, \mathrm{Enc}, \mathrm{Dec})$ be an order-preserving encryption scheme with plaintext-space $[M]$ and ciphertext-space $[N]$ for $M, N \in \mathbb{N}$ such that $2^{k-1} < N \le 2^k$ for some $k \in \mathbb{N}$. Then there
The reason is that $m$ is picked independently at random and if $b = 1$ then $A$ outputs 1 just when $m + 1$ is not a big reverse-jump of $\mathrm{Enc}(K, \cdot)$, and since $N \le 2^k$ we know that $\mathrm{Enc}(K, \cdot)$ has at most $k$ big reverse-jumps by Lemma 3.2. Similarly, $\Pr[\mathbf{Exp}^{\mathrm{ind\text{-}ocpa\text{-}0}}_{\mathcal{SE}}(A) = 1] \le \frac{k}{M-1}$ because if $b = 0$ then $A$ outputs 1 just when $m$ is a big jump of $\mathrm{Enc}(K, \cdot)$, and since $N \le 2^k$ we know that $\mathrm{Enc}(K, \cdot)$ has at most $k$ big jumps by Lemma 3.2. Subtracting yields the theorem. Note that $A$ only needs to pick a random element of $[M]$ and do basic operations on elements of $[N]$, which is $O(\log N)$ as claimed.

Discussion. The adversary in the proof of Theorem 3.1 uses what we call the "big-jump attack" to distinguish between ciphertexts of messages that are "very close" and "far apart." The attack shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering, namely some information about their relative distances. We return to this point later.

An alternative approach. Instead, we take the approach used in defining security e.g. of PRPs [17] or on-line PRPs [5], where one asks that oracle access to the function in question be indistinguishable from access to the corresponding "ideal" random object, e.g. a random permutation or a random on-line permutation. As order-preserving functions are injective, we consider the "strong" version of such a definition where an inverse oracle is also given.

POPF-CCA. Fix an order-preserving encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathrm{Enc}, \mathrm{Dec})$ with plaintext-space $D$ and ciphertext-space $R$, $|D| \le |R|$. For an adversary $A$ against $\mathcal{SE}$, define its popf-cca-advantage (or pseudorandom order-preserving function advantage under chosen-ciphertext attack), $\mathbf{Adv}^{\mathrm{popf\text{-}cca}}_{\mathcal{SE}}(A)$, against $\mathcal{SE}$ as
$$\Pr\big[K \stackrel{\$}{\leftarrow} \mathcal{K} : A^{\mathrm{Enc}(K,\cdot),\,\mathrm{Dec}(K,\cdot)} = 1\big] - \Pr\big[g \stackrel{\$}{\leftarrow} \mathrm{OPF}_{D,R} : A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big],$$
where $\mathrm{OPF}_{D,R}$ denotes the set of all order-preserving functions from $D$ to $R$.

Lazy sampling. Now in order for this notion to be useful, i.e. to be able to show that a scheme achieves it, we also need a way to implement $A$'s oracles in the "ideal" experiment efficiently. In other words, we need to show how to "lazy sample" (a term from [9]) a random order-preserving function and its inverse.¹ As shown in [9], lazy sampling of "exotic" functions with many constraints can be tricky. In the case of a random order-preserving function, it turns out that straightforward procedures, which assign a random point in the range to a queried domain point, subject to the obvious remaining constraints, do not work (that is, the resulting function is not uniformly distributed over the set of all such functions). So how can we lazy sample such a function, if it is possible at all? We address this issue next.

A caveat. Before proceeding, we note that a shortcoming of our POPF-CCA notion is that it does not lead to a nice answer to the question of what information about the data is leaked by a secure OPE scheme, but only reduces this to the question of what information the "ideal object" (a random order-preserving function) leaks. Although practitioners have indicated that they are willing to live with

¹ For example, in the case of a random function from the set of all functions one can simply assign a random point from the range to each new point queried from the domain. In the case of a random permutation, the former can be chosen from the set of all previously unassigned points in the range, and lazy sampling of its inverse can be done similarly. A lazy sampling procedure for a random on-line PRP and its inverse via a tree-based characterization was given in [5].
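The claim above, that the obvious lazy-sampling procedure does not produce a uniformly random order-preserving function, can be checked exactly for small parameters. The following is an added example and not code from the paper. It models the "straightforward" procedure as querying the domain points $1, \ldots, M$ in increasing order and drawing each $f(m)$ uniformly from the range points that still leave room for the remaining domain points (this reading of "straightforward" is an assumption; other natural variants fail the same way), computes the resulting distribution over $\mathrm{OPF}_{[M],[N]}$ with exact rational arithmetic, and compares it with the uniform distribution, under which every one of the $\binom{N}{M}$ functions has probability $1/\binom{N}{M}$.

```python
"""Exact check that the 'obvious' lazy sampler for a random order-preserving
function f:[M]->[N] is not uniform over OPF_{[M],[N]}.  Added example, not
the paper's code.  Assumed naive procedure: domain points are queried in
increasing order and f(m) is drawn uniformly among the range points that
exceed f(m-1) and still leave room for the M-m remaining domain points."""
from fractions import Fraction
from math import comb


def naive_distribution(M, N):
    """Return {f: exact probability}, with f written as (f(1), ..., f(M))."""
    dist = {}

    def rec(m, prev, prefix, prob):
        if m > M:
            dist[prefix] = dist.get(prefix, Fraction(0)) + prob
            return
        lo, hi = prev + 1, N - (M - m)  # keep room for the remaining points
        for c in range(lo, hi + 1):
            rec(m + 1, c, prefix + (c,), prob / (hi - lo + 1))

    rec(1, 0, (), Fraction(1))
    return dist


def uniform_probability(M, N):
    """Probability of any single f under the uniform distribution on OPF."""
    return Fraction(1, comb(N, M))


def statistical_distance_from_uniform(M, N):
    """Total variation distance between the naive sampler's output
    distribution and a uniformly random order-preserving function."""
    u = uniform_probability(M, N)
    return sum(abs(p - u) for p in naive_distribution(M, N).values()) / 2


if __name__ == "__main__":
    for f, p in sorted(naive_distribution(2, 4).items()):
        print(f, p, "   uniform would be", uniform_probability(2, 4))
    print("TV distance M=2,N=4:", statistical_distance_from_uniform(2, 4))
    print("TV distance M=4,N=8:", statistical_distance_from_uniform(4, 8))
```

For $M = 2$, $N = 4$ the function $(3, 4)$ comes out with probability $1/3$ and $(1, 2)$ with probability $1/9$, against $1/6$ for each of the six functions in $\mathrm{OPF}_{[2],[4]}$; the total variation distance from uniform is $1/6$. Functions that crowd their images toward the top of the range are over-represented because the sampler never accounts for how many order-preserving completions each early choice leaves open, which is exactly what the hypergeometric counting in the next section fixes.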
we pick is black then the least unmapped point in the domain is mapped to $y$ under $f$. Of course, this experiment is too inefficient to be performed directly. But we will use the hypergeometric distribution to design procedures that efficiently and recursively lazy sample a random order-preserving function and its inverse.

4.2 The LazySample Algorithms

Here we give our algorithms LazySample, LazySampleInv that lazy sample a random order-preserving function from domain $D$ to range $R$, $|D| \le |R|$, and its inverse, respectively. The algorithms share and maintain joint state. We assume that both $D$ and $R$ are sets of consecutive integers.

Two subroutines. Our algorithms make use of two subroutines. The first, denoted HGD, takes inputs $D, R$, and $y \in R$ to return $x \in D$ such that for each $x^* \in D$ we have $x = x^*$ with probability $P_{\mathrm{HGD}}(x^* - d;\, |R|, |D|, y - r)$ over the coins of HGD, where $d = \min(D) - 1$ and $r = \min(R) - 1$. (Efficient algorithms for this exist, and we discuss them in Section 4.5.) The second, denoted GetCoins, takes inputs $1^{\ell}$, $D$, $R$, and $b \,\|\, z$, where $b \in \{0,1\}$ and $z \in R$ if $b = 0$ and $z \in D$ otherwise, to return $cc \in \{0,1\}^{\ell}$.

The algorithms. To define our algorithms, let us denote by $w \stackrel{cc}{\leftarrow} S$ that $w$ is assigned a value sampled uniformly at random from set $S$ using coins $cc$ of length $\ell_S$, where $\ell_S$ denotes the number of coins needed to do so. Let $\ell_1 = \ell(D, R, y)$ denote the number of coins needed by HGD on inputs $D, R, y$. Our algorithms are given in Figure 1. Note that the arrays $F, I$, initially empty, are global and shared between the algorithms; also, for now, think of GetCoins as returning fresh random coins. We later implement it by using a PRF on the same parameters to eliminate the joint state.

Overview. To determine the image of input $m$, LazySample employs a strategy of mapping "range gaps" to "domain gaps" in a recursive, binary search manner. By "range gap" or "domain gap," we mean an imaginary barrier between two consecutive points in the range or domain, respectively. When run, the algorithm first maps the middle range gap $y$ (the gap between the middle two range points) to a domain gap. To determine the mapping, on line 11 it sets, according to the hypergeometric distribution, how many points in $D$ are mapped up to range point $y$ and stores this value in array $I$. (In the future the array is referenced instead of choosing this value anew.) Thus we have that $f(x) \le y < f(x + 1)$ (cf. Equation (1)), where $x = d + I[D, R, y]$ as computed on line 12. So, we can view the range gap between $y$ and $y + 1$ as having been mapped to the domain gap between $x$ and $x + 1$. If the input domain point $m$ is below (resp. above) the domain gap, the algorithm recurses on line 19 on the lower (resp. upper) half of the range and the lower (resp. upper) part of the domain, mapping further "middle" range gaps to domain gaps. This process continues until the gaps on either side of $m$ have been mapped to by some range gaps. Finally, on line 07, the algorithm samples a range point uniformly at random from the "window" defined by the range gaps corresponding to $m$'s neighboring domain gaps. The result is assigned to array $F$ as the image of $m$ under the lazy-sampled function.

4.3 Correctness

When GetCoins returns truly random coins, it is not hard to observe that LazySample, LazySampleInv are consistent and sample an order-preserving function and its inverse respectively. But we need a stronger claim; namely, that our algorithms sample a random order-preserving function and its inverse. We show this by arguing that any (even computationally unbounded) adversary has no advantage in distinguishing oracle access to a random order-preserving function and its inverse from that to the algorithms LazySample, LazySampleInv. The following theorem states this claim.

Theorem 4.2 Suppose GetCoins returns truly random coins on each new input. Then for any (even computationally unbounded) algorithm $A$ we have
$$\Pr\big[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big] = \Pr\big[A^{\mathrm{LazySample}(D,R,\cdot),\,\mathrm{LazySampleInv}(D,R,\cdot)} = 1\big],$$
where $g, g^{-1}$ denote an order-preserving function picked at random from $\mathrm{OPF}_{D,R}$ and its inverse, respectively.
Proof: Since we consider unbounded adversaries, we can ignore the inverse oracle in our analysis, since such an adversary can always query all points in the domain to learn all points in the image. Let $M = |D|$, $N = |R|$, $d = \min(D) - 1$, and $r = \min(R) - 1$. We will say that two functions $g, h : D \to R$ are equivalent if $g(m) = h(m)$ for all $m \in D$. (Note that if $D = \emptyset$, any two functions $g, h : D \to R$ are vacuously equivalent.) Let $f$ be any function in $\mathrm{OPF}_{D,R}$. To prove the theorem, it is enough to show that the function defined by $\mathrm{LazySample}(D, R, \cdot)$ is equivalent to $f$ with probability $1/|\mathrm{OPF}_{D,R}|$. We prove this using strong induction on $M$ and $N$.

Consider the base case where $M = 1$, i.e., $D = \{m\}$ for some $m$, and $N \ge M$. When it is first called, $\mathrm{LazySample}(D, R, m)$ will determine an element $c$ uniformly at random from $R$ and enter it into $F[D, R, m]$, whereupon any future calls of $\mathrm{LazySample}(D, R, m)$ will always output $F[D, R, m] = c$. Thus, the output of $\mathrm{LazySample}(D, R, m)$ is always $c$, so $\mathrm{LazySample}(D, R, \cdot)$ is equivalent to $f$ if and only if $c = f(m)$. Since $c$ is chosen randomly from $R$, $c = f(m)$ with probability $1/|R|$. Thus, $\mathrm{LazySample}(D, R, \cdot)$ is equivalent to $f$ with probability $1/|R| = 1/|\mathrm{OPF}_{D,R}|$.

Now suppose $M > 1$, and $N \ge M$. As an induction hypothesis assume that for all domains $D'$ of size $M'$ and ranges $R'$ of size $N' \ge M'$, where either $M' < M$ or ($M' = M$ and $N' < N$), and for any function $f'$ in $\mathrm{OPF}_{D',R'}$, $\mathrm{LazySample}(D', R', \cdot)$ is equivalent to $f'$ with probability $1/|\mathrm{OPF}_{D',R'}|$. The first time it is called, $\mathrm{LazySample}(D, R, \cdot)$ first computes $I[D, R, y] \stackrel{\$}{\leftarrow} \mathrm{HGD}(R, D, y - r)$, where $y = r + \lceil N/2 \rceil$ and $r = \min(R) - 1$. Henceforth, on this and future calls of $\mathrm{LazySample}(D, R, m)$, the algorithm sets $x = d + I[D, R, y]$ and will run $\mathrm{LazySample}(D_1, R_1, m)$ if $m \le x$, or run $\mathrm{LazySample}(D_2, R_2, m)$ if $m > x$, where $D_1 = \{1, \ldots, x\}$, $R_1 = \{1, \ldots, y\}$, $D_2 = \{x + 1, \ldots, M\}$, $R_2 = \{y + 1, \ldots, N\}$. Let $f_1$ be $f$ restricted to the domain $D_1$, and let $f_2$ be $f$ restricted to the domain $D_2$. Let $x_0$ be the unique integer in $D \cup \{d\}$ such that $f(z) \le y$ for all $z \in D$, $z \le x_0$, and $f(z) > y$ for all $z \in D$, $z > x_0$. Note then that $\mathrm{LazySample}(D, R, \cdot)$ is equivalent to $f$ if and only if all three of the following events occur:

$E_1$: $f$ restricted to range $R_1$ stays within domain $D_1$, and $f$ restricted to range $R_2$ stays within domain $D_2$; that is, $x$ is chosen to be $x_0$.

$E_2$: $\mathrm{LazySample}(D_1, R_1, \cdot)$ is equivalent to $f_1$.

$E_3$: $\mathrm{LazySample}(D_2, R_2, \cdot)$ is equivalent to $f_2$.

By the law of conditional probability, and since $E_2$ and $E_3$ are independent,
$$\Pr[E_1 \cap E_2 \cap E_3] = \Pr[E_1] \cdot \Pr[E_2 \cap E_3 \mid E_1] = \Pr[E_1] \cdot \Pr[E_2 \mid E_1] \cdot \Pr[E_3 \mid E_1].$$

For the average case bound, we use a result of Chvátal [?] that the tail of the hypergeometric distribution can be bounded so that
$$\sum_{i=k+1}^{M} P_{\mathrm{HGD}}(i;\, N, M, c) \le e^{-2t^2 M},$$
where $t$ is a fraction such that $0 \le t \le 1 - c/N$, and $k = (c/N + t)M$. Taking $c = N/2$, this implies an upper bound on the probability of the hypergeometric distribution assigning our middle domain gap to an "outlying" domain gap:
$$\sum_{i \notin S} P_{\mathrm{HGD}}(i;\, N, M, N/2) \le 2e^{-2t^2 M} \qquad (2)$$
where $S$ is the subdomain $[(1/2 - t)M, (1/2 + t)M]$. For $M \le 12$, after at most 12 calls to LazySample we will reach a domain of size 1, and terminate. So suppose that $M > 12$. Taking $t = 1/4$ in Equation (2) implies that LazySample assigns the middle ciphertext gap to a plaintext gap in the "middle subdomain" $[M/4, 3M/4]$ with probability at least
$$1 - 2e^{-2(1/4)^2 M} \ge 1 - 2e^{-3/2} > 1/2.$$
When a domain gap in $S$ is chosen it shrinks the current domain to at most a $3/4$ fraction of its size. So, picking in the middle subdomain $\log_{4/3} M = \log M / \log(4/3) \le 2.5 \log M$ times will shrink it to size less than 12. Since the probability to pick in the middle subdomain is greater than $1/2$ on each recursive call of LazySample, we expect at most $5 \log M$ recursive calls to reach domain size $M \le 12$. Therefore, in total at most $5 \log M + 12$ recursive calls are needed on average to map an input domain point.
Note that the algorithms make one call to HGD on each recursion, so an upper-bound on their running-times is then at most $(\log N + 1) \cdot T_{\mathrm{HGD}}$ in the worst-case and at most $(5 \log M + 12) \cdot T_{\mathrm{HGD}}$ on average, where $T_{\mathrm{HGD}}$ denotes the running-time of HGD on inputs of size at most $\log N$. However, this does not take into account the fact that the sizes of these inputs decrease on each recursion. Thus, better bounds may be obtained by analyzing the running-time of a specific realization of HGD.

4.5 Realizing HGD

An efficient implementation of sampling algorithm HGD was designed by Kachitvichyanukul and Schmeiser [22]. Their algorithm is exact; it is not an approximation by a related distribution. It is implemented in Wolfram Mathematica and other libraries, and is fast even for large parameters. However, on small parameters the algorithms of [29] perform better. Since the parameter size to HGD in our LazySample algorithms shrinks across the recursive calls from large to small, it could be advantageous to switch algorithms at some threshold. We refer the reader to [29, 22, 23, 14] for more details.

We comment that the algorithms of [22] are technically only "exact" when the underlying floating-point operations can be performed to infinite precision. In practice, one has to be careful of truncation error. For simplicity, Theorem 4.2 did not take this into account, as in theory the error can be made arbitrarily small by increasing the precision of floating-point operations (independently of $M, N$). But we make this point explicit in Theorem 5.3 that analyzes security of our actual scheme.

5 Our OPE Scheme and its Analysis

Algorithms LazySample, LazySampleInv cannot be directly converted into encryption and decryption procedures because they share and update a joint state, namely arrays $F$ and $I$, which

Proposition 5.1 Let $A$ be an adversary against TapeGen that makes at most $q$ queries to its oracle of total input length $\ell_{\mathrm{in}}$ and total output length $\ell_{\mathrm{out}}$. Then there exists an adversary $B_1$ against $F$ and an adversary $B_2$ against $G$ such that
$$\mathbf{Adv}^{\mathrm{lf\text{-}prf}}_{\mathrm{TapeGen}}(A) \le 2 \cdot \big(\mathbf{Adv}^{\mathrm{prf}}_F(B_1) + \mathbf{Adv}^{\mathrm{vol\text{-}prg}}_G(B_2)\big).$$
Adversaries $B_1, B_2$ make at most $q$ queries of total input length $\ell_{\mathrm{in}}$ or total output length $\ell_{\mathrm{out}}$ to their respective oracles and run in the time of $A$.
Proof: We use a standard hybrid argument, changing the experiment where $A$ has oracle $\mathrm{TapeGen}(K, \cdot, \cdot)$ into one with oracle $\mathcal{OR}(\cdot, \cdot)$ in two steps. Namely, first change the former oracle to, on input $\ell, x$, output not $G(\ell, F(K, x))$ but $G(\ell, s)$ for an independent random $s \in \{0,1\}^k$. The change in $A$'s advantage is bounded by $\mathbf{Adv}^{\mathrm{prf}}_F(B_1)$, where $B_1$ is the PRF adversary against $F$ that runs $A$, responding to a query $\ell, x$ by querying its own oracle with $x$ to receive response $y$, and then returning $G(\ell, y)$ to $A$. Next change $A$'s oracle to, on input $\ell, x$, return $\mathcal{OR}(\ell, x)$. This time the change in $A$'s advantage is bounded by $\mathbf{Adv}^{\mathrm{vol\text{-}prg}}_G(B_2)$, where $B_2$ is the VOL-PRG adversary against $G$ that runs $A$, responding to a query $\ell, x$ with the response it receives to query $\ell$ to its own oracle, and the proposition follows.

Concretely, we suggest the following blockcipher-based consistent VOL-PRG for $G$. Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher. Define the associated VOL-PRG $G[E]$ with seed-length $k$ and maximum output length $n 2^n$, where $G[E]$ on inputs $s \in \{0,1\}^k$ and $1^{\ell}$ outputs the first $\ell$ bits of the sequence
$$E(s, \langle 1 \rangle) \,\|\, E(s, \langle 2 \rangle) \,\|\, \ldots$$
(Here $\langle i \rangle$ denotes the $n$-bit binary encoding of $i \in \mathbb{N}$.) The following says that $G[E]$ is a consistent VOL-PRG if $E$ is a PRF.

Proposition 5.2 Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher, and let $A$ be an adversary against $G[E]$ making at most $q$ oracle queries whose responses total at most $pn$ bits. Then there is an adversary $B$ against $E$ such that
$$\mathbf{Adv}^{\mathrm{vol\text{-}prg}}_{G[E]}(A) \le 2q \cdot \mathbf{Adv}^{\mathrm{prf}}_E(B).$$
Adversary $B$ makes at most $p$ queries to its oracle and runs in the time of $A$. Furthermore, $G[E]$ is consistent.
It is easy to prove the above for a VOL-PRG adversary making 1 query, and then the proposition follows by a standard hybrid argument. Now, to instantiate the VIL-PRF $F$ in the TapeGen construction, we suggest OMAC (aka. CMAC) [21], which is also blockcipher-based and introduces no additional assumption. Then the secret-key for TapeGen consists only of that for OMAC, which in turn consists of just one key for the underlying blockcipher (e.g. AES).

5.2 Our OPE Scheme and its Analysis

The scheme. Let TapeGen be as above, with key-space Keys. Our associated order-preserving encryption scheme $\mathrm{OPE}[\mathrm{TapeGen}] = (\mathcal{K}, \mathrm{Enc}, \mathrm{Dec})$ is defined as follows. The plaintext and ciphertext-spaces are sets of consecutive integers $D, R$, respectively. Algorithm $\mathcal{K}$ returns a random $K \in \mathrm{Keys}$. Algorithms Enc, Dec are the same as LazySample, LazySampleInv, respectively, except that HGD

Proof:
$$\begin{aligned}
\mathbf{Adv}^{\mathrm{popf\text{-}cca}}_{\mathrm{OPE}[\mathrm{TapeGen}]}(A) &= \Pr\big[A^{\mathrm{Enc}(K,\cdot),\,\mathrm{Dec}(K,\cdot)} = 1\big] - \Pr\big[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big] \\
&= \Pr\big[A^{\mathrm{Enc}(K,\cdot),\,\mathrm{Dec}(K,\cdot)} = 1\big] - \Pr\big[A^{\mathrm{LazySample}(D,R,\cdot),\,\mathrm{LazySampleInv}(D,R,\cdot)} = 1\big] \\
&\le \mathbf{Adv}^{\mathrm{lf\text{-}prf}}_{\mathrm{TapeGen}}(B) + \epsilon.
\end{aligned}$$
The first equation is by definition. The second equation is due to Theorem 4.2. The last inequality is justified as follows. Adversary $B$ is given an oracle for either TapeGen or a random function with corresponding input and output lengths. It runs $A$ and replies to its oracle queries by simulating the Enc and Dec algorithms. Note that only the procedure TapeGen used by these algorithms uses the secret key; $B$ simulates it using its own oracle. By construction our Enc and Dec algorithms differ from LazySample and LazySampleInv respectively only in the use of the random tape, which is truly random in one case and pseudorandom in the other. Thus any difference in the probabilities in the second line will result in a difference in $B$'s output distribution, which is $\mathbf{Adv}^{\mathrm{lf\text{-}prf}}_{\mathrm{TapeGen}}(B)$. Above, $\epsilon$ represents an "error term" due to the fact that the "exact" hypergeometric sampling algorithm of [22] technically requires infinite floating-point precision, which is not possible in the real world. One way to bound $\epsilon$ would be to bound the probability that an adversary can distinguish the HGD sampling algorithm used from the ideal (infinite precision) one. $B$'s running time and resources are justified by observing the algorithms and their efficiency analysis.
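The algorithms of Section 4.2 and the scheme OPE[TapeGen] of Sections 5.1 and 5.2 can be exercised together: the same LazySample/LazySampleInv code runs either on memoised truly random coins (the stateful setting of Theorem 4.2) or on coins from a length-flexible PRF, in which case no state is shared between encryption and decryption. The following is an added example and not the paper's code. Its assumptions: HGD is realised as an exact integer inverse-CDF walk over the hypergeometric pmf (O(M) work per call, so suitable for small parameters; the paper's choice is the floating-point sampler of [22]); the VIL-PRF $F$ is HMAC-SHA256 standing in for OMAC, and the block cipher $E$ inside $G[E]$ is HMAC-SHA256 applied to a 16-byte counter standing in for AES, which is legitimate for the construction since Propositions 5.1 and 5.2 only require both to be PRFs. The one place precision enters is reducing a 64-bit-longer coin string modulo $\binom{N}{M}$, which is within $2^{-64}$ of uniform and plays the role of the error term $\epsilon$ in Theorem 5.3.

```python
"""HG-based LazySample/LazySampleInv (Section 4.2) and the stateless scheme
OPE[TapeGen] obtained by replacing GetCoins with a PRF (Sections 5.1-5.2).
Added example, not the paper's code.  Assumptions: HGD is an exact integer
inverse-CDF walk (O(M) per call) instead of the floating-point sampler of
[22]; F is HMAC-SHA256 standing in for OMAC, and E in G[E] is HMAC-SHA256
over a 16-byte counter standing in for AES (both only need to be PRFs)."""
import hmac
import secrets
from hashlib import sha256
from math import comb

SLACK = 64  # extra coin bits: (coins mod n) is then within 2^-64 of uniform


def hgd(N, M, y, coins, label):
    """Black balls among the first y of N balls, M of which are black:
    x with probability C(y,x)C(N-y,M-x)/C(N,M).  Exact integer walk; the
    only bias is the 2^-SLACK from reducing the coins mod C(N,M)."""
    total = comb(N, M)
    u = coins(total.bit_length() + SLACK, label) % total
    acc = 0
    for x in range(max(0, M - (N - y)), min(M, y) + 1):
        acc += comb(y, x) * comb(N - y, M - x)
        if u < acc:
            return x
    raise AssertionError("unreachable: the terms sum to C(N,M)")


def lazy_sample(D, R, m, coins):
    """Image of m under the lazily sampled order-preserving f: D -> R.
    D and R are inclusive integer intervals (lo, hi) with |D| <= |R|."""
    d, r = D[0] - 1, R[0] - 1
    M, N = D[1] - d, R[1] - r
    if M == 1:  # window of one domain point: its image is uniform in R
        return r + 1 + coins(N.bit_length() + SLACK, (1, m, D, R)) % N
    y = r + (N + 1) // 2  # middle range gap lies between y and y+1
    x = d + hgd(N, M, y - r, coins, (0, y, D, R))  # domain points <= y
    if m <= x:
        return lazy_sample((d + 1, x), (r + 1, y), m, coins)
    return lazy_sample((x + 1, d + M), (y + 1, r + N), m, coins)


def lazy_sample_inv(D, R, c, coins):
    """Preimage of c under the same f, or None if c is not in its image."""
    d, r = D[0] - 1, R[0] - 1
    M, N = D[1] - d, R[1] - r
    if M <= 0:
        return None
    if M == 1:  # same label => same coins, so this agrees with lazy_sample
        return d + 1 if lazy_sample(D, R, d + 1, coins) == c else None
    y = r + (N + 1) // 2
    x = d + hgd(N, M, y - r, coins, (0, y, D, R))
    if c <= y:
        return lazy_sample_inv((d + 1, x), (r + 1, y), c, coins)
    return lazy_sample_inv((x + 1, d + M), (y + 1, r + N), c, coins)


def memoised_random_coins():
    """GetCoins as truly random coins (Theorem 4.2); remembering the coins
    per label is the joint state that the arrays F and I carry."""
    memo, rng = {}, secrets.SystemRandom()

    def coins(nbits, label):
        if label not in memo:
            memo[label] = rng.getrandbits(nbits)
        return memo[label]
    return coins


def vol_prg(seed, nbits):
    """G[E]: first nbits of E(seed,<1>) || E(seed,<2>) || ... (Section 5.1)."""
    out, i = b"", 1
    while len(out) * 8 < nbits:
        out += hmac.new(seed, i.to_bytes(16, "big"), sha256).digest()  # E stand-in
        i += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def tapegen(key):
    """LF-PRF TapeGen(K, 1^l, x) = G(l, F(K, x)); the GetCoins label is
    encoded unambiguously as x, so Enc and Dec share no state."""
    def coins(nbits, label):
        b, z, D, R = label
        x = f"{b}|{z}|{D[0]}|{D[1]}|{R[0]}|{R[1]}".encode()
        return vol_prg(hmac.new(key, x, sha256).digest(), nbits)  # F stand-in
    return coins


class OPE:
    """OPE[TapeGen] with plaintext-space [M] and ciphertext-space [N]."""

    def __init__(self, key, M, N):
        assert 1 <= M <= N
        self.D, self.R, self.coins = (1, M), (1, N), tapegen(key)

    def encrypt(self, m):
        return lazy_sample(self.D, self.R, m, self.coins)

    def decrypt(self, c):
        return lazy_sample_inv(self.D, self.R, c, self.coins)


def is_strictly_increasing(seq):
    return all(a < b for a, b in zip(seq, seq[1:]))


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
    ope = OPE(key, 64, 1024)
    cts = [ope.encrypt(m) for m in range(1, 65)]
    print(cts[:8], "... increasing:", is_strictly_increasing(cts))
    print("decrypts:", [ope.decrypt(c) for c in cts[:8]])
```

Two design points are worth noting. First, decryption of a ciphertext outside the image returns None rather than the nearest plaintext: an OPE decryptor that "rounded" would turn every ciphertext into an order-only oracle for the interval structure. Second, the label fed to the PRF must be injective in $(b, z, D, R)$; concatenating the numbers without separators would let two different recursion states share coins, which silently breaks the equivalence with LazySample that the proof of Theorem 5.3 relies on.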
Efficiency. The efficiency of our scheme follows from our previous analyses. Using the suggested implementation of TapeGen in Subsection 5.1, encryption and decryption require the time for at most $\log N + 1$ invocations of HGD on inputs of size at most $\log N$ plus at most $(5 \log M + 12)(5 \log N + \lambda_0 + 1)/128$ invocations of AES on average, for $\lambda_0$ in the theorem.

5.3 On Choosing N

One way to choose the size of the ciphertext-space $N$ for our scheme is just to ensure the number of functions from $[M]$ to $[N]$ is very large, say more than $2^{80}$. (We assume that the size of the plaintext-space $M$ is given.) The number of such functions, which is given by $\binom{N}{M}$, is, for a fixed $N$, maximized when $M = N/2$. And, since $(N/M)^M \le \binom{N}{M}$, it is greater than $2^{80}$ as long as $M = N/2 \ge 80$. However, once we have a greater understanding of what information about the data is leaked by a random order-preserving function (the "ideal object" in our POPF-CCA definition), more sophisticated criteria might be used to select $N$. In fact, it would also be possible to view our scheme more as a "tool" like a blockcipher rather than a full-fledged encryption scheme itself, and to try to use it to design an OPE scheme with better security in some cases. We leave these as interesting and important directions for future work.

6 On Using the Negative Hypergeometric Distribution

In the balls-and-bins model described in Section 4.1 with $M$ black and $N - M$ white balls in the bin, consider the random variable $Y$ describing the total number of balls in our sample after we pick the $x$-th black ball. This random variable follows the negative hypergeometric (NHG) distribution. Formally,
$$P_{\mathrm{NHGD}}(y;\, N, M, x) = \frac{\binom{y-1}{x-1}\binom{N-y}{M-x}}{\binom{N}{M}}.$$

use the subroutine GetCoins from before, which takes inputs $1^{\ell}$, $D$, $R$, and $b \,\|\, z$, where $b \in \{0,1\}$ and $z \in R$ if $b = 0$ and $z \in D$ otherwise, to return $cc \in \{0,1\}^{\ell}$. Also, recall that the array $I$, initially empty, is global and shared between the algorithms. The algorithm descriptions are given in Figure 4.

LazySample*(D, R, m)
    M <- |D|; N <- |R|
    d <- min(D) - 1; r <- min(R) - 1
    x <- d + ceil(M/2)
    If I[D, R, x] is undefined then
        cc <-$ GetCoins(1^{l_1}, D, R, 0 || x)
        I[D, R, x] <-$ NHGD(D, R, x; cc)
    y <- I[D, R, x]
    If m = x then Return y
    If m < x then
        D <- {d+1, ..., x-1}; R <- {r+1, ..., y-1}
    Else
        D <- {x+1, ..., d+M}; R <- {y+1, ..., r+N}
    Return LazySample*(D, R, m)

LazySampleInv*(D, R, c)
    If |D| = 0 then Return bottom
    M <- |D|; N <- |R|
    d <- min(D) - 1; r <- min(R) - 1
    x <- d + ceil(M/2)
    If I[D, R, x] is undefined then
        cc <-$ GetCoins(1^{l_1}, D, R, 0 || x)
        I[D, R, x] <-$ NHGD(D, R, x; cc)
    y <- I[D, R, x]
    If c = y then Return x
    If c < y then
        D <- {d+1, ..., x-1}; R <- {r+1, ..., y-1}
    Else
        D <- {x+1, ..., d+M}; R <- {y+1, ..., r+N}
    Return LazySampleInv*(D, R, c)

Figure 4: The revised LazySample*, LazySampleInv* algorithms for the NHGD scheme.

With these revised versions of LazySample*, LazySampleInv*, we supply a revised version of Theorem 4.2 for the NHGD case.

Theorem 6.1 Suppose GetCoins returns truly random coins on each new input. Then for any (even computationally unbounded) algorithm $A$ we have
$$\Pr\big[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big] = \Pr\big[A^{\mathrm{LazySample}^*(D,R,\cdot),\,\mathrm{LazySampleInv}^*(D,R,\cdot)} = 1\big],$$
where $g, g^{-1}$ denote an order-preserving function picked at random from $\mathrm{OPF}_{D,R}$ and its inverse, respectively.

Proof: Since we consider unbounded adversaries, we can ignore the inverse oracle in our analysis, since such an adversary can always query all points in the domain to learn all points in the image. Let $M = |D|$, $N = |R|$, $d = \min(D) - 1$, and $r = \min(R) - 1$. We will say that two functions $g, h : D \to R$ are equivalent if $g(m) = h(m)$ for all $m \in D$. (Note that if $D = \emptyset$, any two functions $g, h : D \to R$ are vacuously equivalent.) Let $f$ be any function in $\mathrm{OPF}_{D,R}$. To prove the theorem, it is enough to show that the function defined by $\mathrm{LazySample}^*(D, R, \cdot)$ is equivalent to $f$ with probability $1/|\mathrm{OPF}_{D,R}|$. We prove this using strong induction on $M$ and $N$.

Consider the base case where $M = 1$, i.e., $D = \{m\}$ for some $m$, and $N \ge M$. When it is first called, $\mathrm{LazySample}^*(D, R, m)$ will determine random coins $cc$, then enter the result of $\mathrm{NHGD}(D, R, m; cc)$ into $I[D, R, m]$, whereupon this and any future calls of $\mathrm{LazySample}^*(D, R, m)$ will

Therefore, $\mathrm{LazySample}^*(D, R, \cdot)$ is equivalent to $f$ with probability $1/\binom{N}{M} = 1/|\mathrm{OPF}_{D,R}|$. Since $f$ was an arbitrary element of $\mathrm{OPF}_{D,R}$, the result follows.
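The Figure 4 algorithms can be run as written in the setting of Theorem 6.1, with truly random coins and the shared array $I$ kept as a table. The following is an added example and not the paper's code. It assumes an NHGD sampler realised as an exact integer inverse-CDF walk over the pmf displayed in Section 6 (the paper notes that an efficient exact NHGD sampler is open, so this O(N) walk is only for small parameters), draws coins from secrets.SystemRandom, and exposes the recursion depth of LazySample* separately, since that depth is a deterministic function of $m$ and $M$ that Section 6.3 analyses; the block also evaluates the Section 6.3 expression for the expected number of recursions so the two can be compared.

```python
"""NHGD-based LazySample*/LazySampleInv* of Figure 4 with truly random coins
(the setting of Theorem 6.1), plus the recursion count that Section 6.3
analyses.  Added example, not the paper's code.  Assumption: NHGD is an
exact integer inverse-CDF walk over the pmf of Section 6 (the paper leaves
efficient NHGD sampling open); secrets.SystemRandom supplies the coins."""
import secrets
from fractions import Fraction
from math import comb

_rng = secrets.SystemRandom()


def nhgd_sample(N, M, x):
    """Number of balls drawn when the x-th black ball appears (M black of N):
    y with probability C(y-1,x-1)C(N-y,M-x)/C(N,M), for y in [x, N-M+x]."""
    total = comb(N, M)
    u = _rng.randrange(total)  # exactly uniform: no precision error term
    acc = 0
    for y in range(x, N - M + x + 1):
        acc += comb(y - 1, x - 1) * comb(N - y, M - x)
        if u < acc:
            return y
    raise AssertionError("unreachable: the terms sum to C(N,M)")


def midpoint(D):
    """x = d + ceil(M/2): the last plaintext of the first half of D=(lo,hi)."""
    return D[0] - 1 + (D[1] - D[0] + 2) // 2


class NHGDSampler:
    """Shared array I kept as a dict keyed by (D, R, x); D, R inclusive."""

    def __init__(self, D, R):
        assert D[1] - D[0] <= R[1] - R[0]
        self.D, self.R, self.I = D, R, {}

    def _image_of_midpoint(self, D, R):
        d, r = D[0] - 1, R[0] - 1
        x = midpoint(D)
        if (D, R, x) not in self.I:  # fresh NHGD draw only on first visit
            self.I[D, R, x] = r + nhgd_sample(R[1] - r, D[1] - d, x - d)
        return x, self.I[D, R, x]

    def sample(self, m, D=None, R=None):
        """LazySample*(D, R, m): binary search over the domain, fixing the
        image of each sub-domain's midpoint on the way down."""
        D, R = (self.D, self.R) if D is None else (D, R)
        x, y = self._image_of_midpoint(D, R)
        if m == x:
            return y
        if m < x:
            return self.sample(m, (D[0], x - 1), (R[0], y - 1))
        return self.sample(m, (x + 1, D[1]), (y + 1, R[1]))

    def sample_inv(self, c, D=None, R=None):
        """LazySampleInv*(D, R, c); None stands for the paper's bottom."""
        D, R = (self.D, self.R) if D is None else (D, R)
        if D[1] < D[0]:
            return None
        x, y = self._image_of_midpoint(D, R)
        if c == y:
            return x
        if c < y:
            return self.sample_inv(c, (D[0], x - 1), (R[0], y - 1))
        return self.sample_inv(c, (x + 1, D[1]), (y + 1, R[1]))


def recursion_depth(D, m):
    """Calls LazySample* makes for m; independent of the coins drawn."""
    x = midpoint(D)
    if m == x:
        return 1
    if m < x:
        return 1 + recursion_depth((D[0], x - 1), m)
    return 1 + recursion_depth((x + 1, D[1]), m)


def expected_recursions_formula(M):
    """Section 6.3: (1/M)[(log M + 1) + sum_{k=1}^{log M} 2^(k-1) k], M = 2^t."""
    t = M.bit_length() - 1
    assert 1 << t == M, "stated for M a power of two"
    return Fraction((t + 1) + sum((1 << (k - 1)) * k for k in range(1, t + 1)), M)


def average_recursions(M):
    """Average of recursion_depth over all plaintexts of [M]."""
    return Fraction(sum(recursion_depth((1, M), m) for m in range(1, M + 1)), M)


if __name__ == "__main__":
    s = NHGDSampler((1, 20), (1, 50))
    cts = [s.sample(m) for m in range(1, 21)]
    print(cts, [s.sample_inv(c) for c in cts])
    print("avg recursions M=64:", average_recursions(64), expected_recursions_formula(64))
```

The recursion depth of LazySample* is the position of $m$ in the implicit binary-search tree over $[M]$, so for $M = 8$ the average is $21/8$, matching the Section 6.3 expression and lying between $\log M - 1$ and $\log M$ as the paper states. Unlike the HG-based algorithm, whose depth is bounded by $\log N + 1$ because the recursion halves the range, the depth here never depends on $N$ or on the coins.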
Now, it is straightforward to prove the formal statement of correctness as before.

Theorem 6.2 Let $\mathrm{OPE}[\mathrm{TapeGen}]$ be the OPE scheme defined above with plaintext-space of size $M$ and ciphertext-space of size $N$. Then for any adversary $A$ against $\mathrm{OPE}[\mathrm{TapeGen}]$ making at most $q$ queries to its oracles combined, there is an adversary $B$ against TapeGen such that
$$\mathbf{Adv}^{\mathrm{popf\text{-}cca}}_{\mathrm{OPE}[\mathrm{TapeGen}]}(A) \le \mathbf{Adv}^{\mathrm{lf\text{-}prf}}_{\mathrm{TapeGen}}(B) + \epsilon.$$
Adversary $B$ makes at most $q_1 = q(\log N + 1)$ queries of size at most $5 \log N + 1$ to its oracle, whose responses total $q_1 \lambda_0$ bits on average, and its running-time is that of $A$. Above, $\epsilon, \lambda_0$ are constants depending only on NHGD and the precision of the underlying floating-point computations (not on $M, N$).

Proof: The proof of this theorem is identical to that of Theorem 5.3, except that it uses Theorem 6.1 as a lemma rather than Theorem 4.2.

6.3 Efficiency of the NHGD Scheme

Efficiency-wise, it is not hard to see that to encrypt a single plaintext, each algorithm performs $\log M + 1$ recursions in the worst-case (as opposed to $\log N + 1$ for the HG-based algorithms), as the algorithm finds the desired plaintext via a binary search over the plaintext space, at each recursion calling NHGD to determine the encryption of the midpoint (defined as the last plaintext in the first half of the current plaintext domain). The expected number of recursions is easily deduced as
$$\frac{1}{M}\left[(\log M + 1) + \sum_{k=1}^{\log M} 2^{k-1} k\right].$$
A simple inductive proof shows that this value is between $\log M - 1$ and $\log M$. This falls in line with what we expect from a binary-search strategy, where the expected number of iterations is typically only about 1 fewer than the worst-case number of iterations. The algorithms of the corresponding OPE scheme can be obtained following the same idea of eliminating state by using a length-flexible PRF as described in Section 5.2. The security statement is the same as that of Theorem 5.3, where the last term now corresponds to the error probability of the NHGD algorithm.

Acknowledgements

We thank Anna Lysyanskaya, Silvio Micali, Leonid Reyzin, Ron Rivest, Phil Rogaway and the anonymous reviewers of Eurocrypt 2009 for helpful comments and references. Alexandra Boldyreva and Adam O'Neill are supported in part by Alexandra's NSF CAREER award 0545659 and NSF Cyber Trust award 0831184. Younho Lee was supported in part by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF: 2007-357-D00243). Also, he is supported by Professor Mustaque Ahamad through the funding provided by IBM ISS and AT&T.

References

[18] O. Goldreich, S. Goldwasser, and A. Nussboim. On the implementation of huge random objects. FOCS '03, IEEE, 2003.
[19] L. Granboulan and T. Pornin. Perfect block ciphers with small blocks. In FSE '07, pp. 452-465. Springer, 2007.
[20] P. Indyk, R. Motwani, P. Raghavan, and S. Vempala. Locality-preserving hashing in multidimensional spaces. In STOC '97, pp. 618-625. ACM, 1997.
[21] T. Iwata and K. Kurosawa. OMAC: One-Key CBC MAC. In FSE '03, pp. 137-161. Springer, 2003.
[22] V. Kachitvichyanukul and B. W. Schmeiser. Computer generation of hypergeometric random variates. Journal of Statistical Computation and Simulation, 22(2):127-145, 1985.
[23] V. Kachitvichyanukul and B. W. Schmeiser. Algorithm 668: H2PEC: sampling from the hypergeometric distribution. ACM Transactions on Mathematical Software, 14(4):397-398, 1988.
[24] J. Li and E. Omiecinski. Efficiency and security trade-off in supporting range queries on encrypted databases. In DBSec '05, pp. 69-83. Springer, 2005.
[25] N. Linial and O. Sasson. Non-expansive hashing. In STOC '96, pp. 509-518. ACM, 1996.
[26] F. Lopez-Blazquez and B. Salamanca Miño. Exact and approximated relations between negative hypergeometric and negative binomial probabilities. Communications in Statistics. Theory and Methods, 30(5):957-967, 2001.
[27] P. Rogaway and T. Shrimpton. A provable-security treatment of the key-wrap problem. In EUROCRYPT '06, pp. 373-390. Springer, 2006.
[28] E. Shi, J. Bethencourt, T-H. H. Chan, D. Song, and A. Perrig. Multi-dimensional range query over encrypted data. In Symposium on Security and Privacy '07, pp. 350-364. IEEE, 2007.
[29] A. J. Walker. An efficient method for generating discrete random variables with general distributions. ACM Transactions on Mathematical Software, 3:253-256, 1977.
[30] D. Westhoff, J. Girao, and M. Acharya. Concealed data aggregation for reverse multicast traffic in sensor networks: Encryption, key distribution, and routing adaptation. IEEE Transactions on Mobile Computing, 5(10):1417-1431, 2006.
[31] J. Xu, J. Fan, M. H. Ammar, and S. B. Moon. Prefix-preserving IP address anonymization: Measurement-based security evaluation and a new cryptography-based scheme. In ICNP '02, pp. 280-289. IEEE, 2002.