Keywords

1 Introduction

The growing reliance on numerous cloud-based services for storing and processing sensitive data demonstrated limitations of traditional encryption techniques. Specifically, traditional encryption is an all-or-nothing notion: informally, an unauthorized user (i.e., who has not access to the decryption key) should not learn any information whatsoever about a plaintext given its encryption. But in many use cases, there is often a need to get a much more fine-grained control of the decryption policy.

(Multi-Input) Functional Encryption. The paradigm of functional encryption [9, 30] is an extension of traditional encryption that enables an authorized user to compute a certain function of the plaintext. Each decryption key \(\mathsf {sk}_f\) corresponds to a specific function f. Informally, this private key \(\mathsf {sk}_f\), given the encryption of a plaintext \(x\), allows her holder to learn f(x), and nothing more. An important subclass of functional encryption is predicate encryption [10, 24]. A plaintext \(x\) is viewed as pair \((I,\dot{x})\) where I is some attribute (associated to the message) and \(\dot{x}\) is the message itself; functionality f is then defined as

$$\begin{aligned} f(I,\dot{x}) = {\left\{ \begin{array}{ll} \dot{x} &{} \text {if }P(I) = 1\text {, and}\\ \bot &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

for a given predicate P.

The function can be defined over multiple plaintexts given their corresponding ciphertexts. This gives rise to multi-input functional encryption introduced in [8, 19]. Of particular interest is the case of two-input functional encryption. Suppose that given two encrypted plaintexts, a cloud-based service wishes to compute their respective ordering. For a public comparison function, such a functionality is offered by order-revealing encryption (ORE) [6, 8]. We note that order-revealing encryption necessarily requires secret-key encryption as otherwise a binary search from the encryption of chosen plaintexts would yield bit-by-bit the decryption of a given target ciphertext using the ORE comparison procedure. ORE can thus be seen as a secret-key two-input functional encryption for (public) comparison. It is a very useful primitive as it allows one to answer queries over encrypted data, including range queries, sorting queries, searching queries, and more [1, 5].

From OPE to ORE. Order-revealing encryption evolved from order-preserving encryption (OPE) [5, 6], an encryption primitive that preserves the relative ordering of the plaintexts. Clearly, an OPE scheme cannot achieve the standard security notion of indistinguishability under chosen-plaintext attacks (\(\mathrm {IND}\)-\(\mathrm {CPA}\)). The best we can hope from an OPE scheme is that the encryption of a sequence of plaintexts reveals nothing beyond their relative ordering, the resulting security notion is termed \(\mathrm {IND}\)-\(\mathrm {OCPA}\). Unfortunately, Boldyreva et al. showed in [5] that it is impossible to efficiently meet this natural security notion of \(\mathrm {IND}\)-\(\mathrm {OCPA}\), even when the size of the ciphertext space is exponentially larger than that of the message space.

The situation for ORE schemes is different. In [8], Boneh et al. present an ORE scheme actually meeting the analogue of \(\mathrm {IND}\)-\(\mathrm {OCPA}\) security. But their construction is mostly of existential nature and as such should be considered as a possibility result. The candidate ORE scheme presented in [8] is hardly implementable since it relies on heavy cryptographic tools, namely \((\ell /2+1)\)-way multilinear maps for comparing \(\ell \)-bit values. Furthermore, and maybe more importantly, the underlying security assumption is questionable owing to the recent attacks mounted against multilinear maps [15, 16].

ORE in Practice. A practical construction for order-revealing encryption is proposed in [14]. It merely requires a pseudorandom function \(F\) with output space \(\{0,1,2\}\). The encryption under secret key K of an \(\ell \)-bit plaintext \(x= m_1 m_2\cdots m_\ell \) with \(m_i \in \{0,1\}\), \(\mathsf {ct}= (c_1, c_2, \cdots , c_\ell )\), is obtained iteratively as

$$\begin{aligned} c_i = \left[ F\bigl (K, (i, m_1m_2\cdots m_{i-1} \Vert 0^{\ell -i})\bigr ) + m_i\right] \bmod 3,\quad \text {for }1 \le i \le \ell . \end{aligned}$$

The comparison of two ciphertexts \(\mathsf {ct}= (c_1, c_2, \cdots , c_\ell )\) and \(\mathsf {ct}' = (c'_1, c'_2, \cdots , c'_\ell )\), corresponding to plaintexts \(x\) and \(x'\), is conducted by finding the first index i, \(1 \le i \le \ell \), such that \(c'_i \ne c_i\). Then,

$$\begin{aligned} {\left\{ \begin{array}{ll} x< x' &{} \text {if there exists such an index }i\text { and if } c'_i \equiv c_i + 1 \pmod {3}\\ x\ge x' &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$

While this construction is very efficient, it has the drawback of leaking an important amount of information, as one obtains immediately, given two ciphertexts, the size of the largest common prefix of the two corresponding plaintexts. In particular, this provides an upper bound on the distance separating the two plaintexts.

Our Contributions. In this work, we investigate a new approach towards building efficient secret-key multi-input functional encryption. We propose the notion of function-revealing encryption, which can be viewed both as a generalization of the notion of property-preserving encryption [13, 29] and as a specialization of the notion of multi-input functional encryption. Basically, a function-revealing encryption scheme is a secret-key encryption scheme associated to a k-ary function f. The encryption algorithm takes as input a secret key, a message, and some index \(i \in [k]\) and outputs a ciphertext. Moreover, there exists a public procedure such that, given k ciphertexts \(\mathsf {ct}_1,\cdots ,\mathsf {ct}_k\), each corresponding to an encryption of a message \(x_i\) at index i, for \(i \in [k]\), one can compute \(f(x_1,\cdots ,x_k)\). In particular, considering the comparison function defined as:

$$\begin{aligned} f_<:(x,y) \mapsto {\left\{ \begin{array}{ll} 1 &{}\text {if }x < y\\ 0 &{}\text {otherwise}\end{array}\right. }, \end{aligned}$$

our notion matches precisely the notion of order-revealing encryption.

We note that our general framework slightly generalizes the definition of order-revealing encryption, since the original definition is “symmetric” and ours is “asymmetric” (in the sense that our definition only allows to compare a ciphertext with index 1 with a ciphertext with index 2). This is without loss of generality since a symmetric scheme results immediately from an asymmetric scheme.

We consider two (indistinguishability-based and simulation-based) security notions that take into account a possible leakage. The leakage comprises at least the information resulting from the evaluation function, which is unavoidable. However, contrary to a perfect solution that would only permit this unavoidable leakage (as the one offered in [8]), we allow for additional leakage, provided it is very limited. Doing so, we are able to devise constructions that can be used in practical applications.

We then focus on the particular case of 2-ary functions (so the index is 1 or 2) and specifically on building efficient order-revealing encryption. Our main construction is an efficient order-revealing encryption scheme with limited leakage, under standard assumptions.

Our Techniques. We first show that one can build an order-revealing encryption scheme given only a function-revealing encryption scheme for the function computing the cardinality of the intersection of two sets \(f_\#{:\;\;}(\mathcal {S},\mathcal {T}) \mapsto \#(\mathcal {S}\cap \mathcal {T})\). This result follows from a fairly simple technique to compare two bitstrings. Consider two bitstrings of same length \(x = x_1 {\,\Vert \,}\dots {\,\Vert \,}x_n\) and \(y = y_1 {\,\Vert \,}\dots {\,\Vert \,}y_n\), then we have \(x < y\) if and only if there exists \(i \in [n]\) such that \(x_j = y_j\) for every \(j < i\) and \(x_i = 0\) and \(y_i = 1\). Thus, we have \(x < y\) if and only if there exists a prefix \(z {\,\Vert \,}0\) of x with \(z \in \{0,1\}^*\) such that \(z {\,\Vert \,}1\) is a prefix of y, and one can then compare x and y by checking if the sets \(\{z {\,\Vert \,}1 \mid z{\,\Vert \,}0 \text { is a prefix of } x\}\) and \(\{z {\,\Vert \,}1 \mid z{\,\Vert \,}1 \text { is a prefix of } y\}\) are disjoint.

The next step is then to construct a function-revealing encryption scheme for intersection cardinality. We show that one can build such a scheme with only limited leakage based on the existence of function-revealing encryption for the function checking the orthogonality of two vectors \(f_\perp {:\;\;}(\vec {a},\vec {b}) \mapsto \langle \vec {a} , \vec {b} \rangle =0\) (this function outputs the value of the predicate \(\langle \vec {a} , \vec {b} \rangle =0\)). This transformation relies on the following technique to compute the cardinality of the intersection. Consider two sets \(A = \{a_1,\dots ,a_n\}\) and \(B = \{b_1,\cdots ,b_m\}\). A simple way to compute \(\#(A \cap B)\) is to evaluate the polynomial \(\prod _{i = 1}^n (X - a_i)\) whose roots are the elements of A on every \(b_j\) for \(j \in [m]\), and to return the number of times this evaluates to 0. This can be done by computing inner products, since \(\prod _{i = 1}^n (X - a_i)\) is a degree n polynomial that can be written as \(\sum _{i = 0}^n \alpha _i X^i\) and thus, we have

$$\begin{aligned} \prod _{i = 1}^n (b - a_i) = \langle (\alpha _0,\dots ,\alpha _n) , (1,b,b^2,\dots ,b^n) \rangle , \end{aligned}$$

so checking if this evaluates to 0 corresponds precisely to checking if the above vectors are orthogonal.

Finally, we show that one can build a function-revealing encryption scheme for \(f_\perp \) under the standard \(\mathrm {DLin}\) assumption. In particular, we show that any fully-secure predicate encryption scheme for a class of predicate \(\mathcal {P} = \{P_a :b \mapsto P(a,b)\}\) can be turned into a function-revealing encryption scheme for the function P.

Yet, there is a small catch in our transform from orthogonality to intersection cardinality. Indeed, the above function-revealing encryption scheme for \(f_\#\) not only reveals the cardinality of the intersection, but also the elements of B that are in A, as each element \(b_i\) of B is encrypted separately (by encrypting the corresponding vector \((1,b_i,b_i^2,\cdots ,b_i^n)\)). In particular, even if \(b_i\) is hidden, intersecting A with B and \(A'\) with B might also reveal some information about the intersection of A and \(A'\) (for instance, if \(b_i \in A\) and \(b_i \in A'\), then we also learn that \(A \cap A' \ne \varnothing \) which should not have been revealed). Thus, our construction reveals a bit more than what we would like ideally. We briefly discuss how one can reduce this leakage by reducing the efficiency of our construction (though the only way to obtain ideal leakage with our technique is by having exponential-size ciphertexts). Also, we note that our leakage is ideal if there is only one set A that is encrypted at index 1, whatever the number of sets \(B,C,\dots \) encrypted at index 2 (or more generally for bounded ciphertexts at index 1 and unbounded ciphertexts at index 2). Finally, since our transformation from intersection cardinality to relative order is generic, any improvement on the security of the underlying scheme for intersection cardinality (both in terms of efficiency and of leakage) would immediately results in an improved construction of order-revealing encryption.

Of independent interest, we also provide a very simple order-revealing encryption scheme achieving the best possible security for short messages, assuming only the existence of one-way functions.

Related Works. Order-revealing encryption has been an subject to several improvements in the last years. In a recent work by Lewi and Wu [27], the authors proposed a similar construction for short messages and extended it to larger domains by adding leakage and using random oracles. Intuitively, for plaintexts of length \(n \cdot k\), they encrypt small blocks of k bits with the perfect scheme (whose complexity is exponential in k), and then compose with the scheme from [14] for each of the n blocks. Thus, the ciphertexts reveal the position of the first differing blocks of k bits.

Another recent work by Durak, DuBuisson, and Cash [18] analyzed what is revealed by perfect order-revealing encryption. They show that the ideal functionality already reveals important information for certain applications of ORE (e.g., when plaintexts come from particular distributions). This work emphasizes that an important leakage could be devastating, so reducing the leakage as much as possible (while preserving good efficiency due to the practical importance of ORE) is of prime interest. Our work proposes a first step towards obtaining smaller leakage (in particular achieving ideal leakage in restricted cases). A recent work by Cash, Liu, O’Neill, and Zhang [12] also makes a step in this direction. In this work, the authors construct an order-revealing encryption scheme with limited leakage under SXDH. Their construction is more efficient than ours (basing our construction on current state-of-the-art fully-secure IPE [25]) but their leakage is slightly worse than ours, our construction beneficing from its asymmetry. They obtain a construction, based on pairings, that only leaks the equality pattern of the most significant differing bit (that is, for any 3 plaintexts \(m_0,m_1,m_2\), whether the most significant differing bit of \(m_0\) and \(m_1\) is the same as the one of \(m_0\) and \(m_2\)), while the construction from [14] reveals the position of the most significant differing bit. Despite the similarity of our results, both constructions are significantly different in terms of techniques, as [12] is based on the work by Chenette et al. [14] while our work opens a new path. In particular, any improvement of our building blocks (e.g., more efficient fully-secure IPE or construction for cardinality of intersection with smaller leakage, or for disjointness, as we explain in Remark 8) would immediately benefit to our ORE scheme.

Concerning multi-input functional encryption, a recent work by Brakerski, Komargodski, and Segev [11], improved in [26], propose a more general approach that allows going from single-input functional encryption to t-input functional encryption in the private key-setting, as long as t is constant (or poly-logarithmic assuming quasi-polynomial security). In particular, this allows one to obtain function-revealing encryption scheme for functions with t-arity from LWE [20] (or from low-complexity PRG and public-key encryption [21]) for a bounded number T of ciphertexts for one index and unbounded ciphertexts for the others (where the size of the ciphertexts grow with T and the depth of the circuit computing the function). A similar result for the case of 2-arity functions can also be obtained directly from the reusable garbled circuits construction from [20]. The general case with unbounded ciphertexts at both indexes remains out of reach since it requires unbounded-collusion functional encryption, which is not known from standard assumptions (and implies \(i\mathcal {O}\) [4, 26] up to subexponential security).

Finally, our notion of function-revealing encryption has also been defined in a recent work (as “revealing encryption”) by Haagh, Ji, Li, Orlandi, and Song [22]. In this paper, the authors also propose a function-revealing scheme for the comparison of two vectors (\(x_i < y_i\) or \(x_i \ge y_i\) for all i or \(\vec {x}\) and \(\vec {y}\) are incomparable). Their construction is obtained by extending the order-revealing construction from [14] and thus implies as well an important leakage.

2 Definitions

2.1 Function-Revealing Encryption

We introduce the paradigm of function-revealing encryption (FRE), as a generalization of property-preserving encryption defined by Pandey and Rouselakis [29] as well as a weakening of the general notion of multi-input functional encryption [8, 19]. Our notion assumes the private-key setting [31] and corresponds to dedicated multi-input functional encryption schemes where the evaluation of the function is public (i.e., no functional secret key is involved).

Definition 1

(Function-Revealing Encryption). A function-revealing encryption scheme for a k-ary function f consists of a tuple of algorithms , defined below.

  • \({\mathsf {Setup}}(1^\kappa )\) is a probabilistic algorithm that takes as input the security parameter \(1^\kappa \) and outputs a secret key \(\mathsf {sk}\) (and public parameters \(\mathsf {pp}\)—including the message space \(\mathcal {M}\)).

  • \({\mathsf {Enc}}(i, \mathsf {sk}, x)\) takes as input an index \(i \in [k]\), a key \(\mathsf {sk}\), and a message \(x\in \mathcal {M}\). It outputs a ciphertext \(\mathsf {ct}\).

    Index i indicates that the output ciphertext \(\mathsf {ct}\) constitutes the i-th input to function f.

  • \(\mathsf {Eval}_f(\mathsf {ct}_{1}, \cdots , \mathsf {ct}_{k})\) takes as input k ciphertexts \(\mathsf {ct}_{1},\cdots ,\mathsf {ct}_{k}\) and outputs a value \(y\) in the range of f.

For correctness, it is required that for all \(\mathsf {sk}{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle {\smash {\$}}}}}{\mathsf {Setup}}(1^\kappa )\) and all \((x_{1}, \cdots ,x_{k}) \in \mathcal {M}^k\):

$$\begin{aligned} \mathsf {Eval}_f(\mathsf {ct}_{1},\cdots ,\mathsf {ct}_{k}) = f(x_1,\cdots ,x_k)\quad \text {where }\mathsf {ct}_{i} = {\mathsf {Enc}}(i,\mathsf {sk},x_{i}). \end{aligned}$$

Remark 2

  1. 1.

    Definition 1 is “asymmetric” in the sense that a given ciphertext is bound to a specific input position in the \(\mathsf {Eval}_f\) procedure. We could define a “symmetric” version of function-revealing encryption where the encryption algorithm \({\mathsf {Enc}}\) no longer takes in an index \(i \in [k]\) so that a ciphertext can be used in any input position for the \(\mathsf {Eval}_f\) procedure. We do not study this symmetric version further since, as stated in Lemma 5, it is implied by the asymmetric version.

  2. 2.

    We choose not to include a decryption algorithm in our definition, since this omission is without loss of generality. Indeed, if necessary, one could just augment the encryption of a message \(x\) with an encryption of \(x\) with a CPA-secure symmetric encryption scheme under a specific secret-key. Via CPA-security, this additional information does not compromise the security of the construction.

  3. 3.

    As specified in the introduction, we focus on the three following functions:

    • \(f_\perp {:\;\;}(\vec {a},\vec {b}) \mapsto {\left\{ \begin{array}{ll}1 &{}\text {if } \langle \vec {a} , \vec {b} \rangle =0 \\ 0 &{}\text {otherwise}\end{array}\right. };\)

    • \(f_\#{:\;\;}(\mathcal {S},\mathcal {T}) \mapsto \#(\mathcal {S}\cap \mathcal {T}) \, ;\)

    • \(f_<{:\;\;}(x,y) \mapsto {\left\{ \begin{array}{ll}1 &{}\text {if } x < y \\ 0 &{}\text {otherwise}\end{array}\right. }.\)

2.2 Two Security Flavors

We examine two different security notions and explore the relations between them. The first notion is defined as an indistinguishability-based security game, while the second (and stronger) one as a simulation-based security game. These are generalizations of classical notions considered in the case of property-preserving encryption, e.g. in [3, 13, 17, 29].

The two notions are defined relatively to a leakage function \(\mathcal {L}\). As a FRE scheme for a function f has to reveal, via the \(\mathsf {Eval}_f\) procedure, at least the values of the function f according to any tuple of k messages \(x_1,\cdots ,x_k\) such that \(x_i\) is encrypted for index \(i \in [k]\), \(\mathcal {L}\) will contain at least this information. This leakage is written \(\mathcal {L}_f\) and is defined below.

Definition 3

(Leakage of a Function). The leakage \(\mathcal {L}_f\) of a k-ary function f with respect to k vectors \({\vec {x}}_{1},\cdots ,{\vec {x}}_{k}\) of \(q_{1},\cdots ,q_{k}\) messages respectively—one vector of messages per position in the input of the function, so \({\vec {x}}_{i} = (x_{i,1},\cdots ,x_{i,q_{i}})\)—is defined as:

$$\begin{aligned} \mathcal {L}_f({\vec {x}}_{1},\cdots ,{\vec {x}}_{k}) = (f(x_{1,i_1},\cdots ,x_{k,i_k}))_{i_1 \in [q_{1}],\cdots ,i_k \in [q_{k}]} . \end{aligned}$$

\(\mathcal {L}\)-Indistinguishability Security. A FRE scheme \(({\mathsf {Setup}},{\mathsf {Enc}},\mathsf {Eval}_f)\) for a k-ary function f is \(\mathcal {L}\)-indistinguishability secure if, for any two sequences of plaintexts with the same leakage, the corresponding sequences of ciphertexts are computationally indistinguishable. Security is defined by a variant of the standard semantic security game and is depicted in Fig. 1.

Specifically, the adversary has black-box access to a left-or-right encryption oracle \(\mathbf{LoR }\). This oracle can be adaptively queried with an index i and a pair of messages \((x^{(0)},x^{(1)})\) to get \({\mathsf {Enc}}(i,\mathsf {sk},x^{(b)})\) with b being a fixed bit and \(\mathsf {sk}\) being a secret key, initialized by the \(\mathbf{Initialize } \) procedure. At the end, the adversary outputs a bit \(b'\) and wins if \(b = b'\); namely, \({\mathbf{Finalize }}(b')=1\). In order to prevent trivial attacks (i.e., attacks resulting from the leakage function), the adversary is restricted as follows. If \(((x_{i,1}^{(0)}, x_{i,1}^{(1)}), \cdots , (x_{i,q_{i}}^{(0)}, x_{i,q_{i}}^{(1)}))\) denotes the sequence of \(q_{i}\) queries made with index i to the \(\mathbf{LoR }\) oracle then, letting \({\vec {x}}_{i}^{(t)} = (x_{i,1}^{(t)}, \cdots , x_{i,q_{i}}^{(t)})\) for \(t \in \{0,1\}\), the sequence of queries made by the adversary has to satisfy:

$$\begin{aligned} \mathcal {L}\bigl ({\vec {x}}_{1}^{(0)},\cdots ,{\vec {x}}_{k}^{(0)}\bigr ) = \mathcal {L}\bigl ({\vec {x}}_{1}^{(1)},\cdots ,{\vec {x}}_{k}^{(1)}\bigr ). \end{aligned}$$
Fig. 1.
figure 1

Game defining the \(\mathcal {L}\)-indistinguishability security of a FRE scheme.

Full size image
Fig. 2.
figure 2

Game defining the \(\mathcal {L}\)-simulation security of a FRE scheme

Full size image

\(\mathcal {L}\)-Simulation Security. A FRE scheme \(({\mathsf {Setup}},{\mathsf {Enc}},\mathsf {Eval}_f)\) for a k-ary function f is \(\mathcal {L}\)-simulation secure if, for any efficient adversary \(\mathcal {A}= (\mathcal {A}_0,\mathcal {A}_1,\cdots ,\mathcal {A}_{q})\) which is given black-box access to encryption oracle \({\mathsf {Enc}}\) that it queries \(q\) times, there exists an efficient stateful simulator \(\mathcal {S}= (\mathcal {S}_0,\mathcal {S}_1,\cdots ,\mathcal {S}_{q})\) such that the outputs of the two distributions and , described in Fig. 2, are computationally indistinguishable.

2.3 Relations Between These Security Notions

As one could expect, simulation security implies indistinguishability security, as stated in the following lemma. Moreover, as already mentioned in Remark 2, for both security notions, the existence of a secure “asymmetric” FRE implies the existence of secure “symmetric” FRE, as stated in Lemma 5. Proofs are detailed in the full version [23].

Lemma 4

Assuming is an \(\mathcal {L}\)-simulation secure function-revealing encryption scheme, then is an \(\mathcal {L}\)-indistinguishability secure function-revealing encryption scheme.

Lemma 5

Assuming there exists an \(\mathcal {L}\)-indistinguishability (resp. \(\mathcal {L}\)-simulation) secure asymmetric function-revealing encryption scheme for a function f, there exists a \(\mathsf {sym}_{\mathcal {L}}\)-indistinguishability (resp. \(\mathsf {sym}_{\mathcal {L}}\)-simulation) secure symmetric function-revealing encryption scheme for the function f, with \(\mathsf {sym}_{\mathcal {L}}({\vec {x}}) = \mathcal {L}({\vec {x}},\cdots ,{\vec {x}})\).

3 Order-Revealing Encryption with Simulation-Security for Polynomial-Size Message Space

Before starting to build our main construction, which is an efficient function-revealing encryption scheme for the function \(f_<\) (i.e., order-revealing encryption scheme) with limited leakage, we would like to start with a simple remark. While it seems extremely hard to obtain an \(\mathcal {L}_{f_<}\)-indistinguishability secure order-revealing encryption scheme from standard assumptions, there is actually a very simple construction that even achieves simulation-based security assuming only one-way functions. However, this construction is only efficient for polynomial-size message space. To improve efficiency, our construction can be instantiated using a pseudorandom permutation, such as AES. This leads to a very efficient construction for small message spaces (e.g., 10-bit integers).

Let \(\{0,\cdots ,N-1\}\) denote the message space, and let \(F {:\;\;}\{0,1\}^\kappa \times \mathcal {D}\rightarrow \mathcal {R}\) be a pseudorandom function such that its domain \(\mathcal {D}\) contains \(\{0,\cdots ,N-1\} \times \{0,\cdots ,2(N-1)\}\).

Construction 1

We define as follows:

  • \({\mathsf {Setup}}_<(1^\kappa )\) picks \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle {\smash {\$}}}}}\{0,1\}^\kappa \) at random and returns it as the secret key \(\mathsf {sk}\);

  • \({\mathsf {Enc}}_<(i,\mathsf {sk},x)\) with \(x \in \{0, \cdots , N-1\}\) is defined as:

    $$\begin{aligned} {{\mathsf {Enc}}}_{<}(i,K,x) = {\left\{ \begin{array}{ll} \mathsf {shuffle}(F_K(x,x+1),\cdots ,F_K(x,x+N-1)) &{}\text {if }i = 1\\ \mathsf {shuffle}(F_K(0,x),\cdots ,F_K(N-1,x)) &{}\text {if }i = 2 \end{array}\right. }; \end{aligned}$$

    [Here \(\mathsf {shuffle}\) is a randomized algorithm that returns a random shuffling of its inputs.]

  • \({\mathsf {Eval}}_{f_<}(\mathsf {ct}_1,\mathsf {ct}_2)\) checks whether there is a common value in \(\mathsf {ct}_1\) and \(\mathsf {ct}_2\). If so, it outputs 1 (“<”); if not, it outputs 0 (“\(\ge \)”).

Correctness. It is clear that if there is no common value, the output of the evaluation algorithm, “\(\ge \)”, is correct. However, it might happen that there is a common value due to a collision. Hence, to ensure that this does not happen, we might want \(F_K\) to be injective (e.g., using a pseudorandom permutation instead of a pseudorandom function, e.g. AES), but one could simply make the range \(\mathcal {R}\) big enough so that the probability of a collision is negligible.

Construction 1 being deterministic, it reveals if two ciphertexts encrypted with the same index corresponds to the same plaintext. This is the only extra information, beyond the relative order, that is leaked. However, this extra-information is always leaked in the “symmetric” case, as one can always check, given two ciphertexts \(\mathsf {ct}_1,\mathsf {ct}_2\) corresponding to plaintexts \(x_1,x_2\), whether \(x_1 \ge x_2\) and \(x_2 \ge x_1\). Thus, if \(x_1 = x_2\), the equality is revealed. For this reason, we claim that Construction 1 achieves ideal security, and we define its leakage \(\mathcal {L}_{<,=}\) as:

$$\begin{aligned} \mathcal {L}_{<,=}(\vec {x}_{1},\vec {x}_{2}) = (\mathcal {L}_{f_<}(\vec {x}_{1},\vec {x}_{2}),\mathcal {L}_=(\vec {x}_{1},\vec {x}_{2})), \end{aligned}$$

with \(\mathcal {L}_=(\vec {x}_{1},\vec {x}_{2}) = (\mathbbm {1}_=(x_{b,i_b},x_{b,j_b}))_{i_b,j_b \in [\vert \vec {x}_b \vert ],b \in \{1,2\} }\) where \(\mathbbm {1}_= (a,b)\) returns 1 if and only if \(a = b\). Precisely, \(\mathcal {L}_{f_<}(\vec {x}_{1},\vec {x}_{2})\) reveals exactly the relative order of messages encrypted with index 1 relatively to messages encrypted with index 2, while \(\mathcal {L}_=(\vec {x}_{1},\vec {x}_{2})\) reveals exactly the pairs of equal messages encrypted with the same index.

Theorem 6

Assuming one-way functions exist, there exists an \(\mathcal {L}_{<,=}\)-simulation secure function-revealing encryption scheme for the function \(f_<\), for polynomial-size message spaces.

The proof of the above theorem is detailed in the full version [23].

4 Order-Revealing Encryption with Limited Leakage

We now describe how to build an order-revealing encryption scheme (a.k.a. function-revealing encryption scheme for \(f_<\)) from any function-revealing encryption scheme for \(f_\#\). As a preliminary, we explain how one can compare two integers by simply checking the disjointness of two sets.

4.1 From Bitstrings to Sets

We define functions \(\varSigma ^{0}\) and \(\varSigma ^{1}\), taking as input an n-bit string x and returning a set of prefixes, as follows:

$$\begin{aligned} \varSigma ^b :x \in \{0,1\}^n \longmapsto \varSigma ^b(x) = \bigl \{ x_{n-1} {\,\Vert \,}\dots {\,\Vert \,}x_{i+1} {\,\Vert \,}1 \mid x_i = b \bigr \}_{0\le i \le n-1}, \end{aligned}$$
(1)

for \(b \in \{0,1\}\). That is, \(\varSigma ^{1}(x)\) returns the set of every prefix of x that ends with a 1, and \(\varSigma ^{0}(x)\) returns the set of every \(z {\,\Vert \,}1\) such that \(z {\,\Vert \,}0\) is a prefix of x. It is easily seen that \(\#\varSigma ^{1}(x) = \mathsf {hw}(x)\) and that \(\#\varSigma ^{0}(x) = \mathsf {hw}(\bar{x})\). In particular, we have \(\varSigma ^{0}(1^n) = \varSigma ^{1}(0^n) = \varnothing \) and thus \(\#\varSigma ^{0}(1^n) = \#\varSigma ^{1}(0^n) = 0\). It is also immediate that \(\#\varSigma ^{1}(x{\,\Vert \,}\bar{x}) = \#\varSigma ^{0}(x{\,\Vert \,}\bar{x}) = n\), for every \(x \in \{0,1\}^n\).

Functions \(\varSigma ^{0}\) and \(\varSigma ^{1}\) are useful as they allow computing the relative order of two integers [28]. More precisely, we have:

Lemma 7

Let xy be two integers such that \(0 \le x,y <2^n\) and viewed as n-bit strings. Then

$$\begin{aligned} x < y \iff \#\bigl (\varSigma ^{0}(x) \cap \varSigma ^{1}(y)\bigr ) = 1 \quad \text {and} \quad x \ge y \iff \#\bigl (\varSigma ^{0}(x) \cap \varSigma ^{1}(y)\bigr ) = 0. \end{aligned}$$

Please refer to the full version [23] for the proof.

Remark 8

Since the cardinality of the intersection is always 0 or 1, one could also base our order-revealing encryption scheme on any function-revealing scheme for the disjointness (i.e., that only reveals if two sets intersect or not).

4.2 A Generic Transform from to

Our transform simply relies on the above technique. Let be a function-revealing encryption scheme for the function \(f_\#\). For simplicity, instead of directly encrypting the sets \(\varSigma ^{0}(x)\) or \(\varSigma ^{1}(x)\), one encrypts the sets \(\varSigma ^{0}(x {\,\Vert \,}\bar{x})\) or \(\varSigma ^{1}(x {\,\Vert \,}\bar{x})\), which are both of size n if x is an n-bit integer. This allows us to assume that the sets encrypted by all have the same size. It is very easy to see that Lemma 7 still holds even if we replace \(\varSigma ^{0}(x)\) and \(\varSigma ^{1}(y)\) by \(\varSigma ^{0}(x {\,\Vert \,}\bar{x})\) and \(\varSigma ^{1}(y {\,\Vert \,}\bar{y})\) respectively.

Construction 2

We build a function-revealing encryption scheme for the function \(f_<\) as follows:

  • \({\mathsf {Setup}}_<\) takes as input the security parameter \(\kappa \) and outputs \({\mathsf {Setup}}_\#(1^\kappa ) = \mathsf {sk}\);

  • \({\mathsf {Enc}}_<\) takes as input an index \(i \in \{1,2\}\), a secret key \(\mathsf {sk}\), and a message \(x\) and outputs:

    $$\begin{aligned} {{\mathsf {Enc}}}_{<} (i,\mathsf {sk},x) = {\left\{ \begin{array}{ll} {\mathsf {Enc}}_\#(1,\mathsf {sk},\varSigma ^{0}(x{\,\Vert \,}\bar{x})) &{}\text {if } i = 1\\ {\mathsf {Enc}}_\#(2,\mathsf {sk},\varSigma ^{1}(x{\,\Vert \,}\bar{x})) &{}\text {if }i = 2 \end{array}\right. }\, ; \end{aligned}$$

  • \({\mathsf {Eval}}_{f_<}\) takes as input a pair of ciphertexts \((\mathsf {ct}_1,\mathsf {ct}_2)\) encrypted with index 1 and 2 respectively, and returns \({\mathsf {Eval}}_{f_\#}(\mathsf {ct}_1, \mathsf {ct}_2)\).

Correctness. The correctness easily follows from the correctness of and from Lemma 7.

Security. Security immediately follows from the security of and the leakage is simply the leakage associated of applied to the encrypted sets, which are either \(\varSigma ^{0}(x{\,\Vert \,}\bar{x})\) or \(\varSigma ^{1}(x {\,\Vert \,}\bar{x})\).

Let \(\mathcal {L}\) denote a leakage such that is \(\mathcal {L}\)-indistinguishability secure. Then, we define the leakage of Construction 2 as:

$$\begin{aligned} \mathscr {L}_{\mathcal {L}}(\vec {x}_1,\vec {x}_2) = \mathcal {L}(\varSigma ^{0}(\vec {x}_1),\varSigma ^{1}(\vec {x}_{2})), \end{aligned}$$

where \(\vec {x}_i = (x_{i,1},\dots ,x_{i,q_{i}})\) is the sequence of integers encrypted with index i, for \(i \in \{1,2\}\), and where \(\varSigma ^{0}(\vec {x}_1) = (\varSigma ^{0}(x_{1,1} {\,\Vert \,}\bar{x}_{1,1}),\dots ,\varSigma ^{0}(x_{1,q_1} {\,\Vert \,}\bar{x}_{1,q_1}))\), and \(\varSigma ^{1}(\vec {x}_{2}) = (\varSigma ^{1}(x_{2,1} {\,\Vert \,}\bar{x}_{2,1}),\cdots ,\varSigma ^{1}(x_{2,q_2} {\,\Vert \,}\bar{x}_{2,q_2}))\).

Theorem 9

Assuming there exists an \(\mathcal {L}\)-indistinguishability secure function-revealing encryption scheme for the function \(f_\#\), then there exists an \(\mathscr {L}_{\mathcal {L}}\)-indistinguishability secure 2-input functional encryption scheme for the function \(f_<\).

Please refer to the full version [23] for the proof.

Remark 10

One could also prove in a very similar manner that the obtained construction is simulation-secure assuming the underlying scheme is simulation-secure.

4.3 Computing Cardinality of Intersection with Limited Leakage

We now describe the second step in building our efficient order-revealing encryption scheme with limited leakage, which is to build a function-revealing encryption scheme for computing the cardinality of intersection. Specifically, the messages are sets of fixed size n and the function f we target is the function \(f_\#{:\;\;}(\mathcal {S}_1,\mathcal {S}_2) \mapsto \#(\mathcal {S}_1 \cap \mathcal {S}_2)\). Our construction relies on the existence of a function-revealing encryption scheme for \(f_\perp \).

In order to ease the reading, we assume that every set in the message space has a fixed size n. One could circumvent this condition as long as the maximal size of a set is known and fixed in advance, but this is not useful for our purpose.

We compute the cardinality of the intersection of two sets as follows: given two sets of integers \(\mathcal {A}= \{a_1,\cdots ,a_n\}\) and \(\mathcal {B}= \{b_1,\cdots ,b_n\}\), one can compute the polynomial \(P_\mathcal {A}(X) = \prod _{i = 1}^{n} (X-a_i)\) such that \(b \in \mathcal {A}\Leftrightarrow P_\mathcal {A}(b) = 0\). The problem is that this technique does not hide anything about elements in \(\mathcal {A}\) and \(\mathcal {B}\). To address this issue, one simply notices that, given \(P_\mathcal {A}(X) = \sum _{i = 0}^{n} \alpha _i \cdot X^i\), testing \(P_\mathcal {A}(b) = 0\) simply consists in checking if \(\langle \vec {\alpha } , \vec {\beta } \rangle = 0\), with \(\vec {\alpha } = (\alpha _0,\dots ,\alpha _{n})\) and \(\vec {\beta } = (1,b,b^2,\dots ,b^{n})\). Therefore, this can be tested privately using a function-revealing encryption for orthogonality testing.

We denote by \(\mathsf {coef}(\mathcal {S})\) the vector \((\alpha _0,\dots ,\alpha _n)\) such that \(\prod _{s \in \mathcal {S}} (X-s) = \sum _{i = 0}^n \alpha _i \cdot X^i\) and by \(\mathsf {exp}(s)\) the vector \((1,s,s^2,\dots ,s^n)\). It is straightforward that, for n being polynomial, computations of \(\mathsf {coef}(\mathcal {S})\) and \(\mathsf {exp}(s)\) are polynomial-time. Let be a function-revealing encryption scheme for orthogonality testing.

Construction 3

We build a function-revealing encryption scheme for the function \(f_\#\) as follows:

  • \({\mathsf {Setup}}_\#\) takes as input the security parameter \(\kappa \) and outputs \({\mathsf {Setup}}_\perp (1^\kappa ) = \mathsf {sk}\);

  • \({\mathsf {Enc}}_\#\) takes as input an index \(i \in \{1,2\}\), a secret key \(\mathsf {sk}\), and a set \(\mathcal {S}= \{s_1,\cdots ,s_n\}\) and outputs:

    $$\begin{aligned} {\mathsf {Enc}}_\#(i,\mathsf {sk},\mathcal {S}) = {\left\{ \begin{array}{ll} {\mathsf {Enc}}_\perp (1,\mathsf {sk},\mathsf {coef}(\mathcal {S})) &{}\text {if }i = 1;\\ \mathsf {shuffle}({\mathsf {Enc}}_\perp (2,\mathsf {sk},\mathsf {exp}(s_1)),\cdots ,\\ \qquad {\mathsf {Enc}}_\perp (2,\mathsf {sk},\mathsf {exp}(s_{n}))) &{}\text {if }i = 2. \end{array}\right. } \end{aligned}$$

  • \({\mathsf {Eval}}_{f_\#}\) takes as input a pair of ciphertexts \((\mathsf {ct}_1,\mathsf {ct}_2)\) encrypted with index 1 and 2 respectively and with \(\mathsf {ct}_2= (\mathsf {ct}_{2,1},\dots ,\mathsf {ct}_{2,n})\), computes \(y_i = \mathsf {Eval}_{f_\perp } (\mathsf {ct}_1,\mathsf {ct}_{2,i})\) for \(i = 1,\dots ,n\) and outputs \(\sum _{i = 1}^n y_i\).

Correctness. Correctness follows immediately from the correctness of .

Security. To compute the size of the intersection of a set \(\mathcal {S}\) encrypted with index 1 with a set \(\mathcal {T}\) encrypted with index 2, one checks, for every element \(t \in \mathcal {T}\), if \(t \in \mathcal {S}\). Therefore, while it clearly allows to compute the size of the intersection, this also leaks more information. Indeed, consider two sets \(\mathcal {S}_1\) and \(\mathcal {S}_2\) encrypted with index 1 and another set \(\mathcal {T}\) encrypted with index 2. Then, for every \(t \in \mathcal {T}\), one can check if \(t \in \mathcal {S}_1\) and if \(t \in \mathcal {S}_2\). Hence, not only the cardinality \(\mathcal {T}\cap \mathcal {S}_1\) and \(\mathcal {T}\cap \mathcal {S}_2\) is revealed, but also the one of \(\mathcal {T}\cap \mathcal {S}_1 \cap \mathcal {S}_2\). More generally, if k sets \(\mathcal {S}_1,\dots ,\mathcal {S}_k\) are encrypted with index 1 and a set \(\mathcal {T}\) is encrypted with index 2, their encryptions reveal the size of the intersection of \(\mathcal {T}\) with any intersection of 1 to k different sets from \(\{\mathcal {S}_1,\dots ,\mathcal {S}_k\}\).

We prove that this is exactly the information that is leaked by our construction and define the leakage of our construction, denoted \(\mathcal {L}_{\#^*}\), as follows. For two sequences of sets \(\vec {\mathcal {S}} = (\mathcal {S}_1,\dots ,\mathcal {S}_{q_1})\) and \(\vec {\mathcal {T}} = (\mathcal {T}_1,\dots ,\mathcal {T}_{q_2})\) encrypted respectively with index 1 and 2, we define:

$$\begin{aligned} \mathcal {L}_{\#^*}(\vec {\mathcal {S}},\vec {\mathcal {T}}) = (\#(\mathcal {I}\cap \mathcal {T}_i))_{\mathcal {I}\in \vec {\mathcal {S}}^\cap ,i \in [q_2]} , \end{aligned}$$
(2)

where \(\vec {\mathcal {S}}^\cap = \{\mathcal {S}_{i_1} \cap \dots \cap \mathcal {S}_{i_j} \mid j \in [q_1], i_j \in [q_1]\}\), so \(\vec {\mathcal {S}}^\cap \) contains every intersection of 1 to \(q_1\) different sets encrypted at index 1. In particular, every set \(\mathcal {S}_i\) is in \(\vec {\mathcal {S}}^\cap \).

Theorem 11

Assuming there exists an \(\mathcal {L}_{\perp }\)-indistinguishability secure function-revealing encryption scheme for orthogonality testing, then there exists an \(\mathcal {L}_{\#^*}\)-indistinguishability secure function-revealing encryption scheme for cardinality of intersection.

The proof of the above theorem is detailed in the full version [23]. Note that, even if \(\mathcal {L}_{\#^*}\) is formally an exponential-size vector, checking whether a query made by an adversary is valid or not remains polynomial.

4.4 Orthogonality Testing and Relation with Predicate Encryption

We finally describe how we obtain a function-revealing encryption for orthogonality testing, namely for the function

$$\begin{aligned} f_\perp {:\;\;}(\vec {a},\vec {b}) \in {{\mathbb Z}}_p^n \mapsto {\left\{ \begin{array}{ll}1 &{}\text {if } \langle \vec {a} , \vec {b} \rangle = 0 \\ 0 &{}\text {otherwise}\end{array}\right. }. \end{aligned}$$

This is the last step in building our efficient order-revealing encryption scheme with limited leakage and from standard assumptions.

The existence of such a scheme is actually implied by the existence of a fully-secure secret-key inner-product encryption scheme, which in particular exists under the \(\mathrm {DLin} \) assumption [7]; e.g., [25]. More generally, we describe a transformation from any fully-secure secret-key predicate encryption for a class of predicate \(\mathcal {F}_f = \{f_a :b \in \mathcal {M}\mapsto f(a,b) \in \{0,1\}\mid a \in \mathcal {M}\}\) to a function-revealing encryption scheme for the function f. A very similar result was already proposed in the case of property-preserving encryption in [2, 13]. For completeness, definitions of the \(\mathrm {DLin} \) assumption and of fully-secure secret-key predicate encryption and inner-product encryption are recalled in the full version [23]. In particular, note that by fully-secure, we mean predicate-hiding and attribute-hiding.

Theorem 12

Let \(f :\mathcal {M}\times \mathcal {M}\rightarrow \{0,1\}\) be any function. Assuming there exists a fully-secure secret-key predicate encryption scheme for the class of predicates \(\mathcal {F}_f = \{f_a :b \in \mathcal {M}\mapsto f(a,b) \in \{0,1\}\mid a \in \mathcal {M}\}\), then there exists an \(\mathcal {L}_f\)-indistinguishability secure function-revealing encryption scheme for the function f.

Please refer to the full version [23] for the proof.

5 Putting Everything Together

We conclude by assembling all our results and obtain an order-revealing encryption scheme with limited leakage assuming the standard \(\mathrm {DLin} \) assumption. We denote by \(\mathcal {L}_{\perp }\) the (ideal) leakage of the function \(f_\perp \) (so \(\mathcal {L}_{\perp }= \mathcal {L}_{f_\perp }\) in the sense of Definition 3).

Corollary 13

Assuming \(\mathrm {DLin} \), there exists an \(\mathcal {L}_{\perp }\)-indistinguishability secure function-revealing encryption scheme for orthogonality testing.

Corollary 14

Assuming \(\mathrm {DLin} \), there exists an \(\mathcal {L}_{\#^*}\)-indistinguishability secure function-revealing encryption scheme for the function \(f_\#\).

Corollary 15

Assuming \(\mathrm {DLin} \), there exists a \(\mathscr {L}_{\mathcal {L}_{\#^*}}\)-indistinguishability secure function-revealing encryption scheme for the function \(f_<\) (a.k.a. order-revealing encryption scheme).

A more detailed explanation of our leakage as well as a detailed comparison with the main concurrent work by Cash et al. [12] are provided in the full version [23].

5.1 Applications

To conclude this paper, we propose two applications of our constructions. In particular, these applications do not suffer much from our additional leakage.

Membership Testing on a Database and Searchable Encryption. Our notion of function-revealing encryption for the function \(f_\#\) naturally yields a solution to test whether some private data is already in a database stored by a given server. Indeed, one could split the database into distinct sets \(\mathcal {S}_1,\dots ,\mathcal {S}_q\) of fixed size n and storing encryptions \({\mathsf {Enc}}_\#(1,\mathsf {sk},\mathsf {coef}(\mathcal {S}_i))\) for \(i \in [q]\). Then, one can simply send to the server \({\mathsf {Enc}}_\#(2,\mathsf {sk},\mathsf {exp}(a))\) so it can learn whether a is already in the database. One could also use this method with a plaintext x being a tag used to ask the server to return every encrypted data with the same tag.

Similarly, one could associate a vector \(\vec {x}\) to a data and perform searchable encryption using our function-revealing encryption scheme for orthogonality (whose leakage is ideal). Doing so, one could query all the data whose tag \(\vec {x}\) is orthogonal to some vector \(\vec {y}\).

Range Queries. Our notion of function-revealing encryption for the function \(f_<\) allows one to perform efficient range queries on a database. One could indeed store encryptions \({\mathsf {Enc}}_{<}(1,\mathsf {sk},x)\) on the server, and makes queries of the form \({\mathsf {Enc}}_{<}(2,\mathsf {sk},a),{\mathsf {Enc}}_{<}(2,\mathsf {sk},b)\) to get encrypted data \(x \in [a;b)\). In particular, as our notion is “asymmetric”, the server learns only a few extra information, while classical order-revealing encryption let the server knows the complete order of the elements. Due to the form of our leakage, the leaked informationis ideal if only one such query is made by the user. Moreover, as explained above, the asymmetry of our construction benefits to this application. In particular, a fully-secure secret-key IPE scheme with constant-size tokens or ciphertexts would imply a very efficient solution for range queries.