Standard encryption solutions for databases protect data at rest [ 1 ], but require database servers to decrypt data at runtime to execute queries. Two decades ago, research began investigating how to encrypt data in use to execute database queries without decrypting data at the server side, such that only (trusted) clients which possess secret keys only decrypt queries results [ 2 ]. First motivated by the advent of database outsourcing and then by public Cloud computing services, encryption of data in use would increase data privacy against potentially curious service providers [ 3 ]. Nowadays, encryption of data in use is also relevant for improving security of on-premise solutions in case of data breaches caused by cyber attacks that subvert the database systems or software applications running on top of them [ 4 ].

Research eforts for encryption of data in use include multifold approaches [ 5 ], such as new cryptographic primitives and schemes [ 6, 7, 8 ], techniques for aggregating and indexing encrypted data for eficient confidential retrieval [ 2, 9, 10 ], key management strategies to support cryptographic access control [ 11, 12 ], and data distribution strategies based on secret sharing techniques [ 13 ]. Practitioners, including researchers and companies, are proposing implementations which combine a mixture of techniques and additional specialized strategies for supporting specific database environments and improving performance for popular workloads [ 14, 15, 16 ]. Parallel research eforts focus on analyzing security, and include novel attack techniques such as inference of statistical information, correlation among multiple data, and analyses of query patterns [ 17, 18, 19, 20, 21, 22, 23 ]. Alternative proposals rely on trusted enclave technologies for fully fledged computation, which theoretically achieve better performance and flexibility [ 24 ], but in practice showed to sufer from side-channel attacks [ 25 ].

We are interested in Property Preserving Encryption (PPE) [ 26 ], which is a family of cryptographic schemes where ciphertexts support the evaluation of some properties related to their corresponding plaintexts, at the cost of exposing “limited” information leakage, such as the result of the evaluation and potentially additional information that is specific for each scheme. The advantage over homomorphic encryption [ 6 ], which produces ciphertexts supporting the execution of computation while guaranteeing at least semantic (IND-CPA) security, is enabling practical performance even for quite complex properties. The disadvantage is that information leakage may allow practical attacks on encrypted data, which may also depend on the characteristics of the datasets [ 19, 20 ] and on query workloads [ 18, 23 ]. Thus, PPE should be carefully adopted or considered as a hardening technique that should not be relied upon as a first defense layer.

We focus on Order Revealing Encryption (ORE) [ 27, 28, 8 ], which denotes a family of PPE schemes specialized on comparison of numerical data (e.g., “greater than” operators), with consequential support for other derived operations of great interest for many database workloads, such as sorting and substring prefix/sufix match. We analyze the ORE scheme proposed by Lewi and Wu (LW-ORE) [ 8 ], which is one of the most important schemes due to good security-performance trade-ofs. The peculiar trait of LW-ORE is to include two types of encryption functions denoted as right encryption and left encryption, each generating a diferent type of ciphertext from the same plaintext: semantically-secure right ciphertexts which are stored in the encrypted database, and deterministic left ciphertexts which are sent when querying the database. LW-ORE uses an evaluation function that compares left and right ciphertexts and output the result (e.g., 0 or 1 if the plaintext used to generate the left ciphertext is equal or greater than that used to generate the right ciphertext). This approach allows to distinguish information leakage against two security models: ofline security , where adversaries only access a snapshot of the database including right ciphertexts, and online security, where adversaries also access queries including left ciphertexts. While an ofline attacker should not learn any information (except for the size of the database and of each plaintext) because right ciphertexts are semantically (IND-CPA) secure, an online attacker could get more information because left ciphertexts are deterministic.

In this paper, we reconsider ofline security of LW-ORE when deployed in real database systems. Although right ciphertexts are proved semantically secure, they have to be maintained sorted to enable sublinear query times via binary search. However, LW-ORE does not describe indexing data structures or other mechanisms. Thus, the scheme can be straightforwardly applied only to a handful of use cases or should be adopted with only support for linear time queries. In any other scenario, LW-ORE must be integrated with indexing data structures, and the risk is to consider this integration a technicality, that is, something that cannot afect the original security guarantees of the scheme. As already experienced many times in applied cryptography and cryptographic engineering, details left open in theoretical designs may open to security vulnerabilities when implemented in real systems. We found relevant literature associated with open source implementations of LW-ORE that indeed adopt standard database indexing techniques based on AVL trees [ 29 ] and B+trees [30]. We also found an additional open implementation of the client-side LW-ORE, which however do not describe indexing techniques at the server side [31].

In this paper, we show that using standard indexing techniques for ORE may introduce at least two classes of vulnerabilities: • the first class of vulnerability is the simpler but also the most severe, and is related to the disclosure of duplicate values: standard indexes store pointers to all duplicate values within the same data structure node, thus ofline security guarantees of the encrypted database fall back to that of a deterministic encryption scheme, reenabling powerful inference attacks. This vulnerability thus breaks one of the major contributions of LW-ORE, that is, of guaranteeing semantic security of ciphertexts. Ad-hoc variants of standard indexing techniques must be implemented to avoid storing duplicate value within the same data structure node while maintaining the data structure eficient. • the second class of vulnerability is related to the disclosure of information regarding the history of the transactions executed on the database. This vulnerability may also cause disclosure of information related to the plaintext distribution if such distribution is not independent of the insertion order (or on derived information, such as insertion time). This requirement has been outlined by literature which denote as history independent the data structure that do not leak any information about the transactions history that generated the data structure [32, 33]. However, to the best of our knowledge, it is not considered by literature related to database outsourcing and PPE.

The two classes of vulnerabilities may not apply depending on the characteristics of the database and of the query workload, but protecting against both may require the design of ad-hoc indexing data structures. The last contribution of the paper is to outline such design, leaving further analyses and evaluations as future work.

The rest of the paper is organized as follows. Section 2 outlines ORE schemes and databases. Section 3 discusses possible information leakage due indexing data structures. Section 4 outlines necessary design choices for secure indexes on ORE databases. Section 5 concludes the paper and discusses future work.

The Order Revealing Encryption scheme by Lewi and Wu [ 8 ] (LW-ORE) is a symmetric encryption scheme for supporting comparison between encrypted data. First, we describe the operations framework of LW-ORE and outline the range query protocol built on top of it as defined in the original paper [ 8 ]. Then, we discuss the limitations of the original models for real database systems and outline better variants.

LW-ORE scheme operations framework. The LW-ORE scheme includes four algorithms: setup (ORE.Setup), left encrypt (ORE.EncryptL), right encrypt (ORE.EncryptR), and compare (ORE.Compare): • sk $ ORE.Setup(1 ) is a probabilistic algorithm which takes security parameter 1 and outputs secret key sk; • cL ORE.EncryptL(sk; p) is a deterministic algorithm which takes key sk and plaintext p and outputs left ciphertext cL; • cR $ ORE.EncryptR(sk; p) is a probabilistic algorithm which takes key sk and plaintext p and outputs right ciphertext cR; • f 1; 0; 1g ORE.Compare(c1L; c2R) is a deterministic algorithm which takes left and right ciphertexts c1L and c2R, and outputs 1, 0, 1 if p1 is less then, equal, or greater than p2, where c1L ORE.EncryptL(sk; p1) and c2R $ ORE.EncryptR(sk; p2), for any sk $ ORE.Setup(1 ).

LW-ORE does not expose a native decryption routine, but decryption can be implemented as a binary search over the plaintext domain via encryption and compare (see [8, Remark 2.1]). In the context of encrypted databases, ORE ciphertexts can be associated with ciphertexts computed with any standard symmetric schemes to enable more eficient decryption.

LW-ORE range query protocol for encrypted databases. LW-ORE scheme allows designing a stateless and single round Range Query protocol (RQ) [8, Section 5.2] among a client and a database server that includes four operations: database setup (RQ.Setup), range query (RQ.Range), insert (RQ.Insert), and delete (RQ.Delete). Without loss of generality, in this paper we omit delete to avoid too much verbosity.

• st $ RQ.Setup(1 ; P ): the client initializes ORE secret key sk $ ORE.Setup(1 ), sorts the database P as P^ = hp1; : : : ; pN i such that pn pn+1 8n 2 [N 1], and encrypts the sorted database P^ as C^ = c1R; : : : ; cRN such that cnR $ ORE.EncryptR(sk; pn) 8n 2 [N ]. The client sends C^ to the server, which sets its state information st = C^. • hpi; : : : ; pj i RQ.Range(sk; q = (x; y); st = C^): the client computes the tuple cLx; cyL such that cLx ORE.EncryptL(sk; x) and cyL ORE.EncryptL(sk; y), and sends it to the server. The server uses cLx (cyL) to find ciR (cjR) within C^ such that i (j) is the smallest (greatest) index of C^ = cnR n2[N] such that ORE.Compare(cLx; ciR) = 1 (ORE.Compare(cyL; cjR) = 1). As suggested in the original protocol [ 8 ], the server can use binary search to compute a number of ORE.Compare operations that is logarithmic in the size of the database N . The server then returns the slice of values within C^ between DciR; : : : ; cjRE, which the client can decrypt to hpi; : : : ; pj i. • st0 $ RQ.Insert(sk; q = x; st = C^): the client computes the tuple cLx; cxR such that cLx ORE.EncryptL(sk; x) and cxR $ ORE.EncryptR(sk; x), and sends it to the server. The server uses cLx to find an insertion position i within C^ such that ORE.Compare(cLx; ciR) = f 1 _ 0g and ORE.Compare(cLx; ciR+1) = f0 _ 1g (or i = N ). As for RQ.Range, binary search can be used to compute a logarithmic number of ORE.Compare operations. Then, the server inserts cxR at the position i within the updated database C^0. The server updates its state to st0 as the new database C^0. Clearly, there may be multiple acceptable values of i if the database includes duplicate values.

Limitations of LW-ORE models. The LW-ORE range query protocol models the encrypted database as state information st = C^ = c1R; : : : ; cRN , which represents the list of right ciphertexts sorted with regard to their corresponding plaintexts, that is, pn pn+1 8n 2 [N 1]. The LW-ORE query protocol assumes that the database server maintains the state information sorted throughout insert operations and thus that binary search can always be executed on st (see [8, Section 5.2]). Moreover, the original paper claims semantic security against snapshot ofline adversaries because right ciphertexts are semantically secure (see [8, Definition 5.2, Theorem 5.5]). We observe that the database model and security analyses proposed in the original LW-ORE paper have two major limitations: • claims about semantic security against snapshot ofline adversaries do not take into account that although right ciphertexts are semantically secure, the encrypted database also leaks the partial sorting order with regard their corresponding plaintexts. It is critical to clearly declare this additional leakage because it may open to known attacks (e.g., correlation attacks on ideal ORE [ 20 ]). Ofline security analyses as proposed in the original paper [ 8 ] may apply only if right ciphertexts are maintained unsorted and thus queried in linear time. Although we point out this gap in the original security claims, in this paper we do not propose improvements in this regard because we do not focus on theoretical security analyses. We leave improvements in this regard as future work. • the database model does not include indexing data structures, which represent auxiliary information that is necessary for adopting the scheme in quite any real database system. As also stated by [ 19 ], a snapshot ofline adversary that operates ciphertext-only inference attacks is able to access to the “steady state” of an encrypted database including all auxiliary information that is needed to perform encrypted searches eficiently (as also reminded in [ 8, see Robustness against ofline inference attacks]). Thus, a proper database model should also include indexing data structures. Indeed, real-world examples of tentative LW-ORE implementations adopted standard indexing techniques, such as AVL trees [ 29 ] and B+trees [30]. However, we show that both implementations leak additional information with regard to the security claims of the LW-ORE scheme. In the following Section 3, we show necessary conditions for designing secure indexing data structures for LW-ORE, that is, that allow to avoid leaking additional information.

We analyze indexing solutions for LW-ORE databases. In Section 3.1 we extend notation proposed by the original LW-ORE paper (see Section 2 and [ 8 ]). In Section 3.2 we discuss information leakage due to duplicate values. In Section 3.3 we discuss information leakage related to transaction history.

We discuss how to design data structures that do not leak information. In Section 4.1 we describe alternative designs for search trees that avoid leaking information related to duplicate values, but that are still history dependent. In Section 4.2 we describe a history independent skip list without duplicates leakage.

----

------------

We analyzed the security guarantees of a state-of-the-art order revealing encryption scheme when deployed in real database systems, and found issues related to information leakage due to gaps within the original security models and analyses. The most severe security issues are related to information leakage due to indexing data structures, including disclosure of duplicate values within the database and context information related to transactions history. These vulnerabilities may allow adversaries accessing a snapshot of the database to break semantic security guarantees claimed by the encryption scheme or, in certain scenarios, to infer information related to the order of the operations executed on the database and related statistical distributions. We described how variant indexing data structures may be modified to prevent both security issues, and outlined a candidate design based on skip lists. We leave a more formal treatment of the proposed analyses and the design of a complete proof of concept as future work.

We thank Mauro Leoncini for discussions on preliminary versions of this work. This work was supported by Doxee SpA in association with the European Regional Development Fund program “Por FESR 2014-2020” of Emilia-Romagna Region.

Internet Services and Applications (2018). [30] D. Bogatov, G. Kollios, L. Reyzin, A Comparative Evaluation of Order-Revealing Encryption Schemes and Secure Range-Query Protocols, in: Proc. Conf. Very Large Data Bases, 2019. [31] CipherStash, Order-revealing encryption library, https://github.com/cipherstash/ ore.rs, Visited Feb. 2023. [32] D. Micciancio, Oblivious data structures: applications to cryptography, in: Proc.

29th ACM Symp. Theory of Computing, 1997. [33] M. Naor, V. Teague, Anti-persistence: History independent data structures, in:

Proc. 33rd ACM Symp. Theory of Computing, 2001. [34] T. Moran, M. Naor, G. Segev, Deterministic history-independent strategies for storing information on write-once memories, in: Int’l Colloquium on Automata, Languages, and Programming, 2007. [35] M. A. Bender, J. W. Berry, R. Johnson, T. M. Kroeger, S. McCauley, C. A. Phillips, B. Simon, S. Singh, D. Zage, Anti-persistence on persistent storage: Historyindependent sparse tables and dictionaries, in: Proc. 35th ACM SIGMOD-SIGACTSIGAI Symp. Principles of Database Systems, 2016. [36] W. Pugh, Skip lists: a probabilistic alternative to balanced trees, Communications of the ACM (1990).