New Order-Revealing Encryption with Shorter Ciphertexts

Abstract

As data outsourcing services have been becoming common recently, developing skills to search over encrypted data has received a lot of attention. Order-revealing encryption (OREnc) enables performing a range of queries on encrypted data through a publicly computable function that outputs the ordering information of the underlying plaintexts. In 2016, Lewi et al. proposed an OREnc scheme that is more secure than the existing practical (stateless and non-interactive) schemes by constructing an ideally-secure OREnc scheme for small domains and a “domain-extension” scheme for obtaining the final OREnc scheme for large domains. They encoded a large message into small message blocks of equal size to apply them to their small-domain scheme, thus their resulting OREnc scheme reveals the index of the first differing message block. In this work, we introduce a new ideally-secure OREnc scheme for small domains with shorter ciphertexts. We also present an alternative message-block encoding technique. Combining the proposed constructions with the domain-extension scheme of Lewi et al., we can obtain a new large-domain OREnc scheme with shorter ciphertexts or with different leakage information, but longer ciphertexts.

1. Introduction

Database encryption has received increased attention recently because of the enormous amount of sensitive data stored in outsourcing cloud databases. One of the promising solutions to protect the confidentiality of sensitive data is to use encryption and perform query evaluation over encrypted data.

Order-Preserving Encryption. Property-preserving encryption, which preserves some property of plaintexts, enables performing query evaluation on ciphertexts. Among them, order-preserving encryption (OPEnc) [1,2,3,4,5], whose ciphertexts preserve the numerical ordering of their underlying plaintexts, has received a lot of attention as it can support efficient query operation on encrypted data such as sorting and range queries using the ordering information. In 2004, Agrawal et al. [1] first proposed the concept of OPEnc. Later, Boldyreva et al. [2] provided the security notions of OPEnc formally and showed that any immutable OPEnc schemes with ideal security must have the ciphertext length that grows exponentially in the plaintext length. Recently, some ideally-secure OPEnc schemes [3,4,5] whose ciphertexts reveal no additional information beyond the order of the underlying plaintexts have been proposed. However, these schemes are stateful and mutable, thus they require large communication and storage complexities.

Order-Revealing Encryption. Boneh et al. [6] introduced order-revealing encryption (OREnc), which can be viewed as a generalization of OPEnc. In the OREnc schemes, anyone can check the ordering information of the underlying plaintexts from ciphertexts through a publicly computable comparison function, thus the encrypted data are not constrained to any particular form. Their construction is the first stateless and non-interactive OREnc scheme that achieves the ideal security. However, their OREnc scheme relies on multilinear maps that require heavy computation and strong assumptions and suffer from security analysis [7], and thus are not efficiently implementable. As part of solving this problem, Chenette et al. [8] presented the first efficiently-implementable OREnc scheme from pseudo-random functions. They also provided a novel security model of OREnc that precisely quantifies what information of the underlying plaintexts is leaked. Later, Lewi et al. [9] proposed a new OREnc scheme with reduced leakage as compared with the scheme of [8]. This result could be achieved by constructing an ideally-secure OREnc for polynomially-sized domains (OREncS) scheme and a “domain-extension” scheme for obtaining OREnc for exponentially-sized domains (OREncL) scheme. They encoded a large message into small message blocks of equal size to apply them to their OREncS scheme, thus their resulting OREncL scheme reveals the index of the first differing message block. The authors of [10] comprehensively analyzed and compared OP(R)Enc schemes described so far and provided their performance results.

Our Contribution. In this work, we begin by reviewing the constructions of [9] and then present a new ideally-secure OREncS scheme with shorter ciphertexts. Combining it with the domain-extension scheme of [9], we can obtain a new OREncL scheme with shorter ciphertexts under the same security level. We also present an alternative message-block encoding technique. In a similar way, we can also obtain a new OREncL scheme with a different security level, but the ciphertext length is getting longer. It is hard to claim that the resulting OREncL scheme is more secure than the scheme of [9]. However, these results provide a clue that there might exist more secure and efficient message-block encoding techniques.

2. Preliminaries

We write λ and [n] as a security parameter and a set of integers {1, …, n} where n is a positive integer, respectively. For any bit strings x, y ∈ {0, 1}^*, x ‖ y means the concatenation of x and y. We write x ← S to denote the sampling of a value x from the distribution S or a uniformly random sampling from the set S. Two distributions D₁ and D₂ are computationally indistinguishable if there is no efficient poly-time adversary to distinguish D₁ from D₂, except with negligible probability. Similarly, if the statistical distance between D₁ and D₂ is negligible, we say that they are statistically indistinguishable. We now review the definition of a secure pseudo-random function F and a secure pseudo-random permutation π. A function F: K × X → Y is a secure pseudo-random function if there is no polynomially-bounded adversary who can distinguish F(k, ·), where k ← K from a truly random function f(·) from X to Y except with negligible probability on arbitrary inputs chosen by the adversary. A secure pseudo-random permutation π: K × X → X can be defined similarly as there is no polynomially-bounded adversary who can distinguish π(k, ·), where k ← K from a truly random permutation on X. All logarithms in this paper are to the base of 2.

2.1. Formal Notion of OREnc

An order-revealing encryption (OREnc) scheme Π consists of three probabilistic polynomial-time algorithms Π = (Π.Setup, Π.Encrypt, Π.Compare) satisfying the following properties on a well ordered domain D and range R.

• Π.Setup(1^λ) → skey: For a security parameter λ, this setup algorithm generates a secret key skey.
• Π.Encrypt(skey, msg) → ctx: For a secret key skey and a message msg ∈ D, this encryption algorithm generates a ciphertext ctx ∈ R.
• Π.Compare(ctx₁, ctx₂) → b: On input two ciphertexts ctx₁ and ctx₂, this comparison algorithm outputs a bit b ∈ {0, 1} (here, b = 1 means msg₁ < msg₂).

Correctness. For a security parameter λ, a given OREnc scheme Π is correct if for skey ← Π.Setup(1^λ), and any messages msg₁, msg₂ ∈ D (msg₁ < msg₂), Π.Compare(ctx₁, ctx₂) = 1 where ctx₁ ← Π.Encrypt(skey, msg₁) and ctx₂ ← Π.Encrypt(skey, msg₂).

2.2. Security of OREnc

In this section, we review a simulation-based OREnc security model of [8] that precisely quantifies what information of plaintexts is leaked by defining a leakage function. We denote an adversary and a simulator for some q = poly(λ) by A = (A₁, …, A_q) and S = (S₀, …, S_q), respectively. Let Π = (Π.Setup, Π.Encrypt, Π.Compare) be an OREnc scheme and L(·) denotes a leakage function of Π. For a security parameter λ, the experiments REAL^Π_A(λ) and SIM^Π_A,S,L(λ) are defined as follows:

REALΠA(λ):   1. skey ← Π.Setup(1λ)   2. (msg1, stateA) ← A1(1λ)   3. ctx1 ← Π.Encrypt(skey, msg1)   4. for 2 ≤ i ≤ q:    (msgi, stateA) ← Ai(stateA, ctx1, …, ctxi−1)    ctxi ← Π.Encrypt(skey, msgi)   5. output (ctx1, …, ctxq) and stateA

SIMΠA,S,L(λ):   1. stateS ← S0(1λ)   2. (msg1, stateA) ← A1(1λ)   3. (ctx1, stateS) ← S1(stateS, L(msg1))   4. for 2 ≤ i ≤ q:    (msgi, stateA) ← Ai(stateA, ctx1, …, ctxi−1)    (ctxi, stateS) ← Si(stateS, L(msg1, …, msgi))   5. output (ctx1, …, ctxq) and stateA

The given OREnc scheme Π is secure with leakage function L(·) if, for all polynomially-bounded adversaries A, there exists a simulator S such that the two distributions REAL^Π_A(λ) and SIM^Π_A,S,L(λ) are computationally indistinguishable. From the security notion, we say that Π is ideally-secure if the leakage function L(·) reveals only the relative order of the underlying plaintexts.

3. OREnc for Small Domains

In 2016, Lewi et al. [9] proposed a new OREnc scheme to solve the problem of [8] “revealing the index of the first bit that differs between two underlying plaintexts”. The starting point of their construction was presenting an ideally-secure OREncS scheme. Now, we review briefly their ideally-secure OREncS scheme. Let H, F, and π denote a hash function with an output space {0, 1, 2}, a secure pseudo-random function, and a fixed random permutation, respectively. The ciphertextct ctx for a given message msg consists of the following two parts:

ctx_L = (F(skey, π(msg)), π(msg)) and

ctx_R = (r, v₁, …, v_N) where v_i = CMP(π⁻¹(i), msg) + H(F(skey, i), r) mod 3 and r ← {0, 1}^λ.

Here, CMP(msg₁, msg₂) outputs −1 if msg₁ < msg₂, 0 if msg₁ = msg₂, and 1 if msg₁ > msg₂. Let ctx¹_L = (a, b) and ctx²_R = (r, v₁, …, v_N) denote the left encryption part of msg₁ and the right encryption part of msg₂, respectively. Then, the Π.Compare algorithm can obtain CMP(msg₁, msg₂) by computing v_b − H(a, r). The main idea of this construction is that ctx_L contains message information hidden by the pseudo-random permutation and ctx_R is the encryption of the all relative order information to each message. Thus, the ciphertext size should grow linearly with the size of the domain space. More specifically, the size of each ciphertext is 2λ + ⌈ log N ⌉ + ⌈ N log 3 ⌉ for a security parameter λ and a domain [N].

3.1. Proposed OREncS Scheme

In this section, we propose a new ideally-secure OREncS scheme with shorter ciphertexts. The main idea of our construction is to reduce the length of ciphertexts by replacing a random value r of ctx_R by F(skey, π(msg)) of ctx_L and by eliminating the π(msg) term of ctx_L using a new ciphertext form. For a fixed security parameter λ and a message space [N], let F: {0, 1}^λ × [N] → {0, 1}^λ be a secure pseudo-random function and H: {0, 1}^λ × {0, 1}^λ → {0, 1} be a 1-bit output hash function modeled as a random oracle. In our scheme, CMP(msg₁, msg₂) outputs 1 if msg₁ ≤ msg₂, and 0 otherwise. As described in [9], the order relation can be clarified by combining of the two results CMP(msg₁, msg₂) and CMP(msg₂, msg₁). The details of our proposed OREncS scheme Π are defined as follows:

• Π.Setup(1^λ) → skey: This setup algorithm draws a pseudo-random function key k ← {0, 1}^λ and a random permutation π on [N]. Then, it outputs skey as (k, π).
• Π.Encrypt(skey, msg) → ctx: For each i ∈ [N], a bit v_i can be computed as

CMP(π⁻¹(i), msg) ⊕ H(F(k, msg), F(k, π⁻¹(i))) where π⁻¹(i) ≠ msg.

This encryption algorithm outputs ctx_L = (F(k, msg), v₁, …, v_π(msg)−1) and ctx_R = (v_π(msg)+1, …,v_N) as a ciphertext ctx.

• Π.Compare(ctx₁, ctx₂) → b: On input two ciphertexts ctx₁ = ((a, v₁, …, v_k1−1), (v_k1+1, …,v_N)) and ctx₂ = ((a’, v’₁, …, v’_k2−1), (v’_k2+1, …,v’_N)), the result of CMP(msg₁, msg₂) can be computed by v’_k1 ⊕ H(a′, a). In a similar way, the result of CMP(msg₂, msg₁) can be obtained.

3.2. Analysis of Proposed OREncS

Theorem 1. (Correctness)

The proposed OREncL Π defined in Section 3.1 is correct.

Proof of Theorem 1. 

We assume that there exists a message pair (msg₁, msg₂) such that the Π.Compare(ctx₁, ctx₂) algorithm does not output 1 where msg₁ < msg₂. For two ciphertexts ctx₁ = ((a, v₁, …, v_k1−1), (v_k1+1, …, v_N)) and ctx₂ = ((a’, v’₁, …, v’_k2−1), (v’_k2+1, …, v’_N)), v’_k0 is computed as CMP(msg₁, msg₂) ⊕ H(F(k, msg₂), F(k, msg₁)) by the Π.Encrypt algorithm. Thus, Π.Compare(ctx₁, ctx₂) can recover CMP(msg₁, msg₂) by the following equation correctly.

v’_k0 ⊕ H(a′, a) = CMP(msg₁, msg₂) ⊕ H(F(k, msg₂), F(k, msg₁)) ⊕ H(a′, a) = CMP(msg₁, msg₂)

By the definition, CMP(msg₁, msg₂) is defined as 1 for msg₁ ≤ msg₂. In the identical way, we can prove that CMP(msg₂, msg₁) = 0 (msg₂ > msg₁) can also be recovered correctly from the ciphertexts. Therefore, Π.Compare(ctx₁, ctx₂) must output 1, which is a contradiction of our assumption. □

Efficiency.

Table 1. Comparison of our order-revealing encryption for polynomially-sized domains (OREncS) scheme defined in Section 3.1 and the existing scheme of [9]. Note that this is the result when the same 1-bit output hash function is applied to their scheme.

OREncS	Bit Size of ctx	Security
[9]	2λ + N + ⌈ log N ⌉	Ideal
Ours (Section 3.1)	λ + N	Ideal

shows some comparison results of our scheme and the OREncS scheme of [9]. The ciphertext of our OREncS consists of a λ-bit output of the pseudo-random function F and N encrypted order information bit, thus the length of the ciphertext is λ + N. Compared with [9], the ciphertext of our scheme does not need to maintain the λ-bit random value and the ⌈log N⌉-bit permuted message information.

Theorem 2. (Security)

The proposed OREncS scheme Π defined in Section 3.1 is ideally-secure.

Proof of Theorem 2. 

To show that our proposed OREncS scheme guarantees the ideal security, it should be shown that the ciphertexts indistinguishable from real can be simulated using only the ordering information of the underlying messages. More formally, we should prove that there exists a simulator S = (S₀, …, S_q) such that two distributions REAL^Π_A(λ) and SIM^Π_A,S,L(λ) are computationally indistinguishable for some q = poly(λ) and an adversary A = (A₁, …, A_q) defined in the OREnc security experiment. □

Simulator Modeling. On input of a security parameter λ, the following two tables are maintained to ensure this simulation consistency throughout the proof.

• The table H_T: (α ∈ {0, 1}^λ, β ∈ {0, 1}^λ, γ ∈ {0, 1}) maintains the simulated input to output mappings of the random oracle.
• The table Fπ _T: (a ∈ [q], b ∈ {0, 1}^λ, c ∈ [N]) maintains the simulated outputs of the pseudo-random function and the fixed random permutation.

The initial state state_S of S₀ consists of the two empty tables (H_T, Fπ _T). For an i (∈ [q])-th message msg_i of encryption query, ctx_j can be returned if msg_i = msg_j for some j < i. Without any loss of generality, only distinct queried messages are considered in the proof. We now describe how to simulate ctx_i responding to the i-th queried message msg_i using state_S and the relative order information of (msg₁, …, msg_i−1).

• Let M be a set of {c₁, …, c_i−1} where each c_i is a third component in the table Fπ _T. The simulator S_i first draws c ← [N]\M and b ← {0, 1}^λ, then stores a tuple (i, b, c) to the table Fπ _T. Here, this experiment is aborted if there already exists a tuple (b, ·, ·) or (·, b, ·) in the table H_T.
• The simulator S_i samples v_i ← {0, 1} where i ≠ c and outputs ((b, v₁, …, v_c−1), (v_c+1, …,v_N)) as a ciphertext ctx_i.

Random Oracle Modeling. We now give a description of the random oracle H. On an i-th input (α, β), and an output bit can be simulated as follows:

• If there already exists (α, β, ·) in the table H_T, then H returns the third component of (α, β, ·).
• Otherwise, if there exist both (a, b = β, c) and (a′, b′ = α, c′) in the table Fπ _T, the simulator first checks CMP(msg_a, msg_a′) from the leakage function L(·) and then searches a′-th previous simulated ciphertext ctx_a′. Finally, it returns CMP(msg_a, msg_a′) ⊕ v′_c as a hash output, where v′_c is an encrypted bit component in ctx_a′, and stores (α, β, CMP(msg_a, msg_a′) ⊕ v′_c) in the table H_T.
• Otherwise, the simulator returns γ where γ ← {0, 1}, then stores (α, β, γ) in the table H_T.

Indistinguishability. To complete our security proof, we now show that two distributions REAL^Π_A(λ) and SIM^Π_A,S,L(λ) are computationally indistinguishable by defining a series of the below hybrid games:

• Game G₀: This game is REAL^Π_A(λ).
• Game G₁: Same as G₀, except the pseudo-random function F is switched by a truly random function f: [N] → {0, 1}^λ.
• Game G₂: Same as G₁, except the game aborts if the adversary queries (f(msg), ·) or (·, f(msg)) to the random oracle H before simulating the ciphertxt of msg.
• Game G₃: This game is SIM^Π_A,S,L(λ).

Lemma 1.

Game G₀ and G₁ are computationally indistinguishable if F is a secure pseudo-random function.

Proof of Lemma 1. 

It is trivial from the definition of the secure pseudo-random functions. □

Lemma 2.

Game G₁ and G₂ are statistically indistinguishable if H is a random oracle.

Proof of Lemma 2. 

To prove lemma 2, we should show that the abort probability of Game G₂ is negligible. We clearly know that all components of the returned ciphertexts are distributed independently from f(π(msg)) before issuing a message msg to the encryption query input. Because f(·) is a truly random function, the probability that the adversary queries (f(msg), ·) or (·, f(msg)) to the random oracle H before simulating the ciphertext of the message msg is at most poly(λ)/2^λ. □

Lemma 3.

Game G₂ and G₃ are statistically indistinguishable if H is a random oracle.

Proof of Lemma 3. 

Let ((a, v₁, …, v_k1−1), (v_k1+1, …, v_N)) and ((a’, v’₁, …, v’_k2−1), (v’_k2+1, …, v’_N)) be the ciphertexts from G₂ and G₃. We now show these two distributions are statistically indistinguishable and the ciphertext under G₃ is valid. The value a is an output of a random function f and a’ is uniformly sampled from {0, 1}^λ, thus they are statistically indistinguishable by the definition of the random functions. A bit v_i is computed as CMP(π⁻¹(i), msg) ⊕ H(f(msg), f(π⁻¹(i)) in Game 2 and the output of H is uniformly random on {0, 1}, thus each v_i is also distributed uniformly in {0, 1}. That is, v_i and v’_i are statistically indistinguishable unless H(f(msg), ·) or H(·, f(msg)) is revealed to the adversary before simulating the ciphertext of msg, but this will never happen by the definition of Game 2 and Game 3. Finally, the bit positions k₁ and k₂ are also statistically indistinguishable because they are the outputs of the random permutation. We now show that the simulated ciphertext in Game 3 is correct. Let ((a, v₁, …, v_k1−1), (v_k1+1, …, v_N)) of msg₁ and ((a’, v’₁, …, v’_k2−1), (v’_k2+1, …, v’_N)) of msg₂ be the two simulated ciphertexts from Game G₃. From the definition of the simulation, H(a′, a) is defined CMP(msg₁, msg₂) ⊕ v’_k1 by the random oracle modeling, thus the Π.Compare algorithm can obtain the correct result as follows:

v’_k1 ⊕ H(a′, a) = v’_k1 ⊕ CMP(msg₁, msg₂) ⊕ v’_k1 = CMP(msg₁, msg₂)

Combining lemmas 1–3, we conclude that our proposed OREncS scheme is ideally-secure. □

4. Alternative Message-Block Encoding Technique

The domain-extension algorithm of [9] is quite straightforward. At a high level, when message msg is represented in x₁ ‖ x₂ ‖ ··· ‖ x_n as the d-ary strings, the corresponding ciphertext can be constructed as ctx₁ ‖ ctx₂ ‖ ··· ‖ctx_n, where each ctx_i is an encryption of x_i by OREncS with a domain size d. One thing to note is that a pseudo-random permutation is applied (not a fixed random permutation) and the key part in the pseudo-random permutation is derived from the prefix of each block x_i to reveal only the index of the first block that differs between two plaintexts. Actually, the construction of [8] can be seen as taking an ideally secure OREnc scheme for 1-bit domains and extending it to the OREnc scheme for n-bit domains. The authors of [9] applied this general extension technique to their OREncS scheme. The ciphertext consists essentially of n ciphertexts of the OREncS scheme with domain size d, thus the total ciphertext size on domain size N ≤ dⁿ is (n + 1)λ + n (⌈ log d⌉ + ⌈d log 3⌉). Interested readers should refer to the paper [8,9] for more details.

4.1. Proposed OREncL Scheme

In this section, we introduce a new message-block encoding technique to construct a new OREncL scheme from our proposed OREncS scheme. We first show how to divide an exponential-size message into polynomial-size blocks to use them as inputs of our proposed scheme. In the construction of [9], it caused the “revealing the index of the first differing block” problem, because a message is divided into small message blocks of equal size. This means that an adversary can infer the approximate distance between the underlying two messages and a message block can be recovered if he obtains d ciphertexts that have the same leakage information. To alleviate these problems, we provide an alternative message-block encoding technique. The main idea of our scheme is that a message is divided by the position and the size of consecutive 1’s. Let 1(i, j) denote the size of j consecutive 1’s staring from the i-th bit position. Here, the index i is counted from the least significant bit. For example, a message 011101, 011100, 111,111 can be represented as {1(5, 3), 1(1, 1), 1(0, 0)}, {1(5, 3), 1(0, 0), 1(0, 0)} and {1(6, 6), 1(0, 0), 1(0, 0)}. We can get the ordering information to check the same level component. In our example, we can know 011,101 > 011,100 from (5 = 5, 3 = 3, 1 > 0). To hide the exact number of 1(i, j), we use 1(0, 0) padding. Note that 3 is the largest possible element number for a 6-bit message space. More formally, an (even) n-bit message containing {1(i₁, j₁), 1(i₂, j₂), …, 1(i_k, j_k)} can be encoded as {i₁, j₁, i₂, j₂, …, i_n/2, j_n/2}, where the elements of i_k+1, j_k+1, …, i_n/2, j_n/2 are 0. Our final ciphertext of a message encoded as {i₁, j₁, i₂, j₂, …, i_n/2, j_n/2} can be computed as follows:

• For a given message msg, we first encode it as {i₁, j₁, i₂, j₂, …, i_n/2, j_n/2} by our proposed technique.
• We generate ciphertext ctx₁, …, ctx_n by n-size domain OREnc scheme for each element in {i₁, j₁, i₂, j₂, …, i_n/2, j_n/2}.
• By applying the domain-extension algorithm of [8,9] to (ctx₁, …, ctx_n), we can obtain our final ciphertext.

4.2. Analysis of Proposed OREncL

Because it is essentially identical to the OREncL scheme of [9], except for the way of generating message blocks, presenting the concrete description of our full OREncL scheme and the details of security proof is not necessarily required. The leakage information “CP of 1(i, j)’s” of our scheme can be defined as the common prefix {1(i₁, j₁), …, 1(i_k−1, j_k−1)} of the underlying two messages where k is the index of the first 1(i, j) that differs. The equality information of i_k and j_k is also revealed. Compared with the leakage information of “revealing the index of the first differing block”, it is difficult to determine which leakage information is more critical, thus we thought that it could be another alternative option. Furthermore, this result provides a clue that there might exist more secure and efficient message-block encoding techniques.

In this analysis chapter, we present the result of the efficiency analysis. The following theorem shows that our message-block encoding technique preserves the order of messages correctly.

Theorem 3.

Our proposed message-block encoding technique preserves ordering information correctly.

Proof of Theorem 3. 

First of all, every between 1(i, j) and 1(i’, j’) requires at least 1-bit 0, thus there is no message that contains more than k−1(i, j) blocks where k > n/2. For any two messages msg₁ encoded as {i₁, j₁, i₂, j₂, …, i_n/2, j_n/2 } and msg₂ encoded as {i’₁, j’₁, i’₂, j’₂, …, i’_n/2, j’_n/2 }, where msg₁ < msg₂, assume that i is the index of the first bit that differs, that is, the i-th bit of msg₁ is 0 and of msg₂ is 1.

• (i − 1)-th bit is 0: Let {i₁, j₁, …, i_k, j_k} be a common part of the encoding of msg₁ and msg₂. Because i-th bit of msg₁ is 0 and of msg₂ is 1, we conclude i_k+1 < i’_k+1.
• (i − 1)-th bit is 1: Let {i₁, j₁, …, i_k, j_k} be a common part of the encoding of msg₁ and msg₂. Similar to the above case, because i-th bit of msg₁ is 0 and of msg₂ is 1, we conclude i_k+1 = i’_k+1 and j_k+1 < j’_k+1.

□

Efficiency.

Table 2. Comparison of our ORE for exponentially-sized domains (OREncL) and the existing scheme.

OREncL	Bit Size of ctx	Leakage
[9]	n(λ + d) + λ + ⌈ log d ⌉	Ideal
Ours I	n(λ + d)	First block that differs
Ours II	n ⌈ log d ⌉ (λ + n ⌈ log d ⌉)	CP of 1(i, j)’s

shows some comparison results our OREncL schemes and the scheme of [9]. Ours I and II denote the OREncL schemes with our OREncS under the normal d-size message-block encoding of [9] and the proposed message-block encoding, respectively. Because a ciphertext of Ours I consists essentially of n ciphertexts of our OREncS whose ctx size is λ + d, as described in Section 3.2, the size of the resulting ciphertext is n(λ + d). In the case of Ours II, the size of the resulting ciphertexts is n ⌈ log d ⌉ (λ + n ⌈ log d ⌉) because the message can be represented in n ⌈ log d ⌉ bits, and thus n ⌈ log d ⌉ ciphertexts of n ⌈ log d ⌉-size domain OREncS are required. Taking ⌈ log d ⌉ = d/n, the size of ciphertexts with our proposed message-block encoding is asymptotically longer by a multiplicative factor Ω(log d) compared with the existing d-bit message-block encoding of [9].

Simple Implementation. Figure 1 shows the percentage of the requiring ciphertext information until obtaining the Π.Compare algorithm output for any two ciphertexts of Ours I and Ours II on two different domain sizes. For example, 98.76% of the ciphertexts of Ours II (N = 2¹⁶) require only 25% of their ciphertext information to check the relative order on average. This result means the relative order information of two messages can be derived with slightly less ciphertext information when applying our proposed message-block encoding technique. However, because the ciphertext size of Ours II is longer, it does not mean our proposed encoding technique can guarantee a more efficient search time.

5. Conclusions

In this work, we introduced a new ideally-secure OREncS scheme with shorter ciphertexts compared with the existing scheme. We also presented an alternative message-block encoding technique for extending our OREncS to large-domains. Combining the proposed constructions with the existing Lewi et al.’s “domain-extension” scheme, we could obtain a new OREncL scheme with shorter ciphertexts whose security is the same as the existing scheme and a new OREncL scheme with longer ciphertexts whose leakage is the information of the common prefix consecutive 1’ before the first differing bit. Moreover, we gave the efficiency and security analysis of our proposed schemes as well as a simple implementation result.