Escolar Documentos
Profissional Documentos
Cultura Documentos
Research Article
A Novel Secure Scheme for Supporting Complex SQL Queries
over Encrypted Databases in Cloud Computing
Guoxiu Liu,1,2 Geng Yang ,1,3 Huaqun Wang,1 Yang Xiang,4 and Hua Dai 1,3
1
Nanjing University of Posts and Telecommunications, Nanjing 210003, China
2
School of Computer and Information Engineering, Chuzhou University, Chuzhou 239000, China
3
Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing 210003, China
4
School of Information Technology, Deakin University, 221 Burwood Highway, Burwood, VIC 3125, Australia
Received 6 January 2018; Revised 5 May 2018; Accepted 30 May 2018; Published 3 July 2018
Copyright © 2018 Guoxiu Liu et al. This is an open access article distributed under the Creative Commons Attribution License,
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
With the advance of database-as-a-service (DaaS) and cloud computing, increasingly more data owners are motivated to outsource
their data to cloud database for great convenience and economic savings. Many encryption schemes have been proposed to process
SQL queries over encrypted data in the database. In order to obtain the desired data, the SQL queries contain some statements to
describe the requirement, e.g., arithmetic and comparison operators (+, −, ×, <, >, and =). However, to support different operators
(+, −, ×, <, >, and =) in SQL queries over encrypted data, multiple encryption schemes need to be combined and adjusted to
work together. Moreover, repeated encryptions will reduce the efficiency of execution. This paper presents a practical and secure
homomorphic order-preserving encryption (FHOPE) scheme, which allows cloud server to perform complex SQL queries that
contain different operators (such as addition, multiplication, order comparison, and equality checks) over encrypted data without
repeated encryption. These operators are data interoperable, so they can be combined to formulate complex SQL queries. We
conduct security analysis and efficiency evaluation of the proposed scheme FHOPE. The experiment results show that, compared
with the existing approaches, the FHOPE scheme incurs less overhead on computation and communication. It is suitable for large
batch complex SQL queries over encrypted data in cloud environment.
encrypted by the application. mOPE is an ideal security the cloud server, receives queries results, decrypts the results
scheme, but it has the low efficiency due to the interaction using the corresponding keys, and sends the decrypted result
and tree balancing. Moreover, their works only process order to the users.
comparison on ciphertexts. A FHOPE scheme in this paper involves two different
Some solutions were proposed for querying data over entities which are described below.
the encrypted database [25–27]. One of the most important
fundamental schemes for processing queries on an encrypted Client (CL). The client is data owner. For protecting data
database is proposed by H. Hacig𝑢m ̈ 𝑢s̈ . et al. in [25]. It privacy, it uses the private key to encrypt the sensitive data
encrypts the data at a tuple level, and then a predefined and then outsources the encrypted data to a cloud server. The
set of attributes can be used in queries. Following H. CL can also send the SQL queries to a CS and decrypt the
Hacig𝑢m ̈ 𝑢s̈ . ’s idea, some improvements were proposed [28, queries results from the CS.
29]. The scheme [28] stores redundant data for querying
data over the encrypted database, and B. Hore et al. [29] Cloud Server (CS). A CS is hosted by the service provider that
extended the model of H. Hacig𝑢m ̈ 𝑢s̈ . et al. and added range stores the databases in cloud. It stores and manages the data
queries over the encrypted database. To achieve the vari- of users. A CS also stores the encrypted intermediate and final
ous computations over encrypted data, some Paillier-based results. Furthermore, a CS is able to perform homomorphic
improvements [8, 30–34] were presented. The schemes in addition, homomorphic multiplication, order comparison,
[30, 31] can support homomorphic addition, homomorphic and equality checks over encrypted data and then process
multiplication, and order comparison, but the order compar- complex SQL queries on encrypted data.
ison is realized by converting to subtraction operation; they To describe our scheme, we give the formal definition of
have high computation overhead. Yan et al. [33] can only FHOPE.
support the addition and cannot support other computation
operations. Peter et al. [34] proposed an efficient outsourcing Definition 1 (FHOPE). A FHOPE scheme consists of four
multiparty computation framework under multiple keys, but phases (key generation, encryption, decryption, and compu-
the scheme only supports addition and multiplication and tation). The detailed phases are described below.
cannot support other operations.
CryptDB [35] and SDB [36] are well-known systems for (1) Key generation: 𝑠𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛(1𝑘 ). KeyGen runs at
processing queries over encrypted database. CryptDB uses the CL, takes as input the security 𝑘, and outputs a
onions to support SQL queries over encrypted databases, private key 𝑠𝑘. The CS cannot get access to the private
where range queries and equality condition queries rely on key.
order-preserving encryption [24] and deterministic encryp- (2) Encryption: 𝑐 ← 𝐸𝑛𝑐(𝑠𝑘, V). Enc runs at the CL. The
tion, respectively. It performs specific operations with homo- inputs to the CL are 𝑠𝑘 and the sensitive data V in the
morphic encryption, to support aggregate queries; it imple- SQL queries, and the CL obtains a ciphertext 𝑐 and
mented the Paillier cryptosystem [29], but it cannot sup- then sends the SQL queries to a CS.
port homomorphic multiplication. The CryptDB has the
following limitations: (1) its queries are processed on the (3) Decryption: V ← 𝐷𝑒𝑐(𝑠𝑘, 𝑐). The CL runs Dec on the
lowest-security level of data; (2) the same data needs to private key and a ciphertext 𝑐 and obtains a plaintext
be reencrypted according to different types of computation. V.
For example, it can perform range queries while a column (4) Computation: 𝑟𝑒𝑠 ← 𝐻𝐴𝑀𝑂𝐸(𝑐1 , . . . , 𝑐𝑙 ). HAMOE
is encrypted with order-preserving encryption, and if it runs at the server, takes as input ciphertext 𝑐1 , . . . , 𝑐𝑙 ,
performs aggregate queries, such column is encrypted with and can perform addition, multiplication, order com-
homomorphic encryption. SDB [36] can process queries that parison, and equality checks over the ciphertext and
contain different kinds of operations; nevertheless, it requires then output the result of the computation.
massive computation resources and communication cost.
Thus, it is always necessary to establish an efficient To describe the correctness of our scheme, we define what
scheme to process database queries without involving mul- it means for the scheme to be correct. Intuitively, the scheme
tiple incompatible encryption schemes. should decrypt the correct values and correctly support
homomorphic addition, homomorphic multiplication, and
order comparison on the ciphertext. Suppose that we have
3. System Model and Attack Model a secret key vector 𝐾(𝑛) and that 𝑚 integers V𝑖 ∈ 𝑉(1 ≤
In this section, we describe the system model and the 𝑖 ≤ 𝑚) are encrypted into 𝑚 vectors 𝐶1 , 𝐶2 , . . . , 𝐶𝑚 , where
attack model and give formal definition of the scheme. The 𝐶𝑖 = (𝑐𝑖1 , . . . , 𝑐𝑖𝑛 ).
prototype will be built based on the system model. The
Definition 2 (correctness). A FHOPE scheme for plaintext
security of the proposed scheme will be analyzed in Section 7.
domain Z is correct if, for all security parameters k, for all
𝐾(𝑛) ← 𝐾𝑒𝑦𝐺𝑒𝑛(1𝑘 ),
3.1. System Model. Figure 2 shows the overall architecture.
The client receives queries from users, generates the private (1) for all V ∈ 𝑍 and for every C outcome of
key and encrypts the sensitive data, sends the SQL queries to 𝐹𝐻𝑂𝑃𝐸(V, 𝐾(𝑛)), 𝐷𝑒𝑐(𝐾(𝑛), 𝐶) = V;
4 Security and Communication Networks
Client
Original Query (1) (2) Query over Cloud Server
Encrypted Data(3)
Key generation
Applications
Encrypted Query
Encryption Results(4) Outsourced
Query Results(5) database
Decryption
(2) for all V𝑖 ∈ 𝑍 and for every 𝐶𝑖 outcome of 𝐹𝐻𝑂𝑃𝐸(V𝑖 , which intuitively says that the scheme must not leak anything
𝐾(𝑛)), 𝐷𝑒𝑐(𝐾(𝑛), ∑𝑚 𝑚
𝑖=1 𝐶𝑖 ) = ∑𝑖=1 V𝑖 ; besides order. The homomorphic order-preserving chosen-
(3) for all V𝑖 ∈ 𝑍 and for every 𝐶𝑖 outcome of 𝐹𝐻𝑂𝑃𝐸(V𝑖 , plaintext attack is a restricted chosen-plaintext attack. We
𝐾(𝑛)), 𝐷𝑒𝑐(𝐾(𝑛), 𝐶𝑖 × 𝐶𝑗 ) = V𝑖 × V𝑗 ; remark that the restricted chosen-plaintext attack is used in
literature [10]. We adapt the security definition of literature
(4) for all sequences 𝑠𝑒 = {V1 , . . . , V𝑚 } ∈ 𝑍𝑚 , for all pairs [13] to the syntax of our proposed scheme.
V𝑖 , V𝑗 ∈ 𝑠𝑒, for all 𝐶𝑖 , 𝐶𝑗 obtained as above, we have
V𝑖 < V𝑗 ⇐⇒ 𝐶𝑖 < 𝐶𝑗 ; Definition 3 (IND-HOCPA security). A FHOPE scheme
(5) for all V𝑖 ∈ 𝑍 and for every 𝐶𝑖 outcome of is IND-HOCPA secure, if any probabilistic polynomial
𝐹𝐻𝑂𝑃𝐸(V𝑖 , 𝐾(𝑛)), we have V𝑖 + V𝑗 × V𝑘 > V𝑙 ⇐⇒ time (PPT) adversary 𝐴 has only a negligible advantage
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴
𝐶𝑖 + 𝐶𝑗 × 𝐶𝑘 > 𝐶𝑙 . 𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 to win in the following game. The FHOPE
game between the adversary 𝐴 and the challenger 𝐶𝐻 is given
3.2. Attack Model. In this section, we present the potential below:
threats and the security requirements for database outsourc- (1) For the secure parameter k, the challenger 𝐶𝐻 runs
ing in the cloud. In our scheme, we assume the same security the key generation algorithm KeyGen and generates
model commonly adopted in related literatures in this field 𝑠𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛(1𝑘 ).
(e.g., [35]), where the CL is the data owner. Thus, the CL is
trusted; the CS is honest-but-curious; that is, the computation (2) The challenger 𝐶𝐻 and the adversary 𝐴 engage in
provided by the CS is able to be executed correctly, and it does a polynomial number of rounds of interaction. For
not change the data or query results, but the CS tries its best to round 𝑖,
obtain the privacy information of the processed data. Order-
(1) the adversary 𝐴 chooses two equal-length mes-
preserving encryption is primarily used in databases for
sages V𝑖0 , V𝑖1 ∈ 𝑍 and sends them to the chal-
supporting order comparison on ciphertexts, it exposes the
lenger 𝐶𝐻;
order of data, and then the cloud can learn the statistical prop-
erties (like order) through repeated query requests. Therefore, (2) the challenger 𝐶𝐻 picks 𝑏 ∈ {0, 1} at random
we introduce an adversary 𝐴 in our model, which aims to and leads the interaction for the Enc algorithm
decrypt the ciphertexts of a challenge sent to applications on inputs 𝑠𝑘 and V𝑖𝑏 with the server CS, with the
with the following capabilities: adversary 𝐴 observing all the ciphertexts at CS.
(1) 𝐴 may try to obtain the private key and guess the (3) The adversary 𝐴 outputs 𝑏 , its guess for 𝑏.
plaintext values from ciphertexts outsourced from a
CL. We say that the adversary 𝐴 wins the game if (1) its
(2) 𝐴 may compromise the CS by guessing the plaintext guess is correct (𝑏 = 𝑏 ) and (2) the sequences {V𝑖0 }𝑖 and
values of the computation results received from the {V𝑖1 }𝑖 have the same order relations (namely, for all 𝑖, 𝑗,V𝑖0 <
CS. V𝑗0 ⇐⇒ V𝑖1 < V𝑗1 ). That is, 𝐴 wins the above game if
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴
(3) 𝐴 may compromise the CS to guess the plaintext 𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 (𝑘) is nonnegligible, where the adversary’s
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴
values of the queries results based on statistical advantage 𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 (𝑘) in the above game is defined as
properties (like order).
1
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴
𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 (𝑘) = Pr [𝑤𝑖𝑛𝐴,𝑘 ] − , (1)
For satisfying the security requirements of the FHOPE 2
scheme, we formalize the security definition of a FHOPE
scheme for IND-HOCPA (indistinguishability under a where 𝑤𝑖𝑛𝐴,𝑘 is the random variable indicating the success of
homomorphic order-preserving chosen-plaintext attack), the adversary in the above game.
Security and Communication Networks 5
In order to ensure the validity of decryption steps in (9), 5. Correctness of the FHOPE
it has to satisfy the conditions
A query operation can request arbitrary data with a statement
𝑛
to describe the desired data. In order to obtain the desired
∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) ∗ (𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾 (𝑛) , 𝑅) + 𝜉𝑖 ) = 0, (12) data, the query contains some statements to describe the
𝑖=1
requirement, e.g., arithmetic and comparison operators (×,
𝑛 +, −, =, >, and <). These operators are data interoperable, so
∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) ∗ 𝐸𝑛𝑐𝑖 (𝐾 (𝑛) , V) = V. (13) they can be combined to formulate complex queries, and we
𝑖=1
are concerned with executing queries that contain multiple
Proof of Correctness for Decryption different operations, such as WHERE 𝑎 + 𝑏 × 𝑐 < 𝑑. Our data
model is column-based in a table. In this section, we prove
Proof. To prove correctness of decryption, suppose that any the correctness of additive homomorphism, multiplicative
V1 ∈ 𝑍 is encrypted into 𝐶1 = (𝑐11 , . . . , 𝑐1𝑛 ) with the key 𝐾(𝑛), homomorphism, order-preserving, and data interoperability
as shown below. and describe how these operators are implemented in our
scheme.
𝑐1𝑖 = 𝐸𝑛𝑐𝑖 (𝐾 (𝑛) , V1 ) + 𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾 (𝑛) , 𝑅𝑖1 ) + 𝜉. (14)
Suppose that the first sub-ciphertext (𝑐11 ) has order-pre- 5.1. Addition (AD)/Subtraction. Assuming two sensitive
serving property, and random noise 𝜉 is added to the first and columns 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 of a table 𝑇, their values are integers.
second sub-ciphertext, respectively. Then, we have to prove We use V𝑖 and V𝑗 to denote the values of 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 in
a row t, respectively. Let 𝐶𝑖 and 𝐶𝑗 be the encrypted values
𝐷𝑒𝑐(𝐾 (𝑛) , (𝑐11 , . . . , 𝑐1𝑛 ) = V1 . (15) of V𝑖 and V𝑗 , respectively, where 𝐶𝑖 = (𝑐𝑖1 , . . . , 𝑐𝑖𝑛 ) and 𝐶𝑗 =
(𝑐𝑗1 , . . . , 𝑐𝑗𝑛 ); they share the same secret key vector 𝐾(𝑛).
That is, Given two sensitive columns 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵, if the appli-
𝑛 cation issues the query SELECT ∗ FROM Table 1 WHERE
∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) 𝑐𝑜𝑙 𝐶 = 𝑐𝑜𝑙 𝐴 + 𝑐𝑜𝑙 𝐵, the SQL query processing is as follows.
𝑖=1
(16) Step 1. The CL receives the SQL query, it uses the encryption
∗ (𝐸𝑛𝑐𝑖 (𝐾 (𝑛) , V1 ) + 𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾 (𝑛) , 𝑅) + 𝜉)
algorithm Enc to encrypt the values of 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 with
= V1 , the private key 𝐾(𝑛); their ciphertexts are 𝐶𝑖 = (𝑐𝑖1 , . . . , 𝑐𝑖𝑛 )
and 𝐶𝑗 = (𝑐𝑗1 , . . . , 𝑐𝑗𝑛 ), respectively.
where
1 Step 2. The CS executes the SQL query on the encrypted data
𝐷𝑒𝑐𝑖 (𝑎𝑖 , 𝑏𝑖 ) = . (17) just like on plaintext. Due to additive homomorphism, the
𝑎𝑖 ∗ ∑𝑛𝑖=1 𝑏𝑖
CS can directly add encrypted data one by one as follows: 𝐶𝑖 +
We have 𝐶𝑗 = (𝑐𝑖1 + 𝑐𝑗1 , . . . , 𝑐𝑖𝑛 + 𝑐𝑗𝑛 ), where the homomorphic addition
𝑛 of 𝐶𝑖 and 𝐶𝑗 is defined as a vector addition.
∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) ∗ 𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾 (𝑛) , 𝑅)
𝑖=1 The FHOPE scheme guarantees homomorphic addition
(18) according to the following theorem.
1 𝑝 𝑟 𝑟 𝑝
= ∗ ( 1 − 𝑛 + 1 + ⋅ ⋅ ⋅ − 𝑛−1 ) = 0.
∑𝑛𝑖=1 𝑏𝑖 𝑎2 𝑎𝑛 𝑎1 𝑎𝑛 Theorem 4. The FHOPE scheme supports additive homomor-
phism; i.e., 𝐷𝑒𝑐((∑𝑚 𝑚 𝑚
𝑖=1 𝑐𝑖1 , . . . , ∑𝑖=1 𝑐𝑖𝑛 ), 𝐾(𝑛)) = ∑𝑖=1 V𝑖 .
Because 𝑎2 = −𝑎1 and 𝜉 ≠ 0, then
𝑛 Proof.
1
∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) ∗ 𝜉 = ∗ 𝜉 = 0. (19)
𝑖=1 𝑎𝑖 ∗ ∑𝑛𝑖=1 𝑏𝑖 𝑚 𝑚
𝐷𝑒𝑐 ((∑𝑐𝑖1 , . . . , ∑𝑐𝑖𝑛 ) , 𝐾 (𝑛))
Then 𝑖=1 𝑖=1
𝑛
𝑛 𝑚
∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) ∗ 𝐸𝑛𝑐𝑖 (𝐾 (𝑛) , V1 ) = ∑𝐷𝑒𝑐𝑗 (𝐾 (𝑛)) ∗ (∑𝑐𝑖𝑗 )
𝑖=1
𝑗=1 𝑖=1
(20)
𝑛 (21)
1 𝑛 𝑚
=∑ 𝑛 ∗ 𝑎𝑖 ∗ 𝑏𝑖 ∗ V1 = V1 .
𝑎
𝑖=1 𝑖 ∗ ∑ 𝑖=1 𝑏𝑖 = ∑ (∑ (𝐷𝑒𝑐𝑗 (𝐾 (𝑛)) ∗ 𝑐𝑗𝑖 ))
𝑗=1 𝑖=1
Therefore, the correctness of decryption is proved.
𝑚 𝑛 𝑚
To verify the correctness of operations supported by our = ∑ ( ∑ 𝐷e𝑐𝑗 (𝐾 (𝑛)) ∗ 𝑐𝑗𝑖 ) = ∑V𝑖 .
scheme, suppose that we have a secret key vector 𝐾(𝑛) and 𝑖=1 𝑗=1 𝑖=1
that 𝑚 integers V𝑖 ∈ 𝑉(1 ≤ 𝑖 ≤ 𝑚) are encrypted into 𝑚
vectors 𝐶1 , 𝐶2 , . . . , 𝐶𝑚 , where 𝐶𝑖 = (𝑐𝑖1 , . . . , 𝑐𝑖𝑛 ).
Security and Communication Networks 7
𝑛
The correctness of homomorphic addition is proved.
= ∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) × 𝑐1𝑖 × (𝑐21 , . . . , 𝑐2𝑛 ) )
Subtraction operation can be converted to addition oper- 𝑖=1
ation for processing, so it is omitted.
𝑛
= 𝑐1𝑖 × ∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) × (𝑐21 , . . . , 𝑐2𝑛 ) = 𝑐1𝑖 × V2 ,
5.2. Multiplication (MU). We describe the FHOPE scheme
𝑖=1
for “×”. Given two sensitive columns 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 of a
table 𝑇, let V1 and V2 denote the values of 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 in (24)
a row t, respectively. Let 𝐶1 and 𝐶2 be the encrypted values
then it gives
of V1 and V2 , respectively, where 𝐶1 = (𝑐11 , . . . , 𝑐1𝑛 ) and 𝐶2 =
(𝑐21 , . . . , 𝑐2𝑛 ); they share the same secret key vector 𝐾(𝑛). 𝑐11
If the application issues the query SELECT ∗ FROM
Table 1 WHERE 𝑐𝑜𝑙 𝐶 = 𝑐𝑜𝑙 𝐴 × 𝑐𝑜𝑙 𝐵, the SQL query 𝐷𝑒𝑐 (𝐾 (𝑛) , 𝐶1 × 𝐶2 ) = (. . .) × V2 . (25)
processing is as follows. 𝑐1𝑛
Step 1. The CL receives the SQL query, it uses the encryption Step 2. We have from Step 1:
algorithm Enc to encrypt the values of 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵
with the private key 𝐾(𝑛), and their ciphertexts are 𝐶1 = 𝐷𝑒𝑐 (𝐾 (𝑛) , (𝑐11 × V2 , . . . , 𝑐1𝑛 × V2 ))
(𝑐11 , . . . , 𝑐1𝑛 ) and 𝐶2 = (𝑐21 , . . . , 𝑐2𝑛 ), respectively.
𝑛
Step 2. The CS executes the SQL query on the encrypted data = ∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) × (𝑐11 × V2 , . . . , 𝑐1𝑛 × V2 )
𝑖=1
just like on plaintext. Due to multiplicative homomorphism,
the CS can directly multiply encrypted data one by one as 𝑛
where the multiplication of two ciphertexts can be defined as Hence, 𝐷𝑒𝑐(𝐾(𝑛), 𝐶1 × 𝐶2 ) = V1 × V2 . The correctness of
an outer product. multiplicative homomorphism is proved.
Our objective is to perform multiplication operations 5.3. Order Comparison (OC). We consider two comparison
on the encrypted data just like on plaintext. The FHOPE operators, namely, operator “>” and operator “<”. They are
scheme guarantees homomorphic multiplication according mostly used in select queries. Given two sensitive columns
to the following theorem. 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 of table 𝑇. Let V1 and V2 denote the values
of 𝑐𝑜𝑙 𝐴 and 𝑐𝑜𝑙 𝐵 in a row t, respectively. Let 𝐶1 and 𝐶2
Theorem 5. The FHOPE scheme supports multiplicative be the encrypted values of V1 and V2 , respectively; they share
homomorphism. That means 𝐷𝑒𝑐(𝐾(𝑛), 𝐶1 × 𝐶2 ) = V1 × V2 . the same secret key vector 𝐾(𝑛). For privacy protection, we
calculate V1 > V2 or V1 < V2 , the plaintexts need to be
Proof. To prove this theorem, we first need to show that encrypted, and we need to calculate 𝐶1 > 𝐶2 or 𝐶1 < 𝐶2 .
That is, the goal of FHOPE scheme is that the sort order
𝑐11 of ciphertexts matches the sort order of the correspond-
𝐷𝑒𝑐 (𝐾 (𝑛) , 𝐶1 × 𝐶2 ) = (. . .) × V2 . (23) ing plaintexts. Here we prove that our scheme has order-
preserving property.
𝑐1𝑛 Suppose that any two integers V1 and V2 are encrypted into
𝐶1 = (𝑐11 , . . . , 𝑐1𝑛 ) and 𝐶2 = (𝑐21 , . . . , 𝑐2𝑛 ) with the key 𝐾(𝑛),
Then, we prove 𝐷𝑒𝑐(𝐾(𝑛), (𝑐11 , 𝑐12 , . . . , 𝑐1𝑛 ) × V2 ) = V1 × V2 . as shown below.
The details are given below.
𝑐1𝑖 = 𝐸𝑛𝑐𝑖 (𝐾 (𝑛) , V1 ) + 𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾 (𝑛) , 𝑅𝑖1 ) + 𝜉, (27)
Step 1. Perform the following decryption for i, 1 ≤ 𝑖 ≤ 𝑛.
Because we have 𝑐2𝑖 = 𝐸𝑛𝑐𝑖 (𝐾 (𝑛) , V2 ) + 𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾 (𝑛) , 𝑅𝑖2 ) + 𝜉. (28)
𝐷𝑒𝑐 (𝐾 (𝑛) , (𝑐1𝑖 × 𝑐21 , . . . , 𝑐1𝑖 × 𝑐2𝑛 )) Definition 6. Let 𝑉 = {V1 , V2 , . . . , V𝑛 } be the set of all input
plaintext values. The sensitivity of 𝑉 is the minimum element
𝑛 in the set {|V1 − V2 | | V1 ∈ 𝑉, V2 ∈ 𝑉, V1 ≠ V2 }. That is, the
= ∑𝐷𝑒𝑐𝑖 (𝐾 (𝑛)) × (𝑐1𝑖 × 𝑐21 , . . . , 𝑐1𝑖 × 𝑐2𝑛 ) sensitivity 𝑆 is defined as 𝑆 = min V1 ,V2 ∈𝑉 |V1 − V2 |.
𝑖=1 V1 =V̸ 2
8 Security and Communication Networks
In fact, the sensitivity is the least gap, which was evaluated problem is that this solution needs to modify the ciphertexts
in different privacy protection [38]. And by its definition the in the database to increase the cost of computation; moreover,
sensitivity is always bigger than 0. it makes the ciphertexts in an unsafe state. Hence, we take
the second solution. Given a search keyword 𝑠𝑐𝑜𝑟𝑒 = 100, to
Theorem 7. Given the sensitivity 𝑆 of input value 𝑉, for all search a ciphertext whose plaintext value is 100 in encrypted
V1 ∈ 𝑉, V2 ∈ 𝑉, if V1 > V2 , then 𝐶1 > 𝐶2 . database, the following steps need to be executed.
Proof. We have 𝐶1 > 𝐶2 if 𝑐1𝑖 > 𝑐2𝑖 , where 𝑐1𝑖 and 𝑐2𝑖 (1 ≤ 𝑖 ≤ Step 1. The CL uses FHOPE to encrypt the search keyword
𝑛) are the sub-ciphertext of 𝐶1 and 𝐶2 , respectively. Suppose 𝑠𝑐𝑜𝑟𝑒 into a ciphertext 𝐶 = (𝑐1 , . . . , 𝑐𝑛 ) under the key 𝐾(𝑛);
that the sub-ciphertexts 𝑐1𝑖 and 𝑐2𝑖 have the same random the random noise is 𝜉, which is stored in the CL. Then the CL
noise 𝜉. To prove this theorem, we need to show 𝑐1𝑖 − 𝑐2𝑖 > 0; computes the range of the sub-ciphertext 𝑐𝑖 (1 ≤ 𝑖 ≤ 𝑛) as
that is, follows:
16000 20,000
14000 18,000
12000 16,000
Time cost (ms)
10000 14,000
× 𝐹𝐻𝑂𝑃𝐸 (V3 , 𝐾 (𝑛)) > 𝐹𝐻𝑂𝑃𝐸 (V4 , 𝐾 (𝑛)) → where 𝑛 × 𝑡𝑢 × 𝑃 is generated by inserting the new random
noise; it is the time of updating the existing random noise.
𝐶1 + 𝐶2 × 𝐶3 > 𝐶4 . When we insert 𝑁 encrypted values into the database, we
have
𝑘 = 1,
The correctness of data interoperability is proved. (39)
𝑇 (1) = 𝑡𝑒 + 𝑡𝑖 + 𝑛 × 𝑡𝑢 × 𝑃,
5.6. Improving Efficiency. In encryption algorithm Enc, some
random noise 𝜉𝑖 has been added in each sub-ciphertext 𝑘 = 2,
to augment the security of FHOPE scheme. However, this (40)
𝑇 (2) = 𝑇 (1) + 𝑡𝑒 + 𝑡𝑖 + (𝑛 + 1) × 𝑡𝑢 × 𝑃,
process reduces the efficiency of the scheme. Here, we use
two measures to improve efficiency. One approach is that 𝑘 = 3,
two sub-ciphertexts in a ciphertext have order-preserving (41)
function. For example, the plaintext V1 is encrypted into 𝑇 (3) = 𝑇 (2) + 𝑡𝑒 + 𝑡𝑖 + (𝑛 + 2) × 𝑡𝑢 × 𝑃,
𝐶1 = (𝑐11 , . . . , 𝑐𝑛1 ) under the key 𝐾(𝑛), each sub-ciphertext
is a ciphertext of the plaintext, and the sub-ciphertexts are ⋅⋅⋅ (42)
independent of each other, so any sub-ciphertext of the 𝑘 = 𝑁,
n sub-ciphertexts has order-preserving property; it means (43)
that the ciphertext has order-preserving property. Then, we 𝑇 (𝑘) = 𝑇 (𝑘 − 1) + 𝑡𝑒 + 𝑡𝑖 + (𝑛 + 𝑘 − 1) × 𝑡𝑢 × 𝑃.
can specify that the first sub-ciphertext (𝑐𝑖1 ) of the n sub-
ciphertexts has order-preserving property. Another approach Then,
is to add random noise 𝜉𝑖 with a certain probability 𝑃. Figure 3
𝑇 (𝑁) = 𝑁 × (𝑡𝑒 + 𝑡𝑖 ) + (𝑛 × 𝑁 + 0.5 × 𝑁 × (𝑁 − 1))
shows that, with the growth of probability 𝑃, the time cost (44)
increases while the length of the plaintext is fixed. We will × 𝑡𝑢 × 𝑃.
analyze the relationship between probability 𝑃 and the time
cost of inserting a ciphertext. According to (44), we can infer the approximate linear
The cost of inserting a ciphertext includes encrypting relationship between total time 𝑇(𝑁) and probability 𝑃 when
the plaintext to be inserted, inserting the ciphertext, and 𝑁 is fixed, and it is consistent with Figure 3. Figure 4
updating random noise. Assume that the length of plaintext shows that the total time 𝑇(𝑁) is exponentially related to 𝑁
V is 𝑚 and the plaintext V is encrypted into 𝐶. Let 𝑡𝑒 , 𝑡𝑖 , and when probability 𝑃 is fixed. For efficiency, we can conclude
𝑡𝑢 denote the time of encrypting, the time of inserting opera- that security and efficiency are contradictory; the higher the
tion, and the time of updating random noise, respectively. For security, the lower the efficiency.
10 Security and Communication Networks
6. Using FHOPE in a Database Application integers, the problem is to find the hidden common divisor ℎ.
Note that 𝑞𝑖 and 𝑙𝑖 change in each 𝑑𝑖 . In particular, if 𝑙𝑖 can be
The FHOPE is mainly used in the database; in this section, as large as ℎ, it is impossible to reconstruct ℎ from any number
we describe how to use FHOPE in a database. As mentioned of approximate multiples 𝑑𝑖 [40].
in Section 5, FHOPE allows efficient addition, multiplication, →
→ →
→
order comparison, and equality checks computations on an As we know, 𝐾(𝑛) = [𝑘1 , 𝑘2 , . . . , 𝑘𝑛 ], where 𝑘𝑖 = (𝑎𝑖 , 𝑏𝑖 )
encrypted database in the same way as on unencrypted is a secret vector. In the following, we prove that it is hard
→
database, and the database server software does not need to to recover the secret component 𝑘𝑖 in a key 𝐾(𝑛) from any
be modified. number of ciphertexts.
Setup. Using FHOPE in a database requires the following Theorem 9. Given any number of ciphertexts from the FHOPE
setup: →
encryption with 𝐾(𝑛), it is difficult to recover 𝑘𝑖 in a key 𝐾(𝑛).
(i) A CL uses the FHOPE to encrypt the sensitive data,
and the encrypted data is outsourced to be stored in a Proof. As shown in the FHOPE encryption, a ciphertext 𝐶 =
cloud database. The CL stores the private keys. (𝑐1 , . . . , 𝑐𝑛 ) is defined as
(ii) User-defined functions (UDFs) in the database server 𝑐1 = 𝑎1 ∗ 𝑏1 ∗ V + 𝑁𝑜𝑖𝑠𝑒1 (𝐾 (𝑛) , 𝑅1 ) + 𝜉1 ,
implement FHOPE’s computation function.
... (45)
Insert Queries. To understand how values in a query are
encrypted, consider an application that wants to execute 𝑐𝑛 = 𝑎𝑛 ∗ 𝑏𝑛 ∗ V + 𝑁𝑜𝑖𝑠𝑒𝑛 (𝐾 (𝑛) , 𝑅𝑛 ) .
the query INSERT INTO student VALUES (10). The CL In the first ciphertext element 𝑐1 , 𝑎1 is the common divisor
encrypts 10 using the FHOPE and issues the query INSERT to be recovered. We are going to prove that it is difficult to find
INTO student VALUES (FHOPE(10)), where FHOPE() is a the secret value 𝑎1 from the first element 𝑐1 of any number of
user-defined function that implements the encryption of the ciphertexts.
FHOPE scheme. Let 𝑁1 = 𝑁𝑜𝑖𝑠𝑒1 (𝐾(𝑛), 𝑅1 ) + 𝜉1 . Then, we have 𝑐1 = 𝑎1 ∗
𝑏1 ∗ V + 𝑁1 . Since 𝑏1 ∗ V is random number generated for each
Select Queries. Consider a query: SELECT ∗ FROM T
encryption, 𝑁1 is a number that the adversary does not know,
WHERE 𝑐𝑜𝑙1 × 𝑐𝑜𝑙2 + 1000 > 6800. 𝑐𝑜𝑙1 and 𝑐𝑜𝑙2 denote the
and it randomly changes for each encryption of the plaintext.
sensitive columns in a table 𝑇; their values are encrypted and
Moreover, 𝑎1 can be less than 𝑁1 . Hence, it is difficult
stored in a cloud database. The CL encrypts 1000 and 6800
to recover 𝑎1 from the first element 𝑐1 of any number of
using the FHOPE, and the values of 𝑐𝑜𝑙1 and 𝑐𝑜𝑙2 , 1000 and
ciphertexts according to the hardness of the AGCD problem.
6800, share the same private key and random noise 𝜉. 𝑐𝑜𝑙1 and
The proofs for other secret values 𝑎𝑖 and 𝑏𝑖 in 𝐾(𝑛) are carried
𝑐𝑜𝑙2 are encrypted as 𝑐𝑜𝑙1 𝑐 and 𝑐𝑜𝑙2 𝑐, respectively. It delivers
out similarly.
the query “SELECT ∗ FROM T WHERE 𝑐𝑜𝑙1 𝑐 × 𝑐𝑜𝑙2 𝑐 +
𝐹𝐻𝑂𝑃𝐸(1000) > 𝐹𝐻𝑂𝑃𝐸(6800)” to a CS. The CS executes
the query on encrypted data as if the data were not encrypted 7.2. IND-HOCPA Security. We analyze the semantic security
and returns the query results to CL. The CL decrypts the of the FHOPE scheme by proving the indistinguishability of
query results and returns them to the applications. ciphertexts under a homomorphic order-preserving chosen-
plaintext attack.
7. Security Analysis Theorem 10. A FHOPE encryption scheme is IND-HOCPA
The security analysis of the FHOPE scheme focuses on the secure.
security of the key 𝐾(𝑛), IND-HOCPA (indistinguishability
under a homomorphic order-preserving chosen-plaintext Proof. In the following game, the PPT adversary is denoted
attack) security and the security of FHOPE scheme. Assume as 𝐴 and the challenger is denoted as 𝐶𝐻. Consider any
that a CL sends the SQL query to a CS via a secure channel. adversary 𝐴 and any two sequences of values 𝐴 ask for in the
First, we will prove that it is difficult to recover the secret security game: V0 = (V10 , . . . , V𝑛0 ) and V1 = (V11 , . . . , V𝑛1 ).
→
component 𝑘𝑖 in a key 𝐾(𝑛) from ciphertexts. Then, based (1) The key generation algorithm generates the key
on the difficulty of the key 𝐾(𝑛) recovery problem, we prove →
→ →
𝐾(𝑛) = [𝑘1 , 𝑘2 , . . . , 𝑘𝑛 ] = [(𝑎1 , 𝑏1 ), (𝑎2 , 𝑏1 ), . . . , (𝑎𝑛 ,
the IND-HOCPA security of the scheme. We present the 𝑏𝑛 )], where (𝑎𝑖 , 𝑏𝑖 )(1 ≤ 𝑖 ≤ 𝑛) is a list of pairs of
privacy protection in queries. Finally, we demonstrate that the integers, which are large prime numbers, 𝑎𝑖 ∗ 𝑏𝑖 > 0,
security of FHOPE’s properties is guaranteed by the security 𝑛 > 1, 𝑎𝑖 ≠ 0 for 1 ≤ 𝑖 ≤ 𝑛, 𝑏1 + ⋅ ⋅ ⋅ + 𝑏𝑛−1 ≠ 0, and
of key 𝐾(𝑛) and IND-HOCPA security of FHOPE. 𝑏𝑛 ≠ 0.
7.1. Security of the Key 𝐾(𝑛). The hardness of the key search (2) The adversary 𝐴 chooses two equal-length sequences
problem is based on the approximate greatest common of values V0 and V1 and sends them to the challenger
divisors (AGCD) problem. The AGCD problem was pro- 𝐶𝐻.
posed by Howgrave-Graham [39]. Given any number of the (3) The challenger 𝐶𝐻 randomly encrypts V𝑖0 and V𝑖1 with
approximate multiples 𝑑𝑖 = ℎ∗𝑞𝑖 +𝑙𝑖 of ℎ, where ℎ, 𝑞𝑖 , and 𝑙𝑖 are key 𝐾(𝑛) and outputs the ciphertext 𝐶0 = (𝑐01 , . . . , 𝑐0𝑛 )
Security and Communication Networks 11
or 𝐶1 = (𝑐11 , . . . , 𝑐1𝑛 ), where 𝑐01 = 𝑎1 ∗ 𝑏1 ∗ V𝑖0 + Consider a query SELECT 𝑐𝑜𝑙1 FROM T WHERE 𝑐𝑜𝑙1 >
𝑁𝑜𝑖𝑠𝑒1 (𝑎1 , 𝑟1 , 𝑝1 ) + 𝜉0 , 𝑐11 = 𝑎1 ∗ 𝑏1 ∗ V𝑖1 + 𝑁𝑜𝑖𝑠𝑒1 (𝑎1 , 100. The 𝑐𝑜𝑙1 denotes the sensitive column in a table 𝑇; their
𝑟1 , 𝑝1 ) + 𝜉1 , and 𝜉𝑏 (b ∈ {0, 1})∈ [−∞, +∞]. The values are encrypted and stored in a cloud database. The CL
ciphertext 𝐶𝑏 (b ∈ {0, 1}) is sent to the adversary 𝐴. encrypts 100 using the FHOPE, and the values of 𝑐𝑜𝑙1 , 100,
share the same private key and random noise 𝜉. And 𝑐𝑜𝑙1
(4) If V𝑖0 ≠ 0 and V𝑖1 ≠ 0, then the expressions of is encrypted as 𝑐𝑜𝑙1𝑐. It delivers the query “SELECT 𝑐𝑜𝑙1𝑐
𝑎1 ∗ 𝑏1 ∗ V𝑖0 + 𝑁𝑜𝑖𝑠𝑒1 (𝑎1 , 𝑟1 , 𝑝1 ) + 𝜉0 and 𝑎1 ∗ 𝑏1 ∗ FROM T WHERE 𝑐𝑜𝑙1𝑐 > 𝐹𝐻𝑂𝑃𝐸(100)” to a CS. Since the
V𝑖1 + 𝑁𝑜𝑖𝑠𝑒1 (𝑎1 , 𝑟1 , 𝑝1 ) + 𝜉1 generate the same value data is in the encrypted form and the random noise of each
from −∞ to +∞ with the same probability; since 𝜉𝑏 is ciphertext is different, the adversary cannot get any knowl-
randomly sampled from the range [−∞, +∞], V0 and edge of the order information. The random noise of the same
V1 have the same order relation. Hence, the advantage attribute is continuously updated with the insertion of new
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴 data in the cloud database (that is, the random noise of the
𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 (𝑘) of distinguishing is negligible.
same attribute is the same), and then the order of plaintexts
In the following, we discuss the case where V𝑖0 = 0 and remains in the ciphertexts in the cloud database. Then, the CS
executes the query on encrypted data as if the data were not
V𝑖1 ≠ 0. The case where V𝑖0 ≠ 0 and V𝑖1 = 0 is similar.
encrypted, and the adversary obtains the query results. Since
If V𝑖0 = 0 and V𝑖1 ≠ 0, we have 𝑐01 = 𝑁𝑜𝑖𝑠𝑒1 (𝑎1 , 𝑟1 , 𝑝1 ) + 𝜉0 the random noise is dynamically updated, the order of query
or 𝑐11 = 𝑎1 ∗ 𝑏1 ∗ V𝑖1 + 𝑁𝑜𝑖𝑠𝑒1 (𝑎1 , 𝑟1 , 𝑝1 ) + 𝜉1 ; depending on results loses freshness. In other words, the repeated query is
whether V𝑖0 or V𝑖1 is encrypted, V0 and V1 have the same order issued again, and the returned ciphertexts are different. More-
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴
relation. Then, the advantage 𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 (𝑘) is negligible. over, we used the restrictions of literature [10] for chosen-
The proofs for other sub-ciphertexts 𝑐0𝑖 and 𝑐1𝑖 (2 ≤ 𝑖 ≤ 𝑛) plaintext attack, even if the adversary can get the ciphertext
𝐼𝑁𝐷−𝐻𝑂𝐶𝑃𝐴
are carried out similarly; the advantage 𝐴𝑑V𝐹𝐻𝑂𝑃𝐸,𝐴 (𝑘) is of {V1 , V2 , . . . , V𝑘 }, where {V1 , V2 , . . . , V𝑘 } is a dense one, but the
negligible. ciphertexts are disordered because they are obtained at differ-
ent time. Therefore, previous query requests will not help the
Therefore, the adversary 𝐴 cannot win the above game, adversary to learn the privacy information, and the adversary
and hence a FHOPE is IND-HOCPA secure. cannot gradually find out the order information and get some
useful statistical information after many query requests.
7.3. Privacy Protection in Queries. The adversary can collect
some useful statistical information after receiving query 7.4. The Security of FHOPE Properties. Our security model
requests; it tries to guess the plaintext corresponding to the securely realizes ideal properties in the presence of noncol-
ciphertext based on statistical information. However, we will luding semihonest adversary. For the sake of simplicity, we do
describe that the FHOPE scheme can reduce the privacy it for the specific scenario of our properties, which involves
leakage greatly in this scenario. CL and CS. We need to construct simulator 𝑆𝑖𝑚𝐶𝑆 against
To solve the mentioned problem, we add some random adversary 𝐴 𝐶𝑆 that corrupts CS.
noise in each sub-ciphertext. Let 𝜉𝑖 denote the random noise,
which is randomly sampled from the range [−∞, +∞], and Theorem 11. The AD can securely perform addition operation
𝑎𝑡𝑡𝑢 denote the column attribute of the database table. Then, on ciphertext in the presence of semihonest adversary 𝐴 𝐶𝑆 .
the sub-ciphertext 𝑐𝑖1 (1 ≤ 𝑖 ≤ 𝑛) of V1 is expressed as
Proof. CL receives plaintexts V and V as input and then
𝐸𝑛𝑐𝑖 (𝐾(𝑛), V1 ) + 𝑁𝑜𝑖𝑠𝑒𝑖 (𝐾(𝑛), 𝑅𝑖1 ) + 𝜉1 ; the range of noise is generates ciphertexts 𝐶 of V and 𝐶 of V . Finally, 𝐶 and 𝐶
different for different input values. Suppose 𝜉 (default value are returned to 𝑆𝑖𝑚𝐶𝑆 .
is 0 if there are no sub-ciphertexts of 𝑎𝑡𝑡𝑢 stored on cloud 𝑆𝑖𝑚𝐶𝑆 simulates 𝐴 𝐶𝑆 as follows: it receives 𝐶 and 𝐶 as
server) denotes the latest noise. To store 𝑐𝑖1 in the cloud server, input and generates the sum of 𝐶 and 𝐶 by performing
the following steps need to be executed (if no sub-ciphertexts addition operation. 𝑆𝑖𝑚𝐶𝑆 sends the sum of 𝐶 and 𝐶 to 𝐴 𝐶𝑆 .
of 𝑎𝑡𝑡𝑢 are stored, jump to Step 2). The 𝐴 𝐶𝑆 ’s view contains encrypted data. In the real and
ideal executions, the views of 𝐴 𝐶𝑆 are indistinguishable,
Step 1. Update all the stored sub-ciphertexts (𝑐𝑖𝑚 ) of 𝑎𝑡𝑡𝑢 by
because CL is trusted and the FHOPE is IND-HOCPA
𝑐𝑖𝑚 = 𝑐𝑖𝑚 + 𝜉1 − 𝜉.
secure.
Step 2. Add random noise 𝜉1 in the new sub-ciphertexts by
𝑐𝑖1 = 𝑐𝑖1 + 𝜉1 . The security proofs of MU, OC, EQ, and DI are similar
to that of AD under the semihonest adversary 𝐴 𝐶𝑆 . We give
Step 3. Update the value of 𝜉 by 𝜉 = 𝜉1 . only the theorems here.
Therefore, due to adding random noise, the ciphertext Theorem 12. The MU can securely perform multiplication
value is random. The same plaintexts are mapped to different operation on ciphertext in the presence of semihonest adversary
ciphertexts. The random noise of the same attribute is 𝐴 𝐶𝑆 .
continuously updated with the insertion of new data in the
cloud database, and the adversary cannot guess the random Theorem 13. The OC can securely perform order comparison
noise. on ciphertext in the presence of semihonest adversary 𝐴 𝐶𝑆 .
12 Security and Communication Networks
103 20
18
16
102 14
12
Time (sec)
10
Time (ms)
8
101
6
2
100
0
1000 2000 3000 4000 5000 6000 7000 8000 9000
N
𝑁
Figure 6: Time for running ∑𝑖=1 𝑥𝑖 over encrypted x.
10−1
0.6 0.8 1 1.2 1.4 1.6 1.8 2
Numbers N ×104
of which has 6 digits. Then, we compare our scheme with
FHOPE Encryption FHOPE Decryption
the AES algorithm by testing the time cost of encryption and
AES Encryption AES Decryption
decryption. According to Figure 5, the time cost of AES’s
Figure 5: Performance of encryption and decryption. encryption and decryption exhibits exponential growth with
respect to the number of integers; it costs 230 milliseconds
to encrypt 20000 integers. And the FHOPE scheme costs 4
Theorem 14. The EQ can securely perform equality checks on milliseconds to encrypt 20000 integers, which is about 57
ciphertext in the presence of semihonest adversary 𝐴 𝐶𝑆 . times faster than AES algorithm for encryption. We can see
that FHOPE scheme is also faster than AES for decryption.
Theorem 15. The DI can securely perform complex operation Thus our scheme is practically efficient and suitable for large
on ciphertext in the presence of semihonest adversary 𝐴 𝐶𝑆 . batch of data encryption and decryption.
2000 (2) query “select A from 𝑇𝑎𝑏 where 𝐴 ∗ 𝐵 < 1000”, (3) query
“select B from 𝑇𝑎𝑏 where 𝐴 ∗ (𝐴 + 𝐵) > 100”, and (4) query
1500
“select B from 𝑇𝑎𝑏 where 𝐴 ∗ 𝐵 − 100 > 10”. The FHOPE
can support the above complex SQL queries. Since FHOPE
Time (sec)
than the mOPE scheme. In mOPE scheme, the client and the
9. Conclusion
server side need to interact with each other when encrypting In this paper, we have presented a novel FHOPE scheme that
a message, and the server needs to adjust the encoding tree can support direct homomorphic addition, homomorphic
to achieve balance when adding new nodes. Our scheme is multiplication, order comparison, and equality checks on the
constructed by some linear mathematical functions without ciphertext. The FHOPE scheme can be applied in a cloud
any interaction, and it has a higher efficiency. database environment, which still uses standard SQL state-
ments and allows the cloud server to perform complex SQL
8.4. Comparison with CryptDB [35]. For testing, we select queries over the encrypted data without repeated encryption.
10000 records randomly from table 𝑇𝑎𝑏. Our scheme is We have proved the security of our FHOPE scheme from four
compared with CryptDB by executing three queries. aspects: the security of the key 𝐾(𝑛), IND-HOCPA security,
the privacy protection in queries, and the security of FHOPE
[Range]: select 𝐴 from 𝑇𝑎𝑏 where 𝐴 < 𝑞. properties. The security of the key 𝐾(𝑛) is based on the AGCD
[Sum]: select 𝑠𝑢𝑚(𝐴) from 𝑇𝑎𝑏 where 𝐴 < 𝑞. problem. Moreover, we have implemented a prototype in Java
and evaluated the performance of our scheme in terms of
[Avg]: select 𝑎V𝑔(𝐵) from 𝑇𝑎𝑏 where 𝐴 < 𝑞.
encryption, decryption, and homomorphic operations, and
Let 𝑞 control the queries’ selectivity, which is randomly our scheme is compared with mOPE scheme and CryptDB.
sampled from the range [100, 10000]. Figure 8 shows the Through experiment, we prove that the FHOPE scheme
time cost of FHOPE and CryptDB for performing the three incurs less overhead on computation. It is suitable for large
queries, where the size of the table grows from 1𝐾 to 8𝐾 rows. batch of data encryption and decryption in cloud database
The time cost is displayed as bar graph. systems.
We can get some observations from the experimental
result. (1) CryptDB takes more time to execute the range Data Availability
queries than FHOPE, because the CryptDB uses mOPE
The data used to support the findings of this study are
to implement the comparison operations. The efficiency of
available from the corresponding author upon request.
mOPE is lower than FHOPE as shown in Figure 7. (2) For
the sum and avg queries, the execution time of FHOPE is
lower than CryptDB, because CryptDB employs Paillier’s
Conflicts of Interest
homomorphic encryption scheme and UDFs (user-defined The authors declare that they have no conflicts of interest.
functions) to compute sum aggregates and averages. The
low efficiency of Paillier’s homomorphic encryption scheme Acknowledgments
leads to the low efficiency of CryptDB. (3) To perform range,
sum, and avg queries, CryptDB employs various encryption This work was supported in part by the National Natural
schemes. FHOPE makes up for CryptDB’s shortcoming, Science Foundation of China under Grant 61572263, Grant
which can support homomorphic addition, homomorphic 61502251, Grant 61502243, and Grant 61602263, the Nat-
multiplication, order comparison, and equality checks. ural Science Foundation of Jiangsu Province under Grant
Moreover, CryptDB cannot support some operations, BK20161516 and Grant BK20151511, the Natural Science
such as “𝐴 + 𝐵 < 𝑞” and homomorphic multiplication. There- Foundation of Anhui Province under Grant 1608085MF127,
fore, CryptDB cannot support some complex SQL queries, for the Natural Science Foundation of Educational Commis-
example, (1) query “select 𝑠𝑢𝑚(𝐴∗𝐵) from 𝑇𝑎𝑏 where 𝐴 < 𝑞”, sion of Anhui Province of China under Grant KJ2016B17,
14 Security and Communication Networks
Time (ms)
Time (ms)
1200 100 120
1000 100
800 80 80
600 60 60
400 40 40
200 20 20
0 0 0
1+ 2+ 3+ 4+ 5+ 6+ 7+ 8+ 1+ 2+ 3+ 4+ 5+ 6+ 7+ 8+ 1+ 2+ 3+ 4+ 5+ 6+ 7+ 8+
Figure 8: Execution times of FHOPE and CryptDB for the three sample queries.
Cloud,” IEEE Transactions on Information Forensics and Secu- Privacy Preserving,” IEEE Transactions on Information Forensics
rity, vol. 11, no. 6, pp. 1165–1176, 2016. and Security, vol. 12, no. 7, pp. 1596–1608, 2017.
[15] H. Wang, “Identity-based distributed provable data possession [31] W. Ding, Z. Yan, and R. H. Deng, “Encrypted data processing
in multi-cloud storage,” IEEE Transactions on Services Comput- with Homomorphic Re-Encryption,” Information Sciences, vol.
ing, vol. 8, no. 2, pp. 328–340, 2015. 409-410, pp. 35–55, 2017.
[16] Z. Brakerski and V. Vaikuntanathan, “Efficient fully homo- [32] X. Liu, R. H. Deng, W. DIng, R. Lu, and B. Qin, “Privacy-pre-
morphic encryption from (standard) LWE,” Foundations of serving outsourced calculation on floating point numbers,”
Computer Science IEEE, vol. 2011, pp. 97–106, 2011. IEEE Transactions on Information Forensics and Security, vol. 11,
[17] N. Smart and F. Vercauteren, “Fully Homomorphic Encryption no. 11, pp. 2513–2527, 2017.
with Relatively Small Key and Ciphertext Sizes,” in Proceedings [33] Z. Yan, W. Ding, V. Niemi, and A. V. Vasilakos, “Two schemes
of the International Conference on Practice and Theory in Public of privacy-preserving trust evaluation,” Future Generation Com-
Key Cryptography Springer-Verlag, vol. 6056, pp. 420–443, 2010. puter Systems, vol. 62, pp. 175–189, 2015.
[18] Y. n. Doröz, Y. Hu, and B. Sunar, “Homomorphic AES eval- [34] A. Peter, E. Tews, and S. Katzenbeisser, “Efficiently outsourcing
uation using the modified LTV scheme,” Designs, Codes and multiparty computation under multiple keys,” IEEE Transac-
Cryptography. An International Journal, vol. 80, no. 2, pp. 333– tions on Information Forensics and Security, vol. 8, no. 12, pp.
358, 2016. 2046–2058, 2013.
[19] J. H. Cheon, J.-S. Coron, J. Kim et al., “Batch fully homomorphic [35] R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakr-
encryption over the integers,” in Proceedings of the Advances in ishnan, “CryptDB: Protecting confidentiality with encrypted
Cryptology-EUROCRYPT 2013, vol. 7881, pp. 315–335, Springer, query processing,” in Proceedings of the 23rd ACM Symposium
New York, NY, USA, 2013. on Operating Systems Principles, SOSP 2011, pp. 85–100, prt,
[20] X. Cao, C. Moore, M. O’Neill, E. O’Sullivan, and N. Hanley, October 2011.
“Optimised multiplication architectures for accelerating fully [36] W. K. Wong, B. Kao, D. W. L. Cheung, R. Li, and S. M.
homomorphic encryption,” Institute of Electrical and Electronics Yiu, “Secure query processing with data interoperability in a
Engineers. Transactions on Computers, vol. 65, no. 9, pp. 2794– cloud database environment,” in Proceedings of the 2014 ACM
2806, 2016. SIGMOD International Conference on Management of Data,
[21] J. H. Cheon and D. Stehl’E, “Fully homomophic encryption over SIGMOD 2014, pp. 1395–1406, June 2014.
the integers revisited,” in Advances in Cryptology-EUROCRYPT [37] D. Liu, Homomorphic Encryption for Database Querying:Aus-
2015, vol. 9056, pp. 513–536, Springer, New York, NY, USA, 2015. tralian, WO/2013/188929, 2013.
[22] L. Xiao, I.-L. Yen, and D. T. Huynh, “A note for the ideal order- [38] F. D. McSherry, “Privacy integrated queries: an extensible plat-
preserving encryption object and generalized order-preserving form for privacy-preserving data analysis,” in Proceedings of the
encryption,” in IACR Cryptology Eprint Archive, 2012. 35th SIGMOD international conference on Management of data,
[23] A. Boldyreva, N. Chenette, and A. O’Neill, “Order-preserving SIGMOD’09, pp. 19–30, Providence, Rhode Island, USA, June
encryption revisited: improved security analysis and alternative 2009.
solutions,” in Proceedings of the 31st annual conference on [39] J. H. Silverman, “Cryptography and lattices,” in Lecture Notes
Advances in cryptology, vol. 6841, pp. 578–595, Springer-Verlag, in Computer Science, vol. 2146 of chapter Approximate Integer
2011. Common Divisors, pp. 51–66, 2001.
[24] R. A. Popa, F. H. Li, and N. Zeldovich, “An ideal-security proto- [40] H. Cohn and N. Heninger, “Approximate common divisors via
col for order-preserving encoding,” in Proceedings of the 34th lattices,” in IACR Cryptology Eprint Archive, 2011.
IEEE Symposium on Security and Privacy, SP 2013, pp. 463–477,
May 2013.
[25] H. Hacigümüş, B. Iyer, C. Li, and S. Mehrotra, “Executing SQL
over encrypted data in the database-service-provider model,” in
Proceedings of the ACM SIGMOD International Conference on
Management of Data (SIGMOD ’02), pp. 216–227, New York, NY,
USA, June 2002.
[26] R. Popa, N. Zeldovich, and H. Balakrishnan, “CryptDB: A
Practical Encrypted Relational DBMS,” Tech. Rep. MIT-CSAIL-
TR-2011-005, MIT, 2011.
[27] J. Li, Z. Liu, X. Chen, F. Xhafa, X. Tan, and D. S. Wong, “L-
EncDB: A lightweight framework for privacy-preserving data
queries in cloud computing,” Knowledge-Based Systems, vol. 79,
pp. 18–26, 2015.
[28] Z. Yang, S. Zhong, and R. Wright, “Privacy-preserving queries
on encrypted data,” in Proceedings of the Computer Security
CESORICS, pp. 479–495, 2006.
[29] B. Hore, S. Mehrotra, and G. Tsudik, “A privacypreserving index
for range queries,” in Proceedings of the Thirtieth International
Conference on Very Large Data Bases, VLDB’04, vol. 30, pp. 720–
731, 2004.
[30] K. Xue, S. Li, J. Hong, Y. Xue, N. Yu, and P. Hong, “Two-Cloud
Secure Database for Numeric-Related SQL Range Queries with
International Journal of
Rotating Advances in
Machinery Multimedia
The Scientific
Engineering
Journal of
Journal of
Hindawi
World Journal
Hindawi Publishing Corporation Hindawi
Sensors
Hindawi Hindawi
www.hindawi.com Volume 2018 http://www.hindawi.com
www.hindawi.com Volume 2018
2013 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018
Journal of
Control Science
and Engineering
Advances in
Civil Engineering
Hindawi Hindawi
www.hindawi.com Volume 2018 www.hindawi.com Volume 2018
Journal of
Journal of Electrical and Computer
Robotics
Hindawi
Engineering
Hindawi
www.hindawi.com Volume 2018 www.hindawi.com Volume 2018
VLSI Design
Advances in
OptoElectronics
International Journal of
International Journal of
Modelling &
Simulation
Aerospace
Hindawi Volume 2018
Navigation and
Observation
Hindawi
www.hindawi.com Volume 2018
in Engineering
Hindawi
www.hindawi.com Volume 2018
Engineering
Hindawi
www.hindawi.com Volume 2018
Hindawi
www.hindawi.com www.hindawi.com Volume 2018
International Journal of
International Journal of Antennas and Active and Passive Advances in
Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration
Hindawi Hindawi Hindawi Hindawi Hindawi
www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018