A Partially Order-Preserving Index Scheme

It has become advantageous in certain scenarios for a database owner to outsource hosting and management of his database to a third party. This approach is known as database as a service or DAS. However, in the case of highly sensitive data, it may be necessary to protect it even from the third party database administrator. As a result, several methods have been proposed that allow for encryption of the relational data in such a way as to permit some limited set of queries to be executed directly on the encrypted data. Most encryption methods, like hashing techniques, tend to diffuse the data, such that two nearby plaintext values may have completely dissimilar ciphertext values. As a result, performing range queries on the encrypted data is particularly challenging. We here propose a new partially order-preserving indexing scheme that permits efficient range queries on encrypted data. This work is largely derived from prior work done by Agrawal et al. on fully order preserving encryption [1] and work by Hore et al. on a bucketization approach for range queries [2]. Our method resembles the bucketization technique used in [2], but enforces an ordering of the ciphertext buckets that correlates with the ordering of the plaintext buckets. A plaintext value may still end up in one of several buckets (diffusion), but instead of selecting the target buckets randomly, they will be selected based on their proximity to the ciphertext bucket corresponding to the plaintext value. (See section 2) This imposes a partial ordering on the ciphertext values, allowing large range queries to yield fewer false positives than they do in [2], while at the same time preserving some of the privacy lost to the total ordering seen in [1].