Secure Storage and Fuzzy Query over Encrypted ... - Springer Link

Secure Storage and Fuzzy Query over Encrypted Databases

Zheli Liu¹, Haoyu Ma¹, Jin Li², Chunfu Jia¹,*, Jingwei Li¹, and Ke Yuan¹

¹ College of Information Technical Science, Nankai University
{liuzheli,hyma,cfjia,lijw,keyuan}@nankai.edu.cn
² School of Computer Science, Guangzhou University
[email protected]

Abstract. Database outsourcing has attracted much attention recently due to the emergence of cloud computing. However, two problems remain: 1) how to encipher and protect sensitive information before outsourcing while keeping the database structure, and 2) how to make better use of the database, for example through fuzzy queries over the encrypted information. In this paper we propose a new solution based on format-preserving encryption, which protects the privacy of the sensitive data while keeping the data structure of the encrypted database. We also show how to perform fuzzy queries over such enciphered data. Specifically, our scheme supports fuzzy queries by simply exploiting the internal storage and query mechanisms of the database, so the influence on both the inner relations of databases and the construction of applications is minimized. Evaluation indicates that our scheme can efficiently perform fuzzy queries on an encrypted database.

1 Introduction

In recent years, the growth of the internet and the rise of cloud computing have made outsourced (or remote) databases a popular choice for applications. Meanwhile, since in practice outsourced databases are considered to be running on untrusted servers, the privacy of data in such databases has become a major concern for network users. An extreme case of the problem is remotely stored sensitive information, since the consequences of leaking such data can be severe. Accordingly, protecting sensitive information in outsourced databases has become a pressing problem.

To encipher databases where massive amounts of data are processed frequently, symmetric ciphers (or block ciphers) are the most obvious choice. However, traditional block ciphers have the following problems: (1) If the length of the plaintext is not a multiple of the cipher's block length, the ciphertext will be longer than the plaintext, which is called ciphertext expansion. (2) All plaintexts, regardless of their types and formats, are simply treated as binary strings, which means that the types and formats of ciphertexts are uncontrollable.

* Corresponding author.

J. Lopez, X. Huang, and R. Sandhu (Eds.): NSS 2013, LNCS 7873, pp. 439–450, 2013. © Springer-Verlag Berlin Heidelberg 2013


As a result, applying such block ciphers requires changing either the innards of databases or the basic structure of applications (which comes at tremendous cost). Otherwise, the enciphered data cannot be stored properly. Enciphering also disrupts characteristics of the original data, so many common database operations such as SQL queries, data sorting, statistical analysis and data collection can no longer be performed. This makes database encryption a disaster for system design, since anything that involves these database operations cannot work. Conversely, when availability must be ensured, this problem becomes a main restriction on providing systematic protection for sensitive information.

Related works. The notion of format-preserving encryption (FPE) [4] was proposed to design block ciphers whose output fits the requirements of different applications such as databases. Black and Rogaway (2002) formalized the FPE problem and proposed three basic methods for implementing such a cipher [7]. Several FPE schemes [5, 18, 21, 22, 28] with provable security have been presented in the last decade, such as FFSEM, Thorp Shuffle, FFX mode and Swap-or-not. The idea of FPE is to encipher target data without disrupting their format, which makes it a promising solution for protecting sensitive information in databases.

Table 1. A brief summary on the existing cryptographic methods of supporting queries over enciphered data in database

method                   requires index   supports exact query   supports fuzzy query
Hacigumus et al. [16]    Yes              Yes                    No
Amanatidis et al. [2]    No               Yes                    No
Bao et al. [3]           Yes              Yes                    No
Evdokimov et al. [13]    No               Yes                    No
Ge et al. [14]           Yes              Yes                    No
Wang et al. [32]         No               Yes                    Partial
Yang et al. [34]         Yes              Yes                    No
Raluca et al. [26]       Yes              Yes                    Partial

On the other hand, several cryptographic tools have also been developed to provide solutions for operating on encrypted databases, such as order-preserving encryption for sorting enciphered data [1, 8] and homomorphic encryption for performing arbitrary function computations [12, 15]. Specifically, researchers have developed schemes for searching keywords over encrypted data [9, 11, 27] and processing queries on encrypted databases [2, 3, 13, 14, 16, 26, 32, 34]. Although these works provide some methods to solve the outsourced database problem, as shown in Table 1, they are impractical: (1) the methods from [2], [13] and [32] work without changing the innards of databases; however, [2] and [13] provide only equality comparisons, while [32] can only obtain a coarse result from fuzzy querying over enciphered data, and precise matching still needs to be done over deciphered data; (2) the symmetric searchable encryption methods (such as [9, 11, 20, 27, 29–31]) require the data storage servers to be capable of performing test operations for querying, so they are impractical for databases where such operations are not supported; (3) other methods need to change the innards of databases, because indexes on the data must be maintained at the server, and fuzzy queries are still not supported.

Sensitive information (e.g. name, ID, account, password, e-mail and address) exists in the form of character data and is usually required to be queryable, so how to perform SQL queries (especially fuzzy queries, due to their practical utility) on enciphered character data is a critical problem in designing protection mechanisms for such information. Although many existing works have been proposed, as mentioned, they are still insufficient to support such complex queries in a practical and efficient way.

Our contributions. In this paper, we propose a secure system model for outsourced databases by introducing the cryptographic notions of FPE and universal hashing. We also show how to support fuzzy queries over the enciphered data. Unlike existing work, the proposed model is database-independent since: (1) we exploit FPE to ensure that encipherment does not change the format of data; (2) we maintain the auxiliary information for searching enciphered data by adding extra fields to the database instead of making more fundamental modifications; (3) it supports fuzzy queries on the basis of the database's internal query mechanism.

We propose a scheme for the proposed model. The scheme supports fuzzy queries on the enciphered data by transforming the SQL statements that search for patterns of the data. It generates a keyword for each character and forms keyword strings of the same length as the corresponding data, so it performs a fuzzy query at a cost of O(n) AES invocations, with negligible redundancy in the query results. In general the scheme is practically secure, although there is a potential for leaking the semantic structure of the enciphered data.

2 System Model

2.1 Our Model

Our system model provides secure modules for the application, which handle the security-related processes: enciphering, deciphering and what we call query interpretation. The purpose is to implement secure storage and basic queries (specifically, exact queries and fuzzy queries) over sensitive information, without deciphering data in advance and without changing either the inner relations of existing databases or the construction of application systems. For each encrypted data field in a database, an extra keyword field is added to hold the corresponding keyword strings.

Our model consists of two secure modules. One is the enciphering/deciphering module, which handles data storage to the database (enciphering) and responses to queries from the applications (deciphering). On enciphering, the module takes string data from the application, then generates its keyword string so that all substrings of the data can be represented using the keywords. After that, the module enciphers the data, and stores the ciphertext in the target field of the database and the keyword string in the corresponding keyword field. The deciphering part is simpler: when the module receives encrypted records from the database as the result of a query, it directly deciphers the data in the records and sends them to the application.

The other is the query interpretation module, which translates queries into queries on the encrypted data. Using the same method as the former module, it transforms terms in the original query into combinations of keywords, and generates a new query in which these combinations are used as terms and which searches for matches on the keyword field instead of directly on the data.

[Figure 1 labels: Application; Security Modules (Enciphering, Query interpretation, Deciphering); Database with a data field holding ciphertext and a keyword field holding the keyword string]

Fig. 1. System model of secure storage and fuzzy query over encrypted database

Implementation requirements. The main purpose of the proposed model is to support fuzzy queries on encrypted databases. In practice, certain requirements need to be emphasized: 1) To exploit the query mechanism of the database itself in performing secure fuzzy queries, the keyword strings generated for the enciphered data must be stored in nvarchar fields. 2) To minimize the storage burden on databases, the keyword strings should not be too long (expected to be less than 512 characters).

Advantages. Overall, the proposed model has the following advantages over existing work: (1) It stands independently: neither the encipher/decipher process nor the query interpretation process needs any specific structural support from the target databases. Thus it is considered to be database-independent. (2) Since adding a new field to a database does not affect its original construction, the proposed model can be applied in reforming existing databases without making any fundamental modification, which significantly reduces the reform cost. This makes it highly practical.

2.2 Security Notions

First, the challenge scenario of the problem should be declared. In this paper, the enciphered data and the keyword strings are assumed to be stored in the same unprotected database (that is, on an untrusted server), where the adversary is assumed to be fully authorized to access any data. Therefore, no auxiliary protection is expected from any part of the system other than our model. As mentioned above, unprotected data never appears in the communication between the security modules and the database. In other words, even if an adversary breaks into the database and observes communications between the database and the middleware, it learns nothing but enciphered information. Therefore, an adversary can only perform a ciphertext-only attack. This means that traditional attack modes on symmetric ciphers, such as the known-plaintext attack (KPA), chosen-plaintext attack (CPA) and chosen-ciphertext attack (CCA), have no practical meaning against this model.

However, in a well-known work on cryptographic schemes for querying enciphered data, Song et al. defined a few useful security notions for this scenario [27]: (1) Query isolation, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; (2) Controlled searching, meaning that the untrusted server cannot search for an arbitrary word without the user's authorization; (3) Hidden queries, meaning that the user may ask the untrusted server to search for a secret word without revealing the word to the server. The above notions are used in describing the security of our scheme.

3 Technical Preliminaries

3.1 Format-Preserving Encryption

We will first give a review of the classical definition of FPE [4], which is described as follows:

Definition 1 (FPE). A format-preserving encryption scheme is a function

$$F : \mathcal{K} \times \mathcal{N} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X} \times \{\bot\}, \tag{1}$$

where $\bot \notin \mathcal{X}$, and the nonempty sets $\mathcal{K}$, $\mathcal{N}$, $\mathcal{T}$, $\mathcal{X}$ are respectively called the key space, format space, tweak space and domain.

3.2 Universal Hash Function

Universal hash functions (UHFs), first introduced by Carter and Wegman [10, 33], can be described as follows:

Definition 2 (UHF-1). Let $M$, $K$ and $b$ be the bit lengths of the message, the key and the output, and denote $R = \{0,1\}^K$, $X = \{0,1\}^M$ and $Y = \{0,1\}^b$. A universal hash function, denoted $h(k, m)$, is then described as a function

$$F_{uh} : R \times X \to Y \tag{2}$$

for any $k \in R$ and $m \in X$.

Normally, the requirement of a UHF is that for any pair of distinct messages $m, m' \in X$, the probability of the collision $h(k, m) = h(k, m')$ is small when the key $k$ is randomly chosen from $R$, described as:

Definition 3 (UHF-2). An $\epsilon_d$-balanced and $\epsilon_c$-almost universal hash function $F_{uh} : R \times X \to Y$ satisfies

$$\begin{cases} \forall\, m \in X \setminus \{0\},\ y \in Y : \Pr_{k \in R}[h(k, m) = y] \le \epsilon_d \\ \forall\, m, m' \in X\ (m \ne m') : \Pr_{k \in R}[h(k, m) = h(k, m')] \le \epsilon_c \end{cases} \tag{3}$$

3.3 Notations

Throughout the rest of the paper, let $Chars$ be the set of all possible characters, and $Chars^*$ be the set of character strings over $Chars$ of any length. Given any two character strings $A, B \in Chars^*$, denote $A \| B$ as their concatenation, therefore $\forall X \in Chars^* \Leftrightarrow X = x_1 \| x_2 \| \cdots \| x_i \| \cdots \| x_*$, $x_i \in Chars$. Since fuzzy query is involved in our model, denote "%" as the wildcard used in the queries, which is also treated as a character. Moreover, given secret keys $k_1 \in KS_1$, $k_2 \in KS_2$, $k_3 \in KS_3$, where $KS_1$, $KS_2$, $KS_3$ are key spaces, we define the following functions:

– $E_{k_1}(\cdot)$ and $E'_{k_1}(\cdot)$ denote FPE schemes for character strings, which take in a character string and return an enciphered string of the same length and size.
– $H_{k_2}(\cdot)$ denotes a short-output UHF, which takes in a fixed-length (say $n$-bit) binary string and returns a 2-byte digest. In correspondence to function $H$, we let $DIG$ be the set of all possible digests.
– $P_{k_3}(\{\cdot\})$ denotes a key-based pseudo-random permutation (or PRP) on an arbitrary set.
– $Exp(\cdot)$ denotes a string expansion function, which expands any $l$-bit binary string $\mu$ ($l \le n$) into an $n$-bit binary string by

$$Exp(\mu) \leftarrow \mu \,\|\, \underbrace{11 \cdots 1}_{n-l\ \text{bits}}. \tag{4}$$

– $Ksg(\cdot)$ denotes a keyword generator, which takes a digest generated by $H$ and transforms it into a Unicode character (a keyword). Each distinct 2-byte digest is represented with a unique character by $Ksg(\cdot)$.

Finally, for concision, we denote $DATA$ as the data field in the database for storing enciphered character strings, and $KeyW$ as the keyword field, where the keyword strings of the data in $DATA$ are kept.

4 Practical Scheme for Our Model

In this section, we give a detailed scheme for the proposed model.

[Figure 2 labels: character string; four characters, each passing through Exp, H, Ksg and E′ to give a keyword; the keywords form the keyword string (KeyW); E maps the character string to the ciphertext string (DATA)]

Fig. 2. Demonstration of storage procedure (given a character string of 4 characters)

4.1 Our Scheme

Since the system model consists of two modules, our scheme is described by a storage procedure and a querying procedure.

Storage procedure. As demonstrated in Figure 2, for a character string $D = d_1 \| d_2 \| \cdots \| d_n$, the storage procedure includes a keyword generation process (denoted $KG_A$) and an enciphering process (denoted $EncA$), respectively described as:

Definition 4 ($KG_A$). Given secret keys $k_1$ and $k_2$, the keyword generator $KG_A$ sets $D$'s keywords by

$$KG_A(D, k_1, k_2) = \{ka_1, ka_2, \ldots, ka_n\}, \tag{5}$$

where

$$\forall\, 1 \le i \le n, \quad ka_i \leftarrow E'_{k_1}(Ksg(H_{k_2}(Exp(d_i)))). \tag{6}$$

Definition 5 ($EncA$). Given FPE schemes $E_{k_1}(\cdot)$ and $E'_{k_1}(\cdot)$ and master key $k_m = k_1 \| k_2$, for plaintext $D$, the enciphering process of scheme A is described as:

$$(D', KW_D) \leftarrow EncA_{k_m}(D), \tag{7}$$

where

$$\begin{cases} D' \leftarrow E_{k_1}(D) \\ KW_D = ka_1 \| \cdots \| ka_n, \quad ka_* \in KG_A(D, k_1, k_2). \end{cases} \tag{8}$$

After the above processes, the scheme inserts/updates a record in the database, where the value of $DATA$ is $D$'s ciphertext $D'$, and the value of $KeyW$ is the keyword string $KW_D$.

Fuzzy query procedure. It is supposed that applications know that enciphered data are stored in $DATA$, but can still only search for unencrypted patterns with statements described in section 3.3. Let the data aimed at by the searched pattern be $SeD = sd_1 \| \cdots \| sd_t$, $sd_* \in Chars$. Assume the pattern is:

$$\begin{cases} keyw_1 = sd_1 \| \cdots \| sd_{i_1} \\ keyw_2 = sd_{i_2} \| \cdots \| sd_{i_3} \\ keyw_3 = sd_{i_4} \| \cdots \| sd_n \end{cases} \qquad 1 \le i_1 < i_2 < i_3 < i_4 \le n, \tag{9}$$

the query interpretation module will extract the terms, and generate their corresponding keyword strings by:

$$\begin{cases} keyw'_1 \leftarrow ka_1 \| \cdots \| ka_{i_1} \\ keyw'_2 \leftarrow ka_{i_2} \| \cdots \| ka_{i_3} \\ keyw'_3 \leftarrow ka_{i_4} \| \cdots \| ka_n \end{cases} \tag{10}$$

where $ka_* \in KG_A(SeD)$. After that, the module interprets the original query sentence into

select ∗ from Table where KeyW like ‘$keyw'_1$%$keyw'_2$%$keyw'_3$’

which is able to find $D'$ (as mentioned above, the ciphertext of $D$) from $DATA$, while both $DATA$ and $KeyW$ remain enciphered during the procedure. The result is handed to the deciphering module of the model, which recovers $D$ and sends it to the applications.
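The storage and fuzzy query procedures above, carried through end to end as an added example (not code from the paper). All names, keys and sample rows are constructed; truncated HMAC-SHA256 stands in for the short-output UHF, a toy 16-bit Feistel permutation stands in for E′, keywords are mapped to code points from U+10000 upward, an SQLite TEXT column stands in for the nvarchar keyword field, and the data cipher E with its DATA field is left out.

```python
import hashlib
import hmac
import sqlite3

N_BYTES = 4              # n = 32 bits: any UTF-8 encoded character fits (l <= n)
KEYWORD_BASE = 0x10000   # assumed keyword alphabet: 65536 code points from U+10000
K1 = b"constructed demo key k1"    # sample keys, constructed for this example
K2 = b"constructed demo key k2"
ROWS = [(1, "alice@example.com"),  # constructed sample records
        (2, "bob@example.org"),
        (3, "alina@corp.example.com")]


def exp(ch):
    """Exp: append 1-bits to the l-bit encoding of one character, up to n bits."""
    raw = ch.encode("utf-8")
    return raw + b"\xff" * (N_BYTES - len(raw))


def h(k2, block):
    """H_k2: 2-byte keyed digest; truncated HMAC-SHA256 stands in for the UHF."""
    return hmac.new(k2, block, hashlib.sha256).digest()[:2]


def ksg(digest):
    """Ksg: one distinct Unicode character per 2-byte digest, never '%' or '_'."""
    return chr(KEYWORD_BASE + int.from_bytes(digest, "big"))


def e_prime(k1, keyword, rounds=8):
    """E'_k1: toy format-preserving cipher on one keyword character, built as a
    balanced Feistel permutation of its 16-bit index (stand-in for a real FPE)."""
    v = ord(keyword) - KEYWORD_BASE
    left, right = v >> 8, v & 0xFF
    for r in range(rounds):
        f = hmac.new(k1, bytes([r, right]), hashlib.sha256).digest()[0]
        left, right = right, left ^ f
    return chr(KEYWORD_BASE + ((left << 8) | right))


def keyword_string(text, k1, k2):
    """KG_A / KW_D: ka_i = E'_k1(Ksg(H_k2(Exp(d_i)))), concatenated in order."""
    return "".join(e_prime(k1, ksg(h(k2, exp(ch)))) for ch in text)


def interpret_query(pattern, k1, k2):
    """Rewrite a plaintext LIKE pattern into one over KeyW; '%' stays a wildcard."""
    return "%".join(keyword_string(term, k1, k2) for term in pattern.split("%"))


def build_table(rows, k1, k2):
    """Store only what the server would see of the keyword field."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T (id INTEGER PRIMARY KEY, KeyW TEXT)")
    conn.executemany("INSERT INTO T (id, KeyW) VALUES (?, ?)",
                     [(i, keyword_string(v, k1, k2)) for i, v in rows])
    return conn


def fuzzy_search(conn, pattern, k1, k2):
    """Run the interpreted query; the database never sees the plaintext terms."""
    cur = conn.execute("SELECT id FROM T WHERE KeyW LIKE ? ORDER BY id",
                       (interpret_query(pattern, k1, k2),))
    return [row[0] for row in cur]


def repeat_shape(s):
    """Position of each symbol's first occurrence: the structure that equal
    keywords expose to anyone who can read KeyW."""
    first = {}
    return [first.setdefault(c, i) for i, c in enumerate(s)]


if __name__ == "__main__":
    db = build_table(ROWS, K1, K2)
    print(fuzzy_search(db, "ali%example%com", K1, K2))
    print(fuzzy_search(db, "%@example%", K1, K2))
    kw = keyword_string(ROWS[0][1], K1, K2)
    print(repeat_shape(kw) == repeat_shape(ROWS[0][1]))
```

Barring a 16-bit digest collision, `repeat_shape` gives the same list for a plaintext and its keyword string, which is the equal-keyword leakage that the Remark in the security analysis weighs against query efficiency.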

4.2 Security Analysis

In consideration of provable security, we suggest using existing FPE and UHF schemes in our model. Options for FPE schemes include FFX [5] and generalized numeric Feistel [19], since the security bounds of such structures have already been proved to be strong [24, 25]. Different FPE schemes are required for enciphering data and keywords respectively. Besides the reason that schemes like FFX cannot work on single characters, such a deployment also increases the security of the scheme. For the UHF, several short-output schemes, such as MMH [17], NH [6] and digest() [23], are available, whose main properties are given in Table 2.

Table 2. A summary on the main properties of digest(), MMH and NH

Scheme     Key length   $\epsilon_c$        $\epsilon_d$   Output length
MMH        $M$          $6 \times 2^{-b}$   $2^{2-b}$      $b$
NH         $M$          $2^{-b}$            $2^{-b}$       $2b$
digest()   $M + b$      $2^{1-b}$           $2^{-b}$       $b$

Cryptographically, the ciphertext and the keyword string of a data item are generated in two independent procedures. Although the same key $k_1$ is shared, the FPE schemes in the two procedures are completely different. Additionally, due to the UHF invoked in generating keywords, given the ciphertext and the keyword string, the adversary cannot learn anything about the plaintext, or the relation between the keywords and the ciphertext. That is, the security of enciphered data can be reduced to that of the FPE schemes $E_{k_1}(\cdot)$, $E'_{k_1}(\cdot)$, and that of the UHF $H_{k_2}(\cdot)$. Specifically, our scheme

– provides query isolation for searches, since the untrusted server can only get access to the ciphertexts and the keyword strings of data;
– provides controlled searching: the untrusted server is free to search for any keyword or ciphertext, but it is unable to locate a record with a query that searches for unprotected data;
– provides hidden queries, since the scheme queries in an implied way (using keywords), so unprotected data never appears in such queries.

Remark. In this scheme, the same keyword will be encrypted to the same character (required by its correctness). Therefore, the keyword strings could leak semantic information of the corresponding data. In this case, the adversary can perform a frequency attack. However, the frequency attack relies on the experience of the adversary and the statistical validity of character frequencies. Consider the following two practical aspects:

– Different kinds of sensitive information (for example, postal codes in different countries, mailing addresses in different countries, etc.) may lead to different statistical distributions.
– It is difficult to perform a frequency attack when the character set is large, because character frequency statistics become hard to gather. For example, the number of characters in GBK is 21886, which is much bigger than that of ASCII.

Therefore, considering the tradeoff between efficiency and security, we believe that the scheme provides enough security for the practical characteristic of supporting fuzzy query efficiently.

4.3 Performance Evaluation

First of all, it is easy to see that compared with the storage procedure, the query procedure of our scheme works much faster, so we will mainly analyze the efficiency of the scheme's storage procedure. Based on the construction, the time cost lies mainly in the functions $E_{k_1}(\cdot)$, $E'_{k_1}(\cdot)$, $H_{k_2}(\cdot)$ and $P_{k_3}(\{\cdot\})$. Consider the following implementation:

– Use the FFX mode as $E_{k_1}(\cdot)$, and the unbalanced numeric Feistel as $E'_{k_1}(\cdot)$, where in each Feistel round constructed from CBC-MAC, AES is invoked 2 times (for security, 6 or more rounds are suggested for both schemes);
– Use any of MMH, NH or digest() as $H_{k_2}(\cdot)$;
– Implement $P_{k_3}(\{\cdot\})$ with the AES-based Prefix method (given in [7]), where for each member of the input set, AES is invoked once.

Since the short-output UHFs available for $H_{k_2}(\cdot)$ are all multiplicative universal hashing in nature, where only addition, multiplication and modular addition for short integers (those that can be represented using short or int) are involved, the time cost of $H_{k_2}(\cdot)$ is negligible compared to the other functions, where a block cipher is involved in each round. Suppose both $E_{k_1}(\cdot)$ and $E'_{k_1}(\cdot)$ have 6 rounds. Since enciphering a character string of length $n$ needs $n + 1$ FPE operations, our scheme invokes AES $12(n + 1)$ times. Therefore, given the length $n$ of a character string, our scheme is able to encipher it in a searchable way with $O(n)$ AES operations.

5 Conclusion

To protect sensitive information in outsourced databases, we proposed a new model for secure storage on databases, as well as fuzzy query over enciphered data. FPE and UHF were applied in the model for enciphering and keyword generation, while the internal storage and query mechanisms provided by the database itself are also fully exploited. The model provides an original solution for data enciphering that supports both format-preserving structure and keyword search. Moreover, we proposed one practical scheme. Analysis indicated that our scheme is secure under the proposed model. Performance evaluation showed that our scheme is efficient and practical.

Acknowledgements. This work is supported by the National Natural Science Foundation of China (Nos. 60973141 and 61272423), National Key Basic Research Program of China (No. 2013CB834204), Fundamental Research Funds for the Central Universities, Specialized Research Fund for the Doctoral Program of Higher Education of China (Nos. 20100031110030 and 20120031120036), and Funds of Key Lab of Fujian Province University Network Security and Cryptology (No. 2011004).

References

1. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Order preserving encryption for numeric data. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, pp. 563–574. ACM (2004)
2. Amanatidis, G., Boldyreva, A., O'Neill, A.: Provably-secure schemes for basic query support in outsourced databases. In: Barker, S., Ahn, G.-J. (eds.) Data and Applications Security 2007. LNCS, vol. 4602, pp. 14–30. Springer, Heidelberg (2007)
3. Bao, F., Deng, R.H., Ding, X., Yang, Y.: Private query on encrypted data in multiuser settings. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 71–85. Springer, Heidelberg (2008)
4. Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009)
5. Bellare, M., Rogaway, P., Spies, T.: The ffx mode of operation for format-preserving encryption, NIST submission (February 2010)
6. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999)
7. Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002)
8. Boldyreva, A., Chenette, N., Lee, Y., O'Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009)
9. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007)
10. Carter, J., Wegman, M.N.: Universal classes of hash functions. Journal of Computer and System Sciences 18(2), 143–154 (1979)
11. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: Improved definitions and efficient constructions. Journal of Computer Security 19(5), 895–934 (2011)
12. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
13. Evdokimov, S., Günther, O.: Encryption techniques for secure database outsourcing. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 327–342. Springer, Heidelberg (2007)
14. Ge, T., Zdonik, S.: Fast, secure encryption for indexing in a column-oriented dbms. In: IEEE 23rd International Conference on Data Engineering, pp. 327–342. IEEE (2007)
15. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pp. 169–178. ACM (2009)
16. Hakan, H., Bala, L., Chen, L., Sharad, M.: Executing sql over encrypted data in the database-service-provider model. In: Proceedings of the 2002 ACM SIGMOD International Conference on Management of Data, pp. 216–227. ACM (2002)
17. Halevi, S., Krawczyk, H.: MMH: Software message authentication in the gbit/Second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997)
18. Hoang, V.T., Morris, B., Rogaway, P.: An enciphering scheme based on a card shuffle. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 1–13. Springer, Heidelberg (2012)
19. Hoang, V.T., Rogaway, P.: On generalized feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010)
20. Li, J., Wang, Q., Wang, C., Cao, N., Ren, K., Lou, W.: Fuzzy keyword search over encrypted data in cloud computing. In: 2010 IEEE INFOCOM, pp. 1–5. IEEE (2010)
21. Li, M., Liu, Z., Li, J., Jia, C.: Format-preserving encryption for character data. Journal of Networks 7(8), 1239–1244 (2012)
22. Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain: Deterministic encryption and the thorp shuffle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009)
23. Nguyen, L.H., Roscoe, A.W.: Short-output universal hash functions and their use in fast and secure data authentication. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 326–345. Springer, Heidelberg (2012)
24. Patarin, J.: Luby-rackoff: 7 rounds are enough for $2^{n(1-\varepsilon)}$ security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 513–529. Springer, Heidelberg (2003)
25. Patarin, J.: Security of random feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004)
26. Popa, R.A., Redfield, C.M.S., Zeldovich, N., Balakrishnan, H.: Cryptdb: protecting confidentiality with encrypted query processing. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 85–100. ACM (2011)
27. Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceedings of the 21st IEEE Symposium on Security and Privacy, pp. 44–55. IEEE (2000)
28. Spies, T.: Feistel finite set encryption, NIST submission (February 2008)
29. Wang, C., Cao, N., Li, J., Ren, K., Lou, W.: Secure ranked keyword search over encrypted cloud data. In: IEEE 30th International Conference on Distributed Computing Systems, pp. 253–262. IEEE (2010)
30. Wang, C., Ren, K., Yu, S., Urs, K.: Achieving usable and privacy-assured similarity search over outsourced cloud data. In: 2012 IEEE INFOCOM, pp. 451–459. IEEE (2012)
31. Wang, C., Wang, Q., Ren, K.: Towards secure and effective utilization over encrypted cloud data. In: The 31st International Conference on Distributed Computing Systems Workshops, pp. 282–286. IEEE (2011)
32. Wang, Z.F., Dai, J., Wang, W., Shi, B.L.: Fast query over encrypted character data in database. In: Zhang, J., He, J.-H., Fu, Y. (eds.) CIS 2004. LNCS, vol. 3314, pp. 1027–1033. Springer, Heidelberg (2004)
33. Wegman, M.N., Carter, J.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)
34. Yang, Z., Zhong, S., Wright, R.N.: Privacy-preserving queries on encrypted data. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 479–495. Springer, Heidelberg (2006)
