Strengthening Order Preserving Encryption with Differential Privacy

TL;DR

This paper introduces OP, a novel order-preserving encryption scheme that incorporates differential privacy to mitigate inference attacks, providing formal privacy guarantees while enabling practical range query processing.

Contribution

It is the first to combine differential privacy with order-preserving encryption, enhancing privacy guarantees against inference attacks.

Findings

OP provides a formal differential privacy guarantee for order leakage.

Empirical evaluation shows OP achieves high accuracy in range queries.

OP significantly reduces inference attack success rates.

Abstract

Ciphertexts of an order-preserving encryption (OPE) scheme preserve the order of their corresponding plaintexts. However, OPEs are vulnerable to inference attacks that exploit this preserved order. At another end, differential privacy has become the de-facto standard for achieving data privacy. One of the most attractive properties of DP is that any post-processing (inferential) computation performed on the noisy output of a DP algorithm does not degrade its privacy guarantee. In this paper, we propose a novel differentially private order preserving encryption scheme, OP$\epsilon$. Under OP$\epsilon$, the leakage of order from the ciphertexts is differentially private. As a result, in the least, OP$\epsilon$ ensures a formal guarantee (specifically, a relaxed DP guarantee) even in the face of inference attacks. To the best of our knowledge, this is the first work to combine DP with a property-preserving encryption scheme. We demonstrate OP$\epsilon$'s practical utility in answering range queries via extensive empirical evaluation on four real-world datasets. For instance, OP$\epsilon$ misses only around $4$ in every $10K$ correct records on average for a dataset of size $\sim732K$ with an attribute of domain size $\sim18K$ and $\epsilon= 1$.