TY - JOUR
T1 - Delegatable Order-Revealing Encryption for Reliable Cross-Database Query
AU - Hahn, Changhee
AU - Hur, Junbeom
N1 - Publisher Copyright: © 2008-2012 IEEE.
PY - 2023/5/1
Y1 - 2023/5/1
N2 - Cloud service providers adopt pay-per-query pricing models to charge data owners based on the amount of data scanned by each query. In such models, the trustworthiness of the underlying billing system is as important as the privacy preservation for the data and queries. In this paper, we revisit delegatable order-revealing encryption (DORE), a range query algorithm allowing authorized users to retrieve data of specific ranges across multiple databases encrypted under different secret keys. We first investigate which factor in the authorization mechanism of DORE can lead to overprivileged users and let them allow any unauthorized user to query over the database of the victim without risking their credits, such as leaking the secret keys. Unfortunately, such unauthorized queries would incur unexpected financial damage to the victim in practical pay-per-query models. We then propose SEDORE, a secure order-revealing encryption scheme with resilience to unauthorized queries across databases. SEDORE features a novel user authorization mechanism limiting user privileges carefully. Consequently, the authorized users cannot illegally invite any unauthorized user to query unless they entirely leak their credits. We demonstrate that the performance of SEDORE is comparable to that of DORE while achieving a higher security level.
KW - Range query
KW - cross-database query
KW - delegation
KW - encrypted database
KW - order-revealing encryption
UR - http://www.scopus.com/inward/record.url?scp=85135212347&partnerID=8YFLogxK
U2 - 10.1109/TSC.2022.3192551
DO - 10.1109/TSC.2022.3192551
M3 - Article
AN - SCOPUS:85135212347
SN - 1939-1374
VL - 16
SP - 1763
EP - 1777
JO - IEEE Transactions on Services Computing
JF - IEEE Transactions on Services Computing
IS - 3
ER -