Order-Revealing Encryption Scheme with Comparison Token for Cloud Computing

Order-preserving encryption (OPE) is a basic paradigm for the outsourced database where the order of plaintexts is kept in ciphertexts. OPE enables efficient order comparison execution while providing privacy protection. Unfortunately, almost all the previous OPE schemes either require numerous rounds of interactions or reveal more information about the encrypted database (e.g., the most significant bit). Order-revealing encryption (ORE) as a generalization is an encryption scheme where the order of plaintexts can be evaluated by running a comparison algorithm.)erefore, it is desirable to design an efficient ORE scheme which addresses above efficiency and security issues. In this paper, we propose a noninteractive ORE scheme from prefix encoding and Bloom filter techniques.)e proposed scheme is an encryption scheme where a cloud service provider cannot evaluate the order of plaintexts until a comparison token is provided. )e security analysis illustrates that our scheme achieves ideal security with frequency hiding. Furthermore, we illustrate a secure range query scheme through designing an encrypted tree structure named PORE tree from the above ORE scheme.)e PORE tree reveals the order between different nodes and leaves encrypted data items in the same node incomparable even after query execution. Finally, the experimental evaluation shows the high efficiency of the proposed ORE scheme and range query scheme.


Introduction
e rapid development of cloud computing enables resource-constrained data owners to outsource their data storage and computational tasks to a cloud service provider. e outsourced data could be attacked by outside attackers and the cloud service provider, for example, Verizon cloud leak and Equifax data breach. us, sensitive data should be encrypted before outsource, such as CryptDB, CipherCloud, and PRS server. Encryption is a promising approach for protecting sensitive data. However, traditional encryption breaks correlation of plaintexts and brings many difficulties in ordinary services, such as keyword search, numeric operations, and range query. Although some advanced cryptography primitives such as fully homomorphic encryption [1][2][3] and functional encryption [4][5][6] are introduced, the existing schemes are somewhat inefficient.
OPE provides a property that the order of ciphertexts retains that of plaintexts. It has many applications in realworld scenarios, such as in SQL queries [16,[21][22][23], Web applications [24], CRM software [25], and others. e concept of OPE is firstly proposed by Agrawal et al. [14] while without security analysis. As an improvement, Boldyreva et al. [15] introduced a provable OPE scheme called BCLO that provides security models and rigorous analysis from cryptography point. e ideal security of OPE requires that ciphertexts reveal nothing except the order of plaintexts. e BCLO scheme also points out that ideal security is unachievable if an OPE scheme is immutable and stateless. erefore, the BCLO scheme is later shown to leak half of plaintext bits. To enhance security, Popa et al. [16] introduced a mutable OPE scheme named MOPE by leveraging binary tree. e OPE scheme achieves ideal security especially indistinguishability under an order chosen-plaintext attack (IND-OCPA). Unfortunately, the ideally secure scheme [16] requires O(log n)-round of interactions.
Different from previous OPE schemes, Boneh et al. [18] proposed a generalization definition of the order-revealing encryption scheme which reveals the order of plaintexts. Due to the heavy computation burden of multilinear maps, the scheme [18] is impractical and remains a theoretical result for most applications. Chenette et al. [26] introduced a practical ORE scheme called CLWW that sacrifices the index of first different bit. Lewi and Wu [27] designed an ORE scheme named Lewi-Wu ORE that makes a trade-off between efficiency and security. But, the scheme [27] scales linearly with the size of domain space and reveals the index of first different block. As security improvement, Cash et al. [19] proposed a parameter-hiding order-revealing encryption by using asymmetric bilinear map to construct property-preserving hash (PPH) as the heart of the scheme. Unfortunately, the parameter-hiding ORE has a heavy computation burden and is vulnerable to frequency attacks.

Our Contributions.
In this work, we focus on the construction of the order-revealing encryption scheme over the encrypted database system in cloud computing. e main contributions are as follows: (i) We introduce a noninteractive ORE scheme over the encrypted database by leveraging Bloom filter and prefix encoding technologies. e security analysis demonstrates that our ORE scheme achieves ideal security and also hides frequency information of data items. (ii) e introduced ORE scheme leaves encrypted data items incomparable until a comparison provided. Since the encrypted data items are incomparable, our ORE scheme can resist file-injection attacks [28]. (iii) We further present its application in secure range query on an encrypted database. Specifically, data items are stored in a tree structure (e.g., B-tree) to enhance search efficiency. We apply the introduced ORE scheme to encrypt the data items in the tree node and thus construct an encrypted tree, which is referred as PORE tree. (iv) e presented PORE tree reveals order relation between different tree nodes and leaves encrypted data items in same node incomparable even after query execution.
is paper is an extended and enhanced version of the conference paper presented at ISPEC 2018 [17]. Compared with the conference version, we design a new ORE scheme which achieves ideal security with frequency hiding as an enhanced security of conference version with leakage function. e detailed description is depicted in Section 4. Furthermore, we modify the stored contents of PORE tree in Section 5. e proposed PORE tree achieves better security and efficiency. Moreover, formal security definition is presented in Section 3.2, and revised analysis according to the improved ORE scheme is introduced in Section 6. Finally, we add the experimental evaluation to evaluate the performance of MOPE [16], Lewi-Wu ORE [27], and our ORE scheme in Section 7.

Related Work.
Order comparison [29] is one of the most popular operation in database-as-a-service (DaaS). In order to protect sensitive data, encryption is introduced as a prevailing consensus method. Numerous researchers have studied the problem of designing a secure and efficient encryption scheme which allows untrusted cloud servers to perform order comparison operation over ciphertexts. Due to heavy computation time and ciphertext size, fully homomorphic encryption and functional encryption are still impractical to handle order comparison [1,2,30]. erefore, practical OPE schemes have proposed in the past few years [14][15][16]31].
Agrawal et al. [14] formalized the definition of orderpreserving encryption and designed an OPE scheme. It transforms plaintexts into ciphertexts which retain the order and follow a target distribution provided by the client. In [14], the authors gave no security analysis and their scheme only applies for the static system. As an improvement, Boldyreva et al. [15] proposed the ideal security definition and further proved that an OPE scheme with immutable and stateless is impossible to achieve ideal security. e illustrated BCLO scheme in [15] is indistinguishable from a ROPF and later shows that it leaks more than half of plaintext bits [32,33]. Moving a step forward, Dyer et al. [34] introduced an OPE scheme by using approximate integer common divisor problem. However, Dyer et al.'s scheme achieves window one-wayness security.
Popa et al. [16] firstly introduced an ideally secure orderpreserving encoding scheme named MOPE by using a balanced search tree and mutable ciphertexts. Mutable ciphertexts mean that encodings for several plaintext change with a deletion and insertion operation. e security on MOPE shows it is, in principle, possible to reveal no additional information besides orders. Kerschbaum [35] indicated each (deterministic) OPE scheme suffers a simple frequency attack from ciphertexts. For this reason, he provided a stronger security definition and indistinguishability under frequency analysis ordered chosen-plaintext attack (IND-FAOCPA). Based on random ciphertexts, the scheme [35] hides frequency information and achieves IND-FAOCPA security. Enlightened by a buffer tree [36], Roche et al. [37] constructed an order-preserving tree and further proposed a partial order-preserving encoding (POPE) scheme which supports the insert-heavy database and leaks partial orders. Unfortunately, all above schemes limit by multiple round of interactions between clients and cloud servers.
Boneh et al. [18] provided a generalization definition of ORE. Different from traditional OPE, ORE reveals the order of plaintexts. ey designed an ORE scheme by using multilinear maps. Because of the heavy computation burden of multilinear maps, the scheme [18] is impractical in most applications. e CLWW scheme [26] is the first practical ORE scheme by using PRFs. For each bit of data items, a keyed PRF takes this bit concatenated with all more significant bits as input. us, the ciphertexts include n elements which are the numerically sum of the keyed PRF and the next less significant bit. But, the CLWW scheme leaks the index of first different bit of two plaintexts. In order to balance security and efficiency, Lewi and Wu [27] introduced a generalization of the ORE scheme by using the left/ right framework. e scheme of the small domain in [27] scales linearly with the size of message space and large domain reveals the first differing block. Based on bilinear map techniques, Cash et al. [19] proposed a more secure ORE scheme which leaks the equality pattern of the most significant bit.
Several related works about multiclient have been introduced. Xiao et al. [33] gave a method to extend the OPE scheme to multiclient scenario which only supports the OPE system not ORE. As an improvement, two multiclient orderrevealing encryption (MC-ORE) schemes [38] have been proposed by using the design principle of the CLWW scheme. Obviously, MC-ORE schemes are proven secure with different leakage functions. Li et al. [20] introduced and designed the delegatable order-revealing encryption (DORE) scheme for the multiclient system. e DORE scheme reveals the index of the first different bit between two plaintexts. Latest, some attack schemes have been introduced, such as inference attack [39], file-injection attack [28], and multicolumn attack [40]. However, most of these attack schemes require auxiliary information which limits the application in practical.

Organization.
e rest of this paper is organized as follows. In Section 2, we introduce some preliminaries. e system model and ORE definition are illustrated in Section 3. en, in Section 4, we propose a PORE scheme by leveraging prefix encoding and Bloom filter techniques. We demonstrate its application on secure range query in Section 5. e security and efficiency analysis are illustrated in Section 6. In Section 7, we provide a performance evaluation of our scheme. Finally, the conclusions are presented in Section 8.

Preliminaries
In this section, we provide some preliminaries and definitions for the design of the ORE scheme and secure range query scheme.

Bloom Filter.
As a space-efficient data structure, Bloom filter [41] is always used to test whether an element a is a member of a set S. e detailed description of Bloom filter is illustrated in the following.
Bloom filter (BF) contains an array of n cells which store 0 or 1 and k different hash functions In the initial phase, we set all cells of the array to 0. When embedding an element w into the Bloom filter BF, we compute its hash functions H 1 (w), H 2 (w), . . . , H k (w) and set all these chosen cells to 1. To test whether an element w belongs to a set S, we compute its hash functions and check whether the indicated cells of set S are all 1. If all these corresponding cells are 1, then w is an element of set S with allowable errors. Otherwise, w does not belong to the set S. e allowable error is called as false positive which satisfies Pf � (1 − e − ((km)/n) ) k . It reaches its minimum value 2 − k when r � ln 2 * (n/m), where n is the size of the Bloom filter, k is the number of hash functions, and m denotes the number of elements in Bloom filter BF. An example of a Bloom filter is shown in Figure 1.

Prefix Encoding Technique.
Prefix encoding technique converts the testing of whether an element d falls into a range [a, b] to the testing of whether two sets have common elements [42]. e details are demonstrated as follows.
Given a t-bit  Figure 3, the introduced ORE scheme consists of three main parties, data owner (DO), search user (SU), and cloud service provider (CSP).

System Model. As shown in
(i) Data owner: the data owner is the entity who owns the database, encrypts the database, and delegates the encrypted database to a powerful cloud service provider. During the encryption phase, the data owner encrypts the data items from the symmetric encryption scheme to protect its privacy and generates the encrypted search indexes to facilitate data utilization. (ii) Search user: search users receive system parameter and secret keys from the data owner and generate search requests according to their requirements. en, search users send search requests with the Security and Communication Networks 3   corresponding trapdoor to the cloud service provider and receive the search results on ciphertext. Finally, they decrypt the ciphertexts and obtain the results. (iii) Cloud service provider: the cloud service provider owns the powerful storage resources and unlimited computation resources. us, the cloud service provider always provides the storage, computation, and query services for the data owner and search user.
To protect the private sensitive information, the data owner encrypts the database, generates the indexes, and sends them to the cloud service provider. Search users compute the search trapdoor according to their request and send search trapdoor to the cloud service provider. e cloud service provider stores the encrypted database and then searches the encrypted database for the search users. In our paper, we assume the data owner and search users are fully trusted and the cloud service provider is "honest-but-curious." It means the cloud service provider follows protocol and returns answers faithfully but intends to learn additional information about the encrypted database.
e assumption is very common in other work, such as [12,13,43].

Order-Revealing Encryption
Scheme. An ORE scheme is defined by four probabilistic polynomial-time (PPT) algorithms ORE.KeyGen, ORE.Enc, ORE.TokenGen, and ORE.OrderComp. ese algorithms are defined as follows: (i) ORE.KeyGen (λ)⟶SK: DO runs this algorithm to output a secret key SK. e secret key will be secretly stored by the data owner. Furthermore, the data owner will send the secret key to search users through the access control technique. (ii) ORE.Enc(SK, d) ⟶C d : DO runs the data encryption algorithm to encrypt data item d. e data encryption algorithm takes as input a secret key SK and a data item d and outputs the ORE ciphertext as C d . (iii) ORE.TokenGen (SK, a) ⟶TK a : SU runs this algorithm to generate the comparison token. It takes as input a secret key SK and a data item a and outputs the comparison token TK a . (iv) ORE.OrderComp(C d , TK a ) ⟶ ans: CSP runs the order comparison algorithm to output the order relation. e algorithm takes as input the ciphertext C d of data item d and comparison token TK a for another data item. e order comparison algorithm outputs the order relation for data item d and a. If ans� 1, it means a ≥ d; otherwise, ans� 0 means a < d.
In the following, the correctness and security definitions were introduced in the ORE scheme [27].
Consider an experiment defined for the ORE scheme as follows. In the experiment, we introduce the random variable win A,k as the success of adversary A.
e IND-OCPA indistinguishability experiment ExpA,OPE is as follows:

High Description.
Before describing the details of our ORE scheme, we introduce the construction principle in brief. Different from the existing works, we partition a ciphertext C d into two parts E d and I d , where E d � DET.Enc(sk 1 , d) refers to the ciphertext which is produced by the symmetric encryption scheme DET with the strongest security (e.g., AES a DES) and I d is an index which indicates the order of plaintexts. Comparison is only proceeded between the index I d of one plaintext and the search token TK a of another data item a. us, CSP proceeds the query request until a search token provided by SU.
In the following, we focus on the construction of index I d . e order comparison between value d and a is equal to check whether a value d falls into a range[0, a]. By using prefix encoding technique which is proposed in [42], we compute the data prefix F(d) and range prefix S ([0, a]).
us, the checking of whether a value d falls into a range [0, a] converts to the checking of whether two sets F(d) and S([0, a]) have common elements. e basic method is to check whether an element of one set falls into another set. Trivially, the checking is done by leveraging Bloom filter technique in [41].
Since frequency information leads some simple attacks which were pointed out by Naveed et al. [39], DO should also hide the frequency (i.e., hide equality) in the ciphertext E d and the index I d . Owing to DET is an IND-CPA secure Security and Communication Networks encryption scheme, the frequency is hidden in the ciphertext E d . To hide the frequency in index, DO randomizes a data item d as d ′ � d‖01‖r 1 to break the equality before constructing the index.

e Main Construction.
In this section, we introduce the ORE scheme from four processes: key generation, data encryption, token generation, and order comparison.
For the sake of clarity, we assume that all data items are w-bit and greater than 0, and DET � (DET.Key, DET.Enc, DET.Dec) is an IND-CPA secure encryption scheme. e details of our ORE scheme are illustrated as follows: (iii) ORE.TokenGen(SK, a): on input a secret key SK and a data item a, SU wants to compute the comparison token for it.
(1) Data randomization: for a data item a, SU uniformly samples a w-bit random number r and computes its randomization as a′ � a‖11‖r.

Encrypted Range Queries
In this section, we describe the application of the introduced ORE in range queries over the encrypted database. In our model, the resource-constraint data owner outsources the storage and computation tasks to the cloud service provider. Subsequently, search users submit the range query requests and obtain the query results. In outsourcing scenario, the cloud service provider needs to learn the order information for the range query. In this work, the above ORE scheme is introduced to help it in the operation of order comparison. To enhance the efficiency, the data owner stores data items in tree structure, such as B-tree. We describe the secure range query scheme with the proposed ORE scheme in the following algorithms (i) RQ.Setup(λ): takes as input a security parameter, it outputs the secret key SK � {sk1, sk2}, where secret key SK is the same with that in the ORE scheme. (ii) RQ.TreeBuild(D): takes as input a database D, the data owner stores the data items D in a B-tree data structure and obtains tree: where d 1 , d 2 , . . . , d n are data items in database D and P is a set of pointers to cover the parent-child relations of Γ tree. (iii) RQ.TreeEnc(SK, Γ): takes as input the secret key SK and the tree Γ, the data owner runs the ORE.Enc algorithm in the ORE scheme to encrypt Γ tree as where Since Γ * tree reveals order of data items in different nodes and leaves data items in same node incomparable, the encrypted Γ * tree is named as PORE tree. (iv) RQ.RangeQuery(SK, Γ * , [a, b]): the range query algorithm consists of two phases. In the first phase, search users compute and send the encrypted ranges to CSP. In the second phase, CSP proceeds the search process over the encrypted tree structure Γ * .

Analysis
In this section, we demonstrate the security analysis and efficiency analysis.

Theorem 1. e proposed ORE scheme over a well-domain D is correct.
Proof. Suppose that r 1 and r 2 are two w-bit random numbers, C d is the ciphertext for data itemd, and TK a is the comparison token for data item a. We prove the correctness through d ≤ a if and only if ans � 1 without considering the false positive of Bloom   e proposed secure range query scheme over a well-domain D is correct.

Input:
hash function: H(·) secret keys: k 1 , k 2 , . . . , k s data item: d Output: -Bloom filter: BF d (1) In order to hide the frequency, DO adds a random fractional part r for the data item d as d′ � d‖01‖r, where r has the same number of bits with the data item d and d′ is a (2w + 2)-bit number; (2) DO computes prefix family of d′ as F(d′) � P 1 , P 2 , . . . , P 2w+3 ; (3) for i←1 to 2w + 3 do (4) To remove the correlation among different nodes, DO chooses a random numberv · r which has the same size with secret keys k 1 , k 2 , . . . , k s ; (5) for j←1 to s do (6) DO first computes hash value H(k j ‖ P i ) and then sets 1 on the position H(v · r ‖ H(k j ‖ P i )); (7) end for (8) end for (9) After inserting the prefix family, we have a secure Bloom filter BF d . ALGORITHM 1: Secure BF.

Security and Communication Networks
Proof. Suppose that a data item d ∈ D, a range [a, b], and their randomization d ′ � d‖01‖r 1 , a ′ � a‖00‖r 2 and b ′ � b‖11‖r 3 , where r 1 , r 2 , and r 3 are three w-bit random numbers. We proof the correctness through Owing to the fact that for a data item d and range [a, b] at means, C d ∈ Res * , namely, d ∈ Res.
Moreover, if we do not take false positive of Bloom filter into consideration, we can prove the correctness. at is, if d ∈ Res, then d ∈ [a, b]. If d ∈ Dec(sk, Res * ), we can draw the conclusion that After derandomization, we can draw the conclusion that at means d ∈ [a, b]. □ Theorem 3. e proposed ORE scheme is IND-OCPA secure in the random oracle model.
Proof. For the convenience of understanding, we first introduce the concept of computationally indistinguishable. Let X � X k k and Y � Y k k be ensembles of distributions. X and Y are said to be computationally indistinguishable (written X C ≈ Y), if for all PPT adversariesA, Next, we will prove the theorem in the following hybrid games: where the scheme in Hybrid 2 is revised to instead hash function with a random oracle O. Let H A 3 (λ) be the random variable indicating the output of A, namely, A's guess bit.
Because DET is a pseudo-random function, it is obvious that . We give a proof by contradiction for this conclusion. If these two hybrids are distinguishable, then we construct a simulator D 1 which distinguishes pseudo-random numbers from random numbers. e distinguisher D 1 ( r k ): (1) Adversary A is given a security parameter and outputs ({v 0 k } and {v 1 k }) with the same order relation; (2) A uniform bit b← 0, 1 { } is chosen, and then a ciphertext {C b k } � {r k } is computed and given to the adversary A; (3) e adversary A outputs a bit b ′ , its guess for b. e distinguisher D 1 outputs 1 if b ′ � b (meaning pseudo-random sequence) and 0 (meaning random sequence) otherwise.
If adversary A can distinguish these two hybrids, namely, then we conclude that us, we can draw the conclusion that is a pseudo-random function, it draws the same conclusion thatH A 2 (λ) C ≈ H A 3 (λ). Following, we prove the probability adversary A guesses correctly in Hybrid 3 is 1/2. at is, the winning advantage of A can be at most 1/( 2 + negl(k) ). e data owner stores C d � (E d , I d ) in the cloud service provider for a data item d. Because E d is replaced with a random oracle, the adversary A cannot distinguish the ciphertexts of v 0 i and v 1 i , namely, i . Moreover, recall that every value d is assigned a different random number v.r, and random oracle O uses v.r to compute hash functions for the secure Bloom filter BF d .
us, given two different Bloom filters BF i and BF j , it is infeasible for any PPT adversary A to distinguish whether a same string or two different strings are mapped to them. From this, it is easy to draw the conclusion that As a result, the adversary A cannot distinguish with nonnegligible probability. at is, We complete the proof of eorem 3. □ 6.2. Efficiency Analysis. For the convenience of discussion, some marks are introduced in this section. We denote by E/D an encryption/decryption algorithm of the DET scheme with IND-CPA secure, F is a PRF, H is a hash function, r is the number of hashes in a Bloom filter, w is the bits of our data item, n is the size of the database, N is the size of message space, and t is the size of results. We omit other operations such as comparison of plaintexts and uniformly random permutation in Lewi-Wu ORE.
We now describe the efficiency analysis among MOPE [16], Lewi-Wu ORE [27], and the proposed range query scheme with PORE tree, shorted for the PORE scheme. e security in Table 1 demonstrates that all schemes achieve IND-OCPA security which reveals nothing besides the order relation. Furthermore, the PORE scheme hides data frequency and data items in leaf nodes of our PORE scheme which remain incomparable. Stored information in MOPE [16] only consists of the ciphertexts, that is, produced by an IND-CPA secure DET scheme. erefore, the order comparison is achieved by the interaction with a DO/SU. In this condition, there is about O(log n)-round communication between DO/SU and CSP during the range query and update operation. Ciphertexts in Lewi-Wu ORE [27] consist of the left ciphertexts and the right ciphertexts. It is possible to proceed the comparison algorithm with the left of one ciphertext and the right of another ciphertext. To enhance the storage efficiency, CSP only stores the left ciphertexts (about log n bits long) in the sorted order instead of the complete ciphertexts (about n log 3 + log n bits long). When proceeding a range query or an update operation, DO generates the right ciphertexts and sends them to the CSP. e basic idea of our PORE is inspired by Lewi-Wu ORE. We split stored information into a ciphertext produced by DET and an index I d .
e index I d is a Bloom filter storingF(d) with the size of w + 1. Compared with the MOPE and Lewi-Wu ORE scheme, the cost of encryption in our PORE scheme is a little higher. While encryption is onetime in the initialization phase, the cost is acceptable. In range query and update phases, CSP obtains order comparison by communicating with the DO and SU in MOPE. SU decrypts ciphertexts and returns the order information.
e cost in Lewi-Wu ORE [27] is linear with the message space for the DO/SU and logarithm with the database for CSP. MOPE and Lewi-Wu ORE have a better efficiency for CSP in both phases. Both schemes do not use the tremendous compute power of CSP violating the definition of cloud computing. Finally, we observe from decryption cost that all these schemes have a high efficiency.

Performance Evaluation
In this section, we introduce a formal experimental simulation among MOPE [16], Lewi-Wu ORE [27], and the proposed PORE scheme in order to test the practical utility. Specifically, the code is run with Python3 language on a machine with an Intel Xeon (R) CPU i7-8565U processor running at 16 GHz and 1 T memory. We instantiate the hash function with SHA-256 in the Lewi-Wu ORE scheme. e symmetric cipher used is AES-ECB-128 as provided by the PyCrypto library, and the scalable Bloom filer is provided in pybloom live library. Furthermore, we set error rate of Bloom filter as 0.001 and storage limitation L � 4 of B-tree to store ciphertexts.

Database Size.
In the following experiment, we use the Gowalla database which lists 6,442,890 check-in locations collected from 196,591 users. We sample 1,000,000 data items of 48 bit in the database to test the performance of the MOPE and PORE scheme. Figure 4 demonstrates that Lewi-Wu ORE [27] is only suitable in the small domain. In this condition, we cut 12 bit from data items in the Gowalla database to simulate the performance of search and update.

Network.
For these experiments, we simulate all the data owner, search users, and cloud service provider on the same machine. erefore, we test performance by measuring the theoretical communication cost instead of the realistic network with latency and bandwidth restrictions. In the theoretical experimental simulation, we assume that the network is slower than 5 ms of latency and 20 Mbps bandwidth. Figures 5(a) and 5(b) show the time cost and storage cost on tree construction of MOPE, Lewi-Wu ORE, and our PORE scheme. We can easily see that time cost of MOPE is similar to that of Lewi-Wu ORE since the AES-ECB-128 is used to encrypt data items in MOPE and to instantiate the PRF in Lewi-Wu ORE. Furthermore, the time cost from 80s at 100,000 data items and 1082s at 1,000,000 data items of our PORE scheme is greater than that of the MOPE and Lewi-Wu ORE scheme. Meanwhile, the storage cost from 10.5 M to 105 M of the PORE scheme is a little greater than that of the MOPE and Lewi-Wu ORE scheme, from 8.2 M to 82M and 7.5 M to 75 M, respectively. e time cost and storage cost are acceptable of our PORE scheme because of one-time on tree construction.
In our main experiments, we test the performance of range query and update operation (insertion and deletion) with 1,000 operations in MOPE and our PORE scheme and that with 100 operations in the Lewi-Wu ORE scheme. e time cost of range query is shown in Figure 6. It demonstrates that our PORE scheme is far less than MOPE-latency and the Lewi-Wu ORE scheme. Furthermore, our scheme achieves about 18 ms per-range query on the database with million data items vs. about 50 ms per-operation for MOPElatency with communication latency .  Figures 7(a) and 7(b) show the time cost on insertion and deletion operation. As these figures present, the cost is dominated by communication on range query and insertion and deletion of the MOPE-latency scheme with 5 ms latency. e runtime is linear with the round of communication. Moreover, the time cost of MOPE-latency and Lewi-Wu ORE is about 5x greater than our scheme on insertion and 2x on deletion operation. We can see that our scheme is wellsuited for range query and update operation.

Conclusions
In this paper, we introduce a noninteractive order-revealing encryption scheme with comparison token to execute privacy-preserving order comparison in cloud computing. e introduced ORE scheme requires that the cloud service provider could not perform order comparison until a search token provided. e security analysis shows that our ORE scheme achieves IND-OCPA security. Furthermore, we design a secure range query over the encrypted database through designing PORE tree structure from the proposed ORE scheme. e designed PORE tree reveals partial order information of plaintexts and leaves results incomparable even after query execution. Finally, the experimental result shows the high efficiency of our PORE scheme based on the designing of the ORE scheme.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.