Cloud service providers offer support for cross-database queries, wherein clients possess individual databases and grant each other authorization to execute queries involving data from other databases. In this context, the flexibility of the underlying authorization mechanism holds equal importance to the preservation of data privacy and query integrity. This research paper revisits the concept of delegable order-revealing encryption (DORE), which encompasses a range query algorithm facilitating authorized clients in retrieving data from specific ranges across multiple databases encrypted under distinct secret keys. The primary objective of this study is to examine the factors within the authorization mechanism of DORE that contribute to bidirectional authorization, which mandates that a client seeking authorization from others must also authorize them in return. However, this property raises two significant concerns. Firstly, to gain access to other clients’ databases, each client must disclose their own database, thereby hindering flexible authorization. Secondly, bidirectional authorization necessitates the re-encryption process to be performed twice in order to compare two ciphertexts encrypted under different keys, resulting in a doubling of the comparison cost. To address these concerns, we propose a new algorithm called UNIQUE, which employs unidirectional order-revealing encryption for range queries. UNIQUE introduces a novel unidirectional authorization mechanism that requires only a single re-encryption operation for comparing two ciphertexts. Furthermore, it eliminates the need for each client to authorize others to access their respective databases, thus enabling flexible authorization. Experimental results indicate that UNIQUE achieves a two-fold reduction in comparison time compared to DORE, attributed to the decreased re-encryption cost. Moreover, UNIQUE successfully demonstrates its capability to facilitate flexible authorization.
Kwon et al. (Sun,) studied this question.