Order-preserving symmetric encryption (OPE) is a cryptographic primitive that allows efficient range queries on encrypted data. Introduced by Agrawal et al. (SIGMOD '04), OPE is a deterministic encryption scheme that preserves the numerical ordering of plaintexts. This property enables efficient range queries on encrypted data, as a remote server can index encrypted data in a way that allows efficient range queries. However, traditional security notions like IND-CPA are not applicable to OPE due to the deterministic and order-preserving nature of the encryption. Instead, the authors propose a security notion inspired by pseudorandom functions (PRFs), requiring that an OPE scheme behaves "as-random-as-possible" under the order-preserving constraint. The authors design an efficient OPE scheme based on a natural relation between a random order-preserving function and the hypergeometric probability distribution. They use a sampling algorithm for the hypergeometric distribution to construct the encryption scheme. The scheme is stateless, allowing single plaintexts to be encrypted on the fly. The authors also define a security notion called POPF-CCA (pseudorandom order-preserving function against chosen-ciphertext attack), which requires that an adversary cannot distinguish between oracle access to the encryption algorithm and a corresponding "ideal" random order-preserving function. The authors show that their OPE scheme is secure under the POPF-CCA notion, assuming the underlying blockcipher is pseudorandom. They also discuss the use of a length-flexible pseudorandom function (LF-PRF) to implement the scheme efficiently. The LF-PRF is constructed using a variable-input-length PRF and a consistent variable-output-length pseudorandom generator (VOL-PRG). The scheme is efficient, with encryption and decryption times proportional to the logarithm of the size of the plaintext and ciphertext spaces. The authors also discuss the use of the negative hypergeometric distribution for sampling, which allows for slightly simpler and more efficient algorithms. However, the existence of an efficient sampling algorithm for the negative hypergeometric distribution remains an open question. The authors conclude that their OPE scheme is secure, efficient, and practical for use in applications requiring efficient range queries on encrypted data.Order-preserving symmetric encryption (OPE) is a cryptographic primitive that allows efficient range queries on encrypted data. Introduced by Agrawal et al. (SIGMOD '04), OPE is a deterministic encryption scheme that preserves the numerical ordering of plaintexts. This property enables efficient range queries on encrypted data, as a remote server can index encrypted data in a way that allows efficient range queries. However, traditional security notions like IND-CPA are not applicable to OPE due to the deterministic and order-preserving nature of the encryption. Instead, the authors propose a security notion inspired by pseudorandom functions (PRFs), requiring that an OPE scheme behaves "as-random-as-possible" under the order-preserving constraint. The authors design an efficient OPE scheme based on a natural relation between a random order-preserving function and the hypergeometric probability distribution. They use a sampling algorithm for the hypergeometric distribution to construct the encryption scheme. The scheme is stateless, allowing single plaintexts to be encrypted on the fly. The authors also define a security notion called POPF-CCA (pseudorandom order-preserving function against chosen-ciphertext attack), which requires that an adversary cannot distinguish between oracle access to the encryption algorithm and a corresponding "ideal" random order-preserving function. The authors show that their OPE scheme is secure under the POPF-CCA notion, assuming the underlying blockcipher is pseudorandom. They also discuss the use of a length-flexible pseudorandom function (LF-PRF) to implement the scheme efficiently. The LF-PRF is constructed using a variable-input-length PRF and a consistent variable-output-length pseudorandom generator (VOL-PRG). The scheme is efficient, with encryption and decryption times proportional to the logarithm of the size of the plaintext and ciphertext spaces. The authors also discuss the use of the negative hypergeometric distribution for sampling, which allows for slightly simpler and more efficient algorithms. However, the existence of an efficient sampling algorithm for the negative hypergeometric distribution remains an open question. The authors conclude that their OPE scheme is secure, efficient, and practical for use in applications requiring efficient range queries on encrypted data.