Tight Tradeoffs in Searchable Symmetric Encryption
Journal of Cryptology (IF 2.3), Pub Date: 2021-01-21, DOI: 10.1007/s00145-020-09370-z
Gilad Asharov, Gil Segev, Ido Shahaf

A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT ’14) and Asharov et al. (STOC ’16) to construct SSE schemes offering various such tradeoffs and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed. We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the “pad-and-split” framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality L must use space \(\Omega ( N \log N / \log L )\) for databases of size N. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD ’17) which is captured by our pad-and-split framework. Then, within the “statistical-independence” framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive \(O(\log \log \log N)\) factor in its read efficiency, once again improving upon the existing schemes. 
Our scheme offers optimal space and locality, and nearly optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with \(n = N^{1 - \epsilon (n)}\) document identifiers, the read efficiency is \(\omega (1) \cdot {\epsilon }(n)^{-1}+ O(\log \log \log N)\) when retrieving its identifiers (where the \(\omega (1)\) term may be arbitrarily small, and \(\omega (1) \cdot {\epsilon }(n)^{-1}\) is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most \(N^{1 - 1/o(\log \log \log N)}\) document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency \(O(\log \log \log N)\) when retrieving its identifiers.




Updated: 2021-01-21