Skip to main content
SpringerLink
Log in

Tight Tradeoffs in Searchable Symmetric Encryption

  • Published:
Journal of Cryptology Aims and scope Submit manuscript

Abstract

A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT ’14) and Asharov et al. (STOC ’16) to construct SSE schemes offering various such tradeoffs and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed. We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the “pad-and-split” framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality L must use space \(\Omega ( N \log N / \log L )\) for databases of size N. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD ’17) which is captured by our pad-and-split framework. Then, within the “statistical-independence” framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive \(O(\log \log \log N)\) factor in its read efficiency, once again improving upon the existing schemes. Our scheme offers optimal space and locality, and nearly optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with \(n = N^{1 - \epsilon (n)}\) document identifiers, the read efficiency is \(\omega (1) \cdot {\epsilon }(n)^{-1}+ O(\log \log \log N)\) when retrieving its identifiers (where the \(\omega (1)\) term may be arbitrarily small, and \(\omega (1) \cdot {\epsilon }(n)^{-1}\) is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most \(N^{1 - 1/o(\log \log \log N)}\) document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency \(O(\log \log \log N)\) when retrieving its identifiers.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1

Similar content being viewed by others

Notes

  1. We consider the notions of locality and read efficiency as formalized by Cash and Tessaro [11]: The locality of a scheme is the number of non-contiguous memory accesses that the server performs with each query, and the read efficiency of a scheme is the ratio between the number of bits the server reads with each query and the actual size of the answer. We refer the reader to Sect. 2.1 for the formal definitions.

  2. Each of the schemes that are captured by our framework offers other important implementation details, improvements and optimizations that we do not intend to capture, since these are not directly related to the tradeoff between space, locality, and read efficiency.

  3. We emphasize that this does not hurt the security of SSE schemes, and still results in minimal leakage as required.

  4. Looking ahead, when supplied with a token corresponding to a keyword \(w_i\), the server will return to the client all data stored in the possible locations of the list \(\mathsf{DB}(w_i)\) (the server will not actually know in which of the possible locations the elements of the list are actually placed).

  5. The scheme of Demertzis et al. [14] is not captured by the two frameworks we consider in this work, as it requires the server to modify its stored data (i.e., the encrypted database) and the user to update her local state whenever a search query is issued.

  6. The unit cost word-RAM model is considered the standard model for analyzing the efficiency of data structures (see, for example, [12, 17, 18, 24, 25] and the references therein).

  7. Note that in the original work of Kirsch et al. [19] they considered a constant-sized stash, whereas in this work we are interested in a stash whose size is not necessarily constant, and thus, we rely on [1].

  8. We refer the reader to the work of Chase and Kamara [9] for a discussion on the necessity of using a random oracle for adaptive security with succinct search tokens.

  9. Note that any scheme in which the server decrypts the results can be easily transformed into a scheme where only the client decrypts the results by adding an additional encryption layer—but this does not necessarily hold in the other direction.

  10. We emphasize that having the read efficiency depend on the length of the retrieved list does not hurt the security of SSE schemes, and our scheme still results in minimal leakage as required.

  11. The details here are quite subtle. The server obtains the pseudorandom key that was used to produce randomness for the relevant invocation of \(\mathsf{RangesGen}\). In addition, the server stores the lengths of the lists in an encrypted manner, and can only reveal the lengths of the already-queried lists. Knowing both the pseudorandom key and the list length allows the server to compute the possible locations of the list \(\mathsf{DB}(w)\).

References

  1. M. Aumüller, M. Dietzfelbinger, P. Woelfel, Explicit and efficient hash families suffice for cuckoo hashing with a stash. Algorithmica, 70(3), 428–456, (2014)

    Article  MathSciNet  Google Scholar 

  2. Y. Arbitman, M. Naor, G. Segev, Backyard cuckoo hashing: constant worst-case operations with a succinct representation, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 787–796

  3. G. Asharov, M. Naor, G. Segev, I. Shahaf, Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations, in Proceedings of the 48th Annual ACM Symposium on Theory of Computing (2016), pp. 1101–1114

  4. R. Curtmola, J. A. Garay, S. Kamara, R. Ostrovsky, Searchable symmetric encryption: improved definitions and efficient constructions, in Proceedings of the 13th ACM Conference on Computer and Communications Security (2006), pp. 79–88

  5. R. Curtmola, J. A. Garay, S. Kamara, R. Ostrovsky, Searchable symmetric encryption: Improved definitions and efficient constructions. J. Comput. Sec. 19(5), 895–934 (2011)

    Article  Google Scholar 

  6. D. Cash, P. Grubbs, J. Perry, T. Ristenpart, Leakage-abuse attacks against searchable encryption, in Proceedings of the 22nd ACM Conference on Computer and Communications Security (2015), pp. 668–679

  7. D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, M. Steiner, Highly-scalable searchable symmetric encryption with support for Boolean queries, in Advances in Cryptology—CRYPTO ’13 (2013), pp. 353–373

  8. D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, M. Steiner, Dynamic searchable encryption in very-large databases: data structures and implementation, in Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)

  9. M. Chase, S. Kamara, Structured encryption and controlled disclosure, in Advances in Cryptology—ASIACRYPT ’10 (2010), pp. 577–594

  10. Y.-C. Chang, M. Mitzenmacher, Privacy preserving keyword searches on remote encrypted data, in Proceedings of the 3rd International Conference on Applied Cryptography and Network Security (2005), pp. 442–455

  11. D. Cash and S. Tessaro, The locality of searchable symmetric encryption, in Advances in Cryptology—EUROCRYPT ’14 (2014), pp. 351–368

  12. M. Dietzfelbinger, R. Pagh, Succinct data structures for retrieval and approximate membership, in Proceedings of the 35th International Colloquium on Automata, Languages and Programming(2008), pp. 385–396

  13. I. Demertzis, C. Papamanthou, Fast searchable encryption with tunable locality, in Proceedings of the 2017 ACM Special Interest Group on Management of Data (SIGMOD) Conference (2017), pp. 1053–1067

  14. I. Demertzis, D. Papadopoulos, C. Papamanthou, Searchable encryption with optimal locality: achieving sublogarithmic read efficiency, in Cryptology ePrint Archive, Report 2017/749 (2017)

  15. E. Goh, Secure indexes, in Cryptology ePrint Archive, Report 2003/216 (2003)

  16. O. Goldreich, Foundations of Cryptography—Volume 2: Basic Applications. Cambridge University Press, Cambridge (2004)

    Book  Google Scholar 

  17. T. Hagerup, Sorting and searching on the word RAM, in Proceedings of the 15th Annual Symposium on Theoretical Aspects of Computer Science (1998), pp. 366–398

  18. T. Hagerup, P. B. Miltersen, R. Pagh, Deterministic dictionaries. J. Algorithms 41(1), 69–85 (2001)

    Article  MathSciNet  Google Scholar 

  19. A. Kirsch, M. Mitzenmacher, U. Wieder, More robust hashing: cuckoo hashing with a stash. SIAM J. Comput., 39(4), 1543–1561, (2009)

    Article  MathSciNet  Google Scholar 

  20. K. Kurosawa, Y. Ohtaki, UC-secure searchable symmetric encryption, in Proceedings of the 16th International Conference on Financial Cryptography and Data Security (2012), pp. 285–298

  21. K. Kurosawa, Y. Ohtaki, How to update documents verifiably in searchable symmetric encryption, in Proceedings of the 12th International Conference on Cryptology and Network Security (2013), pp. 309–328

  22. S. Kamara, C. Papamanthou, Parallel and dynamic searchable symmetric encryption, in Proceedings of the 16th International Conference on Financial Cryptography and Data Security (2013), pp. 258–274

  23. S. Kamara, C. Papamanthou, T. Roeder, Dynamic searchable symmetric encryption, in Proceedings of the 19th ACM Conference on Computer and Communications Security (2012), pp. 965–976

  24. P.B. Miltersen, Cell probe complexity—a survey, in Proceedings of the 19th Conference on the Foundations of Software Technology and Theoretical Computer Science, Advances in Data Structures Workshop (1999)

  25. A. Pagh, R. Pagh, Uniform hashing in constant time and optimal space. SIAM J. Comput. 38(1), 85–96 (2008)

    Article  MathSciNet  Google Scholar 

  26. R. Pagh, F.F. Rodler, Cuckoo hashing. J. Algorithms, 51(2), 122–144 (2004)

    Article  MathSciNet  Google Scholar 

  27. E. Stefanov, C. Papamanthou, E. Shi, Practical dynamic searchable encryption with small leakage, in Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)

  28. D.X. Song, D. Wagner, A. Perrig, Practical techniques for searches on encrypted data, in Proceedings of the 21st Annual IEEE Symposium on Security and Privacy (2000), pp. 44–55

  29. P. van Liesdonk, S. Sedghi, J. Doumen, P.H. Hartel, W. Jonker, Computationally efficient searchable symmetric encryption, in Proceedings of 7th VLDB Workshop on Secure Data Management (2010), pp. 87–100

Download references

Acknowledgements

So in total, the space overhead is O(N).

Funding

Open Access funding enabled and organized by Projekt DEAL.

Author information

Authors and Affiliations

  1. Department of Computer Science, Bar-Ilan University, 5290002, Ramat Gan, Israel

    Gilad Asharov

  2. School of Computer Science and Engineering, Hebrew University of Jerusalem, 91904, Jerusalem, Israel

    Gil Segev & Ido Shahaf

Authors
  1. Gilad Asharov
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gil Segev
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ido Shahaf
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ido Shahaf.

Additional information

Communicated by Stefano Tessaro.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

A preliminary version of this work appeared in Advances in Cryptology – CRYPTO ’18

Gilad Asharov: Most of the work was done while at Cornell Tech, supported by a Junior Fellow award from the Simons Foundation

Gil Segev: Supported by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), and by the US-Israel Binational Science Foundation (Grant No. 2014632)

Ido Shahaf: Supported by the Clore Israel Foundation via the Clore Scholars Programme.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Asharov, G., Segev, G. & Shahaf, I. Tight Tradeoffs in Searchable Symmetric Encryption. J Cryptol 34, 9 (2021). https://doi.org/10.1007/s00145-020-09370-z

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s00145-020-09370-z

Keywords

Search

Navigation