Abstract
A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT ’14) and Asharov et al. (STOC ’16) to construct SSE schemes offering various such tradeoffs and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed. We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the “pad-and-split” framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality L must use space \(\Omega ( N \log N / \log L )\) for databases of size N. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD ’17) which is captured by our pad-and-split framework. Then, within the “statistical-independence” framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive \(O(\log \log \log N)\) factor in its read efficiency, once again improving upon the existing schemes. Our scheme offers optimal space and locality, and nearly optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with \(n = N^{1 - \epsilon (n)}\) document identifiers, the read efficiency is \(\omega (1) \cdot {\epsilon }(n)^{-1}+ O(\log \log \log N)\) when retrieving its identifiers (where the \(\omega (1)\) term may be arbitrarily small, and \(\omega (1) \cdot {\epsilon }(n)^{-1}\) is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most \(N^{1 - 1/o(\log \log \log N)}\) document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency \(O(\log \log \log N)\) when retrieving its identifiers.
Similar content being viewed by others
Notes
We consider the notions of locality and read efficiency as formalized by Cash and Tessaro [11]: The locality of a scheme is the number of non-contiguous memory accesses that the server performs with each query, and the read efficiency of a scheme is the ratio between the number of bits the server reads with each query and the actual size of the answer. We refer the reader to Sect. 2.1 for the formal definitions.
Each of the schemes that are captured by our framework offers other important implementation details, improvements and optimizations that we do not intend to capture, since these are not directly related to the tradeoff between space, locality, and read efficiency.
We emphasize that this does not hurt the security of SSE schemes, and still results in minimal leakage as required.
Looking ahead, when supplied with a token corresponding to a keyword \(w_i\), the server will return to the client all data stored in the possible locations of the list \(\mathsf{DB}(w_i)\) (the server will not actually know in which of the possible locations the elements of the list are actually placed).
The scheme of Demertzis et al. [14] is not captured by the two frameworks we consider in this work, as it requires the server to modify its stored data (i.e., the encrypted database) and the user to update her local state whenever a search query is issued.
We refer the reader to the work of Chase and Kamara [9] for a discussion on the necessity of using a random oracle for adaptive security with succinct search tokens.
Note that any scheme in which the server decrypts the results can be easily transformed into a scheme where only the client decrypts the results by adding an additional encryption layer—but this does not necessarily hold in the other direction.
We emphasize that having the read efficiency depend on the length of the retrieved list does not hurt the security of SSE schemes, and our scheme still results in minimal leakage as required.
The details here are quite subtle. The server obtains the pseudorandom key that was used to produce randomness for the relevant invocation of \(\mathsf{RangesGen}\). In addition, the server stores the lengths of the lists in an encrypted manner, and can only reveal the lengths of the already-queried lists. Knowing both the pseudorandom key and the list length allows the server to compute the possible locations of the list \(\mathsf{DB}(w)\).
References
M. Aumüller, M. Dietzfelbinger, P. Woelfel, Explicit and efficient hash families suffice for cuckoo hashing with a stash. Algorithmica, 70(3), 428–456, (2014)
Y. Arbitman, M. Naor, G. Segev, Backyard cuckoo hashing: constant worst-case operations with a succinct representation, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 787–796
G. Asharov, M. Naor, G. Segev, I. Shahaf, Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations, in Proceedings of the 48th Annual ACM Symposium on Theory of Computing (2016), pp. 1101–1114
R. Curtmola, J. A. Garay, S. Kamara, R. Ostrovsky, Searchable symmetric encryption: improved definitions and efficient constructions, in Proceedings of the 13th ACM Conference on Computer and Communications Security (2006), pp. 79–88
R. Curtmola, J. A. Garay, S. Kamara, R. Ostrovsky, Searchable symmetric encryption: Improved definitions and efficient constructions. J. Comput. Sec. 19(5), 895–934 (2011)
D. Cash, P. Grubbs, J. Perry, T. Ristenpart, Leakage-abuse attacks against searchable encryption, in Proceedings of the 22nd ACM Conference on Computer and Communications Security (2015), pp. 668–679
D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, M. Steiner, Highly-scalable searchable symmetric encryption with support for Boolean queries, in Advances in Cryptology—CRYPTO ’13 (2013), pp. 353–373
D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, M. Steiner, Dynamic searchable encryption in very-large databases: data structures and implementation, in Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)
M. Chase, S. Kamara, Structured encryption and controlled disclosure, in Advances in Cryptology—ASIACRYPT ’10 (2010), pp. 577–594
Y.-C. Chang, M. Mitzenmacher, Privacy preserving keyword searches on remote encrypted data, in Proceedings of the 3rd International Conference on Applied Cryptography and Network Security (2005), pp. 442–455
D. Cash and S. Tessaro, The locality of searchable symmetric encryption, in Advances in Cryptology—EUROCRYPT ’14 (2014), pp. 351–368
M. Dietzfelbinger, R. Pagh, Succinct data structures for retrieval and approximate membership, in Proceedings of the 35th International Colloquium on Automata, Languages and Programming(2008), pp. 385–396
I. Demertzis, C. Papamanthou, Fast searchable encryption with tunable locality, in Proceedings of the 2017 ACM Special Interest Group on Management of Data (SIGMOD) Conference (2017), pp. 1053–1067
I. Demertzis, D. Papadopoulos, C. Papamanthou, Searchable encryption with optimal locality: achieving sublogarithmic read efficiency, in Cryptology ePrint Archive, Report 2017/749 (2017)
E. Goh, Secure indexes, in Cryptology ePrint Archive, Report 2003/216 (2003)
O. Goldreich, Foundations of Cryptography—Volume 2: Basic Applications. Cambridge University Press, Cambridge (2004)
T. Hagerup, Sorting and searching on the word RAM, in Proceedings of the 15th Annual Symposium on Theoretical Aspects of Computer Science (1998), pp. 366–398
T. Hagerup, P. B. Miltersen, R. Pagh, Deterministic dictionaries. J. Algorithms 41(1), 69–85 (2001)
A. Kirsch, M. Mitzenmacher, U. Wieder, More robust hashing: cuckoo hashing with a stash. SIAM J. Comput., 39(4), 1543–1561, (2009)
K. Kurosawa, Y. Ohtaki, UC-secure searchable symmetric encryption, in Proceedings of the 16th International Conference on Financial Cryptography and Data Security (2012), pp. 285–298
K. Kurosawa, Y. Ohtaki, How to update documents verifiably in searchable symmetric encryption, in Proceedings of the 12th International Conference on Cryptology and Network Security (2013), pp. 309–328
S. Kamara, C. Papamanthou, Parallel and dynamic searchable symmetric encryption, in Proceedings of the 16th International Conference on Financial Cryptography and Data Security (2013), pp. 258–274
S. Kamara, C. Papamanthou, T. Roeder, Dynamic searchable symmetric encryption, in Proceedings of the 19th ACM Conference on Computer and Communications Security (2012), pp. 965–976
P.B. Miltersen, Cell probe complexity—a survey, in Proceedings of the 19th Conference on the Foundations of Software Technology and Theoretical Computer Science, Advances in Data Structures Workshop (1999)
A. Pagh, R. Pagh, Uniform hashing in constant time and optimal space. SIAM J. Comput. 38(1), 85–96 (2008)
R. Pagh, F.F. Rodler, Cuckoo hashing. J. Algorithms, 51(2), 122–144 (2004)
E. Stefanov, C. Papamanthou, E. Shi, Practical dynamic searchable encryption with small leakage, in Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)
D.X. Song, D. Wagner, A. Perrig, Practical techniques for searches on encrypted data, in Proceedings of the 21st Annual IEEE Symposium on Security and Privacy (2000), pp. 44–55
P. van Liesdonk, S. Sedghi, J. Doumen, P.H. Hartel, W. Jonker, Computationally efficient searchable symmetric encryption, in Proceedings of 7th VLDB Workshop on Secure Data Management (2010), pp. 87–100
Acknowledgements
So in total, the space overhead is O(N).
Funding
Open Access funding enabled and organized by Projekt DEAL.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Stefano Tessaro.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
A preliminary version of this work appeared in Advances in Cryptology – CRYPTO ’18
Gilad Asharov: Most of the work was done while at Cornell Tech, supported by a Junior Fellow award from the Simons Foundation
Gil Segev: Supported by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), and by the US-Israel Binational Science Foundation (Grant No. 2014632)
Ido Shahaf: Supported by the Clore Israel Foundation via the Clore Scholars Programme.
Rights and permissions
About this article
Cite this article
Asharov, G., Segev, G. & Shahaf, I. Tight Tradeoffs in Searchable Symmetric Encryption. J Cryptol 34, 9 (2021). https://doi.org/10.1007/s00145-020-09370-z
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s00145-020-09370-z