Tight Tradeoffs in Searchable Symmetric Encryption

  • Gilad Asharov
  • Gil Segev
  • Ido ShahafEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)


A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT ’14) and Asharov et al. (STOC ’16) to construct SSE schemes offering various such tradeoffs, and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed.

We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the “pad-and-split” framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality L must use space \(\varOmega ( N \log N / \log L )\) for databases of size N. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD ’17) which is captured by our pad-and-split framework.

Then, within the “statistical-independence” framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive \(O(\log \log \log N)\) factor in its read efficiency, once again improving upon the existing schemes. Our scheme offers optimal space and locality, and nearly-optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with \(n = N^{1 - \epsilon (n)}\) document identifiers, the read efficiency is \(\omega (1) \cdot {\epsilon }(n)^{-1}+ O(\log \log \log N)\) when retrieving its identifiers (where the \(\omega (1)\) term may be arbitrarily small, and \(\omega (1) \cdot {\epsilon }(n)^{-1}\) is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most \(N^{1 - 1/o(\log \log \log N)}\) document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency \(O(\log \log \log N)\) when retrieving its identifiers.


  1. 1.
    Arbitman, Y., Naor, M., Segev, G.: Backyard cuckoo hashing: constant worst-case operations with a succinct representation. In: Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 787–796 (2010)Google Scholar
  2. 2.
    Asharov, G., Naor, M., Segev, G., Shahaf, I.: Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations. In: Proceedings of the 48th Annual ACM Symposium on Theory of Computing, pp. 1101–1114 (2016)Google Scholar
  3. 3.
    Asharov, G., Segev, G., Shahaf, I.: Tight tradeoffs in searchable symmetric encryption. Cryptology ePrint Archive, Report 2018/507 (2018).
  4. 4.
    Aumüller, M., Dietzfelbinger, M., Woelfel, P.: Explicit and efficient hash families suffice for cuckoo hashing with a stash. Algorithmica 70(3), 428–456 (2014)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Proceedings of the 22nd ACM Conference on Computer and Communications Security, pp. 668–679 (2015)Google Scholar
  6. 6.
    Cash, D., Jaeger, J., Jarecki, S., Jutla, C.S., Krawczyk, H., Rosu, M., Steiner, M.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)Google Scholar
  7. 7.
    Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). Scholar
  8. 8.
    Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368. Springer, Heidelberg (2014). Scholar
  9. 9.
    Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote encrypted data. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005). Scholar
  10. 10.
    Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). Scholar
  11. 11.
    Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 79–88 (2006)Google Scholar
  12. 12.
    Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: Improved definitions and efficient constructions. J. Comput. Secur. 19(5), 895–934 (2011)CrossRefGoogle Scholar
  13. 13.
    Demertzis, I. Papadopoulos, D., Papamanthou, C.: Searchable encryption with optimal locality: achieving sublogarithmic read efficiency. Cryptology ePrint Archive, Report 2017/749 (2017)Google Scholar
  14. 14.
    Demertzis, I., Papamanthou, C.: Fast searchable encryption with tunable locality. In: Proceedings of the 2017 ACM Special Interest Group on Management of Data (SIGMOD) Conference, pp. 1053–1067 (2017)Google Scholar
  15. 15.
    Dietzfelbinger, M., Pagh, R.: Succinct data structures for retrieval and approximate membership. In: Proceedings of the 35th International Colloquium on Automata, Languages and Programming, pp. 385–396 (2008)CrossRefGoogle Scholar
  16. 16.
    Goh, E.: Secure indexes. Cryptology ePrint Archive, Report 2003/216 (2003)Google Scholar
  17. 17.
    Hagerup, T.: Sorting and searching on the word RAM. In: Proceedings of the 15th Annual Symposium on Theoretical Aspects of Computer Science, pp. 366–398 (1998)CrossRefGoogle Scholar
  18. 18.
    Hagerup, T., Miltersen, P.B., Pagh, R.: Deterministic dictionaries. J. Algorithms 41(1), 69–85 (2001)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Proceedings of the 16th International Conference on Financial Cryptography and Data Security, pp. 258–274 (2013)CrossRefGoogle Scholar
  20. 20.
    Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: Proceedings of the 19th ACM Conference on Computer and Communications Security, pp. 965–976 (2012)Google Scholar
  21. 21.
    Kirsch, A., Mitzenmacher, M., Wieder, U.: More robust hashing: cuckoo hashing with a stash. SIAM J. Comput. 39(4), 1543–1561 (2009)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Kurosawa, K., Ohtaki, Y.: UC-secure searchable symmetric encryption. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 285–298. Springer, Heidelberg (2012). Scholar
  23. 23.
    Kurosawa, K., Ohtaki, Y.: How to update documents verifiably in searchable symmetric encryption. In: Proceedings of the 12th International Conference on Cryptology and Network Security, pp. 309–328 (2013)CrossRefGoogle Scholar
  24. 24.
    Miltersen, P.B.: Cell probe complexity - a survey. In: Proceedings of the 19th Conference on the Foundations of Software Technology and Theoretical Computer Science, Advances in Data Structures Workshop (1999)Google Scholar
  25. 25.
    Pagh, A., Pagh, R.: Uniform hashing in constant time and optimal space. SIAM J. Comput. 38(1), 85–96 (2008)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Pagh, R., Rodler, F.F.: Cuckoo hashing. J. Algorithms 51(2), 122–144 (2004)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceedings of the 21st Annual IEEE Symposium on Security and Privacy, pp. 44–55 (2000)Google Scholar
  28. 28.
    Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)Google Scholar
  29. 29.
    van Liesdonk, P., Sedghi, S., Doumen, J., Hartel, P.H., Jonker, W.: Computationally efficient searchable symmetric encryption. In: Proceedings of 7th VLDB Workshop on Secure Data Management, pp. 87–100 (2010)Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Cornell TechNew YorkUSA
  2. 2.School of Computer Science and EngineeringHebrew University of JerusalemJerusalemIsrael

Personalised recommendations