Advertisement

Full Database Reconstruction with Access and Search Pattern Leakage

  • Evangelia Anna MarkatouEmail author
  • Roberto Tamassia
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11723)

Abstract

The widespread use of cloud computing has enabled several database providers to store their data on servers in the cloud and answer queries from those servers. In order to protect the confidentiality of data in the cloud, a database can be stored in encrypted form and all queries can be executed on the encrypted database. Recent research results suggest that a curious cloud provider may be able to decrypt some of the items in the database after seeing a large number of queries and their (encrypted) results. In this paper, we focus on one-dimensional databases that support range queries and develop an attack that can achieve full database reconstruction, inferring the exact value of every element in the database. We consider an encrypted database whose records have values from a given universe of N consecutive integers. Our attack assumes access pattern and search pattern leakage. It succeeds after the attacker has seen each of the possible query results at least once, independent of their distribution. If we assume that the client issues queries uniformly at random, we can decrypt the entire database with high probability after observing \(O(N^2 \log N)\) queries.

Notes

Acknowledgments

We would like to thank Thibaut Bagory, Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, and Kenneth G. Paterson and for their helpful comments and suggestions on a previous version of this paper.

References

  1. 1.
    Booth, K.S., Lueker, G.S.: Testing for the consecutive ones property, interval graphs, and graph planarity using PQ-tree algorithms. J. Comput. Syst. Sci. 13(3), 335–379 (1976)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2015)Google Scholar
  3. 3.
    Dautrich Jr., J.L., Ravishankar, C.V.: Compromising privacy in precise query protocols. In: Proceedings of the International Conference on Extending Database Technology, EDBT (2013)Google Scholar
  4. 4.
    Demertzis, I., Papadopoulos, S., Papapetrou, O., Deligiannakis, A., Garofalakis, M.: Practical private range search revisited. In: Proceedings of the ACM International Conference on Management of Data, SIGMOD (2016)Google Scholar
  5. 5.
    Durak, F.B., DuBuisson, T.M., Cash, D.: What else is revealed by order-revealing encryption? In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2016)Google Scholar
  6. 6.
    Grubbs, P., Lacharité, M., Minaud, B., Paterson, K.G.: Learning to reconstruct: statistical learning theory and encrypted database attacks. In: IEEE Symposium on Security and Privacy, pp. 513–529 (2019)Google Scholar
  7. 7.
    Grubbs, P., Lacharité, M.S., Minaud, B., Paterson, K.G.: Pump up the volume: practical database reconstruction from volume leakage on range queries. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2018)Google Scholar
  8. 8.
    Grubbs, P., Lacharité, M.S., Minaud, B., Paterson, K.G.: Learning to reconstruct: statistical learning theory and encrypted database attacks. Cryptology ePrint Archive, Report 2019/011 (2019). https://eprint.iacr.org/2019/011
  9. 9.
    Grubbs, P., McPherson, R., Naveed, M., Ristenpart, T., Shmatikov, V.: Breaking web applications built on top of encrypted data. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2016)Google Scholar
  10. 10.
    Grubbs, P., Ristenpart, T., Shmatikov, V.: Why your encrypted database is not secure. In: Proceedings of the Workshop on Hot Topics in Operating Systems, HotOS (2017)Google Scholar
  11. 11.
    Grubbs, P., Sekniqi, K., Bindschaedler, V., Naveed, M., Ristenpart, T.: Leakage-abuse attacks against order-revealing encryption. In: 2017 IEEE Symposium on Security and Privacy, SP (2017)Google Scholar
  12. 12.
    Kamara, S., Moataz, T.: Computationally volume-hiding structured encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 183–213. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-17656-3_7CrossRefGoogle Scholar
  13. 13.
    Kamara, S., Moataz, T., Ohrimenko, O.: Structured encryption and leakage suppression. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 339–370. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-96884-1_12CrossRefGoogle Scholar
  14. 14.
    Kellaris, G., Kollios, G., Nissim, K., O’Neill, A.: Generic attacks on secure outsourced databases. In: Proceedings of the ACM Conference on Computer and Communications Security. ACM (2016)Google Scholar
  15. 15.
    Kornaropoulos, E.M., Papamanthou, C., Tamassia, R.: Data recovery on encrypted databases with \(k\)-nearest neighbor query leakage. In: Proceedings of the IEEE Symposium on Security and Privacy, SP, pp. 245–262 (2019)Google Scholar
  16. 16.
    Kornaropoulos, E.M., Papamanthou, C., Tamassia, R.: The state of the uniform: attacks on encrypted databases beyond the uniform query distribution. Cryptology ePrint Archive, Report 2019/441 (2019). https://eprint.iacr.org/2019/441
  17. 17.
    Kornaropoulos, E.M., Papamanthou, C., Tamassia, R.: The state of the uniform: attacks on encrypted databases beyond the uniform query distribution. In: Proceedings of the IEEE Symposium on Security and Privacy, SP (2020, to appear)Google Scholar
  18. 18.
    Lacharité, M.S., Minaud, B., Paterson, K.G.: Improved reconstruction attacks on encrypted data using range query leakage. In: Proceedings of the IEEE Symposium on Security and Privacy, SP (2018)Google Scholar
  19. 19.
    Pouliot, D., Wright, C.V.: The shadow nemesis: inference attacks on efficiently deployable, efficiently searchable encryption. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2016)Google Scholar
  20. 20.
    Zhang, Y., Katz, J., Papamanthou, C.: All your queries are belong to us: the power of file-injection attacks on searchable encryption. In: Proceedings of the USENIX Security Symposium (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Brown UniversityProvidenceUSA

Personalised recommendations