Skip to main content
SpringerLink
Log in

Encrypted Key-Value Stores

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2020 (INDOCRYPT 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12578))

Included in the following conference series:

Abstract

Distributed key-value stores (KVS) are distributed databases that enable fast access to data distributed across a network of nodes. Prominent examples include Amazon’s Dynamo, Facebook’s Cassandra, Google’s BigTable and LinkedIn’s Voldemort. The design of secure and private key-value stores is an important problem because these systems are being used to store an increasing amount of sensitive data. Encrypting data at rest and decrypting it before use, however, is not enough because each decryption exposes the data and increases its likelihood of being stolen. End-to-end encryption, where data is kept encrypted at all times, is the best way to ensure data confidentiality.

In this work, we study end-to-end encryption in distributed KVSs. We introduce the notion of an encrypted KVS and provide formal security definitions that capture the properties one would desire from such a system. We propose and analyze a concrete encrypted KVS construction which can be based on any unencrypted KVS. We first show that this construction leaks at most the operation equality (i.e., if and when two unknown queries are for the same search key) which is standard for similar schemes in the non-distributed setting. However, we also show that if the underlying KVS satisfies read your writes consistency, then the construction only leaks the operation equality of search keys that are handled by adversarially corrupted nodes—effectively showing that a certain level of consistency can improve the security of a system. In addition to providing the first formally analyzed end-to-end encrypted key-value store, our work identifies and leverages new and interesting connections between distributed systems and cryptography.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    In this work we use the term label and reserve the term key to denote cryptographic keys.

  2. 2.

    Note that the operation equality is a common leakage pattern in practical ESAs.

  3. 3.

    For KVSs that allow their clients to connect directly to the replicas and do not use front end nodes, the abstraction can drop the \(\mathsf {fe}\) mapping and be adjusted in the natural way.

  4. 4.

    Note that for simplicity, we assume that \(\psi \) maps labels to a single address. This however can be extended in a straightforward way where \(\psi \) maps a label to multiple addresses. This would be required to model KVSs where replicas of a label are independent of each other.

  5. 5.

    This is true for every KVS we are aware of [25, 43, 54, 55].

References

  1. Apache ignite. https://ignite.apache.org/

  2. Couchbase. https://www.couchbase.com/

  3. FoundationDB. https://www.foundationdb.org/

  4. MemcacheDB. https://github.com/LMDB/memcachedb/

  5. Redis. https://redis.io/

  6. XAP. https://www.gigaspaces.com/

  7. Agarwal, A., Kamara, S.: Encrypted distributed hash tables. Cryptology ePrint Archive, Report 2019/1126 (2019). https://eprint.iacr.org/2019/1126

  8. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Order preserving encryption for numeric data. In: ACM SIGMOD International Conference on Management of Data, pp. 563–574 (2004)

    Google Scholar 

  9. Asharov, G., Naor, M., Segev, G., Shahaf, I.: Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations. In: ACM Symposium on Theory of Computing, STOC 2016, pp. 1101–1114. ACM, New York (2016)

    Google Scholar 

  10. Asharov, G., Segev, G., Shahaf, I.: Tight tradeoffs in searchable symmetric encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_14

    Chapter  MATH  Google Scholar 

  11. Bailis, P., Ghodsi, A., Hellerstein, J.M., Stoica, I.: Bolt-on causal consistency. In: Proceedings of the 2013 ACM SIGMOD International Conference on Management of Data, pp. 761–772 (2013)

    Google Scholar 

  12. Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_30

    Chapter  Google Scholar 

  13. Blackstone, L., Kamara, S., Moataz, T.: Revisiting leakage abuse attacks. In: Network and Distributed System Security Symposium (NDSS 2020) (2020)

    Google Scholar 

  14. Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_13

    Chapter  Google Scholar 

  15. Bost, R.: Sophos - forward secure searchable encryption. In: ACM Conference on Computer and Communications Security (CCS 2016) (2016)

    Google Scholar 

  16. Bost, R., Minaud, B., Ohrimenko, O.: Forward and backward private searchable encryption from constrained cryptographic primitives. In: ACM Conference on Computer and Communications Security (CCS 2017) (2017)

    Google Scholar 

  17. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)

    Google Scholar 

  18. Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: ACM Conference on Communications and Computer Security (CCS 2015), pp. 668–679. ACM (2015)

    Google Scholar 

  19. Cash, D., et al.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: Network and Distributed System Security Symposium (NDSS 2014) (2014)

    Google Scholar 

  20. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_20

    Chapter  Google Scholar 

  21. Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_20

    Chapter  Google Scholar 

  22. Chang, F., et al.: BigTable: a distributed storage system for structured data. ACM Trans. Comput. Syst. (TOCS) 26(2), 4 (2008)

    Article  Google Scholar 

  23. Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_33

    Chapter  Google Scholar 

  24. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: ACM Conference on Computer and Communications Security (CCS 2006), pp. 79–88. ACM (2006)

    Google Scholar 

  25. DeCandia, G., et al.: Dynamo: amazon’s highly available key-value store. ACM SIGOPS Oper. Syst. Rev. 41, 205–220 (2007)

    Article  Google Scholar 

  26. Demertzis, I., Papadopoulos, D., Papamanthou, C.: Searchable encryption with optimal locality: achieving sublogarithmic read efficiency. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 371–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_13

    Chapter  Google Scholar 

  27. Demertzis, I., Papamanthou, C.: Fast searchable encryption with tunable locality. In: ACM International Conference on Management of Data, SIGMOD 2017, pp. 1053–1067. ACM, New York (2017)

    Google Scholar 

  28. Etemad, M., Küpçü, A., Papamanthou, C., Evans, D.: Efficient dynamic searchable encryption with forward privacy. PoPETs 2018(1), 5–20 (2018)

    Google Scholar 

  29. Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 123–145. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_7

    Chapter  Google Scholar 

  30. Fisch, B.A., et al.: Malicious-client security in blind seer: a scalable private DBMS. In: IEEE Symposium on Security and Privacy, pp. 395–410. IEEE (2015)

    Google Scholar 

  31. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: ACM Symposium on Theory of Computing (STOC 2009), pp. 169–178. ACM Press (2009)

    Google Scholar 

  32. Goh, E.-J.: Secure indexes. Technical report 2003/216, IACR ePrint Cryptography Archive (2003). http://eprint.iacr.org/2003/216

  33. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)

    Article  MathSciNet  Google Scholar 

  34. Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In: Network and Distributed System Security Symposium (NDSS 2012) (2012)

    Google Scholar 

  35. Kaashoek, M.F., Karger, D.R.: Koorde: a simple degree-optimal distributed hash table. In: Kaashoek, M.F., Stoica, I. (eds.) IPTPS 2003. LNCS, vol. 2735, pp. 98–107. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45172-3_9

    Chapter  Google Scholar 

  36. Kamara, S., Moataz, T.: Boolean searchable symmetric encryption with worst-case sub-linear complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 94–124. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_4

    Chapter  Google Scholar 

  37. Kamara, S., Moataz, T.: SQL on structurally-encrypted databases. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 149–180. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_6

    Chapter  Google Scholar 

  38. Kamara, S., Moataz, T.: Computationally volume-hiding structured encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 183–213. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_7

    Chapter  Google Scholar 

  39. Kamara, S., Moataz, T., Ohrimenko, O.: Structured encryption and leakage suppression. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 339–370. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_12

    Chapter  Google Scholar 

  40. Kamara, S., Moataz, T., Zdonik, S., Zhao, Z.: An optimal relational database encryption scheme. Cryptology ePrint Archive, Report 2020/274 (2020). https://eprint.iacr.org/2020/274

  41. Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258–274. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_22

    Chapter  Google Scholar 

  42. Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: ACM Conference on Computer and Communications Security (CCS 2012). ACM Press (2012)

    Google Scholar 

  43. Lakshman, A., Malik, P.: Cassandra: a decentralized structured storage system. ACM SIGOPS Oper. Syst. Rev. 44(2), 35–40 (2010)

    Article  Google Scholar 

  44. Lloyd, W., Freedman, M.J., Kaminsky, M., Andersen, D.G.: Don’t settle for eventual: scalable causal consistency for wide-area storage with COPS. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 401–416 (2011)

    Google Scholar 

  45. Lloyd, W., Freedman, M.J., Kaminsky, M., Andersen, D.G.: Stronger semantics for low-latency geo-replicated storage. In: Presented as Part of the 10th \(\{\)USENIX\(\}\) Symposium on Networked Systems Design and Implementation (\(\{\)NSDI\(\}\) 2013), pp. 313–328 (2013)

    Google Scholar 

  46. Macedo, R., et al.: A practical framework for privacy-preserving NoSQL databases. In: 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS), pp. 11–20. IEEE (2017)

    Google Scholar 

  47. Maymounkov, P., Mazières, D.: Kademlia: a peer-to-peer information system based on the XOR metric. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 53–65. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45748-8_5

    Chapter  MATH  Google Scholar 

  48. Meng, X., Kamara, S., Nissim, K., Kollios, G.: GRECS: graph encryption for approximate shortest distance queries. In: ACM Conference on Computer and Communications Security (CCS 2015) (2015)

    Google Scholar 

  49. Pappas, V., et al.: Blind seer: a scalable private DBMS. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 359–374. IEEE (2014)

    Google Scholar 

  50. Poddar, R., Boelter, T., Popa, R.A.: Arx: an encrypted database using semantically secure encryption. Proc. VLDB Endow. 12(11), 1664–1678 (2019)

    Article  Google Scholar 

  51. Song, D., Wagner, D., Perrig, A.: Practical techniques for searching on encrypted data. In: IEEE Symposium on Research in Security and Privacy, pp. 44–55. IEEE Computer Society (2000)

    Google Scholar 

  52. Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: Network and Distributed System Security Symposium (NDSS 2014) (2014)

    Google Scholar 

  53. Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.: Chord: a scalable peer-to-peer lookup service for internet applications. ACM SIGCOMM Comput. Commun. Rev. 31(4), 149–160 (2001)

    Article  Google Scholar 

  54. Sumbaly, R., Kreps, J., Gao, L., Feinberg, A., Soman, C., Shah, S.: Serving large-scale batch computed data with project Voldemort. In: Proceedings of the 10th USENIX conference on File and Storage Technologies, p. 18. USENIX Association (2012)

    Google Scholar 

  55. Basho Technologies: Riak. https://docs.basho.com/riak/kv/2.2.2/learn/dynamo/

  56. Wu, Z., Butkiewicz, M., Perkins, D., Katz-Bassett, E., Madhyastha, H.V.: SPANStore: cost-effective geo-replicated storage spanning multiple cloud services. In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, pp. 292–308 (2013)

    Google Scholar 

  57. Zheng, W., Li, F., Popa, R.A., Stoica, I., Agarwal, R.: MiniCrypt: reconciling encryption and compression for big data stores. In: Proceedings of the Twelfth European Conference on Computer Systems, pp. 191–204 (2017)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Brown University, Providence, USA

    Archita Agarwal & Seny Kamara

Authors
  1. Archita Agarwal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Seny Kamara
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Archita Agarwal .

Editor information

Editors and Affiliations

  1. Inria Paris, Paris, France

    Karthikeyan Bhargavan

  2. University of Klagenfurt, Klagenfurt, Austria

    Elisabeth Oswald

  3. Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Mumbai, Maharashtra, India

    Manoj Prabhakaran

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Agarwal, A., Kamara, S. (2020). Encrypted Key-Value Stores. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds) Progress in Cryptology – INDOCRYPT 2020. INDOCRYPT 2020. Lecture Notes in Computer Science(), vol 12578. Springer, Cham. https://doi.org/10.1007/978-3-030-65277-7_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-65277-7_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65276-0

  • Online ISBN: 978-3-030-65277-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation