Strengthening the Security of Encrypted Databases: Non-transitive JOINs
Database management systems that operate over encrypted data are gaining significant commercial interest. CryptDB is one such notable system supporting a variety SQL queries over encrypted data (Popa et al., SOSP ’11). It is a practical system obtained by
- PDF / 509,387 Bytes
- 31 Pages / 439.37 x 666.142 pts Page_size
- 81 Downloads / 166 Views
Jerusalem, Israel School of Computer Science and Engineering, Hebrew University of Jerusalem, 91904 Jerusalem, Israel {segev,ido.shahaf}@cs.huji.ac.il 2
Abstract. Database management systems that operate over encrypted data are gaining significant commercial interest. CryptDB is one such notable system supporting a variety SQL queries over encrypted data (Popa et al., SOSP ’11). It is a practical system obtained by utilizing a number of encryption schemes, together with a new cryptographic primitive for supporting SQL’s join operator. This new primitive, an adjustable join scheme, is an encoding scheme that enables to generate tokens corresponding to any two database columns for computing their join given only their encodings. Popa et al. presented a framework for modeling the security of adjustable join schemes, but it is not completely clear what types of potential adversarial behavior it captures. Most notably, CryptDB’s join operator is transitive, and this may reveal a significant amount of sensitive information. In this work we put forward a strong and intuitive notion of security for adjustable join schemes, and argue that it indeed captures the security of such schemes: We introduce, in addition, natural simulation-based and indistinguishability-based notions (capturing the “minimal leakage” of such schemes), and prove that our notion is positioned between their adaptive and non-adaptive variants. Then, we construct an adjustable join scheme that satisfies our notion of security based on the linear assumption (or on the seemingly stronger matrix-DDH assumption for improved efficiency) in bilinear groups. Instantiating CryptDB with our scheme strengthens its security by providing a non-transitive join operator, while increasing the size of CryptDB’s encodings from one group element to four group elements based on the linear assumption (or two group elements based on the matrix-DDH assumption), and increasing the running time of the adjustment operation from that of computing one group exponentiation to that of computing four bilinear maps based on the linear assumption (or two bilinear maps based on the matrix-DDH assumption). Most importantly, however, the most critical and frequent operation underlying our scheme is comparison of single group elements as in CryptDB’s join scheme. I. Mironov and G. Segev—Work initiated at Microsoft Research Silicon Valley. c International Association for Cryptologic Research 2017 Y. Kalai and L. Reyzin (Eds.): TCC 2017, Part II, LNCS 10678, pp. 631–661, 2017. https://doi.org/10.1007/978-3-319-70503-3_21
632
1
I. Mironov et al.
Introduction
Database management systems operating over encrypted data are gaining significant commercial interest. CryptDB, designed by Popa et al. [37–40], is one such notable system that supports a variety of SQL queries over encrypted databases. It is a practical system offering a throughput loss of only 26% as compared to MySQL. We refer the reader to CryptDB’s project page for the growing list of companies and organizations that have already
Data Loading...