TY - JOUR
T1 - Tight Tradeoffs in Searchable Symmetric Encryption
AU - Asharov, Gilad
AU - Segev, Gil
AU - Shahaf, Ido
N1 - Publisher Copyright:
© 2021, International Association for Cryptologic Research.
PY - 2021/4
Y1 - 2021/4
N2 - A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT ’14) and Asharov et al. (STOC ’16) to construct SSE schemes offering various such tradeoffs and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed. We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the “pad-and-split” framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality L must use space Ω (Nlog N/ log L) for databases of size N. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD ’17) which is captured by our pad-and-split framework. Then, within the “statistical-independence” framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive O(log log log N) factor in its read efficiency, once again improving upon the existing schemes. Our scheme offers optimal space and locality, and nearly optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with n= N1-ϵ(n) document identifiers, the read efficiency is ω(1) · ϵ(n) - 1+ O(log log log N) when retrieving its identifiers (where the ω(1) term may be arbitrarily small, and ω(1) · ϵ(n) - 1 is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most N1-1/o(logloglogN) document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency O(log log log N) when retrieving its identifiers.
AB - A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT ’14) and Asharov et al. (STOC ’16) to construct SSE schemes offering various such tradeoffs and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed. We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the “pad-and-split” framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality L must use space Ω (Nlog N/ log L) for databases of size N. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD ’17) which is captured by our pad-and-split framework. Then, within the “statistical-independence” framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive O(log log log N) factor in its read efficiency, once again improving upon the existing schemes. Our scheme offers optimal space and locality, and nearly optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with n= N1-ϵ(n) document identifiers, the read efficiency is ω(1) · ϵ(n) - 1+ O(log log log N) when retrieving its identifiers (where the ω(1) term may be arbitrarily small, and ω(1) · ϵ(n) - 1 is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most N1-1/o(logloglogN) document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency O(log log log N) when retrieving its identifiers.
KW - Balls and bins
KW - Locality
KW - Searchable symmetric encryption
UR - http://www.scopus.com/inward/record.url?scp=85099779322&partnerID=8YFLogxK
U2 - 10.1007/s00145-020-09370-z
DO - 10.1007/s00145-020-09370-z
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???
AN - SCOPUS:85099779322
SN - 0933-2790
VL - 34
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 2
M1 - 9
ER -