Searchable symmetric encryption: Optimal locality in linear space via two-dimensional balanced allocations

Gilad Asharov; Moni Naor; Gil Segev; Ido Shahaf

doi:10.1137/19M1303186

Searchable symmetric encryption: Optimal locality in linear space via two-dimensional balanced allocations

Gilad Asharov, Moni Naor, Gil Segev, Ido Shahaf

The Rachel and Selim Benin School of Engineering and Computer Science

Research output: Contribution to journal › Article › peer-review

Abstract

Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of noncontiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly optimal read efficiency. Specifically, for a database of size N, under the modest assumption that no keyword appears in more than N^{1−1/log log N} documents, we construct a scheme with read efficiency Õ(log log N). This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT'14) showing that any SSE scheme must be suboptimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency Õ(log N). Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (“balls and bins”) problem that we put forward. We construct nearly optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.

Original language	American English
Pages (from-to)	1501-1536
Number of pages	36
Journal	SIAM Journal on Computing
Volume	50
Issue number	5
DOIs	https://doi.org/10.1137/19M1303186
State	Published - 2021

Bibliographical note

Funding Information:
∗Received by the editors December 2, 2019; accepted for publication (in revised form) June 7, 2021; published electronically September 21, 2021. A preliminary and shorter version appeared in STOC ’16, ACM, New York, 2016, pp. 1101–1114. https://doi.org/10.1137/19M1303186 Funding: This work was supported in part by the Israel Science Foundation (grants 483/13, 950/15, 2439/20 and 2686/20), by the Israeli Centers of Research Excellence (I-CORE) Program (Center 4/11), by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, by the European Union’s Horizon 2020 research and innovation programme under the Marie Sk lodowska-Curie grant agreement 891234, and by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (grant 714253).

Funding Information:
We thank Raphael Bost, Ang?le Bossuat, Pierre-Alain Fouque, and Brice Minaud for observing that our bound on the probability of the event ?E0 in the proof of Theorem 3.2 was incorrect in a previous version of this paper. We additionally thank the SICOMP reviewers for their valuable comments.

Publisher Copyright:
© 2021 Society for Industrial and Applied Mathematics

Keywords

Balanced allocations
Locality
Searchable symmetric encryption

Access to Document

10.1137/19M1303186

Cite this

@article{3613b65b38c3492aabbfb5251a3d40c8,

title = "Searchable symmetric encryption: Optimal locality in linear space via two-dimensional balanced allocations",

abstract = "Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of noncontiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly optimal read efficiency. Specifically, for a database of size N, under the modest assumption that no keyword appears in more than N1−1/log log N documents, we construct a scheme with read efficiency {\~O}(log log N). This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT'14) showing that any SSE scheme must be suboptimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency {\~O}(log N). Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (“balls and bins”) problem that we put forward. We construct nearly optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.",

keywords = "Balanced allocations, Locality, Searchable symmetric encryption",

author = "Gilad Asharov and Moni Naor and Gil Segev and Ido Shahaf",

note = "Funding Information: ∗Received by the editors December 2, 2019; accepted for publication (in revised form) June 7, 2021; published electronically September 21, 2021. A preliminary and shorter version appeared in STOC {\textquoteright}16, ACM, New York, 2016, pp. 1101–1114. https://doi.org/10.1137/19M1303186 Funding: This work was supported in part by the Israel Science Foundation (grants 483/13, 950/15, 2439/20 and 2686/20), by the Israeli Centers of Research Excellence (I-CORE) Program (Center 4/11), by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister{\textquoteright}s Office, by the European Union{\textquoteright}s Horizon 2020 research and innovation programme under the Marie Sk lodowska-Curie grant agreement 891234, and by the European Union{\textquoteright}s Horizon 2020 Framework Program (H2020) via an ERC Grant (grant 714253). Funding Information: We thank Raphael Bost, Ang?le Bossuat, Pierre-Alain Fouque, and Brice Minaud for observing that our bound on the probability of the event ?E0 in the proof of Theorem 3.2 was incorrect in a previous version of this paper. We additionally thank the SICOMP reviewers for their valuable comments. Publisher Copyright: {\textcopyright} 2021 Society for Industrial and Applied Mathematics",

year = "2021",

doi = "10.1137/19M1303186",

language = "American English",

volume = "50",

pages = "1501--1536",

journal = "SIAM Journal on Computing",

issn = "0097-5397",

publisher = "Society for Industrial and Applied Mathematics Publications",

number = "5",

}

TY - JOUR

T1 - Searchable symmetric encryption

T2 - Optimal locality in linear space via two-dimensional balanced allocations

AU - Asharov, Gilad

AU - Naor, Moni

AU - Segev, Gil

AU - Shahaf, Ido

N1 - Funding Information: ∗Received by the editors December 2, 2019; accepted for publication (in revised form) June 7, 2021; published electronically September 21, 2021. A preliminary and shorter version appeared in STOC ’16, ACM, New York, 2016, pp. 1101–1114. https://doi.org/10.1137/19M1303186 Funding: This work was supported in part by the Israel Science Foundation (grants 483/13, 950/15, 2439/20 and 2686/20), by the Israeli Centers of Research Excellence (I-CORE) Program (Center 4/11), by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, by the European Union’s Horizon 2020 research and innovation programme under the Marie Sk lodowska-Curie grant agreement 891234, and by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (grant 714253). Funding Information: We thank Raphael Bost, Ang?le Bossuat, Pierre-Alain Fouque, and Brice Minaud for observing that our bound on the probability of the event ?E0 in the proof of Theorem 3.2 was incorrect in a previous version of this paper. We additionally thank the SICOMP reviewers for their valuable comments. Publisher Copyright: © 2021 Society for Industrial and Applied Mathematics

PY - 2021

Y1 - 2021

N2 - Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of noncontiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly optimal read efficiency. Specifically, for a database of size N, under the modest assumption that no keyword appears in more than N1−1/log log N documents, we construct a scheme with read efficiency Õ(log log N). This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT'14) showing that any SSE scheme must be suboptimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency Õ(log N). Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (“balls and bins”) problem that we put forward. We construct nearly optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.

AB - Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of noncontiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly optimal read efficiency. Specifically, for a database of size N, under the modest assumption that no keyword appears in more than N1−1/log log N documents, we construct a scheme with read efficiency Õ(log log N). This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT'14) showing that any SSE scheme must be suboptimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency Õ(log N). Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (“balls and bins”) problem that we put forward. We construct nearly optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.

KW - Balanced allocations

KW - Locality

KW - Searchable symmetric encryption

UR - http://www.scopus.com/inward/record.url?scp=85116777435&partnerID=8YFLogxK

U2 - 10.1137/19M1303186

DO - 10.1137/19M1303186

M3 - Article

AN - SCOPUS:85116777435

SN - 0097-5397

VL - 50

SP - 1501

EP - 1536

JO - SIAM Journal on Computing

JF - SIAM Journal on Computing

IS - 5

ER -

Searchable symmetric encryption: Optimal locality in linear space via two-dimensional balanced allocations

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this