Strengthening the security of encrypted databases: Non-transitive JOINs

Ilya Mironov, Gil Segev*, Ido Shahaf

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

7 Scopus citations


Database management systems that operate over encrypted data are gaining significant commercial interest. CryptDB is one such notable system supporting a variety SQL queries over encrypted data (Popa et al., SOSP ’11). It is a practical system obtained by utilizing a number of encryption schemes, together with a new cryptographic primitive for supporting SQL’s join operator. This new primitive, an adjustable join scheme, is an encoding scheme that enables to generate tokens corresponding to any two database columns for computing their join given only their encodings. Popa et al. presented a framework for modeling the security of adjustable join schemes, but it is not completely clear what types of potential adversarial behavior it captures. Most notably, CryptDB’s join operator is transitive, and this may reveal a significant amount of sensitive information. In this work we put forward a strong and intuitive notion of security for adjustable join schemes, and argue that it indeed captures the security of such schemes: We introduce, in addition, natural simulation-based and indistinguishability-based notions (capturing the “minimal leakage” of such schemes), and prove that our notion is positioned between their adaptive and non-adaptive variants. Then, we construct an adjustable join scheme that satisfies our notion of security based on the linear assumption (or on the seemingly stronger matrix-DDH assumption for improved efficiency) in bilinear groups. Instantiating CryptDB with our scheme strengthens its security by providing a non-transitive join operator, while increasing the size of CryptDB’s encodings from one group element to four group elements based on the linear assumption (or two group elements based on the matrix-DDH assumption), and increasing the running time of the adjustment operation from that of computing one group exponentiation to that of computing four bilinear maps based on the linear assumption (or two bilinear maps based on the matrix-DDH assumption). Most importantly, however, the most critical and frequent operation underlying our scheme is comparison of single group elements as in CryptDB’s join scheme.

Original languageAmerican English
Title of host publicationTheory of Cryptography - 15th International Conference, TCC 2017, Proceedings
EditorsYael Kalai, Leonid Reyzin
PublisherSpringer Verlag
Number of pages31
ISBN (Print)9783319705026
StatePublished - 2017
Event15th International Conference on Theory of Cryptography, TCC 2017 - Baltimore, United States
Duration: 12 Nov 201715 Nov 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10678 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference15th International Conference on Theory of Cryptography, TCC 2017
Country/TerritoryUnited States

Bibliographical note

Publisher Copyright:
© 2017, International Association for Cryptologic Research.


Dive into the research topics of 'Strengthening the security of encrypted databases: Non-transitive JOINs'. Together they form a unique fingerprint.

Cite this