International Association
for Cryptologic Research

Our web search queries reveal sensitive information about us: where we are (“Hikes in Toronto”), how we are feeling (“Causes of neck pain”), what we are doing (“How to find a lawyer”), and much more. Even if we use privacy-conscious search engines, such as DuckDuckGo, the search engine’s servers see our query strings in plaintext. As a result, search engines today accumulate a trove of sensitive data about us; this data is an attractive target for theft in a data breach, abuse by an authoritarian government, or sale to a third party. This talk will present Tiptoe, a search engine that learns nothing about what its users are searching for. With Tiptoe, a client sends only the encryption of its search query to the search engine’s servers. The search engine then executes a cryptographic protocol to identify the web pages that best answer the user’s query—without ever decrypting the query, without learning what the user is searching for, and without learning what search results it is sending back. Tiptoe’s privacy guarantee is based on cryptography alone; it does not require any trusted hardware or non-colluding servers. The Tiptoe search engine answers these queries in the span of seconds: searching over a public web crawl (360 million pages) incurs 57 MiB of client-server communication and 2.7 seconds of client-perceived latency.