International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Authors:
Sarvar Patel , Google LLC
Giuseppe Persiano , University of Salerno
Kevin Yeo , Google LLC
Download:
DOI: http://dx.doi.org/10.1007/978-3-030-56784-2_15 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2020
Abstract: Encrypted multi-maps (EMMs) enable clients to outsource the storage of a multi-map to a potentially untrusted server while maintaining the ability to perform operations in a privacy-preserving manner. EMMs are an important primitive as they are an integral building block for many practical applications such as searchable encryption and encrypted databases. In this work, we formally examine the tradeoffs between privacy and efficiency for EMMs. Currently, all known dynamic EMMs with constant overhead reveal if two operations are performed on the same key or not that we denote as the global key-equality pattern. In our main result, we present strong evidence that the leakage of the global key-equality pattern is inherent for any dynamic EMM construction with $O(1)$ efficiency. In particular, we consider the slightly smaller leakage of decoupled key-equality pattern where leakage of key-equality between update and query operations is decoupled and the adversary only learns whether two operations of the same type are performed on the same key or not. We show that any EMM with at most decoupled key-equality pattern leakage incurs $\Omega(\log n)$ overhead in the leakage cell probe model. This is tight as there exist ORAM-based constructions of EMMs with logarithmic slowdown that leak no more than the decoupled key-equality pattern (and actually, much less). Furthermore, we present stronger lower bounds that encrypted multi-maps leaking at most the decoupled key-equality pattern but are able to perform one of either the update or query operations in the plaintext still require $\Omega(\log n)$ overhead. Finally, we extend our lower bounds to show that dynamic, response-hiding searchable encryption schemes must also incur $\Omega(log n)$ overhead even when one of either the document updates or searches may be performed in the plaintext.
Video from CRYPTO 2020
BibTeX
@inproceedings{crypto-2020-30406,
  title={Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model},
  publisher={Springer-Verlag},
  doi={http://dx.doi.org/10.1007/978-3-030-56784-2_15},
  author={Sarvar Patel and Giuseppe Persiano and Kevin Yeo},
  year=2020
}