DORY: An Encrypted Search System with Distributed Trust

Efficient, leakage-free search on encrypted data has remained an unsolved problem for the last two decades; efficient schemes are vulnerable to leakage-abuse attacks, and schemes that eliminate leakage are impractical to deploy. To overcome this tradeoff, we reexamine the system model. We surveyed five companies providing end-to-end encrypted filesharing to better understand what they require from an encrypted search system. Based on our findings, we design and build DORY, an encrypted search system that addresses real-world requirements and protects search access patterns; namely, when a user searches for a keyword over the files within a folder, the server learns only that a search happens in that folder, but does not learn which documents match the search, the number of documents that match, or other information about the keyword. DORY splits trust between multiple servers to protect against a malicious attacker who controls all but one of the servers. We develop new cryptographic and systems techniques to meet the efficiency and trust model requirements outlined by the companies we surveyed. We implement DORY and show that it performs orders of magnitude better than a baseline built on ORAM. Parallelized across 8 servers, each with 16 CPUs, DORY takes 116ms to search roughly 50K documents and 862ms to search over 1M documents.
