Pushing the Limits of Encrypted Databases with Secure Hardware

09/07/2018 ∙ by Panagiotis Antonopoulos, et al. ∙ Microsoft 0

Encrypted databases have been studied for more than 10 years and are quickly emerging as a critical technology for the cloud. The current state of the art is to use property-preserving encrypting techniques (e.g., deterministic encryption) to protect the confidentiality of the data and support query processing at the same time. Unfortunately, these techniques have many limitations. Recently, trusted computing platforms (e.g., Intel SGX) have emerged as an alternative to implement encrypted databases. This paper demonstrates some vulnerabilities and the limitations of this technology, but it also shows how to make best use of it in order to improve on confidentiality, functionality, and performance.



There are no comments yet.


page 1

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

After more than 10 years of research [18], encrypted databases are becoming a reality. There are a number of promising start-ups in this space (e.g., Privic, Cryptonor, and ZeroDB) and, among established vendors, Microsoft recently shipped the Always Encrypted feature for both the on-premise and cloud versions of SQL Server [28]. CryptDB [25] is a famous research system that has become iconic for the current popularity of encrypted database systems.

The goal of an encrypted database is to maintain confidentiality of the data. That is, the data should only be readable by the owner of the data and other entities who have been authorized by the owner of the data. The data should not be accessable to hackers who have gained control of the machine that hosts the database. In a cloud scenario, the data should not be accessable to the cloud provider, its administrators or to co-tenants who run other applications on the same machines. All these guarantees should be maintained under the strongest possible assumptions, including security vulnerabilities of the operating system and other libraries on the machine. At the same time, the goal is to run as much database functionality as possible (ideally, the full SQL standard and other modern features) and at the same cost and performance as a regular, non-encrypted database system.

To achieve these goals, all encrypted database systems have adopted an architecture that is called client-side encryption, depicted in Figure 1 [18, 1, 25, 26]. Data are encrypted on client machines, which are assumed to be secure and have access to all encryption keys. The encrypted data are sent from clients to the database server that stores the data persistently. Queries are issued by applications at the client and are rewritten by a DB driver to encrypt query constants. The rewritten, encrypted queries are then sent to the server and executed. The server returns encrypted query results, which are in turn decrypted by the DB driver at the client.

Figure 1: Client-side Encryption

To effect queries on encrypted data on the (untrusted) database server, the current generation of encrypted database systems leverage property-preserving encryption (PPE); this approach is often also referred to as partially homomorphic encryption. The key idea of PPE is that, depending on the encryption algorithm used, the database system can carry out operations upon the encrypted data without decrypting it. A prominent example is deterministic encryption (e.g., AES in ECB mode), which produces the same ciphertext when presented with the same plaintext; i.e., for two plaintext values, and , and a deterministic encryption function, enc(). As a result, the database system can evaluate equality predicates (point queries), equi-joins (e.g., foreign-key / primary key joins), and group-by operations. Another example is order-preserving encryption (OPE); e.g., [1, 9, 26, 24]. OPE has the following property: . With OPE, the database system can execute range predicates, Top N, and order-by operations directly on encrypted data. Finally, Paillier encryption [23] is a way to support arithmetics on encrypted data. Microsoft Always Encrypted is based on deterministic encryption [28] and CryptDB supports a variety of different PPE techniques [25].

Unfortunately, the state-of-the-art in property-preserving and homomorphic encryption has many limitations. PPE such as deterministic encryption, OPE, or Paillier is good to support a specific functionality; however, it does not compose. That is, there is no PPE scheme that supports both arithmetics (as with Paillier) and comparisons (as with deterministic): It is either one or the other so that it is not possible to process predicates of the form , if , , and

are encrypted. Furthermore, there is a great deal of SQL functionality (e.g., LIKE predicates with pattern matching) for which no good PPE technique is known. Finally, PPE techniques often do not preserve SQL semantics for errors; for instance, Paillier does not handle overflow errors correctly. Another problem of many PPE techniques is that they leak information, thereby compromising confidentiality for functionality

[22]. Full homomorphic encryption [13] overcomes these problems: It is general, can implement any circuit, and it is semantically secure. However, to date, full homomorphic encryption is impractical from a performance perspective.

Recent advances in trusted computing platforms have given rise to an alternative way to implement encrypted databases. These trusted computing platforms promise to provide strong security features and support arbitrary computation. IBM’s secure co-processor [20], Intel SGX [10], and FPGAs [11] are all based upon secure hardware which provides secure storage and compute capabilities. Similarly, special hypervisor extensions such as VSM [21] are designed to provide stronger isolation and code integrity guarantees. Figure 2 shows the extended encrypted database architecture that makes use of this technology. Here, the server is enhanced with a trusted computing platform that acts as a secure co-processor and runs a special process that we call the trusted machine (TM). Clients grant the TMs access to their encryption keys (through secure protocols), and the TMs can then compute any operation on the encrypted data by decrypting the data, carrying out the operation, and then encrypting the result. Projects that have explored this architecture are TrustedDB [7], Cipherbase [3, 4], Haven [8], and VC3 [27].

Figure 2: Client-side Encryption with Server-Side Trusted Machine

Such trusted computing platforms do not have the limitations of PPE or full homomorphic encryption: They are Turing-complete and have acceptable performance. For instance, such TMs can compose functionality to support comparisons and arithmetics on the same encrypted data. Furthermore, they are reasonably secure: There are known side-channel attacks for Intel SGX [10], but the technology is only going to get better. Despite all these features, it is nevertheless challenging to build an encrypted database system using trusting computing platforms. As we will show in this paper, if not done correctly, all the security advantages of trusted computing platforms are gone and attackers can easily get access to confidential and encrypted data. Furthermore, there are still some basic database features such as integrity constraints and certain kinds of updates that cannot be implemented without leaking information even when using such trusted computing platforms and assuming that they are secure.

This paper makes three contributions. First, it generalizes and formalizes the definition of an encrypted database system whose implementation is based on a trusted computing platform (Section 2). Based on this formalization, our second contribution is to demonstrate novel attacks on encrypted database systems with trusted computing platforms that have not been studied before (Section 3). Given these attacks, it becomes clear that it is not possible to build a perfect encrypted database system that leaks no information on confidential data, implements the full SQL standard, and has good performance for any SQL query, even assuming that the trusted computing platform is fully secure and not subject to side-channel attacks, bugs, or other vulnerabilities. Based on this observation, our third and arguably most important contribution is a clean characterization of different levels of confidentiality. Specifically, we study a scheme to implement an encrypted database that leaks no information, is able to process all read-only queries, but has both functional and performance limitations. Furthermore, we study relaxed schemes that have good performance and implement (almost) the full SQL standard, but are subject to potential inference attacks. While non of these schemes are perfect, they dominate state-of-the-art encrypted systems that are based on PPE (e.g., CryptDB and Always Encrypted) in all regards: functionality, performance, and confidentiality.

2 Encrypted Databases

This section gives a formal definition of an encrypted database. This definition generalizes the definitions used in related projects such as CryptDB [25] and Microsoft Always Encrypted [28]. This definition helps us to reason about attacks on encrypted databases and different levels of confidentiality (Sections 3 to 6).

Encrypted databases allow users to specify which data is confidential and needs to be encrypted and which kinds of operations are supported on which data. For instance, credit card numbers are typically declared to be confidential; equality is often needed to validate a credit card number, but range predicates and arithmetics are rarely needed on credit card numbers. As another example, salaries are also confidential in many applications, but often require a broader set of operations, including arithmetics; e.g., raise a salary by 10 percent.

In systems that are based on PPE (like CryptDB and Always Encrypted), the encryption method implicitly determines the set of operations. In systems that make use of trusted computing platforms, the set of operations on an encrypted column needs to be specified explicitly. As will become clear in Sections 3 and later, it is exactly this specification of the functionality that determines the confidentiality, performance, and functionality of an encrypted database. It will also become clear that there are many ways to effect different functionality and that unfortunately, it is easy to get wrong.

2.1 Confidential Data Types

Like any other relational database, an encrypted database is a collection of tables. Each table has a schema that specifies the name of the table and the types of all the columns of the table. What makes an encrypted database special is that the type of a column can be a confidential type (or encrypted type), indicating that the values of this column need to be encrypted.

In general, a type of an encrypted SQL database is defined by its domain, its encryption method, and a key to encrypt values of that type. More formally, a type is a triple, .


Just as in any other programming environment, the domain of a type defines all the values that an instance of that type may have. In SQL, the domain of a type may include null values. Furthermore, we encode errors as special values of the domain to better compose functions in the event of errors (Section 5). For instance, the Integer domain includes error values that represent the result of “1 / 0” (division-by-zero error) and overflows.

A domain is length indistinguishable if any two values in the domain have the same representational length. A domain is length bounded if there exists an upper bound for the representational length of any value in the domain. For example, char(n) is length indistinguishable, while varchar(n)

is length bounded. A length bounded domain can be made length indistinguishable by padding. Length indistinguishability is important for formal confidentiality statements because standard encryption schemes such as AES on strings reveal the length and unintended information might be inferred from this length in many applications.

Encryption Technique

In theory and for all of the discussions in this paper, two encryption algorithms are sufficient: (a) “probabilistic” (e.g., AES in CBC mode) encryption that is IND-CPA secure (indistinguishability against chosen plaintext) and (b) “plaintext” (i.e., not encrypted at all for non-confidential data). Any other encryption algorithm can be simulated in our type system with the help of rules (Section 2.2). In practice and for performance reasons, however, we will also consider PPE algorithms such as deterministic encryption (Section 5.2).

Encryption Key

The third component that defines a type is the encryption key. In practice, 256-bit AES keys are common. For plaintext, no key is needed; i.e., if plaintext.

2.1.1 Naming Conventions

In the remainder of this paper, we use the following naming conventions for types. First, we use Table.column or just column (if the table is clear) to denote the type of a specific column. For instance, Employee.name denotes the type of the name column of the Employee table.

Second, we often use “one-time-keys” to encrypt query constants or intermediate query results. One-time-keys are encryption keys that can be used only for a limited duration of time (e.g., in the context of processing a single query) and may not be used to encrypt any data that is persistently stored in the database. We denote types that are based on one-time-keys using the Temp keyword. For instance, Temp(Employee.name) denotes a type that has the same domain as Employee.name, uses a one-time-key which is different from the key of Employee.name, and may also differ in terms of the encryption technique from Employee.name. Temp(Integer) denotes a type that has the domain Integer, uses a one-time-key which is different from any other key used in the system, and has a custom-defined encryption technique. If the original type is unambigious, we just use Temp to denote a derived type with a one-time key.

Finally, we use the traditional names to denote plaintext types. For instance, Integer denotes the traditional, unencrypted Integer type, including the not-a-number (NAN) and null values for integers. Likewise, Boolean denotes the traditional, unencrypted Boolean type of SQL with its three-value logic.

2.2 Rules

We uses rules over types to control which operations are permitted over which types in an encrypted database. A rule is of the form:

Here, is an -ary function with domain and range . Such a rule specifies that the TM can execute over the inputs encrypted as specified by the input types and produces its outputs encrypted as specified by the output types. For example, we could provide rules for basic functions such as “add”, “divide”, or “equal”. A rule, however, can also specify more complex functions, predicates, and even user-defined functions. For instance, to evaluate predicates of the form on three encrypted integers, we could define the following rule: addEqual(EncryptedInteger, EncryptedInteger, EncryptedInteger) EncryptedBoolean.

For encrypted database that are based on PPE, the rules are defined implicitly; i.e., equal(T, T) Boolean, if is deterministically encrypted. In our more general setting that makes use of TMs, it is important to define and reason about all rules explicitly.

2.3 Schemas with Type Metadata

To integrate our type system into a relational database system, we propose to extend the SQL DDL in the following ways:

  • Declare and specify all the types used in the database.

  • Specify all the rules. Rules may only refer to declared types or temp types with one-time-keys derived from declared types.

  • Associate each column of a table with a declared type.

We refer to the types declared in such a schema as schema types. In contrast to ordinary types which are defined in Section 2.1, schema types are associated to a rule set. In the context of a database and a rule set, it is possible to reason about the information leakage and strength of a type. For instance, we can have two types: one for credit card numbers and one for salaries. Both types could use AES encryption. However, we likely want to have stronger security guarantees for credit card numbers and we accomplish this by providing a richer set of rules that apply to salaries (e.g., a “percent-raise” function) than for credit card numbers. Thus, the context (rule set and database) determines the strength of a type and Section 4 formalizes this property. Since the focus of this paper is on encrypted database systems, we will mostly use the term type in the remainder of this paper, even though strictly speaking we should be using the term schema type to refer to a type in the context of a database with a rule set.

Conceptually, the owner of a database can freely specify a rule set to their liking. We propose, however, that a database system offers predefined rule sets for different levels of confidentiality because it is easy to get wrong (and thus, insecure). Section 5 discusses examples of such rule sets that correspond to levels of confidentiality that are used in practice today.

Several columns of the same or different tables can be associated to the same type. That is, there is an N:1 relationship between columns and types. For instance, often the primary key column and all foreign key columns that refer to that primary key have the same type. For brevity and without loss of generality, this paper only discusses scenarios in which all values of a column are encrypted using the same key; i.e., a column is associated to only one and not multiple types. Although support for multiple encryption keys and types within a column is useful for multi-tenant database systems [6], throughout this work we assume that such multi-tenant databases are horizontally partitioned by tenant.

2.4 Implementation

There have been several projects that have implemented an encrypted database system using a trusted computing platform. For this work, we adopted the approaches taken in the Cipherbase [4] and VC3 projects [27]. In these approaches, the computation is split between a trusted machine (TM) and an untrusted machine (UM) as shown in Figure 2. The UM carries out all I/O and communication with clients as no state-of-the-art trusted computing technology is able to do I/O. Furthermore, the UM carries out all computations on unencrypted (public) data or computations on data encrypted using PPE, if the operation matches the PPE scheme (e.g., comparison and deterministic encryption). The TM is only needed to carry out operations on encrypted data and if that operation requires decrypting the data.

Query processing proceeds as follows: The client rewrites a query and encrypts all constants, as described in the introduction. The UM at the server compiles and optimizes the rewritten query. During compilation, the server has access to all the meta-data (types and rules), detects all operations that must be carried out by the TM, and generates a corresponding query plan. The UM, in turn, executes the query by interpreting the query plan and calling the TM as needed and returns the (encrypted) query results to the client.

Most of this query processing process is straight-forward and the same as in a traditional (non-encrypted) database system [4]. There are two critical steps in this process, however: First, before the TM can execute any operations on encrypted data, it must receive the keys from the client. We call this process program registration and describe it below. Second, query optimization heavily depends on the rules specified by the developer or security officer. For instance, hash joins can only be used if there is a rule that allows the TM to compute a hash function on the encrypted data. Section 5 discusses how different rule designs impact query optimization.

To give an example, consider the following query:

SELECT * FROM Employee
WHERE department = “IT” and salary > 500;

Assume that department is not confidential (plaintext) and salary is confidential and encrypted using AES in CBC mode with key, . Furthermore, assume that there is a rule:

Then the client would rewrite the query, thereby encrypting the Constant 500 using a one-time key. Furthermore, the client would pass this one-time key and to the TM using the program registration protocol described below. The compiler of the UM has full access to all meta-data (types and rules) and, thus, knows that department is plaintext, that salary is encrypted, and that there is a rule that authorizes the TM to execute the predicate on salary. Correspondingly, the UM compiles a plan that uses the Employee.department index (if that exists) to select all IT workers and then calls the TM to post-filter the employees that, in addition, match the salary predicate.

There are many other ways to implement encrypted databases using TMs. One approach would be to implement the compiler in the TM because query compilation can leak information, too. Studying the affects of that approach is beyond the scope of this paper which focuses on information leakage of the TM at the running time of a query. Another approach is to execute all operations by the TM, rather than splitting the work between the UM and the TM. In this approach, the UM is merely used to do I/O, thereby fetching data from disk for the TM, and serving as a proxy to accept queries from clients and passing query results to the clients. This approach has been proposed by the TrustedDB [7] and Haven projects [8]. Again, studying the confidentiality/performance tradeoffs of that approach is beyond the scope of this paper. Our approach are not directly applicable to that architecture because these systems can better constrain the capabilities of an attacker and, thus, have a weaker attacker model (Section 3). However, there are reasons why these systems are not mainstream yet and why most start-ups and big players like Microsoft use the CryptDB-model of encrypted databases which is also the basis for this work. One particular problem of systems like TrustedDB and Haven is that they require porting an entire database engine to the TM which makes the TM vulnerable from bugs in the DBMS engine code. Another problem is that in the TrustedDB and Haven architecture, it becomes difficult to administer the encrypted database and for the cloud provider to support and debug customer incidents. Eventually, we believe that both models should be studied and formalized and the main contribution of this paper is to formalize a generalized “CryptDB-style” model that makes use of server-side trusted computing.

Program Registration

The rules determine which operations (on which keys and types) the TM is allowed to perform. Correspondingly, each authorized client that has access to encryption keys has an authentic copy of the rule set and explicitly authorizes the TM to execute operations using those keys. We call this authorization process program registration.

In a nutshell, program registration works as follows. For each rule, the client sends a message to the TM that contains the name of the operation and the encryption keys of all input and output types. This method is encrypted using the TM’s public key so that only the TM can decrypt this message and can retrieve the keys. To this end, all TMs must be part of a public-key infrastructure which attests that the TMs and their public keys can be trusted.

Clients carry out program registration lazily. If a function of a type is never needed by the application, then that function is never registered at the TM and, thus, that function is never exposed to a potential attacker who has access to the TM. This lazy approach to program registration corresponds to the onion technique proposed as part of the CryptDB project [25]. Like lazy program registration, CryptDB degrades the level of encryption (using a weaker PPE technique) lazily and as needed by the application by peeling off a layer of stronger encryption from the onion. The important difference is that this process is expensive in CryptDB because it involves updating (re-encrypting) every tuple. In contrast, this process is cheap with lazy program registration because it involves only sending a single message from a client to the TM. Likewise, deregistering a function in the TM is cheap as it involves only a single message to the TM. In contrast, adding a layer of encryption to CryptDB to improve confidentiality is expensive because it again involves updating the whole table, thereby shipping the whole table from the server to the client, re-encrypting it at the client, and sending the re-encrypted table back from the client to the server.

Query Optimization

The basic principles of query optimization for an encrypted database system are the same as for a traditional database system [16]

: enumerate alternative plans, estimate the cost of each plan, and select the cheapest plan. Furthermore, the algorithms and operators used in an encrypted database system are the same as in traditional database systems. The only difference is that some of the computation (e.g., hashing a value, comparisons between two values) is carried out by the TM, whereas the bulk of the algorithms and data movement are carried out by the UM.

Query compilation is nevertheless more complex for two reasons. First, the TM can be seen as additional processing resources. Therefore, encrypted database systems with TMs require distributed query optimization in order to minimize the number of interactions between the UM and TM. An alternative way is to consider expressions that are evaluated by the TM as expensive UDFs and optimize queries accordingly [19]. Second, encryption may limit the use of certain algorithms; for instance, hash-based algorithms are not applicable to Probabilistic types that represent the strongest level of confidentiality (Section 5). Third, depending on the rule system, there might be no, one, or several ways to evaluate an expression and query using the TM. Similar issues have been studied in the context of heterogeneous database system with Web sources in the late Nineties [17]. To illustrate, consider the following example query and example rules ExR1-ExR7:

SELECT R.a + R.b + R.c FROM R


There are two ways to execute this query. First, with Rules ExR1 and ExR3. Second, with Rules ExR5, ExR6, ExR7, and ExR4. The first way involves two calls to the TM per record whereas the second way involves four calls so that the first approach is cheaper.

3 Attacker Model and Example Attacks

Why is it so difficult to build encrypted databases? Why don’t trusted computing platforms solve all problems? The difficulty lies in defining the right rule set and, thus, the right set of operations to run in the TM. If the wrong set of operations runs in the TM, the system leaks information and therefore becomes insecure.

This section defines our attacker model and presents several example attacks that demonstrate why the rule set of an encrypted database must be carefully chosen. Based on these observations, the next sections then give guidance on how to design rule sets for encrypted databases.

3.1 Attacker Model

Looking back at Figure 2, we assume that the client and the TM are trusted and secure and that the attacker can fully observe and manipulate the UM, all other components of the system, and all communication. Specifically, we assume that the attacker has the following capabilities (Figure 3):

  1. Database: The attacker can read and modify the encrypted database as stored on disk or in the main memory/caches of the UM.

  2. Queries: The attacker can observe all communication between the UM and TM and between the UM and all clients. In particular, the attacker can see queries submitted by clients and the (encrypted) query results returned to the clients.

  3. UM: The attacker can read and modify the memory of the UM and change the code that runs in the UM.

  4. TM: The attacker can call the TM as often as she wants, with any input. Furthermore, we assume that the attacker knows which programs are registered in the TM. However, the attacker cannot read or modify the state of the TM in any way.

These capabilities model a strong, active attacker. Such a strong attacker model helps to protect the database against many possible attacks such as insider attacks (administrators or cloud providers), third-party attackers (hackers who gain control of the UM, co-tenants), and bugs in the software of the UM which is the bulk of the database system. In practice, the capabilities of attackers on the UM may be more limited, but assuming such a strong attacker makes it easier to reason about the confidentiality of the system: The only thing that matters are the capabilities of the TM (i.e., the functions supported by the TM) and the encryption technique used to protect confidential data.

In one regard, this attacker model might be too optimistic. It is known that Intel SGX is subject to side-channel attacks [10]. However, studying these kinds of attacks is beyond the scope of this paper and we hope that trusted computing technology will get better, making such attacks more difficult.

Under this attacker model, it is easy for the attacker to launch denial-of-service attacks. For instance, the attacker could simply delete the database on disk or overload the TM with garbage requests. The attacker could also drop all traffic between clients and the database server. Such denial-of-service attacks are outside of the scope of this paper. The goal of this paper is to study confidentiality and protecting secrets stored in the encrypted database.

Read State Modify State Observe Messages Send Messages Client UM TM

Figure 3: Capabilities of Attacker

3.2 Trivial Attacks

Let us start with a trivial example to demonstrate why the rule set of an encrypted database must be designed carefully. The following rule authorizes the TM to compare an (encrypted) salary with a plaintext value:

With this rule, an attacker can discover all salaries in the database by calling the TM to compare them to all possible Integer values. Likewise, the following rule which authorizes the TM to simply decrypt an encrypted value must not be registered in the TM:

3.3 Information Leakage from Errors

Another source of information leakage in an encrypted database with a TM are errors. Consider the following rule which authorizes the TM to execute divisions on salaries (e.g., to implement a 10 percent salary raise), return the result in an encrypted form, yet to expose errors in plaintext so that the UM can react and not update a salary in the event of an error.

If the TM supports this operation, then an attacker can easily find all employees in the database who work for free by obverving division by zero errors when trying to divide a salary by itself.

Exploiting overflow errors is another way for an attacker to infer information from an encrypted database. By observing overflow errors, it is possible to determine which of two (encrypted) integers is larger than the other one by iteratively muliplying these integers with themselves until an overflow error occurs.

3.4 Composition

Arguably, the most dangerous attacks come from composing functionality in the TM. In this attack, each rule by itself is safe, but the combination of rules allows the attacker to infer confidential values. As a simple example, assume that we would like to support both arithmetics and comparisons on salaries and define the following rules:

division(salary, salary) salary
add(salary, salary) salary
equal(salary, salary) Boolean

To determine the value of a specific encrypted salary (e.g., Bob.salary), we execute the following steps, assuming that Bob’s salary is not 0:

  1. EncryptedOne = TM.divide(Bob.salary, Bob.salary)

  2. iEncrypt = EncryptedOne; iPlaintext = 1;

  3. while (NOT TM.equal(Bob.salary, iEncrypt))

    1. iPlaintext++;

    2. iEncrypt = TM.add(iEncrypt, EncryptedOne);

  4. return iPlaintext

3.5 Other, Known Inference Attacks

All of these example attacks are specific to an encrypted database enhanced with a trusted computing platform. In addition, all attacks that have been studied for more traditional encrypted databases (e.g., CryptDB) remain valid.

[22] shows how to reveal confidential information from a medical database if the data is deterministically encrypted and the attacker exploits publicly available background knowledge about value distributions. This work is directly applicable to an encrypted database with a TM, even if the data is not deterministically encrypted. The only thing that is needed is that the TM supports equality (equal() Boolean rule) and the same inference attacks on are possible as if were deterministically encrypted.

As another example, disk access patterns can reveal confidential information [12] in any kind of encrypted database system. For instance, if it is known that Bob gets salary raises most frequently, then an attacker can exploit this information to discover Bob’s record in the encrypted database by observing which record is most frequently updated.

4 Reasoning about Confidentiality

The previous section gave several examples that demonstrate that it is important to define the rule set of an encrypted database carefully. If not, an attacker can easily infer secrets from the database. This section gives a framework to reason about the confidentiality of types in an encrypted database. The key idea is to model the types of the encyrpted database as a graph and determine potential information leakage by analyzing this graph.

4.1 What is Dangerous?

All the example attacks of the previous section have one thing in common: The TM returns plaintext values. These plaintext values are either Boolean values (Section 3.2) and inference attacks on determinic encryption [22]), errors (Section 3.3), or pointers (inference from access patterns [12]). In other words, when analyzing the rule set of an encrypted database, we need to look for rules that involve plaintext types as results. As shown in Section 3.2, the combination of plaintext parameters and plaintext results can be particularly dangerous.

Another observation is that danger can propagate through rules. For instance, if I add two encrypted integers and then compare the result with another integer, then that comparison might leak information about the first two encrypted integers.

A third observation is that rules with cycles can also be particularly dangerous such as the add rule in Section 3.4 which allows the attacker to use the TM to enumerate the whole domain.

4.2 Information Flow Graph

Based on these observations, we study the information leakage using an information flow graph. The nodes of this graph are types and edges in this graph are determined by rules. More formally, given a schema with types and rule set , we define the information flow graph as follows:

  1. Vertices are the schema types in .

  2. There is an edge with label if there is a rule involving function where is the th input type of and is the th output type of .

The set of plaintext terminating walks of Type , , is the (possibly infinite) set of walks (paths) in the information flow graph () that start at vertex and end in a vertex corresponding to a plaintext type.

With these definitions, we can now revisit the examples from the previous section. For instance, Figure 4 shows the information flow graph for the rule set of Section 3.4. Due to the cycle, there is an infinite number of plaintext terminating walks for Emp.salary.

Figure 4: Example Information Flow Graph (Section 3.4)

4.3 What Works?

A type has no information leakage if its values are encrypted using an IND-CPA encryption technique (e.g., AES in CBC mode) and there are no paths from this type (or any parameters of rules it is involved in) to a plaintext type in the information flow graph. Section 5.1 gives an example class of such types and discusses its properties. In a nutshell, all rules follow the encrypted in / encrypted out principles for these types so that the TM only takes encrypted inputs and produces encrypted outputs.

Unfortunately, as shown in Sections 5 and 6, it is not always possible to follow the encrypted in / encrypted out principle for all types because it limits certain SQL functionality (e.g., the use of integrity constraints, Section 6) and the use of important database features such as indexes (Section 5). All these features require some paths to plaintext values. While we cannot prove absolute confidentiality in such situations (any path to a plaintext type leaks information and is a potential vulnerability), we can try to minimize the paths to plaintext values and, thus, limit information leakage as much as possible.

Figure 5: Breaking the Cycle

To give an example, Figure 5 shows the information flow graph of the following rule set that supports arithmetics and comparisons on salaries (in particular, predicates of the form ) and is not vulnerable to the enumeration attack of Section 3.4:

division(salary, salary) Temp
add(salary, salary) Temp
equal(salary, temp) Boolean

The key idea of this rule set is that it breaks the cycle by using temp types; i.e., by encrypting the result of any arithmetics with salaries using one-time-keys. As shown in Section 5.2, this trick allows to support almost any SQL feature without leaking more information than today’s generation of encrypted databases (e.g., CryptDB).

4.4 Type Hierarchy

Using the concepts of an information flow graph and plaintext terminating walks, it is also possible to define a partial order on types. A stronger type leaks as much or less information than a weaker type. Type is stronger than iff . Here corresponds to schema type with rule set and to schema type with rule set . Intuitively, more paths to a plaintext type mean that is richer than and, in particular, supports more potentially dangerous functionality that can result in infering values from using plaintext values that result on computations on values of .

The existence of type hierarchies makes it possible to define levels of confidentiality. The next sections will discuss three possible levels.

5 Confidentiality vs. Performance Tradeoffs

This section defines three classes of schema types: (a) Probabilistic, (b) Deterministic, and (c) Ordered. We chose these classes because they correspond to the “confidentiality à la carte” offerings of state-of-the-art encrypted database systems that are based on property-preserving encryption (PPE). For instance, Microsoft Always Encrypted supports probabilistic and deterministic encryption with AES [28]. CryptDB supports probabilistic and deterministic encryption with AES and order-preserving encryption with a custom-defined encryption scheme [24].

Probabilistic data types as defined here give the same confidentiality guarantees as probabilistic encryption in CryptDB and Always Encrypted. Likewise, Deterministic and Ordered types as defined here provide the same level of confidentiality (information leakage) as deterministic and order-preserving encryption in CryptDB. The difference is that, with trusted computing resources, we can support significantly more functionality than Always Encrypted and CryptDB at the same level of confidentiality. In fact, we show that we can process any SQL SELECT statement at any level of confidentiality, even for Probabilistic types. Using a TM and our generalized model of an encrypted database, the three levels of confidentiality differ most significantly in performance: The higher the level of confidentiality, the lower the performance for certain queries. For instance, Probabilistic types can only make use of oblivious algorithms and no indexes whereas indexes can be used for both Deterministic and Ordered types.

5.1 Probabilistic

5.1.1 Definition and Confidentiality

Probabilistic is the strongest level of confidentiality. Given a schema with types and rules , a type is Probabilistic if there is no path in the information flow graph from to a plaintext type. That is, probabilistic types can only be involved in rules in which all other types (inputs and outputs) are also probabilistic. Furthermore, an IND-CPA encryption algorithm must be used for probabilistic types; e.g., AES in CBC mode.

Both Microsoft Always Encrypted and CryptDB support this level of confidentiality, but they do not support any operations on probabilistically encrypted data. That is, to process values of these types, the client must download all the data (no filter possible), decrypt the data at the client, and process any kind of query on these values at the client. We can show that with a server-side TM, we can execute any SQL SELECT statement on Probabilistic types support and provide the same confidentiality guarantees as Always Encrypted and CryptDB for probabilistically encrypted data.

PR1: PR2: PR3: PR4:

Figure 6: Illustration of rules consistent with Probabilistic types

are Probabilistic and others are arbitrary types in R1-R3

any Row Type; any Probabilistic Row Type

5.1.2 Functionality and Performance

To demonstrate the expressive power of Probabilistic types, Figure 6 gives example rules that are consistent with our definition of a Probabilistic type. The first rule, PR1, specifies that any expression can be executed on a Probabilistic type as long as all inputs and outputs have a Probabilistic type. The expression, , can be any SQL expression; e.g., compositions of arithmetics, string functions, etc. There is no need to encrypt and hide which expressions are registered in the TM.

As shown in Section 3.3, all errors that might occur as a side-effect of processing must be encrypted, too. In PR1 (and all other example rules throughout this section), we model errors as special values of the domain of . When functions are composed (e.g., the result of is used as input to another function), then the errors are propagated; that is, the result is again an encrypted error value. Alternatively, encrypted errors could also be modeled as a separate result type, as done in the example of Section 3.3. In this case, we would implement composition would by providing encrypted errors as additional inputs. These two ways of implementing compositions are equivalent. The first approach to model errors as special values of the encrypted result domain is simpler and that is why we use that approach throughout the remainder of this paper.

Depending on the expression, , in Rule PR1, the condition that all inputs must be encrypted and have a Probabilistic type can be relaxed. For instance, if the expression is and is a secret and is not a secret (and not encrypted), then evaluating that expression is okay if the result is encrypted and has a Probabilistic type. This observation is particularly important for databases in which only few columns contain secrets.

Another interesting way to relax Rule PR1 and extend the expressive power is that depending on the expression, it may be okay to return errors in plaintext. As an example, consider the following expression with a secret string that has a Probabilistic type:

This expression returns an error because the position and length in the substring function must not be negative. However, the attacker does not learn anything about from this error. More formally, the error is a function of the other inputs independent of the (secret) string. So, the following rule would be okay for a Probabilistic type, , with domain String, if is also a Probabilistic type with domain String, and is a plaintext type that returns the error status. may have the same or a different encryption key as .

Such a rule helps to implement updates that would otherwise not be possible. (Section 6 discusses updates and issues with errors in more detail.) However, the following rule would not be okay, if is a Probabilistic type because in this case plaintext errors might give away secrets of values of type :

In general, if we wish to expose errors, we must make sure that the output error does not depend on any input that has a Probabilistic type.

The second and third rule of Figure 6, PR2 and PR3, are special cases of PR1. They are not needed and we only list them here for exposition. PR2 specifies that the TM may evaluate any predicate, if all inputs are Probabilistic. Furthermore, PR2 specifies that the result of the predicate is a probabilistically encrypted Boolean value so that the attacker cannot learn anything from the result. An instance of EncBool can take one of the following values: true, false, unknown (according to SQL’s three-valued logic), and an (encrypted) error code, if the evaluation of the predicate failed (e.g., one of the inputs of the predicate contained an error value).

Like PR2, PR3 is a special case of PR1. PR3 is the identity function that simply re-encrypts its input that is encrypted with the key of using the key of . This identity function is needed, for instance, to implement casts or rotate the key of a column in the database because many organizations have a security policy that specifies that encryption keys need to change every, say, one or two months. PR3 is also applicable if is a plaintext type; PR3 is one of the special cases of PR1 in which the inputs need not be encrypted. This way, PR3 makes it possible to encrypt a column if a column that was previously believed to be non-confidential becomes confidential.

PR4 is different and critical to implement SQL queries on Probabilistic data in an effective way. PR4 specifies the orderPair() function that takes two records as input (the fields of these records may be all encrypted, all plaintext, or some encrypted and some not encrypted), a comparison function, and returns the two records ordered according to the comparison function and fully probabilistically encrypted so that no information is leaked from the result. PR4 makes sure that we can sort any table, thereby using BubbleSort or any other oblivious sort algorithm [15]. Quicksort cannot be implemented for Probabilistic types because it requires a partitioning function which gives a plaintext result that specifies whether an element is larger or smaller than another element and, thus, violates the encrypted in / encrypted out principle.

PR4 is defined on records, rather than values of a domain, because the encrypted result must not give any indication of whether the first or the second tuple is smaller; from this point on, the SQL query processor must operate on records in which all fields are Probabilistic to avoid any kind of inference attacks on the result of an oblivious sort.

In the extended version of this paper [2], we formally prove that an adversary does not learn any instance level information about a value of a Probabilistic type. We prove this by setting up an indistinguishability experiment where the adversary is not able to distinguish between two values given an oracle access to the TM and an access to encryption oracles of other types.

Theorem 1

(informal) The adversary does not learn any information about a value of a Probabilistic type other than what she learns from the schema and the (encrypted) database instance (e.g., via correlations with other columns in the same table).

There is more good news. It turns out that the rules of Figure 6 are sufficient to implement any SQL SELECT query. All database operators can be carried out using sort-based algorithms (e.g., joins, group-by, sub-queries) and expression evaluation. Doing so, each tuple of the final query result is tagged with an EncBool value and the client can filter out the result tuples by decrypting the tuples and this Boolean value. To speed up, this filtering at the client, the final query result can be sorted by the EncBool value in the following way: First, all errors (if any), then all true tuples which are part of the query result, and then all unknown and false values. This way, the client can immediately detect whether an error occurred and, if not, quickly extract the result tuples. Such oblivious query processing has been studied extensively in the literature; e.g., [5] for the most recent overview.

The bad news is that the performance of query processing on Probabilistic types can be prohibitively poor. The size of a join result is quadratic with the join inputs, independent of the selectivity of the join predicate. Similarly, the amount of data that needs to be shipped from the server to the client for a simple query that applies a filter to a table (e.g., a key-value lookup) is in the same order as the table, independent of the selectivity of the filter predicate. Grouping has the same problem. Finally, oblivious RAM simulations [14] are the only way to make use of indexes on Probabilistic types; unfortunately, oblivious RAM simulations have high overheads (e.g., poor cache locality). In summary, Probabilistic types are only the right choice for highly confidential data that are rarely part of a filter predicate, join predicate, or group-by key, or for which performance is not a major concern. To achieve better performance, we need to sacrifice confidentiality. That is what the Deterministic and Ordered types do.

5.2 Deterministic

The goal of Deterministic types is to allow the encrypted database to make the most efficient use of indexes, hash-based algorithms, and filters to limit the size of (intermediate) query results in the same as with a traditional, unencrypted database. Unfortunately, these features cannot be supported without leaking some information. The good news is that the information leakage from supporting these features has already been studied in the context of systems like CryptDB and SQL Always Encrypted which make use of deterministic encryption (e.g., AES in ECB mode). With the use of trusted computing, we can define Deterministic types that significantly extend the functionality that can be implemented with deterministic encryption, thereby giving the same confidentiality guarantees. In particular, we can expand the use of indexes to any sargable predicate such as “” if an index on is available; this expansion is only possible with our specific schemes and not possible in systems like CryptDB and Always Encrypted. This section formally defines Deterministic types and shows how to use indexes and hash-based algorithms to efficiently process queries on Deterministic types.

5.2.1 Definition and Confidentiality

For any domain , let denote the equality predicate over . Also, let denote a cryptographic hash function that maps values of to a plaintext hash domain; e.g., for SHA-1, the hash domain is the domain of 160-bit values. Let be injective functions; that is, for all .

Given a schema with types and rules , we say a type is Deterministic if:

  1. All paths in from to are of the form:

    where each is an injective function.

  2. All paths in from to are of the form:

    where each is an injective function.

  3. For any in (1) and (2) above, there exists a unique path in from to .

  4. There does not exist any path from to a plaintext domain that is not or .

In the full version of this paper [2], we show that for any Deterministic type as defined above, an adversary does not learn any information other than equality over its instances.

Theorem 2

(informal) Values of a Deterministic type have the same information leakage as encrypting the values using deterministic encryption.

To implement a Deterministic type, we can use either probabilistic (e.g., AES in CBC mode) or deterministic encryption (e.g., AES in ECB mode); the choice does not impact confidentiality. For performance reasons, we suggest to use deterministic encryption because that way we need less calls to the TM in order to implement comparisons and hash values of Deterministic types.

5.2.2 Functionality and Performance

To demonstrate the expressive power of Deterministic types, Figure 7 lists some example rules that are consistent with the formal definition of Deterministic types. Specifically, these rules are used to implement indexes and hash-based algorithms such as hash joins. Sort-based algorithms and any oblivious algorithms that can be used for Probabilistic types can also be used for Deterministic types.

DR1: DR2: DR3: DR4: DR5: DR6:

Figure 7: Rules consistent with Strict Deterministic Types

is a Deterministic Type; an Other Deterministic Type

any Probabilistic Type; any Row Type; any Probabilistic Row Type

others are arbitrary types

Deterministic vs. Probabilistic Types (DR1-DR4)

Rules DR1 to DR4 of Figure 7 are almost the same as Rules PR1 to PR4 for Probabilistic types (Figure 6); that is why all oblivous algorithms which are applicable to Probabilistic types are also applicable to Deterministic types. Since Deterministic types support a superset of rules as compared to Probabilistic types, it is also easy to prove that Deterministic types are weaker than Probabilistic types (Section 4.4). There is, however, one subtle point in Rules DR1, DR2, and DR4: All the output types must be Probabilistic. That is, the result type of the addition of two integers that are instances of Deterministic types is Probabilistic. As a consequence, only the rules of Figure 6 are applicable to the result of such expressions and Rules DR5-DR6 of Figure 7 are not applicable. This trick prevents the enumeration attack of Section 3.4 and uses the pattern to break cycles discussed in Section 4.3.

Rule DR3 of Figure 7 is special. The output of DR3 may be a Deterministic type. Just like PR3 of Probabilistic types, we need Rule DR3 for two purposes: (a) casts (e.g., conversion from Integer to Float) and (b) key rotation (i.e., re-encrypting a column with a new key). Casts are frequent in practice and are not supported in any encrypted database system that is based on PPE.

Strict vs. Relaxed Deterministic Types (DR5, DR6)

DR5 and DR6 model the properties of deterministic encryption. So, with deterministic encryption to implement Deterministic types these rules are not needed because these functions can just as well be implemented in the UM in the same way as in any database system that exploits PPE such as Always Encrypted or CryptDB. One important observation is that neither equal nor hash produce errors. A bit trickier are null values. These cannot be kept secret in a Deterministic type because the comparison with a null value is the Boolean value unknown in SQL’s three-value logic. If null values need to be kept confidential, then Deterministic types are not the right choice. This observation holds also for encrypted databases that are based on PPE such as CryptDB or Always Encrypted [28].

Rules DR5 and DR6 of Figure 7 model deterministic encryption in a strict way. With trusted computing resources, we could also implement a more general variant of these rules. This variant of DR5 and DR6 is shown in Figure 8. This variant allows to compare values of two Deterministic types with the same domain, but different encryption keys. In particular, it allows hash joins between two columns that are encrypted using different keys. (For this reason, DR6’ uses the hash function of to hash values of

.) One application for this relaxed variant is a security policy that rotates the encryption keys of primary key columns and foreign key columns individually. During this rotation process the relaxed policy would allow efficient primary key / foreign key joins (e.g., using hash joins or index nested-loop joins) even at a moment after the primary key column has been re-encrypted and before the foreign key column has been re-encrypted. Such relaxed Deterministic types could also result, e.g., from rules

and where and are Deterministic types.

On the negative side, the relaxed rule set of Figure 8 might be vulnerable to additional inference attacks by correlating (encrypted) values of and which are not supposed to be correlated. [2] contains a more detailed and formal definition of relaxed types and discussion of the confidentiality guarantees of relaxed Deterministic types.

DR5’: DR6’: DR7’:

Figure 8: Rules for Relaxed Deterministic Types

any relaxed Deterministic Types,

5.2.3 Composing Expressions and Index Lookups (DR7’)

If there is an index on column R.a, then the goal is to be able to use this index for all sargeable predicates; i.e., predicates of the form:

If the expression is a constant or a parameter of the query, then this constant or query parameter can be encrypted with the key of R.a and we can use the index in a straight-forward way using any Deterministic type (relaxed and strict). However, for more complex expressions, this approach no longer works. The purpose of Rule DR7’ of relaxed Deterministic types is to evaluate such expressions and use the index.

As an example, let us consider the following query with a query parameter, :

SELECT * FROM R, S WHERE R.a = S.a + :x;

This query cannot be executed in systems like CryptDB if R.a and S.a are encrypted deterministically, even if R.a and S.a are encrypted using the same key. This query can be executed in a TM independent of the types and keys of R.a and S.a (Probabilistic, strict Deterministic, or relaxed Deterministic). However, we can only use the index on R.a, if both R.a and S.a have relaxed Deterministic types (possibly with different encryption keys) and the rules of Figure 8 are available. DR7’ is used to evaluate the expression by encrypting the query parameter () using the key of S.a. DR7’, thus, corresponds to DR1 which allows to compute any kind of arithmetics on any kind of Deterministic type. The important difference between DR7’ and DR1 is that DR1 mandates that the result is Probabilistic whereas DR7’ specifies that the result of is also an instance of a relaxed Deterministic type. This way, Rules DR5’ and DR6’ become applicable to the result of and we can use the index on R.a to probe the matching tuples.

In order to understand the details of this approach, we need to describe how to build and probe indexes on columns with relaxed Deterministic types. Rather than building the index on the encrypted values (i.e., ciphertext) as done by Always Encrypted, we build the index on hashes; that is, before inserting a new key into the index, we call the TM in order to determine the hash of that key, thereby using Rule DR6 (or DR6’ which is a generalization of DR6 in this particular case). To probe a key, , during query processing, we apply the following approach:

  • Compute hash(). If is of type R.a, then use Rule DR6. If is of type Temp(R.a) use Rule R6’.

  • Use the index to lookup hash().

  • For all matches with hash() = hash(), check whether . If the type of is R.a, then this test can be done directly without using the TM. If the type of is Temp(R.a), then call the TM to do this comparison (Rule DR5’).

Why does this approach prevent the enumeration attack? The key idea is to use a new, different encryption key to encrypt the result of an expression. This way, the cycle is broken which is needed to enumerate all values of a domain in the enumeration attack.

5.3 Ordered

The last and lowest level of confidentiality that we would like to discuss is Ordered. We model Ordered types using order-preserving encryption (OPE) as a role model. Order-preserving encryption has been studied extensively in the past [1, 9, 26, 24]. It is controversial whether it is strong enough for practical applications. We only cover it here for completeness and without taking a stand on its practicality.

The goal of OPE is to provide efficient implementations of range predicates and Top N queries; in particular, using ordered indexes such as B-trees. Ordered types can be formalized by using the instead of in the definition of Deterministic; we defer the details to the full version of this paper [2].

Within our framework, Ordered types can be implemented by enabling the following additional rule in addition to all the rules for Deterministic types (Figure 7):

By supporting this additional rule, it is obvious that Ordered types are weaker than Deterministic types which are in turn weaker than Probabilistic types (Section 4.4).

As an encryption technique, any OPE technique or deterministic encryption technique or even probabilistic technique can be used. In terms of confidentiality and functionality, the choice of the encryption technique does not matter, assuming that the crypto is strong and cannot be broken. However, OPE achieves best performance because it avoids calls to the TM, in the same way as deterministic encryption achieves the best performance for Deterministic types (Section 5.2).

5.4 Discussion

This section described three levels of confidentiality. All three levels allow the implementation of any SQL SELECT statement on encrypted data. These three levels, however, differ in terms of confidentiality and performance. In terms of confidentiality, these levels correspond to the levels of confidentiality supported in state-of-the-art encrypted database systems using PPE; i.e., the lower levels of confidentiality, Deterministic and Ordered, are vulnerable to certain kinds of inference attacks [22] whereas Probabilistic types are semantically secure. In terms of performance, a lower level of confidentiality can improve performance in two ways: (a) It allows the use of a wider range of algorithms and index structures; (b) (intermediate) result sizes are smaller.

Figure 9 shows which kind of algorithms can be applied to which kind of data. Using a TM, scan-based and sort-based algorithms (e.g., nested-loop joins, sort-merge joins) can be applied to any kind of data. Hash-based algorithms (e.g., hybrid-hash joins), however, can only be applied to Deterministic and Ordered types. Likewise, only Deterministic and Ordered types can make use of indexes. Figure 10 shows the size of encrypted results, depending on the operation and the level of confidentiality. For instance, the size of the encrypted result of a filter is of the same order as the size of the base table (denoted as in Figure 10) as explained in Section 5.1. Obviously, this results in poor performance if further operations such as joins are applied to the result of the filter or large result sets must be shipped to the client. However, queries that apply an aggregate (e.g., count) after the filter can be processed fairly efficiently even on Probabilistic types.

Probabilistic Deterministic Ordered Nested-loop Algorithms Sort-based Algorithms Hash-based Algorithms Equality Indexes Ordered Indexes

Figure 9: Confidentiality Levels and Permissible Algorithms

Probabilistic Deterministic Ordered Aggregation Equi Joins Theta Joins Filter (Equality) Filter (Range)

Figure 10: Confidentiality Levels and Result Sizes

size of input tables; size of result table

Overall, these results confirm the importance of the confidentiality à la carte approach that allows users to chose the right type for each column depending on the workload and confidentiality requirements. This is particularly important for enterprise workloads and benchmarks such as TPC-C; for instance, it is typically affordable from a performance perspective to use a Probabilistic type for credit card numbers whereas it is good to use a Deterministic type for order numbers because inference attacks are difficult for order numbers as the attacker likely does not have much background knowledge on order numbers. Confidentiality à la carte can also be offered with systems that are based on PPE only such as CryptDB and Always Encrypted. However, these systems severely limit the kinds of functions that can be applied to encrypted data, whereas all SQL SELECT statements are executable with trusted computing resources, regardless of the level of confidentiality.

6 Confidentiality vs. Functionality

The previous section showed that any SQL SELECT statement can be executed on encrypted data and that the performance depends on the level of confidentiality. In some sense, all that was good news providing a nice security / performance tradeoff for SQL SELECT statements on encrypted data. This section shows contains some bad news concerning SQL UPDATE statements. It contains three example corner cases that demonstrate that some SQL updates can only be executed with lower levels of confidentiality (limiting the functionality of Probabilistic types), that for some updates with predicates a lower level of confidentiality does not help to improve performance (limiting the effectiveness of weaker levels of confidentiality), and that some updates cannot be implemented with any of the three confidentiality levels presented in the previous section (limiting the functionality of any kind of encrypted database).

6.1 Integrity Constraints

Integrity constraints can only be implemented on Deterministic and Ordered types. This is because checking an integrity constraint implicitly carries out a comparison with a plaintext result.

As an example, consider a database with order and customer information. name is the key of the Customer table and every order refers to a customer (with a foreign key on name). Furthermore, let us assume that customer names are confidential so that Order.customer and Customer.name have a Probabilistic type. If there were a unique or primary key constraint on Customer.name, then an attacker could infer whether an order refers to a specific customer or two orders refer to the same customer by deleting and inserting tuples into the Customer table. To find out whether two orders, and , refer to the same customer (and thus possibly launch an inference attack on the Order table, the attack could issue the following sequence of SQL statements.

  • DELETE FROM Customer;

  • INSERT INTO Customer(name) VALUES (.name);

  • INSERT INTO Customer(name) VALUES (.name);

  • ABORT; // rollback all updates, restore Customer table

If there is a unique constraint on Customer.name and the second INSERT fails, then the attacker can infer that .name == .name which makes Order.name a Deterministic type, rather than a Probabilistic type as required by the database designer.

Due to this kind of information leakage, it is critical that an attacker does not have the authority to change any meta-data of the database. Only the owner of the database is allowed to create integrity constraints and change the schema of an encrypted database.

6.2 Updates

Consider the following SQL update statement that gives all employees of a certain salary class a 10 percent raise:

UPDATE Emp SET salary = 1.1 * salary WHERE salary = 100;

If Emp.salary has a Probabilistic type, the right way to execute this update statement is to register the following program at the TM (using Rule PR1 of Figure 6):

raiseIf100(salary) salary

newsalary = decrypt(, input);
if (newsalary) == 100) newsalary = 1.1 * newsalary;
return encrypt(, newsalary);

This program is called for every employee and the salary of all employees will be updated, even if unchanged. Note that an IND-CPA encryption technique for a Probabilistic type generates a different ciphertext for the same plaintext so that an attacker does not know which salaries were updated.

With a Deterministic type, one would expect that only the salaries of employees with salary == 100 would be updated. That is, the expectated plan would be to select all employees that match the WHERE clause (using Rule DR5 of Figure 7) and then to update those employees using Rule DR1 of Figure 7 to compute the new salary. Unfortunately, however, this plan is not legal because Rule DR1 cannot be used to compute the new salary. The reason is that the results of Rule DR1 must have a Probabilistic type in order to break the cycle as described in Section 4.3. In this example, however, we assumed that Emp.salary has a deterministic type.

So, unfortunately, a Deterministic Emp.salary type does not help to improve the performance of this update statement. Even if Emp.salary has a Deterministic type, this update needs to be processed in the same way as if Emp.salary had a Probabilistic type. In fact, it is even worse because we need to generate a new key to re-encrypt the salary column (using Rule DR3) because of the inapplicability of Rule DR1.

This example nicely demonstrates how subtle and tricky it is to implement encrypted databases and why secure hardware does not solve all problems.

6.3 Updates and Errors

Let us revisit the update statement from the previous subsection that raised the salaries of employees. In fact, we made an important assumption in the previous subsection: the expression “1.1 * salary” does not return any errors. It turns out that if this assumption does not hold, then this update statement is not implementable using any level of confidentiality. The problem is that errors must be encrypted in all levels of confidentiality to avoid the simple attacks described in Section 3.3. While encrypting and, thus, hiding errors is possible while processing SELECT statements (the error can be caught in the driver at the client), errors cannot be hidden while processing update statements (including deletes and inserts). If an update occurs while processing an update, the whole update statement must fail and this failure cannot be hidden from an attacker.

This example shows that it is not possible to implement the whole SQL standard on top of an encrypted database even for low levels of confidentiality and even if we have perfectly secure trusted computing technology.

7 Related Work

There has been a great deal of prior work on encrypted databases. Almost all existing systems take a particular point in the confidentiality / functionality / performance design space. One prominent example is CryptDB, which is based on property preserving encryption [25]. Because of this, CryptDB is limited to the specific confidentiality / functionality / performance characteristics of state-of-the-art PPE techniques. As a result, the supported functionality is severely limited in terms of Probabilistic and Deterministic types. In the system suggested here, the use of server-side TMs opens up new opportunities to implement SQL functionality on encrypted data that cannot be implemented in CryptDB and to achieve better performance at the same of better levels of confidentiality.

One particular innovation of CryptDB is the use of the onion technique. In CryptDB, peeling off a layer of confidentiality requires updating an entire column, potentially making the whole table unavailable during this process. Adding a layer also requires shipping all the data to and from the client for re-encryption. The proposed program registration scheme of this paper (Section 2.4) has the same advantages of CryptDB’s onion technique (dynamically increasing and reducing the confidentiality level) without paying the high price: Using a server-side TM, we can add or remove a layer of protection from a column by simply deactivating and activating TM functionality (i.e., rules).

The closest related work is previous work on encrypted databases that makes use of secure hardware; e.g., TrustedDB [7], Haven [8], Cipherbase [3, 4], and VC3 [27]. The result of this work are not directly applicable to TrustedDB and Haven because TrustedDB and Haven have a different attacker model (Section 3.1). In TrustedDB and Haven, attackers can be prevented from executing queries on the TM by special authorization techniques. This property, however, comes at a cost: The whole database must be encrypted and the whole database engine must be ported and run inside the TM which results in vulnerabilities from bugs and potential performance issues. It is an interesting and important avenue of future work to formalize and study the confidentiality and corresponding tradeoffs of systems like TrustedDB and Haven once these systems have matured and become available. To date, these systems are still research prototypes and it is difficult to formalize their confidentality properties as these properties are still unclear.

Our results are directly applicable to the Cipherbase and VC3 projects which have the same attacker model as CryptDB and all other systems that make use of PPE. The main contributions of the Cipherbase are novel optimization techniques to execute queries and update transactions on encrypted databases with a server-side TM. These techniques are directly applicable to our work, too, and orthogonal to the results of this paper.

This work is based on a large body of work that has explored inference attacks from PPE (e.g., [22]), inference attacks from access patterns (e.g., [12]), oblivioius RAM (e.g., [14]), and oblivious algorithms (e.g., [5]). Our main contribution is to extend that work and come to a more general way to reason about information leaks and cleanly characterize the confidentiality/functionality/performance tradeoffs of state-of-the-art encrypted database systems with secure hardware.

The holy grail of encrypted databases is fully homomorphic encryption (FHE) [13]. With FHE, this work would indeed become obsolete and trusted hardware would not be required. Unfortunately, we are still a far cry away from practical FHE.

8 Conclusion

This paper lays the foundation for a “confidentiality á la carte” encrypted database system that make use of server-side trusted computing. It studied the fundamental limits of those systems and defined three levels of confidentiality that were inspired by today’s generation of property-preserving encryption techniques (PPE). We showed that compared to PPE-based systems we can achieve the same confidentiality, but with much higher functionality and potentially better performance because we support more algorithmic variants (e.g., sort-based algorithms for Probabilistic types). Nevertheless, this work confirmed previous results that there cannot be a perfect encrypted database system that provides semantically security, an implementation of the full SQL standard, and good performance. That is why “confidentiality á la carte” will continue to be the right model for encrypted databases.

There are several avenues for future work. First, the same basic principles laid in this work apply to problems such as directory services (e.g., LDAP, Microsoft Active Directory), collaboration tools (e.g., Wikis, Sharepoint), and any other structured workload where expression evaluation can be factored out. Database systems are just one example of systems that store and process confidential data. Second, there is still a great deal of research required to implement more efficient trusted computing-based database systems: (Distributed) query optimization needs to be revisited and the architecture of Figure 2 inspires research on new algorithms to carry out joins, aggregation, and sorting efficiently between an untrusted and trusted machine. At the moment, this work is still at the conceptual level and we will publish the results of performance experiments in a future paper.


  • [1] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Order-preserving encryption for numeric data. In G. Weikum, A. C. König, and S. Deßloch, editors, Proceedings of the ACM SIGMOD International Conference on Management of Data, Paris, France, June 13-18, 2004, pages 563–574. ACM, 2004.
  • [2] P. Antonopoulos et al. Towards database confidentiality a la carte with secure hardware, 2016. http://research.microsoft.com/apps/pubs/?id=262632.
  • [3] A. Arasu, S. Blanas, K. Eguro, R. Kaushik, D. Kossmann, R. Ramamurthy, and R. Venkatesan. Orthogonal security with cipherbase. In CIDR 2013, Sixth Biennial Conference on Innovative Data Systems Research, Asilomar, CA, USA, January 6-9, 2013, Online Proceedings. www.cidrdb.org, 2013.
  • [4] A. Arasu, K. Eguro, M. Joglekar, et al. Transaction processing on confidential data using Cipherbase. In Proceedings of the 31ST IEEE International Conference on Data Engineering (ICDE), 2015.
  • [5] A. Arasu and R. Kaushik. Oblivious query processing. In Proc. 17th International Conference on Database Theory (ICDT), Athens, Greece, March 24-28, 2014., pages 26–37, 2014.
  • [6] S. Aulbach, T. Grust, D. Jacobs, A. Kemper, and J. Rittinger. Multi-tenant databases for software as a service: schema-mapping techniques. In Proceedings of the ACM SIGMOD International Conference on Management of Data, SIGMOD 2008, Vancouver, BC, Canada, June 10-12, 2008, pages 1195–1206, 2008.
  • [7] S. Bajaj and R. Sion. TrustedDB: a trusted hardware based database with privacy and data confidentiality. In T. K. Sellis, R. J. Miller, A. Kementsietsidis, and Y. Velegrakis, editors, Proceedings of the ACM SIGMOD International Conference on Management of Data, SIGMOD 2011, Athens, Greece, June 12-16, 2011, pages 205–216. ACM, 2011.
  • [8] A. Baumann, C. M. Peinado, and G. C. Hunt. Shielding applications from an untrusted cloud with haven. In Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 267–283, 2014.
  • [9] A. Boldyreva, N. Chenette, Y. Lee, and A. O’Neill. Order-preserving symmetric encryption. IACR Cryptology ePrint Archive, 2012:624, 2012.
  • [10] V. Costan and S. Devadas. Intel SGX explained, 2016. http://eprint.iacr.org/2016/086.pdf.
  • [11] K. Eguro and R. Venkatesan. FPGAs for trusted cloud computing. In FPL, pages 63–70, 2012.
  • [12] M. I. et al. Access pattern disclosure on searchable encryption: Ramification, attack and mitigation, 2013. NDSS Symposium.
  • [13] C. Gentry. Fully homomorphic encryption using ideal lattices. In M. Mitzenmacher, editor,

    Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009

    , pages 169–178. ACM, 2009.
  • [14] O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious rams. J. ACM, 43(3):431–473, 1996.
  • [15] M. T. Goodrich. Randomized shellsort: A simple oblivious sorting algorithm. In Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, Austin, Texas, USA, January 17-19, 2010, pages 1262–1277, 2010.
  • [16] G. Graefe. The cascades framework for query optimization. IEEE Data Eng. Bull., 18(3):19–29, 1995.
  • [17] L. M. Haas, D. Kossmann, E. L. Wimmers, and J. Yang. Optimizing queries across diverse data sources. In M. Jarke, M. J. Carey, K. R. Dittrich, F. H. Lochovsky, P. Loucopoulos, and M. A. Jeusfeld, editors, VLDB’97, Proceedings of 23rd International Conference on Very Large Data Bases, August 25-29, 1997, Athens, Greece, pages 276–285. Morgan Kaufmann, 1997.
  • [18] H. Hacigümüs, B. R. Iyer, C. Li, and S. Mehrotra. Executing SQL over encrypted data in the database-service-provider model. In Proceedings of the 2002 ACM SIGMOD International Conference on Management of Data, Madison, Wisconsin, June 3-6, 2002, pages 216–227, 2002.
  • [19] J. M. Hellerstein and M. Stonebraker. Predicate migration: Optimizing queries with expensive predicates. In P. Buneman and S. Jajodia, editors, Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data, Washington, D.C., May 26-28, 1993., pages 267–276. ACM Press, 1993.
  • [20] IBM. Ibm 4764 coprocessor, 2015. http://www-03.ibm.com/security/cryptocards/pcixcc/overview.shtml.
  • [21] S. Juarez. Isolated user mode in windows 10 with dave probert, 2015. Channel 9.
  • [22] M. Naveed, S. Kamara, and C. V. Wright. Inference attacks on property-preserving encrypted databases. In I. Ray, N. Li, and C. Kruegel, editors, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-6, 2015, pages 644–655. ACM, 2015.
  • [23] P. Paillier. Paillier encryption and signature schemes. In Encyclopedia of Cryptography and Security, 2nd Ed., pages 902–903. 2011.
  • [24] R. A. Popa, F. H. Li, and N. Zeldovich. An ideal-security protocol for order-preserving encoding. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013, pages 463–477. IEEE Computer Society, 2013.
  • [25] R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakrishnan. Cryptdb: protecting confidentiality with encrypted query processing. In T. Wobber and P. Druschel, editors, Proceedings of the 23rd ACM Symposium on Operating Systems Principles 2011, SOSP 2011, Cascais, Portugal, October 23-26, 2011, pages 85–100. ACM, 2011.
  • [26] T. Sanamrad, L. Braun, D. Kossmann, and R. Venkatesan. Randomly partitioned encryption for cloud databases. In V. Atluri and G. Pernul, editors, Data and Applications Security and Privacy XXVIII - 28th Annual IFIP WG 11.3 Working Conference, DBSec 2014, Vienna, Austria, July 14-16, 2014. Proceedings, volume 8566 of Lecture Notes in Computer Science, pages 307–323. Springer, 2014.
  • [27] F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: trustworthy data analytics in the cloud using SGX. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015, pages 38–54. IEEE Computer Society, 2015.
  • [28] SQL. Sql server always encrypted, 2015. https://msdn.microsoft.com/en-us/library/mt147923.aspx.