HardIDX: Practical and secure index with SGX in a malicious environment

Abstract

Software-based approaches for search over encrypted data are still either challenged by lack of proper, low-leakage encryption or slow performance. Existing hardware-based approaches do not scale well due to hardware limitations and software designs that are not specifically tailored to the hardware architecture, and are rarely well analyzed for their security (e.g. the impact of side channels). Additionally, existing hardware-based solutions often have a large code footprint in the trusted environment susceptible to software compromises. In this paper we present HardIDX: a hardware-based approach, leveraging Intel’s SGX, for search over encrypted data. It implements only the security critical core, i.e., the search functionality, in the trusted environment and resorts to untrusted software for the remainder. HardIDX is deployable as a highly performant encrypted database index: it is logarithmic in the size of the index and searches are performed within a few milliseconds rather than seconds. We formally model and prove the security of our scheme showing that its leakage is equivalent to the best known searchable encryption schemes. Our implementation has a very small code and memory footprint yet still scales to virtually unlimited search index sizes, i.e., size is limited only by the general – non-secure – hardware resources.

Keywords

Secure index secure search Intel SGX

1. Introduction

Outsourcing the storage and processing of sensitive data to untrusted cloud environments introduces new threats, compared to local data processing, due to possible data leakage, government intrusion, and legal liability. Cryptographic solutions such as Secure Multiparty Computation (MPC) [8,34] and in particular Fully Homomorphic Encryption (FHE) [30] offer a high degree of protection by allowing arbitrary computation on encrypted data. However, MPC and FHE schemes are still impractical for adoption in large distributed systems [19,31].

Moreover, there are a number of useful applications that only require a small set of operations rather than the universal solutions offered by MPC/FHE. A prime example of such operations is the search and retrieval in encrypted databases without the need to download all data from the cloud. For searching over encrypted data, different cryptographic schemes have been proposed such as property-preserving encryption [7,10], or functional encryption [12] and its special case searchable encryption [22,41,48,65]. In this context, performing efficient and secure range queries are commonly considered to be very challenging. CryptDB [59] resorts to order-preserving encryption for this purpose which is susceptible to simple ciphertext-only attacks as shown by Naveed et al. [54].

As we will elaborate in our related work section, many schemes for search over encrypted data supporting range queries require search time linear in the number of database records. Recently, schemes with polylogarithmic search time, based on an index structure, have been proposed [23,26,48]. Nonetheless, the first scheme in [48] is not yet practical, because it applies pairing-based cryptography and also leaks sensitive information about the plaintext, namely the order of the plaintexts. In contrast, [23] and [26] presented approaches with polylogarithmic search time that utilize only lightweight cryptography, that is, pseudorandom functions and symmetric encryption. Out of the many schemes presented in [23], the most secure approach, without false positives and bearable storage cost achieves practical deployability. However, it still leaks much sensitive information, e.g. the search pattern and the range size of each query. Hence, designing an efficient searchable encryption scheme with minimal leakage on the queried ranges remains an open challenge.

Another line of research [4,5] leverages the developments in hardware-assisted Trusted Execution Environments (TEEs) for search over encrypted data. Although Intel’s recently introduced Software Guard Extension (SGX) [2,20,36,38,40,50] has inspired new interest in TEEs, related technologies have been available before, e.g. in ARM processors known as ARM TrustZone [3] as well as in academic research [14,44,66]. Also, AMD has recently announced a TEE for their CPUs [42] rising the hope that TEEs will be widely available in x86 processors, and thus in many relevant environments such as clouds, in the near future.

TEEs provide the secure isolation of sensitive data and computation in hostile environments. For instance, SGX loads application code and data from main memory into an isolated memory, which assures confidentiality and integrity of its data against malicious software on the same system, including privileged software like operating system (OS) or hypervisor. These properties are only guaranteed as long as the TEE operates completely self-contained. However, TEEs have to interact with untrustworthy components within the same computer system for various reasons. In particular, TEEs often have limited resources and need to utilize untrusted resources of their host system. For instance, in case of limited memory it swaps out data to untrusted memory or storage. Hence, in order to achieve comprehensive security, information leakage through those channels has to be considered and taken care of. Previous solutions for isolating databases with SGX load and execute the entire unmodified database management system (DBMS) into an enclave [4,5], but they do not consider possible side channels occurring from the use of untrusted resources as well as resource sharing between TEE and untrusted host. In particular, previous works do not formally consider information leakage. Additionally, they do not scale well due to the limited memory size of SGX’s enclaves and the large footprint of the code they require in the TEE.

Our goal and contribution. We present an efficient scheme for search over encrypted data using SGX that can directly be deployed as a database index. We utilize SGX’s protection characteristics to achieve an outstanding tradeoff between security, performance and functionality. The currently fastest software-based schemes that support range queries are [23] and [26]. Our solution significantly improves over these approaches in terms of performance and storage. Compared to the latest hardware-based schemes [4,5], we improve in terms of security and scalability. Our scheme organizes data in a $B^{+}$ -tree [6] structure that is frequently used for databases indexes in most database management systems (DMBSs) [52,60], for data access [67] as well as for file systems [32,64] to vastly improve the performance of search operations. Our solution supports searches for single values and value ranges. Additionally, our solution can be adapted easily to many other database (search) operations.

We provide two constructions of our search scheme differing in the management of the $B^{+}$ -tree. The tree is either loaded and handled as a whole inside the enclave, or is loaded in an on-demand fashion (see Section 5). Although the tree does not directly leak information about the content of the (encrypted) index, it can leak access pattern information observed during query processing. For both constructions, we show the access pattern leakage with respect to side channels observable by an attacker. Furthermore, we show that the leakage of both constructions is almost the same differing only by their granularity.

We implemented and extensively evaluated both constructions on SGX-enabled hardware (see Section 7 and Section 8). The first construction loads the whole $B^{+}$ -tree structure in an SGX enclave and performs search queries thereafter. However, it is not possible to load arbitrarily large structures into an enclave, as enclave size is limited. We will detail this in Section 7. Our second construction only loads those data in SGX that is currently needed to process a search query. It has a very small code and memory footprint in the TEE compared to other hardware-based approaches [4,5]. Additionally, it scales to arbitrary index sizes, as memory usage in the enclave is constant and untrusted resources are used to store the database itself.

Enhancements compared to conference version. Our solution displays its strength when it is deployed in the cloud. In this scenario, the cloud server has full control over the software. For that reason, internal or external attackers (e.g. administrators or governments) can launch active attacks on the data. Many related papers only consider a passive attacker, but there is no reason why an attacker with full control should refrain from active manipulations. We enhance the work in [27] by a thorough treatment of an active attacker in Section 6. In this extended version, we repeat the relevant background sections from [27] and extend them in many details, e.g. a more formal description of our first construction, a proof for the first construction to highlight the differences on a formal level and a detailed implementation section.

Our main contributions are as follows:

Our scheme has logarithmic complexity in the size of index and searches are performed within a few milliseconds.

We formally model and prove our scheme secure showing that its security (leakage) is comparable to the best known searchable encryption schemes.

We present a scheme that provides security under an active attacker.

We provide an implementation and evaluate the performance and functional bottleneck of SGX on the basis of two different constructions that are designed specifically for SGX to reduce the Trusted Computing Base.

2. Background

We will start by briefly introducing SGX towards which we design HardIDX. Note, our solution is not strictly limited to SGX and could be used with any other system having a TEE with capabilities similar to SGX (e.g., Sanctum [21]). Afterwards we explain the basics of side channel attacks, which are a major concern for HardIDX.

2.1. Intel Software Guard Extensions (SGX)

SGX is an extension of the x86 instruction set architecture (ISA) introduced with the 6th Generation Intel Core processors (code name Skylake). We now present a high level overview of SGX’s features utilized by HardIDX (see [2,20,36,38,40,50] for more details).

Memory isolation. On SGX enabled platforms, programs can be divided into two parts, an untrusted part and an isolated, trusted part. The trusted part, called enclave in SGX terminology, is located in a dedicated portion of the physical RAM. The SGX hardware enforces additional protection on this part of the memory. In particular, all other software on the system, including privileged software like OS, hypervisor, firmware and code in system management mode (SMM) cannot access the enclave memory.

The untrusted part is executed as an ordinary process within the virtual memory address space and the enclave memory is mapped into the virtual memory of the untrusted host process. This mapping allows the enclave to access the entire virtual memory of its host process, while the (untrusted) host process can invoke the enclave only through a well-defined interface. Furthermore, all isolated code and data is encrypted while residing outside of the CPU package. Decryption and integrity checks are performed when the data is loaded inside the CPU.

Memory management. SGX dedicates a fixed amount of the system’s main memory (RAM) for enclaves and related metadata. For current systems this memory is limited to 128 MB which is used for both, SGX metadata and the memory for the enclaves themselves. The latter is called Enclave Page cache (EPC) and is about 96 MB according to our evaluations. The SGX memory is reserved in the early boot phase and is static throughout the runtime of the system. As the number of enclaves which may be loaded and executed in parallel is virtually unlimited, the OS has to manage the enclave memory dynamically. The OS can allocate (parts of) the memory to individual enclaves and change these allocation during the runtime of the enclaves. In particular, the OS can swap out enclave pages. SGX ensures integrity, confidentiality and freshness of swapped-out pages.

Attestation. SGX has a remote attestation feature which allows to verify the correct creation of an enclave on a remote system. During enclave creation the initial code and data loaded into the enclave are measured. This measurement can be provided to an external party to prove the correct creation of an enclave. The authenticity of the measurement as well as the fact that the measurement originates from a benign enclave is ensured by a signature, provided by SGX’s attestation feature (refer to [2] for details). This signature is provided by a component of SGX, called quoting enclave (QE). The QE accepts only measurements from the hardware and the hardware ensures that only correct enclaves are measured. Furthermore, the remote attestation feature allows for establishing a secure channel between an external party and an enclave.

2.2. Side channel attacks

Side channel attacks allow an adversary to extract sensitive information without having direct access to the information source by observing effects of the processing of the sensitive information. Side channel attacks have been known for a long time and various variants have been studied in the past, including hardware side channels like ground potential, EM or power consumption [29]; software timing side channels that can be observed remotely [15] as well as locally, e.g. through cache timing side channels [47,56,72]. However, all these side channel attacks are noisy and require repeated execution and measurements to extract the sensitive information.

In the context of SGX there exist a new class of side channels, called deterministic side channel [71]. As the OS is untrusted, yet still manages the enclave’s resources, including enclave memory, it can observe the enclaves behavior. In particular, the OS can generate a precise trace of the enclave’s code and data accesses at the granularity of pages. In [71] it is shown that this allows to extract sensitive information from an SGX enclave.

3. High level design

Now, we will give a high level description of our design and describe the general working of our scheme. Afterwards we explain our attacker model.

3.1. HardIDX overview

The high level design of our solution is shown in Fig. 1(a). The design involves three entities: the client (who is the data owner and therefore trusted), the untrusted SGX enabled server and the trusted SGX enclave within the server.

Fig. 1.

System model.

Initially, a client prepares its data values by augmenting it with (index) search keys. We abbreviate data values as values and search keys as keys throughout this paper. All other values and keys (e.g. cryptographic keys) are clearly differentiated if ambiguous. The values are stored at pseudo-random position. The keys are then inserted into a $B^{+}$ -tree and the storage order of all nodes is also pseudo-random. The tree and values are linked by adding pointers to the leaves of the tree identifying the random position of the corresponding values. A value can be any data such as records in a relational database or files/documents in other database types. The client then encrypts all nodes of the tree with a secret key $S K_{k_{}}$ and all values with $S K_{v}$ . Then, it deploys the encrypted $B^{+}$ -tree and encrypted values on the untrusted server in the cloud (see step in Fig. 1(a)1

For visualization purposes, the tree nodes and values are shown to be encrypted as a block. In reality each node and value is encrypted individually.

In the second step, a secure connection is established between the client and the enclave. The client uses the SGX attestation feature for authenticating the enclave (see Section 7 for details). Through this secure connection, the client provisions $S K_{k_{}}$ into the enclave (see step ). This step completes the setup of our scheme, which needs to be executed only once. Even when the enclave is unloaded, e.g., due to a reboot, the state (including $S K_{k_{}}$ ) can be securely stored and restored from local memory [2].

From now on the client can send (index) search queries to the server. Randomized encryption with the key $S K_{k_{}}$ is used for all search queries. Hence, the untrusted server cannot learn anything about the query, not even if the same query was send before. When a query arrives in the enclave, $S K_{k_{}}$ is used to decrypt the query (see step ).

In step , the enclave loads the $B^{+}$ -tree structure (tree nodes, but no values) from the untrusted storage into enclave memory and decrypts it. Given sufficient memory, the entire tree is loaded into the enclave and the search is performed afterwards (see step ).

However, as the tree size can exceed the memory available inside the enclave we provide a second design. In this case, only a subset of tree nodes is loaded into the enclave. The tree is traversed starting from the root node. When the search reaches an edge to a node, which is currently not present in the enclave, it is fetched from the untrusted storage.

In both cases the search algorithm eventually reaches a set of leaf nodes, which holds pointers to values matching the query. This list of pointers, representing the search result, is passed to the untrusted part (see step ). The untrusted part learns nothing, except for the cardinality of the result set, from this interaction, because the values are stored in a randomized order.

The result of the index search could be processed further, e.g. in combination with additional SQL operators, in the SGX enclave at the server. In order to complete the end-to-end secure search we assume that the server uses the pointers, in step , to fetch the encrypted values from untrusted storage and sends them to the client. The client uses $S K_{v}$ to decrypt the received files.

Notably, the plaintext data values are never available on the server. They are encrypted with strong standard cryptography methods (AES-128 in GCM mode in our case) and never decrypted on the server, not even inside the SGX enclave. The key to decrypt the values is only know to the client.

3.2. Assumptions and attacker model

We assume a system which provides SGX (or any TEE with capabilities similar to SGX). In particular, code and data inside the TEE are protected with respect to their integrity and confidentiality. We further assume that the TEE provides means to establish a secure channel to the client which allows secure communication and secure provisioning.

Our attacker model is illustrated in Fig. 1(b). Due to SGX’s protection, the attacker cannot directly access the enclave. However, side channels exist, which could potentially be used by the attacker to extract sensitive information. In particular, the attacker aims to learn the structure of the $B^{+}$ -tree which represents the order relation between the indexed data.

We assume the attacker has full control over all software on the system running HardIDX and he can perform active attacks. (1) The attacker can observe all interaction of the enclave with resources outside the enclave. In particular, the attacker can observe the access pattern to $B^{+}$ -tree nodes stored outside the enclave. (2) The attacker can use deterministic page-fault side channel to observe data access inside the enclave at page granularity [71]. Through this side channel, the attacker can observe access patterns on the $B^{+}$ -tree stored inside the enclave. (3) The attacker can use cache side channel to learn about code paths or data access patterns inside the enclave, as SGX does not protect against them [20]. (4) The attacker can deviate from the defined protocol to gain additional sensitive information. For ease of explanation, we begin with a passive attacker in Section 4–5 and explain our additional protection mechanisms in Section 6.

Hardware attacks (in particular hardware/physical side channels) are out of scope in this paper. Furthermore, we consider denial of service (DoS) attacks out of scope, as the untrusted server could always refuse to serve the enclave. Similarly, the network connection between the client and the server is vulnerable to DoS attacks.

4. Notation and definitions

4.1. $B^{+}$ -Tree

A $B^{+}$ -tree is a balanced, n-ary search tree. So called search keys are utilized to index values. A $B^{+}$ -tree can be used to search for single values, e.g. unique staff ids are used to find the corresponding database record (see Fig. 2). Additionally, a $B^{+}$ -tree can perform range searches i.e. retrieve all records below or above a limit or between limits. This is usable, e.g. to query all staff members with a specific salary range if an index is built for the salary data.

Fig. 2.

$B^{+}$ -tree example (random storage position on the left): the unique staff ids (inside the rectangles) are used as keys and the values are the staff records. The records contain surnames, last names and more attributes.

Three node types are differentiated in a $B^{+}$ -tree: the root node, internal nodes and leaf nodes. Every node x contains $x . # k$ keys that are stored in a nondecreasing order: $x . k_{1} ⩽ \dots ⩽ x . k_{x . # k}$ . At every inner node x (including the root if not the only node), the keys separate the key domain into $(x . # k + 1)$ subtrees that are reachable by $(x . # k + 1)$ child pointers: ${x . p_{0}, \dots, x . p_{(x . # k)}} = x . p$ . Every key $x . k_{i}$ has a corresponding pointer $x . p_{i}$ that points to a node containing elements greater than or equal to $x . k_{i}$ and smaller than any other tag $x . k_{j}$ $\forall j \in [i + 1, x . # k]$ . $x . p_{0}$ points to a node containing only keys, which are smaller than $x . k_{1}$ . No internal node is linked to a value. Instead, every leaf node x stores $x . # k$ keys and a pointer to its corresponding value ( $x . p_{0}$ is not used at the leaves). We denote the $B^{+}$ -tree without the values as $B^{+}$ -tree structure. Every node x in the tree has a unique id $x . id$ , a flag stored in $x . isLeaf$ if it is a leaf and we denote $p_{x_{i}}$ as the storage position of $x_{i}$ , i.e. the physical memory address.

We use unchained $B^{+}$ -trees, i.e. the leafs are not connected. Linked leaves would increase the search performance, but it would severely deteriorate the security. The reason is that a range query would directly leak the relationship among leaves if links are followed during a query.

In our constructions, it is not necessary to define the key domain in advance as in many other approaches. It is not even necessary that the domain is a range of integers. Instead, D can be an arbitrary domain with a defined order relation and a defined minimal and a maximal element recognizable by the algorithms. These two elements, denoted as $- \infty$ and ∞, fulfill the following: $- \infty < x . k_{} < \infty$ $\forall x . k_{} \in D$ .

The branching factor b specifies a $B^{+}$ -tree by defining the maximal number of pointers. b also defines the minimal number of pointer for the different node types, but we do not further elaborate on details. For ease of exposition, we assume that every key and pointer fits in an 32 bit block, but this is no prerequisite for our constructions.

4.2. Probabilistic symmetric encryption

A probabilistic authenticated symmetric encryption consists of three probabilistic polynomial-time algorithms $PASE = (PASE_Gen (1^{λ}), PASE_Enc (S K, v), PASE_Dec (S K, C))$ . It provides confidentiality, integrity and authenticity. $PASE_Gen$ takes a security parameter $1^{λ}$ as input and generates a secret key $S K$ . $PASE_Enc$ takes the key $S K$ and a value v as input and returns a ciphertext C. $PASE_Dec$ takes the key $S K$ and a ciphertext C as input and returns $k_{}$ iff $k_{}$ was encrypted with $PASE_Enc$ under the key $S K$ . Otherwise, it returns ⊥. $PASE$ has to be an authenticated IND-CCA secure encryption, e.g. AES-128 in GCM mode.

4.3. Hardware secured $B^{+}$ -tree ( $HSBT$ )

Based on the presented definition of a $B^{+}$ -tree, we define the notion of a Hardware Secured $B^{+}$ -tree as follows. We assume that the $B^{+}$ -tree should store a set s of n key-value pairs: $s = ((k_{1}, v_{1}), \dots, (k_{n}, v_{n}))$ . This set consists of n values $v = (v_{1}, \dots, v_{n})$ and their corresponding keys $k = (k_{1}, \dots, k_{n})$ .

Definition 1 ( $HSBT$ ).

A secure hardware $B^{+}$ -tree scheme is a tuple of six polynomial-time algorithms (HSBT_Setup, HSBT_Enc, HSBT_Tok, HSBT_Dec, HSBT_SearchRange, HSBT_SearchRange_Trusted).

Algorithms executed at the client: $S K \leftarrow HSBT_Setup (1^{λ})$ :

Take the security parameter λ as input and output a secret key $S K$ .

γ \leftarrow HSBT_Enc (S K, s)

Take the secret key $S K$ and a set s of key-value pairs as input. Output an encrypted $B^{+}$ -tree γ.

τ \leftarrow HSBT_Tok (S K, R)

Take the secret key $S K$ and a range $R = [R_{s}, R_{e}]$ as input. Output a search token τ.

v^{'} \leftarrow HSBT_Dec (S K, C^{'})

Take the secret key $S K$ and a set of ciphertext $C^{'}$ as input. Decrypt the ciphertexts and output plaintext values $v^{'}$ .

Executed at the server on untrusted hardware:

C^{'} \leftarrow HSBT_Search Range (τ, [γ])

Take a search token τ and optionally an encrypted tree γ as input and call the secure hardware function $HSBT_Search Range_Trusted$ . Output a set of encrypted values $C^{'}$ .

Executed at the server on secure hardware:

P \leftarrow HSBT_Search Range_Trusted (τ, [X])

Take a search token τ and optionally nodes X as input. Output a set of pointers P.

In the following definitions and constructions, we assume a passive attacker. This is important, as especially the correctness can easily be thwarted by an active attacker. For instance, he can drop results before they are transferred to the client. We present implications of an active attacker and countermeasures in Section 6.

Definition 2 (Correctness).

Let $D$ denote a $HSBT$ -scheme consisting of the six algorithms described in Definition 1. Given a passive attacker, we say that $D$ is correct if for all $λ \in N$ , for all $S K$ output by $HSBT_Setup (1^{λ})$ , for all key-value pairs s used by $HSBT_Enc (S K, s)$ to output γ, for all R used by $HSBT_Tok (S K, R)$ to output τ, for all $C^{'}$ output by $HSBT_Search Range (τ, [γ])$ , the values $v^{'}$ output by $HSBT_Dec (S K, C^{'})$ are all values in s for which the corresponding keys $k^{'}$ fall in R, i.e. $v^{'} = {v_{i} ∣ (k_{i}, v_{i}) \in s \land k_{i} \in [R_{s}, R_{e}] = R}$ .

Our security model, which we define next, is based on a three step framework introduced by Curtmola et al. in [22]. The first step is to formulate a leakage, i.e. an upper bound of the information that an adversary can gather from the protocol. Secondly, one defines the ${Real}_{A} (λ)$ and a ${Ideal}_{A, S} (λ)$ game for an adaptive adversary $A$ and a polynomial time simulator $S$ . ${Real}_{A} (λ)$ is the execution of the actual protocol and ${Ideal}_{A, S} (λ)$ utilizes $S$ to simulate the real game by using only the formulated leakage. An adaptive adversary can use information learned in previous protocol iterations for its queries. Third, a scheme is CKA2-secure if one can show that $A$ can distinguish the output of the games with probability negligibly close to 0. This in turn means that $A$ does not learn anything besides the leakage stated in the first step, because otherwise he could use this additional information to distinguish the games.

At security models of searchable encryption schemes so far, the leakage only covers the transaction between the client and server. In our scenario, there is an additional transaction between the server and the secure hardware that can be viewed by the adversary. Therefore, we extend the CKA2-security to CKA2-HW-security by introducing a new type of leakage denoted as $L_{h w}$ . It consists of the inherent leakage of the used secure hardware and the inputs/outputs to/from the secure hardware.

Definition 3 (CKA2-HW-security).

Let $D$ denote a $HSBT$ -scheme consisting of the six algorithms described in Definition 1. Consider the probabilistic experiments ${Real}_{A} (λ)$ and ${Ideal}_{A, S} (λ)$ , whereas $A$ is a stateful passive adversary and $S$ is a stateful simulator that gets the leakage functions $L_{e n c}$ and $L_{h w}$ . ${Real}_{A} (λ)$ :

the challenger runs $HSBT_Setup (1^{λ})$ to generate a secret key $S K$ . $A$ outputs a set of key-value pairs $s = ((k_{1}, v_{1}), \dots, (k_{n}, v_{n}))$ . The challenger calculates $γ \leftarrow HSBT_Enc (S K, s)$ and passes γ to $A$ . Afterwards, $A$ makes a polynomial number of adaptive queries for arbitrary ranges R. The challenger returns search tokens τ to $A$ after calculating $τ \leftarrow HSBT_Tok (S K, R)$ . $A$ can use γ and the returned tokens at any time to make queries to the secure hardware. The secure hardware returns a set of pointers P. Finally, $A$ returns a bit $b$ that is the output of the experiment.

{Ideal}_{A, S} (λ)

the adversary $A$ outputs a set of key-value pairs $s = ((k_{1}, v_{1}), \dots, (k_{n}, v_{n}))$ . Using $L_{e n c}$ , $S$ creates γ and passes it to $A$ . Afterwards, $A$ makes a polynomial number of adaptive queries for arbitrary ranges R. The simulator $S$ creates tokens τ and passes them to $A$ . The adversary $A$ can use γ and the returned tokens at any time to make queries to $S$ (that simulates the secure hardware). $S$ is given $L_{h w}$ and returns a set of pointers P. Finally, $A$ returns a bit $b$ that is the output of the experiment.

We say $D$ is ( $L_{e n c}$ , $L_{h w}$ )-secure against adaptive chosen-keyword attacks if for all probabilistic polynomial-time algorithms $A$ , there exists a probabilistic polynomial-time simulator $S$ such that $\begin{matrix} | Pr [{Real}_{A} (λ) = 1] - Pr [{Ideal}_{A, S} (λ) = 1] | ⩽ negl (λ) \end{matrix}$

5. Search algorithms

In this section, we will present two different constructions that enable a client to the search for a single value or a range of values based on keys. We use $B^{+}$ -trees in both constructions to achieve logarithmic search and SGX to protect the confidentiality and integrity of the data.

5.1. Construction 1

We describe our first correct (according to Definition 2) and secure (according to Definition 3) construction in this section. The guiding idea of the construction is that the entire data should be stored and processed inside the enclave. The client starts by generating $S K_{k_{}}$ and $S K_{v}$ . It then constructs the $B^{+}$ -tree locally, encrypts the $B^{+}$ -tree structure and the values with $S K_{k_{}}$ and $S K_{v}$ , respectively.

The SGX application gets deployed to an SGX capable server at a cloud provider (see Section 2.1 for details). The remote attestation protocol of Intel SGX (see Section 2.1) is used between client and server to prove to the client that the correct software is deployed on an SGX enabled CPU. During the deployment, the application reserves an SGX protected memory region. The secure channel that is established during remote attestation is used to deploy $S K_{k_{}}$ inside the enclave. Thus $S K_{k_{}}$ is only known by the enclave’s process and the client. The cloud provider and all other processes cannot access this key at any point in time.

Next, the clients sends the $B^{+}$ -tree structure and the values to the application server in the cloud. The application server loads the $B^{+}$ -tree structure from an untrusted to the isolated memory region and use $S K_{k_{}}$ (inside an isolated SGX enclave) to decrypt the tree nodes. It is important to note that the tree is still protected, because all data inside the enclave is secured by SGX. The enclave is then ready to receive search queries from the client.

Since the values (e.g., full staff records) can be very large, the data transfer to the enclave can cause a severe performance overhead. We, therefore, store the values outside of the enclave. A second reason is the limited size of protected memory inside an enclave. Storing the values outside of the enclave has no security implications as the values are encrypted with an authenticated IND-CCA secure encryption scheme and they are stored in a randomized order. The untrusted part receives only pointers to the values from the trusted part and loads them from memory or disk by itself.

We now describe the $HSBT$ -scheme $HSBT 1$ consisting of the six algorithms (HSBT1_Setup, HSBT1_Enc, HSBT1_Tok, HSBT1_Dec, HSBT1_SearchRange, HSBT1_SearchRange_Trusted) and utilizing a pseudorandom permutation $Π : {0, 1}^{λ} \times {0, 1}^{{log}_{2} # x} \to {0, 1}^{{log}_{2} # x}$ in more detail.

Algorithms executed at the client: $S K \leftarrow HSBT 1_Setup (1^{λ})$ :

Use input λ to execute $PASE_Gen$ two times and output $S K = (S K_{k_{}}, S K_{v})$ that the two instances of $PASE_Gen (1^{λ})$ output. $S K_{v}$ and $S K_{k_{}}$ are kept secret at the client. $S K_{k_{}}$ is additionally shared with the server enclave using a secure transport and deployment protocol. The enclave stores $S K_{k_{}}$ inside the isolated enclave.

γ \leftarrow HSBT 1_Enc (S K, s)

Take $S K$ and $s = ((k_{1}, v_{1}), \dots, (k_{n}, v_{n}))$ as input. Start by storing all values $v = (v_{1}, \dots, v_{n})$ in a random order. An almost standard $B^{+}$ -tree insertion is used for all keys. One difference is that every newly created node x gets an id according to the creation order, i.e. the first node gets id 0 ( $x_{} . id = 0$ ), the second id 1 ( $x_{} . id = 1$ ) et cetera. After each pair is inserted, the empty position for keys and pointers in the tree get filled up. More specifically, a node x that contains $x . # k$ keys from the domain gets filled with $(b - 1 - x . # k)$ keys ∞ and $(b - x . # k)$ dummy pointers. Then, all keys and pointers are padded to a length of 32 bit (as mentioned before, this is no prerequisite of our solution). The ids are used by the algorithm to store the nodes at pseudorandom positions: $p_{x_{}} = Π (S K_{k_{}}, x_{} . id)$ . Now, we have a $B^{+}$ -tree in which every node occupies the same storage space and the order of the nodes and values is random. Finally, $PASE_Enc (S K_{v}, \cdot)$ is used to encrypt every value and $PASE_Enc (S K_{k_{}}, \cdot)$ is used to encrypt every node. The encrypted nodes and values form the encrypted tree γ, which is protected by an authenticated IND-CPA secure encryption.

τ \leftarrow HSBT 1_Tok (S K_{k_{}}, R)

Use input $S K_{k_{}}$ and $R = [R_{s}, R_{e}]$ to calculate $τ \leftarrow PASE_Enc (S K_{k_{}}, R_{s} ∥ R_{e})$ and output τ. Query for all elements below $R_{e}$ or all elements above $R_{s}$ can be created by using $R_{s} = - \infty$ or $R_{e} = \infty$ , respectively.

v^{'} \leftarrow HSBT 1_Dec (S K_{v}, C^{'})

Use input $S K_{v}$ to decrypt the encrypted values $C^{'} = (C_{0}, \dots, C_{j})$ : $v^{'} = (PASE_Dec (S K_{v}, C_{0}), \dots, PASE_Dec (S K_{v}, C_{j}))$ . Output $v^{'}$ .

Executed at the server on untrusted hardware:

C^{'} \leftarrow HSBT 1_Search Range (τ)

Take the search token τ as input, pass τ to the trusted part and return the result values (by dereferencing the pointers): $C^{'} = (C_{0}, \dots, C_{j})$ . See Algorithm 1 for details.

Algorithm 1

$HSBT 1_Search Range (τ)$

Executed at the server on secure hardware:

Algorithm 2

$HSBT 1_Search Range_Trusted (τ)$

P \leftarrow HSBT 1_Search Range_Trusted (τ)

Take the search token τ as input, decrypt the token, perform a $B^{+}$ -tree traversal and return the pointers that lead to values falling in the queried range in a random order. The list with the currently processed nodes (X) is shuffled to further hide the order. Note that the enclave does not have to decrypt the nodes, because the client’s encryption was removed already and the CPU has plaintext access to them. See Algorithm 2 for details.

The construction is correct according to Definition 2, because it performs a textbook $B^{+}$ -tree traversal (with an additional randomize step) inside SGX. Furthermore, it is based on a correct $PASE$ -scheme.

A substantial advantage of the approach to put the whole functionality in an enclave is that SGX provides a high level of protection for the enclave memory and thus the $B^{+}$ -tree. One would even assume that an attacker does not learn anything about the tree traversal, because all operations are executed only in protected memory. Unfortunately, SGX is not able to fully protect the access pattern.

As mentioned before, we assume that an attacker is able to reveal the accessed pages during the $B^{+}$ -tree traversal. Each page allocates 4 kB and every encrypted node consists of one or multiple AES-blocks. Up to $k = 4 kB / (o \cdot 128 bit)$ nodes are contained in one page if o AES-blocks are used by each node. Experiments showed that 102 AES-blocks are used for each node if $b = 100$ and 32 bit keys and pointers are used. Therefore, even multiple of those huge nodes fit within a single page. We use the notation $x \in ω$ to express that x is stored in page ω. The $B^{+}$ -tree nodes are stored next to each other in memory and they fit in $# ω = k / # x$ pages $Ω = (ω_{1}, \dots, ω_{# ω})$ .

Next, we will prove the security of Construction 1. The first step is to define the leakage functions that are based on the attack model described in Section 3.2. $L_{e n c} (s)$ :

Given the key-value pairs $s = ((k_{1}, v_{1}), \dots, (k_{n}, v_{n}))$ , this function outputs the amount n of values, the size of each value and the amount of $B^{+}$ -tree nodes $# x$ .

L_{h w} (s, T, R, t_{})

Given the key-value pairs s, the plaintext $B^{+}$ -tree T and the search range R and given point in time $t_{}$ , this function outputs the pages access pattern $P (s, T, R, t_{})$ and the values access pattern $Δ (s, T, R, t_{})$ .

Loosely speaking, the pages access pattern $P (s, T, R, t_{})$ is a tree that contains all pages in Ω that get accessed when the range R is searched for. An edge in $P$ from a parent to a child means that the child page gets accessed after the parent page. More formally, we define M as the set that contains pages, in which leaf nodes are present that contain keys from the search range, i.e. $M = {ω ∣ ω \in Ω \land x \in ω \land x_{} \in T \land x_{} . isLeaf \land x . k_{j} \in R, j \in [1, b - 1]}$ . Additionally, we define $x_{} \to {parent}_{1}$ as the parent node of x in T and $x_{} \to {parent}_{l}$ denotes the node that is reached by moving l layers up in the tree T starting from x. Now, we can specify the node set Y of $P$ as $Y = {ω_{i} ∣ ω_{i} \in M} \cup {ω_{i} ∣ ω_{j} \in M \land x_{1} \in ω_{j} \land ω_{i} \in Ω \land x_{2} \in ω_{i} \land x_{2} \in T \land x_{2} = = x_{1} \to {parent}_{l}, l \in [1, h - 1]}$ . The edge set of $P$ is ${(ω_{i}, ω_{j}) ∣ ω_{i}, ω_{j} \in Y \land \exists x_{1}, x_{2} \in T : x_{1} \in ω_{i} \land x_{2} \in ω_{j} \land i \neq j \land x_{1} = = x_{2} \to {parent}_{1}}$ . The time parameter $t_{}$ defines a snapshot of the random (but fixed) order of sibling nodes at a given point in time. See Fig. 3 for an illustrative example.

The values access pattern $Δ (s, T, R, t_{})$ is defined as the pointers to the result values together with the pages that contain nodes in which these pointers are stored. More formally, $Δ (s, T, R, t_{}) = {(ω, P_{ω}) ∣ ω \in Ω \land x \in ω \land x \in T \land x . isLeaf \land \exists x . k_{j} \in R, j \in [1, b - 1] \land P_{ω} = {x . p_{l} ∣ x \in ω \land x . k_{l} \in R, l \in [1, b - 1]}}$ . The time parameter $t_{}$ defines a random but fixed order of the pointers.

The pages access pattern and the values access pattern are worst case estimations. An attacker would require many queries to exactly determine which page is a child of another page in

P

. The same applies for the exact matching of result values to a page.

Fig. 3.

Illustration of page access pattern leakage: (a) example $B^{+}$ -tree T (page containing the node on the left), (b) leakage $P (s, T, R, t_{})$ for $R = [33, 55]$ and $B^{+}$ -tree T at $t_{1}$ , (c) leakage $P (s, T, R, t_{})$ for $R = [33, 55]$ and $B^{+}$ -tree T at $t_{2}$ .

Theorem 1 (Security).

The secure hardware $B^{+}$ -tree construction $HSBT 1$ is ( $L_{e n c}$ , $L_{h w}$ )-secure according to Definition 3 .

Proof.
We describe a polynomial-time simulator $S$ for which a PPT adversary $A$ can distinguish between ${Real}_{A} (λ)$ and ${Ideal}_{A, S} (λ)$ with negligible probability.
Setup: $S$ creates a new random key $\tilde{S K} = PASE_Gen (1^{λ})$ and stores it.

Simulating γ: $S$ gets $L_{e n c}$ and creates $# x$ nodes $X = (x_{1}, \dots, x_{# x})$ filled with random keys, random pointers and increasing node ids. These nodes are stored in the pages $(ω_{1}, \dots, ω_{# ω})$ . Additionally, $S$ generates n encryptions of random values $C = (C_{1}, \dots, C_{n})$ using $PASE_Enc$ , the number of values and the size of the values. Every encrypted value is given a distinct index. $S$ outputs $γ = (X, C)$

All described operations are possible, because the amount n of values, the size of each value and the amount of nodes $# x$ are included in the leakage. The simulated γ has the same size as the output ${Real}_{A} (λ)$ and the IND-CPA-security of $PASE$ makes the nodes indistinguishable from the output of ${Real}_{A} (λ)$ .

Simulating τ: The simulator $S$ creates two random values ( $r_{1}$ and $r_{2}$ ) and encrypts them: $τ_{s} = PASE_Enc (\tilde{S K}, r_{1})$ , $τ_{e} = PASE_Enc (\tilde{S K}, r_{2})$ . $S$ outputs $τ = (τ_{s}, τ_{e})$ .

The simulated τ is indistinguishable from the output of ${Real}_{A} (λ)$ as a result of the IND-CPA-security of $PASE$ .

Simulating secure hardware: At time $t_{}$ , the simulator $S$ receives a range token τ and $L_{h w}$ . $S$ uses $P (s, T, R, t_{})$ to simulate the page access pattern. For this task, $S$ starts at the root of $P$ and follows the links as unambiguously defined by $t_{}$ . Afterwards, it outputs P = $⋃_{w}$ $P_{ω}$ for every $(ω, P_{ω}) \in$ $Δ (s, T, R, t_{})$ . The leakage Δ determines the order of the pointers in P for a specific point in time $t_{}$ .

$A$ cannot distinguish between the page access of ${Real}_{A} (λ)$ and the simulated access, because the page access pattern delivers deterministic results. Therefore, the results are consistent for different requests of the same range and also for queries of distinct or overlapping ranges. Furthermore, the number of result pointers matches and the pointers are consistent, because $Δ (s, T, R, t_{})$ is unambiguous. The values pointed on are indistinguishable, because they are protected by IND-CCA secure encryption.
□

Cloud computing enables the fast and cost-effective processing of large amounts of data. Unfortunately, Construction 1 suffers from the substantial problem mentioned before: the memory reserved for SGX is limited to 128 MB, and only about 96 MB can be used for data and code. SGX supports a larger enclave size, but enclave pages have to be swapped in and out in this case. Our evaluation (see Section 8) shows that even $50, 000, 000$ values are possible. A $B^{+}$ -tree, however, is only a small part of a full encrypted DBMS based on our constructions. Other components would occupy large regions of the restricted enclave memory and thus further limit the available space. For that reason, we present a second construction in the next section that does not have this problems.
5.2. Construction 2

In this section, we describe our second correct (according to Definition 2) and secure (according to Definition 3) construction. Instead of loading all nodes into the enclave the main idea is to only load the nodes required to traverse the tree. The challenge is to optimize the communication bottleneck between the untrusted part and the enclave. We performed extensive benchmarking and algorithm engineering in order to identify and minimize the most important run-time consuming tasks, such as switching between the untrusted part and the enclave. The decisive advantage of our second construction is that the required memory space inside the enclave is $O (1)$ for a tree of arbitrary size. The trade-off is that all nodes are stored encrypted inside untrusted main memory or on the untrusted disk and thus have to be decrypted by the enclave. This also leads to a slightly larger leakage than in the first construction, namely a finer-granular access pattern on node instead of page level (details are described by a formal model and proof later in this section).

The setup of the $HSBT$ -scheme is slightly different than in the first construction in order to implement the described features. As before, the $B^{+}$ -tree is constructed and encrypted at the client and is then transferred to the cloud provider. However, the application does not reserves memory for the whole $B^{+}$ -tree structure inside the enclave. Instead, it only reserves a fixed space, denoted as $reservedSpace$ , for on the fly processing. The remote attestation and secure key deployment are performed as in the previous construction.

(HSBT2_Setup, HSBT2_Enc, HSBT2_Tok, HSBT2_Dec, HSBT2_SearchRange, HSBT2_SearchRange_Trusted) is a second $HSBT$ -scheme consisting of six algorithms that utilizes a pseudorandom permutation $Π : {0, 1}^{λ} \times {0, 1}^{{log}_{2} # x} \to {0, 1}^{{log}_{2} # x}$ .

All algorithms but $HSBT 2_Search Range$ and $HSBT 2_Search Range_Trusted$ exactly match the descriptions of Construction 1. In contrast to Construction 1, these two algorithm get utilize the optional parameter γ and $nodes$ in $HSBT 2_Search Range$ and $HSBT 2_Search Range_Trusted$ , respectively. This is necessary, because the encrypted tree is not transferred to the enclave before the processing begins (as in Construction 1). We now describe the modified algorithms:

C^{'} \leftarrow HSBT 2_Search Range (τ, γ)

Take the search token τ and the encrypted tree γ as input. At the beginning, pass only the root node to the trusted part and receive pointers to nodes that should be traversed next. The trivial solution is to pass one node after another to the enclave. A severe problem with this design is that every context switch from the untrusted to the trusted part or back causes a substantial overhead. We therefore optimized the number of context switches: transfer as many nodes as currently in the queue, but not more than fit into $reservedSpace$ . We denote the maximal number of nodes as $maxAmount$ , which is directly influenced by the space reserved inside the enclave during the setup process: $maxAmount = reservedSpace / (o \cdot 128 bit)$ where o is the number of AES-blocks used by each node. Nodes are passed until no further are requested. Then output $C^{'}$ by dereferencing pointers to the values. See Algorithm 3 for details.

P \leftarrow HSBT 2_Search Range_Trusted (τ, X)

Take a search token τ and nodes X as input. Every incoming node is encrypted with $S K_{k_{}}$ . During the setup phase, $S K_{k_{}}$ was deployed inside the secure hardware. Therefore, the algorithm is able to decrypt all nodes and the token. Then, search all keys falling in the query range, whereby all keys are accessed. Finally, return the corresponding pointers in a random order. See Algorithm 4 for details.

Algorithm 3

$HSBT 2_Search Range (τ, γ)$

Algorithm 4

$HSBT 2_Search Range_Trusted (τ, X)$

The construction is correct according to Definition 2, because it is based on a textbook $B^{+}$ -tree traversal. The difference to the textbook algorithm is that the nodes are loaded inside the enclave after another and that each node is encrypted. These changes do not influence the correctness, because each node remains accessible to the enclave and the encryption (at the client) and the decryption (inside the enclave) are based on a correct $PASE$ -scheme.

We prove the security of Construction 2 by again defining the leakage functions that are based on the attack model described in Section 3.2.

L_{e n c} (s)

Given the key-value pairs $s = ((k_{1}, v_{1}), \dots, (k_{n}, v_{n}))$ , this function outputs the amount n of values, the size of each value and the amount of $B^{+}$ -tree nodes $# x$ .

L_{h w} (s, T, R, t_{})

Given the key-value pairs s, the plaintext $B^{+}$ -tree T, the search range R and given point in time $t_{}$ , this function outputs the nodes access pattern $X (s, T, R, t_{})$ and the value pointers access pattern $Δ (s, T, R, t_{})$ .

The nodes access pattern $X (s, T, R, t_{})$ is a tree that contains the storage positions of all nodes in T that get accessed when searching for the range R. For a more formal definition, we denote the set of leaf nodes that contain keys from the range as M, i.e. $M = {x_{} ∣ x_{} \in T \land x_{} . isLeaf \land x_{} . k_{j} \in R, j \in [1, b - 1]}$ . We again denote $x_{} \to {parent}_{j}$ as the parent node of x that is reached by moving j layers up in the tree T starting from x. Here, we denote a node that only contains the storage position of a node $x_{i}$ as $y_{i}$ . Now, we can specify the node set Y of $X$ as $Y = {y_{i} ∣ x_{i} \in M} \cup {y_{i} ∣ x_{i} \in T \land x \in M \land x_{i} = = x_{} \to {parent}_{j}, j \in [1, h - 1]}$ . The set of directed edges in $X$ is ${(y_{i}, y_{j}) ∣ y_{i}, y_{j} \in Y \land \exists x_{i}, x_{j} \in T : x_{i} = = x_{j} \to {parent}_{1}}$ . The time parameter $t_{}$ defines a snapshot of the random (but fixed) order of sibling nodes at a given point in time. See Fig. 4 for an illustrative example.

The value pointers access pattern $Δ (s, T, R, t_{})$ is defined as the pointers to the result values together with the leaf nodes in which these pointers are stored. More formally, $Δ (s, T, R, t_{}) = {(x_{}, P_{x}) ∣ x \in T \land x . isLeaf \land \exists x_{} . k_{j} \in R, j \in [1, b - 1] \land P_{x} = {x . p_{l} ∣ x_{} . k_{l} \in R, l \in [1, b - 1]}}$ . The time parameter $t_{}$ defines a random but fixed order of the pointers.

Fig. 4.

Illustration of nodes access pattern leakage: (a) example $B^{+}$ -tree T (random storage position on the left), (b) leakage $X (s, T, R, t_{})$ for $R = [33, 55]$ and $B^{+}$ -tree T at $t_{1}$ , (c) leakage $X (s, T, R, t_{})$ for $R = [33, 55]$ and $B^{+}$ -tree T at $t_{2}$ .

Theorem 2 (Security).

The secure hardware $B^{+}$ -tree construction $HSBT 2$ is ( $L_{e n c}$ , $L_{h w}$ )-secure according to Definition 3 .

Proof.
The simulator $S$ works as follows:
Setup: $S$ creates a new random key $\tilde{S K} = PASE_Gen (1^{λ})$ and stores it.

Simulating γ: $S$ gets $L_{e n c}$ and creates $# x$ nodes filled with 32 bit random keys and random pointers. Every node $x_{i}$ gets a unique node id $x_{i} . id \in [0, # x]$ and the node is stored at the position $p_{x_{i}} = Π (\tilde{S K}, x_{i} . id)$ . The nodes get encrypted with $PASE_Enc (\tilde{S K}, p_{x_{i}})$ . Additionally, $S$ generates n encryptions of random values $C = (C_{1}, \dots, C_{n})$ using $PASE_Enc$ , the number of values and the size of the values. Every encrypted value is given a distinct index. $S$ outputs $γ = (X, C)$ .

All described operations can be executed by $S$ , because the information required for the encryption of values is included in the leakage. The simulated γ has the same size as the output of ${Real}_{A} (λ)$ and the IND-CCA security of $PASE$ makes the nodes and values indistinguishable from the output of ${Real}_{A} (λ)$ .

Simulating τ: The simulator $S$ creates two random values $r_{1}$ and $r_{2}$ and encrypts them: $τ \leftarrow PASE_Enc (S K_{k_{}}, R_{s} ∥ R_{e})$ . $S$ outputs τ.

The simulated τ is indistinguishable from the output of ${Real}_{A} (λ)$ as a result of the IND-CCA security of $PASE$ .

Simulating secure hardware: At time $t_{}$ , the simulator $S$ receives encrypted nodes (denoted as X), a token τ and $L_{h w}$ . It has to simulate the output of the secure hardware enclave. The simulator decrypts every node $x_{i} \in X$ with $PASE_Dec (\tilde{S K}, x_{i})$ . We differentiate between two cases for every $x_{i}$ :

$x_{i}$ is not leaf: $S$ reads the id of $x_{i}$ and searches the corresponding $y_{i}$ in $X (s, T, R, t_{})$ . It returns a pointer to all children in the order defined by $t_{}$ .

$A$ cannot distinguish between the output of ${Real}_{A} (λ)$ and the simulated output, because the pointers point to indistinguishable nodes according to the IND-CCA security of $PASE$ . Furthermore, the results are consistent for different requests of the same range as the nodes access pattern delivers deterministic results and the pseudorandom permutation creates unambiguous positions for the simulated nodes. The same argument applies for queries of distinct or overlapping ranges.

x is leaf: $S$ uses the leakage $Δ (s, T, R, t_{})$ to output all result pointers P = $⋃_{x}$ $P_{x}$ , ∀ $(x, P_{x}) \in$ Δ in the order defined by $t_{}$ .

This output is indistinguishable from the output of ${Real}_{A} (λ)$ as the number of result pointers matches and the pointers are consistent because $Δ (s, T, R, t_{})$ is unambiguous. The values pointed on are indistinguishable, because they are protected by IND-CCA secure encryption.
□

The main difference in the leakages of Construction 1 and Construction 2 is the granularity of the tree and value pointers access pattern. In the second construction, the attacker is able to reveal accesses on a node level. In contrast, the attacker is able to reveal accesses on a page level in the first construction, because SGX inherently leaks the page access pattern.
5.3. Multiple users

So far, we considered a setup comprising one user, but multiple user are directly supported by HardIDX. Multiple users are able to concurrently query data without limitations, as concurrent tree traversals do not influence each other. The only requirement is that each user has access to the key $S K_{k_{}}$ to create query tokens and $S K_{v}$ to decrypt the result. It is also possible that each user shares a different key $S K_{k_{}}$ with the enclave. This would hide the search pattern of one user from all other users, but it requires a small modification in the protocol: the token has to be accompanied by client information, because the enclave has to identify the key to use for the token decryption. The nodes can be encrypted by any key that is known to the enclave. Particularly, it is not required to be a key shared with any user.

6. Search algorithms under an active attacker

Constructions 1 and 2 are secure and correct for a passive attacker, but our overall goal is to enable the outsourcing of data to untrusted cloud providers. Therefore, it is important to consider active attackers. This attacker type tries to thwart the correctness and tries to gain additional sensitive information by not following the defined protocol. We omit concrete definitions of correctness and CKA2-HW-security under a active attacker, because they are easily deducible from Definition 2 and Definition 3. In the following, we consider only Construction 2, but the arguments and techniques can be applied to Construction 1 with minor modifications.

Attack vectors. We identified two basic attack vectors that cover a wide range of possible attacks. Firstly, the attacker can try to attack the protection mechanisms of SGX to gain insights about data and algorithm execution not under his control. We rely on SGX’s protection mechanism that guarantees security and correctness under an active attacker. However, as defined in our attacker model (see Section 3.2), we consider various side channels. Protection mechanisms against these are implementation details and thus described in our implementation section (Section 7). Secondly, the active attacker can try to influence the data and protocol execution that is under his control. Namely, all encrypted nodes, encrypted values, encrypted tokens and the $HSBT 2_Search Range$ algorithm. He can do this to gain additional sensitive information or to prevent the client from getting the correct result. In this section, we present arguments and protection mechanisms that address this second attack vector.

For now, we assume that there is a mechanism that guarantees the following to the client: if it gets a result, all results in the response match the query and the response contains all matching results. This mechanism is presented later in this section, but we first consider the correctness and security implications of this assumption. We show that there are no security implications by introducing an active attacker instead of an passive attacker.

Unprotected static data. The only static data influenceable by the active attacker are values and nodes. The security of this data is guaranteed by using an authenticated IND-CPA secure encryption scheme. The authenticated encryption also thwarts attacks on the correctness that try to modify or add static data, because these actions are noticed by the decryption algorithm. We do not consider the deletion of values or nodes, because it would lead to incomplete results and thus contradict the assumption stated above.

Unprotected dynamic data. The only dynamic data influenceable by the attacker is the search token. Again, the security of tokens and the prevention of modifications and additions is provided by the authenticated IND-CPA secure encryption scheme. A replay attack does also not give any additional information to the attacker as the tree is static and the leakage stays the same for a replayed token. The correctness could only be influenced by a denial of service (DoS) attack by dropping tokens, but DoS is out of scope according to our attacker model.

Unprotected algorithms. $HSBT 2_Search Range$ is the only remaining untrusted part under control of the active attacker. There is only a fixed set of deviations from the protocol that do not lead to a DoS. As explained before, all additional or modified static or dynamic data is directly noticeable by the enclave, which can simply reject further processing. Passing less nodes than possible to the enclave only slows down the process, but does not lead to additional information and does not impact the correctness.2

²
Passing one node after another is already covered by the defined leakage.

The only remaining deviations are: (1) do not pass the root node first to the enclave, (2) pass the wrong nodes to the enclave (3) do not pass all requested nodes to the enclave and (4) do not pass all results to the client. It is important to note that all these deviations do influence the correctness of the protocol, but not the security. We now first present some straightforward, but problematic alternatives. Afterwards, we explain our mechanism that ensures the stated assumption and defends against the four possible deviations.

One straightforward way to protect against deviations (2)–(4) is the usage of a Merkle tree structure (like done in [48]). It would be possible by transferring all values of a leaf node that contains any matching value, the hashes of the matching nodes and the hashes of any sibling of all matching nodes. Together with a stored root hash, the client can check the hashes bottom-up. However, this requires to transfer more data than necessary, leaks unnecessary information by touching sibling nodes and requires additional processing at the client.

A further method to prevent against deviations (2) and (3) is to store a list of requested node ids inside the enclave. For every incoming node, the enclave removes the corresponding id from the list and can be sure that it received all and only correct nodes when the list is empty. However, this approach requires $O (r)$ storage inside the enclave for the total result size r.

Deviations (4) can be mitigated by using the secure channel created during provisioning to transfer the results. Technically, it is possible, because the enclave has direct access to the values. Nevertheless, it would also require $O (r)$ additional storage to memorize r result pointers. Additionally, it would not give any additional protection, because the data access are perceivable by untrusted software.

We now present modifications to Construction 2 that do not exhibit the drawbacks of the Merkle tree approach and do not require $O (r)$ additional storage in the enclave. We utilize so called multiset hashes [18] as a building block to prevent the deviations (2)–(4) with only $O (1)$ additional storage. The properties of a multiset hash are: multiple values are hashed to a fixed-size bit string, elements can be added incrementally and efficiently, the order of the input can be arbitrary and there is an efficient equality check for two multiset hashes. Two multiset hashes are equal if the hash was calculated over same elements (independent of the order). As a concrete example, MSet-XOR-Hash from [18] can be used as a multiset hash. We refer to [18] for details and a security proof that is based on the hardness of breaking the underlying pseudorandom functions.

The construction of the $B^{+}$ -tree is changed in the following way: the root node and every inner node x store the child id $x . {chId}_{i}$ next to the pointers $x . p_{i}$ ; every leaf node x stores a hash $x . {hash}_{i}$ of the plaintext values next to the pointers $x . p_{i}$ . The id of the root node $root . id$ is sent to the enclave together with $S K_{k_{}}$ in the secure channel established during the setup phase.

In the following modifications, we abbreviate the two algorithms of Construction 2 (i.e. HSBT2_SearchRange and HSBT2_SearchRange_Trusted) as $Untrusted$ and $Trusted$ . For every node x that $Trusted$ receives, it decrypts the node and checks if $x . id$ matches $root . id$ . If this is the case, it creates a new nonce. Otherwise, it expects to receive a nonce from $Untrusted$ . The processing aborts if no nonce is present and any node but the root node was passed. This thwarts deviation (1).

For every nonce, $Trusted$ stores how many nodes it expects at the moment in $expectedNodes Amount$ and it stores three multiset hashes: $expectedNodesHash$ , $receivedNodesHash$ and $resultValuesHash$ . For the root and every inner node x, it adds $x . {chId}_{i}$ for every expected child to $expectedNodesHash$ . For each received node x, it adds $x_{} . id$ to $receivedNodesHash$ . It then processes the nodes as before. In each leaf node x, it checks if $x . k_{i}$ falls into the range. $x . {hash}_{i}$ is added to $resultValuesHash$ if this is the case. Finally, it passes the list of pointers and the nonce to $Untrusted$ .

$expectedNodesAmount$ is reduced for every incoming node. After reaching $expectedNodes Amount = 0$ and adding the last ids of each received node to $receivedNodesHash$ , $Trusted$ compares $expectedNodesHash$ with $receivedNodesHash$ . If these hashes do not match, it did not receive the correct nodes from $Untrusted$ , aborts and deletes the nonce. Thus, the algorithm guarantees that it traversed all nodes that might contain an eligible result and thereby protects against deviation (2)3

The attacker does not gain additional information from the processing of wrong nodes. The reason is that the algorithm would not request them and thus already leaks that they do not contain values from the range.

and (3). Otherwise, it adds

x . {hash}_{i}

resultValuesHash

for every result found in the last search round and returns the pointers together with an HMAC over

resultValuesHash

Untrusted

adds the HMAC to the client response. After the decryption, the client calculates a multiset hash over the received values, creates an HMAC and compares it with the received HMAC. The HMAC comparison protects against deviation (4).

Summarizing, the client is guaranteed the stated assumption through the presented mechanism. Performance measurements showed that the described protection mechanisms introduce an overhead of about $0.3 ms$ at a query result size of 100.

7. Implementation

Subsequently, we elaborate on implementation details, which are important with respect to performance or security.

Platform. Our $C + +$ implementation of HardIDX is based on Intel’s Software Development Kit (SDK) for SGX. Services like attestation are available through the interfaces of the SDK. The hardware platform is described in the evaluation (see Section 8).

Provisioning. As described before, the client initially provisions $S K_{k_{}}$ to the enclave. This has to be done securely since $S K_{k_{}}$ should not be revealed to any untrusted party. We use the attestation feature of SGX to establish a secure channel between the client and the enclave. As described in Section 2.1, the initial enclave memory content is measured during its creation. The first operation performed by the enclave is the creation of a key pair (secret key $s k_{E}$ and public key $p k_{E}$ ). The randomness required for the key generation is provided by the hardware random number generator (rdrand [39]) available in current CPUs. As the enclave’s memory is isolated, $s k_{E}$ is never revealed to any other party.

Next, the enclave sends its just created $p k_{E}$ to the quoting enclave (QE). The QE creates an signature over both, the measurement of the initial memory content of the enclave ( $M_{E}$ ) (i.e. the code and static data) and the public key: $σ_{Q E} (M_{E} ∥ p k_{E})$ . $M_{E}$ , $p k_{E}$ and $σ_{Q E} (M_{E} ∥ p k_{E})$ are sent to the client who verifies the signature (given Intel’s public key). The client also verifies the measurement of the initial enclave state to establish trust into this enclave instance (i.e. only if the measurement matches a known value she will continue). The client then encrypts $S K_{k_{}}$ with $p k_{E}$ and sends it back to the enclave, which is the only entity that can decrypt $S K_{k_{}}$ . Subsequently enclave and client share $S K_{k_{}}$ , which they use for secure communication.

Side channels. Our implementation is concerned with three types of (side) channels: external resource access, page-fault side channel and cache timing side channel (see Section 3.2). In particular, by means of all three channels an adversary can observe access patterns to memory with the goal of inferring sensitive information from the observed access patterns.

In HardIDX, access to external resources by the enclave is limited to $B^{+}$ -tree nodes. Here, the attacker’s goal is to leak information about the tree structure and ultimately the order of values stored in the database and searched for by the client. Our Construction 2 explicitly covers the access to external resources, i.e. nodes, in its leakage.

While the external resources used by HardIDX store only data, page-fault side channel and cache timing side channels allow to observe access to enclave memory which contains both, data and code. These side channels do not reveal sensitive data directly. However, they might reveal access to memory locations, which can reveal sensitive information if the memory access to code or data differs depending on sensitive data.

As before, the attacker’s goal might be to extract information about the tree structure and the order of values stored and searched. Additionally the attacker might try to extract cryptographic secrets from the enclave. For instance, the attack might aim at learning the secret key $S K_{k_{}}$ used to encrypt tree nodes or learning one of the keys used during the establishment of a secure channel in the initial provisioning phase.

The page-fault side channel allows the attacker to reliably observe memory access patterns, however, the granularity is relatively coarse (4 kB). All accesses within the same page are indistinguishable for the attacker and, thus, are not exploitable. Construction 1 explicitly considers the leakage of the tree structure through this side channel. In Construction 2 the page-fault side channel does not leak additional information, as nodes are smaller than memory pages and the nodes access pattern is leaked anyway by storing the $B^{+}$ -tree outside of the enclave.

Cache timing side channel allow finer grained memory access observations while being less reliable. Nevertheless, assuming an adversary who is able to observe accesses within a node, the attacker needs to determine which links to child nodes are followed. Our algorithm, however, accesses every key and pointer, whether the pointer is followed or not. By this and other fine grained implementation details, we achieve data independent accesses and thwart the cache timing side channel.

Leakage of cryptographic keys are thwarted for page-fault and cache timing side channel by using leakage resilient implementations and hardware features [9]. For instance, the AES implementation used in HardIDX uses AES-NI hardware which holds the S-Boxes in CPU registers instead of RAM, thus hampering cache side channel attacks [51,70].

Memory management. We implemented both constructions of HardIDX. In particular Construction 2 is optimized with respect to memory transfer operations, and context switches between untrusted and trusted part. To reduce the number of context switches a list of requested nodes is hold by the untrusted part. Nodes from this list are transfered and processed at once, i.e. with only one switch. The memory transfer is optimized by exploiting the fact that the enclave can access the memory of its host process. The $B^{+}$ -tree is loaded in the host process’ memory from where the enclave can fetch nodes directly, decrypt them and process them. This is much more efficient than copying nodes explicitly into enclave memory before decrypting and processing them.

8. Performance evaluation

In this section, we present our evaluation results collected in a number of experiments. First, we compare our two constructions described in Section 5. Then, we examine the effects of the different ways of memory management for the constructions. Finally, we compare our solution against the currently fastest polylogarithmic range query search algorithm presented in [23,26].

Platform. Our evaluation system was equipped with an Intel Core i7-6700 processor at $3.40 Ghz$ (i.e. sixth generation Core-i7, code name Skylake) and $32 GB$ DDR4 RAM. 64-bit Ubuntu 14.04.1 extended with SGX support (e.g. EPC management) was used as operating system. We evaluate our implementation on a real SGX hardware and provide actual measurements.

8.1. Construction 1 vs. Construction 2

First, we compare the performance of our two constructions. The parameters of the $B^{+}$ -tree are held constant for this comparison: the branching factor is 10 and the tree contains $1, 000, 000$ key-value pairs. Range queries of the form $[k_{start}, k_{end}]$ are performed. They are constructed for result sets of five different sizes: $2^{0}, 2^{4}, 2^{8}, 2^{12}, 2^{16}$ . In more detail, a range start $k_{start}$ is selected uniformly at random from the value domain. Next, $k_{end}$ is set to the key that comes $2^{0}, 2^{4}, \dots$ entries later in a sorted list of the keys contained in the tree. The sampling is repeated if the necessary result set size is not feasible, because $k_{start}$ is not followed by enough keys. In Fig. 2, $[2, 4]$ , $[40, 40]$ and $[60, 80]$ are examples of range search of the result set size $2^{0}$ . Figure 5 depicts the results of this evaluation, whereby the x-axis shows the size of the result set and the y-axis shows the median of the run-times in ms.

Fig. 5.

Comparison of constructions.

The performance difference can be explained by the following effects:

Processor mode switch. Before executing inside an enclave, the processor has to switch into “enclave mode”. This includes, e.g. storing the current CPU context on the host process’ stack and loading the CPU context of the enclave. In Construction 1 only one switch is required, whereas in the Construction 2 $O ({log}_{b} n)$ switches are performed, as at least each level of the $B^{+}$ -tree is loaded into the enclave.

Data transfer. In Construction 1, the data transfer between trusted and the untrusted code is limited to the result set and the query whereas in Construction 2 also part of the $B^{+}$ -tree is transferred between the two components.

Access to plain data. In Construction 1, decryption is a one-time effort after loading the entire $B^{+}$ -tree into the enclave. During query processing, it has access to plaintext nodes of the $B^{+}$ -tree. Construction 2 incrementally loads the $B^{+}$ -tree nodes from untrusted storage. All processed nodes need to be decrypted during query processing.

Construction 2, therefore, is slower than Construction 1 by a small factor at any result size. For an increasing size of the result set, both algorithms search a linearly increasing part of the tree. Figure 5 shows that the run-times of our two constructions converge (on a logarithmic scale). This shows that the effects described above diminish compared to the search time of the algorithm.

8.2. Memory management

In order to identify the limiting parameters in the memory management of our two constructions, we evaluate $B^{+}$ -trees with different tree sizes (amounts of key-value pairs) and branching factors. On each tree we ran $1, 000$ randomly chosen queries with result set size of 100 and tested with the branching factors 10, 25, 50 and 100. The results of these evaluation are depicted in Fig. 6(a) and Fig. 6(b). The x-axis shows the size of the $B^{+}$ -tree and the y-axis shows the median run-time of the queries.

Fig. 6.

Effect of different branching factors in (a) Construction 1 and (b) Construction 2.

In Fig. 6(a), we see a sharp increase of the run-time above a tree size of $10^{6}$ records. This is due to the exhausted memory in SGX and the virtual memory mechanism of the operating system that swaps pages in and out. This is not security critical, since pages remain encrypted and integrity protected by the SGX system, even when they are swapped out of the SGX protected memory.

We see a significant difference in the impact of paging between the different branching factors. This becomes clear by considering the number of required page swaps. The lower the branching factor, the higher the number of nodes in a $B^{+}$ -tree. The higher the number of nodes, the higher the number of accesses to different memory pages. The higher the number of different page accesses, the higher the probability of a swapped out page.

In Fig. 6(b), we see that Construction 2 is not affected by paging, albeit supporting an unlimited tree size. Our data also shows that, as expected, higher branching factors result in better performance. Disregarding the paging problem of Construction 1 above a tree size of $10^{6}$ records, a direct comparison of the constructions reveals that the runtime of Construction 2 approaches the runtime of Construction 1 for higher branching factors.

8.3. Comparison with related work

In this section, we compare our Construction 2 against the currently fastest approach with comparable security features and a security proof presented by Demertzis et al. in [23]. The authors present seven different constructions that support range queries. The constructions have different tradeoffs regarding security, query size, search time, storage and false positives. We do not compare against the highly secure scheme with prohibitive storage cost and also exclude the approaches with false positives as our construction does not lead to false positives. Instead, we compare against the most secure approach without these problems: Logarithmic-URC.

We assume that the OXT construction from [16] is used as underlying symmetric searchable encryption scheme (SEE) by Logarithmic-URC. Fundamentally, the SSE scheme is changeable, but the authors of [23] also utilize OXT for the security and performance evaluation. One has to note that a quite equal construction as Logarithmic-URC was presented independently by Faber et al. in [26]. We implemented the algorithm of [23], but a security and performance comparison to [26] would lead to comparable results.

Table 1 compares our Construction 2 and Logarithmic-URC. In this evaluation, we use a branching factor of 100 for Construction 2 and search for a randomly chosen range that contains 100 results. Every test for the four different tree sizes (100, $1, 000$ , $10, 000$ , $100, 000$ ) was performed $1, 000$ times and the table shows the mean.

Table 1
Time comparison of random range queries with Logarithmic-URC [23] and our Constr. 2

Tree size 100 $1, 000$ $10, 000$ $100, 000$

Logarithmic-URC 0.015 s 0.020 s 0.051 s 1.052 s

Construction 2 ( $b = 100$ ) 0.119 ms 0.121 ms 0.124 ms 0.125 ms

Tree size	100	$1, 000$	$10, 000$	$100, 000$
Logarithmic-URC	0.015 s	0.020 s	0.051 s	1.052 s
Construction 2 ( $b = 100$ )	0.119 ms	0.121 ms	0.124 ms	0.125 ms

Our construction runs in about a tenth of a millisecond and with very moderate increase for all tree sizes. In contrast, Logarithmic-URC requires at least multiple milliseconds up to a seconds for bigger trees. A reason for the performance difference might be that OXT construction itself is less efficient then our construction. Furthermore, the search time of OXT depends on the number of entries. Logarithmic-URC fills the OXT construction with elements from a binary tree over the domain for every stored key. An increasing domain severely increases the tree height of a binary tree and thus the number of entries for OXT. In contrast, the height of the $B^{+}$ -tree in our construction increases much slower with the tree size.

A functional difference between Logarithmic-URC and Construction 2 is that Logarithmic-URC requires to fix the search key domain beforehand. Cover a huge domain does negatively influence the setup and search time. In our construction, it is not necessary to fix the domain and the domain size has no performance implications.

It is not trivial to compare Logarithmic-URC and Construction 2 regarding security. The access pattern leakage and the leakage of the internal data structure of Logarithmic-URC is comparable to our access pattern leakages. However, Logarithmic-URC additionally leaks the domain size, the search range size and the search pattern. The search pattern reveals whether the same search was performed before, which might be sensitive information. Furthermore, our construction only requires index storage in $O (n)$ instead of in $O (n log D)$ as in Logarithmic-URC.

9. Related work

Our work is related to searchable encryption, encrypted databases and secure implementations based on a TEE (e.g. SGX).

9.1. Searchable encryption

Song et al. introduced in [65] the first searchable encryption schemes for single plaintexts. In order to improve performance, Goh [33] and Curtmola et al. [22] introduced encrypted (inverted) indices. However, these encryption schemes can only search for keyword equality and not ranges.

Table 2
Comparison of range-searchable encryption schemes. n is the number of keys, D is the size of the plaintext domain and R is the query range size

Scheme Search time Query size Storage size Search pattern leakage Order leakage

Boneh, Waters [13] $O (n D)$ $O (D)$ $O (n D)$ yes no

Shi et al. [63] $O (n log D)$ $O (log D)$ $O (n log D)$ yes no

Shen et al. [62] $O (n log D)$ $O (log D)$ $O (n log D)$ no no

Lu [48] $O (log n log D)$ $O (log D)$ $O (n log D)$ no yes

Demertzis et al. [23], Faber et al. [26] $O (log R)$ $O (log R)$ $O (n log D)$ yes no

HardIDX $O (log n)$ $O (1)$ $O (n)$ no no

Scheme	Search time	Query size	Storage size	Search pattern leakage	Order leakage
Boneh, Waters [13]	$O (n D)$	$O (D)$	$O (n D)$	yes	no
Shi et al. [63]	$O (n log D)$	$O (log D)$	$O (n log D)$	yes	no
Shen et al. [62]	$O (n log D)$	$O (log D)$	$O (n log D)$	no	no
Lu [48]	$O (log n log D)$	$O (log D)$	$O (n log D)$	no	yes
Demertzis et al. [23], Faber et al. [26]	$O (log R)$	$O (log R)$	$O (n log D)$	yes	no
HardIDX	$O (log n)$	$O (1)$	$O (n)$	no	no

Searchable encryption scheme supporting range queries are rare. Table 2 shows a comparison of different searchable encryption schemes and other schemes that support range queries. Note that all existing range-searchable encryption schemes leak the access pattern – including ours. The first range-searchable scheme by Boneh and Waters in [13] encrypt every entry linear in the size of the plaintext domain. The first scheme with logarithmic storage size per entry in the domain was proposed by Shi et al. in [63]. Their security model (match-revealing) is somewhat weaker than standard searchable encryption. The construction is based on inner-product predicate encryption which has been made fully secure by Shen et al. in [62]. All of these schemes have linear search time.

Lu built the range-searchable encryption from [62] into an index in [48], thereby enabling polylogarithmic search time. However, his encrypted inverted index tree reveals the order of the plaintexts and is hence only as secure as order-preserving encryption. Wang et al. [68] proposed a multi-dimensional extension of Lu [48], but it suffers from the same problem of order leakage. There is no known searchable encryption schemes for ranges – until ours – that has polylogarithmic search time and leaks only the access pattern.

A Lu implementation done by us requires several seconds or minutes for a single range search, even with a security parameter much weaker than ours. Hence, we not only improve asymptotic search time, but more importantly reduce the constants in order to open application to much larger data sets.

ORAM can in principle be used to hide the access pattern of searchable encryption. However, Naveed shows that the combination of the two is not straightforward [53]. Special ORAM techniques, like TWORAM [28], are needed.

9.2. Encrypted databases

Encrypted databases, such as CryptDB [59], use property-preserving encryption for efficient search. Property-preserving encryption has very low deployment and runtime overhead due to the ability to use internal index structures of the database engine in the same way as on plain data. Order-preserving encryption [1,10,11,43] allows range queries on the ciphertexts as on the plaintexts. With order-revealing encryption [17,45] a generalization of order-preserving encryption has been published recently. However, Naveed et al. [54] initiated the research direction of practical ciphertext-only attacks on property-preserving encryption, in particular order-preserving encryption, which recover the plaintext in many cases with very high probability (close to $100 %$ ) and further attacks followed [24,35].

There have been a number of attempts to build indices for range queries based on deterministic encryption. Bucketization of ciphertexts [37] groups ciphertexts on the server and filters results at the client. Wang et al. [69] uses distance-revealing encryption in order to build an r-tree. Li and Omiecinski [46] use prefix-preserving encryption in order to build a prefix tree for range searches. However, all of these approaches are susceptible to the same attacks (and worse) as those by Naveed et al.

Four further approaches for a secure DBMS allowing range query evaluation have been published: Firstly, Cash et al. [16] introduce a new protocol called OXT that allows evaluation of boolean queries on encrypted data. Faber et al. [26] extend this data structure to support range queries but either leak additional information on the queried range or the result set contains false positives. In [23], Demertzis et al. present several approaches for range queries. The authors also evaluate the security and performance based on the OXT protocol. The scheme that is most comparable to ours, Logarithmic-URC, is quite equal to the range query approach without false positives from [26] and thus exhibits equal additional leakage. We provide an experimental comparison in Section 8.3. Secondly, Pappas et al. [57] evaluate encrypted bloom filters using Secure Multiparty Computation. However, in order to achieve practical efficiency they propose to split the server into two non-colluding parties. Our approach does not require any additional party. Thirdly, Egorov et al. [25] presented ZeroDB. A database system that enables a client to perform equality and range searches with the help of $B^{+}$ -trees. ZeroDB is an interactive protocol requiring many rounds and thus is not usable for network sensitive cloud computing. Fourthly, Arx was presented by Poddar et al. [58]. The authors propose a binary tree that uses garbled circuits at any node to evaluate the traversal direction in a protected manner. Any traversal destroys the visited garbled circuits. Therefore, the client has to provide new circuits in an additional round or with the next query. This interactive reparation step seriously reduces the usefulness in a highly concurrent cloud scenario, because any query involving intersection ranges requires sequential processing.

9.3. TEE-based applications

Trusted Database System (TDB) uses a trusted execution environment (TEE) to operate the entire database in a hostile environment [49]. While TDB encrypts the entire database storage and metadata (e.g. tree structures to organize the data), TDB is not concerned with information leakage from the TEE. Neither does TDB aim at hiding access patterns nor does it consider side channels attacks against the TEE. Furthermore, since the entire DB operates in the TEE the trusted computing base is very large exposing a very large attack surface.

Haven is an approach to shield application on an untrusted system using SGX [5]. The goal of Haven is to enable the execution of unmodified applications inside an SGX enclave. This technique could be used to isolated off-the-shelf databases with SGX, however, Haven does not consider information leakages through memory access patterns or interactions with the untrustworthy outside world. Furthermore, this approach limits the size of the database due to limited enclave size.

VC3 (short for verifiable confidential cloud computing) adapts the MapReduce computing paradigm to SGX [61]. Mapper and Reducer entities are executed in individual enclaves, this means the data flow between them can leak sensitive information. While VC3 is tailored towards SGX they exclude information leakage from their adversary model. In contrast, we provide the first work on SGX that specifically focuses on information leakage in the interaction of an enclave with other entities.

Data-oblivious machine learning for SGX was presented in [55]. Four machine learning algorithm have been adapted by the authors in order to prevent the exploitation of side channels. All data and code accesses that are dependent on sensitive data are transferred into data-oblivious accesses by using a library providing a set of data-oblivious primitives. Access to external data, specifically input data, is addressed by randomizing the data and always accessing all data, i.e., their solution has an complexity of $O (n)$ , even for tree searches. HardIDX, in contrast, has a complexity of $O (log n)$ in the tree size, by following the same approach as [55] we could trivially achieve data-oblivious access to the tree since the nodes of our tree are randomized as well. However, we would lose a main feature of our construction: search time complexity of $O (log n)$ .

10. Conclusion

In this paper, we introduce HardIDX – an approach to search for ranges and values over encrypted data using hardware support making it deployable as a secure index in an encrypted database. We provide a formal security proof explicitly including side channels and an implementation on Intel SGX. Additionally, we show how to secure HardIDX in an active attacker environment. Our solution compares favorably with existing software- and hardware-based approaches. We require few milliseconds even for range searches on large data and scale to almost arbitrarily large indices. We only leak the access pattern and our trusted code protected by SGX hardware is very small exposing a small attack surface.

Footnotes

Acknowledgments

This research was co-funded by the German Science Foundation, as part of project P3 within CRC 1119 CROSSING, the European Union’s Horizon 2020 Research and Innovation Programme under grant agreement No. 644412 (TREDISEC) and No. 643964 (SUPERCLOUD), and the Intel Collaborative Research Institute for Secure Computing (ICRI-SC).

References

Agrawal,

Kiernan,

Srikant and

Xu, Order preserving encryption for numeric data, in: Proceedings of the ACM International Conference on Management of Data, SIGMOD, 2004.

Anati,

Gueron,

S.P.

Johnson and

V.R.

Scarlata, Innovative technology for CPU based attestation and sealing, in: Workshop on Hardware and Architectural Support for Security and Privacy, HASP, 2013.

ARM Limited, ARM Security Technology – Building a Secure System using TrustZone Technology, 2009, http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf.

Bajaj and

Sion, TrustedDB: A trusted hardware-based database with privacy and data confidentiality, IEEE Transactions on Information Forensics and Security (2014).

Baumann,

Peinado and

Hunt, Shielding applications from an untrusted cloud with haven, in: Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI, 2014.

Bayer and

McCreight, Organization and maintenance of large ordered indices, Mathematical and Information Sciences Report No. 20, Boeing Scientific Research Laboratories, 1970.

Bellare,

Boldyreva and

O’Neill, Deterministic and efficiently searchable encryption, in: Proceedings of the 27th International Conference on Advances in Cryptology, CRYPTO, 2007.

Ben-Or,

Goldwasser and

Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC, 1988.

D.J.

Bernstein,

Lange and

Schwabe, The security impact of a new cryptographic library, in: 2nd International Conference on Cryptology and Information Security in Latin America, LATINCRYPT, 2012.

10.

Boldyreva,

Chenette,

Lee and

O’Neill, Order-preserving symmetric encryption, in: Proceedings of the 28th International Conference on Advances in Cryptology, EUROCRYPT, 2009.

11.

Boldyreva,

Chenette and

O’Neill, Order-preserving encryption revisited: Improved security analysis and alternative solutions, in: Proceedings of the 31st International Conference on Advances in Cryptology, CRYPTO, 2011.

12.

Boneh,

Sahai and

Waters, Functional encryption: Definitions and challenges, in: Proceedings of the 8th Conference on Theory of Cryptography, TCC, 2011.

13.

Boneh and

Waters, Conjunctive, subset, and range queries on encrypted data, in: Proceedings of the 4th Theory of Cryptography Conference, TCC, 2007.

14.

Brasser,

El Mahjoub,

Koeberl,

A.-R.

Sadeghi and

Wachsmann, TyTAN: Tiny trust anchor for tiny devices, in: ACM DAC, 2015.

15.

B.B.

Brumley and

Tuveri, Remote timing attacks are still practical, in: Computer Security – ESORICS 2011: 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12–14, 2011, Proceedings,

Atluri and

Diaz, eds, Springer, Berlin, Heidelberg, 2011, pp. 355–371. ISBN 978-3-642-23822-2. doi:10.1007/978-3-642-23822-2_20.

16.

Cash,

Jarecki,

Jutla,

Krawczyk,

M.-C.

Roşu and

Steiner, Highly-scalable searchable symmetric encryption with support for Boolean queries, in: Proceedings of the 33rd International Conference on Advances in Cryptology, CRYPTO, 2013.

17.

Chenette,

Lewi,

S.A.

Weis and

D.J.

Wu, Practical order-revealing encryption with limited leakage, in: Proceedings of the 23rd International Conference on Fast Software Encryption, FSE, 2016.

18.

Clarke,

Devadas,

Van Dijk,

Gassend and

G.E.

Suh, Incremental multiset hash functions and their application to memory integrity checking, in: Proceedings of the 9th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT, 2003.

19.

J.-S.

Coron,

Mandal,

Naccache and

Tibouchi, Fully homomorphic encryption over the integers with shorter public keys, in: Proceedings of the 31st International Conference on Advances in Cryptology, CRYPTO, 2011.

20.

Costan and

Devadas, Intel SGX Explained, Technical report, IACR Cryptology ePrint Archive, 2016.

21.

Costan,

Lebedev and

Devadas, Sanctum: Minimal hardware extensions for strong software isolation, in: 25th USENIX Security Symposium (USENIX Security 16), 2016.

22.

Curtmola,

Garay,

Kamara and

Ostrovsky, Searchable symmetric encryption: Improved definitions and efficient constructions, in: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS, 2006.

23.

Demertzis,

Papadopoulos,

Papapetrou,

Deligiannakis and

Garofalakis, Practical private range search revisited, in: Proceedings of the 2016 International Conference on Management of Data, SIGMOD ’16, 2016.

24.

F.B.

Durak,

T.M.

DuBuisson and

Cash, What else is revealed by order-revealing encryption?, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS, 2016.

25.

Egorov and

Wilkison, ZeroDB white paper, Technical report, arXiv.org, 2016.

26.

Faber,

Jarecki,

Krawczyk,

Nguyen,

Rosu and

Steiner, Rich queries on encrypted data: Beyond exact matches, in: Proceedings of the 20th European Symposium on Research in Computer Security, ESORICS, 2015.

27.

Fuhry,

Bahmani,

Brasser,

Hahn,

Kerschbaum and

Sadeghi, HardIDX: Practical and Secure Index with SGX, in: Data and Applications Security and Privacy XXXI – 31st Annual IFIP WG 11.3 Conference, DBSec 2017, Philadelphia, PA, USA, July 19-21, 2017, Proceedings, 2017, pp. 386–408.

28.

Garg,

Mohassel and

Papamanthou, TWORAM: Efficient oblivious RAM in two rounds with applications to searchable encryption, in: Proceedings of the 36th Cryptology Conference, CRYPTO, 2016.

29.

Genkin,

Pipman and

Tromer, Get your hands off my laptop: Physical side-channel key-extraction attacks on PCs, Journal of Cryptographic Engineering 5(2) (2015), 95–112. doi:10.1007/s13389-015-0100-7.

30.

Gentry, Fully homomorphic encryption using ideal lattices, in: Proceedings of the Symposium on Theory of Computing, STOC, 2009.

31.

Gentry,

Halevi and

N.P.

Smart, Homomorphic evaluation of the AES circuit, in: Proceedings of the 32nd International Conference on Advances in Cryptology, CRYPTO, 2012.

32.

Giampaolo, Practical File System Design with the Be File System, Morgan Kaufmann Publishers Inc., 1998.

33.

E.-J.

Goh, Secure indexes, Technical report, IACR Cryptology ePrint Archive, 2003.

34.

Goldreich,

Micali and

Wigderson, How to play ANY mental game, in: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC, 1987.

35.

Grubbs,

Sekniqi,

Bindschaedler,

Naveed and

Ristenpart, Leakage-abuse attacks against order-revealing encryption, Cryptology ePrint Archive, Report 2016/895 2016, http://eprint.iacr.org/2016/895.

36.

Hoekstra,

Lal,

Pappachan,

Phegade and

Del Cuvillo, Using innovative instructions to create trustworthy software solutions, in: Workshop on Hardware and Architectural Support for Security and Privacy, HASP, 2013.

37.

Hore,

Mehrotra and

Tsudik, A privacy-preserving index for range queries, in: Proceedings of the 30th International Conference on Very Large Data Bases, VLDB, 2004.

38.

Intel , Intel Software Guard Extensions Programming Reference, 2014, https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf.

39.

Intel , Intel 64 and IA-32 Architectures Software Developer’s Manual, 2016, http://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-manual-325462.html.

40.

Intel Corporation, Intel^® Software Guard Extensions (Intel^® SGX), 2015, https://software.intel.com/sites/default/files/332680-002.pdf.

41.

Kamara and

Moataz, SQL on structurally-encrypted databases, Technical report, IACR Cryptology ePrint Archive, 2016.

42.

Kaplan,

Powell and

Woller, AMD Memory Encryption, 2016, http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf.

43.

Kerschbaum and

Schröpfer, Optimal average-complexity ideal-security order-preserving encryption, in: Proceedings of the 21st ACM Conference on Computer and Communications Security, CCS, 2014.

44.

Koeberl,

Schulz,

A.-R.

Sadeghi and

Varadharajan, TrustLite: A security architecture for tiny embedded devices, in: ACM EuroSys, 2014.

45.

Lewi and

D.J.

Wu, Order-revealing encryption: New constructions, applications, and lower bounds, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS, ACM, 2016.

46.

Li and

E.R.

Omiecinski, Efficiency and security trade-off in supporting range queries on encrypted databases, in: Proceedings of the 19th Conference on Data and Applications Security, DBSec, 2005.

47.

Liu,

Yarom,

Ge,

Heiser and

R.B.

Lee, Last-level cache side-channel attacks are practical, in: 2015 IEEE Symposium on Security and Privacy, 2015, pp. 605–622. ISSN 1081-6011. doi:10.1109/SP.2015.43.

48.

Lu, Privacy-preserving logarithmic-time search on encrypted data in cloud, in: Proceedings of the 19th Network and Distributed System Security Symposium, NDSS, 2012.

49.

Maheshwari,

Vingralek and

Shapiro, How to build a trusted database system on untrusted storage, in: Proceedings of the 4th Conference on Symposium on Operating System Design & Implementation, Vol. 4, OSDI, 2000.

50.

McKeen,

Alexandrovich,

Berenzon,

C.V.

Rozas,

Shafi,

Shanbhogue and

U.R.

Savagaonkar, Innovative instructions and software model for isolated execution, in: Workshop on Hardware and Architectural Support for Security and Privacy, HASP, 2013.

51.

Mowery,

Keelveedhi and

Shacham, Are AES x86 cache timing attacks still feasible?, in: Proceedings of the 2012 ACM Workshop on Cloud Computing Security Workshop, CCSW, 2012.

52.

MySQL :: MySQL 5.6 Reference Manual :: 8.3.8 Comparison of B-Tree and Hash Indexes, http://dev.mysql.com/doc/refman/5.6/en/index-btree-hash.html.

53.

Naveed, The fallacy of composition of oblivious RAM and searchable encryption, Technical report, IACR Cryptology ePrint Archive, 2015.

54.

Naveed,

Kamara and

C.V.

Wright, Inference attacks on property-preserving encrypted databases, in: Proceedings of the 22nd ACM Conference on Computer and Communications Security, CCS, 2015.

55.

Ohrimenko,

Schuster,

Fournet,

Meht,

Nowozin,

Vaswani and

Costa, Oblivious multi-party machine learning on trusted processors, in: 25th USENIX Security Symposium (USENIX Security 16), 2016.

56.

D.A.

Osvik,

Shamir and

Tromer, Cache attacks and countermeasures: The case of AES, in: CT-RSA 2006: The Cryptographers’ Track at the RSA Conference, 2006.

57.

Pappas,

Krell,

Vo,

Kolesnikov,

Malkin,

S.G.

Choi,

George,

Keromytis and

Bellovin, Blind seer: A scalable private dbms, in: Proceedings of the 2014 Symposium on Security and Privacy, S&P, 2014.

58.

Poddar,

Boelter and

R.A.

Popa, Arx: A strongly encrypted database system, Cryptology ePrint Archive, Report 2016/591, 2016, https://eprint.iacr.org/2016/591.

59.

R.A.

Popa,

C.M.S.

Redfield,

Zeldovich and

Balakrishnan, CryptDB: Protecting confidentiality with encrypted query processing, in: Proceedings of the 23rd ACM Symposium on Operating Systems Principles, SOSP, 2011.

60.

Ramakrishnan and

Gehrke, Database Management Systems, 3rd edn, McGraw-Hill, 2002.

61.

Schuster,

Costa,

Fournet,

Gkantsidis,

Peinado,

Mainar-Ruiz and

Russinovich, VC3: Trustworthy data analytics in the cloud using SGX, in: Proceedings of the 2015 IEEE Symposium on Security and Privacy, S&P, 2015.

62.

Shen,

Shi and

Waters, Predicate privacy in encryption systems, in: Proceedings of the 6th Theory of Cryptography Conference, TCC, 2009.

63.

Shi,

Bethencourt,

H.T.-H.

Chan,

D.X.

Song and

Perrig, Multi-dimensional range query over encrypted data, in: Proceedings of the 2007 Symposium on Security and Privacy, S&P, 2007.

64.

Sinofsky, Building the next generation file system for Windows: ReFS, 2012, https://blogs.msdn.microsoft.com/b8/2012/01/16/building-the-next-generation-file-system-for-windows-refs/.

65.

D.X.

Song,

Wagner and

Perrig, Practical techniques for searches on encrypted data, in: Proceedings of the 2000 Symposium on Security and Privacy, S&P, 2000.

66.

Strackx,

Piessens and

Preneel, Efficient isolation of trusted subsystems in embedded systems, in: SecureComm, Springer, 2010.

67.

The Power of B-trees, http://guide.couchdb.org/draft/btree.html.

68.

Wang,

Hou,

Li,

Wang and

Li, Maple: Scalable multi-dimensional range search over encrypted cloud data with tree-based index, in: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’14, 2014.

69.

Wang and

Ravishankar, Secure and efficient range queries on outsourced databases using rp-trees, in: Proceedings of the 30th IEEE International Conference on Data Engineering, ICDE, 2013.

70.

Xu, Securing the Enterprise with Intel AES-NI, 2010.

71.

Xu,

Cui and

Peinado, Controlled-channel attacks: Deterministic side channels for untrusted operating systems, in: Proceedings of the 2015 IEEE Symposium on Security and Privacy, S&P, 2015.

72.

Yarom and

Falkner, FLUSH + RELOAD: A high resolution, low noise, L3 cache side-channel attack, in: 23rd USENIX Security Symposium (USENIX Security 14), USENIX Association, San Diego, CA, 2014, pp. 719–732. ISBN 978-1-931971-15-7. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom.

HardIDX: Practical and secure index with SGX in a malicious environment

Abstract

Keywords

1. Introduction

2. Background

2.1. Intel Software Guard Extensions (SGX)

2.2. Side channel attacks

3. High level design

3.1. HardIDX overview

4. Notation and definitions

4.1. B + -Tree

4.3. Hardware secured B + -tree ( HSBT )

Definition 1 ( HSBT ).

Definition 2 (Correctness).

Definition 3 (CKA2-HW-security).

5. Search algorithms

5.1. Construction 1

6. Search algorithms under an active attacker

2 Passing one node after another is already covered by the defined leakage.

8. Performance evaluation

8.1. Construction 1 vs. Construction 2

Table 1 Time comparison of random range queries with Logarithmic-URC [23] and our Constr. 2 Tree size 100 1 , 000 10 , 000 100 , 000 Logarithmic-URC 0.015 s 0.020 s 0.051 s 1.052 s Construction 2 ( b = 100 ) 0.119 ms 0.121 ms 0.124 ms 0.125 ms

9.1. Searchable encryption

9.3. TEE-based applications

10. Conclusion

Footnotes

Acknowledgments

References

4.1. $B^{+}$ -Tree

4.3. Hardware secured $B^{+}$ -tree ( $HSBT$ )

Definition 1 ( $HSBT$ ).

²
Passing one node after another is already covered by the defined leakage.

Table 1
Time comparison of random range queries with Logarithmic-URC [23] and our Constr. 2

Tree size 100 $1, 000$ $10, 000$ $100, 000$

Logarithmic-URC 0.015 s 0.020 s 0.051 s 1.052 s

Construction 2 ( $b = 100$ ) 0.119 ms 0.121 ms 0.124 ms 0.125 ms