
Cryptanalysis of An Encrypted Database in SIGMOD ’14

Xinle Cao, Jian Liu∗, Hao Lu, Kui Ren
Zhejiang University, Hangzhou, China

ABSTRACT

Encrypted database is an innovative technology proposed to solve the data confidentiality issue in cloud-based DB systems. It allows a data owner to encrypt its database before uploading it to the service provider; and it allows the service provider to execute SQL queries over the encrypted data. Most existing encrypted databases (e.g., CryptDB in SOSP ’11) do not support data interoperability: they are unable to process complex queries that require piping the output of one operation to another.

To the best of our knowledge, SDB (SIGMOD ’14) is the only encrypted database that achieves data interoperability. Unfortunately, we found SDB is not secure! In this paper, we revisit the security of SDB and propose a ciphertext-only attack named co-prime attack. It successfully attacks the common operations supported by SDB, including addition, comparison, sum, equi-join and group-by. We evaluate our attack in three real-world benchmarks. For columns that support addition and comparison, we recover 84.9% − 99.9% plaintexts. For columns that support sum, equi-join and group-by, we recover 100% plaintexts.

Besides, we provide potential countermeasures that can prevent the attacks against sum, equi-join, group-by and addition. It is still an open problem to prevent the attack against comparison.

PVLDB Reference Format:
Xinle Cao, Jian Liu, Hao Lu, and Kui Ren. Cryptanalysis of An Encrypted Database in SIGMOD ’14. PVLDB, 14(10): 1743 - 1755, 2021. doi:10.14778/3467861.3467865

∗Jian Liu is the corresponding author.

This work is licensed under the Creative Commons BY-NC-ND 4.0 International License. Visit https://creativecommons.org/licenses/by-nc-nd/4.0/ to view a copy of this license. For any use beyond those covered by this license, obtain permission by emailing [email protected]. Copyright is held by the owner/author(s). Publication rights licensed to the VLDB Endowment.
Proceedings of the VLDB Endowment, Vol. 14, No. 10 ISSN 2150-8097. doi:10.14778/3467861.3467865

1 INTRODUCTION

Database-as-a-service (DBaaS) is a prevalent cloud-service paradigm allowing a data owner (DO) to outsource its database to a service provider (SP) that possesses high-performance machines and sophisticated database software. DO can query the database as if it was stored locally. SP thus provides storage, computation and administration services to DO. Most importantly, this paradigm provides elasticity to DO: they can scale their service consumption up or down according to their real requirements.

On the other hand, this service paradigm brings a data confidentiality issue to DO, as the database stored in SP as well as the queries sent by DO may contain sensitive information. A hacker can exploit software vulnerabilities to break into the server and snoop on the data [2] and curious administrators of SP can steal data they are interested in [1]. One approach to prevent this potential information leakage is to encrypt sensitive data before storing it at SP, e.g., Depot [18], SUNDR [17] and SPORC [9]. To process queries, the encrypted data has to be shipped back to DO and processed locally. Unfortunately, for some operations, this approach incurs a huge communication overhead that is in the order of the database size, hence it is even worse than storing the database locally.

To this end, Popa et al. [22] propose the first encrypted database called CryptDB allowing SP to execute SQL queries directly over encrypted data. The core idea of CryptDB is to encrypt each data item in one or more onions: different onions enable different kinds of operations; within each onion, an item is dressed in layers of increasingly stronger encryption. For example, it uses homomorphic encryption (HE) [21] for addition in one onion, and uses order-preserving encryption (OPE) [3, 6] for comparison in another onion. However, CryptDB is unable to process complex queries that require piping the output of one operation (onion) to another (i.e., data interoperability). For example, the selection clause “quantity × unit-price < $10,000” that requires both multiplication and comparison at the same time cannot be processed by CryptDB.

SDB in SIGMOD ’14. To achieve data interoperability, in SIGMOD ’14, Wong et al. presented an encrypted database named SDB [26]. It uses a special kind of multiplicatively homomorphic encryption scheme to encrypt each data item: when ciphertexts under different keys are multiplied with each other, it generates a new key:

$$E(k_3, v_1 \times v_2) \leftarrow E(k_1, v_1) \times E(k_2, v_2)$$

Besides, it is additively homomorphic only for ciphertexts under the same key:

$$E(k, v_1 + v_2) \leftarrow E(k, v_1) + E(k, v_2)$$

When a database is stored, all data items are encrypted under different keys. When DO wants to add two columns, SDB provides a KeyUpdate operation, which enables SP (with the assistance of DO) to update the items in the same row of these two columns to be under the same key, so that addition can be done. The KeyUpdate operation also allows SP and DO to decrypt a whole column with constant communication overhead.

To do comparison, e.g., $v_1 - v_2 < 0$, SP (with the assistance of DO) first updates $E(k_1, v_1)$ and $E(k_2, v_2)$ to be under the same key $k_3$, and computes $E(k_3, v_1 - v_2)$. Then, SP computes

$$E(k_5, u(v_1 - v_2)) \leftarrow E(k_3, v_1 - v_2) \times E(k_4, u),$$

where $E(k_4, u)$ was previously uploaded to SP by DO, and $u$ is a small random number that will not change the sign of $(v_1 - v_2)$. In the end, SP and DO decrypt the whole column using KeyUpdate so that SP can return the rows that satisfy $u(v_1 - v_2) < 0$.

To sum a column of $n$ items $E(k_1, v_1), ..., E(k_n, v_n)$, SP (with the assistance of DO) updates these encrypted items to $m^{-1}v_1, ..., m^{-1}v_n$, where $m$ is a new random number. Then, SP returns $m^{-1}\sum_{i=1}^{n} v_i$ to DO. The equi-join and group-by operations can be realized in the same way as sum.

Our contribution. In this paper, we revisit SDB and make the following observations:

(1) It cannot encrypt 0s;
(2) The ciphertexts for addition are deterministic: $E(k, v_1) = E(k, v_2)$ if $v_1 = v_2$;
(3) If the ciphertexts $E(k_1, v_1), ..., E(k_t, v_t)$ have been updated to be under the same key $k_0$, then these ciphertexts can be converted back to be under any key within $\{k_0, k_1, ..., k_t\}$.
(4) The decryption procedure in comparison not only applies to the difference (i.e., $v_1 - v_2$), but also applies to the items being compared (i.e., $v_1$ and $v_2$).

Based on these observations, we present a ciphertext-only attack against five operations in SDB: addition, sum, comparison, equi-join and group-by. We name it co-prime attack, because its success rate highly depends on the theorem [16, 20]: given $\alpha$ random positive integers in $\mathbb{Z}_M$, the probability for them to be co-prime is

$$\frac{1}{\zeta(\alpha)} + O\left(\frac{1}{|M|}\right),$$

where $\zeta$ refers to the Riemann $\zeta$-function and $\zeta(\alpha) = \sum_{i=1}^{+\infty} \frac{1}{i^{\alpha}}$. This probability is close to 92.4% when $\alpha = 4$, and close to 99.9% when $\alpha = 10$.

Below, we briefly explain the co-prime attack against addition, sum, equi-join, group-by and comparison:

• Addition. To attack addition, SP calculates $E(k, v_1) : E(k, v_2) = \gamma_1 : \gamma_2$; if $v_1$ and $v_2$ are co-prime, then $v_1 = \gamma_1$ and $v_2 = \gamma_2$. With more items being added together, the co-prime probability of these elements increases. Our experimental results show that we can recover at least 90% plaintexts with 7 columns added together (cf. Table 6).
• Sum, equi-join and group-by. In the sum operation, SP gets $m^{-1}v_1, ..., m^{-1}v_n$. Similar to addition, SP can get ratio among all elements in this column. In our experiments, with the number of rows being more than 100, we can recover all

[…] a column for 4 times, we can recover at least 90% plaintexts of this column.

We summarize our contribution as follows:

(1) We revisit SDB (SIGMOD ’14) and make four observations, which incur serious information leakage but were not mentioned in their paper (Section 2).
(2) We propose a ciphertext-only attack (named co-prime attack) against the addition, sum, comparison, equi-join and group-by operations in SDB (Section 4).
(3) We validate our attack on three public benchmarks, UCI Credit Card Clients, TPC-C and TPC-H (Section 5). The experimental results are summarized in Table 1.
(4) We provide potential countermeasures that can prevent the attacks against sum, equi-join, group-by and addition (Section 6). It is still an open problem to prevent the attacks against comparison.

Table 1: Summary of our experimental results. The recovery rates are for the columns that are executed with the operations. More details are in Section 5.

| Operation | Benchmark | Recovery (%) | Requirements |
|---|---|---|---|
| Addition | Credit | 97.3 | 1 addition query |
| Addition | TPC-C | 84.9 | 4 update queries |
| Comparison | Credit | 99.8 | 10 range queries |
| Comparison | TPC-C | 99.8 | 10 range queries |
| Comparison | TPC-H | 99.9 | 10 range queries |
| Sum | Credit | 100 | 1 sum query |
| Sum | TPC-C | 100 | 1 sum query |
| Sum | TPC-H | 100 | 1 sum query |
| Equi-Join | Credit | 100 | 1 equi-join query |
| Equi-Join | TPC-C | 100 | 1 equi-join query |
| Equi-Join | TPC-H | 100 | 1 equi-join query |
| Group-by | Credit | 100 | 1 group-by query |
| Group-by | TPC-C | 100 | 1 group-by query |
| Group-by | TPC-H | 100 | 1 group-by query |

2 SDB REVISIT

In this section, we revisit the security of SDB. We first provide technical details of SDB and summarize them into interfaces, so that we can use these interfaces to explain our attack. Then, we make some observations, which result in serious information leakage but were not mentioned in their paper.
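The co-prime probability quoted in the introduction can be checked numerically. The sketch below is an added illustration, not code from the paper or from SDB: it works on plaintext integers only, and the function names, the bound `M`, the trial count and the seed are assumptions. It compares 1/ζ(α) with the measured fraction of random α-tuples whose lowest-terms ratio equals the tuple itself, which is the condition under which a leaked ratio determines the values.

```python
import math
import random
from functools import reduce


def zeta(alpha, terms=200_000):
    """Partial sum of the series sum_{i>=1} 1/i^alpha (adequate for alpha >= 2)."""
    return sum(1.0 / i ** alpha for i in range(1, terms + 1))


def coprime_probability(alpha):
    """Limit value 1/zeta(alpha) from the theorem; the O(1/|M|) term is dropped."""
    return 1.0 / zeta(alpha)


def lowest_terms(values):
    """Reduce the ratio v1 : v2 : ... by the common divisor of all values."""
    g = reduce(math.gcd, values)
    return [v // g for v in values]


def ratio_reveals_values(values):
    """True when the reduced ratio equals the values, i.e. gcd(values) == 1."""
    return lowest_terms(values) == list(values)


def empirical_rate(alpha, M=10**6, trials=20_000, seed=1):
    """Fraction of random alpha-tuples in [1, M] that a ratio alone determines."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    hits = 0
    for _ in range(trials):
        values = [rng.randint(1, M) for _ in range(alpha)]
        hits += ratio_reveals_values(values)
    return hits / trials


if __name__ == "__main__":
    # alpha = number of values that share one ratio (e.g. columns added together)
    for alpha in (2, 4, 7, 10):
        print(alpha,
              round(coprime_probability(alpha), 4),
              round(empirical_rate(alpha), 4))
```

For a defender, the table this prints shows how quickly the leak saturates: each additional value tied into the same ratio pushes the probability of full disclosure toward 1.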