The Locality of Searchable Symmetric Encryption

This paper proves a lower bound on the trade-off between server storage size and the locality of memory accesses in searchable symmetric encryption (SSE). Namely, when encrypting an index of N identifier/keyword pairs, the encrypted index must have size ω(N) or the scheme must perform searching with ω(1) non-contiguous reads to memory or the scheme must read many more bits than is necessary to compute the results. Recent implementations have shown that non-locality of server memory accesses create a throughput-bottleneck on very large databases. Our lower bound shows that this is due to the security notion and not a defect of the constructions. An upper bound is also given in the form of a new SSE construction with an O(N logN) size encrypted index that performs O(logN) reads during a search. 1 Department of Computer Science, Rutgers University, 110 Frelinghuysen Road, Piscataway, New Jersey 08854-8019. Email: [email protected]. URL: http://www.cs.rutgers.edu/∼dc789. 2 Department of Computer Science, University of California, Santa Barbara, Santa Barbara, USA. Email: tessaro @cs.ucsb.edu. URL: http://www.cs.ucsb.edu/∼tessaro/.