See discussions, stats, and author profiles for this publication at: https://www.researchgate.
net/publication/309783388
Processing Over Encrypted Data: Between Theory and Practice
Article in ACM SIGMOD Record · September 2016
DOI: 10.1145/3022860.3022862
CITATIONS READS
18 427
4 authors:
Eyad Saleh Ahmad Alsadeh
Sohar University Birzeit University 7 PUBLICATIONS 58 CITATIONS 23 PUBLICATIONS 263 CITATIONS
SEE PROFILE SEE PROFILE
Ahmad Kayed Christoph Meinel
Sohar University German University of Digital Science 42 PUBLICATIONS 331 CITATIONS 1,523 PUBLICATIONS 17,393 CITATIONS
SEE PROFILE SEE PROFILE
All content following this page was uploaded by Ahmad Alsadeh on 19 February 2018.
The user has requested enhancement of the downloaded file.
Processing Over Encrypted Data: Between Theory and Practice
Eyad Saleh Ahmad Alsa’deh Ahmad Kayed
Hasso Plattner Institute Birzeit University Middle East University Potsdam, Germany West Bank, Palestine Amman, Jordan eyad.saleh@hpi.de asadeh@birzeit.edu akayed@meu.edu.jo Christoph Meinel Hasso Plattner Institute Potsdam, Germany christoph.meinel@hpi.de
ABSTRACT programs’ functionality without leaking their se-
Data encryption is a common approach to protect the crets), and integrity of computations (i.e. How to confidentiality of users’ data. However, when computa- outsource computations over encrypted database for tion is required, the data must be decrypted before pro- authorized users). Therefore, in the modern era, cessing. The decryption-for-processing approach causes and motivated by the increasing adoption of the critical threats. For instance, a compromised server may cloud model, the need and possibility of processing lead to the leakage of data or cryptographic keys. On over encrypted data is highly desirable. the other hand, data owners are concerned since the data Developing new constructions that allow opera- is beyond their control. Thus, they look for mecha- tions directly on encrypted data was firstly intro- nisms to achieve strong data protection. Accordingly, duced by Rivest et al. in 1978 [77]. The main hy- alternatives for protecting data become essential. Con- pothesis was that useful privacy homomorphisms sequently, the trend of processing over encrypted data (i.e., encryption schemes) may exist to support pro- starts to arise along with a rapidly growing literature. cessing data while being encrypted. They discussed This paper surveys applications, tools, building blocks, some examples of basic operations that could be and approaches that can be used to directly process en- applicable, such as addition on integers. In 1985, crypted data (i.e., without decrypting it). The purpose of Blakley and Meadows followed Rivest approach and this survey is to provide an overview of existing systems proposed an encryption scheme that supports some and approaches that can be used to process encrypted statistical operations such as sum and average [7]. data, discuss commercial usage of such systems, and to Despite the previous initiation e↵orts, Feigenbaum analyze the current developments in this area. in 1986 and Abadi et al. in 1987 can be considered as the first proposals to discuss the concept of pro- 1. INTRODUCTION cessing over encrypted data in its general form, and the first to use formal definitions and strict security Encryption was previously used to encrypt data requirements [1, 31]. during transmission to prevent eavesdroppers from However, the hype of processing over encrypted intercepting the communication and revealing the data did not receive a considerable attention by the data. In addition, it prevents unauthorized disclo- database community until 2002, when Hacigümüs sure of confidential data in storage. However, the et al. discussed the idea in the context of database standard encryption schemes do not allow compu- applications [51]. A restricted version that focuses tations over encrypted data without access to the only on search over encrypted documents has been decryption key. Furthermore, disclosing the decryp- previously published by Song et al. in 2000 [81]. tion key to the server has drawbacks, mainly, the Since then, a rapidly growing literature evolved, leakage of the key if the server is compromised [46]. and yielded to several approaches and solutions, Thus,the security challenges for cloud cannot be such as Fully Homomorphic Encryption (FHE) [37], addressed e↵ectively by classical encryption algo- CryptDB [71], CloudProtect [28], Silverline [72], Ci- rithms. Those challenges can be classified into three pherbase [5], TrustedDB [6], and Blind Seer [69]. groups: Privacy of data (i.e. How to secure shared However, literature is still evolving and the status data), privacy of programs (i.e. How to preserve
SIGMOD Record, September 2016 (Vol. 45, No. 3) 5
of this new paradigm is yet to be well established. or public-key encryption uses two related keys for Therefore, we believe that there is a strong need for encryption and decryption, a public key and a pri- such a survey that provides a comprehensive view vate key. A private-key known only to one party on the developments and advances in this area. and a public-key is made freely available to other An earlier survey of search over encrypted data parties. If Alice encrypts a message by using the has been introduced by Hacigümüs et al. in 2007 Bob’s public-key, only Bob can decrypt it using [49]. Another survey of homomorphic cryptosys- his matching private-key. This means that pub- tems was also presented by Fontaine and Galand in lishing the public-key on the Internet is safe. If 2007 [32]. Additionally, In 2013, Ravan et al. wrote Alice prepares a message to Bob and encrypts it a survey paper that introduced some methods for using her private-key, Bob can decrypt the mes- searching on encrypted data and compared between sage using Alice’s public-key. Because only Alice these methods in terms of performance and security poses her private-key, the encrypted message with level [73]. Although these surveys are helpful, still her private-key serves as digital signature. There- they focus only on partial issues of the topic. There- fore, the public-key cryptosystems have profound fore, our survey provides more in-depth coverage of consequences on confidentiality, key exchange, and the topic and presents the current advances in this authentication (digital signature). The most widely topic. used general purpose public-key algorithm is RSA Since the objective of this survey is to be a self- scheme. Public-key algorithms are based on math- contained reference, we include a background sec- ematical functions, therefore they are computation- tion that briefly overview the main encryption cat- ally heavy. egories. In Section 3, we discuss the importance The computational overhead of current public- of cryptography, present a detailed description of key encryption schemes keeps the need for symmet- the homomorphic schemes that are used today, and ric encryptions because it is faster than the asym- highlight why they are critical in the cloud environ- metric encryptions. Diffie state that “the restric- ment. Then, the recent advances of processing on tion of public-key cryptography to key management encrypted data is presented in Section 4. Section 5 and signature applications is almost universally ac- discusses the commercial use of cryptography and cepted” [29]. In practice, asymmetric encryption processing over encrypted data. Finally, we discuss used to encrypt small blocks of data, such as en- the limitations and open issues, and conclude the cryption keys, while symmetric encryption used to survey in Section 6 and 7 respectively. encrypt the contents of blocks or streams of data of any size. To use asymmetric encryption, there must be a 2. BACKGROUND way for the communicating parties to discover other Encryption techniques are used for ensuring the public keys. Therefore, the digital certificates are in information secrecy. The encryption algorithms can use. A certificate is a package that provides infor- be classified into two categories: (1) symmetric en- mation to identify a server or a user. It contains in- cryption and (2) asymmetric encryption. With sym- formation, such as the certificate holder name, the metric or single-key encryption, the sender and re- organization that issued the certificate, the holder’s cipient share a single secret key; and they can en- e-mail address and country, and the holder’s public crypt and decrypt all messages with this secret key. key. The digital certificate is forgery resistant and The symmetric encryption algorithm takes as an can be verified because it was issued by a trusted input the message (plaintext) and performs various certificate authority (CA). When a client want to se- substitutions and transformations on the plaintext curely communicate with a server, it sends a query based on the secret key value to produce the scram- over the network to the sever asking for its certifi- bled message (ciphertext). The two most impor- cate. The server responds with a copy of its cer- tant symmetric cryptographic algorithms are Data tificate to the client. The client can extract the Encryption Standard (DES) and Advanced Encryp- server’s public-key from the certificate and verify if tion Standard (AES). The main challenge with the it is genuine and valid by using CA’s public-key. symmetric encryption is the problem with secret keys exchanging over the Internet. If the secret key falls in an adversary hands, encrypted messages by 3. CRYPTOGRAPHY IN THE CLOUD this secret key can be revealed. One solution to the Recent surveys showed that security and privacy secret keys exchange problem is the use of asym- concerns are among the major barriers for cloud metric encryption. adoption [74,76]. Utilization of cryptography in the Asymmetric encryption, also known as two-key cloud can be seen as a potential candidate to the
6 SIGMOD Record, September 2016 (Vol. 45, No. 3)
data confidentiality problem. Here, we discuss the secure and efficient ABE schemes, such as [13, 47]. recent advances of cryptography in this context. Moreover, Garg et al. constructed functional en- cryption for general circuits that depends on “multi- linear maps” [35]. An example of the e↵orts toward 3.1 Functional Encryption standardization is publishing RFC5091 [18]. Originally, the authorized entity who has the de- An extensive research has recently been pursued cryption key can decrypt and read the encrypted to study the functional encryption (FE) schemes data. Thus, conventional encryption schemes are in terms of security, implementations, and applica- all-or-nothing, where the encrypted data is useless tions. In particular, multi-input FE [43], functional without knowing the decryption key. However, in signatures [19], Fully Key-Homomorphic Encryp- many contemporary scenarios, such as complex net- tion [13], secure FE construction [85] and function- works and cloud computing, more fine-grained en- private FE [21]. Nevertheless, the main goal of cryption approach is needed to o↵er more function- functional encryption is to build secure and efficient ality. In some cases, the data owner needs the abil- schemes that support a wide class of functions and ity to control not only who should access the en- policies. crypted data but also what should they see. To ad- dress this problem, the cryptographic community 3.2 Searchable Encryption develop what is known as functional encryption. Functional encryption (FE) is a novel public-key Another interesting approach developed by the encryption scheme that allows both access control community is the Searchable Encryption (SE). SE flexibility and selective processing on the encrypted allows the user to encrypt his data using a private- data. FE supports having multiple restricted se- key and store it in the cloud; then, selectively re- cret keys of the encrypted data, and allows the se- trieve segments of his encrypted data using keyword cret key holder to learn a specific function of the search. One approach of SE is the so-called secure encrypted data but nothing else about the data. index. Informally, the user creates an Index I over a For example, consider a financial data for a com- database DB = (m1 , m2 , ..., mn ) by using some key- pany uses the cloud encrypted in away that only words KW = (kw1 , kw2 , ..., kwm ) extracted from employees of the finance department working in the DB and encrypted using a private-key K. Next, headquarter are allowed to decrypt. In the past the user stores the encrypted database and the se- decade, cumulative e↵orts have been made to en- cure index in the cloud. Later, the user generates able fine-grain access control, which resulted in of- a trapdoor T over KW using K, and requests the fering some derivatives of FE, such as Attribute- server to use T to search the secure index and re- Based Encryption (ABE) and Identity-Based En- turn the segments of data that match the keyword. cryption (IBE) [10, 16, 23, 48, 56, 67, 78]. More gen- A pioneered approach to search directly over the ci- eral notion and framework for functional encryption phertext was introduced by Song et al. [81]. They system that o↵ers selective computation have been introduce several schemes that support both search published in [15, 65]. by sequential scan over an encrypted database (to In a functional encryption system, the data is en- avoid the overhead of keep updating the encrypted crypted once and the appropriate secret keys with index), and the more sophisticated search using an di↵erent decryption capabilities are distributed to encrypted index without sacrificing security. For di↵erent users according to arbitrary functions that more details on SE, we refer the reader to a recent control what each user should learn from the ci- survey which was published during the time of re- phertext. If a user has a key Skf1 associated to viewing this article [17]. some function f1 , then he can apply the key Skf1 to decrypt data and learn the output of applying f1 3.3 Secure Multi-party Computation but nothing else about the plaintext. On the other Yao introduced the Multi-party Computation in hand, another user with a di↵erent key can learn 1982 [86]. Yao asked: How can two millionaires entirely di↵erent things about the encrypted data. know who is richer without disclosing their indi- The enhanced flexibility provided by the func- vidual wealth to each other. Sheikh et al. formal- tional encryption systems that provides partial ac- ized the problem in the so-called Secure Multi-party cess and selective computation on encrypted data Computation (SMC) [79]. SMC provides private is very attractive for many applications, such as computation over data while reveal only the indi- searching on encrypted data, partial access control, vidual item to the respective owner. Given mul- and selective computation on the encrypted data. tiple parties P1 , P2 , ..., Pn involved in a computa- Accordingly, much progress has been done to realize tion of some public function of their private inputs
SIGMOD Record, September 2016 (Vol. 45, No. 3) 7
D1 , D2 , ..., Dn , respectively. Each party P i wants to can be classified as follows: Private Information Re- know the common function f (D1 , D2 , ..., Dn ) with- trieval, Selective Private Function Evaluation, Pri- out disclosing value of its data Di to other par- vacy Preserving Data Mining, Cooperative, Data- ties. Ideal and Real models are the two well-known base Query, Geometric Computation, Intrusion De- paradigms for SMC. In the ideal model, there is tection, and Statistical Analysis [79]. some trusted third party (TTP) among the partici- pants while there is no such assumption in the real 3.4 Homomorphic Cryptosystems model. Worth to mention that in the Data-as-a- Existing encryption schemes can be classified into Service (DaaS) environment and in large volumes two main categories in terms of homomorphic prop- of online transactions, the concept of data privacy erties. Namely, Fully Homomorphic Encryption and and SMC has become a matter of great concern [79]. Partially Homomorphic Encryption. Homomorphic A survey of the main techniques to secure joint is an adjective that describes a special property of computation over private data while preserving the an encryption scheme. That property, at an ab- privacy of their individual items has been intro- stract level, can be defined as the ability to perform duced by Sheikh et al. [79]. They classified the tech- computations on the ciphertext without decrypting niques that solve SMC problems into three main it or even knowing the keys. groups: randomization, anonymization and crypto- graphic. In the randomization method, parties use 3.4.1 Fully Homomorphic Encryption (FHE) random numbers for hiding their data. Cliftonet et al. proposed a secure sum protocol that com- In the cryptography communit’s Conviction, FHE putes the sum of several parties while preserving was impossible to achieve until 2009, when Gentry the privacy of their data [26]. In the anonymization announced his new approach [38, 39]. It is consid- method, TTP is required to hide the identities of ered one of the recent breakthrough of cryptogra- the parties. Mishra and Chandwani proposed and phy. FHE supports arbitrary computation over en- extend anonymous protocols to hide the TTP iden- crypted data and remains secure (achieve semantic tities [62]. Their main protocol unanimously selects security) as well. In his PhD thesis, he discussed one TTP among all TTPs in the SMC architecture how his schemes can be constructed [37]. Before to ensure that no single TTP controls the system Gentry’s achievement, all encryption schemes that and no TTP knows where the computation is taking preserve a homomorphic property were able to sup- place. In the cryptographic technique, blocks are port only a single operation over encrypted data. built to secure computation [64]. Well-known tech- The main contribution of Gentry’s work is the sup- niques that use cryptographic blocks are: Yao’s mil- porting of two homomorphic operations at the same lionaires problem, homomorphic encryption, obliv- time. Namely multiplication and addition. Corre- ious transfer, and private matching. spond to AND (^) and XOR ( ) in boolean alge- Lepinksi et al. stated that cryptographic proto- bra. The remarkable value of supporting these two col can undo all of the carefully planned measures boolean functions is that any computation can be designed by the auctioneer to prevent collaborative converted into a function that contains only (^) and bidding [58]. They define and construct collusion- ( ) as we explained below. Finally, an open-source free protocols in a model in which players can ex- implementation of FHE is available [53, 54]. change physical envelopes to guarantee that no new In algebraic terms, any computation can be ex- method for players to collude are introduced by the pressed as a boolean circuit. For example, to search protocol itself. for a string in a text file, we can convert both the Finally, Alwen et al. addressed the problem of string and the text file into two sequences of bi- building collusion-free protocols without using phys- nary digits, then we do a bitwise XOR for every ical channels [4]. They suggested a mediated model bit of the string, when the result of all bits is 1, where all communication passes through a media- then there is no match for the current position of tor. The goal is to design protocols where collusion- the file; Therefore, we shift one bit to the right and freeness is guaranteed. Recently, Miers et al. pro- compare again. We repeat this process until the re- posed Zero-coin, a cryptographic extension to Bit- sult of comparison is 0, which means that we found coin where their protocol allows fully anonymous a match, or the file ends without a match. Usu- currency transactions [61]. Their system uses stan- ally, several techniques can be used to convert a dard cryptographic assumptions and does not intro- function (i.e., computation) into a more simple or duce new trusted parties. efficient one. Furthermore, they can also be used Current major problems and solutions for SMC to transform a function to use specific boolean op- erations. For instance, ¬A can be expressed as A
8 SIGMOD Record, September 2016 (Vol. 45, No. 3)
1, another example would be A _ B, this can be constant. Next we describe the addition. Let c1 = transformed into ¬(¬A ^ ¬B) which is equivalent g m1 r1n mod n2 and c2 = g m2 r2n mod n2 , then to ((A 1) ^ (B 1)) 1. By utilizing such tech- c1 c2 mod n2 = g m1 r1n g m2 r2n mod n2 niques, all functions can be converted into a series of (^) and ( ) operations. This is the basis behind = g m1 +m2 r1n r2n mod n2 the remarkable achievement of Gentry’s work. Clearly, converting even a simple application into is a valid encryption of m1 + m2 a series of boolean circuits requires enormous num- Goldwasser-Micali Cryptosystem: Proposed ber of operations. Moreover, both the complexity by Goldwasser and Micali as the first probabilistic of encryption and decryption and the size of the encryption scheme [44, 45]. Also the first to in- ciphertext hugely grow. Despite that Gentry is try- vent the term semantic security. The security of ing with the support of his colleagues at IBM to the scheme is based on the complexity of deciding optimize the first version of his work [20, 40, 84], his whether a number is quadratic residues with respect approach remains very expensive and hence imprac- to composite modulo n = pq, where p and q are two tical. distinct prime numbers. The homomorphic prop- erty of the scheme is the support of the addition 3.4.2 Partially Homomorphic Encryption (PHE) operation modulo 2, or in algebraic terms the XOR Several PHE systems have been discussed in the ( ) operation. Given two ciphertexts c1 = 1x1 r1 2 literature. Rivest et al. in 1978 was the first to in- and c2 = 1x2 r2 2 , then troduce the concept of privacy homomorphism [77]. Then, several researchers follow such as ElGamal c1 c2 = ( 1x1 r1 2 )( 1x2 r2 2 ) mod 2 and paillier [34, 68]. Here is a discussion of the most well-known partially homomorphic cryptosys- = 1(x1 +x2 ) (r1 r2 )2 mod 2 tems and a summary is shown in Table 1 as well. is a valid encryption of x1 + x2 mod 2. Benaloh Cryptosystem: Due to the problem ElGamal Cryptosystem: T. ElGamal in 1984 of large ciphertext expansion in Goldwasser-Micali proposed what is known as ElGamal cryptosystem cryptosystem, Benaloh proposed his scheme in 1994 [34]. His scheme is based on problem of solving that decreased the ciphertext size at the cost of discrete logarithms. The homomorphic operation decryption complexity [9]. Benaloh scheme sup- that ElGamal supports is the multiplication over ports both addition and subtraction over cipher- encrypted messages. Given two ciphertexts c1 and texts. Given two ciphertexts c1 = y m1 u1 r mod n c2 that are encryption of m1 and m2 , ↵ is a genera- and c2 = y m2 u2 r tor of a cyclic group G of order p, where p is a large mod n, then prime number. y = ↵x where x is the secret key, k1 and k2 are randoms such that k1 , k2 2 {0, ..., p 1}, c1 c2 = (y m1 u1 r )(y m2 u2 r ) mod n then = y m1 +m2 (u1 u2 )r mod n c1 c2 = (↵k1 ↵k2 mod p, ((m1 · y k1 )(m2 · y k2 )) mod p) is a valid encryption of m1 + m2 , and k1 +k2 k1 +k2 = (↵ , m1 m2 · y ) mod p c1 c2 1 = (y m1 u1 r )(y m2 u2 r ) 1 mod n is a valid encryption of m1 . m2 . One notable draw- back of ElGamal scheme is that the size of cipher- = (y m1 u1 r )(y m2 (u2 1 r ) ) mod n text is double the size of the plaintext message. In- terestingly, several variants of ElGamal have been = y m1 m2 (u1 u2 1 )r mod n proposed, such as Cramer et al. that is homomor- is a valid encryption of m1 m2 . phic on the additive operation [27]. Boneh-Goh-Nissim Cryptosystem: This sys- Paillier Cryptosystem: This scheme is based tem utilizes the bilinear pairing to supports the ho- on the problem of composite residuosity class. i.e., momorphic addition while at the same time allow- given a composite n and an integer z , it is hard ing the computation of a single homomorphic mul- to decide whether there exists y such that z ⌘ tiplication of two cipertexts [14]. Let y n mod n2 [68]. The di↵erence of paillier from RSA c1 = g m1 hr1 mod n and c2 = g m2 hr2 mod n, then is the usage of square number as modulus, where n2 = pq is the product of two large primes. As c1 c2 mod n = (g m1 hr1 )(g m2 hr2 ) mod n for homomorphic property, the scheme supports two main operations, addition and multiplication by a = (g m1 +m2 )(hr1 +r2 ) mod n
Table 1: Summary of the most well-known PHE schemes
approach is basically built on two main ideas. First,
Fully Homomorphic Schemes use SQL-aware encryption schemes to efficiently ex- Homomorphic Schemes Partial Homomorphic ecute queries. And second, use onions of encryption Schemes and adjust them dynamically at the run-time based on the required functionality. The idea of SQL- Secure Co-processors aware encryption schemes is a kind of mapping be- Processing Over Trusted Hardware Security tween the operation required and the homomorphic Hardware Modules Encrypted scheme that can support it. However, onions of en- Data FPGAs cryption cause extra overhead. One major draw Client/Server back of CryptDB is the lack of support for Stored Query Procedures (where the SQL code is integrated into Evaluation the DBMS itself). CryptDB provides the highest security guaran- tees when using a probabilistic encryption, which Figure 1: Classification of Processing Over means that encrypting the same value more than Encrypted Data Models once produces di↵erent result (even when using the same encryption key). Random(RND) where no is a valid encryption of m1 + m2 , and computation is supported, and Homomorphic en- cryption (HOM) where simple computation such as c1 k mod n = (g m1 hr1 )k mod n summation is supported, are conventions used by CryptDB to refer to such schemes. Better run-time = (g km1 hr1 k ) mod n efficiency was achieved by perform aggregation in is a valid encryption of km1 parallel by simultaneously adding multiple 32-bit Based on the above discussion, we argue that ho- integers [36]. momorphic encryption schemes are possible. How- To allow more fine-grained operations, CryptDB ever, they lack general computation support since utilizes the scheme proposed by Song et al. to sup- they can perform limited types of operations, and port search over encrypted data [81]. It enables the hence the question of designing full functional sys- user to perform search operations over encrypted tems that process encrypted data using only homo- data. All text fields in the database are encrypted morphic schemes is still an open challenge. using Song et al. approach and stored in the DBMS. By using this approach, they could execute queries 4. STATE OF THE ART to retrieve records that match a certain keyword, such as SELECT * from Employee where Address As shown in Figure 1, current systems of process- Like %Berlin% ing over encrypted data can be classified into three Another important building block of CryptDB is main categories: (i) Systems that utilize homomor- the use of Deterministic Encryption (DET) that phic encryption schemes, (ii) Client-server splitting allows equality check operations [8]. DET means approaches, and (iii) Trusted-hardware systems. In that repeating the encryption of any message would this section, we discuss systems that fall under these always produce the same ciphertext. We cannot categories. achieve semantic security in this scheme, but it still 4.1 Systems Based on Homomorphic provides high security guarantees. The only infor- mation it leaks is the ability to identify which ci- CryptDB is one of the recent “partially” practi- phertexts are mapped to the same plaintext, with- cal systems that utilized several homomorphic sch- out revealing the actual value of the plaintext. De- emes to support database functionality [71]. Their
10 SIGMOD Record, September 2016 (Vol. 45, No. 3)
terministic encryption can be constructed by the server’s side), and then perform client-side post- use of a block cipher such as AES-ECB. Block-size processing on the result come from the server. The in AES has a fixed length of 128-bit, for lower block- efficiency of this approach relies on how data parti- size, such as 64-bit, alternative schemes could be tioning and query splitting and rewriting is accom- used, such as Blowfish. By utilizing deterministic plished. encryption, the system would be able to execute, for Monomi utilizes both techniques, PHE and split example, queries with equality checks, GROUP BY, client-server query execution [83]. In contrast to and some aggregate functions, such as COUNT. CryptDB that focuses on transactional workloads, Finally, Order-Preserving Encryption (OPE) al- Monomi is mainly targeting analytical workloads. gorithms preserve the numerical order of the ci- Since queries are not known ahead of time, and phertext in a way equivalent to the plaintext [2, to maximize efficiency, Monomi introduces an opti- 11]. One potential use case of such schemes is to mization designer that chooses an appropriate data- perform range queries on encrypted data. For in- base design (on the server) according to the tar- stance, given two plaintext values m1 and m2 , get workload. Further, it provides a planner that where m1 < m2 , then f is order-preserving en- selects the query execution path for every query. cryption function if Additionally, it provides some techniques such as per-row pre-computation and pre-filtering. How- f (m1 ) < f (m2 ) ever, Monomi is far from being generally practical for several reasons. First, in real-world enterprise 4.2 Client-Server Splitting Approaches environments, it could be inefficient since queries Several approaches that utilize the concept of cli- over analytical workloads contain complex compu- ent-server query split have been discussed by the tations that is hard to partition between client and community [50–52, 55, 72, 83]. server. Second, Performance cost is very expensive. Silverline keeps the data at the server-side con- Queries over large (plain) datasets often have the fidential by encrypting it in away that is transpar- problem of i/o bottlenecks, imagine adding the cost ent to the application and being able to have some of using cryptography techniques. Finally, choos- functionality on it as well [72]. Silveline proposed ing a physical design at the runtime, pre-filtering to dynamically analyse the application to deter- and pre-computation are complex tasks and depend mine which parts of the data can be functionally mainly on the targeted workload. Thus, the task encryptable; it assumes that any data that is never need to be repeated for every workload or applica- interpreted or manipulated by the application is en- tion. cryptable. For instance, a SELECT query in typi- cal human-resource applications that searches for all records match the employeeID ’Jan’ is not required 4.3 Trusted-Hardware Systems to interpret the actual string ’Jan’ and hence can To perform a computation on encrypted data, execute the query if it would be encrypted. As for the keys need to be present at the server to de- key-management, it divides the users into groups, crypt the data, compute, and then encrypt again. and assigns a single encryption key to this group, fa- The drawback of this model is the vulnerability of cilitates encryption and information sharing at the compromising cryptographic keys. Therefore, sev- same time. While Silverline seems to be practical to eral techniques and approaches have been discussed some extent, the main drawback is that it requires to overcome such vulnerabilities. These approaches analysis of the application and the data to deter- use secure, tamper-proof hardware components at- mine which parts can be encrypted. Such an analy- tached to the server to store cryptographic keys and sis would be an expensive task; also a repetition of perform computation over encrypted data [5,6]. Ex- this process will be required whenever a change to amples of industrial solutions that are in use in- the application or upgrade is taking place. Further- clude secure co-processors, Hardware Security Mod- more, major part of the data will still be stored in ules (HSM), and Field-Programmable Gate Arrays plaintext, thus privacy and data compromise issues (FPGAs). still open. In contrast to software-based approaches, Trusted In contrast to Silverline, Hacigümüs et al. pro- DB uses IBM’s 4764 cryptographic co-processors to posed to store the entire data in an encrypted form execute SQL queries while maintaining confiden- on the provider’s side, and introduced an algebraic tiality [6]. Since it is implemented entirely using framework for query rewriting [51]. The framework hardware components, the overhead of query exe- divides every query into two parts, execute the first cution is lower by orders of magnitude in compar- part on the encrypted version (i.e., stored on the ison to other approaches. Additionally, They in-
SIGMOD Record, September 2016 (Vol. 45, No. 3) 11
troduced cost-models and insights for the advan- Database [60]. Always Encrypted is a client-side tages of using trusted, hardware-based solutions for technology to ensure that sensitive data is encrypted outsourced data processing. Finally, they recom- and decrypted at the client side and the database mended that trusted-hardware approach be a first- system does not have access to the encryption keys. class candidate for remote and secure data manage- Consequently, database administrator or attackers ment. Di↵erent from TrustedDB, Cipherbase key gaining illegal access to the database are not able idea is to simulate fully-homomorphic encryption to retrieve data from encrypted database. on top of non-homomorphic encryption schemes by Navajo Systems (acquired by Salesforce in 2011) using trusted hardware [5]. [33], CipherCloud [25], and SQLCipher [82] all pro- vide techniques to encrypt enterprise data before storing them in the cloud. For instance, Cipher- 5. CURRENT INDUSTRY OFFERINGS Cloud o↵ers, in addition to key management and Industry o↵erings can be classified into two cat- other things, what they call Tokenization. It gen- egories: encryption at rest and computing on en- erates a random values to substitute the original crypted data. In this section, we discuss the latest data and store them in the cloud. The mapping technologies provided by the pioneered providers. between the random values and the original data is Oracle introduced Transparent Data Encryption stored at the client’s side. Finally, Google is imple- (TDE) that provides data-at-rest encryption [66]. menting and testing some partially homomorphic The data will be stored on the file systems as en- encryptions in a new command-line client-tool that crypted. Yet, and upon request, it transparently de- accesses their BigQuery service [75]. crypt the data for the application to process. TDE The above industry o↵erings are mainly targeted supports both column-level and table-level encryp- to protect data at-rest and in transit. Although we tion. However, a single key is used for the entire ta- introduced Microsoft Always Encrypted and Sky- ble regardless of how many columns are encrypted. highy, supporting functionality over encrypted data, By default, TDE utilizes AES with 192-bit key as a other than basic search or limited queries, remains standard encryption algorithm. However, 128 and a challenge and an open issue for both industry and 256 bits are also supported. In addition, 3DES can academia. be used as an alternative encryption algorithm. To prevent unauthorized disclosure, the keys for all ta- 6. LIMITATIONS AND OPEN ISSUES bles are encrypted with a database-server master key and then stored in a dictionary table in the We point out inherited limitations of current sche- database. Afterwards, the master key is stored in mes and discuss some open problems in the domain an external secure module outside the database and of processing over encrypted data. is accessible only to the security administrator. Similar to Oracle, Microsoft o↵ers TDE as well 6.1 FHE is Impractical [59]. The main concept of securing data at-rest Despite the improvements that follow Gentry’s by utilizing encryption remains the same. How- scheme [20,22,42,84], current proposals of FHE are ever, few di↵erences exist, such as storing the keys far from being practical due to the expensive cost for encrypting data in the database boot record in to perform operations. For example, An evaluation comparison to a dictionary in the case of Oracle. performed by Gentry et al. in 2012 for AES-128 cir- Another major di↵erence is that Microsoft TDE cuit showed that it cost about 40 minutes per AES uses three-levels of encryption along with two mas- block on an Intel core i5-3320M machine running at ter keys and one certificate. Namely Service Mas- 2.6GHz with 256 GB of RAM [41]. The computa- ter Key (SMK) and Database Master Key (DMK). tion model required by FHE is complex due to the First, the SMK is created at the time of SQL Server need of converting the application into a boolean setup. The Windows OS-Level Data Protection API circuit that may results in a very large, non-trivial (DPAPI) is used to encrypt the SMK so it remains one. Therefore, designing an efficient and practical protected. Second, The DMK is created and then FHE scheme remains an open issue. protected by encrypting it using the SMK. Finally, a certificate is generated using the DMK and stored 6.2 PHE Schemes are Limited in the master database that is consequently used In contrast to FHE, PHE schemes are more ef- to encrypt the data encryption key. In addition ficient. This is due to the support of only lim- to TDE, Microsoft developed a new Always En- ited functionality. For instance, paillier takes about crypted feature for protecting sensitive data, such 0.005 ms to perform an addition on two cipher- as credit card number that sorted in Azure SQL texts [71]. PHE schemes are crucial for systems to
12 SIGMOD Record, September 2016 (Vol. 45, No. 3)
process encrypted data because of their practicality. schemes are malleable by design. For instance, a However, they only support partial computations, chosen-ciphertext attack by Ahituv et al. was re- and hence, cannot be used to build complete func- ported against a homomorphic scheme where the tional systems. Yet, and motivated by the previous addition operation is supported [3]. Unlike PHE, schemes and advances in cryptography, we believe and to overcome the security issues of the current that more schemes to come that can help in bridg- schemes, a breakthrough in 2009 introduced by Gen- ing this gap. try for his proposal of the FHE scheme [38,39]. FHE supports arbitrary computation over encrypted data 6.3 Strong Order-Preserving Encryption and remains secure. Despite Gentry’s achievement, Order-Preserving Encryption (OPE) schemes in his approach remains very expensive and impracti- [2,11] are shown to be insecure and reveal about half cal. Also, we discussed and classified several as- of the plaintext [70]. An extension to improve the pects of processing over encrypted data, such as security of [11] was presented by the same authors functional encryption, searchable encryption, multi- in [12]. However, the leakage of nothing except or- party computation, and the recent industry o↵er- der remains questionable. More recent approaches ings. Finally, we believe that an obvious shift in the claim that their schemes achieve ideal security of field of processing over encrypted data is in the inte- OPE (i.e., they leaks nothing but order) [57,70]. Fi- gration of trusted-hardware components with com- nally, although SkyhighNetworks implemented OPE modity servers. Interestingly, some researchers fore- solution in their cloud security [80], the security of see the future of secure remote data management as the best practical OPE schemes is still not well un- infeasible without the usage of the trusted-hardware derstood [24]. model.
6.4 Trusted-Hardware is Expensive 8. REFERENCES
In spite of the fact that the benefits of hardware- based solutions, they require fundamental changes [1] M. Abadi, J. Feigenbaum, and J. Kilian. On to the service provider’s model. Consequently, their hiding information from an oracle. In ACM usage is limited to specific environments. However, Symp. on Theory of Computing, New York, and due to the limitation of software-based solu- USA, 1987. tions, the integration of trusted-hardware with com- [2] R. Agrawal, J. Kiernan, R. Srikant, and modity servers has received a considerable attention Y. Xu. Order-preserving encryption for recently. In order to bring the trusted-hardware numeric data. In ACM SIGMOD Conference, model into practice, we believe that in the near fu- Paris, France, 2004. ture, several IaaS providers will start to o↵er secure [3] N. Ahituv, Y. Lapid, and S. Neumann. co-processors, FPGAs, and HSM in their settings. Processing encrypted data. Communications A more detailed discussion about processing on en- of the ACM, 30(9):777–780, 1987. crypted data using secure hardware is presented [4] J. Alwen, A. Shelat, and I. Visconti. in [30, 63]. Collusion-free protocols in the mediated model. In CRYPTO, pages 497–514, Santa Barbara, California, USA, 2008. Springer. 7. CONCLUSION [5] A. Arasu, S. Blanas, K. Eguro, R. Kaushik, This paper discussed the main applications, tools, D. Kossmann, R. Ramamurthy, and and techniques for processing over encrypted data. R. Venkatesan. Orthogonal security with We reviewed both PHE and FHE schemes. PHE en- cipherbase. In CIDR, California, USA, 2013. cryption schemes that preserve homomorphic prop- [6] S. Bajaj and R. Sion. Trusteddb: A trusted erty can be discussed from two di↵erent perspec- hardware-based database with privacy and tives. On one hand, it is a desirable property that data confidentiality. In ACM SIGMOD allows the user to perform computations on the en- Conference, California, USA, 2011. crypted data without decrypting it or even know- [7] G. R. Balkley and C. Meadows. A database ing the decryption keys. An interesting example encryption scheme which allows the for such a need is electronic voting. On the other computation of statistics using encrypted hand, it is perceived as a drawback or a weakness data. In IEEE S&P, Oakland, CA, USA, 1985. in the encryption scheme since it cannot satisfy in- [8] M. Bellare, A. Boldyreva, and A. O’Neill. distinguishability under adaptive chosen ciphertext Deterministic and efficiently searchable attack (IND-CCA2) requirements, and hence, can encryption. In CRYPTO, pages 535–552, be broken. This is drawn from the fact that PHE California, USA, 2007.
SIGMOD Record, September 2016 (Vol. 45, No. 3) 13
[9] J. Benaloh. Dense probabilistic encryption. In setting. Technical Report Report 2014/550, Selected Areas of Cryptography, pages Cryptology ePrint Archive, 2014. 120–128, Ontario, Canada, 1994. [22] Z. Brakerski and V. Vaikuntanathan. Fully [10] J. Bethencourt, A. Sahai, and B. Waters. homomorphic encryption from ring-lwe and Ciphertext-policy attribute-based encryption. security for key dependent messages. In In IEEE S&P, pages 321–334. IEEE, 2007. CRYPTO, pages 505–524, California, USA, [11] A. Boldyreva, N. Chenette, Y. Lee, and 2011. A. O’Neill. Order-preserving symmetric [23] M. Chase. Multi-authority attribute based encryption. In EUROCRYPT, pages 224–241, encryption. In Theory of Cryptography, Cologne, Germany, 2009. volume 4392 of Lecture Notes in CS, pages [12] A. Boldyreva, N. Chenette, Y. Lee, and 515–534. Springer, 2007. A. O’Neill. Order-preserving encryption [24] N. Chenette, K. Lewi, S. A. Weis, and D. J. revisited: improved security analysis and Wu. Practical order-revealing encryption with alternative solutions. In CRYPTO, pages limited leakage, 2015. 578–595, California, USA, 2011. [25] CipherCloud. Cloud data protection. [13] D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, [retrieved: Oct, 2014]. V. Nikolaenko, G. Segev, V. Vaikuntanathan, [26] C. Clifton, M. Kantarcioglu, J. Vaidya, and D. Vinayagamurthy. Fully X. Lin, and M. Y. Zhu. Tools for privacy key-homomorphic encryption, arithmetic preserving distributed data mining. ACM circuit abe, and compact garbled circuits. In SIGKDD, 4(2):28–34, December 2002. EUROCRYPT 2014, volume 8441 of LNCS, [27] R. Cramer, R. Gennaro, and pages 533–556, 2014. B. Schoenmakers. A secure and optimally [14] D. Boneh, E.-J. Goh, and K. Nissim:. efficient multiauthority election scheme. In Evaluating 2-dnf formulas on ciphertexts. In EUROCRYPT, pages 103–118, NY, USA, Theory of Cryptography, volume 3378, pages 1997. 325–341, 2005. [28] M. H. Diallo, B. Hore, E. C. Chang, [15] D. Boneh, A. Sahai, and B. Waters. S. Mehrotra, and N. Venkatasubramanian. Functional encryption: Definitions and Cloudprotect: Managing data privacy in cloud challenges. In Theory of Cryptography, volume applications. In IEEE Cloud, Hawaii, USA, 6597, pages 253–273. Springer, 2011. 2012. [16] D. Boneh and B. Waters. Conjunctive, subset, [29] W. Diffie. The first ten years of public-key and range queries on encrypted data. In cryptography. Proceedings of the IEEE, Theory of Cryptography, volume 4392, pages 76(5):560 – 577, May 1988. 535–554. Springer, 2007. [30] K. Eguro and R. Venkatesan. Fpgas for [17] C. Bösch, P. Hartel, W. Jonker, and A. Peter. trusted cloud computing. In A survey of provably secure searchable Field-Programmable Logic and Applications, encryption. ACM Computing Surveys Oslo, Norway, 2012. (CSUR), 47(2):18, 2015. [31] J. Feigenbaum. Encrypting problem instances, [18] X. Boyen and L. Martin. Identity-based or, ..., can you take advantage of someone cryptography standard (ibcs) #1: without having to trust him? In CRYPTO. Supersingular curve implementations of the bf Springer-Verlag, 1986. and bb1 cryptosystems. RFC5091, December [32] C. Fontaine and F. Galand. A survey of 2007. homomorphic encryption for nonspecialists. [19] E. Boyle, S. Goldwasser, and I. Ivan. EURASIP Journal on Information Security, Functional signatures and pseudorandom pages 1–15, 2007. functions. In PKC 2014, volume 8383 of [33] Forbes. Salesforce.com brings navajo into LNCS, pages 501–519. Springer, 2014. camp to boost cloud security. [20] Z. Brakerski, C. Gentry, and http://www.forbes.com/sites/greatspeculat- V. Vaikuntanathan. (leveled) fully ions/2011/08/30/salesforce-com-brings- homomorphic encryption without navajo-into-camp-to-boost-cloud-security, bootstrapping. In Innovations in (Theoretical) 2011. CS, Cambridge, MA, USA, 2012. [34] T. E. Gamal. A public key cryptosystem and [21] Z. Brakerski and G. Segev. Function-private a signature scheme based on discrete functional encryption in the private-key logarithms. In CRYPTO, pages 10–18, Santa
14 SIGMOD Record, September 2016 (Vol. 45, No. 3)
Barbara, California, USA, 1984. In 13th ACM Conference on CCS, pages [35] S. Garg, C. G. S. Halevi, M. Raykova, 89–98. ACM, 2006. A. Sahai, and B. Waters. Candidate [49] H. Hacigümüs, B. Hore, B. Iyer, and indistinguishability obfuscation and functional S. Mehrotra. Search on Encrypted Data, encryption for all circuits. In FOCS ’13, pages volume 33, chapter Secure Data Management 40–49. IEEE Computer Society, 2013. in Decentralized Systems, pages 383–425. [36] T. Ge and S. Zdonik. Answering aggregation Springer, 2007. queries in a secure system model. In VLDB, [50] H. Hacigümüs, B. Lyer, , and S. Mehrotra. pages 519–530, 2007. Query optimization in encrypted database [37] C. Gentry. A fully homomorphic encryption systems. In Database Systems for Advanced scheme. PhD thesis, Stanford, 2009. Applications, Beijing, China, 2005. [38] C. Gentry. Fully homomorphic encryption [51] H. Hacigümüs, B. Lyer, C. Li, , and using ideal lattices. In ACM Symp. on the S. Mehrotra. Executing sql over encrypted Theory of Computing, pages 169–178, data in the database-service-provider model. Maryland, USA, 2009. In ACM SIGMOD Conference, Wisconsin, [39] C. Gentry. Computing arbitrary functions of USA, 2002. encrypted data. Comm. of the ACM, [52] H. Hacigümüs, B. Lyer, and S. Mehrotra. 53(3):97–105, 2010. Efficient execution of aggregation queries over [40] C. Gentry, S. Halevi, and N. P. Smart. Better encrypted relational database. In Database bootstrapping in fully homomorphic Systems for Advanced Applications, Jeju encryption. In Public Key Cryptography, Island, Korea, 2004. Darmstadt, Germany, 2012. [53] S. Halevi. Helib: an implementation of [41] C. Gentry, S. Halevi, and N. P. Smart. homomorphic encryption. Homomorphic evaluation of the aes circuit. In https://github.com/shaih/HElib. [retrieved: CRYPTO, pages 850–867, California, USA, Oct, 2014]. 2012. [54] S. Halevi and V. Shoup. Algorithms in helib. [42] C. Gentry, A. Sahai, and B. Waters. In CRYPTO, California, USA, 2014. Homomorphic encryption from learning with [55] B. Hore, S. Mehrotra, , and G. Tsudik. A errors: Conceptually-simpler, privacy-preserving index for range queries. In asymptotically-faster, attribute-based. In VLDB, pages 720–731, Toronto, Canada, CRYPTO, pages 75–92, California, USA, 2004. 2013. [56] J. Katz, A. Sahai, and B. Waters. Predicate [43] S. Goldwasser, S. D. Gordon, V. Goyal, encryption supporting disjunctions, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, polynomial equations, and inner products. In and H.-S. Zhou. Multi-input functional EUROCRYPT, volume 4965, pages 146–162. encryption. In EUROCRYPT, volume 8441 of International Association for Cryptologic LNCS, pages 578–602. Springer, 2014. Research, 2008. [44] S. Goldwasser and S. Micali. Probabilistic [57] F. Kerschbaum and A. Schroepfer. Optimal encryption & how to play mental poker average-complexity ideal-security keeping secret all partial information. In ACM order-preserving encryption. In ACM Symp. on Theory of Computing, pages Conference on CCS, Arizona, USA, 2014. 365–377, California, USA, 1982. [58] M. Lepinksi, S. Micali, and A. Shelat. [45] S. Goldwasser and S. Micali. Probabilistic Collusion-free protocols. In ACM Symp. on encryption. Journal of Computer and System Theory of Computing, 2005. Sciences, 28(2):270–299, 1984. [59] Microsoft. Transparent data encryption. [46] S. Gorbunov. Cryptographic Tools for the http://msdn.microsoft.com/en- Cloud. PhD thesis, MIT, 2015. us/library/bb934049.aspx. [retrieved: Oct, [47] S. Gorbunov, V. Vaikuntanathan, and 2014]. H. Wee. Attribute-based encryption for [60] Microsoft. Always encrypted (database circuits. In STOC ’13, pages 545–554. ACM, engine), February 3 2016. 2013. [61] I. Miers, C. Garman, M. Green, and A. D. [48] V. Goyal, O. Pandey, A. Sahai, and Rubin. Zerocoin: Anonymous distributed B. Waters. Attribute-based encryption for e-cash from bitcoin. In IEEE S&P, pages fine-grained access control of encrypted data. 397–411, San Francisco, California, USA,
SIGMOD Record, September 2016 (Vol. 45, No. 3) 15
2013. http://www.enisa.europa.eu/activities/risk- [62] D. K. Mishra and M. Chandwani. Extended management/files/deliverables/cloud- protocol for secure multiparty computation computing-sme- using ambiguous identity. WSEAS survey/at download/fullReport, 2009. Transaction on Computer Research, [retrieved: Oct, 2014]. 2(2):227–233, February 2007. [75] relax Google BigQuery. Encrypted bigquery [63] R. Müller, J. Teubner, and G. Alonso. Data client. https://code.google.com/p/encrypted- processing on fpgas. PVLDB, 2(1):910–921, bigquery-client. [retrieved: Sep, 2009. 2014]. [64] V. Oleshchuk and V. Zadorozhny. Secure [76] relax North Bridge. Cloud adoption survey. multi-party computations and privacy http://www.northbridge.com/2013-future- preservation: Results and open problems. cloud-computing-survey-reveals-business- Telektronikk, 103(2):20–26, 2007. driving-cloud-adoption-everything-service-era- [65] A. O’Neill. Definitional issues in functional it. [retrieved: Dec, encryption. IACR Cryptology ePrint Archive, 2014]. 556, 2010. [77] R. L. Rivest, L. Adleman, and M. L. [66] Oracle. Transparent data encryption. Dertouzos. On Data Banks and Privacy http://www.oracle.com/technetwork/data- Homomorphisms, pages 169–179. Academic base/options/advanced-security/index- Press, New York, 1982. 099011.html. [78] A. Sahai and B. Waters. Fuzzy identity-based [67] R. Ostrovsky, A. Sahai, and B. Waters. encryption. In EUROCRYPT, volume 3494, Attribute-based encryption with pages 457–473. Springer, 2005. non-monotonic access structures. In 14th [79] R. Sheikh, D. K. Mishra, and B. Kumar. ACM Conference on CCS, pages 195–203. Secure multiparty computation: From ACM, 2007. millionaires problem to anonymizer. [68] P. Paillier. Public-key cryptosystems based on Information Security Journal: A Global composite degree residuosity classes. In Perspective, 20(1):25–33, January 2011. EUROCRYPT, pages 223–238, Prague, Czech [80] Skyhigh. Cloud security and enablement. Republic, 1999. https://www.skyhighnetworks.com/. [69] V. Pappas, F. Krell, B. Vo, V. Kolesnikov, [retrieved: Feb, 2016]. T. Malkin, S. G. Choi, W. George, [81] D. Song, D. Wagner, and A. Perrig. Practical A. Keromytis, and S. Bellovin. Blind seer: A techniques for searches on encrypted data. In scalable private dbms. In IEEE S&P, IEEE S&P, Berkeley, USA, 2000. Oakland, CA, USA, 2014. [82] SqlCipher. Database encryption. [70] R. A. Popa, F. H. Li, and N. Zeldovich. An https://www.zetetic.net/sqlcipher/. ideal-security protocol for order-preserving [retrieved: Oct, 2014]. encoding. In IEEE S&P, Berkeley, California, [83] S. Tu, M. F. Kaashoek, S. Madden, and USA, 2013. N. Zeldovich. Processing analytical queries [71] R. A. Popa, C. M. S. Redfield, N. Zeldovich, over encrypted data. In VLDB, volume 6 of 5, and H. Balakrishnan. Cryptdb: Protecting pages 289–300, Trento, Italy, 2013. confidentiality with encrypted query [84] M. v. Dijk, C. Gentry, S. Halevi, and processing. In ACM Symp. on OSP, Cascais, V. Vaikuntanathan. Fully homomorphic Portugal, 2011. encryption over the integers. In [72] K. P. N. Puttaswamy, C. Kruegel, , and B. Y. EUROCRYPT, Nice, France, 2010. Zhao. Silverline: toward data confidentiality [85] B. Waters. A punctured programming in storage-intensive cloud applications. In approach to adaptively secure functional ACM SOCC, Cascais, Portugal, 2011. encryption. Technical report, University of [73] R. R. Ravan, N. B. Idris, and Z. Mehrabani. Texas at Austin, 2014. A survey on querying encrypted data for [86] A. C. Yao. Protocols for secure computations. database as a service. In CyberC, pages 14–18, In 23rd Symp. on Foundations of CS, pages Beijing, Oct. 2013. IEEE Computer Society. 160–164, Indore, India, 1982. [74] European Union Agency for Network and I. Security. Survey: An sme perspective on cloud computing.