Lina Qiu, Georgios Kellaris, N. Mamoulis, Kobbi Nissim, G. Kollios
Title: Doquet: Differentially Oblivious Range and Join Queries with Private Data Structures
Journal: Proc. VLDB Endow.
Volume: 58 1
Pages: 4160-4173
Publication date: 2023-09-01
Publication type: Journal Article
DOI: 10.14778/3625054.3625055 (https://doi.org/10.14778/3625054.3625055)
Open access: no
Source platform: Semantic Scholar
Citations: 0
Abstract
Most cloud service providers offer limited data privacy guarantees, discouraging clients from using them to manage sensitive data. Cloud providers may use servers with Trusted Execution Environments (TEEs) to protect outsourced data while still supporting remote querying. However, TEEs may leak access patterns and allow communication volume attacks, enabling an honest-but-curious cloud provider to learn sensitive information. Oblivious algorithms can completely hide data access patterns, but their high overhead can render them impractical. To alleviate the latter, the notion of Differential Obliviousness (DO) has recently been proposed. DO applies differential privacy (DP) to access patterns while hiding the communication volume of intermediate and final results; it does so by trading some level of privacy for efficiency. We present Doquet (Differentially Oblivious Range and Join Queries with Private Data Structures), a framework for DO outsourced database systems. Doquet is the first approach that supports private data structures, indices, selection, foreign key join, many-to-many join, and their composition (select-join) in a realistic TEE setting, even when accesses to the private memory can be eavesdropped on by the adversary. We prove that the algorithms in Doquet satisfy differential obliviousness. Furthermore, we implemented Doquet and tested it on a machine with a second-generation Intel SGX (TEE); the results show that Doquet offers up to an order of magnitude speedup in comparison with other fully oblivious and differentially oblivious approaches.
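The abstract's central trade-off (hide the result volume with DP noise instead of always padding to the worst case) is easier to see with a minimal worked example. The following Python is an added illustration, not Doquet's code or any algorithm from the paper: it pads the row count returned by a range query with shifted, truncated Laplace noise so that the observed volume is (eps, delta)-differentially private with respect to the true match count, and contrasts that with the worst-case padding a fully oblivious scheme would send. The sample table, the query bounds, the parameter values and all function names are constructed for the example; real DO systems such as Doquet also have to protect the access pattern inside the TEE, which this example does not attempt.

```python
"""Added illustration of differentially oblivious (DO) result-volume padding.

This is not Doquet's algorithm. It shows only the idea the abstract states:
pad the number of rows sent back with DP noise so the communication volume
leaks at most an (eps, delta)-DP amount about the true match count, rather
than always padding to the worst case as a fully oblivious scheme must.
Table, parameters and helper names are constructed for the example.
"""
import math
import random
from typing import List, Tuple

Row = Tuple[int, str]
DUMMY: Row = (-1, "DUMMY")          # filler row the client discards

# Constructed sample table: 200 rows keyed 1..200 (assumption, not real data).
SAMPLE_TABLE: List[Row] = [(i, f"rec-{i}") for i in range(1, 201)]


def dp_shift(eps: float, delta: float) -> int:
    """Smallest integer s with Pr[Laplace(0, 1/eps) < -s] <= delta.

    A count query has sensitivity 1 (adding/removing one row moves the
    count by at most 1), so Laplace noise of scale b = 1/eps gives eps-DP.
    Pr[X < -s] = exp(-s*eps)/2, hence s = ceil(ln(1/delta)/eps) suffices.
    """
    return math.ceil(math.log(1.0 / delta) / eps)


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) drawn as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def do_padded_size(true_count: int, max_count: int, eps: float, delta: float,
                   rng: random.Random) -> int:
    """Noisy, non-negative padding target for a sensitivity-1 count.

    Clipping below at true_count (we can never send fewer rows than match)
    is the only data-dependent step; it triggers with probability <= delta,
    which is what turns pure eps-DP into (eps, delta)-DP. Clipping above at
    max_count is data-independent post-processing and costs nothing.
    """
    noisy = true_count + dp_shift(eps, delta) + round(laplace_sample(1.0 / eps, rng))
    return max(true_count, min(max_count, noisy))


def fully_oblivious_size(max_count: int) -> int:
    """A fully oblivious scheme hides the volume by always sending the maximum."""
    return max_count


def range_query_padded(table: List[Row], lo: int, hi: int, eps: float, delta: float,
                       rng: random.Random) -> List[Row]:
    """Answer key in [lo, hi] and pad the reply to a DO-noised row count."""
    matches = [r for r in table if lo <= r[0] <= hi]
    target = do_padded_size(len(matches), len(table), eps, delta, rng)
    return matches + [DUMMY] * (target - len(matches))


def strip_dummies(rows: List[Row]) -> List[Row]:
    """Client-side post-processing: drop the filler rows."""
    return [r for r in rows if r != DUMMY]


def mean_padded_size(true_count: int, max_count: int, eps: float, delta: float,
                     trials: int, seed: int) -> float:
    """Average DO reply size over repeated draws (for the efficiency comparison)."""
    rng = random.Random(seed)
    return sum(do_padded_size(true_count, max_count, eps, delta, rng)
               for _ in range(trials)) / trials


if __name__ == "__main__":
    eps, delta = 0.5, 1e-6
    rng = random.Random(7)
    reply = range_query_padded(SAMPLE_TABLE, 10, 19, eps, delta, rng)
    print(f"true matches: {len(strip_dummies(reply))}, rows sent: {len(reply)}")
    print(f"DO shift for eps={eps}, delta={delta}: {dp_shift(eps, delta)} rows")
    print(f"mean DO reply for 50 matches in 1,000,000 rows: "
          f"{mean_padded_size(50, 10**6, eps, delta, 2000, 1):.1f}")
    print(f"fully oblivious reply for the same query: {fully_oblivious_size(10**6)}")
```

The shift grows only logarithmically in 1/delta and linearly in 1/eps, which is where the efficiency comes from: with eps = 0.5 and delta = 10^-6 the DO reply carries a few dozen extra rows regardless of table size, while the fully oblivious reply is always the whole table. Tightening eps towards zero pushes the shift and the noise up and the two approaches converge, which is the privacy-for-efficiency trade the abstract describes.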