Enhancing Access Privacy of Range Retrievals over B+Trees
Abstract:
Users of databases that are hosted on shared servers cannot take for granted that their queries will not be disclosed to unauthorized parties. Even if the database is encrypted, an adversary who is monitoring the I/O activity on the server may still be able to infer some information about a user query. For the particular case of a B+-tree that has its nodes encrypted, we identify properties that enable the ordering among the leaf nodes to be deduced. These properties allow us to construct adversarial algorithms to recover the B+-tree structure from the I/O traces generated by range queries. Combining this structure with knowledge of the key distribution (or the plaintext database itself), the adversary can infer the selection range of user queries. To counter the threat, we propose a privacy-enhancing PB+-tree index which ensures that there is high uncertainty about what data the user has worked on, even to a knowledgeable adversary who has observed numerous query executions. The core idea in PB+-tree is to conceal the order of the leaf nodes in an encrypted B+-tree. In particular, it groups the nodes of the tree into buckets, and employs homomorphic encryption techniques to prevent the adversary from pinpointing the exact nodes retrieved by range queries. PB+-tree can be tuned to balance its privacy strength with the computational and I/O overheads incurred. Moreover, it can be adapted to protect access privacy in cases where the attacker additionally knows a priori the access frequencies of key values. Experiments demonstrate that PB+-tree effectively impairs the adversary's ability to recover the B+-tree structure and deduce the query ranges in all considered scenarios.
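The following is an added simulation, not code from the paper, that quantifies the uncertainty the abstract refers to: for a toy B+-tree it counts how many distinct key ranges would produce the same I/O trace (the anonymity set of a query) when leaves are fetched individually versus when shuffled leaves are fetched in whole buckets. The bucketing here is a constructed stand-in for the PB+-tree idea (no homomorphic encryption is modelled), and the fan-out, leaf count and bucket size are arbitrary parameters chosen for illustration.

```python
import random
from collections import Counter

FANOUT = 4          # keys per leaf (constructed toy parameters)
N_LEAVES = 8
N_KEYS = FANOUT * N_LEAVES


def leaves_for_range(lo, hi):
    """Leaf IDs a range query [lo, hi] reads in a plain B+-tree whose
    leaf i holds keys i*FANOUT .. (i+1)*FANOUT-1 in key order. In the
    plain tree these IDs are exactly what the I/O trace exposes."""
    return tuple(range(lo // FANOUT, hi // FANOUT + 1))


def bucket_assignment(bucket_size, seed=1):
    """Constructed stand-in for bucketing: shuffle the leaves, then group
    them so that a bucket ID carries no information about key order."""
    order = list(range(N_LEAVES))
    random.Random(seed).shuffle(order)
    return {leaf: pos // bucket_size for pos, leaf in enumerate(order)}


def bucketed_trace(lo, hi, leaf_to_bucket):
    """What the server observes when whole buckets are fetched: an
    unordered set of bucket IDs, never the individual leaves inside."""
    return frozenset(leaf_to_bucket[l] for l in leaves_for_range(lo, hi))


def anonymity_sets(trace_fn):
    """For every possible range, count how many ranges (itself included)
    yield an identical trace. An adversary who knows the key distribution
    cannot distinguish ranges that share a trace, so larger is better."""
    ranges = [(lo, hi) for lo in range(N_KEYS) for hi in range(lo, N_KEYS)]
    counts = Counter(trace_fn(lo, hi) for lo, hi in ranges)
    return {(lo, hi): counts[trace_fn(lo, hi)] for lo, hi in ranges}


def min_anonymity(trace_fn):
    """Worst case over all ranges: the smallest anonymity set."""
    return min(anonymity_sets(trace_fn).values())


def compare(bucket_size):
    """Return (plain, bucketed) worst-case anonymity sets for a bucket size.
    Since a bucket trace is a coarsening of the leaf trace, the bucketed
    value is never smaller; bucket_size == N_LEAVES hides everything."""
    l2b = bucket_assignment(bucket_size)
    plain = min_anonymity(leaves_for_range)
    bucketed = min_anonymity(lambda lo, hi: bucketed_trace(lo, hi, l2b))
    return plain, bucketed
```

Increasing the bucket size trades I/O (more leaves read per query) for a larger worst-case anonymity set, which is the tuning knob the abstract describes.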