
Enc2DB: A Hybrid and Adaptive Encrypted Query Processing Framework

Hui Li, Jingwen Shi, Qi Tian, Zheng Li, Yan Fu, Bingqing Shen, Yaofeng Tu

TL;DR

Enc2DB addresses privacy in outsourced DBaaS by blending software-based cryptography and SGX TEEs to enable encrypted query processing on PostgreSQL/openGauss. It introduces a self-adaptive mode switch and a ciphertext index, enabling queries to be executed either in software or inside enclaves depending on runtime conditions. The main contributions are (1) a hybrid architecture with two deployment modes, (2) a ciphertext index implemented via user-defined data types and operators compatible with native optimizers, (3) a cost-based self-adaptive switch guided by a microbenchmark of EPC availability, and (4) an empirical evaluation on TPC-C showing significant performance gains over pure TEEs and cryptographic baselines. The results demonstrate practical viability and improved security posture through $\text{IND-OCPA}$ leakage protection and reduced storage expansion compared with conventional encrypted DBs.

Abstract

As cloud computing gains traction, data owners are outsourcing their data to cloud service providers (CSPs) for Database Service (DBaaS), which separates data ownership from data usage and intensifies privacy concerns, especially with potential breaches by hackers or CSP insiders. To address this, encrypted database services propose encrypting every tuple and query statement before submitting them to the CSP, ensuring data confidentiality when the CSP is honest-but-curious or even compromised. Existing solutions either employ property-preserving cryptographic schemes, which can perform certain operations over ciphertext without decrypting the data at the CSP, or use a trusted execution environment (TEE) to safeguard data and computations from the CSP. Building on these efforts, we introduce Enc2DB, a novel secure database system that follows a hybrid strategy on PostgreSQL and openGauss. We present a micro-benchmarking test and a self-adaptive mode switch strategy that can dynamically choose the best execution path (cryptography or TEE) to answer a given query. We also design and implement a ciphertext index compatible with the native cost model and query optimizers to accelerate query processing. An empirical study over the TPC-C test shows that Enc2DB outperforms pure TEE and cryptography solutions, and that our ciphertext index implementation also outperforms the state-of-the-art cryptography-based system.

Paper Structure (30 sections, 2 equations, 18 figures, 5 tables)

This paper contains 30 sections, 2 equations, 18 figures, 5 tables.

Figures (18)

  • Figure 1: System Architecture with components differentiated by mode: TEE-enabled (black and red) and Software-based (green).
  • Figure 2: EDL Definition of UDFs
  • Figure 3: Database System Partial UDF Definitions
  • Figure 4: Key Transfer Based on Remote Attestation
  • Figure 5: Execution efficiency of classical algorithms in SGX
  • ...and 13 more figures