IHOP: Improved Statistical Query Recovery against Searchable Symmetric Encryption through Quadratic Optimization
This work poses a severe threat to privacy-preserving SSE schemes by demonstrating that statistical query recovery attacks can be highly effective, even against defenses like PANCAKE, impacting users relying on encrypted search for data privacy.
The authors tackled the problem of query recovery attacks against Searchable Symmetric Encryption (SSE) by developing IHOP, a statistical-based attack that formulates query recovery as a quadratic optimization problem, achieving almost perfect accuracy in some cases and outperforming other statistical attacks across various datasets and defenses.
Effective query recovery attacks against Searchable Symmetric Encryption (SSE) schemes typically rely on auxiliary ground-truth information about the queries or dataset. Query recovery is also possible under the weaker statistical auxiliary information assumption, although statistical-based attacks achieve lower accuracy and are not considered a serious threat. In this work we present IHOP, a statistical-based query recovery attack that formulates query recovery as a quadratic optimization problem and reaches a solution by iterating over linear assignment problems. We perform an extensive evaluation with five real datasets, and show that IHOP outperforms all other statistical-based query recovery attacks under different parameter and leakage configurations, including the case where the client uses some access-pattern obfuscation defenses. In some cases, our attack achieves almost perfect query recovery accuracy. Finally, we use IHOP in a frequency-only leakage setting where the client's queries are correlated, and show that our attack can exploit query dependencies even when PANCAKE, a recent frequency-hiding defense by Grubbs et al., is applied. Our findings indicate that statistical query recovery attacks pose a severe threat to privacy-preserving SSE schemes.