Security Limitations of Using Secret Sharing for Data Outsourcing

  • Jonathan L. Dautrich
  • Chinya V. Ravishankar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7371)


Three recently proposed schemes use secret sharing to support privacy-preserving data outsourcing. Each secret in the database is split into n shares, which are distributed to independent data servers. A trusted client can use any k shares to reconstruct the secret. These schemes claim to offer security even when k or more servers collude, as long as certain information such as the finite field prime is known only to the client. We present a concrete attack that refutes this claim by demonstrating that security is lost in all three schemes when k or more servers collude. Our attack runs on commodity hardware and recovers an 8192-bit prime and all secret values in less than an hour for k = 8.
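The (k, n) threshold mechanism the abstract refers to, as an added example that is not code from the paper or from the three schemes: Shamir-style sharing over a prime field, plus the same interpolation done without the modulus to show why those schemes treat the prime as a client-side secret. The prime, secret, coefficients and x-coordinates are small constructed values; the abstract reports that keeping the prime private does not hold up once k or more servers collude.

```python
from fractions import Fraction

# Constructed toy parameters (not from the paper): a small prime field,
# one secret, k = 3 of n = 5 servers, fixed polynomial coefficients.
P, SECRET, K = 1613, 1234, 3
XS, COEFFS = [1, 2, 3, 4, 5], [166, 94]

def split(secret, k, xs, coeffs, p):
    """Evaluate q(x) = secret + c1*x + ... + c_{k-1}*x^(k-1) mod p at each x."""
    if len(coeffs) != k - 1:
        raise ValueError("a degree k-1 polynomial needs k-1 random coefficients")
    poly = [secret] + list(coeffs)
    return [(x, sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p) for x in xs]

def reconstruct(shares, p):
    """Client side: Lagrange interpolation at x = 0 over GF(p)."""
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret

def interpolate_without_modulus(shares):
    """Same interpolation over the rationals, i.e. without knowing p."""
    total = Fraction(0)
    for j, (xj, yj) in enumerate(shares):
        term = Fraction(yj)
        for m, (xm, _) in enumerate(shares):
            if m != j:
                term *= Fraction(-xm, xj - xm)
        total += term
    return total

SHARES = split(SECRET, K, XS, COEFFS, P)

if __name__ == "__main__":
    print("shares:", SHARES)
    print("any k shares, with p:", reconstruct(SHARES[:K], P),
          reconstruct(SHARES[2:], P))
    print("k shares, no modulus:", interpolate_without_modulus(SHARES[:K]))
```
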


Keywords: Data Server, Range Query, Point Query, Secret Sharing Scheme, Data Outsource
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Jonathan L. Dautrich (1)
  • Chinya V. Ravishankar (1)
  1. University of California, Riverside, USA
