Response to "Breaking web applications built on top of encrypted data" (CCS 2016) by P. Grubbs, R. McPherson, M. Naveed, T. Ristenpart and V. Shmatikov

A paper by Grubbs et al. (CCS 2016) investigates the security of Mylar. The paper proposes three leakage/attack scenarios: the first two are outside of the scope of Mylar (and Grubbs et al. acknowledge this fact) and the third, an attack on search, was already described in the Mylar paper and does not work against Mylar. We elaborate on these points below.

Grubbs et al. also discuss Mylar's search model (which is described in detail in ePrint report 2013/508). The original definition described security in terms of two games, one focused on hiding data, and the other focused on hiding search tokens. They point out that Mylar's security definition for search could be stronger if it combined the two security games into one. We agree, and thank them for the observation. Nevertheless, we expect that Mylar's search scheme remains secure under a combined security definition (we have not yet proven this formally). Finally, we thank Grubbs et al. for pointing out that some high-level statements in the Mylar paper were unclear. We clarified these in the updated Mylar paper, posted on Crypto ePrint.

In the updated paper, we also took the opportunity to describe in more detail the security guarantees of Mylar.


Response to the document "Mylar: The Guide for the Perplexed" by Grubbs et al.

After we posted our technical response above, Grubbs et al. produced and distributed a Q&A called "Mylar: The Guide for the Perplexed". Their Q&A is inaccurate in several ways. Below, we address the major points.

Last modified on 11/01/2016.