International Association
for Cryptologic Research

In this talk I will present the design, analysis, and implementation of Pancake, the first system to protect key-value stores from access pattern leakage attacks with small constant factor bandwidth overhead. First, I will outline our new formal security model, and explain why it captures realistic attacks. Then, I will describe our frequency smoothing mechanism, which provably transforms plaintext accesses into uniformly-distributed encrypted accesses. Finally, I will explain the implementation and evaluation of the Pancake system itself. We integrated Pancake into three key-value stores used in production clusters, and demonstrated its practicality: on standard benchmarks, PANCAKE achieves 229× better throughput than non-recursive Path ORAM - within 3-6× of insecure baselines for these key-value stores.

We bypass impossibility results for the deterministic encryption of public-key-dependent messages, showing that, in this setting, the classical Encrypt-with-Hash scheme provides message-recovery security, across a broad range of message distributions. The proof relies on a new variant of the forking lemma in which the random oracle is reprogrammed on just a single fork point rather than on all points past the fork.