Motivated by the ”database-as-service ” paradigm wherein data owned by a client is hosted on a third-party server, there is significant interest in secure query evaluation over encrypted databases. We consider this problem for XML databases. We consider an attack model where the attacker may possess exact knowledge about the domain values and their occurrence frequencies, and we wish to protect sensitive structural information as well as value associations. We capture such security requirements using a novel notion of security constraints. For security reasons, sensitive parts of the hosted database are encrypted. There is a tension between data security and efficiency of query evaluation for different granularities of encryption. We show that finding an optimal, secure encryption scheme is NP-hard. For speeding up query processing, we propose to keep metadata, consisting of structure and value indices, on the server. We want to prevent the server, or an attacker who gains access to the server, from learning sensitive information in the database. We propose security properties for such a hosted XML database system to satisfy and prove that our proposal satisfies these properties. Intuitively, this means the attacker cannot improve his prior belief probability distribution about which candidate database led to the given encrypted database, by looking at the encrypted database as well as the metadata. We also prove that by observing a series of queries and their answers, the attacker cannot improve his prior belief probability distribution over which sensitive queries (structural or value associations) hold in the hosted database. Finally, we demonstrate with a detailed set of experiments that our techniques enable efficient query processing while satisfying the security properties defined in the paper. 1.

The trend towards outsourcing increases the number of documents stored at external service providers. This storage model, however, raises privacy and security concerns because the service providers cannot be trusted with respect to maintaining the privacy of the documents. The research project SemCrypt 1 explores techniques for processing queries and updates over encrypted XML documents stored at untrusted servers. By performing encryption and decryption only on the client and not on the server, SemCrypt guarantees that neither the document structure nor the document content are disclosed on the server. Filtering query results and processing as much as possible of the query/update statement on the server does not depend on special encryption techniques. Instead, the chosen approach exploits the structural semantics of XML documents and uses standard, well-proven encryption techniques. SemCrypt thus enables to query and update encrypted XML documents on untrusted servers while ensuring data privacy. 1.