Searchable Symmetric Encryption (SSE) schemes allow a client to perform secure searches over encrypted databases on a remote server. These schemes leak certain information that an honest-but-curious service provider can use to recover the keywords of the client's queries. Effective query recovery attacks typically rely on auxiliary ground-truth information about the queries or dataset. Query recovery is also possible under the weaker statistical auxiliary information assumption, although

more »

... ical-based attacks achieve lower accuracy and are not considered a serious threat. In this work we present IHOP, a statistical-based query recovery attack that formulates query recovery as a quadratic optimization problem and reaches a solution by iterating over linear assignment problems. We show that IHOP outperforms all other statistical-based query recovery attacks on SSE schemes with typical access and search pattern leakage, reaching query recovery accuracies around 80% and 90%. We adapt IHOP against access-pattern obfuscation defenses and show that it still achieves reasonable recovery rates, outperforming existing attacks in this scenario. Finally, we use IHOP in a frequency-only leakage setting where the client's queries are correlated, and show that our attack can exploit query dependencies even when PANCAKE, a recent frequency-hiding defense by Grubbs et al., is applied. Our findings indicate that statistical query recovery attacks pose a severe threat to privacy-preserving SSE schemes.