Okay, so here's a reminder of the efficiency parameters that we want to optimize in searchable symmetric encryption. There's the space usage of the scheme, which is the size of the encrypted database, and ideally we would like it to be O(N), where N is the size of the original database. There's the read efficiency of the scheme, which is the ratio between the number of bits that the server reads with each query and the actual size of the result, and ideally we would like this ratio to be constant. And there's the locality of the scheme, which is the number of non-contiguous memory locations that the server accesses with each query, and ideally we would like it to be a constant number of locations. So let's go over existing schemes and lower bounds. In our work we focus on schemes that do not modify the encrypted database while searching. While this captures most schemes, ORAM-based techniques, such as in the work that we've just heard about, are not captured by our work. And we consider schemes that have what is called minimal leakage, which means that they leak only the size of the database, the size of the result of each query that is performed, and the query repetition pattern (what is called the search pattern), that is, which queries are repeated. First, there are various schemes that did not take locality into account. They have optimal space and read efficiency; however, the locality is as bad as O(N). Then Cash and Tessaro suggested a scheme with space O(N log N), locality O(log N), and constant read efficiency. It was later improved by Asharov et al. to have constant locality, and was later generalized by Demertzis and Papamanthou to support arbitrary locality: for locality L, the space is O(N log N / log L). Their scheme actually also supports non-constant read efficiency; however, in those cases the leakage is not minimal.
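As a small illustration (my own toy code, not part of the talk), the two query-time metrics can be computed for a single query from the set of memory intervals that the server reads:

```python
def query_cost(intervals, result_bits):
    """Toy metrics for one query, given the half-open memory
    intervals [start, end) that the server reads (in bits).

    locality        = number of non-contiguous regions accessed
    read efficiency = total bits read / size of the actual result
    """
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:         # touching or overlapping
            merged[-1][1] = max(merged[-1][1], end)   # coalesce into one region
        else:
            merged.append([start, end])
    bits_read = sum(end - start for start, end in merged)
    return len(merged), bits_read / result_bits

# One contiguous 256-bit read for a 128-bit result:
# locality 1, read efficiency 2.0
print(query_cost([(0, 256)], 128))
```

An ideal scheme keeps both numbers constant; the schemes surveyed next trade these off against space.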
And in terms of lower bounds, there's the lower bound of Cash and Tessaro that applies to schemes that have non-overlapping reads, which roughly means that the locations that are accessed when querying different keywords do not have a significant overlap. They show that such schemes cannot have both optimal space and locality. All of the above schemes do indeed have non-overlapping reads, so this explains why they can't be optimal in all parameters. But still there's a substantial gap between the lower bound and the upper bounds, so in this work we ask: can we close this gap? Now, not all schemes have non-overlapping reads, and the two such instances are as follows. The first one is another scheme by Asharov et al. with optimal space and locality, so they circumvent the lower bound of Cash and Tessaro, but still the read efficiency is not optimal: it's Õ(log N). They also improved the read efficiency to Õ(log log N); however, this scheme only works under the assumption that no keyword appears in more than N^(1 - 1/log log N) documents. Now, in terms of lower bounds, they show a lower bound that applies to schemes that fall into a framework that we call the statistical-independence framework, which roughly means that the locations that are accessed when querying different keywords are essentially independent. They show that in such a scheme with space O(N), or even larger, and locality O(1), when querying a keyword w associated with n_w documents, the read efficiency must be a super-constant function times 1/ε(n_w), where n_w is the number of documents associated with w, and ε(n_w) is the unique ε such that N^(1-ε) = n_w. The above two schemes indeed fall into this framework, so the lower bound explains why the assumption on the Õ(log log N) scheme is necessary. But still there's a gap between the lower bound and the upper bounds, so we again ask: can we close this gap?
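To make the quantity ε(n_w) concrete, here's a small Python sketch (my own illustration, not from the talk) computing it directly from the defining equation N^(1-ε) = n_w:

```python
import math

def epsilon(N, n_w):
    """The unique epsilon satisfying N**(1 - epsilon) == n_w.

    Taking logarithms: (1 - epsilon) * log N = log n_w,
    so epsilon = 1 - log(n_w) / log(N).
    """
    return 1.0 - math.log(n_w) / math.log(N)

# A keyword appearing in sqrt(N) documents has epsilon = 0.5,
# so the lower bound on read efficiency is only omega(1) * 2.
print(epsilon(2**20, 2**10))
```

Note that ε(n_w) shrinks as n_w approaches N, which is why the lower bound on read efficiency grows for very frequent keywords.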
And our contributions are as follows. We observe that all current SSE techniques in this context fall into two frameworks. The first one is the already mentioned statistical-independence framework, and the second one is a new framework that we introduce and call the pad-and-split framework. This framework refines the non-overlapping-reads property, but still captures the same existing schemes. Within this framework, we show a tight lower bound that matches the scheme of Demertzis and Papamanthou. And within the statistical-independence framework, our main result is an improved upper bound: we construct a new SSE scheme, and it actually matches the lower bound of Asharov et al. for a range of parameters, as we will see. More formally, in the pad-and-split framework, our lower bound states that a scheme with locality L must have space Ω(N log N / log L). And within the statistical-independence framework, we construct a new SSE scheme with optimal space and locality, whose read efficiency depends on the size of the result n_w and matches the lower bound up to an additive O(log log log N) term; the ω(1) term can be any super-constant function. Still, our scheme works under the assumption that no keyword appears in more than N/log³ N documents, which is a far less restrictive assumption than the previous one. What this means is that as long as n_w is not too large, our read efficiency is as small as O(log log log N), and for larger values of n_w, our read efficiency matches the lower bound. In this talk I will focus on our scheme; for the pad-and-split framework and lower bound, please check our paper. So, to understand our scheme, we need to understand the Õ(log log N) scheme of Asharov et al. What they do is introduce a process called two-dimensional two-choice allocation, which on a high level is a way to allocate lists into bins with the following two desired properties.
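As a quick sanity check on the pad-and-split trade-off (a toy snippet of my own, not code from the paper), one can evaluate the N log N / log L space bound that the scheme of Demertzis and Papamanthou matches:

```python
import math

def space_bound(N, L):
    """Pad-and-split lower bound on space (up to constant factors)
    for a scheme with locality L: N * log(N) / log(L)."""
    return N * math.log(N) / math.log(L)

# Increasing the allowed locality L lowers the required space,
# interpolating between N log N (L = 2) and roughly N (large L).
N = 2**20
for L in (2, 2**5, 2**10):
    print(L, space_bound(N, L))
```

The two endpoints recover the known schemes: constant locality forces an N log N blow-up, while polynomial locality allows nearly linear space.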
The first property is that the elements of each list are placed in consecutive bins, which helps us in terms of locality. The second is that the location of the first element of each list is in one out of two random bins, which allows proving security via the statistical-independence framework. To prevent bins from overflowing, what they do is limit the length of each list and set the size of each bin to Õ(log log N). This results in their scheme that has space O(N) and locality O(1), and the read efficiency is Õ(log log N) because instead of reading a single element, they read entire bins (actually, two bins per element). So our idea is to actually allow overflows. We show that, assuming all lists are of length at most N/log³ N, if we set the size of each bin to O(log log log N) and the number of bins accordingly, then there are at most N/log N overflowing elements. The remaining question is: what should we do with those overflowing lists? Here's a naive attempt to solve this: maybe we should use the first scheme of Asharov et al. for those overflowing lists. The reason to do that is because it has optimal locality and read efficiency, and even though its space overhead is not optimal (it is n log n for n elements), in our case n is actually N/log N, so this only costs an additional O(N) space. But the problem with this solution is its security, because it reveals which lists are overflowing, and this in turn leaks information about the database itself. So our solution is to modify the scheme of Asharov et al. such that it will not reveal whether a list is stored in it or not. I won't go into the technical details of this, but the key idea is to avoid rehashing the hash tables in their scheme by using cuckoo hashing with a stash. And since the stash size depends on the length of the list, our read efficiency depends on the size of the result.
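To convey the flavor of the allocation process, here's a toy sketch under my own simplifying assumptions (not the actual construction): each list is written into consecutive bins, one element per bin, starting at the less-loaded of two random candidate bins, and elements that would land in a full bin are collected as overflow.

```python
import random

def allocate(lists, num_bins, bin_capacity, seed=0):
    """Toy two-choice allocation of lists into bins.

    Each list occupies consecutive bins (wrapping around), starting
    at whichever of two random candidate positions currently gives
    the lighter window of bins; overflowing elements are set aside.
    """
    rng = random.Random(seed)
    bins = [[] for _ in range(num_bins)]
    overflow = []

    def window_load(start, length):
        return sum(len(bins[(start + i) % num_bins]) for i in range(length))

    for lst in lists:
        # two random candidate starting positions for this list
        c1, c2 = rng.randrange(num_bins), rng.randrange(num_bins)
        start = c1 if window_load(c1, len(lst)) <= window_load(c2, len(lst)) else c2
        for i, elem in enumerate(lst):
            b = bins[(start + i) % num_bins]
            if len(b) < bin_capacity:
                b.append(elem)
            else:
                overflow.append(elem)
    return bins, overflow
```

In the real scheme the server reads both candidate windows on every query (hence two bins per element), so the access pattern looks identical whichever choice was taken, which is what lets the security proof go through the statistical-independence framework.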
So this results in an SSE scheme with space O(N) and locality O(1), where the read efficiency consists of two terms: the first one is caused by the size of each bin, and the second one is caused by the stash size. So to conclude, here's a summary of our results. Thank you for listening.