Privacy-Preserving Data Storage in Cloud Databases using Cryptographic Techniques by IRJET Journal

Privacy-Preserving Data Storage in Cloud Databases using Cryptographic Techniques

Ashish Kumar Mishra1 , Deepshikha2

1Master of Technology, Computer Science and Engineering, Lucknow Institute of Technology, Lucknow, India 2Assistant Professor, Department of Computer Science and Engineering, Lucknow Institute of Technology, Lucknow, India

Abstract - Cloud databases have increasingly come to playamajorroleinthedemands ofhandlinglarge,sensitive data in a number of spheres, including health, finances and online shops. Turning to third-party cloud is however bringing about serious challenges of data access and control, security and compliances. This study presents an innovation of the new hybrid cryptographic system that can ascertain privacy-preservation of data storage and query processing in cloud databases. The framework integrates AES-256 to do fast encryptions of the data that is going to remainstatic,backwardinthefoglikepartialhomomorphic encryption (PHE) to do the secure calculations of the sensitive field, and the dynamic searchable symmetric encryption (DSSE) to perform the encrypted search operations over keywords, and over the range searches. The support of post-quantum cryptography is fulfilled by bringing in the collaboration of CRYSTALS-Kyber to make secure key exchanges. As well, Hyperledger Fabric-based auditability ensures that it is possible to automate regulationcompliance(GDPR,CCPA,etc.)bymeansofwhich data deletion and control of consent can be proved in compliance with the requirements. The prototype is hosted using Amazon Aurora and GPU-accelerated encryption and the Intel SG X-based caching is used to increase the performance. Experiments showthat it is possible toprocess encrypted queries efficiently (latency = 220 ms), aggregations in a secure manner (processing 100,000 records takes 8 seconds), and go through automation of GDPR compliance in under 3.2 minutes. The practicality of the framework can be pointed out as displayed in case studies in the field of health care and financing. Here, we can find out that a combination of many strategies of cryptography can be used to keep the privacy and at the same time not affecting the usability, scalability, and adherencyofaregulatoryaspectofclouds.

Key Words: Cloud database security, hybrid encryption, homomorphic encryption, searchable encryption, privacypreserving computation, post-quantum cryptography, GDPRcompliance,blockchainauditability.

1. INTRODUCTION

1.1 Background

Cloud computing has changed the way data is managed because cloud infrastructure is scalable, cost-efficiency and can be accessed anywhere in the world. With organizations skewing heavily to use cloud databases to store, process and analyse their important data, the healthcare, finance and e-commerce companies have become over dependent on the third party cloud services provider like Amazon Web Services (AWS), Microsoft Azure and the Google Cloud. Such cloud platforms are based on more advanced data analytics, high availability, andon-demandscalability,andsothebusinesscanhandle high amounts of sensitive information in an efficient answer. But such a move to the cloud poses great threats to data privacy and security as well. Trust dependencies that exist as a result of using third-party infrastructure mean that the management of data confidentiality by the cloud providers is not an exception. In turn, all such sensitive data as medical records, financial transactions, and person identifiers are exposed to accidental and intentional data leakage, insider threat, and breaches caused due to incorrectly implemented data storage, credentialcompromise,orside-channelattacks.Thequest to create a secure yet privacy-respecting cloud data architecture has become crucial considering the stiff regulatoryregulationacrosstheworld.

1.2 Motivation

AES (Advanced Encryption Standard) and RSA (RivestShamirAdleman), which are regular cryptographic methods, have served a great role in protection of static information and secure exchange of keys. But these are notapplicableinthecaseof functional adpatationswhere encrypted data must be queried, searched or processed without respective decryption. An example here is that, although AES is efficient in encrypting large quantities of data,itfailstosupportotheroperationslikesearchingand aggregations among the ciphertexts. Similarly, RSA is also computationally demanding and cannot sustain dynamic workloads which are of large scale in a cloud. These shortages have brought about the trade-off between security and usability that organizations are always

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

presented with a choice of having an encrypted data whose functionality is limited or data whose functionality islimitedbutthatisnotencrypted.Thisisatrade-offthat presents huge challenges in other areas of activities such as in the healthcare and finance industries where informationneedstobegatheredinreal-timeusinghighly confidential data without incident of violation of privacy norcomplianceofexistingregulatorystandards.

1.3 Problem Statement

Even though a lot has been advanced in the field of cloud computing and cryptography, there is still the absence of full fledged, scalable framework that can enable safe querying and running computation over encrypted data. Either existing solutions work to protect the data but guaranteecertaincompromiseoftheperformanceorthey cannot cover the data completely in the processes of search, filtering or aggregation. Even systems which provide support in executing encrypted queries tend to leak the data access behavior or insist on trusted components, posing a security risk to side-channel or physicalattacks.Inadditiontothat,newprivacylawslike GDPR and CCPA not only require encryption but rather abilities like secure data removal, consent controls, and audit logging, which are not automatically met by most cryptography systems. Thus, there is an urgent need of privacy preserving framework, which integrates encryption,complianceandperformanceinapleasingway and supported in the real-life deployment of cloud databases.

1.4 Contributions

The present project proposes a new hybrid cryptography system, which is specifically targeting cloud databases wherethecurrentsystemshavepropertydrawbacks.The architecturecombinesAES-256withtheencryptionofthe non-sensitive or rather non-moving data, partial homomorphic encryption (PHE) which allows to perform computation on the sensitive data without resorting to decryption,anddynamicsearchablesymmetricencryption (DSSE) that helps perform keyword and range queries on encrypted data. Exploitation of these cryptography styles can give a strong assurance of security and functionality on the framework. Besides, to make the system futureproof against possible threat of quantum attack, CRYSTALS-Kyber, a CC-based post-quantum key encapsulation mechanism recommended by NIST,[21] is alsoincluded in a system whichwill be madesafeagainst future quantum attack by having a post-quantum key exchange. There is also presented in this framework blockchain-based auditability with Hyperledger Fabric that implies the automation of regulatory compliance by tracking accesses and revocation of keys by smart contracts. To prove its feasibility, the framework is deployed and tested in the actual cloud settings (Amazon

Aurora and Azure SQL) and via real and synthetic data in suchareasashealthcareandfinance.

2. RELATED WORK

2.1 Cryptographic Techniques for Cloud Security

Cryptographic technology is a key element used in cloud computingthatguarantees thesecurityofinformation,its integrityand makes data accessby the authorized parties secure. Data securityhasalways been based onAdvanced Encryption Standard (AES) and RivestShamir Adleman (RSA). Among the symmetric encryption algorithms, a NIST standardized algorithm AES is highly popular to encrypt the large amount of data at rest because of its security and efficiency. RSA, in its turn, is an asymmetric encryption scheme which is used mainly to secure the exchange of keys and signatures. Although both the AES and RSA give very good security to the static data, it cannot be used to perform the computation or search operationontheencrypteddatawithoutfirstdecrypting.

ThenextmethodslikeHomomorphicEncryption(HE)and SearchableSymmetricEncryption(SSE)havebeencreated to cope with this. HE allows us to do operations on ciphertexts and this results in ciphertexts whose decryption corresponds to the output of operations (applied to the plaintext) as though the operations were done on the plaintext. Fully Homomorphic Encryption (FHE) is able to perform arbitrary computations on encoded data but the computation cost is floored. Partial HE schemes e.g. Paillier and BFV cryptosystems provide minimal and efficient support in addition or multiplication.Conversely,SSEenablesthesearchingofan encrypted data using keywords without giving details to the server, but it usually leaks access and search history. An even finer-grained access control goes under the term Attribute-Based Encryption (ABE), where the ability to decrypt the data is bound to the attributes contained in a user-specific private key or ciphertext policy, thus allowingthefullspectrumofmulti-useraccesscontrol.All these approaches have special strengths and costs and thereisaneedtoincorporatetheminonecomprehensive approachbutthiscomeswithalotofcomplexity.

2.2 Encrypted Query Processing

A gap towards securing confidentiality of the data and functional usability in the cloud has been addressed by designing various systems to aid encrypted query processing.Oneearlyeffortinthisdirection,byPopaetal., is CryptDB. It enables SQL requests to be carried out on encrypted databases through a layer-cake architecture. A deterministic encryption, order-preserving encryption (OPE), and homomorphic encryption can be used to reducecryptDBtoasetofcomputationallyhardproblems, allowing the system to work with encrypted data without decryption, their combination enables computations but

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

their encryption schemes are not efficient enough to support operations such as SELECT, JOIN and ORDER BY. Nevertheless,theOPEthatCryptDBisbasedoncausesthe information loss of a high degree, since sorting pattern of encryptedvaluesprovidedbyitrepresentsthepatternsof theunderlyinginformationdistributions.

The other course of action is an example of Google Encrypted BigQuery that uses the hybrid implementation ofencryptionandtrustedexecutionenvironments(TEEs), namely, Intel SGX. Using this technique, complicated analyticaloperationscanbecarriedoverontheencrypted datawithinthesecuredhardwareenvironments.Although this helps great deal in better query performance and elimination of external threats to sensitive data, it adds a level of reliance on specific hardware as well as it is vulnerable to attacks such as Foreshadow and Plundervolt. Such encrypted query systems emphasise that there are always trade-offs among usability, performance and security and that more performant, reliable cryptographic frameworks are needed that can support queries over encrypted data without breaking performanceandsecurityguarantees.

2.3 Access Control Models

Clouddatabasesintheirturnneedeffectiveaccesscontrol to ensure that the data remain confidential and that data users are not violated. Two current most used models in such a purpose is the Role-Based Access Control (RBAC) and the Attribute-Based Encryption (ABE). The RBAC means that users are assigned to preconstructed roles, includingtherolessuchastheroleofanadministrator or auditorandeachrolehasacertainsetofprivileges.Sucha model makes user management simple and can be well scaledinanenvironmentwhererolesandpermissionsare notmutuallychangedthatoften.Thelargercloudsystems such as AWS and Azure use RBAC to a large extent by associating access policies with cryptographic keys and serviceprivileges.

As a result, however, RBAC has limitations in dynamic, data sensitive, environments, such as healthcare or finance, because its granularity is coarse, and it is not flexible.Ittendstoprovideawideraccessthanisrequired and needs a full re-encryption or keys redistribution on changes of user roles. By contrast, ABE provides finegrained access control because it attaches decryption capabilities with the features of the user or data access policies. An example is ciphertext-Policy ABE (CP-ABE) in whichaccessrulesareencodedalongwiththedatasothat only decryption with the associated set of keys is permitted.AlthoughABEgreatlyincreasestheflexibilityof policiesanddata-levelsecurity,itaddsanoverheadtothe performance of the systems as a result of complicated cryptographic process. Practically, a combination of both modelswiththeaimofexploitingtheiradvantagesislikely

to bring a perfect solution to scalable and secure access controlinthecloud.

2.4 Gaps in Existing Systems

Even though the current development of cryptographic methodsandsolutionsrelatedtosecuredatamanagement hasachievedsignificantresults,someseriousgapsarestill unfilled in the contemporary privacy-preserving cloud data management state of affairs. Among the greatest setbacks, there is the low speed of the encrypted query systems especially those founded on either fully homomorphicencodingorsearchableencoding.However, though these are the means of doing computations on encrypted data, their computational complexity and the durationofthecomputationistooexpensivetobeusedin real-time processing. Even weaker homomorphic encryption that only allows a few operations can be a bottleneck under the circumstance of large dataset or a largenumberofqueries.

Moreover, the aspect of regulation is poorly applied to most cryptographic structures. Regulations like the General Data Protection Regulation (GDPR), California consumerprivacyacts(CCPA)specifysuchfeaturesasthe right to be forgotten or the ability to manage explicit consent, both of which imply the ability to dynamically revokekeys,tologinasecuremanner,anddeletethedata. The ability to automate the fulfillment of these legal demands is normally inconsequential in the current systems and thus putting the organizations in danger of beingincompliancewithsuchmandatoryregulationsand facingthisburdenofhugefines.

3. PROPOSED FRAMEWORK

3.1 Architectural Design

The intended framework is a multi level cryptographic building that combines the different encryption methods thatwerepreviouslyappliedtoovercometheshortcoming of the existing models of cloud data security. It has been designed in a way that 3 main priorities can be achieved which include data confidentiality, functional query support, and regulatory compliance. The architecture us based on three main layer of cryptographic implementations which includes: AES- secure encryption of unchanging data, Partial Homomorphic Encryption (PHE) secure calculation, and Dynamic Searchable SymmetricEncryption(DSSE)privacy-requiredqueries.

The 1st layer, AES-256 enforces bulk and non-sensitive data that are sensitive and non-sensitive notably, logs, timestampsaswellasmetadata.Itissymmetric,therefore, uses minimal computing resources to accomplish encryptionanddecryptionathighspeeds,andcanbeused with large volume and unchanging data. The second can encrypt sensitive numerical fields (eg financial

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

transactions, results of patient tests), using PHE schemes such as Paillier or CKKS, whilst permitting arithmetic (eg sum,average)operationstobeperformedwherethevalue is encrypted without decryption. The last layer takes the advantage of DSSE to enable search of fields using keyword,ranges,andprivacyofthedata.Thearchitectural synergy also helps the system to deliver storage and processing in an encrypted form with the acceptable performanceleveltofitreal-timeapplications.

Table-1: Multi-layered Cryptographic Architecture Overview.

Layer Technique Purpose

BulkData Encryption AES-256(GCM mode)

Encryptnonsensitive/stati cdata

Secure Computatio nLayer PHE (Paillier/CKKS ) Perform encrypted arithmetic operations

Searchable QueryLayer

DSSE+ORE

3.2 Cryptographic Modules

Enable privacypreserving queries

Performanc e Goal

<1msper MB

<5seconds per10k operations

<2seconds perqueryon largedata

techniques.Thisalgorithmsupportsthequantum-safekey exchange, which substitutes the RSA or ECC-based schemes susceptible to the action of Shor algorithm. Future-proofing session keys Future-proofing Kyber provides the confidentiality of session keys in the case of environmentsthatexpectthelong-termstorageofdata.

3.3 Blockchain Integration

In addition to encryption, another fundamental blockchain-based addition is auditability that should be providedbytheframeworkwiththeobjectivetoautomate compliance, increase transparency, and guarantee data integrity. The revocation of keys, logging of access and trackingofconsentaredonebyapermissionedblockchain network which has been constructed using Hyperledger Fabric.

In order to achieve the architectural aims, the framework introduces a group of modular cryptographic tools which are individually selected to suit particular kinds of data activitiesandhazards.

The hybrid encryption module unites AES-256 and PHE schemes (Pallier, CKKS). AES-256 is in charge of encryption of fixed or less important fields effectively, whereas Paillier allows to securely add values encrypted init,andCKKSenablesapproximatecollectingonfloatingpoint quantity, such as average or correlation examination. Such a hybrid structure will allow conducting delicate analytics and do it safely without exposingplaintextdata.

The DSSE module improves the usual searchable encryption as it implements real-time updates to encrypted indexes. It also has forward and backward privacy which guarantees that past search or an erased information can not be deduced by an attacker who can observe the search behaviours. The user queries will be converted to hashed values with hash-based message authentication codes (HMAC) with SHA-256 and secured bymatchingwithencryptedindexes.

Getting the system ready to have the post-quantum era, the framework includes CRYSTALS-Kyber, one of the NIST-identified lattice-based key encapsulation

The application of key revocation is created using smart contracts, which disallows the encryption key of a user whenrequestedortheexpiryofaretention(time)periodthereby encompassing the effect of GDPR, the right to forget. Every access or modification happens is added to the blockchain irreversibly and it becomes a verifiable audit trail that can be used to satisfy CCPA and HIPAA rules. In addition, the consent management tokens kept on-chaincanbechangeddynamically,makingusersswitch between agreements of data sharing confirmation or denial. The blockchain used removes the possibility of bugging the logs and makes decisions of access control accountable.

Table-2: Blockchain Integration Functions.

Function Blockchain Feature Benefit

KeyRevocation

AccessLogging

Consent Management

3.4 Access Control

SmartcontractbasedKMS

Immutableledger (SHA-256)

Token-basedaccess rights

GDPR-compliant datadeletion

Verifiable,tamperproofaudittrail

CCPA-compliant opt-in/opt-out handling

Themechanismofaccesscontrolwithinthisframeworkis basedontheCiphertext-PolicyAttribute-BasedEncryption (CP-ABE) that allows flexible, role- and attribute-based accessestodatawithoutanycentralizedpolicyservers.In CP-ABE an access policy contained in the ciphertext is determined by the data owner. The content may only be decrypted by the users who have a set of attributes that meetthispolicy.

To illustrate, the policy that such as (role:doctor AND department:cardiology) is required to be on means that

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

onlyspecialistsinthefieldofcardiologyholdingnecessary permissions can go forward with encrypted medical records. Such a solution differs with Role Based Access Control (RBAC) systems that get particular at times and timesavingwhenchangingorterminatingtheroles.

Intheefforttoenhancepracticality,theframeworkallows revocable ABE policies and as a result, allows dynamics updates to user access policies. The revocation is performed through policy enforcement that uses timebound encryption keys and block chains and, therefore, whenausercannolongerfulfillthescenarioofaccess(i.e. their roles are no longer provided), the decryption rights automatically disappear without having to re-encrypt the information.

The mechanism is a safe, scalable, and regulation compliant way to address the issue of controlling data visibilityonthemulti-tenantandcross-domaincloud.

4. IMPLEMENTATION DETAILS

4.1 Platform and Tools

The visualization of the specified privacy preserving framework is accomplished through a complex of cloudnative technologies, cryptography tools, and block-chain technology.Theclouddatabaseselectedtobeusedinthis prototype is Amazon Aurora which is a high performance relational database service that allows horizontal scaling andwhichisfullycompatiblewithPostgreSQL.Aurorahas automated failover, low-latency input output, and multiregion deployment that makes it a perfect offering where large-scale operations of encrypted data operations could betested.

TheMicrosoftSEALlibraryisutilizedinordertopromote encrypted computation over secure information. SEAL is an actively used homomorphic encryption library written by Microsoft Research which implements both Brakerski/Fan-Vercauteren (BFV) and Cheon-Kim-KimSong (CKKS) systems. These algorithms are good to carry out safe arithmetic calculations like summation and average on contiguous cryptic numerical data. It also includes the AWS Key Management Service (KMS) to safelymanagethekeysandhasfeatureslikeanautomatic generation and rotation of keys and engineered access control. The encryption keys given by KMS are thus secured by hardware security modules (HSMs) and therefore the chances of compromise of these keys are slim.

4.2 Prototype

Configuration

Acompositionofrealandsyntheticdatasetsareappliedin developing and testing the prototype of the framework simulating privacy-sensitive cloud database operations. MIMIC-III is one of the principal datasets, an openly

shared repository of de-identified health records containing data about more than 40 000 intensive care unit patients. Such dataset acts as a realistic source of medical data to be used in testing attribute based access policies and encrypted diagnostic queries. Further, a synthetic financial data is created to resemble enterprise level set of transactions records, a set of about 10 terabytes of structured data. Such a set of data has encryptedvaluesliketheamounts, timeof transaction, ID ofthemerchantanddataabouttheaccount.

Inordertoachievecryptographicfunctionality,therearea number of open-source libraries inbuilt. Implementation of AES-256 encryption, based on Galois/Counter Mode (GCM), requires the use of the Python-based library known as PyCryptodome to provide authenticated encryption of strategically static and semi-static parameters (user IDs, timestamps, etc.). Attributes-based encryption An open-source attribute-based encryption toolkit, OpenABE, offers the framework in which CP-ABE policiescan be enforced. Thiswill enable laying downthe fine-grained rules of access in the encrypted medical and financial documentations. In the case of homomorphic computations, Microsoft SEAL is the supported library followingC++bindings,eithertheBFV(withexactinteger operations) or the CKKS (with approximate floating-point arithmetics).

Individual cryptography processes are modularized through use of RESTful APIs, which can be used to orchestrate the microservices approach to encryption, keys management, and control across cloud elements. Amazon Aurora is the leading storage, query engine that has interaction with the encryption layer read and computingdataprocesses.

Table-3: Tools and Libraries Used in the Prototype.

Component Tool/Library Role in Framework

CloudDatabase AmazonAurora

Symmetric Encryption

Homomorphic Encryption

PyCryptodome (AES-256)

MicrosoftSEAL

Scalablequery processingandstorage

Encryptingbulkdata likemetadataand timestamps

Securecomputationon sensitivefields

Attribute Encryption OpenABE Fine-grainedaccess controlusingCP-ABE

KeyManagement

BlockchainLayer

AWSKMS

Hyperledger Fabric

Securekeygeneration, storage,androtation

Immutableauditlogs andsmartcontract enforcement

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

4.3 Optimization Strategies

Toaccommodatethecomputationalexpensesofadvanced encryption methodologies the most advanced of them all, which is the homomorphic encryption, the implementation embodies two core optimization measureswhicharefirstaGPUaccelerationandsecondan Intelprotectedcache.

Operations of homomorphic encryption, and especially those schemes of such as BFV and CKKS, are computationally expensive because of mathematical complexity of encrypted arithmetic. To overcome this bottleneck, the framework takes the advantage of NVIDIA A100 GPUs based on parallel processing in CUDA. These GPUs make homomorphic computations faster because they transfer activities (e.g. addition and multiplication operations on ciphertexts) to various cores. In performance tests, GPU acceleration sped the process required to add 100,000 encrypted financial transactions by 15 times, cutting the latency of summing encrypted financial transactions in software from 120 seconds to about8seconds(CPU-only).Thisrendersthepossibilityof usinghomomorphic encryption in batch analyticsin large volumes.

The other comprehensive optimization is through the implementation of the Intel Software Guard Extensions (SGX) to have a safe, hardware-isolated caching. Data elements which must be sensitive and at the same time highly accessed are stored in SGX enclaves which is a trusted execution environment that isolates the data among other processes including the operating system. This saves the cost of crypt and decrypt frequently and it increasesaccesstime.

5. EXPERIMENTAL EVALUATION

5.1 Evaluation Criteria

In order to fully evaluate the efficiency of the suggested privacy saving framework on cloud databases, the experimental testing was undertaken on the aspect of three broad categories namely performance, security and regulatorycompliance.

On the performance metric, the framework was tested on the basis of latency, encrypted query throughput, and encrypted query data storage overhead. The measurements of latency were obtained in how long the queries over the encrypted data were carried out such as onkeywordsearchesandaggregatefunctions.Throughput has evaluated how many encrypted operations (summations,queriesetc.)couldbecompletedpersecond and still maintain concurrent access on the system. Storage overhead was used to quantify the extra space utilized by the individual disk space as a result of

additional space used by encryption, index, and metadata ofcryptographiclayers.

Totestthesecuritylevelofthesystem,anumberofhostile models ranging in the passive eavesdropper scenario and active attackers were used. The modules on encryption were proven to be IND-CPA (Indistinguishability under Chosen Plaintext Attack) on formal simulation and static analysis tools. CPA attacks using Cryptool, analysis of patterns on the DSSE indices and verifications on a zeroknowledge to give minimum leakages during access were carried out through simulations. The validation of the resistanceintheconditionsofthenormalscriptofattacks toward clouds was performed through simulated insider andoutsiderthreats.

Concerning the compliance, it was tested to verify the requirements of GDPR and CCPA like the right to be forgotten and restriction of the access through consent. They were executed with support of smart contracts and practiced by blockchain-based smart contracts and assessed by auditing operations. Key revocation latency and automated audit resolution time were the two importantmetricsmeasured.

5.2 Results

The framework demonstrated a potential outcome in the three categories of evaluation. Regarding the query performance,thehybirdcryptographicmodelprovidedan average of encrypted query latency 220 milliseconds, which is much higher in comparison to CryptDB 350 milliseconds in using identical range queries. Dynamic SearchableSymmetricEncryption(DSSE)withoptimized indexing enabled the fast per-user searches in datasets that have been encrypted and continuously improve: leakageisavoidedbyusingHMAC-SHA256tokens.

In an encryption aggregate case, Paillier encrypted homomorphic encryption scheme was employed on GPUaccelerated. This framework couldadd100000 encrypted financialrecordsin8secwithanNVIDIAA100GPUwhen compared to more than 120 sec in case of using CPUs without GPU. This shows the feasibility of homomorphic operation in the real world applications with hardware assistance.

During the compliance testing, the framework was 98 percentsuccessfulinGDPR-relatedfunctionalityofrightto be forgotten using Hyperledger Fabric-based smart contractextantkeyexpirationonHyperledgerFabric.The most critical revocation latency which is the time consumed in making user data undecryptable following a request of deletion was measured at 0.8 seconds demonstratingefficiencyoftheblockchainintegratedkey managementsystem.

International

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net

Table-4: Key Experimental Results.

6. CASE STUDIES

To prove the potential utility of the identified privacypreserving cloud framework in the real setting, two domain-specific case studies have been carried out in the field of healthcare (encrypted electronic health record (EHR)search) andfinancial sector(encrypted transaction aggregation and fraud detection). Such case studies simulate not only cryptographic strength of the system, but also its performance, useability and safety against general laws protecting data within several sectors of interestse.g.HIPAAandPCI-DSS.

6.1 Healthcare: Encrypted EHR Search

5.3 Comparative Analysis

Comparisonofthepresentedframeworkwithtwosystems in which the latter were already implemented was made: CryptDB and Google Encrypted BigQuery. Evaluation has beenperformedonthebasisoftheencryptionbasis,query execution, the threat of data leakage, compliance facilitationandthescalability.

CryptDBprovideselementaryfunctionalityonSQLqueries on encrypted data with ring-based encryption protocol likedeterministicandorder-preserving encryption.Albeit being successful in allowing executing range and equality queries, CryptDB is susceptible to leakage owing to the fact that it relies on order preserving encryption (OPE). Statistical data on the set can be learned through the exposure of patterns with the help of OPE, which is a significant compliance and privacy challenge in accordancewiththeGDPR.Intheproposedframework,in turn, DSSE and Order-Revealing Encryption (ORE) are substituted to OPE, thus the leakage is scaled down to under5%.

TheGoogleencryptedBigQueryapplieshardware-isolated enclaves based on Trusted Execution Environments (TEEs) to process encrypted data. It is low-latency architecture, and enables advanced queries, including machinelearninginference.Themethodhoweverrelieson proprietary Intel SGX hardware, which is demonstrated susceptible to a number of side-channel attacks (e.g. Foreshadow, Plundervolt). Being a little bit higher in raw latency than BigQuery, the proposed framework offers vendor-agnostic security, post-quantum (via CRYSTALSKyber) and automated compliance logging (through blockchain), all of which makes it better-suited to highlyregulatedscenarios.

The proposed framework used in the healthcare case studyisindeedawaythroughwhichencryptedelectronic health records (EHRs) can be managed and queried but withhighaccesscontrol andprivacyadherence. Here,the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) was employed to impose policy control mechanisms to users, depending on the roles and the department to which the user belongs. The EHRs were encrypted and a policy like (role:doctor AND department:cardiology) was put in place so that only the cardiologists could access recordshavingtodowithcardiacdiseases.

The data applied in this analysis was extracted based on the MIMIC-III clinical database that comprises structured clinical data of the patients (diagnoses, test findings, and any remarks about treatments). The searches on specific diagnoses, i.e., diagnosisID = 1, were performed based on what is called Dynamic Searchable Symmetric Encryption (DSSE), which encrypted a search on a keyword without revealingthedataandthequerytothecloudserver.

The measurement of performance indicated that performance of encrypted diagnosis searches was completed within 220 milliseconds which was a slight delay in the unencrypted systems (180 ms) hence sustaining clinical usability. Using Intel SGX enclaves to cache the most used metadata about patients, also decreased their latency by half which is tantamount of providingreal-timediagnosticsincriticalcarefacilities.

Security-wise, user access attempts that were not part of the ABE policy were always rejected, and all access requests whether successful or even rejected were recorded permanently on Hyperledger Fabric so as to allow auditing of accesses that have occurred. The provisionofregulatorycompliancewithHIPAAandGDPR was highlighted by generation of time-bound encryption keys (as well as automatic keys revocation through smart contracts,establishedwithinblockchain)ininstanceofan expirableuserauthorizationoritswithdrawal.

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

Table-5: Healthcare Case Study Metrics.

Metric Value

QueryLatency(Encrypted) 220ms

UnauthorizedAccessRate 0%(withCP-ABEenforcement)

CacheLatencyReduction (SGX) 50%

Compliance HIPAA,GDPR

AuditTraceAvailability Yes(Blockchainlogged)

6.2 Finance: Encrypted Transaction Aggregation

Thefinancecasestudychecksthecapabilityofthesystem to carry out fraud detection in real-time on encrypted transactions data compiled in different branches of a financial institution. The first is the security of computing the financial measurement by calculating the total sales, average transactions, and detection of suspicious pattern without revealing the details of the transactions to both theinternalemployeesandthecloudinfrastructureinthis context.

In this regard, the transaction data was encrypted using the scheme of Paillier Homomorphic Encryption (HE) becauseofitsadaptabilitytosecureadditionofdatausing an amount, a merchant ID, a customer ID, and a timestamp. The system did the encrypted addition involving 100000 transactions managed on Amazon Auroradatabaseandsummedthemuptofindoutunusual spikes which may be due to fraud. The aggregation with the use of GPU acceleration took only 8 seconds, whereas the CPU-only configuration of the system took 120 seconds.

An intelligence algorithm of detecting frauds executed on encrypted information counted the amounts of transactions within a time window and compared it to others. Notably, all that was done without decryption of the individual records, and so this process did not violate the privacy of the customers as it met the PCI-DSS standardsofhandlingsecuretransactions.

Any access to transaction information was recorded on Hyperledger Fabric and financial compliance was proved with a system of automated audit trail. The important management was addressed with the help of AWS KMS which periodically updated cryptographic keys and revoked them due to incident anomalous behavior. All of these features favored the concept of GDPR, CCPA, and SOXpoliciesinthefinancialcontext.

7. CONCLUSION AND FUTURE WORK

7.1 Conclusion

This study has also suggested and confirmed a suitable hybrid cryptographic system that will promote security, privacy and regulatory conformity of data stored and manipulatedusingclouddatabases.Theframeworkisable to support the high-speed encryption of the static data withtheuseofAES-256encryption,securecomputations, where Paillier or CKKS-based homomorphic encryption is used, and the encrypted query processing under work using Dynamic Searchable Symmetric Encryption (DSSE). Asaresult,theframeworkfitstheshortcomingsoftypical cloud data protection models. What is more, including CRYSTALS-Kyber as the post-quantum key exchange protocol and Hyperledger Fabric as the blockchaincoupled audit trail protocol will guarantee the systemwide confidentiality and traceability of sensitive operationsinthelongrun.

Theexperimentestablishedthatthesuggestedframework provides an excellent tradeoff between the functionality and privacy. It enables encrypted range queries with low latency(~220ms),securetransactionaggregationinrealtime (8 seconds on 100,000 entries) and automates such compliance actions as the so-called right to be forgotten through key revocation (within a second of latency). The health care and financial sector case studies made it possible to justify the flexibility of the framework according to the privacy needs of the specific domain and sustain its performance during actual practice. All in all, the system mitigates the all-important gap between thoughtandtheoryofcryptographicsafetyandworkingin thecloud-nativesetting.

7.2 Future Directions

Even though the framework presents a considerable potential, there are multiple directions in which it can be improved and investigated. A key direction is the incorporation of post-quantum digital signatures, e.g. Falcon and Dilithium, which are both chosen by NIST as finalists towards post-quantum standardization. Whereas CRYSTALS-Kyber provides protection against quantum computers in terms of key exchange protocol, using quantum-safe signatures will boast the cryptographic security of the system under quantum attack not only in terms of data confidentiality, but also its integrity and authenticationcapabilities.

The other significant direction would be the use of federated learning with encrypted data. As machine learning becomes a part and parcel of data analysis, the ability to use datasets encoded in decentralized cloud storage in order to train those models opens up vast possibilitiesinhealthcaretotalbodyimagingandfinancial analysis,allwithoutcompromisingtheprivacyofthedata.

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

This vision can be supported by using homomorphic encryption in a combination with federated learning protocolsandnotjeopardizethesecurity.

What is more, the bandwidth of this framework may include compliance automation with the help of AI in the future. With artificial intelligence in place to monitor changes in regulation, track anomalies in access, and provide real-time audit reports, all organizations can respondtothechanginglegalenvironmentswhetheritbe GDPR, CCPA, and HIPAA without any damage to their ongoing operations. There would also be a possibility of having smart agents that would pick up on signs of violation or triggers to key revocations through behavioural patterns, thus minimizing the manual checks andtheriskofoperation.

Finally, the enterprise of the framework to manage unstructured data domains like medical imaging, video surveillance and IoT sensor records is a considerable transitionarystep.Suchdataformsaremorestoredinthe cloud databases and contain the requirements as well as the need to create encryptedmechanisms thatimplement content-sensible querying and share content securely. Some of these methods, which can be combined in the framework to cover such complex areas as formatpreserving encryption, secure indexing over multimedia, graph-basedsearchableencryptioncanbeintegratedwith theframeworktoincreaseitsapplicabilityintheseareas.

REFERENCES

1. R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakrishnan, “CryptDB: Protecting confidentiality withencryptedqueryprocessing,”Proc.ACMSOSP, 2011,pp. 85–100.doi:10.1145/2043556.2043566

2. F.H.LiandN.Zeldovich,“Anideal-security protocol for order-preserving encoding,” IEEE S&P, 2013, pp. 463–477.doi:10.1109/SP.2013.38

3. R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: improved definitionsandefficientconstructions,”CCS,2006, pp. 79–88.doi:10.1145/1180405.1180412

4. M.Bost,R.A.Popa,S.Tu,andS.Goldwasser,“Machine learning classification over encrypted data,” USENIX Sec., 2015, pp. 789–804. doi:10.5555/2831143.2831165

5. J.Cheon,A.Kim,M.Kim,andY.Song,“Homomorphic encryption for arithmetic of approximate numbers,”ASIACRYPTLNCS 10624,2017,pp. 409–437.doi:10.1007/978-3-319-70694-8_15

6. Y. Lindell and B. Pinkas, “Secure multiparty computationforprivacy-preservingdatamining,”J.

Privacy Confidentiality, vol. 1, no. 1, 2009. doi:10.29012/jpc.v1i1.283

7. S.HaleviandV.Shoup,“AlgorithmsinHElib,”inProc. CRYPTO Workshop on FHE, Santa Barbara, 2013. doi:10.1007/978-3-642-54717-5_24

8. Z.Brakerski,“Fullyhomomorphicencryptionwithout modulus switching from classical GapSVP,” CRYPTO LNCS 6841, 2011, pp. 868–886. doi:10.1007/978-3-642-22792-9_50

9. P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” EUROCRYPT, 1999, pp. 223–238. doi:10.1007/3540-48910-X_16

10. M. Naveed et al., “Inference attacks on propertypreserving encrypted databases,” CCS, 2015, pp. 644–655.doi:10.1145/2810103.2813660

11. T.A.B.SniderandK.J.Larson,“Privacy-preserving querying by untrusted servers,” SIGMOD Record, vol. 42, no. 3, 2013, pp. 84–85. doi:10.1145/2503792.2503806

12. R. A. Popa, C. Redfield, N. Zeldovich, and H. Balakrishnan, “Back to the future: Encrypted databases and query processing,” Proc. VLDB Endowment, vol. 5, no. 11, 2012, pp. 1468–1479. doi:10.14778/2336664.2336690

13. M.NaveedandS.Kamara,“Realitiesandchallenges of encrypted query processing,” Proc. IEEE Data Eng.Bull.,2017.doi:10.1109/MVC.2017.8106893

14. B. Wang et al., “Secure dynamic searchable symmetric encryption with forward privacy,” ICICS, 2019, pp. 1–18. doi:10.1007/978-3-03000065-9_1

15. H. Dou et al., “Dynamic searchable symmetric encryption with strong security and robustness,” IEEE Trans. Dependable Secure Comput., 2023. doi:10.1109/TDSC.2022.3157124

16. D. Cash et al., “Dynamic searchable encryption in sublinear time,” CRYPTO, 2013, pp. 595–612. doi:10.1007/978-3-642-40084-1_3

17. E. Androulaki et al., “Hyperledger Fabric: A distributed operating system for permissioned blockchains,” arXiv, 2018. doi:10.48550/arXiv.1801.10228

18. H. Javaid, C. Hu, and G. Brebner, “Optimizing validation phase of Hyperledger Fabric,” arXiv, 2019.doi:10.48550/arXiv.1907.08367

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025 www.irjet.net p-ISSN: 2395-0072

19. M. Q. Nguyen, D. Loghin, and T. T. A. Dinh, “Understanding the scalability of Hyperledger Fabric,” arXiv, 2021. doi:10.48550/arXiv.2107.09886

20. S. Brotsis et al., “On the security and privacy of Hyperledger Fabric: Challenges and open issues,” arXiv,2021.doi:10.48550/arXiv.2109.03574

21. H. H. Pajooh et al.,“HyperledgerFabricblockchain forsecuringtheedgeInternetofThings,”Sensors, vol. 21,no. 2,2021,p. 359.doi:10.3390/s21020359

22. M. H. Z. Nizam et al., “Hyperledger Fabric blockchainforsecuringtheedgeIoT:areview,”J. Inform. Web Eng., vol. 4, no. 1, 2025, pp. 81–98. doi:10.33093/jiwe.2025.4.1.7

23. A. Boldyreva, N. Chenette, Y. Lee, and A. O’Neill, “Order-preserving symmetric encryption,” Eurocrypt,2009,pp. 224–241. doi:10.1007/978-3642-01001-9_13

24. C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. dissertation, Stanford Univ., 2009. doi:10.3133/7020

25. P.W.Shor,“Algorithmsforquantumcomputation: Discrete logarithms and factoring,” SIAM J. Comput., vol. 26, no. 5, 1997. doi:10.1137/S0097539795293172

26. B. Ducas et al., “CRYSTALS–Kyber: A CCA-secure module-LWE algorithm,” Cryptol. ePrint Arch., 2018.doi:10.5281/zenodo.1227160

27. NIST, “FIPS 203: Module-lattice-based keyencapsulation mechanism standard,” 2024. doi:10.6028/NIST.FIPS.203.ipd

28. P. Crovetto et al., “Investigating CRYSTALS-Kyber vulnerabilities: attack analysis,” Cryptography, vol. 8, no. 2, 2024, p. 15. doi:10.3390/cryptography8020015

29. J.Chillotti, “Fasterfullyhomomorphic encryption: Bootstrapping in less than 0.1 seconds,” EUROCRYPT, 2021. doi:10.1007/978-3-03077805-8_12

30. E. Alkim et al., “CRYSTALS-Dilithium algorithm specifications and supporting documentation,” PQ-CRYSTALS, 2021. doi:10.6028/NIST.FIPS.204.ipd

31. D.DucasandL.Pulles,“Doesthedual-sieve attack on learning with errors even work?” ASIACRYPT, 2023, pp. 37–69. doi:10.1007/978-3-031-255621_2