Paper 2016/893

Building web applications on top of encrypted data using Mylar

Raluca Ada Popa, Emily Stark, Jonas Helfer, Steven Valdez, Nickolai Zeldovich, M. Frans Kaashoek, and Hari Balakrishnan


Web applications rely on servers to store and process confidential information. However, anyone who gains access to the server (e.g., an attacker, a curious administrator, or a government) can obtain all of the data stored there. This paper presents Mylar, a platform that provides end-to-end encryption to web applications. Mylar protects the confidentiality of sensitive data fields against attackers that gained access to servers. Mylar stores sensitive data encrypted on the server, and decrypts that data only in users’ browsers. Mylar addresses three challenges in making this approach work. First, Mylar allows the server to perform keyword search over encrypted documents, even if the documents are encrypted with different keys. Second, Mylar allows users to share keys securely in the presence of an active adversary. Finally, Mylar ensures that client-side application code is authentic, even if the server is malicious. Results with a prototype of Mylar built on top of the Meteor framework are promising: porting 6 applications required changing just 36 lines of code on average, and the performance overheads are modest, amounting to a 17% throughput loss and a 50 ms latency increase for sending a message in a chat application.

Available format(s)
Publication info
Published elsewhere. MINOR revision.NSDI 2014
web securityend-to-end encryption
Contact author(s)
mylar @ mit edu
2016-09-14: received
Short URL
Creative Commons Attribution


      author = {Raluca Ada Popa and Emily Stark and Jonas Helfer and Steven Valdez and Nickolai Zeldovich and M.  Frans Kaashoek and Hari Balakrishnan},
      title = {Building web applications on top of encrypted data using Mylar},
      howpublished = {Cryptology ePrint Archive, Paper 2016/893},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.