Rishabh Poddar:

Why cannot CryptDB combine the Ord and Add onions in just one onion containing the OPE, HOM and RND encryption schemes? (Ignore OPE-JOIN here - it was actually never used.)

Multiple onions cannot be combined because the computations supported by the different encryption schemes cannot always be ordered, and the outer encryption scheme might lose its functionality over the plaintext because of the inner encryption scheme. For example, creating a single onion with OPE as the inner layer and HOM as the outer layer defeats the functionality of the HOM scheme; HOM(x) allows additions over a plaintext x while it remains encrypted, but HOM(OPE(x)) does not allow additions over x - it allows additions over OPE(x) instead. Similarly, if OPE were made the outer layer, then it would preserve the order of the inner HOM(x) values, but not of x (since HOM does not preserve order).

Describe the purpose of the onions in CryptDB.

Onions in CryptDB allow CryptDB to use the most secure encryption schemes that enable running the requested queries on the data. Multiple onions are maintained for different fields in a table for various computations. Each onion consists of multiple layers of increasingly stronger encryption. Each inner layer enables certain kinds of functionality (i.e. computations on encrypted data), while the outermost layer provides security. Further, each onion can only consist of layers such that the inner layers do not block the functionality of the outer layers. On receiving a query on a particular field, CryptDB selects the onion containing the strongest encryption layer which allows the required computation for that field. The outer layers of the onion are then decrypted by the server till the required layer using keys provided by the client (proxy).

In the applications surveyed in Fig. 9, what is the most common level of security that fields/columns have if all queries in the apps were to run at the server?

The most common level of security is high (i.e. at least IND-CPA secure), because most fields remain RND-encrypted in the steady state.
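The layering argument from the first answer, worked through as an added example (not part of the original answers and not CryptDB's code). A toy Paillier scheme stands in for HOM and a keyed increasing table stands in for OPE; the primes, key, function names and sample values are constructed for illustration only.

```python
import math
import random

# Toy Paillier (stand-in for HOM): multiplying ciphertexts adds plaintexts.
P, Q = 1009, 1013            # constructed demo primes, far too small for real use
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)
MU = pow(LAM, -1, N)         # valid because the generator is g = N + 1

def hom_enc(m, rng):
    r = rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(1, N)
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2

def hom_dec(c):
    return ((pow(c, LAM, N2) - 1) // N) * MU % N

def hom_add(c1, c2):
    return (c1 * c2) % N2

# Toy OPE stand-in: keyed, strictly increasing table over the domain 0..255.
def ope_table(key, domain=256):
    rng = random.Random(key)
    table, acc = [], 0
    for _ in range(domain):
        acc += rng.randrange(1000, 1016)   # positive gaps keep the order of x
        table.append(acc)
    return table

def demo(a=17, b=25, key=1234):
    rng = random.Random(key)   # not a CSPRNG; acceptable only in a toy
    ope = ope_table(key)
    # HOM alone: the server adds ciphertexts, the client decrypts a + b.
    hom_sum = hom_dec(hom_add(hom_enc(a, rng), hom_enc(b, rng)))
    # HOM over OPE: the addition lands on OPE(a) + OPE(b), not on a + b.
    layered = hom_dec(hom_add(hom_enc(ope[a], rng), hom_enc(ope[b], rng)))
    # OPE over HOM would order the HOM ciphertexts, so check whether those
    # ciphertexts follow the order of the plaintexts 0..31 (they do not).
    cts = [hom_enc(m, rng) for m in range(32)]
    return {
        "hom_sum": hom_sum,
        "layered_sum": layered,
        "ope_a": ope[a],
        "ope_b": ope[b],
        "ope_of_sum": ope[a + b],
        "hom_ordered": cts == sorted(cts),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The layered sum equals OPE(a) + OPE(b), which is neither a + b nor OPE(a + b), so the result is useless to a client that wanted the sum of the plaintexts.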