A Multi-client DSSE Scheme Supporting Range Queries

Abstract

We consider the need for security while providing services that are comparable to that of traditional applications to fully exploit cloud services to its fullest potential. While Dynamic Searchable Symmetric Encryption (DSSE) supports such needs, we want to be able to protect against file-injection attacks. Hence, we require forward privacy and a scheme which allows for a wide range of searching capabilities. We propose an extension, based on the RSA problem, to a DSSE scheme that supports range queries allowing the scheme to also support multiple clients. Furthermore, we describe how we can further manage clients using Attribute-Based Encryption (ABE) such that clients cannot decrypt ciphertexts that fall outside of their access rights.

Appendix

Proof of Theorem 1.

For a one-way trapdoor permutation \( \varPi \), a PRF \( F \), random oracle hash functions \( H_{1} \) and \( H_{2} \) that outputs \( \mu \) and \( \lambda \) bits respectively.

$$ \begin{array}{*{20}c} {For,{\mathcal{L}}_{{{\text{MC}{-}}\Gamma _{\text{A}} }} = \left( {{\mathcal{L}}_{{{\text{MC}{-}}\Gamma _{\text{A}} }}^{\text{Srch}} ,{\mathcal{L}}_{{{\text{MC}{-}}\Gamma _{\text{A}} }}^{\text{Updt}} } \right)} \\ {s.t\,{\mathcal{L}}_{{{\text{MC}{-}}\Gamma _{\text{A}} }}^{\text{Srch}} \left( {\mathbf{n}} \right) = \left( {{\text{sp}}\left( {\mathbf{n}} \right),{\text{Hist}}\left( n \right),{\text{cp}}\left( n \right)} \right),} \\ {{\mathcal{L}}_{{{\text{MC}{-}}\Gamma _{\text{A}} }}^{\text{Updt}} \left( {add,n,ind} \right) = \bot } \\ \end{array} $$

where \( {\mathbf{n}} \) is a set of queried keywords s.t \( n \in {\mathbf{n}} \) . Then \( {\text{MC-}}\Gamma _{\text{A}} \) is \( {\mathcal{L}}_{{{\text{MC-}}\Gamma _{\text{A}} }} \) -adaptively-secure.

Proof.

Inherited from [5], we create a set of games, \( {\text{DSSEReal}}_{{\mathcal{A}}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right) \) and \( {\text{DSSEIdeal}}_{{{\mathcal{A}},S}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right). \)

Game \( \varvec{G}_{0} \). \( G_{0} \) is precisely portrays the real-world game \( {\text{DSSEReal}}_{{\mathcal{A}}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right). \)

$$ \Pr \left[ {DSSEReal_{{\mathcal{A}}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right) = 1} \right] = { \Pr }\left[ {G_{0} = 1} \right] $$

Game \( \varvec{G}_{1} \). In \( G_{1} \), a random key is select for an input of new keyword \( n \), instead of generating \( K_{n} \) through \( F \), removing the need to generate a client key, as such in Algorithm 2. The key is then stored in a table for later use. If an adversary \( {\mathcal{A}} \) can differentiate games \( G_{0} \) and \( G_{1} \), we can then make a reduction table to distinguish between \( F \) and a true random function. More formally, an efficient adversary \( B_{1} \) is made present s.t

$$ \Pr \left[ {G_{0} = 1} \right] - { \Pr }\left[ {G_{1} = 1} \right] \le Adv_{{F,B_{1} }}^{PRF} \left( {1^{\lambda } } \right) $$

Game \( \varvec{G}_{2} \), \( \varvec{ G}_{3} \). We replace hash functions \( H_{1} \) and \( H_{2} \) with random strings in \( G_{2} \) and \( G_{3} \) respectively. These games are as described in more detail in [5]. Where differentiating these games is depends on the hardness of the \( \varPi \), we conclude present an efficient adversary \( B_{2} \) s.t

$$ \Pr \left[ {G_{1} = 1} \right] - \Pr \left[ {G_{3} = 1} \right] \le 2N \cdot Adv_{{\varPi ,B_{2} }}^{OneWay} \left( {1^{\lambda } } \right) $$

where \( N \) is the number of times \( H_{1} \) and \( H_{2} \) ran.

Game \( \varvec{G}_{4} \). In \( G_{4} \), for the random generated encrypted strings of \( H_{1} \) and \( H_{2} \) that are stored, later reused in the search protocol for \( H_{1} \) and \( H_{2} \). Results in \( G_{4} \) to behave exactly like games \( G_{2} \) and \( G_{3} \) s.t

$$ \Pr \left[ {G_{4} = 1} \right] = \Pr \left[ {G_{2,3} = 1} \right] $$

Simulator \( \varvec{S} \). With respect to information leakage “contain pattern” (\( {\text{cp}} \)), an update token \( UT \) can be specifically reused to determine inclusive relationships between keywords. Consequently, the same can be done with “search pattern” (\( {\text{sp}} \)) “history” (\( {\text{Hist}} \)) to simulate the Search and Update operations. In Algorithm 3, we map range queries to a set of specified keywords \( {\mathbf{n}} \) s.t

$$ \Pr \left[ {G_{4} = 1} \right] = \Pr \left[ {{\text{DSSEIdeal}}_{{{\mathcal{A}},S}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right) = 1} \right] $$

Finally,

$$ \begin{array}{*{20}r} \hfill {\Pr \left[ {{\text{DSSEReal}}_{{\mathcal{A}}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right) } \right] - \Pr \left[ {{\text{DSSEIdeal}}_{{{\mathcal{A}},S}}^{{{\text{MC-}}\Gamma _{\text{A}} }} \left( {1^{\lambda } } \right) = 1} \right]} \\ \hfill { \le Adv_{{F,B_{1} }}^{PRF} \left( {1^{\lambda } } \right) + 2N \cdot Adv_{{\varPi ,B_{2} }}^{OneWay} \left( {1^{\lambda } } \right)} \\ \end{array} $$

completing the proof.