Abstract
Dynamic Searchable Symmetric Encryption (DSSE) enables a client to perform updates and searches on encrypted data, which makes it very useful in practice. To protect DSSE from the leakage of updates (which can break query or data privacy), two new security notions, forward and backward privacy, have been proposed recently. Although extensive attention has been paid to forward privacy, this is not the case for backward privacy. Backward privacy, first formally introduced by Bost et al., is classified into three types from weak to strong, namely Type-III to Type-I. To the best of our knowledge, however, no practical DSSE scheme without trusted hardware (e.g. SGX) has been proposed so far that achieves strong backward privacy with a constant number of roundtrips between the client and the server.
In this work, we present a new DSSE scheme by leveraging simple symmetric encryption with homomorphic addition and a bitmap index. The new scheme achieves both forward and backward privacy with one roundtrip. In particular, the backward privacy achieved by our scheme (denoted by Type-I\(^-\)) is stronger than Type-I. Moreover, our scheme is very practical as it involves only lightweight cryptographic operations. To make it scalable to billions of files, we further extend it to a multi-block setting. Finally, we give the corresponding security proofs and an experimental evaluation, which demonstrate the security and practicality of our schemes, respectively.
Notes
- 1.
The files are leaked if the second search query is issued after the files are added but before they are deleted. This is unavoidable, since the adversary can easily tell the difference between the search results returned before and after the files were added for the same search query.
- 2.
In this example, there is only one addition/deletion pair, so for Type-II the server can easily tell which addition has been cancelled by which deletion. However, when there are many addition/deletion pairs, the server cannot tell which deletion cancels which addition.
- 3.
Note that it does not leak the insertion time of \(f_1\) and \(f_3\).
- 4.
A special kind of data structure that has been widely used in the database community.
- 5.
After obtaining \(\overline{bs}\), the client may retrieve the file identifiers represented by \(\overline{bs}\); this step is not described in this paper.
- 6.
Deletion is performed by adding a negative number.
- 7.
Note that we can update many file identifiers through one update query by using the bit string representation bs.
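Added illustration of notes 5 to 7 (this is not the paper's own code): a bitmap index combined with an assumed additively homomorphic one-time pad, \(\mathsf{Enc}_k(m) = m + k \bmod 2^\ell\), in the style of the Castelluccia et al. reference. The client keeps the per-update keys locally, the server only sums ciphertexts, a deletion is the addition of the negative bitmap, and one update can flip several file bits at once; addressing the index by keyword is a simplification assumed here, since the real scheme hides keywords behind tokens.

```python
import secrets

ELL = 8          # constructed: bitmap of 8 bits, one per file identifier
MOD = 1 << ELL

def enc(key, m):
    """Assumed additive one-time pad: Enc_k(m) = m + k mod 2^ELL.
    Ciphertexts add homomorphically: Dec_{k1+k2}(c1 + c2) = m1 + m2."""
    return (m + key) % MOD

def dec(key, c):
    return (c - key) % MOD

class Client:
    def __init__(self):
        self.keys = {}  # keyword -> one-time keys used for its updates

    def update(self, w, op, bs):
        """'del' sends the negative bitmap (note 6), so the server's running
        sum cancels the earlier addition without learning which one."""
        key = secrets.randbelow(MOD)
        self.keys.setdefault(w, []).append(key)
        return enc(key, bs if op == "add" else (-bs) % MOD)

    def decrypt_result(self, w, c):
        """The sum of the per-update keys decrypts the summed ciphertext."""
        return dec(sum(self.keys.get(w, [])) % MOD, c)

class Server:
    # label -> accumulated ciphertext; the real scheme addresses entries by
    # PRF-derived tokens, so addressing by keyword is a simplification here
    def __init__(self):
        self.index = {}

    def update(self, label, c):
        self.index[label] = (self.index.get(label, 0) + c) % MOD

    def search(self, label):
        return self.index.get(label, 0)

def run_example():
    """Add f0 and f2 under w in one update (note 7), delete f0, then search.
    Caveat: the sum is arithmetic, not OR, so a file must be added at most
    once per keyword, otherwise the carry corrupts the neighbouring bit."""
    client, server = Client(), Server()
    server.update("w", client.update("w", "add", 0b101))
    server.update("w", client.update("w", "del", 0b001))
    bs = client.decrypt_result("w", server.search("w"))
    return bs, [i for i in range(ELL) if bs >> i & 1]  # bitmap, file ids
```

The server never sees a plaintext bitmap or which ciphertext cancelled which, which is the property the Type-I\(^-\) argument builds on.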
References
Amjad, G., Kamara, S., Moataz, T.: Forward and backward private searchable encryption with SGX. In: Proceedings of the 12th European Workshop on Systems Security, p. 4. ACM (2019)
Bost, R.: \(\Sigma o\varphi o\varsigma\): forward secure searchable encryption. In: CCS 2016, pp. 1143–1154. ACM (2016)
Bost, R., Minaud, B., Ohrimenko, O.: Forward and backward private searchable encryption from constrained cryptographic primitives. In: CCS 2017, pp. 1465–1482. ACM (2017)
Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: CCS 2015, pp. 668–679. ACM (2015)
Cash, D., et al.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: NDSS 2014, vol. 14, pp. 23–26. Citeseer (2014)
Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for Boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_20
Castelluccia, C., Mykletun, E., Tsudik, G.: Efficient aggregation of encrypted data in wireless sensor networks. In: 3rd International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Sensor Networks, Italy (2005)
Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: CCS 2006, pp. 79–88. ACM (2006)
Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 123–145. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_7
Fuhry, B., Bahmani, R., Brasser, F., Hahn, F., Kerschbaum, F., Sadeghi, A.-R.: HardIDX: practical and secure index with SGX. In: Livraga, G., Zhu, S. (eds.) DBSec 2017. LNCS, vol. 10359, pp. 386–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61176-1_22
Garg, S., Mohassel, P., Papamanthou, C.: TWORAM: efficient oblivious RAM in two rounds with applications to searchable encryption. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 563–592. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_20
Ghareh Chamani, J., Papadopoulos, D., Papamanthou, C., Jalili, R.: New constructions for forward and backward private symmetric searchable encryption. In: CCS 2018, pp. 1038–1055. ACM (2018)
Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: CCS 2012, pp. 965–976. ACM (2012)
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Sharma, V.: Bitmap index vs. b-tree index: Which and when? Oracle Technical Network (2005). http://www.oracle.com/technetwork/articles/sharma-indexes-093638.html
Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: S&P 2000, pp. 44–55. IEEE (2000)
Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: NDSS 2014, vol. 71, pp. 72–75 (2014)
Sun, S.-F., Liu, J.K., Sakzad, A., Steinfeld, R., Yuen, T.H.: An efficient non-interactive multi-client searchable encryption with support for Boolean queries. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 154–172. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_8
Sun, S.F., et al.: Practical backward-secure searchable encryption from symmetric puncturable encryption. In: CCS 2018, pp. 763–780. ACM (2018)
Wang, X.S., et al.: Oblivious data structures. In: CCS 2014, pp. 215–226. ACM (2014)
Zhang, Y., Katz, J., Papamanthou, C.: All your queries are belong to us: the power of file-injection attacks on searchable encryption. In: USENIX Security Symposium, pp. 707–720 (2016)
Zuo, C., Macindoe, J., Yang, S., Steinfeld, R., Liu, J.K.: Trusted Boolean search on cloud using searchable symmetric encryption. In: Trustcom 2016, pp. 113–120. IEEE (2016)
Zuo, C., Sun, S.-F., Liu, J.K., Shao, J., Pieprzyk, J.: Dynamic searchable symmetric encryption schemes supporting range queries with forward (and backward) security. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 228–246. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1_12
Acknowledgment
The authors thank the anonymous reviewers for the valuable comments. This work was supported by the Natural Science Foundation of Zhejiang Province [grant number LZ18F020003] and the Australian Research Council (ARC) Grant DP180102199. Josef Pieprzyk has been supported by the Australian Research Council grant DP180102199 and Polish National Science Center grant 2018/31/B/ST6/03003.
Appendix
Theorem 1
(Adaptive security of FB-DSSE). Let F be a secure PRF, \(\varPi =({\texttt {\textit{Setup}}}, {\texttt {\textit{Enc}}}, {\texttt {\textit{Dec}}}, {\texttt {\textit{Add}}})\) be a perfectly secure simple symmetric encryption with homomorphic addition, and \(H_1\), \(H_2\) and \(H_3\) be random oracles with \(\lambda \)-bit outputs. We define \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}=(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Search}, \mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Update})\), where \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Search}(w)=({\texttt {\textit{sp}}}(w),{\texttt {\textit{rp}}}(w),{\texttt {\textit{Time}}}(w))\) and \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Update}(op,w,bs)=\perp \). Then FB-DSSE is \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}\)-adaptively secure.
Proof
In this proof, the server is the adversary \(\mathcal {A}\) who tries to break the security of our FB-DSSE. The challenger \(\mathcal {C}\) is responsible for generating the search tokens and ciphertexts, and the simulator \(\mathcal {S}\) simulates the transcripts between \(\mathcal {A}\) and \(\mathcal {C}\) at the end.
Game \(G_0\): \(G_0\) is exactly the same as the real-world game, such that
Game \(G_1\): In \(G_1\), when F is queried to generate a key for a keyword w, the challenger \(\mathcal {C}\) chooses a new random key if the keyword w has never been queried before and stores it in a table \(\texttt {Key}\); otherwise it returns the key corresponding to w from the table \(\texttt {Key}\). If an adversary \(\mathcal {A}\) is able to distinguish between \(G_0\) and \(G_1\), we can build an adversary \(\mathcal {B}_1\) that distinguishes F from a truly random function. More formally,
Game \(G_2\): In \(G_2\), as depicted in Algorithm 3, in the Update protocol we pick random strings for the update tokens UT and store them in table \(\texttt {UT}\). Then, in the Search protocol, we program these random strings as the outputs of the random oracle \(H_1\), i.e. \(H_1(K_w,ST_c)=\texttt {UT}[w,c]\). When \(\mathcal {A}\) queries \(H_1\) with the input \((K_w, ST_c)\), \(\mathcal {C}\) outputs \(\texttt {UT}[w,c]\) to \(\mathcal {A}\) and stores this entry in table \(\texttt {H}_1\) for future queries. If the entry \((K_w, ST_{c+1})\) is already in table \(\texttt {H}_1\), then \(\texttt {UT}[w,c+1]\) cannot be programmed as the output of \(H_1(K_w,ST_{c+1})\) and the game aborts. We now show that the probability that the game aborts is negligible. The search token is chosen randomly by the challenger \(\mathcal {C}\), so the probability that the adversary guesses the right search token \(ST_{c+1}\) is \(1/2^{\lambda }\). Assuming \(\mathcal {A}\) makes a polynomial number p of queries, the probability is \(p/2^{\lambda }\). So we have
Game \(G_3\): In \(G_3\), we model \(H_2\) as a random oracle in the same way as \(H_1\) in \(G_2\). Then we have
Game \(G_4\): In \(G_4\), similarly to \(G_2\), we model \(H_3\) as a random oracle. \(\mathcal {A}\) does not know the key \(K_w'\), so the probability that it guesses the right key is \(1/2^{\lambda }\) (we set the length of \(K_w'\) to \(\lambda \)). Assuming \(\mathcal {A}\) makes a polynomial number p of queries, the probability is \(p/2^{\lambda }\). So we have
Game \(G_5\): In \(G_5\), we replace the bit string bs with an all-0 bit string of length \(\ell \). If an adversary \(\mathcal {A}\) is able to distinguish between \(G_5\) and \(G_4\), then we can build a reduction \(\mathcal {B}_2\) that breaks the perfect security of the simple symmetric encryption with homomorphic addition \(\varPi \). So we have
Simulator. Now we can replace the searched keyword w with \(\texttt {sp}(w)\) in \(G_5\) to obtain the simulator \(\mathcal {S}\) in Algorithm 4; \(\mathcal {S}\) uses the first timestamp \(\hat{w}\leftarrow \) min \(\texttt {sp}(w)\) for the keyword w. We remove the parts of Algorithm 3 that do not influence the view of \(\mathcal {A}\).
Now we are ready to show that \(G_5\) and the Simulator are indistinguishable. For Update, this is obvious, since we choose new random strings for each update in \(G_5\). For Search, \(\mathcal {S}\) starts from the current search token \(ST_c\) and chooses a random string for the previous search token. Then \(\mathcal {S}\) embeds it into the ciphertext C through \(H_2\). Moreover, \(\mathcal {S}\) embeds \(\overline{bs}\) into \(ST_c\) and all 0s into the remaining search tokens through \(H_3\). Finally, we map the pairs (w, i) to the global update count t. Then we can map the values in tables UT, C and sk that were chosen randomly in Update to the corresponding values for the pair (w, i) in Search. Hence,
Finally,
which completes the proof.
© 2019 Springer Nature Switzerland AG
Cite this paper
Zuo, C., Sun, SF., Liu, J.K., Shao, J., Pieprzyk, J. (2019). Dynamic Searchable Symmetric Encryption with Forward and Stronger Backward Privacy. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_14
DOI: https://doi.org/10.1007/978-3-030-29962-0_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0