Dynamic Searchable Symmetric Encryption with Forward and Stronger Backward Privacy

Abstract

Dynamic Searchable Symmetric Encryption (DSSE) enables a client to perform updates and searches on encrypted data which makes it very useful in practice. To protect DSSE from the leakage of updates (leading to break query or data privacy), two new security notions, forward and backward privacy, have been proposed recently. Although extensive attention has been paid to forward privacy, this is not the case for backward privacy. Backward privacy, first formally introduced by Bost et al., is classified into three types from weak to strong, exactly Type-III to Type-I. To the best of our knowledge, however, no practical DSSE schemes without trusted hardware (e.g. SGX) have been proposed so far, in terms of the strong backward privacy and constant roundtrips between the client and the server.

In this work, we present a new DSSE scheme by leveraging simple symmetric encryption with homomorphic addition and bitmap index. The new scheme can achieve both forward and backward privacy with one roundtrip. In particular, the backward privacy we achieve in our scheme (denoted by Type-I\(^-\)) is stronger than Type-I. Moreover, our scheme is very practical as it involves only lightweight cryptographic operations. To make it scalable for supporting billions of files, we further extend it to a multi-block setting. Finally, we give the corresponding security proofs and experimental evaluation which demonstrate both security and practicality of our schemes, respectively.

Appendix

Theorem 1

(Adaptive security of FB-DSSE). Let F be a secure PRF, \(\varPi =({\texttt {\textit{Setup}}},\) \({\texttt {\textit{Enc}}}, {\texttt {\textit{Dec}}}, {\texttt {\textit{Add}}})\) be a perfectly secure simple symmetric encryption with homomorphic addition, and \(H_1\), \(H_2\) and \(H_3\) be random oracles and output \(\lambda \) bits. We define \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}=(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Search}, \mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Update})\), where \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Search}(w)=\) \(({\texttt {\textit{sp}}}(w),{\texttt {\textit{rp}}}(w),{\texttt {\textit{Time}}}(w))\) and \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}^{Update}(op,w,\) \(bs)=\perp \). Then FB-DSSE is \(\mathcal {L}_{{\texttt {\textit{FB-DSSE}}}}\)-adaptively secure.

Proof

In this proof, the server is the adversary \(\mathcal {A}\) who tries to break the security of our FB-DSSE. The challenger \(\mathcal {C}\) is responsible for generating the search tokens and ciphertexts, and the simulator \(\mathcal {S}\) simulates the transcripts between \(\mathcal {A}\) and \(\mathcal {C}\) at the end.

Game \(G_0\): \(G_0\) is exactly same as the real world game , such that

Game \(G_1\): In \(G_1\), when querying F to generate a key for a keyword w, the challenger \(\mathcal {C}\) chooses a new random key if the keyword w is never queried before, and stores it in a table \(\texttt {Key}\). Otherwise return the key corresponding to w in the table \(\texttt {Key}\). If an adversary \(\mathcal {A}\) is able to distinguish between \(G_0\) and \(G_1\), we can then build an adversary \(\mathcal {B}_1\) to distinguish between F and a truly random function. More formally,

$$\Pr [G_0=1]-\Pr [G_1=1]\le \mathbf{Adv}_{F,\mathcal {B}_1}^{\texttt {prf}}(\lambda ).$$

Game \(G_2\): In \(G_2\), as depicted in Algorithm 3, in the Update protocol, we pick random strings for the update token UT and store it in table UT. Then, in the Search protocol, we program these random strings to the output of the random oracle \(H_1\) where \(H_1(K_w,ST_c)=\texttt {UT}[w,c]\). When \(\mathcal {A}\) queries \(H_1\) with the input \((K_w, ST_c)\), \(\mathcal {C}\) will output \(\texttt {UT}[w,c]\) to \(\mathcal {A}\) and store this entry in table \(\texttt {H}_1\) for future queries. If the entry \((K_w, ST_{c+1})\) already in table \(\texttt {H}_1\), \(\texttt {UT}[w,c+1]\) cannot be programed to the output of \(H_1(K_w,ST_{c+1})\) and this game aborts. Now, we will show that the possibility of the game aborts is negligible. The search token is chosen randomly by the challenger \(\mathcal {C}\), then the possibility that the adversary guesses the right search token \(ST_{c+1}\) is \(1/2^{\lambda }\). Assume \(\mathcal {A}\) makes polynomial p queries, then the possibility is \(p/2^{\lambda }\). So we have

$$\Pr [G_1=1] - \Pr [G_2=1]\le p/2^{\lambda }$$

Game \(G_3\): In \(G_3\), we model the \(H_2\) as a random oracle which is similar to \(H_1\) in \(G_2\). Then we have

$$\Pr [G_2=1] - \Pr [G_3=1]\le p/2^{\lambda }$$

Game \(G_4\): In \(G_4\), similar to \(G_2\), we model the \(H_3\) as a random oracle. \(\mathcal {A}\) does not know the key \(K_w'\), then the possibility that he guesses the right key is \(1/2^{\lambda }\) (we set the length of \(K_w'\) to \(\lambda \)). Assume \(\mathcal {A}\) makes polynomial p queries, the possibility is \(p/2^{\lambda }\). So we have

$$\Pr [G_3=1] - \Pr [G_4=1]\le p/2^{\lambda }$$

Game \(G_5\): In \(G_5\), we replace the bit string bs with an all 0 bit string, and the length of the all 0 bit string is \(\ell \). If an adversary \(\mathcal {A}\) is able to distinguish between \(G_5\) and \(G_4\), then we can build a reduction \(\mathcal {B}_2\) to break the perfectly security of the simple symmetric encryption with homomorphic addition \(\varPi \). So we have

$$\Pr [G_4=1]-\Pr [G_5=1]\le \mathbf{Adv}_{\varPi ,\mathcal {B}_2}^{\texttt {PS}}(\lambda ).$$

Simulator. Now we can replace the searched keyword w with \(\texttt {sp}(w)\) in \(G_5\) to simulate the simulator \(\mathcal {S}\) in Algorithm 4, \(\mathcal {S}\) uses the first timestamp \(\hat{w}\leftarrow \) min \(\texttt {sp}(w)\) for the keyword w. We remove the useless part of Algorithm 3 which will not influence the view of \(\mathcal {A}\).

Now we are ready to show that \(G_5\) and Simulator are indistinguishable. For Update, it is obvious since we choose new random strings for each update in \(G_5\). For Search, \(\mathcal {S}\) starts from the current search token \(ST_c\) and choose a random string for previous search token. Then \(\mathcal {S}\) embeds it to the ciphertext C through \(H_2\). Moreover, \(\mathcal {S}\) embeds the \(\overline{bs}\) to the \(ST_c\) and all 0s to the remaining search tokens through \(H_3\). Finally, we map the pairs (w, i) to the globe update count t. Then we can map the values in table UT, C and sk that we chose randomly in Update to the corresponding values for the pair (w, i) in the Search. Hence,

Finally,

which completes the proof.