Abstract
This work presents a new experiment defining indistinguishability for searchable symmetric encryption that includes security against published practical attacks. The proposed experiment allows the adversaries to use their prior knowledge about the stored documents to win. We solve the problem of modelling adversaries with prior knowledge using the interacting split adversary technique. This new indistinguishability definition is aligned with the security goals and adversary capabilities listed in [4]. The correctness of the indistinguishability experiment is demonstrated by presenting proofs of strength and vulnerabilities of \(\varSigma {o} \phi {o} \varsigma \)-B and one of its variants. We write the security proofs based on the indistinguishability experiment with an adversary without any prior knowledge and with an adversary with full knowledge of the document set. We show how to win the indistinguishability experiment using the count attack by an adversary who knows the document distribution, and the file injection attack by an adversary without prior knowledge.
References
Bosch, C., et al.: Distributed searchable symmetric encryption. In: Proceedings of the Twelfth Annual Conference on Privacy, Security and Trust (PST 2014). IEEE (2014)
Bost, R.: \(\varSigma {o} \phi {o} \varsigma \): forward secure searchable encryption. In: Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security (CCS 2016), pp. 1143–1154. ACM (2016)
Bost, R., Fouque, P.A.: Thwarting leakage abuse attacks against searchable encryption: a formal approach and applications to database padding. Cryptology ePrint Archive, Report 2017/1060 (2017). http://eprint.iacr.org/2017/1060/
Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 668–679. ACM (2015)
Cash, D., et al.: Dynamic searchable encryption in very large databases: data structures and implementation. Cryptology ePrint Archive, Report 2014/853 (2014). http://eprint.iacr.org/2014/853
Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote encrypted data. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_30
Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_33
Cui, S., Asghar, M.R., Galbraith, S.D., Russello, G.: ObliviousDB: practical and efficient searchable encryption with controllable leakage. In: Imine, A., Fernandez, J.M., Marion, J.-Y., Logrippo, L., Garcia-Alfaro, J. (eds.) FPS 2017. LNCS, vol. 10723, pp. 189–205. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75650-9_13
Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) ACM Conference on Computer and Communications Security, CCS 2006, pp. 79–88. ACM (2006)
Goh, E.J.: Secure indexes. Cryptology ePrint Archive, Report 2003/216 (2003). http://eprint.iacr.org/2003/216/
Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In: 19th Annual Network and Distributed System Security Symposium, NDSS 2012. The Internet Society (2012)
Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258–274. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_22
Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM Conference on Computer and Communications Security, CCS 2012, pp. 965–976. ACM (2012)
Kamara, S., Moataz, T.: Boolean searchable symmetric encryption with worst-case sub-linear complexity. Cryptology ePrint Archive, Report 2017/126 (2017). http://eprint.iacr.org/2017/126/
Kamara, S., Moataz, T., Ohrimenko, O.: Structured encryption and leakage suppression. Cryptology ePrint Archive, Report 2018/551 (2018). http://eprint.iacr.org/2018/551/
Kurosawa, K., Ohtaki, Y.: UC-secure searchable symmetric encryption. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 285–298. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_21
Lacharité, M.S., Paterson, K.G.: Frequency-smoothing encryption: preventing snapshot attacks on deterministically-encrypted data. Cryptology ePrint Archive, Report 2017/1068 (2017). http://eprint.iacr.org/2017/1068/
Liu, C., Zhu, L., Wang, M., Tan, Y.: Search pattern leakage in searchable encryption: attacks and new construction. Inf. Sci. 265, 176–188 (2014)
Moataz, T., Shikfa, A.: Boolean symmetric searchable encryption. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) 8th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2013, pp. 265–276. ACM (2013)
Mohamad, M.S., Tan, S.Y., Chin, J.J.: Searchable symmetric encryption: defining strength against query recovery attacks. In: Proceedings of the 6th International Cryptology and Information Security Conference 2018, pp. 85–93 (2018)
Naveed, M., Prabhakaran, M., Gunter, C.A.: Dynamic searchable encryption via blind storage. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 639–654. IEEE Computer Society (2014)
Ogata, W., Kurosawa, K.: No-dictionary searchable symmetric encryption. IEICE Trans. Fundam. E102A(1), 114–124 (2019)
Pouliot, D., Griffy, S., Wright, C.V.: The strength of weak randomization: efficiently searchable encryption with minimal leakage. Cryptology ePrint Archive, Report 2017/1098 (2017). http://eprint.iacr.org/2017/1098/
Pouliot, D., Wright, C.V.: Shadow nemesis: inference attacks on efficiently deployable, efficiently searchable encryption. In: 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1341–1352. ACM (2016)
Sedghi, S., Doumen, J., Hartel, P., Jonker, W.: Towards an information theoretic analysis of searchable encryption. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 345–360. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88625-9_23
Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: Network and Distributed System Security Symposium, NDSS 2014. Internet Society (2014). https://www.ndss-symposium.org/ndss2014/programme/practical-dynamic-searchable-encryption-small-leakage/
Wright, C.V., Pouliot, D.: Early detection and analysis of leakage abuse vulnerabilities. Cryptology ePrint Archive, Report 2017/1052 (2017). http://eprint.iacr.org/2017/1052/
Yoshizawa, T., Watanabe, Y., Shikata, J.: Unconditionally secure searchable encryption. In: 2017 51st Annual Conference on Information Sciences and Systems (CISS), pp. 1–6, March 2017
Zhang, Y., Katz, J., Papamanthou, C.: All your queries are belong to us: the power of file-injection attacks on searchable encryption. Cryptology ePrint Archive, Report 2016/172 (2016). http://eprint.iacr.org/2016/172/
Acknowledgement
This work is part of a project under The 11th Malaysia Plan. The authors would like to thank the Ministry of Education of Malaysia for providing part of the financial support for this work through the Fundamental Research Grant Scheme (Project number: FRGS/1/2019/ICT04/MMU/02/5). Ji-Jian Chin would also like to thank the Information Security Lab at MIMOS Berhad for hosting his industrial attachment during which this paper was completed. Finally, we thank the anonymous reviewers and in particular our shepherd, Dr Benjamin Tan, for their help in improving this paper.
Appendices
A \(\mathcal {L}\)-security by [7]
Let \(\mathsf {SSE}\) = \(\big (\) Setup, Search, Update, Decrypt\(\big )\) be an SSE scheme with a leakage profile \(\mathcal {L}_{\mathsf {SSE}} = (\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Setup}}, \mathcal {L}_{\mathsf {SSE}}^{\mathsf {Search}}, \mathcal {L}_{\mathsf {SSE}}^{\mathsf {Update}})\). Then, \(\mathsf {SSE}\) is \(\mathcal {L}\)-secure against adaptive chosen keyword attacks if for all PPT adversaries \(\mathcal {A}\), there exists a PPT simulator \(\mathcal {S}\) such that
where the games are as follows:
\(\mathbf {Real}_{\mathsf {SSE}, \mathcal {A}}(1^k)\)
1. \(\mathcal {A}\) generates \(\mathtt{DB}\) and \(\mathbf {D}\) and gives them to the challenger, \(\mathcal {C}\).
2. \(\mathcal {C}\) executes Setup, where the resulting I and c are given to \(\mathcal {A}\).
3. \(\mathcal {A}\) then makes a polynomial number of Search and Update queries, and receives the search tokens and update results.
4. Finally, \(\mathcal {A}\) returns a bit b as the output of the experiment.
\(\mathbf {Ideal}_{\mathsf {SSE}, \mathcal {A}, \mathcal {S}}(1^k)\)
1. \(\mathcal {A}\) outputs \(\mathtt{DB}\) and \(\mathbf {D}\) to \(\mathcal {C}\).
2. The simulator \(\mathcal {S}\) simulates I and c based on the leakage information from \(\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Setup}}\), and gives I and c to \(\mathcal {A}\).
3. \(\mathcal {A}\) makes a polynomial number of Search and Update queries.
4. The simulator \(\mathcal {S}\) returns the search tokens based on \(\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Search}}\) and the update results based on \(\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Update}}\).
5. Finally, \(\mathcal {A}\) returns a bit b as the output of the experiment.
B SSE Indistinguishability by [9]
Let =(KeyGen, Encrypt, Trapdoor, Search, Decrypt) be an index-based SSE, be a security parameter, \(\mathcal {A}\) = (\(\mathcal {A}_0\),...,\(\mathcal {A}_{q+1}\)) be such that and consider the following probabilistic experiment Ind\(^*_{\mathcal {A},{\tiny \textsf {SSE}}}(k)\)
\(\mathbf {Initiation}\)
1. Given the security parameter \(1^k\), the challenger \(\mathcal {C}\) generates the secret key K.
2. Then \(\mathcal {C}\) randomly chooses a value \(b\in \{0,1\}\).
3. \(\mathcal {A}_0\) generates two document sets, \(\mathbf {D}_0\) and \(\mathbf {D}_1\), such that \(\mathcal {L}^{\mathsf {Setup}}(\mathbf {D}_0)\) = \(\mathcal {L}^{\mathsf {Setup}}(\mathbf {D}_1)\), and submits them to \(\mathcal {C}\). Let \(\mathbf {W}_0\) and \(\mathbf {W}_1\) be the sets of all keywords in \(\mathbf {D}_0\) and \(\mathbf {D}_1\) respectively.
4. \(\mathcal {C}\) runs Setup on \(\mathbf {D}_b\) and gives \(\mathcal {A}\) the index \(I_b\) and ciphertexts \(\mathbf {c}_b\).
\(\mathbf {Query}\)
1. The adversary \(\mathcal {A}\) makes q search queries by having \(\mathcal {A}_i\) choose \(w_{0,i}\in \mathbf {W}_0\) and \(w_{1,i}\in \mathbf {W}_1\) such that \(\mathcal {L}^{\mathsf {Search}}(w_{0,i})\) = \(\mathcal {L}^{\mathsf {Search}}(w_{1,i})\).
2. For each i, the Search oracle replies with the search token \(\tau _{i}\) for keyword \(w_{b,i}\).
\(\mathbf {Response}\)
1. Finally, \(\mathcal {A}_{q+1}\) makes a guess \(b^{\prime }\).
2. The experiment outputs 1 if \(b^{\prime }=b\). Otherwise, it outputs 0.
We say that SSE is secure in the sense of adaptive indistinguishability if for all PPT adversaries \(\mathcal {A}\) = (\(\mathcal {A}_0\), ..., \(\mathcal {A}_{q+1}\)) such that ,
where the probability is over the choice of b, and the coins of KeyGen and Encrypt.
C \(\varSigma {o} \phi {o} \varsigma \)-B
Here is the SSE scheme \(\varSigma {o} \phi {o} \varsigma \)-B as specified in [2, §5]. In this scheme F is a pseudorandom function, \(\pi \) is a trapdoor permutation, and \(H_1\) and \(H_2\) are keyed hash functions.
- Setup. Given a security parameter \(1^k\), the algorithm generates a symmetric key \(\mathbf {K_S}\in \{0,1\}^k\) and an asymmetric key pair (SK, PK), and prepares two empty mappings \(\mathbf {\Delta }\) and \(\mathbf {I}\). It outputs (\(\mathbf {\Delta }\), (\(\mathbf {K_S}\), SK)) to the client and (\(\mathbf {I}\), PK) to the server.
- Search. To search for keyword w, the client computes \(K_w=F_{\mathbf {K_S}}(w)\), extracts \((ST_c,c)\) = \(\mathbf {\Delta }[w]\), and sends \((K_w,ST_c,c)\) to the server. If \((ST_c,c)\) = \(\perp \), the client directly outputs \(\emptyset \). The server goes through the counters \(i=c,c-1,\ldots ,0\): for each i it computes \(UT_{i}=H_1(K_w,ST_i)\), extracts \(e_i=\mathbf {I}[UT_i]\), and unmasks the identifier \(d_i\leftarrow e_i\oplus H_2(K_w, ST_i)\). For the next counter, the server computes \(ST_{i-1}=\pi _{PK}(ST_i)\). Finally, the server returns the list of document identifiers \((d_i)_{i=0,1,\ldots ,c}\).
- Update. This algorithm is invoked to update the index for one keyword w from one document D. Let d denote the identifier of document D. First the client recalculates the keyword key \(K_w=F_{\mathbf {K_S}}(w)\) and extracts \((ST_c,c)\) = \(\mathbf {\Delta }[w]\). If \(\mathbf {\Delta }[w]\) = \(\perp \), the keyword is new, so the client sets the first token \(ST_0\) for w to a random string and creates the new entry \(\mathbf {\Delta }[w]\) = \((ST_0,0)\). Otherwise, it calculates the next token \(ST_{c+1}\) = \(\pi ^{-1}_{SK}(ST_c)\) and renews the entry as \(\mathbf {\Delta }[w]\) = \((ST_{c+1},c+1)\). Next, it computes the index key \(UT_{c+1}\) = \(H_1(K_w,ST_{c+1})\) and masks the identifier as e = \(d\oplus H_2(K_w,ST_{c+1})\). Finally, the client sends \((UT_{c+1},e)\) to the server, which sets \(\mathbf{I} [UT_{c+1}]\) = e.
D Result-Hiding \(\varSigma {o} \phi {o} \varsigma \)-B
Here is a variation of \(\varSigma {o} \phi {o} \varsigma \)-B in which the storage server returns masked file identifiers to the client during Search, so the server no longer learns which documents match a query.
- Setup. Given a security parameter \(1^k\), the algorithm generates a symmetric key \(\mathbf {K_S}\in \{0,1\}^k\) and an asymmetric key pair (SK, PK), and prepares two empty mappings \(\mathbf {\Delta }\) and \(\mathbf {I}\). It outputs (\(\mathbf {\Delta }\), (\(\mathbf {K_S}\), SK)) to the client and (\(\mathbf {I}\), PK) to the server.
- Search. To search for keyword w, the client computes \(K_w=F_{\mathbf {K_S}}(w)\), extracts \((ST_c,c)\) = \(\mathbf {\Delta }[w]\), and sends \((K_w,ST_c,c)\) to the server. If \((ST_c,c)\) = \(\perp \), the client directly outputs \(\emptyset \). The server goes through the counters \(i=c,c-1,\ldots ,0\): for each i it computes \(UT_{i}=H_1(K_w,ST_i)\) and extracts \(e_i=\mathbf {I}[UT_i]\). For the next counter, the server computes \(ST_{i-1}=\pi _{PK}(ST_i)\). The server returns the list of masked document identifiers \((e_i)_{i=0,1,\ldots ,c}\). Finally, the client unmasks the document identifiers \(d_i=e_i\oplus H_2(K^{\prime }_w,ST_i)\), where \(K^{\prime }_w=F_{\mathbf {K_S}}(w||i^{bin})\), for \(i=0,1,\ldots ,c\).
- Update. This algorithm is invoked to update the index for one keyword w from one document D. Let d denote the identifier of document D. First the client recalculates the keyword key \(K_w=F_{\mathbf {K_S}}(w)\) and extracts \((ST_c,c)\) = \(\mathbf {\Delta }[w]\). If \(\mathbf {\Delta }[w]\) = \(\perp \), the keyword is new, so the client sets the first token \(ST_0\) to a random string and sets \(\mathbf {\Delta }[w]\) = \((ST_0,0)\). Otherwise, it calculates the next token \(ST_{c+1}\) = \(\pi ^{-1}_{SK}(ST_c)\) and sets \(\mathbf {\Delta }[w]\) = \((ST_{c+1},c+1)\). Next, it computes the index key \(UT_{c+1}\) = \(H_1(K_w,ST_{c+1})\) and masks the identifier as e = \(d\oplus H_2(K^{\prime }_w,ST_{c+1})\), where \(K^{\prime }_w\) = \(F_{\mathbf {K_S}}(w||(c+1)^{bin})\). Finally, the client sends \((UT_{c+1},e)\) to the server, which sets \(\mathbf{I} [UT_{c+1}]\) = e.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Mohamad, M.S., Chin, J.J. (2020). Improved Indistinguishability for Searchable Symmetric Encryption. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science, vol 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_10
DOI: https://doi.org/10.1007/978-3-030-62576-4_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62575-7
Online ISBN: 978-3-030-62576-4