Improved Indistinguishability for Searchable Symmetric Encryption

Abstract

This work presents a new experiment defining indistinguishability for searchable symmetric encryption to include security against published practical attacks. The proposed experiment allows the adversaries to use their prior knowledge about the stored documents to win. We solve the problem of modelling the adversaries with prior knowledge using the interacting split adversary technique. This new indistinguishability definition is aligned with the security goals and adversary capabilities listed in  [4]. The correctness of the indistinguishability experiment is demonstrated by presenting proofs of strength and vulnerabilities of \(\varSigma {o} \phi {o} \varsigma \)-B and one of its variant. We write the security proofs based on the indistinguishability experiment with an adversary without any prior knowledge and adversary with full knowledge of the document set. We show how to win the indistinguishability experiment using the count attack by an adversary who knows the document distribution, and the file injection attack by an adversary without prior knowledge.

Appendices

A \(\mathcal {L}\)-security by  [7]

Let \(\mathsf {SSE}\) = \(\big (\) Setup, Search, Update, Decrypt\(\big )\) be an SSE scheme with a leakage profile \(\mathcal {L}_{\mathsf {SSE}} = (\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Setup}}, \mathcal {L}_{\mathsf {SSE}}^{\mathsf {Search}}, \mathcal {L}_{\mathsf {SSE}}^{\mathsf {Update}})\). Then, \(\mathsf {SSE}\) is \(\mathcal {L}\)-secure against adaptive chosen keyword attacks if for all PPT adversary \(\mathcal {A}\), there exists a PPT simulator \(\mathcal {S}\) such that

where the games are as follows:

• \(\mathbf {Real}_{\mathsf {SSE}, \mathcal {A}}(1^k)\)

  1. 1.

     \(\mathcal {A}\) generates \(\mathtt{DB}\) and \(\mathbf {D}\) and gives to the challenger, \(\mathcal {C}\).

  2. 2.

     \(\mathcal {C}\) executes Setup, where the resulting I and c are given to \(\mathcal {A}\).

  3. 3.

     \(\mathcal {A}\) then makes a polynomial number of Search and Update queries, and receives the search token and update results.

  4. 4.

     Finally, \(\mathcal {A}\) returns a bit b as the output of the experiment.

• \(\mathbf {Ideal}_{\mathsf {SSE}, \mathcal {A}, \mathcal {S}}(1^k)\)

  1. 1.

     \(\mathcal {A}\) outputs DB and \(\mathbf {D}\) to \(\mathcal {C}\).

  2. 2.

     The simulator \(\mathcal {S}\) simulates I and c based on the leakage information from \(\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Setup}}\), and gives I and c to \(\mathcal {A}\).

  3. 3.

     \(\mathcal {A}\) makes a polynomial number of Search and Update queries.

  4. 4.

     The simulator \(\mathcal {S}\) returns the search tokens based on \(\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Search}}\) and update results based on \(\mathcal {L}_{\mathsf {SSE}}^{\mathsf {Update}}\).

  5. 5.

     Finally, \(\mathcal {A}\) returns a bit b as the output of the experiment.

B SSE Indistinguishability by  [9]

Let =(KeyGen, Encrypt, Trapdoor, Search, Decrypt) be an index-based SSE, be a security parameter, \(\mathcal {A}\) = (\(\mathcal {A}_0\),...,\(\mathcal {A}_{q+1}\)) be such that and consider the following probabilistic experiment Ind\(^*_{\mathcal {A},{\tiny \textsf {SSE}}}(k)\)

• \(\mathbf {Initiation}\)

  1. 1.

     Given the security parameter \(1^k\), challenger \(\mathcal {C}\) generates the secret key K.

  2. 2.

     Then \(\mathcal {C}\) randomly chooses a value \(b\in \{0,1\}\).

  3. 3.

     \(\mathcal {A}_0\) generates two document sets, \(\mathbf {D}_0\) and \(\mathbf {D}_0\), such that \(\mathcal {L}^{\mathsf {Setup}}(\mathbf {D}_0)\) = \(\mathcal {L}^{\mathsf {Setup}}(\mathbf {D}_1)\), and submits them to \(\mathcal {C}\). Let \(\mathbf {W}_0\) and \(\mathbf {W}_1\) be the set of all keywords in \(\mathbf {D}_0\) and \(\mathbf {D}_1\) respectively.

  4. 4.

     \(\mathcal {C}\) runs Setup on \(\mathbf {D}_b\) and gives \(\mathcal {A}\) the index \(I_b\) and ciphertexts \(\mathbf {c}_b\).

• \(\mathbf {Query}\)

  1. 1.

     The adversary \(\mathcal {A}\) makes q search queries by having \(\mathcal {A}_i\) choosing \(w_{0,i}\in \mathbf {W}_0\) and \(w_{1,i}\in \mathbf {W}_1\) such that \(\mathcal {L}^{\mathsf {Search}}(w_{0,i})\) = \(\mathcal {L}^{\mathsf {Search}}(w_{1,i})\).

  2. 2.

     For each i, the Search oracle replies with the search token \(\tau _{i}\) for keyword \(w_{b,i}\).

• \(\mathbf {Response}\)

  1. 1.

     Finally, \(\mathcal {A}_{q+1}\) makes a guess \(b^{\prime }\).

  2. 2.

     The experiment outputs 1 if \(b^{\prime }=b\). Otherwise, outputs 0.

We say that SSE is secure in the sense of adaptive indistinguishability if for all PPT adversaries \(\mathcal {A}\) = (\(\mathcal {A}_0\), ..., \(\mathcal {A}_{q+1}\)) such that ,

where the probability is over the choice of b, and the coins of KeyGen and Encrypt.

C \(\varSigma {o} \phi {o} \varsigma \)-B

Here is the SSE scheme \(\varSigma {o} \phi {o} \varsigma \)-B as specified in  [2, §5]. In this scheme F is a pseudorandom function, \(\pi \) is a trapdoor permutation, and \(H_1\) and \(H_2\) are keyed hash functions.

• Setup. Given a security parameter \(1^k\), the algorithm generates a symmetric key \(\mathbf {K_S}\in \{0,1\}^k\), an asymmetric key pair (SK, PK) and prepare two empty mappings \(\mathbf {\Delta }\) and I. Output to the client (\(\mathbf {\Delta }\), (\(\mathbf {K_S}\), SK)) and to server (\(\mathbf {I}\), PK).

• Search. To search for keyword w, the client prepares \(K_w=F_{\mathbf {K_S}}(w)\) and extract \((ST_c,c)\) = \(\mathbf {\Delta }[w]\), and then sends \((K_w,ST_c,c)\) to the server. If \((ST_c,c)\) = \(\perp \), directly output \(\emptyset \). The server goes though counter \(i=c,c-1,\ldots ,0\) to compute \(UT_{i}=H_1(K_w,ST_i)\) and extract \(e_i=\mathbf {I}[UT_i]\). The output is unmasked \(d_i\leftarrow e_i\oplus H_2(K_w, ST_i)\). For the next counter, server computes \(ST_{i-1}=\pi _{PK}(ST_i)\). Finally, The server returns a list of document identifiers \((d_i)_{i=0,1,\ldots ,c}\).

• Update. This algorithm is invoked to update the index for one keyword w from one document D. Let d denotes the identifier for document D. First the client recalculate the keyword key \(K_w=F_{\mathbf {K_S}}(w)\) and extract \((ST_c,c)\) = \(\mathbf {\Delta }[w]\). If \(\mathbf {\Delta }[w]\) = \(\perp \) this means the keyword is new, hence the client set the first token \(ST_0\) for w to a random string and create new entry \(\mathbf {\Delta }[w]\) = \((ST_0,0)\). Otherwise, calculate the next token, \(ST_{c+1}\) = \(\pi ^{-1}_{SK}(ST_c)\) and renew entry \(\mathbf {\Delta }[w]\) = \((ST_{c+1},c+1)\). Next, compute index key \(UT_{c+1}\) = \(H_1(K_w,ST_{c+1})\) and mask the identifier e = \(d\oplus H_2(K_w,ST_{c+1})\). Finally, the client sends \((UT_{c+1},e)\) to the server which sets \(\mathbf{I} [UT_{c+1}]\) = e.

D Result-Hiding \(\varSigma {o} \phi {o} \varsigma \)-B

Here is a variation of \(\varSigma {o} \phi {o} \varsigma \)-B where the storage server returns masked file identifiers to the client during Search.

• Setup. Given a security parameter \(1^k\), the algorithm generates a symmetric key \(\mathbf {K_S}\in \{0,1\}^k\), an asymmetric key pair (SK, PK) and prepare two empty mappings \(\mathbf {\Delta }\) and I. Output to the client (\(\mathbf {\Delta }\), (\(\mathbf {K_S}\), SK)) and to server (\(\mathbf {I}\), PK).

• Search. To search for keyword w, the client prepares \(K_w=F_{\mathbf {K_S}}(w)\) and extract \((ST_c,c)\) = \(\mathbf {\Delta }[w]\), and then sends \((K_w,ST_c,c)\) to the server. If \((ST_c,c)\) = \(\perp \), directly output \(\emptyset \). The server goes though counter \(i=c,c-1,\ldots ,0\) to compute \(UT_{i}=H_1(K_w,ST_i)\) and then extract \(e_i=\mathbf {I}[UT_i]\). For the next counter, server computes \(ST_{i-1}=\pi _{PK}(ST_i)\). The server returns a list of masked document identifiers \((e_i)_{i=0,1,\ldots ,c}\). Finally, the client unmasks the document identifiers \(d_i=e_i\oplus H_2(K^{\prime }_w,ST_i)\) where \(K^{\prime }_w=F_{\mathbf {K_S}}(w||i^{bin})\) for \(i=0,1,\ldots ,c\).

• Update. This algorithm is invoked to update the index for one keyword w from one document D. Let d denotes the identifier for document D. First the client recalculate the keyword key \(K_w=F_{\mathbf {K_S}}(w)\) and extract \((ST_c,c)\) = \(\mathbf {\Delta }[w]\). If \(\mathbf {\Delta }[w]\) = \(\perp \) this means the keyword is new, hence set the first token \(ST_0\) to a random string and set \(\mathbf {\Delta }[w]\) = \((ST_0,0)\). Otherwise, calculate the next token, \(ST_{c+1}\) = \(\pi ^{-1}_{SK}(ST_c)\) and set \(\mathbf {\Delta }[w]\) = \((ST_{c+1},c+1)\). Next, compute index key \(UT_{c+1}\) = \(H_1(K_w,ST_{c+1})\) and mask the identifier e = \(d\oplus H_2(K^{\prime }_w,ST_{c+1})\) where \(K^{\prime }_w\) = \(F_{\mathbf {K_S}}(w||(c+1)^{bin})\). Finally, the client sends \((UT_{c+1},e)\) to the server which sets \(\mathbf{I} [UT_{c+1}]\) = e.