Geo-DRS: Geometric Dynamic Range Search on Spatial Data with Backward and Content Privacy

Abstract

Driven by the cloud-first initiative taken by various governments and companies, it has become a common practice to outsource spatial data to cloud servers for a wide range of applications such as location-based services and geographic information systems. Searchable encryption is a common practice for outsourcing spatial data which enables search over encrypted data by sacrificing the full security via leaking some information about the queries to the server. However, these inherent leakages could equip the server to learn beyond what is considered in the scheme, in the worst-case allowing it to reconstruct of the database. Recently, a novel form of database reconstruction attack against such kind of outsourced spatial data was introduced (Markatou and Tamassia, IACR ePrint 2020/284), which is performed using common leakages of searchable encryption schemes, i.e., access and search pattern leakages. An access pattern leakage is utilized to achieve an order reconstruction attack, whereas both access and search pattern leakages are exploited for the full database reconstruction attack. In this paper, we propose two novel schemes for outsourcing encrypted spatial data supporting dynamic range search. Our proposed schemes leverage R\(^{+}\)tree to partition the dataset and binary secret sharing to support secure range search. They further provide backward and content privacy and do not leak the access pattern, therefore being resilient against the above mentioned database reconstruction attacks. Our evaluation shows the practicality of our schemes, due to (a) the minimal round-trip between the client and the server, and (b) low overhead in the client side in terms of computation and storage.

A Security analysis

In our construction, each search result is a share of a list associated with a leaf node and client is the one who reconstructs the final result using these shares. To insert or delete an object within a list, the client generates the new shares of the list and the servers will replace the old shares with the new ones. Thus, 1) there is no leakage regarding the content of the dataset (object’s identifier), 2) it is impossible to distinguish which object was being updated, 3) the search queries do not leak matching objects after they have been deleted. As a result, our construction is content and backward private as proved below.

Theorem 1

Let \(\mathcal {L}\) denote the leakage function of our Geo-DRS\(^+\) scheme as defined in Sect. 3.3. Our constructed Geo-DRS\(^+\) is \(\mathcal { L }\)-adaptively-secure, if the protocol of De Cock et al.(we call it \(\pi _s\)) [6] is secure. Let \(\varSigma \) represents Geo-DRS\(^+\), and \(\mathcal {A}\) be the adversary (the honest-but-curious server)⁵, who breaks the security of \(\varSigma \). Suppose \(\mathcal {A}\) make at most \(q_u > 0\) update queries. One can construct an algorithm \(\mathcal {B}\) that can break the UC-security of De Cock et al. [6] protocol by running \(\mathcal {A}\) as a subroutine with non-negligible probability if \(\log _2 q_s +\ell \ge \lambda \), for security parameter \(\lambda \).

Proof

The proof proceeds using a hybrid argument, by game hopping, starting from the real-world game \({\texttt {REAL}}_{\mathcal {A}}^{\varSigma }(\lambda )\).

• Game \(G_{0}\): This game is exactly the same as the real world security game \({\texttt {REAL}}_{\mathcal {A}}^{\varSigma }(\lambda )\). Hence, we have

  $$\mathbb {P}\left[ {\texttt {REAL}}_{\mathcal {A}}^{\varSigma }(\lambda )=1\right] =\mathbb {P}\left[ G_{0}=1\right] . $$

• Game \(G_{1}\): In this game, we pick random values instead of the output of \(\pi _{s}\) as a share of a search query and store it in a table to be reused if same query is issued. The advantage of the adversary in distinguishing between \(G_0\) and \(G_1\) is exactly the same as advantage for \(\pi _{s}\). Thus, we can build a reduction \(\mathcal {B}\) which is able to distinguish between \(\pi _{s}\) and a truly random function.

  

• Game \(G_{2}\): To update (delete/insert) an object from the list associated to a leaf node on the R\(^{+}\)tree, this game replaces the shares of the leaf node with random shares. For update token, it uses the leakage to learn which node should be updated. The adversary \(\mathcal {A}\) cannot distinguish the real shares from the truly random shares. Suppose \(\mathcal {A}\) makes at most \(q_u > 0\) update queries, then we have

  $$\begin{aligned} |\mathbb {P}\left[ G_{2}=1\right] -\mathbb {P}\left[ G_{1}=1\right] | \le \frac{1}{q_u\cdot 2^\ell }. \end{aligned}$$

• Simulator. We can simulate the \({\texttt {IDEAL}}\) game like Game \(G_{2}\). Let \(\mathcal {S}_{\pi _s}\) be the simulator for De Cock et al. [6] protocol; then we construct a simulator \(\mathcal {S}\) for our construction to perform the search. The algorithm \(\mathcal {B}\) uses \(\mathcal {S}_{\pi _s}\) to construct the simulator \(\mathcal {S}\) in order to answer the queries issued by \(\mathcal {A}\). We just need to use \(\mathcal {S}_{\pi _s}\) for \(\mathcal {A}_{\pi _s}\), to construct \(\mathcal {S}\) for \(\mathcal {A}\). We have that

  

  For the update, simulator \(\mathcal {S}\) works the same as \(G_{1}\) without knowing the content (objects’ identifiers). The simulator only uses \(\mathsf {ru}\) to identify the bounding box of the update query and not the object’s identifier. Therefore, it can simulate the attacker’s view using only \(\mathcal { L } ^{Updt}\).

As a result, our construction satisfies content and backward privacy as the search leakage does not include \(\text {TimeDB}(w)\) or \(\text {Updates}(w)\).    \(\square \)