
Extended Functionality in Verifiable Searchable Encryption

Conference paper

Cryptography and Information Security in the Balkans (BalkanCryptSec 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9540)

Abstract

When outsourcing the storage of sensitive data to an (untrusted) remote server, a data owner may choose to encrypt the data beforehand to preserve confidentiality. It then becomes difficult to retrieve specific portions of the data efficiently, since the server cannot identify which portions are relevant. Searchable encryption is a well-studied solution to this problem: it allows data owners and other authorised users to generate search queries that the server can execute over the encrypted data to identify the relevant portions.

However, many current schemes lack two important properties: verifiability of search results, and expressive queries. We introduce Extended Verifiable Searchable Encryption (eVSE), which permits a user to verify that search results are both correct and complete. We also permit verifiable computational queries over keywords and specific data values, which go beyond standard keyword matching to allow functions such as averaging or counting. We formally define eVSE within the relevant security models and give a provably secure instantiation.

J. Alderman—Supported by the European Commission under project H2020-644024 “CLARUS” and acknowledges support from BAE Systems Advanced Technology Centre.

S.L. Renwick—Supported by Thales UK and EPSRC under a CASE Award.


Notes

1. Depending on the choice of underlying ABE scheme; see Sect. 4.1.

2. We also permit the server to verify correctness, to avoid the rejection problem, where a server may learn useful information by observing whether results are accepted.

3. In this case, it may be possible to avoid the use of symmetric encryption in our construction by letting the secret k be the key for this cryptographic hash function.

References

1. Alderman, J., Janson, C., Cid, C., Crampton, J.: Access control in publicly verifiable outsourced computation. In: Bao, F., Miller, S., Zhou, J., Ahn, G. (eds.) Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2015, pp. 657–662. ACM (2015)

2. Alderman, J., Janson, C., Cid, C., Crampton, J.: Hybrid publicly verifiable computation. IACR Cryptol. ePrint Arch. 2015, 320 (2015)

3. Alderman, J., Janson, C., Martin, K.M., Renwick, S.L.: Extended functionality in verifiable searchable encryption. IACR Cryptol. ePrint Arch. (2015)

4. Apon, D., Katz, J., Shi, E., Thiruvengadam, A.: Verifiable oblivious storage. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 131–148. Springer, Heidelberg (2014)

5. Backes, M., Barbosa, M., Fiore, D., Reischuk, R.M.: ADSNARK: nearly practical and privacy-preserving proofs on authenticated data. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 271–286. IEEE Computer Society (2015)

6. Backes, M., Fiore, D., Reischuk, R.M.: Verifiable delegation of computation on outsourced data. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 863–874. ACM (2013)

7. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)

8. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract. In: Kleinberg, R.D. (ed.) Innovations in Theoretical Computer Science, ITCS 2013, pp. 401–414. ACM (2013)

9. Benabbas, S., Gennaro, R., Vahlis, Y.: Verifiable delegation of computation over large datasets. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 111–131. Springer, Heidelberg (2011)

10. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Goldwasser, S. (ed.) Innovations in Theoretical Computer Science, ITCS 2012, pp. 326–349. ACM (2012)

11. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)

12. Byun, J.W., Rhee, H.S., Park, H.-A., Lee, D.-H.: Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker, W., Petković, M. (eds.) SDM 2006. LNCS, vol. 4165, pp. 75–83. Springer, Heidelberg (2006)

13. Chai, Q., Gong, G.: Verifiable symmetric searchable encryption for semi-honest-but-curious cloud servers. In: Proceedings of the IEEE International Conference on Communications, ICC 2012, pp. 917–922. IEEE (2012)

14. Cheng, R., Yan, J., Guan, C., Zhang, F., Ren, K.: Verifiable searchable symmetric encryption from indistinguishability obfuscation. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2015, pp. 621–626. ACM (2015)

15. Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011)

16. Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 79–88. ACM (2006)

17. Fu, Z., Shu, J., Sun, X., Linge, N.: Smart cloud search services: verifiable keyword-based semantic search over encrypted cloud data. IEEE Trans. Consum. Electron. 60(4), 762–770 (2014)

18. Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)

19. Goh, E.-J.: Secure indexes. IACR Cryptol. ePrint Arch. 2003, 216 (2003)

20. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)

21. Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 965–976. ACM (2012)

22. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)

23. Kurosawa, K., Ohtaki, Y.: How to update documents verifiably in searchable symmetric encryption. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 309–328. Springer, Heidelberg (2013)

24. Li, J., Wang, Q., Wang, C., Cao, N., Ren, K., Lou, W.: Fuzzy keyword search over encrypted data in cloud computing. In: 29th IEEE International Conference on Computer Communications, INFOCOM 2010, pp. 441–445. IEEE (2010)

25. Liu, P., Wang, J., Ma, H., Nie, H.: Efficient verifiable public key encryption with keyword search based on KP-ABE. In: Ninth International Conference on Broadband and Wireless Computing, Communication and Applications, BWCCA 2014, pp. 584–589. IEEE (2014)

26. Park, D.J., Kim, K., Lee, P.J.: Public key encryption with conjunctive field keyword search. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 73–86. Springer, Heidelberg (2005)

27. Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: verifiable computation from attribute-based encryption. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 422–439. Springer, Heidelberg (2012)

28. Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: 2000 IEEE Symposium on Security and Privacy, pp. 44–55. IEEE (2000)

29. Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014. The Internet Society (2014)

30. Sun, W., Wang, B., Cao, N., Li, M., Lou, W., Hou, Y.T., Li, H.: Verifiable privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking. IEEE Trans. Parallel Distrib. Syst. 25(11), 3025–3035 (2014)

31. Sun, W., Yu, S., Lou, W., Hou, Y.T., Li, H.: Protecting your right: verifiable attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud. IEEE Trans. Parallel Distrib. Syst. 99 (2013)

32. Wang, C., Cao, N., Li, J., Lou, W.: Secure ranked keyword search over encrypted cloud data. In: International Conference on Distributed Computing Systems, ICDCS 2010, pp. 253–262. IEEE Computer Society (2010)

33. Wang, C., Cao, N., Ren, K., Lou, W.: Enabling secure and efficient ranked keyword search over outsourced cloud data. IEEE Trans. Parallel Distrib. Syst. 23(8), 1467–1479 (2012)

34. Wang, J., Ma, H., Li, J., Zhu, H., Ma, S., Chen, X.: Efficient verifiable fuzzy keyword search over encrypted data in cloud computing. Comput. Sci. Inf. Syst. 10(2), 667–684 (2013)

35. Wang, J., Ma, H., Tang, Q., Li, J., Zhu, H., Ma, S., Chen, X.: Efficient verifiable fuzzy keyword search over encrypted data in cloud computing. Comput. Sci. Inf. Syst. 10(2), 667–684 (2013)

36. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011)

37. Zheng, Q., Xu, S., Ateniese, G.: VABKS: verifiable attribute-based keyword search over outsourced encrypted data. In: 2014 IEEE Conference on Computer Communications, INFOCOM 2014, pp. 522–530. IEEE (2014)


Author information

Corresponding author: Sarah Louise Renwick.

Appendices

A Security Models

Index Privacy. Game 2 formalises index indistinguishability against a selective chosen keyword attack, which ensures that no information about the keywords is leaked by the index. First, the adversary outputs two attribute sets \(D_0, D_1 \subseteq \mathcal{U}\) on which it wishes to be challenged, subject to \(|D_0| = |D_1|\) (required because the CP-ABE used to produce the index does not conceal the index length). The challenger runs \(\mathsf{Setup}\) to produce the public and secret parameters and selects a bit \(b \in \{0,1\}\) uniformly at random, which determines which attribute set is encoded into the index.

Before the index is created, the challenger must form the pre-index from \(D_b\) (line 4 of Game 2). This is done by an \(\mathsf{Encode}\) mechanism that takes the elements of \(D_b\) as input and outputs the pre-index \(\delta(D_b)\). \(\mathsf{Encode}\) is not needed in our instantiation, since pre-indexes can be chosen directly from \(\tilde{U}\): the user knows the mapping from \(\mathcal{U}\) to \(\mathcal{U}^\prime\) and the permutation \(\varPi\), whereas the adversary does not. The challenger then runs \(\mathsf{BuildIndex}\) on \(\delta(D_b)\) to produce the index \(\mathcal{I}_{D_b}\), which is given to \(\mathcal{A}\).

The adversary is then given \(\mathrm{PP}\) and oracle access, with the restriction that every query must return identical results on both indexes: if \(R_0 \leftarrow \mathsf{Search}(\mathcal{I}_{D_0}, QT_{Q}, st_{s}, SK_\mathrm{S}, \mathrm{PP})\) and \(R_1 \leftarrow \mathsf{Search}(\mathcal{I}_{D_1}, QT_{Q}, st_{s}, SK_\mathrm{S}, \mathrm{PP})\), then \(R_0 = R_1\) is required (otherwise a single query would trivially distinguish the two indexes). After the query phase, \(\mathcal{A}\) outputs a guess \(b^\prime\) and wins the game if \(b^\prime = b\) (the comparison operator \(==\) in the game returns 1). Hence \(\mathcal{A}\) wins if it can identify which attribute set, \(D_0\) or \(D_1\), was encoded into the index \(\mathcal{I}_{D_b}\).

[Game 2: selective index indistinguishability game; figure not reproduced]

Query Privacy. The queries themselves should not leak any information about the keywords that make up the query. Our construction leaks the gates of a query, but not the keywords themselves. This notion of query indistinguishability against a selective chosen query attack is formalised in Game 3. The game runs similarly to Game 2, subject to the following restriction: the challenge queries \((Q_0, Q_1)\) must use the same gates. Denoting the gate structure of a query Q by \(\mathcal{G}_Q\), we require \(\mathcal{G}_{Q_0} = \mathcal{G}_{Q_1}\).

[Game 3: selective query indistinguishability game; figure not reproduced]

A.1 Security Proofs

Proof

(Public Verifiability). Here we provide a proof sketch; full details can be found in [3]. Assume that \(\mathcal{A}_{eVSE}\) is an adversary with non-negligible advantage \(\delta\) against the selective Public Verifiability game. We define the following three games:

  • Game A. This is the selective Public Verifiability game as defined in Game 1.

  • Game B. This is the same as Game A, except that in \(\mathsf{Query}\) we no longer return encryptions of both \(m_0\) and \(m_1\). Instead, we choose a fresh random message \(m^\prime \ne m_0, m_1\) and, if \(Q(\mathcal{I}_{D}) = 1\), replace \(c_1\) by \(\mathsf{ABE}.\mathsf{Encrypt}(\overline{Q}, m^\prime, {MPK_{\text{ABE}}})\); otherwise we replace \(c_0\) by \(\mathsf{ABE}.\mathsf{Encrypt}(Q, m^\prime, {MPK_{\text{ABE}}})\). That is, the ciphertext under the policy the index does not satisfy now encrypts \(m^\prime\).

  • Game C. This is the same as Game B with the exception that instead of choosing a random message \(m^\prime \), we implicitly set \(m^\prime \) to be the challenge input w in the one-way function game.

We show that an adversary with non-negligible advantage against the selective Public Verifiability game can be used to construct an adversary that may invert the one-way function g.

We first show that Games A and B are distinguishable with at most negligible advantage. We construct an adversary \(\mathcal{A}_{ABE}\) that sets up an eVSE instance by executing Algorithms 1–8 and uses \(\mathcal{A}_{eVSE}\) as a subroutine to break the selective IND-CPA (sIND-CPA) security of the CP-ABE scheme. The constructed adversary has advantage \(Adv_{\mathcal{A}_{ABE}} \geqslant \frac{\delta}{2}\). Hence, if \(\mathcal{A}_{eVSE}\) has advantage \(\delta\) at distinguishing the two games, \(\mathcal{A}_{ABE}\) wins the sIND-CPA game for CP-ABE with non-negligible probability. Since the CP-ABE scheme is assumed secure, \(\mathcal{A}_{eVSE}\) cannot distinguish Game A from Game B with non-negligible probability.

The transition from Game B to Game C simply fixes \(m^\prime\) to be the challenge \(w\) of the one-way function inversion game rather than a random value. The adversary has no distinguishing advantage between these games, since the new value is independent of everything else in the system apart from the verification key \(g(w)\), and therefore looks random to an adversary with no additional information.

Finally, we show that \(\mathcal{A}_{ABE}\), running \(\mathcal{A}_{eVSE}\) in Game C, can invert the one-way function \(g\): given a challenge \(z = g(w)\), it recovers \(w\). If \(\mathcal{A}_{eVSE}\) succeeds, it outputs a forgery comprising the plaintext encrypted under the unsatisfied query (\(Q\) or \(\overline{Q}\)). By construction this plaintext is \(w\), so \(\mathcal{A}_{ABE}\) forwards it to the challenger \(\mathcal{C}\) and inverts the one-way function with the same non-negligible probability with which \(\mathcal{A}_{eVSE}\) wins the public verifiability game.

We conclude that if the ABE scheme is sIND-CPA secure and the one-way function is hard to invert, then eVSE as defined by Algorithms 1–8 is secure in the sense of selective Public Verifiability. \(\square\)
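The verification structure the sketch relies on (one ciphertext under Q, one under its complement, a verification key made of one-way-function images of the two plaintexts) is worth seeing concretely. The following Python is an added example written for this page; it is not the authors' construction and not a real CP-ABE scheme. The attribute-based encryption is replaced by a stand-in (`ToyABE`) that models only who can decrypt, SHA-256 stands in for the one-way function g, and the query-language helpers, the `cheating_server` routine and the sample index are all constructed here. Computational queries and the per-item index over n data items in the real scheme are not modelled.

```python
import hashlib
import secrets
from typing import Callable, FrozenSet, Optional, Tuple

Attrs = FrozenSet[str]
Policy = Callable[[Attrs], bool]
Ciphertext = Tuple[Policy, bytes]


def g(m: bytes) -> bytes:
    """The one-way function g whose images form the verification key.
    SHA-256 stands in for it here (an assumption of this example)."""
    return hashlib.sha256(m).digest()


class ToyABE:
    """Stand-in for CP-ABE, not a real scheme: a ciphertext is the pair
    (policy, message) and decryption with attribute set D returns the message
    only if policy(D) holds. It hides nothing from whoever inspects the Python
    object; it models only *who can decrypt*, which is all the verification
    argument needs."""

    @staticmethod
    def encrypt(policy: Policy, m: bytes) -> Ciphertext:
        return (policy, m)

    @staticmethod
    def decrypt(ct: Ciphertext, attrs: Attrs) -> Optional[bytes]:
        policy, m = ct
        return m if policy(attrs) else None


# Query language: keyword atoms combined with AND / OR / NOT gates. In the
# construction the gate structure is leaked while the keywords are hidden.
def kw(word: str) -> Policy:
    return lambda d: word in d


def AND(p: Policy, q: Policy) -> Policy:
    return lambda d: p(d) and q(d)


def OR(p: Policy, q: Policy) -> Policy:
    return lambda d: p(d) or q(d)


def NOT(p: Policy) -> Policy:
    return lambda d: not p(d)


def query(q: Policy) -> Tuple[Tuple[Ciphertext, Ciphertext], Tuple[bytes, bytes]]:
    """Client side. Draws fresh random m_0, m_1, encrypts m_0 under Q and m_1
    under NOT Q, and publishes vk = (g(m_0), g(m_1)). An index (attribute set)
    satisfies exactly one of Q and NOT Q, so an honest server recovers exactly
    one of the two plaintexts."""
    m0, m1 = secrets.token_bytes(32), secrets.token_bytes(32)
    token = (ToyABE.encrypt(q, m0), ToyABE.encrypt(NOT(q), m1))
    return token, (g(m0), g(m1))


def search(index: Attrs, token: Tuple[Ciphertext, Ciphertext]) -> bytes:
    """Honest server: returns whichever plaintext its index lets it decrypt."""
    c0, c1 = token
    r = ToyABE.decrypt(c0, index)
    return r if r is not None else ToyABE.decrypt(c1, index)


def verify(vk: Tuple[bytes, bytes], result: bytes) -> Optional[bool]:
    """Public verification: True means Q was satisfied, False means it was not,
    None means reject. Only vk and the result are used, so the server can run
    the same check itself, which is how the rejection problem of footnote 2
    is avoided."""
    h = g(result)
    if h == vk[0]:
        return True
    if h == vk[1]:
        return False
    return None


def cheating_server(index: Attrs, token: Tuple[Ciphertext, Ciphertext]) -> bytes:
    """A server that wants to report the opposite outcome. The plaintext it
    needs sits under the policy its index does not satisfy, so short of
    inverting g on the verification key it can only guess."""
    c0, c1 = token
    target = c1 if ToyABE.decrypt(c0, index) is not None else c0
    m = ToyABE.decrypt(target, index)      # always None: policy unsatisfied
    return m if m is not None else secrets.token_bytes(32)


def demo() -> Tuple[Optional[bool], Optional[bool]]:
    # Constructed sample index: the keyword attributes of one data item.
    index: Attrs = frozenset({"finance", "2015", "confidential"})
    q = AND(kw("finance"), NOT(kw("draft")))            # finance AND NOT draft
    token, vk = query(q)
    honest = verify(vk, search(index, token))           # True: Q satisfied
    forged = verify(vk, cheating_server(index, token))  # None: rejected
    return honest, forged


if __name__ == "__main__":
    print(demo())
```

The point to take from `cheating_server` is the one the reduction uses: to make the verifier accept the wrong outcome, the server must produce a preimage of the other half of vk, which is exactly inverting g. Replacing `ToyABE` with a real CP-ABE scheme is what makes the policies (and so the keywords) hidden from the server; the verification logic does not change.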

The remaining proofs can be found in the full version [3].

B Discussion

Table 1. Comparison of schemes

Our scheme extends the expressiveness of the queries achievable in VSE. To our knowledge, no other VSE scheme supports this range of search queries or allows negation of keywords within a query. In addition, our scheme leaks neither the access pattern (AP) nor the search pattern (SP) to the server while executing a search. The combination of search queries with computational queries is also new in VSE.

Search time and query size are both linear in n, the number of data items stored on the remote server, so eVSE is better suited to smaller databases, where these costs are not prohibitive. The VSE scheme of [13] has a search time linear in the number of letters in the queried keyword (usually much smaller than n); this faster search comes from a tree-based index, but only a single-keyword equality search is supported. Another ABE-based scheme [37] achieves multi-level access, where users can be restricted to searching only certain parts of the database: keywords are grouped according to their access control policies and search time is linear in the number of groups. This scheme, too, supports only single-keyword equality search. The scheme of [35] achieves verifiable fuzzy keyword search with search time linear in the size of the fuzzy keyword set, which grows with the level of fuzziness required (searching for data items containing keywords within edit distance two of the queried keyword needs a larger fuzzy keyword set than edit distance one [24]); again, this is likely to be less than n. In terms of rounds of communication per search, our scheme is optimal, requiring a single round.

The size of the search results in our scheme is also linear in n. Most VSE schemes in the literature return results whose size is linear in the number of data items matching the query, but this leaks the access pattern, which in turn may leak information about the query. Our scheme hides the access pattern because every search result has the same form regardless of the query submitted.

Our scheme achieves public verifiability, index privacy and query privacy (with respect to the keywords searched for), which is comparable to the security of other VSE schemes. Overall, our scheme trades efficiency relative to existing VSE schemes for much greater functionality and query expressiveness.

Table 1 gives a brief comparison between our scheme and those in the literature as discussed above and throughout the paper.


Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Alderman, J., Janson, C., Martin, K.M., Renwick, S.L. (2016). Extended Functionality in Verifiable Searchable Encryption. In: Pasalic, E., Knudsen, L. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2015. Lecture Notes in Computer Science, vol 9540. Springer, Cham. https://doi.org/10.1007/978-3-319-29172-7_12

  • DOI: https://doi.org/10.1007/978-3-319-29172-7_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29171-0

  • Online ISBN: 978-3-319-29172-7
