VBTree: forward secure conjunctive queries over encrypted data for cloud computing

Abstract

This paper concerns the fundamental problem of processing conjunctive keyword queries over an outsourced data table on untrusted public clouds in a privacy-preserving manner. The data table can be properly implemented with tree-based searchable symmetric encryption schemes, such as the known Keyword Red–Black tree and the Indistinguishable Bloom-filter Tree in ICDE’17. However, as for these trees, there still exist many limitations to support sub-linear time updates. One of the reasons is that their tree branches are directly exposed to the cloud. To achieve efficient conjunctive queries while supporting dynamic updates, we introduce a novel tree data structure called virtual binary tree (VBTree). Our key design is to organize indexing elements into the VBTree in a top-down fashion, without storing any tree branches and tree nodes. The tree only exists in a logical view, and all of the elements are actually stored in a hash table. To achieve forward privacy, which is discussed by Bost in CCS’16, we also propose a storage mechanism called version control repository (VCR), to record and control versions of keywords and queries. VCR has a smaller client-side storage compared to other forward-private schemes. With our proposed approach, data elements can be quickly searched while the index can be privately updated. The security of the VBTree is formally proved under the IND-CKA2 model. We test our scheme on a real e-mail dataset and a user location dataset. The testing results demonstrate its high efficiency and scalability in both searching and updating processes.

Appendix: Proof of Theorem 5.1

Proof

Let’s first study DDFPP. First, given a partition instance, the solution can be verified in polynomial time and then DDFPP is NP. Next, we reduce a known NP-complete problem, the Subset Sum Problem, to DDFPP. The Subset Sum Problem is as follows: “For a multiset of positive numbers \(A=\{a_1,a_2,\ldots ,a_{n}\}\), given a positive number t, is there a set B such that \(\sum _{a_i\in B}{a_i}=t\) and \(B\subseteq A\)?”. \(\square \)

Considering an instance of the Subset Sum Problem with a positive number multiset \(A=\{a_1,a_2,\ldots ,a_n\}\) and a positive number t, we convert it to an instance of DDFPP using following construction. If n is odd, we insert a zero number into A first. We create two variables \(a_{n+1}\) and \(a_{n+2}\), and let \(\sum _{a_i\in A}{a_i}=b\), \(a_{n+1}=2b-t\), and \(a_{n+2}=b+t\). Then, a new set C is created as follows, \(C=A\cup \{a_{n+1},a_{n+2}\}\). For each number \(a_i\) in C, we generate a file group \(G_{a_i}=\{d_1, d_2, \cdots , d_{a_i}\}\). All generated files are \(G_{a_1}\bigcup G_{a_2}\bigcup \cdots \bigcup G_{a_{n+2}}\), which have \(\sum _{a_i\in C}{a_i}=b+(2b-t)+(b+t)=4b\) files in total. For each data file group \(G_{a_i}\), we create k unique keywords first and insert these k keywords into every file in the group. That is to say, in the \(a_i\)th file group, \(a_i\) files share k same keywords. Next, we insert other randomly generated keywords into every file. Repeat this process until all of the file groups are initialized.

Suppose the file groups constructed above have a data file partition solution, and the file groups can be partitioned into \({\mathcal {F}}_1\) and \({\mathcal {F}}_2\) in polynomial time, such that \(\vert {\mathcal {F}}_1\vert =\vert {\mathcal {F}}_2\vert \) and \(\vert W({\mathcal {F}}_1)\bigcap W({\mathcal {F}}_2)\vert <k\). We now prove that A has a subset sum solution. Note that, for each of the file group, the files share k common keywords. It implies that for any file group \(G_{a_i}\) constructed from the number \(a_i\), the files of \(G_{a_i}\) are either all in \({\mathcal {F}}_1\) or all in \({\mathcal {F}}_2\). Otherwise, suppose there exist two files \(d_i\) and \(d_j\) with \(d_i\in {\mathcal {F}}_1\) and \(d_j\in {\mathcal {F}}_2\), then we have \(\vert d_i\bigcap d_j\vert \geqslant k\) and \(\vert W({\mathcal {F}}_1)\bigcap W({\mathcal {F}}_2)\vert \geqslant k\). This contradicts the fact that we assume. Since \(\vert {\mathcal {F}}_1\vert =\vert {\mathcal {F}}_2\vert \), we have \(\vert G_{x_1}\vert +\vert G_{x_2}\vert +\cdots +\vert G_{x_r}\vert =\vert G_{y_1}\vert +\vert G_{y_2}\vert +\cdots +\vert G_{y_r}\vert \), where \(G_{x_i}\subseteq {\mathcal {F}}_1\), \(G_{y_i}\subseteq {\mathcal {F}}_2\), and \(2r=n+2\). As \(\vert G_{x_i}\vert =x_i\) and \(\vert G_{y_i}\vert =y_i\), the following equation holds, \(x_1+x_2+\cdots +x_r=y_1+y_2+\cdots +y_r\). Let \(B=\{x_1,x_2,\ldots ,x_r\}\) and \(B'=\{y_1,y_2,\ldots ,y_r\}\). Note that, \(a_{n+1}\) and \(a_{n+2}\) cannot coexist in the set B or in the set \(B'\), otherwise, \(\sum {x_i}\ne \sum {y_i}\). If \(a_{n+1}\) is in B, then the subset sum \(\sum _{i\in ({B-\{a_{n+1}\}})}a_i=(2b-(2b-t))=t\). If \(a_{n+1}\) is in B,’ then \(\sum _{i\in ({B'-\{a_{n+1}\}})}a_i=(2b-(2b-t))=t\). Now, we have a subset sum solution of \(B-\{a_{n+1}\}\) or \(B'-\{a_{n+1}\}\). Finally, the Subset Sum Problem \(\le _p\) DDFPP, which means DDFPP is NP-complete. Since DDFPP is a special case of DFPP, then DFPP is NP-hard.