Conference Paper

New Constructions for Forward and Backward Private Symmetric Searchable Encryption


Abstract

We study the problem of dynamic symmetric searchable encryption. In that setting, it is crucial to minimize the information revealed to the server as a result of update operations (insertions and deletions). Two relevant privacy properties have been defined in that context: forward and backward privacy. The first makes it hard for the server to link an update operation with previous queries and has been extensively studied in the literature. The second limits what the server can learn about entries that were deleted from the database, from queries that happen after the deletion. Backward privacy was formally studied only recently (Bost et al., CCS 2017) in a work that introduced a formal definition with three variable types of leakage (Type-I to Type-III ordered from most to least secure), as well as the only existing schemes that satisfy this property. In this work, we introduce three novel constructions that improve previous results in multiple ways. The first scheme achieves Type-II backward privacy and our experimental evaluation shows it has 145-253X faster search computation times than previous constructions with the same leakage. Surprisingly, it is faster even than schemes with Type-III leakage which makes it the most efficient implementation of a forward and backward private scheme so far. The second one has search time that is asymptotically within a polylogarithmic multiplicative factor of the theoretical optimal (i.e., the result size of a search), and it achieves the strongest level of backward privacy (Type-I). All previous Type-I constructions require time that is at least linear in the total number of updates for the requested keywords, even the (arbitrarily many) previously deleted ones. Our final scheme improves upon the second one by reducing the number of roundtrips for a search at the cost of extra leakage (Type-III).


... ORAM is a strong cryptographic primitive utilized in SSE schemes to minimize information leakages using its oblivious-read/write operations, which ensure the elimination of access and search pattern leakages. However, as the oblivious read and write operations of ORAM require significantly high computation and communication overhead, how to improve efficiency while removing the information leakage has been one of the main research topics [4,14,30-49]. Unfortunately, existing ORAM-based SSE schemes reveal the size pattern leakage, of which security concern has been actively discussed in recent studies [6,7,12,15,50]. ...
... Backward privacy restricts the information that the server can acquire during the execution of a search query for a keyword, particularly when certain entries related to that keyword have been previously deleted. Informally, a scheme is backward private if the server cannot obtain any information about the document identifiers that are previously deleted from a search query [33,55]. Backward privacy has three different types (i.e., BP-I, BP-II, BP-III), where the most stringent definition BP-I leaks TimeDB(w), which contains identifiers of the documents currently including a keyword w and timestamps about when the keyword-document pairs are stored. ...
... For lazy search, we modify the existing single-path ORAM protocols as described in Figure 2. To search for a keyword w, existing single-path ORAM-based SSE schemes [31-33,60] typically follow a process where the client initially accesses its position map to find out the paths corresponding to w. Subsequently, for each path, the client invokes an access protocol by sequentially utilizing the IDs of all blocks within the path. The server responds accordingly to these access requests. ...
Article
Size pattern leakage remains a critical issue in oblivious RAM (ORAM)-based Searchable Symmetric Encryption (SSE) schemes. Despite efforts to define security notions against size pattern leakage, existing studies either overly restrict analysis by focusing on maximum padding strategies or fail to offer meaningful quantitative comparisons across distinct schemes. In this paper, we introduce a novel scoring metric, Response Length Obfuscation (RLO), which fundamentally redefines how to assess volume-hiding schemes by measuring the hardness of guessing keywords based on the response lengths of queries. The proposed RLO-scoring utilizes Shannon entropy to measure the inability of guessing keywords for every feasible response length, providing a comprehensive measurement of security. Our main finding is that size pattern leakage should be perceived not merely as a binary categorization of leaked versus not leaked, but rather as a quantifiable continuum. This enables deeper evaluation of the security properties in various SSE schemes. Moreover, we propose how to capture adversarial attempts with size pattern leakage under an adaptive threat model, contrasting with previous work that depends on a selective model. We rigorously demonstrate the general applicability of the RLO-scoring through both theoretical analysis and experimental validation on diverse padding strategies with real-world Enron dataset and Ubuntu dataset corpus.
... Due to its complexity, Bost et al. [6] gave three levels of backward privacy, namely Type-III to Type-I, from the weakest to the strongest. Since then, many DSSE schemes with forward and/or backward privacy have been introduced [1,12,19,38,54,55,62]. ...
... To further improve the efficiency of Janus, Sun et al. [55] introduced a Type-III backward private DSSE (Janus++), which deploys their proposed Symmetric Puncturable Encryption (SPE). Concurrently, Chamani et al. [12] introduced a DSSE (MITRA) with forward and Type-II backward privacy, while it needs to generate search tokens for each entry. To reduce the search tokens, they also deployed the Path ORAM [52] to construct DSSE schemes with forward and backward privacy (ORION and HORUS). ...
... Note that ODXT deploys the technique of MITRA[12] to achieve forward privacy. However, for a search query, the client needs to generate many tokens for the list of files matching a keyword and send them to the server.12 ...
Article
Recent developments in the field of Dynamic Searchable Symmetric Encryption (DSSE) with forward and backward privacy have attracted much attention from both research and industrial communities. However, most DSSE schemes with forward and backward privacy only support single keyword queries, which impedes their prevalence in practice. Although some forward and backward private DSSE schemes with expressive queries (e.g., conjunctive queries) have been introduced, their backward privacy either essentially corresponds to single keyword queries or their forward privacy is not comprehensive. In addition, the deletion of many DSSE schemes is achieved by addition paired with a deletion mark (i.e., lazy deletion). To address these problems, we present two novel DSSE schemes with conjunctive queries (termed SDSSE-CQ and SDSSE-CQ-S), which achieve both forward and backward privacy. To analyze their security, we present two new levels of backward privacy (named Type-O and Type-O-, more and more secure), which give a more comprehensive understanding of the leakages of conjunctive queries in the OXT framework. Eventually, the security analysis and experimental evaluations show that the proposed schemes achieve better security with reasonable computation and communication increase.
... For example, Sun et al. proposed schemes to achieve forward and backward privacy by increasing the cost of query generation heavily [28], [29]. Similarly, the time complexity of query generation for a keyword in MITRA [30] and FIDES [10] is linear to the number of updates. In counter-based dynamically verifiable searchable encryption schemes [31] [32], the client needs to maintain additional counters to record the number of keyword updates for verifying search results. ...
... However, most existing schemes achieving forward and backward privacy need many rounds of communication between client and CSP. For example, Oblivious RAM (ORAM) offers an opportunity to achieve forward and backward privacy while requiring many rounds of communication between the client and CSP [10], [30]. It is important to clarify that in the paper, "non-interactive" specifically refers to the search process over indexes, in line with the definitions in [33], [34]. ...
... To fully leverage these advantages, this structure could be applied in scenarios such as libraries, where the data set is large and stable, with infrequent updates and a high volume of retrieval requests. The existing dynamic SSE schemes [33], [10], [30], [28], [35] only consider the requirement of keyword search while ignoring the importance of forward index in adding/deleting a document. Guo et al. recognized the significance of the forward index and made an attempt to construct it [31]. ...
Article
The adoption of symmetric searchable encryption (SSE) has become increasingly common. However, many current SSE schemes assume an honest-but-curious cloud service provider (CSP) or necessitate significant overhead to manage a malicious CSP. Furthermore, most of these schemes are tailored for static datasets. Our paper presents an efficient SSE scheme that aims to address these challenges. To the best of our knowledge, this is the first scheme that supports dynamic datasets with forward and backward privacy, integrity verification of non-empty and empty search results, efficient search, non-interactive, light client, and both forward and inverted indexes simultaneously. In this paper, we present two novel approaches, Hexie and Jianding. Hexie implements secret sharing to conceal index entries, enabling dynamic updates, non-interactive interactions, and lightweight clients. To enhance the reliability of search results and address the problem of empty, incomplete, or inaccurate outcomes, we introduce the Jianding scheme as an extension of Hexie. It combines a chained MAC structure with a secret sharing scheme, which enables a client to verify the data integrity of the search result efficiently. Moreover, we propose graph-based dictionary sharding to enhance search efficiency. Finally, we conduct comprehensive experiments to validate the effectiveness of the proposed schemes.
... The security progressively weakens from Type-I to Type-III. Subsequently, a few schemes with backward privacy [23-28] have been proposed recently. These schemes introduce additional cryptographic primitives (e.g., Homomorphic Encryption (HE), Puncturable Encryption (PE), Symmetric Revocable Encryption (SRE), etc.) to support backward privacy. ...
... Several schemes with backward privacy were recently proposed [22-28,49]. To be more specific, Bost et al. [22] formally defined backward privacy and proposed several schemes with different leakages. ...
... However, this scheme only achieves backwards privacy in Type-III. At the same time, Chamani et al. [24] proposed three improved schemes: Mitra, Orion, and Horus. Mitra, a Type-II scheme, performs better than Fides [22] by using symmetric key encryption. ...
Article
In the cloud-assisted industrial Internet of Things (IIoT), since the cloud server is not always trusted, the leakage of data privacy becomes a critical problem. Dynamic symmetric searchable encryption (DSSE) allows for the secure retrieval of outsourced data stored on cloud servers while ensuring data privacy. Forward privacy and backward privacy are necessary security requirements for DSSE. However, most existing schemes either trade the server’s large storage overhead for forward privacy or trade efficiency/overhead for weak backward privacy. These schemes cannot fully meet the security requirements of cloud-assisted IIoT systems. We propose a fast and firmly secure SSE scheme called Veruna to address these limitations. To this end, we design a new state chain structure, which can not only ensure forward privacy with less storage overhead of the server but also achieve strong backward privacy with only a few cryptographic operations in the server. Security analysis proves that our scheme possesses forward privacy and Type-II backward privacy. Compared with many state-of-the-art schemes, our scheme has an advantage in search and update performance. The high efficiency and robust security make Veruna an ideal scheme for deployment in cloud-assisted IIoT systems.
... Bost, Minaud, and Ohrimenko [28] introduced a formal definition for backward privacy with three different types of leakage and proposed backward-private searchable encryption schemes. Chamani and Papadopoulos [29] also studied how to minimize the information revealed to the server when the data are updated and improved the results of [28] in several ways. Since [28,29], many searchable encryption schemes have been proposed in the designated receiver setting [30-38] and mostly were constructed to provide a higher security level. ...
... Chamani and Papadopoulos [29] also studied how to minimize the information revealed to the server when the data are updated and improved the results of [28] in several ways. Since [28,29], many searchable encryption schemes have been proposed in the designated receiver setting [30-38] and mostly were constructed to provide a higher security level. In this setting, however, the data owner must know all the identifiers (IDs) of the receivers, which is highly impractical in environments with large numbers of users. ...
... We also defined full-accessibility as functionality that allows new users to have access to the data uploaded before joining the system. Table 1 shows that the searchable encryption schemes designed in the designated receiver setting [11,20,21,29-38] do not provide full-accessibility. As the name implies, data access rights are determined during data upload, so it is quite natural that it is impossible to design a scheme that satisfies full accessibility in the designated receiver setting. ...
Article
To securely share the data between users, encryption schemes with keyword searches in various settings have been proposed. Many studies design schemes in a designated receiver setting where a data owner specifies which receivers could download the data in advance at the time the data are uploaded. In this setting, it is not easy to extend the scheme to support environments with multiple data owners. Moreover, there was no scheme considering the situation in which a newly enrolled user accesses data that were uploaded prior to his enrollment. On the other hand, schemes designed in an undesignated receiver setting support multiple data owners and allow data to be accessed by all users in the system, regardless of the time the data were uploaded. However, most of them are not secure against collusion attacks involving an untrusted server and revoked users. In this paper, we propose a full-accessible multiparty searchable encryption (FA-MPSE) scheme for data-sharing systems. Our scheme supports the property that we call full-accessibility, and any users in the system can access all data in the storage. In addition, our scheme is secure against collision attacks so that the revoked users who collaborate with the server can not access the stored data. Furthermore, our scheme provides all the essential properties of MPSE, such as query privacy, query unforgeability, full-revocability, and unlinkability, and its security is proven in a formal security model. We provide the comparison result with the related schemes to show that our scheme has a comparative advantage.
... Recently, some effort has been made to restrict the size of the search result to at most O (|db(w)|) for any given keyword w [10,11,18,29]. To the best of our knowledge, no SSE scheme has considered reducing the storage size beyond |S| and the result size beyond |db(w)|. ...
... While the definition provided in [17] was for static databases, the first dynamic scheme, accommodating database updates, was formalized and proposed by Kamara et al. [22]. This was followed by several Dynamic SSE schemes [5,6,8,11,14,19,30]. Efforts such as [7,20] began studying SSE security through inherent leakages in the schemes. ...
... [5] respectively. Since then, many efficient SSE schemes meeting both forward and backward privacy with different efficiency and security have been proposed [11,14,30,35]. Secure SSE schemes supporting more complex queries like range queries [24,36], conjunctive queries [9,23,27,32,34], wildcard search [12,15] etc. have also been reported. ...
Article
Searchable Symmetric Encryption (SSE) has emerged as a promising tool for facilitating efficient query processing over encrypted data stored in un-trusted cloud servers. Several techniques have been adopted to enhance the efficiency and security of SSE schemes. The query processing costs, storage costs and communication costs of any SSE are directly related to the size of the encrypted index that is stored in the server. To our knowledge, there is no work directed towards minimizing the index size. In this paper we introduce a novel technique to directly reduce the index size of any SSE. Our proposed technique generically transforms any secure single keyword SSE into an equivalently functional and secure version with reduced storage requirements, resulting in faster search and reduced communication overhead. Our technique involves arranging the set of document identifiers db(w) related to a keyword w in leaf nodes of a complete binary tree and eventually obtaining a succinct representation of the set db(w). This small representation of db(w) leads to smaller index sizes. We do an extensive theoretical analysis of our scheme and prove its correctness. In addition, our comprehensive experimental analysis validates the effectiveness of our scheme on real and simulated data and shows that it can be deployed in practical situations.
... And then we have searchable encryption protocols that offer decent performance and stronger security than PPE, e.g. [3,10,14,15,19,20,38,45,53]. All of these schemes leak some information and many recent works [6,12,27,29,31,40] showed that this leakage, even seemingly innocuous, can be exploited by attackers violating privacy of users' data and queries. ...
... More precisely, a security proof for a structured encryption scheme only guarantees that an adversary (e.g. an honest-but-curious server) cannot learn more information about the database and the queries than what is quantified by the leakage. We recall some of the most common leakage profiles permitted by many constructions [3,10,14,15,19,20,38,45,53]. ...
... To the best of our knowledge, most of the constructions in the literature [3,10,14,15,19,20,38,45,53] use SS-CQA-B-NBB as their security notion but the actual proofs are for SS-CQA-B-BB. Hence, the leakage functions proved for those schemes can be used in our security notion directly. ...
Article
Searchable encryption, or more generally, structured encryption, permits search over encrypted data. It is an important cryptographic tool for securing cloud storage. The standard security notion for structured encryption mandates that a protocol leaks nothing about the data or queries, except for some allowed leakage, defined by the leakage function. This is due to the fact that some leakage is unavoidable for efficient schemes. Unfortunately, it was shown by numerous works that even innocuous-looking leakage can often be exploited by attackers to undermine users' privacy and recover their queries and/or data, despite the structured encryption schemes being provably secure. Nevertheless, the standard security remains the go-to notion used to show the 'security' of structured encryption schemes. While it is not likely that researchers will design practical structured encryption schemes with no leakage, it is not satisfactory that very few works study ways to assess leakage. This work proposes a novel framework to quantify leakage. Our methodology is inspired by the quantitative information flow, and we call our method q-leakage analysis. We show how q-leakage analysis is related to the standard security. We also demonstrate the usefulness of q-leakage analysis by analyzing the security of two existing schemes with complex leakage functions.
... However, constructing SGS from existing SSE is by no means trivial, especially considering the dynamics of GS databases (e.g., insertion and deletion of entries) and the privacy implications caused by such dynamics. Specifically, additional privacy, including forward privacy [10-13] and backward privacy [12,14,15], shall be considered for dynamic databases. Forward privacy is to ensure newly added data cannot be linked to previous queries while backward privacy further eliminates the link between a query and previously deleted data. ...
... All these types allow the leakage of identifiers of documents that match the keyword w that is currently being searched and the time when they were inserted. Under this backward privacy framework, Bost et al. [12] and Ghareh Chamani et al. [14] proposed dynamic SSE constructions with all the three types of backward privacy, respectively. Sun et al. [34] proposed a Type-III backward privacy scheme. ...
... Cleaning Deleted Items. Allowing the size of EDB to grow with each update including deletions is a common strategy in building dynamic SSE [14,35]. This simplifies the deletions while reaching forward and backward privacy. ...
Preprint
The proliferation of location-based services and applications has brought significant attention to data and location privacy. While general secure computation and privacy-enhancing techniques can partially address this problem, one outstanding challenge is to provide near latency-free search and compatibility with mainstream geographic search techniques, especially the Discrete Global Grid Systems (DGGS). This paper proposes a new construction, namely GridSE, for efficient and DGGS-compatible Secure Geographic Search (SGS) with both backward and forward privacy. We first formulate the notion of a semantic-secure primitive called symmetric prefix predicate encryption (SP²E), for predicting whether or not a keyword contains a given prefix, and provide a construction. Then we extend SP²E for dynamic prefix symmetric searchable encryption (pSSE), namely GridSE, which supports both backward and forward privacy. GridSE only uses lightweight primitives including cryptographic hash and XOR operations and is extremely efficient. Furthermore, we provide a generic pSSE framework that enables prefix search for traditional dynamic SSE that supports only full keyword search. Experimental results over real-world geographic databases of sizes (by the number of entries) from 10³ to 10⁷ and mainstream DGGS techniques show that GridSE achieves a speedup of 150× - 5000× on search latency and a saving of 99% on communication overhead as compared to the state-of-the-art. Interestingly, even compared to plaintext search, GridSE introduces only 1.4× extra computational cost and 0.9× additional communication cost. Source code of our scheme is available at https://github.com/rykieguo1771/GridSE-RAM.
... The server sends back the matching encrypted documents. This work focuses on efficient SSE constructions [4,6,9,10,14,20,59,60] that leak the search and access patterns. Some works [1,32] proposed the avoidance of access pattern leakage, but its instantiation is inefficient. ...
Preprint
Encrypted search schemes have been proposed to address growing privacy concerns. However, several leakage-abuse attacks have highlighted some security vulnerabilities. Recent attacks assumed an attacker's knowledge containing data "similar" to the indexed data. However, this vague assumption is barely discussed in literature: how likely is it for an attacker to obtain "similar enough" data? Our paper provides novel statistical tools usable on any attack in this setting to analyze its sensitivity to data similarity. First, we introduce a mathematical model based on statistical estimators to analytically understand the attackers' knowledge and the notion of similarity. Second, we conceive statistical tools to model the influence of the similarity on the attack accuracy. We apply our tools on three existing attacks to answer questions such as: is similarity the only factor influencing accuracy of a given attack? Third, we show that the enforcement of a maximum index size can make the "similar-data" assumption harder to satisfy. In particular, we propose a statistical method to estimate an appropriate maximum size for a given attack and dataset. For the best known attack on the Enron dataset, a maximum index size of 200 guarantees (with high probability) the attack accuracy to be below 5%.
... The initial scheme proposed by Song et al. in 2000 [26] was a private key/symmetric searchable encryption, which is suitable when the user searching for data is also the user who created the data. Subsequent proposals, such as those by Kamara et al. [19], Bost [7], Xia et al. [32], Etemad et al. [14], Chamani et al. [11], and Gao et al. [15], have addressed the limitations of private key/symmetric searchable encryption. However, these schemes are not ideal for infrastructures with multiple users or owners, as they require the secure and costly transmission of private keys between parties involved in the protocol. ...
Article
Searchable encryption is a cryptographic technique enabling efficient searching within a set of encrypted files, while preventing the ability to decrypt them. There are two main types of searchable encryption: symmetric searchable encryption and public key encryption with keyword search. Many existing public key encryption schemes with keyword search are vulnerable to threats from semi-honest but curious servers. This means that the server storing the data may provide incomplete or incorrect information in response to search queries. In this study, we introduce a new approach called Secure Channel Free Verifiable Public key Encryption with Keyword Search (SCF-VPEKS), which builds upon the principles of secure channel free public key encryption with keyword search (SCF-PEKS). Our proposed scheme is designed to address the issues of insider and outsider keyword guessing and file-injection attacks, providing verifiability and robustness against various threats. Through security analysis, we demonstrate that our scheme can withstand not only honest-but-curious server threats but also semi-honest-but-curious server threats.
... ORAMs have been widely applied in encrypted systems to ensure the obliviousness of queries. This includes searchable encryption [10,40,90], oblivious storage and databases [2,7,24,50,65,79,80,82], and data analytic frameworks [38,98]. We note that the adoption of ORAMs in those studies is similar to our Strawman design and will incur noticeable delays or compatibility issues under the CDN setting. ...
Preprint
Content providers increasingly utilise Content Delivery Networks (CDNs) to enhance users' content download experience. However, this deployment scenario raises significant security concerns regarding content confidentiality and user privacy due to the involvement of third-party providers. Prior proposals using private information retrieval (PIR) and oblivious RAM (ORAM) have proven impractical due to high computation and communication costs, as well as integration challenges within distributed CDN architectures. In response, we present OblivCDN, a practical privacy-preserving system meticulously designed for seamless integration with the existing real-world Internet-CDN infrastructure. Our design strategically adapts Range ORAM primitives to optimise memory and disk seeks when accessing contiguous blocks of CDN content, both at the origin and edge servers, while preserving both content confidentiality and user access pattern hiding features. Also, we carefully customise several oblivious building blocks that integrate the distributed trust model into the ORAM client, thereby eliminating the computational bottleneck in the origin server and reducing communication costs between the origin server and edge servers. Moreover, the newly-designed ORAM client also eliminates the need for trusted hardware on edge servers, and thus significantly ameliorates the compatibility towards networks with massive legacy devices. In real-world streaming evaluations, OblivCDN demonstrates remarkable performance, downloading a 256 MB video in just 5.6 seconds. This achievement represents a speedup of 90× compared to a strawman approach (direct ORAM adoption) and a 366× improvement over the prior art, OblivP2P.
... They describe ways to store data and perform actions, e.g. by searching through it via an untrusted server, while the server cannot learn any information about the data [4,12,25,41,42,44,72,74]. Most research, however, sees the use case for this in the storage of large databases [46], wherein the storing and accessing of data is done by the same person [3,11,33,52,58], contrary to the approach presented here. ...
Article
In many scenarios, users have to communicate sensitive data with third parties such as doctors, lawyers, insurance companies, social workers, or online shops. Handing over personal data is necessary to use those services, but delegating tasks to increase efficiency still poses the risk that personal data might be leaked. To minimize this risk and further enhance the privacy of users, we propose an interaction concept that uses layered encryption of messages to provide a trade-off between privacy and usability. Users can choose which data is additionally encrypted in an inner layer, e.g. only for the eyes of their doctor, and which data is available in an outer (encrypted or unencrypted) layer for all staff members. Another benefit is the hiding of sensitive data from package inspection or crawling algorithms via emails, while less critical parts can still be processed by these systems via the partial access. To investigate this concept, we derive relevant use cases for form-based communication via email from a quantitative pre-study with 1011 participants, showing that general practitioners are the most suitable use case. We developed demonstrators for this use case and evaluated them in a qualitative study with 42 participants. Our results show that the possibility of minimizing the propagation of sensitive data through additional encryption is highly appreciated and the usage of form-based communication is a promising approach for digital transformation.
... This enables you to deliver solutions instead of merely accumulating more data [3]. Conventional methods for steganography and image, text and audio data encryption have been extensively used, including styles similar to LSB steganography [4] and symmetric crucial encryption [5]. Still, these methods aren't without their downsides and limitations. ...
Conference Paper
With the increasing need for secure communication and storage of sensitive data in various formats like text, audio and images, there is a growing concern for protecting this information from unauthorized access or data breaches. Although encryption techniques are widely used for secure data transmission, they may not be sufficient for hiding data in plain sight. The proposed approach addresses the challenge of securing sensitive data in text, audio and image formats by implementing robust steganography and encryption techniques while ensuring seamless data storage and data monitoring in cloud storage platforms like Amazon S3. The proposed approach utilizes the least significant bit (LSB) steganography method, where the least significant bit of each pixel or sample in the media is replaced with a bit of the personal data, ensuring minimal visual or audible changes. The proposed approach will be designed to embed secret messages into carrier data using steganography algorithms and encrypt the resulting data using a symmetric key. The encrypted data will be stored in an Amazon S3 bucket for secure storage, and the entire bucket will be monitored using Dynatrace for performance and security analysis. The proposed approach received 90% of security breaches, indicating the monitoring system is highly accurate. Further, the approach could reduce the response time from 5s to 2s and increase the throughput from 100 requests per second to 500 18 requests per second.
... The systems Janus and del, as described in [18], encounter inefficiencies with puncturable encryption and restrictions on keyword/document pairings, respectively. Subsequently, Chamani et al. [34] presented three strategies. Among them, Mitra requires two-round communication but achieves optimal computational and communication complexity. ...
Article
Full-text available
Data owners seeking to boost processing power, storage, or bandwidth can take advantage of cloud computing services. However, this shift poses new challenges related to privacy and data security. Searchable Encryption (SE), which combines encryption and search techniques, addresses these issues (violation of data users' privacy) by allowing user data to be encrypted, transmitted to a cloud server, and searched using keywords. Despite its benefits, several recent real-world attacks have raised concerns about the security of searchable encryption. Ensuring forward and backward privacy is likely to become a standard requirement in the development of new SE systems. To address these issues, we propose a scheme that exclusively uses symmetric cryptographic primitives, achieving high communication efficiency and forward and backward privacy. In addition, we emphasize improved I/O efficiency because only the results of subsequent updates are loaded when searching. The time required to retrieve results is so significantly reduced compared to existing SE methods that we have shown that our scheme achieves superior efficiency. Moreover, by integrating blockchain network services with cloud services, we have developed a searchable intelligent cryptosystem suitable for lightweight smart devices. In our study conducted on the Ethereum network, we found our method to be both efficient and secure, especially when compared to methods such as PPSE and Jiang. The results indicate that our system delivers results in terms of performance and privacy within dynamic cloud environments, making it a solution for protecting confidential information.
Article
Oblivious map (OMAP) is an important component in encrypted databases, utilized to prevent the server inferring sensitive information about client's encrypted databases based on access patterns. Despite its widespread usage and importance, existing OMAP solutions face practical challenges, including the need for a large number of interaction rounds between the client and server, as well as substantial communication bandwidth. For example, the SOTA protocol OMIX++ in VLDB 2024 still requires O(log n) interaction rounds and O(log² n) communication bandwidth per access, where n denotes the total number of key-value pairs stored. In this work, we introduce more practical and efficient OMAP constructions. Consistent with all prior OMAPs, our constructions also adapt only the tree-based Oblivious RAM (ORAM) and oblivious data structures (ODS) to achieve OMAP for enhanced practicality. In complexity, our approach needs O(log n / log log n) + O(log λ) interaction rounds and O(log² n / log log n) + O(log λ log n) communication bandwidth per data access, where λ is the security parameter. This new complexity results from our two main contributions. First, unlike prior works relying solely on search trees, we design a novel framework for OMAP that combines hash table with search trees. Second, we propose a more efficient tree-based ORAM named DAORAM, which is of significant independent interest. This new ORAM accelerates our constructions as it supports obliviously accessing hash tables more efficiently. We implement both our proposed constructions and prior methods to experimentally demonstrate that our constructions substantially outperform prior methods in terms of efficiency.
Preprint
Graph databases have garnered extensive attention and research due to their ability to manage relationships between entities efficiently. Today, many graph search services have been outsourced to a third-party server to facilitate storage and computational support. Nevertheless, the outsourcing paradigm may invade the privacy of graphs. PeGraph is the latest scheme achieving encrypted search over social graphs to address the privacy leakage, which maintains two data structures XSet and TSet motivated by the OXT technology to support encrypted conjunctive search. However, PeGraph still exhibits limitations inherent to the underlying OXT. It does not provide transparent search capabilities, suffers from expensive computation and result pattern leakages, and it fails to support search over dynamic encrypted graph database and results verification. In this paper, we propose SecGraph to address the first two limitations, which adopts a novel system architecture that leverages an SGX-enabled cloud server to provide users with secure and transparent search services since the secret key protection and computational overhead have been offloaded to the cloud server. Besides, we design an LDCF-encoded XSet based on the Logarithmic Dynamic Cuckoo Filter to facilitate efficient plaintext computation in trusted memory, effectively mitigating the risks of result pattern leakage and performance degradation due to exceeding the limited trusted memory capacity. Finally, we design a new dynamic version of TSet named Twin-TSet to enable conjunctive search over dynamic encrypted graph database. In order to support verifiable search, we further propose VSecGraph, which utilizes a procedure-oriented verification method to verify all data structures loaded into the trusted memory, thus bypassing the computational overhead associated with the client's local verification.
Article
In recent years, the widely collected spatial-textual data has given rise to numerous applications centered on spatial keyword queries. However, securely providing spatial keyword query services in an outsourcing environment has been challenging. Existing schemes struggle to enable top-k spatial keyword queries on encrypted data while hiding search, access, and volume patterns, which raises concerns about availability and security. To address the above issue, this paper proposes OBIR-tree, a novel index structure for oblivious (provably hides search, access, and volume patterns) top-k spatial keyword queries on encrypted data. As a tight spatial-textual index tailored from the IR-tree and PathORAM, OBIR-tree can support sublinear search without revealing any useful information. Furthermore, we present extension designs to optimize the query latency of the OBIR-tree: (1) combine the OBIR-tree with hardware secure enclaves (e.g., Intel SGX) to minimize client-server interactions; (2) build a Real/Dummy block Tree (RDT) to reduce the computational cost of oblivious operations within enclaves. Extensive experimental evaluations on real-world datasets demonstrate that the search efficiency of OBIR-tree outperforms state-of-the-art baselines by 25× to 723× and is practical for real-world applications.
Article
Searchable symmetric encryption (SSE) supporting conjunctive queries has garnered significant attention over the past decade due to its practicality and wide applicability. While extensive research has addressed common leakages, such as the access pattern and search pattern, efforts to mitigate these vulnerabilities have primarily focused on structural issues inherent to scheme construction. In this work, we shift the focus to a less explored yet critical leakage stemming from users’ inherent querying behaviors: query correlation. Originally introduced by Grubbs et al. [USENIX SEC’20], formally defined by Oya et al. [USENIX SEC’22], and leveraged to mount a high-success query recovery attack against single-keyword SSE, query correlation raises a crucial question: does it pose a similar threat to the security of conjunctive SSE? To tackle this issue, we undertake two key efforts. First, we generalize the notion of query correlation in the context of conjunctive SSE, introducing the “generalized query correlation pattern”, which captures the co-occurrence relationships among queried tokens within a conjunctive query. Second, we develop a new passive query recovery attack, QCCK, which exploits both the search pattern and generalized query correlation pattern to infer the mapping between tokens and keywords. Comprehensive evaluations on the Enron dataset confirm QCCK’s efficacy, achieving a query recovery rate of approximately 80% with a keyword universe size ranging from 200 to 1000 and an observed query size between 5000 and 50,000. These findings highlight the significant threat posed by query correlation in conjunctive SSE and underscore the urgent need for robust countermeasures.
Article
Full-text available
Recently, significant progress has been made in the field of public key encryption with keyword search (PEKS), with a focus on optimizing search methods and improving the security and efficiency of schemes. Keyword frequency analysis is a powerful tool for enhancing retrieval services in explicit databases. However, designing a PEKS scheme that integrates keyword frequency analysis while preserving privacy and security has remained challenging, as it may conflict with some of the security principles of PEKS. In this paper, we propose an innovative scheme that introduces a security deadline to query trapdoors through the use of timestamps. This means that the keywords in the query trapdoor can only be recovered after the security deadline has passed. This approach allows for keyword frequency analysis of query keywords without compromising data privacy and user privacy, while also providing protection against keyword-guessing attacks through the dual-server architecture of our scheme. Moreover, our scheme supports multi-keyword queries in multi-user scenarios and is highly scalable. Finally, we evaluate the computational and communication efficiency of our scheme, demonstrating its feasibility in practical applications.
Article
Data outsourcing has become an industry trend with the popularity of cloud computing. How to search data securely and efficiently has received unprecedented attention. Dynamic Searchable Symmetric Encryption (DSSE) is an effective method to solve this problem, which supports file updates and keyword-based searches over encrypted data. Unfortunately, most existing DSSE schemes have privacy leakages during the addition and deletion phases, thus proposing the concepts of forward and backward privacy. At present, some secure DSSE schemes with forward and backward privacy have been proposed, but most of these DSSE schemes only achieve single-keyword query in the single-client setting, which seriously limits the application in practice. To solve this problem, we propose a multi-client and multi-keyword searchable symmetric encryption scheme with forward and backward privacy (MMKFB). Our scheme focuses on the multi-keyword threshold queries in the multi-client setting, which is a new pattern of multi-keyword search realized with the help of additive homomorphism. And performance analysis and experiments demonstrate that our scheme is more practical for use in small and medium size databases. Especially when a large number of files are updated at once, our scheme has advantages over some existing DSSE schemes in terms of computational efficiency and client storage overhead.
Article
Mobile cloud storage enables IoT devices to use on-demand resources and share data with different mobile devices, where these outsourced data on the cloud are encrypted due to data confidentiality concern. Although dynamic searchable symmetric encryption (DSSE) allows data owners to directly search and update its encrypted data, it rarely considers implementing authorized search towards different mobile devices. Existing authorized keyword search systems for mobile cloud storage suffer from the following limitations: (i) only achieves Type-III backward privacy; (ii) no support for verification of search result; (iii) incurs high time overhead for data update and search. Therefore, we propose VE-FLY++, an efficient, verifiable and authorized DSSE system with forward and enhanced backward privacy for mobile cloud storage. Technically, VE-FLY++ presents a verifiable inverted bitmap index (VIBI) to achieve forward privacy and enhanced Type-I (a.k.a., Type-I-) backward privacy, with supporting verification of search results. In addition, we combine symmetric encryption with homomorphic addition with introduced VIBI for fast authorized search function. To further enable efficiently handling hundreds of millions of files, we adopt chunking technology to present a highly-scalable VE-FLY++. Finally, we use Raspberry Pi, Rock Pi, and Huawei Cloud on real datasets to conduct extensive experiments to clarify practical efficiency of VE-FLY++.
Article
In the realm of secure data outsourcing, Verifiable Dynamic Searchable Symmetric Encryption (VDSSE) enables a client to verify search results obtained from an untrusted server while protecting the data privacy. Nevertheless, the storage cost of verification structure in some schemes escalates linearly with the number of keywords, and the generation of proofs demands a substantial number of exponentiation operations. Moreover, some schemes overlook forward and backward security in the dynamic database. In this paper, we introduce FB-VDSSE, an advanced VDSSE scheme that ensures both forward and backward security. Specifically, we introduce an efficient Accumulation Commitment Verification Structure (AC-VS) that attains a commitment verification value with a constant-size storage cost. Based on the AC-VS, we further propose a forward and backward secure VDSSE scheme. Within this scheme, the server exclusively generates a membership proof at the corresponding index of the vector, reducing the computation cost associated with the search operation. Finally, we provide the security proof and functional comparison, demonstrating that our scheme effectively ensures forward security, backward security, and verifiability. Additionally, the experimental evaluations underscore the efficiency of our scheme, showcasing its superior performance compared to relevant schemes in practical scenarios.
Article
Dynamic searchable symmetric encryption (DSSE), as one of the promising cryptographic tools in cloud-based services, faces two crying needs at the age of multi-device. One is a lightweight client, and the other is robustness. A lightweight client facilitates seamless synchronization among multiple devices allowing users to feel as if they are operating on a single device, even on resource-constrained devices. Robustness ensures a reliable system that can tolerate misoperations. DSSE requires both of them to achieve a leap in practicability. However, to our best knowledge, lightweight client and robustness have not been effectively combined thus far. Most existing DSSE schemes maintain a substantial amount of state information on the client for sub-linear search efficiency, but they fail to guarantee security even correctness, after executing the client’s misoperations (e.g., duplicate addition or deletion operation and deleting non-existent targets). The seminal work on robustness, ROSE (TIFS’22), leverages a heavy primitive to preserve security and correctness during post-processing and requires a heavy client storage burden. To guarantee robustness and constant client storage simultaneously, we devise a novel method to preserve robustness timely in the process of misoperations. Specifically, we introduce an alarm mechanism to promptly eliminate the effects of misoperations. Based on the misoperation alarm mechanism and the vORAM+HIRB oblivious map (S&P’16), we propose a new DSSE scheme Themis. In addition to satisfying robustness and constant client storage, it has competitive search and update performance compared to prior representative DSSE schemes. Moreover, it is superior to existing robust schemes in search.
Article
The Internet of Things (IoT) boom has enabled massive data collection in cloud servers. Therefore, access efficiency and data privacy in cloud storage services have become a significant concern. Data and users are hierarchical in IoT applications, which require fine-grained multi-level access control. Additionally, achieving public verification to resist the malicious server and clients is indispensable. Aiming at the challenge above, we propose a new forward private multi-level dynamic searchable symmetric encryption (DSSE) scheme called Peony, employing multi-level linked lists and constrained pseudorandom function, which is more efficient and secure. Then, we introduce a cryptographic primitive named multi-level symmetric revocable encryption (MSRE), and we give a general method for constructing a novel forward and type-II backward-private multi-level DSSE scheme Peony++ based on MSRE. Further, we design the multi-level digests and utilize the smart contract as a trusted platform to support public verification for Peony++. Theoretical analysis and experimental evaluations show that Peony achieves higher security and reduces search time by an average of 35.81% compared to the state-of-the-art multi-level DSSE scheme. To the best of our knowledge, Peony++ is the only multi-level searchable encryption currently available that can achieve forward and type-II backward privacy, all while balancing efficiency and functionality.
Article
In this paper, we propose a Mergeable Searchable Symmetric Encryption (MSSE) scheme to enable secure keyword search and updates over encrypted cloud data. Particularly, MSSE allows flexible keyword merging, where users can remotely merge file identifiers associated with keywords to create new keyword-to-file identifier relationships. The function is designed for a user to manage their outsourced data conveniently. To this end, we first introduce a new encrypted index where each keyword's relevant file identifiers are grouped, encoded, and encrypted with super-increasing sequences and homomorphic encryption. With such an index, users leverage Distributed Multipoint Functions (DMPFs) to achieve secure keyword search and merge, maintaining efficiency while ensuring high privacy. To address the issue of maintaining “merging consistency” between pre-merged entries and newly updated entries, we employ the DMPF on clusters that incorporate the updated files. The approach significantly minimizes client-side computational overhead compared to re-executing the entire keyword merging process. We formally prove that MSSE can achieve parallel privacy. Extensive performance evaluation shows that MSSE is efficient in terms of computational and communication overheads.
Conference Paper
Full-text available
The ability to query and update over encrypted data is an essential feature to enable breach-resilient cyber-infrastructures. Statistical attacks on searchable encryption (SE) have demonstrated the importance of sealing information leaks in access patterns. In response to such attacks, the community has proposed the Oblivious Random Access Machine (ORAM). However, due to the logarithmic communication overhead of ORAM, the composition of ORAM and SE is known to be costly in the conventional client-server model, which poses a critical barrier toward its practical adaptations. In this paper, we propose a novel hardware-supported privacy-enhancing platform called Practical Oblivious Search and Update Platform (POSUP), which enables oblivious keyword search and update operations on large datasets with high efficiency. We harness Intel SGX to realize efficient oblivious data structures for oblivious search/update purposes. We implemented POSUP and evaluated its performance on a Wikipedia dataset containing ≥2²⁹ keyword-file pairs. Our implementation is highly efficient, taking only 1 ms to access a 3 KB block with Circuit-ORAM. Our experiments have shown that POSUP offers up to 70× less end-to-end delay with 100× reduced network bandwidth consumption compared with the traditional ORAM-SE composition without secure hardware. POSUP is also at least 4.5× faster for up to 99.5% of keywords that can be searched compared with state-of-the-art Intel SGX-assisted search platforms.
Article
Full-text available
Recently, several practical attacks raised serious concerns over the security of searchable encryption. The attacks have brought emphasis on forward privacy, which is the key concept behind solutions to the adaptive leakage-exploiting attacks, and will very likely become mandatory in the design of new searchable encryption schemes. For a long time, forward privacy has implied inefficiency, and thus most existing searchable encryption schemes do not support it. Very recently, Bost (CCS 2016) showed that forward privacy can be obtained without inducing a large communication overhead. However, Bost's scheme is constructed with a relatively inefficient public key cryptographic primitive, and has a poor I/O performance. Both of the deficiencies significantly hinder the practical efficiency of the scheme, and prevent it from scaling to large data settings. To address the problems, we first present FAST, which achieves forward privacy and the same communication efficiency as Bost's scheme, but uses only symmetric cryptographic primitives. We then present FASTIO, which retains all good properties of FAST, and further improves I/O efficiency. We implemented the two schemes and compared their performance with Bost's scheme. The experiment results show that both our schemes are highly efficient, and FASTIO achieves a much better scalability due to its optimized I/O.
Article
Full-text available
Searchable symmetric encryption (SSE) enables a client to perform searches over its outsourced encrypted files while preserving privacy of the files and queries. Dynamic schemes, where files can be added or removed, leak more information than static schemes. For dynamic schemes, forward privacy requires that a newly added file cannot be linked to previous searches. We present a new dynamic SSE scheme that achieves forward privacy by replacing the keys revealed to the server on each search. Our scheme is efficient and parallelizable and outperforms the best previous schemes providing forward privacy, and achieves competitive performance with dynamic schemes without forward privacy. We provide a full security proof in the random oracle model. In our experiments on the Wikipedia archive of about four million pages, the server takes one second to perform a search with 100,000 results.
Article
Full-text available
Searchable Encryption (SE) allows a user to upload data to the cloud and to search it in a remote fashion while preserving the privacy of both the data and the queries. Recent research results describe attacks on SE schemes using the access pattern, denoting the ids of documents matching search queries, which most SE schemes reveal during query processing. However SE schemes usually leak more than just the access pattern, and this extra leakage can lead to attacks (much) more harmful than the ones using basic access pattern leakage only. We remark that in the special case of Multi-User Searchable Encryption (MUSE), where many users upload and search data in a cloud-based infrastructure, a large number of existing solutions have a common leakage in addition to the well-studied access pattern leakage. We show that this
Article
Full-text available
This work presents the design and analysis of the first searchable symmetric encryption (SSE) protocol that supports conjunctive search and general Boolean queries on outsourced symmetrically-encrypted data and that scales to very large databases and arbitrarily-structured data including free text search. To date, work in this area has focused mainly on single-keyword search. For the case of conjunctive search, prior SSE constructions required work linear in the total number of documents in the database and provided good privacy only for structured attribute-value data, rendering these solutions too slow and inflexible for large practical databases. In contrast, our solution provides a realistic and practical trade-off between performance and privacy by efficiently supporting very large databases at the cost of moderate and well-defined leakage to the outsourced server (leakage is in the form of data access patterns, never as direct exposure of plaintext data or searched values). We present a detailed formal cryptographic analysis of the privacy and security of our protocols and establish precise upper bounds on the allowed leakage. To demonstrate the real-world practicality of our approach, we provide performance results of a prototype applied to several large representative data sets, including encrypted search over the whole English Wikipedia (and beyond).
Conference Paper
Full-text available
We consider the problem of encrypting structured data (e.g., a web graph or a social network) in such a way that it can be efficiently and privately queried. For this purpose, we introduce the notion of structured encryption which generalizes previous work on symmetric searchable encryption (SSE) to the setting of arbitrarily-structured data. We present a model for structured encryption, a formal security definition and several efficient constructions. We present schemes for performing queries on two simple types of structured data, specifically lookup queries on matrix-structured data, and search queries on labeled data. We then show how these can be used to construct efficient schemes for encrypting graph data while allowing for efficient neighbor and adjacency queries. Finally, we consider data that exhibits a more complex structure such as labeled graph data (e.g., web graphs). We show how to encrypt this type of data in order to perform focused subgraph queries, which are used in several web search algorithms. Our construction is based on our labeled data and basic graph encryption schemes and provides insight into how several simpler algorithms can be combined to generate an efficient scheme for more complex queries.
Article
We present Path ORAM, an extremely simple Oblivious RAM protocol with a small amount of client storage. Partly due to its simplicity, Path ORAM is the most practical ORAM scheme known to date with small client storage. We formally prove that Path ORAM has an O(log N) bandwidth cost for blocks of size B = Ω(log² N) bits. For such block sizes, Path ORAM is asymptotically better than the best-known ORAM schemes with small client storage. Due to its practicality, Path ORAM has been adopted in the design of secure processors since its proposal.
Conference Paper
The recently proposed file-injection type attacks are highlighting the importance of forward security in dynamic searchable symmetric encryption (DSSE). Forward security makes it possible to thwart those attacks by hiding the information about the newly added files matching a previous search query. However, there are still only a few DSSE schemes that provide forward security, and they have factors that hinder efficiency. In particular, none of these schemes supports actual data deletion, which increases both storage space and computational complexity. In this paper, we design and implement a forward secure DSSE scheme with optimal search and update complexity, from both the computation and communication points of view. As a starting point, we propose a new, simple, theoretical data structure, called dual dictionary, that can take advantage of both the inverted and the forward indexes at the same time. This data structure allows data to be deleted explicitly and in real time, which greatly improves efficiency compared to previous works. In addition, our scheme provides forward security by encrypting the newly added data with fresh keys not related to the previous search tokens. We implemented our scheme for the Enron email and Wikipedia datasets and measured its performance. The comparison with Sophos shows that our scheme is very efficient in practice, for both searches and updates in dynamic environments.
Conference Paper
Using dynamic Searchable Symmetric Encryption, a user with limited storage resources can securely outsource a database to an untrusted server, in such a way that the database can still be searched and updated efficiently. For these schemes, it would be desirable that updates do not reveal any information a priori about the modifications they carry out, and that deleted results remain inaccessible to the server a posteriori. If the first property, called forward privacy, has been the main motivation of recent works, the second one, backward privacy, has been overlooked. In this paper, we study for the first time the notion of backward privacy for searchable encryption. After giving formal definitions for different flavors of backward privacy, we present several schemes achieving both forward and backward privacy, with various efficiency trade-offs. Our constructions crucially rely on primitives such as constrained pseudo-random functions and puncturable encryption schemes. Using these advanced cryptographic primitives allows for a fine-grained control of the power of the adversary, preventing her from evaluating functions on selected inputs, or decrypting specific ciphertexts. In turn, this high degree of control allows our SSE constructions to achieve the stronger forms of privacy outlined above. As an example, we present a framework to construct forward-private schemes from range-constrained pseudo-random functions. Finally, we provide experimental results for implementations of our schemes, and study their practical efficiency.
Conference Paper
Searchable encryption (SE) allows a client to outsource a dataset to an untrusted server while enabling the server to answer keyword queries in a private manner. SE can be used as a building block to support more expressive private queries such as range/point and boolean queries, while providing formal security guarantees. To scale SE to big data using external memory, new schemes with small locality have been proposed, where locality is defined as the number of non-continuous reads that the server makes for each query. Previous space-efficient SE schemes achieve optimal locality by increasing the read efficiency, the number of additional memory locations (false positives) that the server reads per result item. This can hurt practical performance. In this work, we design, formally prove secure, and evaluate the first SE scheme with tunable locality and linear space. Our first scheme has optimal locality and outperforms existing approaches (that have a slightly different leakage profile) by up to 2.5 orders of magnitude in terms of read efficiency, for all practical database sizes. Another version of our construction with the same leakage as previous works can be tuned to have bounded locality, optimal read efficiency and up to 60× more efficient end-to-end search time. We demonstrate that our schemes work fast in-memory as well, leading to search time savings of up to 1 order of magnitude when compared to the most practical in-memory SE schemes. Finally, our construction can be tuned to achieve trade-offs between space, read efficiency, locality, parallelism and communication overhead.
Conference Paper
Recent work on searchable symmetric encryption (SSE) has focused on increasing its expressiveness. A notable example is the OXT construction (Cash et al., CRYPTO ’13) which is the first SSE scheme to support conjunctive keyword queries with sub-linear search complexity. While OXT efficiently supports disjunctive and boolean queries that can be expressed in searchable normal form, it can only handle arbitrary disjunctive and boolean queries in linear time. This motivates the problem of designing expressive SSE schemes with worst-case sub-linear search; that is, schemes that remain highly efficient for any keyword query.
Conference Paper
We present Onion ORAM, an Oblivious RAM (ORAM) with constant worst-case bandwidth blowup that leverages poly-logarithmic server computation to circumvent the logarithmic lower bound on ORAM bandwidth blowup. Our construction does not require fully homomorphic encryption, but employs an additively homomorphic encryption scheme such as the Damgård-Jurik cryptosystem, or alternatively a BGV-style somewhat homomorphic encryption scheme without bootstrapping. At the core of our construction is an ORAM scheme that has “shallow circuit depth” over the entire history of ORAM accesses. We also propose novel techniques to achieve security against a malicious server, without resorting to expensive and non-standard techniques such as SNARKs. To the best of our knowledge, Onion ORAM is the first concrete instantiation of a constant bandwidth blowup ORAM under standard assumptions (even for the semi-honest setting).
Conference Paper
Searchable Symmetric Encryption aims at making it possible to search over an encrypted database stored on an untrusted server while keeping the privacy of both the queries and the data, by allowing some small controlled leakage to the server. Recent work shows that dynamic schemes -- in which the data is efficiently updatable -- that leak some information on updated keywords are subject to devastating adaptive attacks breaking the privacy of the queries. The only way to thwart this attack is to design forward private schemes whose update procedure does not leak whether a newly inserted element matches previous search queries. This work proposes Sophos as a forward private SSE scheme with performance similar to existing less secure schemes, and that is conceptually simpler (and also more efficient) than previous forward private constructions. In particular, it only relies on trapdoor permutations and does not use an ORAM-like construction. We also explain why Sophos is an optimal point of the security/performance tradeoff for SSE. Finally, an implementation and evaluation results demonstrate its practical efficiency.
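What forward privacy buys, as an added worked example in the spirit of Sophos but not the paper's code: the client keeps, per keyword, a search token ST_c and a counter c, and moves to ST_{c+1} with the secret inverse of a trapdoor permutation, while the server, given a search token, can only walk the chain forward (ST_c to ST_{c-1} to ... to ST_0) with the public direction. Textbook RSA with deliberately tiny, seeded keys stands in for the trapdoor permutation; the hash derivations, the 4-byte doc-id mask and the sample updates are constructions for illustration only. The demo searches for a keyword, inserts for that keyword again, and checks that the new update token is not among anything the server can derive from the search token it already holds, yet a later search still returns every entry.

```python
import hashlib, random, secrets
from typing import Dict, Iterator, List, Tuple

def _probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a toy key, not for production key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand, rng):
            return cand

class TDP:
    """Textbook RSA as a trapdoor permutation on Z_n: forward() is public, inverse() needs d.
    Keys are small and derived from a fixed seed: illustration only, never a secure choice."""
    def __init__(self, bits: int = 256, seed: int = 7):
        rng, e = random.Random(seed), 65537
        while True:
            p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
                break
        self.n, self.e, self.d = p * q, e, pow(e, -1, phi)
        self.size = (self.n.bit_length() + 7) // 8
    def forward(self, x: int) -> int:
        return pow(x, self.e, self.n)
    def inverse(self, y: int) -> int:
        return pow(y, self.d, self.n)
    def encode(self, x: int) -> bytes:
        return x.to_bytes(self.size, "big")

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"\x00".join(parts)).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """Holds the encrypted index {UT: masked doc id} and only the public direction of pi."""
    def __init__(self, tdp: TDP):
        self.tdp = tdp
        self.index: Dict[bytes, bytes] = {}
    def add(self, ut: bytes, masked_id: bytes) -> None:
        self.index[ut] = masked_id
    def chain(self, kw: bytes, st: int, steps: int) -> Iterator[Tuple[bytes, bytes]]:
        """Everything derivable from a search token: ST_c -> ST_{c-1} -> ... by applying pi()."""
        for _ in range(steps):
            stb = self.tdp.encode(st)
            yield _h(b"addr", kw, stb), _h(b"mask", kw, stb)[:4]
            st = self.tdp.forward(st)
    def search(self, kw: bytes, st: int, c: int) -> List[int]:
        return [int.from_bytes(_xor(self.index[ut], m), "big")
                for ut, m in self.chain(kw, st, c + 1) if ut in self.index]

class Client:
    def __init__(self, tdp: TDP, key: bytes = b"constructed-master-key"):
        self.tdp, self.key = tdp, key
        self.state: Dict[str, Tuple[int, int]] = {}   # w -> (ST_c, c)
    def _kw(self, w: str) -> bytes:
        return _h(b"key", self.key, w.encode())
    def update(self, w: str, doc_id: int) -> Tuple[bytes, bytes]:
        """Insert (w, doc_id): ST_{c+1} = pi^{-1}(ST_c) needs the trapdoor, so a server that
        learned ST_c in an earlier search cannot recognise the new update token."""
        if w in self.state:
            st, c = self.state[w]
            st, c = self.tdp.inverse(st), c + 1
        else:
            st, c = secrets.randbelow(self.tdp.n - 2) + 2, 0   # fresh random ST_0
        self.state[w] = (st, c)
        kw, stb = self._kw(w), self.tdp.encode(st)
        return _h(b"addr", kw, stb), _xor(doc_id.to_bytes(4, "big"), _h(b"mask", kw, stb)[:4])
    def search_token(self, w: str) -> Tuple[bytes, int, int]:
        st, c = self.state[w]
        return self._kw(w), st, c

def forward_privacy_demo(bits: int = 256) -> dict:
    """Search "alice", then insert for "alice" again, and check what the server could link."""
    tdp = TDP(bits)
    client, server = Client(tdp), Server(tdp)
    for w, d in [("alice", 1), ("bob", 2), ("alice", 3)]:    # constructed sample updates
        server.add(*client.update(w, d))
    kw, st, c = client.search_token("alice")
    first = server.search(kw, st, c)
    known = {ut for ut, _ in server.chain(kw, st, c + 10)}   # server may keep walking pi() past ST_0
    ut_new, e_new = client.update("alice", 4)                 # update after the search
    server.add(ut_new, e_new)
    return {"first": first, "linkable": ut_new in known,
            "second": server.search(*client.search_token("alice"))}
```

Note what the server does learn: once it holds a search token for w it can recover every past and future-searched entry of w, which is the permitted leakage; what it cannot do is recognise updates that arrive between two searches, because producing ST_{c+1} requires the trapdoor. Deletions are not modelled here; that is the gap backward privacy addresses.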
Conference Paper
We present TWORAM, an asymptotically efficient oblivious RAM (ORAM) protocol providing oblivious access (read and write) of a memory index y in exactly two rounds: The client prepares an encrypted query encapsulating y and sends it to the server. The server accesses memory M obliviously and returns encrypted information containing the desired value M[y]. The cost of TWORAM is only a multiplicative factor of the security parameter higher than the tree-based ORAM schemes such as the path ORAM scheme of Stefanov et al. [34]. TWORAM gives rise to interesting applications, and in particular to a 4-round symmetric searchable encryption scheme where search is sublinear in the worst case and the search pattern is not leaked; the access pattern can also be concealed assuming the documents are stored in the obliviously accessed memory M.
Conference Paper
We consider a data owner that outsources its dataset to an untrusted server. The owner wishes to enable the server to answer range queries on a single attribute, without compromising the privacy of the data and the queries. There are several schemes on "practical" private range search (mainly in Databases venues) that attempt to strike a trade-off between efficiency and security. Nevertheless, these methods either lack provable security guarantees, or permit unacceptable privacy leakages. In this paper, we take an interdisciplinary approach, which combines the rigor of Security formulations and proofs with efficient Data Management techniques. We construct a wide set of novel schemes with realistic security/performance trade-offs, adopting the notion of Searchable Symmetric Encryption (SSE) primarily proposed for keyword search. We reduce range search to multi-keyword search using range covering techniques with tree-like indexes. We demonstrate that, given any secure SSE scheme, the challenge boils down to (i) formulating leakages that arise from the index structure, and (ii) minimizing false positives incurred by some schemes under heavy data skew. We analytically detail the superiority of our proposals over prior work and experimentally confirm their practicality.
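The range-covering reduction that abstract describes, as an added worked example (not the paper's own code): values live in a domain of 2^depth points, every record is tagged with the labels of all nodes on its root-to-leaf path in a binary tree over that domain, and a range query is rewritten into the keywords of its canonical cover, at most 2·depth dyadic intervals. The "level:prefix" label format, the sample records and the plain-dict index are constructions for illustration; the encrypted keyword index an SSE scheme would put underneath is not shown. The thing to look at is the second return value of range_search: the cover nodes are exactly what the server sees, i.e. the index-structure leakage the abstract refers to under (i).

```python
from typing import Dict, List, Set, Tuple

def node_keywords(value: int, depth: int) -> List[str]:
    """Keywords a record with this value is indexed under: one label per node on its
    root-to-leaf path. Label "level:prefix" (assumed format), prefix = value >> (depth - level)."""
    return [f"{level}:{value >> (depth - level)}" for level in range(depth + 1)]

def canonical_cover(lo: int, hi: int, depth: int) -> List[str]:
    """Labels of the minimal set of tree nodes (dyadic intervals) whose union is [lo, hi]."""
    assert 0 <= lo <= hi < (1 << depth)
    cover: List[str] = []

    def visit(level: int, prefix: int) -> None:
        size = 1 << (depth - level)
        start, end = prefix * size, prefix * size + size - 1
        if end < lo or start > hi:            # disjoint from the query
            return
        if lo <= start and end <= hi:         # fully inside: one keyword covers it
            cover.append(f"{level}:{prefix}")
            return
        visit(level + 1, 2 * prefix)          # partial overlap: split into the two children
        visit(level + 1, 2 * prefix + 1)

    visit(0, 0)
    return cover

def build_index(records: List[Tuple[int, int]], depth: int) -> Dict[str, Set[int]]:
    """Plain inverted index keyword -> record ids; an SSE scheme would encrypt exactly this map."""
    index: Dict[str, Set[int]] = {}
    for rec_id, value in records:
        for kw in node_keywords(value, depth):
            index.setdefault(kw, set()).add(rec_id)
    return index

def range_search(index: Dict[str, Set[int]], lo: int, hi: int, depth: int) -> Tuple[List[int], List[str]]:
    """Range query = multi-keyword query over the cover.
    Returns (matching record ids, the tokens the server sees)."""
    tokens = canonical_cover(lo, hi, depth)
    hits: Set[int] = set()
    for t in tokens:
        hits |= index.get(t, set())
    return sorted(hits), tokens
```

With depth 4 (values 0..15) and constructed records (1,3), (2,5), (3,9), (4,12), (5,15), the query [3, 9] becomes the three keywords 4:3, 2:1 and 3:4 and returns records 1, 2 and 3. There are no false positives in this exact-cover scheme; the abstract's point (ii) concerns the variants that trade a coarser cover for fewer tokens, which is where false positives appear under data skew.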
Conference Paper
Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of non-contiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly-optimal read efficiency. Specifically, for a database of size N, under the modest assumption that no keyword appears in more than N^(1 − 1/log log N) documents, we construct a scheme with read efficiency Õ(log log N). This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT ’14) showing that any SSE scheme must be sub-optimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency Õ(log N). Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (“balls and bins”) problem that we put forward. We construct nearly-optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.
Conference Paper
We propose a new tree-based ORAM scheme called Circuit ORAM. Circuit ORAM makes both theoretical and practical contributions. From a theoretical perspective, Circuit ORAM shows that the well-known Goldreich-Ostrovsky logarithmic ORAM lower bound is tight under certain parameter ranges, for several performance metrics. Therefore, we are the first to give an answer to a theoretical challenge that remained open for the past twenty-seven years. Second, Circuit ORAM earns its name because it achieves (almost) optimal circuit size both in theory and in practice for realistic choices of block sizes. We demonstrate compelling practical performance and show that Circuit ORAM is an ideal candidate for secure multi-party computation applications.
Conference Paper
We propose graph encryption schemes that efficiently support approximate shortest distance queries on large-scale encrypted graphs. Shortest distance queries are one of the most fundamental graph operations and have a wide range of applications. Using such graph encryption schemes, a client can outsource large-scale privacy-sensitive graphs to an untrusted server without losing the ability to query it. Other applications include encrypted graph databases and controlled disclosure systems. We propose GRECS (stands for GRaph EnCryption for approximate Shortest distance queries) which includes three oracle encryption schemes that are provably secure against any semi-honest server. Our first construction makes use of only symmetric-key operations, resulting in a computationally-efficient construction. Our second scheme makes use of somewhat-homomorphic encryption and is less computationally-efficient but achieves optimal communication complexity (i.e. uses a minimal amount of bandwidth). Finally, our third scheme is both computationally-efficient and achieves optimal communication complexity at the cost of a small amount of additional leakage. We implemented and evaluated the efficiency of our constructions experimentally. The experiments demonstrate that our schemes are efficient and can be applied to graphs that scale up to 1.6 million nodes and 11 million edges.
Article
Searchable (symmetric) encryption allows encryption while still enabling search for keywords. Its immediate application is cloud storage, where a client outsources its files while the (cloud) service provider should search and selectively retrieve those. Searchable encryption is an active area of research and a number of schemes with different efficiency and security characteristics have been proposed in the literature. Any scheme for practical adoption should be efficient, i.e. have sub-linear search time; dynamic, i.e. allow updates; and semantically secure to the greatest possible extent. Unfortunately, efficient, dynamic searchable encryption schemes suffer from various drawbacks. Either they deteriorate from semantic security to the security of deterministic encryption under updates, they require storing information on the client and for deleted files and keywords, or they have very large index sizes. All of this is a problem, since we can expect the majority of data to be later added or changed. Since these schemes are also less efficient than deterministic encryption, they are currently an unfavorable choice for encryption in the cloud. In this paper we present the first searchable encryption scheme whose updates leak no more information than the access pattern, that still has asymptotically optimal search time, linear, very small and asymptotically optimal index size, and can be implemented without storage on the client (except the key). Our construction is based on the novel idea of learning the index for efficient access from the access pattern itself. Furthermore, we implement our system and show that it is highly efficient for cloud storage.
Conference Paper
We design novel, asymptotically more efficient data structures and algorithms for programs whose data access patterns exhibit some degree of predictability. To this end, we propose two novel techniques, a pointer-based technique and a locality-based technique. We show that these two techniques are powerful building blocks in making data structures and algorithms oblivious. Specifically, we apply these techniques to a broad range of commonly used data structures, including maps, sets, priority-queues, stacks, deques; and algorithms, including a memory allocator algorithm, max-flow on graphs with low doubling dimension, and shortest-path distance queries on weighted planar graphs. Our oblivious counterparts of the above outperform the best known ORAM scheme both asymptotically and in practice.
Conference Paper
Dynamic Searchable Symmetric Encryption allows a client to store a dynamic collection of encrypted documents with a server, and later quickly carry out keyword searches on these encrypted documents, while revealing minimal information to the server. In this paper we present a new dynamic SSE scheme that is simpler and more efficient than existing schemes while revealing less information to the server than prior schemes, achieving fully adaptive security against honest-but-curious servers. We implemented a prototype of our scheme and demonstrated its efficiency on datasets from prior work. Apart from its concrete efficiency, our scheme is also simpler: in particular, it does not require the server to support any operation other than upload and download of data. Thus the server in our scheme can be based solely on a cloud storage service, rather than a cloud computation service as well, as in prior work. In building our dynamic SSE scheme, we introduce a new primitive called Blind Storage, which allows a client to store a set of files on a remote server in such a way that the server does not learn how many files are stored, or the lengths of the individual files; as each file is retrieved, the server learns about its existence (and can notice the same file being downloaded subsequently), but the file's name and contents are not revealed. This is a primitive with several applications other than SSE, and is of independent interest.
Conference Paper
While Searchable Encryption (SE) has been widely studied, adapting it to the multi-user setting, whereby many users can upload secret files or documents and delegate search operations to multiple other users, still remains an interesting problem. In this paper we show that the adversarial models used in existing multi-user searchable encryption solutions are not realistic, as they implicitly require that the cloud service provider cannot collude with some users. We then propose a stronger adversarial model, and a construction which is both practical and provably secure in this new model. The new solution combines the use of bilinear pairings with private information retrieval and introduces a new, non-trusted entity called “proxy” to transform each user’s search query into one instance per targeted file or document.
Article
In this paper we investigate new mechanisms for achieving forward secure encryption in store-and-forward messaging systems such as email and SMS. In a forward secure encryption scheme, a user periodically updates her secret key so that past messages remain confidential in the event that her key is compromised. A primary contribution of our work is to introduce a new form of encryption that we name puncturable encryption. Using a puncturable encryption scheme, recipients may repeatedly update their decryption keys to revoke decryption capability for selected messages, recipients or time periods. Most importantly, this update process does not require the recipients to communicate with or distribute new key material to senders. We show how to combine puncturable encryption with the forward-secure public key encryption proposal of Canetti et al. to achieve practical forward-secure messaging with low overhead. We implement our schemes and provide experimental evidence that the new constructions are practical.
Conference Paper
This paper proves a lower bound on the trade-off between server storage size and the locality of memory accesses in searchable symmetric encryption (SSE). Namely, when encrypting an index of N identifier/keyword pairs, the encrypted index must have size ω(N), or the scheme must perform searching with ω(1) non-contiguous reads to memory, or the scheme must read many more bits than is necessary to compute the results. Recent implementations have shown that non-locality of server memory accesses creates a throughput bottleneck on very large databases. Our lower bound shows that this is due to the security notion and not a defect of the constructions. An upper bound is also given in the form of a new SSE construction with an O(N log N) size encrypted index that performs O(log N) reads during a search.
Conference Paper
We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys k_S from the master key k. A constrained key k_S enables the evaluation of the PRF at a certain subset S of the domain and nowhere else. We present a formal framework for this concept and show that constrained PRFs can be used to construct powerful primitives such as identity-based key exchange and a broadcast encryption system with optimal ciphertext size. We then construct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept.
Conference Paper
We introduce two new cryptographic primitives: functional digital signatures and functional pseudorandom functions. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are signing keys for a function f, which allow one to sign any message in the range of f. As a special case, this implies the ability to generate keys for predicates P, which allow one to sign any message m for which P(m) = 1. We show applications of functional signatures to constructing succinct non-interactive arguments and delegation schemes. We give several general constructions for this primitive based on different computational hardness assumptions, and describe the trade-offs between them in terms of the assumptions they require and the size of the signatures. In a functional pseudorandom function, in addition to a master secret key that can be used to evaluate the pseudorandom function F on any point in the domain, there are additional secret keys for a function f, which allow one to evaluate F on any y for which there exists an x such that f(x) = y. As a special case, this implies pseudorandom functions with selective access, where one can delegate the ability to evaluate the pseudorandom function on inputs y for which a predicate P(y) = 1 holds. We define and provide a sample construction of a functional pseudorandom function family for prefix-fixing functions. This construction yields, in particular, punctured pseudorandom functions, which have proven an invaluable tool in recent advances in obfuscation (Sahai and Waters ePrint 2013).
Conference Paper
Garbled circuits, a classical idea rooted in the work of Yao, have long been understood as a cryptographic technique, not a cryptographic goal. Here we cull out a primitive corresponding to this technique. We call it a garbling scheme. We provide a provable-security treatment for garbling schemes, endowing them with a versatile syntax and multiple security definitions. The most basic of these, privacy, suffices for two-party secure function evaluation (SFE) and private function evaluation (PFE). Starting from a PRF, we provide an efficient garbling scheme achieving privacy and we analyze its concrete security. We next consider obliviousness and authenticity, properties needed for private and verifiable outsourcing of computation. We extend our scheme to achieve these ends. We provide highly efficient blockcipher-based instantiations of both schemes. Our treatment of garbling schemes presages more efficient garbling, more rigorous analyses, and more modularly designed higher-level protocols.
Conference Paper
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy and introduce a novel cryptographic primitive called delegatable pseudorandom functions, or DPRFs for short: A DPRF enables a proxy to evaluate a pseudorandom function on a strict subset of its domain using a trapdoor derived from the DPRF secret key. The trapdoor is constructed with respect to a certain policy predicate that determines the subset of input values which the proxy is allowed to compute. The main challenge in constructing DPRFs is to achieve bandwidth efficiency (which mandates that the trapdoor is smaller than the precomputed sequence of the PRF values conforming to the predicate), while maintaining the pseudorandomness of unknown values against an attacker that adaptively controls the proxy. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRF-querying proxy: achieving this raises new design challenges as policy privacy and bandwidth efficiency are seemingly conflicting goals. For the important class of policy predicates described as (1-dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the well-known tree-based GGM PRF family, our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constant-factor efficiency reduction, we show that our second construction is also policy private. Finally, we describe how their new security and efficiency properties render our DPRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption.
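The GGM tree that the constrained-PRF abstract, the functional/punctured-PRF abstract and the DPRF abstract above all build on, as an added example that is not code from any of those papers: keys are derived down a binary tree with a length-doubling PRG, a prefix-constrained key is simply the node key of that prefix, and a punctured key for x is the set of sibling keys along the path to x. A range policy, as in the DPRF construction, is delegated the same way, by handing out the node keys of the dyadic intervals that cover the range, which is why the trapdoor is logarithmic in the number of covered values. Using HMAC-SHA256 as the PRG, the 32-byte master key and the 8-bit domain are assumptions made for the example.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

Key = Tuple[List[int], bytes]   # (prefix bits that the key covers, node key)

def _child(key: bytes, bit: int) -> bytes:
    """GGM step: left (bit 0) or right (bit 1) child key. HMAC-SHA256 plays the PRG (assumption)."""
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()

def _descend(key: bytes, bits: List[int]) -> bytes:
    for b in bits:
        key = _child(key, b)
    return key

def _bits(x: int, depth: int) -> List[int]:
    """Most-significant bit first, so that bit-string prefixes correspond to subtrees."""
    return [(x >> i) & 1 for i in range(depth - 1, -1, -1)]

class GGMPRF:
    """F(k, x) for x in [0, 2^depth): walk the tree from the master key along the bits of x."""
    def __init__(self, master: bytes, depth: int):
        self.master, self.depth = master, depth

    def evaluate(self, x: int) -> bytes:
        return _descend(self.master, _bits(x, self.depth))

    def prefix_key(self, prefix: List[int]) -> Key:
        """Constrained key for S = {x : bits(x) starts with prefix}: just that node's key."""
        return (list(prefix), _descend(self.master, prefix))

    def puncture(self, x: int) -> List[Key]:
        """Punctured key: the sibling subtree of every node on the path to x. The holder can
        evaluate F everywhere except at x, and receives exactly `depth` node keys."""
        keys, key, path = [], self.master, []
        for b in _bits(x, self.depth):
            keys.append((path + [1 - b], _child(key, 1 - b)))
            key, path = _child(key, b), path + [b]
        return keys

def constrained_eval(keys: List[Key], x: int, depth: int) -> Optional[bytes]:
    """Evaluate F(x) from constrained keys only; None when x lies in no delegated subtree."""
    bits = _bits(x, depth)
    for prefix, key in keys:
        if bits[:len(prefix)] == prefix:
            return _descend(key, bits[len(prefix):])
    return None
```

The security claim being exercised is that a node key reveals nothing about keys outside its subtree: a proxy holding the punctured key for x learns F at every other point but F(x) stays pseudorandom, and a proxy holding a prefix key cannot evaluate outside that prefix. Policy privacy, the DPRF abstract's optional property, is not achieved by this plain construction, since the delegated prefixes are visible in the trapdoor.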
Article
Searchable symmetric encryption (SSE) allows a client to encrypt its data in such a way that this data can still be searched. The most immediate application of SSE is to cloud storage, where it enables a client to securely outsource its data to an untrusted cloud provider without sacrificing the ability to search over it. SSE has been the focus of active research and a multitude of schemes that achieve various levels of security and efficiency have been proposed. Any practical SSE scheme, however, should (at a minimum) satisfy the following properties: sublinear search time, security against adaptive chosen-keyword attacks, compact indexes and the ability to add and delete files efficiently. Unfortunately, none of the previously-known SSE constructions achieve all these properties at the same time. This severely limits the practical value of SSE and decreases its chance of deployment in real-world cloud storage systems. To address this, we propose the first SSE scheme to satisfy all the properties outlined above. Our construction extends the inverted index approach (Curtmola et al., CCS 2006) in several non-trivial ways and introduces new techniques for the design of SSE. In addition, we implement our scheme and conduct a performance evaluation, showing that our approach is highly efficient and ready for deployment.
Article
We present Path ORAM, an extremely simple Oblivious RAM protocol with a small amount of client storage. Partly due to its simplicity, Path ORAM is the most practical ORAM scheme known to date. We formally prove that Path ORAM requires O(log^2 N / k) bandwidth overhead for block size B = k * log N. For block sizes bigger than O(log^2 N) bits, Path ORAM is asymptotically better than the best known ORAM scheme with small client storage. Due to its practicality, Path ORAM has been adopted in the design of secure processors since its proposal.
Conference Paper
We propose a fully homomorphic encryption scheme - i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result - that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable - i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.
Conference Paper
Oblivious RAM is a useful primitive that allows a client to hide its data access patterns from an untrusted server in storage outsourcing applications. Until recently, most prior works on Oblivious RAM aimed to optimize its amortized cost, while suffering from linear or even higher worst-case cost. Such poor worst-case behavior renders these schemes impractical in realistic settings, since a data access request can occasionally be blocked waiting for an unreasonably large number of operations to complete. This paper proposes novel Oblivious RAM constructions that achieve poly-logarithmic worst-case cost, while consuming constant client-side storage. To achieve the desired worst-case asymptotic performance, we propose a novel technique in which we organize the O-RAM storage into a binary tree over data buckets, while moving data blocks obliviously along tree edges.
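The tree-based ORAM the two preceding abstracts describe (the binary tree over data buckets, and Path ORAM's position map plus stash), as an added simulation that is not either paper's code. Server storage is a complete binary tree of buckets holding up to Z blocks each; the client keeps a position map (block address to leaf) and a stash. An access reads the whole path to the block's current leaf into the stash, remaps the block to a fresh random leaf, serves the read or write from the stash, and writes the path back greedily from the leaf bucket up to the root, placing each block as deep as its new leaf allows. Block encryption and dummy-block padding are omitted so that only the access-pattern logic remains; bucket_size=4 and the seeded RNG are assumptions for the example.

```python
import random
from typing import Dict, List, Optional, Tuple

class PathORAM:
    """Path ORAM simulation. Server side: a heap-indexed binary tree of buckets (node 1 is the
    root) holding up to Z (addr, data) blocks each. Client side: position map and stash."""
    def __init__(self, n_blocks: int, bucket_size: int = 4, seed: int = 1):
        self.rng, self.Z = random.Random(seed), bucket_size          # seeded RNG: assumption
        self.L = max(1, (n_blocks - 1).bit_length())                # 2^L leaves >= n_blocks
        self.n_leaves = 1 << self.L
        self.tree: List[List[Tuple[int, bytes]]] = [[] for _ in range(2 * self.n_leaves)]
        self.position: Dict[int, int] = {a: self.rng.randrange(self.n_leaves) for a in range(n_blocks)}
        self.stash: Dict[int, bytes] = {}
        self.last_path: List[int] = []                              # what the server observed last

    def _path(self, leaf: int) -> List[int]:
        """Heap indices from the leaf bucket up to the root."""
        node, nodes = leaf + self.n_leaves, []
        while node >= 1:
            nodes.append(node)
            node //= 2
        return nodes

    def _on_path(self, leaf: int, node: int) -> bool:
        """True if node is the leaf bucket of this leaf or one of its ancestors."""
        x = leaf + self.n_leaves
        return (x >> (x.bit_length() - node.bit_length())) == node

    def access(self, op: str, addr: int, data: Optional[bytes] = None) -> Optional[bytes]:
        """op is "read" or "write". The server sees only the path read and written back."""
        leaf = self.position[addr]
        self.position[addr] = self.rng.randrange(self.n_leaves)     # remap to a fresh random leaf
        self.last_path = path = self._path(leaf)
        for node in path:                                           # read the whole path into the stash
            for a, d in self.tree[node]:
                self.stash[a] = d
            self.tree[node] = []
        old = self.stash.get(addr)
        if op == "write":
            self.stash[addr] = data
        for node in path:                                           # write back, deepest bucket first
            fits = [a for a in self.stash if self._on_path(self.position[a], node)][: self.Z]
            self.tree[node] = [(a, self.stash.pop(a)) for a in fits]
        return old
```

Two things to check when reading this: every access touches exactly L+1 buckets regardless of the address (the server sees a path chosen by a leaf that was assigned uniformly at random and is never reused), and the stash holds whatever did not fit on the written-back path; Path ORAM's analysis bounds that stash size, which is the property a real deployment must size client memory for.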
Conference Paper
We consider the following problem: a user U wants to store his files in an encrypted form on a remote file server S. Later the user U wants to efficiently retrieve some of the encrypted files containing (or indexed by) specific keywords, keeping the keywords themselves secret and not jeopardizing the security of the remotely stored files. For example, a user may want to store old e-mail messages encrypted on a server managed by Yahoo or another large vendor, and later retrieve certain messages while travelling with a mobile device. In this paper, we offer solutions for this problem under well-defined security requirements. Our schemes are efficient in the sense that no public-key cryptosystem is involved. Indeed, our approach is independent of the encryption method chosen for the remote files. They are also incremental, in that U can submit new files which are secure against previous queries but still searchable against future queries.
Article
Searchable symmetric encryption (SSE) allows a party to outsource the storage of his data to another party in a private manner, while maintaining the ability to selectively search over it. This problem has been the focus of active research and several security definitions and constructions have been proposed. In this paper we review existing security definitions, pointing out their shortcomings, and propose two new stronger definitions which we prove equivalent. We then present two constructions that we show secure under our new definitions. Interestingly, in addition to satisfying stronger security guarantees, our constructions are more efficient than all previous constructions. Further, prior work on SSE only considered the setting where only the owner of the data is capable of submitting search queries. We consider the natural extension where an arbitrary group of parties other than the owner can submit search queries. We formally define SSE in this multi-user setting, and present an efficient construction.
Conference Paper
It is desirable to store data on data storage servers such as mail servers and file servers in encrypted form to reduce security and privacy risks. But this usually implies that one has to sacrifice functionality for security. For example, if a client wishes to retrieve only documents containing certain words, it was not previously known how to let the data storage server perform the search and answer the query, without loss of data confidentiality. We describe our cryptographic schemes for the problem of searching on encrypted data and provide proofs of security for the resulting cryptosystems. Our techniques have a number of crucial advantages. They are provably secure: they provide provable secrecy for encryption, in the sense that the untrusted server cannot learn anything about the plaintext when only given the ciphertext; they provide query isolation for searches, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; they provide controlled searching, so that the untrusted server cannot search for an arbitrary word without the user's authorization; they also support hidden queries, so that the user may ask the untrusted server to search for a secret word without revealing the word to the server. The algorithms presented are simple, fast (for a document of length n, the encryption and search algorithms only need O(n) stream cipher and block cipher operations), and introduce almost no space and communication overhead, and hence are practical to use today.
Implementation of Mitra, Orion, Horus, Fides, and DianaDel
  • Javad Ghareh Chamani
Javad Ghareh Chamani. 2018. Implementation of Mitra, Orion, Horus, Fides, and DianaDel. https://github.com/jgharehchamani/SSE.
FFSSE: Flexible Forward Secure Searchable Encryption with Efficient Performance
  • Zheli Liu
  • Siyi Lv
  • Yu Wei
  • Jin Li
  • Joseph K Liu
  • Yang Xiang
Zheli Liu, Siyi Lv, Yu Wei, Jin Li, Joseph K. Liu, and Yang Xiang. 2017. FFSSE: Flexible Forward Secure Searchable Encryption with Efficient Performance. IACR Cryptology ePrint Archive 2017 (2017), 1105. http://eprint.iacr.org/2017/1105
Foundations of garbled circuits
  • Mihir Bellare
  • Viet Tung Hoang
  • Phillip Rogaway
Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. 2012. Foundations of garbled circuits.
Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation
  • David Cash
  • Joseph Jaeger
  • Stanislaw Jarecki
  • Charanjit S. Jutla
  • Hugo Krawczyk
  • Marcel-Catalin Rosu
  • Michael Steiner
David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit S. Jutla, Hugo Krawczyk, Marcel-Catalin Rosu, and Michael Steiner. 2014. Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation. In NDSS, Vol. 14. 23-26.
Highly-scalable searchable symmetric encryption with support for boolean queries
  • David Cash
  • Stanislaw Jarecki
  • Charanjit Jutla
  • Hugo Krawczyk
  • Marcel-Catalin Rosu
  • Michael Steiner
David Cash, Stanislaw Jarecki, Charanjit Jutla, Hugo Krawczyk, Marcel-Catalin Rosu, and Michael Steiner. 2013. Highly-scalable searchable symmetric encryption with support for boolean queries. In CRYPTO 2013.
The Fallacy of Composition of Oblivious RAM and Searchable Encryption
  • Muhammad Naveed
Muhammad Naveed. 2015. The Fallacy of Composition of Oblivious RAM and Searchable Encryption. IACR Cryptology ePrint Archive 2015 (2015), 668. http://eprint.iacr.org/2015/668
All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption
  • Yupeng Zhang
  • Jonathan Katz
  • Charalampos Papamanthou
Yupeng Zhang, Jonathan Katz, and Charalampos Papamanthou. 2016. All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption. In USENIX Security 2016. 707-720.
Practical Private Range Search Revisited
  • Minos N. Garofalakis
OpenSSL: The open source toolkit for SSL/TLS
The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS. 2003. https://www.openssl.org/.