Dynamic Searchable Symmetric Encryption with
Strong Security and Robustness
Haochen Dou, Zhenwu Dan, Peng Xu, Member, IEEE, Wei Wang, Member, IEEE, Shuning Xu, Tianyang Chen,
Hai Jin, Fellow, IEEE
Abstract—Dynamic Searchable Symmetric Encryption (DSSE) is a prospective technique in the field of cloud storage for secure search over encrypted data. A DSSE client can issue update queries to an honest-but-curious server to add or delete his ciphertexts to or from the server, and can delegate keyword search over those ciphertexts to the server. Numerous investigations focus on achieving strong security, like forward-and-Type-I⁻-backward security, to reduce the information leakage of DSSE to the server as much as possible. However, the existing DSSE schemes with such strong security cannot keep search correctness and stable security (robustness, in short) if the client unintentionally issues irrational queries to the server, like duplicate add or delete queries, or delete queries that remove non-existent entries. Hence, this work proposes two new DSSE schemes, named SR-DSSE_a and SR-DSSE_b, respectively. Both schemes achieve forward-and-Type-I⁻-backward security while keeping robustness when irrational queries are issued. In terms of performance, SR-DSSE_a has lower communication cost and fewer roundtrips than SR-DSSE_b. In contrast, SR-DSSE_b has better search performance than SR-DSSE_a; its search performance is close to that of the existing DSSE scheme with the same security, which, however, fails to achieve robustness.
Index Terms—Dynamic Searchable Symmetric Encryption, Forward Security, Backward Security, Robustness
I. INTRODUCTION
Dynamic Searchable Symmetric Encryption (DSSE) [1] is a widely used technique for performing secure keyword searches over ciphertexts that are constantly changing. In DSSE applications, all data of the client is encrypted and stored in remote environments like the cloud, which helps to maintain data confidentiality. DSSE enables the client to issue update queries to add or delete ciphertexts to or from the cloud and to delegate keyword search queries over his ciphertexts to the cloud while maintaining keyword confidentiality [2]. Many software products, such as the Mitsubishi Information and Communication System¹ and the Crypteron security platform², have made extensive use of DSSE.
H. Dou, Z. Dan, P. Xu, S. Xu, and T. Chen are with the National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Lab, Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, 430074, China. H. Dou is also with the State Key Laboratory of Cryptology, P. O. Box 5159, Beijing, 100878, China. Emails: {haochendou, danzw, xupeng, xusn, chentianyang}@mail.hust.edu.cn.
H. Jin is with the National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, 430074, China. Email: hjin@hust.edu.cn.
W. Wang is with the Cyber-Physical-Social Systems Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China. Email: viviawangww@gmail.com.
Recently, numerous researchers have paid attention to developing DSSE with strong security, to restrict the information leakage of DSSE as much as possible. Stefanov et al. made a notable step in this direction by defining two new kinds of security, named forward security and backward security [3]. The former requires that no new update query leaks information about the keywords of earlier queries, while the latter guarantees that an attacker cannot learn "too much" information about the update queries issued between any two adjacent search queries. Following this seminal work, Bost et al. categorized backward security into three types, denoted Type-I, Type-II, and Type-III, which restrict the information leakage from strong to weak [4]. To restrict the information leakage further, Zuo et al. proposed Type-I⁻-backward security, which is the strongest one so far as we know [5].
In brief, Type-I⁻-backward security requires that the information leaked by a search query consists only of which files match the query and when the related update queries were issued. Note that under Type-I⁻-backward security, an attacker cannot distinguish add queries from delete queries. Compared with Type-I⁻-backward security, Type-I-backward security additionally allows the search query to leak when the related add queries were issued. Under Type-II-backward security, the leakage of the search query additionally includes when the related add and delete queries were issued. Finally, compared with Type-II-backward security, the weaker Type-III-backward security also allows a search query to leak the relationships between the related add and delete queries, namely which add queries a delete query wants to remove.
A. Motivation
For the time being, FB-DSSE was the first scheme proposed to achieve forward-and-Type-I⁻-backward security [5]. It uses a bitmap index to represent all possible file identifiers. Each FB-DSSE ciphertext contains a keyword and an assigned bitmap index that denotes which files are paired with the keyword. When receiving a keyword search query, the server first computes the corresponding indexes. Using these indexes, the server retrieves the relevant ciphertexts, aggregates them into one by an additively homomorphic operation, and finally returns the aggregated ciphertext to the client. The returned ciphertext contains a bitmap index that denotes all the files matching the search query. Later, three other DSSE schemes, named FBDSSE-CQ, SFBDSSE-CQ [9], and FBDSSE-RQ [10], were proposed to obtain forward-and-Type-I⁻-backward security. In particular, FBDSSE-CQ and SFBDSSE-CQ aim at conjunctive keyword search, whereas FBDSSE-RQ aims at range keyword search.
¹ https://www.mitsubishielectric.com/en/about/rd/research/highlights/communications
² https://www.crypteron.com/
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2024.3350330
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
Table I: Comparisons with prior DSSE works. N is the total number of keyword/file-identifier pairs, |W| denotes the number of distinct keywords, and |F| denotes the total number of distinct files. For keyword w, a_w is the total number of inserted entries, d_w is the number of delete queries, n_w is the number of files currently containing w, s_w is the number of search queries that occurred, i_w is the total number of add queries, and s′_w is a number with s′_w ≤ s_w. All schemes except ROSE have a_w = n_w + d_w; specifically, ROSE has a_w = n_w + s′_w + d_w. RT is the number of round trips for search until the client obtains the matching file identifiers. FS and BS stand for forward security and backward security, respectively. Comp. and Comm. are abbreviations of computation and communication, respectively. The notation Õ hides polylogarithmic factors.
Scheme                 | Robust | FS  | BS  | Search Comp.            | Search Comm.            | RT       | Update Comp. | Update Comm. | Client Storage
IM-DSSE_II [6]         | no     | yes | III | O(|F|)                  | O(|F|)                  | 1        | O(|W|)       | O(|W|)       | O(|W| + |F|)
IM-DSSE_I+II [6]       | no     | yes | III | O(|F|)                  | O(|F|)                  | 1        | O(|W|)       | O(|W|)       | O(|W| + |F|)
ORION [7]              | no     | yes | I   | O(n_w log² N)           | O(n_w log² N)           | O(log N) | O(log² N)    | O(log² N)    | O(1)
FB-DSSE [5]            | no     | yes | I⁻  | O(a_w)                  | O(|F|)                  | 1        | O(1)         | O(|F|)       | O(|W| · log|F|)
ROSE [8]               | yes    | yes | III | O((n_w + s′_w + 1) d_w) | O(n_w)                  | 1        | O(1)         | O(1)         | O(|W| · log|F|)
Moneta [4]             | yes    | yes | I   | Õ(a_w log N + log³ N)   | Õ(a_w log N + log³ N)   | 2        | Õ(log² N)    | Õ(log³ N)    | O(1)
SR-DSSE_a (Section IV) | yes    | yes | I⁻  | O(a_w |F|)              | O(|F|)                  | 1        | O(|F|)       | O(|F|)       | O(|W| · log|F|)
SR-DSSE_b (Section V)  | yes    | yes | I⁻  | O(a_w)                  | O(|F|)                  | 2        | O(1)         | O(|F|)       | O(|W| · log|F|)
All the aforementioned works achieve forward-and-Type-I⁻-backward security. However, they fail to ensure stable search correctness and security (referred to as robustness for brevity) in case the client unintentionally issues irrational queries. The robustness of DSSE was first investigated by Xu et al. [8]. They demonstrated that a practical DSSE scheme must be robust, since it is very hard to rule out mistakes by a careless client, like issuing duplicate add or delete queries, or issuing delete queries that remove non-existent entries. They constructed a DSSE scheme named ROSE that obtains robustness and forward-and-Type-III-backward security. Hence, a natural open problem is: "Could we construct a DSSE scheme that obtains robustness and forward-and-Type-I⁻-backward security simultaneously?"
B. Our Contributions
We give a solid answer to this question in this work. First, before giving our solutions, we have to redefine forward-and-Type-I⁻-backward security such that the new definition allows an attacker to issue irrational queries, simulating the careless client (Section II). Note that the traditional definition of forward-and-Type-I⁻-backward security implicitly assumes that irrational queries are not issued. Second, we find that the bitmap index adopted in FB-DSSE cannot correctly represent the client's update queries at search time. For example, if two duplicate add queries are issued to insert the same keyword and file, the correct search result should naturally contain this file. But the bitmap index returned by an FB-DSSE search query indicates that this file has been removed. We give an efficient solution to this problem: we construct a new kind of bitmap index, named the bi-bitmap index, and design a particular boolean circuit to support the aggregation of ciphertexts when searching a keyword, such that the index returned by a search represents the correct search result (Section III).
In Section IV, we construct the first DSSE scheme, named SR-DSSE_a, that achieves robustness and forward-and-Type-I⁻-backward security simultaneously. SR-DSSE_a applies our bi-bitmap index and the particular boolean circuit. To evaluate that circuit over ciphertexts, SR-DSSE_a applies Torus Fully Homomorphic Encryption (TFHE) [11]. Once the client issues a search query and sends the trapdoor to the server, the SR-DSSE_a server can itself retrieve and aggregate the corresponding ciphertexts. Hence, SR-DSSE_a achieves non-interactive aggregation of ciphertexts: the search process takes one communication roundtrip, and the client's overhead when searching a keyword is small.
To improve search performance, we construct the second DSSE scheme, named SR-DSSE_b, in Section V. SR-DSSE_b has the same robustness and strong security as SR-DSSE_a. When searching a keyword, SR-DSSE_b applies an interactive method to aggregate the ciphertexts. Specifically, after the server finds all matching ciphertexts, it returns them to the client. The client decrypts them, aggregates the bi-bitmap indexes they contain, re-encrypts the aggregated index, and uploads the result to the server for the next search of that keyword. Compared with SR-DSSE_a, SR-DSSE_b spares the server the expensive aggregation process and thus reduces the server's search overhead. Although SR-DSSE_b increases the number of communication roundtrips and the client's overhead, its total search performance is still much better than that of SR-DSSE_a.
Table I compares SR-DSSE_a and SR-DSSE_b with previous DSSE schemes that achieve robustness (Moneta and ROSE), at least forward-and-Type-I-backward security (ORION and FB-DSSE), or state-of-the-art practical performance with a bitmap-based index (IM-DSSE_II and IM-DSSE_I+II). Compared to Moneta and ROSE, SR-DSSE_a and SR-DSSE_b achieve a higher level of backward security. Compared to ORION and FB-DSSE, our schemes achieve robustness. Finally, compared to IM-DSSE_II and IM-DSSE_I+II, SR-DSSE_a and SR-DSSE_b achieve both robustness and a higher level of backward security. In particular, SR-DSSE_b achieves higher search computation efficiency than Moneta and ROSE, and higher update computation efficiency than Moneta, ORION, IM-DSSE_II, and IM-DSSE_I+II.
In the experimental part (Section VI), we test SR-DSSE_a and SR-DSSE_b and compare them with FB-DSSE. First, we measure the client overhead of the three schemes during a keyword search. The experimental results show that SR-DSSE_a has a constant client time cost, while both SR-DSSE_b and FB-DSSE have a client time cost that grows linearly with the total number of retrieved ciphertexts. For search bandwidth, both SR-DSSE_a and FB-DSSE are constant, and SR-DSSE_b incurs a cost linear in the number of matching ciphertexts. Furthermore, if the number of matching ciphertexts is less than 4,210, the bandwidth cost of SR-DSSE_b is lower than that of SR-DSSE_a.
Second, we measure the total search time of SR-DSSE_b and compare it with FB-DSSE. Note that the total search time consists of both the server's and the client's time during a keyword search. Both SR-DSSE_b and FB-DSSE have a search time linear in the number of matching ciphertexts, and SR-DSSE_b is better than FB-DSSE in practice once a keyword has been searched several times. The main reason is that the client time of SR-DSSE_b depends only on the number of matching ciphertexts added between two adjacent search queries, whereas the client time of FB-DSSE is always determined by the total number of matching ciphertexts.
In summary, our contributions are:
1) We redefine DSSE and its forward-and-Type-I⁻-backward security in the context of robustness, and design the bi-bitmap index and its boolean circuit as building blocks of our DSSE schemes.
2) We construct two new DSSE schemes, SR-DSSE_a and SR-DSSE_b, that achieve robustness and forward-and-Type-I⁻-backward security simultaneously. The two proposed schemes outperform previous DSSE works in many aspects, e.g., robustness, security, or performance.
3) Finally, we test SR-DSSE_a and SR-DSSE_b and compare them with FB-DSSE. The numerical results show that SR-DSSE_a has a better client time cost, and that the total search time cost of SR-DSSE_b is better.
II. ROBUST DSSE AND ITS SECURITY DEFINITIONS
A robust DSSE scheme must keep search correctness and stable security even if the client issues irrational update queries, like duplicate add or delete queries and delete queries that remove non-existent entries. Because the correctness and the security of DSSE are defined separately rather than unified, we integrate robustness into each of those two properties. In this section, we redefine the formal concept of DSSE and its forward-and-Type-I⁻-backward security in the context of robustness.
Definition 1 (Robust DSSE). A robust DSSE scheme Σ consists of three core protocols:
Σ.Setup(λ, n): With the security parameter λ and the maximum number n of files as inputs, the client initializes an empty encrypted database EDB (kept remotely), a master secret key K_Σ, and a secret state σ (both kept locally by the client);
Σ.Update(K_Σ, σ, op, (w, F); EDB): To update (add or delete) some files containing the same keyword w on the server, the client takes K_Σ, σ, and the entry (w, F) as inputs, where F is the set of those files' identifiers, generates an update token, and sends it to the server. Finally, the server updates EDB as the client intends;
Σ.Search(K_Σ, w, σ; EDB): Given the master secret key K_Σ, the expected keyword w, and the secret state σ, the client generates the corresponding search trapdoor and sends it to the server. Then all the ciphertexts containing keyword w are retrieved from EDB. Finally, the client outputs the identifiers of the files containing keyword w.
A robust DSSE scheme must be consistent in every scenario. That is, for any pair of keyword w and file identifier f, no matter how many times this pair is updated (added or deleted), the output of Σ.Search(K_Σ, w, σ; EDB) always contains f if the final update of the pair was an add, and otherwise does not contain f.
Before redefining forward-and-Type-I⁻-backward security, we redefine the L-adaptive security of a robust DSSE scheme Σ, where L = (L_Setup, L_Update, L_Search) consists of the setup, update, and search leakage functions, which denote the information leaked by each protocol. Compared to the traditional security definition, the redefined security allows the adversary to issue irrational update queries. The adaptive security definition always involves two games: a game presenting the actual interactions, named REAL, and a game presenting simulated ones, named IDEAL. In the real game, an adversary can issue any update or search query (including irrational queries) multiple times; the interactions generate real transcripts that the adversary observes. In the ideal game, the adversary A can issue the same queries as in the real game, and a simulator takes L as input to forge the corresponding transcripts for the adversary. If the adversary is unable to distinguish the real game from the ideal game, the robust DSSE scheme is said to be adaptively secure. The formal definition is as follows.
Definition 2 (L-adaptive-security of a robust DSSE). A robust DSSE scheme Σ is L-adaptively secure if, for any adversary A, there exists an efficient simulator S (taking L as input) such that $|\Pr[\mathrm{REAL}_{A}(\lambda) = 1] - \Pr[\mathrm{IDEAL}_{A,S}(\lambda) = 1]|$ is negligible, where REAL_A(λ) and IDEAL_{A,S}(λ) are as follows:
REAL_A(λ): In the real game, the DSSE protocols are implemented exactly as in the real world. The adversary A can issue arbitrary update or search queries (including irrational queries), observes the transcripts of the protocols' execution, and finally outputs a bit b ∈ {0,1};
IDEAL_{A,S}(λ): As in the real game, the adversary A issues the same update or search queries. With L as input, the simulator S simulates the transcripts of the protocols' execution. At the end, the adversary A outputs a bit b ∈ {0,1}.
Under forward-and-Type-I⁻-backward security, the leakage L in the above definition must not exceed an expected bound. Hence, we first define some basic leakage functions. Let Q denote the list of all issued search queries, each of the form (t, w), where t denotes the timestamp of the search query and w the searched keyword. Let U denote the list of all issued update queries, each of the form (t, op, (w, F)), where t denotes the timestamp of the update query, op ∈ {add, delete}, and (w, F) denotes the updated keyword and the set of modified file identifiers. The basic leakage functions are defined as follows:
$srch(w) = \{t \mid (t, w) \in Q\}$: the search pattern leakage function takes a searched keyword w as input and outputs the timestamps of the historical search queries of w;
$rst(w) = \{F' \mid (t, op, (w, F)) \in U,\ F' \text{ consists of the non-deleted file identifiers in } F\}$: the result pattern leakage function outputs the currently non-deleted file identifiers matching a given keyword w;
$Time(w) = \{t \mid (t, op, (w, F)) \in U\}$: this leakage function outputs the timestamps t of all historical add and delete queries associated with a given keyword w.
With the basic leakage functions defined above, we can define the forward-and-Type-I⁻-backward security of a robust DSSE scheme as follows. Note that because forward-and-Type-I⁻-backward security leaks quite little information, the leakage functions defined below are quite similar to those defined for FB-DSSE. But we emphasize that they differ in essence: our leakage functions are defined under the assumption that the client may issue irrational update queries, whereas those of FB-DSSE assume the opposite.
Definition 3 (Forward-and-Type-I⁻-Backward Security). Let Σ be a robust and L-adaptively-secure DSSE scheme. If its update and search leakage functions L_Update and L_Search can be written as
$L_{Update}(op, (w, F)) = L'(op), \qquad L_{Search}(w) = L''(srch(w), rst(w), Time(w))$
where both L' and L'' are stateless, we say that Σ is forward-and-Type-I⁻-backward secure.
III. THE BI-BITMAP INDEX
The bitmap index was used in FB-DSSE to represent the file identifiers that the client wants to update. Suppose the system supports up to n files; then the bitmap index is n bits long, and each bit denotes one file. Let the least significant bit of the bitmap index denote file f_1, and in general the i-th bit denote file f_i. To add (or delete) a keyword w and the associated files F, the FB-DSSE client sets the corresponding bits of the bitmap index to "1" according to F, encrypts w and the assigned bitmap index, and uploads the generated ciphertext to the server. When the client wants to search keyword w and issues the related query, the server receives the search trapdoor, retrieves the corresponding ciphertexts, and aggregates them into one. Aggregating the matching ciphertexts means performing bitwise binary addition (modulo 2, as the following example shows) on the bitmap indexes contained in them.
For example, suppose n = 6, and the client has successively added the entries (w, F = {f_4, f_2}) and (w, F = {f_5, f_3}) to the server. Suppose that the client now issues a search query for w: it generates w's search trapdoor and sends it to the server. The server has to retrieve the two matching ciphertexts and aggregate them. Figure 1 shows the bitmap indexes contained in those two ciphertexts and the resulting bitmap index contained in the aggregated ciphertext. Now suppose the entry (w, F = {f_2}) is deleted; the client uploads a new FB-DSSE ciphertext containing the bitmap index "000010" to the server. When keyword w is searched again, the aggregated ciphertext contains the bitmap index "011100", meaning that files {f_5, f_4, f_3} are still valid and match keyword w. Obviously, FB-DSSE keeps search correctness if all update queries are rational; otherwise, it cannot. In the previous example, if the client adds file f_3 again and then searches keyword w, the bitmap index contained in the aggregated ciphertext is "011000", which wrongly indicates that file f_3 has been removed.
Figure 1: An example of the bitmap index in FB-DSSE. Adding (w, F = {f_5, f_3}) gives the bitmap index 010100, adding (w, F = {f_4, f_2}) gives 001010, and the search-and-aggregate step yields 011110.
To achieve robustness, we propose the bi-bitmap index to represent files and construct a particular boolean circuit that guarantees that the aggregated index keeps search correctness even if the client's update queries are irrational. The bi-bitmap index consists of two bitmap indexes. The first bitmap index denotes files, and the second denotes the operations on those files. When adding a file, the corresponding bits in the first and second bitmap indexes are both set to "1". When deleting a file, the corresponding bits in the first and second bitmap indexes are set to "1" and "0", respectively. To update (add or delete) an entry, the generated ciphertext contains a bi-bitmap index. When the client issues a search query for a keyword, the server repeatedly finds a new matching ciphertext and aggregates it with the last aggregated ciphertext until all matching ciphertexts have been found. Note that the aggregated ciphertext contains a bitmap index, not a bi-bitmap index. Let bs_c denote the bitmap index contained in the last aggregated ciphertext (the initial value of bs_c is all zeros), and let (bs_a, bs_b) denote the bi-bitmap index contained in a found matching ciphertext. Aggregating the matching ciphertext with the last aggregated ciphertext amounts to computing the boolean circuit
$bs_c[i] \leftarrow (\neg bs_a[i] \wedge bs_c[i]) \vee (bs_a[i] \wedge bs_b[i])$
for each bit i, where bs[i] denotes the i-th bit of the bitmap index bs.
Table II: The Truth Table for Keeping the Robustness (entries are the new value of bs_c[i]).
(bs_a[i], bs_b[i]) | (0,0) | (0,1) | (1,1) | (1,0)
old bs_c[i] = 0    |   0   |   0   |   1   |   0
old bs_c[i] = 1    |   1   |   1   |   1   |   0
Here, we show why the above boolean circuit keeps robustness. Recall that a robust DSSE scheme must keep search consistency even if there are irrational update queries. Without loss of generality, for a file f_i, the above boolean circuit must satisfy the following conditions:
Case 1: bs_c[i] = 0, namely file f_i has been removed or was never added. In this case, to keep search consistency, the new bs_c[i] is 1 only if bs_a[i] = 1 and bs_b[i] = 1; otherwise, bs_c[i] stays 0.
Case 2: bs_c[i] = 1, namely file f_i has been added and is still valid. In this case, to keep search consistency, the new bs_c[i] is 0 only if bs_a[i] = 1 and bs_b[i] = 0; otherwise, bs_c[i] stays 1.
In both cases a matching ciphertext with bs_a[i] = 0 leaves bs_c[i] untouched, so an update never changes the bit of a file it does not mention, while a repeated add (or delete) of f_i, or a delete of a never-added f_i, simply re-asserts the state the last operation on f_i dictates. According to the above conditions, we obtain the truth table shown as Table II and construct the following boolean circuit satisfying those conditions by Karnaugh map reduction [12]:
$bs_c[i] = (bs_a[i] \wedge bs_b[i] \wedge \neg bs_c[i]) \vee (\neg bs_a[i] \wedge \neg bs_b[i] \wedge bs_c[i]) \vee (\neg bs_a[i] \wedge bs_b[i] \wedge bs_c[i]) \vee (bs_a[i] \wedge bs_b[i] \wedge bs_c[i]) = (\neg bs_a[i] \wedge bs_c[i]) \vee (bs_a[i] \wedge bs_b[i])$ (1)
Hence, the above boolean circuit on the bi-bitmap index guarantees robustness.
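The aggregation rules of this section, as an added worked example (not code from the paper): it replays the update sequence of Figure 1 followed by the irrational queries discussed above (a duplicate add of f_3, a delete of the never-added f_1, and a duplicate delete of f_2), once with FB-DSSE's bitmap index aggregated by bitwise addition modulo 2 and once with the bi-bitmap index aggregated by equation (1), over plaintext bits with no encryption involved, and checks equation (1) against Table II. Rendering a bitmap as a string with the most significant bit first follows Figure 1; the function and constant names are this example's own.

```python
"""Bitmap (FB-DSSE) versus bi-bitmap (SR-DSSE) aggregation over plaintext bits.
Constructed example for Section III; no encryption is involved."""
from typing import Iterable, List, Set, Tuple

Bits = List[int]


def to_bitmap(n: int, files: Iterable[int]) -> Bits:
    """Bit i-1 stands for file f_i; the least significant bit is f_1."""
    bs = [0] * n
    for f in files:
        bs[f - 1] = 1
    return bs


def render(bs: Bits) -> str:
    """Most significant bit first, so {f_5, f_4, f_3} with n=6 prints as "011100"."""
    return "".join(str(b) for b in reversed(bs))


def files_of(bs: Bits) -> Set[int]:
    return {i + 1 for i, b in enumerate(bs) if b}


# FB-DSSE: every update (add or delete alike) ships the bitmap of the touched
# files, and the search aggregates them by bitwise addition modulo 2.
def fbdsse_aggregate(acc: Bits, bs: Bits) -> Bits:
    return [a ^ b for a, b in zip(acc, bs)]


# SR-DSSE: an update ships a bi-bitmap (bs_a, bs_b); bs_a marks the touched
# files, bs_b is 1 for an add and 0 for a delete on those files.
def to_bibitmap(n: int, op: str, files: Iterable[int]) -> Tuple[Bits, Bits]:
    files = set(files)
    bs_a = to_bitmap(n, files)
    bs_b = to_bitmap(n, files) if op == "add" else [0] * n
    return bs_a, bs_b


def aggregate_bit(bs_a: int, bs_b: int, bs_c: int) -> int:
    """Equation (1): new bs_c = (not bs_a and bs_c) or (bs_a and bs_b)."""
    return ((1 - bs_a) & bs_c) | (bs_a & bs_b)


def bibitmap_aggregate(acc: Bits, update: Tuple[Bits, Bits]) -> Bits:
    bs_a, bs_b = update
    return [aggregate_bit(a, b, c) for a, b, c in zip(bs_a, bs_b, acc)]


def run(n: int, updates, scheme: str) -> Bits:
    """Replay the updates in order and return the bitmap a search would yield."""
    acc = [0] * n
    for op, files in updates:
        if scheme == "fbdsse":
            acc = fbdsse_aggregate(acc, to_bitmap(n, files))
        elif scheme == "bibitmap":
            acc = bibitmap_aggregate(acc, to_bibitmap(n, op, files))
        else:
            raise ValueError(scheme)
    return acc


def truth_table_matches_table_ii() -> bool:
    """Check aggregate_bit against Table II; keys are (bs_a, bs_b, old bs_c)."""
    table_ii = {(0, 0, 0): 0, (0, 1, 0): 0, (1, 1, 0): 1, (1, 0, 0): 0,
                (0, 0, 1): 1, (0, 1, 1): 1, (1, 1, 1): 1, (1, 0, 1): 0}
    return all(aggregate_bit(*k) == v for k, v in table_ii.items())


# Figure 1's sequence, then the irrational queries: a duplicate add of f_3,
# a delete of the never-added f_1, and a duplicate delete of f_2.
RATIONAL = [("add", {4, 2}), ("add", {5, 3}), ("delete", {2})]
IRRATIONAL = RATIONAL + [("add", {3}), ("delete", {1}), ("delete", {2})]

if __name__ == "__main__":
    for name, seq in (("rational", RATIONAL), ("irrational", IRRATIONAL)):
        print(name, "FB-DSSE bitmap:", render(run(6, seq, "fbdsse")),
              "bi-bitmap:", render(run(6, seq, "bibitmap")))
```

On the rational sequence both schemes end at "011100". On the irrational one, FB-DSSE's running XOR drifts to "011011" (f_3 gone, the never-added f_1 and the twice-deleted f_2 present), whereas the bi-bitmap stays at "011100", because a bit with bs_a[i] = 0 is untouched and a bit with bs_a[i] = 1 is overwritten by bs_b[i].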
IV. SR-DSSE_a: OUR FIRST DSSE SCHEME
This section gives the construction of our first DSSE scheme, SR-DSSE_a. The server is allowed to aggregate the corresponding ciphertexts it retrieves, such that the bi-bitmap indexes contained in those ciphertexts are aggregated according to the above boolean circuit. Since the aggregation of ciphertexts is a kind of homomorphic boolean computation, we employ TFHE to realize it.
A. TFHE Review
TFHE was proposed by Chillotti et al. in 2016 [11]. The security of TFHE rests on the Learning With Errors (LWE) hardness assumption [13], [14]. The following content reviews the main functions of TFHE; more details can be found in [11]. The TF HE scheme T consists of the following four algorithms.
T.KeyGen(λ): With a security parameter λ as input, this algorithm generates a secret key sk and an evaluation key pk;
T.Enc(sk, m): Taking sk and a message m ∈ {0,1}, this algorithm generates a TFHE ciphertext C;
T.Dec(sk, C): This algorithm takes sk and a TFHE ciphertext C as inputs, decrypts C, and outputs the contained message m ∈ {0,1};
T.Eval(gate, pk, C_1, C_2): Given a logical gate gate ∈ {AND, XOR, NOT}, two TFHE ciphertexts C_1 and C_2, and pk, this algorithm generates a new TFHE ciphertext C such that, after decryption, the plaintext m satisfies m = gate(m_1, m_2), where m_1 and m_2 are the messages contained in C_1 and C_2, respectively. Note that the input C_2 is empty if gate = NOT.
Compared with other FHE schemes, TFHE natively supports logical gate operations, like XOR, NOT, and AND, and has the fastest bootstrapping to the best of our knowledge [15]. Hence, it is a good tool for constructing SR-DSSE_a.
B. Some Basic Functions
Here, we construct some basic functions, namely B.Enc, B.Dec, and B.Eval, which will be employed in SR-DSSE_a. Function B.Enc encrypts a given bitmap index, where each bit of the bitmap index is encrypted by TFHE independently. Function B.Dec is the corresponding decryption function of B.Enc. Function B.Eval takes an encrypted bi-bitmap index as input and aggregates it with an encrypted bitmap index by TFHE, such that the aggregated result satisfies the particular boolean circuit introduced in Section III. Note that step 7 of B.Eval combines the two AND terms with an XOR gate rather than the OR of equation (1); this is correct because the two terms, ¬bs_a[i] ∧ bs_c[i] and bs_a[i] ∧ bs_b[i], can never both be 1 (one requires bs_a[i] = 0 and the other bs_a[i] = 1), so their XOR equals their OR. Let n be the binary size of a bitmap index. Algorithm 1 gives the details of those functions.
Algorithm 1 Functions B.Enc, B.Dec, and B.Eval.
B.Enc(sk, bs, n)
1: Take a TFHE secret key sk and a bitmap index bs of size n as inputs;
2: Initialize an empty vector V of size n;
3: for i ← 1 to n do
4:   Compute V[i] ← T.Enc(sk, bs[i]);
5: end for
6: return V;
B.Dec(sk, V_c, n)
1: Take a TFHE secret key sk and a vector V_c of size n as inputs, where each element of V_c is a TFHE ciphertext;
2: Initialize an empty bitmap index bs of size n;
3: for i ← 1 to n do
4:   Compute bs[i] ← T.Dec(sk, V_c[i]);
5: end for
6: return bs;
B.Eval(pk, (V_a, V_b), V_c, n)
1: Take a TFHE evaluation key pk, the bi-bitmap index ciphertext (V_a, V_b), and the ciphertext V_c of a bitmap index as inputs, where V_a, V_b, and V_c all have size n;
2: Initialize an empty temporary vector V_t of size n;
3: for i ← 1 to n do
4:   Compute V_t[i] ← T.Eval(NOT, pk, V_a[i]);
5:   Compute V_c[i] ← T.Eval(AND, pk, V_t[i], V_c[i]);
6:   Compute V_t[i] ← T.Eval(AND, pk, V_a[i], V_b[i]);
7:   Compute V_c[i] ← T.Eval(XOR, pk, V_c[i], V_t[i]);
8: end for
9: return V_c;
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2024.3350330
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
Algorithm 2 Scheme SR-DSSE_a
SR-DSSE_a.Setup(λ, n)
1: Take λ and the maximum number n of files as inputs;
2: Choose two secure and independent hash functions H_1 and H_2, both with the form {0,1}^λ × {0,1}^λ → {0,1}^λ;
3: Choose a secure pseudorandom function P : {0,1}^λ × W → {0,1}^λ, where W denotes the keyword space;
4: Generate a pair of TFHE keys (sk, pk) ← T.KeyGen(λ);
5: Choose a random secret key K_Σ ←$ {0,1}^λ;
6: Generate an encrypted bitmap index V_0 ← B.Enc(sk, bs, n), where bs = 0^n;
7: Initialize three empty maps S_C, S_S, and EDB, where S_C and S_S are used to store the states of the client and the server, respectively;
8: Store (pk, V_0, S_S, EDB) in the server;
9: Store (K_Σ, sk, S_C) in the client privately;
SR-DSSE_a.Update((K_Σ, sk), S_C, op, (w, F); EDB)
Client:
1: Compute the secret key K_w of keyword w by running K_w ← P(K_Σ, w);
2: Retrieve the client state about keyword w by (c_0, c, R_c) ← S_C[w];
3: if S_C[w] = NULL then
4:   Set c_0 ← 0, c ← −1, and R_c ←$ {0,1}^λ;
5: end if
6: Choose a random value R_{c+1} ←$ {0,1}^λ;
7: Compute I ← H_1(K_w, R_{c+1}) and C ← H_2(K_w, R_{c+1}) ⊕ R_c;
8: Set a bi-bitmap (bs_a, bs_b) according to the inputted op and F;
9: Encrypt (bs_a, bs_b) by computing V_a ← B.Enc(sk, bs_a, n) and V_b ← B.Enc(sk, bs_b, n);
10: Send ciphertext (I, C, (V_a, V_b)) to the server;
11: Finally, update the client state by setting S_C[w] ← (c_0, c + 1, R_{c+1});
Server:
1: Set EDB[I] ← (C, (V_a, V_b)) to store the received ciphertext;
SR-DSSE_a.Search((K_Σ, sk), w, S_C; pk, V_0, S_S, EDB)
Client:
1: Compute the secret key K_w of keyword w by running K_w ← P(K_Σ, w);
2: Retrieve the client state about keyword w by (c_0, c, R_c) ← S_C[w];
3: if S_C[w] = NULL then
4:   return;
5: end if
6: Send a search trapdoor (K_w, R_c, c_0, c) to the server;
7: Update the client state by setting S_C[w] ← (c + 1, c, R_c);
Server:
1: if S_S[K_w] = NULL then
2:   Set V_w ← V_0;
3: else
4:   Set V_w ← S_S[K_w];
5: end if
6: Initialize an empty map E;
7: for i = c to c_0 do
8:   Compute I ← H_1(K_w, R_i);
9:   Retrieve ciphertext (C, (V_a, V_b)) ← EDB[I];
10:  Store the retrieved and encrypted bi-bitmap E[i − c_0] ← (V_a, V_b);
11:  Remove ciphertext EDB[I];
12:  Set R_{i−1} ← C ⊕ H_2(K_w, R_i);
13: end for
14: for i = c_0 to c do
15:  Retrieve the encrypted bi-bitmap (V_a, V_b) ← E[i − c_0];
16:  Compute V_w ← B.Eval(pk, (V_a, V_b), V_w, n);
17: end for
18: Update the server state by setting S_S[K_w] ← V_w;
19: Send V_w to the client;
Client:
1: Decrypt the received V_w by running bs_w ← B.Dec(sk, V_w, n);
2: Parse bs_w into file identifiers F;
3: return F;
C. Construction
With the above functions, we construct our first robust DSSE scheme SR-DSSE_a in Algorithm 2. To update an entry (w, F), the client of SR-DSSE_a transforms this entry into a bi-bitmap index according to the rules introduced in Section III, encrypts the index by function B.Enc, and sends the generated ciphertext to the server for storage. Then, if a search query containing the keyword w is issued, SR-DSSE_a's server retrieves all corresponding ciphertexts with a search trapdoor from the client, aggregates those ciphertexts into one ciphertext by function B.Eval, and returns the resulting ciphertext to the client. In the end, the client decrypts the received ciphertext by function B.Dec and obtains the matching-and-still-valid files. More explanations are as follows.
In protocol SR-DSSE_a.Setup, the client initializes two hash functions, a pseudo-random function, a pair of TFHE keys, a secret key, and the data structures that store the client's states and the server's states, respectively. In particular, the client encrypts an all-zero bitmap index by V_0 ← B.Enc(sk, bs, n), where sk denotes the initialized TFHE secret key, bs = 0^n, and n denotes the maximum number of files the system supports. The generated V_0 is used by the server as the initial state into which the matching ciphertexts are aggregated when a keyword is searched.
In protocol SR-DSSE_a.Update, the client transforms the chosen update type (add or delete) and the updated entry (w, F) into a bi-bitmap index, encrypts the resulting bi-bitmap index by function B.Enc, and generates a searchable ciphertext of keyword w. All those ciphertexts are sent to the server. Finally, the client updates his local state. This state is used to generate the corresponding keyword search trapdoor if the client performs a search after this update query.
In SR-DSSE_a.Search, a keyword search trapdoor for the search query is generated from the client's secret key and current state. With this trapdoor, the server is able to retrieve the corresponding ciphertexts, which fall into two types: those that add files and those that delete files. Then, the server aggregates all found ciphertexts into one ciphertext. During the aggregation, the deleted files are really removed, and only the valid files remain in the resulting ciphertext. Moreover, the essence of the aggregation is to combine the bi-bitmap indexes contained in all those found ciphertexts according to the rule defined in Equation 1. Hence, SR-DSSE_a also guarantees the robustness of DSSE.
D. Correctness and Security Analysis
Correctness. SR-DSSE_a's correctness depends on the fact that the hash functions H_1 and H_2 are collision-resistant. Briefly speaking, upon searching an updated keyword w, the client sends the current random string R_c, the hash function key K_w, and the two counters c and c_0 to the server. With these parameters, the server repeatedly computes the hash value H_1(K_w, R_i) to obtain the distinct indexes and recovers the previous random string by computing C_i ⊕ H_2(K_w, R_i), for i decreasing successively from c to c_0. The uniqueness of the hash value H_1
guarantees that all ciphertexts are indexed by distinct values. Similarly, the uniqueness of the hash value H_2 guarantees that the server can recover the specified random string by XORing the hash value with the protected mask. This process is always correct, because all counters used to generate w's ciphertexts are distinct regardless of whether irrational update queries occur, i.e., the counter is monotonically increasing. Therefore, the server can correctly find all unsearched encrypted bi-bitmaps of w in EDB. Similarly, the uniqueness of K_w guarantees that the server can correctly retrieve V_w from S_S.
Next, the server evaluates the boolean circuit defined in B.Eval over the retrieved bi-bitmaps. Specifically, according to Table II, which B.Eval is designed to implement, given a file f_i, an add update query (i.e., (V_a[i], V_b[i]) = (1, 1)) always maintains the existence of f_i (i.e., the resulting bit is always 1), and a delete update query (i.e., (V_a[i], V_b[i]) = (1, 0)) guarantees that f_i is deleted (i.e., the resulting bit is always 0). Meanwhile, invalid update queries (i.e., (V_a[i], V_b[i]) = (0, 0) or (0, 1)) do not change the existence state of f_i in EDB (i.e., the resulting bit is always V_w[i]). Hence, whether f_i appears in the search result depends only on the last valid update query (i.e., (V_a[i], V_b[i]) = (1, 1) or (1, 0)). To sum up, SR-DSSE_a achieves the correctness property defined in Definition 1.
Security. For security, the following theorem shows that SR-DSSE_a achieves forward-and-Type-I^-backward security, which is defined in Definition 3. The detailed proof is given in Appendix A.
Theorem 1. Suppose that P is a secure and efficient PRF and that H_1 and H_2 are random oracles. Then the scheme SR-DSSE_a achieves robustness with adaptive security under the leakage functions L_Setup(λ, n) = (λ, n), L_Update(op, (w, F)) = , and L_Search(w) = (Δsrch(w), rst(w), Time(w)).
V. SR-DSSE_b: OUR SECOND DSSE SCHEME
This section gives the construction of another robust DSSE scheme, SR-DSSE_b, which also achieves forward-and-Type-I^-backward security but has a lower time cost than SR-DSSE_a. The main difference between SR-DSSE_b and SR-DSSE_a is the aggregation process when searching a keyword. In short, SR-DSSE_a lets the server perform the aggregation, but to keep confidentiality the aggregation of SR-DSSE_a must be executed over ciphertexts. In contrast, the aggregation of SR-DSSE_b is performed by the client over plaintexts. Hence, SR-DSSE_b clearly has a lower time cost than SR-DSSE_a. Although SR-DSSE_b takes more round-trips when searching a keyword, it is more suitable for applications in which a low search time cost is a key requirement.
A. Construction
When updating an entry (w, F), the client of SR-DSSE_b transforms the update type (add or delete) and the entry into a bi-bitmap index as SR-DSSE_a does, encrypts the bi-bitmap index by ordinary encryption (here differing from
Algorithm 3 Protocols SR-DSSE_b's Setup and Update.
SR-DSSE_b.Setup(λ, n)
1: Take λ and the maximum number n of files as inputs;
2: Choose five secure and independent hash functions H_1, H_2, H_3, H_4 and H_5, among which H_1, H_2 are formed as {0,1}^λ × {0,1}^λ → {0,1}^λ, and H_3, H_4, H_5 are formed as {0,1}^λ × Z → {0,1}^λ;
3: Choose a secure pseudorandom function P : {0,1}^λ × W → {0,1}^λ × {0,1}^λ, where W denotes the keyword space;
4: Initialize three empty maps S_C, S_S, and EDB, where S_C and S_S are used to store the states of the client and the server, respectively;
5: Store (S_S, EDB) in the server;
6: Store (K_Σ, S_C) in the client privately;
SR-DSSE_b.Update(K_Σ, S_C, op, (w, F); EDB)
Client:
1: Compute the secret keys K_w and K'_w of keyword w by running (K_w, K'_w) ← P(K_Σ, w);
2: Retrieve the client state about keyword w by (c_0, c, R_c) ← S_C[w];
3: if S_C[w] = NULL then
4:   Set c_0 ← 0, c ← −1, and R_c ←$ {0,1}^λ;
5: end if
6: Choose a random value R_{c+1} ←$ {0,1}^λ;
7: Compute I ← H_1(K_w, R_{c+1}) and C ← H_2(K_w, R_{c+1}) ⊕ R_c;
8: Set a bi-bitmap (bs_a, bs_b) according to the inputted op and F;
9: Encrypt bs_a and bs_b by e_a ← H_3(K'_w, c + 1) ⊕ bs_a and e_b ← H_4(K'_w, c + 1) ⊕ bs_b, respectively;
10: Send (I, C, (e_a, e_b)) to the server;
11: Finally, update the client state by setting S_C[w] ← (c_0, c + 1, R_{c+1});
Server:
1: Set EDB[I] ← (C, (e_a, e_b)) to store the received ciphertext;
SR-DSSE_a), and generates a searchable ciphertext of keyword w. Upon searching a keyword w, the client generates a corresponding trapdoor and sends it to SR-DSSE_b's server, which retrieves all matching ciphertexts by the trapdoor. These ciphertexts are returned to the client. Then, the client decrypts all bi-bitmap indexes. Next, the plaintext bi-bitmap indexes are aggregated into one bitmap index according to the rule of Equation 1. The resulting bitmap index shows the matching-and-non-deleted files. Since the aggregation process of SR-DSSE_b also satisfies Equation 1, SR-DSSE_b has the robustness property. More explanations are as follows.
In protocol SR-DSSE_b.Setup, the client initializes more hash functions than in SR-DSSE_a.Setup, a pseudo-random function, a secret key, and the data structures that store the client's states and the server's states, respectively. The hash functions are used to encrypt the bi-bitmap index when updating an entry. Unlike protocol SR-DSSE_a.Setup, protocol SR-DSSE_b.Setup does not need the client to encrypt an all-zero bitmap index, since the aggregation process for searching a keyword is performed by the client, not the server.
The main idea of protocol SR-DSSE_b.Update is similar to that of protocol SR-DSSE_a.Update. Their main difference is the method of encrypting a bi-bitmap index. After transforming the chosen update type (add or delete) and the updated entry (w, F) into a bi-bitmap index, protocol SR-DSSE_b.Update encrypts the resulting bi-bitmap index with hash functions instead of function B.Enc. This encryption method is a simple one: when searching a keyword in protocol SR-DSSE_b.Search, the client can efficiently decrypt all matching ciphertexts returned by the server. The details are shown in the following.
Algorithm 4 Protocol SR-DSSE_b.Search
SR-DSSE_b.Search(K_Σ, w, S_C; S_S, EDB)
Client:
1: Compute the secret keys K_w and K'_w of keyword w by running (K_w, K'_w) ← P(K_Σ, w);
2: Retrieve the client state about keyword w by (c_0, c, R_c) ← S_C[w];
3: if S_C[w] = NULL then
4:   return;
5: end if
6: Send a search trapdoor (K_w, R_c, c_0, c) to the server;
Server:
1: if S_S[K_w] = NULL then
2:   Set e_w ← 0^n;
3: else
4:   Set e_w ← S_S[K_w];
5: end if
6: Initialize an empty map E;
7: for i = c to c_0 do
8:   Compute I ← H_1(K_w, R_i);
9:   Retrieve ciphertext (C, (e_a, e_b)) ← EDB[I];
10:  Store the retrieved and encrypted bi-bitmap E[i − c_0] ← (e_a, e_b);
11:  Remove ciphertext EDB[I];
12:  Set R_{i−1} ← C ⊕ H_2(K_w, R_i);
13: end for
14: Send e_w, E to the client;
Client:
1: Initialize a bitmap bs_w ← 0^n to record the matching files;
2: if e_w ≠ 0^n then
3:   Decrypt the files' states by running bs_w ← e_w ⊕ H_5(K'_w, c_0);
4: end if
5: for i = c_0 to c do
6:   Retrieve ciphertexts by running (e_a, e_b) ← E[i − c_0];
7:   Decrypt and get the bi-bitmap index by running (bs_a, bs_b) ← (e_a ⊕ H_3(K'_w, i), e_b ⊕ H_4(K'_w, i));
8:   Compute the files' states in plaintext by running bs_w ← (¬bs_a ∧ bs_w) ⊕ (bs_a ∧ bs_b);
9: end for
10: Update the client state by setting S_C[w] ← (c + 1, c, R_{c+1});
11: Re-encrypt the files' states by running e_w ← bs_w ⊕ H_5(K'_w, c + 1);
12: Send the new encrypted states e_w to the server;
13: Parse bs_w into file identifiers F;
14: return F;
Server:
1: Update the server state by setting S_S[K_w] ← e_w;
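As an added example, not the paper's own implementation, the following Python model runs SR-DSSE_b's Update and Search (Algorithms 3 and 4) end to end, including the hash-chain retrieval that Algorithm 2's server performs in the same way: the client masks the previous random string into C, and the server walks from R_c back to R_{c_0} by unmasking C with H_2. The instantiations are our assumptions: P, H_1 and H_2 are HMAC-SHA512/SHA256, H_3, H_4 and H_5 are SHAKE128 stretched to n bits, bitmaps are Python integers with bit i standing for file f_i, and the per-keyword counters start at (c_0, c) = (0, −1) so that the first ciphertext of a keyword gets index c_0 = 0, as the server's loop from c down to c_0 requires; this reading of the initialization is ours. The class names, the sample keyword and the update sequence are constructed for the example.

```python
# Added example, not the paper's own code: a runnable plaintext model of
# SR-DSSE_b (Algorithms 3 and 4); P, H1, H2 via HMAC and H3-H5 via SHAKE128
# are our own instantiation choices.
import hashlib, hmac, os
from typing import Dict, List, Tuple

LAMBDA = 32  # security parameter lambda, in bytes

def xor(x: bytes, y: bytes) -> bytes: return bytes(a ^ b for a, b in zip(x, y))

def prf_P(k_sigma: bytes, w: str) -> Tuple[bytes, bytes]:
    """P(K_Sigma, w) -> (K_w, K'_w): one HMAC-SHA512 output split in half."""
    out = hmac.new(k_sigma, w.encode(), hashlib.sha512).digest()
    return out[:LAMBDA], out[LAMBDA:]

def H(tag: bytes, k: bytes, r: bytes) -> bytes:
    """H1 / H2 as HMAC-SHA256, domain separated by tag."""
    return hmac.new(k, tag + r, hashlib.sha256).digest()

def mask(tag: bytes, k_w2: bytes, ctr: int, n: int) -> int:
    """H3 / H4 / H5: (K'_w, counter) -> an n-bit mask, via SHAKE128."""
    xof = hashlib.shake_128(tag + k_w2 + ctr.to_bytes(8, "big", signed=True))
    return int.from_bytes(xof.digest((n + 7) // 8), "big") & ((1 << n) - 1)

def bi_bitmap(op: str, files: List[int]) -> Tuple[int, int]:
    """Bit i stands for file f_i: add marks (1,1), delete (1,0), others (0,0)."""
    bs_a = sum(1 << i for i in files)
    return bs_a, (bs_a if op == "add" else 0)

class Server:
    def __init__(self) -> None:
        self.EDB: Dict[bytes, Tuple[bytes, int, int]] = {}
        self.S_S: Dict[bytes, int] = {}   # K_w -> encrypted aggregated state e_w

    def search(self, K_w: bytes, R_c: bytes, c0: int, c: int):
        E: Dict[int, Tuple[int, int]] = {}
        R_i = R_c
        for i in range(c, c0 - 1, -1):    # newest to oldest along the chain
            C, e_a, e_b = self.EDB.pop(H(b"H1", K_w, R_i))
            E[i - c0] = (e_a, e_b)
            R_i = xor(C, H(b"H2", K_w, R_i))   # unmask R_{i-1}
        return self.S_S.get(K_w), E        # None stands for "no state yet"

class Client:
    def __init__(self, n: int, server: Server) -> None:
        self.n, self.server = n, server
        self.K_sigma = os.urandom(LAMBDA)
        self.S_C: Dict[str, Tuple[int, int, bytes]] = {}

    def update(self, op: str, w: str, files: List[int]) -> None:
        K_w, K_w2 = prf_P(self.K_sigma, w)
        # first update of w: (c0, c) = (0, -1), so the entry gets index c0 = 0
        c0, c, R_c = self.S_C.get(w, (0, -1, os.urandom(LAMBDA)))
        R_next = os.urandom(LAMBDA)
        I = H(b"H1", K_w, R_next)
        C = xor(H(b"H2", K_w, R_next), R_c)   # C hides the previous R
        bs_a, bs_b = bi_bitmap(op, files)
        e_a = mask(b"H3", K_w2, c + 1, self.n) ^ bs_a
        e_b = mask(b"H4", K_w2, c + 1, self.n) ^ bs_b
        self.server.EDB[I] = (C, e_a, e_b)
        self.S_C[w] = (c0, c + 1, R_next)

    def search(self, w: str) -> List[int]:
        if w not in self.S_C:
            return []
        K_w, K_w2 = prf_P(self.K_sigma, w)
        c0, c, R_c = self.S_C[w]
        e_w, E = self.server.search(K_w, R_c, c0, c)
        bs_w = 0 if e_w is None else e_w ^ mask(b"H5", K_w2, c0, self.n)
        full = (1 << self.n) - 1
        for i in range(c0, c + 1):        # oldest first, so later updates win
            e_a, e_b = E[i - c0]
            bs_a = e_a ^ mask(b"H3", K_w2, i, self.n)
            bs_b = e_b ^ mask(b"H4", K_w2, i, self.n)
            bs_w = ((~bs_a & bs_w) ^ (bs_a & bs_b)) & full   # Equation 1
        self.S_C[w] = (c + 1, c, R_c)
        self.server.S_S[K_w] = bs_w ^ mask(b"H5", K_w2, c + 1, self.n)
        return [i for i in range(self.n) if bs_w >> i & 1]

def demo() -> Tuple[List[int], List[int], int]:
    """Duplicate adds and deletes of never-added files leave the result intact."""
    srv = Server()
    cl = Client(n=8, server=srv)
    for op, f in [("add", 1), ("add", 1), ("del", 5), ("add", 2)]:
        cl.update(op, "king", [f])        # the second add and the delete are irrational
    first = cl.search("king")             # -> [1, 2]
    cl.update("del", "king", [1])
    cl.update("del", "king", [1])         # duplicate delete
    second = cl.search("king")            # -> [2]
    return first, second, len(srv.EDB)    # EDB is emptied by each search
```

Two details are worth noting when reading the model. The server signals a missing state by returning None instead of testing e_w against 0^n, which sidesteps the corner case of an encrypted state that happens to be all zeros. And after a search the client stores (c + 1, c, R_c), so a second search with no intervening update walks an empty chain and simply re-decrypts e_w with H_5(K'_w, c_0), which is the same counter the previous search used to re-encrypt it.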
In SR-DSSE_b.Search, a search trapdoor for the searched keyword w is generated locally. The generation of the trapdoor depends on the client's secret key and the current state of the queried keyword. When the server receives the keyword search trapdoor, it uses it to find the corresponding ciphertexts. Together with the encryption of the last aggregated bitmap index, the retrieved ciphertexts are returned to the client. Note that the last aggregated bitmap index is 0^n if the keyword is searched for the first time. Then, the client decrypts several bi-bitmap indexes and one bitmap index from all received ciphertexts and aggregates these indexes into one bitmap index according to Equation 1. The resulting bitmap index tells the client which files match the search query and are non-deleted. Finally, the bitmap index is re-encrypted and stored in the server.
Scalability. In both SR-DSSE_a and SR-DSSE_b, the length of the bi-bitmap index, which also bounds the number of files, is fixed at the setup phase. One may worry that this makes the proposed schemes unable to scale to constantly growing large datasets. Fortunately, the following steps extend the proposed schemes to improve their scalability:
1) Select fair parameters according to the dataset so that the length of the bi-bitmap index is not too small.
2) As the dataset grows, if the current scheme instance cannot accommodate more files, the client downloads the encrypted database from the server and uses the secret key to extract the plaintext data. Then the client sets up a new instance of the scheme in which the length of the bi-bitmap index is fixed to a larger number. Finally, the client embeds the extracted plaintext data into the new instance and uploads the newly generated encrypted database to the server. This approach is the same technique used to transform static SSE schemes into dynamic ones [16]. In this step, all decryption is performed on the client side. Hence there is no extra leakage except the number of distinct keywords currently in the database and the new length of the bi-bitmap index.
The above steps effectively tackle the scalability problem of the proposed schemes, at the cost of amortized O(|W|) computation and communication overhead.
B. Correctness and Security Analysis
Correctness. For correctness, the way SR-DSSE_b finds and aggregates matching ciphertexts is essentially the same as that of SR-DSSE_a, except that SR-DSSE_b decrypts and aggregates the matching ciphertexts on the client side. It is easy to see that SR-DSSE_b also satisfies the correctness property defined in Definition 1. Hence, we omit the correctness proof of SR-DSSE_b here.
Security. For security, the following theorem shows that SR-DSSE_b achieves forward-and-Type-I^-backward security, which is defined in Definition 3. The detailed proof is given in Appendix B.
Theorem 2. Suppose that P is a secure and efficient PRF and that H_1, H_2, H_3, H_4 and H_5 are random oracles. Then the scheme SR-DSSE_b achieves robustness with adaptive security under the leakage functions L_Setup(λ, n) = (λ, n), L_Update(op, (w, F)) = , and L_Search(w) = (Δsrch(w), rst(w), Time(w)).
VI. EXPERIMENT ANALYSIS
In this section, we empirically evaluate SR-DSSE_a and SR-DSSE_b and compare their performance with FB-DSSE and IM-DSSE_{I+II}. FB-DSSE is the only state-of-the-art DSSE scheme with forward-and-Type-I^-backward security. IM-DSSE_{I+II} is quite performant and is selected as the baseline. All the evaluated schemes employ a bitmap-based index. In a nutshell, the baseline scheme IM-DSSE_{I+II} outperforms SR-DSSE_a, SR-DSSE_b, and FB-DSSE, and SR-DSSE_a achieves a client search overhead close to that of IM-DSSE_{I+II}. SR-DSSE_a is advantageous in saving the client's search time and communication bandwidth, and SR-DSSE_b costs the least time to complete the search. Meanwhile, these two schemes can be accelerated with hardware-based acceleration techniques to gain higher search performance.
A. Experiment Setup
Hardware Platform. We perform all experiments on a workstation with an AMD 5950X processor, an NVIDIA RTX 2080Ti, 128GB RAM, and a 64-bit Ubuntu 20.04 operating system.
Programming Environment. We implement all schemes in C++. Specifically, we use the GMP [17] big integer data structure to represent the bi-bitmap index. The storage structures S_S, S_C, and EDB are implemented with the container class unordered_map provided by the C++ STL to eliminate the extra overheads caused by disk I/O.
Cryptographic Primitives. We use the OpenSSL library [18] to instantiate most of the cryptographic functions. For example, the PRFs P and P' are implemented by hmac-md5, and the hash functions H_1, H_2 are implemented by the hmac-sha family. Hash functions H_3, H_4, and H_5 are implemented by the shake128 hash function^3. Finally, we adopt the TFHE library [19] to implement TFHE and set its parameters as the developers recommend.
Dataset. We leverage English Wikimedia^4 as the main dataset. Specifically, we use WikiExtractor [20] to convert it into JSON documents and then extract keywords from them. Since the entire dataset is too large, we select two smaller subsets of it as our test datasets, named Dataset I and Dataset II. Dataset I contains 714 files and Dataset II comprises 840,499 files. In the following experiments, we set the number of files in the corresponding dataset as the maximum number of files the system supports, that is, the length n of the bitmap index. Each dataset contains 10 randomly selected keywords. Table III shows the details of the two datasets.
Table III: Selected Keywords and Frequencies
              Dataset I, n = 714           |           Dataset II, n = 840,499
Word      Freq.  | Word      Freq.  | Word       Freq.  | Word       Freq.
shred     2      | correct   10     | sauna      109    | epigraph   204
filter    4      | know      13     | rangoon    125    | ryu        228
african   5      | partner   15     | uncensor   140    | delimit    252
novel     7      | king      16     | gemma      165    | unravel    277
item      9      | presid    20     | silica     182    | backpack   299
Evaluated Metrics. Our experiments focus on the performance metrics of the search process, namely, search bandwidth and search time costs. Specifically, the search bandwidth cost counts the total size of data exchanged when the client and the server execute the search protocol. The search time cost is the sum of the client's token generation time, the server's search time, and the client's decryption and re-update time. We do not evaluate or report the update performance since, in practice, the search performance is more important, especially when the client manages a large-scale database.
B. Experimental Results
Client Search Time Cost. This experiment is performed over Dataset I, and the result is reported in Figure 2. The result
^3 We use the source code from https://github.com/MockingHawk/shake128
^4 https://dumps.wikimedia.org/enwiki/20210501/
[Figure 2 (bar chart): x axis "Selected Keywords" (shred, filter, african, novel, item, correct, know, partner, king, presid); y axis "Client Search Time (ms)", ticks 0.10 to 0.25; series FB-DSSE, SR-DSSE_b, SR-DSSE_a, IM-DSSE_{I+II}.]
Figure 2: Client Search Time Cost of SR-DSSE_a, SR-DSSE_b and FB-DSSE
Table IV: Search Bandwidth of SR-DSSE_a, SR-DSSE_b and FB-DSSE
Scheme                     | SR-DSSE_a | SR-DSSE_b            | FB-DSSE | IM-DSSE_{I+II}
Search Roundtrip           | 1         | 2                    | 1       | 1
Search Communication Cost  | 1,768 KB  | (a_w + 0.5) · 430 B  | 215 B   | 722 B
shows that IM-DSSE_{I+II} outperforms the other three evaluated schemes. SR-DSSE_a outperforms FB-DSSE and SR-DSSE_b on the client side during the search. For example, when searching for the keyword "presid", SR-DSSE_a takes the client only 0.3 milliseconds, 11× and 6× faster than FB-DSSE and SR-DSSE_b, respectively. On the other hand, among the other schemes SR-DSSE_a achieves the client search performance closest to IM-DSSE_{I+II}. For example, the average client search time cost to find one matching file is 0.011 milliseconds for IM-DSSE_{I+II}, while those of SR-DSSE_a, SR-DSSE_b, and FB-DSSE are 0.025, 0.216, and 0.115 milliseconds, respectively.
Search Bandwidth Cost. Table IV lists the search bandwidth costs of the evaluated schemes. SR-DSSE_a, IM-DSSE_{I+II}, and FB-DSSE achieve the optimal search roundtrip, while SR-DSSE_b introduces one more roundtrip; still, the search roundtrip of SR-DSSE_b is constant and practical. FB-DSSE consumes the least bandwidth, namely 215 bytes. IM-DSSE_{I+II} costs the second least bandwidth. Although SR-DSSE_a consumes more bandwidth to complete the search, its cost is acceptable in practice (only 1,768 KB, about 1.73 MB). For SR-DSSE_b, the search bandwidth depends on how many historical updates related to the queried keyword w (denoted as a_w) were inserted before the search query. When the number of historical updates of w is less than 4,210, SR-DSSE_b saves bandwidth compared to SR-DSSE_a; otherwise, SR-DSSE_b costs more bandwidth. Even then, the search bandwidth of SR-DSSE_b is still practical and efficient: for example, suppose a_w = 10,000, then the total bandwidth is only about 4.1 MB. Hence, we conclude that both SR-DSSE_a and SR-DSSE_b achieve practical search bandwidth performance.
Total Search Time Cost. SR-DSSE_a is based on TFHE. Hence, it is feasible to accelerate the search process of SR-DSSE_a by adopting the optimizations used for TFHE, e.g., Compute Unified Device Architecture (CUDA) [21], [22]. In this part, we therefore evaluate and compare SR-DSSE_a's search performance on CPU and GPU platforms.
[Figure 3 (bar chart): x axis "Selected Keywords" (shred, filter, african, novel, item, correct, know, partner, king, presid); y axis "Total Search Time (s)" with two scales, 0.3×10^3 to 4×10^3 for the CPU version and 2 to 14 for the GPU version; series SR-DSSE_a, SR-DSSE_a-GPU.]
Figure 3: Total Search Time Cost of SR-DSSE_a on CPU and GPU
Figure 3 reports the result. In the figure, SR-DSSE_a denotes the CPU version, while SR-DSSE_a-GPU denotes the GPU version implemented with cuFHE^5. The numerical results show that the GPU version achieves about 350× acceleration compared to the CPU version. For example, when searching for the keyword "king", SR-DSSE_a takes 3,149.4 seconds to complete the search, while SR-DSSE_a-GPU needs only 9.1 seconds, saving about 3,140.3 seconds. Considering that GPUs are commonly deployed in data centers nowadays and that TFHE is still actively developing [23], the total search time cost of SR-DSSE_a is practical and acceptable.
To show the high efficiency of SR-DSSE_b, we evaluate it over Dataset II and compare the results with FB-DSSE. An important property of SR-DSSE_b is that its search performance improves with the number of historical search queries. To show this property, this part of the experiment contains three rounds of search. For example, the search process of the keyword "sauna" can be described as follows: (1) in the first round, we issue 36 insertion queries and then run a search; (2) in the second round, we issue another 36 insertion queries and then run a search; and (3) in the last round, we execute the final 37 insertion queries and then execute a search. Figure 4 shows the result. IM-DSSE_{I+II} keeps its advantage in performance: it is about four orders of magnitude faster than SR-DSSE_b and FB-DSSE. As the number of searches increases, the search performance of SR-DSSE_b improves. Take the keyword "backpack" as an example. In the first round, SR-DSSE_b needs 4.7 seconds to complete the search, while in the third round the time cost is 4.8 seconds. In the third round, SR-DSSE_b outperforms FB-DSSE. For example, to complete the search of the keyword "backpack", FB-DSSE needs 6.9 seconds, incurring an extra 2.1 seconds compared to SR-DSSE_b. In practice, it is common for a client to search for a keyword many times. Hence, SR-DSSE_b is more practical in real-world applications.
SR-DSSE_b can also be accelerated via hardware-based techniques. Different from SR-DSSE_a, SR-DSSE_b mainly leverages a CPU-based technique to accelerate, i.e., multi-threading. Figure 5 shows the performance of accelerating SR-DSSE_b using OpenMP^5 with different numbers of threads. The results of the experiment indicate
^5 https://github.com/vernamlab/cuFHE
^5 https://www.openmp.org/
that the multi-threading technique significantly improves the search performance of SR-DSSE_b. For example, when searching for the keyword "unravel" with 16 threads, it takes only 1.2 seconds, saving 1,092% of the time compared to the single-thread case.
In conclusion, the above experiments show that, although both SR-DSSE_a and SR-DSSE_b are inferior to IM-DSSE_{I+II}, they are still practical and efficient considering that they are robust and achieve stronger backward security. Specifically, SR-DSSE_a has advantages in saving client time, and SR-DSSE_b's whole search process is faster. Notably, as the number of searches increases, SR-DSSE_b achieves higher search efficiency than FB-DSSE.
However, compared with FB-DSSE and IM-DSSE_{I+II}, the proposed schemes trade communication overhead (i.e., roundtrips or bandwidth) for robustness. Although the extra communication overhead is acceptable in practice, one may wonder whether it can be eliminated. Fortunately, with the help of a Trusted Execution Environment, like SGX, we can avoid that overhead. More concretely, we can evaluate the bi-bitmap index inside the Trusted Execution Environment. Many DSSE works have shown how a Trusted Execution Environment helps improve efficiency while maintaining high security [24], [25], [26], [27], [28]. We leave the detailed construction as an open problem to interested readers.
VII. RELATED WORKS
Forward and Backward Private DSSE. DSSE and its adaptive security were first formulated by Kamara et al. in 2012 [1]. Stefanov et al. introduced and explained a series of DSSE forward and backward privacy concepts in 2014 [3]. Specifically, a formal definition of forward privacy in terms of leakage functions was proposed and accepted. However, it was in fact Chang et al. who proposed the earliest prototype of DSSE schemes trying to achieve forward privacy, in 2005 [29]. In 2016, Bost constructed an optimized forward-private DSSE scheme with trapdoor permutations [30]. In the meanwhile, by the implementation of TWORAM [31], Garg et al. succeeded in giving a forward-private DSSE scheme, which traded much performance for security. In 2017, Xu et al. proposed a DSSE scheme combining logical and physical deletions to reduce information leakage during update phases [32].
In 2017, Bost et al. first proposed definitions of backward privacy with leakage functions [4]. They categorized backward privacy into three types, Type-I, II, and III, among which Type-I is the strongest and Type-III is the weakest. With these new definitions, they constructed several DSSE schemes achieving different strengths of backward security. Later, Sun et al. [33], [34], Chamani et al. [7], [35], Demertzis et al. [16], and Wang and Chow [36] proposed various DSSE schemes to achieve non-interactive search, high theoretical search performance, constant client storage, range queries, etc. In 2019, Zuo et al. first introduced the definition of Type-I^- backward privacy and gave the construction of a corresponding DSSE scheme [5]. However, none of the aforementioned works found or addressed the robustness problem in DSSE.
[Figure 4 (three bar charts, panels (a) First Round, (b) Second Round, (c) Third Round): x axis "Selected Keywords" (sauna, rangoon, uncensor, gemma, silica, epigraph, ryu, delimit, unravel, backpack); y axis "Total Search Time (μs)" with two scales, 1×10^6 to 7×10^6 and 120 to 140; series FB-DSSE, SR-DSSE_b, IM-DSSE_{I+II}.]
Figure 4: Total Search Time Cost of SR-DSSE_b and FB-DSSE
[Figure 5 (bar chart): x axis "Selected Keywords" (sauna, rangoon, uncensor, gemma, silica, epigraph, ryu, delimit, unravel, backpack); y axis "Total Search Time (s)", 0 to 14; series Single Thread, 2 Threads, 4 Threads, 8 Threads, 16 Threads.]
Figure 5: Time Cost with Different Threads
Besides forward and backward security, many DSSE works pursue higher security to eliminate harmful information leakage [37] and mitigate attacks [38], [39], [40]. Among those works, an important research line leverages real-world security techniques to achieve the security goal, for example the aforementioned Trusted Execution Environment and distributed trust [41], [42], [43]. Other works explore equipping DSSE with additional properties, such as shareability [44] and post-compromise security [45].
Robust DSSE. In 2022, Xu et al. formally defined the robustness of DSSE [8]. In the context of robustness, a DSSE client may issue irrational update queries (e.g., duplicate add queries or deletion queries of non-existent ciphertexts). A robust DSSE scheme must guarantee the desired correctness and the claimed security when the client issues irrational update queries. Unfortunately, up to now, besides the scheme ROSE proposed by Xu et al., only MONETA [4] and Bestie [46] achieve robustness. However, those robust DSSE schemes fail to achieve Type-I^- backward privacy.
VIII. CONCLUSION
In this work, we identify the robustness problem in forward-and-Type-I⁻-backward private DSSE schemes. To solve this problem, the definition of Type-I⁻ backward security is extended. With the new definitions, we construct two novel robust DSSE schemes, SR-DSSE_a and SR-DSSE_b, both of which achieve the security aim of forward and Type-I⁻ backward privacy. The constructions of these two schemes leverage our newly proposed Bi-bitmap-index data structure and a boolean circuit evaluation method. The experimental results show that SR-DSSE_a is client-friendly and that SR-DSSE_b has higher search performance. The experiments also show that SR-DSSE_a and SR-DSSE_b are not as performant as IM-DSSE_I+II and thereby may not be well suited to some performance-intensive scenarios. Fortunately, their practical performance can be further improved with hardware-based acceleration techniques, which makes the proposed schemes suitable for managing real databases. Additionally, their robustness tolerates irrational client update queries. Hence, we recommend SR-DSSE_a and SR-DSSE_b for real-world deployment.
REFERENCES
[1] S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable symmetric encryption,” in the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012, T. Yu, G. Danezis, and V. D. Gligor, Eds. ACM, 2012, pp. 965–976. [Online]. Available: https://doi.org/10.1145/2382196.2382298
[2] S. Lu, J. Zheng, Z. Cao, Y. Wang, and C. Gu, “A survey on cryptographic techniques for protecting big data security: present and forthcoming,” Science China Information Sciences, vol. 65, no. 10, pp. 1–34, 2022.
[3] E. Stefanov, C. Papamanthou, and E. Shi, “Practical dynamic searchable encryption with small leakage,” in 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014. The Internet Society, 2014. [Online]. Available: https://www.ndss-symposium.org/ndss2014/practical-dynamic-searchable-encryption-small-leakage
[4] R. Bost, B. Minaud, and O. Ohrimenko, “Forward and backward private searchable encryption from constrained cryptographic primitives,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, B. Thuraisingham, D. Evans, T. Malkin, and D. Xu, Eds. ACM, 2017, pp. 1465–1482. [Online]. Available: https://doi.org/10.1145/3133956.3133980
[5] C. Zuo, S. Sun, J. K. Liu, J. Shao, and J. Pieprzyk, “Dynamic searchable symmetric encryption with forward and stronger backward privacy,” in Computer Security - ESORICS 2019 - 24th European Symposium on Research in Computer Security, Luxembourg, September 23-27, 2019, Proceedings, Part II, ser. Lecture Notes in Computer Science, K. Sako, S. A. Schneider, and P. Y. A. Ryan, Eds., vol. 11736. Springer, 2019, pp. 283–303. [Online]. Available: https://doi.org/10.1007/978-3-030-29962-0_14
[6] T. Hoang, A. A. Yavuz, and J. Guajardo, “A secure searchable encryption framework for privacy-critical cloud storage services,” IEEE Trans. Serv. Comput., vol. 14, no. 6, pp. 1675–1689, 2021. [Online]. Available: https://doi.org/10.1109/TSC.2019.2897096
[7] J. G. Chamani, D. Papadopoulos, C. Papamanthou, and R. Jalili, “New constructions for forward and backward private symmetric searchable encryption,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, D. Lie, M. Mannan, M. Backes, and X. Wang, Eds. ACM, 2018, pp. 1038–1055. [Online]. Available: https://doi.org/10.1145/3243734.3243833
[8] P. Xu, W. Susilo, W. Wang, T. Chen, Q. Wu, K. Liang, and H. Jin, “Rose: Robust searchable encryption with forward and backward security,” IEEE Transactions on Information Forensics and Security, vol. 17, pp. 1115–1130, 2022.
[9] C. Zuo, S. Sun, J. K. Liu, J. Shao, J. Pieprzyk, and G. Wei, “Forward and backward private dynamic searchable symmetric encryption for conjunctive queries,” IACR Cryptol. ePrint Arch., p. 1357, 2020. [Online]. Available: https://eprint.iacr.org/2020/1357
[10] C. Zuo, S. Sun, J. K. Liu, J. Shao, J. Pieprzyk, and L. Xu, “Forward and backward private DSSE for range queries,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 1, pp. 328–338, 2022. [Online]. Available: https://doi.org/10.1109/TDSC.2020.2994377
[11] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds,” in Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, ser. Lecture Notes in Computer Science, J. H. Cheon and T. Takagi, Eds., vol. 10031, 2016, pp. 3–33. [Online]. Available: https://doi.org/10.1007/978-3-662-53887-6_1
[12] M. Karnaugh, “The map method for synthesis of combinational logic circuits,” Transactions of the American Institute of Electrical Engineers, Part I: Communication and Electronics, vol. 72, no. 5, pp. 593–599, 1953.
[13] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM, vol. 56, no. 6, pp. 34:1–34:40, 2009. [Online]. Available: http://doi.acm.org/10.1145/1568318.1568324
[14] V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with errors over rings,” Journal of the ACM, vol. 60, no. 6, pp. 43:1–43:35, 2013. [Online]. Available: https://doi.org/10.1145/2535925
[15] K. Matsuoka, R. Banno, N. Matsumoto, T. Sato, and S. Bian, “Virtual secure platform: A five-stage pipeline processor over TFHE,” in 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, M. Bailey and R. Greenstadt, Eds. USENIX Association, 2021, pp. 4007–4024. [Online]. Available: https://www.usenix.org/conference/usenixsecurity21/presentation/matsuoka
[16] I. Demertzis, J. G. Chamani, D. Papadopoulos, and C. Papamanthou, “Dynamic searchable encryption with small client storage,” in 27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, California, USA, February 23-26, 2020. The Internet Society, 2020. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/dynamic-searchable-encryption-with-small-client-storage/
[17] F. S. Foundation, “The GNU MP bignum library,” https://gmplib.org/, accessed Jun 11, 2021.
[18] O. S. Foundation, “OpenSSL,” https://www.openssl.org/, accessed Jun 11, 2021.
[19] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “TFHE: Fast fully homomorphic encryption library,” August 2016, https://tfhe.github.io/tfhe/.
[20] G. Attardi, “Wikiextractor,” https://github.com/attardi/wikiextractor, 2015.
[21] W. Wang, Z. Chen, and X. Huang, “Accelerating leveled fully homomorphic encryption using GPU,” in IEEE International Symposium on Circuits and Systems, ISCAS 2014, Melbourne, Victoria, Australia, June 1-5, 2014. IEEE, 2014, pp. 2800–2803. [Online]. Available: https://doi.org/10.1109/ISCAS.2014.6865755
[22] W. Dai and B. Sunar, “cuHE: A homomorphic encryption accelerator library,” in Cryptography and Information Security in the Balkans - Second International Conference, BalkanCryptSec 2015, Koper, Slovenia, September 3-4, 2015, Revised Selected Papers, ser. Lecture Notes in Computer Science, E. Pasalic and L. R. Knudsen, Eds., vol. 9540. Springer, 2015, pp. 169–186. [Online]. Available: https://doi.org/10.1007/978-3-319-29172-7_11
[23] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE,” in Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part I, ser. Lecture Notes in Computer Science, T. Takagi and T. Peyrin, Eds., vol. 10624. Springer, 2017, pp. 377–408. [Online]. Available: https://doi.org/10.1007/978-3-319-70694-8_14
[24] G. Amjad, S. Kamara, and T. Moataz, “Forward and backward private searchable encryption with SGX,” in Proceedings of the 12th European Workshop on Systems Security, EuroSec@EuroSys 2019, Dresden, Germany, March 25, 2019. ACM, 2019, pp. 4:1–4:6. [Online]. Available: https://doi.org/10.1145/3301417.3312496
[25] V. Vo, S. Lai, X. Yuan, S. Nepal, and J. K. Liu, “Towards efficient and strong backward private searchable encryption with secure enclaves,” in 19th International Conference on Applied Cryptography and Network Security (ACNS), vol. 12726, 2021, pp. 50–75.
[26] T. Hoang, M. O. Ozmen, Y. Jang, and A. A. Yavuz, “Hardware-supported ORAM in effect: Practical oblivious search and update on very large dataset,” Proc. Priv. Enhancing Technol., vol. 2019, no. 1, pp. 172–191, 2019.
[27] T. Hoang, R. Behnia, Y. Jang, and A. A. Yavuz, “MOSE: practical multi-user oblivious storage via secure enclaves,” in Tenth ACM Conference on Data and Application Security and Privacy (CODASPY), 2020, pp. 17–28.
[28] Y. Huang, S. Lv, Z. Liu, X. Song, J. Li, Y. Yuan, and C. Dong, “Cetus: an efficient symmetric searchable encryption against file-injection attack with SGX,” Sci. China Inf. Sci., vol. 64, no. 8, 2021. [Online]. Available: https://doi.org/10.1007/s11432-020-3039-x
[29] Y. Chang and M. Mitzenmacher, “Privacy preserving keyword searches on remote encrypted data,” in Applied Cryptography and Network Security, Third International Conference, ACNS 2005, New York, NY, USA, June 7-10, 2005, Proceedings, ser. Lecture Notes in Computer Science, J. Ioannidis, A. D. Keromytis, and M. Yung, Eds., vol. 3531, 2005, pp. 442–455. [Online]. Available: https://doi.org/10.1007/11496137_30
[30] R. Bost, “Σoφoς: Forward secure searchable encryption,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, and S. Halevi, Eds. ACM, 2016, pp. 1143–1154. [Online]. Available: https://doi.org/10.1145/2976749.2978303
[31] S. Garg, P. Mohassel, and C. Papamanthou, “TWORAM: efficient oblivious RAM in two rounds with applications to searchable encryption,” in Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III, ser. Lecture Notes in Computer Science, M. Robshaw and J. Katz, Eds., vol. 9816. Springer, 2016, pp. 563–592. [Online]. Available: https://doi.org/10.1007/978-3-662-53015-3_20
[32] P. Xu, S. Liang, W. Wang, W. Susilo, Q. Wu, and H. Jin, “Dynamic searchable symmetric encryption with physical deletion and small leakage,” in Information Security and Privacy - 22nd Australasian Conference, ACISP 2017, Auckland, New Zealand, July 3-5, 2017, Proceedings, Part I, ser. Lecture Notes in Computer Science, J. Pieprzyk and S. Suriadi, Eds., vol. 10342. Springer, 2017, pp. 207–226. [Online]. Available: https://doi.org/10.1007/978-3-319-60055-0_11
[33] S. Sun, X. Yuan, J. K. Liu, R. Steinfeld, A. Sakzad, V. Vo, and S. Nepal, “Practical backward-secure searchable encryption from symmetric puncturable encryption,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, D. Lie, M. Mannan, M. Backes, and X. Wang, Eds. ACM, 2018, pp. 763–780. [Online]. Available: https://doi.org/10.1145/3243734.3243782
[34] S. Sun, R. Steinfeld, S. Lai, X. Yuan, A. Sakzad, J. K. Liu, S. Nepal, and D. Gu, “Practical non-interactive searchable encryption with forward and backward privacy,” in 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, February 21-25, 2021. The Internet Society, 2021. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/practical-non-interactive-searchable-encryption-with-forward-and-backward-privacy/
[35] J. G. Chamani, D. Papadopoulos, M. Karbasforushan, and I. Demertzis, “Dynamic searchable encryption with optimal search in the presence of deletions,” in 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, K. R. B. Butler and K. Thomas, Eds. USENIX Association, 2022, pp. 2425–2442. [Online]. Available: https://www.usenix.org/conference/usenixsecurity22/presentation/chamani
[36] J. Wang and S. S. M. Chow, “Forward and backward-secure range-searchable symmetric encryption,” Proc. Priv. Enhancing Technol., vol. 2022, no. 1, pp. 28–48, 2022.
[37] E. M. Kornaropoulos, N. Moyer, C. Papamanthou, and A. Psomas, “Leakage inversion: Towards quantifying privacy in searchable encryption,” in Proceedings of the 29th ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022, pp. 1829–1842.
[38] S. Oya and F. Kerschbaum, “Hiding the access pattern is not enough: Exploiting search pattern leakage in searchable encryption,” in 30th USENIX Security Symposium, 2021, pp. 127–142.
[39] E. M. Kornaropoulos, C. Papamanthou, and R. Tamassia, “Response-hiding encrypted ranges: Revisiting security via parametrized leakage-abuse attacks,” in 42nd IEEE Symposium on Security and Privacy (S&P), 2021, pp. 1502–1519.
[40] X. Zhang, W. Wang, P. Xu, L. T. Yang, and K. Liang, “High recovery with fewer injections: Practical binary volumetric injection attacks against dynamic searchable encryption,” in 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, J. A. Calandrino and C. Troncoso, Eds. USENIX Association, 2023, pp. 5953–5970. [Online]. Available: https://www.usenix.org/conference/usenixsecurity23/presentation/zhang-xianglong
[41] T. Hoang, A. A. Yavuz, F. B. Durak, and J. Guajardo, “Oblivious dynamic searchable encryption on distributed cloud systems,” in Data and Applications Security and Privacy XXXII: 32nd Annual IFIP WG 11.3 Conference, DBSec 2018, Proceedings, vol. 10980, 2018, pp. 113–130.
[42] ——, “A multi-server oblivious dynamic searchable encryption framework,” J. Comput. Secur., vol. 27, no. 6, pp. 649–676, 2019.
[43] E. Dauterman, E. Feng, E. Luo, R. A. Popa, and I. Stoica, “DORY: an encrypted search system with distributed trust,” in 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2020, pp. 1101–1119.
[44] W. Wang, D. Liu, P. Xu, L. T. Yang, and K. Liang, “Keyword search shareable encryption for fast and secure data replication,” IEEE Trans. Inf. Forensics Secur., vol. 18, pp. 5537–5552, 2023. [Online]. Available: https://doi.org/10.1109/TIFS.2023.3306941
[45] T. Chen, P. Xu, S. Picek, B. Luo, W. Susilo, H. Jin, and K. Liang, “The power of bamboo: On the post-compromise security for searchable symmetric encryption,” in 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, February 27 - March 3, 2023. The Internet Society, 2023. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/the-power-of-bamboo-on-the-post-compromise-security-for-searchable-symmetric-encryption/
[46] T. Chen, P. Xu, W. Wang, Y. Zheng, W. Susilo, and H. Jin, “Bestie: Very practical searchable encryption with forward and backward security,” in Computer Security - ESORICS 2021 - 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4-8, 2021, Proceedings, Part II, ser. Lecture Notes in Computer Science, E. Bertino, H. Shulman, and M. Waidner, Eds., vol. 12973. Springer, 2021, pp. 3–23. [Online]. Available: https://doi.org/10.1007/978-3-030-88428-4_1
APPENDIX
A. Security Proof of SR-DSSE_a
Algorithm 5 Simulator of Ideal SR-DSSE_a
Setup(L^Setup(λ, n))
1: Initialize three empty map structures EDB, RandomStrList, CipherList. Send EDB to the server and keep the others locally;
2: Initialize a timestamp parameter u ← 1;
Update(L^Update(op, (w, F)))
1: Increase the timestamp by u ← u + 1;
2: Randomly generate the string R ←$ {0,1}^λ, the index I ←$ {0,1}^λ and the protected mask C ←$ {0,1}^λ;
3: Randomly generate a bi-bitmap index (bs_a, bs_b) and encrypt it into the ciphertext (V_a, V_b);
4: Record R by RandomStrList[u] ← R; record I, C and (V_a, V_b) by CipherList[u] ← (I, C, (V_a, V_b));
5: Send I, C and (V_a, V_b) to the server for saving;
Search(L^Search(w) = (∆srch(w), rst(w), Time(w)))
1: Increase the timestamp by u ← u + 1;
2: Obtain the timestamp u_s of the last search query from ∆srch(w), where u_s = −1 if sp(w) = ∅;
3: Obtain all timestamps u_{s+1}, ..., u_t between u_s and u from Time(w), where u_i < u_j if i < j;
4: Abort if t = −1 and u_s = −1 (that is, there are no historical update queries for keyword w);
5: Choose a key K_w ←$ {0,1}^λ for the searched keyword w;
6: for i = t to s + 1 do
7:   Retrieve the simulated ciphertext (I_{u_i}, C_{u_i}, (V_a, V_b)) ← CipherList[u_i];
8:   Retrieve two consecutive random strings R_{u_i} ← RandomStrList[u_i] and R_{u_{i−1}} ← RandomStrList[u_{i−1}];
9:   Program oracle H1 such that H1(K_w, R_{u_i}) = I_{u_i};
10:  Program oracle H2 such that H2(K_w, R_{u_i}) = C_{u_i} ⊕ R_{u_{i−1}};
11: end for
12: Send a search trapdoor (K_w, R_t, s, t) to the server;
13: return the file identifiers contained in rst(w) when the client receives the server's response.
Proof. In the security proof of SR-DSSE_a, we build a simulator S with the input of the protocols' leakage, that is, L^Setup(λ, n) = (λ, n), L^Update(op, (w, F)) = , and L^Search(w) = (∆srch(w), rst(w), Time(w)). Then S can simulate SR-DSSE_a's three protocols respectively. We will prove that the ideal SR-DSSE_a is indistinguishable from the real one under the adaptive attack; the simulator is described in Algorithm 5. Concretely speaking, the simulator S consists of the following three phases.
Setup Phase: The simulator S takes the function L^Setup(λ, n) = (λ, n) as input and initializes three maps RandomStrList, CipherList, and EDB. EDB is sent to the server as in the real game, and the client keeps the other two maps as internal states. RandomStrList records each update's random string, and CipherList records the ciphertexts generated by S. Clearly, it is hard for the adversary A to distinguish the simulated Setup phase from the real one.
Update Phase: When the adversary A issues an update query with the input op, (w, F), the simulator S takes the leakage function L^Update(op, (w, F)) as the input, computes a timestamp u, picks a random string R, an index I, a protected mask C, and a bi-bitmap index (bs_a, bs_b), and encrypts this bi-bitmap index. According to the randomness of the oracles H1 and H2 and the security of T, the simulated (R, I, C, (V_a, V_b)) has the same distribution as the real one generated by SR-DSSE_a.Update in the RO model. Hence, it is hard for the adversary A to distinguish the simulated Update phase from the real one.
Search Phase: When the adversary A issues a search query with the input keyword w, the simulator S takes the function L^Search(w) = (∆srch(w), rst(w), Time(w)) as the input. To begin with, it checks the historical update queries about w and aborts if there were no previous updates (refer to Step 4). Next, the simulator must program the two random oracles H1 and H2 so that the computations of search trapdoors are valid in the view of the adversary A (refer to Steps 5 to 11). The core work is to guarantee that all simulated ciphertexts of keyword w can be retrieved by the server with a randomly generated search trapdoor. Hence, from the latest to the earliest query (refer to Step 6), the simulator S programs H1 and H2 according to the real SR-DSSE_a.Update. In the end, a randomly generated search trapdoor is sent to the server. Hence, it is hard for the adversary A to distinguish the simulated Search phase from the real one.
To summarize, we can construct a simulator S to simulate SR-DSSE_a with the given leakage functions, and the simulated SR-DSSE_a is indistinguishable from the real one. Thus, Theorem 1 is true.
B. Security Proof of SR-DSSE_b
Algorithm 6 Simulator of Ideal SR-DSSE_b
Setup(L^Setup(λ, n))
1: Initialize four empty map structures EDB, RandomStrList, CipherList, BiKeyList. Send EDB to the server and keep the others locally;
2: Initialize a timestamp parameter u ← 1;
Update(L^Update(op, (w, F)))
1: Increase the timestamp by u ← u + 1;
2: Randomly generate the string R ←$ {0,1}^λ, the index I ←$ {0,1}^λ and the protected mask C ←$ {0,1}^λ;
3: Randomly choose two keys sk_a ←$ {0,1}^λ and sk_b ←$ {0,1}^λ and a bi-bitmap index (bs_a, bs_b); encrypt the chosen bi-bitmap index into the ciphertext by (e_a, e_b) ← (bs_a ⊕ sk_a, bs_b ⊕ sk_b);
4: Record R by RandomStrList[u] ← R; record I, C and (e_a, e_b) by CipherList[u] ← (I, C, (e_a, e_b)); record (sk_a, sk_b) by BiKeyList[u] ← (sk_a, sk_b);
5: Send I, C and (e_a, e_b) to the server for saving;
Search(L^Search(w) = (∆srch(w), rst(w), Time(w)))
1: Increase the timestamp by u ← u + 1;
2: Obtain the timestamp u_s of the last search query from ∆srch(w), where u_s = −1 if sp(w) = ∅;
3: Obtain all timestamps u_{s+1}, ..., u_t between u_s and u from Time(w), where u_i < u_j if i < j;
4: Abort if t = −1 and u_s = −1 (that is, there are no historical update queries for keyword w);
5: Randomly choose two keys K_w ←$ {0,1}^λ and K'_w ←$ {0,1}^λ for the searched keyword w;
6: for i = t to s + 1 do
7:   Retrieve the simulated ciphertext (I_{u_i}, C_{u_i}, (e_a, e_b)) ← CipherList[u_i];
8:   Retrieve two consecutive random strings R_{u_i} ← RandomStrList[u_i] and R_{u_{i−1}} ← RandomStrList[u_{i−1}];
9:   Retrieve the two keys (sk_a, sk_b) ← BiKeyList[u_i];
10:  Program oracle H1 such that H1(K_w, R_{u_i}) = I_{u_i};
11:  Program oracle H2 such that H2(K_w, R_{u_i}) = C_{u_i} ⊕ R_{u_{i−1}};
12:  Program oracle H3 such that H3(K'_w, i) = sk_a;
13:  Program oracle H4 such that H4(K'_w, i) = sk_b;
14: end for
15: Randomly choose a key sk ←$ {0,1}^λ and program oracle H5 such that H5(K'_w, t) = sk if s < t (namely, there are update queries between the two search queries);
16: Send a search trapdoor (K_w, R_t, s, t) to the server;
17: return the file identifiers contained in rst(w) when the client receives the server's response.
Proof. In the security proof of SR-DSSE_b, we build a simulator S with the input of the protocols' leakage, that is, L^Setup(λ, n) = (λ, n), L^Update(op, (w, F)) = , and L^Search(w) = (∆srch(w), rst(w), Time(w)). Then the simulator S can simulate SR-DSSE_b's three protocols, respectively. We will prove that the ideal SR-DSSE_b is indistinguishable from the real one under the adaptive attack; the simulator is described in Algorithm 6. As in the security proof of SR-DSSE_a, the simulator S consists of the following three phases, and we omit the details that duplicate that description.
Setup Phase: The simulator S takes the leakage function L^Setup(λ, n) = (λ, n) as the input. Additionally, S initializes a map BiKeyList for recording the bi-bitmap-index encryption keys and keeps the map as one of its internal states. Clearly, it is hard for the adversary A to distinguish the simulated Setup phase from the real one.
Update Phase: When an update query with the input op, (w, F) is issued, the simulator S takes the leakage function L^Update(op, (w, F)) as the input. Besides picking a randomly generated trapdoor and ciphertexts, S also picks two random keys sk_a and sk_b and records them in BiKeyList[u]. In the same way, the distribution of the simulated (R, I, C, (e_a, e_b)) is the same as that of the real one generated by SR-DSSE_b.Update in the RO model. Therefore, it is hard for the adversary A to distinguish the simulated Update phase from the real one.
Search Phase: When a search query with the input keyword w is issued, the simulator S takes the leakage function L^Search(w) = (∆srch(w), rst(w), Time(w)) as the input. Before programming the oracles, S chooses two random keys K_w and K'_w (refer to Step 5). Then, during the programming, S programs the oracles H3 and H4 with the input K'_w (refer to Steps 12 to 13). In addition, if there are update queries between the two search queries, a random key sk is generated and programmed into oracle H5 for re-encrypting the new result (refer to Step 15). Hence, it is hard for the adversary A to distinguish the simulated Search phase from the real one.
In summary, with the given leakage functions as input, we are able to construct a simulator S that simulates SR-DSSE_b, and the simulated SR-DSSE_b is indistinguishable from the real one. Thus, Theorem 2 is true.
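As an added example (not code from the paper or its authors), the following Python runs the simulator of Algorithm 5 against programmable random oracles H1 and H2 and then lets a server walk the resulting trapdoor chain; Algorithm 6 differs only in the extra key list and the oracles H3 to H5, which are omitted here. The server walk (I = H1(K_w, R), then R ← C ⊕ H2(K_w, R), repeated t − s times) is my reading of how the trapdoor (K_w, R_t, s, t) is used, since the appendix shows only the simulator, and the random stand-in for the encrypted bi-bitmap index (V_a, V_b) is constructed.

```python
"""Simulator modelled on Algorithm 5 (SR-DSSE_a) with programmable random
oracles, plus the server-side chain walk driven by the trapdoor (K_w, R_t, s, t)."""
import secrets
from dataclasses import dataclass, field

LAMBDA_BYTES = 16  # security parameter lambda, in bytes


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of equal-length strings (the mask C hides R_{u_{i-1}})."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class ProgrammableRO:
    """Random oracle the simulator may program. program() fails if the input was
    already queried with a different answer: the bad event the proof must bound."""
    def __init__(self):
        self.table = {}

    def query(self, key: bytes, x: bytes) -> bytes:
        return self.table.setdefault((key, x), secrets.token_bytes(LAMBDA_BYTES))

    def program(self, key: bytes, x: bytes, y: bytes) -> None:
        prev = self.table.get((key, x))
        if prev is not None and prev != y:
            raise RuntimeError("oracle output already fixed; simulation aborts")
        self.table[(key, x)] = y


@dataclass
class Simulator:
    """Setup / Update / Search of Algorithm 5, driven only by the leakage."""
    H1: ProgrammableRO
    H2: ProgrammableRO
    u: int = 1                                   # timestamp parameter
    EDB: dict = field(default_factory=dict)      # server side: I -> (C, (Va, Vb))
    RandomStrList: dict = field(default_factory=dict)
    CipherList: dict = field(default_factory=dict)

    def update(self) -> int:
        """Update leaks nothing about (op, (w, F)), so everything is random."""
        self.u += 1
        R, I, C = (secrets.token_bytes(LAMBDA_BYTES) for _ in range(3))
        V = tuple(secrets.token_bytes(LAMBDA_BYTES) for _ in range(2))  # stand-in (Va, Vb)
        self.RandomStrList[self.u] = R
        self.CipherList[self.u] = (I, C, V)
        self.EDB[I] = (C, V)
        return self.u

    def search(self, u_s: int, times: list):
        """Program H1/H2 so a random trapdoor walks exactly the leaked timestamps.
        u_s: last search timestamp on w (-1 if none); times: Time(w) after u_s."""
        self.u += 1
        if not times:               # Step 4 when u_s == -1; else nothing new since u_s
            return None
        Kw = secrets.token_bytes(LAMBDA_BYTES)    # Step 5
        s, t = 0, len(times)                      # only t - s matters to the walk
        for i in range(t, s, -1):                 # Step 6: latest update first
            I_ui, C_ui, _ = self.CipherList[times[i - 1]]
            R_ui = self.RandomStrList[times[i - 1]]
            # Step 8: previous update's random string; arbitrary for the earliest
            # entry, because the server stops after t - s steps.
            R_prev = self.RandomStrList[times[i - 2]] if i >= 2 else bytes(LAMBDA_BYTES)
            self.H1.program(Kw, R_ui, I_ui)                 # Step 9
            self.H2.program(Kw, R_ui, xor(C_ui, R_prev))    # Step 10
        return (Kw, self.RandomStrList[times[-1]], s, t)    # Step 12


def server_search(EDB: dict, trapdoor, H1: ProgrammableRO, H2: ProgrammableRO):
    """Assumed server walk: I = H1(K_w, R), then R <- C xor H2(K_w, R), t - s times."""
    Kw, R, s, t = trapdoor
    found = []
    for _ in range(t - s):
        I = H1.query(Kw, R)
        C, V = EDB[I]
        found.append((I, C, V))
        R = xor(C, H2.query(Kw, R))
    return found


def run_demo() -> dict:
    """Two search rounds on one keyword w; returns the values worth checking."""
    H1, H2 = ProgrammableRO(), ProgrammableRO()
    sim = Simulator(H1, H2)
    res = {"abort_when_empty": sim.search(-1, [])}           # Step 4 fires
    ts1 = [sim.update() for _ in range(3)]                    # three adds of w
    res["first_walk"] = server_search(sim.EDB, sim.search(-1, ts1), H1, H2)
    res["first_expected"] = [sim.CipherList[u] for u in reversed(ts1)]
    u_s = sim.u                                               # timestamp of that search
    ts2 = [sim.update() for _ in range(2)]                    # two more adds of w
    res["second_walk"] = server_search(sim.EDB, sim.search(u_s, ts2), H1, H2)
    res["second_expected"] = [sim.CipherList[u] for u in reversed(ts2)]
    ro = ProgrammableRO()              # bad event: point queried before programming
    ro.query(b"k", b"x")
    try:
        ro.program(b"k", b"x", bytes(LAMBDA_BYTES))
        res["collision_detected"] = False
    except RuntimeError:
        res["collision_detected"] = True
    return res
```

The second round programs only the updates issued after the first search, so the walk returns exactly those two entries, which is what the (s, t) range in the trapdoor conveys; program() raising on an already-queried point is the event a programmable-oracle proof must show occurs with negligible probability.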
Haochen Dou (M’13) received a B.E. degree in
information security from Xidian University, Xi’an,
China, in 2020. He is currently working toward
a master’s degree in cyberspace security at the
Huazhong University of Science and Technology.
His research interests include applied cryptography
and post-quantum cryptography.
Zhenwu Dan (M’13) received a B.S. degree
in mathematics and applied mathematics from
Huazhong University of Science and Technology,
Wuhan, China, in 2020. He is currently working
toward a master’s degree in cyberspace security at
the Huazhong University of Science and Technol-
ogy. His research interests include cryptography and
searchable encryption.
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2024.3350330
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
15
P. Xu, R. Sun, W. Wang et al. Future Generation Computer Systems 125 (2021) 32–40
[5] C. Brand, A. Czeskis, J. Ehrensvard, M. Jones, A. Kumar, R. Lindemann,
A. Powers, J. Verrept, FIDO 2.0: Client To Authenticator Protocol, FIDO
Alliance, 2019.
[6] D. Balfanz, A. Czeskis, J. Hodges, J. Jones, M. Jones, A. Kumar, A. Liao, R.
Lindemann, E. Lundberg, Web authentication: An api for accessing public
key credentials, 2019, URL: https://www.w3.org/TR/2019/REC-webauthn-
1-20190304/ (accessed: 2021-02-01).
[7] M. Togan, B.-C. Chifor, I. Florea, G. Gugulea, A smart-phone based privacy-
preserving security framework for iot devices, in: 2017 9th International
Conference on Electronics, Computers and Artificial Intelligence (ECAI),
IEEE, 2017, pp. 1–7.
[8] Y. Zhang, X. Wang, Z. Zhao, H. Li, Secure display for fido transaction
confirmation, in: Proceedings of the Eighth ACM Conference on Data and
Application Security and Privacy, 2018, pp. 155–157.
[9] A. Brandon, M. Trimarchi, Trusted display and input using screen overlays,
in: 2017 International Conference on ReConFigurable Computing and
FPGAs (ReConFig), IEEE, 2017, pp. 1–6.
[10] M. Yu, V.D. Gligor, Z. Zhou, Trusted display on untrusted commodity plat-
forms, in: Proceedings of the 22nd ACM SIGSAC Conference on Computer
and Communications Security, 2015, pp. 989–1003.
[11] B. Zhu, X. Fan, G. Gong, Loxin-a solution to password-less universal login,
in: 2014 IEEE Conference on Computer Communications Workshops, IEEE,
2014, pp. 488–493.
[12] F. Stajano, Pico: no more passwords!, in: International Workshop on
Security Protocols, Springer, 2011, pp. 49–81.
[13] T. Bui, S.P. Rao, M. Antikainen, V.M. Bojan, T. Aura, Man-in-the-machine:
exploiting ill-secured communication inside the computer, in: 27th USENIX
Security Symposium, 2018, pp. 1511–1525.
[14] T. Alves, D. Felton, Trustzone: Integrated Hardware and Software Security,
White Paper, 2004.
[15] V. Costan, S. Devadas, Intel sgx explained, IACR Cryptol. EPrint Arch. 2016
(2016) 1–118.
[16] S.G. Lyastani, M. Schilling, M. Neumayr, M. Backes, S. Bugiel, Is fido2 the
kingslayer of user authentication? a comparative usability study of fido2
passwordless authentication, in: 2020 IEEE Symposium on Security and
Privacy, IEEE, 2020, pp. 268–285.
[17] S. Das, A. Dingman, L.J. Camp, Why johnny does not use two factor a
two-phase usability study of the fido u2f security key, in: International
Conference on Financial Cryptography and Data Security, Springer, 2018,
pp. 160–179.
[18] D. Baghdasaryan, B. Hill, J.E. Hill, D. Biggs, FIDO Security Reference, FIDO
Alliance, 2018.
[19] Y. Zhang, Q. Liu, Q. Luo, X. Wang, Xas: Cross-api scripting attacks in social
ecosystems, Sci. China Inf. Sci. 58 (2015) 1–14.
Peng Xu received a Ph.D. degree in computer science
from Huazhong University of Science and Technology,
Wuhan, China, in 2010. He worked as a post-doctor
at Huazhong University of Science and Technology,
Wuhan, China, from 2010 to 2013, and as an associate
research fellow at the University of Wollongong, Aus-
tralia, from 2018 to 2019. Now, he is a full professor
at Huazhong University of Science and Technology. His
research interests are in the field of cryptography. He
authored over thirty research papers, sixteen patents,
and two books. He was PI in nine grants, including
three NSF projects.
Ruijie Sun received a B.E. degree in computer science
from Huazhong University of Science and Technology,
Wuhan, China, in 2018. He is currently working to-
ward a master’s degree in cyberspace security at the
Huazhong University of Science and Technology. His
research interests include online authentication and
FIDO protocol.
Wei Wang received the B.E. and Ph.D. degrees in Elec-
tronic and Communication Engineering from Huazhong
University of Science and Technology, Wuhan, China,
in 2006 and 2011, respectively. Currently she works
as a researcher with Cyber–Physical–Social Systems
Lab, Huazhong University of Science and Technology,
Wuhan, China. Her research interests include cloud
security, network coding and multimedia transmission.
She has authored more than 20 papers in international
journals and at conferences.
Tianyang Chen received a B.E. degree in informa-
tion security from Huazhong University of Science
and Technology, Wuhan, China, in 2017. He is cur-
rently working toward a doctor’s degree in cyberspace
security at the Huazhong University of Science and
Technology. His research interests include cryptography
and IoT.
Yubo Zheng received a B.E. degree in information
security from Huazhong University of Science and
Technology, Wuhan, China, in 2019. He is currently
working toward a master’s degree in cyberspace se-
curity at the Huazhong University of Science and
Technology. His research interests include cryptography
and lattices.
Dr. Hai Jin received his Ph.D. degree in computer engineering from Huazhong University of Science and Technology in 1994. He received a German Academic Exchange Service (DAAD) fellowship to visit the Technical University of Chemnitz in Germany in 1996. He worked at the University of Hong Kong between 1998 and 2000, and as a visiting scholar at the University of Southern California between 1999 and 2000. He received the Excellent Youth Award from the National Science Foundation of China in 2001. He is a Cheung Kong Scholars chair professor of computer science and engineering at Huazhong University of Science and Technology. He has coauthored 22 books and published over 800 research papers. His research interests include computer architecture, virtualization technology, cluster computing and cloud computing, peer-to-peer computing, network storage, and network security. He is a fellow of the CCF, a fellow of the IEEE and a member of the ACM.
Peng Xu (M’13) received a Ph.D. degree in computer science from Huazhong University of Science and Technology, Wuhan, China, in 2010. He worked as a postdoctoral researcher at Huazhong University of Science and Technology, Wuhan, China, from 2010 to 2013, and as an associate research fellow at the University of Wollongong, Australia, from 2018 to 2019. He is now a full professor at Huazhong University of Science and Technology. His research interests are in the field of cryptography. He has authored over thirty research papers, nineteen patents, and two books, and has been PI of twenty grants, including three NSF projects.
Wei Wang (M’13) received the B.E. and Ph.D. degrees in Electronic and Communication Engineering from Huazhong University of Science and Technology, Wuhan, China, in 2006 and 2011, respectively. She is currently a researcher with the Cyber-Physical-Social Systems Lab, Huazhong University of Science and Technology, Wuhan, China. Her research interests include cloud security, network coding and multimedia transmission. She has authored more than 20 papers in international journals and at conferences.
Shuning Xu received a B.E. degree in information
security from Zhengzhou University, China, in 2021.
She is currently working toward a master’s degree
in cyberspace security at the Huazhong University
of Science and Technology. Her research interests
include encrypted search and cryptography.
Tianyang Chen received a B.E. degree in information security from Huazhong University of Science and Technology, Wuhan, China, in 2017. He is currently working toward a Ph.D. degree in cyberspace security at the Huazhong University of Science and Technology. His research interests include cryptography and IoT.
Hai Jin (F’19) received his Ph.D. degree in computer engineering from Huazhong University of Science and Technology in 1994. He received a German Academic Exchange Service (DAAD) fellowship to visit the Technical University of Chemnitz in Germany in 1996. He worked at the University of Hong Kong between 1998 and 2000, and as a visiting scholar at the University of Southern California between 1999 and 2000. He received the Excellent Youth Award from the National Science Foundation of China in 2001. He is a Cheung Kong Scholars chair professor of computer science and engineering at Huazhong University of Science and Technology. He has coauthored 22 books and published over 800 research papers. His research interests include computer architecture, virtualization technology, cluster computing and cloud computing, peer-to-peer computing, network storage, and network security. He is a fellow of the CCF, a fellow of the IEEE and a member of the ACM.
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2024.3350330
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
... designed a sublinear-time algorithm leveraging inverted indexes. Despite these advancements, modern SSE schemes [30], [31] often require pre-established key agreements between the communicating parties, which limits their applicability in dynamic data-sharing environments. Asymmetric cryptographic systems [32], [33], [34], [35] have emerged as a promising solution, enabling more flexible and secure data-sharing without the need for prior key exchange. ...
Article
Data confidentiality, a fundamental security element for dependable cloud storage, has been drawing widespread concern. Public-key encryption with keyword search (PEKS) has emerged as a promising approach for privacy protection while enabling efficient retrieval of encrypted data. One of the typical applications of PEKS is searching sensitive electronic medical records (EMR) in healthcare clouds. However, many traditional countermeasures fall short of balancing privacy protection with search efficiency, and they often fail to support multi-user EMR sharing. To resolve these challenges, we propose a novel lightweight multi-user public-key authenticated encryption scheme with keyword search (LM-PAEKS). Our design effectively counters the inside keyword guessing attack (IKGA) while maintaining the sizes of ciphertext and trapdoor constant in multi-user scenarios. The novelty of our approach relies on introducing a dedicated receiver server that skillfully transforms the complex many-to-many relationship between senders and receivers into a streamlined one-to-one relationship. This transformation prevents the sizes of ciphertext and trapdoor from scaling linearly with the number of participants. Our approach ensures ciphertext indistinguishability and trapdoor privacy while avoiding bilinear pairing operations on the client side. Comparative performance analysis demonstrates that LM-PAEKS features significant computational efficiency while meeting higher security requirements, positioning it as a robust alternative to existing solutions.
... Due to the spatio-temporal nature of the data, the size of the database grows continuously, making scalability a critical concern in system design. The scalability of DSSE schemes largely depends on the index structures, including tree-based index structures [10], [14] and linear index structures [15], [16]. Tree-based spatio-temporal range query schemes inherently face scalability challenges [17], [18]. ...
Preprint
Cloud-based outsourced location-based services have profound impacts on various aspects of people's lives but bring security concerns. Existing spatio-temporal data secure retrieval schemes have significant shortcomings regarding dynamic updates, either compromising privacy through leakage during updates (forward insecurity) or incurring excessively high update costs that hinder practical application. Under these circumstances, we first propose a basic filter-based spatio-temporal range query scheme Trinity-I that supports low-cost dynamic updates and automatic expansion. Furthermore, to improve security, reduce storage cost, and false positives, we propose a forward secure and verifiable scheme Trinity-II that simultaneously minimizes storage overhead. A formal security analysis proves that Trinity-I and Trinity-II are Indistinguishable under Selective Chosen-Plaintext Attack (IND-SCPA). Finally, extensive experiments demonstrate that our design Trinity-II significantly reduces storage requirements by 80%, enables data retrieval at the 1 million-record level in just 0.01 seconds, and achieves 10× the update efficiency of the state of the art.
... Many schemes supporting data dynamics have been proposed in different cloud storage scenarios such as cloud data auditing [17,23,24], searchable symmetric encryption (SSE) [3,7,25–27] and policy update [4,28–30]. The focus of cloud data auditing schemes is to verify the integrity of outsourced data. ...
Article
In cloud storage, symmetric encryption is a common method to protect the confidentiality of volume data. One critical issue in symmetric encryption is the management of volume symmetric keys such as key generation, update and distribution. Many schemes have adopted hierarchical structures based on key derivation to generate and organize the keys. However, the efficient update of these derived and associated keys and the distribution of multiple derived keys have not been well studied. This paper mainly studies in-situ key update and traffic cost of key distribution. First, we redesign the key node structure of our binary key-derivation tree to provide the basis of the in-situ key update. Then, secure in-situ key update algorithms are proposed, in which forward secrecy and backward secrecy are guaranteed. Finally, we propose a minimal key set generation algorithm, which can effectively reduce the communication cost of key distribution. We also describe the key distribution and derivation process. Security analysis and extensive experimental evaluations show the proposed algorithms are secure, efficient and practical.
Article
Searchable symmetric encryption (SSE) supporting conjunctive queries has garnered significant attention over the past decade due to its practicality and wide applicability. While extensive research has addressed common leakages, such as the access pattern and search pattern, efforts to mitigate these vulnerabilities have primarily focused on structural issues inherent to scheme construction. In this work, we shift the focus to a less explored yet critical leakage stemming from users’ inherent querying behaviors: query correlation. Originally introduced by Grubbs et al. [USENIX SEC’20], formally defined by Oya et al. [USENIX SEC’22], and leveraged to mount a high-success query recovery attack against single-keyword SSE, query correlation raises a crucial question: does it pose a similar threat to the security of conjunctive SSE? To tackle this issue, we undertake two key efforts. First, we generalize the notion of query correlation in the context of conjunctive SSE, introducing the “generalized query correlation pattern”, which captures the co-occurrence relationships among queried tokens within a conjunctive query. Second, we develop a new passive query recovery attack, QCCK, which exploits both the search pattern and generalized query correlation pattern to infer the mapping between tokens and keywords. Comprehensive evaluations on the Enron dataset confirm QCCK’s efficacy, achieving a query recovery rate of approximately 80% with a keyword universe size ranging from 200 to 1000 and an observed query size between 5000 and 50,000. These findings highlight the significant threat posed by query correlation in conjunctive SSE and underscore the urgent need for robust countermeasures.
Article
Dynamic symmetric searchable encryption (DSSE) allows clients to perform keyword searches and updates on encrypted databases outsourced to cloud servers. Ensuring forward privacy is a crucial security property for DSSE schemes to protect data privacy. However, existing forward-private DSSE schemes face significant limitations: they either rely on an honest-but-curious server, assuming it always returns correct search results without providing verification functionality, or they lack support for fine-grained attribute-based searches and access control. As a result, these schemes cannot be directly applied to attribute-based databases. In this paper, we propose the first verifiable forward-private DSSE scheme suitable for attribute-based databases. Specifically, we construct a secure index based on attribute elements to realize fine-grained searches on attribute-value type databases while ensuring the forward privacy of the scheme. We also design a novel verification tag using symmetric homomorphic encryption to verify the correctness of search results. In addition, our scheme achieves access control functionality to ensure that different users can only access authorized files. Experimental evaluations show that our scheme has advantage in the update, search and verification processes. And the security analysis proves our scheme is secure.
Article
Secure cloud storage offers encrypted databases outsourcing service for resource-constrained clients, containing numerous tables with certain relations. Searchable symmetric encryption enables a client to search over its encrypted database on the cloud, while rarely considering queries over joins of tables. Join Cross-Tags (JXT) protocol (ASIACRYPT 2022) is thence presented that enables conjunctive queries over joins of tables, while neglecting arbitrary Boolean queries with disjunctive and conjunctive normal forms (DNF/CNF) in TWINSSE (PETS 2023). However, trivially combining JXT and TWINSSE for arbitrary DNF/CNF boolean queries over joins of tables seems infeasible due to: (i) no support for dis/conjunctive query with the same meta-keyword; (ii) returning inaccurate search results; (iii) incurring costly storage overhead. Therefore, we introduce TNT-QJ, a practical TwiN cross-Tag protocol for arbitrary boolean Query-Join over multi-tables. The result is technically obtained from revisiting TWINSSE’s framework via using s-term (the least frequent keyword) for the relation between a keyword and its meta-keyword, and non-trivially combined with JXT’s query-join approach for introducing a connective attributed in encryption tuples. In addition, we present a semi-full multi-fork searchable tree to store keyword information and reveal keyword containment relations, where the storage consumption is reduced from O(n³) to O(n²). Finally, to clarify practical performance, we conduct extensive experiments on JXT and TNT-QJ using an open database in the HUAWEI cloud. Besides enabling disjunctive queries over joins of tables, TNT-QJ also runs 1.2× faster for conjunctive queries than JXT (with #keywords=2), which confirms rich features and practical efficiency.
Article
Dynamic searchable symmetric encryption (DSSE), as one of the promising cryptographic tools in cloud-based services, faces two crying needs at the age of multi-device. One is a lightweight client, and the other is robustness. A lightweight client facilitates seamless synchronization among multiple devices allowing users to feel as if they are operating on a single device, even on resource-constrained devices. Robustness ensures a reliable system that can tolerate misoperations. DSSE requires both of them to achieve a leap in practicability. However, to our best knowledge, lightweight client and robustness have not been effectively combined thus far. Most existing DSSE schemes maintain a substantial amount of state information on the client for sub-linear search efficiency, but they fail to guarantee security even correctness, after executing the client’s misoperations (e.g., duplicate addition or deletion operation and deleting non-existent targets). The seminal work on robustness, ROSE (TIFS’22), leverages a heavy primitive to preserve security and correctness during post-processing and requires a heavy client storage burden. To guarantee robustness and constant client storage simultaneously, we devise a novel method to preserve robustness timely in the process of misoperations. Specifically, we introduce an alarm mechanism to promptly eliminate the effects of misoperations. Based on the misoperation alarm mechanism and the vORAM+HIRB oblivious map (S&P’16), we propose a new DSSE scheme Themis. In addition to satisfying robustness and constant client storage, it has competitive search and update performance compared to prior representative DSSE schemes. Moreover, it is superior to existing robust schemes in search.
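The misoperations named in the Themis abstract above, and in this paper's own abstract (duplicate add or delete, deleting an entry that was never added), are easiest to see on a toy index. The block below is an added illustration written for this page; it is not code from this paper, from Themis or from any other cited scheme, and the names `Server`, `Client`, `search_naive` and `search_robust` are my own. It assumes HMAC-SHA256 as the PRF and a client that stores only a per-keyword update counter. `search_naive` reconciles results by tallying adds and deletes, which is correct only for rational query sequences; `search_robust` replays the updates in issue order with set semantics, so a repeated add or a delete of an absent entry becomes a no-op and the result matches the database the client intended.

```python
# Added illustration (not code from this paper or from Themis): a toy
# counter-based encrypted index showing how "irrational" updates (duplicate
# add/delete, delete of a never-added entry) corrupt naive result
# reconciliation, and how ordered set-semantics replay restores correctness.
import hashlib
import hmac
import secrets


def prf(key: bytes, msg: bytes) -> bytes:
    """Pseudorandom function instantiated with HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    """Honest-but-curious store: holds PRF labels mapped to masked values."""

    def __init__(self):
        self.store = {}

    def update(self, label: bytes, value: bytes) -> None:
        self.store[label] = value

    def search(self, kw_key: bytes, n: int) -> list:
        # Re-derive the n labels issued for this keyword, in issue order.
        return [self.store[prf(kw_key, b"label|%d" % c)] for c in range(n)]


class Client:
    """Keeps only a per-keyword update counter as local state."""

    def __init__(self):
        self.k = secrets.token_bytes(32)
        self.counter = {}

    def _kw_key(self, w: str) -> bytes:
        return prf(self.k, b"kw|" + w.encode())

    def update(self, server: Server, w: str, doc_id: str, op: str) -> None:
        assert op in ("add", "del")
        c = self.counter.get(w, 0)
        kw = self._kw_key(w)
        label = prf(kw, b"label|%d" % c)
        pad = prf(kw, b"pad|%d" % c)                  # one-time pad per counter value
        plain = (op + "|" + doc_id).encode().ljust(32, b"\0")
        value = bytes(p ^ m for p, m in zip(plain, pad))
        self.counter[w] = c + 1
        server.update(label, value)

    def _ops(self, server: Server, w: str) -> list:
        """Fetch and unmask every (op, doc_id) update issued for w, in order."""
        kw = self._kw_key(w)
        ops = []
        for c, value in enumerate(server.search(kw, self.counter.get(w, 0))):
            pad = prf(kw, b"pad|%d" % c)
            plain = bytes(v ^ m for v, m in zip(value, pad)).rstrip(b"\0")
            op, doc_id = plain.decode().split("|", 1)
            ops.append((op, doc_id))
        return ops

    def search_naive(self, server: Server, w: str) -> list:
        """Multiset tally (+1 per add, -1 per del): correct only for rational sequences."""
        tally = {}
        for op, d in self._ops(server, w):
            tally[d] = tally.get(d, 0) + (1 if op == "add" else -1)
        return sorted(d for d, n in tally.items() if n > 0)

    def search_robust(self, server: Server, w: str) -> list:
        """Replay in issue order with set semantics: repeated adds and deletes of
        absent entries become no-ops, so the result matches the intended database."""
        present = set()
        for op, d in self._ops(server, w):
            if op == "add":
                present.add(d)
            else:
                present.discard(d)
        return sorted(present)


def demo():
    """Constructed irrational query sequence for keyword 'dsse'."""
    server, client = Server(), Client()
    client.update(server, "dsse", "doc1", "add")
    client.update(server, "dsse", "doc1", "add")   # duplicate add
    client.update(server, "dsse", "doc1", "del")   # doc1 is now gone
    client.update(server, "dsse", "doc2", "del")   # delete of an entry never added
    client.update(server, "dsse", "doc2", "add")   # doc2 is now present
    client.update(server, "dsse", "doc3", "add")
    return client.search_naive(server, "dsse"), client.search_robust(server, "dsse")


if __name__ == "__main__":
    naive, robust = demo()
    print("naive  :", naive)    # ['doc1', 'doc3']  (doc1 wrongly kept, doc2 wrongly dropped)
    print("robust :", robust)   # ['doc2', 'doc3']
```

Two caveats. First, the toy hands the keyword key to the server at search time, so the server can derive every future label for that keyword; it is deliberately not forward private and exists only to isolate the reconciliation problem. Second, ordered set-semantics replay repairs search correctness but says nothing about the stability of the leakage profile after a misoperation, which is the other half of robustness and the part that needs a scheme-level fix of the kind this paper and Themis propose.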
Article
Dynamic searchable symmetric encryption (DSSE) allows a client to query or update an outsourced encrypted database. Range queries are commonly needed. Previous range-searchable schemes either do not support updates natively (SIGMOD'16) or use file indexes of many long bit-vectors for distinct keywords, which only support toggling updates via homomorphically flipping the presence bit (ESORICS'18). We propose a generic upgrade of any (inverted-index) DSSE to support range queries (a.k.a. range DSSE), without homomorphic encryption, and a specific instantiation with a new trade-off that reduces client-side storage. Our schemes achieve forward security, an important property that mitigates file injection attacks. Moreover, we identify a variant of injection attacks against the first somewhat dynamic scheme (ESORICS'18). We also extend the definition of backward security to range DSSE and show that our schemes are compatible with a generic upgrade of backward security (CCS'17). We comprehensively analyze the computation and communication overheads, including implementation details of client-side index-related operations omitted by prior schemes. We show high empirical efficiency for million-scale databases over a million-scale keyword space.
Article
It has become a trend for clients to outsource their encrypted databases to remote servers and then leverage Searchable Encryption to perform secure data retrieval. However, this approach has not yet addressed a crucial need: replication of searchable encrypted data. Supporting it calls for challenging work on Dynamic Searchable Symmetric Encryption (DSSE), since clients must share the search capability of the encrypted data replicas while guaranteeing forward and backward privacy. We define a new notion called "Keyword Search Shareable Encryption" (KS²E) and the corresponding security model capturing forward and backward privacy. In our notion, data owners are allowed to share search indexes of the encrypted data with users. A search index is updated with a new search key before sharing to guarantee the data privacy of the source database. The target database also inherits data search efficiency along with the shared data. We further construct an instance of KS²E called Branch, prove its security, and use real-world datasets to evaluate Branch. The evaluation results show that Branch's performance is comparable to classical DSSE schemes in search efficiency and demonstrate its effectiveness in searching encrypted data replicas from multiple owners.
Article
Big data drive multidimensional convergence and profound innovations among industries and provide novel ways of exploring the world. As they significantly create economic and social value, big data meaningfully impact the implementation and management of information security and privacy protection. Cryptographic technologies are used to protect the security and entire life cycle of big data. The demand for this technology is multiplied when the data are stored in the cloud. They are stored in the cloud in the form of ciphertext, and the driving requirement for data retrieval, sharing, and manipulation places the security of data at risk. The all-or-nothing approach of traditional cryptography systems cannot realize the release and processing of data information with flexible and increasingly fine granularity. Consequently, dealing with the relationship between privacy protection and data utilization, as well as navigating the blurry boundaries between subverting either plaintext or ciphertext, has become a research focus of the current cryptographic trend for protecting big data security. Presently, there are many studies designed to solve these limitations. First, security requirements and source encryption mode for future big data systems and applications are elaborated. Then, focusing on the practical security and functionality of the big data life cycle, including storage, retrieval, sharing, calculation, statistical analysis, and utilization, the research being conducted based on those functions is reviewed. For each cryptographic technology that meets the requirement of each type of big data security or application, security and efficiency comments and sufficient comparison analyses of cryptography schemes or protocols are provided; moreover, the current general problems and development trends are expounded. Because the current innovative research on cryptographic technology was primarily based on the development or improvement of a single solution, the study on the security of the entire big data life cycle from a holistic perspective is extremely limited. Finally, based on surveys and integration of cryptographic techniques, a compatible and comprehensive reference cryptographic architecture for big data security (Z-CABDS) is proposed, which can be used to guide each sub-direction to cooperate with each other to achieve the full life cycle security of big data. Moreover, certain challenges, open problems, and thoughts on future research related to the cryptography of big data security from the viewpoint of the entire big data life cycle are addressed, including views on information theory, the intersection and fusion of technologies, and new technology derivation, which aims to provide a good reference and inspiration for follow-up research.
Article
Dynamic searchable symmetric encryption (DSSE) has been widely recognized as a promising technique to delegate update and search queries over an outsourced database to an untrusted server while guaranteeing the privacy of data. Many efforts on DSSE have been devoted to obtaining a good tradeoff between security and performance. However, it appears that all existing DSSE works overlook what happens if the DSSE client carelessly issues irrational update queries, such as duplicate update queries and delete queries that remove non-existent entries (cases that many popular database systems handle in the plaintext setting). In this scenario, we find that (1) most prior works lose their claimed correctness or security, and (2) no single approach can achieve correctness, forward and backward security, and practical performance at the same time. To address this problem, we study for the first time the notion of robustness of DSSE. Generally, we say that a DSSE scheme is robust if it keeps the same correctness and security even in the case of misoperations. Then, we introduce a new cryptographic primitive named key-updatable pseudo-random function and apply this primitive to constructing ROSE, a robust DSSE scheme with forward and backward security. Finally, we demonstrate the efficiency of ROSE and give experimental comparisons.
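As an added illustration of the misoperations that the Themis and ROSE abstracts above describe (duplicate adds, duplicate deletes, deletes of never-added entries), the following Python is not code from ROSE, Themis or the SR-DSSE schemes. It is a toy counter-based encrypted index: the client derives a per-keyword key and keeps a per-keyword update counter, the honest-but-curious server stores label-to-ciphertext pairs and replays the labels for a search token, and the client then reads the returned update log in one of two ways. The naive reading returns a deleted document or fails outright on a misoperated sequence; the idempotent reading matches what a plaintext database would hold. HMAC-SHA256 as the PRF, XOR with a PRF-derived pad as the encryption, the 32-byte entry size, and the keyword, document names and update sequences are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ENTRY_LEN = 32  # assumption: fixed-size "op:doc_id" entry, NUL-padded


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF instantiated as HMAC-SHA256 (an assumption for this toy)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _label(kw: bytes, c: int) -> bytes:
    return prf(kw, b"label|" + c.to_bytes(4, "big"))


def _pad(kw: bytes, c: int) -> bytes:
    return prf(kw, b"pad|" + c.to_bytes(4, "big"))


class Client:
    """Client state: master key plus a per-keyword update counter."""

    def __init__(self, master_key=None):
        self.master = master_key or secrets.token_bytes(32)
        self.counter = defaultdict(int)

    def _kw_key(self, w: str) -> bytes:
        return prf(self.master, b"kw|" + w.encode())

    def update(self, op: str, w: str, doc_id: str):
        """Encrypt one (op, doc_id) entry for w under the next counter value; the
        fresh counter keeps the label unlinkable to earlier search tokens for w."""
        assert op in ("add", "del")
        kw, c = self._kw_key(w), self.counter[w]
        self.counter[w] += 1
        pt = f"{op}:{doc_id}".encode().ljust(ENTRY_LEN, b"\0")
        assert len(pt) == ENTRY_LEN, "op:doc_id must fit the fixed entry size"
        return _label(kw, c), bytes(a ^ b for a, b in zip(pt, _pad(kw, c)))

    def search_token(self, w: str):
        return self._kw_key(w), self.counter[w]

    def decrypt(self, kw: bytes, c: int, ct: bytes):
        pt = bytes(a ^ b for a, b in zip(ct, _pad(kw, c))).rstrip(b"\0").decode()
        op, doc = pt.split(":", 1)
        return op, doc


class Server:
    """Honest-but-curious store (label -> ciphertext); replays labels 0..count-1."""

    def __init__(self):
        self.store = {}

    def put(self, label: bytes, ct: bytes):
        self.store[label] = ct

    def search(self, kw: bytes, count: int):
        return [(c, self.store[_label(kw, c)]) for c in range(count)]


def resolve_naive(entries):
    """Multiset reading: each add appends a copy, each delete removes one copy.
    A duplicated add survives a single delete; deleting an absent doc raises."""
    result = []
    for op, doc in entries:
        if op == "add":
            result.append(doc)
        else:
            result.remove(doc)  # ValueError when doc is not present
    return result


def resolve_robust(entries):
    """Idempotent reading in update order: re-adding a live doc or deleting an
    absent one is a no-op, matching what a plaintext DB would hold."""
    live = set()
    for op, doc in entries:
        if op == "add":
            live.add(doc)
        else:
            live.discard(doc)
    return live


def run_scenario(updates, keyword, resolver):
    """Run a constructed update sequence through the toy scheme, search for
    `keyword`, and return the sorted result or an error string."""
    client, server = Client(), Server()
    for op, w, doc in updates:
        server.put(*client.update(op, w, doc))
    kw, n = client.search_token(keyword)
    entries = [client.decrypt(kw, c, ct) for c, ct in server.search(kw, n)]
    try:
        return sorted(resolver(entries))
    except ValueError as exc:
        return f"error: {exc}"


# Constructed misoperation sequences (not taken from any paper's dataset).
DUPLICATE_ADD = [("add", "w", "d1"), ("add", "w", "d1"), ("del", "w", "d1")]
PHANTOM_DELETE = [("add", "w", "d1"), ("del", "w", "d2"), ("add", "w", "d3")]
DOUBLE_DELETE = [("add", "w", "d1"), ("del", "w", "d1"), ("del", "w", "d1")]

if __name__ == "__main__":
    for name, seq in [("duplicate add", DUPLICATE_ADD), ("phantom delete", PHANTOM_DELETE),
                      ("double delete", DOUBLE_DELETE)]:
        print(name, "naive:", run_scenario(seq, "w", resolve_naive),
              "robust:", run_scenario(seq, "w", resolve_robust))
```

Running the module shows the naive reading returning d1 after it was deleted in the duplicate-add case and raising on the phantom and double deletes, while the idempotent reading returns the plaintext-correct set in all three. This covers only the correctness half of robustness: the security half, that redundant or no-op updates must not change what the server learns, is the part the robust schemes above address and is not captured by a client-side resolver like this one.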
Chapter
Dynamic searchable symmetric-key encryption (DSSE) is a promising crypto-tool that enables secure keyword searching over dynamically added or deleted ciphertexts. Currently, many works on DSSE devote their efforts to obtaining forward and backward security and practical performance. However, it is still challenging to design a single DSSE scheme that simultaneously achieves this security, high performance, and real deletion. Note that real deletion is a critical feature to guarantee the user's right to be forgotten stipulated by GDPR. Due to this fact, we propose a new forward-and-backward secure DSSE scheme named Bestie. To achieve high search performance, Bestie takes traditional hash and pseudorandom functions and symmetric-key encryption as building blocks and supports parallel keyword search. Bestie also achieves non-interactive real deletion, which spares the client a clean-up process. This feature not only guarantees the above GDPR rule but also makes Bestie more suitable for managing large-scale data. Bestie also saves the client's computation and communication costs. Finally, we experimentally compare Bestie with five previous well-known works and show that Bestie is much better in most respects. For example, Bestie requires approximately 3.66 microseconds to find a matching ciphertext. In particular, Bestie's search performance is at least 2 times faster than both Mitra* (CCS'18) and Diana_del (CCS'17), 1,032× faster than Fides (CCS'17), and 38,332× faster than Janus++ (CCS'18), respectively. Compared with Mitra (CCS'18), Bestie saves at least 80% of the client's time cost during a search.
Article
Symmetric searchable encryption (SSE) allows users to store and query their private data in an encrypted database. Many SSE schemes for different scenarios have been proposed in the past few years; however, most of these schemes still face more or less serious security issues. Exploiting these leakages, many attacks against SSE schemes have been proposed, and the non-adaptive file injection attack is the most serious. A non-adaptive file injection attack (NAFA) can effectively recover extremely important private information such as keyword plaintext. As of now, there is no scheme that can effectively defend against such attacks. We first propose a new security property called toward privacy to resist non-adaptive file injection attacks. We then present an efficient SSE construction called Cetus that achieves toward privacy. By setting up a buffer and designing an efficient oblivious reading algorithm based on Software Guard Extensions (SGX), we propose an efficient one-time oblivious writing mechanism. Oblivious writing protects the update pattern and allows search operations to be performed directly on the data. The experimental results show that Cetus achieves O(a_w) search time and O(1) update communication. The practical search time, communication, and computation overheads incurred by Cetus are lower than those of the state of the art.
Chapter
Dynamic searchable symmetric encryption (DSSE) enables a cloud server to search and update over encrypted data. Recently, forward and backward privacy in DSSE have received wide attention due to the rise of a number of emerging attacks exploiting the leakage in data update operations. Forward privacy ensures that newly added data is not related to queries issued in the past, whilst backward privacy ensures that previously deleted data is not revealed in later queries. Unfortunately, achieving strong forward and backward privacy, i.e., revealing only the insertion timestamps of search results, requires the adoption of oblivious data structures, which incur heavy computation and communication overhead on both the client and server side. In this paper, we resort to secure enclaves, aka Intel SGX, to tackle the above problem. Specifically, we propose Maiden, the first strongly backward-private DSSE scheme that does not rely on ORAM. Our key idea is to keep track of the states of updates and the deletion information inside the secure enclave to prevent leakage to the server. To speed up search, we further leverage a compressed data structure that maintains a sketch of addition operations in the enclave to facilitate the fast generation of search tokens for non-deleted data. We conduct formal security analysis and perform comprehensive evaluations on both synthetic and real-world datasets. Our results confirm that Maiden outperforms the prior work.