Abstract
Searchable symmetric encryption (SSE) has been a promising primitive, as it enables a cloud user to search over outsourced encrypted data efficiently while leaking only a small amount of controllable information. However, recent leakage-abuse attacks demonstrate that these standard leakage profiles can be exploited to mount severe attacks: the attacker can recover queries or documents with high probability. Ideal defences that leverage heavy cryptographic primitives, e.g. Oblivious RAM or Multiparty Computation, are still too inefficient for practice.
In this paper, we investigate another approach to countering leakage-abuse attacks. Our idea is to design SSE with tunable leakage, which provides a configurable trade-off between privacy and efficiency. A second idea is to share the leakage among multiple non-colluding servers, so that a single server learns only part of the leakage rather than all of it. Following these ideas, we propose two SSE schemes. The first scheme uses two servers and is static; it serves as the first step to illustrate our design methodology. We then propose a dynamic SSE scheme that additionally uses a third server to hold dynamic updates. We demonstrate that the leakage to the third server is only the partial update history, a newly defined leakage notion that reveals limited information rather than the whole update history. Our schemes provide stronger security, hiding the search/access pattern in a tunable way while maintaining forward and backward privacy. We also report the performance of our constructions, which shows that both schemes are efficient.
This work is supported by National Natural Science Foundation of China (Grant No. 61572294, 61632020).
Appendices
Appendix A Proof of Theorem 1
Proof
We prove the security of our scheme by ideal/real simulation. We start from \(\mathbf{Real} ^\mathrm{\Pi }_{\mathcal {A}}(\lambda )\) and construct a sequence of games, each differing slightly from the previous one, and show that consecutive games are indistinguishable. Eventually we reach the last game \(\mathbf{Ideal} ^\mathrm{\Pi }_{\mathcal {A}, \mathcal {S}}(\lambda )\). By transitivity of indistinguishability, we conclude that \(\mathbf{Real} ^\mathrm{\Pi }_{\mathcal {A}}(\lambda )\) is indistinguishable from \(\mathbf{Ideal} ^\mathrm{\Pi }_{\mathcal {A}, \mathcal {S}}(\lambda )\), which completes the proof.
Hybrid \(G_1\): \(G_1\) is the same as \(\mathbf{Real} ^\mathrm{\Pi }_{\mathcal {A}}(\lambda )\) except that, instead of generating \(t_w\) using F, the experiment maintains a mapping Token that stores \((h(w)||s_w||b, k_w)\) pairs. In the search protocol, when \(k_w\) is needed, the experiment first checks whether Token has an entry for \(h(w)||s_w||b\); if so, it returns that entry, otherwise it picks \(k_w\) uniformly at random from \(\{0, 1\}^{\ell _k}\) and stores the pair \((h(w)||s_w||b, k_w)\) in Token. It is easy to see that \(G_1\) and \(\mathbf{Real} ^\mathrm{\Pi }_{\mathcal {A}}(\lambda )\) are indistinguishable; otherwise we could distinguish the pseudo-random function F from a truly random function.
Hybrid \(G_2\): \(G_2\) and \(G_1\) are the same except that in \(G_2\) the experiment maintains a map E. Instead of producing e by calling \(H(k_w, u_w)\) in the Setup protocol, the experiment replaces it with the following procedure:
The intuition is to first sample random strings during setup and then program H accordingly to maintain consistency. In the search protocol, the entry e is now generated with the following procedure:
\(G_1\) and \(G_2\) behave exactly the same except that in \(G_2\), with some probability, an inconsistency in random oracle query results can be observed. If the adversary queries \(\mathbf{H} \) with \(k_w||u_w\) before the next search query, it gets a value \(e'\) such that, with overwhelming probability, \(e'\ne e\), because \(\mathbf{H} [k_w||u_w]\) has not yet been updated and the oracle returns a random string \(e'\) in this case. If the adversary queries \(\mathbf{H} \) with \(k_w||u_w\) again after the next search query, e will have been written to \(\mathbf{H} \) and the query result will be e. If this inconsistency is observed (we denote this event by \(\mathbf{Bad} \)), the adversary knows it is in \(G_2\). We have:
The event Bad can only happen if the adversary queries the oracle with \(k_w||u_w\). Since \(k_w\) is a pseudorandom output of the PRF F and is unknown to the adversary before the search, the probability that the adversary guesses \(k_w\) is \(2^{-\lambda }\). A PPT adversary can make at most \(q=\mathbf{poly} (\lambda )\) guesses, so \(\mathrm{Pr}[\mathbf{Bad} ] \le \frac{q}{2^\lambda }\), which is negligible.
Hybrid \(G_3\): \(G_3\) and \(G_2\) are the same except that in \(G_3\) we change the way the encrypted value v is generated. Note that in \(G_2\), the value v is generated by an IND-CPA secure symmetric key encryption scheme SE, so the ciphertext is semantically secure. In \(G_3\), the experiment simply chooses a random value of the same length as an SE ciphertext whenever SE.Enc is called. After this replacement some code is no longer necessary, so we clean it up for readability. The full pseudocode of \(G_4\) can be found in Fig. 5.
The adversary cannot distinguish between \(G_2\) and \(G_3\) because of the semantic security of SE; hence we have:
Hybrid \(G_4\): In \(G_4\), we simplify the pseudocode further. First, the experiment does not need to generate an (e, v) pair for each keyword separately. The reason is that in \(G_3\) both e and v are generated by random sampling, so randomly generating \(N_b\) pairs of strings in \(G_4\) is indistinguishable from the prior approach.
Similarly, on receiving a search query, if the query will touch storage in \(\textsf {EDB}_b\) that comes from setup, the experiment just randomly chooses \(u_w\) untouched entries and then programs the random oracle; otherwise, if the search query is for a keyword that has been searched previously, the experiment programs the random oracle so that the server returns the encrypted values previously uploaded by the client in a shuffle phase. The experiment can make this decision simply by checking whether \(s_w\) equals 0. In all other respects, \(G_4\) behaves the same as \(G_3\).
\(\mathbf{Ideal} ^\mathrm{\Pi }_{\mathcal {A}, Sim}(\lambda )\): In the ideal world, the simulator needs to simulate all views of the servers using only the allowed leakage profile. The simulation is quite simple. In the setup protocol, the simulator can just generate \(N_b\) pairs of random strings and upload them to server \(S_b\) to complete the simulation. The tricky part is the simulation of the search protocol. Note that in our search protocol, the client first queries server \(S_b\) for the result, then re-encrypts the result and uploads it to the other server \(S_{b\oplus 1}\). To complete the simulation, the ideal world has two simulators, for \(S_0\) and \(S_1\) separately. The simulator \(\textsf {Sim}_b\) simulates the view of \(S_b\) and simulator \(\textsf {Sim}_{b\oplus 1}\) simulates the view of \(S_{b \oplus 1}\) (the intuition is that each simulator can complete its simulation independently without sharing information, which is consistent with the non-collusion assumption).
For the simulation of server \(S_b\), simulator \(\textsf {Sim}_b\) randomly generates \(k_w\), gets the group size \(u_w\) from the leakage function, and sends them to server \(S_b\). After that, the simulator should program the random oracle so that some entries match the impending search operation. Specifically, the simulator gets the leakage \(\textsf {LastUpHist}(w)\) from the leakage function. If \(\textsf {LastUpHist}(w)\) contains only 0, the simulator knows the keyword has never been searched before, so it can just randomly select |PDB(w)| untouched storage entries produced by the setup protocol (not including those uploaded during a search re-shuffle!); if not, the simulator knows the keyword has been searched before, so it can obtain the re-shuffle time and fetch all required entries. Then \(\textsf {Sim}_b\) programs the random oracle and completes the simulation. The simulation by \(\textsf {Sim}_{b \oplus 1}\) is simple: it just generates \(|\textsf {PDB}(w)|\) random (e, v) pairs and uploads them to server \(S_{b \oplus 1}\). In all other respects, \(\mathbf{Ideal} ^\mathrm{\Pi }_{\mathcal {A}, Sim}(\lambda )\) behaves the same as \(G_4\).
All summed up, we have:
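The bound that the hybrid chain above yields, written out here as an added worked summary in the paper's own symbols; the per-step bounds follow from the arguments given for each hybrid, and the advantage notation \(\mathbf{Adv}^{\mathrm{prf}}_{F}\) and \(\mathbf{Adv}^{\mathrm{cpa}}_{\textsf{SE}}\) for the PRF and IND-CPA reductions is assumed here rather than taken from the page:
\[
\begin{aligned}
\left|\Pr\!\left[\mathbf{Real}^{\Pi}_{\mathcal{A}}(\lambda)=1\right]-\Pr\!\left[G_1=1\right]\right| &\le \mathbf{Adv}^{\mathrm{prf}}_{F}(\lambda) \\
\left|\Pr\!\left[G_1=1\right]-\Pr\!\left[G_2=1\right]\right| &\le \Pr[\mathbf{Bad}] \le \frac{q}{2^{\lambda}} \\
\left|\Pr\!\left[G_2=1\right]-\Pr\!\left[G_3=1\right]\right| &\le \mathbf{Adv}^{\mathrm{cpa}}_{\textsf{SE}}(\lambda) \\
\Pr\!\left[G_3=1\right] &= \Pr\!\left[G_4=1\right] = \Pr\!\left[\mathbf{Ideal}^{\Pi}_{\mathcal{A},\mathcal{S}}(\lambda)=1\right]
\end{aligned}
\]
The first step is the PRF-to-random-function switch of \(G_1\), the second is the difference lemma applied to the event \(\mathbf{Bad}\) of \(G_2\), the third is the IND-CPA replacement of \(G_3\), and the last two games are syntactic rewrites. Summing by the triangle inequality gives
\[
\left|\Pr\!\left[\mathbf{Real}^{\Pi}_{\mathcal{A}}(\lambda)=1\right]-\Pr\!\left[\mathbf{Ideal}^{\Pi}_{\mathcal{A},\mathcal{S}}(\lambda)=1\right]\right|
\le \mathbf{Adv}^{\mathrm{prf}}_{F}(\lambda) + \frac{q}{2^{\lambda}} + \mathbf{Adv}^{\mathrm{cpa}}_{\textsf{SE}}(\lambda) = \mathrm{negl}(\lambda),
\]
since each of the three terms is negligible for a PPT adversary making \(q=\mathbf{poly}(\lambda)\) oracle queries.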
Appendix B Proof of Theorem 2
The proof of Theorem 2 is almost the same as the proof of Theorem 1; the only difference is handling the partial update in the third server. Note that \(\textsf {partUpHist(w)}\) enables the simulator to learn all update timestamps for a temporary keyword that the client updated previously, so the simulator can use a similar technique to program the random oracle as in Fig. 6. Therefore, we do not rewrite the proof here.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Song, X., Yin, D., Jiang, H., Xu, Q. (2020). Searchable Symmetric Encryption with Tunable Leakage Using Multiple Servers. In: Nah, Y., Cui, B., Lee, SW., Yu, J.X., Moon, YS., Whang, S.E. (eds) Database Systems for Advanced Applications. DASFAA 2020. Lecture Notes in Computer Science(), vol 12112. Springer, Cham. https://doi.org/10.1007/978-3-030-59410-7_10
DOI: https://doi.org/10.1007/978-3-030-59410-7_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59409-1
Online ISBN: 978-3-030-59410-7
eBook Packages: Mathematics and Statistics (R0)