Simple Storage-Saving Structure for Volume-Hiding Encrypted Multi-maps

Abstract

Severe consequences in volume leakage (subject to the conditions required by specific attacks) stimulate a new research direction (Eurocrypt 2019) of volume-hiding structured encryption (\(\mathsf {STE}\)), particularly encrypted multi-maps (\(\mathsf {EMM}\)), in which all queries should share the same (as the largest) response size unless the scheme is lossy. Meanwhile, note that the responses are originated from the actual ciphertexts outsourced to the server. Conventional wisdom suggests that the ciphertexts (to be accessed by the server while answering a query) should also contain many dummy results to make a query look uniform with others. Supporting updates is also natural; however, attaching dummy results to a query also complicates the operation and leakage of updates, which excludes many advanced data structures, e.g., cuckoo hashing (CCS 2019). This paper proposes a space-efficient \(\mathsf {EMM}\) without storing any dummy ciphertext, which is volume hiding against passive adversaries (SP 2021) and compatible with dynamic extensions. Its crux structure is a hash ring, which is famous for load balancing but rarely appears in any \(\mathsf {STE}\). Efficiency-wise, our scheme beats the state-of-the-art (Eurocrypt 2019, CCS 2019), maintaining the necessary communication overhead and downsizing the server storage to be linear in the number of values in the \(\mathsf {EMM}\), while ruling out any data loss due to truncations or differential privacy.

Sherman S. M. Chow is supported by General Research Fund (Project Numbers: CUHK 14210217 and CUHK 14209918) from Research Grant Council.

Appendices

A  Security Proof for Theorem 1

Proof

We construct the simulator \(\mathcal {S}\) as follows.

To simulate \(\mathsf {EMM}\) with \(\mathcal {L}_\mathsf {S}=\mathsf {dsize} \), the simulator \(\mathcal {S}\) initializes two arrays \(\mathsf {V}, \mathsf {U} \) of size \(n = \mathsf {dsize} (\mathsf {MM})\), and a dictionary \(\mathsf {DX} _S\). \(\mathcal {S}\) fills each slot of \(\mathsf {U} \) with a uniformly random value sampling from \(\{0,1\}^{s}\), and then sorts \(\mathsf {U} \). For \(i\in [n]\), \(\mathcal {S}\) randomly selects a uniformly random integer t as \(\mathsf {V} [i-1]\) from the interval and sets \(\mathsf {DX} _S[\mathsf {V} [i-1]]\) as a uniformly random value sampling from \(\{0,1\}^{\lambda } \). \(\mathcal {S}\) sorts and keeps \(\mathsf {V} \). \((\mathsf {DX} _S, \mathsf {V})\) is returned as \(\mathsf {EMM} \).

To simulate \(\mathsf {tk} \) for the i-th query of \(\mathsf {key} _i\) with \(\mathcal {L}_\mathsf {Q}= (\mathsf {qeq}, \mathsf {aintx}, \mathsf {mrlen})\), the simulator \(\mathcal {S}\) checks whether \(\mathsf {key} _i\) has been queried before using \(\mathsf {qeq} (\mathsf {key} _1, \ldots , \mathsf {key} _i)\). If so, \(\mathcal {S}\) returns the same \(\mathsf {tk} \) as that of the previous queries of \(\mathsf {key} _i\). Otherwise, \(\mathcal {S}\) checks \(\mathsf {aintx} (\mathsf {EMM}, \mathsf {key} _1, \ldots ,\mathsf {key} _i)\) and get the common slots of \(\mathsf {key} _i\) with previous queries. \(\mathcal {S}\) picks \(\ell = \mathsf {mrlen} (\mathsf {MM})\) intervals in \(\mathsf {V}\), with parts of them determined by the common slots from \(\mathsf {aintx}\) and the rest picked randomly without repeating, and samples a uniformly random value from each selected interval. These \(\ell \) values are returned as \(\mathsf {tk} \).

We show that for all \(\mathsf {PPT}\) adversary \(\mathcal {A}\), the outputs of the real-world game and ideal-world game are indistinguishable. We derive a standard game sequence from the real-world game \(\mathbf {Real}_{\varSigma ,\mathcal {A}}(1^\lambda )\) to the ideal-world game \(\mathbf {Ideal}_{\varSigma ,\mathcal {A},\mathcal {S}}(1^\lambda )\).

• \(\mathbf{Game} _0\) is the same as \(\mathbf {Real}_\mathcal {A}(1^\lambda )\).

• \(\mathbf{Game} _1\) replaces the pseudorandom function F in \(\mathbf{Game} _0\) with a random function (and recalled when needed).

• \(\mathbf{Game} _2\) replaces the \(\mathsf {RCPA}\)-secure encryption scheme in \(\mathbf{Game} _1\) with a random function.

• \(\mathbf{Game} _3\) replaces the outputs of random functions in \(\mathbf{Game} _2\) with values chosen uniformly at random.

• \(\mathbf{Game} _4\), for any query, randomly picks \(\ell = \mathsf {mrlen} (\mathsf {MM})\) intervals in \(\mathsf {V}\) and samples a uniformly random value from each selected interval. \(\mathbf{Game} _4\) is the same as \(\mathbf {Ideal}_{\varSigma ,\mathcal {A},\mathcal {S}}(1^\lambda )\).

\(\mathbf{Game} _0\) and \(\mathbf{Game} _1\) are indistinguishable; otherwise, it violates the security of the pseudorandom function. \(\mathbf{Game} _1\) and \(\mathbf{Game} _2\) are indistinguishable; otherwise, it violates the \(\mathsf {RCPA}\) security of the encryption scheme. By the definition of random functions, winning \(\mathbf{Game} _2\) or \(\mathbf{Game} _3\) shares an equal probability. The probabilities of winning \(\mathbf{Game} _3\) and \(\mathbf{Game} _4\) are also equal since \(\mathsf {DX} _S, \mathsf {V}, \mathsf {tk} \) follow the same distributions in both games. By combining these (in)equalities, we have

B  Forward and Backward Privacy for Batch Updates

Forward privacy for batch updates requires that any batch of updates reveals nothing about the keys to be updated. Thus, the adversary cannot figure out the relation between newly updated multi-maps and any previous query. We extend the definition from that designed for a single key-value update [3].

Definition 3

(Forward Privacy). We say that an \(\mathcal {L}\)-adaptively-secure structured encryption scheme for multi-maps \(\varSigma \) over key space \(\mathcal {K}\) is forward private, if the update leakage function \(\mathcal {L}_\mathsf {U}\) can be written as \(\mathcal {L}_\mathsf {U}(\mathsf {MM} _\mu ) = \mathcal {L}'( \{ \vec {v} _i \}_{\mathsf {key} _i \in \mathcal {K}}),\) where \( \mathsf {MM} _\mu = \{\mu , \mathsf {key} _i, \vec {v} _i\} _{\mathsf {key} _i \in \mathcal {K}}, \) and \(\mathcal {L}'\) is stateless.

Backward privacy hides deleted values during subsequent queries. Like the previous definition [4], we formalize it for batch updates by introducing leakage functions constructed from the union of historical update batches \(\mathsf {MM} = \cup \mathsf {MM} _\mu \):

• Value-batch pattern \(\mathsf {valb} \) reports the values currently associated with \(\mathsf {key} \) and in which batches they are inserted. Formally, \( \mathsf {valb} (\mathsf {MM}, \mathsf {key}) = \{(\mu , u)\ | (\mu , \mathsf {key}, (\mathsf {add}, u))\in \mathsf {MM}\ \wedge \ \forall \mu ', (\mu ', \mathsf {key}, (\mathsf {del}, u))\notin \mathsf {MM} \} \).

• Delete-batch pattern \(\mathsf {delb} \) lists the batch-pairs of deletions and corresponding insertions on \(\mathsf {key} \). Formally, \( \mathsf {delb} (\mathsf {MM}, \mathsf {key}) = \{(\mu , \mu ')\ |\ \exists u \ \text {s.t.}\ (\mu , \mathsf {key}, (\mathsf {del}, u)) \in \mathsf {MM}\ \wedge \ (\mu ', \mathsf {key}, (\mathsf {add}, u))\in \mathsf {MM} \} \).

Definition 4

(Backward Privacy). We say that an \(\mathcal {L}\)-adaptively-secure structured encryption scheme for multi-maps \(\varSigma \) over key space \(\mathcal {K}\) is

• insertion-pattern revealing backward-private (Level-I) if

  $$\begin{aligned} \mathcal {L}_\mathsf {U}(\mathsf {MM} _\mu )&= \mathcal {L}'( \{ \vec {o} _i \} _{\mathsf {key} _i\in \mathcal {K}}),\\ \mathcal {L}_\mathsf {S}(\mathsf {MM},\mathsf {key})&= \mathcal {L}''( \mathsf {valb} (\mathsf {MM}, \mathsf {key}), \ell (\mathsf {key}) ), \end{aligned}$$

• update-pattern revealing backward-private (Level-II) if

  $$\begin{aligned} \mathcal {L}_\mathsf {U}(\mathsf {MM} _u)&= \mathcal {L}' (\{ \mathsf {key} _i, \vec {o} _i \} _{\mathsf {key} _i\in \mathcal {K}}) , \\ \mathcal {L}_\mathsf {S}(\mathsf {MM}, \mathsf {key})&= \mathcal {L}''( \mathsf {valb} (\mathsf {MM}, \mathsf {key}), \mathsf {updb} (\mathsf {MM}, \mathsf {key})) , \end{aligned}$$

• weakly backward-private (Level-III) if

  $$\begin{aligned} \mathcal {L}_\mathsf {U}(\mathsf {MM} _u)&= \mathcal {L}' (\{ \mathsf {key} _i, \vec {o} _i \} _{\mathsf {key} _i\in \mathcal {K}}) ,\\ \mathcal {L}_\mathsf {S}(\mathsf {MM}, \mathsf {key})&= \mathcal {L}''( \mathsf {valb} (\mathsf {MM}, \mathsf {key}), \mathsf {delb} (\mathsf {MM}, \mathsf {key}) ), \end{aligned}$$

where \(\mathsf {MM} = \cup \mathsf {MM} _\mu \) with \(\mathsf {MM} _\mu = \{\mu , \mathsf {key} _i, \vec {v} _i = (\vec {o} _i, \vec {u} _i)\}_{\mathsf {key} _i\in \mathcal {K}}\). \(\ell (\mathsf {key})\) is the volume of \(\mathsf {key} \) in \(\mathsf {MM}\). \(\mathcal {L}'\) and \(\mathcal {L}''\) are stateless.