
Bestie: Very Practical Searchable Encryption with Forward and Backward Security

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12973)

Abstract

Dynamic searchable symmetric-key encryption (DSSE) is a promising cryptographic tool that enables secure keyword search over dynamically added or deleted ciphertexts. Currently, many works on DSSE devote their efforts to obtaining forward and backward security together with practical performance. However, it is still challenging to design a single DSSE scheme that simultaneously achieves this security, high performance, and real deletion. Note that real deletion is a critical feature for guaranteeing the user's right to be forgotten stipulated by the GDPR. For this reason, we propose a new forward-and-backward-secure DSSE scheme named Bestie. To achieve high search performance, Bestie takes the traditional hash and pseudorandom functions and symmetric-key encryption as building blocks and supports parallel keyword search. Bestie also achieves non-interactive real deletion, which spares the client a clean-up process. This feature not only guarantees the above GDPR right but also makes Bestie more suitable for managing large-scale data. Bestie also saves the client's computation and communication costs. Finally, we experimentally compare Bestie with five previous well-known works and show that Bestie is much better in most respects. For example, Bestie requires approximately 3.66 microseconds to find a matching ciphertext; its search is at least 2 times faster than both \(\texttt {Mitra}^*\) (CCS'18) and \(\texttt {Diana}_{del}\) (CCS'17), 1,032\(\times \) faster than Fides (CCS'17), and 38,332\(\times \) faster than Janus++ (CCS'18). Compared with Mitra (CCS'18), Bestie saves at least 80% of the client's time cost during a search.

Keywords

  • Dynamic searchable symmetric-key encryption
  • Forward and backward security
  • High performance
  • Real deletion


Notes

  1. \(\texttt {Mitra}^*\) is a variant of Mitra that achieves interactive real deletion by having the client re-encrypt and re-upload the still-valid searchable ciphertexts.


Acknowledgements

We would like to thank our shepherd Prof. Xun Yi and the anonymous reviewers for their insightful comments and valuable suggestions. This work was partly supported by the National Natural Science Foundation of China under Grant No. 61872412, the Wuhan Applied Foundational Frontier Project under Grant No. 2020010601012188, and the Guangdong Provincial Key R&D Plan Project under Grant No. 2019B010139001.

Corresponding author

Correspondence to Peng Xu.

A Proof of Theorem 1

[Algorithm 2: the simulator \(\mathcal {S}\) (figure not reproduced here)]

Proof

To prove the forward and Type-III-backward security of the proposed Bestie, we construct a simulator \(\mathcal {S}\) that takes as inputs the leakage functions \(\mathcal {L}^{Stp}(\lambda )=\lambda \), \(\mathcal {L}^{Updt}(op,w,id)=\emptyset \), and \(\mathcal {L}^{Srch}(w)=\{\text {sp}(w), \text {TimeDB}(w), \text {DelHist}(w)\}\) to simulate the protocols Bestie.Setup, Bestie.Update, and Bestie.Search, respectively. We will demonstrate that the simulated Bestie is indistinguishable from the real Bestie under adaptive attacks. Algorithm 2 describes the simulator \(\mathcal {S}\), which consists of the following three phases.

Protocol \(\mathcal {S}.\textsf {Setup}\). This protocol simulates protocol Bestie.Setup. Simulator \(\mathcal {S}\) takes the leakage function \(\mathcal {L}^{Stp}(\lambda )=\lambda \) as input and initializes five empty maps \(\mathbf{CDB} \), \(\mathbf{GRP} \), \(\mathbf{CipherList} \), \(\mathbf{GIndList} \), and \(\mathbf{XList} \), where \((\mathbf{CDB} , \mathbf{GRP} )\) will be sent to the server and the remaining maps are kept as internal states of simulator \(\mathcal {S}\). The map \(\mathbf{CipherList} \) records the ciphertexts generated by simulator \(\mathcal {S}\). The map \(\mathbf{GIndList} \) records the group indexes for the subsequent Search queries. The map \(\mathbf{XList} \) records the simulated values of the hash function G. Clearly, the simulated protocol is indistinguishable from the real one in the view of adversary \(\mathcal {A}\).

Protocol \(\mathcal {S}.\textsf {Update}\). This protocol simulates protocol Bestie.Update. Simulator \(\mathcal {S}\) takes nothing as input. It chooses a random triplet \((L, D, C)\) as the generated ciphertext and uploads it to the server. In the real world, \(\mathbf{H} \) is a collision-free hash function and \(\xi \) is a semantically secure symmetric encryption scheme. Hence, the random triplet is indistinguishable from a real ciphertext as long as adversary \(\mathcal {A}\) does not know the corresponding search trapdoor. The following content proves that the random triplet remains indistinguishable from a real ciphertext even in the opposite case.

Protocol \(\mathcal {S}.\textsf {Search}\). This protocol simulates protocol Bestie.Search. Simulator \(\mathcal {S}\) takes the leaked information \(\text {sp}(w)\), \(\text {TimeDB}(w)\), and \(\text {DelHist}(w)\) as inputs. Simulator \(\mathcal {S}\) first checks whether any historical \(\textsf {Update}\) query about keyword w exists. If not, simulator \(\mathcal {S}\) aborts, as the real protocol does (refer to Steps 2 to 4). Otherwise, simulator \(\mathcal {S}\) sets or retrieves the group index \(I^{grp}_{u_s}\) of keyword w (refer to Steps 5 and 6). In what follows, simulator \(\mathcal {S}\) must program the oracle H so that the randomly generated search trapdoor remains valid in the view of adversary \(\mathcal {A}\) (refer to Steps 8 and 15).

In this part, simulator \(\mathcal {S}\) mainly achieves two aims: (1) simulate hash values of function G for all Update queries of keyword w as well as guarantee that the Update queries of the same keyword-and-file-identifier entry have the same hash value (refer to Steps 10 to 12) and (2) program oracle H such that all simulated ciphertexts of keyword w can be correctly found by the server with the randomly generated search trapdoor (refer to Steps 13 and 14). Finally, simulator \(\mathcal {S}\) sends the randomly generated search trapdoor to the server. The transcripts generated by the simulated \(\textsf {Search}\) protocol are indistinguishable from those of the real protocol since all operations are consistent with the real protocol in the view of adversary \(\mathcal {A}\).

To summarize, there exists a simulator \(\mathcal {S}\) that simulates Bestie with the given leakage functions, and the simulation is indistinguishable from the real Bestie. Thus, Theorem 1 is true.    \(\Box \)
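The theorem is stated over the search leakage \(\{\text {sp}(w), \text {TimeDB}(w), \text {DelHist}(w)\}\), which the proof uses but does not spell out. The added example below (not from the paper or its implementation) computes these three functions from a constructed update/search history, following the standard DSSE definitions of search pattern, TimeDB and DelHist; that reading of the notation is an assumption, as is the history itself.

```python
# Constructed query history, not from the paper: (timestamp, op, keyword, file_id).
# op is "add", "del" or "srch"; file_id is None for searches.
HISTORY = [
    (1, "add", "alice", "f1"),
    (2, "add", "alice", "f2"),
    (3, "srch", "alice", None),
    (4, "del", "alice", "f1"),
    (5, "add", "bob", "f3"),
    (6, "add", "alice", "f1"),   # f1 re-added after its deletion
    (7, "srch", "alice", None),
]


def sp(history, w, t):
    """Search pattern: timestamps of searches on w issued up to time t."""
    return [u for (u, op, kw, _) in history if u <= t and op == "srch" and kw == w]


def time_db(history, w, t):
    """TimeDB(w): (insertion timestamp, id) of every file matching w at time t,
    i.e. files added and not deleted afterwards; a re-added file keeps its latest add."""
    live = {}
    for (u, op, kw, fid) in history:
        if u > t or kw != w:
            continue
        if op == "add":
            live[fid] = u
        elif op == "del":
            live.pop(fid, None)      # deletions of unknown files are ignored
    return sorted((u, fid) for fid, u in live.items())


def del_hist(history, w, t):
    """DelHist(w): (deletion timestamp, timestamp of the cancelled insertion) pairs.
    This pairing is what distinguishes Type-III leakage from Type-II, which would
    reveal only the timestamps of updates, not which deletion cancels which add."""
    pending, out = {}, []
    for (u, op, kw, fid) in history:
        if u > t or kw != w:
            continue
        if op == "add":
            pending[fid] = u
        elif op == "del" and fid in pending:
            out.append((u, pending.pop(fid)))
    return out


def search_leakage(history, w, t):
    """Everything the server learns from a search on w at time t (Theorem 1's L^Srch)."""
    return {"sp": sp(history, w, t), "TimeDB": time_db(history, w, t),
            "DelHist": del_hist(history, w, t)}
```

Note that the leakage on "alice" at time 7 reveals the deletion at time 4 cancelled the insertion at time 1, but never the keyword or file identifiers themselves; the Update leakage of the theorem is empty, so nothing about an update is learned until the keyword is searched.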

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Chen, T., Xu, P., Wang, W., Zheng, Y., Susilo, W., Jin, H. (2021). Bestie: Very Practical Searchable Encryption with Forward and Backward Security. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4
