Efficient No-dictionary Verifiable Searchable Symmetric Encryption

Conference paper, Financial Cryptography and Data Security (FC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

In the model of no-dictionary verifiable searchable symmetric encryption (SSE) scheme, a client does not need to keep the set of keywords \(\mathcal{W}\) in the search phase, where \(\mathcal{W}\) is called a dictionary. Still a malicious server cannot cheat the client by saying that “your search word w does not exist in the dictionary \(\mathcal{W}\)” when it exists. In the previous such schemes, it takes \(O(\log m)\) time for the server to prove that \(w \not \in \mathcal{W}\), where \(m=|\mathcal{W}|\) is the number of keywords.

In this paper, we show a generic method to transform any SSE scheme (that is only secure against passive adversaries) to a no-dictionary verifiable SSE scheme. In the transformed scheme, it takes only O(1) time for the server to prove that \(w \not \in \mathcal{W}\).

Notes

  1. This is because the server needs to find \(i\in \{ 1,\ldots , m\}\) such that \(key_i<PRF_k(w)<key_{i+1}\), where \(PRF_k(w)\) is sent to the server by the client in the search phase, \(\{key_1, \ldots , key_m\}=\{PRF_k(w_j) \mid w_j \in \mathcal{W}\}\) is stored on the server in the store phase and \(key_1< \ldots < key_m\). \(PRF_k\) denotes a pseudo-random function with key k.

  2. That is, the client may forget \(\mathcal{D},\mathcal{W},\mathcal{C},\mathcal{I}\).

References

  1. Ballard, L., Kamara, S., Monrose, F.: Achieving efficient conjunctive keyword searches over encrypted data. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 414–426. Springer, Heidelberg (2005). https://doi.org/10.1007/11602897_35

  2. Bost, R., Fouque, P.-A., Pointcheval, D.: Verifiable Dynamic Symmetric Searchable Encryption Optimality and Forward Security, Cryptology ePrint Archive, Report 2016/62 (2016). http://eprint.iacr.org/

  3. Byun, J.W., Lee, D.H., Lim, J.: Efficient conjunctive keyword search on encrypted data storage system. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 184–196. Springer, Heidelberg (2006). https://doi.org/10.1007/11774716_15

  4. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of 42nd FOCS (2001). https://doi.org/10.1109/SFCS.2001.959888

  5. Canetti, R.: Universally Composable Signatures, Certification and Authentication. Cryptology ePrint Archive, Report 2003/239 (2003). http://eprint.iacr.org/

  6. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067 (2005). http://eprint.iacr.org/

  7. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_20

  8. Cash, D., Jaeger, J., Jarecki, S., Jutla, C.S., Krawczyk, H., Rosu, M.-C., Steiner, M.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: NDSS (2014). https://eprint.iacr.org/2014/853.pdf

  9. Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_20

  10. Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote encrypted data. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_30

  11. Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: ACM Conference on Computer and Communications Security 2006, pp. 79–88 (2006)

  12. Full version of [16]: Cryptology ePrint Archive, Report 2006/210 (2006). http://eprint.iacr.org/

  13. Goh, E.-J.: Secure Indexes. Cryptology ePrint Archive, Report 2003/216 (2003). http://eprint.iacr.org/

  14. Golle, P., Staddon, J., Waters, B.: Secure conjunctive keyword search over encrypted data. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 31–45. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_3

  15. Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258–274. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_22

  16. Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: ACM Conference on Computer and Communications Security, pp. 965–976 (2012). https://doi.org/10.1145/2382196.2382298

  17. Kurosawa, K.: Garbled searchable symmetric encryption. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 234–251. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_15

  18. Kurosawa, K., Ohtaki, Y.: UC-secure searchable symmetric encryption. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 285–298. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_21

  19. Kurosawa, K., Ohtaki, Y.: How to update documents Verifiably in searchable symmetric encryption. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 309–328. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_17

  20. The final version of [23]. Cryptology ePrint Archive, Report 2015/251 (2015)

  21. Kurosawa, K., Sasaki, K., Ohta, K., Yoneyama, K.: UC-secure dynamic searchable symmetric encryption scheme. In: Ogawa, K., Yoshioka, K. (eds.) IWSEC 2016. LNCS, vol. 9836, pp. 73–90. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44524-3_5

  22. Kutzelnigg, R.: Bipartite random graphs and cuckoo hashing. In: Fourth Colloquium on Mathematics and Computer Science. Discrete Mathematics and Theoretical Computer Science, pp. 403–406 (2006)

  23. Naveed, M., Prabhakaran, M., Gunter, C.: Dynamic searchable encryption via blind storage. In: IEEE Security & Privacy (2014). https://doi.org/10.1109/SP.2014.47

  24. Pagh, R., Rodler, F.F.: Cuckoo hashing. In: auf der Heide, F.M. (ed.) ESA 2001. LNCS, vol. 2161, pp. 121–133. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44676-1_10

  25. Song, D., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: IEEE Symposium on Security and Privacy 2000, pp. 44–55 (2000). https://doi.org/10.1109/SECPRI.2000.848445

  26. Taketani, S., Ogata, W.: Improvement of UC secure searchable symmetric encryption scheme. In: Tanaka, K., Suga, Y. (eds.) IWSEC 2015. LNCS, vol. 9241, pp. 135–152. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22425-1_9

  27. Wang, P., Wang, H., Pieprzyk, J.: Keyword field-free conjunctive keyword searches on encrypted data and extension for dynamic groups. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 178–195. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89641-8_13

Corresponding author: Wakaha Ogata

A UC-Security for No-Dictionary vSSE

If a protocol is secure in the universally composable (UC) security framework, its security is maintained even if the protocol is combined with other protocols [4,5,6]. The UC security is defined based on ideal functionality \(\mathcal{F}\). Kurosawa and Ohtaki introduced an ideal functionality of vSSE [18, 20]. Taketani and Ogata [26] generalized it in order to handle the general leakage functions \(L=(L_1,L_2)\) as shown in Fig. 4.

Fig. 4. Ideal functionality \(\mathcal{F}_{vSSE}^L\) (figure not reproduced)

In the no-dictionary verifiable SSE setting, the real world is described as follows. We assume a real adversary, \(\mathbf{A}^\mathrm{uc}\), can control the server arbitrarily, and the client is always honest. For simplicity, we ignore session id.

In the store phase, an environment, \(\mathbf{Z}\), chooses \((\mathcal{D}, \mathcal{W})\) and sends them to the client. The client computes \(K \leftarrow \mathtt{Gen}(1^{\lambda })\) and \((\mathcal{I}, \mathcal{C})\leftarrow \mathtt{Enc}(K, \mathcal{D}, \mathcal{W},\) \(\{(w, \mathcal{D}(w)) \mid w \in \mathcal{W}\})\), and sends \((\mathcal{I}, \mathcal{C})\) to the server. The client stores K (see Note 2) and the server stores \((\mathcal{I},\mathcal{C})\). In the search phase, \(\mathbf{Z}\) chooses a word \(w\in \{0,1\}^*\) and sends it to the client. The client computes \(t(w) \leftarrow \mathtt{Trpdr}(K,w)\) and sends it to the server. The server, who may be controlled by the real adversary \(\mathbf{A}^\mathrm{uc}\), returns \((\tilde{\mathcal{C}}^*, \widetilde{\mathsf{Proof}})\) to the client. If \(\mathtt{Verify}(K,t(w),\tilde{\mathcal{C}}^*, \widetilde{\mathsf{Proof}})\) outputs \(\mathtt{accept}\), then the client decrypts all \(\tilde{C}_i \in \tilde{\mathcal{C}}^*\), and sends the list of plaintexts \(\tilde{\mathcal{D}}(w) = (\tilde{D}_1,\tilde{D}_2,\ldots )\) to \(\mathbf{Z}\). If \(\mathtt{Verify}(K,t(w),\tilde{\mathcal{C}}^*, \widetilde{\mathsf{Proof}})\) outputs \(\mathtt{reject}\), then \(\bot \) is sent to \(\mathbf{Z}\). After the store phase, \(\mathbf{Z}\) outputs a bit b.
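The store and search phases just described, run end to end as an added example; this is not the paper's construction and not the authors' code. The client's \(\mathtt{Gen}\), \(\mathtt{Enc}\), \(\mathtt{Trpdr}\) and \(\mathtt{Verify}\) and the server's \(\mathtt{Search}\) follow the interface above; the client keeps only K in the search phase, and the server proves \(w \not\in \mathcal{W}\) with the sorted-key method of Note 1, locating in \(O(\log m)\) time the gap \(key_i < PRF_k(w) < key_{i+1}\). Everything else is an assumption of this example: HMAC-SHA256 stands in for \(PRF_k\), a MAC over each adjacent key pair is what lets the client check the claimed gap, documents are protected by a toy PRF-keystream cipher, and the documents and keywords in `demo()` are constructed. `cheating_server` plays the server the abstract warns about, answering "your word is not in the dictionary" for a word that is there; \(\mathtt{Verify}\) rejects, so the client outputs \(\bot\).

```python
"""Toy no-dictionary verifiable SSE (added example, not the paper's scheme).
The client keeps only K for searching; W is never consulted after Enc.  Absence
is proved as in note 1: the server finds the gap key_i < PRF_K(w) < key_{i+1} in
the sorted key line.  Assumed here: HMAC-SHA256 as PRF_K, one MAC per adjacent
key pair to authenticate gaps, a toy PRF-keystream cipher for documents, and
constructed sample data."""
import bisect
import hashlib
import hmac
import os

MIN_KEY, MAX_KEY = b"\x00" * 32, b"\xff" * 32   # sentinels closing the key line

def prf(K: bytes, label: bytes, msg: bytes) -> bytes:
    """PRF_K with domain separation by label."""
    return hmac.new(K, label + b"|" + msg, hashlib.sha256).digest()

def _xor_stream(K: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a PRF keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(K, b"enc", nonce + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def Gen() -> bytes:
    return os.urandom(32)

def Enc(K, D, W):
    """Store phase.  D: doc_id -> plaintext, W: dictionary.  Returns (I, C).
    D(w) is taken to be the documents whose whitespace tokens contain w."""
    C = {}                                    # encrypt-then-MAC each document
    for doc_id, pt in D.items():
        nonce = os.urandom(16)
        ct = _xor_stream(K, nonce, pt)
        C[doc_id] = (nonce, ct, prf(K, b"doc", doc_id + nonce + ct))
    posting = {}                              # PRF_K(w) -> (D(w), MAC over the list)
    for w in W:
        t = prf(K, b"key", w)
        ids = sorted(d for d, pt in D.items() if w in pt.split())
        posting[t] = (ids, prf(K, b"post", t + b",".join(ids)))
    line = [MIN_KEY] + sorted(posting) + [MAX_KEY]   # key_1 < ... < key_m
    gaps = {(lo, hi): prf(K, b"gap", lo + hi) for lo, hi in zip(line, line[1:])}
    return {"posting": posting, "line": line, "gaps": gaps}, C

def Trpdr(K, w):
    return prf(K, b"key", w)

def Search(I, C, t):
    """Honest server: returns (C*, Proof) for trapdoor t."""
    if t in I["posting"]:
        ids, tag = I["posting"][t]
        return [(d, *C[d]) for d in ids], ("member", ids, tag)
    i = bisect.bisect_left(I["line"], t)      # O(log m) search for the enclosing gap
    lo, hi = I["line"][i - 1], I["line"][i]
    return [], ("absent", lo, hi, I["gaps"][(lo, hi)])

def Verify(K, t, C_star, proof):
    """Client-side check; a forged or mismatched proof yields reject (False)."""
    if proof[0] == "member":
        _, ids, tag = proof
        ok = hmac.compare_digest(tag, prf(K, b"post", t + b",".join(ids)))
        ok = ok and [row[0] for row in C_star] == ids
        return ok and all(hmac.compare_digest(dtag, prf(K, b"doc", d + nonce + ct))
                          for d, nonce, ct, dtag in C_star)
    _, lo, hi, tag = proof
    return lo < t < hi and hmac.compare_digest(tag, prf(K, b"gap", lo + hi))

def client_search(K, w, server):
    """Search phase for a client holding only K.  Returns D~(w), or None for ⊥."""
    t = Trpdr(K, w)
    C_star, proof = server(t)
    if not Verify(K, t, C_star, proof):
        return None
    return {d: _xor_stream(K, nonce, ct) for d, nonce, ct, _ in C_star}

def cheating_server(I):
    """Malicious server claiming 'w is not in the dictionary' for every w.
    When t exists, (lo, hi) is not an adjacent pair, so no gap MAC is available."""
    def respond(t):
        line = [k for k in I["line"] if k != t]      # hide t's own key
        i = bisect.bisect_left(line, t)
        lo, hi = line[i - 1], line[i]
        return [], ("absent", lo, hi, I["gaps"].get((lo, hi), b"\x00" * 32))
    return respond

def demo():
    """Constructed sample data; returns (honest hit, honest miss, cheating server)."""
    K = Gen()
    D = {b"d1": b"invoice payment overdue", b"d2": b"payment reminder",
         b"d3": b"holiday notice"}
    W = [b"invoice", b"payment", b"overdue", b"reminder", b"holiday", b"notice"]
    I, C = Enc(K, D, W)
    honest = lambda t: Search(I, C, t)
    return (client_search(K, b"payment", honest),
            client_search(K, b"missing", honest),
            client_search(K, b"payment", cheating_server(I)))
```

`demo()` returns the decrypted documents for a present word, an empty result with an accepted absence proof for a missing word, and `None` (\(\bot\)) when the server lies. The per-gap MACs are what make the server's O(log m) answer checkable by a client that no longer has \(\mathcal{W}\): the server can only present gaps the client authenticated at store time, and any real gap containing \(PRF_k(w)\) has no key in between.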

On the other hand, the ideal world is described as follows.

In the store phase, \(\mathbf{Z}\) sends \((\mathcal{D}, \mathcal{W})\) to the dummy client. The dummy client sends \((\mathbf{store},\mathcal{D},\mathcal{W})\) to functionality \(\mathcal{F}_{vSSE}^L\) (see Fig. 4). In the search phase, \(\mathbf{Z}\) sends w to the dummy client. The dummy client sends \((\mathbf{search},w)\) to \(\mathcal{F}_{vSSE}^L\), and receives \(\mathcal{D}(w)\) or \(\bot \) (according to ideal adversary \(\mathbf{S}^\mathrm{uc}\)’s decision), which is relayed to \(\mathbf{Z}\). At last, \(\mathbf{Z}\) outputs a bit b.

In both worlds, \(\mathbf{Z}\) can communicate with \(\mathbf{A}^\mathrm{uc}\) (in the real world) or \(\mathbf{S}^\mathrm{uc}\) (in the ideal world) in an arbitrary way.

UC-security of no-dictionary vSSE scheme is defined as follows.

Definition 4

(UC-security with leakage L). We say that a no-dictionary vSSE scheme has universally composable (UC) security with leakage L against non-adaptive adversaries if for any PPT real adversary \(\mathbf{A}^\mathrm{uc}\) there exists a PPT ideal adversary (simulator) \(\mathbf{S}^\mathrm{uc}\) such that, for any PPT environment \(\mathbf{Z}\),

$$ | \Pr [\mathbf{Z}\textit{ outputs 1 in the real world}] -\Pr [\mathbf{Z}\textit{ outputs 1 in the ideal world}] | $$

is negligible.

We can show a weak equivalence of UC security and privacy with reliability.

Theorem 3

If a no-dictionary vSSE scheme satisfies L-privacy and strong reliability for some L, it has UC security with leakage L against non-adaptive adversaries.

Proof

Assume that the scheme satisfies L-privacy and strong reliability.

We consider four games \(\mathbf{Game}_0,\ldots ,\mathbf{Game}_3\). Let

$$\begin{aligned} p_i = \Pr [\mathbf{Z}\text { outputs 1 in}~\mathbf{Game}_i] \end{aligned}$$

for a fixed \(\mathbf{A}^\mathrm{uc}\). \(\mathbf{Game}_0\) is equivalent to the real world in the definition of UC security. So,

$$ p_0 = \Pr [\mathbf{Z}\text { outputs 1 in the real world}]. $$

\(\mathbf{Game}_1\) is different from \(\mathbf{Game}_0\) in the following points.

  • In the store phase, the client records \((\mathcal{D},\mathcal{W},\mathcal{I})\) as well as the key K.

  • In the search phase, if \(\mathbf{A}^\mathrm{uc}\) instructs the server to return \((\tilde{\mathcal{C}}^*,\widetilde{\mathsf{Proof}})\) such that \((\tilde{\mathcal{C}}^*,\widetilde{\mathsf{Proof}})\ne (\mathcal{C}^*,\mathsf{Proof})\leftarrow \mathtt{Search}(\mathcal{I},\mathcal{C},t(w))\), then the server returns reject to the client. Otherwise the server returns accept.

  • If the client receives accept from the server, he sends \(\mathcal{D}(w)\) to \(\mathbf{Z}\). Otherwise, he sends \(\bot \) to \(\mathbf{Z}\).

\(\mathbf{Game}_1\) is the same as \(\mathbf{Game}_0\) until \(\mathbf{A}^\mathrm{uc}\) instructs the server to return \((\tilde{\mathcal{C}}^*,\widetilde{\mathsf{Proof}})\) such that

$$ \mathtt{Verify}(K,t(w),\tilde{\mathcal{C}}^*, \widetilde{\mathsf{Proof}})=\mathtt{accept}\text { and}~(\tilde{\mathcal{C}}^*,\widetilde{\mathsf{Proof}}) \ne (\mathcal{C}^*, \mathsf{Proof}). $$

The above condition is the (strongly) winning condition of \(\mathbf{B}\) in \(\mathbf{Game}_{reli}\). So, we can obtain

$$ |p_0 - p_1| \le \max _{\mathbf{B}} \Pr [\mathbf{B}\text { strongly wins in }\mathbf{Game}_{reli}]. $$

From the assumption, \(|p_0 - p_1|\) is negligibly small.

In \(\mathbf{Game}_2\), we split the client into two entities, client1 and client2, as follows. (See Fig. 5(a).)

Fig. 5. (a) \(\mathbf{Game}_2\), (b) \(\mathbf{Game}_3\) (figure not reproduced)

  • Both client1 and client2 receive all input from \(\mathbf{Z}\).

  • In the store/search phase, only client2 sends \((\mathcal{I},\mathcal{C})\)/t(w) to the server.

  • In the search phase, only client1 receives accept/reject from the server, and sends \(\mathcal{D}(w)\)/\(\bot \) to \(\mathbf{Z}\).

This change is conceptual only. Therefore \(p_2 = p_1\).

Now, we look at \((\mathbf{Z}, \mathrm{client1}, \mathrm{server}, \mathbf{A}^\mathrm{uc})\) and client2 as an adversary \(\mathbf{A}\) and a challenger \(\mathbf{C}\) in the real game of privacy, respectively. Then, from the assumption, there exists a simulator \(\mathbf{S}\) such that Eq. (2) is negligible.

In \(\mathbf{Game}_3\), client2 plays the role of the challenger in the simulation game of privacy; he sends \(L_1(\mathcal{D},\mathcal{W})\) or \(L_2(\mathcal{D},\mathcal{W},\mathbf{w},w)\) to the simulator \(\mathbf{S}\), and then \(\mathbf{S}\) sends its outputs (the simulated message) to the server. (See Fig. 5(b).) Again, we look at \((\mathbf{Z}, \mathrm{client1}, \mathrm{server}, \mathbf{A}^\mathrm{uc})\) as \(\mathbf{A}\). Then \(\mathbf{Game}_3\) is the simulation game and \(\mathbf{Game}_2\) is the real game. Therefore

$$ |p_3 - p_2| \le |\Pr [\mathbf{A}\text { outputs 1 in } \mathbf{Game}_{real}] -\Pr [\mathbf{A}\text { outputs 1 in } \mathbf{Game}_{sim}^{L}]|, $$

and it is negligible from the assumption.

In \(\mathbf{Game}_3\), \((\mathrm{client1}, \mathrm{client2})\) behaves exactly the same way as \(\mathcal{F}^L_{vSSE}\) in the ideal world. So, considering \((\mathbf{S}, \mathrm{server}, \mathbf{A}^\mathrm{uc})\) as a simulator \(\mathbf{S}^\mathrm{uc}\), we obtain

$$ p_3 = \Pr [\mathbf{Z}\text { outputs 1 in the ideal world}] $$

for this simulator. Consequently, we can say that for any \(\mathbf{A}^\mathrm{uc}\) there exists \(\mathbf{S}^\mathrm{uc}\) such that \(|p_0-p_3|=|\Pr [\mathbf{Z}\text { outputs 1 in the real world}] -\Pr [\mathbf{Z}\text { outputs 1 in the ideal world}] |\) is negligible.    \(\square \)

Theorem 4

If a no-dictionary vSSE scheme has UC security with leakage L against non-adaptive adversaries for some L, it satisfies L-privacy and reliability.

This theorem is shown by the following lemmas.

Lemma 1

If a vSSE scheme has UC security with leakage L against non-adaptive adversaries for some L, it satisfies L-privacy.

Proof

Assume that the scheme has UC security with leakage L.

Consider a real adversary \(\mathbf{A}_0^\mathrm{uc}\) who sends \(\mathbf{Z}\) all inputs that the corrupted server receives from the client. That is, \((\mathcal{I},\mathcal{C})\) and t(w) are sent to \(\mathbf{Z}\) in the store phase and the search phase, respectively. From the assumption, there exists an ideal adversary \(\mathbf{S}_0^\mathrm{uc}\) for such \(\mathbf{A}_0^\mathrm{uc}\), and any environment \(\mathbf{Z}\) cannot distinguish the real world and the ideal world (Fig. 6). That is,

$$ | \Pr [ \mathbf{Z}\text { outputs 1 in the real world]} - \Pr [ \mathbf{Z}\text { outputs 1 in the ideal world}] | $$

is negligible for any \(\mathbf{Z}\). Note that \(\mathbf{S}_0^\mathrm{uc}\) can compute and send simulated \((\tilde{\mathcal{I}},\tilde{\mathcal{C}})\) and \(\tilde{t}(w)\) to \(\mathbf{Z}\).

Fig. 6. (a) \(\mathbf{A}_0^\mathrm{uc}\), (b) \(\mathbf{S}_0^\mathrm{uc}\) (figure not reproduced)

Now we consider restricted environments \(\mathbf{Z}_0\) that do not use the answer from the client/dummy client to distinguish the worlds. Namely, in the real world, \(\mathbf{Z}_0\) sends \((\mathcal{D},\mathcal{W})\) and w to the client and receives \((\mathcal{I},\mathcal{C})\leftarrow \mathtt{Enc}(K,\mathcal{D},\mathcal{W},\{(w, \mathcal{D}(w)) \mid w \in \mathcal{W}\})\) and \(t(w)\leftarrow \mathtt{Trpdr}(K,w)\) from \(\mathbf{A}_0^\mathrm{uc}\) in the store phase and the search phase, respectively, and outputs a bit at last. This situation is exactly the same as \(\mathbf{A}\) in \(\mathbf{Game}_{real}\) (Fig. 7(a)). On the other hand, in the ideal world, \(\mathbf{Z}_0\) sends \((\mathcal{D},\mathcal{W})\) and w to the dummy client and receives \((\tilde{\mathcal{I}},\tilde{\mathcal{C}})\) and \(\tilde{t}(w)\) from \(\mathbf{S}_0^\mathrm{uc}\) in each phase, and outputs a bit. This situation is exactly the same as \(\mathbf{A}\) in \(\mathbf{Game}_{sim}\) (Fig. 7(b)). Therefore,

$$\begin{aligned}&\max _{\mathbf{A}} | \Pr [ \mathbf{A}\text { outputs 1 in } \mathbf{Game}_{real}] - \Pr [ \mathbf{A}\text { outputs 1 in } \mathbf{Game}_{sim}] | \\&\,\, = \max _{\mathbf{Z}_0} | \Pr [ \mathbf{Z}_0 \text { outputs 1 in the real world]} - \Pr [ \mathbf{Z}_0 \text { outputs 1 in the ideal world}] | \\&\,\, \le \max _{\mathbf{Z}} | \Pr [ \mathbf{Z}\text { outputs 1 in the real world]} - \Pr [ \mathbf{Z}\text { outputs 1 in the ideal world}] | \\&\,\, = negl. \end{aligned}$$

   \(\square \)

Fig. 7. \(\mathbf{Z}_0\) in (a) the real world and (b) the ideal world (figure not reproduced)

Lemma 2

If a vSSE scheme has UC security with leakage L against non-adaptive adversaries for some L, it satisfies reliability.

Proof

We fix an arbitrary adversary \(\mathbf{B}=(\mathbf{B}_1,\mathbf{B}_2)\) of reliability game. Consider a real adversary \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\) such that \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\) interacts with the client like \(\mathbf{B}_2\) (by controlling the server), while \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\) interacts with \(\mathbf{Z}\) like \(\mathbf{B}_1\) (Fig. 8(a)). More precisely, at the beginning of each phase, \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\) suggests which \((\mathcal{D},\mathcal{W})\) or w the environment should send to the client.

Fig. 8. (a) \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\), (b) \(\mathbf{Z}_1\) (figure not reproduced)

If the scheme has UC security with leakage L, there exists an ideal adversary, \(\mathbf{S}_{\mathbf{B}}^\mathrm{uc}\), and any environment \(\mathbf{Z}\) cannot distinguish the real world and the ideal world.

Next, consider a simple environment \(\mathbf{Z}_1\) that performs as follows (Fig. 8(b)). At the beginning of each phase, \(\mathbf{Z}_1\) sends the client/dummy client the \((\mathcal{D},\mathcal{W})\) or w suggested by \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\). When \(\mathbf{Z}_1\) receives a message from the client/dummy client, \(\mathbf{Z}_1\) relays it to \(\mathbf{A}_{\mathbf{B}}^\mathrm{uc}\). If \(\mathbf{Z}_1\) receives \(\tilde{\mathcal{D}}(w) \not \in \{\mathcal{D}(w),\bot \}\) as the reply to w, then it outputs 1.

It is clear that

$$ \Pr [ \mathbf{Z}_1 \text { outputs 1 in the real world}] = \Pr [ \mathbf{B}\text { wins in }\mathbf{Game}_{reli}]. $$

On the other hand, in the ideal world, \(\mathbf{Z}_1\) never receives \(\tilde{\mathcal{D}}(w) \not \in \{\mathcal{D}(w),\bot \}\) from \(\mathcal{F}^{L}_{vSSE}\) through the client. Therefore,

$$ \Pr [ \mathbf{Z}_1 \text { outputs 1 in the ideal world}] = 0. $$

Hence

$$\begin{aligned}&\Pr [ \mathbf{B}\text { wins in }\mathbf{Game}_{reli}] \\&\,\, = \left| \Pr [ \mathbf{Z}_1 \text { outputs 1 in the real world}] - \Pr [ \mathbf{Z}_1 \text { outputs 1 in the ideal world}] \right| , \end{aligned}$$

which is negligible for any \(\mathbf{B}\) from the assumption.    \(\square \)

Corollary 1

Our transformed scheme is UC-secure with leakage \(L'=(L_1',L_2')\) if the original SSE scheme has \(L=(L_1,L_2)\)-privacy, where L and \(L'\) are given in Theorem 1.

Copyright information

© 2017 International Financial Cryptography Association

Cite this paper

Ogata, W., Kurosawa, K. (2017). Efficient No-dictionary Verifiable Searchable Symmetric Encryption. In: Kiayias, A. (ed.) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_28

  • DOI: https://doi.org/10.1007/978-3-319-70972-7_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7