
UC-Secure Dynamic Searchable Symmetric Encryption Scheme

  • Conference paper
Advances in Information and Computer Security (IWSEC 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9836))


Abstract

In a dynamic searchable symmetric encryption (SSE) scheme, a client can add, modify and delete encrypted files. In this paper, we first prove a weak equivalence between UC security and stand-alone security, building on previous work on static SSE schemes. We next give a UC-secure dynamic SSE scheme that is more efficient than the previous one, obtained by replacing the RSA accumulator with an XOR-MAC to authenticate the index table.



Author information

Correspondence to Kaoru Kurosawa.

Appendices

A Proof of Theorem 1

(Proof of privacy). In the real world, consider an adversary \(\mathsf{A}_0\) who corrupts the server in such a way that \(\mathsf{A}_0\) forwards each message \(Y_i\) that the server receives from the client to \(\mathcal{Z}\). Look at \(\mathcal{Z}\) as a distinguisher and (client, server, \(\mathsf{A}_0\)) as a challenger. Then this real world can be seen as the real game of privacy.

On the other hand, in the ideal world there exists an adversary \(\mathsf{S}\) which sends to \(\mathcal{Z}\) a message \(Y_i'\) that \(\mathcal{Z}\) cannot tell apart from \(Y_i\), because by our assumption \(\mathcal{Z}\) cannot distinguish the real world from the ideal world. Now look at \(\mathcal{Z}\) as a distinguisher, \(\mathsf{S}\) as a simulator and (dummy-client, \(\mathcal{F}_{\mathrm{dSSE}}\)) as a challenger. Then this ideal world can be seen as the ideal game of privacy.

This means that \( \mathsf{Adv}^{priv}_S(\mathcal{Z})=\mathsf{Adv}^{uc}_{\mathsf{S}}(\mathcal{Z}, \mathsf{A}_0) \). Therefore we have

$$\begin{aligned} \mathsf{Adv}^{priv}_S = \max _{\mathcal{Z}} \mathsf{Adv}^{priv}_S(\mathcal{Z}) = \max _{\mathcal{Z}} \mathsf{Adv}^{uc}_S(\mathcal{Z}, A_0) = negligible \end{aligned}$$

from our assumption. Hence \(\varPi \) satisfies privacy.

(Proof of reliability). For an adversary \((A_1,A_2)\) of reliability (see Sect. 4), consider an environment \(\mathcal{Z}\) and a real world adversary \(\mathsf{A}\) such that \((\mathcal{Z},\mathsf{A})=(A_1,A_2)\). Then there exists an ideal world adversary \(\mathsf{S}\) such that

$$\begin{aligned} \mathsf{Adv}^{uc}_S(\mathcal{Z}, A)=| \mathrm{P}_{real}- \mathrm{P}_{ideal}|=negligible \end{aligned}$$

from our assumption.

In the ideal world, \(\mathcal{Z}\) never receives \(\mathtt{D}(w)'\) such that \(\mathtt{D}(w)' \ne \mathtt{D}(w)\) for any \((\mathsf{search}, w)\). Therefore

$$\begin{aligned} \mathrm{P}_{ideal} = \Pr (\mathcal{Z}\text { outputs }1) = \Pr (A_1 \text { outputs }1) = 0. \end{aligned}$$

Hence \(\mathrm{P}_{real}=\)negligible. This means that

$$\begin{aligned} \mathsf{Adv}^{auth}(A_1,A_2)=\mathrm{P}_{real}=negligible. \end{aligned}$$

Therefore \(\varPi \) satisfies reliability.

B Proof of Theorem 2

Fix a real world adversary \(\mathsf{A}\) who corrupts the server arbitrarily. In the following, we consider a series of games \(\mathtt{Game}_0, \cdots , \mathtt{Game}_3\), where \(\mathtt{Game}_0\) is the real world. Let \( p_i=\Pr (\mathcal{Z} \text{ outputs } 1 \text{ in } \mathtt{Game}_i). \)

  • (\(\mathtt{Game}_1\)) This game is the same as \(\mathtt{Game}_0\) except for the following.

    In the store phase, the client records \((\mathcal{D}, \mathcal{W}, \mathtt{Index})\) in addition to sending \((\mathsf{store}, \mathcal{C},\mathcal{I})\) to the server.

    In the search/update phase:

    – If the client takes \((\mathsf{add}, D, \mathsf{e})\) as an input from \(\mathcal{Z}\), then in addition to sending \((\mathsf{add}, C_{n+1}, \alpha )\) to the server, he appends D to \(\mathcal{D}\), and updates the \(m \times n\) binary matrix \(\mathtt{Index}\) to the \(m \times (n+1)\) one whose last column is \(\mathsf{e}^T\).

    – If the client takes any other type of input from \(\mathcal{Z}\), then he sends the (first) message to the server.

    1. If \(\mathsf{A}\) instructs the server to return an invalid \((\mathtt{C}'(w), Tag'(w))\) or an invalid \((C_i',tag_i')\), then the server returns \(\mathtt{reject}\) to the client. Otherwise the server returns \(\mathtt{accept}\) to the client.

    2. If the client receives \(\mathtt{reject}\) from the server, then he sends \(\mathtt{reject}\) to \(\mathcal{Z}\).

    3. Suppose that the client receives \(\mathtt{accept}\) from the server.

       – If his input is \((\mathsf{search}, w)\), then he sends \(\mathtt{D}(w)\) to \(\mathcal{Z}\).

       – If his input is \((\mathsf{modify}, i, D_i')\), then he replaces \(D_i\) with \(D_i'\).

       – If his input is \((\mathsf{delete}, i)\), then he replaces \(D_i\) with \(\mathsf{delete}\).

    Let \(\mathsf{BAD}\) be the event that the client accepts an invalid \((\mathtt{C}'(w), Tag'(w))\) or an invalid \((C_i',tag_i')\) in \(\mathtt{Game}_0\). Since \(\mathtt{Game}_0\) and \(\mathtt{Game}_1\) proceed identically unless \(\mathsf{BAD}\) occurs, it holds that \( |p_0-p_1| \le \Pr (\mathsf{BAD}) \). Now consider an adversary \((A_1,A_2)\) on the reliability such that \((A_1,A_2)=(\mathcal{Z}, (\mathsf{A},server))\) in \(\mathtt{Game}_0\). Then we can see that \( \Pr (\mathsf{BAD})=\mathsf{Adv}^{sauth}(A_1,A_2) \). Therefore we have \( |p_0-p_1| \le \mathsf{Adv}^{sauth}. \)

    • (\(\mathtt{Game}_2\)) In this game, we modify \(\mathtt{Game}_1\) as follows. We replace the client with a pair \((client_1, client_2)\) that behaves as follows.

    1. Both \(client_1\) and \(client_2\) receive the (same) input from \(\mathcal{Z}\).

    2. \(client_2\) sends the (first) message of the client to the server.

    3. \(client_1\) receives \(\mathtt{accept}\) or \(\mathtt{reject}\) from the server, and behaves in the same way as the client does in \(\mathtt{Game}_1\).

    This change is conceptual only. Therefore \(p_2=p_1\).

    • (\(\mathtt{Game}_3\)) In this game, we modify \(\mathtt{Game}_2\) as follows. Since \(\varPi \) satisfies privacy from our assumption, there exists a simulator \(\mathsf{Sim}\) such that \(\mathsf{Adv}^{priv}_{\mathsf{Sim}}=negligible\).

    Now in \(\mathtt{Game}_3\), \(client_2\) plays the role of the challenger in the simulation game of privacy, and sends the minimum leakage to \(\mathsf{Sim}\). \(\mathsf{Sim}\) then sends its outputs (the simulated message) to the server.

    Further look at \((\mathcal{Z}, client_1, server, \mathsf{A})\) as a distinguisher of the privacy game. Then \(\mathtt{Game}_3\) is the simulation game and \(\mathtt{Game}_2\) is the real game. Therefore it holds that \( |p_3-p_2| \le \mathsf{Adv}^{priv}_{\mathsf{Sim}}. \)

In \(\mathtt{Game}_3\), \((client_1,client_2)\) behaves exactly in the same way as the ideal functionality \(\mathcal{F}_{\mathrm{dSSE}}\). Further look at \((\mathsf{A}, server, \mathsf{Sim})\) as the ideal world adversary \(\mathsf{S}\). Then \(\mathtt{Game}_3\) can be seen as the ideal world of the UC framework.

Therefore we have

$$\begin{aligned} \mathsf{Adv}^{uc}_{\mathsf{S}}(\mathcal{Z},A) = |p_0-p_3| \le \mathsf{Adv}^{sauth}+\mathsf{Adv}^{priv}_{\mathsf{Sim}} \end{aligned}$$

for any \(\mathcal{Z}\). Finally \(\mathsf{Adv}^{sauth}\) and \(\mathsf{Adv}^{priv}_{\mathsf{Sim}}\) are negligible from our assumption. Hence \(\varPi \) securely realizes \(\mathcal{F}_{\mathrm{dSSE}}\).
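The accept/reject step that Game_1 of the proof above formalizes, and the abstract's choice of an XOR-MAC rather than an RSA accumulator to authenticate the index table, can be seen in working form in the following added Python example. It is illustrative code written for this page, not the paper's scheme: it assumes HMAC-SHA256 as the PRF F_K, a per-keyword version counter kept by the client as the XOR-MAC's randomizing input, and one plaintext 0/1 row of Index per keyword standing in for C(w); the paper's encryption of the index and its exact message formats are not reproduced. It shows the checks a practitioner would want to see: an honest (C(w), Tag(w)) verifies, a row the server has modified is rejected (the BAD event), add and delete update the tag with a constant number of PRF calls instead of re-MACing the row, and a rolled-back (row, tag) pair from before an update is rejected as well.

```python
"""Added example: XOR-MAC-authenticated index rows with incremental updates.

Hypothetical construction written for this page; it is not the paper's scheme.
Assumptions: HMAC-SHA256 plays the PRF F_K, the client keeps a per-keyword
version counter that acts as the XOR-MAC's randomizing input, and one
plaintext 0/1 row of Index per keyword stands in for C(w).
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """F_K over a length-prefixed encoding of parts (unambiguous concatenation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_term(key: bytes, label: bytes, ver: int) -> bytes:
    """F_K(0 || w || ver): the randomizing term; ver never repeats for a given w."""
    return prf(key, b"\x00", label, ver.to_bytes(8, "big"))


def cell_term(key: bytes, label: bytes, pos: int, bit: int) -> bytes:
    """F_K(1 || w || i || M_i): one term per cell of the row for keyword w."""
    return prf(key, b"\x01", label, pos.to_bytes(4, "big"), bytes([bit]))


def xor_mac(key: bytes, label: bytes, ver: int, row: List[int]) -> bytes:
    """Tag(w) over a whole row: the nonce term XORed with every cell term."""
    tag = nonce_term(key, label, ver)
    for i, bit in enumerate(row):
        tag = xor(tag, cell_term(key, label, i, bit))
    return tag


def verify(key: bytes, label: bytes, ver: int, row: List[int], tag: bytes) -> bool:
    """Client-side check of a returned (C'(w), Tag'(w)) against its own version counter."""
    return hmac.compare_digest(xor_mac(key, label, ver, row), tag)


def append_cell(key: bytes, label: bytes, ver: int, tag: bytes,
                n: int, bit: int) -> Tuple[int, bytes]:
    """(add): extend the row from n to n+1 cells. Needs only the old tag, the row
    length and the new bit, not the row itself. Returns (ver', tag')."""
    tag = xor(xor(tag, nonce_term(key, label, ver)), nonce_term(key, label, ver + 1))
    tag = xor(tag, cell_term(key, label, n, bit))
    return ver + 1, tag


def set_cell(key: bytes, label: bytes, ver: int, tag: bytes,
             i: int, old_bit: int, new_bit: int) -> Tuple[int, bytes]:
    """(modify)/(delete) on cell i: XOR the old cell term out and the new one in."""
    tag = xor(xor(tag, nonce_term(key, label, ver)), nonce_term(key, label, ver + 1))
    tag = xor(xor(tag, cell_term(key, label, i, old_bit)),
              cell_term(key, label, i, new_bit))
    return ver + 1, tag


def run_demo() -> Dict[str, bool]:
    """Walk through the checks Game_1 of the proof formalizes (constructed data)."""
    key = os.urandom(32)             # client's MAC key
    w = b"keyword:invoice"           # constructed keyword label
    row = [1, 0, 1, 1]               # Index row for w over D_1..D_4 (constructed)
    ver = 0
    tag = xor_mac(key, w, ver, row)  # store phase: server gets (row, tag), client keeps ver

    out: Dict[str, bool] = {}
    # Honest server returns exactly what was stored.
    out["honest_accepted"] = verify(key, w, ver, row, tag)

    # BAD event: the server returns a modified C'(w) with the original Tag(w).
    forged = row[:]
    forged[0] ^= 1                   # claims D_1 does not contain w
    out["forged_rejected"] = not verify(key, w, ver, forged, tag)

    # (add, D_5, e) with e's bit for w equal to 1; the client never touches the row.
    ver, tag = append_cell(key, w, ver, tag, len(row), 1)
    row = row + [1]                  # the server appends the cell on its side
    out["add_matches_fresh_tag"] = (verify(key, w, ver, row, tag)
                                    and tag == xor_mac(key, w, ver, row))

    # (delete, 3): clear cell 2 (0-based); keep the pre-update pair for the rollback test.
    old_row, old_tag = row[:], tag
    ver, tag = set_cell(key, w, ver, tag, 2, row[2], 0)
    row[2] = 0
    out["delete_matches_fresh_tag"] = (verify(key, w, ver, row, tag)
                                       and tag == xor_mac(key, w, ver, row))

    # Rollback: the server replays the once-valid pre-delete (row, tag); the client's
    # version counter has moved on, so the nonce term no longer matches.
    out["rollback_rejected"] = not verify(key, w, ver, old_row, old_tag)
    return out


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The linear XOR structure is what makes the updates cheap, and it is also the property to be careful with: two rows must never be tagged under the same (keyword, version) pair, since XORing their tags cancels the nonce term. The version counter enforces that here and is, besides the key, the only per-keyword state the client has to hold; without it a server could replay a stale but correctly tagged row after an update, which is exactly the (delete)/(modify) case the proof's reliability game has to cover.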


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Kurosawa, K., Sasaki, K., Ohta, K., Yoneyama, K. (2016). UC-Secure Dynamic Searchable Symmetric Encryption Scheme. In: Ogawa, K., Yoshioka, K. (eds) Advances in Information and Computer Security. IWSEC 2016. Lecture Notes in Computer Science(), vol 9836. Springer, Cham. https://doi.org/10.1007/978-3-319-44524-3_5


  • DOI: https://doi.org/10.1007/978-3-319-44524-3_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44523-6

  • Online ISBN: 978-3-319-44524-3

