Abstract
In a dynamic searchable symmetric encryption (SSE) scheme, a client can add, modify and delete encrypted files. In this paper, we first prove a weak equivalence between UC security and stand-alone security, building on the previous work on static SSE schemes. We next show a UC-secure dynamic SSE scheme that is more efficient than the previous one, obtained by replacing the RSA accumulator with an XOR-MAC to authenticate the index table.
References
Bellovin, S., Cheswick, W.: Privacy-enhanced searches using encrypted bloom filters, Cryptology ePrint Archive, Report 2006/210 (2006). http://eprint.iacr.org/
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: FOCS 1997, pp. 394–403 (1997)
Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: new methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995)
Ballard, L., Kamara, S., Monrose, F.: Achieving efficient conjunctive keyword searches over encrypted data. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 414–426. Springer, Heidelberg (2005)
Byun, J.W., Lee, D.-H., Lim, J.-I.: Efficient conjunctive keyword search on encrypted data storage system. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 184–196. Springer, Heidelberg (2006)
Benaloh, J.C., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2005). http://eprint.iacr.org/
Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: ACM Conference on Computer and Communications Security 2006, pp. 79–88 (2006)
Full version of the above: Cryptology ePrint Archive, Report 2006/210 (2006). http://eprint.iacr.org/
Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013)
Cash, D., Jaeger, J., Jarecki, S., Jutla, C.S., Krawczyk, H., Rosu, M.-C., Steiner, M.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: NDSS 2014
Camenisch, J.L., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 61. Springer, Heidelberg (2002)
Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote encrypted data. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005)
Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368. Springer, Heidelberg (2014)
Goh, E.-J.: Secure indexes. Cryptology ePrint Archive, Report 2003/216 (2003). http://eprint.iacr.org/
Golle, P., Staddon, J., Waters, B.: Secure conjunctive keyword search over encrypted data. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 31–45. Springer, Heidelberg (2004)
Kurosawa, K.: Garbled searchable symmetric encryption. In: Financial Cryptography 2014, pp. 234–251 (2014)
Kurosawa, K., Ohtaki, Y.: UC-secure searchable symmetric encryption. In: Financial Cryptography 2012, pp. 285–298 (2012)
The final version of [19]. Cryptology ePrint Archive, Report 2015/251 (2015)
Kurosawa, K., Ohtaki, Y.: How to update documents Verifiably in searchable symmetric encryption. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 309–328. Springer, Heidelberg (2013)
Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: FC 2013 (2013)
Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: ACM Conference on Computer and Communications Security 2012, pp. 965–976 (2012)
Naveed, M., Prabhakaran, M., Gunter, C.: Dynamic searchable encryption via blind storage. In: IEEE Security & Privacy 2014
Song, D., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: IEEE Symposium on Security and Privacy 2000, pp. 44–55 (2000)
Wang, P., Wang, H., Pieprzyk, J.: Keyword field-free conjunctive keyword searches on encrypted data and extension for dynamic groups. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 178–195. Springer, Heidelberg (2008)
Appendices
A Proof of Theorem 1
(Proof of privacy). In the real world, consider an adversary \(\mathsf{A}_0\) who corrupts the server in such a way that \(\mathsf{A}_0\) sends each message \(Y_i\) that the server received from the client to \(\mathcal{Z}\). Look at \(\mathcal{Z}\) as a distinguisher and (client, server, \(\mathsf{A}\)) as a challenger. Then this real world can be seen as the real game of privacy.
On the other hand, in the ideal world there exists an adversary \(\mathsf{S}\) which sends to \(\mathcal{Z}\) a message \(Y_i'\) that is almost the same as \(Y_i\), because by our assumption \(\mathcal{Z}\) cannot distinguish between the real world and the ideal world. Now look at \(\mathcal{Z}\) as a distinguisher, \(\mathsf{S}\) as a simulator and (dummy-client, \(\mathcal{F}_{\mathrm{dSSE}}\)) as a challenger. Then this ideal world can be seen as the ideal game of privacy.
This means that \( \mathsf{Adv}^{priv}_{\mathsf{S}}(\mathcal{Z})=\mathsf{Adv}^{uc}_{\mathsf{S}}(\mathcal{Z}, \mathsf{A}_0) \). Therefore we have
from our assumption. Hence \(\varPi \) satisfies privacy.
(Proof of reliability). For an adversary \((A_1,A_2)\) of reliability (see Sect. 4), consider an environment \(\mathcal{Z}\) and a real world adversary \(\mathsf{A}\) such that \((\mathcal{Z},\mathsf{A})=(A_1,A_2)\). Then there exists an ideal world adversary \(\mathsf{S}\) such that
from our assumption.
In the ideal world, \(\mathcal{Z}\) never receives \(\mathtt{D}(w)'\) such that \(\mathtt{D}(w)' \ne \mathtt{D}(w)\) for any \((\mathsf{search}, w)\). Therefore
Hence \(\mathrm{P}_{real}\) is negligible. This means that
Therefore \(\varPi \) satisfies reliability.
B Proof of Theorem 2
Fix a real world adversary \(\mathsf{A}\) who corrupts the server arbitrarily. In the following, we consider a series of games \(\mathtt{Game}_0, \cdots , \mathtt{Game}_3\), where \(\mathtt{Game}_0\) is the real world. Let \( p_i=\Pr (\mathcal{Z} \text{ outputs } 1 \text{ in } \mathtt{Game}_i). \)
- (\(\mathtt{Game}_1\)) This game is the same as \(\mathtt{Game}_0\) except for the following.
  In the store phase, the client records \((\mathcal{D}, \mathcal{W}, \mathtt{Index})\) in addition to sending \((\mathsf{store}, \mathcal{C},\mathcal{I})\) to the server.
  In the search/update phase:
  – If the client takes \((\mathsf{add}, D, \mathsf{e})\) as an input from \(\mathcal{Z}\), then in addition to sending \((\mathsf{add}, C_{n+1}, \alpha )\) to the server, he appends D to \(\mathcal{D}\), and updates the \(m \times n\) binary matrix \(\mathtt{Index}\) to the \(m \times (n+1)\) one whose last column is \(\mathsf{e}^T\).
  – If the client takes any other type of input from \(\mathcal{Z}\), then he sends the (first) message to the server.
  1. If \(\mathsf{A}\) instructs the server to return an invalid \((\mathtt{C}'(w), Tag'(w))\) or an invalid \((C_i',tag_i')\), then the server returns \(\mathtt{reject}\) to the client. Otherwise the server returns \(\mathtt{accept}\) to the client.
  2. If the client receives \(\mathtt{reject}\) from the server, then he sends \(\mathtt{reject}\) to \(\mathcal{Z}\).
  3. Suppose that the client receives \(\mathtt{accept}\) from the server.
     – If his input is \((\mathsf{search}, w)\), then he sends \(\mathtt{D}(w)\) to \(\mathcal{Z}\).
     – If his input is \((\mathsf{modify}, i, D_i')\), then he replaces \(D_i\) with \(D_i'\).
     – If his input is \((\mathsf{delete}, i)\), then he replaces \(D_i\) with \(\mathsf{delete}\).
  Let \(\mathsf{BAD}\) be the event that the client accepts an invalid \((\mathtt{C}'(w), Tag'(w))\) or an invalid \((C_i',tag_i')\) in \(\mathtt{Game}_0\). Then it holds that \( |p_0-p_1| \le \Pr (\mathsf{BAD}) \). Now consider an adversary \((A_1,A_2)\) on reliability such that \((A_1,A_2)=(\mathcal{Z}, (\mathsf{A},server))\) in \(\mathtt{Game}_0\). Then we can see that \( \Pr (\mathsf{BAD})=\mathsf{Adv}^{sauth}(A_1,A_2) \). Therefore we have \( |p_0-p_1| \le \mathsf{Adv}^{sauth}. \)
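The bookkeeping that \(\mathtt{Game}_1\) adds to the client is easy to lose among the games, so here is a small executable model of it. This is an added illustration, not code from the paper: the client mirrors \((\mathcal{D}, \mathcal{W}, \mathtt{Index})\), appends the column \(\mathsf{e}^T\) on add, replaces \(D_i\) on modify, writes the \(\mathsf{delete}\) marker on delete, and on search verifies the server's \((\mathtt{C}'(w), Tag'(w))\) and \((C_i', tag_i')\) before answering with \(\mathtt{D}(w)\) computed from its own records. The paper's XOR-MAC is not reproduced; HMAC-SHA256 keyed over (keyword index, table version, row) is an assumed stand-in, documents are stored in the clear because only authentication is being modelled, and the class and field names are the example's own.

```python
"""Toy model of the Game_1 client from Appendix B (added example, not the paper's code).

Assumptions made here and not in the paper: HMAC-SHA256 stands in for the
XOR-MAC, a search names a keyword by its index j instead of a trapdoor, and
documents are stored in the clear (privacy is out of scope for this model).
"""
import hashlib
import hmac
from typing import Optional

DELETE = "delete"  # marker Game_1 writes in place of a deleted document


class Server:
    """Holds what the client uploaded. The adversary A controls it, so a test
    may overwrite entries to model an invalid (C'(w), Tag'(w)) or (C_i', tag_i')."""

    def __init__(self) -> None:
        self.rows: dict[int, tuple[bytes, bytes]] = {}  # j -> (row of Index, Tag(w_j))
        self.docs: dict[int, tuple[str, bytes]] = {}    # i -> (C_i, tag_i)


class Game1Client:
    """Runs the protocol and also keeps (D, W, Index), exactly as Game_1 prescribes."""

    def __init__(self, key: bytes, docs: list[str], keywords: list[str], server: Server) -> None:
        self.key = key
        self.server = server
        self.docs = list(docs)              # D = (D_1, ..., D_n)
        self.keywords = list(keywords)      # W = (w_1, ..., w_m)
        # Index: m x n binary matrix, Index[j][i] = 1 iff w_j occurs in D_i
        self.index = [[1 if w in d.split() else 0 for d in docs] for w in keywords]
        self.version = 0                    # bumped on add; binds each tag to the current table
        # store phase: send (store, C, I) to the server
        for j in range(len(self.keywords)):
            self._push_row(j)
        for i, d in enumerate(self.docs):
            self._push_doc(i, d)

    # --- authentication (assumed stand-in for the XOR-MAC of the paper) ---
    def _tag(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def _row_msg(self, j: int, row: bytes) -> bytes:
        return b"row|%d|%d|" % (j, self.version) + row

    def _doc_msg(self, i: int, doc: str) -> bytes:
        return b"doc|%d|" % i + doc.encode()

    def _push_row(self, j: int) -> None:
        row = bytes(self.index[j])
        self.server.rows[j] = (row, self._tag(self._row_msg(j, row)))

    def _push_doc(self, i: int, doc: str) -> None:
        self.server.docs[i] = (doc, self._tag(self._doc_msg(i, doc)))

    # --- search/update phase ---
    def add(self, doc: str) -> None:
        """(add, D, e): append D to the document list and the column e^T to Index."""
        e = [1 if w in doc.split() else 0 for w in self.keywords]
        i = len(self.docs)
        self.docs.append(doc)
        for j, bit in enumerate(e):
            self.index[j].append(bit)
        self.version += 1                   # old rows and tags must no longer verify
        for j in range(len(self.keywords)):
            self._push_row(j)
        self._push_doc(i, doc)

    def modify(self, i: int, doc: str) -> None:
        """(modify, i, D_i'): replace D_i; as in the appendix, Index is left unchanged."""
        self.docs[i] = doc
        self._push_doc(i, doc)

    def delete(self, i: int) -> None:
        """(delete, i): replace D_i with the delete marker."""
        self.docs[i] = DELETE
        self._push_doc(i, DELETE)

    def search(self, j: int) -> Optional[list[str]]:
        """(search, w_j): None models reject; otherwise D(w) from the mirrored state."""
        row, tag = self.server.rows[j]
        if not hmac.compare_digest(tag, self._tag(self._row_msg(j, row))):
            return None                     # invalid (C'(w), Tag'(w))
        for i, bit in enumerate(self.index[j]):
            if bit:
                doc, dtag = self.server.docs[i]
                if not hmac.compare_digest(dtag, self._tag(self._doc_msg(i, doc))):
                    return None             # invalid (C_i', tag_i')
        # accept: answer as the ideal functionality would, from the client's own records
        return [self.docs[i] for i, bit in enumerate(self.index[j]) if bit]
```

Because the table version is part of every row tag, a server that replays a row and tag captured before an add is rejected even though that pair was once valid; that is the kind of invalid \((\mathtt{C}'(w), Tag'(w))\) the event \(\mathsf{BAD}\) covers.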
- (\(\mathtt{Game}_2\)) In this game, we modify \(\mathtt{Game}_1\) as follows. We replace the client with \((client_1, client_2)\) that behave as follows.
  1. Both \(client_1\) and \(client_2\) receive the (same) input from \(\mathcal{Z}\).
  2. \(client_2\) sends the (first) message of the client to the server.
  3. \(client_1\) receives \(\mathtt{accept}\) or \(\mathtt{reject}\) from the server, and behaves in the same way as the client does in \(\mathtt{Game}_1\).
  This change is conceptual only. Therefore \(p_2=p_1\).
- (\(\mathtt{Game}_3\)) In this game, we modify \(\mathtt{Game}_2\) as follows. Since \(\varPi \) satisfies privacy from our assumption, there exists a simulator \(\mathsf{Sim}\) such that \(\mathsf{Adv}^{priv}_{\mathsf{Sim}}\) is negligible.
  Now in \(\mathtt{Game}_3\), \(client_2\) plays the role of the challenger in the simulation game of privacy, and sends the minimum leakage to \(\mathsf{Sim}\). \(\mathsf{Sim}\) then sends its output (the simulated message) to the server.
  Further, look at \((\mathcal{Z}, client_1, server, \mathsf{A})\) as a distinguisher of the privacy game. Then \(\mathtt{Game}_3\) is the simulation game and \(\mathtt{Game}_2\) is the real game. Therefore it holds that \( |p_3-p_2| \le \mathsf{Adv}^{priv}_{\mathsf{Sim}}. \)
- In \(\mathtt{Game}_3\), \((client_1,client_2)\) behaves exactly in the same way as the ideal functionality \(\mathcal{F}_{\mathrm{dSSE}}\). Further, look at \((\mathsf{A}, server, \mathsf{Sim})\) as the ideal world adversary \(\mathsf{S}\). Then \(\mathtt{Game}_3\) can be seen as the ideal world of the UC framework.
Therefore we have
for any \(\mathcal{Z}\). Finally \(\mathsf{Adv}^{sauth}\) and \(\mathsf{Adv}^{priv}_{\mathsf{Sim}}\) are negligible from our assumption. Hence \(\varPi \) securely realizes \(\mathcal{F}_{\mathrm{dSSE}}\).
© 2016 Springer International Publishing Switzerland
Cite this paper
Kurosawa, K., Sasaki, K., Ohta, K., Yoneyama, K. (2016). UC-Secure Dynamic Searchable Symmetric Encryption Scheme. In: Ogawa, K., Yoshioka, K. (eds) Advances in Information and Computer Security. IWSEC 2016. Lecture Notes in Computer Science(), vol 9836. Springer, Cham. https://doi.org/10.1007/978-3-319-44524-3_5
DOI: https://doi.org/10.1007/978-3-319-44524-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44523-6
Online ISBN: 978-3-319-44524-3