Searchable Encryption
Laltu Sardar
Indian Statistical Institute, Kolkata
Summer Internship in Cryptology
R. C. Bose Centre for Cryptology and Security
May 22-23, 2018
Laltu Sardar (ISI, Kolkata) Searchable Encryption May 22-23, 2018 1 / 103
Introduction Searchable Encryption
Cloud Services
Cloud Computing Services
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform
IBM Cloud
Cloud Storage Services
Google Drive
Dropbox
Microsoft OneDrive
Can we trust Remote Storage Service Providers?
Cloud Computing and Storage
Email service providers: Gmail, outlook.com, Yahoo! Mail etc.
Storage service providers: Google Drive, Dropbox etc.
Institutional Server
Survey Report [CER12]
53% attacks are insider
67% are sensitive or personal data.
No!
Privacy-Preserving Computation
Preserve search privacy → Private Information Retrieval
Data repository is huge → Privacy-preserving data mining
Data are encrypted → Searchable Encryption
Trivial Solution
Encrypt data
Upload data to the cloud server
To perform SEARCH
Download all data
Decrypt data
Perform Search
Re-encrypt and upload
Problems
Huge Communication overhead for the client
Huge Computation at client side
Does NOT serve the purpose of using the cloud
Searchable Encryption Goals
Data should be
  - Outsourced
  - Encrypted
Set Search Goals
  - What to search
  - Who can search
Client should not
  - Wait long for search → Inefficiency
  - Download all data
  - Compute much
Protection Needed
  - Source Data
  - Search keywords
  - Search Results
Adversarial Model
Who is the adversary?
  - Cloud Service Provider
What is the power of adversary?
  - Infinite power cannot be assumed
What about channel?
  - Secure?
  - Can it be aborted?
Preliminaries Cryptographic Tools
Cryptographic Tools
Pseudo Random Function (PRF)
Definition
$F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$
For every key $K \in \{0,1\}^k$ and every $x \in \{0,1\}^n$, $F(K, x)$ (also written $F_K(x)$) is efficiently computable
$F$ is indistinguishable from a random function
Pseudo Random Permutation (PRP)
Definition
$F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
For every key $K \in \{0,1\}^k$ and every $x \in \{0,1\}^n$, $F(K, x)$ (also written $F_K(x)$) is efficiently computable
Indistinguishable from a random permutation
Examples
AES
DES
3DES
Note
a PRP is a PRF
Pseudo Random Generator (PRG)
Definition
Deterministic random bit generator
Properties
Given a seed (start state), produces a sequence of random numbers/bits
Efficient: Can produce many numbers/bits in a short time
Deterministic: Same seeds generate same sequences of numbers/bits
Periodic: Sequence will eventually repeat itself
Examples
Stream cipher
linear congruential generator
Multiple-recursive generators
Hash Function
Definition
An algorithm/function that produces sequences of random numbers/bits.
Features
Publicly known key or no key
Maps arbitrary-size bit-string to a fixed-size bit-string
Deterministic: Same bit-string always results in the same hash
Efficient: Quick to compute the hash value
Properties
Pre-image Resistance, Second pre-image Resistance, Collision Resistance
Examples
SHA-0, SHA-1, SHA-2, SHA-3, MD5, SHA256 etc.
Preliminaries Data Structures
Data Type and Structures
Linked List
[Figure: linked list with node labels 10, a, b, c, d, terminated by null]
Operations
Create (Linked List)
Insert (a Node)
Delete (a Node)
Dictionary
Definition
A collection of (key-value) pairs, such that each possible key appears at most once in the collection.
Operations
Create (a Dictionary)
Insert a (key-value) pair (a Node)
Search whether a key exists
Properties
Creation: In constant time
Insertion: In logarithmic time
Search: In constant time
First Few Searchable Encryptions Song et al. [SWP00] Scheme
Song et al. [SWP00] Scheme
Scheme I
Encrypt a document $D = (W_1, W_2, \ldots, W_l)$ as follows
$S_i$ are generated using a stream cipher
$k_i$ are fixed
For each $i$
$T_i = S_i \,\|\, F_{k_i}(S_i)$
$C_i = W_i \oplus T_i$
Finally uploads $Enc(D) = (C_1, C_2, \ldots, C_l)$
Search
To search for a word $W$
Must reveal all the $k_i$
Problems
Potentially revealing the entire document
Solution
Alice must know in advance at which locations $W$ may appear
Scheme II
$k_i = f_{k'}(W_i)$, solves the problem with keys
$T_i = S_i \,\|\, f_{k_i}(S_i)$, where $f$ is a PRF
$C_i = W_i \oplus T_i$
Search
To search for a word $W$
Only reveals $f_{k'}(W)$: controlled searching.
Check all positions
If any decryption matches, returns the document
Problems
$W$ is revealed during search
Scheme III
$X_i = E_{k''}(W_i)$, where $E_{k''}$ is a deterministic encryption algorithm
$k_i = f_{k'}(X_i)$
$T_i = S_i \,\|\, F_{k_i}(X_i)$
$C_i = X_i \oplus T_i$
Search
To search for a word W
Compute $X = E_{k''}(W)$
Compute $k = f_{k'}(X)$
Sends $(X, k)$
Advantages
Searched keyword $W$ is not revealed
Problems
Owner can't recover the plaintext, as $E_{k''}(W_i)$ is needed for decryption
Also applicable to Scheme II
Scheme IV - Final Scheme
$X_i = E_{k''}(W_i)$, where $E_{k''}$ is a deterministic encryption algorithm
$X_i = \langle L_i \,\|\, R_i \rangle$
$k_i = f_{k'}(L_i)$
$T_i = S_i \,\|\, F_{k_i}(X_i)$
$C_i = X_i \oplus T_i$
Search
To search for a word W
Sends (X , k) computed similarly
Decryption
To search for a word W
Generate $S_i$
Recover $L_i$ by XORing $S_i$ with $C_i$
Recover $k_i = f_{k'}(L_i)$
Recover $X_i$
Get $W_i$ by decrypting $X_i$
Major Disadvantage
Every keyword of every file has to be decrypted
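A runnable sketch of the final scheme (encrypt, trapdoor, server-side scan, owner decryption), added here as an illustration and not taken from the slides or from [SWP00]. Assumptions: HMAC-SHA256 stands in for the PRFs and for the stream cipher, a 4-round Feistel network stands in for $E_{k''}$, the block sizes are constructed, and the check half of $T_i$ is computed as $F_{k_i}(S_i)$ as in Schemes I and II so that the decryption steps listed above go through.

```python
import hashlib
import hmac
import os

N, M = 16, 8        # block size and check-value size in bytes (constructed parameters)
HALF = N - M        # length of S_i and of L_i

def prf(key: bytes, data: bytes, n: int) -> bytes:
    """PRF stand-in: HMAC-SHA256 truncated to n bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def det_encrypt(key: bytes, word: str) -> bytes:
    """E_k''(W): 4-round Feistel over one zero-padded N-byte block (PRP stand-in)."""
    raw = word.encode()
    if len(raw) > N or b"\0" in raw:
        raise ValueError("word must fit in one block and contain no NUL byte")
    block = raw.ljust(N, b"\0")
    l, r = block[:N // 2], block[N // 2:]
    for i in range(4):
        l, r = r, xor(l, prf(key, bytes([i]) + r, N // 2))
    return l + r

def det_decrypt(key: bytes, block: bytes) -> str:
    l, r = block[:N // 2], block[N // 2:]
    for i in reversed(range(4)):          # undo the rounds in reverse order
        l, r = xor(r, prf(key, bytes([i]) + l, N // 2)), l
    return (l + r).rstrip(b"\0").decode()

def keygen() -> dict:
    # k'' for E, k' for deriving k_i, and a seed for the stream S_i
    return {"enc": os.urandom(32), "kprime": os.urandom(32), "seed": os.urandom(32)}

def stream(keys: dict, doc_id: bytes, i: int) -> bytes:
    """S_i: pseudorandom value tied to the position (HMAC in counter mode)."""
    return prf(keys["seed"], doc_id + i.to_bytes(4, "big"), HALF)

def encrypt_doc(keys: dict, doc_id: bytes, words: list) -> list:
    out = []
    for i, w in enumerate(words):
        x = det_encrypt(keys["enc"], w)              # X_i = E_k''(W_i)
        k_i = prf(keys["kprime"], x[:HALF], 32)      # k_i = f_k'(L_i)
        s_i = stream(keys, doc_id, i)
        t_i = s_i + prf(k_i, s_i, M)                 # T_i = S_i || F_ki(S_i)
        out.append(xor(x, t_i))                      # C_i = X_i xor T_i
    return out

def trapdoor(keys: dict, word: str) -> tuple:
    x = det_encrypt(keys["enc"], word)
    return x, prf(keys["kprime"], x[:HALF], 32)      # (X, k) sent to the server

def server_search(cipher_words: list, x: bytes, k: bytes) -> list:
    """Run by the server with only (X, k); it has to touch every position."""
    hits = []
    for i, c in enumerate(cipher_words):
        t = xor(c, x)                                # equals T_i only when X_i == X
        if hmac.compare_digest(prf(k, t[:HALF], M), t[HALF:]):
            hits.append(i)
    return hits

def decrypt_doc(keys: dict, doc_id: bytes, cipher_words: list) -> list:
    words = []
    for i, c in enumerate(cipher_words):
        s_i = stream(keys, doc_id, i)                # generate S_i
        l_i = xor(c[:HALF], s_i)                     # recover L_i
        k_i = prf(keys["kprime"], l_i, 32)           # recover k_i = f_k'(L_i)
        r_i = xor(c[HALF:], prf(k_i, s_i, M))        # recover R_i, hence X_i
        words.append(det_decrypt(keys["enc"], l_i + r_i))
    return words

if __name__ == "__main__":
    keys = keygen()
    doc = ["alice", "pays", "bob", "alice"]          # constructed sample document
    enc = encrypt_doc(keys, b"doc1", doc)
    print(server_search(enc, *trapdoor(keys, "alice")))
    print(decrypt_doc(keys, b"doc1", enc) == doc)
```

The two occurrences of the same word encrypt to different ciphertexts because $S_i$ differs per position, while the trapdoor for a word is identical on every query, and `server_search` performs one check per stored word.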
First Few Searchable Encryptions Eu-Jin Goh [Goh03] Scheme
Eu-Jin Goh [Goh03] Scheme
Main Contribution
Defined Secure index
Formulated Security Model for indexes
Background
Bloom Filter
A set $S = \{s_1, \ldots, s_n\}$ is represented by an array of $m$ bits.
All array bits are initially set to 0
The filter uses $r$ independent hash functions $h_1, \ldots, h_r$
To determine if an element $a$ belongs to the set $S$, check whether the bits at all positions $h_i(a)$ are 1 or not
Scheme Overview
Key Generation
Given security parameter $s$
$f : \{0,1\}^n \times \{0,1\}^s \to \{0,1\}^s$, a pseudo-random function
$k_1, \ldots, k_r \leftarrow \{0,1\}^s$, keys for hash functions
$K_{priv} \leftarrow (k_1, \ldots, k_r)$
Build Index
Given $K_{priv}$ and a document $D = (w_0, \ldots, w_t)$ with identifier $D_{id}$
For each unique word $w_i$, $i \in [0, t]$:
  - Compute trapdoor: $(x_1 = f(w_i, k_1), \ldots, x_r = f(w_i, k_r)) \in \{0,1\}^{sr}$
  - Compute codeword for $w_i$ in $D_{id}$: $(y_1 = f(D_{id}, x_1), \ldots, y_r = f(D_{id}, x_r)) \in \{0,1\}^{sr}$
  - Insert $y_1, \ldots, y_r$ into $D_{id}$'s Bloom filter $BF$.
Output $I_{D_{id}} = (D_{id}, BF)$ as the index for $D_{id}$.
Trapdoor Generation
Given a keyword w
Tw = (f(w, k1), ..., f(w, kr))
Search
(x1, ..., xr) ← Tw
The index I_Did = (Did, BF) for document Did
Compute the codeword for w in Did: (y1 = f(Did, x1), ..., yr = f(Did, xr)) ∈ {0,1}^(sr)
Test if BF contains 1's in all r locations denoted by y1, ..., yr
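The Key Generation, Build Index, Trapdoor Generation and Search steps above, as an added example that is not code from the slides or from [Goh03]. It assumes f is instantiated with HMAC-SHA256, reduces each codeword modulo m to get a bit position, and uses a constructed sample collection.

```python
import hashlib
import hmac
import secrets

S = 32  # PRF output length in bytes (security parameter s; value assumed here)


def f(msg: bytes, key: bytes) -> bytes:
    """PRF f(msg, key), instantiated with HMAC-SHA256 (assumption of this sketch)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def keygen(r: int):
    """Kpriv = (k1, ..., kr): r independent PRF keys."""
    return [secrets.token_bytes(S) for _ in range(r)]


def trapdoor(kpriv, word: str):
    """Tw = (f(w, k1), ..., f(w, kr)); computable only with Kpriv."""
    return [f(word.encode(), k) for k in kpriv]


def codeword(doc_id: str, tw, m: int):
    """(y1, ..., yr) with yi = f(Did, xi), each reduced to a bit position in [0, m)."""
    return [int.from_bytes(f(doc_id.encode(), x), "big") % m for x in tw]


def build_index(kpriv, doc_id: str, words, m: int):
    """I_Did = (Did, BF): set the r codeword bits of every unique word."""
    bf = bytearray(m)  # one byte per Bloom filter bit, for readability
    for w in set(words):
        for pos in codeword(doc_id, trapdoor(kpriv, w), m):
            bf[pos] = 1
    return doc_id, bf


def search_index(tw, index) -> bool:
    """Server side: recompute the codeword for this Did and test all r bits."""
    doc_id, bf = index
    return all(bf[pos] for pos in codeword(doc_id, tw, len(bf)))


def search(tw, indexes):
    """The server tests every per-document index, so cost is linear in #documents."""
    return [idx[0] for idx in indexes if search_index(tw, idx)]


# Constructed sample collection (not from the slides).
DOCS = {
    "doc-1": ["cloud", "storage", "encryption"],
    "doc-2": ["bloom", "filter", "index"],
    "doc-3": ["encryption", "index", "trapdoor"],
}


def demo(m: int = 4096, r: int = 4):
    """Generate keys and build one Bloom-filter index per sample document."""
    kpriv = keygen(r)
    indexes = [build_index(kpriv, d, ws, m) for d, ws in DOCS.items()]
    return kpriv, indexes


if __name__ == "__main__":
    kpriv, indexes = demo()
    print(search(trapdoor(kpriv, "encryption"), indexes))
```

Because yi depends on Did, the same word sets different bits in each document's filter, so equal filters bits across documents do not reveal shared words. A Bloom filter can report false positives but never false negatives.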
First Few Searchable Encryptions Chang and Mitzenmacher Scheme
Chang and Mitzenmacher [CM05] Scheme
Scheme Description
Privacy Preserving Keyword Searches on Remote Encrypted Data [CM05]
Scheme overview
Skip Now
First Few Searchable Encryptions Issues with the Schemes
Major Issues of Earlier Schemes
Greater Search Complexity: Linear in number of documents
Leaks Access Pattern: Memory addresses of documents that contain the searched keywords
Leaks Search Pattern: Whether two queries were for the same keyword or not
Leakages were not defined
Is there any Solution?
Yes, there is.
SSE can be achieved using oblivious RAMs (O-RAM)
Functionality: can simulate any data structure in a hidden way, and can support conjunctive queries, B-trees etc.
Privacy: hides everything, even the access pattern
Efficiency: logarithmic number of rounds per each read/write
Question?
Can we search over encrypted data in single/constant rounds?
with privacy,
with efficiency
Curtmola et al. [CGKO06] Scheme
Curtmola et al. [CGKO06] Scheme Preliminaries
Background
Inverted Index
Index data structure
Maps content to its locations in a database
D ← {D1, D2, D3, D4}
D1 ← {cryptography, search, symmetric, encryption}
D2 ← {public, encryption, add}
D3 ← {add, public, cryptography}
D4 ← {search, symmetric, encryption, decryption, add}

Content        Locations
encryption     [D1, D2, D4]
symmetric      [D1, D4]
decryption     [D4]
cryptography   [D1, D3]
add            [D3, D4]
search         [D1, D4]
public         [D2, D3]
Table: Inverted Index corresponding to D
Notations
D = (D1, ..., Dn) - Document collection
Di - Document
T - A table
A - An array
Li - The linked list corresponding to Di
F - A PRP
G - A PRG
H - A keyed hash function
Curtmola et al. [CGKO06] Scheme Definition of SSE
Definition
A tuple of PPT algorithms as follows
Key Generation:
  - Input: A security parameter k
  - Output: A secret key K
Encryption: for a document collection D
  - Input: A secret key K and a document collection D = (D1, ..., Dn)
  - Output: A secure index I and a sequence of ciphertexts c = (c1, ..., cn)
Trapdoor Gen: for a keyword w
  - Input: A secret key K and a keyword w
  - Output: A trapdoor t ← Trpdr_K(w)
Search: for the documents in D that contain a keyword w
  - Input: An encrypted index I for a data collection D and a trapdoor t
  - Output: A set X of document identifiers
Decryption: for an encrypted document Di
  - Input: A secret key K and a ciphertext ci
  - Output: A document Di
Curtmola et al. [CGKO06] Scheme Scheme Overview
Build Inverted Index
Encrypt List Entries
Make Search Table
Encrypt 1st Node
Encrypt Table
Search: Generate Trapdoor
Search: Decrypt List
Search: Return Result
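The index-building and search steps named on these slides, as an added sketch in the style of the [CGKO06] linked-list construction; it is not code from the slides or the paper. Assumptions: HMAC-SHA256 stands in for the PRP F, the PRG G and the keyed hash H, each node is encrypted by XOR with a keystream under its own one-time key, and the padding of A and T that hides the collection's size is left out. The collection is D1..D4 from the inverted-index slide.

```python
import hashlib
import hmac
import secrets

ID_LEN, KEY_LEN, ADDR_LEN = 8, 16, 4
NODE_LEN = ID_LEN + KEY_LEN + ADDR_LEN
END = 2**32 - 1  # address value marking the end of a list

# The collection D1..D4 from the inverted-index slide.
DOCS = {
    "D1": ["cryptography", "search", "symmetric", "encryption"],
    "D2": ["public", "encryption", "add"],
    "D3": ["add", "public", "cryptography"],
    "D4": ["search", "symmetric", "encryption", "decryption", "add"],
}


def prf(key: bytes, msg: bytes, n: int) -> bytes:
    """n pseudo-random bytes from HMAC-SHA256 in counter mode (assumed instantiation)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, bytes([ctr]) + msg, hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    """K = (key for table labels, key for masking table entries)."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def build_index(K, docs):
    k_label, k_mask = K
    # Build inverted index: keyword -> list of document identifiers.
    inverted = {}
    for doc_id, words in docs.items():
        if len(doc_id.encode()) > ID_LEN:
            raise ValueError("document identifier too long for a node")
        for w in set(words):
            inverted.setdefault(w, []).append(doc_id)
    # Every list node is stored at a random free position of the array A.
    slots = list(range(sum(len(ids) for ids in inverted.values())))
    secrets.SystemRandom().shuffle(slots)
    A, T = [b""] * len(slots), {}
    for w, ids in inverted.items():
        addrs = [slots.pop() for _ in ids]
        keys = [secrets.token_bytes(KEY_LEN) for _ in ids]
        # Encrypt list entries: node j = (id, key of node j+1, address of node j+1),
        # encrypted under its own one-time key keys[j].
        for j, doc_id in enumerate(sorted(ids)):
            last = j == len(ids) - 1
            nxt_key = bytes(KEY_LEN) if last else keys[j + 1]
            nxt_addr = END if last else addrs[j + 1]
            node = (doc_id.encode().ljust(ID_LEN, b"\0") + nxt_key
                    + nxt_addr.to_bytes(ADDR_LEN, "big"))
            A[addrs[j]] = xor(node, prf(keys[j], b"node", NODE_LEN))
        # Search table: keyed label -> masked (address, key) of the first node.
        head = addrs[0].to_bytes(ADDR_LEN, "big") + keys[0]
        T[prf(k_label, w.encode(), 16)] = xor(head, prf(k_mask, w.encode(), len(head)))
    return A, T


def trapdoor(K, w: str):
    """t = (table label for w, mask that opens w's table entry)."""
    k_label, k_mask = K
    return prf(k_label, w.encode(), 16), prf(k_mask, w.encode(), ADDR_LEN + KEY_LEN)


def search(index, t):
    """Server side: unmask the table entry, then decrypt the list node by node."""
    A, T = index
    label, mask = t
    if label not in T:
        return []
    head = xor(T[label], mask)
    addr, key = int.from_bytes(head[:ADDR_LEN], "big"), head[ADDR_LEN:]
    found = []
    while addr != END:
        node = xor(A[addr], prf(key, b"node", NODE_LEN))
        found.append(node[:ID_LEN].rstrip(b"\0").decode())
        key = node[ID_LEN:ID_LEN + KEY_LEN]
        addr = int.from_bytes(node[ID_LEN + KEY_LEN:], "big")
    return found


if __name__ == "__main__":
    K = keygen()
    print(search(build_index(K, DOCS), trapdoor(K, "encryption")))
```

The server performs one decryption per matching document and answers in a single round, but it still learns which array positions each trapdoor opens (access pattern) and whether a trapdoor repeats (search pattern).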
Curtmola et al. [CGKO06] Scheme Advantages of Curtmola et al. [CGKO06] Scheme
Advantages
Search Complexities
# decryption ← O(Search Result)
Communication Complexities
# rounds ← constant
Privacy
Yes
Dynamic SSE Introduction
Issues
Previous Schemes are STATIC
One encrypted index is generated; it can't be changed
Does not support Addition of document
Does not support Deletion of document
Does not support Addition of word in a document
Does not support Deletion of word from a document
In Practice
Database should support word or file updates
Dynamic SSE
SSE that Supports updates
Definition of Dynamic SSE
Skip Now :)
Few Remarkable works on Dynamic SSE
Dynamic SSE Kamara et al. [KPR12] Scheme
Kamara et al. [KPR12] Scheme
Scheme Overview
1st ever work on Dynamic SSE
Improvement over Curtmola et al. [CGKO06].
Inverted Index Based
Instead of one, used TWO indexes:
  - Search index - Inverted index
  - Deletion index - General index
Example
Issues
Complex Scheme - Difficult to implement
Nodes were at random locations - Sequential operation
Dynamic SSE Kamara et al. [KP13] Scheme
Kamara et al. [KP13] Scheme
Scheme Overview
Search or update can be done in Parallel
Extra: does not leak information about the keywords contained in a newly added or deleted document
Used tree-based multi-map data structure - keyword red-black (KRB) tree
Background
(k, m) Hash Table
A table of (key, value) pairs
key ∈ {0,1}^k
at most m entries
KRB Tree
A table of (key, value) pairs
key ∈ {0,1}^k
at most m entries
KRB-Based Dynamic SSE
Scheme Overview
On White-Board
Dynamic SSE Other Remarkable Works
Remarkable Works Till Today
Stefanov et al. [SPS14] Scheme
Practical Dynamic Searchable Encryption with Small Leakage
Naveed et al. [NPG14] Scheme
Dynamic Searchable Encryption via Blind Storage
Cash et al. [CJJ+14] Scheme
Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation
Hahn and Kerschbaum [HK14] Scheme
Searchable Encryption with Secure and Efficient Updates
Kamara et al. [KM17] Scheme
Boolean SSE with Worst-Case Sub-linear Complexity
Other Papers on Statistical Attacks
Attacks on Searchable Encryption Scheme
Other Papers on Statistical Attacks Islam et al. [IKK12] Attack
Islam et al. [IKK12] Attack
Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation
1st to investigate access pattern disclosure on searchable encryption
Attack the existing Schemes with few assumptions
Provide solution to the problem
Attack Overview
Assumptions
Attacker observes Q = <Q1, ..., Ql> and their responses <RQ1, ..., RQl>
Attacker knows the underlying keywords for a set of k queries: KQ
Attacker has access to an (m × m) matrix M s.t. Mi,j = Pr[(ki ∈ d) ∧ (kj ∈ d)], where d is sampled uniformly from D.
Attack Process
From knowledge of d (sampled uniformly from D)
  - From a publicly known large dataset, e.g. WikiLeaks
  - An inside attacker may have access to a sizable subset of the dataset
From a publicly known large dataset
  - Attacker can calculate the frequency of keywords, i.e., Pr[(ki ∈ d)]
  - Attacker can calculate Mi,j = Pr[(ki ∈ d) ∧ (kj ∈ d)]
They later considered Pr[(ki1 ∈ d) ∧ ... ∧ (kir ∈ d)]
Attack Overview
Attack Result
Knowing only a subset of D, a significant number of queries can be guessed
(α, 0)-secure index
For each keyword, there are at least α − 1 keywords which appear in exactly the same set of documents.
It's hard for an attacker to distinguish a keyword given the query response of that particular keyword.
Proposed a noise addition technique
Inject false positive docs so that the index remains (α, 0)-secure
User can later decrypt the document and reject it if the keyword is not present
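The (α, 0)-secure index condition and the noise-addition idea above, as an added example that is not code from the slides or from [IKK12]. The greedy grouping used here is an assumption of this sketch, not the paper's own procedure; the index is the table from the inverted-index slide, and the plaintext keyword sets are derived from that table.

```python
from collections import defaultdict

# The inverted index exactly as tabulated on the inverted-index slide.
INDEX = {
    "encryption": ["D1", "D2", "D4"],
    "symmetric": ["D1", "D4"],
    "decryption": ["D4"],
    "cryptography": ["D1", "D3"],
    "add": ["D3", "D4"],
    "search": ["D1", "D4"],
    "public": ["D2", "D3"],
}


def alpha_of(index) -> int:
    """Largest alpha for which the index is (alpha, 0)-secure: the size of the
    smallest group of keywords that share exactly the same document set."""
    groups = defaultdict(list)
    for kw, ids in index.items():
        groups[frozenset(ids)].append(kw)
    return min(len(g) for g in groups.values())


def add_noise(index, alpha: int):
    """Greedy padding (assumed strategy): sort keywords by result size, cut them
    into groups of at least alpha, and give each keyword its group's union.
    Only false positives are introduced, never false negatives."""
    if not 1 <= alpha <= len(index):
        raise ValueError("alpha must be between 1 and the number of keywords")
    kws = sorted(index, key=lambda k: (len(index[k]), k))
    groups = [kws[i:i + alpha] for i in range(0, len(kws), alpha)]
    if len(groups) > 1 and len(groups[-1]) < alpha:
        groups[-2].extend(groups.pop())  # fold a short tail into the previous group
    padded = {}
    for group in groups:
        union = sorted(set().union(*(index[k] for k in group)))
        for k in group:
            padded[k] = list(union)
    return padded


def false_positives(index, padded) -> int:
    """Extra document identifiers the server returns: the bandwidth cost of padding."""
    return sum(len(padded[k]) - len(set(index[k])) for k in index)


def documents_of(index):
    """Plaintext keyword sets per document, derived from the index (client's view)."""
    docs = defaultdict(set)
    for kw, ids in index.items():
        for d in ids:
            docs[d].add(kw)
    return dict(docs)


def client_filter(keyword, returned_ids, plaintexts):
    """Client side: after decrypting, reject documents that lack the keyword."""
    return [d for d in returned_ids if keyword in plaintexts[d]]


if __name__ == "__main__":
    padded = add_noise(INDEX, 2)
    print(alpha_of(INDEX), alpha_of(padded), false_positives(INDEX, padded))
```

On this table only `symmetric` and `search` share a response set before padding, so every other keyword is identified by its access pattern alone; after padding each response set is shared by at least α keywords.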
Other Papers on Statistical Attacks Naveed et al. [NKW15] Attack
Inference Attacks on Property-Preserving EDB (Naveed et al. [NKW15])
SKIP NOW
Property Preserving Encryption (PPE)
Leaks a certain property of the plaintext
Order Preserving Encryption (PPE): Reveals the order of the messages (i.e., the order property).
Deterministic Encryption (PPE): Reveals whether they are equal or not (i.e., the equality property).
Where is it Applicable?
Searchable encryption that supports Range queries
PPE Based database CryptDB and its variants
Inference Attacks on Property-Preserving EDB (Naveed et al. [NKW15])
Attack Techniques
Frequency analysis: DTE
lp-optimization: DTE
Sorting attack: OPE
Cumulative attack: OPE
Other Papers on Statistical Attacks Cash et al. [CGPR15] Attack
Leakage-Abuse Attacks (Cash et al. [CGPR15])
Leakage-Abuse Attacks Against Searchable Encryption
Query recovery attack: Determining the plaintext of queries that have been issued by the client
Partial plaintext recovery attack: Reconstruct indexed documents as much as possible
Query recovery attack
Attack Model
Count Attack:
Server knows count(w) ∀ w ∈ W
Full document knowledge
Solution?
Padding
Adding garbage doc ids in the index
Query recovery attack from partially known docs
See Islam et al. [IKK12]
Partial plaintext recovery attack
Known-Document Attack
Active Attacks
Known-Document Attack
Order of Hashes Known
Order of Hashes Unknown
Active Attacks
Hash order known for chosen document
Hash order unknown for chosen documents
Other Papers on Statistical Attacks File Injection Attack (Zhang et al. [ZKP16])
File Injection Attack (Zhang et al. [ZKP16])
Other Papers on Statistical Attacks File Injection Attack (Zhang et al. [ZKP16])
File Injection Attack
All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption
Attack Overview
Focused on query recovery attacks
Applicable to dynamic SSEs
Attack does not require the server to have any knowledge about the client's files
Recovers all the keywords being searched by the client with 100% accuracy
Other Papers on Statistical Attacks File Injection Attack (Zhang et al. [ZKP16])
Binary search Attack
Process
Insert log K files.
ith file contains exactly those keywords whose ith most-significant bit is 1
If a keyword w is searched, the server matches the returned files with its injected ones.
Reduction in # files
If targeted keyword set K′ ⊂ K
Other Papers on Statistical Attacks File Injection Attack (Zhang et al. [ZKP16])
Binary search Attack
Hierarchical File Injection
Considers K′ instead of K
Apply binary search on K
# files to be injected ≈ $\lceil |K|/2T \rceil \cdot (\lceil \log 2T \rceil + 1)$
Solution
The Rest of the Paper
Assume partial knowledge of documents
Attack adaptive and statistical
Applicable to schemes that are not forward private.
Forward Privacy: The server cannot tell if a newly inserted file matches previous search queries
Examples: Stefanov et al. [SPS14], Raphael Bost [Bos16]
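Why forward privacy matters for the binary-search file layout described above, as an added example that is not part of the original slides and is not code from any of the cited schemes. Both index classes are toy models: StaticTokenIndex, CounterIndex, the key and the keyword list are assumptions, and CounterIndex only imitates the forward-privacy property with per-keyword counters.

```python
"""Toy model: replaying an old search token on files inserted later."""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # client secret, constructed for this demo
# Constructed keyword universe K; a keyword's position is its binary code.
KEYWORDS = ["audit", "bonus", "merger", "offer",
            "payroll", "recall", "tender", "visa"]


def prf(label):
    """Keyed PRF (HMAC-SHA256) producing the index label the server stores."""
    return hmac.new(KEY, label.encode(), hashlib.sha256).hexdigest()


def injected_files(keywords):
    """File i holds exactly the keywords whose i-th most-significant bit is 1."""
    nbits = max(1, (len(keywords) - 1).bit_length())
    return [{w for j, w in enumerate(keywords) if (j >> (nbits - 1 - i)) & 1}
            for i in range(nbits)]


def decode(pattern, keywords):
    """Read the hit/miss pattern over the injected files as a keyword index."""
    index = 0
    for hit in pattern:
        index = (index << 1) | int(hit)
    return keywords[index] if index < len(keywords) else None


class StaticTokenIndex:
    """Not forward private: one deterministic label per keyword, valid forever."""

    def __init__(self):
        self.files = []  # server view: one set of labels per stored file

    def add(self, words):
        self.files.append({prf(w) for w in words})

    def token(self, word):
        return {prf(word)}


class CounterIndex:
    """Toy forward-private index: each update of a keyword uses a fresh label."""

    def __init__(self):
        self.files = []
        self.counter = {}  # client state: keyword -> number of updates so far

    def add(self, words):
        labels = set()
        for w in words:
            c = self.counter.get(w, 0)
            labels.add(prf(f"{w}#{c}"))
            self.counter[w] = c + 1
        self.files.append(labels)

    def token(self, word):
        # Covers only the updates that exist when the token is issued.
        return {prf(f"{word}#{c}") for c in range(self.counter.get(word, 0))}


def match_pattern(index_cls, word, query_after_injection=False):
    """Server view: which later-inserted files does the token for `word` hit?"""
    idx = index_cls()
    idx.add({"payroll", "audit"})          # client's own files (constructed)
    idx.add({"merger", word})
    token = idx.token(word)                # token issued before the insertion
    first = len(idx.files)
    for words in injected_files(KEYWORDS):
        idx.add(words)
    if query_after_injection:
        token = idx.token(word)            # token issued after the insertion
    return [bool(labels & token) for labels in idx.files[first:]]


def distinct_patterns(index_cls, query_after_injection=False):
    """Number of different hit patterns over all keywords (1 = nothing leaks)."""
    return len({tuple(match_pattern(index_cls, w, query_after_injection))
                for w in KEYWORDS})


if __name__ == "__main__":
    for cls in (StaticTokenIndex, CounterIndex):
        pattern = match_pattern(cls, "tender")
        print(cls.__name__, pattern, distinct_patterns(cls))
```

In this model a token issued after the files were inserted does cover them, so the forward-private index protects previous queries only, which is exactly what the definition above promises.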
Forward Private DSSE
Forward Private DSSE
Forward Private DSSE Example of Forward-Secure DSSE
Few Examples of Forward-Secure DSSE
Stefanov et al. [SPS14]
Σoφoς (Sophos) Bost [Bos16] in 2016
Bost et al. [BMO17] in 2017
Rizomiliotis and Gritzalis [RG15], ORAM Based
Lai and Chow [LC17] based on Bipartite Graph
We have focused on Σoφoς
Forward Private DSSE Σoφoς
Σoφoς
Divided into two parts
Σoφoς-B
Σoφoς
Forward Private DSSE Σoφoς
Σoφoς-B -> Idea
Forward Private DSSE Σoφoς
Σoφoς-B -> Setup
Forward Private DSSE Σoφoς
Σoφoς-B -> Search
Search(w , σ,EDB)
Forward Private DSSE Σoφoς
Σoφoς-B -> Update
Forward Private DSSE Σoφoς
Problem with Σoφoς-B
No Deletion and Huge Client Storage
Enabling Deletion
Adding Extra Database for Deletion
Search eliminates the deleted docs
Problem: Database size grows with time even after deletion
Any Solution?
Client-Storage Reduction
ST0 can be generated using PRF
From ST0 compute STc
Still, keyword id and counter have to be stored
Results in large computation
Any solution?
Security of SSE Scheme
Security of Searchable Encryption Schemes
Security of SSE Scheme How to Define Security
Security Definition of SSE
First Formal Definition by Curtmola et al. [CGKO06].
Approaches
Indistinguishability
Semantic Security
Adversary Types
Non-Adaptive: Queries don't depend on previous results
Adaptive: Queries depend on previous results
Security of SSE Scheme How to Define Security
Security Definition of SSE
Notations
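$D \leftarrow$ collection of documents
$w \leftarrow \{w_1, \ldots, w_q\}$, set of keywords for queries
History $H \leftarrow (D, w)$
Access pattern $\alpha(H) \leftarrow (D(w_1), \ldots, D(w_q))$
Search pattern $\sigma(H) \leftarrow M = (m_{ij})_{q \times q}$, where $m_{ij} = 1$ if $w_i = w_j$, else $0$
Trace $\tau(H) \leftarrow (|D_1|, \ldots, |D_n|, \alpha(H), \sigma(H))$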
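The notation above computed on data, as an added example that is not part of the original slides: it derives the access pattern, search pattern and trace of a history and shows two different histories with the same trace. The three histories are constructed, document lengths are taken in bytes, and D(w) is taken to be the ids of the documents containing w, both assumptions of this sketch. In Curtmola et al.'s indistinguishability definition the adversary's two histories must have equal traces, which is what same_trace checks.

```python
"""Trace of a history H = (D, w): the leakage an SSE scheme is allowed to show."""

# Constructed histories: (documents by id, sequence of queried keywords).
H0 = ({1: "alpha beta", 2: "gamma beta"}, ("beta", "alpha", "beta"))
H1 = ({1: "delta zeta", 2: "omega zeta"}, ("zeta", "delta", "zeta"))
H2 = ({1: "delta zeta", 2: "omega zeta"}, ("zeta", "delta", "omega"))


def access_pattern(history):
    """alpha(H): for each query, the ids of the documents containing it."""
    docs, queries = history
    ids = sorted(docs)
    return tuple(tuple(i for i in ids if w in docs[i].split()) for w in queries)


def search_pattern(history):
    """sigma(H): q x q matrix with m_ij = 1 exactly when w_i = w_j."""
    _, queries = history
    return tuple(tuple(int(wi == wj) for wj in queries) for wi in queries)


def trace(history):
    """tau(H) = (|D_1|, ..., |D_n|, alpha(H), sigma(H))."""
    docs, _ = history
    lengths = tuple(len(docs[i].encode()) for i in sorted(docs))
    return lengths, access_pattern(history), search_pattern(history)


def same_trace(h_a, h_b):
    """True when the two histories leak exactly the same trace."""
    return trace(h_a) == trace(h_b)


def differing_parts(h_a, h_b):
    """Names of the trace components in which the two histories differ."""
    names = ("document lengths", "access pattern", "search pattern")
    return [n for n, a, b in zip(names, trace(h_a), trace(h_b)) if a != b]


if __name__ == "__main__":
    print("tau(H0) =", trace(H0))
    print("H0 vs H1 same trace:", same_trace(H0, H1))
    print("H0 vs H2 differ in:", differing_parts(H0, H2))
```

H0 and H1 contain different words and different queries but leak the same trace. H2 repeats no query, so its access and search patterns already separate it from H0 without any attack on the encryption.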
Security of SSE Scheme Indistinguishability
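Non-Adaptive Indistinguishability Game $\mathrm{Ind}_{SSE,A}(k)$
Challenger C
$K \leftarrow \mathrm{Gen}(1^k)$
$b \xleftarrow{\$} \{0, 1\}$
parse $H_b$ as $(D_b, w_b)$
$(I_b, c_b) \leftarrow \mathrm{Enc}_K(D_b)$
for $1 \le i \le q$ do $\{t_{b,i} \leftarrow \mathrm{Trpdr}_K(w_{b,i})\}$
$t_b = (t_{b,1}, \ldots, t_{b,q})$
Sends $(I_b, c_b, t_b)$ to A
Adversary A
$(st_A, H_0, H_1) \leftarrow A_1(1^k)$
Sends $(H_0, H_1)$ to C
$b' \leftarrow A_2(st_A, I_b, c_b, t_b)$
Outputs 1 if $b = b'$, else output 0
SSE is secure if $\Pr[\mathrm{Ind}_{SSE,A}(k) = 1] \le \frac{1}{2} + \mathrm{negl}(k)$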
Security of SSE Scheme Indistinguishability
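Adaptive Indistinguishability Game $\mathrm{Ind}^{*}_{SSE,A}(k)$
Challenger C
$K \leftarrow \mathrm{Gen}(1^k)$
$b \xleftarrow{\$} \{0, 1\}$
Generate and send $(I_b, c_b) \leftarrow \mathrm{Enc}_K(D_b)$
Generate and send $t_{b,1} \leftarrow \mathrm{Trpdr}_K(w_{b,1})$
Generate and send $\{t_{b,i} \leftarrow \mathrm{Trpdr}_K(w_{b,i})\}$
Adversary A
$(st_A, D_0, D_1) \leftarrow A_0(1^k)$
Sends $(D_0, D_1)$ to C
$(st_A, w_{0,1}, w_{1,1}) \leftarrow A_1(st_A, I_b, c_b)$
Sends $w_{0,1}, w_{1,1}$
$(st_A, w_{0,i}, w_{1,i}) \leftarrow A_i(st_A, I_b, c_b, t_{b,1}, \ldots, t_{b,q-1})$ and sends $(w_{0,i}, w_{1,i})$
Let $t_b = (t_{b,1}, \ldots, t_{b,q})$
$b' \leftarrow A_2(st_A, I_b, c_b, t_b)$
Outputs 1 if $b = b'$, else output 0
SSE is secure if $\Pr[\mathrm{Ind}^{*}_{SSE,A}(k) = 1] \le \frac{1}{2} + \mathrm{negl}(k)$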
Security of SSE Scheme Real-Ideal Game Paradigm
Non-Adaptive Semantic Security
Adaptive Semantic Security
Security of SSE Scheme Non-Adaptive Semantic Security for DSSE
Adaptive Semantic Security for DSSE
$\mathrm{Real}_A(\lambda)$:
1. The challenger C generates a key K by running $\mathrm{Gen}(1^\lambda)$.
2. A generates a set of files f and sends it to C.
3. C computes $(\gamma, c) \leftarrow \mathrm{Build}(K, f)$ and sends $(\gamma, c)$ to A.
4. A makes a polynomial number of adaptive queries. In each query A sends either a search query for a keyword w or an add query for a file $f_1$ or a delete query for a file $f_2$ to C.
5. Depending on the query, C returns either the search token $t_s \leftarrow \mathrm{SearchToken}(K, w)$ or the add token $t_a \leftarrow \mathrm{AddToken}(K, f_1)$ or the delete token $t_d \leftarrow \mathrm{DelToken}(K, f_2)$ to A.
6. Finally A returns a bit b that is output by the experiment.
$\mathrm{Ideal}_{A,S}(\lambda)$:
1. A generates a set of files f. It gives f and $L_{bld}(f)$ to S.
2. On receiving $L_{bld}(f)$, S generates $(\gamma, c)$ and sends it to A.
3. A makes a polynomial number of adaptive queries $q \in \{w, f_1, f_2\}$. For each query, S is given either $L_{srch}(w, f)$ or $L_{add}(f_1, f)$ or $L_{del}(f_2, f)$.
4. Depending on the query q, S returns to A either the search token $t_s$ or the add token $t_a$ or the delete token $t_d$.
5. Finally A returns a bit b that is output by the experiment.
Security
$|\Pr[\mathrm{Real}_A(\lambda) = 1] - \Pr[\mathrm{Ideal}_{A,S}(\lambda) = 1]| \le \mu(\lambda)$
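The Real and Ideal experiments above, restricted to Build and SearchToken, as an added example that is not from the slides: a toy static index together with a simulator that sees only leakage. The leakage definitions (keyword count for L_bld; search pattern and access pattern for L_srch), the MAXLEN padding bound, the HMAC-based construction and all helper names are assumptions of this example; the file ciphertexts c and the add/delete tokens are left out.

```python
import hmac, hashlib, secrets
MAXLEN = 4  # assumed public bound on matches per keyword; lists are padded to it

def prf(key, tag, w, n=32):
    # HMAC-SHA256 as the PRF; `tag` separates label derivation from pad derivation
    return hmac.new(key, tag + w.encode(), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_ids(ids):
    # one byte per file id (ids < 255), padded with 0xff to a fixed width
    if len(ids) > MAXLEN:
        raise ValueError("more matches than MAXLEN")
    return bytes(sorted(ids)) + b"\xff" * (MAXLEN - len(ids))

def matches(files, w):
    return sorted(fid for fid, words in files.items() if w in words)

# ---- Real world: the challenger C holds K ----
def build(K, files):
    vocab = {w for words in files.values() for w in words}
    return {prf(K, b"L", w): xor(encode_ids(matches(files, w)), prf(K, b"P", w, MAXLEN))
            for w in vocab}

def search_token(K, w):
    return prf(K, b"L", w), prf(K, b"P", w, MAXLEN)

def server_search(gamma, token):
    # what A learns from the index and one token; a missing label yields []
    label, pad = token
    return [b for b in xor(gamma.get(label, b""), pad) if b != 0xFF]

# ---- Leakage functions (assumed definitions for this example) ----
class Leakage:
    def __init__(self, files):
        self.files, self.history = files, []
    def bld(self):
        # L_bld(f): number of distinct keywords
        return len({w for words in self.files.values() for w in words})
    def srch(self, w):
        # L_srch(w, f): (search pattern, access pattern)
        if w not in self.history:
            self.history.append(w)
        return self.history.index(w), matches(self.files, w)

# ---- Ideal world: the simulator S sees only leakage ----
class Simulator:
    def __init__(self, n_keywords):
        self.gamma = {secrets.token_bytes(32): secrets.token_bytes(MAXLEN)
                      for _ in range(n_keywords)}
        self.free = list(self.gamma)  # entries not yet bound to a query
        self.issued = {}              # query id -> token already handed out
    def token(self, qid, ids):
        if qid not in self.issued:
            if ids:   # bind a fresh random entry so that it opens to `ids`
                label = self.free.pop()
                pad = xor(self.gamma[label], encode_ids(ids))
            else:     # keyword in no file: the token must miss the index
                label, pad = secrets.token_bytes(32), secrets.token_bytes(MAXLEN)
            self.issued[qid] = (label, pad)
        return self.issued[qid]

def run_both(files, queries):
    K, leak = secrets.token_bytes(32), Leakage(files)
    gamma, sim = build(K, files), Simulator(leak.bld())
    real = [server_search(gamma, search_token(K, w)) for w in queries]
    ideal = [server_search(sim.gamma, sim.token(*leak.srch(w))) for w in queries]
    return real, ideal
```

The simulator fixes a random index before any query arrives and only later chooses each pad so that the entry opens to the leaked access pattern, which is what lets it answer adaptive queries without knowing K or the keywords.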
Searchable Encryption with Complex Queries
Searchable Encryption with Complex Queries Few Example Schemes
Different Types of Queries
Range Queries
  Given two keywords w1 and w2, find all keywords between w1 and w2.
  An order on the keywords should be defined
  Existing schemes: Ishai et al. [IKLO16], Fisch et al. [FVK+15]
Conjunctive Queries
Disjunctive Queries
Boolean Queries
Substring Queries
Phrase Queries
Generalization of Searchable Encryption
Generalization of Searchable Encryption Few Schemes on Graph Encryption
Graph Encryption
Graph Encryption is a generalization of Searchable Encryption
Searchable Encryption can be considered as a Bipartite Graph
  Set of documents
  Set of keywords
  Each document is connected with multiple keywords
  Each keyword is connected with multiple documents
Lai and Chow [LC17] proposed a forward-secure Searchable Encryption scheme, considering it as a Bipartite Graph
More complex queries can be solved if Graph Encryption becomes efficient
Future Research Direction
Scope of Research
Future Research Direction Forward Secure Schemes
Future Research Directions
Efficient Forward Secure Scheme Design
New techniques can be applied to propose new SSE/DSSE schemes
Efficient Attacks on existing schemes
Provide Solutions to the attacks
Complex queries on Encrypted Data/DSSE
Complex queries on Encrypted Graph
References
Raphaël Bost, Brice Minaud, and Olga Ohrimenko.
Forward and backward private searchable encryption from constrained cryptographic primitives.
In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pages 1465-1482, New York, NY, USA, 2017. ACM.

Raphael Bost.
Sophos - forward secure searchable encryption.
IACR Cryptology ePrint Archive, 2016:728, 2016.

CERT.
2012 cybersecurity watch survey: How bad is the insider threat?
2012.

Reza Curtmola, Juan A. Garay, Seny Kamara, and Rafail Ostrovsky.
Searchable symmetric encryption: improved definitions and efficient constructions.
In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, October 30 - November 3, 2006, pages 79-88, 2006.

David Cash, Paul Grubbs, Jason Perry, and Thomas Ristenpart.
Leakage-abuse attacks against searchable encryption.
In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-6, 2015, pages 668-679, 2015.

David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit S. Jutla, Hugo Krawczyk, Marcel-Catalin Rosu, and Michael Steiner.
Dynamic searchable encryption in very-large databases: Data structures and implementation.
In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014, 2014.

Yan-Cheng Chang and Michael Mitzenmacher.
Privacy preserving keyword searches on remote encrypted data.
In Applied Cryptography and Network Security, Third International Conference, ACNS 2005, New York, NY, USA, June 7-10, 2005, Proceedings, pages 442-455, 2005.

Ben A. Fisch, Binh Vo, Fernando Krell, Abishek Kumarasubramanian, Vladimir Kolesnikov, Tal Malkin, and Steven M. Bellovin.
Malicious-client security in blind seer: A scalable private DBMS.
In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015, pages 395-410, 2015.

Eu-Jin Goh.
Secure indexes.
IACR Cryptology ePrint Archive, 2003:216, 2003.

Florian Hahn and Florian Kerschbaum.
Searchable encryption with secure and efficient updates.
In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages 310-320, 2014.

Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu.
Access pattern disclosure on searchable encryption: Ramification, attack and mitigation.
In 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5-8, 2012, 2012.

Yuval Ishai, Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky.
Private large-scale databases with distributed searchable symmetric encryption.
In Topics in Cryptology - CT-RSA 2016 - The Cryptographers' Track at the RSA Conference 2016, San Francisco, CA, USA, February 29 - March 4, 2016, Proceedings, pages 90-107, 2016.

Seny Kamara and Tarik Moataz.
Boolean searchable symmetric encryption with worst-case sub-linear complexity.
In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part III, pages 94-124, 2017.

Seny Kamara and Charalampos Papamanthou.
Parallel and dynamic searchable symmetric encryption.
In Financial Cryptography and Data Security - 17th International Conference, FC 2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers, pages 258-274, 2013.

Seny Kamara, Charalampos Papamanthou, and Tom Roeder.
Dynamic searchable symmetric encryption.
In the ACM Conference on Computer and Communications Security, CCS'12, Raleigh, NC, USA, October 16-18, 2012, pages 965-976, 2012.

Russell W. F. Lai and Sherman S. M. Chow.
Forward-secure searchable encryption on labeled bipartite graphs.
In Applied Cryptography and Network Security - 15th International Conference, ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings, pages 478-497, 2017.

Muhammad Naveed, Seny Kamara, and Charles V. Wright.
Inference attacks on property-preserving encrypted databases.
In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-6, 2015, pages 644-655, 2015.

Muhammad Naveed, Manoj Prabhakaran, and Carl A. Gunter.
Dynamic searchable encryption via blind storage.
In 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, May 18-21, 2014, pages 639-654, 2014.

Panagiotis Rizomiliotis and Stefanos Gritzalis.
ORAM based forward privacy preserving dynamic searchable symmetric encryption schemes.
In Proceedings of the 2015 ACM Workshop on Cloud Computing Security Workshop, CCSW 2015, Denver, Colorado, USA, October 16, 2015, pages 65-76, 2015.

Emil Stefanov, Charalampos Papamanthou, and Elaine Shi.
Practical dynamic searchable encryption with small leakage.
In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014, 2014.

Dawn Xiaodong Song, David A. Wagner, and Adrian Perrig.
Practical techniques for searches on encrypted data.
In 2000 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 14-17, 2000, pages 44-55, 2000.

Yupeng Zhang, Jonathan Katz, and Charalampos Papamanthou.
All your queries are belong to us: The power of file-injection attacks on searchable encryption.
In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, pages 707-720, 2016.
Questions
Questions?
Thank you