Abstract

Dynamic Searchable Symmetric Encryption for Multiuser (M-DSSE) is an advanced form of symmetric encryption. It extends traditional symmetric encryption to support adding and deleting encrypted data and allows an authenticated group of data users to retrieve their respective desired encrypted data from the dynamic database. However, M-DSSE suffers from privacy concerns regarding forward and backward security. The former allows an attacker to identify the keywords contained in added data by launching file-injection attacks, while the latter allows an attacker to use the search results and the deleted data to learn their content. To our knowledge, these privacy concerns for M-DSSE have not been fully considered in the existing literature. Taking account of this fact, we focus on dynamic searchable symmetric encryption for multiuser meeting the needs of forward and backward security. In order to propose a concrete scheme, the primitives of Pseudorandom Functions (PRF) and the Homomorphic Message Authenticator (HMAC) are employed to construct the inverted index and update the search token. The proposed scheme is proven secure in the random model, and the performance analysis shows that it achieves the enhanced security guarantees at a reasonable price in efficiency.

1. Introduction

Searchable encryption (SE) is popular among the various cloud storage services because a client keeps the ability to selectively retrieve the encrypted data that he or she stored on the cloud, and there are many traditional works [1–5] focusing on it. However, the traditional works cannot meet the usage needs or habits of clients, because clients frequently upload new data, delete or modify encrypted data in the cloud, and share data with others. For example, a regional medical center needs to update its local Electronic Health Records (EHRs) [6] periodically and share them with other medical institutions to conduct advanced research. This means that the regional medical center should be able to update the encrypted data and to authorize others to search over its data storage in the cloud.

To address this, some dynamic searchable encryption schemes [7–11] have been proposed to support data updates. These works are designed for a single client, meaning that only the client itself can search on the cloud, and they cannot meet the requirement to share data. Data sharing is widely used by both individuals and organizations, and we introduce two forms here: one is multiwriter/multireader and the other is single writer/multireader. For ease of exposition, we call the client who owns data the data owner and the clients who share the data the data users. The former means many data owners and many data users, and there have been efforts to design schemes for fine-grained keyword search [12, 13], privacy-preserving attribute-based keyword search [14], and ranked keyword search in arbitrary language [15]. The latter means only one data owner and many data users, which is especially popular among companies, schools, and medical institutions. It was named dynamic searchable symmetric encryption for multiuser (M-DSSE), also called multiclient in [16], and it is the topic that we are interested in.

However, M-DSSE suffers from privacy concerns regarding forward and backward security. The former is that the adversary can use file-injection attacks to compromise the privacy of the data and keywords. This attack was proposed by Zhang et al. [17] in 2016. More specifically, the adversary injects carefully selected files and tricks the client into encrypting them, then identifies the keyword by matching the submitted search tokens against the injected files, and consequently learns all files containing this keyword. This behavior seriously undermines the privacy of data, for example, by disclosing a patient's identity information or home address in EHRs that should be kept private. The latter means that, in most searchable encryption schemes, the identifier of a deleted document can still be retrieved by the server in subsequent searches. Then, when the regional medical center deletes some EHRs, not only is the privacy of the patients disclosed, but the accuracy of the advanced research is also affected.

Both attacks are simple but destructive. Therefore, M-DSSE needs stronger security from a practical and safe point of view, that is, Dynamic Searchable Symmetric Encryption for Multiuser with Forward and Backward Security (FBM-DSSE). Although there are many works concentrating on dynamic symmetric searchable encryption schemes with forward and backward security (FB-DSSE) [18–22], most of them cannot be extended to FBM-DSSE directly. On the one hand, if the method used in FB-DSSE is extended to FBM-DSSE directly, the data owner may need to share the whole key with all users, and users could then do more than search. Specifically, users could change the client's data without restriction and compromise the data's integrity and privacy. On the other hand, the existing FB-DSSE schemes adopt special structures to achieve forward and backward security that are not suitable for extension to the multiuser setting. For example, Li et al. [23] reduce information leakage in SSE by partitioning the inverted index into disjoint partitions and generating subkeyword sets. When searching, the data owner chooses subkeywords according to his own needs, and the server needs to delete all the touched blocks after each search. This search method is complex for users in M-DSSE and may return incomplete search results due to untimely updates. Therefore, it is not feasible to directly apply the methods of FB-DSSE to FBM-DSSE, and how to achieve forward and backward security in M-DSSE remains an open problem.

Considering the serious consequences these security issues may bring and the inflexibility of the methods from FB-DSSE to FBM-DSSE, we believe that solving the security problems in FBM-DSSE is of great practical significance. Taking account of this, we focus on dynamic searchable symmetric encryption schemes supporting multiuser with forward and backward security. To achieve this, we give a concrete FBM-DSSE scheme based on Pseudorandom Functions (PRF), the Homomorphic Message Authenticator (HMAC) [24], and the bitmap index [25, 26].

Our contributions are summarized as follows:

(1) The proposed scheme is forward and backward secure. We combine the homomorphic MAC and the bitmap index to achieve secure and efficient updates of the search token, and we use a PRF to hide the specific correspondence between files and index entries so that update information is not leaked. Specifically, we use pseudorandom functions to reorder the files and the keywords in the index, so the server cannot identify the specific relationship between them and cannot learn any private information beyond the current search results.

(2) The proposed scheme has rich functionality. It supports update operations and the multiuser setting. It also supports verifiability and can realize revocation of a user's access permission. Specifically, if the data owner wants to cancel someone's access right to an updated file but retain the permission for previously searched files, he or she simply does not send the updated search token to that user. Furthermore, our scheme is easily extended to support multifunctional search such as wildcard search [27], similarity search (including Hamming distance and edit distance), fuzzy keyword search [28], and disjunctive [29] (or conjunctive [30]) keyword search.

(3) The proposed scheme has a comprehensive security analysis. We give the correctness of the scheme and a rigorous security proof of forward and backward security according to the definitions in DSSE. The security of the proposed scheme reduces to the existence of pseudorandom functions and a CPA-secure symmetric encryption scheme, which provides a favorable guarantee for a concrete implementation.

The paper is organized as follows. Section 1 is the introduction. Section 2 introduces the related work. Cryptographic tools and notations are introduced in Section 3. Section 4 presents the system model, security model, and the definition of the forward security and the backward security. Section 5 mainly introduces the proposed scheme and the security analysis. Section 6 shows simply how the proposed scheme can be extended to support multifunctional search. Section 7 gives the experiment result and its analyses. At last, the paper is concluded in Section 8.

2. Related Work

Searchable encryption (SE) is popular among various cloud storage services because it protects plaintext information from being leaked to a compromised server while preserving the search functionality. There are two areas in SE: public key encryption with keyword search (PEKS) [2–5] and searchable symmetric encryption (SSE). In this work, we mainly consider SSE.

The first symmetric searchable encryption (SSE) scheme was proposed by Song et al. [1] in 2000. They proposed a special two-layer encryption scheme. Because this scheme needs to scan each file, the search time is linear in the length of the files. The subsequent work is that of Curtmola et al. [31]. They constructed the first inverted index and achieved server work proportional to the number of files containing the queried keyword. There are also many SSE schemes concentrating on rich queries [32–34]. However, those works mainly focused on searchable encryption under static conditions, that is, with no update of files. Because dynamic operations are universal, it is important and necessary to migrate them to cloud services. Therefore, dynamic searchable encryption (DSSE) is more in line with the practical situation.

In 2012, Kamara et al. [7] constructed a DSSE scheme based on the inverted index technique and achieved sublinear search complexity and CKA2 security. They then [8] constructed another dynamic searchable encryption scheme based on a red-black tree index and achieved parallel search of keywords and parallel addition and deletion of files. Other schemes include Naveed et al. [9] based on blind storage, Xia et al. [10] based on a tree-based index, and Guo et al. [11] based on the inverted index. At the same time, DSSE schemes leak some information such as the search pattern (the pattern in search queries), the size pattern [18] (the number of search results), and the access pattern (how the encrypted data or indexes are accessed). These leakages attracted attention. Zhang et al. [17] proposed a file-injection attack in 2016, in which the attacker determines the keywords corresponding to a token by injecting files containing different keywords. This effective attack calls for stronger security in DSSE. The trivial approach of downloading and decrypting all encrypted files to obtain the needed ones contradicts the purpose of searchable encryption. Approaches using secure two-party computation, fully homomorphic encryption, or oblivious RAM to reach a higher level of security consume more local storage space and incur high computational and communication complexity. Both are very expensive and impractical.

In 2014, the terms forward privacy and backward privacy were first proposed by Stefanov et al. [18], and they are the new security goals that dynamic searchable encryption schemes should meet at the practical level. Since 2014, several schemes have been proposed to achieve them using different methods, including but not limited to Stefanov et al. [18] based on a hierarchical structure of logarithmic levels; Bost [19] based on trapdoor permutations, after which they proposed a forward and backward secure scheme relying on primitives such as constrained pseudorandom functions and puncturable encryption [35]; Wang et al. [20] based on a proxy server; Sun et al. [21] based on a symmetric puncturable encryption primitive; and Kim et al. [22] based on a dual dictionary.

As for DSSE for multiple users, some works have been carried out. For multiwriter/multireader, Nair and Rajasree [13] used a bilinear accumulator to implement a fine-grained multiuser solution for search control and access control, and Popa and Zeldovich [36] proposed a method for encrypting different files with different keys. For single writer/multireader, Curtmola et al. [31] proposed the first scheme, with a structure based on broadcast encryption; Wang et al. [20] proposed a multiuser forward secure dynamic searchable symmetric encryption scheme in 2018; and Jarecki et al. [37] used an oblivious PRF to generate keyword trapdoors. However, research on Dynamic Searchable Symmetric Encryption for multiple users with Forward and Backward Security (FBM-DSSE) is still insufficient.

3. Cryptographic Tools and Notions

3.1. Cryptographic Tools
3.1.1. Pseudorandom Functions

There are a security parameter and a polynomial in . There are a key space , a domain , and an output space . Let be a keyed function. We define as the advantage of the adversary against the pseudorandomness of , where is a random element of the key space and is chosen uniformly from all functions from to . If for any PPT adversary the advantage is a negligible function, then we say that the keyed function is pseudorandom.

3.1.2. Homomorphic MAC

In this paper, we will use a construction of a homomorphic message authenticator scheme (HMAC) allowing for homomorphic evaluation and arbitrary composition (i.e., outputs of previously authenticated computations can be used as inputs for new ones). The scheme is simple and efficient and its security relies only on a pseudorandom function.

An HMAC is a 4-tuple of algorithms working as follows:

Setup: For a security parameter , the algorithm outputs the secret key and evaluation key needed in the scheme.
Auth: This algorithm inputs the secret key , a label , and a message , and it outputs the corresponding tag .
Ver: This algorithm inputs the secret key , a program , a message , and its tag , and it outputs (reject) or (accept).
Eval: This algorithm inputs the evaluation key , a circuit , and , and it outputs a new tag .

We restrict the arithmetic circuits used in the proposed scheme to additive gates only, so the size of the produced tags will not grow. The concrete description of the HMAC scheme is given in [24].
3.1.3. Symmetric Encryption

A symmetric encryption consists of the following algorithms:

Gen: For a security parameter , the algorithm outputs the secret key needed in the scheme.
Enc: This algorithm inputs the secret key and a message , and it outputs the corresponding ciphertext . Since may be randomized, we write this as .
Dec: This algorithm inputs the secret key and a ciphertext , and it outputs . We assume that is deterministic, and so write .

CPA-Secure: for a symmetric encryption scheme , the IND-CPA experiment is shown below.

(1) .
(2) Send to the adversary , which can query the random oracle . At last, outputs , where .
(3) , and send it to , where is named the challenge ciphertext.
(4) continues to query the random oracle and outputs a bit .
(5) If , then ; otherwise .

Definition 1. A symmetric encryption scheme is CPA-secure if for every probabilistic polynomial-time adversary there exists a negligible function such that:
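As an added illustration (not code from the paper), the following Python models the five steps of the IND-CPA experiment above and runs the same adversary against two constructed symmetric schemes: a deterministic one, Enc(k, m) = m XOR F_k(0), and a randomized one, Enc(k, m) = r || (m XOR F_k(r)) with a fresh nonce r. HMAC-SHA256 standing in for the PRF F, the adversary's oracle being modeled as an encryption oracle Enc_k, and the scheme names, message sizes, and trial count are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

MSG_LEN = 32  # message length in bytes for this constructed example


def keystream(k: bytes, nonce: bytes) -> bytes:
    """PRF F_k(nonce) used as a one-block keystream (HMAC-SHA256 is an assumed instantiation)."""
    return hmac.new(k, nonce, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicEnc:
    """Constructed weak scheme: Enc(k, m) = m XOR F_k(0). The keystream is reused,
    so equal plaintexts always give equal ciphertexts."""

    @staticmethod
    def gen() -> bytes:
        return secrets.token_bytes(32)

    @staticmethod
    def enc(k: bytes, m: bytes) -> bytes:
        return xor(m, keystream(k, bytes(16)))

    @staticmethod
    def dec(k: bytes, c: bytes) -> bytes:
        return xor(c, keystream(k, bytes(16)))


class RandomizedEnc:
    """Constructed scheme: Enc(k, m) = r || (m XOR F_k(r)) with a fresh 16-byte nonce r."""

    @staticmethod
    def gen() -> bytes:
        return secrets.token_bytes(32)

    @staticmethod
    def enc(k: bytes, m: bytes) -> bytes:
        r = secrets.token_bytes(16)
        return r + xor(m, keystream(k, r))

    @staticmethod
    def dec(k: bytes, c: bytes) -> bytes:
        r, body = c[:16], c[16:]
        return xor(body, keystream(k, r))


class CompareAdversary:
    """Queries the oracle on m0 once, then guesses b' = 0 iff the challenge equals that reply."""

    def choose(self, oracle):
        m0, m1 = b"A" * MSG_LEN, b"B" * MSG_LEN
        return m0, m1, oracle(m0)  # state kept for the guess phase

    def guess(self, oracle, challenge: bytes, state: bytes) -> int:
        return 0 if challenge == state else 1


def ind_cpa(scheme, adv, b=None) -> int:
    """One run of the experiment: (1) key generation, (2) oracle access and choice of
    (m0, m1), (3) challenge ciphertext of m_b, (4) further oracle access and a guess b',
    (5) output 1 iff b' == b."""
    k = scheme.gen()
    oracle = lambda m: scheme.enc(k, m)
    m0, m1, state = adv.choose(oracle)
    if b is None:
        b = secrets.randbelow(2)
    challenge = oracle((m0, m1)[b])
    b_guess = adv.guess(oracle, challenge, state)
    return 1 if b_guess == b else 0


def advantage(scheme, adv, trials: int = 400) -> float:
    """Empirical |Pr[experiment outputs 1] - 1/2| over independent runs with random b."""
    wins = sum(ind_cpa(scheme, adv) for _ in range(trials))
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    adv = CompareAdversary()
    print("deterministic scheme, advantage:", advantage(DeterministicEnc, adv))  # 0.5: always wins
    print("randomized scheme, advantage:", advantage(RandomizedEnc, adv))        # close to 0
```

The deterministic scheme is broken by a single oracle query, because the challenge ciphertext of m0 is identical to the reply the adversary already holds; the randomized scheme answers every query with a fresh nonce, so the comparison never fires and the adversary is reduced to guessing.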

3.2. Notations

We show some notations used in the proposed scheme in Table 1.

4. System Model and Security Model

4.1. System Model

As shown in Figure 1, the system model consists of three entities: the data owner, data users, and the cloud server.

4.1.1. Data Owner

The data owner extracts the keywords from files and constructs the plain index. Then, he encrypts all files and the index with different private keys and uploads the encrypted EDB to the cloud server. Besides that, he is also responsible for managing users and updating files. More specifically, he distributes keys, updates tokens to users, and sends the updated encrypted files and index to the cloud server. And the data owner is assumed to be always trusted.

4.1.2. Cloud Server

The main job of the cloud server is to store the encrypted files and index from the data owner and to perform searches for data users. When receiving update information from the data owner, it updates the encrypted database. Upon receiving search requests from data users, it performs the search operation over the index and returns the search results to the data users. The cloud server is regarded as an honest-but-curious entity. That is to say, it performs the algorithms honestly but tries to learn as much additional information as it can. Besides, the cloud server may return invalid or outdated search results to the data user because of computation mistakes.

4.1.3. Data Users

Data users are authorized by the data owner, who shares with them some keys needed in the scheme. When they want to search for files containing a keyword of interest, they send the search token to the cloud server and receive the search results. Furthermore, they can verify the validity of the results with the help of the data owner. The data users are assumed to be always trusted.

4.2. Security Model

We use two games and to define the security of DSSE. The is the same as the real DSSE. The is conducted by a simulator with the leakage of DSSE. The leakage of DSSE is parameterized by a function , which describes the information leaked to the adversary . The adversary interacts with or and guesses which. If the adversary can correctly guess the game it interacts with only with negligible advantage, then we say the DSSE is secure, because the leaked information is limited to the leakage function .

: the adversary chooses a database DB and inputs it; then this game performs and outputs EDB. During the search phase, the adversary runs a search query or an update query , where is the operation and is the identifier of the file. The game outputs the search results by performing or . Eventually, outputs a bit.

: the adversary chooses a database DB and inputs it; then the simulator performs and outputs EDB. During the search phase, the adversary runs a search query or an update query . The simulator outputs the search results by performing the leakage function or . Eventually, outputs a bit.

Definition 2. A DSSE scheme is -adaptively secure if for every PPT adversary there exist an efficient simulator and a negligible function such that

4.3. Forward and Backward Security

In 2016, Bost [19] defined the traditional notion of forward privacy: the server cannot link newly updated files with previously searched keywords. Li et al. [23] further defined forward update privacy, strong forward search privacy, and weak forward search privacy. Forward update privacy requires that the information leaked by an update operation be no more than the identifier and the number of keywords of the newly updated files. Strong forward search privacy implies a fully oblivious search operation, which is too strong a notion to achieve without expensive protocols such as ORAM or PIR. Weak forward search privacy means the leaked information is the list of files containing the keyword at time . Our scheme achieves forward update privacy and weak forward search privacy, but for consistency with most studies we adopt the traditional forward privacy, which is defined as follows.

Definition 3. A -adaptively secure DSSE scheme is forward secure if the update leakage function can be written as
where is the set of modified documents paired with the number of modified keywords for the updated document . In particular, the leakage function in this paper.

In 2014, the term backward privacy was first proposed by Stefanov et al. [18], and it was clearly defined by Bost et al. [35] in 2017. They defined three levels of backward privacy, from to , and Zuo et al. [26] formulated the most secure definition in 2019. Our construction adopts the latter, which is defined as follows.

Definition 4. A -adaptively secure DSSE scheme is backward private if the search and update leakage functions can be written as
where is a timestamp, is a search pattern, represents all file identifiers that currently match , and and are stateless.

5. The Proposed Scheme

5.1. Overview

We mainly consider how to achieve forward and backward security when the cloud server is semihonest and the users are honest (the collusion between the cloud server and the user is not considered here). In order to achieve such a security goal, we use a pseudorandom function to shuffle the order of files so that the cloud server cannot identify the specific relationship between the index and the files from the search results and cannot get any private information.

First, the search token of a keyword must change after an update; otherwise, the cloud server learns whether the newly updated documents match a previously searched keyword. Here, to reduce the computational complexity of the index update and to let the user update the search token easily, we adopt the HMAC primitive. The plain index is regarded as the message and is regarded as the symmetric key of the encrypted . In this case, the data owner only needs to send to the user, and the user invokes the algorithm to get the latest key, which can be used to generate a search token.

Second, so that the cloud server cannot obtain the specific relationship between the index and the files, we assign a key to each column. When an update occurs, we use a PRF to reorder the columns corresponding to the files and re-encrypt those files with the new key. It can be seen that our scheme is more suitable for scenarios where the ratio of updated files is relatively large.

Third, there will still be cases where a file has not been updated and its relationship with the column of the index has not changed. The adversary cannot distinguish these cases because the index has been re-encrypted with the CPA-secure symmetric encryption scheme.

5.1.1. The Bitmap Index

In this article, we use the bitmap index, which is an inverted index with search time. Specifically, we first extract keywords from the files. The bitmap index is a matrix of 0s and 1s. The columns of the matrix correspond to the files and the rows to the keywords. If the entry in the th row and the th column is 1, the keyword is contained in the file, and 0 otherwise. The advantage of the bitmap is that updates of the index are easy to implement.

For simplicity, take a small example with 5 files at time . The index of the keyword corresponding to the th row is represented by the binary string 01001, which indicates that the files corresponding to the 2nd and 5th columns contain . At time , the index of is updated and becomes 01100, which means that the files corresponding to columns 2 and 3 now contain , and the file corresponding to column 5 does not contain any more. To update the index and the search token, the data owner only needs to change the index from 01001 to 01100, which is an easy operation.

5.1.2. The Homomorphic Message Authenticator

When data is updated, the data owner needs to update the search token and send it to the data users; otherwise they can no longer search on the cloud. For clarity and simplicity, we continue with the above example. The data owner updates the search token by calculating and sends to the data users. Then, the users execute and get the new search token. Since only the data users have the evaluation key, the interaction does not need a secure channel. Furthermore, the communication overhead is only one HMAC tag, which efficiently reduces the transmission complexity, and the whole process is simple.
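As an added example (not the paper's code, and not a reproduction of [24]), the following Python implements a homomorphic MAC for additive-only circuits in the Catalano-Fiore style, whose security rests on a PRF, and walks through the token-update exchange sketched above with the bitmap row of the running example encoded as an integer (01001 = 9, 01100 = 12). The field size P, the labels, the use of HMAC-SHA256 as the PRF, and the integer encoding of bitmap rows are assumptions of this example; whether they match the construction in [24] is not claimed.

```python
import hmac
import hashlib
import secrets
from typing import List, Optional, Tuple

P = (1 << 127) - 1  # prime field Z_p for tags (a constructed parameter of this example)
Tag = Tuple[int, int]  # coefficients (y0, y1) of the degree-1 polynomial y(X) = y0 + y1*X


def prf(K: bytes, label: str) -> int:
    """r_tau = F_K(tau) in Z_p. Python's hmac module is a hash-based MAC used here only
    as the PRF; it is unrelated to the paper's HMAC (homomorphic MAC) acronym."""
    digest = hmac.new(K, label.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


def setup() -> Tuple[Tuple[bytes, int], Optional[bytes]]:
    """Setup: secret key sk = (K, alpha); the evaluation key is empty in this construction,
    so Eval needs no secret material."""
    K = secrets.token_bytes(32)
    alpha = secrets.randbelow(P - 1) + 1  # nonzero, hence invertible mod P
    return (K, alpha), None


def auth(sk: Tuple[bytes, int], label: str, m: int) -> Tag:
    """Auth: the tag is the line y(X) through (0, m) and (alpha, r_tau)."""
    K, alpha = sk
    y0 = m % P
    y1 = (prf(K, label) - y0) * pow(alpha, -1, P) % P
    return (y0, y1)


def eval_add(ek: Optional[bytes], tags: List[Tag]) -> Tag:
    """Eval for a circuit of additive gates: coefficient-wise sum of the tag polynomials.
    The degree stays 1, so the tag size does not grow (the restriction in Section 3.1.2)."""
    y0 = sum(t[0] for t in tags) % P
    y1 = sum(t[1] for t in tags) % P
    return (y0, y1)


def verify(sk: Tuple[bytes, int], labels: List[str], m: int, tag: Tag) -> bool:
    """Ver for the program 'sum of the inputs with these labels': recompute
    rho = sum r_tau and accept iff y(0) == m and y(alpha) == rho."""
    K, alpha = sk
    rho = sum(prf(K, lab) for lab in labels) % P
    y0, y1 = tag
    return y0 == m % P and (y0 + y1 * alpha) % P == rho


def token_update_demo() -> Tuple[bool, bool, bool]:
    """Constructed walk-through of Section 5.1.2: the owner authenticates the old row
    (01001 = 9) and the signed delta (+3) under distinct labels; the user adds the tags
    with Eval and holds a tag for the new row (01100 = 12)."""
    sk, ek = setup()
    old_tag = auth(sk, "w1|t0", 9)         # tag for the row at time t
    delta_tag = auth(sk, "w1|t0->t1", 3)   # the only thing sent for the update
    new_tag = eval_add(ek, [old_tag, delta_tag])
    labels = ["w1|t0", "w1|t0->t1"]
    genuine = verify(sk, labels, 12, new_tag)
    wrong_message = verify(sk, labels, 13, new_tag)
    tampered = verify(sk, labels, 12, ((new_tag[0] + 1) % P, new_tag[1]))
    return genuine, wrong_message, tampered


if __name__ == "__main__":
    print(token_update_demo())  # (True, False, False)
```

Because Eval is plain coefficient addition, the update message is a single tag regardless of how many earlier updates it builds on, and a verifier holding sk can check the accumulated row against the list of labels without seeing the intermediate deltas; changing either the claimed message or a tag coefficient makes verification fail.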

5.1.3. The Pseudorandom Functions

Pseudorandom functions are mainly used to generate the bitmap index. For example, there are 5 files and 3 keywords . At time , the files are mapped to and the keywords to by pseudorandom functions. The former means the first column of the index indicates , the second one , and so on. The latter shows that the first row of the index indicates , the second one , and the last .
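To make Sections 5.1.1 and 5.1.3 concrete, here is an added Python example (not the paper's code) that builds the bitmap index, applies the 01001 to 01100 update from the running example, and uses a keyed PRF to put files (columns) and keywords (rows) in a pseudorandom order that changes with the key; it also goes beyond the text by performing the conjunctive search of Section 6 as a bitwise AND of rows. HMAC-SHA256 as the PRF, the file and keyword names, and the keys are assumptions of this example.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


def prf(key: bytes, label: str) -> int:
    """Keyed PRF F_K(label) -> integer (HMAC-SHA256 is an assumed instantiation)."""
    return int.from_bytes(hmac.new(key, label.encode(), hashlib.sha256).digest(), "big")


def prf_order(key: bytes, names: Iterable[str]) -> List[str]:
    """Pseudorandom ordering of names under key (Section 5.1.3): each name is placed by
    its PRF value, so a fresh key yields a fresh order that cannot be linked to the old one."""
    return sorted(names, key=lambda n: prf(key, n))


def build_bitmap(files: Dict[str, Set[str]], keywords: List[str], key: bytes
                 ) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Bitmap index (Section 5.1.1): columns are files, rows are keywords, and bit j of
    rows[w] is '1' iff the file in column j contains w. Column and row order are both
    derived from the PRF under key, with distinct labels for the two domains."""
    cols = prf_order(key + b"|cols", files.keys())
    row_order = prf_order(key + b"|rows", keywords)
    rows = {w: "".join("1" if w in files[f] else "0" for f in cols) for w in keywords}
    return cols, row_order, rows


def search(rows: Dict[str, str], cols: List[str], w: str) -> List[str]:
    """Single-keyword search: return the files whose column holds a 1 in the row of w."""
    return [f for f, bit in zip(cols, rows[w]) if bit == "1"]


def conjunctive_search(rows: Dict[str, str], cols: List[str], ws: List[str]) -> List[str]:
    """Conjunctive search over the bitmap: AND the rows of all keywords, then read off
    the columns that remain set."""
    acc = [True] * len(cols)
    for w in ws:
        acc = [a and bit == "1" for a, bit in zip(acc, rows[w])]
    return [f for f, keep in zip(cols, acc) if keep]


def update_row(row: str, cols: List[str], add: Iterable[str] = (), delete: Iterable[str] = ()) -> str:
    """Flip the bits of one row for added and deleted files (the 01001 -> 01100 step)."""
    bits = list(row)
    for f in add:
        bits[cols.index(f)] = "1"
    for f in delete:
        bits[cols.index(f)] = "0"
    return "".join(bits)


# Constructed sample: 5 files and 3 keywords; w1 is in f2 and f5, so its row in the
# natural column order f1..f5 is 01001, exactly the paper's running example.
FILES = {"f1": {"w2"}, "f2": {"w1", "w3"}, "f3": {"w2", "w3"}, "f4": set(), "f5": {"w1"}}
KEYWORDS = ["w1", "w2", "w3"]
NATURAL = ["f1", "f2", "f3", "f4", "f5"]


def running_example() -> Tuple[str, str]:
    """Rows of w1 at time t (01001) and after the update at time t' (01100)."""
    row_t = "".join("1" if "w1" in FILES[f] else "0" for f in NATURAL)
    row_t2 = update_row(row_t, NATURAL, add=["f3"], delete=["f5"])
    return row_t, row_t2


def shuffled_search(key: bytes, w: str) -> Tuple[List[str], List[str]]:
    """Build the index under key (pseudorandom column order) and search for w; the hit
    set is the same for every key even though the column order differs."""
    cols, _, rows = build_bitmap(FILES, KEYWORDS, key)
    return cols, search(rows, cols, w)


if __name__ == "__main__":
    print(running_example())                       # ('01001', '01100')
    cols_t, hits = shuffled_search(b"key at time t", "w1")
    print(cols_t, sorted(hits))                    # pseudorandom order, hits ['f2', 'f5']
    c, _, r = build_bitmap(FILES, KEYWORDS, b"key at time t")
    print(conjunctive_search(r, c, ["w2", "w3"]))  # ['f3']
```

Rebuilding under a new key after an update gives the server a row string whose bit positions no longer correspond to the positions in the previous index, which is the reordering step the scheme relies on; the search result is a set of files and is unaffected by which permutation was used.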

5.2. Concrete Construction

Now we are ready to give our dynamic searchable symmetric encryption scheme for multiuser with forward and backward security. Our scheme is based on the framework of and calls and a keyed PRF. The scheme is defined by Algorithm 1.

Setup:
(1)input a security parameter
(2)generate
(3)set
(4)set
Update:
data owner:
(1)if then
(2) extract keywords from the files
(3) attach keys with column identifiers
(4) for each column identifier
(5)  
(6) (match files to column identifiers and encrypt files)
(7) for each file
(8)  
(9)  
(10) if that does not match files
(11)  
(12)  
(13)
(14)(generate bitmap index)
(15) for each keyword
(16)  
(17)  
(18)  :
(19)  
(20)  
(21)  
(22)  
(23)
(24)
(25) send to cloud server
(26)else if
(27) forming the
(28) for each file
(29) if
(30)  
(31) if
(32)  
(33)  
(34)(reorder)
(35)
(36)
(37) for each file
(38)  
(39) (generate the new index)
(40) for each
(41)  if the
(42)   
(43)   
(44)   
(45)  if the
(46)   
(47)
(48) for each
(49)   
(50)   
(51)   
(52)   
(53)   
(54)   
(55)   
(56)   
(57)
(58) send to cloud server
(59) send to users
Search:
user
(1)if there is no update, then
(2)
(3)
(4)else
(5)
(6)
(7)
(8)sends to cloud server
cloud server:
(9)if cannot be found in UL, then
(10) output error
(11)else
(12)
(13)
(14)
(15) if
(16)  
(17)returns and to user

Setup:

The algorithm is run by the data owner. For a security parameter , it outputs the and needed in the scheme.

Update:

The algorithm is also run by the data owner. At the beginning, the initial index and EDB are empty, so when , it is the first time the data owner adds files. When , it means a normal update operation. Note that, to be consistent with the DSSE structure, we have omitted the algorithm for adding users from Algorithm 1 FBM-DSSE; that algorithm is defined as Algorithm 2: Adduser.

Adduser:
(1)
(2)
(3)sends to cloud server

Search:

This polynomial-time algorithm is executed by the cloud server and the users. When a data user wants to search for , he runs lines 1 to 8, generates the search token , and sends it to the cloud server. Then, the cloud server verifies the legitimacy of the user and performs the search. Finally, the cloud server outputs the search results.

For the same reason, we have also omitted the decryption and verification algorithms from Algorithm 1 FBM-DSSE. They are defined as Algorithm 3: Decrypt and Algorithm 4: Verify.

Decrypt:
(1)
(2)
Verify:
(1)transform to and send to data owner
(2)if
(3)returns “reject”
(4)if
(5)returns “accept”

5.3. Security Analysis

In this section, we first present the correctness of the proposed scheme and then give the security analysis.

5.3.1. Correctness

If the user wants to search for files containing the keyword at time , he executes lines 1–8 of the search algorithm and then sends the search token of to the cloud server. The encrypted index stored in the cloud is generated by the same pseudorandom function, which ensures that the searched keyword is matched correctly. Second, according to the bitmap index generation process and the semihonesty of the cloud server, the cloud server searches for 1s in the index row and returns the corresponding files, so every returned file does contain the keyword .

5.3.2. Security Analysis

We now give the security analysis of the proposed scheme.

Theorem 1 (adaptive security of FBM-DSSE). Let be a secure PRF, be a CPA-secure symmetric encryption scheme, and be a secure homomorphic message authenticator scheme. We define
where and . Then, FBM-DSSE is -adaptively secure.

Proof. As mentioned above, the server is a semihonest adversary who correctly follows the protocol but attempts to use the messages received to learn information that should remain private. The challenger is responsible for generating EDB and the search tokens of . The simulator simulates the view between and according to the leakage functions .

Game: is the same as the real-world game , and there is

Game: in , when querying to generate the key for a column , the challenger chooses a new random key if the column has never been queried before and stores it in a table Key. Otherwise, it returns the key corresponding to in the table Key. The adversary cannot distinguish between and ; otherwise we could build an adversary that distinguishes from a truly random function. More formally,

Game: in , we model as a table just as in ; then we can build an adversary that distinguishes from a truly random function, and there is

Similarly, we build for and for .

Game: in , as shown in Algorithm 1, in the update stage the challenger randomly picks a string for every keyword as the updated index and gets the new EDB. We now show that the probability that the adversary learns anything beyond the new EDB is negligible.

(1) In the update stage, changed the order of the keywords in the new index. The two search tokens were and . The adversary cannot obtain specific information about the keywords from them. Even if the index corresponding to a keyword has not changed, generates a corresponding tag for a string of 0s; otherwise, it would conflict with the authentication of the HMAC.

(2) The probability of using the search token corresponding to the keyword to decrypt the indexes of other keywords is negligible. Even if the indexes are the same, the difference among keywords leads to different corresponding keys, so it is impossible to achieve , where ; otherwise it would contradict the security of the symmetric encryption.

(3) Similarly, even if a file has not changed and the corresponding encryption key has not changed, an adversary cannot obtain relevant information about the file from the ciphertext of the index, because the symmetric encryption is CPA-secure.

(4) Obviously, an adversary who does not have cannot obtain a new key even if he obtains ; otherwise there would be an adversary that breaks the security of the HMAC.

Simulator. We can replace the searched keyword with in to obtain the simulator . We are now ready to show that and Simulator are indistinguishable. For update, it is obvious since we choose a new index for each update in . For search, chooses a new search token according to , which can be modeled by tables, and does the encryption. So,

Finally,

where is negligible, which completes the proof.

Corollary 1 (adaptive forward privacy of FBM-DSSE). FBM-DSSE is forward private.

Proof. From Theorem 1, we can infer that FBM-DSSE achieves forward privacy because the leakage function of FBM-DSSE does not leak more information than that defined in Definition 3.

Corollary 2 (adaptive backward privacy of FBM-DSSE). FBM-DSSE is backward private.

Proof. From Theorem 1, we can conclude that FBM-DSSE achieves backward privacy, since the leakage functions of FBM-DSSE only leak the same information as defined in Definition 4.

6. Extension to Multifunctional Search

Thanks to the bitmap index, our scheme is easily extended to support multifunctional search. Specifically, Hu et al. [29] proposed an efficient and secure multifunctional searchable symmetric encryption scheme that supports wildcard search, similarity search (including Hamming distance and edit distance), fuzzy keyword search, and disjunctive keyword search simultaneously. Hu's scheme builds a Bloom filter for every keyword, followed by an encrypted index , where is the symmetric private key and is a random value generated by a random function. If one replaces the encrypted index in [29] with our bitmap index, the new scheme achieves all the functional searches of [29].

As for conjunctive keyword search, earlier schemes first search for one keyword at a time and then combine the results. Our scheme can do this more effectively. First, the data user provides the search tokens of the keywords to the server; then, the server decrypts the corresponding rows in the bitmap index, conducts the conjunctive operation on them, and finally returns the result set.

7. Performance Analysis

In this section, we first summarize the comparisons between our scheme and prior forward private schemes. See Table 2, where F/B in the security column shows forward privacy/backward privacy, respectively, where B1 means backward privacy, B describes backward privacy, and B3 indicates backward privacy. NA/A means the scheme has nonadaptive/adaptive indistinguishability security; D/S in the dynamism column describes dynamic or static; S/M shows single/multi-user; R in the computational complexity column denotes the number of rounds in the search phase; Do represents the data owner; D denotes the number of documents in the document collection; N is the number of keyword/file-identifier pairs; is the number of added/deleted entries for keyword ; W is the collection of distinct keywords; is the computational time of a modular addition; is the number of files currently matching keyword ; means the number of subkeywords; and is the number of the keywords whose has changed.

Then, we evaluate the performance of the proposed scheme. We implement our scheme under Linux on a Windows 10 machine with an Intel Core i7-8550U CPU 2.00 GHz processor and 16 GB memory. We simulate the update algorithm and the search algorithm on this machine to evaluate the computation time cost of our scheme. In our experiment, the size of each file is 50 kB, the number of keywords is 5,000, and the symmetric encryption scheme and public key encryption scheme are AES and RSA, respectively. We vary the number of files from 10,000 to 100,000 in increments of 10,000.

In the update phase, the data owner needs times (number of columns) symmetric encryption operations, times index homomorphic message authentication, and times symmetric encryption; Figure 2 shows the total time required to generate the index.

In the search phase, the user only needs to perform the public key encryption operation once, and if there is an update, he needs to perform another homomorphic operation (when only one keyword is searched); Figures 3 and 4 illustrate the time cost of search token generation for users and search time for the cloud server.

In the search phase, the server needs to perform a public key decryption operation and a symmetric decryption operation. Figure 5 displays the time cost of search for the server, which is dominated by the RSA operation.

These figures illustrate that the effect of the increase in the number of files on the search phase is linear, which is reasonable, but that index generation grows exponentially. The crux of our scheme is the update algorithm, so we conclude that the proposed scheme is more suitable for small databases and achieves the enhanced security guarantees at a reasonable price in efficiency.

In order to simplify the update algorithm, we propose two more efficient methods for updating at the cost of losing some security. It is a tradeoff between efficiency and security.

One is a new update algorithm named the . For files that will not be updated in the short term, the data owner calculates the ciphertexts from time to time , where is a cycle. When the data owner updates at time , he arranges them in the corresponding column in chronological order. If the update time is , the data owner only needs to upload the files that need to be changed and a certain amount of dummy data, without downloading the files that do not change. Taking as an example, the specific description is as follows.

Suppose there are and the time periods are, respectively, . Call in advance from to , and they are mapped to . When the data owner updates data at time , he encrypts the with (where means the column’s key), the with , the with , the with , and the with , and sends to the server.

When the user searches at time and the search result is , the server just returns . This new update algorithm can efficiently reduce the communication complexity of updates during the period.

Another method is that the data owner can use a proxy server. The proxy server is semihonest in the sense that it honestly runs the protocols but is curious to obtain private information. Additionally, it cannot collude with the cloud server. The proxy server is mainly responsible for updating the database. Specifically, the data owner calculates the updated ciphertext together with the proxy server and stores it on the proxy server. The proxy server then interacts with the cloud server according to the specified time period and updates the ciphertext. Moreover, it is also responsible for updating the trapdoor. We are further studying how to construct an FBM-DSSE scheme under a proxy server or a malicious server in future work.

8. Conclusions

In this work, we propose a Dynamic Searchable Symmetric Encryption scheme for multiuser with Forward and Backward Security (FBM-DSSE). The proposed scheme realizes forward and backward security in dynamic searchable symmetric encryption for multiuser. More specifically, the proposed scheme adopts a keyed pseudorandom function to hide the correspondence between files and indexes, uses symmetric encryption to improve the efficiency of file encryption and update, and uses HMAC to improve the efficiency of updating search tokens as files are changed. Furthermore, our scheme also supports verifiability and can be extended to multifunctional search. Further research work aims to reduce the computational complexity and communication complexity of the data owner and server. It will also combine access control to achieve fine-grained user management and file search.

Data Availability

All data included in this study are available upon request from the corresponding author.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant nos. 61772311 and 62072276).