Searchable symmetric encryption: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 07:00, 22 February 2022 edit Eagleash (talk \| contribs) Extended confirmed users 108,991 edits date value and line feed ref error msgs Tag: Visual edit ← Previous edit		Latest revision as of 02:57, 26 August 2025 edit undo 101.96.76.102 (talk) →History of Searchable Symmetric Encryption: Fixed typo Tags: Mobile edit Mobile web edit
(30 intermediate revisions by 15 users not shown)
Line 1: {{Short description\|System allowing searching of encrypted documents}} '''Searchable symmetric encryption''' ('''SSE''') is a is a form of [[encryption]] that allows one to efficiently search over a collection of encrypted documents or files without the ability to decrypt them.<ref name=":0">{{Cite journal\|last1=Dawn Xiaoding Song\|last2=Wagner\|first2=D.\|last3=Perrig\|first3=A.\|title=Practical techniques for searches on encrypted data\|url=http://dx.doi.org/10.1109/secpri.2000.848445\|journal=Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000\|year=2000\|pages=44–55\|publisher=IEEE Comput. Soc\|doi=10.1109/secpri.2000.848445\|isbn=0-7695-0665-8\|s2cid=2829840}}</ref><ref name=":1">{{Cite journal\|last1=Curtmola\|first1=Reza\|last2=Garay\|first2=Juan\|last3=Kamara\|first3=Seny\|last4=Ostrovsky\|first4=Rafail\|date=2006-10-30\|title=Searchable symmetric encryption: improved definitions and efficient constructions\|url=https://doi.org/10.1145/1180405.1180417\|journal=Proceedings of the 13th ACM Conference on Computer and Communications Security\|series=CCS '06\|___location=Alexandria, Virginia, USA\|publisher=Association for Computing Machinery\|pages=79–88\|doi=10.1145/1180405.1180417\|isbn=978-1-59593-518-2\|s2cid=961719}}</ref> SSE can be used to outsource files to an untrusted cloud storage server without ever revealing the files in the clear but while preserving the server's ability to search over them. ▼ [[File:Searchable Symmetric Encryption (SSE) scheme.png\|thumb\|400x400px\|Keyword search using an SSE scheme]] ▲'''Searchable symmetric encryption''' ('''SSE''') ~~is a~~ is a form of [[encryption]] that allows one to efficiently search over a collection of encrypted documents or files without the ability to decrypt them.<ref name=":0">{{Cite ~~journal~~book\|last1=Dawn Xiaoding Song\|last2=Wagner\|first2=D.\|last3=Perrig\|first3=A.\|title=Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000 \|chapter=Practical techniques for searches on encrypted data \|chapter-url=http://dx.doi.org/10.1109/secpri.2000.848445~~\|journal=Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000~~\|year=2000\|pages=44–55\|publisher=IEEE Comput. Soc\|doi=10.1109/secpri.2000.848445\|isbn=0-7695-0665-8\|s2cid=2829840}}</ref><ref name=":1">{{Cite ~~journal~~book\|last1=Curtmola\|first1=Reza\|last2=Garay\|first2=Juan\|last3=Kamara\|first3=Seny\|last4=Ostrovsky\|first4=Rafail~~\|date=2006-10-30~~\|title=~~Searchable~~Proceedings ~~symmetric~~of ~~encryption:~~the ~~improved~~13th ~~definitions~~ACM conference on Computer and ~~efficient~~communications security ~~constructions~~\|chapter=Searchable symmetric encryption \|date=2006-10-30\|chapter-url=https://doi.org/10.1145/1180405.1180417~~\|journal=Proceedings of the 13th ACM Conference on Computer and Communications Security~~\|series=CCS '06\|___location=Alexandria, Virginia, USA\|publisher=Association for Computing Machinery\|pages=79–88\|doi=10.1145/1180405.1180417\|isbn=978-1-59593-518-2\|s2cid=961719}}</ref><ref>{{Cite journal \|last1=Amorim \|first1=Ivone \|last2=Costa \|first2=Ivan \|date=2023-07-01 \|title=Leveraging Searchable Encryption through Homomorphic Encryption: A Comprehensive Analysis \|journal=Mathematics \|language=en \|volume=11 \|issue=13 \|pages=2948 \|doi=10.3390/math11132948 \|doi-access=free \|issn=2227-7390\|arxiv=2306.14407 }}</ref> SSE can be used to outsource files to an untrusted cloud storage server without ever revealing the files in the clear but while preserving the server's ability to search over them. == Description == Line 7 ⟶ 9: A static SSE scheme consists of three algorithms <math>\mathsf{SSE = (Setup, Token, Search)}</math> that work as follows: * <math>\mathsf{Setup}</math> takes as input a security parameter <math>k</math> and a document collection <math>\mathbf{D}</math> and outputs a symmetric key <math>K</math>, an encrypted index <math>\mathbf{I}</math>, and an encrypted document collection <math>\mathbf{ED}</math> * <math>\mathsf{Token}</math> takes as input the secret key <math>K</math> and a keyword <math>w</math> and outputs a search token <math>tk</math> * <math>\mathsf{Search}</math> takes as input the encrypted index <math>\mathbf{I}</math>, the encrypted document collection <math>\mathbf{ED}</math> and a search token <math>tk</math> and outputs a set of encrypted documents <math>\mathbf{R} \subseteq \mathbf{ED}</math> A static SSE scheme is used by a client and an untrusted server as follows. The client encrypts its data collection using the <math>\mathsf{Setup}</math> algorithm which returns a secret key <math>K</math>, an encrypted index <math>\mathbf{I}</math> and an encrypted document collection <math>\mathbf{ED}</math>. The client keeps <math>K</math> secret and sends <math>\mathbf{ED}</math> and <math>\mathbf{I}</math> to the untrusted server. To search for a keyword <math>w</math>, the client runs the <math>\mathsf{~~SearchToken~~Token}</math> algorithm on <math>K</math> and <math>w</math> to generate a search token <math>tk</math> which it sends to the server. The server runs Search with <math>\mathbf{ED}</math>, <math>\mathbf{I}</math>, and <math>tk</math> and returns the resulting encrypted documents back to the ~~server~~client. === Dynamic SSE === A dynamic SSE scheme supports, in addition to search, the insertion and deletion of documents. A dynamic SSE scheme consists of seven algorithms <math>\mathsf{SSE = (Setup, Token, Search, ~~InertToken~~InsertToken, Insert, DeleteToken, Delete)}</math> where <math>\mathsf{Setup}</math>, <math>\mathsf{Token}</math> and <math>\mathsf{Search}</math> are as in the static case and the remaining algorithms work as follows: * <math>\mathsf{InsertToken}</math> takes as input the secret key <math>K</math> and a new document <math>\mathrm{D_{n+1}}</math> and outputs an insert token <math>itk</math> * <math>\mathsf{Insert}</math> takes as input the encrypted document collection ~~EDC~~<math>\mathbf{ED}</math> and an insert token <math>itk</math> and outputs an updated encrypted document collection <math>\mathbf{ED'}</math> * <math>\mathsf{DeleteToken}</math> takes as input the secret key <math>K</math> and a document identifier <math>id</math> and outputs a delete token <math>dtk</math> * <math>\mathsf{Delete}</math> takes as input the encrypted data collection <math>\~~mathrm~~mathbf{~~EDC~~ED}</math> and a delete token <math>dtk</math> and outputs an updated encrypted data collection <math>\mathbf{ED'}</math> To add a new document <math>\mathrm{D_{n+1}}</math> the client runs <math>\mathsf{InsertToken}</math> on <math>K</math> and <math>\mathrm{D_{n+1}}</math>to generate an insert token <math>itk</math> which it sends to the server. The server runs <math>\mathsf{Insert}</math> with <math>\mathbf{ED}</math> and <math>itk</math> and stores the updated encrypted document collection. To delete a document with identifier <math>id</math>, the client runs the <math>\mathsf{DeleteToken}</math> algorithm with <math>K</math> and <math>id</math> to generate a delete token <math>dtk</math> which it sends to the server. The server runs <math>\mathsf{Delete}</math> with <math>\mathbf{ED}</math> and <math>dtk</math> and stores the updated encrypted document collection. An SSE scheme that does not support <math>\mathsf{DeleteToken}</math> and <math>\mathsf{Delete}</math> is called semi-dynamic. == History of Searchable Symmetric Encryption == The problem of searching on encrypted data was considered by [[Dawn Song\|Song]], [[David A. Wagner\|Wagner]] and [[Adrian Perrig\|Perrig]] <ref name=":0" /> though previous work on [[Oblivious RAM]] by [[Oded Goldreich\|Goldreich]] and [[Rafail Ostrovsky\|Ostrovsky]] <ref>{{Cite journal\|~~last~~last1=Goldreich\|~~first~~first1=Oded\|last2=Ostrovsky\|first2=Rafail\|date=May 1996\|title=Software protection and simulation on oblivious RAMs\|url=http://dx.doi.org/10.1145/233551.233553\|journal=Journal of the ACM\|volume=43\|issue=3\|pages=431–473\|doi=10.1145/233551.233553\|hdl=1721.1/103684 \|s2cid=7502114 \|issn=0004-5411\|hdl-access=free}}</ref> could be used in theory to address the problem. This work <ref name=":0" /> proposed an SSE scheme with a search algorithm that runs in time <math>O(s)</math>, where <math>s = \|\mathbf{D}\|</math>. Goh <ref name=":2">{{Cite web\|last=Goh\|first=Eu-Jin\|title=Secure Indexes\|year=2003 \|url=https://eprint.iacr.org/2003/216}}</ref> and Chang and [[Michael Mitzenmacher\|Mitzenmacher]] <ref name=":3">{{Cite ~~journal~~book\|~~last~~last1=Chang\|~~first~~first1=Yan-Cheng\|last2=Mitzenmacher\|first2=Michael\|title=Applied Cryptography and Network Security \|chapter=Privacy Preserving Keyword Searches on Remote Encrypted Data \|date=2005\|editor-last=Ioannidis\|editor-first=John\|editor2-last=Keromytis\|editor2-first=Angelos\|editor3-last=Yung\|editor3-first=Moti~~\|title=Privacy Preserving Keyword Searches on Remote Encrypted Data\|url=https://link.springer.com/chapter/10.1007/11496137_30\|journal=Applied Cryptography and Network Security~~\|series=Lecture Notes in Computer Science\|volume=3531 \|language=en\|___location=Berlin, Heidelberg\|publisher=Springer\|pages=442–455\|doi=10.1007/11496137_30\|isbn=978-3-540-31542-1\|doi-access=free}}</ref> gave new SSE constructions with search algorithms that run in time <math>O(n)</math>, where <math>n</math> is the number of documents. Curtmola, Garay, [[Seny Kamara\|Kamara]] and [[Rafail Ostrovsky\|Ostrovsky]] <ref name=":1" /> later proposed two static constructions with <math>O(\mathrm{opt} )</math> search time, where <math>\mathrm{opt}</math> is the number of documents that contain <math>w</math>, which is optimal. This work also proposed a semi-dynamic construction with <math>O(\mathrm{opt}\cdot \log(u))</math> search time, where <math>u</math> is the number of updates. An optimal dynamic SSE construction was later proposed by [[Seny Kamara\|Kamara]], Papamanthou and Roeder.<ref>{{Cite ~~journal~~book\|~~last~~last1=Kamara\|~~first~~first1=Seny\|last2=Papamanthou\|first2=Charalampos\|last3=Roeder\|first3=Tom\|~~date~~title=Proceedings of the 2012~~-10-16~~ ACM conference on Computer and communications security \|~~title~~chapter=Dynamic searchable symmetric encryption \|date=2012-10-16\|chapter-url=https://doi.org/10.1145/2382196.2382298~~\|journal=Proceedings of the 2012 ACM conference on Computer and communications security~~\|series=CCS '12\|___location=New York, NY, USA\|publisher=Association for Computing Machinery\|pages=965–976\|doi=10.1145/2382196.2382298\|isbn=978-1-4503-1651-4\|s2cid=243046 }}</ref> Goh <ref name=":2" /> and Chang and [[Michael Mitzenmacher\|Mitzenmacher]]<ref name=":3" /> proposed security definitions for SSE. These were strengthened and extended by Curtmola, Garay, Kamara and Ostrovsky <ref name=":1" /> who proposed the notion of adaptive security for SSE. This work also was the first to observe leakage in SSE and to formally capture it as part of the security definition. Leakage was further formalized and generalized by Chase and [[Seny Kamara\|Kamara]].<ref>{{Cite ~~journal~~book\|~~last~~last1=Chase\|~~first~~first1=Melissa\|last2=Kamara\|first2=Seny\|~~date~~title=Advances in Cryptology - ASIACRYPT 2010 \|~~editor-last=Abe\|editor-first=Masayuki\|title~~chapter=Structured Encryption and Controlled Disclosure \|~~url~~date=~~https://link.springer.com/chapter/10.1007/978~~2010\|editor-3last=Abe\|editor-~~642-17373-8_33\|journal~~first=~~Advances in Cryptology - ASIACRYPT 2010~~Masayuki\|series=Lecture Notes in Computer Science\|volume=6477 \|language=en\|___location=Berlin, Heidelberg\|publisher=Springer\|pages=577–594\|doi=10.1007/978-3-642-17373-8_33\|isbn=978-3-642-17373-8\|doi-access=free}}</ref> Islam, Kuzu and Kantarcioglu described the first leakage attack ~~against SSE~~. <ref>{{Cite journal\|~~last~~last1=Islam\|~~first~~first1=Mohammad\|last2=Kuzu\|first2=Mehmet\|last3=Kantarcioglu\|first3=Murat\|title=Access Pattern disclosure on Searchable Encryption:Ramification, Attack and Mitigation\|url=https://www.ndss-symposium.org/wp-content/uploads/2017/09/06_1.pdf\|journal=Network and Distributed System Security (NDSS) Symposium}}</ref> All the previously mentioned constructions support single keyword search. Cash, Jarecki, Jutla, [[Hugo Krawczyk\|Krawczyk]], ~~Rosu~~Roşu and Steiner <ref>{{Cite ~~journal~~book\|~~last~~last1=Cash\|~~first~~first1=David\|last2=Jarecki\|first2=Stanislaw\|last3=Jutla\|first3=Charanjit\|last4=Krawczyk\|first4=Hugo\|last5=Roşu\|first5=Marcel-Cătălin\|last6=Steiner\|first6=Michael\|~~date~~title=Advances in Cryptology – CRYPTO 2013~~\|editor-last=Canetti\|editor-first=Ran\|editor2-last=Garay\|editor2-first=Juan~~ A.\|~~title~~chapter=Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries \|~~url~~date=~~https://link.springer.com/chapter/10.1007/978~~2013\|editor-3last=Canetti\|editor-~~642~~first=Ran\|editor2-~~40041-4_20~~last=Garay\|~~journal~~editor2-first=~~Advances~~Juan ~~in Cryptology – CRYPTO 2013~~A.\|series=Lecture Notes in Computer Science\|volume=8042 \|language=en\|___location=Berlin, Heidelberg\|publisher=Springer\|pages=353–373\|doi=10.1007/978-3-642-40041-4_20\|isbn=978-3-642-40041-4\|doi-access=free}}</ref> proposed an SSE scheme that supports conjunctive search in sub-linear time in <math>n</math>. The construction can also be extended to support disjunctive and Boolean searches that can be expressed in searchable normal form (SNF) in sub-linear time. At the same time, Pappas, Krell, Vo, Kolesnikov, [[Tal Malkin\|Malkin]], Choi, George, Keromytis and [[Steven M. Bellovin\|Bellovin]] <ref>{{Cite ~~journal~~book\|~~last~~last1=Pappas\|~~first~~first1=Vasilis\|last2=Krell\|first2=Fernando\|last3=Vo\|first3=Binh\|last4=Kolesnikov\|first4=Vladimir\|last5=Malkin\|first5=Tal\|last6=Choi\|first6=Seung Geol\|last7=George\|first7=Wesley\|last8=Keromytis\|first8=Angelos\|last9=Bellovin\|first9=Steve\|~~date~~title=2014~~-05~~ IEEE Symposium on Security and Privacy \|~~title~~chapter=Blind Seer: A Scalable Private DBMS \|~~url~~date=~~http://dx.doi.org/10.1109/sp.~~May 2014~~.30~~\|~~journal~~pages=~~2014~~359–374 ~~IEEE Symposium on Security and Privacy~~\|publisher=IEEE\|doi=10.1109/sp.2014.30\|isbn=978-1-4799-4686-0 \|s2cid=9165575 \|doi-access=free}}</ref> described a construction that supports conjunctive and all disjunctive and Boolean searches in sub-linear time. == Security == SSE schemes are designed to guarantee that the untrusted server cannot learn any partial information about the documents or the search queries beyond some well-defined and reasonable leakage. The leakage of a scheme is formally described using a leakage profile which itself can consists of several leakage patterns. SSE constructions attempt to minimize leakage while achieving the best possible search efficiency. SSE security can be analyzed in several adversarial models but the most common are: * the persistent model ,<ref name=":1" />, where an adversary is given the encrypted data collection and a transcript of all the operations executed on the collection; * the snapshot model ,<ref name=":4">{{Cite journal\|~~last~~last1=Amjad\|~~first~~first1=Ghous\|last2=Kamara\|first2=Seny\|last3=Moataz\|first3=Tarik\|date=2019-01-01\|title=Breach-Resistant Structured Encryption~~\|url=https://www.sciendo.com/article/10.2478/popets-2019-0014~~\|journal=Proceedings on Privacy Enhancing Technologies\|language=en\|volume=2019\|issue=1\|pages=245–265\|doi=10.2478/popets-2019-0014\|s2cid=4047057 \|doi-access=free}}</ref>, where an adversary is only given the encrypted data collection (but possibly after each operation). === Security in the Persistent Model === In the persistent model, there are SSE schemes that achieve a wide variety of leakage profiles. The most common leakage profile for static schemes that achieve single keyword search in optimal time is <math>\Lambda_{\mathrm{opt}}</math> which reveals the number of documents in the collection, the size of each document in the collection, if and when a query was repeated and which encrypted documents match the search query. <ref name=":1" /><ref>{{Cite web\|title=Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation – NDSS Symposium\|url=https://www.ndss-symposium.org/ndss2014/programme/dynamic-searchable-encryption-very-large-databases-data-structures-and-implementation/\|access-date=2022-02-22\|language=en-US}}</ref> It is known, however, how to construct schemes that leak considerably less at an additional cost in search time and storage. <ref>{{Cite ~~journal~~book\|~~last~~last1=Kamara\|~~first~~first1=Seny\|last2=Moataz\|first2=Tarik\|last3=Ohrimenko\|first3=Olya\|title=Advances in Cryptology – CRYPTO 2018 \|chapter=Structured Encryption and Leakage Suppression \|date=2018\|editor-last=Shacham\|editor-first=Hovav\|editor2-last=Boldyreva\|editor2-first=Alexandra\|~~title=Structured Encryption and Leakage Suppression\|~~chapter-url=https://link.springer.com/chapter/10.1007/978-3-319-96884-1_12~~\|journal=Advances in Cryptology – CRYPTO 2018~~\|series=Lecture Notes in Computer Science\|volume=10991 \|language=en\|___location=Cham\|publisher=Springer International Publishing\|pages=339–370\|doi=10.1007/978-3-319-96884-1_12\|isbn=978-3-319-96884-1\|s2cid=51603585 }}</ref><ref>{{Cite web\|title=Revisiting Leakage Abuse Attacks – NDSS Symposium\|url=https://www.ndss-symposium.org/ndss-paper/revisiting-leakage-abuse-attacks/\|access-date=2022-02-22\|language=en-US}}</ref> When considering dynamic SSE schemes, the state-of-the-art constructions with optimal time search have leakage profiles that guarantee forward privacy <ref>{{Cite web\|title=Practical Dynamic Searchable Encryption with Small Leakage – NDSS Symposium\|url=https://www.ndss-symposium.org/ndss2014/programme/practical-dynamic-searchable-encryption-small-leakage/\|access-date=2022-02-22\|language=en-US}}</ref> which means that inserts cannot be correlated with past search queries. === Security in the Snapshot Model === In the snapshot model, efficient dynamic SSE schemes with no leakage beyond the number of documents and the size of the collection can be constructed. <ref name=":4" /> When using an SSE construction that is secure in the snapshot model one has to carefully consider how the scheme will be deployed because some systems might cache previous search queries. <ref>{{Cite ~~journal~~book\|~~last~~last1=Grubbs\|~~first~~first1=Paul\|last2=Ristenpart\|first2=Thomas\|last3=Shmatikov\|first3=Vitaly\|~~date~~title=~~2017-05-07~~Proceedings of the 16th Workshop on Hot Topics in Operating Systems \|~~title~~chapter=Why Your Encrypted Database Isis Not Secure \|date=2017-05-07\|chapter-url=https://doi.org/10.1145/3102980.3103007~~\|journal=Proceedings of the 16th Workshop on Hot Topics in Operating Systems~~\|series=HotOS '17\|___location=New York, NY, USA\|publisher=Association for Computing Machinery\|pages=162–168\|doi=10.1145/3102980.3103007\|isbn=978-1-4503-5068-6\|s2cid=10111288 }}</ref> === Cryptanalysis === A leakage profile only describes the leakage of an SSE scheme but it says nothing about whether that leakage can be exploited or not. [[Cryptanalysis]] is therefore used to better understand the real-world security of a leakage profile. There is a wide variety of attacks working in different adversarial models, based on a variety of assumptions and attacking different leakage profiles. <ref>{{Cite ~~journal~~book\|~~last~~last1=Yao\|~~first~~first1=Jing\|last2=Zheng\|first2=Yifeng\|last3=Guo\|first3=Yu\|last4=Wang\|first4=Cong\|~~date~~title=~~2020-10-06~~Proceedings of the 8th International Workshop on Security in Blockchain and Cloud Computing \|~~title~~chapter=SoK: A Systematic Study of Attacks in Efficient Encrypted Cloud Data Search \|date=2020-10-06\|chapter-url=https://doi.org/10.1145/3384942.3406869~~\|journal=Proceedings of the 8th International Workshop on Security in Blockchain and Cloud Computing~~\|series=SBC '20\|___location=New York, NY, USA\|publisher=Association for Computing Machinery\|pages=14–20\|doi=10.1145/3384942.3406869\|isbn=978-1-4503-7609-9\|s2cid=222179683 }}</ref><ref>{{Cite journal\|~~last~~last1=Kamara\|~~first~~first1=Seny\|last2=Kati\|first2=Abdelkarim\|last3=Moataz\|first3=Tarik\|last4=Schneider\|first4=Thomas\|last5=Treiber\|first5=Amos\|last6=Yonli\|first6=Michael\|date=2021\|title=Cryptanalysis of Encrypted Search with LEAKER - A framework for LEakage AttacK Evaluation on Real-world data\|url=https://eprint.iacr.org/2021/1035}}</ref> == See also == Line 60 ⟶ 61: {{reflist}} ~~[[Category:Cryptography]]~~ [[Category:Cryptographic primitives]]