Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky Searchable Symmetric Encryption :Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky

OUTLINE Searchable Symmetric Encryption Revisiting SSE security definitions SEE-1(non-adaptive) SEE-2(adaptive) Multi-user Searchable Encryption 證明

Revisiting SSE security definitions “A secure SSE scheme should not leak anything beyond the outcome of a search” “search outcome”: memory addresses of documents that contain a hidden keyword Important to note: different keyword requests may lead to the same search outcome “search pattern”: whether two queries were for the same keyword or not A (slightly) better intuition “A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search”

SSE Algorithms Keygen(1k): outputs symmetric key K (by user) BuildIndex(K, {D1, ..., Dn}): outputs secure index I (by user) Trapdoor(K, w): outputs a trapdoor Tw (by user) Search(I, Tw): outputs identifiers of documents containing w (id1, ..., idm) (by server)

SSE client can upload additional “encrypted” data structures to help search Index Keyword server

Our model History: documents and keywords View: encrypted documents, index, trapdoors Trace: length of documents, search outcomes, search pattern

Our intuition Previous intuition “A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search” A more “formal intuition” “any function about the documents and the keywords that can be computed from the encrypted documents, the index and the trapdoors can be computed from the length of the documents, the search outcomes and the search pattern

What is adaptiveness? Non-adaptive :adversaries make search queries without seeing the outcome of previous searches Adaptive :adversaries can make search queries as a function of the outcome of previous searches (Note)The user may or may not generate its word queries depending on the outcome of previous searches We call queries that do depend on previous search outcomes adaptive

Non-Adaptive Adaptive (new) [SWP00,Goh03,CM05,...] SI w1 SI w2 w1 w2 w3 w4 w3

Non-adaptive SSE construction Index Server Keyword Trapdoor Did

<address,value> Index是由2種data structure製作 -Array A and look-up table T |D(w)| Li Did <address,value> T |△|

一些符號定義 Let △= {w1, . . . ,wd} be a dictionary of d words, and 2△ be the set of all possible documents. let D ⊆2 △be a collection of n documents D = (D1, . . . ,Dn) and 2 2△ be the set of all possible document collections. Let id(D) be the identifier of document D D(w) (the set of identifiers of documents containing w) as the outcome of a search for w and to the sequence (D(w1), . . . ,D(wn)) as the access pattern of a client

Example D={D1,D2,D3},w={w1,w2,…,w5} 假設D(w1)={D1,D3},D(w2)={D1,D2}, D(w3)={D2,D3},D(w4)={D1},D(w5)={D2} 建立index A: T: W5 <1,6> W2 <2,3> 0 1 2 3 D1||null D1||2 D3||null D1||7 W4 <3,0> 4 5 6 7 W3 <4,5> D3||null D2||4 D2||null D2||null W1 <5,1>

Seaching: P: Pseudo Random Permutation F: Pseudo Random Function addr = P(w3) key = F(w3) Trapdoor = (addr, key)=(4,5) => D2,D3

Adaptive SSE construction

比較

Secure updates 新舊document collection combine後重新建立index,因此得到新的document collection and 新的index

證明

proof:由紀銘偉大大白板講解