Libertas: Backward Private Dynamic Searchable Symmetric Encryption Supporting Wildcards

Abstract

When outsourcing data, Searchable Symmetric Encryption (SSE) allows clients to query the server for their encrypted files without compromising data confidentiality. Several attacks against searchable encryption schemes have been proposed that leverage information leakage the schemes emit when operating. Schemes should achieve Forward and Backward Privacy to mitigate these types of attacks. Despite the variance of query types across SSE schemes, most forward and backward private schemes only support exact keyword search. In this research, we extend backward privacy notions and their underlying leakage functions to the Wildcard Search domain. Additionally, we present \(\mathsf {Libertas}\); a construction that provides backward privacy to any wildcard supporting SSE scheme. If the scheme is forward private, this property is inherited. We prove security in the established \(\mathcal {L}\)-adaptive security model with respect to a leakage function \(\mathcal {L}\). We show that the performance overhead scales linearly with the number of deletions.

Z &N: Construction

We provide the construction of \( \mathsf {Z \& N}\): a DSSE scheme supporting wildcard search. It is proposed by Zhao and Nishide in [20] and uses Bloom filters [2] and a regular index. The algorithms are described in Algorithm 2. An implementation of \( \mathsf {Z \& N}\) can be found at https://github.com/LibertasConstruction/Libertas. The scheme uses a hash function g. \(\overline{g}\) denotes the first bit of a hash using g. The scheme uses g with r different keys to effectively create r different hash functions to use for Bloom filters. \(\mathsf {BF}[p]\) denotes the bit in a Bloom filter at position p. \(\mathsf {ind} \mathbin \Vert w\) indicates a concatenation of \(\mathsf {ind}\) and w. The scheme uses keyword characteristic and token (query) characteristic sets, \(S_K(w)\) and \(S_T(q)\), to capture the structure of keywords and queries to support both ‘*’ and ‘_’ wildcard symbols. Every keyword characteristic set is stored in a Bloom filter.

1.1 Keyword Characteristic Set

\(S_K(w)\) is made up of the two sets \(S_K^{(o)}(w)\) and \(S_K^{(p)}(w)\). The set \(S_K^{(o)}(w)\) contains characters of a keyword w together with their position. For example, \(S_K^{(o)}(\text {`diana'})=\{\text {`1:d'},\text {`2:i'},\text {`3:a'},\text {`4:n'},\text {`5:a'},\text {`6:}\backslash \text {0'}\}\). Note the terminator symbol indicating the end of the keyword. The set \(S_K^{(p)}(w)\) consists of the sets \(S_K^{(p1)}(w)\) and \(S_K^{(p2)}(w)\). These sets consider pairs of characters. Let us take a look at these sets when using the keyword \(\text {`diana'}\).

$$\begin{aligned} S_K^{(p1)}(\text {`diana'})=\{\text {`1:1:d,i'},\text {`2:1:d,a'},\text {`3:1:d,n'},\text {`4:1:d,a'},\text {`5:1:d,}\backslash \text {0'},\\ \text {`1:1:i,a'},\text {`2:1:i,n'},\text {`3:1:i,a'},\text {`4:1:i,}\backslash \text {0'},\\ \text {`1:1:a,n'},\text {`2:1:a,a'},\text {`3:1:a,}\backslash \text {0'},\\ \text {`1:1:n,a'},\text {`2:1:n,}\backslash \text {0'},\\ \text {`1:1:a,}\backslash \text {0'}\} \end{aligned}$$

Here, the element \(\text {`3:1:d,n'}\) comes from the character pair \(\text {`}\mathrm {\underline{d}ia\underline{n}a}\text {'}\), where 3 is the distance between the characters and 1 indicates that it is the first occurrence of the pair with the given distance in this set.

$$\begin{aligned} S_K^{(p2)}(\text {`diana'})=\{\text {`-:1:d,i'},\text {`-:1:d,a'},\text {`-:1:d,n'},\text {`-:2:d,a'},\text {`-:1:d,}\backslash \text {0'},\\ \text {`-:1:i,a'},\text {`-:1:i,n'},\text {`-:2:i,a'},\text {`-:1:i,}\backslash \text {0'},\\ \text {`-:1:a,n'},\text {`-:1:a,a'},\text {`-:1:a,}\backslash \text {0'},\\ \text {`-:1:n,a'},\text {`-:1:n,}\backslash \text {0'},\\ \text {`-:2:a,}\backslash \text {0'}\} \end{aligned}$$

Here, the element \(\text {`-:2:i,a'}\) comes from the character pair \(\text {`d}\mathrm {\underline{i}an\underline{a}}\text {'}\). Distances are not considered in this set. The 2 indicates that this is the second occurrence of the pair in the set.

1.2 Token Characteristic Set

Next, we will show how to construct the token characteristic set \(S_T(q)\) of a search query q. As this scheme does not support conjunctive keyword queries, q can be thought of as a keyword containing wildcards. Similar to \(S_K(w)\), \(S_T(q)\) is made up of the sets \(S_T^{(o)}(q)\), \(S_T^{(p1)}(q)\) and \(S_T^{(p2)}(q)\). The construction of the sets is illustrated by an example with the query \(\text {`di*a}\_\text {a*}\backslash \text {0'}\).

The set \(S_T^{(o)}(q)\) is constructed by extracting characters from q with a specified appearance order. \(S_T^{(o)}(\text {`di*a}\_\text {a*}\backslash \text {0'})=\{\text {`1:d'}, \text {`2:i}\}\).

We define a character group as a group of subsequent characters that do not contain wildcards. \(\text {`di*a}\_\text {a*}\backslash \text {0'}\) consists of the character groups \(\text {`di'}\), \(\text {`a'}\), \(\text {`a'}\) and \(\text {`}\backslash \text {0'}\). For \(S_T^{(p1)}(q)\), we consider the character group to the left and to the right of ‘_’ wildcards. We generate all possible character pairs with their corresponding distance. Then, we do mostly the same for ‘*’ wildcards: we consider the character group left and right of the ‘*’ wildcard. This time, however, we concatenate the character groups before generating the character pairs, thereby ignoring the wildcard itself in the distance computation. The resulting pairs are added to \(S_T^{(p1)}\). The following example illustrates what this means exactly. Consider \(S_T^{(p1)}(\text {`di*a}\_\text {a*}\backslash \text {0'})\). The ‘_’ wildcard is surrounded by \(\text {`a'}\) and \(\text {`a'}\). \(S_T^{(p1)}\) therefore contains \(\text {`2:1:a,a'}\). The first ‘*’ wildcard is surrounded by character group \(\text {`di'}\) and character \(\text {`a'}\), adding \(\text {`1:1:d,i'}\), \(\text {`2:1:d,a'}\) and \(\text {`1:1:i,a'}\) to the set. In the same fashion, \(\text {`1:1:a,}\backslash \text {0'}\) is added.

To construct the set \(S_T^{(p2)}(q)\), consider the search string without wildcard symbols. Then, follow the same procedure as with the construction of \(S_K^{(p2)}(w)\).