Abstract
When outsourcing data, Searchable Symmetric Encryption (SSE) allows clients to query the server for their encrypted files without compromising data confidentiality. Several attacks against searchable encryption schemes have been proposed that leverage information leakage the schemes emit when operating. Schemes should achieve Forward and Backward Privacy to mitigate these types of attacks. Despite the variance of query types across SSE schemes, most forward and backward private schemes only support exact keyword search. In this research, we extend backward privacy notions and their underlying leakage functions to the Wildcard Search domain. Additionally, we present \(\mathsf {Libertas}\); a construction that provides backward privacy to any wildcard supporting SSE scheme. If the scheme is forward private, this property is inherited. We prove security in the established \(\mathcal {L}\)-adaptive security model with respect to a leakage function \(\mathcal {L}\). We show that the performance overhead scales linearly with the number of deletions.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Abadi, M., Rogaway, P.: Reconciling two views of cryptography. In: van Leeuwen, J., Watanabe, O., Hagiya, M., Mosses, P.D., Ito, T. (eds.) TCS 2000. LNCS, vol. 1872, pp. 3–22. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44929-9_1
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Communications of the ACM 13, 422–426 (1970)
Bösch, C., Brinkman, R., Hartel, P., Jonker, W.: Conjunctive wildcard search over encrypted data. In: Jonker, W., Petković, M. (eds.) SDM 2011. LNCS, vol. 6933, pp. 114–127. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23556-6_8
Bost, R.: \(\sum \)o\(\varphi \)o\(\varsigma \): forward secure searchable encryption. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (2016)
Bost, R., Minaud, B., Ohrimenko, O.: Forward and backward private searchable encryption from constrained cryptographic primitives. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (2017)
Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Proceedings of the ACM SIGSAC Conference On Computer and Communications Security (2015)
Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for Boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_20
Chase, M., Shen, E.: Substring-searchable symmetric encryption. In: Proceedings on Privacy Enhancing Technologies (2015)
Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (2006)
Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 123–145. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_7
Goh, E.J.: Secure indexes. IACR Cryptol. ePrint Arch. (2003). https://ia.cr/2003/216
Hu, C., Han, L.: Efficient wildcard search over encrypted data. Int. J. Inf. Secur. 15(5), 539–547 (2015). https://doi.org/10.1007/s10207-015-0302-0
Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In: NDSS (2012)
Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (2012)
Naveed, M.: The fallacy of composition of oblivious RAM and searchable encryption. IACR Cryptol. ePrint Arch (2015). https://ia.cr/2015/668
Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceedings of the IEEE Symposium on Security & Privacy. IEEE (2000)
Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: Proceedings of the Network and Distributed System Security Symposium (2014)
Suga, T., Nishide, T., Sakurai, K.: Secure keyword search using bloom filter with specified character positions. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 235–252. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33272-2_15
Zhang, Y., Katz, J., Papamanthou, C.: All your queries are belong to us: the power of file-injection attacks on searchable encryption. In: Proceedings of the USENIX Security Symposium (2016)
Zhao, F., Nishide, T.: Searchable symmetric encryption supporting queries with multiple-character wildcards. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds.) NSS 2016. LNCS, vol. 9955, pp. 266–282. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46298-1_18
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Z &N: Construction
Z &N: Construction
We provide the construction of \( \mathsf {Z \& N}\): a DSSE scheme supporting wildcard search. It is proposed by Zhao and Nishide in [20] and uses Bloom filters [2] and a regular index. The algorithms are described in Algorithm 2. An implementation of \( \mathsf {Z \& N}\) can be found at https://github.com/LibertasConstruction/Libertas. The scheme uses a hash function g. \(\overline{g}\) denotes the first bit of a hash using g. The scheme uses g with r different keys to effectively create r different hash functions to use for Bloom filters. \(\mathsf {BF}[p]\) denotes the bit in a Bloom filter at position p. \(\mathsf {ind} \mathbin \Vert w\) indicates a concatenation of \(\mathsf {ind}\) and w. The scheme uses keyword characteristic and token (query) characteristic sets, \(S_K(w)\) and \(S_T(q)\), to capture the structure of keywords and queries to support both ‘*’ and ‘_’ wildcard symbols. Every keyword characteristic set is stored in a Bloom filter.
1.1 Keyword Characteristic Set
\(S_K(w)\) is made up of the two sets \(S_K^{(o)}(w)\) and \(S_K^{(p)}(w)\). The set \(S_K^{(o)}(w)\) contains characters of a keyword w together with their position. For example, \(S_K^{(o)}(\text {`diana'})=\{\text {`1:d'},\text {`2:i'},\text {`3:a'},\text {`4:n'},\text {`5:a'},\text {`6:}\backslash \text {0'}\}\). Note the terminator symbol indicating the end of the keyword. The set \(S_K^{(p)}(w)\) consists of the sets \(S_K^{(p1)}(w)\) and \(S_K^{(p2)}(w)\). These sets consider pairs of characters. Let us take a look at these sets when using the keyword \(\text {`diana'}\).
Here, the element \(\text {`3:1:d,n'}\) comes from the character pair \(\text {`}\mathrm {\underline{d}ia\underline{n}a}\text {'}\), where 3 is the distance between the characters and 1 indicates that it is the first occurrence of the pair with the given distance in this set.
Here, the element \(\text {`-:2:i,a'}\) comes from the character pair \(\text {`d}\mathrm {\underline{i}an\underline{a}}\text {'}\). Distances are not considered in this set. The 2 indicates that this is the second occurrence of the pair in the set.
1.2 Token Characteristic Set
Next, we will show how to construct the token characteristic set \(S_T(q)\) of a search query q. As this scheme does not support conjunctive keyword queries, q can be thought of as a keyword containing wildcards. Similar to \(S_K(w)\), \(S_T(q)\) is made up of the sets \(S_T^{(o)}(q)\), \(S_T^{(p1)}(q)\) and \(S_T^{(p2)}(q)\). The construction of the sets is illustrated by an example with the query \(\text {`di*a}\_\text {a*}\backslash \text {0'}\).
The set \(S_T^{(o)}(q)\) is constructed by extracting characters from q with a specified appearance order. \(S_T^{(o)}(\text {`di*a}\_\text {a*}\backslash \text {0'})=\{\text {`1:d'}, \text {`2:i}\}\).
We define a character group as a group of subsequent characters that do not contain wildcards. \(\text {`di*a}\_\text {a*}\backslash \text {0'}\) consists of the character groups \(\text {`di'}\), \(\text {`a'}\), \(\text {`a'}\) and \(\text {`}\backslash \text {0'}\). For \(S_T^{(p1)}(q)\), we consider the character group to the left and to the right of ‘_’ wildcards. We generate all possible character pairs with their corresponding distance. Then, we do mostly the same for ‘*’ wildcards: we consider the character group left and right of the ‘*’ wildcard. This time, however, we concatenate the character groups before generating the character pairs, thereby ignoring the wildcard itself in the distance computation. The resulting pairs are added to \(S_T^{(p1)}\). The following example illustrates what this means exactly. Consider \(S_T^{(p1)}(\text {`di*a}\_\text {a*}\backslash \text {0'})\). The ‘_’ wildcard is surrounded by \(\text {`a'}\) and \(\text {`a'}\). \(S_T^{(p1)}\) therefore contains \(\text {`2:1:a,a'}\). The first ‘*’ wildcard is surrounded by character group \(\text {`di'}\) and character \(\text {`a'}\), adding \(\text {`1:1:d,i'}\), \(\text {`2:1:d,a'}\) and \(\text {`1:1:i,a'}\) to the set. In the same fashion, \(\text {`1:1:a,}\backslash \text {0'}\) is added.
To construct the set \(S_T^{(p2)}(q)\), consider the search string without wildcard symbols. Then, follow the same procedure as with the construction of \(S_K^{(p2)}(w)\).
Rights and permissions
Copyright information
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Weener, J., Hahn, F., Peter, A. (2022). Libertas: Backward Private Dynamic Searchable Symmetric Encryption Supporting Wildcards. In: Sural, S., Lu, H. (eds) Data and Applications Security and Privacy XXXVI. DBSec 2022. Lecture Notes in Computer Science, vol 13383. Springer, Cham. https://doi.org/10.1007/978-3-031-10684-2_13
Download citation
DOI: https://doi.org/10.1007/978-3-031-10684-2_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10683-5
Online ISBN: 978-3-031-10684-2
eBook Packages: Computer ScienceComputer Science (R0)