Beyond Volume Pattern: Storage-Efficient Boolean Searchable Symmetric Encryption with Suppressed Leakage

Abstract

Boolean Searchable Symmetric Encryption (BSSE) enables users to perform retrieval operations on the encrypted data while supporting complex query capabilities. This paper focuses on addressing the storage overhead and privacy concerns associated with existing BSSE schemes. While Patel et al. (ASIACRYPT’21) and Bag et al. (PETS’23) introduced BSSE schemes that conceal the number of single keyword results, both of them suffer from quadratic storage overhead and neglect the privacy of search and access patterns. Consequently, an open question arises: Can we design a storage-efficient Boolean query scheme that effectively suppresses leakage, covering not only the volume pattern for singleton keywords, but also search and access patterns?

In light of the limitations of existing schemes in terms of storage overhead and privacy protection, this work presents a novel solution called SESAME. It realizes efficient storage and privacy preserving based on Bloom filter and functional encryption. Moreover, we propose an enhanced version, SESAME+, which offers improved search performance. By rigorous security analysis on the leakage functions of our schemes, we provide a formal security proof. Finally, we implement our schemes and demonstrate that SESAME+ achieves superior search efficiency and reduced storage overhead.

Appendix A Proof of Theorem 1

We provide a formal security proof of our construction SESAME+. We consider a database DB and a sequence of DNF queries \(\mathcal {Q} = \{Q_1, \cdots , Q_n\}\), where \(Q_i = q_{i,1} \vee \cdots \vee q_{i,m}\) consists of m conjunctions.

The leakage function \(\mathcal {L}_{\textsf {Setup}}\) captures information that is leaked from the Setup algorithm. In our construction, we use Bloom filters to represent documents and encrypt them using functional encryption. As the adversary is restricted to access only the encrypted vectors, the acquired information is confined to the total number of encrypted vectors and their respective lengths, represented as d and l, respectively. Hence, the Setup leakage function is defined as \(\mathcal {L}_{\textsf {Setup}} = (d, l)\).

The leakage function \(\mathcal {L}_{\textsf {Token}}\) is a summary of the information that an adversary can acquire in the context of the Token algorithm. It is noteworthy that both the vector \(\boldsymbol{\alpha }\), which records the number of non-zero elements, and the vector \(\boldsymbol{\beta }\), which records the positions of non-zero elements, are sent to the server as auxiliary query information, thereby making them susceptible to the adversary. Additionally, \(\boldsymbol{U}\) can be derived from \(\boldsymbol{\beta }\), which means that it is not part of \(\mathcal {L}_{\textsf {Token}}\). Furthermore, \(\boldsymbol{\beta }\) discloses the number of clauses in the query Q as m. Consequently, the Token leakage function is represented as \(\mathcal {L}_{\textsf {Token}} = (m, \boldsymbol{\alpha }, \boldsymbol{\beta })\).

Regarding the information that is leaked in the Search algorithm, it is important to note that the output from the Token is received by the server, and this output has already been included in the \(\mathcal {L}_{\textsf {Token}}\). During query execution, the server prunes the matrix \(\boldsymbol{A}\) based on \(\beta _i\) to derive \(\boldsymbol{A}'\) for each clause in Q, where \(\boldsymbol{A}\) represents the ciphertext vectors encrypted by functional encryption generated in the Setup, and its security is guaranteed by functional encryption. Subsequently, the server decrypts \(\boldsymbol{A}'\) to obtain the inner product result \(\boldsymbol{r}_i\), which can be acquired by the adversary. Additionally, the server discloses the query’s result set \(\mathcal {R}\), which constitutes information accessible to the adversary. Therefore, the Search leakage function is defined as \(\mathcal {L}_{\textsf {Search}} = (\{\boldsymbol{r}_1, \cdots , \boldsymbol{r}_{m}\}, \mathcal {R})\).

Proof

To demonstrate that \({\textbf {Real}}_{\mathcal {A}}^{{\textsf {SESAME+}}}(\lambda )\) and \({\textbf {Ideal}}_{\mathcal {A,S}}^{{\textsf {SESAME+}}}(\lambda )\) are computationally indistinguishable, we characterize a probabilistic polynomial-time simulator \(\mathcal {S}\) capable of simulating the three protocols in our SESAME+ scheme. The simulator \(\mathcal {S}\) must be able to regenerate the encrypted database and tokens from the leakage information \(\mathcal {L}\), with the regenerated tokens satisfying the dependencies among the leakage functions \(\mathcal {L}_{\textsf {Setup}}\), \(\mathcal {L}_{\textsf {Token}}\), and \(\mathcal {L}_{\textsf {Search}}\), in order to prevent the adversary \(\mathcal {A}\) from distinguishing between the real world and ideal world scenarios. The adversary \(\mathcal {A}\) has access to the simulated encrypted database and can retrieve data using the simulated tokens.

Provided the leakage information \(\mathcal {L} = (\mathcal {L}_{\textsf {Setup}}, \mathcal {L}_{\textsf {Token}}, \mathcal {L}_{\textsf {Search}})\), the simulations can be formulated as follows:

To simulate the Setup protocol, \(\mathcal {S}\) selects a cyclic group \(\mathbb {G}\) of prime order \(p > 2^\lambda \). Then, \(\mathcal {S}\) randomly samples \(s_i, t_i \leftarrow \mathbb {Z}_p\) for each \(i \in \{1, \cdots , l\}\), where l is determined by \(\mathcal {L}_{\textsf {Setup}}\), randomly samples \(k \leftarrow \{0,1\}^\lambda \) and computes \(h_i = g^{s_i} \cdot h^{t_i}\), where g and h are two randomly generated generators in \(\mathbb {G}\). As a result, \(\mathcal {S}\) simulates the master secret key and master public key as \(\textsf {msk} := (\textsf {sk}_{\textsf {IPFE}}=\{(s_i, t_i)\}^l_{i=1}, k)\) and \(\textsf {mpk} := (\mathbb {G}, g, h, \{h_i\}_{i=1}^{l})\), respectively.

For simulating the EDB, \(\mathcal {S}\) generates d Bloom filters \(\boldsymbol{v}_i\) of length l. These vectors are constructed to maintain dependencies with the leakage functions \(\mathcal {L}_{\textsf {Token}}\) and \(\mathcal {L}_{\textsf {Search}}\), ensuring that the adversary’s verification using simulated tokens remains valid. The adversary can only learn the length l of the vectors and the number of vectors d, as they only have access to the encrypted vectors. Finally, the simulator \(\mathcal {S}\) employs functional encryption for inner product with the mpk to encrypt the vectors and simulate the encrypted database EDB.

In the context of the Setup protocol, given the leakage information \(\mathcal {L}\), the simulator \(\mathcal {S}\) generates simulated outputs, including the encrypted database EDB, the master public key mpk, and the master secret key msk. The difference between the simulated EDB and the real-world scenario lies in the selection of \(\boldsymbol{v}_i\). Instead of obtaining \(\boldsymbol{v}_i\) based on the document mapping, \(\mathcal {S}\) selects \(\boldsymbol{v}_i\) using the leakage functions \(\mathcal {L}_{\textsf {Token}}\) and \(\mathcal {L}_{\textsf {Search}}\), followed by its encryption. The advantage of distinguishing them is negligible if functional encryption is fully secure. The simulations of the mpk and msk are equivalent with those of the real world.

In the simulation of the Token protocol, \(\mathcal {S}\) simulates tokens for Boolean queries based on the leakage function \(\mathcal {L}_{\textsf {Token}}\) and ensures that these tokens can operate on the simulated encrypted database EDB. The leakage information provided by \(\mathcal {L}_{\textsf {Token}}\) reveals the positions of non-zero elements in the vector for each Boolean query clause, as well as the number of clauses for each Boolean query. Consequently, \(\mathcal {S}\) can generate tokens that are identical to those in the real experiment. For simulating the decryption key, \(\mathcal {S}\) leverages the leaked positions information to simulate the decryption key using the Keygen algorithm of functional encryption. The advantage of \(\mathcal {A}\) in distinguishing between the real world and the ideal world becomes negligible if the functional encryption is secure.

When simulating the Search protocol, \(\mathcal {S}\) retrieves documents from the encrypted database EDB based on a given Boolean query. Upon receiving the simulated token tok, \(\mathcal {S}\) prunes the simulated EDB according to the corresponding \(\boldsymbol{\beta }\), then performs the decryption process on the pruned EDB to obtain the identifiers of documents that satisfy the query. Since both EDB and tok are simulated based on the leakage function \(\mathcal {L}\), the search process performed on the simulated token leaks the same information as \(\mathcal {L}_{\textsf {Search}}\). Consequently, \(\mathcal {A}\) cannot distinguish between the real world and the ideal world with more than negligible probability.

In the above proof, we describe a probabilistic polynomial-time simulator \(\mathcal {S}\) that simulates the real experiment by using a given leakage information from \(\mathcal {L}\). Assuming that functional encryption for inner product is secure, then our scheme SESAME+ achieves \(\mathcal {L}\)-secure, that is

$$|\text {Pr}[{\textbf {Real}}_{\mathcal {A}}^{{\textsf {SESAME}+}}(\lambda ) = 1] - \text {Pr}[{\textbf {Ideal}}_{\mathcal {A}, \mathcal {S}}^{{\textsf {SESAME}+}}(\lambda ) = 1]|\le \textsf {negl}(\lambda ).$$

Remark. Due to subtle issues from the underlying inner product functional encryption, we prove \(\textsf {SESAME}+\) with non-adaptive security, i.e., the adversary issues all queries before running the game. Designing an adaptively secure BSSE scheme with similar properties as \(\textsf {SESAME}+\) seems to require fundamentally different primitives and proof techniques, for which we leave as a future work.