Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives

Using dynamic Searchable Symmetric Encryption, a user with limited storage resources can securely outsource a database to an untrusted server, in such a way that the database can still be searched and updated efficiently. For these schemes, it would be desirable that updates do not reveal any information a priori about the modifications they carry out, and that deleted results remain inaccessible to the server a posteriori. If the first property, called forward privacy, has been the main motivation of recent works, the second one, backward privacy, has been overlooked. In this paper, we study for the first time the notion of backward privacy for searchable encryption. After giving formal definitions for different flavors of backward privacy, we present several schemes achieving both forward and backward privacy, with various efficiency trade-offs. Our constructions crucially rely on primitives such as constrained pseudo-random functions and puncturable encryption schemes. Using these advanced cryptographic primitives allows for a fine-grained control of the power of the adversary, preventing her from evaluating functions on selected inputs, or decrypting specific ciphertexts. In turn, this high degree of control allows our SSE constructions to achieve the stronger forms of privacy outlined above. As an example, we present a framework to construct forward-private schemes from range-constrained pseudo-random functions. Finally, we provide experimental results for implementations of our schemes, and study their practical efficiency.

[1]  Muhammad Naveed,et al.  The Fallacy of Composition of Oblivious RAM and Searchable Encryption , 2015, IACR Cryptol. ePrint Arch..

[2]  Matthew Green,et al.  Forward Secure Asynchronous Messaging from Puncturable Encryption , 2015, 2015 IEEE Symposium on Security and Privacy.

[3]  Charalampos Papamanthou,et al.  Parallel and Dynamic Searchable Symmetric Encryption , 2013, Financial Cryptography.

[4]  Sanjam Garg,et al.  TWORAM: Efficient Oblivious RAM in Two Rounds with Applications to Searchable Encryption , 2016, CRYPTO.

[5]  Moni Naor,et al.  Anti-persistence: history independent data structures , 2001, STOC '01.

[6]  Hugo Krawczyk,et al.  Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries , 2013, IACR Cryptol. ePrint Arch..

[7]  David Cash,et al.  The Locality of Searchable Symmetric Encryption , 2014, IACR Cryptol. ePrint Arch..

[8]  Adam J. Aviv,et al.  A Practical Oblivious Map Data Structure with Secure Deletion and History Independence , 2015, 2016 IEEE Symposium on Security and Privacy (SP).

[9]  Seny Kamara,et al.  Boolean Searchable Symmetric Encryption with Worst-Case Sub-linear Complexity , 2017, EUROCRYPT.

[10]  Rishabh Poddar,et al.  Arx: A Strongly Encrypted Database System , 2016, IACR Cryptol. ePrint Arch..

[11]  Hugo Krawczyk,et al.  Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation , 2014, NDSS.

[12]  Elaine Shi,et al.  Practical Dynamic Searchable Encryption with Small Leakage , 2014, NDSS.

[13]  Charalampos Papamanthou,et al.  Dynamic searchable symmetric encryption , 2012, IACR Cryptol. ePrint Arch..

[14]  George Kollios,et al.  GRECS: Graph Encryption for Approximate Shortest Distance Queries , 2015, IACR Cryptol. ePrint Arch..

[15]  Ran Canetti,et al.  Constraint-Hiding Constrained PRFs for NC1 from LWE , 2017, EUROCRYPT.

[16]  Brent Waters,et al.  Constrained Pseudorandom Functions and Their Applications , 2013, ASIACRYPT.

[17]  Srdjan Capkun,et al.  Data Node Encrypted File System: Efficient Secure Deletion for Flash Memory , 2012, USENIX Security Symposium.

[18]  Raphael Bost,et al.  ∑oφoς: Forward Secure Searchable Encryption , 2016, CCS.

[19]  Aggelos Kiayias,et al.  Delegatable pseudorandom functions and applications , 2013, IACR Cryptol. ePrint Arch..

[20]  Shafi Goldwasser,et al.  Functional Signatures and Pseudorandom Functions , 2014, Public Key Cryptography.

[21]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[22]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[23]  Dawn Xiaodong Song,et al.  Practical techniques for searches on encrypted data , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[24]  Richard J. Lipton,et al.  A Revocable Backup System , 1996, USENIX Security Symposium.

[25]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[26]  Rafail Ostrovsky,et al.  Searchable symmetric encryption: improved definitions and efficient constructions , 2006, CCS '06.

[27]  David Cash,et al.  Leakage-Abuse Attacks Against Searchable Encryption , 2015, IACR Cryptol. ePrint Arch..

[28]  Rafail Ostrovsky,et al.  Attribute-based encryption with non-monotonic access structures , 2007, CCS '07.

[29]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[30]  Ian Miers,et al.  IO-DSSE: Scaling Dynamic Searchable Encryption to Millions of Indexes By Improving Locality , 2017, NDSS.

[31]  Brent Waters,et al.  Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model , 2015, ASIACRYPT.

[32]  Silvio Micali,et al.  How to Construct Random Functions (Extended Abstract) , 1984, FOCS.

[33]  Melissa Chase,et al.  Structured Encryption and Controlled Disclosure , 2010, IACR Cryptol. ePrint Arch..

[34]  Radu Sion,et al.  HIFS: history independence for file systems , 2013, CCS.

[35]  Jonathan Katz,et al.  All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption , 2016, USENIX Security Symposium.

[36]  Joos Vandewalle,et al.  Hash Functions Based on Block Ciphers: A Synthetic Approach , 1993, CRYPTO.