Dynamic Searchable Encryption via Blind

Storage

M. Naveed, M. Prabhakaran, C.A. Gunter

Presented by:Keegan Sherman and Pardeep Banwait

Searchable Symmetric Encryption• Allows a user to store a collection of encrypted

documents and perform keyword searches on those documents.

• The server storing the documents is required to not learn any information from interactions with the stored documents except for certain patterns.

• Our Dynamic SSE allows for adding and removing documents throughout the life-time of the system in the face of an honest-but curious server.

Previous SSE Research• Basic Approach by R. Curtmola, et.al. from NJIT.

• Keep index files that map keywords to lists of documents that contain it. Store index files as encrypted linked lists. Randomly sort the nodes for each list.

• Approach by S. Kamara, et.al. from Microsoft.

• Dynamic SSE based off inverted index approach with server side computation.

Blind Storage• Allows a server to store a set of encrypted files in such a

way that the server does not know how many files are being stored nor the lengths of the files.

• Server learns about the existence of a file when it is being retrieved but the file’s name and contents are kept hidden.

Blind Storage Parameters• - Upper bound on storage slack ratio

• - Ratio between the number of blocks in a file and the number of blocks downloaded/uploaded when a given file is accessed.

• - The minimum number of blocks that can be downloaded/uploaded from the server.

• We use CRHF, a PRF, a FD-PRF, PRG, and a PRP all relying on an AES block-cipher .

• KSSE = (Kd, Kid, KID).

�

↵

Blind Storage1 2 3 4 5 6 7 8 9 10 11 12

FreeOccupiedid data

Generate seed for PRG: s = FD-PRF (id)Kid1

10 3 4 2

Check that needed number of blocks are free. If so choose the shortest subset, S, containing size free blocks.

3

size = 4 blocks

6 10 3 1 4 9 2 8

Generate indexes for a pseudorandom subset of size max( size, ) from PRG(s).

2

↵⇤

Blind Storage

vi H(id) datajvi H(id) size data0

4 Create blocks with necessary information.

5

Store blocks into S10 3 4 2

}Encrypt blocks using PRF Kd

vi Ej6}

Blind Storage Update1 2 3 4 5 6 7 8 9 10 11 12

FreeOccupied

Generate seed for PRG: s = FD-PRF (id)Kid1

6 10 3 1

Generate indexes for a pseudorandom subset of size from PRG(s).

2

Find first block with our id using decryption.3

vi E0

H(id) size data0

Our file

Blind Storage Update4 Output size to client and accept size’ as the size of the file after update.

5 Determine if < max(size, size’). If so calculate, download and decryptremaining pseudorandom blocks.

↵⇤

6 10 3 1 4 9 2 8

6

10 3 4 2

Determine blocks with our id’s and output them.

7 Accept data’ as updated document

8 If size < size’ download more pseudorandom blocks and store.

Clear Storage• Similar to blind storage except there is no encryption.

• Uses a separate file system that stores header files indexing the last block of the pseudorandom subset occupied by a file.

vi H(id) datajvi H(id) size data0

}10 3 4 2

Store blocks into S

… …

H(id) 2

… …

Header File System Interface

Overview of BSTORE-SSE• All index files are stored in either blind storage or clear

storage.

• No server-side computation.

• Architecture independent.

• Highly parallelizable computation.

Operations of BSTORE-SSE• SSE.keygen: Generate keys

• SSE.indexgen: Generates index files for each keyword that is in at least one document. Proceeds to fill the blind storage array with index files. Uploads array and encrypted documents.

• SSE.remove: Removes a document from the system using a lazy delete strategy.

• SSE.add: Adds a document to the system. Generates/updates keyword index files.

• SSE.search: Search documents in BSTORE-SSE system for a given keyword.

Initialization• Operation of SSE.indexgen. Takes a set of (idf, dataf) tuples

and KSSE.

• Generate a document ID: E(idf) = PRP (idf).

• For each keyword present generate an index file that contains the E(idf) of the documents that contain that keyword.

• Store index files in blind storage system.

• Store encrypted documents outside of blind storage system.

KID

Removing Files• Operation of SSE.remove

• Takes document idf

• Compute document E(idf), identical to how we did during initialization.

• Check if document with E(idf) exist in system. If so delete it and move E(idf) to removed list.

• Keyword index files are not updated until a subsequent search operation. (lazy-delete)

Adding Files• Operation of SSE.add

• Takes tuple (idf, dataf)

• Compute document E(idf), identical to how we did during initialization.

• Generate random tag t for the document.

• Encrypt then prefix t to the document.

• Upload document to server using label E(idf).

Adding Files• For each keyword that is present in a document append

a tuple (E(idf), t) to the index file in the clear storage system for that keyword.

• Upload index files to the clear storage system.

Searching for Files• Operation of SSE.search

• Takes keyword w.

• Retrieves index files for w from both blind storage and clear storage using the first six stages of their update operations.

• Search index files for E(idf)’s that are also in the remove list.

• If found remove E(idf) and finish update process.

• User now has all idf’s and can request the document they are looking for.

Security Analysis• During update we leak (op, vi, size).

• For clear store the server learns all encrypted documents containing a specific encrypted keyword.

• During addition and removal of a document the updated remove list is revealed to the server.

• During a search the server learns how many times a keyword has been searched.

Experimental Results

Decreased per pair initialization time

Experimental Results

Average time for initialization.

Experimental Results

Time to search for a keyword excluding final decryption.

Future Research• Multiple client searches on single data-owner (shared)

cloud storage.

• Security against actively corrupt servers.

• Multiple keyword searches.

Related Works• R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky,

“Searchable symmetric encryption: improved definitions and efficient constructions,” in CCS, 2006, pp. 79–88.

• S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable symmetric encryption,” in CCS, 2012, pp. 965–976.

Questions?