Searchable symmetric encryption
In-game article clicks load inline without leaving the challenge.
Searchable symmetric encryption (SSE) is a form of encryption that allows efficient searching over a collection of encrypted documents or files without requiring decryption. SSE can be used to outsource files to an untrusted cloud storage server without revealing the files in plaintext, while preserving the server's ability to perform searches over them.
Description
A searchable symmetric encryption scheme is a symmetric-key encryption scheme that encrypts a collection of documents D = ( D 1 , … , D n ) {\displaystyle \mathbf {D} =(\mathrm {D_{1}} ,\dots ,\mathrm {D_{n}} )}, where each document D i ⊆ W {\displaystyle \mathrm {D_{i}} \subseteq \mathbb {W} } is viewed as a set of keywords from a keyword space W {\displaystyle \mathbb {W} }. Given the encryption key K {\displaystyle K} and a keyword w ∈ W {\displaystyle w\in \mathbb {W} }, one can generate a search token t k {\displaystyle tk} with which the encrypted data collection can be searched for w {\displaystyle w}. The result of the search is the subset of encrypted documents that contain the keyword w {\displaystyle w}.
Static SSE
A static SSE scheme consists of three algorithms S S E = ( S e t u p , T o k e n , S e a r c h ) {\displaystyle {\mathsf {SSE=(Setup,Token,Search)}}} that work as follows:
- S e t u p {\displaystyle {\mathsf {Setup}}} takes as input a security parameter k {\displaystyle k} and a document collection D {\displaystyle \mathbf {D} } and outputs a symmetric key K {\displaystyle K}, an encrypted index I {\displaystyle \mathbf {I} }, and an encrypted document collection E D {\displaystyle \mathbf {ED} }
- T o k e n {\displaystyle {\mathsf {Token}}} takes as input the secret key K {\displaystyle K} and a keyword w {\displaystyle w} and outputs a search token t k {\displaystyle tk}
- S e a r c h {\displaystyle {\mathsf {Search}}} takes as input the encrypted index I {\displaystyle \mathbf {I} }, the encrypted document collection E D {\displaystyle \mathbf {ED} } and a search token t k {\displaystyle tk} and outputs a set of encrypted documents R ⊆ E D {\displaystyle \mathbf {R} \subseteq \mathbf {ED} }
A static SSE scheme is used by a client and an untrusted server as follows: the client encrypts its data collection using the S e t u p {\displaystyle {\mathsf {Setup}}} algorithm which returns a secret key K {\displaystyle K}, an encrypted index I {\displaystyle \mathbf {I} }, and an encrypted document collection E D {\displaystyle \mathbf {ED} }. The client keeps K {\displaystyle K} secret and sends E D {\displaystyle \mathbf {ED} } and I {\displaystyle \mathbf {I} } to the untrusted server. To search for a keyword w {\displaystyle w}, the client runs the T o k e n {\displaystyle {\mathsf {Token}}} algorithm on K {\displaystyle K} and w {\displaystyle w} to generate a search token t k {\displaystyle tk} which it sends to the server. The server runs Search with E D {\displaystyle \mathbf {ED} }, I {\displaystyle \mathbf {I} }, and t k {\displaystyle tk} and returns the resulting encrypted documents back to the client.
Dynamic SSE
A dynamic SSE scheme supports, in addition to search, the insertion and deletion of documents. A dynamic SSE scheme consists of seven algorithms S S E = ( S e t u p , T o k e n , S e a r c h , I n s e r t T o k e n , I n s e r t , D e l e t e T o k e n , D e l e t e ) {\displaystyle {\mathsf {SSE=(Setup,Token,Search,InsertToken,Insert,DeleteToken,Delete)}}} where S e t u p {\displaystyle {\mathsf {Setup}}}, T o k e n {\displaystyle {\mathsf {Token}}}, and S e a r c h {\displaystyle {\mathsf {Search}}} are as in the static case and the remaining algorithms work as follows:
- I n s e r t T o k e n {\displaystyle {\mathsf {InsertToken}}} takes as input the secret key K {\displaystyle K} and a new document D n + 1 {\displaystyle \mathrm {D_{n+1}} } and outputs an insert token i t k {\displaystyle itk}
- I n s e r t {\displaystyle {\mathsf {Insert}}} takes as input the encrypted document collection E D {\displaystyle \mathbf {ED} } and an insert token i t k {\displaystyle itk} and outputs an updated encrypted document collection E D ′ {\displaystyle \mathbf {ED'} }
- D e l e t e T o k e n {\displaystyle {\mathsf {DeleteToken}}} takes as input the secret key K {\displaystyle K} and a document identifier i d {\displaystyle id} and outputs a delete token d t k {\displaystyle dtk}
- D e l e t e {\displaystyle {\mathsf {Delete}}} takes as input the encrypted data collection E D {\displaystyle \mathbf {ED} } and a delete token d t k {\displaystyle dtk} and outputs an updated encrypted data collection E D ′ {\displaystyle \mathbf {ED'} }
To add a new document D n + 1 {\displaystyle \mathrm {D_{n+1}} } the client runs I n s e r t T o k e n {\displaystyle {\mathsf {InsertToken}}} on K {\displaystyle K} and D n + 1 {\displaystyle \mathrm {D_{n+1}} }to generate an insert token i t k {\displaystyle itk} which it sends to the server. The server runs I n s e r t {\displaystyle {\mathsf {Insert}}} with E D {\displaystyle \mathbf {ED} } and i t k {\displaystyle itk} and stores the updated encrypted document collection. To delete a document with identifier i d {\displaystyle id}, the client runs the D e l e t e T o k e n {\displaystyle {\mathsf {DeleteToken}}} algorithm with K {\displaystyle K} and i d {\displaystyle id} to generate a delete token d t k {\displaystyle dtk} which it sends to the server. The server runs D e l e t e {\displaystyle {\mathsf {Delete}}} with E D {\displaystyle \mathbf {ED} } and d t k {\displaystyle dtk} and stores the updated encrypted document collection.
An SSE scheme that does not support D e l e t e T o k e n {\displaystyle {\mathsf {DeleteToken}}} and D e l e t e {\displaystyle {\mathsf {Delete}}} is called semi-dynamic.
History of Searchable Symmetric Encryption
The problem of searching on encrypted data was considered by Song, Wagner and Perrig, although earlier work on Oblivious RAM by Goldreich and Ostrovsky could, in theory, be used to address the problem. This work proposed an SSE scheme with a search algorithm that runs in time O ( s ) {\displaystyle O(s)}, where s = | D | {\displaystyle s=|\mathbf {D} |}. Goh and Chang and Mitzenmacher proposed new SSE constructions with search algorithms that run in time O ( n ) {\displaystyle O(n)}, where n {\displaystyle n} is the number of documents. Curtmola, Garay, Kamara and Ostrovsky later proposed two static constructions with O ( o p t ) {\displaystyle O(\mathrm {opt} )} search time, where o p t {\displaystyle \mathrm {opt} } is the number of documents that contain w {\displaystyle w}, which is optimal. This work also proposed a semi-dynamic construction with O ( o p t ⋅ log ( u ) ) {\displaystyle O(\mathrm {opt} \cdot \log(u))} search time, where u {\displaystyle u} is the number of updates. An optimal dynamic SSE construction was later proposed by Kamara, Papamanthou and Roeder.
Goh and Chang and Mitzenmacher proposed security definitions for SSE. These were later strengthened and extended by Curtmola, Garay, Kamara and Ostrovsky, who introduced the notion of adaptive security for SSE. This work was also the first to observe leakage in SSE and to formally capture it as part of the security definition. Leakage was further formalized and generalized by Chase and Kamara. Islam, Kuzu and Kantarcioglu described the first leakage attack.
All the previously mentioned constructions support single-keyword search. Cash, Jarecki, Jutla, Krawczyk, Roşu and Steiner proposed an SSE scheme that supports conjunctive search in sub-linear time in n {\displaystyle n}. The construction can also be extended to support disjunctive and Boolean searches that can be expressed in searchable normal form (SNF) in sub-linear time. At the same time, Pappas, Krell, Vo, Kolesnikov, Malkin, Choi, George, Keromytis and Bellovin described a construction that supports conjunctive and all disjunctive and Boolean searches in sub-linear time.
Security
SSE schemes are designed to ensure that an untrusted server cannot learn any partial information about the documents or search queries beyond a well-defined and reasonable leakage. The leakage of a scheme is formally described using a leakage profile, which itself can consist of several leakage patterns. SSE constructions attempt to minimize leakage while achieving the best possible search efficiency.
SSE security can be analyzed in several adversarial models, but the most common are:
- the persistent model, in which an adversary is given the encrypted data collection and a transcript of all operations executed on the collection;
- the snapshot model, in which an adversary is given only the encrypted data collection (possibly after each operation).
Security in the Persistent Model
In the persistent model, there are SSE schemes that achieve a wide variety of leakage profiles. The most common leakage profile for static schemes that achieve single keyword search in optimal time is Λ o p t {\displaystyle \Lambda _{\mathrm {opt} }} which reveals the number of documents in the collection, the size of each document in the collection, if and when a query was repeated and which encrypted documents match the search query. It is also possibly to construct schemes that leak considerably less, at the cost of increased search time and storage.
For dynamic SSE schemes, state-of-the-art constructions with optimal-time search have leakage profiles that guarantee forward privacy, meaning that inserts cannot be correlated with past search queries.
Security in the Snapshot Model
In the snapshot model, efficient dynamic SSE schemes can be constructed with no leakage beyond the number of documents and the size of the collection. When using an SSE construction that is secure in the snapshot model, careful consideration must be given to deployment, as some systems might cache previous search queries.
Cryptanalysis
A leakage profile describes only the leakage of an SSE scheme and does not indicate whether that leakage can be exploited. Cryptanalysis is therefore used to better understand the real-world security implications of a leakage profile. A wide range of attacks exist, operating under different adversarial models, based on a variety of assumptions, and targeting different leakage profiles.
Systems Supporting Searchable Symmetric Encryption
| Company | Product / Feature | SSE Notes |
|---|---|---|
| MongoDB | Queryable Encryption | Client-side field-level encryption indexes enabling equality search; SSE-style |
| Cossack Labs | Acra (searchable encryption / blind indexes) | Field-level encryption with blind index-based searchable encryption (exact, prefix, suffix); SSE-style |
| Baffle | Read Queryable Encryption (Baffle Data Protection) | Symmetric, proxy-based encryption that supports queries over protected data; SSE-like construction |
| AWS | AWS Database Encryption SDK – Searchable Encryption | Client-side encryption with HMAC-based beacons for equality search; related to SSE but explicitly noted by AWS as differing from academic SSE |