Practical and secure dynamic searchable encryption via oblivious access on distributed data structure

Thang Hoang, Attila Altay Yavuz, Jorge Guajardo
2016 Proceedings of the 32nd Annual Conference on Computer Security Applications - ACSAC '16  
Dynamic Searchable Symmetric Encryption (DSSE) allows a client to perform keyword searches over encrypted files via an encrypted data structure. Despite its merits, DSSE leaks search and update patterns when the client accesses the encrypted data structure. These leakages may create severe privacy problems as already shown, for example, in recent statistical attacks on DSSE. While Oblivious Random Access Memory (ORAM) can hide such access patterns, it incurs significant communication overhead
more » ... d, therefore, it is not yet fully practical for cloud computing systems. Hence, there is a critical need to develop private access schemes over the encrypted data structure that can seal the leakages of DSSE while achieving practical search/update operations. In this paper, we propose a new oblivious access scheme over the encrypted data structure for searchable encryption purposes, that we call Distributed Oblivious Data structure DSSE (DOD-DSSE ). The main idea is to create a distributed encrypted incidence matrix on two non-colluding servers such that no arbitrary queries on these servers can be linked to each other. This strategy prevents not only recent statistical attacks on the encrypted data structure but also other potential threats exploiting query linkability. Our security analysis proves that DOD-DSSE ensures the unlinkability of queries and, therefore, offers much higher security than traditional DSSE. At the same time, our performance evaluation demonstrates that DOD-DSSE is two orders of magnitude faster than ORAM-based techniques (e.g., Path ORAM), since it only incurs a small-constant number of communication overhead. That is, we deployed DOD-DSSE on geographically distributed Amazon EC2 servers, and showed that, a search/update operation on a very large dataset only takes around one second with DOD-DSSE , while it takes 3 to 13 minutes with Path ORAM-based methods. CCS Concepts •Security and privacy → Privacy-preserving protocols; Domain-specific security and privacy architectures; Keywords Privacy enhancing technology; privacy in cloud computing; searchable encryption; ORAM; oblivious data structure DOD-DSSE ‡ 1.1 s 2 ¶ We simulated the cost of ODS [25] with Path ORAM protocol [24] on dictionary (ODICT) and incidence matrix (OMAT) data structures. † The delays of schemes were measured in our experiment with an average network latency of 31 ms and throughput of 30 Mbps. ‡ This leakage does not lead to any statistical attacks. * Due to the sublinear operation time of dictionary data structure, ODS cannot fully hide the length of search/update result without fully padding which is very costly. To evaluate the performance of ODICT over the real network, we only simulated ODICT with average padding. § Full query linkability allows the adversary to perform, for example, frequency analysis [15] , resulting in statistical attacks. sponding files encrypted by standard encryption (e.g., [13, 12, 10, 4, 26] ). The client then can outsource encrypted files along with I and perform keyword searches or file updates without revealing the keyword/file content.
doi:10.1145/2991079.2991088 fatcat:lsou3ssf3ndbvlhiwnyfmi6exm