d-DSE: Distinct Dynamic Searchable Encryption Resisting Volume Leakage in Encrypted Databases

TL;DR

The results demonstrate that the scheme is practical in data search and with comparable computational performance to the SOTA DSE scheme and padding strategies and padding strategies and sharply reduces the communication cost as compared to padding strategies.

Abstract

Dynamic Searchable Encryption (DSE) has emerged as a solution to efficiently handle and protect large-scale data storage in encrypted databases (EDBs). Volume leakage poses a significant threat, as it enables adversaries to reconstruct search queries and potentially compromise the security and privacy of data. Padding strategies are common countermeasures for the leakage, but they significantly increase storage and communication costs. In this work, we develop a new perspective to handle volume leakage. We start with distinct search and further explore a new concept called \textit{distinct} DSE (\textit{d}-DSE). We also define new security notions, in particular Distinct with Volume-Hiding security, as well as forward and backward privacy, for the new concept. Based on \textit{d}-DSE, we construct the \textit{d}-DSE designed EDB with related constructions for distinct keyword (d-KW-\textit{d}DSE), keyword (KW-\textit{d}DSE), and join queries (JOIN-\textit{d}DSE) and update queries in encrypted databases. We instantiate a concrete scheme \textsf{BF-SRE}, employing Symmetric Revocable Encryption. We conduct extensive experiments on real-world datasets, such as Crime, Wikipedia, and Enron, for performance evaluation. The results demonstrate that our scheme is practical in data search and with comparable computational performance to the SOTA DSE scheme (\textsf{MITRA}*, \textsf{AURA}) and padding strategies (\textsf{SEAL}, \textsf{ShieldDB}). Furthermore, our proposal sharply reduces the communication cost as compared to padding strategies, with roughly 6.36 to 53.14x advantage for search queries.

Figures (14)

• Figure 1: The high-level of d-DSE design EDB. $\Sigma_{\textbf{T}_1.x}^\texttt{c}(w_1)$ and $\mathcal{E}_{\textbf{T}_1.y}^\texttt{c}(v_1)$ denote that the keyword $w_1$ and value $v_1$ in table column $\textbf{T}_1.x$ and $\textbf{T}_1.y$ are encrypted by $\Sigma$ and $\mathcal{E}$ with a counter $\texttt{c}$, respectively.
• Figure 2: BF-SRE: the scheme overview. We use the blue color to represent the same revocation.
• Figure 3: The number of keyword/value pairs associated with each keyword on Crime, Wikipedia and Enron dataset. The blue and red nodes represent the number of all and distinct keyword/value pairs, respectively.
• Figure 4: Comparison of the total search time and communication costs of BF-SRE, AURA$^P$, and MITRA$^P$without deletion.
• Figure 5: Comparison of search time costs of BF-SRE, AURA$^P$, and MITRA$^P$ on client without deletion.

Theorems & Definitions (15)

• Definition 1: The Distinct DSE
• Definition 2: Sim-adaptive Security of d-DSE
• Definition 3: Forward privacy
• Definition 4: Backward privacy
• Definition 5: DwVH Security
• Theorem 1: Adaptive Security of BF-SRE
• Theorem 2: DwVH Security of BF-SRE
• Theorem 1: Adaptive Security of BF-SRE
• Proof 1
• Theorem 2: BF-SRE's DwVH Security