
The Power of Bamboo: On the Post-Compromise Security for Searchable Symmetric Encryption

Tianyang Chen, Peng Xu, Stjepan Picek, Bo Luo, Willy Susilo, Hai Jin, Kaitai Liang

TL;DR

This work addresses the vulnerability of dynamic searchable symmetric encryption (DSSE) schemes to client secret-key compromises, a gap in prior forward- and backward-secure designs. It introduces searchable encryption with key-update (SEKU) and defines post-compromise security via leakage functions, enabling non-interactive key updates while preserving data confidentiality after compromise. The Bamboo protocol implements SEKU with two-layer encryption and a hidden inter-ciphertext chain to achieve constant DataUpdate, sub-linear Search, and non-interactive KeyUpdate, and it is proven secure under the Type 1 threat model; it also subsumes forward security and is compatible with backward security. Experimental evaluation on a real-world Wikipedia-derived dataset shows Bamboo delivering strong security with competitive or superior performance relative to state-of-the-art forward-and-backward secure DSSE schemes, with notable gains in client-side efficiency and a bandwidth-reducing variant Bamboo* employing adjustable padding.

Abstract

Dynamic searchable symmetric encryption (DSSE) enables users to delegate the keyword search over dynamically updated encrypted databases to an honest-but-curious server without losing keyword privacy. This paper studies a new and practical security risk to DSSE, namely, secret key compromise (e.g., a user's secret key is leaked or stolen), which threatens all the security guarantees offered by existing DSSE schemes. To address this open problem, we introduce the notion of searchable encryption with key-update (SEKU) that provides users with the option of non-interactive key updates. We further define the notion of post-compromise secure with respect to leakage functions to study whether DSSE schemes can still provide data security after the client's secret key is compromised. We demonstrate that post-compromise security is achievable with a proposed protocol called "Bamboo". Interestingly, the leakage functions of Bamboo satisfy the requirements for both forward and backward security. We conduct a performance evaluation of Bamboo using a real-world dataset and compare its runtime efficiency with the existing forward-and-backward secure DSSE schemes. The result shows that Bamboo provides strong security with better or comparable performance.

Paper Structure (36 sections, 1 theorem, 15 equations, 10 figures, 4 tables, 4 algorithms)


Key Result

Theorem 1

Suppose hash functions $\mathbf{H}_1$, $\mathbf{H}_2$, and $\mathbf{G}$ are random oracles, and DDH assumption holds in $\mathbb{G}$, $\texttt{Bamboo}$ is a post-compromise-secure SEKU scheme since:

Figures (10)

  • Figure 1: The Observations on Client Queries and Key Compromise in the Moderate Threat Model. Note that in the stronger threat model, the two parties will share their observations.
  • Figure 2: An example of Bamboo. In the beginning, the client has run DataUpdate with $(op_1,(w,id_1))$ and $(op_2,(w,id_2))$. After the compromise, if the client is not "warned" immediately, it may still perform a new DataUpdate query on $(op_3,(w,id_3))$. At last, the client executes KeyUpdate for $K_\Sigma$.
  • Figure 3: Total KeyUpdate Time Cost of Bamboo vs. Number of Threads.
  • Figure 4: Total Search Time Cost vs. Result Size without Deletion.
  • Figure 5: Client Search Time Cost vs. Result Size without Deletion.
  • ...and 5 more figures

Theorems & Definitions (8)

  • Definition 1: SEKU
  • Definition 2: Adaptive Security Against $\mathcal{A}_\text{Srv}$
  • Definition 3: Adaptive Security Against $\mathcal{A}_\text{Thf}$
  • Definition 4: Post-Compromise Security
  • Theorem 1
  • Definition 5: Decisional Diffie-Hellman (DDH) Assumption
  • proof
  • proof