Searchable Encryption wi t h Secure and Efficient Updates
Florian Hahn
SAP, Karlsruhe
Germany
florian.hahn@sap.com
Florian Kerschbaum
SAP, Karlsruhe
Germany
florian.kerschbaum@sap.com
ABSTRACT
Searchable (symmetric) encryption allows encryption while
still enabling search for keywords. Its immediate applica-
tion is cloud storage where a client outsources its files while
the (cloud) service provider should search and selectively
retrieve those. Searchable encryption is an active area of
research and a number of schemes with different efficiency
and security characteristics have been proposed in the liter-
ature. Any scheme for practical adoption should be efficient
– i.e. have sub-linear search time –, dynamic – i.e. allow
updates – and semantically secure to the most possible ex-
tent. Unfortunately, efficient, dynamic searchable encryp-
tion schemes suffer from various drawbacks. Either they
deteriorate from semantic security to the security of det er-
ministic encryption under updates, they require to store in-
formation on the client an d for deleted files and keywords
or they have very large index sizes. All of this is a problem,
since we can expect the majority of data to be later added
or changed. Since these schemes are also less efficient than
deterministic encryption, they are currently an unfavorable
choice for encryption in the cloud. In this paper we present
the first searchable encryption scheme whose updates leak
no more information than the access pattern, that still has
asymptotically optimal search time, linear, very small and
asymptotically optimal index size and can be implemented
without storage on the client (except the key). Our con-
struction is based on the novel idea of learning the index for
efficient access from the access pattern itself. Furthermore,
we implement our system and show that it is highly efficient
for cloud storage.
Categories and Subject D escriptors
D.4.6 [Operating Systems]: Security and Protection—
Cryptographic controls; H.3.1 [Information Storage and
Retrieval]: Content Analysis and Indexing—Indexing meth-
ods
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from permiss ions@acm.org.
CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-2957-6/14/11 ...$15.00.
http://dx.doi.org/10.1145/2660267.2660297.
Keywords
Searchable Encryption; Dynamic Searchable Encryption; Se-
cure Index; Update
1. INTRODUCTION
Searchable (symmetric) encry ption [8, 9, 11, 13, 19, 20,
24, 29] consists of three operations. Encryp tion transforms a
keyword/file pair using a secret key into a ciphertext. Using
the secret key one can generate a search token for a specific
keyword. Using th is token, one can then search in a set of
ciphertexts for those that match th e keyword. Hence, one
can encryp t, but still search without decryption.
The immediate application for searchable encryption is
cloud storage where the client outsources its storage, but
encrypts its files for confidentiality beforehand and retains
the key. The advantage compared to standard encryption is
that the cloud can perform t he search operation without the
key and only return a matching subset for a query. Hence,
the client does not have to download the entire data set and
search h imself. In many cases this is an enormous efficiency
gain.
Any practical searchable encryption scheme should be effi-
cient, dynamic and secure. By efficiency we mean sub-linear
search time and this is achieved using an (inverted) index.
Indices can be difficult to update, particularly if they are
encrypted, but efficient dynamic searchable encryption [8,
19, 20, 24] achieves just this. Nevertheless, current efficient,
dynamic schemes [20, 24] leak a d et erministic function of
the keyword during an update, require client storage and
additional storage linear in the number of deletes [8] or have
an ind ex of the size of the number of docu ments times the
number of keywords [19]. This is a problem, since in long-
running systems the majority of data will be later added,
changed or deleted. Hence, a long-running system using
such a method is either no more secure or very inefficient
in storage. Furthermore, since deterministic encryption is
very efficient, searchable encryption becomes an unfavorable
choice for such cloud storage systems.
In this paper we present the first dynamic searchable en-
cryption scheme with secure and efficient updates. Even
under updates, our schemes leaks no more than what can
be inferred from the search tokens. Our index is on ly linear
in the number of keywords, hence asymptotically optimal,
and client storage (except the key) is optional in ou r con-
struction
1
. While our time for the first, initial search of a
keyword is linear in the number of keywords, we show that
1
Client storage can be used to speed up additions
it amortizes over multiple searches and is hence practical.
We show a theoretic upper bound for amortization in O(n
2
)
searches in Section 6.3. In our experiments amortization is
approached much faster, namely after 0.73n searches, which
is a much more practical assumpt ion. Furthermore, 84% of
all keywords where never searched for and remained seman-
tically secure encrypted.
Hence, our scheme offers a new viable alternative for se-
cure storage in the cloud. It is nearly as efficient as determin-
istic encryption having the same overall search complexity,
but it is clearly m ore secure leaking only t he access pattern
of files. We implement our scheme and show that is highly
efficient also in absolute performance metrics.
In summary, we contribute a searchable encryption scheme
that is
• dynamic. Data can be added, deleted and hence changed
after the initial outsourcing. In fact, we do not offer
a specific operation for initial outsourcing and assume
all data is added incrementally.
• efficient. Our scheme has asymptotically op timal, sub-
linear search time. Furthermore, our Java-based im-
plementation shows that a search in a collection with
300.000 keywords and docu ments can be performed in
70 ms on average. We only require to store 2 crypto-
graphic hash values per keyword and document.
• secure. We formalize security using a simulation-based
definition. Particularly, we define our own leakage
functions which are significantly more restrictive than
those of related work. Lo osely speaking, our scheme
is semantically secure unless a search token has been
revealed.
The remainder of the paper is structured as follows. In
the next section, we explain the problem of securely up -
dating searchable encryption in more detail an d outline our
solution approach. In Section 3 we describe the algorithms
of our scheme and formally define its security. We p resent
our construction in Section 4, before we prove its security
according to our definition in Section 5. We discuss open as-
pects in Section 6. In Section 7 we present the results of the
evaluation of our implementation. Finally, in Section 8 we
overview related work, before we summarize our conclusions
in Section 9.
2. PROBLEM DESCRIPTION
Searchable encryption consists of three operations: en-
cryption, token generation and search. Encryption takes a
plaintext, e.g. a file identifier, a (set of) keyword(s) and a
key as input. In this paper we investigate sy m met ric search-
able encryption, but there also exists public key searchable
encryption [6]. Encrypt ion produces a ciphertext which can
be outsourced to a server, e.g. in the cloud. The key holder
can generate a search token for a keyword using the token
generation operation. The storage service provider can iden-
tify all ciphertexts for a keyword using this search token and
the ciphertext( s) in the search operation. He learns which
ciphertexts match th e query (the access pattern) and mul-
tiple ciphertexts can match.
Searchable encryption can secure outsourcing of data by
retaining the key at the client. Still due to the search ca-
pability efficient retrieval can be implemented. The leakage
of the access pattern is key to this efficiency, since it allows
to retrieve all ciphertexts in one round. Methods that hide
the access pattern come with additional restrictions. Private
information retrieval ( PIR) [10, 22] can only retrieve one ci-
phertext. Furthermore computational PIR [22] requires a
linear scan of the d ata [28] and information-theoretic PIR
requires multiple servers to store t he data [10]. Oblivious
RAM [14, 31, 33] accesses also one entry at a time and
that even with at least logarithmic overhead. An interesting
scheme is proposed by Stefanov et al. that combines ORAM
and searchable encryption [30]. This scheme leaks th e access
pattern, but hides all keywords of updated files. Hence, it
has less leakage than our scheme, but it still has logarithmic
search time.
Song et al. introduced searchable encryption as a standard
semantically secure encryption scheme that only leaks the
access pattern of searches [29]. Their scheme still requires a
linear scan of all data for searching. Meanwhile, Hacig
¨
um
¨
us
et al. use deterministic encryption to search efficiently – in
sublinear time – in databases [16]. Clearly, deterministic en -
cryption leaks significantly more information than the access
pattern and hence is less secure, but more efficient.
Curtmola et al. introduced semantically secure searchable
encryption with sublinear search time [11]. Loosely speak-
ing, the basic idea is to construct an index as also used
in deterministic encrypt ion. The index is encrypted and
contains deterministically encrypted index keywords. Then
there is a list of entries where the pointer to the next entry
is encrypted with a key specific for the keyword. The search
token is a deterministic function of the keyword plus the
key for the decryption of the pointers. The storage service
provider can look up the d eterministic keyword in sublinear
time and then decrypt and traverse th e list. Still, th is is
semantically secure unless a search token has b een revealed,
since each keyword is encrypted deterministically at most
once.
Curtmola et al.’s constru ction builds this index on the
client before he uploads the data to the service provider.
They introduce an additional operation called BuildIndex
that takes all plaintexts and keywords as input. Afterwards
they allow no more updates until the client builds the next
entire index. Kamara et al. propose dynamic searchable en-
cryption where this index can be incrementally updated [20].
They describe an update operation that, lo osely speaking,
takes the deterministically encrypted keyword, a ciphertext
and a token key as inpu t. The service provider can then
insert the new ciphertext at the beginning of the list and
encrypt the pointer using the token key.
Another contribution starting with Curtmola et al. is the
simulation-based security definition. Differently from a game-
based security definition as in standard semantic security
the simulation-based security uses all leaked information to
construct a simulator that produces ind istinguishable out-
put. This has the clear ad vant age that the expected leakage
of the encryption is explicitly spelled out. In ord er t o acco-
mod ate updates Kamara et al. introduced additional leakage
functions: L
3
and L
4
in their paper. Particularly, for addi-
tions L
3
leaks a deterministic function of each keyword in a
ciphertext. Now, consider a case where the client uploads an
empty index and incrementally adds all ciphertexts. In this
case, the deterministic keyword function result(s) is (are)
revealed for each ciphertext. Hence, in this case dynamic
searchable encryption is no more secure than any determin-
Scheme Search Time Index Size Client Storage Revocation Storage Update Leakage Update Cost
[20] O(m /n) O(m + n) O(1) - ID(w) O(m /n)
[24] O(m /n) O(m + n) O(1) - ID(w) O(m /n)
[19] O(log |f| · m/n) O(|f | · n) O(1) - - O(log |f | · n)
[8] O(m /n) O(m + n) O(n) O(m ) - O(m /n)
This paper 1 O(m /n) O(m + n) O(n) - - O(m/n)
This paper 2 O(m /n) O(m + n) O(1) - - O(m )
Table 1: Overview over average complexities for efficient dynamic searchable encryption schemes. n is the number of unique
keywords, m is the total number of keywords, ID(w) is a deterministic identifier of the keyword, |f | is the number of files
istic encryption, yet has a constant overhead in space and
time.
Naveed et al. propose a scheme which trades storage for
performance by scattering the stored blocks using hashing
instead of encrypting the index [24]. They still leak a deter-
ministic function of the added keywords, i.e. the block where
the keyword index is stored. Kamara and Papamant hou fix
this problem by using a tree-based construction, but this
has index size linear in the number of d ocuments times the
number of keywords [19]. Furth ermore, constants are quite
high, since each index entry (one bit) requires a semantically
secure ciphertext. Cash et al. fix this prob lem by giving each
update a counter, but the client has to keep track of these
counters [8]. Furthermore, in order to accomodate deletes,
they organize those by keeping a revocation list, such that
the data may actually never be deleted. Nevertheless, they
offer an edit operation that is also indistinguishable from
an add operation in case of never before searched keywords.
Table 1 gives a comparison of these and our schemes.
The problem we consider in this paper is whether we can
update an outsourced storage without leaking anything ex-
cept th e access pattern and with minimal storage overhead.
It is important to maintain an index for sublinear search
time, since for large data sets linear scans are prohibitive,
particularly if they involve a linear number of cryptographic
operations. Moreover, it is important to provide storage-
efficient updates, since in the long run the majority of the
data will have been added after the initial outsourcing. O ver
the history of computing we have observed an exponential
growth in data, such that the initial data set is quickly
marginalized.
On a h igh level our approach works by learning the index
from the access pattern. We start with a non-index based
searchable encryption scheme that requires linear scans. When
we search, we learn the search token which is deterministic
and t he access pattern. We then start to construct an in-
dex u sing the token and the accessed ciphertexts. When
we search the same keyword again we can use the index
and search in constant time. Over the long run, the initial
linear search time amortizes and we achieve asymptotically
optimal search time while leaking nothing except the access
pattern.
We show a theoretic analysis with an upp er bound for
amortization of O(n
2
) searches. Yet, in our exp eriments
amortization is approached much faster, namely after 0.73n
searches.This is an assumption which can be easily met in
practice.
Clearly, the access pattern of past searches extends to the
future. A search token stays valid and can be used to match
against future ciphertexts until the entire system is rekeyed.
We have to account for this in our security definition and
include the respective leakage. We emphasize that this leak-
age is notably less than the leakage of the add operation
by Kamara et al. [20] or N aveed et al. [24] and differently
to their scheme ciphertext s for not previously searched key-
words remain semantically secure. Furthermore, this leakage
is already part of the most simple construction based on the
searchable encryption scheme by Song et al. [29] and it is also
not excluded in any of the other efficient, dynamic searchable
encryption schemes [8, 19]. In ou r experiments using real-
world search terms, 84% of all keywords were never searched
for and hence remained semantically secure encrypted.
We also optionally maintain a history of previous search
tokens at the client, such that ciphertext s for previously
searched keywords are en crypted differently. We emphasize
that this choice is a pure performance optimization and the
history could just as well be kept at th e service provider at a
higher upd ate cost. Furthermore, should the client lose the
saved history, he can restore it from th e index information
of the service provider. We further explain this choice in
Section 6.1.
Still, our construction is highly efficient and provides prac-
tical performance. We implement our system and a search
in collection with 300.000 keywords and documents can be
performed in 70 ms on average. We require very little stor-
age overhead and only need to store 2 cryptographic h ash
values per keyword and document. We provide the detailed
performance results in Section 7.
3. DEFINITIONS
The set of b inary strings of length n is denoted as {0, 1}
n
,
the set of all finite binary strings is denoted as {0, 1}
∗
.
Given a binary string u, we denote len (u) as its bit length.
Given two binary strings u, v, the concatenation is written
as u||v. The notation [1, n] with n ∈ N denotes the integer
set {1, . . . , n}. We d enote the output z of a (possibly proba-
bilistic) algorithm A as z ← A. Sampling uniformly random
from a set X is denoted as x ← X.
Throughout, λ will denote the security parameter. A
function f : N → R is negligible in x if for every positive
polynomial p(·) there exists a x
0
such that for all x > x
0
,
f(x) < 1/p(·).
We assume each file f having a unique file identifier ID(f ),
each file consists of words that is f = (w
1
, . . . , w
len(f )
) with
w
i
∈ {0, 1}
∗
. For a fileset f we denote len (f) as the number
of files in f. Given a keyword w we write f
w
as t he subset
of all files f that contain w. In addition, the set of all file
identifiers that contain th is keyword w is denoted by I
w
more
formally it is defined as I
w
= {ID(f
i
) : f
i
∈ f
w
}.
As mentioned in Section 1, our scheme does not offer an
operation for initial outsourcing a set of files but starts with
an empty search index γ. The service provider’s search in-
dex γ and collection of encrypted files c are updated by file
sp ecific add tokens α
f
for file f and its encryption.
To perform a search query for keyword w, the client gen-
erates an deterministic search token τ
w
that is handed to
the service provider. For simplicity of the exposition we as-
sume that all generated search tokens are given to the service
provider, i.e. if a search token has been created by the client
the service provider gains knowledge of it.
Finally, to delete a file f the client simply passes its file
identifier ID(f) to the service provider.
Definition 1 (SUISE). A securely updating index-based
searchable encryption scheme is a tuple of eight (possibly
probabilistic) polynomial-time algorithms SUISE = (Gen,
Enc, SearchToken, Search, AddToken, Add, Delete, Dec)
such that:
(K, γ, σ) ← Gen(1
λ
): is a probabilistic algorithm that
takes as input a security parameter λ and outputs a
secret key K, a (still empty) search index γ and a (still
empty) search history σ.
c ← Enc(K, f): is a probabilistic algorithm that takes
as input a secret key K and a file f . It outputs an
encrypted file c.
(σ
′
, τ
w
) ← SearchToken(K, w, σ): i s a (possibly proba-
bilistic) algorithm that takes as input a secret key K,
a keyword w and search history σ. It outputs a new
search history σ
′
and a search token τ
w
.
(I
w
, γ
′
) ← Search(τ
w
, γ) : is a deterministic algorithm
that takes as input a search token τ
w
, a sequence of
encrypted files c and a search index γ. It outputs a
sequence of identifiers I
w
and an updated search index
γ
′
.
α
f
← AddToken(K, f, σ): is a (possibly probabilistic)
algorithm that takes as input a secret key K, a file f
and a search history σ. It outputs an add token α
f
.
(c
′
, γ
′
) ← Add(α
f
, c, c, γ): is a deterministic algo-
rithm that takes as i nput an add token α
f
, an en-
crypted file c, a sequence of encrypted files c and a
search index γ . It outputs an updated search i ndex γ
′
and an updated sequence of encrypted files c
′
.
(c
′
, γ
′
) ← Delete(ID(f), c, γ): is a deterministic algo-
rithm that takes as input an identifier ID(f) of the file
that shall be removed, a sequence of encrypted files c
and a search index γ. It outputs an updated sequence
of encrypted files c
′
and an updated search index γ
′
.
f ← Dec(K, c): is a deterministic algorithm that takes
as input an encrypted file c and a key K. It outputs
the decrypted file f.
In Figure 1 we show the protocols between client and
server combining these algorithms into interaction patterns.
A dynamic searchable encryption scheme is called correct
if for all λ ∈ N, all keys K generated by Gen(1
λ
), and all
sequences of add, delete and search operations on search
index γ, every search operation returns the correct set of
files (except with n egligible probability).
In an ideal scenario, searchable encryption is implemented
in a way where the service provider learns absolutely nothing
abou t either the files or the search queries. As mentioned
in Section 2, there are methods to achieve this strict secu-
rity goals, but these come along with huge overhead. By
allowing the sever to learn particular information (e.g. the
access pattern) we can construct more efficient searchable
encryption schemes. To address this small knowledge the
service provider gains, we follow the approach of [8, 11, 19,
20, 24] and use leakage functions. The additional knowledge
the provider gains by getting ciphertexts and (add or search)
tokens is defin ed by these functions.
As noticed in [11], there is a difference between security
against adaptive chosen keyword attacks (CKA2) and non-
adaptive chosen keyword attacks (CKA 1), that must be
taken into account for security analyses. Security against
CKA2 guarantees security even when the client’s generated
query depend on results of previous queries and the search
index. In contrast, security against CKA1 guarantees se-
curity only when all queries generated by the client are in-
dependent of previous queries and th e search ind ex. Our
construction achieves the stronger notion of CKA2 security,
that is modified in a way suggested by Kamara et al. in [20]
to fit into the scenario of dynamic SSE.
Definition 2. Let SUISE = (Gen, Enc, SearchToken,
Search, AddToken, Add, Delete, Dec) be a securely updat-
ing index-based searchable encryption scheme. Consider the
following experiments with stateful attacker A, stateful sim-
ulator S and stateful leakage functions L
search
, L
add
, L
encrypt
.
Real
SSE
A
(λ) : the challenger runs Gen(1
λ
) to get the
tuple (K, γ, σ). The adversary A m akes a polynomial
number of adaptive queries q ∈ {w, f
1
, f
2
} and for
each query q the challenger generates either a search
token τ
w
← SearchToken(K, w, σ), an add token α
f
←
AddToken(K, f
1
, σ), or a file encryption c ← Enc(K, f
2
).
Finally, A returns a bit b that is output by the experi-
ment.
Ideal
SSE
A,S
(λ) : the simulator sets up its internal envi-
ronment. The adversary A makes a polynomial num-
ber of adaptive queries q ∈ {w, f
1
, f
2
} and for each
query q the simulator is given the appropriate leakage
i.e. either given L
search
(f, w), L
add
(f, f
1
) or L
encrypt
(f
2
).
S returns the appropriate token fτ
w
, fα
f
or a ciphertext
ec. Finally, A returns a bit b that is output by the ex-
periment.
We say SUISE is (L
search
, L
add
, L
encrypt
)-secure against adap-
tive dynamic chosen-keyword attacks if for all probabilis-
tic polynomial-time algorithms A there exists a probabilistic
polynomial-time simulator S so that advantage of A defined
as
Pr
Real
SSE
A
(λ) = 1
− Pr
Ideal
SSE
A,S
(λ) = 1
is negligible in λ.
4. IMPLEMENTATION
On a high level our construction works by learning the
index from the access pattern. Initially we maintain a reg-
ular index, i.e. for each document we store its (encrypted)
keywords. We denote this index γ
f
. Once a keyword is
searched, we move all file identifiers to an inverted index for
Client
Server
Add File
Delete File
Search Files
Gen(1
λ
)
(K, γ, σ)
γ
. . .
. . .
Initial Setup
Client
Server
SearchToken(K, w, σ)
(σ
′
, τ
w
)
Search(τ
w
, γ)
(I
w
, γ
′
)
Dec(K, c
i
)
i∈I
w
{f
i
}
i∈I
w
τ
w
{c
i
}
i∈I
w
Search Files
Client
Server
Enc(K, f)
c
AddToken(K, f, σ)
α
f
Add(α
f
, c, c, γ)
(c
′
, γ
′
)
c, α
f
Add File
Client
Server
Delete(ID(f), c, γ)
(c
′
, γ
′
)
ID(f)
Delete File
Figure 1: Use of algorithms from Definition 1 for realizing the complete p rotocol.
the keyword, i.e. the keyword is now the key to the index.
The keyword is also encrypted; it is the search token. We
denote this ind ex γ
w
.
Clearly, we have to accomodate future updates for key-
words that have already been searched. These keywords –
and their corresponding file identifiers – have been moved to
the inverted index. Hence, an update needs to update the
inverted index, or we need to always search both indices,
completely ruining search time. In this section we present
the option to maintain the search history at the client. The
client checks whether a keyword has been searched and tells
the server to include it in the inverted index. This is a pure
performance optimization. We present the alternative op-
tion to maintain the search history on the server at a higher
update cost in Section 6.1.
For our implementation we use several data structures in-
cluding lists and (chained) hash tables. For list l we denote
len (l) for the number of elements in l and x ∈ l iff value x is
stored in list l. Accessing the element at position i is written
as l[i]. A hash table T stores values v associated with keys
k, written as T [k] = v. We write v ∈ T if there is a key k so
that T [k] = v. For our imp lementation it is crucial that it is
feasible to access a value v with corresponding key k stored
in a hash table in constant time. If the values stored in the
hash table are lists, we call it a chained hash table.
Given an IND-CPA secure secret-key encryption scheme
SKE = (G
IND-CPA
, E
IND-CPA
, D
IND-CPA
), a pseudorandom
number generator G th at outputs random numbers with
bit length λ an d a pseudorandom functions F : {0, 1}
λ
×
{0, 1}
∗
→ {0, 1}
λ
, and a random oracle H : {0, 1}
λ
×{0, 1}
∗
→
{0, 1}
λ
we construct d ynamic SSE scheme SUISE = (Gen,
Enc, SearchToken, Search, AddToken, Add, Delete, Dec) as
follows:
• (K, γ, σ) ← Gen(1
λ
): sample two λ-bit strings k
1
←
{0, 1}
λ
and k
2
← G
IND-CPA
(1
λ
). In addition, create
two empty chained hash tables γ
f
, γ
w
and an empty
set σ. Output (K, γ, σ), with K = ( k
1
, k
2
) and γ =
(γ
f
, γ
w
).
• c ← Enc(K, f): parse key K = (k
1
, k
2
) and output
c = E
IND-CPA
k
2
(f).
• (τ
w
, σ
′
) ← SearchToken(K, w, σ): parse key K = (k
1
, k
2
)
calculate F
k
1
(w) = τ
w
set σ
′
= σ ∪ {τ
w
} and output
(τ
w
, σ
′
).
• (I
w
, γ
′
) ← Search(τ
w
, γ): parse search index γ = (γ
w
, γ
f
)
and check if there is an entry for τ
w
in γ
w
.
– If yes, then set I
w
= γ
w
[τ
w
] and γ
′
w
= γ
w
.
– Otherwise create an emp ty list I
w
and do for every
c ∈ γ
f
:
1. for every c
i
∈
c that is i ∈ [1, len (c)], set
c
i
= l
i
||r
i
and check if H
τ
w
(r
i
) = l
i
. If yes
then insert ID(f ) that corresponds t o
c into
I
w
.
Update γ
′
w
by creating an entry γ
w
[τ
w
] = I
w
Output I
w
and (an updated version of) γ
′
= (γ
′
w
, γ
f
).
• α
f
← AddToken(K, f, σ): parse K = (k
1
, k
2
). For file
f that consists of a sequ ence of words create a list
f
of unique words f ⊇ f = (w
1
, . . . , w
len
(
f
)
). Generate
