Searchable symmetric encryption: Improved definitions and efficient constructions
read more
Citations
Cryptographic cloud storage
Privacy-Preserving Multi-Keyword Ranked Search over Encrypted Cloud Data
Dynamic searchable symmetric encryption
Dynamic Searchable Symmetric Encryption.
Enabling Personalized Search over Encrypted Outsourced Data with Efficiency Improvement
References
Space/time trade-offs in hash coding with allowable errors
How to play ANY mental game
Protocols for secure computations
OceanStore: an architecture for global-scale persistent storage
Practical techniques for searches on encrypted data
Related Papers (5)
Frequently Asked Questions (13)
Q2. What is the main challenge in proving adaptive SSE schemes secure?
The main challenge lies in proving such constructions secure in the simulation paradigm, since the simulator requires the abilityto commit to a correct index before the adversary has even chosen its search queries—in other words, the simulator needs to commit to an index and then be able to perform some form of equivocation.
Q3. What is the reason why a user is not able to recover r′?
Since revoked users will not be able to recover r′, with overwhelming probability, their queries will not yield a valid trapdoor after the server applies φ−1r′ .
Q4. What is the search pattern induced by a q-query history?
The search pattern induced by a q-query history H = (D,w), is a symmetric binary matrix σ(H) such that for 1 ≤ i, j ≤ q, the element in the ith row and jth column is 1 if wi = wj, and 0 otherwise.
Q5. What is the solution for a large number of updates?
For applications where the number of queries dominates the number of updates, their solution may significantly reduce the communication size and the server’s computation.
Q6. What is the implication of the new definitions?
The implication is that, contrary to the natural use of searchable encryption described in [40, 23, 18], these definitions only guarantee security for users that perform all their searches at once.
Q7. What is the problem with proving a SSE-1 construction secure against an adaptive adversary?
The difficulty of proving their SSE-1 construction secure against an adaptive adversary stems from the difficulty of simulating in advance an index for the adversary that will be consistent with future unknown queries.
Q8. What is the function that can be used to locate and decrypt the nodes of Li?
Since each node of Li contains a pointer to the next node, the server can locate and decrypt all the nodes of Li, revealing the identifiers in D(wi).
Q9. What is the function that retrieves the documents that contain wi?
When the user wants to retrieve the documents that contain keyword wi, it computes the decryption key and the address for the corresponding entry in T and sends them to the server.
Q10. What would be the cost of a more expensive authentication protocol for each search query?
If access control mechanisms were used instead for this step, a more expensive authentication protocol would be required for each search query in order to establish the identity of the querier.
Q11. What is the simplest way to avoid revealing the number of distinct keywords in D?
To avoid revealing the number of distinct keywords in D, the authors add an additional |∆| − |δ(D)| entries in T filled with random values so that the total number of entries is always equal to |∆|.
Q12. What is the lexicographic order of the dictionary of d words?
Let ∆ = (w1, . . . , wd) be a dictionary of d words in lexicographic order, and 2∆ be the set of all possible documents with words in ∆.
Q13. What is the maximum number of virtual addresses in a look-up table?
the maximum number of entries in a look-up table will be polynomial in `, so the number of virtual addresses that are used is poly(`).