Rethinking Searchable Symmetric Encryption

2023 IEEE Symposium on Security and Privacy (SP) Pub Date : 2023-05-01 DOI:10.1109/SP46215.2023.10179460

Zichen Gui, Ken Paterson, Sikhar Patranabis

{"title":"Rethinking Searchable Symmetric Encryption","authors":"Zichen Gui, Ken Paterson, Sikhar Patranabis","doi":"10.1109/SP46215.2023.10179460","DOIUrl":null,"url":null,"abstract":"Symmetric Searchable Encryption (SSE) schemes enable keyword searches over encrypted documents. To obtain efficiency, SSE schemes incur a certain amount of leakage. The vast majority of the literature on SSE considers only leakage from one component of the overall SSE system, the encrypted search index. This component is used to identify which documents to return in response to a keyword query. The actual fetching of the documents is left to another component, usually left unspecified in the literature, but generally envisioned as a simple storage system matching document identifiers to encrypted documents.This raises the question: do SSE schemes actually protect the security of data and queries when considered from a system-wide viewpoint? We answer this question in the negative. We do this by introducing a new inference attack that achieves practically efficient, highly scalable, accurate query reconstruction against end-to-end SSE systems. In particular, our attack works even when the SSE schemes are built in the natural way using the state-of-the-art techniques (namely, volume-hiding encrypted multi-maps) designed to suppress leakage and protect against previous generations of attack.A second question is whether the state-of-the-art leakage suppression techniques can instead be applied on a system-wide basis, to protect both the encrypted search index and the encrypted document store, to produce efficient SSE systems. We also answer this question in the negative. To do so, we implement SSE systems using those state-of-the-art leakage suppression methods, and evaluate their performance. We show that storage overheads range from 100× to 800× while bandwidth overheads range from 20× to100×, as compared to a naïve baseline system.Our results motivate the design of new SSE systems that are designed with system-wide security in mind from the outset. In this regard, we show that one such SSE system due to Chen et al. (IEEE INFOCOM 2018), with provable security guarantees based on differential privacy, is also vulnerable to our new attack.In totality, our results force a re-evaluation of how to build end-to-end SSE systems that offer both security and efficiency.","PeriodicalId":439989,"journal":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP46215.2023.10179460","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 16

Abstract

Symmetric Searchable Encryption (SSE) schemes enable keyword searches over encrypted documents. To obtain efficiency, SSE schemes incur a certain amount of leakage. The vast majority of the literature on SSE considers only leakage from one component of the overall SSE system, the encrypted search index. This component is used to identify which documents to return in response to a keyword query. The actual fetching of the documents is left to another component, usually left unspecified in the literature, but generally envisioned as a simple storage system matching document identifiers to encrypted documents.This raises the question: do SSE schemes actually protect the security of data and queries when considered from a system-wide viewpoint? We answer this question in the negative. We do this by introducing a new inference attack that achieves practically efficient, highly scalable, accurate query reconstruction against end-to-end SSE systems. In particular, our attack works even when the SSE schemes are built in the natural way using the state-of-the-art techniques (namely, volume-hiding encrypted multi-maps) designed to suppress leakage and protect against previous generations of attack.A second question is whether the state-of-the-art leakage suppression techniques can instead be applied on a system-wide basis, to protect both the encrypted search index and the encrypted document store, to produce efficient SSE systems. We also answer this question in the negative. To do so, we implement SSE systems using those state-of-the-art leakage suppression methods, and evaluate their performance. We show that storage overheads range from 100× to 800× while bandwidth overheads range from 20× to100×, as compared to a naïve baseline system.Our results motivate the design of new SSE systems that are designed with system-wide security in mind from the outset. In this regard, we show that one such SSE system due to Chen et al. (IEEE INFOCOM 2018), with provable security guarantees based on differential privacy, is also vulnerable to our new attack.In totality, our results force a re-evaluation of how to build end-to-end SSE systems that offer both security and efficiency.

查看原文本刊更多论文

重新思考可搜索对称加密

对称可搜索加密(SSE)方案支持对加密文档进行关键字搜索。为了获得效率，SSE方案会产生一定的泄漏。绝大多数关于SSE的文献只考虑整个SSE系统的一个组成部分的泄漏，即加密搜索索引。该组件用于标识响应关键字查询时要返回哪些文档。文档的实际获取留给另一个组件，通常在文献中没有指定，但通常设想为将文档标识符与加密文档匹配的简单存储系统。这就提出了一个问题:当从系统范围的角度考虑时，SSE方案实际上保护了数据和查询的安全性吗?我们的回答是否定的。我们通过引入一种新的推理攻击来实现这一点，该攻击可以针对端到端SSE系统实现实际有效、高度可扩展、准确的查询重建。特别是，即使SSE方案是使用最先进的技术(即卷隐藏加密的多映射)以自然的方式构建的，我们的攻击也能起作用，这些技术旨在抑制泄漏并防止前几代攻击。第二个问题是，是否可以在系统范围内应用最先进的泄漏抑制技术，以保护加密搜索索引和加密文档存储，从而产生高效的SSE系统。我们也用否定的方式回答这个问题。为此，我们使用最先进的泄漏抑制方法实施SSE系统，并评估其性能。我们展示了与naïve基线系统相比，存储开销从100倍到800倍不等，带宽开销从20倍到100倍不等。我们的结果激励了新的SSE系统的设计，这些系统从一开始就考虑到系统范围的安全性。在这方面，我们表明，由于Chen等人(IEEE INFOCOM 2018)的一个这样的SSE系统，具有基于差异隐私的可证明的安全保证，也容易受到我们的新攻击。总的来说，我们的结果迫使人们重新评估如何构建端到端的SSE系统，以提供安全性和效率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量