Secure Cloud Storage Service with An Efficient DOKS Protocol

Transcription

1 Secure Cloud Storage Servce wth An Effcent DOKS Protocol ZhengTao Jang Councaton Unversty of Chna Abstract Storage servces based on publc clouds provde custoers wth elastc storage and on-deand accessblty. However, ovng data to reote cloud storage also rases prvacy concerns. Cryptographc cloud storage and search over encrypted data have attracted attentons fro both ndustry and acadecs. In ths paper, we present a new approach to constructng effcent oblvous keyword search (OKS) protocol, whch perts fast search (.e., sub-lnear te) and relatvely short cphertext, whle provdng provably strong prvacy for both users and cloud storage servce provders. Prevous OKS protocols have cphertext sze lnear n the nuber of keywords, whch consue uch storage space and relatvely long searchng te. We forally defne a Dsunctvely Oblvous Keyword Search (DOKS) protocol realzng oblvous keyword search wth the cphertext sze constant n sze of keywords, whch s sgnfcantly less than that of prevous OKS protocols. Our approach proves both the prvacy and effcency of exstng OKS protocols. Wth DOKS, adversary cannot dstngush two search keywords subtted by users, and cannot know the relatons between cphertext of docuents and search keywords. A search keyword cannot be reused by adversares. Users can get the atchng docuents wthout revealng statstcal nforaton on search keywords. Keywords-Cloud storage; searchable encrypton; prvacy; provable securty; oblvous keyword search; DOKS I. INTRODUCTION Cloud coputng and ts pay per use elastc prcng and utlty odel has ade outsourcng storage and coputng needs ore attractve than ever. By ovng coputng and storage needs to the cloud, users can avod the hgh cost of storage and coputng nfrastructure ownershp and acheve avalablty and relablty at a relatvely low cost. However, outsourcng storage and coputng to a publc cloud nfrastructure also faces soe new challenges snce users and cloud storage provders (ether IaaS or SaaS lke databases) are not located n the sae trust doan. Thus, both data prvacy and access prvacy ust be antaned as a part of servce level agreeent (SLA) wth hgh level of guarantee. Ths akes securty and prvacy of outsourced data and prvate nforaton retreval one of the bggest challenges for outsourcng to cloud storage servces. A. Requreents for Secure Outsoutcng There are two portant challenges n secure outsourcng. Frst, the stored data ust be protected aganst unauthorzed access. Second, both the data and the access to data need to be protected fro cloud storage servce provders (e.g., cloud syste adnstrators). In these scenaros, relyng on password and other access control Lng Lu Georga Insttute of Technology lnglu@cc.gatech.edu echanss s nsuffcent. Cryptographc encrypton echanss are typcally eployed. However, sply havng encrypton and decrypton pleented n the cloud database systes s nsuffcent. In order to support both challenges, data should be encrypted frst by users before t s outsourced to a reote cloud storage servce and both data securty and data access prvacy should be protected such that cloud storage servce provders have no abltes to decrypt the data, and when the user wants to search soe parts of the whole data, the cloud storage syste wll provde the accessblty wthout knowng what the porton of the encrypted data returned to the user s about. In suary, a cloud storage servce should eet the followng three securty and prvacy requreents: (a) General data securty: The data should be securely stored n database hosted by the cloud storage servce such that any unauthorzed users cannot access t; (b) Database securty: A user s allowed to retreve soe data by keyword search technques, but the user cannot get ore content than the searchng result; (c) User query prvacy: The user s query preference ay be senstve, and the cloud storage provder and ts database server should not learn any useful nforaton about whch search keyword was subtted by the user and whch data has been obtaned by the user. In addton to eetng the securty and prvacy requreents outlned above, the cloud storage servce should contnue to honor the generally accepted servce level agreeents (SLAs). That s, the cloud storage servce should provde hgh coputaton and councaton effcency and support query-based access to allow users to selectvely and prvately retreve any desred segent of the whole data on deand. Fndng a good securty-functonalty tradeoff for outsourcng s a challengng research proble, whch has receved a great deal of attenton recently [1,2]. Cryptographc storage technques are wdely recognzed as an approach that holds the potental to eet the above requreents. The an advantage of cryptographc storage servces s that ts securty propertes are derved fro cryptography, as opposed to legal echanss, physcal securty or access control, and can be proved n a foral anner. A sple soluton for secure cloud storage s to encrypt the whole data and then store t n a database. To query any part of the data, one ust download the whole encrypted data for decrypton. Its coputaton and councaton coplexty s hgh, and t fals to eet the database securty and user query prvacy requreents [3]. Searchable encrypton schees are desgned to effcently solve securty probles for reote cryptographc storage whle enablng search for the expected contents correspondng to an encrypted keyword securely. The area of 1

2 searchable encrypton has been dentfed by DARPA as one of the techncal advances that can be used to balance the need for both prvacy and natonal securty n nforaton aggregaton systes. It also provdes value-added features to any busness servces, such as Google Desktop wth the ablty of searchng a clent s data across several coputers wthout sacrfcng the clent s prvacy. B. Searchable Encrypton Technques for Cloud Storage Searchable encrypton technques are coonly used to effcently eet the above requreents. There are several types of searchable encrypton schees n the lterature, each of whch s approprate to a partcular applcaton scenaro. Syetrc searchable encrypton (SSE) schee ntroduced n [4] s sutable for the settng where a party searchng over the data s also the one who generates t. Such scenaro s referred to as sngle wrter and sngle reader (SW/SR) [6]. Asyetrc searchable encrypton (ASE) s desgned for the scenaro where a party searchng over the data can be dfferent fro the party who generates t [5]. Such scenaro s referred to as any wrters and sngle reader (MW/SR) [6]. Snce wrters and readers can be dfferent, ASE schees are ore sutable for the settng wth a larger nuber of users. Both SSE and ASE protocols dd not copletely solve the proble that one can prvately retreve segents of encrypted data fro reote databases. Snce the database server can learn by passve loggng wth statstcal nference whch encrypted keyword atches the subtted search keyword and whch encrypted docuent s retreved. Oblvous keyword search (OKS) protocols are ang at realzng the searchng capabltes of searchable encrypton (SSE, ASE) protocols whle preservng prvacy of both wrters (requreent (b)) and readers (requreent (c)) n a strong verson, whch s not realzed by SSE or ASE. The noton of OKS protocol was frst ntroduced n [7], based on the assupton that reote storage servce provders and users do not trust each other absolutely, and one party ay try to learn senstve nforaton of the other party when conductng transactons. OKS hdes statstcal nforaton on search keywords by not leakng keyword atch results to databases or eavesdroppers. However, to prove the practcal applcablty of OKS protocols, the followng two ssues need to be addressed: () Ineffcent councaton, coputaton and storage. In prevous OKS protocols, each keyword s used to generate an encrypton key, whch s then used to encrypt the docuents, so the nuber of cphertexts and encrypton keys to be antaned s equal to the nuber of keywords to be used for search over the encrypted docuents. Usually the nuber of keywords s large, these protocols cost large storage space, hgh server coputaton te and hgh councaton bandwdth. () Strong securty guarantee. To acheve a confdent level of OKS securty n a provable anner, proper foral securty odels of characterzng OKS attacks and for classfyng coon behavors of adversares are needed. C. Scope and Contrbuton of the Paper In ths paper, we attept to address the above two challenges by desgnng a new approach to constructng effcent oblvous keyword search (OKS) protocol, whch perts fast search (.e., sub-lnear te) and relatvely short cphertext, whle provdng provably strong prvacy for both users and cloud storage servce provders. The sallercphertext-sze property s acheved by correspondng one cphertext to a keyword set. The provably-strong-prvacy property s acheved by reducng adversary s ablty of decryptng and dstngushng search keywords to dscrete logarth proble (DLP) and Dffe-Hellan (DDH) proble respectvely. Concretely, prevous OKS protocols have cphertext sze lnear n the nuber of keywords, whch consue uch storage space and relatvely long searchng te. We forally defne a Dsunctvely Oblvous Keyword Search (DOKS) protocol, whch realzes oblvous keyword search wth the cphertext sze constant n sze of keywords, sgnfcantly less than that of prevous OKS protocols. Our approach proves both the prvacy of and effcency of exstng OKS protocols. We show that DOKS s provably secure aganst adaptve chosen keyword attack (CKA) n rando oracle (RO) odel, whch overcoes securty flaws occurred n prevous OKS protocols. Wth DOKS, any adversary cannot know the relatons between cphertext of docuents and search keywords. Furtherore, a search keyword can not be reused by an adversary and users can get the atchng docuents wthout revealng any statstcal nforaton on search keywords. The DOKS protocol has any possble applcatons. For exaple, a user Alce wants to search for soe docuents provded by other users or organzatons fro whch Alce obtaned authorzaton. DOKS wll ensure that the search preference of Alce and other unrelated docuents are perfectly protected. Ths type of secure search over reote storage systes can be useful for electronc health records (EHR) systes, n whch a patent (or a physcan) wants to search for senstve treatent nforaton about the patent(s) for a partcular dsease dagnoss fro EHR databases hosted n soe thrd party storage servce provders. II. OVERVIEW & PROBLEM STATEMENT In ths secton we gve a bref overvew of exstng searchable encrypton protocols and present the proble stateent for the DOKS protocol developent. A. Basc Searchable Encrypton Protocols There are two basc types of searchable encrypton protocols: one s based on syetrc encrypton schees, and the other s based on asyetrc (publc key) encrypton schees. 1) Syetrc Searhable Encyrpton (SSE) The frst constructon of SSE schee s proposed n [4]. It works as follows. Gven a set of docuents to be outsourced to a cloud storage servce, each docuent s odeled as a sequence of words, represented by (w 1, w 2, w,, w l ). SSE can be used by a user U to encrypt each 2

3 docuent word by word such that the cphertext of all words are stored n the reote database server sequentally. U can search for those docuents that contan a search word w f ts cphertext atches one of the stored cpher blocks for the docuents n the reote docuent database. Below we descrbe how the encrypton and search are perfored: Frst, a user U generates an encrypton key k for a keyword w ( = 1, 2,, l), and gets X Ek ( w ) L, R, where X has n bts, L and R denote the frst n- bts and the last bts of X respectvely. U generates an encrypton key k for atchng verfcaton, and coputes k = f k (L ). Then U generates a rando nuber S and coputes T S Fk ( S). The fnal cphertext for w s C = X T. C s stored n the database server DS. To search for docuents contanng a keyword w, U coputes X = E k (w) and k = f k (L), and sends <X, k> to DS. Ths allows DS to search for w wthout revealng w tself. Any cphertext stored n the database server DS s coposed of cpher blocks, C, ( = 1, 2, N). DS sequentally coputes S F = C X, and F = F k (S ). If F = F, t eans that w s contaned n ths docuent wth hgh probablty. To decrypt the docuent, U generates S usng pseudorando generator (snce U knows the seed) sequentally, then he recovers L by XORng S wth the frst n- bts of C. Knowng L allows U to copute k and get X = E k (w ). Fnally, U gets w fro E k (w ) based on k. Snce SSE s based on syetrc encrypton schees, and encrypton of the search words and the correspondng atchng docuents s deternstc under one encrypton key. SSE has the followng ltatons: (1) It s only sutable for sngle-user envronent n whch a user who generates the cphertext for storage s the sae user who subts a searchng task. (2) Several secrete keys ust be stored on the user sde. U ust store at least three secret keys: () k for encryptng/decryptng words w 1,, w l and search word w; () k for calculatng the verfcaton functon f k (L); () Seeds for generatng rando verfcaton (and askng) values S 1,, S l. (3) Low prvacy protecton for users. Snce X = E k (w) and for effcency consderaton, k s not changed accordng to each word of the docuents to be encrypted, t cannot hde statstcal nforaton of words very well [4]. The DS server can get exact postons and frequency of search words n any docuent, even though he cannot learn the exact content. Furtherore, f a newly encrypted docuent s added to the database, the server can check whether t contans a partcular keyword (as well as ts exact postons, frequences, etc.) that has been subtted by users n the prevous queres. (4) Low dstngushablty guarantee for docuents. After recevng search words, DS can dstngush two docuents by checkng the ncluson or the postons of the encrypted data beng quered by search words. (5) Keyword encrypton s of coarse granularty. Snce docuents are encrypted word by word sequentally by strea cpher, f two words needs to be exchanged, soe new words need to be added or soe exstng words need to be reoved n a docuent, the whole docuent ust be re-encrypted. These ltatons otvate the developent of ASE. 2) Asyetrc Searchable Encrypton (ASE) Motvated by the ltatons of SSE, [5] ntroduced the asyetrc searchable encrypton (ASE) protocol usng publc key encrypton. For exaple, Bob sends encrypted eals to Alce usng Alce's publc key. Both the eal contents and the keywords are encrypted.the al gateway cannot know the keywords and hence cannot ake routng decsons or pleent searchng for custoers. Ther goal s to enable Alce to gve the gateway the ablty to test whether a keyword s ncluded n the eal, but the gateway should learn nothng else about the eal. Another advantage for ASE s that t s sutable for the settng where the party search over encrypted data s dfferent fro the party who encrypts the data. Concretely, ASE works as follows. (1) To send a essage M to Alce wth keywords w 1,, w, Bob sends E Apub (M) ASE(A pub,w 1 ) ASE(A pub,w ) to the gateway, where each keyword w s encrypted under Alce's publc key A pub. (2) Alce sends the gateway a certan token T w* that enables the gateway to test whether one of the keywords assocated wth the essage s equal to the search word w subtted by Alce. Naely, Gven ASE(A pub, w) and T w* the gateway can test whether w * = w. ASE protocols are ore sutable for ult-user settng than SSE. Even though the encrypton ASE(A pub, w ) s probablstc for w whereas the cphertext of SSE s deternstc, ASE stll has soe securty flaws for preservng prvacy. 1) Leakng frequency of search words. The token T w s deternstc on w and the atchng result s known to the gateway server. It knows the exact frequency of keywords quered by the users, and knows how any docuents contan such keyword, whch ay suffer fro dctonary attack. 2) Adversares can check whether a new docuent contans a certan keyword queres before. Wthout authorzaton, any adversary (ncludng the server) can check whether a new docuent contans a certan keyword that has been quered. Another ltaton of ASE s that t only focuses on encrypton of keywords and does not provde a concrete ethod on encryptng docuents. To overcoe the ltatons of both SSE and ASE, [6] desgned OKS protocols by hdng statstcal nforaton and provdng stronger prvacy protecton for both users and reote database servers [7,8]. OKS s applcable for the settng where one party uploads ts encrypted data and any authorzed users can download the portons of the data contanng partcular search keywords n an oblvous and yet ore effcent anner. We refer to such scenaro as sngle 3

4 wrter/any reader (SW/MR), whch dffers fro the settng of SSE (SW/SR) and ASE (MW/SR). B. Oblvous Keywork Search (OKS) Protocols In OKS, a database server possesses senstve docuents. It allows a user to search and retreve docuents contanng soe keywords chosen by users n an oblvous anner such that both user query prvacy and the database securty are guaranteed. By user prvacy, we ean that both adversares and database servers wll learn nothng about the keywords subtted by users and whch docuents has been retreved. By database securty, we ean that a user can only get the docuents that he has searched for, and cannot learn any ore nforaton on other docuents. We below forally defne these concepts. * w Defnton 1 (Correctness for OKS) Let Search ( ) denote the real search result whch s a set of unencrypted docuents n the database server DS contan a search word w *. After runnng the OKS protocol on the user s nput w *, f the database DS also outputs the sae search results as Search ( w * ), we say that the OKS s correct. Defnton 2 (User Prvacy n OKS) An OKS protocol s secure for a user, f for any alcous provder DS, the vew * * of DS for two keyword strngs ( w 1,..., wk ) and ( w 1,..., w k ) s coputatonally ndstngushable when the followng * * holds: ( w1,..., wk ) ( w 1,..., w k ). Defnton 3 (Database Securty n OKS) An OKS protocol s secure for a database, f the user can only get her * * searchng result Search ( w1 ),..., Search ( wk ), and cannot get any ore useful nforaton about other docuents wth non-neglgble advantage. Defnton 4 (OKS Securty) An OKS protocol s secure f t satsfes both user securty and database securty. OKS protocols are two party protocols between a database and a user, whch perfors encrypton and search over encrypted data wth user prvacy and database securty guarantee through a two-phase process: cot phase and transfer phase [7]. In cot phase, the database server DS has n data blocks, B 1,, B n such that B = (w, c ), where c denotes a docuent or data content to be encrypted and w W (W s the keyword space) s the correspondng keyword that wll be used to search over encrypted content. The reote database server DS cots the cphertexts C 1,, C n, where C = Enc(k, c ) and the encrypton key k s generated fro ts correspondng keyword w. At each subphase, U chooses a keyword w W and then ntates a key generaton protocol (KGP) wth database server DS. U gets the decrypton key for cphertexts ncludng w n an oblvous anner. Based on KGP, U learns Search(w), where Search(w) = {(, c ) w = w} s the set of all docuents contanng w as a keyword. However, U learns nothng ore than Search(w) and DS gans no nforaton on w. Presently, there are anly two ways to realze OKS: One s based on blnd sgnatures, and the other s based on oblvous polynoal evaluaton (OPE). Coparng wth general keyword search encrypton schees, OKS protocols have advantages of preservng prvacy for both user and database server. However OKS protocol also ntroduces dsadvantages, such as hgh councaton and coputaton cost, larger storage space to store cphertext, snce a large nuber of cphertexts of docuents are generated (see next subsecton for detal.). One of the challenges for OKS s to reduce the sze of cphertexs and ts pleentaton cost, whle preservng provable prvacy for both partes (user and database). D. Proble Stateent and Overvew of DOKS The dea of protectng prvacy of user access and ensurng database securty by usng secure coputaton has been studed by any researchers. Accordng to the types of cryptographc prtves utlzed n lterature, OKS fall nto the followng two categores: OKS constructed fro OPE and OKS fro RSA. To llustrate the probles of exstng OKS protocols and otvate the developent of DOKS, we assue that the docuent database conssts of a set of docuents, and U wants to retreve soe of the accordng to partcular keywords. Thus we below classfy the proble of keyword search over docuents nto four scenaros: Case 1 (1:1). Each docuent has only one keyword. Naely, there s one-to-one relatonshp between keywords and docuents. Case 2 (1:n). There are keywords, and each keyword assocates wth n docuents. The relatonshp between keywords and docuents s one-to-any. Case 3 (:1). There are n docuents, and each docuent ncludes keywords. The relatonshp between keywords and docuents s any-to-one. Case 4 (:n). There are n docuents and keywords, and each docuent ncludes keywords, each keyword assocates wth n docuents. The relatonshp between keywords and docuents s any-to-any. Prevous OKS protocols are only sutable for Case 1 and Case 2, n whch each keyword s used to generate one encrypton key for the assocated docuent [7]. If a docuent conssts of keywords (e. g., Case 3, Case 4), then copes of cpherctexts ust be generated by encrypton keys respectvely. Therefore, the nuber of cphertext for each docuent s equal to the nuber of keywords t contans. If the nuber of keywords s large, the sze of cphertex s also large. In Case 3 and Case 4, each docuent has ultple keywords. For exaple, the docuent Doc has keywords, represented by the keyword set KSet(Doc ) = {KW 1,.., KW }. Usng exstng OKS protocols for Case 3 and Case 4, one ust encrypt Doc tes, one per search word, wth encrypton keys generated by KW 1,.., KW respectvely. All the cphertexts for Doc ust be coputed, stored and delvered to the users who need to search over the encrypted docuent collecton. Snce the nuber of keywords s often 4

5 large, these protocols are hghly prohbtve for Case 3 and Case 4. Here are a lst of probles faced by exstng OKS: Proble 1. Coputaton exploson can be caused by large set of keywords. If each docuent has a large keyword set, say on the order of thousands or ore, then a large nuber of keys and cphertexts ust be generated and the docuents need to be encrypted ultple tes. When a new keyword s added to a docuent, one ore cphertext correspondng to ths keyword ust be generated. Probele 2. Storage space exploson can be caused by large duplcatons of encrypted versons of the orgnal docuents. If a docuent contans keywords, then t ust be encrypted by copes, usng one of the encrypton keys, one per keyword, whch consues huge storage spaces and search cost when the nuber of docuents s large and the nuber of search words per docuents s large. Proble 3. Councaton exploson can be caused by large nuber of cphertexts transferrng between the reote database server DS and each user U. A large nuber of copes of cphertexts need to be transferred fro database to users for each query servce request, whch consues hgh network I/O bandwdth. Proble 4. It lacks of foral securty odels to characterze and anage OKS attacks for case 3 and case 4 scenaros. E. DOKS: Desgn Ideas and Man Contrbutons The desgn of our DOKS protocol as at addressng the above challenges sultaneously by desgnng a new effcent OKS protocol. DOKS s ore effcent than exstng OKS protocols, especally for the case 3 and case 4 scenaros. More specfcally, DOKS needs only n cphertexts to be transferred, whle prevous OKSs transfer KSet KSet n (O(n)) cphertexts, where KSet s the set of keyword of docuent ( = 1, 2,, n), n s the nuber of docuent, s the average nuber of keywords contaned n each docuent. Thus, DOKS s sgnfcantly ore effcent n ters of storage, coputaton and councaton perforance copared wth prevous OKS protocols, especally for those case 3 and case 4, thanks to ts sall nuber of cphertexts. DOKS s applcable to sngle wrter and ultple reader (SR/MR) envronents, unlke SEE, whch s constraned to only the SR/SW envronent, and unlke ASE, whch works for MW/SR envronent (case 1 and case 2). To the best of our knowledge, ths DOKS developent s aong the frst endeavors on developng effcent and DLP based secure OKS protocols. In DOKS we address the prvacy property guarantee by usng a strong foral securty odel. We show that DOKS s provably secure aganst adaptve chosen keyword attack (CKA) n RO odel, whch overcoes securty flaws occurred n prevous OKS protocols. The provably-strong prvacy property s acheved by reducng adversary s attackng ablty to DLP and DDH proble respectvely. Generally speakng, cryptographc settngs are deployed to support two types of encrypton schees: nteger factorzaton proble (IFP) based RSA schees or DLP based Dffe-Hellan schees. To the best of our knowledge, all prevous OKS protocols are constructed fro RSA or OPE schees. Thus t s valuable to desgn DLP based OKS protocols, whch s sutable for cryptographc settng of dscrete logarth based encrypton. To prove the securty guarantee of DOKS, the foral chosen keyword attack (CKA) odel s ntroduced to characterze OKS attackers. DOKS provdes strong provable prvacy for both users and database servce provders aganst CKA n RO odel. Ths CKA odel can also be extended to analyze securty of other prevous OKS protocols. III. DOKS PROTOCOL BASED ON DL-ENCRYPTION In ths secton we frst ntroduce the basc defntons and securty odel for the DOKS protocol and then descrbe two phases of the DOKS protocol: encrypton and upload phase, download and decrypton phase. A. Defntons and Securty Models The DOKS protocol s constructed usng dscrete logarth proble (DLP) based Dffe-Hellan schee. Thus before we ntroduce the DOKS protocol, we provde defnton of soe basc concepts. Defnton 5 (The dscrete logarth proble DLP) Gven (g, X, Y, Z), where g, y Z p, to fnd x such that g x = y od p, s called dscrete logarth proble (DLP). The DLP assues that there does not exst any polynoal-te algorth that can solve DLP wth nonneglgble advantage. Defnton 6 (The Coputatonal Dffe-Hellan CDH) Gven (g, X, Y, Z), where X = g x od p and Y = g y od p, wthout knowng x and y, to copute Z = g xy od p, s called coputatonal Dffe-Hellan (CDH) prole. Slarly, CDH assues that there exst no polynoalte algorths that can solve CDH proble wth nonneglgble advantage. Defnton 7 (The decsonal Dffe-Hellan DDH) Gven (g, X, Y, Z), where g Z p, X = g x od p and Y = g y od p, to decde whether Z = g xy od p, s called decsonal Dffe-Hellan (DDH) proble. DDH also assues that there exst no polynoal-te algorths that can solve DDH proble wth non-neglgble advantage. Defnton 8 (DOKS) A dsunctve oblvous keyword search protocol based on DLP, denoted by DOKS, conssts of the followng polynoal te algorths: KeyGen(1 k ): Generates syste paraeters p, q Z p, such that q p 1, and g s of order q. User U s publc/prvate key par s pk/sk. Encode(KSet): Generates a rando polynoal P(x) n cotent phase, such that P(h w ) = t, where h w = H(w) s a hash functon and w KSet, t s a rando nuber, and KSet s the set of keyword assocated wth a docuent. Docuents are encrypted based on the key ateral t n cotent phase. Blnd(w * ): Blnds a search word w * wth U s publc key. 5

6 Encrypt(Blnd(w * )): Insert decrypton key aterals nto Blnd(w * ), and get c = Enc(Blnd(w * ), pk). Decrypt(c, sk): Decrypts c wth sk to get a decrypton key accordng to w *. Decode(E): Based on Decrypt(c, sk), decodes data generated n cotent phase. The DOKS protocol reles on the followng steps to encrypt data before uploadng t to the reote cloud storage and then to enable search over encrypted data by keywords: (1) The database server S encodes a set of keywords of each docuent to be a secret polynoal P(x); then the docuent s encrypted based on paraeters of P(x). (2) U subts a search word w to search for docuents contanng w. (3) U ntates a blnd key generaton protocol and gets the decrypton key. (4) If a docuent contans w as a keyword, U can decrypt the correspondng cphertext. We have entoned that DOKS protocols are secure aganst CKA n RO odel. It provdes strong provable prvacy of both users and database servce provders. Below we defne the chosen keyword attack (CKA) odel. Defnton 9 (CKA) Gven a DOKS protocol, DOKS = (KeyGen, Encode, Blnd, Encrypt, Decrypt, Decode), and the set of publc paraeters generated by KeyGen, the odel of chosen keyword attack (CKA) works as follows. In the attack gae, the adversary U nteracts wth the sulator S, who sulates database server, through queres n RO odel. (1) S generates n strngs E 1,..., E n n the cotent phase. (2) U queres S wth the search words, and S sulates the database server as n the real world. (3) S generates a challengng cphertext E. (4) U and S repeat (2). (5) At the end of the attack gae, U outputs the plantext c of cphertext E. U wns the attack gae f c s a vald plantext of E. The advantage of an adversary s defned as the probablty t wns the gae. An adversary s sad to be (, t, q w )-attacker, f t has advantage at least n the above gae, runs n te at ost t, and ake at ost q w hash queres, where [0, 1] s a real nuber. Defnton 10 (CKA securty) An OKS schee s sad to be (, t, q w )-secure n the sense of chosen keyword attack (CKA), f no (, t, q w )-attacker exsts. B. DOKS Two Phase Protocol DOKS protocol s a two-phase protocol wth upload phase and download phase. The upload phase s also called cot phase. The data owner (wrter) wll frst encode and encrypt all the docuents before uploadng the to the cloud storage. A cotent processor (CP) s used to carry out ths task by followng the phase I of the protocol. The second phase s called download phase or transfer phase, n whch a reader U who s authorzed by the wrter can query over the encrypted data hosted n the cloud database server by havng a download processor (DP) sendng blnded search word(s) to the reote database server DS. U can download and decrypts the atchng cphertexts. DP wll carry out ths task by followng the phase II of the protocol, whch gets decrypton keys for partcular docuents oblvously fro CP based on a blnded search word. DP also generates publc/secret key pars for user U. Let D = {(w 11, w 12,, w 1 ; c 1 ),, (w n1, w n2,, w n ; c n )} denote the collecton of n docuents to be uploaded to the cloud database, where s the rank of keyword feld, c s the data to be searched for, and w 1, w 2,, w are the keywords correspondng to c (1 n). Thus D contans a total of n search words. The concrete DOKS protocol works as follows: Syste publc paraeter (KeyGen): Generate two large pre ntegers p and q, such that q p-1. g Z q * s of order q. G s a pseudo-rando generator. Y = g µ od p s U s publc key, and µ s U s prvate key. Input: CP: D = {(KSet ; c )} [n], where KSet = (w 1, w 2,, w ), and w are not necessarly dstnct (1 n, 1 ), [n] denotes the set {1, 2,, n}; DP: a search word w. Output: DP: c, f w KSet ; nothng otherwse. (1) Upload and Data Encrypton At Upload Phase (Cot Phase), CP encodes keywords, encrypts correspondng docuents as cphertexts and attaches soe etadata (e.g., keywords, types, access odels, etc), and cots cphertext of docuents and etadata to the cloud storage server. CP encodes docuents as polynoals usng a pseudorando generator. Cot Phase (Encode): The CP perfors three tasks. Frst, CP chooses two rando nubers r, t Z * q for each docuent D = (w 1, w 2,, w ; c ), =1,,n; and then coputes hash value H(w ) = x, then D s encoded to be a polynoal: 1 P ( x) r ( x x ) t a x. 0 Therefore, each keyword s one root of P (x) t = 0, and can be used as a token to generate the decrypton key. Second, CP uses a pseudorando functon G to encrypt the docuent content (c 0 l ) n an XOR way: E = G(T ) (c 0 l ), t where T g od p, denotes concatenaton, 0 l s a l-bt strng. The 0-sequence checks valdty of the content c. Thrd, CP uploads the cphertexts of the docuents, E 1, E 2,, E n to the cloud database server DS. Wthout knowng the key T, any adversary cannot get c. (2) Data Download and Decrypton At Download Phase (Transfer Phase), user U can get senstve docuents contanng keyword w, wthout lettng DS know what he s downloadng. U (DP) blnds w wth hs publc key, Blnd(w), and sends t to the server, who knows nothng about w. DP generates Enc(Blnd(w)) by nsertng decrypton key nforaton nto Blnd(w). 6

7 On gettng Enc(Blnd(w)), Alce unblnds Enc(Blnd(w)) and gets the correspondng key to w. Then Alce can decrypt docuents what he wanted. ElGaal encrypton echans s used as the blndng functon. The probablstc encrypton and hooorphs property of ElGaal schee wll be used to ensure seantc securty for search word w n the followng for: k Enc y g w od p, n whch k s rando and y s the publc key of user U, and h w = H(w). Transfer phase: U wants to search for docuents assocatng wth a keyword set, Kset, contanng the keyword w. He nvokes DP. DP frst coputes h w = H(w) and then carres out the search, download and decrypton n the followng 4 steps. Step 1 (Blnd). DP chooses rando ntegers k Z * q (1 ), and coputes K k h k hw g od p, Enc y g od p. Then sends (K 1, Enc 1 ),, (K, Enc ) to CP. Step 2 (Encrypt). CP uses the hooorphs property of ElGaal encrypton to copute Enc( P ( h )) g and coputes w A a0 1 a ( Enc a ) 1 y ak g P ( hw ) g od p, = 0, 1,,. od p, CP sends Enc(P 1 (h w )),, Enc(P n (h w )) and A (1 n, 0 ) to DP. Ths step as at hdng statstcal nforaton on search words to ensure user access prvacy. Step 3 (Decrypt). DP has U s prvate key µ and knows k, = 1, 2,..,, so t can use ElGaal decrypton ethod to P recover T g ( hw ) od p, = 1, 2,, n. Step 4 (Decode). Intally, let T = Ø. For = 1, 2,, n, U coputes (a b ) = E G(T ). If b = 0 l, then DP succeeds and adds (w, a ) to T. Otherwse, DP outputs a falure essage. Fnally, DP has T = Search(w) as the searchng result, n whch the keyword set of each docuent contanng w. IV. DOKS FEASIBILITY ANALYSIS We have presented the desgn of DOKS protocol. One of the portant developents of DOKS protocol s to forally prove ts correctness, user securty and database securty. However, due to the space constrant, n ths secton we gve an nforal dscusson on the DOKS feasblty analyss and we refer readers to our techncal report [3] for further detal. For correctness analyss, we want to prove that there s a hgh probablty that DOKS wll return accurate and coplete set of the results of a keyword search. Suppose that there are n cphertexts and l denote the nuber of zero n the 0-sequence whch checks the valdty of the decodng process n step 4. After runnng DOKS protocol, the probablty that one can get the fnal searchng result Search(w) s at least 1 n2 -l. Consder two cases: () If the search word w subtted by a user U s equal to a keyword belongng to the keyword set KSet (1 ), then U can get the correct key nforaton and the correct decrypton key for docuents. () In the case that the search word w s not equal to any keyword of the keyword set KSet (1 ), then the probablty that U can get the correct decrypton key for docuents s no hgher than 2 -l. In addton to correctness, we also need to forally prove that DOKS preserves desred user s securty and database securty. To acheve User s securty, DOKS protocol should prevent any adversary, ncludng database server S fro gettng any useful nforaton on the keyword hdden n the cphertext. Concretely, n step 1 of DOKS protocol, f an adversary wants to dstngush two keywords, he wll run nto the proble of seantc securty of ElGaal encrypton schee, whch s ntractable. We next analyze the database s securty n RO odel by assung that DLP s hard. Suppose that there s a gae between the sulator S and an adversary. S sulates the encrypton ablty of the server by encryptng keyword ndexes and generatng cphertexts n RO odel. Based on the ntractablty of DLP, t can prove that the probablty that an adversary outputs the correct plantext s neglgble. Based on the assupton of DLP, a alcous user cannot get any extra useful nforaton on other docuents n the proposed DOKS protocol. In fact, by assung that DLP s hard, for a DLP-challenge nstance, the ablty of recoverng other plantext wll be reduced to guess the output value of rando oracle, whch s neglgble. At Query Phase 1: S acts as S to encode keywords as polynoals; U subts a polynoal nuber of search words for queryng; S trans U s attack ablty by answerng the queres correctly n RO odel. At Challenge Phase 2: U s gven a challengng cphertext to extract plantext ndexed by a keywords set. At Query Phase 3: U and S repeat Query Phase 1. At Query Phase 4: U outputs the plantext of the challengng cphertext n Phase 2. Furtherore, based on the assupton that DLP s hard, the U s attack ablty s reduced to guessng a rando value, whch s neglgble. Snce a set of keywords s encoded nto only one encrypton key n DOKS, DOKS only needs to antan n cphertexts for the sae dataset to be outsourced to a cloud storage, nstead of generatng and storng n cphertexts, whch s expensve n ters of storage, coputaton and councaton, especally when the nuber of keyword () and the nuber of cphertexts (n) are large. Furtherore, users do not have to download, decrypt and verfy n cphertexts. Therefore, even though the per encrypton cost n DOKS s slghtly hgher than exstng OKS protocols, wth the reducton on the nuber of encrypton/ decryptons needed fro n to n, DOKS protocol consues sgnfcantly 7

8 less coputaton and transsson for both encryptng and uploadng the outsourced datasets as well as downloadng and decryptng query results, whle offerng hgher user access prvacy and database securty. In short, DOKS needs to transfer (n+2) p bts, and the total coputaton s about (2n+6+1) odule exponentatons (E) and (n+1) odule ultplcatons (M), whle the OKS protocol n [7] needs ore than (n+2) E; and the OKS protocol n [9] needs ore than (2n+n+1) E. DOKS needs to store wth n cphertexts, whle [7], [8] and [9] stores n cphertexts. In the applcaton of reote storage, soe new keywords ay need to be added to the database and soe keywords ay to be deleted fro the database. 1) Keywords Addton Suppose that a new keyword w s added to the docuent c, then ts correspondng polynoal generated n cot phase should be changed nto P ( x) r 1 ( x x )( x h( w) w ) t 1 a x 0 where h w = h(w). Snce the paraeters r, t are not changed, odd users do not need to ntates new pleentaton of the full DOKS protocol. 2) Keywords Deleton When a keyword w needs to be deleted fro a docuent c, the syetrc key G(T ) of E = G(T ) (c 0 l ) ust be changed. The database server S chooses new paraeters r, t for P (x), and the procedure of transfer phase s not changed. 3) Mult-User Settng Snce the generaton of polynoal P(x) and docuent encrypton do not depend on any users key, DOKS protocol supports ult-user settngs, naely SW/MR, whch s dfferent fro SW/SR (SSE) or MW/SR (ASE). V. RELATED WORK The cryptographc storage servces have ganed actve attenton recently [6]. The an coponent for search over encrypted data ncludes the searchable encrypton (SSE, ASE and Mult-user SSE), the attrbute-based encrypton, and proofs of storage. [10] has presented two solutons to desgn ore effcent SSE, both of the offer ore effcency and stronger securty (adaptve SSE securty) n a ult-user settng. Ther frst constructon s effcent nonadaptve SSE schee n ters of coputaton on the server, and ncurs a nal cost for the user. Ther second constructon acheves adaptve securty. As we dscussed n the ntroducton secton, both SSE and ASE have soe ltatons: whle they are proven to be a secure encrypton schee, t s not proven to be a strongly secure searchable encrypton schee; the dstrbuton of the underlyng plantexts s vulnerable to statstcal attacks [5]. Recently a publc-key encrypton schee s proposed [11] to hde the access patterns. However, t has an overhead n search te that s proportonal to the square root of the database sze, whch s far less effcent than SSE[12]. Oblvous keyword search (OKS) protocols [6,8] present alternatve approaches to address the prvacy and securty of access patterns. However, as analyzed n Secton 2, we have shown the neffcency and weaker securty of exstng OKS protocols. VI. CONCLUSIONS AND FUTURE WORKS Ths paper nvestgated new approaches for constructng an effcent OKS protocol fro DLP. Snce all prevous OKS protocols are based on RSA or OPE probles, DOKS s sutable for new securty paraeter settngs. Foral DOKS protocol and CKA odel are ntally defned to acheve better perforance and provably strong prvacy. The cphertext sze of DOKS s ndependent of the nuber of keywords, leadng to better perforance than prevous OKS protocols n ters of the cost of councaton, coputaton and storage space. Other sgnfcant advantages of DOKS nclude: seantc securty for search words, full query solaton fro docuents, controlled search preventng search words fro reusng, hdng statstcal nforaton on queres. Acknowledgeent. Ths work s partally sponsored by grants fro NSF NetSE progra, SaTC progra, IBM faculty award and Intel ISTC on Cloud Coputng. The frst author thanks the support fro NSF ( , , ), BMNSF ( ), Engneerng Progra Proect of CUC, IERCPGP&ME (2012B ). REFERENCES [1] C. Wang, K. Ren, Sh. Ch. Yu, et al. Achevng usable and prvacyassured slarty search over outsourced cloud data. INFOCOM, [2] Y. Z. Tang, T. Wang, L. Lu, et al.. Prvacy-preervng ndexng for ehealth nforaton network, Proceedngs of 20th ACM CIKM, [3] Z. T. Jang, L. Lu. Practcal DOKS protocols wthout cphertext expanson for secure cloud storage. Techncal Report, Feb. 2013, CERCS, Georga Insttute of Technology. [4] D. X. Song, D. Wagner, A. Perrg. practcal technques for searches on encrypted data. Proceedngs of the IEEE Syposu on Securty and Prvacy, 2000, pp [5] D. Boneh, G. D. Crescenzo, R. Ostrovsky, G. Persano. Publc key encrypton wth keyword search. Advances n Cryptology- EUROCRYPT'04, 2004, LNCS 3027, Sprnger, pp [6] S. Kaara, K. Lauter. Cryptographc cloud storage. The 14th nternatonal conference on Fnancal cryptograpy and data securty, 2010, Sprnger-Verlag, pp [7] W. Ogata, K. Kurosawa. Oblvous keyword search. Journal of Coplexty, 2004, Vol. 20, Iss. 2-3, pp [8] M. J. Freedan, Y. Isha, B. Pnkas, et al. Keyword search and oblvous pseudorando functons. Proceedngs of the Second nternatonal conference on Theory of Cryptography- TCC'05, 2005, Sprnger-Verlag Berln, pp [9] H. S. Rhee, J. W. Byun, D. H. Lee, et al. Oblvous conunctve keyword search. Proceedngs of the 6th nternatonal conference on Inforaton Securty Applcatons-WISA'05, 2005, Sprnger-Verlag, Berln, pp [10] R. Curtola, J. Garay, S. Kaara, et al. Searchable syetrc encrypton: proved defntons and effcent constructons. Proceedngs of the 13th ACM conference on Coputer and councatons securty-ccs'06, 2006, pp [11] D. Boneh, E. Kushlevtz, R. Ostrovsky, et al. Publc-key encrypton that allows PIR queres. Cryptology eprnt Archve: Report 2007/073. [12] H. F. Zhu, F. Bao. Oblvous keyword search protocols n the publc database odel. ICC'07, 2007, pp