A Searchable Encryption Scheme for Outsourcing Cloud Storage




Jyun-Yao Huang
Department of Computer Science and Engineering, National Chung Hsing University, Taichung 402, Taiwan
allen501pc@gmail.com

I-En Liao
Department of Computer Science and Engineering, National Chung Hsing University, Taichung 402, Taiwan
ieliao@nchu.edu.tw

Abstract

With the oncoming information explosion, cloud service providers and enterprises often place encrypted data into third-party cloud storage via data outsourcing. It is crucial that cloud service providers or enterprises provide a secure encryption algorithm and allow the encrypted data to be searchable. By using secret sharing and searchable encryption techniques, we can search the encrypted tuples of the cloud databases and storages without revealing our data to third-party cloud storage providers. In recent years, some schemes for searchable encryption have not offered a suitable solution for both encrypted numeric and non-numeric data. This paper proposes a robust and searchable encryption scheme for data outsourcing in cloud computing by considering both numeric and non-numeric data. In addition, this scheme provides some fault-tolerance availability for cloud computing.

Keywords: Cloud Computing; Data Outsourcing; Data Security; Searchable Encryption; Secret Sharing

I. INTRODUCTION

In recent years, due to the coming of cloud computing services, information companies have been rapidly providing convenient services to users. This technology is used widely by researchers to obtain amazing research results. It makes an agile service prototype for users to achieve more and more convenient service. Cloud computing is a large-scale distributed computing paradigm.
According to NIST's (National Institute of Standards and Technology) definition of cloud computing: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [1][2]. Usually, cloud providers have their own cloud infrastructures or corresponding applications for their customers. There are three typical service models for cloud computing:

1) Infrastructure as a Service (IaaS), which provides cloud computing infrastructures for customers.
2) Platform as a Service (PaaS), which provides both IaaS and platform components such as operating systems or needed libraries.
3) Software as a Service (SaaS), which provides applications on the cloud-computing platform.

However, NIST also defines the deployment models for cloud computing [1][2]:

1) Public cloud, which allows users access to the cloud via the web browser interface.
2) Private cloud, which is set up by the action using internal communication.
3) Hybrid cloud, which is a private cloud linked to one or more external cloud services, centrally managed, provisioned as a single unit, and circumscribed by a secure network.
4) Community cloud, which shares infrastructure resources between server organizations via secret community channels.

With the coming of cloud computing, hundreds of thousands of network users or enterprises would like to register their personal or private information for the use of some services. However, many enterprises prefer to construct their private cloud service for security or extend the data storage as hybrid cloud storage services such as Dropbox [3], Amazon S3, etc. Enterprises may use third-party cloud storage services to store their large-scale user data, with these services generally termed data outsourcing.
However, some data outsourcing services may be malicious, illegally monitoring or retrieving users' stored private information. The file search service is often used in cloud storage. Therefore, providing a searchable encryption method for enterprises in outsourcing cloud storage is an important issue. The implemented method should ensure that: (1) if a cybercriminal steals part of the data, he or she cannot access the decrypted data easily, and (2) keyword search ability is provided based on the encryption scheme. Secret sharing algorithms are sufficient methods which can achieve the above two requirements for data outsourcing in cloud storage. In recent years, some studies proposed secret sharing based methods for this issue in cloud storage. However, these seldom considered non-numeric data (e.g. text), which are a common media type in cloud storage. This paper proposes a robust and searchable encryption scheme considering both numeric and non-numeric data. Further, this scheme provides some fault-tolerance availability for cloud computing.

The rest of this paper is organized as follows. Section II discusses the related work for secret sharing methods and cloud computing. Section III describes our scheme for encryption and searching. Section IV analyzes security and fault tolerance. Finally, Section V offers the conclusion.

This research was partially supported by National Science Council, Taiwan, under contract no. NSC100-2221-E-005-070.
978-1-4673-0887-8/12/$31.00 2012 IEEE. COMNETSAT 2012.

II. RELATED WORK

In 2000, Dawn Xiaodong Song et al. [4] proposed a search algorithm for encrypted data. It encrypts each n-bit word of the message and outputs the result as encrypted data. When a user wanted to search for some special words in that encrypted data without decrypting the input data, he or she just applied the same encryption method to the search words. Thus, only a normal text search method was required to obtain the search results. This method is shown in Figure 1.

Figure 1. Searchable encryption

The above method is a symmetric encryption algorithm. An asymmetric approach was proposed in 2004, when Dan Boneh et al. [5] proposed PKES (Public Key Encryption with keyword Search) based on the BDH (Bilinear Diffie-Hellman) assumption, which assumes the use of bilinear map properties. A modified Weil pairing $\hat{e}: G_q \times G_q \to \mu_q$ is admissible if it has three properties:

1) Bilinear: For all $P, Q \in G_q$ and $a, b \in \mathbb{Z}$, $\hat{e}(aP, bQ) = \hat{e}(bP, aQ) = \hat{e}(P, Q)^{ab}$. This can be restated as: for all $P, Q, R \in G_q$, $\hat{e}(P+R, Q) = \hat{e}(P, Q)\,\hat{e}(R, Q)$ and $\hat{e}(P, Q+R) = \hat{e}(P, Q)\,\hat{e}(P, R)$.
2) Non-degenerate: $\hat{e}(P, P) \in F_q^*$ is an element of order $q$, and in fact a generator of $\mu_q$.
3) Computable: Given $P, Q \in G_q$, there is an effective method to compute $\hat{e}(P, Q)$.

Mihir Bellare et al. [6] proposed the Efficiently Searchable Encryption (ESE). They provided a deterministic searchable algorithm by computing the tags of the ciphertext and message. At the same time, Boneh et al. [7] proposed PIR (Private Information Retrieval) using Bloom Filter and Buffer schemes to improve the search speed.
In 2010, Rei Yoshida et al. [8] proposed a more practical method, IPIR (Improved PIR), to improve on it. However, the above techniques may not be useful, because the cloud storage providers may not provide a buffer to the user. Our proposed scheme therefore considers this situation.

The secret sharing idea was announced in 1979. Shamir et al. [9] described the main concept: we make the file into n replicas and encrypt each one. This guarantees:

1) We must collect at least k replicas (k<n) to recover it.
2) If we cannot collect at least k replicas, we cannot recover it.

This can be realized with a polynomial of order k-1. However, this method incurs a higher cost for range queries, because it must recover all the replicas of each datum and make comparisons. Therefore, Bijit Hore et al. [10] improved this method by adding tags to the encrypted replicas to mark the range of each datum, which speeds up the query. However, this method has the drawback that one must determine a suitable range of each datum to mark up. This defect makes it rather unsuitable for cloud storage services.

In 2010, Divyakant Agrawal et al. [11] implemented a secret sharing algorithm for cloud storage. It encrypts data and distributes ciphertext replicas to each cloud storage such as Amazon S3, and it should know the encryption formulas. It has the following properties:

1) Fault tolerance: the data cannot be destroyed easily.
2) High security: If there is one attacker in the third-party storage service, he would need to obtain far more replicas in different cloud storages; otherwise he cannot decrypt the data easily.

However, this method had the same drawback in range queries and cannot provide text search. Therefore, it provided an order-preserving polynomial construction and added a range query record to support range queries. For text search, it converted the input text into a number type. However, it is not suitable for searching large text data because of overflow and lower performance.
In the other aspect, the scheme proposed in [11] supports only part of the text query. For example, it converts the regular text AB*** into the encoding $(12000)_{27}$ to support keyword searches that begin with AB, but it may not support *AB* very well. This paper proposes a robust and searchable encryption scheme considering both numeric and non-numeric data. Further, this scheme provides some fault-tolerance availability for cloud computing.

III. PROPOSED SCHEME

This scheme is inspired by the method of Divyakant Agrawal et al. [11], but the main difference is that we provide an integrated scheme for numeric data and text data queries and provide corresponding searchable encryption. The design of this scheme is shown in Figure 2. The architecture is partitioned into two parts: the trusted private cloud service and the un-trusted cloud service. The un-trusted cloud service provides several cloud databases (denoted CDB) and cloud file storages (denoted CFS). The cloud database service and the cloud file storage service may be provided by different cloud service providers. In our scheme, there are N cloud databases and four cloud file storages. Note that each CDB and CFS has a unique id. We write $CDB_i$ for the CDB with id i and $CFS_i$ for the CFS with id i, respectively.

Figure 2. System architecture

A. Content Encryption

In the trusted private cloud service, the data source is one table of the relational database. One procedure retrieves the column type, data id, column name, and content value of each tuple in the table. This procedure then sends the content value to a checking procedure, which sends the numeric or text data to the corresponding encryption method. We provide content encryption for the following two cases:

1) Numerical data: Use the secret sharing algorithm [11]; the encrypted data are stored in cloud databases.
2) Non-numeric (text) data: Run the non-numeric segment encryption algorithm in Figure 3.

In Figure 3, we split the content into several segments in line 1. For each position of segments, we encrypt the segments and chain them as lists in lines 6~9. We store the chained lists of encrypted segments into the CFS with id H(t) in line 10. Then we encrypt the coefficients and the secret number by the secret sharing algorithm with order k and store them in CDBs in lines 11~12. That is, in lines 10~12 the algorithm stores the calculated partial list $L_t$ in the cloud file storage with id H(t), uses the secret sharing algorithm to encrypt the generated coefficients and secret number, and places these encrypted parameters into cloud databases. Thus, there is no maintenance overhead for our encryption method, and fault tolerance is increased for storing these important parameters.

Input: File content value V, number of segments s, column name C and tuple id I.
Output: Coefficients $c_1 \sim c_n$, ciphertext $M_c$, secret number $x$
1. Partition V into multiple blocks $V_{11} V_{12} \dots V_{1s}\; V_{21} V_{22} \dots V_{2s}\; \dots\; V_{n1} \dots V_{ns}$ (by Text Splitter)
2. Select a one-to-one mapping function $H(g) = g'$, where $g, g' \in \{1, 2, \dots, s\}$
3. For j=1 to s, do
4.     Create arbitrary coefficients $c_{j1}, c_{j2}$ in [-N, N] and secret number $x_j$, where N is a self-defined integer
5.     Declare string list L;
6.     For i=1 to n, do
7.         $V'_{ij} \leftarrow c_{j2} x_j^2 + c_{j1} V_{ij} x_j$
8.         $L \leftarrow L \,\|\, V'_{ij}$
9.     End
10.    Store L to the path /C/I in $CFS_{H(j)}$
11.    Use the secret number sharing algorithm with order k to encrypt $c_1$ as $c'_1$, $c_2$ as $c'_2$, and $x_j$ as $x'_j$ to generate N secret shares, respectively.
12.    Put the encrypted data $c'_{j1}$, $c'_{j2}$, and $x'_j$ into N CDBs with $(I, j, c'_{j1}, c'_{j2}, x'_j)$ in column name C.
13. End

Figure 3. Non-numeric data encryption algorithm

For example, suppose there is a content value AB with UTF-32 encoding stored in column name C and its tuple id (primary key) is 2. Since each letter is encoded by 4 characters in UTF-32 encoding, the text splitter splits these two letters into single characters $\alpha_1 \beta_1 \gamma_1 \delta_1 \alpha_2 \beta_2 \gamma_2 \delta_2$, and these characters are encoded as follows:

$L_1 = \alpha'_1 \alpha'_2$, $L_2 = \beta'_1 \beta'_2$, $L_3 = \gamma'_1 \gamma'_2$, $L_4 = \delta'_1 \delta'_2$

where $\alpha'_i = c_2 x_i^2 + c_0 \alpha_i x_i$, for $i \in N$. The other characters use the same formula with different coefficients. Assume H(1)=4, H(2)=3, H(3)=2, H(4)=1. The program puts the lists $L_1 \sim L_4$ in the corresponding path /C/2/ at $CFS_4$, $CFS_3$, $CFS_2$, and $CFS_1$, respectively.

B. Searchable Ciphertext Query

In this searchable ciphertext query, given the searched column name C, a content value, and the corresponding content type T of column C, there are two cases, depending on the content type T:

1) Numeric: we use the method of [11] to search numerical data.
2) Non-numeric: we use the non-numeric searching algorithm shown in Figure 4. The main idea is based on normal keyword search in the file system. We just add the encryption to the keyword before searching and hand out the encrypted keyword searching task to the CFSs. Thus, the cloud storage service provider cannot know the content in our CFSs.

Input: keyword W in selected column C.
Output: the full tuples containing W in column C.
1. Use "Text Splitter" to split W into several segments $W_{11} W_{12} \dots W_{1s}\; W_{21} W_{22} \dots W_{2s}\; \dots\; W_{n1} \dots W_{ns}$
2. For I=1 to N in column C in CDB (where I is the tuple id noted in the records in column name C and we assume that there are N different tuple ids), do
3.     For j=1 to s, do
4.         Fetch the coefficients $c_{j2}$, $c_{j1}$, and secret number $x_j$ by the secret sharing algorithm from CDBs.
5.         For i=1 to s, do
6.             $W'_j \leftarrow W'_j \,\|\, (c_{i2} x_{ij}^2 + c_{i1} W_{nj} x_{ij})$
7.         End
8.         Retrieve the file containing $W'_j$ from path /C/I in $CFS_{H(j)}$. If it cannot retrieve the file, go to line 2.
9.         Combine ciphertext $W' = W_{11} W_{12} \dots W_{1s}\; W_{21} W_{22} \dots W_{2s}\; \dots\; W_{n1} \dots W_{ns}$. If $W' = W$, cache the decrypted file and tuple id I.
10.    End
11.    Output the result including non-numeric and numeric tuples with cached tuple ids from CFSs and CDBs.
12. End

Figure 4. Procedure of searching non-numerical file

For example, if we want to find the full tuples which contain the text keyword AB in a specific column name C, the following steps are run:

1) Split the AB codes into 11 134 138 16 12 113 138 11 (each code is separated by one space).
2) Assume the proposed scheme recovers the coefficients from the cloud databases using the secret sharing algorithm: $c_{12}=9$, $c_{11}=2$, $c_{22}=4$, $c_{21}=1$, $c_{32}=4$, $c_{31}=2$, $c_{42}=4$, $c_{41}=2$ and secret numbers $x_1=3$, $x_2=5$, $x_3=x_4=2$.
3) Encode W' = 11 134 138 11 12 113 138 11 as
   $W_1 = (9 \cdot 3^2 + 2 \cdot 11 \cdot 3) \,\|\, (9 \cdot 3^2 + 2 \cdot 12 \cdot 3)$,
   $W_2 = (4 \cdot 5^2 + 1 \cdot 134 \cdot 5) \,\|\, (4 \cdot 5^2 + 1 \cdot 113 \cdot 5)$,
   $W_3 = (4 \cdot 2^2 + 2 \cdot 138 \cdot 2) \,\|\, (4 \cdot 2^2 + 2 \cdot 138 \cdot 2)$,
   $W_4 = (4 \cdot 2^2 + 2 \cdot 11 \cdot 2) \,\|\, (4 \cdot 2^2 + 2 \cdot 11 \cdot 2)$.
4) For each i, send $W_i$ to $CFS_{H(i)}$ for text searching. All CFSs will return paths like /C/* and the keyword locations in the partial encrypted files found in each CFS. Then, the algorithm checks whether the results are correct in lines 8~9.
If some results are correct, the algorithm recovers them from the CFSs and caches the files and tuple id.
5) Retrieve the corresponding numeric tuples in CDBs to form full tuples in line 11.

IV. ANALYSIS

In this section, we analyze our proposed scheme from three aspects: security analysis, performance analysis, and fault tolerance.

A. Security Analysis

We propose this scheme to support both numeric and non-numeric data searching. Even if the adversary obtains the encrypted data from CDBs and CFSs in the cloud storage service provider, this scheme provides some security:

1) He cannot decrypt the fetched encrypted data without the polynomial formula and the secret number input in line 7 of Figure 3.
2) The coefficients and secret number in Figure 3 are all encrypted with the secret sharing algorithm and stored in CDBs. The adversaries cannot obtain information about these important parameters from CDBs, based on secret sharing security.
3) Assume each word can be partitioned into s segments and be stored in at least s cloud storages. Even though the adversary obtains s-1 of the cloud storages, it is very difficult to recover the pure data without the one remaining cloud storage. This means the adversary cannot get all of the data.

B. Performance Analysis

Our scheme provides numeric data encryption with the method of Divyakant Agrawal et al. [11] and non-numeric encryption. The method of [11] for non-numeric data only supports limited-length non-numeric data. To compare the performance between our scheme and the method of [11], we discuss encryption and decryption for limited-length non-numeric data. The following notations are needed for these comparisons:

1) $C_{trans}$: the cost of transforming one letter into a number or transforming one number into another.
2) $C_{enc}$: the cost of taking secret sharing encryption.
3) $C_{dec}$: the cost of taking secret sharing decryption.

TABLE I. COST COMPARISON FOR ENCRYPTION AND DECRYPTION IN LIMITED LENGTH DATA

| Scheme | Encryption computations | Decryption computations |
|---|---|---|
| Divyakant Agrawal et al. [11] | $n\,C_{trans} + 1\,C_{enc}$ | $n\,C_{trans} + 1\,C_{dec}$ |
| Proposed | $(s \cdot n)\,C_{trans} + 3\,C_{enc}$ | $(s \cdot n)\,C_{trans} + 3\,C_{dec}$ |
| Proposed (Optimized) | $(s \cdot n)\,C_{trans} + 3\,C_{enc}$ | $(s \cdot n)\,C_{trans}$ |

For the computation cost shown in Table I, assume each letter can be split into s segments and the limited length of a word is at most n. For encryption, the scheme proposed in [11] requires n letter transformations for transforming the letters into numbers, and one encoding of the transformed word with a secret sharing algorithm. In our proposed scheme, the method uses three decoding operations for decoding the parameters and O(s*n) multiplication and addition operations. For decryption, the cost overhead is similar to encryption in both schemes. As an optimization, this scheme can cache the coefficients and secret number without recalculation. Therefore, the decryption of the optimized proposed scheme does not have a secret sharing decoding cost. Usually, the number of segments s should be between two and four because of some machine constraint conditions. Although the computation cost of our proposed scheme may be a little higher than that of [11], it can support complex regular expressions such as *AB* and **AB by using CFS APIs.

C. Fault Tolerance

Our scheme includes the benefits of [11]: a polynomial of degree k-1 is used to divide the secret, and thus k shares and parties are needed to compute the secret. Therefore, in the secret sharing scheme, if k of the n service providers are available, the queries can be answered using the shares coming from these service providers. For non-numeric data, the encrypted data are separated into multiple partitions to be stored in cloud file storages. Moreover, this proposed scheme can use any well-known cloud file storage such as Amazon S3 or Google Storage Service to store these partitioned data, and it should make some replicas. Therefore, the stored data would have fault tolerance. The coefficients and secret number x for non-numeric data are stored in cloud databases, so they can be retrieved from any k of n cloud databases. Thus, this scheme can achieve some fault tolerance.

V. CONCLUSION

This paper proposed a robust and searchable encryption scheme considering both numeric and non-numeric data. In addition, this scheme provides some fault-tolerance availability for cloud computing. In summary, we can protect keyword searches and the data stored in third-party cloud databases and storages from being revealed to malicious adversaries.

ACKNOWLEDGMENT

This research was partially supported by National Science Council, Taiwan, under contract no. NSC100-2221-E-005-070.

REFERENCES

[1] P. M. T. Grance. (2009) The nist definition of cloud computing (15 ed.) NIST. [Online]. Available: http://csrc.nist.gov/groups/sns/cloudcomputing
[2] P. M. T. Grance, The NIST Definition of Cloud Computing (Draft), National Institute of Standards and Technology (NIST) Std. [Online]. Available: http://csrc.nist.gov/publications/drafts/800-145/draft-sp-800-145_cloud-definition.pdf
[3] DropBox. Where are my files stored? [Online]. Available: https://www.dropbox.com/help/7
[4] D. X. Song, D. Wagner, and A. Perrig, "Practical techniques for searches on encrypted data," in Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on, 2000, pp. 44-55.
[5] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Advances in Cryptology - EUROCRYPT 2004, ser. Lecture Notes in Computer Science, C. Cachin and J. Camenisch, Eds. Springer Berlin / Heidelberg, 2004, vol. 3027, pp. 506-522.
[6] M. Bellare, A. Boldyreva, and A. O'Neill, "Deterministic and efficiently searchable encryption," in Advances in Cryptology - CRYPTO 2007, ser. Lecture Notes in Computer Science, A. Menezes, Ed. Springer Berlin / Heidelberg, 2007, vol. 4622, pp. 535-552.
[7] D. Boneh, E. Kushilevitz, R. Ostrovsky, and W. Skeith, "Public key encryption that allows PIR queries," in Advances in Cryptology - CRYPTO 2007, ser. Lecture Notes in Computer Science, A. Menezes, Ed. Springer Berlin / Heidelberg, 2007, vol. 4622, pp. 50-67.
[8] R. Yoshida, Y. Cui, T. Sekino, R. Shigetomi, A. Otsuka, and H. Imai, "Practical searching over encrypted data by private information retrieval," in 2010 IEEE Global Telecommunications Conference, December 2010, pp. 1-5.
[9] A. Shamir, "How to share a secret," Commun. ACM, November 1979, vol. 22, pp. 612-613.
[10] B. Hore, S. Mehrotra, and G. Tsudik, "A privacy-preserving index for range queries," in Proceedings of the Thirtieth international conference on Very large data bases - Volume 30, ser. VLDB '04. VLDB Endowment, 2004, pp. 720-731.
[11] D. Agrawal, A. E. Abbadi, F. Emekci, A. Metwally, and S. Wang, "Secure data management service on cloud computing infrastructures," New Frontiers in Information and Software as Services, 2011, pp. 57-80.
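
The non-numeric encryption of Figure 3 and the keyword search of Figure 4, with the parameters recovered from only k of the n cloud databases as described under Fault Tolerance, as an added Python example that is not the authors' code. It assumes standard Shamir sharing over a prime field in place of the secret sharing algorithm of [11] and omits the mapping H (lists[j] stands for the list stored in CFS H(j)); all function names are hypothetical.

```python
import secrets

P = 2**61 - 1   # prime modulus for the Shamir shares (assumption of this example)
S = 4           # segments per character: the four bytes of UTF-32
N = 50          # coefficients are drawn from [-N, N] (Figure 3, line 4)

def shamir_split(secret, k, n):
    """Split an integer into n shares; any k of them recover it."""
    poly = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]  # degree k-1
    return [(x, sum(c * pow(x, e, P) for e, c in enumerate(poly)) % P)
            for x in range(1, n + 1)]

def shamir_recover(shares):
    """Lagrange interpolation at 0, mapped back to a signed integer."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total - P if total > P // 2 else total

def split_text(text):
    """Text Splitter: list j holds byte j of every UTF-32 character."""
    raw = text.encode("utf-32-be")
    return [list(raw[j::S]) for j in range(S)]

def enc(v, c2, c1, x):
    """Figure 3, line 7: V' = c2*x^2 + c1*V*x (injective in V when c1*x != 0)."""
    return c2 * x * x + c1 * v * x

def nonzero():
    """Random non-zero integer in [-N, N]."""
    v = 0
    while v == 0:
        v = secrets.randbelow(2 * N + 1) - N
    return v

def encrypt_text(text, k, n):
    """Figure 3: returns S encrypted lists (for the CFSs) and n CDB records."""
    lists, cdbs = [], [[] for _ in range(n)]
    for seg in split_text(text):
        params = (nonzero(), nonzero(), nonzero())        # c_j2, c_j1, x_j
        lists.append([enc(v, *params) for v in seg])
        shared = [shamir_split(p, k, n) for p in params]
        for d in range(n):                                 # one share of each per CDB
            cdbs[d].append(tuple(sh[d] for sh in shared))
    return lists, cdbs

def search(keyword, lists, available_cdbs):
    """Figure 4: encrypt the keyword per position and match it in each list.
    Returns the character offsets at which every position list matches."""
    if not keyword:
        return []
    hits = None
    for j, seg in enumerate(split_text(keyword)):
        c2, c1, x = (shamir_recover([cdb[j][m] for cdb in available_cdbs])
                     for m in range(3))
        probe = [enc(v, c2, c1, x) for v in seg]
        found = {o for o in range(len(lists[j]) - len(probe) + 1)
                 if lists[j][o:o + len(probe)] == probe}
        hits = found if hits is None else hits & found
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample: one tuple's text column, 3-of-5 sharing of the parameters.
    lists, cdbs = encrypt_text("xxABxx AB", k=3, n=5)
    print(search("AB", lists, cdbs[:3]))   # two CDBs unavailable, search still works
```

Equal plaintext bytes at the same segment position always encrypt to the same value, which is what lets each CFS match the probe without holding the coefficients or the secret number.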