Searchable encryption

We built a system supporting encrypted substring search of a text document. The user can encrypt and upload files to a server. The client can also query the server to ask whether an encrypted file contains a particular string of characters. The query, like the file, is not sent in plaintext but is encrypted or hashed. The server should be able to respond correctly to queries without learning the contents of the file or the queries. We designed and implemented two novel schemes for the problem of encrypted substring search. Both schemes require a copy of the file encrypted with a standard block cipher. The first scheme relies on an encrypted suffix array. In the second scheme, the server stores cryptographic hashes of all repeated substrings which occur in the file, as well as all substrings which occur once but would occur multiple times if the last character were deleted. It also stores the index in the file of each of these uniquely occurring substrings occurs. The encrypted suffix array scheme is simpler and has better memory usage and faster preprocessing time. The hashing scheme has better query time and security properties. Its query time can be made to be independent of the size of the file, assuming constant-time hash table lookups. The space usage on worst-case inputs is poor, but the space usage is reasonable on input files having the properties of English text or of randomly generated strings. We assume the following threat model. Threat model. We assume that the server is honest but curious. That is, the server will follow the protocol and will respond appropriately to all user queries. However, the server will additionally seek to learn whatever it can about the client’s data. The server does not have the capability to issue queries, and has no information about the strings being queried. Previous work. There has been a sequence of recent papers on the problem of keyword search of encrypted data. In this setting, the file is assumed to consist of a sequence of words, e.g. whitespaceseparated words in the file or any other atomic units the file can be broken up into. The server must be able to determine which encrypted files contain a particular queried word, which is also encrypted. Song, Wagner and Perrig [11] published the first solution to encrypted keyword search. Their scheme has provable security properties, linear-time encryption and search, and little space overhead. The CryptDB system [8] implements this encryption scheme and uses it to support keyword-based predicates in SQL queries. Several subsequent papers provide additional guarantees, alternate proposals, and improvements. For instance, Chang and Mitzenmacher [2] present an alternate scheme and prove that no information is leaked from search in addition to the set of files which contain the search keyword in common. Boneh et al. [1] present a solution in the public key setting. Kamara, Papamanthou and Roeder [3] provide a solution with a number of desirable properties, including sublinear search, strong security guarantees, and efficient upload and download of files. Popa and Zeldovich [9] present a practical encryption scheme for keyword search of data which is encrypted using different keys. The techniques used in the papers mentioned above heavily rely on the fact that search is over keywords, which roughly correspond to the words that appear in the document. Building on this insight, it is possible to encrypt each unique keyword into a list of all keywords. Thus, to search for a keyword, the user can