2024年2月20日发(作者:)

DynamicSearchableEncryptioninVery-LargeDatabases:DataStructuresandImplementationDavidCash∗,JosephJaeger∗,StanislawJarecki†,CharanjitJutla‡,HugoKrawczyk‡,Marcel-C˘at˘alinRos¸u‡,andMichaelSteiner‡†University∗RutgersUniversityofCalifornia,Irvine‡IBMResearchdatastructuresandthusshowpotentialforpracticaleffi-ciency,ostconstructionshavetheoreticallyoptimalsearchtimesthatscaleonlywiththenumberofdocumentsmatchingthequery,slikeI/Olatency,storageutilization,andthevarianceofreal-worlddatasetdistributionsdegradethepracticalperformanceoftheoreticallyeffiticalsourceofinefficiencyinpractice(oftenignoredintheory)isacompletelackoflocalityandparallelism:Toexecuteasearch,mostpriorSSEschemessequentiallyreadeachresultfromstorageatapseudorandomposition,andtheonlyknownwaytoavoidthiswhilemaintainithefirstSSEimplementationthatcanencryptandsearchondatasetswithtensofbillionsofrecord/gnourscheme,westartwithanew,simple,theoreticalSSEconstructionthatusesagenericdictionarystructuretoalreadyachieveanasymptoticimprovementoverpriorSSEschemes,givingoptimalleakage,serversize,searchcomputation,artingpointcanbeseenasageneralizationandsimplificationofthemoread-hoctechniquesof[3].Weshowhowtomaketheschemedynamic,meaningthatthedatacanbechangedafterencryption:Ourschemecaneasilysupportadditionstothedata,etheschemeusesagenericdictionarythatitselfhasnosecurityproperties,itallowsforseveralextensionsandmodifiicular,ourimplementationeffortshowedthatdiskI/Outilizationremainedabottleneckwhichpreventedscaling;xtensionspreserveprivacywitedescribethetechniquesbehindresultsinmoredetail,startingwiththenewtheoreticalschemethatweextendlater,emeisverysimple(seeFigure2):Itassociateswitheachrecord/keywordpairapseu-dorandomlabel,andthenforeachpairstorestheencryptedrecordidentifivethelabelssothattheclient,oninputakeywordtoquery,cancomputeakeyword-specificshortkeyallowingtheservertosearchbyfirstrecomputingthelabels,thenretrievingtheencryptedidentifiersfromthedic-Abstract—Wedesignandimplementdynamicsymmetricsearchableencryptionschemesthatefficientlyandprivatelysearchserveictheoreticalconstructionsup-portssingle-keywordsearchesandoffersasymptoticallyoptimalserverindexsize,fullyparallelsearching,lementationeffortbroughttotheforeseveralfactorsignoredbyearliercoarse-grainedtheoreticalperformanceanal-yses,includinglow-levelspaceutilization,I/rdinglyintroduceseveraloptimizationstoourtheoreticallyoptimalconstructionthatmodeltheprototype’urschemesandoptimizationsareprovensecureandtheinformationleakedtotheuntrustedserverispreciselyquantifiuatetheperformanceofourprototypeusingtwoverylargedatasets:asynthesizedcensusdatabasewith100millionrecordsandhundredsofkeywordsperrecordaer,wereportonanimplementationthatusesthedynamicSSEschemesdevelopedhereasthebasisforsupportingrecentSSEadvances,,Booleanqueries),querydelegation),ablesymmetricencryption(SSE)al-lowsonetostoredataatanuntrustedserverandlatersearchthedataforrecords(ordocuments)centworks[3]–[5],[7],[9],[14],[15],[17],[19],[21]studiedSSEandprovidedsolutionswithvaryingtrade-offsbetweensecurity,efficiency,andtheaonstructionsaimatpracticalefficiency,incontrasttogenericcryptographictoolslikehomomorphicencryptionormultipartycomputationwhicharehighlysecurebutnotlikelytobeeffiatasizesmotivatestorageoutsourcing,ngSSEschemesemployonlysymmetriccryptographyoperationsandstandardPermission