In the previous sections, we showed how RE for RAM and PRAM can be extended to support a wide range of properties, including persistent database (Section 9.2), output hiding (Section 9.3), long output (Section 9.5), and verifiability (Section 9.4). Different combinations of these properties are useful for different scenarios of outsourced computation. In particular, as a direct application of RE with all the above extensions, we consider a very powerful searchable symmetric encryption (SSE) scheme with almost all desirable properties considered in the SSE literature.
Roughly, SSE allows a client to outsource the storage of his or her encrypted data to a semi-honest (possibly malicious) server, while retaining the server's ability to query over the encrypted data without learning the plaintext data. The query can be as general as data modification, (conjunctive / fuzzy) keyword search, or essentially any function over the plaintext data. To query over the encrypted data, the client uses its private key to transform its query into a trapdoor, which is sent to the server. With the help of the trapdoor, the server possibly updates the encrypted database and returns the encrypted query results to the client.
about the plaintext data and query results (footnote 21), respectively. It is commonly believed that such security requirements can be achieved using ORAM. In reality, typical SSE schemes which do not rely on ORAM leak some information such as the search and access patterns as a trade-off for efficiency.
Using RE with persistent database, we can naturally encode our plaintext data into an encrypted database which will then be stored in a cloud server. Then, with the support of long output and output hiding, an encoded query can be processed by the server to return a long sequence of ciphertexts, which can be decrypted to obtain the results of the query. Moreover, by the succinctness of our RE construction, the query complexity is preserved up to a logarithmic factor.
In terms of security, note that by the security of RE, the server only learns the sizes of the database and the query results. The security of this SSE scheme is thus not only much stronger than that of most existing schemes, which leak search and access patterns, but also achieves two very desirable properties named forward privacy and backward privacy. Forward privacy means that a previously issued trapdoor for a query is not useful for querying newly added data. Similarly, backward privacy means that a trapdoor is not useful for querying deleted data. In addition, with the verifiability extension, the correctness of the query results can be verified. It is also worth mentioning that while most SSE schemes are proven secure in the random oracle model, our construction is secure in the standard model.
A Preliminaries
Notations. Let $\lambda$ be the security parameter. Let $\mathsf{poly}$ be any polynomial. Let $\mathsf{negl}$ be any negligible function.
A.1 Models of Computation
A.1.1 Random-Access Machines (RAM)
A random-access machine (RAM) consists of a CPU with a local register $\mathsf{st}$ of size $\log n$ and an external memory $\mathsf{mem} \in \{0,1\}^n$, where $n = \mathsf{poly}(\lambda)$. A RAM program $P$ with random access to $\mathsf{mem}$ takes as input $x \in \{0,1\}^{\ell_{input}}$, where $\ell_{input} \le n$, and outputs $y = P(x)$ as the result of the computation. During the computation, the CPU may access the memory multiple times using READ or WRITE operations:
READ($\mathsf{loc}$): upon receiving a memory address $\mathsf{loc}$, return the value $\mathsf{mem}[\mathsf{loc}]$.
WRITE($\mathsf{loc}, \mathsf{val}$): upon receiving a memory address $\mathsf{loc}$ and a value $\mathsf{val}$, set $\mathsf{mem}[\mathsf{loc}] := \mathsf{val}$.
In this work, we use both a functional program and a next-step program to represent the RAM program, and we represent the above functional program $P$ as a series of executions of a small next-step program $F$ which executes a single CPU step:
$$(\mathsf{st}^{out}, \mathsf{loc}^{out}, \mathsf{val}^{out}) = F(\mathsf{st}^{in}, \mathsf{loc}^{in}, \mathsf{val}^{in}).$$
At each time step $t$, the CPU-step circuit takes as input an input state $\mathsf{st}^{in}$, a location $\mathsf{loc}^{in}$, and a value $\mathsf{val}^{in} = \mathsf{mem}[\mathsf{loc}^{in}]$ read from the memory, and outputs an output state $\mathsf{st}^{out}$, a location $\mathsf{loc}^{out}$ to be accessed, and a value $\mathsf{val}^{out}$.
By convention, at the first step (i.e., step 0), the next-step program is executed with $\mathsf{loc}^{in} = \bot$ and $\mathsf{val}^{in} = \bot$. At each step, a copy of the next-step program is executed. If $F$ issues a WRITE memory operation with $\mathsf{loc}^{out}$ and $\mathsf{val}^{out}$ specified, then the value $\mathsf{val}^{out}$ will be written to $\mathsf{mem}[\mathsf{loc}^{out}]$, and the evaluator sets $\mathsf{loc}^{in} = \bot$ and $\mathsf{val}^{in} = \bot$ for the next step. Else if $F$ issues a READ memory operation with $\mathsf{loc}^{out}$ specified and $\mathsf{val}^{out} = \bot$, then the evaluator sets $\mathsf{loc}^{in} = \mathsf{loc}^{out}$, and the location $\mathsf{loc}^{in}$ is read by setting $\mathsf{val}^{in} = \mathsf{mem}[\mathsf{loc}^{in}]$ for the next step.
There are two ways to define the output of the computation. The first approach is to interpret the output state of the last CPU-step circuit as the output of the computation, which limits the size of the output to $\log n$. The second approach is to interpret a pre-defined region of the external memory $\mathsf{mem}$ as the output of the computation. For simplicity, we adopt in this work the first definition, but note that the second definition can also be adopted.
A.1.2 Parallel RAM (PRAM)
A parallel random-access machine (PRAM) consists of $m$ CPUs, each with a local memory register of size $\log n$, sharing an external memory $\mathsf{mem} \in \{0,1\}^n$, where $n = \mathsf{poly}(\lambda)$. A RAM is simply a PRAM with $m = 1$.
A PRAM program $P$ has random access to $\mathsf{mem}$, takes as input $x$ and outputs $y = P(x)$ as the result of the computation. In general, a PRAM program utilizes a dynamic number of CPUs in each time step. In a simpler variant, it is assumed that the program always uses all the $m$ CPUs.
Similar to a RAM program, a PRAM program can be represented by a series of executions of the next-step program $F$, but with the additional ability to execute $m$ copies in parallel at each time step. For each CPU $k \in [m]$, $F$ computes a time step with its $k$-th copy of state and memory operation, and an additional argument $k$ denoting which CPU it is computing. That is, for each $k \in [m]$,
$$(\mathsf{st}^{out}_k, \mathsf{loc}^{out}_k, \mathsf{val}^{out}_k) = F(k, \mathsf{st}^{in}_k, \mathsf{loc}^{in}_k, \mathsf{val}^{in}_k).$$
The conflicts in read and write locations are resolved according to either the exclusive read exclusive write (EREW), concurrent read exclusive write (CREW), or concurrent read concurrent write (CRCW) strategy. For
be any conflicting writes. We further assume for simplicity (but equivalently) that all $m$ CPUs read and write synchronously and alternately, which yields a two-fold (parallel) time overhead because any CPU can at least issue a dummy access and defer the actual access to the next iteration.
Without loss of generality, the input $x$ is stored in a pre-defined region of the external memory $\mathsf{mem}$, and all initial states are the same value $\bot$ for all CPUs. The output of the computation is the output state of the last CPU-step circuit of a specific CPU, which is defined similarly as that for RAM programs. All CPUs halt at the same time with a state $\mathsf{st} = (\mathsf{halt}, \cdot)$. There is a special CPU $\mathsf{cpu}_1$ which always halts with result $y$ by outputting $\mathsf{st} = (\mathsf{halt}, y)$, while all other CPUs output $\mathsf{st} = (\mathsf{halt}, \bot)$.
On some occasions, we will assume additionally (but equivalently) that the CPUs can communicate with each other directly. Roughly speaking, such communication can be simulated by accessing the shared memory. We will explain the details when needed in Sections 6 and 8.
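The following Python simulator is an added illustration of the evaluator conventions in Sections A.1.1 and A.1.2; it is not code from the paper. It implements the step rule (loc_out = ⊥ means no access, val_out = ⊥ means READ, otherwise WRITE; a WRITE clears loc_in and val_in for the next step, a READ delivers mem[loc_out] as the next val_in), the EREW conflict strategy, and the convention that all CPUs halt simultaneously with cpu1 carrying the result. A sequential summation program shows the RAM case (m = 1), and a tree-reduction program shows m CPUs alternating writes and reads as the text describes. The names evaluate_pram, sequential_sum_program, tree_sum_program, all_read_cell0, and the use of Python's None for ⊥ are my own choices; the input layouts (length word at cell 0, or one input word per CPU) are constructed for the example.

```python
# Constructed simulator of the RAM / PRAM next-step-program model (not the paper's code).
BOT = None  # stands for the symbol ⊥ in the paper


def evaluate_pram(F, mem, m, max_steps=100_000):
    """Run next-step program F on m CPUs sharing mem under the EREW strategy.

    F(k, st_in, loc_in, val_in) -> (st_out, loc_out, val_out).  loc_out = ⊥ is
    "no access", val_out = ⊥ with loc_out set is READ, both set is WRITE.
    Returns (y, number_of_steps) where y is the result held by cpu1 (index 0).
    """
    mem = list(mem)
    st, loc_in, val_in = [BOT] * m, [BOT] * m, [BOT] * m
    for t in range(max_steps):
        outs = [F(k, st[k], loc_in[k], val_in[k]) for k in range(m)]
        # EREW: no two CPUs may touch the same cell in one step (read or write)
        touched = [loc for (_, loc, _) in outs if loc is not BOT]
        if len(touched) != len(set(touched)):
            raise RuntimeError(f"EREW conflict at step {t}: cells {touched}")
        for k, (st_out, loc_out, val_out) in enumerate(outs):
            st[k] = st_out
            if loc_out is not BOT and val_out is not BOT:
                mem[loc_out] = val_out            # WRITE(loc_out, val_out)
            loc_in[k], val_in[k] = BOT, BOT       # default for the next step
        for k, (_, loc_out, val_out) in enumerate(outs):
            if loc_out is not BOT and val_out is BOT:
                loc_in[k], val_in[k] = loc_out, mem[loc_out]   # READ(loc_out)
        halted = [s for s in st if isinstance(s, tuple) and s[0] == "halt"]
        if len(halted) == m:
            return st[0][1], t + 1               # cpu1 outputs (halt, y)
        if halted:
            raise RuntimeError("all CPUs must halt at the same step")
    raise RuntimeError("step budget exceeded")


def sequential_sum_program(k, st, loc_in, val_in):
    """RAM (m = 1) next-step program: sum mem[1..mem[0]] using only the register."""
    if st is BOT:                                  # step 0: READ the length word
        return ("len",), 0, BOT
    if st[0] == "halt":
        return st, BOT, BOT
    if st[0] == "len":                             # val_in == mem[0]
        n = val_in
        return (("halt", 0), BOT, BOT) if n == 0 else (("loop", 1, n, 0), 1, BOT)
    _, i, n, acc = st                              # val_in == mem[i]
    acc += val_in
    if i == n:
        return ("halt", acc), BOT, BOT
    return ("loop", i + 1, n, acc), i + 1, BOT     # READ the next element


def tree_sum_program(m):
    """PRAM next-step program: m CPUs sum mem[0..m-1] by a binary tree reduction.

    Each round is one WRITE step (every CPU publishes its partial sum in its own
    cell) followed by one READ step (the left partner reads the right partner's
    cell), matching the synchronous, alternating read/write assumption; CPUs
    without a partner issue a dummy (no-access) step instead.
    """
    rounds = max(1, (m - 1).bit_length())          # ceil(log2 m)

    def F(k, st, loc_in, val_in):
        if st is BOT:                              # step 0: READ own input word
            return ("init",), k, BOT
        if st[0] == "halt":
            return st, BOT, BOT
        if st[0] == "init":
            st = ("readpartner", 0, val_in)
        if st[0] == "readpartner":
            _, r, acc = st
            partner = k + (1 << r)
            if k % (1 << (r + 1)) == 0 and partner < m:
                return ("combine", r, acc, True), partner, BOT   # READ partner
            return ("combine", r, acc, False), BOT, BOT          # dummy step
        _, r, acc, active = st                      # "combine": val_in from partner
        if active:
            acc += val_in
        if r + 1 == rounds:
            return ("halt", acc if k == 0 else BOT), BOT, BOT    # cpu1 keeps y
        return ("readpartner", r + 1, acc), k, acc               # WRITE own cell
    return F


def all_read_cell0(k, st, loc_in, val_in):
    """Every CPU reads cell 0 in step 0: fine under CREW, a conflict under EREW."""
    return ("halt", BOT), 0, BOT


if __name__ == "__main__":
    print(evaluate_pram(sequential_sum_program, [4, 3, 1, 4, 1], 1))   # (9, 6)
    print(evaluate_pram(tree_sum_program(4), [3, 1, 4, 1], 4))         # (9, 5)
```

The step counts returned make the parallel speed-up visible: the sequential program needs one step per element, while the tree reduction needs one initial read plus two steps per round. The simulator keeps the per-CPU state as a short tuple of counters, in the spirit of the log n local register; a real program whose accumulator outgrows the register would have to keep it in memory instead.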
A.1.3 Memoryless PRAM (mPRAM)
A simpler variant of PRAM is the memoryless PRAM (denoted by mPRAM), which consists of $m$ CPUs, each with a local memory register of size $\log n$, but without external memory. However, there are synchronous communications transmitting constant-size messages between CPUs. Their communication pattern is assumed to be oblivious and, at each time step, each CPU only receives one message from one CPU and sends one message to one other CPU.
Similar to the standard PRAM program, an mPRAM program can be represented by a series of executions of the next-step circuit, but with the additional ability to execute multiple copies of the circuit at a time step, corresponding to the number of CPUs used in that time step. Unlike in PRAM, the input and output are both stored in the corresponding initial and final CPU states. We will explain the details when needed in Section 6.
Memoryless PRAM is strictly weaker than the standard PRAM, which can emulate mPRAM with memory size $m < n$ and emulate each communication by writing and reading memory cells.