
[IEEE 2011 IEEE 4th International Conference on Cloud Computing (CLOUD) - Washington, DC, USA (2011.07.4-2011.07.9)] 2011 IEEE 4th International Conference on Cloud Computing - Towards


Towards Multi-User Private Keyword Search for Cloud Computing

Yanjiang Yang
Institute for Infocomm Research
Singapore
Email: [email protected]

Abstract—Storage-as-a-service is an essential component of the cloud computing infrastructure. Database outsourcing is a typical use scenario of the cloud storage services, wherein data encryption is a good approach enabling the data owner to retain its control over the outsourced data. Searchable encryption is a cryptographic primitive allowing for private keyword based search over the encrypted database. The setting of enterprise outsourcing database to the cloud requires multi-user searchable encryption, whereas virtually all existing schemes consider the single-user setting. To bridge this gap, we propose a practical multi-user searchable encryption scheme, which has a number of advantages over the known approaches.

I. INTRODUCTION

Storage-as-a-service is an essential component of the cloud computing infrastructure, which allows the customers to outsource their databases to the regime of a cloud. Database outsourcing relieves the customers from building and maintaining their proprietary databases, which usually is extremely costly. However, one main hurdle to data outsourcing is security concerns, and in particular, end users would worry that their data would be abused without their consent or even awareness, among others. It is thus ideal that data outsourcing does not deprive the customers of their control over the outsourced data. Encryption of the data in outsourcing is deemed a good approach in attaining this objective, as well as solving other issues such as regulatory compliance and geographic restrictions [2], [3]. However, data encryption would greatly restrict the cloud's ability in handling user access requests. A typical example is that a user may wish to retrieve records that contain a certain keyword; normally, it is hard for the cloud to pinpoint those records within an encrypted database.

Fortunately, searchable encryption (e.g., [1], [4]) is a cryptographic primitive that can enable the above keyword-based searches upon an encrypted database without revealing the plaintexts to the cloud (we thus call it private keyword search). Existing searchable encryption schemes normally consider the single-user setting: only the holder of a secret key, which is referred to as query key hereafter, can issue valid search queries upon the database. We, however, observe that the case of enterprise-outsourcing-database-to-cloud, as shown in Figure 1, often requires multi-user searchable encryption, where searchable encryption works in a multi-user setting: an enterprise outsources its database to the cloud, and authorizes multiple users (e.g., its staff members) to access the database. There are more factors to be considered in the multi-user setting, e.g., user accountability and user dynamics (joining of new users and revocation of existing users).

Figure 1. Use scenario of enterprise-outsourcing-database-to-cloud (diagram labels: Enterprise, Users, Cloud, Database; arrows: Outsource, Authorize, Access)

The only work we are aware of that has ever discussed multi-user searchable encryption is due to Curtmola et al. [1], which proposes transferring their single-user searchable encryption scheme to one working in the multi-user setting: besides sharing the query key, each user is also issued a key for broadcast encryption; a user encrypts her search queries using the broadcast encryption key before submitting them to the server that hosts the database; the server also knows the broadcast encryption key, and thus can decrypt and obtain the search queries. The underlying broadcast encryption takes charge of user dynamics, and guarantees that only the set of authorized users and the server can use the broadcast encryption. However, broadcast encryption in general is an extremely expensive primitive, which may severely affect the practicality of Curtmola et al.'s method.

Towards enabling private keyword search in the use scenario in Figure 1, we propose an efficient multi-user searchable encryption scheme, which possesses the following features.

• Distinct Query Keys. Each authorized user has a distinct query key for constructing search queries. This makes user revocation and accountability possible in our scheme.

• Efficient Yet Complete User Revocation. Our scheme allows for very efficient user revocation: revocation of a user does not affect other non-revoked users at all, requiring neither key renewal for non-revoked users, nor update to the encrypted database including the index. This is the best we can expect for user revocation in terms of efficiency. Moreover, revoked users completely lose their search privileges, given that the semi-trusted cloud destroyed the related helper keys (the concept is explained later) as instructed.

• Exculpability. Our scheme achieves exculpability, i.e., no one (including the cloud) can generate valid search queries on behalf of a user. Exculpability turns out to be an important property in the multi-user setting where accountability is desired.

2011 IEEE 4th International Conference on Cloud Computing

978-0-7695-4460-1/11 $26.00 © 2011 IEEE

DOI 10.1109/CLOUD.2011.76

Setup($1^\kappa$): ENT sets up public system parameters $G_1$, $G_2$, and $e$; selects random $x \in \mathbb{Z}_p^*$ and sets master key $MK_{ENT} = x$; selects a random record encryption key $ek$ for semantically secure symmetric key encryption $Enc(\cdot)$.

AddUser($MK_{ENT}, ek, u$): ENT selects random $x_u \in \mathbb{Z}_p^*$ and sets $qk_u = x_u$; computes $hk_u = g^{MK_{ENT}/x_u} \in G_1$; securely sends $qk_u, ek$ to user $u$; also securely sends $hk_u$ to CLD, who then adds a new entry $(u, hk_u)$ to the U-HKey list.

RemoveUser($u$): To revoke user $u$, ENT simply instructs CLD to delete the entry of $(u, hk_u)$ from the U-HKey list.

WriteRecord($MK_{ENT}, ek, d_i$): To write a record $d_i$ to $D'$, ENT first generates the index of $d_i.w$ using $MK_{ENT}$ as follows: computes in turn $e_w = e(h_1(d_i.w), g^{MK_{ENT}})$ and $k = h_2(e_w)$, and sets $Indx(d_i.w) = \langle m, h_k(m) \rangle$, where $m \in \mathcal{M}$ is a random value. ENT then computes $Enc(d_i)$ using $ek$. Finally, ENT passes $d'_i = \langle Indx(d_i.w), Enc(d_i) \rangle$ to CLD.

GenQuery($qk_u, w$): User $u$ computes $q_u(w) = h_1(w)^{qk_u}$ and outputs $(u, q_u(w))$ as her search query on keyword $w$.

Search($q_u(w), hk_u, D'$): CLD first looks for $hk_u$ in the U-HKey list. If no matching entry is found, it outputs $\perp$. Otherwise, using $hk_u$, it computes $k' = h_2(e(q_u(w), hk_u))$ and sets $RPLY_{q_u(w)} = \emptyset$. Then CLD scans $D'$ and for each $Indx(d_i.w)$ in the form $\langle m_i, c_i \rangle$, if $c_i = h_{k'}(m_i)$, then sets $RPLY_{q_u(w)} = RPLY_{q_u(w)} \cup \{Enc(d_i)\}$. The reply set will be sent to $u$ in a secure manner.

Figure 2. Multi-user searchable encryption for enterprise-outsourcing-database-to-cloud

II. OUR CONSTRUCTION

Our scheme uses bilinear maps; we thus begin with a brief review of related concepts.

Bilinear Map: Let $G_1$ and $G_2$ be two groups of prime order $p$. A bilinear map is a function $e : G_1 \times G_1 \to G_2$, satisfying the following properties:

1) Bilinear: For all $g_1, g_2 \in G_1$ and all $x_1, x_2 \in \mathbb{Z}_p^*$, $e(g_1^{x_1}, g_2^{x_2}) = e(g_1, g_2)^{x_1 x_2}$.

2) Non-degenerate: If $g$ is a generator of $G_1$, then $e(g, g)$ is a generator of $G_2$.

3) Computable: $e(g_1, g_2)$ can be efficiently computed for any $g_1, g_2 \in G_1$.

A. Our Scheme

System model: Geared to the use scenario in Figure 1, the system consists of {D, ENT, CLD, U}, where D is a database, ENT is the enterprise, CLD is the cloud providing storage services, and U is a set of users. D is composed of a number of records $\{d_1, d_2, \cdots\}$ of multiple attributes, and one attribute is keyword used for search. The domain of the keyword attribute is denoted by $W$. The keyword of $d_i$ is denoted by $d_i.w$. CLD hosts an encrypted version of D, denoted by $D' = \{d'_1, d'_2, \cdots\}$, where $d'_i = \langle Indx(d_i.w), Enc(d_i) \rangle$: the first element is an index generated from $d_i.w$, to be used for search; the second is an encryption of the remaining attributes of $d_i$.

Each authorized user $u \in U$ is issued a distinct query key $qk_u$ by ENT, and can submit search queries based on her chosen keywords using $qk_u$. We use $q_u(w)$ to denote a query from user $u$ on keyword $w \in W$. For each authorized user $u$, ENT also passes securely a helper key, $hk_u$, to CLD, which helps CLD in processing queries from $u$. As a result, CLD maintains a U-HKey list, with each entry being of the form $(u, hk_u)$. On receiving query $q = q_u(w)$, CLD is expected to return $RPLY_q = \{Enc(d_i) \mid d_i \in D, d_i.w = w\}$. ENT can revoke an authorized user's search privileges, so $U = U_A \cup U_R$, where $U_A$ is the set of authorized users and $U_R$ is the set of revoked users.

Construction: Let $G_1$, $G_2$ be two cyclic groups of a prime order $p$, and a bilinear map $e : G_1 \times G_1 \to G_2$ be defined as above. Let $g$ be the generator of $G_1$. Let $h_1 : W \to G_1$ and $h_2 : G_2 \to \mathcal{K}$ be collision-resistant hash functions, and $h_k : \mathcal{K} \times \mathcal{M} \to \mathcal{H}$ be a keyed hash function under a secret key $k \in \mathcal{K}$, where $\mathcal{M}, \mathcal{H}$ are appropriate domains. The details of the scheme are depicted in Figure 2.

Security: It can be checked that our construction satisfies (I) query privacy: user queries do not reveal to CLD more information than what can be acquired via observation; (II) query unforgeability: other users (or CLD) cannot generate valid search queries on behalf of a user; (III) revocability: revoked users are no longer able to search the database.
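The following walk-through of the Figure 2 algorithms is an added example, not code from the paper. It assumes a toy pairing "in the exponent" (an element g^a is stored as a mod p, so e(g^a, g^b) is stored as ab mod p), which is bilinear but offers no security, with SHA-256 standing in for h1 and h2 and HMAC-SHA-256 for the keyed hash; the class names, the prime P, and the opaque ciphertext blobs standing in for Enc(d_i) are constructed for illustration.

```python
import hashlib, hmac, secrets

P = 2**127 - 1  # prime group order p (constructed toy parameter)

# Toy pairing "in the exponent": g^a is stored as a mod P, so e(g^a, g^b) =
# e(g, g)^(ab) is stored as a*b mod P. Bilinear but insecure; illustration only.
def pair(a, b): return a * b % P
def rand_scalar(): return secrets.randbelow(P - 1) + 1          # element of Z_p^*
def h1(w): return int.from_bytes(hashlib.sha256(w.encode()).digest(), "big") % (P - 1) + 1
def h2(gt): return hashlib.sha256(gt.to_bytes(16, "big")).digest()   # G2 -> K
def hk(k, m): return hmac.new(k, m, hashlib.sha256).digest()         # keyed hash h_k

class Cloud:
    def __init__(self): self.hkeys, self.db = {}, []   # U-HKey list and D'
    def remove_user(self, u): self.hkeys.pop(u, None)  # RemoveUser
    def search(self, u, q):                            # Search
        if u not in self.hkeys:
            return None                                # the scheme's "bottom" output
        k2 = h2(pair(q, self.hkeys[u]))                # k' = h2(e(q_u(w), hk_u))
        return [ct for m, c, ct in self.db if hmac.compare_digest(c, hk(k2, m))]

class Enterprise:
    def __init__(self): self.mk = rand_scalar()        # Setup: MK_ENT = x
    def add_user(self, cld, u):                        # AddUser
        xu = rand_scalar()
        cld.hkeys[u] = self.mk * pow(xu, -1, P) % P    # hk_u = g^(x / x_u)
        return xu                                      # qk_u = x_u
    def write_record(self, cld, w, ct):                # WriteRecord; ct stands for Enc(d_i)
        k = h2(pair(h1(w), self.mk))                   # k = h2(e(h1(w), g^x))
        m = secrets.token_bytes(16)
        cld.db.append((m, hk(k, m), ct))               # <Indx(d_i.w), Enc(d_i)>

def gen_query(qk, w): return h1(w) * qk % P            # q_u(w) = h1(w)^(qk_u)

def demo():
    ent, cld = Enterprise(), Cloud()
    qk_a, qk_b = ent.add_user(cld, "alice"), ent.add_user(cld, "bob")
    for w, ct in [("audit", b"ct-1"), ("payroll", b"ct-2"), ("audit", b"ct-3")]:
        ent.write_record(cld, w, ct)                   # constructed sample records
    out = {"alice": cld.search("alice", gen_query(qk_a, "audit")),
           # Bob's key under Alice's identity: the pairing no longer cancels to e_w
           "forged": cld.search("alice", gen_query(qk_b, "audit"))}
    cld.remove_user("alice")
    out["revoked"] = cld.search("alice", gen_query(qk_a, "audit"))
    out["bob"] = cld.search("bob", gen_query(qk_b, "payroll"))   # unaffected
    return out

if __name__ == "__main__":
    print(demo())
```

The search matches because e(h1(w)^(x_u), g^(x/x_u)) = e(h1(w), g^x), so the cloud derives the same k as the enterprise without learning x or x_u; deleting hk_u is the whole revocation step, and Bob's key and the stored index are untouched.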

REFERENCES

[1] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions. Proc. ACM Conference on Computer and Communications Security, CCS'06, pp. 79-88, 2006.

[2] S. Kamara and K. Lauter, Cryptographic Cloud Storage. Proc. Financial Cryptography 2010.

[3] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, 2009.

[4] D. Song, D. Wagner, and A. Perrig, Practical Techniques for Searches on Encrypted Data. Proc. IEEE Symposium on Security and Privacy, S&P'00, pp. 44-55, 2000.
