Leakless privacy-preserving multi-keyword ranked search over encrypted cloud data

1.1 System model

Our system model as illustrated in Figure 1, involves three different entities: data owner, data users, and cloud server. The data owner has a collection of documents (files) to be outsourced to the cloud server. Since files may contain sensitive information and the cloud server is not fully trusted, data must be encrypted (); and any kind of information leakage that jeopardizes the data privacy is inadmissible. Moreover, for the sake of effective data utilization and to ensure precise results, the cloud server must apply the search requests (queries) on the encrypted data. Hence, before outsourcing the data onto the cloud, the data owner extracts a set of keywords Δ_d to build an encrypted searchable index . We extract the keywords before encrypting the data, so the keywords with a high frequency get encrypted into a number of ciphertexts. As a result, it becomes significantly more difficult for the cloud to track specific keywords in documents as we will explain shortly. Both the encrypted index and encrypted data are then transferred to the cloud server.

Figure 1. Architecture of the search over encrypted cloud data.

To search for files of interest, an authorized user first acquires a key K from the data owner through a search control mechanism such as broadcast encryption^[4]. Upon receiving the encrypted search request q from a data user, the cloud server applies the request on the corresponding index and returns the results (q). To increase result precision, the results are ranked based on their relevance to the request by the cloud server. Furthermore, to reduce the communication cost, the data user may send an optional number k along with q, so the cloud server only sends back the top-k documents that are most relevant to the search request^[14].

The rest of this paper is organized as follows: Section 2 presents our threat model, design goals, and the preliminary. In Section 3, we describe the LRSE privacy requirements. Section 4 shows the proposed schemes in detail, followed by Section 5 which presents the privacy and security analysis. We summarize related works on privacy-preserving multi-keyword ranked search over encrypted cloud data in Section 6, and Section 7 summarizes our conclusions.

2.1 Design goals

To address the aforementioned privacy issues (see Section 1), our design system should achieve privacy security and a high level of performance simultaneously with the following three goals:

● Leakless ranked search: For the sake of effective data retrieval and preserving privacy data users should be able to generate a leakless search query which reveals nothing more than the encrypted query.

● Privacy-preserving: Preventing the cloud server from learning additional information rather than seeing encrypted files, queries, and indexes is our highest goals. We describe the privacy requirements in Section 3.

● Efficiency: All of the above goals should be realized with a reasonable (or low) computation and communication overhead.

2.2 Preliminaries

Let = {D₁,…, D_n} be a corpus of n documents, and id(D_i) be the unique identifier of the of document D_i. Let Δ be a dictionary of keywords with size m. Let Δ_d = {w₁,…, w_d} be the dictionary of the d words for the corpus such that Δ_d ⊆ Δ.

Definition 1. (Searchable Encryption). A multi-keyword Searchable Encryption (SE) scheme consists of 6 algorithms, SE = (KeyGen, BuildIndex, Encryption, Query, Search, Decryption) such that:

1. KeyGen (1^λ): Taking a security parameter λ as an input and outputs a secret key K.

2. BuildIndex (): This algorithm takes in a corpus of documents = {D₁,…, D_n} and generates an index .

3. Encryption (, , K): The encryption algorithm takes a document corpus , an index and a secret key K as input and outputs an encrypted document corpus = {C₁,…, C_n}, and a secure index .

4. Query (Δ_q, K): This algorithm takes a set of keywords Δ_q ⊆ Δ_d, and a secret key K as input, and generates an encrypted query q.

5. Search (q, ): The search algorithm takes an encrypted query q and the secure index as input, it outputs (q) a set of document identifiers whose corresponding documents are the most relevant files to the query q.

6. Decryption (C_i, K): The decryption algorithm takes in an encrypted data file C_i ∈ and a secret key K as input, and outputs D_i.

Definition 2. (History). Let be a document corpus. Let Δ_qi be a set of queried keywords of query q_i. A history over is a tuple over t queries.

The history is information that we are trying to hide from an adversary (cloud).

Definition 3. (Search Pattern). The search pattern over a history ^t is a tuple, Ψ = (_q1,…,_qt), over t queries where _qi, 1 ≤ i ≤ t is a set of encrypted keywords in the i-th query.

Definition 4. (Access Pattern). The access pattern over a history ^t is a set, Ω = ((q₁),…, (q_t)) over t queries.

2.3 Threat model

We consider the cloud server an “honest-but-curious” entity in our model ^{[4,9-11, 14]}. This means the cloud server complies with the designated protocol (“honest”), but it is eager to collect more information by analyzing the encrypted data, message flows, and the index (“curious”). In our scheme, we assume that the cloud server knows the employed encryption and decryption methods, in addition to the encrypted documents and index . However, it does not know the key K. We are willing to leak document identifiers id(D_i), 1 ≤ i ≤ n, encrypted queries and the access pattern defined in Definition 4. We can assume that the document sizes will also be leaked, but it can be trivially preserved by a “padding” method^[4]. Thus, we classify the attack model to Known Ciphertext Attack in which the adversary only observes the ciphertext, i.e., encrypted documents , encrypted index , and queries.

4.1 Scheme I-sequential scan

Recall that in Definition 1 a searchable encryption scheme contains a suite of 6 algorithms. Here, we explain how each algorithm works in Scheme I. In the setup phase, beside calling the KeyGen to generate the secret key K, we generate a document-term matrix and a required ciphertext vector. Scheme I’s details are presented here:

● Setup. Let γ be a n × d document-term matrix(DTM) which an element e_{i j} represents the frequency of keyword wj in document D_i. Let φ = (l₁,…, l_d)be required-ciphertext vector which l_i, 1 ≤ i ≤ d shows the number of required ciphertext for keyword w_i. We first extracts the corpus keyword dictionary Δ_d from the entire corpus and then generates the document-term matrix γ. Afterwards, we generate the the required-ciphertext vector φ (see below for more details).Then we call KeyGen algorithm to generate the secret key K that will be used to encrypt the documents.

● RequiredCiphertext. The probability of querying high frequency keywords is high, so these keywords are more prone to privacy leakages. In a strong attack model^[12] where the cloud server is equipped with more knowledge such as the term frequency statistics, the attacker(cloud) can extract invaluable information form the encrypted files^[16]. Moreover, by issuing each query to the cloud, the data user is revealing more private information such as her interests and hobbies. Thus, there are two main challenges: 1) hiding the keyword frequencies in the outsourced encrypted documents and 2) obscuring the frequency of the queried keywords which may lead to exposing the underlying keywords^[12].

In an ideal world the keyword frequencies are equal, and the data user uniformly queries all of the available keywords. Thus, the cloud observation from the encrypted files and the queries does not leak any information. Although this is impossible in the real world, our goal is to break down the keyword frequencies to get close to the ideal scenario. For this reason we calculate the average of each column (average of each keyword in the document collection ). Note that because we are employing uniform distribution the average and the median are effectively the same. Let A = (a₁,…, a_d) be the average vector in which a_i , 1 ≤ i ≤ d shows the average of keywords w_i in corpus ; thus, .

To determine the number of required ciphertexts for each keyword (l_i) we define a new measure as threshold τ which is the floor of the minimum element in the average vector A. Finally, we determine the number of required-ciphertext vector φ by calculating the ceiling of the maximum frequency for each keyword in DTM-matrix γ divided by the threshold τ: where max_ei is the maximum value in the w_i column.

We divide the maximum frequency of each keyword by the minimum average of the keywords (threshold factor τ) to ensure each encrypted version will occur with the same frequency as the minimum value in the average vector A. With this strategy, the cloud (or an adversary) sees all of the encrypted keywords in the same frequency range. Thus, we gain more uncertainty and a higher level of entropy so identifying the keywords becomes more difficult for the cloud.

● GenerateCiphertext. Before we explain how we encrypt the documents, we define the BuildChain algorithm which will be used by the Encryption algorithm.

- BuildChain(K, Δ_d, φ). This algorithm takes a secret key K, a document keyword dictionary Δ_d, and a required-ciphertext vector φ as input. It outputs an encrypted keyword dictionary _dʹ = (ŵ₁₁,…, ŵ_ij) where ŵ_ij is the j-th ciphertext of w_i^1≤i≤d and d′ is the number of encrypted keywords.

For each keyword w_i ∈ Δ_d, BuildChain generates the first ciphertext ŵ_i1 by encrypting keyword w_i using the secret key K. To generate the second ciphertext ŵ_i2, BuildChain encrypts XOR of previous ciphertext ŵ_i1 with keyword w_i using the same secret key K (i.e., ŵ_i1w_i). Hence, each ciphertext is chained to the previous one. The algorithm continues generating new ciphertext for keyword w_i until we have the expected number of ciphertexts according to the φ vector. Figure 2 shows the chaining process.

Note that compared to other approaches that adopt multiple keys^[1], in our chaining methodology, we employ only one key for all of the required ciphertexts. This characteristic mitigates the key management challenges and lessen system costs during the key generation. Moreover, it enables the data users to generate the whole chain on their own side which reduces the communication costs and increases security and privacy. From the privacy viewpoint, keywords with a high frequency get encrypted multiple times (using chaining notion). As a result, it becomes significantly more difficult for the cloud to track down a specific keyword in a single document or across multiple documents.

We explain how Encryption algorithm (see Definition 1) works in LRSE. Note that, Scheme I is not an index-based method, so it does not need to take in an index (we will employ an index in Scheme II). After taking the inputs, Encryption algorithm call the BuildChain to generate the required-ciphertext vector φ. The BuildChain algorithm returns the encrypted keyword dictionary _d′ to the Encryption algorithm. Then Encryption algorithm starts to encrypt each document by fetching each word from the file and if the word is one of the keywords in Δ_d, we randomly choose one of its encrypted versions from _d′, otherwise we encrypt the word with the secret key¹. The subroutine “Add” in this algorithm adds the encrypted document (here C_i) to the encrypted file collection (). Algorithm 1 demonstrates how we encrypt each file.

Since the cloud sees the encrypted document collection , it generates the DTM matrix (γ′) based on the encrypted keywords in . Thus, the number of columns in γ′ is d′ rather than d (d ≤ d′) and the high frequency keywords are eliminated in the whole matrix.

● GenerateQuery. In the initialization phase, the data owner and the data user exchange φ vector and the secret key K that enable the data user to make an encrypted query q. In addition, because we have multiple encrypted versions (ciphertexts) of each keyword, the data user can use a portion of the available ciphertexts for each keyword, but the data user must use the same portion for all of the keywords in the same query to not effect the results. For example, the data user may decide to use sixty percent of available ciphertext for each keyword, but he cannot employ sixty percent for the first keyword and forty percent for the second one, because it makes the results imprecise. Finally, encrypted query q is sent to the cloud. The data user may send an optional parameter k to the cloud to retrieve only the top-k resultant documents.

This is one of the characteristics that distinguishes our approach from other schemes. With each query the data user is able to randomly choose some of the ciphertext for each keyword which delivers more uncertainty and consequently more entropy. Thus, even if consecutive queries share some of their keywords, the cloud is not able to find a pattern between the queries due to using different versions of ciphertext in each query. Moreover, co-occurring terms appear with different ciphertext in the encrypted files, so, finding the co-occurring terms becomes significantly more difficult for the cloud.

The details of Query is shown in Algorithm 2. The data user declares the “portion” manually or it can be determined randomly by the algorithm (like we did in the Algorithm 2). This feature determines the percentage of each keyword ciphertext that will be employed in the query encryption process. For example, if w_i possesses five different ciphertext and the portion is set to sixty percent, the algorithm employs three versions of the ciphertexts randomly for the current query. Moreover, the data user is able to generate the ciphertexts as all encrypted versions are chained together. Note that the plain query can be indicated by today’s web search engine such as Bing^® and Google^®, in which the data users tend to provide a sentence in natural languages or a set of keywords to express their intentions. In this case, we first extract the keywords Δ_q from the plain query.

● Search. Before explaining the LRSE search algorithm we define the document and query vector and the relevance score:

Definition 5. (Document Vector). Let Δ_d be the dictionary of keywords from corpus . A document vector T_i = (f_w1,…, f_wd) is a normalized vector that demonstrates the normalized frequency of each keyword f_wj, 1 ≤ j ≤ d in document D_i. Let T = {T₁,…, T_n} be a set of all document vectors.

Definition 6. (Query Vector). A query vector Q is a d-element boolean vector such that ∀ 1 ≤ i ≤ d, Q[i] = 1 if w_i ∈ Δ_q, and 0 otherwise.

Definition 7. (Relevance Score). Let T_i denote the normalized frequency vector of the document D_i and Q be the query vector from Δ_q. Their relevance score s_i is inner product of document D_i to query vector Q.

Recall that upon receiving the encrypted document collection the cloud builds its own DTM matrix γ′ and based on that it generates a set of encrypted document vectors = {₁,…, _n}. However, the cloud cannot make the real γ matrix and T (see Section 4.1). Upon receiving the encrypted query q, the cloud server executes Search algorithm. The LRSE Search(q, , k) algorithm takes the encrypted query q, encrypted document vectors , and an optional k, and returns the top-k encrypted resultant documents corresponding to (q) to the data user. Consider that the resultant documents are ranked according to their relevance score s.

● Decryption. The data user executes Decryption(C_i, K, _d′) for each C_i in the resultant documents. This algorithm inputs an encrypted document C_i, a secret key K, and an encrypted keyword dictionary _d′, and outputs D_i. Keywords in the resultant documents are encrypted randomly with a different encrypted piece of the chain. Thus, before decrypting the results, Decryption algorithm normalizes the results by changing each keywords ciphertext with the first ciphertext in the chain. It then decrypts the normalized encrypted document using the secret key K.

Figure 2. Chaining notion - generating multiple ciphertexts for each keyword.

4.2 Scheme II - Index

In Scheme II we employ an index structure to increase the search speed. In Scheme I we encrypt each document keyword by keyword, i.e., each block cipher contains one keyword (we consider each block large enough to store an encrypted keyword). In contrast, in Scheme II each block cipher contains 128 bits of a file (which may vary depend on the protocol and employed encryption scheme). Hence, the cloud learns nothing from the encrypted documents and is not able to generate its own γ′ matrix, so must to rely on the index (provided by the data owner) to find and rank the results.

Furthermore, the cloud is not able to learn the keyword positions in the documents. We also employ the secure asymmetric inner-product mechanism ^[14] which prevents the cloud from learning relevance score between two encrypted documents, and is only able to calculate the relevance score between the encrypted query vector and encrypted document vectors . The following describes scheme II in detail:

● Setup. This part of the scheme consists of the same steps as Scheme I. We first extracts the corpus keyword dictionary Δ_d from the entire corpus and then generates the document-term matrix γ. Afterwards, we generate the required-ciphertext vector φ. In contrast with Scheme I we do not need to actually apply Algorithm 1 and generate multiple ciphertexts for each keyword w_i. Instead, we apply the concept of the chaining notion on the document vectors and represent high frequency keywords with more than one element in the document vectors. For example, assume φ_i = 5, so keyword w_i is represented with 5 positions in the document vectors. This property has less system cost and improves the system efficiency. Then we call KeyGen algorithm to generate a secret key K that will be used to encrypt the documents.

● KeyGen. The key generation algorithm is slightly different from the previous scheme. Beside a secret key K, the KeyGen should create a (d′ × d′) invertible random matrix m where d′ is the sum of all elements in φ (i.e. all of needed encrypted versions). The data owner runs KeyGen(1^λd′) algorithm. The LRSE KeyGen algorithm takes in a security parameter λ and a number d’ and it returns a secret key K and an invertible (d′×d′) matrix m. This matrix will be used to encrypt the query and document vectors, so like the secret key, it should be protected.

● BuildIndex. The LRSE BuildIndex(, φ) takes in a document corpus and a required-ciphertext vector φ and outputs the plain index . This algorithm first generates a normalized document vector T_i for each document D_i based on tf-idf mechanism^[19]. Note that each keyword w_i is presented with multiple positions in the document vector based on value of φ_i. Then using the document vector set T, the algorithm builds a plain index. We adopt a tree-based index structure called keyword balanced binary (KBB) tree proposed by Xia et al. ^[16] Their secure index structure uses a “Greedy Depth-First Search(GDFS)” algorithm to find the most related nodes (documents) to the query.

In the KBB tree, each node u consists of 5 elements: node , two pointers to the left and right child of node u, document (set to null in case u is an internal node), and the last element is a vector T_i that denotes the normalized “t f×idf” values of the keywords in the document D_i. If u is an internal node, each element in vector T_i gets the maximum value of the corresponding keyword among u’s child nodes.

In the index construction phase, we generate a node for each document in the corpus. These nodes are the index tree’s leaves. The internal nodes are generated by generating a parent node for each two nodes (same strategy we apply to build a balanced binary tree). The parent node gets the highest value from its children for each element in its T_i vector.

Figure 3 provides an example of the index tree that is applied in our approach. The corpus in this example consists of 6 files(documents) f₁,…, f₆ and 4 keywords(cardinality of the dictionary d = 4). Assuming the query vector Q is equal to (0,0.83,0,0.24) and parameter k is set to 3 (i.e. number of documents returned to the data user). The figure shows the search process. The search process starts from the root node n and calculates the relevance score of the n₁₁ (1.07) and n₁₂ (0.428) to the query vector and moves to the n₁₁ due to its higher relevance score. The search continues and reaches leaf node f₄ with relevance score of 1.07 and then reaches f₃ and f₂ with 1.127 and 0.498 relevance scores, respectively. Afterwards, the search algorithm gets to the f₁ with 0.524 relevance score and replace f₃ in the result list (because we should return the top-3 relevant files and f₁ relevance score is higher than f₃ score). Finally, the search algorithm goes back to n₁₂ node (based on Depth First Search algorithm) and stops there because the relevance score of the n₁₂ (0.428) is less than the minimum relevance score (0.524) in the result list. Note that in practice T and Q vectors are encrypted using secret key K and matrix m. We refer the reader to Xia et al.^[16] for more information about the index structure.

● GenerateCiphertext. The LRSE Encryption(, , m, K) algorithm takes a document collection D, a plain index , a secret matrix m, and a secret key K. The algorithm encrypts all of the documents in using the secret key K. To encrypt the index , we adopt the secure asymmetric inner product by Wong et al.^[14]. The algorithm can make the cloud server compute the inner product of two encrypted vectors _i and without revealing any information about the actual values of them. Accordingly the encrypted subindex is built as {m^TTi} where m is the random matrix that the data owner generates through running KeyGen algorithm. After encrypting the index and document corpus , the data owner performs a random shuffle on the encrypted document vectors, ensuring that the order of the encrypted entries do not reveal any information about the underlying data. The data owner then transfers the encrypted index and documents to the cloud.

● GenerateQuery. The Query(Δ_q, K, φ) algorithm is similar to Query algorithm in Scheme I (see Section 4.1), except in the last step, instead of sending the encrypted query q, it builds the corresponding query vector and generates the encrypted query vector by performing {m⁻¹ Q}. It shuffles the encrypted query vector in the same way that the document vectors are shuffled and sent it to the cloud. The data user may send an optional parameter k to the cloud to retrieve only the top-k resultant documents.

● Search. Upon receiving the encrypted query , the cloud server runs Search(, , k) algorithm which takes in an encrypted query vector , an encrypted index and an optional parameter k. The Search algorithm finds the top-k resultant documents using the tree-based index . To gain the relevance score we calculates the inner product of the encrypted document vector in the encrypted query vector.

Note that the cloud server only learns the relevance score (similarity) of the documents to the query, while deducing the similarity between encrypted documents is not possible^[14]. Finally, the cloud server returns the top-k resultant files to the data user.

● ResultDecryptor. In contrast with Scheme I, in this scheme we do not need to normalize the encrypted resultant documents so we achieve lower system cost and faster decryption. The LRSE Decryption(C_i, K) algorithm inputs an encrypted document and the secrets key k and outputs the document D_i. The data user simply call the Decryption algorithm for each encrypted document in the resultant documents.

Figure 3. An example of the index tree that is employed in our approach.

5.1 Entropy of LRSE Document Vectors

We prove that by expanding the document vectors using our approach, privacy and security of the outsourced data increases. Note that, adding dummy keywords^[4,9] to extend the length of the data vectors does not necessarily ensure an increase of the security, and in some case it may even decrease the privacy and security of the outsourced data (see Example 1).

The main idea behind expanding/extending the length of the document vectors is to add more uncertainty to document and query vectors, which results in higher entropy. Although, adding to the length of the document vector can lead to higher entropy, in Example 1 we demonstrate that just extending the document vector’s length does not guarantee having a more uniform vector and higher entropy.

Example 1. Consider a document D₁ with 3 keywords. Assume the frequency of each keyword in D₁ is (2, 3, 4), so term-frequency(t f) vector is . The entropy of this vector is equal to 1.06.

Now, to increase privacy and security to D₁ we add a new dummy keyword with the frequency of 15. The modified frequency vector is (2, 3, 4, 15) and the new term-frequency(t f) vector is The first impression is because of adding a dummy keyword, the entropy increases; however the entropy of the new vector is 1.059 which is less than the entropy of the original vector.

In Example 1 we showed that adding dummy keywords to the document/query vectors does not necessarily provide more security/privacy. Defining the property of the new dummy keywords that ensures higher entropy, are not considered in the related literature and we leave it as a future work. However, in Theorem 1 we prove that LRSE scheme provides more security/privacy.

Theorem 1. Given any document vector T_i for document D_i valid in the LRSE scheme, where H is the entropy measure and LRSE(T_i) = T′_i.

Proof. Consider:

and

The entropy of the document vector T_i = (f_wi,…, f_wd) is: and the entropy of the T′i = (f′_w1,…, f_wd′) is:

Recall φ = (l₁,....,l_d), with , and for any f_wj ∈ T_i we have:

Hence:

Moreover, note that log(x) is a monotonically increasing function and T′_i possesses positive values (based on (1)), thus we have:

By extending the above inequality for all of the keyword frequencies in T_i and T′_i:

Thus we have:

□

5.2 Privacy attacks

In Section 3 we identified two private information leakage (privacy attacks). In this section we explain how LRSE prevents search pattern and co-occurrence attack. Our schemes are not designed to preserve the user privacy against access pattern attack and we leave it as future work.

In LRSE with each query the data user is able to randomly choose a portion of the ciphertexts for each keyword. Thus, even if consecutive queries share some of their keywords, the cloud is not able to find a pattern between the queries due to using multiple versions of ciphertexts in each query. Further, co-occurring terms appear with different ciphertexts, so, finding the co-occurring terms becomes significantly more difficult for the cloud (see Section 4).

Assume, φ_i is the number of available ciphertexts for keyword w_i, and in each query the query generator uses β percent of the φ_i. The number of possible permutations Γ that the query generator can employ is: .

For example, if we have φ_i = 10 available ciphertexts for keyword w_i, and the query generator employs 40 percent of the ciphertexts in each query (β = 40%) the number of possible permutation is: . This means, there are 210 distinct possible choices for the query algorithm to ask for the same keyword. In other words, the probability of having 2 queries with same permutation of the ciphertexts for w_i is 0.047% (). Note that the main idea is cloud sees all of the keywords are queried with the same probability even if the user starts requesting for the same keyword multiple times.

5.3 Result completeness

To apply the LRSE scheme we first extract keywords from documents in corpus. Technically, keywords with high frequency get extracted considering some linguistic knowledge to avoid stop words such as “the”, “for”, “if”, and etc.^[23]. We then generate the φ vector based on the minimum value among the average of each keyword in the entire corpus. Further, we assume the random number generator is fair.

Considering all of the aforementioned, there is still a rare chance of incomplete results on the paper. Assume the term frequency of the keyword w_i in document D is fi, and the number of the available ciphertexts for the corresponding keyword is φ_i. As long as f_i ≥ φ_i there is no problem (case 1), because the corresponding C (encrypted D) contains all of the available ciphertexts and no matter which ciphertext versions are employed in the user query, C (and consequently D) will be placed among the possible results.

If f_i ≤ φ_i the user query may contain encrypted versions of w_i that do not exist in D (case 2). Recall that along with the query, the user also sends the parameter k to retrieve only the top-k documents. In case 2 if k is relativity less than the number of documents that includes w_i there is still no problem because D’s relevance score to the query is very low and even if D had all of the encrypted versions of w_i, it would not be placed among the top-k files (case 3). Note that number of documents that f_i ≤ φ_i should be very low, otherwise the keyword extraction algorithm would not choose w_i as a keyword in the first place.

The problem occurs when the user asks for all of the documents that includes keyword w_i (case 4). In this condition, the results may be incomplete, because the user employs a portion of the available ciphertexts which may not be used in D. For example, consider we have a corpus with four documents (d₁, d₂, d₃, d₄), and the term frequency of keyword w_i in each document is (25, 32, 6, 29). Also, consider that the number of available ciphertexts φ_i = 10 and the portion is set to forty percent for query q (e.g., forty percent of the available ciphertexts are employed to generate q by the query generator). Thus, the query generator randomly selects four versions of available ciphertexts (forty percent of φ_i). No matter what versions of the ciphertexts are employed in the query q, d₁d₂, and d₄ will be placed among the possible results because the term frequency of keyword w_i in those documents are greater than φ_i so those documents possess all of the available ciphertexts for w_i (case 1). However, if f_i ≤ φ_i (case 2), D₃ may get excluded from the results due to not possessing the same versions that are employed in the query q. If k is set to 1,2, or 3, this issue does not effect the result accuracy because the user is only interested in the first top-k documents and d₃ will not be placed in the top-k list. The problem occurs when users demands all of the documents containing w_i (case 4).

To tackle this challenge (case 4), in Scheme I, we can inject the missed ciphertexts in the corresponding documents. In Scheme II, we do not even need to touch the encrypted documents; the only action is to adjust the corresponding document vectors regarding the missed ciphertexts. In order not to effect the relevance score, we employ the same strategy the related literature employs by adding dummy keywords while not affecting the relevance score^[19,14].

5.4 Security

The secure asymmetric inner product^[14] is widely used in many existing secure search schemes^{[19,10,16,18,24]} and it has been proved to be secure in known ciphertext attacks. In this section we show that chaining the ciphertexts are not weakening the underlying secure symmetric encryption scheme; and we give the security proofs for the schemes presented in Section 4.

Definition 8. (Symmetric encryption scheme)^[4]. A symmetric encryption scheme is a set of three polynomial-time algorithms (, ξ, ) such that takes an unary security parameter k and returns a secret key K; ξ takes a key K and n-bit message m and returns ciphertext c; D takes a key K and a ciphertext c and returns m if K was the key under which c was produced. We refer to Curtmola et al.^[4] for formal definition of security for symmetric encryption schemes.

Definition 9. (Indistinguishability). Let G and E be two random variables distributed on {0, 1}ⁿ. A SSE scheme is indistinguishable secure if for all non-uniform probabilistic polynomial-time adversaries : {0, 1}ⁿ → {0, 1}, for all polynomial “poly” and all sufficiently large k the distinguishable probability (also called advantage of adversary) is:

Definition 10. (Novel chaining notion). Let (, ξ, ) be an indistinguishable secure symmetric encryption scheme with ξ : {0, 1}^k ×{0, 1}ⁿ → {0, 1}ⁿ. Let w_i ∈ {0, 1}ⁿ be a keyword in the dictionary Δ_d. Given a natural number of ℓ The novel chaining notion of w_i (NCN(w_i)) is defined as:

Theorem 2. The novel chaining notion is indistinguishable secure against known plaintext attack.

Proof. Let (, ξ, ) be the an indistinguishable symmetric encryption scheme. Moreover, recall ξ : {0, 1}^k × {0, 1}ⁿ → {0, 1}ⁿ, so an encrypted vector is a valid vector as an input for ξ (because both encrypted () and plain (V) vectors are in {0, 1}ⁿ). Hence for any w_i in the dictionary Δ_d and for any j, NCN^j(w_i) is in {0, 1}ⁿ. Since (, ξ, ) is indistinguishable secure scheme, the attacker is not able to find any relation between input and output except for a negligible amount^[4], so the outputs is independent of the inputs, otherwise the encryption function (ξ) is not indistinguishable. Hence, keyword w_i is independent from NCN⁽¹⁾(w_i) and NCN⁽¹⁾(w_i) is independent from NCN⁽²⁾(w_i). Now we have to prove that every pair of the chains such as NCN^(j)(w_i) and NCN^(j+i)(w_i) is indistinguishable. By contradiction, let’s assume NCN^(j)(w_i) and NCN^(j+i)(w_i) are distinguishable, then even the pairwise NCN^(j)(w_i) and NCN^(j+1)(w_i) is distinguishable too, which is a contradiction. Therefore, NCN(.) is secure. □

Theorem 3. LRSE is an indistinguishable secure scheme against known ciphertext attack.

Proof. Let (, ξ, ) be an indistinguishable symmetric encryption scheme. Let the = {ξ(D_i), 1 ≤ i ≤ n} be the encrypted document collection. Let be the encrypted searchable index, and let the NCN(.) be our secure chaining notion. Since (, ξ, ) is indistinguishable secure the encrypted documents ξ(D_i), 1 ≤ i ≤ n are indistinguishable secure from a random string {0, 1}*. Hence, the encrypted documents are indistinguishable secure. Further, the encrypted index and encrypted query vectors are secured using asymmetric inner product^[14]. In Theorem 2 we proved that the NCN is indistinguishable secure, so chaining the ciphertexts does not weaken the symmetric encryption. Recall that in Scheme I we encrypt each file word by word using our novel chaining notion. In Scheme II we take advantage of the same idea in generating the document vectors and encrypt the documents block by block (instead of word by word). Thus, the encrypted documents ξ(D_i), 1 ≤ i ≤ n, the index and the encrypted query vectors, and the novel chaining notion (NCN) are indistinguishable secure, so LRSE is indistinguishable secure. □

5.5 Efficiency and System Costs

Although two(multi) - party computation can address our designed goals, they suffer from low efficiency. They usually employ a n-path (in best case two-path) algorithm which means the retrieval phase needs two rounds of communication between the cloud server and data user^[25]. Further, one of the biggest drawbacks is the complexity of the system and even for basic operations requires significantly more complicated computations.

Thus, scholars propose new methodologies to make a trade-off between privacy/security and efficiency. Table 1 compares LRSE with the previous work. In comparison with SSE schemes, LRSE preserves both the search pattern and co-occurring terms which are not supported in the multi-keyword SSE schemes.

Specifically, in comparison with Curtmola et al.^[4] LRSE needs more sever computation, but LRSE supports multi-keyword search queries and also preserves the search pattern and co-occurring terms privacy which are not among Curtmola et al.^[4] achievements. In compare with Cao et al. ^[9] LRSE preserves co-occurring terms. Both methods are at the same level of system costs, because in Cao et al.^[9] work, to increase the privacy, length of the document vectors are extended with dummy keywords. In LRSE, we expand the length of the document vectors to increase the uncertainty and at the same time hide the search pattern and co-occurring terms (two birds with one stone). Moreover, in Section 6.1 we show that LRSE reaches a higher level result accuracy compared to Cao’s approach.

In comparison with a recent work^[18], LRSE preserves search pattern and co-occurring terms privacy. Moreover, in Guo et al.’s^[18] approach, a trusted proxy is considered in the system model which increases the system cost.

6.1 Result Accuracy

Section 4.1 describes a certain number of available ciphertexts (portion) are selected in every query. Although, the same portion for each keyword is employed in the query, it may effect the accuracy of the results due to the reason we explained in Section 5.3. Thus, there is a small chance to lose some result accuracy when the number of available ciphertexts for a keyword is bigger than its frequency in a specific document (because the encrypted versions that are employed in the document may differ from the ones in the query). In other words, when the cloud server returns the top-k documents based on their similarity to the query some of the real top-k relevant documents may be excluded.

This issue occurs in Cao’s ^[9] work when dummy keywords are inserted into each document vectors. conversely, to boost the privacy level, LRSE does not insert dummy keywords, instead we employ multiple ciphertexts to represents each keyword (based on their frequency) and for this reason (not adding noise to the document vectors) we expect to see higher level of result accuracy in LRSE. To evaluate the accuracy of the LRSE results we define the result accuracy R_acc = ||(K′ ∩ K)||/||K|| where K and K′ are sets of expected result documents and documents retrieved by cloud server using LRSE. Additionally, ||A|| determines the number of elements in set A. Figure 4 and Figure 5 demonstrate our results.

Figure 4. Effect of portion on result accuracy over 5000 queries.

Figure 5. Result accuracy based on top_k over 5000 queries.

Recall that the “portion” determines percentage of each keyword ciphertext that will be employed in query encryption process (see Section 4.1). Figure 4 shows the effect of portion on result accuracy over 5000 queries. As the diagram shows LRSE achieves more than 91% result accuracy even when only 10% of the available ciphertexts are employed. Note that in our calculation in Section 5.2 we assumed 40% of the ciphertexts are employed and setting the portion to 10% increases the number of possible permutations and it becomes harder for the cloud server to analyze the access pattern. Moreover, increasing the portion from 10% to 20% raises the result accuracy around 5% and it gets to 95% which seems to be a reasonable trade-off to gain more result accuracy.

Figure 5 demonstrates the effect of top-k on the result accuracy. As the figure shows LRSE achieves to more than 98% result accuracy for top-3 documents. Top-10 or top-15 seems to be a reasonable top-k in our simulation since we have 203 books in our dataset. Even if we consider top-20 (which is 10% of our repository), we have more than 97% result accuracy. In comparison to MRSE (Cao’s work), LRSE achieves a higher precision in results. In MRSE standard deviation (σ) plays an important role which can effect the result accuracy. The bigger the σ is, the less result accuracy we have and it becomes more difficult for the cloud server to obtain information about the user data. Although the σ is not a parameter to be set up in LRSE, we calculate the standard deviation of the document vectors after applying LRSE. The average of σ for document vectors in lRSE is 1.34 with minimum of 0.97. Compared to MRSE (when the σ is 1) LRSE is 7% more accurate than MRSE, and this difference becomes more if the average of LRSE’s σ decreases to 1.

In both LRSE and MRSE as the top-k increases, the result accuracy decreases. In MRSE, this is because of the dummy keywords which can effect the similarity scores (dummy keywords may reduce some document scores which are in the real top-k results or increase the score of some documents out of the real top-k results). In LRSE, with increasing top-k, documents with less relevance to the query are placed in the result set. The frequency of the queried keywords in some documents is insufficient to cover all of the available ciphertexts for the corresponding keyword. Thus when the query asks for the missed ciphertext versions, those documents do not get into the resultant set even when they contain the required keywords. In Section 5.3 we propose to inject the missed ciphertext versions to prevent this problem. However, the results show that LRSE loses less than 1% accuracy from top-3 to top-30, which is tolerable. More importantly, this happens to less relevant documents to the query.

6.2 Document Vectors

6.2.1 Entropy of Document Vectors

We employed Shanon entropy to calculate entropy of the original and LRSE document vectors: H(V) = , where V is the document vector, n is the number of keywords, and p_i is probability of keyword i.

To calculate LRSE entropy progress, we define a measure as entropy improvement H_imp = (H(V_li)–H(V_oi))/H(V_oi). where H(V_li) is the entropy of the document i vector in LRSE and H(V_oi) is the entropy of the original document vector of the same document.

In Section 5.1 we proved that the entropy of document vectors which are generated by LRSE are greater than or equal to the entropy of original vectors.The simulation results emphasizes our theorem and shows at least a 25% entropy improvement in all of the documents and in some documents around 90%. Figure 6 demonstrates the first 20 documents entropy improvement.

Figure 6. Entropy improvement of the first 20 documents.

Note that, some documents such as “Document6” in Figure 6 may possess a high frequency of some keywords because specifically discuss a special topic. For example, legal terminologies are used heavily in the congress documents which increases their frequencies and drastically reduces the entropy of the document vectors and threatens owner/user privacy. In LRSE, we break down these high frequency occurrences to a couple of frequencies in the average frequency range (see Section 4.1). For example, assume the frequency of keyword w_i in document Dj is 72 and the threshold is τ = 25, thus . Hence, LRSE divides the w_i frequency to 3 smaller parts (say 22, 24, 26) which are close to the frequency average (25), and then generates 3 ciphertexts using the chaining notion for each part. Because of this LRSE feature, our observation and result simulation show a 90% entropy improvement in some of the documents.

6.2.2 Standard Deviation of Document Vectors

A low standard deviation (σ) represents that most of the keyword frequencies are very close to the average and consequently to each other. Note that, the keywords can be deduced or identified in a strong attack model that the cloud server is equipped with more knowledge such as the term frequency statistics of the document collection^[16]. For example, the frequency of economic terminologies is much higher than the other keywords in a budget document. Thus, the more keyword frequencies become closer to each other the more difficult identifying the keywords becomes.

Figure 7 demonstrates the standard deviation reduction of first 20 documents which are calculated by comparing the standard deviation of the original document vector and the corresponding vector in LRSE. The results show at least a 80%, σ reduction in each document. This means the frequency of the keywords are at least 80% closer to each other which preserve the data privacy against privacy attacks such as frequency statistical analysis mentioned above.

Figure 7. Standard deviation deduction in the first 20 documents.

6.3 Query Vectors

Although documents’ vectors are constant and barely change, the query vectors are prone to change as the user intentions and demands change. In other words, the number of queries increases over time, more information such as access pattern will be revealed to the cloud. For this reason, we dedicate the third part of our analysis to query vectors. The result analyses shows that LRSE protects the access pattern and privacy of the queries even when the number of queries grows.

6.3.1 Euclidean Distance from Ideal Vector

To preserve the access pattern, the ideal is the cloud server sees all of the queried keywords with the same frequency. In other words, after receiving m search requests the normalized vector of queries on n keywords is: , which means that to predict the next queried keywords or discovering the underlying plain keywords, the cloud server has no more chance than flipping a coin, which is the best case scenario.

We apply Euclidean distance measure to determine the distance between the ideal vector and the original/LRSE query vector. The less the Euclidean distance is, the closer we are to the ideal vector, and the more private is the data. To calculate the query vector, we processed the frequency of each queried keyword after every 3000 queries (for both original and LRSE queries). We then calculate its Euclidean distance from the ideal vector.

Figure 8 demonstrates the Euclidean distance improvement. The results show that the query frequency vector is at least 67% closer to the ideal vector after 30000 search requests submitted. Note that this is the minimum improvement due to using uniform distribution. We randomly select some keywords to create the queries. However in the real world users keep asking for documents in their field of expertise or their interests which makes the original frequency vector farther away from the ideal vector.

Figure 8. Euclidean distance improvement over 30000 queries.

6.3.2 Standard Deviation of Query Vectors

In Section 6.2.2 we explained the importance of having low standard deviation(σ) and analyzed the σ of LRSE document vectors. In this section we study the σ reduction of the query vectors. Unlike the documents, the number of the queries and consequently query vectors increases during the time and for this reason we show the σ reduction over time. We employed the same methodology in Section 6.2.2 to evaluate the standard deviation reduction.

Figure 9 demonstrates that LRSE reduces the standard deviation 25-30%. In other words, identifying the keywords are 30% more difficult using LRSE. Moreover the reduction amount stays in the same range (25%-30%) as the number of queries increases which shows the stability of LRSE.

Figure 9. Standard deviation improvement of the queries over 30000 queries.

Authors’ contributions

Each author contributed equally to the paper.

Availability of data and materials

Not applicable.

Financial support and sponsorship

This research is partly supported by the Natural Sciences and Engineering Research Council of Canada.

Conflicts of interest

All authors declared that there are no conflicts of interest.

Ethical approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Copyright

© The Author(s) 2020.