Key-Aggregate Searchable Encryption, Revisited: Formal Foundations for Cloud Applications, and Their Implementation

TL;DR

This paper revisits key-aggregate searchable encryption (KASE), formally analyzes its security, identifies vulnerabilities in prior schemes, and proposes two new provably secure schemes suitable for cloud data sharing with efficient search capabilities.

Contribution

It provides the first formal security analysis of KASE, demonstrates the insecurity of previous schemes, and introduces two new secure constructions with practical efficiency.

Findings

The original KASE scheme is insecure under formal definitions.

The first secure scheme operates efficiently in a single-server setting.

The main secure scheme ensures privacy in a two-server setting, with search times of 3-6 seconds.

Abstract

In the use of a cloud storage, sharing of data with efficient access control is an important requirement in addition to data security and privacy. Cui et al. (IEEE Trans. on Comp. 2016) proposed \textit{key-aggregate searchable encryption (KASE)}, which allows a data owner to issue an \textit{aggregate key} that enables a user to search in an authorized subset of encrypted files by generating an encrypted keyword called \textit{trapdoor}. While the idea of KASE is elegant, to the best of our knowledge, its security has never been discussed formally. In this paper, we discuss the security of KASE formally and propose provably secure schemes. The construction of a secure KASE scheme is non-trivial, and we will show that the KASE scheme of Cui et al. is insecure under our definitions. We first introduce our provably secure scheme, named \textit{first construction}, with respect to encrypted files and aggregate keys in a single-server setting. In comparison with the scheme of Cui et al., the first construction is secure without increased computational costs. Then, we introduce another provably secure scheme, named \textit{main construction}, with respect to trapdoors in a two-server setting. The main construction guarantees the privacy of a search, encrypted files, and aggregate keys. Considering 5,000 encrypted files, the first construction can finish search within three seconds and the main construction can finish search within six seconds.