Leakage-Abuse Attacks Against Forward and Backward Private Searchable Symmetric Encryption

TL;DR

This paper investigates the practical vulnerabilities of forward and backward private DSSE schemes, revealing inherent construction limitations and demonstrating that they leak volumetric information, thus questioning their true privacy guarantees.

Contribution

The paper uncovers inherent limitations in current DSSE schemes that allow leakage-abuse attacks and demonstrates that these schemes leak volumetric information similar to non-private schemes.

Findings

Existing schemes are vulnerable to query linkage attacks.

Volumetric leakage persists despite privacy guarantees.

Practical LAAs can recover query keywords and volumes.

Abstract

Dynamic searchable symmetric encryption (DSSE) enables a server to efficiently search and update over encrypted files. To minimize the leakage during updates, a security notion named forward and backward privacy is expected for newly proposed DSSE schemes. Those schemes are generally constructed in a way to break the linkability across search and update queries to a given keyword. However, it remains underexplored whether forward and backward private DSSE is resilient against practical leakage-abuse attacks (LAAs), where an attacker attempts to recover query keywords from the leakage passively collected during queries. In this paper, we aim to be the first to answer this question firmly through two non-trivial efforts. First, we revisit the spectrum of forward and backward private DSSE schemes over the past few years, and unveil some inherent constructional limitations in most schemes. Those limitations allow attackers to exploit query equality and establish a guaranteed linkage among different (refreshed) query tokens surjective to a candidate keyword. Second, we refine volumetric leakage profiles of updates and queries by associating each with a specific operation. By further exploiting update volume and query response volume, we demonstrate that all forward and backward private DSSE schemes can leak the same volumetric information (e.g., insertion volume, deletion volume) as those without such security guarantees. To testify our findings, we realize two generic LAAs, i.e., frequency matching attack and volumetric inference attack, and we evaluate them over various experimental settings in the dynamic context. Finally, we call for new efficient schemes to protect query equality and volumetric information across search and update queries.