Searchable symmetric encryption(SSE)has been introduced for secure outsourcing the encrypted database to cloud storage,while maintaining searchable features.Of various SSE schemes,most of them assume the server is hon...Searchable symmetric encryption(SSE)has been introduced for secure outsourcing the encrypted database to cloud storage,while maintaining searchable features.Of various SSE schemes,most of them assume the server is honest but curious,while the server may be trustless in the real world.Considering a malicious server not honestly performing the queries,verifiable SSE(VSSE)schemes are constructed to ensure the verifiability of the search results.However,existing VSSE constructions only focus on single-keyword search or incur heavy computational cost during verification.To address this challenge,we present an efficient VSSE scheme,built on OXT protocol(Cash et al.,CRYPTO 2013),for conjunctive keyword queries with sublinear search overhead.The proposed VSSE scheme is based on a privacy-preserving hash-based accumulator,by leveraging a well-established cryptographic primitive,Symmetric Hidden Vector Encryption(SHVE).Our VSSE scheme enables both correctness and completeness verifiability for the result without pairing operations,thus greatly reducing the computational cost in the verification process.Besides,the proposed VSSE scheme can still provide a proof when the search result is empty.Finally,the security analysis and experimental evaluation are given to demonstrate the security and practicality of the proposed scheme.展开更多
Cloud computing facilitates convenient and on-demand network access to a centralized pool of resources.Currently,many users prefer to outsource data to the cloud in order to mitigate the burden of local storage.Howeve...Cloud computing facilitates convenient and on-demand network access to a centralized pool of resources.Currently,many users prefer to outsource data to the cloud in order to mitigate the burden of local storage.However,storing sensitive data on remote servers poses privacy challenges and is currently a source of concern.SE(Searchable Encryption)is a positive way to protect users sensitive data,while preserving search ability on the server side.SE allows the server to search encrypted data without leaking information in plaintext data.The two main branches of SE are SSE(Searchable Symmetric Encryption)and PEKS(Public key Encryption with Keyword Search).SSE allows only private key holders to produce ciphertexts and to create trapdoors for search,whereas PEKS enables a number of users who know the public key to produce ciphertexts but allows only the private key holder to create trapdoors.This article surveys the two main techniques of SE:SSE and PEKS.Different SE schemes are categorized and compared in terms of functionality,efficiency,and security.Moreover,we point out some valuable directions for future work on SE schemes.展开更多
The prosperity of network function virtualization(NFV)pushes forward the paradigm of migrating in-house middleboxes to third-party providers,i.e.,software(virtualized)middlebox services.A lot of enterprises have outso...The prosperity of network function virtualization(NFV)pushes forward the paradigm of migrating in-house middleboxes to third-party providers,i.e.,software(virtualized)middlebox services.A lot of enterprises have outsourced traffic processing such as deep packet inspection(DPI),traffic classification,and load balancing to middleboxes provided by cloud providers.However,if the traffic is forwarded to the cloud provider without careful processing,it will cause privacy leakage,as the cloud provider has all the rights to access the data.To solve the security issue,recent efforts are made to design secure middleboxes that can directly conduct network functions over encrypted traffic and middlebox rules.However,security concerns from dynamic operations like dynamic DPI and rule updates are still not yet fully addressed.In this paper,we propose a privacy-preserving dynamic DPI scheme with forward privacy for outsourced middleboxes.Our design can enable cloud side middlebox to conduct secure packet inspection over encrypted traffic data.Besides,the middlebox providers cannot analyze the relationship between the newly added rules and the previous data.Several recent papers have proven that it is a strong property that resist adaptive attacks.Furthermore,we design a general method to inspect stateful packets while still ensuring the state privacy protection.We formally define and prove the security of our design.Finally,we implement a system prototype and analyze the performance from experimental aspects.The evaluation results demonstrate our scheme is effective and efficient.展开更多
基金supported by the National Natural Science Foundation of China (Grant Nos.61932010 and 62072357)the Zhuhai Top Discipline-Information Securitysupported by the China Scholarship Council (CSC)and the Australian Research Council (ARC).
文摘Searchable symmetric encryption(SSE)has been introduced for secure outsourcing the encrypted database to cloud storage,while maintaining searchable features.Of various SSE schemes,most of them assume the server is honest but curious,while the server may be trustless in the real world.Considering a malicious server not honestly performing the queries,verifiable SSE(VSSE)schemes are constructed to ensure the verifiability of the search results.However,existing VSSE constructions only focus on single-keyword search or incur heavy computational cost during verification.To address this challenge,we present an efficient VSSE scheme,built on OXT protocol(Cash et al.,CRYPTO 2013),for conjunctive keyword queries with sublinear search overhead.The proposed VSSE scheme is based on a privacy-preserving hash-based accumulator,by leveraging a well-established cryptographic primitive,Symmetric Hidden Vector Encryption(SHVE).Our VSSE scheme enables both correctness and completeness verifiability for the result without pairing operations,thus greatly reducing the computational cost in the verification process.Besides,the proposed VSSE scheme can still provide a proof when the search result is empty.Finally,the security analysis and experimental evaluation are given to demonstrate the security and practicality of the proposed scheme.
基金This work is supported by Guangxi Cooperative Innovation Center of Cloud Computing and Big Data(No.YD16506)。
文摘Cloud computing facilitates convenient and on-demand network access to a centralized pool of resources.Currently,many users prefer to outsource data to the cloud in order to mitigate the burden of local storage.However,storing sensitive data on remote servers poses privacy challenges and is currently a source of concern.SE(Searchable Encryption)is a positive way to protect users sensitive data,while preserving search ability on the server side.SE allows the server to search encrypted data without leaking information in plaintext data.The two main branches of SE are SSE(Searchable Symmetric Encryption)and PEKS(Public key Encryption with Keyword Search).SSE allows only private key holders to produce ciphertexts and to create trapdoors for search,whereas PEKS enables a number of users who know the public key to produce ciphertexts but allows only the private key holder to create trapdoors.This article surveys the two main techniques of SE:SSE and PEKS.Different SE schemes are categorized and compared in terms of functionality,efficiency,and security.Moreover,we point out some valuable directions for future work on SE schemes.
基金supported by the Fundamental Research Funds for the Central Universities under grants 310421108.
文摘The prosperity of network function virtualization(NFV)pushes forward the paradigm of migrating in-house middleboxes to third-party providers,i.e.,software(virtualized)middlebox services.A lot of enterprises have outsourced traffic processing such as deep packet inspection(DPI),traffic classification,and load balancing to middleboxes provided by cloud providers.However,if the traffic is forwarded to the cloud provider without careful processing,it will cause privacy leakage,as the cloud provider has all the rights to access the data.To solve the security issue,recent efforts are made to design secure middleboxes that can directly conduct network functions over encrypted traffic and middlebox rules.However,security concerns from dynamic operations like dynamic DPI and rule updates are still not yet fully addressed.In this paper,we propose a privacy-preserving dynamic DPI scheme with forward privacy for outsourced middleboxes.Our design can enable cloud side middlebox to conduct secure packet inspection over encrypted traffic data.Besides,the middlebox providers cannot analyze the relationship between the newly added rules and the previous data.Several recent papers have proven that it is a strong property that resist adaptive attacks.Furthermore,we design a general method to inspect stateful packets while still ensuring the state privacy protection.We formally define and prove the security of our design.Finally,we implement a system prototype and analyze the performance from experimental aspects.The evaluation results demonstrate our scheme is effective and efficient.