Paper 1 Searchable Symmetric Encryption With Forward Search Privacy

This document discusses searchable symmetric encryption (SSE) and the need for forward privacy and forward search privacy in SSE schemes. It introduces the concepts of search pattern, size pattern, and access pattern leakages in SSE, and the file-injection attack that highlighted the need for stronger security notions like forward privacy. The document then proposes a new notion called forward search privacy, which requires that search operations over newly added documents do not leak information about past queries. It presents the hidden pointer technique and a new SSE scheme called Khons to achieve this enhanced security notion while maintaining efficiency.

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 18, NO. 1, JANUARY/FEBRUARY 2021

Searchable Symmetric Encryption with Forward Search Privacy

Jin Li, Yanyu Huang, Yu Wei, Siyi Lv, Zheli Liu, Changyu Dong, and Wenjing Lou, Fellow, IEEE

Abstract—Searchable symmetric encryption (SSE) has been widely applied in encrypted databases for queries in practice. Although SSE is powerful and feature-rich, it is always plagued by information leaks. Some recent attacks point out that forward privacy, which disallows leakage from update operations, has now become a basic requirement for any newly designed SSE scheme. However, the subsequent search operations can still leak a significant amount of information. To further strengthen security, we extend the definition of forward privacy and propose the notion of “forward search privacy”. Intuitively, it requires that search operations over newly added documents do not leak any information about past queries. The enhanced security notion poses new challenges to the design of SSE. We address the challenges by developing the hidden pointer technique (HPT) and propose a new SSE scheme called Khons, which satisfies our security notion (with the original forward privacy notion) and is also efficient. We implemented Khons, and our experiment results on a large dataset (Wikipedia) show that it is more efficient than existing SSE schemes with forward privacy.

Index Terms—Searchable encryption, forward search privacy, forward privacy, data privacy

• J. Li is with the School of Computer Science, Guangzhou University, Guangzhou, Guangdong 510000, China, and the College of Cyber Science, Nankai University, Nankai Qu 300071, China and also with the Department of Computer Science, Virginia Polytechnic Institute and State University, Blacksburg, VA 24061 USA. E-mail: [email protected].
• Y. Huang, Y. Wei, S. Lv, and Z. Liu are with the College of Cyber Science, College of Computer Science, Tianjin Key Laboratory of Network and Data Security Technology, Nankai University, Nankai Qu 300071, China. E-mail: {onlyerir, lv_si_yi}@163.com, [email protected], [email protected].
• C. Dong is with the School of Computing, Newcastle University, Newcastle upon Tyne NE1 7RU, United Kingdom. E-mail: [email protected].
• W. Lou is with the Department of Computer Science, Virginia Polytechnic Institute and State University, Blacksburg, VA 24061 USA. E-mail: [email protected].

Manuscript received 28 July 2018; revised 10 Jan. 2019; accepted 12 Jan. 2019. Date of publication 22 Jan. 2019; date of current version 15 Jan. 2021. (Corresponding author: Zheli Liu and Jin Li.) Digital Object Identifier no. 10.1109/TDSC.2019.2894411

1545-5971 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

1 INTRODUCTION

DATA storage outsourcing is increasingly prevalent fuelled by the development of cloud computing. While the users enjoy benefits such as low cost and ubiquitous access, data privacy becomes a major concern. To protect data privacy, the users usually encrypt data before uploading it to the untrusted storage server. However, encryption makes data incomprehensible so that common retrieval methods such as the keyword search cannot be directly executed on ciphertexts. To solve this problem, searchable symmetric encryption (SSE) was introduced in 2000 [11]. It allows a client to store encrypted documents on an untrusted server, then to retrieve all documents containing a certain keyword by submitting a token that cryptographically encodes the keyword.

Now, SSE has been widely used in encrypted databases [1], [2], [3], [4], [5], [6], [7] and encrypted emails [8]. Take the CryptDB [4] as an example, besides supporting SQL LIKE operator by using an SSE scheme [11] directly, it uses SSE to implement SQL equality queries (=, !=, IN, NOT IN, etc) when the values in the column are not unique. Recently, it has been proposed to apply SSE to support rich queries [5], e.g., conjunctive query [9], range query [12], and so on. Moreover, ARX has applied SSE to provide equality query over the encrypted NoSQL databases.

1.1 The Need for Forward Privacy

Deterministic encryption used in SSE makes it easy for the malicious server to observe repeated queries and other information. These leakages are modeled as search pattern (repetitive pattern in search queries), size pattern (the number of search results) [13] and access pattern (how the encrypted data or indexes are accessed). Generally, these leakages could be eliminated by using an oblivious RAM (ORAM) [10], [18], [19], [27], [28]. However, ORAM usually brings heavy computational overhead and bandwidth cost for each keyword search. Thus, a practical SSE has to allow some information leakage in exchange for acceptable efficiency. Unfortunately, these leakages have been abused to attack SSE schemes in different ways [14], [15], [29], [38], [39].

In 2016, Zhang et al. [16] proposed the file-injection attack. This attack assumes that the adversary can inject files, i.e., to craft a set of documents and trick the client into encrypting them. By injecting the carefully selected files, the adversary can recover keywords, which should be kept private, from search tokens submitted by the client. The attack is very effective and requires only a small number of files to be injected. The problem highlighted by this attack is that the security notion widely used in the past is too weak. More specifically, it allows the adversary to gain knowledge about keywords queried in the past by relating past submitted token to newly updated files. The attack calls for a more stringent treatment of information leakage in SSE
and makes forward privacy the baseline for newly developed SSE schemes.

Forward privacy (FP) requires that the update (addition and deletion) operations cannot be linked to previous search queries. From a practical point of view, it is important for users to securely and dynamically build the encrypted database [34], [35], [36], [37]. Since 2016 several schemes have been proposed to achieve this goal using different cryptographic primitives, including Sophos [20] (uses trapdoor permutation (TDP)), Diana [24] (uses Constrained Pseudorandom Function (CPRF)), and Dual [25] (uses keyed hash function). Among them, Diana [24] and Dual [25] only use symmetric primitives and are more efficient. Backward privacy (BP) is a related security notion that prevents search operations from leaking the matching elements after they have been deleted. It was showed in [24] that a two-roundtrip backward-private SSE can be obtained from any forward private SSE scheme by applying the generic transformation.

1.2 Security Limitation of Forward Privacy

Currently, FP (and BP, as it can be obtained from an FP scheme) has become a basic security requirement for SSE without ORAM. However, we think that FP is not satisfactory enough, and there is still room for improving security.

The problem of FP is that new updates remain unlinkable to previous search queries only until a search query is performed. The search query links all updates matching to the same keyword. This is the reason why it can resist the adaptive file-injection attack, but not statistical inference attacks [14], [15], [17], [29]. These statistical attacks are based on a large collection of information about the same query behaviors. If the newly added documents remain unlinkable after search queries, it will be more difficult for an adversary to infer the keywords being queried and may defend some statistical attacks.

To some degree, the current FP concerns only information leakage caused by update operations and can be regarded as “forward update privacy” (FuP). A more stringent security notion should also consider information leaked through search operations. If an SSE scheme is forward update privacy and its search operation over newly updated documents or over documents within a period of time does not leak the past query information, it achieves a new security notion. We call it “forward search privacy” (FsP).

1.3 Challenges of Designing a Forward Search Privacy Scheme

Primarily, we divide forward search privacy into two types: weak forward search privacy and strong forward search privacy respectively, which will be described detailedly in Section 3.2. Among them, the latter can only be achieved by Oblivious RAM or similar construction. However, ORAM will bring heavy computation and communication overhead, which make SSE impractical. As we focus on practically relevant SSE schemes, strong forward search privacy is beyond the scope of this article.

For the weak forward search privacy, the most critical challenge is to design a brand new SSE scheme which can balance the security and efficiency. For the consideration of efficiency, most of SSE schemes leverage inverted index so that maps a keyword to a set of documents containing this keyword. Conceptually, for each keyword $w$, there is a list $L_w$ such that each element in $L_w$ is a pair (index, ind), where ind is the identifier of a document that contains $w$, and index is a pointer to the previous (or next) element in $L_w$. To achieve forward privacy, all the $L_w$s are merged into a single list $L$, and some cryptographic primitives are used so that when a new element is added into $L$, one cannot link it to a specific $L_w$ (until the next search query for $w$). A search query for $w$ can be easily answered by giving the index of latest element in $L_w$, and decrypting the previous element’s index one by one to recover all identifiers. However, it is not suitable for the goal of forward search privacy, because it is hard to get a part of elements without leaking which list they belong to and the relation with other elements in the same list. How to achieve the highest possible level of security while preserving the efficiency of SSE can be a huge challenge.

1.4 Our Contributions

Our contributions are summarized as follows.

1) We explain the security limitation of current forward privacy and propose an enhanced notion forward search privacy, which ensures that searches over newly added documents do not leak the past query information. We point out that forward search private SSE will leak less information than SSE which only satisfies the original FP notion. We also describe its applications in building secure encrypted applications and improving efficiency in the design of encrypted databases.
2) We design Khons scheme which achieves forward search privacy and supports parallel query. It has both high security and efficiency. Experiment results show that with the large dataset (wikipedia) and RockDB, in multiple thread environment, Khons is at least 3× faster than Dual [25] and 2× than Fides [24].

Table 1 summarizes the comparisons between our schemes and prior forward private schemes.

2 PRELIMINARIES

In this section, we will introduce the notations used in this paper, the cryptographic primitives, and the definition of Searchable Symmetric Encryption (SSE).

2.1 Notations

In this paper, $\mathrm{negl}(\lambda)$ is a negligible function, where $\lambda$ is the security parameter. Unless specified explicitly, the symmetric keys are strings of $\lambda$ bits, and the key generation algorithm uniformly samples a key in $\{0,1\}^{\lambda}$. We only consider (probabilistic) algorithms and protocols running in time polynomial in the security parameter $\lambda$. In particular, adversaries are probabilistic polynomial-time (PPT) algorithms. For a finite set $X$, $x \xleftarrow{\$} X$ means that $x$ is sampled uniformly from $X$.

A database $\mathrm{DB} = (\mathrm{ind}_i, W_i)_{i=1}^{D}$ is a tuple of index/keyword-set pair with $\mathrm{ind}_i \in \{0,1\}^{m}$ and $W_i \subseteq \{0,1\}^{*}$ where
$\mathrm{ind}_i$ is a document identifier and $W_i$ is a set of keywords matching document $\mathrm{ind}_i$. The keyword set of the database DB is $\mathcal{W} = \bigcup_{i=1}^{D} W_i$ and the document set is $\mathcal{D} = \bigcup_{i=1}^{D} \{\mathrm{ind}_i\}$. We define the number of search results for keyword $w$ as $n_w$ and the set of documents containing a keyword $w$ as $\mathrm{DB}(w) = \{\mathrm{ind}_i \mid w \in \mathrm{DB}(\mathrm{ind}_i)\}$ where $|\mathrm{DB}(w)|$ is $a_w$. A keyword $w$ can be divided into a set of sub keywords $S_w = \{w_i \mid E_{K_s}(w, i), 1 \le i \le x\}$ where $K_s$ is the encryption key and $x$ is a constant. Let $D = |\mathcal{D}|$ denotes the number of documents in DB, $W = |\mathcal{W}|$ the total number of keywords, and $N$ be the number of document/keyword pairs (we identify documents with their identifier). Note that $N$ can be written as $N = \sum_{i=1}^{n} |\mathrm{DB}(\mathrm{ind}_i)| = \sum_{w \in \mathcal{W}} |\mathrm{DB}(w)|$.

TABLE 1
Comparison with Prior Forward Private SSE Schemes

| Scheme | Computation: Search | Computation: Update | Communication: Search | RT | Communication: Update | Client Storage | BP | PT | FuP | FsP |
|---|---|---|---|---|---|---|---|---|---|---|
| Previous works | | | | | | | | | | |
| TWORAM [10] | Õ(a_w log N + log^3 N) | Õ(log^2 N) | Õ(a_w log N + log^3 N) | 2 | Õ(log^3 N) | O(1) |  |  | √ |  |
| Dual [25] | O(a_w  d_w) | O(1) | O(n_w) | 1 | O(1) | O(K log D) |  |  | √ | × |
| Fides [24] | O(a_w) | O(1) | O(a_w) | 2 | O(1) | O(K log D) | II |  | √ | × |
| Diana_del [24] | O(a_w) | O(log a_w) | O(n_w + d_w log a_w) | 2 | O(1) | O(K log D) | III |  | √ | × |
| Janus [24] | O(n_w  d_w) | O(1) | O(n_w) | 1 | O(1) | O(K log D) | III |  | √ | × |
| This works | | | | | | | | | | |
| Khons | O(n_w) | O(1) | O(n_w) | 2 | O(1) | O(m log D + D log K) | III | √ | √ | √ |

K is the number of keywords, m is the number of sub keywords, D is the number of documents in EDB. The n_w is the size of the search result set matching keyword w, a_w is the total number of entries matching keyword w, d_w is the number of deleted entries matching w. RT denotes round trip, BP denotes backward-private, PT denotes Partition-based technique, FuP denotes forward update privacy and FsP denotes forward search privacy.

2.2 Cryptographic Primitives

A private-key encryption scheme [26], [30] is a set of three polynomial-time algorithms SK = (Gen, Enc, Dec) where Gen is a probabilistic algorithm that takes as a input a security parameter $\lambda$ and returns a secret key $K_s$, Enc is a probabilistic algorithm takes as inputs a key $K_s$ and a message $m$ and returns a ciphertext $c$ and Dec is a deterministic algorithm that takes as inputs a key $K_s$ and a ciphertext $c$ and returns $m$ if $K_s$ was the key under which $c$ was encrypted. Informally, a private-key encryption scheme is CPA-secure if for any probabilistic polynomial-time adversary $\mathcal{A}$, there exists a negligible function negl such that

$$\Pr[\mathrm{PrivK}^{\mathrm{CPA}}_{\mathcal{A},\mathrm{SK}}(\lambda) = 1] \le \frac{1}{2} + \mathrm{negl}(\lambda).$$

For encryption schemes, we employ pseudo-random functions (PRF), which is a polynomial-time computable functions. PRF cannot be distinguished from random functions by any probabilistic polynomial-time adversary.

A hash function is a pair of probabilistic polynomial-time algorithms (Gen, H) where Gen is a probabilistic algorithm which takes as input a security parameter $1^n$ and outputs a key $s$. We assume that $1^n$ is included in $s$. There exists a polynomial $l$ such that H is (deterministic) polynomial-time algorithm that takes as input a key $s$ and any string $x \in \{0,1\}^{*}$, and outputs a string $H^{s}(x) \in \{0,1\}^{l(n)}$. It is not much more difficult to see that a random oracle acts like a hash function. The success probability of any polynomial-time adversary $\mathcal{A}$ in the following game is negligible:

• A random function $H$ is chosen.
• $\mathcal{A}$ succeeds if it outputs $x, x'$ with $H(x) = H(x')$ but $x \ne x'$.

We refer the reader to [30] for formal definitions of CPA-security, PRFs and Hash functions.

2.3 Searchable Symmetric Encryption

Initially, SSE is proposed to protect static data and thus does not support update operations. Recently, most research focuses on constructing dynamic searchable symmetric encryption (DSSE) [6], [21], [22], [23] that offers search capability and allows dynamically adding and deleting documents. We review the definition of dynamic SSE in [20]. A DSSE scheme $\Pi$ = (Setup, Search, Update) contains a Setup algorithm, and two protocols Search and Update:

• Setup(DB) $\to$ (EDB, sk, $\sigma$) is an algorithm for setting up the encrypted database supporting keyword search. It takes as input a database DB and outputs (EDB, sk, $\sigma$) where EDB is the encrypted database, sk is a secret key, and $\sigma$ is the client’s state.
• Search(sk, $q$, $\sigma$; EDB) = (Search$_C$(sk, $q$, $\sigma$), Search$_S$(EDB)) is a client-server protocol supporting search operation of a document. The client takes as inputs the key sk, its state $\sigma$, and a search query $q$. The server takes as input EDB, outputs the results as document identifiers matching the query $q$.
• Update(sk, $\sigma$, op, in; EDB) = (Update$_C$(sk, $\sigma$, op, in), Update$_S$(EDB)) is a client-server protocol supporting update operation of a document. The client takes as inputs the key sk, an operator op which is taken from the set {add, del}, client’s state $\sigma$ and an input in parsed as the document ind and a set $W$ of keywords. The server takes as input the EDB.

Adaptive Security of SSE. The standard security definition of a DSSE scheme follows the ideal/real simulation
paradigm [20], [24]. It requires the server to know as little as possible about the content of database and queries. More specifically, we wish the adversary will learn nothing except for some obvious leakages. We use a stateful leakage functions to express the information leaked to the adversary by each SSE operation, which is $\mathcal{L} = (\mathcal{L}_{Setup}, \mathcal{L}_{Search}, \mathcal{L}_{Update})$, whose components correspond respectively to the information leaked to the adversary by Setup, Search and Update operations. The definition ensures that the scheme will reveal no information beyond what is inferred from the leakage functions.

The adversary aims to distinguish between a real world SSEReal and an ideal world SSEIdeal. In these worlds, the adversary can trigger Setup, Search and Update operations with parameters which are chosen by herself. Then, she can observe the execution of the scheme like what the server does. We describe what the adversary $\mathcal{A}$ does in real world and ideal world specifically as follows.

• In the SSEReal world, the DSSE scheme is executed honestly. The adversary $\mathcal{A}$ chooses a database DB. The experiment runs Setup(DB) and returns EDB to $\mathcal{A}$. Then, $\mathcal{A}$ adaptively chooses queries $q_i$. The experiment runs Search(sk, $q_i$, $\sigma_i$; EDB$_i$) or Update(sk, $\sigma_i$, op, in$_i$; EDB$_i$) depending on the protocol of query $q_i$ and returns ($\sigma_{i+1}$, DB($w_i$), EDB$_{i+1}$) or ($\sigma_{i+1}$, EDB$_{i+1}$). Finally, the adversary $\mathcal{A}$ outputs a bit $b \in \{0,1\}$.
• In the SSEIdeal world, the adversary sees messages generated by a PPT algorithm $\mathcal{S}$, known as the simulator, that has access to only the leakage functions but not the database or queries. The adversary $\mathcal{A}$ chooses a database DB. The simulator returns an encryption database EDB $\leftarrow \mathcal{S}(\mathcal{L}_{Setup}(\mathrm{DB}))$ to $\mathcal{A}$. Then, $\mathcal{A}$ adaptively chooses queries $q_i$. The experiment runs $\mathcal{S}(\mathcal{L}_{Search}(q_i))$ or $\mathcal{S}(\mathcal{L}_{Update}(q_i))$ to answer the query $q_i$. Finally, the adversary $\mathcal{A}$ outputs a bit $b \in \{0,1\}$.

If an adversary can distinguish the real game and the ideal game of DSSE with only a negligible probability, we say that DSSE achieves adaptive security, which is defined as follows.

Definition 1 (Adaptive security). A DSSE scheme $\Pi$ with a collection of leakage functions $\mathcal{L}$ is $\mathcal{L}$-adaptively-secure, if for any polynomial-time adversary $\mathcal{A}$ issuing a polynomial number of queries $q(\lambda)$, there exists a PPT simulator $\mathcal{S}$ such that

$$\left|\Pr[\mathrm{SSEReal}^{\Pi}_{\mathcal{A}}(\lambda, q) = 1] - \Pr[\mathrm{SSEIdeal}_{\mathcal{S},\mathcal{A},\mathcal{L}}(\lambda, q) = 1]\right| \le \mathrm{negl}(\lambda).$$

3 PRIVACY DEFINITION

We now review the definitions of forward privacy and backward privacy and define the new forward search privacy. The following notations are used throughout the paper.

The repetition of token (i.e., queried keywords) sent to the server will be leaked in the most SSE schemes. If this leakage is limited to search queries, we call it search pattern. If this leakage includes the repetition of updated keywords, we call it the query pattern.

The leakage function $\mathcal{L}$ will keep as state the query list $Q$: the list of all queries issued so far, and whose entries are $(i, w)$ for a search query on keyword $w$, or $(i, op, in)$ for an $op$ update query with input $in$. The integer $i$ is a timestamp, initially sets to 0, and which is incremented at each query. Let sp(x) and qp(x) denote the search and query patterns respectively which are defined as

$$sp(x) = \{j : (j, x) \in Q\} \quad \text{(only matches search queries)}$$
$$qp(x) = \{j : (j, x) \in Q \text{ or } (j, op, in) \in Q \text{ and } x \text{ appears in } in\}.$$

In this paper, TimeDB($w$) is the list of all documents matching $w$, excluding the deleted ones, together with the timestamp of when they were inserted in the database. Updates($w$) is the list of timestamps of updates on $w$. Deletion history DelHist($w$) is the list of timestamps for all deletion operations, together with the timestamp of the inserted entry it removes.

3.1 Forward Update Privacy

The traditional forward privacy [20] is that the server cannot learn whether the newly updated documents match a previously searched keyword or not. In this paper, we define it as forward update privacy.

Definition 2 (Forward update privacy): A $\mathcal{L}$-adaptively-secure SSE scheme is forward-update-private iff the update leakage function $\mathcal{L}_{Update}$ can be written as

$$\mathcal{L}_{Update}(op, ind, W) = \mathcal{L}'(ind, |W|),$$

where $ind$ denotes the identifiers of the newly added documents, $|W|$ denotes the number of keywords of the newly added document and $\mathcal{L}'$ is stateless.

As shown in Definition 2, forward update privacy requires that the information leaked in update operation should not be more than the identifier and the number of keywords of newly updated document.

3.2 Forward Search Privacy

In existing SSE schemes, a search token leaks a significant amount of information. This is captured by the leakage function $\mathcal{L}_{Search}(w) = \mathcal{L}'(\mathrm{TimeDB}(w))$, where $\mathcal{L}'$ is stateless.

Forward search privacy is defined on the basis of forward update privacy. It further prevents the server to know whether a search over newly updated documents matches a previously searched keyword. We first introduced the notion of strong forward search privacy. An SSE scheme satisfies strong forward search privacy if the search token leaks no information. We define it as follows:

Definition 3 (Strong forward search privacy): A $\mathcal{L}$-adaptive-secure SSE scheme is strong forward-search-private, iff functions $\mathcal{L}_{Search}$ can be written as

$$\mathcal{L}_{Search}(w) = \mathcal{L}'(\bot),$$

where $\mathcal{L}'$ is stateless.

This is a very strong notion, but on the other hand is also very difficult to achieve. In fact, this implies the search operation is fully oblivious, and cannot be achieved unless expensive protocols such as ORAM or PIR are used. For practicality, we also define a weaker notion of forward search privacy that leaks partial pattern:
Definition 4 (Weak forward search privacy). Let $S_w = \{w_1, \ldots, w_x\}$ denote a set of sub keywords for a keyword $w$ where $x$ is a constant. A $\mathcal{L}$-adaptive-secure SSE scheme is weak forward-search-private, iff the leakage functions $\mathcal{L}_{Search}$ can be written as

$$\mathcal{L}_{Search}(w_i) = \mathcal{L}'(\mathrm{TimeDB}(w_i)),$$

where $\mathcal{L}'$ is stateless and $|\mathrm{TimeDB}(w_i)| = a_w$ for $a_w$ is a constant.

3.3 Backward Privacy

An SSE scheme satisfies backward privacy if after deleting a document ind matching keyword $w$, the server cannot reveal the deleted document ind from the subsequent search of keyword $w$.

In 2017, Bost et al. [24] have defined backward privacy at three levels: BP-I, BP-II and BP-III. They all leak the documents currently matching $w$, when they were inserted. As for other leakages: BP-I only allows the leakage of “the total number of updates on $w$”; BP-II further allows the leakage of “when all the updates on $w$ happened”; and BP-III further allows the leakage of “which deletion update canceled which insertion update”. We review these definitions as follows.

Definition 5 (BP-I): A $\mathcal{L}$-adaptively-secure SSE scheme is insertion pattern revealing backward-private iff leakage functions $\mathcal{L}_{Search}$ can be written as

$$\mathcal{L}_{Update}(op, w, ind) = \mathcal{L}'(op),$$
$$\mathcal{L}_{Search}(w) = \mathcal{L}''(\mathrm{TimeDB}(w)),$$

where $\mathcal{L}'$ and $\mathcal{L}''$ are stateless and $|\mathrm{TimeDB}(w)| = a_w$ for $a_w$ is a constant.

Definition 6 (BP-II). A $\mathcal{L}$-adaptively-secure SSE scheme is update pattern revealing backward-private iff leakage functions $\mathcal{L}_{Search}$ can be written as

$$\mathcal{L}_{Update}(op, w, ind) = \mathcal{L}'(op, w),$$
$$\mathcal{L}_{Search}(w) = \mathcal{L}''(\mathrm{TimeDB}(w), \mathrm{Updates}(w)),$$

where $\mathcal{L}'$ and $\mathcal{L}''$ are stateless and $|\mathrm{TimeDB}(w)| = a_w$ for $a_w$ is a constant.

Definition 7 (BP-III): A $\mathcal{L}$-adaptively-secure SSE scheme is weakly backward-private iff leakage functions $\mathcal{L}_{Search}$ can be written as

$$\mathcal{L}_{Update}(op, w, ind) = \mathcal{L}'(op, w),$$
$$\mathcal{L}_{Search}(w) = \mathcal{L}''(\mathrm{TimeDB}(w), \mathrm{DelHist}(w)),$$

where $\mathcal{L}'$ and $\mathcal{L}''$ are stateless and $|\mathrm{TimeDB}(w)| = a_w$ for $a_w$ is a constant.

The difference between weak forward search and backward privacy is that weak forward search privacy only leaks partial query pattern. Note that in the Definition 4, the leakage function is based on TimeDB($w_i$) where $w_i$ is a sub-keyword of keyword $w$, while in Definitions 5, 6, and 7, the leakage function is based on TimeDB($w$), i.e., it exposes the whole query pattern.

4 OVERVIEW OF TECHNIQUES

In this section, we will introduce two techniques to help achieve the forward search privacy and then describe a toy construction.

4.1 Partitioning Technique

In SSE schemes, indexes are used widely. In our construction, inverted index is used to facilitate search queries in the form of a pair (key, value), where key is a keyword and value is a list of identifiers of documents containing this keyword. Given a keyword, we can retrieve all the documents that contains the keyword efficiently.

We partition the inverted index into disjoint partitions and generate a sub-keyword for each partition to reduce information leakage in SSE. In this way, a search token of a keyword will become multiple search tokens, each for a different partition. More specifically, we add the identifier of the document to a partition using a sub-keyword derived from $w$ as the key when adding a document that contains a keyword $w$. When performing a search query, we allow the client to submit a search token of a sub-keyword to search over a subset of documents in this partition. If we set only one partition for a keyword, it will be the traditional inverted index.

4.2 Hidden Pointer Technique (HPT)

To use the partitioning technique in SSE, we need to build encrypted lists so that we can store all indexes at the server securely.

We first define the data structure. A data block is a four-tuple (id, data, key, ptr), where id is the block identifier, data is a piece of data, key and ptr are the encryption key and identifier of another block (suffix block). If a block has no suffix block, key is set to $\bot$. In a data block $b$, data, ptr and key fields should be encrypted. We denote $b.id$ as the id of block $b$ and $b.value$ as all the other contents of $b$ including $b.data$, $b.key$ and $b.ptr$.

Fig. 1. An example of HPT. There are four data blocks, whose identifiers and encryption keys are ($id_1$, $key_1$), ($id_2$, $key_2$), ($id_3$, $key_3$) and ($id_4$, $key_4$). The head block in the target list is the $id_1$, whose encryption key is maintained in the client; the $id_2$ is an inner block and its key is stored in the prefix block $id_1$; the tail block is the $id_4$, whose encryption key is stored in the prefix block $id_2$. The ptr value of $id_4$ is $\bot$ because it is the end of this list.

As shown in Fig. 1, HPT allows us to add data blocks into an encrypted linked list. Let $L$ be a list of data blocks. Let the head block be the latest block being added to $L$ and the tail
block be the oldest block in L. We can describe how HPT works by the following algorithms:

• AddHead(L, id, value, 1): it adds a new block as the head block to list L. It has four steps: 1) generate a data block as b = (id, data, L.head.key, L.head.id); 2) sample a random key k from {0, 1}; 3) use k to encrypt the b.value; 4) add b to L.
• RetrieveABlock(L, id, k): it retrieves a data block from the list L. It has three steps: 1) find block b by identifier id; 2) decrypt block b.value by the corresponding key k; 3) return b.
• RetrieveList(L, id, k): it retrieves all data blocks from a sublist of L, by calling RetrieveABlock(L, id, k) repeatedly until the tail block (i.e., a block b such that b.key = ⊥) is visited.

We can use it to build secure index. For example, we can build an inverted index (w, L_w) such that L_w is a list built using HPT. The client can keep the head of the list and store L_w on the server. The list L_w can be updated by the client by adding a new block, and the client can search the index by revealing the id of the head block and the encryption key to the server. Similarly, we can also build a forward index using HPT that maps a document identifier to a list of keywords contained in the document.

One advantage of HPT is that one can have multiple lists and store their blocks in arbitrary order, and can still retrieve each individual list correctly by the id and the encryption key of the head block of the list. Another advantage is that if the server stores multiple lists and a new block comes in, the server will not be able to tell which list this block belongs to (until later the user reveals it), which is important if we want to achieve forward privacy.

4.3 A Toy Construction

We propose a toy construction, which is shown in Fig. 2, to achieve forward search privacy. For a keyword w, we divide it into a set of sub-keywords S_w = {w_1, ..., w_x} according to the total number of associated documents and the number of documents in a partition where x is a constant. Each sub-keyword w_i maintains its own index list L_{w_i}. Each L_{w_i} can be retrieved using the sub-keyword state that includes the id and encryption key of its head node. The total number of partitions and sub-keyword states should be maintained at the client.

Fig. 2. The toy construction of forward search privacy.

As shown in Fig. 2, the server stores L_{w_i} (i ∈ [1, x]) and the client stores the head of L_{w_i}. Thus, for each keyword, the client maintains at most x heads. With these heads, the client can search each partition.

Challenges. A traditional SSE can be used to implement the single partition search query by issuing a search token of the associated sub-keyword. However, to implement a complete search query that covers all partitions, it must issue all the search tokens of all sub-keywords.

Another huge challenge is immediate deletion problem. Immediate deletion means that when a document is deleted, it should immediately delete the related keyword-document pairs in the inverted index. If the final SSE does not support immediate deletion, a single partition query may return documents that have already been deleted.

How to Achieve Weak Forward Search Privacy. In order to satisfy the requirement of weak FsP, when adding a document, the keyword-document pair should not be added into the list that has been searched. If the latest partition has been searched, even if it is not full, we must create a new partition and generate a new sub-keyword for this partition. In other cases, we can add the keyword-document pair into the latest partition directly until it is full.

5 KHONS: FIRST SSE SCHEME WITH FORWARD SEARCH PRIVACY

In this section, we propose a forward and backward secure SSE scheme named “Khons”. It satisfies the weak forward search privacy and forward update privacy (thus can be extended to backward privacy (BP-II)). We combine inverted indexes and forward indexes for efficient search, addition and more importantly immediate deletion.

5.1 Storage Structure

The server stores the data blocks in a dictionary D where D[id] stores a data block with identifier id. As in Section 4.3, from each keyword w we derive a set of sub-keywords S_w = {w_i | E_{K_s}(w, i), 1 ≤ i ≤ x} where K_s is the encryption key. For each sub-keyword w_i, we build a list L_{w_i} for the single partition query which is treated as an inverted index.

To support the full search query, for each keyword w, we made some change to the tail blocks of the lists. In a single partition search, the search is restricted to one partition because the server knows only the head id and encryption key for that one list (partition). When reaching the tail block of the list, the search has to stop because there is not pointer to the next block. Now in the list L_{w_i}, we store the head id and encryption key, both encrypted, for L_{w_{i-1}}. More specifically, the encrypted head id is stored in the data field and the encrypted encryption key is stored in the key field. Encrypting the two pieces of information ensures that the server cannot do a full search without the user’s permission. The encryption brings a problem, that is, where to store the keys. To solve this problem, we also build another list L_w. It has one block for each L_{w_i} that store the key to decrypt data stored in the tail block of L_{w_i}.

To support immediate deletion, for each document ind, there is a list L_ind. L_ind play a role as forward index.

The client stores key K_s and map M_b, M_b , M_f. Key K_s is the user secret key for generating a one-time key to encrypt data. Additionally, we apply a map M_b, M_b  to store the state of each keyword and sub-keyword. M_f stores the state of each document. For each keyword w, we define M_b[w] stores (num_p, cnt_p, key, flag) with initial value of (1, 0, ⊥, false), where num_p is the total number of partitions, cnt_p, key_w the number of blocks and the encryption key of the tail block in the latest (num_p-th) partition and flag denotes whether the


latest (num_p-th) partition is accessed. Notice that a partition can only hold at most P blocks. For each sub-keyword w_i, M_b  [w_i] = (id, key, cnt, flag) with initial value of (⊥, ⊥, 0, false), where id, key is the identify and encryption key of the head block in L_{w_i}, cnt the number of blocks in this partition related to w_i and flag denotes whether this partition (keyword w_i) is accessed. For each document ind, we adopt M_f[ind] = (id, key), i.e., the pointer information of head block of list L_ind. Fig. 3 shows the details of the storage structure.

Fig. 3. The storage structure of Khons. There are three lists. List L_{ind_1} contains the keywords in document ind_1 in form of (ind_1, w). List L_{w_{11}} and L_{w_{12}} contain the document identifiers of the first and second partition of keyword w_1 respectively; however, instead of storing a document identifier ind directly, they store an identifier of a block whose value is (ind, w_1) in list of L_ind. The blue dotted line shows it. List L_{w_1} builds a hidden list among lists of its sub-keywords, by linking all the tail blocks in them. The red line shows it.

5.2 Basic Algorithm

In the following pseudo codes, encryption E_k(m) and decryption D_k(c) are implemented by an IND-CPA (indistinguishability against the chosen plaintext attack) secure symmetric cryptographic primitive with the encryption key k. H, H_1, H_2 and H_3 are keyed hash functions.

Algorithm 1. Khons.Setup()
 1: K_s ←$ {0, 1}; key_h ←$ {0, 1}
 2: M_b, M_b , M_f ← empty map
 3: D ← empty dictionary

Khons.Setup. The client randomly generates K_s as user key and initializes map M_b, M_b  and M_f for maintaining the pointer information of each keyword and document. The server initializes the dictionary D to store data blocks.

Khons.Add. To add a document (with identifier ind) matching w, there are three steps. Khons first inserts a block b with value of (ind, w) into list L_ind. Then, it gets the keyword state stored in M_b[w] and obtains sub-keyword w_i of the latest partition. Notice that, if the latest partition has been accessed or is full (P is maximum number of documents in a partition), it must create a new partition by adding a new sub-keyword w_i for w. If the number of elements in the latest partition is less than P, we must fill with dummy blocks until the number of elements in this partition reaches P. Finally, a block with the value of b.id will be inverted into list L_{w_i}.

We explain how to add the first block to list L_{w_i} in more details. To build list L_w, we first add a special tail block B_tail into list L_{w_i}. The block B_tail stores the identify and encryption key of the head block of list L_{w_{i-1}} and encryption key of the tail block of list L_{w_{i-1}}. The prefix block of B_tail in list L_{w_i} only stores the identifier of B_tail but does not store its encryption key. The details are shown in Algorithm 2.

Algorithm 2. Khons.Update(add, w, ind; σ; EDB)
Client:
    // forward index
 1: (id_f, key_f) ← (M_f[ind].id, M_f[ind].key)
 2: id′_f ←$ {0, 1}; key′ ←$ {0, 1}
 3: mask ← H_1(key′, id′_f)
 4: value ← E_{K_s}(ind‖w)‖key_f‖id_f
 5: (b.id, b.value) ← (id′_f, value ⊕ mask)
 6: M_f[ind].id ← id′_f, M_f[ind].key ← key′
    // inverted index
 7: (num_p, cnt_p, key_w) ← (M_b[w].num_p, M_b[w].cnt_p, M_b[w].key_w)
 8: w_i ← H(key_h, w‖num_p)
 9: (id_b, key_b) ← (M_b[w_i].id, M_b[w_i].key)
10: (cnt_b, flag_b) ← (M_b[w_i].cnt, M_b[w_i].flag)
11: IF (cnt_p = P || flag_b = true)
12:     IF (flag_b = true)
13:         padding P − cnt_p dummy blocks to w_i
14:     num_p ← num_p + 1; cnt_p ← 1
15:     w_i ← H(key_h, w‖num_p)
16:     initialize M_b[w_i]
17: ELSE
18:     cnt_p ← cnt_p + 1
19: id′_b ←$ {0, 1}; key′ ←$ {0, 1}
20: mask_2 ← H_2(key′, id′_b)
21: IF (cnt_b = 0) // Add the first block into the list
22:     id_t ←$ {0, 1}; key_t ←$ {0, 1}
23:     mask_3 ← H_3(key_t, w)
24:     B_tail.id ← id_t
25:     w_{i-1} ← H(key_h, w‖num_p − 1)
26:     B_tail.value ← (key_w‖M_b[w_{i-1}].key‖M_b[w_{i-1}].id) ⊕ mask_3
27:     id_b ← id_t; key_b ← ⊥; M_b[w].key_w ← key_t
28: (b′.id, b′.value) ← (id′_b, (id′_f‖key_b‖id_b) ⊕ mask_2)
29: M_b[w_i].id ← id′_b; M_b[w_i].key ← key′; M_b[w_i].cnt++
30: Send block b, b′ and B_tail (if exists) to the server.
Server:
31: D[b.id] = b.value
32: D[b′.id] = b′.value
33: IF (B_tail exists)
34:     D[B_tail.id] = B_tail.value

Khons.Delete. To delete a document with identifier ind, the client gets pointer information of the list associated with it from map M_f, i.e., (id, key) ← (M_f[ind].id, M_f[ind].key), and sends them to the server. Then, the server repeatedly gets all the blocks in list L_ind, deletes them (marking them as inaccessible) and returns their identifiers back to the client for future reuse. The details are shown in Algorithm 3. Notice that Khons.Delete only influences the blocks in L_ind. The identifier ind is not stored in L_w or L_{w_i} directly, but only stored in L_ind. Because L_w and L_{w_i} only store the pointer information to L_ind, the deletion of L_ind will make the search meaningless.
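The hidden pointer lists that Khons is built on (AddHead, RetrieveABlock and RetrieveList from Section 4.2) and the forward-index deletion just described can be exercised together. The Python sketch below is an added example, not the authors' implementation: it assumes keyed BLAKE2b in counter mode as the masking hash, 16-byte ids, 32-byte keys, all-zero bytes as the encoding of ⊥, and opaque payloads where Khons would store E_{K_s}(ind‖w).

```python
import hashlib
import secrets

ID_LEN, KEY_LEN = 16, 32                               # sizes are assumptions of this sketch
BOTTOM_ID, BOTTOM_KEY = bytes(ID_LEN), bytes(KEY_LEN)  # all-zero encoding of ⊥ (assumption)
EMPTY = (BOTTOM_ID, BOTTOM_KEY)                        # head of a list with no blocks yet


def mask(key, block_id, n):
    """H(key, id) stretched to n bytes with keyed BLAKE2b in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.blake2b(block_id + ctr.to_bytes(4, "big"), key=key).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def add_head(D, head, payload):
    """AddHead: the new block carries the payload plus the OLD head's key and id."""
    old_id, old_key = head
    new_id, new_key = secrets.token_bytes(ID_LEN), secrets.token_bytes(KEY_LEN)
    value = payload + old_key + old_id
    D[new_id] = xor(value, mask(new_key, new_id, len(value)))
    return new_id, new_key            # the client keeps only this pair


def retrieve_block(D, block_id, key):
    """RetrieveABlock: unmask one block; None if the block was deleted."""
    stored = D.get(block_id)
    if stored is None:
        return None
    value = xor(stored, mask(key, block_id, len(stored)))
    ptr = KEY_LEN + ID_LEN
    return value[:-ptr], (value[-ID_LEN:], value[-ptr:-ID_LEN])


def walk(D, head, delete=False):
    """RetrieveList, or the server loop of Khons.Delete when delete=True."""
    payloads, visited = [], []
    block_id, key = head
    while block_id != BOTTOM_ID:
        got = retrieve_block(D, block_id, key)
        if got is None:
            break
        visited.append(block_id)
        if delete:
            del D[block_id]
        payload, (block_id, key) = got
        payloads.append(payload)
    return payloads, visited


def demo():
    """Constructed sample: two documents, one keyword partition, then delete doc1."""
    D = {}                                     # one server dictionary shared by all lists
    fwd = {"doc1": EMPTY, "doc2": EMPTY}       # client map M_f: head of each L_ind
    inv = EMPTY                                # client head of one inverted list L_wi
    owner = {}                                 # demo-only bookkeeping: pointer -> document
    pairs = [("doc1", "alpha"), ("doc2", "alpha"), ("doc1", "beta"), ("doc2", "gamma")]
    for doc, kw in pairs:
        fwd[doc] = add_head(D, fwd[doc], f"{doc}|{kw}".encode())
        if kw == "alpha":                      # inverted block stores the forward block id, not ind
            inv = add_head(D, inv, fwd[doc][0])
            owner[fwd[doc][0]] = doc
    before, _ = walk(D, fwd["doc1"])
    _, freed = walk(D, fwd["doc1"], delete=True)
    pointers, _ = walk(D, inv)
    live = [owner[p] for p in pointers if p in D]   # dangling pointers drop out of the result
    after_doc2, _ = walk(D, fwd["doc2"])
    return before, freed, after_doc2, live


if __name__ == "__main__":
    print(demo()[3])
```

The blocks of all three lists sit interleaved in one dictionary, yet each list is recovered from its head alone, and deleting L_ind for doc1 leaves the inverted list untouched while its pointer to doc1 no longer resolves.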


Algorithm 3. Khons.Update(delete, ind; σ; EDB)
Client:
 1: (id, key) ← (M_f[ind].id, M_f[ind].key)
 2: Send (id, key) to the server.
Server:
 3: REPEAT
 4:     b ← D[id]
 5:     Delete the block b from the dictionary D
 6:     mask ← H_1(key, id)
 7:     b.value ← b.value ⊕ mask
 8:     (id, key) ← (b.id_f, b.key_f)
 9: UNTIL (id = ⊥)

Khons.Search. Two kinds of query can be supported with the same search token τ = (id, key, key_w). For a single partition query, such as the ith partition, the client issues token = (M_b[w_i].id, M_b[w_i].key). The query in a partition will result in the update of its sub-keyword state, which is aimed to achieve the FsP. Note that each query will return a fixed number of elements due to the padding of dummy blocks in Khons.Update. Algorithm 4 shows the details of the search operation. We emphasize that every touched blocks will be deleted after querying and updated to corresponding keyword.

Algorithm 4. Khons.Search(w, i; σ; EDB)
Client:
 1: w_i ← H(key_h, w‖i)
 2: (id, key) ← (M_b[w_i].id, M_b[w_i].key)
 3: M_b[w_i].flag ← true
 4: Send token (id, key) to the server.
Server:
 5: S ← empty set, j ← 0
 6: REPEAT
 7:     b ← D[id]
 8:     mask_2 ← H_2(key, id)
 9:     b.value ← b.value ⊕ mask_2
10:     S = S ∪ D[b.id_f]
11:     (id, key) ← (b.id_b, b.key)
12:     IF (key = ⊥)
13:         id ← ⊥
14: UNTIL (id = ⊥)
15: Send S to the Client.
Client:
16: S ← Decrypt_{K_s}(S)

Khons achieves backward privacy with two round trips. After receiving the search token, the server retrieves data from either a single partition or all the partitions. For each block b in the list associated with the keyword w, it contains a block identifier. With this block identifier, the server can access the corresponding block in the list associated with a document and get its value (the encrypted document identifier and keyword). Then, the server returns all the encrypted information to the client. The client finally decrypts them, removes the element whose keyword is not w and downloads the documents from the server. The remove operation is caused by the immediate deletion of blocks. If the decrypted keyword of an element is not equal to w, it will be removed from the search results.

5.3 Comparison

The highlight of our index is to support the partial query and maintain the complete query at the same time with the help of HPT technique. The key to implementing the partial query is that encryption key and pointer should be separate. But in [21], each item in index list L_{w_i} shares the same key, so that partial query is difficult to implement.

There exist some differences among our scheme, [21] and [25] even we all employ forward and backward indexes simultaneously. Notice that the order of the pointers of elements in Khons is the opposite of [21] and [25]. Namely the new file will point to the old file, so that adding a new file no longer require changing the pointing of the previous file. The reverse of pointers will simplify the addition operation of Khons. But in [21] the add operation needs to homomorphically set the previous node’s “next” pointers to point to newly added nodes, which brings more computation overhead than our solution. And [25] utilizes label and count to “concatenate” each block corresponding to the same keyword. In add operation of [25], the client will generate and upload a set contains label and count to the dictionary in the server.

For deletion operation, Khons only deletes the elements of file physically according to the linked list in forward index, so that the inverted index will not point to the element in forward index any more. The inverted index will be updated after querying. The deletion of [21] is a “dual operation” to addition. The server will “free” the correlative positions in deletion array and search array. While “freeing” the positions in the search array, it will also homomorphically update the pointers of previous entries in the corresponding keyword list. The dual operation is complicated to update both deletion array and search array. For [25], the server calculates label with key and count and then deletes the corresponding document identifier. The server repeats this process by incrementing the counter until all documents in forward index are deleted. Accordingly, the corresponding entries in inverted index will be deleted. Simultaneous updating of two index increases the cost of deletion operations. Additionally, since Fides [24], Dianadel [24] and Janus [24] only utilize inverted index but not forward index, the deletion operation is slightly different. Fides only deletes entries logically. And in Dianadel and Janus, the server maintains two instances of the construction, one for insertions and one for deletions.

5.4 Analysis

In Khons, all the states of documents, keywords and sub-keywords are stored in the client. Thus its client storage overhead is O(m log D + D log K), where m, D and K denote the number of sub-keywords, documents and keywords respectively. Khons supports parallel query which is more efficient when performing full query. Because the server can get the pointer information of head block of each partition by retrieving the list L_w.

The computation complexities in Khons are O(n_w) and O(1) in Search and Update process respectively, where n_w is the size of the search result set matching keyword w. And


the communication complexities in Khons are also O(n_w) and O(1) in Search and Update process respectively. Khons achieves backward privacy with two round trips.

In Search operation, each partition which has been queried will be updated so that there is no sub-keyword will be repeatedly queried. Except that, the number of elements in each partition is the same, which prevents the server from identifying sub-keyword by the number of elements contained in the partition.

Adaptive Security. Khons is the first forward search privacy SSE scheme with partial pattern when. It can also achieve weak backward privacy as the server learns when the deletions occurred. The adaptive security of Khons is proven in Theorem 1.

Theorem 1. Let  denotes the security parameter. Assume L′ is stateless. Define L_Khon = (L^Search_Khon, L^Update_Khon), where

    L^Update_Khon(op, w, ind) = L′(op, w),
    L^Search_Khon(w) = L″(sp(w), TimeDB(w), Updates(w)),

Then Khons is L_K-adaptively-secure with forward update privacy and backward privacy (BP-II).

Proof. We derive some games from real world game to prove the theorem.

Game G_0. G_0 is the real world SSE security game SSEREAL. That is to say,

    Pr[SSEReal^Khons_A() = 1] = Pr[G_0 = 1].

Game G_1. In G_1, we pick random strings as identifiers in Update protocol instead of calling H_1 to generate a new encryption key. The algorithm of G_1 is described in Fig. 4. In Search protocol, the random oracle H_2 is programmed so that H_2(key, id) = mask. Note that in G_1, the generation of key is as same as in G_0, so that mask can be treated as a random string. For convenience, we ignore the generation and application of tail block in G_1. We remove the code which is useless with the security analysis. Furthermore, compared with G_0, we do not consider the reuse of blocks and the partition mechanism in G_1. Hence, we have

    Pr[G_0 = 1] − Pr[G_1 = 1] = 0.

Fig. 4. Algorithms for G_1.

Game G_2. In G_2, the same argument of H_2 can be reused. Thus the only difference between G_1 and G_2 is H_2. Hence, we have

    Pr[G_1 = 1] − Pr[G_2 = 1] = 0.

Game G_3. In G_3, the same argument of H_3 can be reused. Thus the only difference between G_2 and G_3 is H. Hence, we have

    Pr[G_2 = 1] − Pr[G_3 = 1] = 0.

Simulator. The algorithm of simulator is shown in Fig. 5 and the leakage function is L_Khons. We generate a new block whose identifier is picked randomly when performing update operation. When performing


Khons.Update(add), we use the random oracle and store the relationship between timestamp u and document identifier in table Update. Therefore, when perform Khons.Update(delete), simulator can get the document identifier through Update. Hence, we have

    Pr[G_3 = 1] − Pr[SSEIdeal^Khons_{A,S,L_Khons}() = 1] = 0.

Fig. 5. Algorithms for simulator S.

Conclusion. By combining all the contributions from all the games, there exists an adversary A such that

    |Pr[SSEReal^Khons_A() = 1] − Pr[SSEIdeal^Khons_{A,S,L_Khons}() = 1]| ≤ Adv^prf_{F,A}().

We conclude that the probability of result is negl() by assuming that PRF is secure. □

6 KHONS-F: SSE SCHEME SUPPORTING FULL QUERY

To support full query, we propose a forward security SSE scheme named Khons-f. It satisfies backward privacy (BP-II). The Setup and Update operation in Khons-f is almost as the same as Khons, so that we will not repeat these algorithms. The only difference between Khons-f and Khons is Search operation, which is shown in Algorithm 5.

In Khons-f, we leverage tail blocks to link all elements in L_{w_i}. As mentioned before, the tail block in L_{w_i} stores the id and key of head block in L_{w_i} and key of the tail block of L_{w_{i-1}}. To perform full query, the client issues token = (M_b[w_{num_p}].id, M_b[w_{num_p}].key, M_b[w].key_w). The server can trace all L_{w_i} in order of L_{num_p} to L_0. First, the server retrieves the blocks in L_{num_p} one after another. Second, the tail block of L_{num_p} can be retrieved to get the pointer information of the head block and the encryption key of the tail block in L_{num_p−1}. Therefore, the server can continue to retrieve all the blocks in L_{num_p−1}. And so on in a similar fashion, all the elements belong to keyword w can be sent to the client. The security analysis of Khons-f is similar to Khons, so that we will not repeat the analysis.

Algorithm 5. Khons.Search(w; σ; EDB)
Client:
 1: (key_w, num_p) ← (M_b[w].key, M_b[w].num_p)
 2: w_i ← H(key_h, w‖num_p)
 3: (id, key) ← (M_b[w_i].id, M_b[w_i].key)
 4: M_b[w_i].flag ← true
 5: Send token (id, key, key_w) to the server.
Server:
 6: S ← empty set, j ← 0
 7: REPEAT
 8:     b ← D[id]
 9:     mask_2 ← H_2(key, id)
10:     b.value ← b.value ⊕ mask_2
11:     S = S ∪ D[b.id_f]
12:     (id, key) ← (b.id_b, b.key)
13:     IF (key = ⊥)
14:         IF (key_w = ⊥) id ← ⊥
15:         ELSE b′ ← D[id]
16:             mask_3 ← H_3(key_w, w)
17:             b′.value ← b′.value ⊕ mask_3
18:             (id, key, key_w) ← (b′.id, b′.key, b′.key_w)
19: UNTIL (id = ⊥)
20: Send S to the Client.
Client:
21: S ← Decrypt_{K_s}(S)

7 APPLICATIONS

As a special type of SSE, Khons can be applied to typical ciphertext retrieval scenarios to reduce information leakage or improve the efficiency.

Build Secure Encrypted Applications. The two most popular applications supporting keyword search are mail system and cloud storage system. In encrypted mail system (such


as ShadowCrypt [8]), mails are stored in chronological order and queries are allowed to be made within a certain period of time. Its default query is to first get all of the page information and mailing list matching this query on the first page. Then, it obtains the mailing list according to the page selected by the user. Each page can be regarded as a logical partition of Khons. As for cloud storage systems, most of them support pagination display at their clients. Therefore, Khons can also be used to build index trees for documents added in different time periods or different storage areas.

These applications usually do not need to retrieve all documents and pagination query can meet the application requirements. For them, Khons can be directly applied to achieve forward search privacy without loss of functionality. In this case, they can resist some statistical attacks, such as non-adaptive file injection attack.

New Directions for Designing Encrypted Databases. Recently, encrypted databases [1], [3], [4], [5], [6] have become a promising direction, which provides confidentiality and functionality by running queries on encrypted data based on SSE, order-preserving encryption (OPE) and other cryptographic prototypes. Working as proxy services, they usually build their own indexes for ciphertext data and achieve transparent client support by reinterpreting SQL statements.

In encrypted databases, Khons may help implement some complex queries. Especially, Khons can be considered for implementing pagination query. By reinterpreting SQL “LIMIT” statement to that in one or many partitions, it can reduce information leakage and improve search efficiency. Even if full query must always be executed, Khons can also be used instead of SSE to improve efficiency because it can provide the ability of parallel query. Moreover, in the commercial database products, Khons can be combined with some fine-grained access control techniques like attribute-based encryption (ABE) to enhance the security without loss of efficiency.

8 EXPERIMENTS AND EVALUATION

8.1 Experiment Details

Implementation Details. We implemented Fides [24] and Dual [25] in single thread mode without remote RPC. We further implemented Khons in parallel mode (on search operation). Fides [24] is implemented following the Algorithm 2 mentioned in [24] which is based on the open source code of Sophos. Dual [25] is implemented following its pseudo code and is added two-roundtrip mechanism to achieve backward privacy.

For client storage, we used a C++ STL map to store keyword dictionary and a memory-mapped disk-resident hash table to store M. For server storage, we chose google implemented B-tree map [31], MongoDB and RocksDB. We wrote wrapper code for them and tested the performance of the above SSE schemes on them.

For cryptographic algorithms, AES and Blake2b are selected as symmetric encryption algorithm and underlying hash function, respectively. The encryption key of AES is set to 256 bits. Moreover, the sse crypto library used in Sophos [20] is used as our cryptographic tools.

Experiment Environment. All the experiments were performed on a desktop computer with a single Intel Core i7-7700 3.6 GHz CPU, 16 GB of DDR3 RAM running Linux Ubuntu 14.04 LTS operating system.

8.2 Dataset

We used the well-known Enron email [32] and Wikipedia dumps [33] as our test datasets. Table 2 shows their statistic characteristics.

TABLE 2
Dataset

|                       | Small dataset | Large dataset      |
|-----------------------|---------------|--------------------|
| name                  | Enron email   | wikipedia-20150602 |
| tar.gz file size      | 0.432 GB      | 11.9 GB            |
| key-value pair number | 34510k        | 445505k            |
| file number           | 517k          | 5078k              |
| key number            | 20k           | 70k                |

Dataset Preprocess. A set of keyword-document pairs were extracted from each wikipedia document or email. We used the NLTK library to exclude stopwords and punctuation marks from the original text. Then we used PorterStemmer provided by the NLTK to extract keywords and exclude duplicate keywords in every document.

8.3 Evaluation on B-Tree Map

We focus on the detailed tree operations in different SSE schemes, for understanding their effects on overall performance. Meanwhile, we try to evaluate the performance of SSE schemes excluding disk I/O latency. Thus, we used B-tree map [31] stored in memory as server storage structure.

8.3.1 EDB Creation

We ran all three SSE schemes to store the entire encrypted contents of Enron email dataset. Table 3 presents that Khons is 100× faster than Fides [24] and 1.15× faster than Dual [24]. Notice that the time of creation is nearly proportionate to the cryptographic computation time. Compared to Fides [24], AES encryption adopted in Khons is much faster than its 2048-bit RSA-based operation. Compared to Dual [25], Khons does less symmetric cryptographic computation reported in Table 4. We also report the fact that our scheme takes up more space than other two schemes.

TABLE 3
Overall Comparison with Creation using Enron Dataset

| Implementation | Time(s) | Pairs per sec(s) | Client storage(MB) | Server storage(MB) |
|----------------|---------|------------------|--------------------|--------------------|
| Khons          | 406     | 85,000           | 11                 | 3,418              |
| Fides          | 39,653  | 870              | 16                 | 803                |
| Dual           | 469     | 73,582           | 11                 | 2,352              |

8.3.2 EDB Search

To evaluate search performance, we searched all keywords extracted from Enron dataset. We further added some code to google B-tree implementation to record the numbers of node splitting, node merging and node rebalancing per


search operation. Due to space constraints, we just reported the records that were not approximate to zero in Fig. 7.

TABLE 4
Comparison of Main Operations Per Search

|       | T (crypto) | H (crypto) | F (crypto) | E (crypto) | insert (DB) | delete (DB) | update (DB) |
|-------|------------|------------|------------|------------|-------------|-------------|-------------|
| Fides | 1a_w       | 3a_w       | a_w        | a_w        | a_w         | n_w         | 0           |
| Dual  | -          | 5a_w       | -          | 1a_w       | 2a_w        | 2a_w        | 0           |
| Khons | -          | 1a_w       | a_w        | 2a_w       | 0           | 0           | 0           |

T: trapdoor permutation, H: hash function, F: PRF, E: symmetric encryption. Columns marked (crypto) are cryptographic computation; columns marked (DB) are database operation.

Fig. 6. Comparison with search time per matched document on B-tree.

Fig. 6 shows the average time used to search based on the number of documents returned in a search. The average time means the time taken to search divided by the number of matched documents. From Fig. 6, we can see that: 1) Khons is 20-100× faster than Fides [24] for all the cases of matched documents; 2) Khons is 2× faster than Dual [25] for the case of small number of matched documents, but is nearly equal to Dual [25] for the case of large number of matched documents. We pointed out that Fides [24] and Dual [25] need to delete old nodes and add new nodes. The former is for actual deletion and the latter is in nature. We explain the above conclusion from two aspects. First, the performance of search operation is related to the cryptographic computation. Fides [24] and Dual [25] need to generate indexes for new nodes, but Khons can reuse the existing nodes and thus reduce these cryptographic computations. Second, the frequent add and delete operations in Fides [24] and Dual [25] bring more underlying tree operations and corresponding I/O cost. We report the details in . Besides, we could see that the performance of Khons is better when considering the real-world I/O latency in Section 8.4.

Fig. 7. Comparison with influenced nodes of B-tree. Influenced node means node is allocated or freed; rebalanced node means node whose values inside is moved.

Fig. 7 represents that a significant amount of B-tree nodes is influenced in the search operations of Fides [24] and Dual [25]. Khons influences none due to node reuse. The result indicates that node reuse can avoid a significant amounts of storage space allocation, free and memory copy. Thus, node reuse can efficiently reduce the I/O load.

8.4 Evaluation on Real-World Database

To verify that node reuse can take advantage in a real-world database and evaluate the performance in more realistic situation, we stored the data in the well-known key-value database MongoDB, which uses B-tree as its index structure. We also used RocksDB as storage structure to verify whether the node reuse can rise performance in other storage structures, such as LSM tree-based structure.

8.4.1 EDB Creation

We ran all four schemes to store the entire encrypted contents of the Enron email dataset. Fig. 8 shows the EDB creation time of these schemes on different databases.

Fig. 8. Comparison with creation using Enron email dataset on real-world database.

From Fig. 8, we can see that Khons are 20-40× faster than Fides [24] and 1.2× faster than Dual [25]. Compared to the result on B-tree, the performance reduction is due to the database management expenditure and the load of disk I/O. Moreover, the creation time in RocksDB is shorter than that in MongoDB, because the underlying structure of RocksDB has been optimized for write operation. For all the storage wrapper code, we used the default configuration.

8.4.2 EDB Search

From Figs. 9 and 10, we can see that the disk I/O latency delay factor is enlarged. Compared with Dual [25], Khons is 2-3× faster for all the cases of matched documents. They both much faster than Fides [24].

8.5 Evaluation on Large Dataset

Experiments on large dataset are designed to evaluate the full search performance of Khons in parallel mode. In these


experiments, we chose RocksDB as storage structure and set the maximum number of documents in a partition to 20, which is reasonable in applications supporting pagination query.

Fig. 9. Comparison with search time on MongoDB (Small Dataset).

Fig. 10. Comparison with search time on RocksDB (Small Dataset).

8.5.1 EDB Creation

The average throughput of each scheme is close to the performance testing on small datasets. Through experiments, we report that the update throughput of Khons is around 83,500 keyword-document pairs per second in average. Dual is around 73,000 keyword-document pairs per second and Fides is around 920 keyword-document pairs per second.

8.5.2 EDB Search

From Fig. 11, we can conclude that Khons is at least 3× faster than Dual [25] and 2× faster than Fides [24] for the cases of medium and large result set. For the case of small result set, however, it is slower than Dual [25] and Fides [24].

Fig. 11. Comparison with search time per matched document on RocksDB (Large Dataset).

In these experiments, we mainly take two factors into considerations: storage accesses and cryptographic computation. For the first, because it is impossible to load full EDB in the case of the large dataset, accessing data on different hierarchies of memory is unavoidable and becomes a bottleneck. Furthermore, since SSE is not optimized for the memory locality, the time spent on memory access is proportional to the number of database operations. Therefore, Dual costs the most time on memory access to complete its search and Khons costs the least. To note, Khons needs more storage space to store node states which leads to extra time cost due to swap of memory. For the second, the parallelized cryptographic computation cost takes up the most of computation cost. For Fides, although RSA and hash function computations are fully parallelized, computation based on RSA private key is very expensive. For Khons, its parallelization mechanism is based on pagination technique. In the case of small result set, the search time cost cannot be amortized. Thus, Fides costs the most time on computation to complete its search while Dual and Khons cost less.

9 CONCLUSIONS

In this paper, we proposed the notion “forward search privacy”, which ensures search operation over newly added documents doesn’t leak the past query information. To achieve this security goal, we developed the new forward private technique, hidden pointer technique (HPT). Finally, we constructed the Khons scheme achieving both forward search privacy and backward privacy. Experiment results show that Khons is efficient and practical.

Khons can support partial query, but the application scenarios of our solutions may be relatively limited. And our scheme can only achieve weak forward search security. How to achieve strong forward search security can be our key point in the future work.

ACKNOWLEDGMENTS

This work was supported by National Natural Science Foundation Projects (No. 61472091, No. 61672300), for Outstanding Youth Foundation (No. 61722203), Guangzhou scholars project for universities of Guangzhou (No. 1201561613) and National Natural Science Foundation of Tianjin (No. 16JCYBJC15500).

REFERENCES

[1] CipherCloud, “Cloud data encryption”, [Online]. Available: https://www.ciphercloud.com/encryption
[2] M. Bellare, A. Boldyreva, and A. O’Neill, “Deterministic and efficiently searchable encryption,” in Proc. 27th Annu. Int. Cryptology Conf. Advances Cryptology, 2007, pp. 535–552.
[3] S. Tu, M. F. Kaashoek, S. Madden, and N. Zeldovich, “Processing analytical queries over encrypted data,” Proc. VLDB Endowment, vol. 6, no. 5, pp. 289–300, 2013.


[4] R. A. Popa, C. Redfield, N. Zeldovich, and H. Balakrishnan, “CryptDB: Protecting confidentiality with encrypted query processing,” in Proc. 23rd ACM Symp. Operating Syst. Principles, 2011, pp. 85–100.
[5] S. Faber, S. Jarecki, H. Krawczyk, N. Quan, M. Rosu, and M. Steiner, “Rich queries on encrypted data: Beyond exact matches,” in Proc. 20th Eur. Symp. Res. Comput. Secur., 2015, pp. 123–145.
[6] D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M. C. Rosu, and M. Steiner, “Dynamic searchable encryption in very-large databases: Data structures and implementation,” in Proc. Netw. Distrib. Syst. Secur. Symp., 2014, pp. 23–26.
[7] I. Demertzis, D. Papadopoulos, and C. Papamanthou, “Searchable encryption with optimal locality: Achieving sublogarithmic read efficiency,” in Proc. Annu. Int. Cryptology Conf. Advances Cryptology, 2018, pp. 371–406.
[8] W. He, D. Akhawe, S. Jain, E. Shi, and D. Song, “ShadowCrypt: Encrypted web applications for everyone,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2014, pp. 1028–1039.
[9] R. Li and A. X. Liu, “Adaptively secure conjunctive query processing over encrypted data for cloud computing,” in Proc. IEEE 33rd Int. Conf. Data Eng., 2017, pp. 697–708.
[10] S. Garg, P. Mohassel, and C. Papamanthou, “TWORAM: Efficient oblivious RAM in two rounds with applications to searchable encryption,” in Proc. 36th Annu. Int. Cryptology Conf. Advances Cryptology, 2016, pp. 563–592.
[11] D. X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Proc. IEEE Symp. Secur. Privacy, 2000, pp. 44–55.
[12] I. Demertzis, S. Papadopoulos, O. Papapetrou, A. Deligiannakis, and M. Garofalakis, “Practical private range search revisited,” in Proc. Int. Conf. Manage. Data, 2016, pp. 185–198.
[13] E. Stefanov, C. Papamanthou, and E. Shi, “Practical dynamic searchable encryption with small leakage,” in Proc. Netw. Distrib. Syst. Secur. Symp., 2014, pp. 72–75.
[14] M. S. Islam, M. Kuzu, and M. Kantarcioglu, “Access pattern disclosure on searchable encryption: Ramification, attack and mitigation,” in Proc. Netw. Distrib. Syst. Secur. Symp., 2012, pp. 12–27.
[15] D. Cash, P. Grubbs, J. Perry, and T. Ristenpart, “Leakage-abuse attacks against searchable encryption,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2015, pp. 668–679.
[16] Y. Zhang, J. Katz, and C. Papamanthou, “All your queries are belong to us: The power of file-injection attacks on searchable encryption,” in Proc. 25th USENIX Conf. Secur. Symp., 2016, pp. 707–720.
[17] G. Kellaris, G. Kollios, K. Nissim, and A. O’Neill, “Generic attacks on secure outsourced databases,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2016, pp. 1329–1340.
[18] L. Ren, C. Fletcher, A. Kwon, E. Stefanov, E. Shi, M. V. Dijk, and S. Devadas, “Constants count: Practical improvements to oblivious RAM,” in Proc. 24th USENIX Conf. Secur. Symp., 2015, pp. 415–430.
[19] X. Wang, H. Chan, and E. Shi, “Circuit ORAM: On tightness of the goldreich-ostrovsky lower bound,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2015, pp. 850–861.
[20] R. Bost, “Σoφoς: Forward secure searchable encryption,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2016, pp. 1143–1154.
[21] S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable symmetric encryption,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2012, pp. 965–976.
[22] K. Kurosawa and Y. Ohtaki, “UC-secure searchable symmetric encryption,” in Proc. Int. Conf. Financial Cryptography Data Secur., 2012, pp. 285–298.
[23] M. Naveed, M. Prabhakaran, and C. A. Gunter, “Dynamic searchable encryption via blind storage,” in Proc. IEEE Symp. Secur. Privacy, 2014, pp. 639–654.
[24] R. Bost, B. Minaud, and O. Ohrimenko, “Forward and backward private searchable encryption from constrained cryptographic primitives,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2017, pp. 1465–1482.
[25] K. S. Kim, M. Kim, D. Lee, J. H. Park, and W. H. Kim, “Forward secure dynamic searchable symmetric encryption with efficient updates,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2017, pp. 1449–1463.
[26] O. Goldreich, S. Goldwasser, and S. Micali, “How to construct random functions (extended abstract),” in Proc. Annu. Symp. Found. Comput. Sci., 1984, pp. 464–479.
[27] X. S. Wang, K. Nayak, C. Liu, T. H. Chan, E. Shi, E. Stefanov, and Y. Huang, “Oblivious data structures,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2014, pp. 215–226.
[28] D. S. Roche, A. Aviv, and S. G. Choi, “A practical oblivious map data structure with secure deletion and history independence,” in Proc. IEEE Symp. Secur. Privacy, 2016, pp. 178–197.
[29] M. Naveed, S. Kamara, and C. V. Wright, “Inference attacks on property-preserving encrypted databases,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2015, pp. 644–655.
[30] J. Katz and Y. Lindell, Introduction to Modern Cryptography. Boca Raton, FL, USA: Chapman & Hall/CRC, 2008.
[31] Google.2011.cpp-btree, [Online]. Available: https://code.google.com/archive/p/cpp-btree/
[32] Enron Email Dataset, [Online]. Available: https://www.cs.cmu.edu/enron
[33] Wikimedia Foundation, [Online]. Available: https://dumps.wikimedia.org
[34] S. Navathe, “Vertical partitioning algorithms for database design,” ACM Trans. Database Syst., vol. 9, no. 4, pp. 680–710, 1984.
[35] C. Curino, E. Jones, Y. Zhang, and S. Madden, “Schism: A workload-driven approach to database replication and partitioning,” Proc. VLDB Endowment, vol. 3, no. 1, pp. 48–57, 2010.
[36] M. Stonebraker, A. Aboulnaga, A. Pavlo, A. J. Elmore, R. Taft, and M. Serafini, “Clay: Fine-grained adaptive partitioning for general database schemas,” Proc. VLDB Endowment, vol. 10, no. 4, pp. 445–456, 2016.
[37] Y. Lu, A. Shanbhag, A. Jindal, and S. Madden, “AdaptDB: Adaptive partitioning for distributed joins,” Proc. VLDB Endowment, vol. 10, no. 5, pp. 589–600, 2017.
[38] Q. Wang, M. He, M. Du, S. Chow, R. Lai, and Q. Zou, “Searchable encryption over feature-rich data,” IEEE Trans. Depend. Sec. Comput., vol. 15, no. 3, pp. 496–510, May/Jun. 2018.
[39] M. Du, Q. Wang, M. He, and J. Weng, “Privacy-preserving indexing and query processing for secure dynamic cloud storage,” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 9, pp. 2320–2332, Sep. 2018.

Jin Li received the BS degree in mathematics from Southwest University, 2002, the MS degree in mathematics from Sun Yat-sen University, 2004, and the PhD degree in information security from Sun Yat-sen University, 2007. He is currently a professor and vice dean of School of Computer Science, Guangzhou University. His research interests include design of secure protocols in cloud computing and cryptographic protocols. He has published more than 100 papers in international conferences and journals, including IEEE INFOCOM, IEEE TIFS, IEEE TPDS, IEEE TOC and ESORICS etc. His work has been cited more than 10000 times at Google Scholar and the H-Index is 34. He also served as program chairs and committee for many international conferences. He received NSFC Outstanding Youth Foundation in 2017.

Yanyu Huang received the bachelor’s degree of information security from the China University of Geosciences, Wuhan, China, in 2016. Currently, she is working toward the doctor degree in computer science at Nankai University. Her research interests include applied cryptography, data privacy protection.

Yu Wei received the bachelor’s degree of information security and law from Nankai University, Tianjin, China, in 2018. Currently, he is working toward the master’s degree in computer science at Nankai University. His research interests include applied cryptography, data privacy protection.


Siyi Lv received the bachelor’s degree of information security and law from Nankai University, Tianjin, China, in 2016. Currently, she is working toward the master’s degree in computer science at Nankai University. Her research interests include applied cryptography, data privacy protection.

Zheli Liu received the BSc and MSc degrees in computer science from Jilin University, China, in 2002 and 2005, respectively, and the PhD degree in computer application from Jilin University, in 2009. After a postdoctoral fellowship in Nankai University, he joined the College of Cyber Science of Nankai University, in 2011. Currently, he works at Nankai University as an associate professor. His current research interests include applied cryptography and data privacy protection.

Changyu Dong received the PhD degree from Imperial College London. He is currently a senior lecturer with the School of Computing, Newcastle University. He has authored more than 30 publications in international journals and conferences. His research interests include applied cryptography, trust management, data privacy, and security policies. His recent work focuses mostly on designing practical secure computation protocols. The application domains include secure cloud computing and privacy preserving data mining.

Wenjing Lou received the PhD degree in Electrical and Computer Engineering from the University of Florida. She joined the Electrical and Computer Engineering Department at Worcester Polytechnic Institute as an assistant professor, in 2003, where she was promoted to associate professor with tenure, in 2009. In 2011, she joined the Computer Science Department at Virginia Tech as an associate professor with tenure. Her current research interests are in the area of cyber security, with emphases on wireless network security, security and privacy in cloud computing and cyber physical systems. She is also interested in network protocols. She is currently serving on the editorial board of five journals: the IEEE Transactions on Wireless Communications, the IEEE Transactions on Smart Grid, the IEEE Wireless Communications Letter, the Elsevier Computer Networks, and the Springer Wireless Networks. She has served as TPC co-chair for the security symposium of several leading IEEE conferences, including General Symposium at IEEE Globecom 2007, Network Security and Privacy Track at IEEE ICCCN 2009, Security Symposium at IEEE ICC 2010, Security and Localization Track at IEEE PIMRC 2011, and Security Symposium at IEEE Globecom 2012. She serves as TPC member regularly for many premier IEEE and ACM conferences. She was named Joseph Samuel Satin Distinguished fellow in 2006 by WPI. She was a recipient of the U.S. National Science Foundation Faculty Early Career Development (CAREER) award in 2008. She received the Sigma Xi Junior Faculty Research Award at WPI in 2009. She is a fellow of the IEEE.

For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/csdl.
