# Searchable symmetric encryption – Wikipedia

**Searchable symmetric encryption**(

**SSE**) is a imprint of encoding that allows one to efficiently search over a collection of code documents or files without the ability to decrypt them. [ 1 ] [ 2 ] SSE can be used to outsource files to an untrusted cloud memory server without ever revealing the files in the clear but while preserving the waiter ‘s ability to search over them .

## description [edit ]

A searchable symmetrical encoding scheme is a symmetric-key encoding scheme that encrypts a collection of documents D = ( D 1, …, D n ) { \displaystyle \mathbf { D } = ( \mathrm { D_ { 1 } }, \dots, \mathrm { D_ { normality } } ) } , where each document D one ⊆ W { \displaystyle \mathrm { D_ { one } } \subseteq \mathbb { W } } is viewed as a set of keywords from a keyword space W { \displaystyle \mathbb { W } } . Given the encoding key K { \displaystyle K } and a keyword w ∈ W { \displaystyle w\in \mathbb { W } } , one can generate a search token thyroxine thousand { \displaystyle tk } with which the encrypted data collection can be searched for watt { \displaystyle tungsten } . The solution of the search is the subset of code documents that contain the keyword watt { \displaystyle west } .

### electrostatic SSE [edit ]

A electrostatic SSE scheme consists of three algorithms S S E = ( S vitamin e t u p, T o k e n, S e a radius speed of light h ) { \displaystyle { \mathsf { SSE= ( Setup, Token, Search ) } } } that work as follows :

- S einsteinium thymine uranium p { \displaystyle { \mathsf { Setup } } }
thousand { \displaystyle k } D { \displaystyle \mathbf { D } } K { \displaystyle K } E D { \displaystyle \mathbf { ED } }

- T o k e north { \displaystyle { \mathsf { Token } } } K { \displaystyle K } west { \displaystyle watt } t potassium { \displaystyle tk }
- S e a gas constant carbon heat content { \displaystyle { \mathsf { Search } } } E D { \displaystyle \mathbf { ED } } thyroxine k { \displaystyle tk } R ⊆ E D { \displaystyle \mathbf { R } \subseteq \mathbf { ED } }

A static SSE system is used by a node and an untrusted waiter as follows. The client encrypts its data collection using the S e deoxythymidine monophosphate u p { \displaystyle { \mathsf { Setup } } } algorithm which returns a secret key K { \displaystyle K } and an code text file collection E D { \displaystyle \mathbf { ED } }. The node keeps K { \displaystyle K } secret and sends E D { \displaystyle \mathbf { ED } } to the untrusted server. To search for a keyword w { \displaystyle w }, the customer runs the S e a gas constant cytosine h T o k e n { \displaystyle { \mathsf { SearchToken } } } algorithm on K { \displaystyle K } and tungsten to generate a search token t k { \displaystyle tk } which it sends to the server. The server runs Search with E D { \displaystyle \mathbf { ED } } and thyroxine kilobyte { \displaystyle tk } and returns the resulting code documents back to the server .

### Dynamic SSE [edit ]

A dynamic SSE schema supports, in addition to search, the insertion and omission of documents. A dynamic SSE schema consists of seven algorithms S S E = ( S e t u phosphorus, T o k e n, S e a gas constant c hydrogen, I n second einsteinium r thyroxine T o k e n, I n south e r deoxythymidine monophosphate, D e l east deoxythymidine monophosphate e T o k e n, D e lambert e t e ) { \displaystyle { \mathsf { SSE= ( Setup, Token, Search, InsertToken, Insert, DeleteToken, Delete ) } } } where S e metric ton uracil p { \displaystyle { \mathsf { Setup } } }, T o k e nitrogen { \displaystyle { \mathsf { Token } } } and S e a r c planck’s constant { \displaystyle { \mathsf { Search } } } are as in the inactive subject and the remaining algorithm work as follows :

- I n s e radius thyroxine T o k e n { \displaystyle { \mathsf { InsertToken } } } K { \displaystyle K } D n + 1 { \displaystyle \mathrm { D_ { n+1 } } } one t kelvin { \displaystyle itk }
- I n randomness vitamin e radius metric ton { \displaystyle { \mathsf { Insert } } }
Read more: Dual_EC_DRBG – Wikipedia

i t kilobyte { \displaystyle itk } E D ′ { \displaystyle \mathbf { ED ‘ } }

- D e lambert einsteinium metric ton e T o k e n { \displaystyle { \mathsf { DeleteToken } } } K { \displaystyle K } one d { \displaystyle id } vitamin d t kilobyte { \displaystyle dtk }
- D vitamin e fifty e triiodothyronine einsteinium { \displaystyle { \mathsf { Delete } } } E D C { \displaystyle \mathrm { EDC } } d t k { \displaystyle dtk } E D ′ { \displaystyle \mathbf { ED ‘ } }

To add a new document D normality + 1 { \displaystyle \mathrm { D_ { n+1 } } } the client runs I n second e r metric ton T o k e n { \displaystyle { \mathsf { InsertToken } } } on K { \displaystyle K } and D n + 1 { \displaystyle \mathrm { D_ { n+1 } } } to generate an insert token iodine t thousand { \displaystyle itk } which it sends to the server. The waiter runs I n south vitamin e gas constant t { \displaystyle { \mathsf { Insert } } } with E D { \displaystyle \mathbf { ED } } and iodine thymine thousand { \displaystyle itk } and stores the updated code document collection. To delete a text file with identifier one d { \displaystyle idaho }, the customer runs the D e l e t e T o k e n { \displaystyle { \mathsf { DeleteToken } } } algorithm with K { \displaystyle K } and i vitamin d { \displaystyle idaho } to generate a erase token d thymine kilobyte { \displaystyle dtk } which it sends to the server. The waiter runs D e l e deoxythymidine monophosphate einsteinium { \displaystyle { \mathsf { Delete } } } with E D { \displaystyle \mathbf { ED } } and vitamin d thyroxine k { \displaystyle dtk } and stores the updated code document collection. An SSE schema that does not support D e fifty e metric ton einsteinium T o k e n { \displaystyle { \mathsf { DeleteToken } } } and D e fifty e thyroxine east { \displaystyle { \mathsf { Delete } } } is called semi-dynamic .

## history of Searchable Symmetric encoding [edit ]

The problem of searching on encrypted data was considered by Song, Wagner and Perrig [ 1 ] though previous work on oblivious RAM by Goldreich and Ostrovsky [ 3 ] could be used in theory to address the trouble. This work [ 1 ] proposed an SSE system with a search algorithm that runs in time O ( s ) { \displaystyle O ( mho ) } , where randomness = | D | { \displaystyle s=|\mathbf { D } | } . Goh [ 4 ] and Chang and Mitzenmacher [ 5 ] gave new SSE constructions with search algorithm that run in time O ( north ) { \displaystyle O ( nitrogen ) } , where nitrogen { \displaystyle normality } is the issue of documents. Curtmola, Garay, Kamara and Ostrovsky [ 2 ] former proposed two static constructions with O ( o p triiodothyronine ) { \displaystyle O ( \mathrm { opt } ) } search time, where o p thyroxine { \displaystyle \mathrm { opt } } is the total of documents that contain watt { \displaystyle tungsten }, which is optimum. This work besides proposed a semi-dynamic structure with O ( oxygen phosphorus triiodothyronine ⋅ log ( u ) ) { \displaystyle O ( \mathrm { opt } \cdot \log ( uracil ) ) } search time, where uranium { \displaystyle u } is the total of updates. An optimum dynamic SSE construction was former proposed by Kamara, Papamanthou and Roeder. [ 6 ] Goh [ 4 ] and Chang and Mitzenmacher [ 5 ] proposed security definitions for SSE. These were strengthened and extended by Curtmola, Garay, Kamara and Ostrovsky [ 2 ] who proposed the notion of adaptive security for SSE. This knead besides was the foremost to observe escape in SSE and to formally capture it as part of the security definition. escape was far formalized and generalized by Chase and Kamara. [ 7 ] Islam, Kuzu and Kantarcioglu described the first escape attack. [ 8 ] All the previously mentioned constructions support individual keyword search. Cash, Jarecki, Jutla, Krawczyk, Rosu and Steiner [ 9 ] proposed an SSE dodge that supports concerted research in sub-linear clock time in north { \displaystyle newton }. The structure can besides be extended to support disjunctive and boolean searches that can be expressed in searchable normal form ( SNF ) in sub-linear clock. At the lapp time, Pappas, Krell, Vo, Kolesnikov, Malkin, Choi, George, Keromytis and Bellovin [ 10 ] described a construction that supports concerted and all disjunctive and boolean searches in sub-linear time .

## security [edit ]

SSE schemes are designed to guarantee that the untrusted server can not learn any fond information about the documents or the research queries beyond some well-defined and fair escape. The escape of a outline is formally described using a escape profile which itself can consists of several escape patterns. SSE constructions attempt to minimize escape while achieving the best possible search efficiency. SSE security can be analyzed in respective adversarial models but the most common are :

- the persistent model,[2] where an adversary is given the encrypted data collection and a transcript of all the operations executed on the collection;
- the snapshot model,[11] where an adversary is only given the encrypted data collection (but possibly after each operation).

### security system in the Persistent Model [edit ]

In the persistent model, there are SSE schemes that achieve a wide variety show of escape profiles. The most common escape profile for static schemes that achieve single keyword search in optimum time is Λ oxygen p thyroxine { \displaystyle \Lambda _ { \mathrm { opt } } } which reveals the number of documents in the solicitation, the size of each document in the solicitation, if and when a question was repeated and which encrypted documents match the search question. [ 2 ] [ 12 ] It is known, however, how to construct schemes that leak well less at an extra cost in search time and storage. [ 13 ] [ 14 ]

Read more: Dual_EC_DRBG – Wikipedia

When considering dynamic SSE schemes, the state-of-the-art constructions with optimum time search have escape profiles that guarantee forward privacy [ 15 ] which means that inserts can not be correlated with past search queries .

### security in the Snapshot Model [edit ]

In the snapshot model, efficient active SSE schemes with no escape beyond the number of documents and the size of the collection can be constructed. [ 11 ] When using an SSE construction that is secure in the snapshot model one has to cautiously consider how the scheme will be deployed because some systems might cache previous search queries. [ 16 ]

### cryptanalysis [edit ]

A escape profile only describes the escape of an SSE system but it says nothing about whether that escape can be exploited or not. cryptanalysis is consequently used to better understand the real-world security of a escape profile. There is a wide variety show of attacks working in different adversarial models, based on a assortment of assumptions and attacking unlike escape profiles. [ 17 ] [ 18 ]