Structured Encryption and Controlled Disclosure
This page was last modified on 9 December 2015, at 11:09.

Contents
 Abstract. We consider the problem of encrypting structured data (e.g., a web graph or a social network) in such a way that it can be efficiently and privately queried. For this purpose, we introduce the notion of structured encryption which generalizes previous work on symmetric searchable encryption (SSE) to the setting of arbitrarilystructured data.
We present a model for structured encryption, a formal security definition and several efficient constructions.We present schemes for performing queries on two simple types of structured data, specifically lookup queries on matrixstructured data, and search queries on labeled data. We then show how these can be used to construct efficient schemes for encrypting graph data while allowing for efficient neighbor and adjacency queries.
Finally, we consider data that exhibits a more complex structure such as labeled graph data (e.g., web graphs). We show how to encrypt this type of data in order to perform focused subgraph queries, which are used in several web search algorithms. Our construction is based on our labeled data and basic graph encryption schemes and provides insight into how several simpler algorithms can be combined to generate an efficient scheme for more complex queries.
Introduction
The most common use of encryption is to provide confidentiality by hiding all useful information about the plaintext. Encryption, however, often renders data useless in the sense that one loses the ability to operate on it. In certain settings this is undesirable and one would prefer encryption schemes that allow for some form of computation over encrypted data.
One example is in the context of remote data storage, or socalled “cloud storage”, where a data owner wishes to store structured data (e.g., a collection of web pages) on an untrusted server and only retain a constant amount of information locally. To guarantee confidentiality, the owner could encrypt the data before sending it to the server but this approach is unsatisfactory because the data loses its structure and, in turn, the owner loses the ability to query it efficiently.
To address this problem we introduce the notion of structured encryption. A structured encryption scheme encrypts structured data in such a way that it can be queried through the use of a queryspecific token that can only be generated with knowledge of the secret key. In addition, the query process reveals no useful information about either the query or the data. An important consideration in this context is the efficiency of the query operation on the server side. In fact, in the context of cloud storage, where one often works with massive datasets, even linear time operations can be infeasible.
Roughly speaking, we view structured data as a combination of a data structure and a sequence of data items such that encodes the data’s structure and represents the actual data. For example, in the case of graphstructured data such as a social network, is a graph with nodes and the th element of is the data associated with node . To query the data efficiently, one queries to recover a set of pointers and then retrieves the items in indexed by .
At a high level, a structured encryption scheme takes as input structured data and outputs an encrypted data structure and a sequence of ciphertexts . Using the private key, a token can be constructed for any query such that pointers to the encryptions of can be recovered from and . Furthermore, given the private key, one can decrypt any ciphertext .
A certain class of symmetric searchable encryption (SSE) schemes ^{[1]} ^{[2]} ^{[3]} can be viewed as structured encryption schemes for the special purpose of private keyword search over encrypted document collections. Of course, the functionality provided by structured encryption can be achieved using general techniques like oblivious RAMs ^{[4]}, secure twoparty computation ^{[5]} and fullyhomomorphic encryption (FHE) ^{[6]}. In our context, however, we are interested in solutions that are noninteractive and, at worst, linear in the number of data items as opposed to linear in the length of the data. All the schemes described in this work are noninteractive and optimal in that the query time is linear in the number of data items to be returned.
Informally, a basic notion of security for structured encryption guarantees that (1) an encrypted data structure and a sequence of ciphertexts reveal no partial information about the data ; and that (2) given, in addition, a sequence of tokens for queries no information is leaked about either or beyond what can be inferred from some limited leakage which is a function of , and . A stronger notion, introduced in ^{[3]}, guarantees that (2) holds even when the queries are generated adaptively.
All known constructions that can be considered efficient structured encryption schemes (i.e., the indexbased SSE schemes) reveal some limited information about the data items and queries. In particular, for any query they reveal at least (1) the access pattern, which consists of the pointers I; and (2) the query pattern, which reveals whether two tokens were for the same query.
Applications of Structured Encryption
Private queries on encrypted data.
The most immediate application of structured encryption is for performing private queries on encrypted data. In this setting, a client encrypts its (structured) data resulting in an encrypted data structure and a sequence of ciphertexts . It then sends to the server. Whenever the client wishes to query the data, it sends a token to the server which the latter uses to recover pointers to the appropriate ciphertexts. Using a structured encryption scheme in this manner enables the client to store its data remotely while simultaneously guaranteeing confidentiality against the server (in the sense outlined above) and efficient querying and retrieval.While this problem has received considerable attention for the special case of document collections ^{[7]} ^{[1]} ^{[8]} ^{[9]} ^{[10]} ^{[11]} ^{[12]} ^{[13]}, as far as we know, it has never been considered for other kinds of data.
Controlled disclosure for local algorithms.
While the original motivation for structured encryption was to perform private queries on encrypted data (or more precisely, private searches on encrypted data), we introduce here a new application which we refer to as controlled disclosure.
In this setting, the client not only wants to store its data remotely but expects the server (or some third party) to perform some computation over the data. In particular, while the client is willing to reveal the information necessary for the server to perform its task, the client does not want to reveal anything else. Consider, e.g., a client that stores a largescale social network remotely and that, at some point, needs the server to analyze a small subset of the network. If the social network were encrypted using a classical encryption scheme the client would have to reveal the entire network, leaking extra information to the server. Ideally, what we want in this setting is a mechanism that allows the client to encrypt the data and later disclose the “pieces” of it that are necessary for the server to perform its task.
Another application of controlled disclosure is to the emerging area of (cloudbased) data brokerage services, such as Microsoft’s Dallas ^{[14]} and Infochimps ^{[15]} .
Here, the cloud provider acts as a broker between a data provider that wishes to sell access to a massive dataset and a data consumer that needs access to the data. The data is stored “in the cloud” and the cloud operator manages the consumer’s access to the provider’s data. Using controlled disclosure, the provider could encrypt its data before storing it in the cloud and release tokens to the consumer as appropriate. Such an approach would have several advantages including (1) enabling the producer to get an accurate measure of the consumer’s use of the data; and (2) ensuring the producer that the consumer can only access the authorized segments of data, even if the consumer and the cloud operator collude.
Clearly, if the algorithm executed by the server (or the data consumer) is “global”, in the sense that it needs to read all the data, then controlled disclosure provides no security. On the other hand, if the algorithm is “local”, in that it only needs to read part of the data, then controlled disclosure preserves the confidentiality of the remaining data. There are numerous algorithms that exhibit this kind of local behavior and they are used extensively in practice to solve a variety of problems. For example, many optimization problems like the traveling salesman problem or vertex cover are handled in practice using local search algorithms (e.g., hill climbing, genetic algorithms or simulated annealing). Several linkanalysis algorithms for web search such as Kleinberg’s seminal HITS algorithm ^{[16]} (and the related SALSA ^{[17]} algorithm) are local. Finally, the recent work of Brautbar and Kearns on “jump and crawl” algorithms ^{[18]} motivates and proposes several local algorithms for social network analysis, including for finding vertices with highdegree and high clustering coefficient.
Controlled disclosure can be viewed as a compromise between full security on the one hand and efficiency and functionality on the other. In settings where computation needs to be performed on massive datasets and “fully secure” solutions like multiparty computation ^{[19]} ^{[5]} ^{[20]} and fullyhomomorphic encryption ^{[6]} are prohibitively expensive, controlled disclosure provides a practical solution without completely compromising security.
Our Results
Performing private queries on encrypted data is an important goal that is well motivated by the recent trend towards cloud storage. Giving clients the means to encrypt their data without losing the ability to efficiently query and retrieve it provides obvious benefits to the client but also frees the cloud provider from many legal exposures (see ^{[21]} ^{[22]} ^{[23]} for discussion of these issues). It additionally provides a mechanism by which clients from regulated industries can make use of cloud storage (e.g., to store medical records or financial documents) while remaining compliant.
While the recent work on searchable encryption constitutes an important step towards this goal, we note that a noticeable fraction of the data generated today is not text data. Indeed, many largescale datasets (e.g., image collections, social network data, maps or location information) exhibit a different and sometimes more complex structure that cannot be handled properly using searchable encryption.
To address this, we:
 introduce the notion of structured encryption, which generalizes indexbased symmetric searchable encryption ^{[1]} ^{[2]} ^{[3]} to arbitrarilystructured data and propose a novel application of structured encryption (and therefore of SSE) to the problem of controlled disclosure.
 extend the adaptive security definition of ^{[3]} to the setting of structured encryption.
 give constructions of adaptivelysecure structured encryption schemes for a variety of structures and queries including:
 (lookup queries on matrixstructured data) given a matrix and pair , return the value stored at row and column . This captures, e.g., lookup queries on digital images or retrieval of maps.
 (search queries on labeled data) given a set of labeled items and keyword , return the items labeled with . This captures the familiar setting of searchable encryption. We briefly note that our construction exhibits a combination of useful properties that, as far as we know, no revious scheme achieves.
 (neighbor queries on graphstructured data) given a graph and a node , return all the nodes adjacent to . This captures, e.g., retrieving a user’s “friend list” in a social network.
 (adjacency queries on graphstructured data) given a graph and two nodes and , return 1, if they are adjacent and return 0 otherwise. This captures, e.g., testing whether two users are “friends” in a social network.
 While the previous constructions are useful in their own right, an important goal with respect to structured encryption is to construct schemes that are able to encrypt complex structures and to handle expressive queries that take full advantage of the complexity of the data’s structure. As an example, consider the case of web graphs (i.e., subgraphs of the Web) which are composed of pages with both text and hyperlinks. Encrypting the pages of a web graph using a searchable encryption scheme will only enable keyword search over the encrypted pages. Web graphs, however, exhibit a much richer structure and we typically want to perform more complex queries on them. Towards this goal, our final contribution is to show how to encrypt web graphs and, more generally, what we refer to as labeled graph data. In particular, we:
 give a structured encryption scheme for labeled graphs that handles focused subgraph queries. Roughly speaking, for a given search keywork, a focused subgraph query on a web graph returns a subgraph that encodes enough information about it to yield a good ranking of the pages for that search. These queries are an essential part of Kleinberg’s seminal HITS algorithm ^{[16]} (and its many successors). Our construction uses as building blocks some of the schemes mentioned above. We stress, however, that it is not sufficient to use the schemes “asis” and we show a novel way of combining structured encryption schemes for simple structures in order to build schemes that handle more complex data and more expressive queries. The approach is general and can be adapted to other complex data types.
 : generate two random bit strings , and a key . Set .
 : construct a mutrix размером as follows:
 parse as and
 choose a pseudorandom permutation
 sample a bit string uniformly at random
 for all ,
 : output , where and .
 : parse as ; compute and output .
 : return .
 : sample two random  bit keys ,, and generate a key . Set .
 : construct a dictionary as follows:
 parse as and .
 choose a pseudorandom permutation
 sample a  bit string uniformly at random
 for each such that , and
 : output .
 : parse as and compute , where refers to the value stored in with search key . If is not in then output and . Otherwise parse as and output и .
 : output .
 : generate and output .
 : parse as and and construct a labeling , that associates to each the set , where
 : compute and output .
 : output .
 : output .
 : generate and output .
 : construct a matrix as follows:
 : compute and output .
 : output .
 : output .
 : generate three keys , .
 :
 compute ,
 compute ,
 for ,
 compute ,
 compute ,
 let be the labeling generated from all the words in (i.e., each is labeled with the words it contains) and let ,
 compute , where is composed of and ,
 output and .
 : output .
 :
 compute
 for all ,
 compute ,
 compute ,
 output .
 : return .
 ↑ ^{1.0} ^{1.1} ^{1.2} ^{1.3} ^{1.4} ^{1.5} EJ. Goh. Secure indexes. Technical Report 2003/216, IACR ePrint Cryptography Archive, 2003.See http://eprint.iacr.org/2003/216. See http://eprint.iacr.org/2003/216.
 ↑ ^{2.0} ^{2.1} ^{2.2} ^{2.3} M. Brautbar and M. Kearns. Local algorithms for _nding intersting individuals in large networks.In Innovations in Computer Science (ICS '10), 2010.
 ↑ ^{3.0} ^{3.1} ^{3.2} ^{3.3} ^{3.4} ^{3.5} ^{3.6} ^{3.7} ^{3.8} ^{3.9} R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky. Searchable symmetric encryption: Improved de_nitions and e_cient constructions. In ACM Conference on Computer and Communications Security (CCS '06), pages 79{88. ACM, 2006.
 ↑ O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious RAMs. Journal of the ACM, 43(3):431{473, 1996.
 ↑ ^{5.0} ^{5.1} B. Waters, D. Balfanz, G. Durfee, and D. Smetters. Building an encrypted and searchable auditlog. In Network and Distributed System Security Symposium (NDSS '04). The Internet Society, 2004.
 ↑ ^{6.0} ^{6.1} C. Gentry. Fully homomorphic encryption using ideal lattices. In ACM Symposium on Theory of Computing (STOC '09), pages 169{178. ACM Press, 2009.
 ↑ ^{7.0} ^{7.1} E. Shi, J. Bethencourt, T. Chan, D. Song, and A. Perrig. Multidimensional range query over encrypted data. In IEEE Symposium on Security and Privacy, pages 350{364, Washington, DC, USA, 2007. IEEE Computer Society.
 ↑ ^{8.0} ^{8.1} D. Boneh, G. di Crescenzo, R. Ostrovsky, and G. Persiano. Public key encryption with keyword search. In Advances in Cryptology { EUROCRYPT '04, volume 3027 of Lecture Notes in Computer Science, pages 506{522. Springer, 2004.
 ↑ ^{9.0} ^{9.1} D. Song, D. Wagner, and A. Perrig. Practical techniques for searching on encrypted data. In IEEE Symposium on Research in Security and Privacy, pages 44{55. IEEE Computer Society, 2000.
 ↑ ^{10.0} ^{10.1} M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. M. Lee, G. Neven, P. Paillier, and H. Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In V. Shoup, editor, Advances in Cryptology { CRYPTO '05, volume 3621 of Lecture Notes in Computer Science, pages 205{222. Springer, 2005.
 ↑ M. Bellare, A. Boldyreva, and A. O'Neill. Deterministic and e_ciently searchable encryption. In A. Menezes, editor, Advances in Cryptology { CRYPTO '07, Lecture Notes in Computer Science, pages 535{552. Springer, 2007.
 ↑ A. Shamir. Identitybased cryptosystems and signature schemes. In George Robert Blakley andDavid Chaum, editors, Advances in Cryptology { CRYPTO '84, volume 196 of Lecture Notes inComputer Science, pages 47{53. Springer, 1985.
 ↑ ^{13.0} ^{13.1} D. Boneh, E. Kushilevitz, R. Ostrovsky, and W. Skeith. Publickey encryption that allows PIR queries. In A. Menezes, editor, Advances in Cryptology { CRYPTO '07, volume 4622 of Lecture Notes in Computer Science, pages 50{67. Springer, 2007.
 ↑ Micrsoft Corp. Windows azure marketplace. http://www.microsoft.com/windowsazure/marketplace/.
 ↑ Infochimps. http://www.infochimps.org.
 ↑ ^{16.0} ^{16.1} ^{16.2} J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In Advances in Cryptology  EUROCRYPT 2008, volume 4965 ofLecture Notes in Computer Science, pages 146{162. Springer, 2008.
 ↑ ^{17.0} ^{17.1} J. Kleinberg. Authoritative sources in a hyperlinked environment. In Symposium on Discrete Algorithms (SODA '08), pages 668{677. Society for Industrial and Applied Mathematics, 1998.22
 ↑ X. Boyen and B. Waters. Anonymous hierarchical identitybased encryption (without randomoracles). In Advances in Cryptology  CRYPTO 2006, volume 4117 of Lecture Notes in ComputerScience, pages 290{307. Springer, 2006.
 ↑ O. Goldreich, S. Micali, and A. Wigderson. How to play ANY mental game. In ACM Symposium on the Theory of Computation (STOC '87), pages 218{229. ACM, 1987.
 ↑ D. Chaum, C. Cr_epeau, and I. Damgard. Multiparty unconditionally secure protocols. In ACM symposium on Theory of computing (STOC '88), pages 11{19. ACM, 1988.
 ↑ J. Bardin, J. Callas, S. Chaput, P. Fusco, F. Gilbert, C. Ho_, D. Hurst, S. Kumaraswamy, L. Lynch,S. Matsumoto, B. O'Higgins, J. Pawluk, G. Reese, J. Reich, J. Ritter, J. Spivey, and J. Viega. Security guidance for critical areas of focus in cloud computing. Technical report, Cloud Security Alliance, April 2009.
 ↑ S. Kamara and K. Lauter. Cryptographic cloud storage. In Workshop on on RealLife Cryptographic Protocols and Standardization, volume 6054 of Lecture Notes in Computer Science, pages 136{149. Springer, 2010.
 ↑ E. Shen, E. Shi, and B.Waters. Predicate privacy in encryption systems. In Theory of Cryptography Conference (TCC '09), pages 457{473, Berlin, Heidelberg, 2009. SpringerVerlag.
 ↑ D. Boneh and B. Waters. Conjunctive, subset, and range queries on encrypted data. In Theory of Cryptography Conference (TCC '07), volume 4392 of Lecture Notes in Computer Science, pages 535{554. Springer, 2007.
 ↑ D. Boneh, A. Sahai, and B. Waters. Functional encryption: De_nitions and challenges. Technical Report 2010/543, IACR ePrint Cryptography Archive, 2010. See http://eprint.iacr.org/ 2010/543.
 ↑ [34] C. Soghoian. Caught in the cloud: Privacy, encryption, and government back doors in the web 2.0 era. Journal on Telecommunications and High Technology Law, 8(2), 2010.
 ↑ ^{27.0} ^{27.1} Yehuda Lindell and Benny Pinkas. A proof of security of yao's protocol for twoparty computation. J. Cryptology, 22(2):161{188, 2009.
 ↑ ^{28.0} ^{28.1} D. Boneh and M. Franklin. Identitybased encryption from the weil pairing. In Advances in Cryptology  CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213{229. SpringerVerlag, 2001.
 ↑ R. Lempel and S. Moran. SALSA: The stochastic approach for linkstructure analysis. ACM Transactions on Information Systems, 19(2):131{160, April 2001.
 ↑ V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attributebased encryption for _negrained access control of encrypted data. In ACM conference on Computer and communications security (CCS'06), pages 89{98, New York, NY, USA, 2006. ACM.
 ↑ J. Bethencourt, A. Sahai, and B. Waters. Ciphertextpolicy attributebased encryption. In IEEE Symposium on Security and Privacy, pages 321{334. IEEE Computer Society, 2007.
 ↑ J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC, 2008.
 ↑ A. Sahai and B. Waters. Fuzzy identitybased encryption. In R. Cramer, editor, Advances in Cryptology { EUROCRYPT '05, volume 3494 of Lecture Notes in Computer Science, pages 457{473. Springer, 2005.
 ↑ Y. Chang and M. Mitzenmacher. Privacy preserving keyword searches on remote encrypted data. In Applied Cryptography and Network Security (ACNS '05), volume 3531 of Lecture Notes in Computer Science, pages 442{455. Springer, 2005.
 ↑ R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky. Searchable symmetric encryption: Improved de_nitions and e_cient constructions. Journal version (under submission), 2010.
Related Work
We already mentioned work on oblivious RAMs, secure twoparty computation and FHE so we restrict the following discussion to searchable and functional encryption.
Searchable encryption. As mentioned above, structured encryption is a generalization of the notion of a secure index first proposed by Goh ^{[1]} for the purpose of building symmetric searchable encryption schemes ^{[7]} . In ^{[1]} Goh gives a formal security definition for secure indexes and a construction based on Bloom filters. This was followed by ^{[2]} and ^{[3]}, the latter of which gave stronger security definitions and more efficient constructions. Our security definitions for structured encryption in section 4 generalize the ones in ^{[3]} to arbitrarilystructured data. Searchable encryption has also been considered in the publickey setting ^{[10]} ^{[9]} ^{[8]} ^{[24]} ^{[13]} ^{[25]}.
Functional encryption. Functional encryption ^{[26]} яis a recent paradigm that generalizes work on a variety of problems including identitybased encryption ^{[27]} ^{[28]} ^{[27]} ^{[28]}, attributebased encryption ^{[29]} ^{[30]} ^{[31]}, and predicate encryption ^{[32]} ^{[33]}.
Roughly speaking, a structured encryption scheme can be viewed as a functional encryption scheme for which a token can only be used on a single ciphertext. We provide a more detailed comparison between the two approaches in the full version ^{[34]} .
Notation and Preliminaries
Notation. Given a sequence of elements, we refer to its th element as . If is a function with domain and then refers to the image of under . The set of all matrices over a set is denoted . and are the sets of all undirected and directed graphs of size and , respectively. An undirected graph consists of a set of vertices and a set of edges where . We denote by the degree of node . If is directed, then the pairs are ordered and we refer to as the tail and to as the head of the edge. In addition, we denote i’s in and out degrees by and , respectively.
Data types. An abstract data type is a collection of objects together with a set of operations defined on those objects. For simplicity and visual clarity we define data types as having a single operation but this can be extended to model data types with multiple operations in the natural way. Formally, a data type is defined by a universe and an operation Query : , where is the operation’s query space and is its response space. The universe, query and response spaces are ensembles of finite sets indexed by the security parameter . In this work, we assume the universe is a totally ordered set, and that the response space includes a special element denoting failure.
Definitions
In this section we formalize structured encryption schemes and present our main security definition. Before doing so, however, we make explicit two properties of structured encryption which we will make use of throughout this work.
Induced permutation. Unlike previous work on searchable encryption we choose to include the data items (i.e., the documents in the case of searchable encryption) and their encryptions in our definitions. We prefer this approach because explicitly capturing each component of the system can bring to light subtle interactions between them. As an example, consider the correlation between the location of the data items in the sequence and the locations of their corresponding ciphertexts in . More precisely, let be the permutation over such that for all . We refer to as the permutation induced by and .
The reason most SSE constructions (with the exception of oblvious RAMs) leak the access pattern is because  is the identity function. This means that in order to (efficiently) retrieve items the server must know . Our constructions hide part of the access pattern essentially because they break this correlation by inducing a (pseudo)random permutation between and .
Associativity. We also make explicit a property possessed by some constructions (e.g., the nonadaptively secure SSE construction of ^{[3]} ) that we refer to as associativity. Intuitively, a scheme is associative if one can associate an item with data item in such a way that a query operation returns, in addition to the pointers , the strings . We capture this by redefining the message space of our encryption algorithms to take, in addition to a data structure a sequence of pairs that consist of a private data item and a semiprivate item . We sometimes refer to the sequences and as and , respectively.
Associativity is useful for several reasons. The most direct application is to provide the client the ability to associate some metadata with the ciphertexts that may be useful to the server (e.g., file name or size). In situations where the client wishes to grant the server access to the data, the semiprivate items could even be decryption keys for the associated ciphertexts. As we will see in Section 6, however, associativity can also be used to “chain” structured encryption schemes together in order to construct complex schemes from for simpler ones.

The intuitive security guarantee we seek is that (1) given an encrypted data structure and a sequence of ciphertexts , no adversary can learn any partial
information about ; (and that (2) given, in addition, a sequence of tokens for an adaptively generated sequence of queries , no adversary can learn any partial information about either or beyond what is revealed by the semiprivate data .
This exact intuition can be difficult to achieve and in some settings is unnecessarily strong. Consider, e.g., the fact that the number of data items is immediately revealed to the adversary since it receives the ciphertexts . Another example is in the setting of SSE where, as discussed earlier, all known efficient and noninteractive schemes ^{[1]} ^{[2]} ^{[3]} reveal the access and query patterns. We would therefore like to weaken the definition appropriately by allowing some limited information about the messages and the queries to be revealed. On the other hand, it is not clear that such leakage is always necessary in order to achieve efficiency (e.g., the number of data items can be easily hidden by padding) so we prefer not to “hardcode” this leakage in our definition. To formalize this we parameterize the definition with two leakage functions and that capture precisely what is being leaked by the ciphertext and the tokens.
We now present our security definition for adaptive adversaries which is a generalization of the definition of ^{[35]}. Intuitively, we require that the view of an adversary (i.e., the encrypted data structure, the sequence of ciphertexts, and the sequence of tokens) generated from any adaptive query strategy be simulatable given the leakage information and the semiprivate data.

: outputs a tuple . Given , generates and sends a pair to . The adversary makes a polynomial number of adaptive queries and for each query the simulator is given , where . The simulator returns a token . Finally, returns a bit , that is output by the experiment.
We say that  secure against adaptive chosenquery attacks if for all ppt adversaries there exists a simulator such that
As previously discussed, the leakage of our constructions mainly consists of the query and intersection patterns. Intuitively, the query pattern reveals when a query is repeated while the intersection pattern reveals when the same items are accessed. The intersection pattern reveals when the same items are accessed but not which items are accessed (i.e., their locations in ). The latter is hidden in our definition below by applying a random permutation to the item’s locations in .

Structured Encryption for Basic Structures
In this Section we present constructions of structured encryption schemes for data with simple structures. In Section 6 we will use some of these as building blocks to design schemes for data that exhibits a more complex structure. We stress, however, that the constructions presented here are of independent interest.
Lookup Queries on Matrices
We describe a structured encryption scheme for matrixstructured data which consists of an matrix of pointers into a sequence of data items . Here, the matrix type has universe and supports the lookup operation , that takes as input a matrix and a pair and returns .
Matrixstructured data is ubiquitous and includes any kind of twodimensional data. Consider, e.g., the case of digital images which can be viewed as a pair where is a matrix such that the cell at location points to some that encodes the color of the pixel at location in the image.
Our construction, described in Figure 1 below, is associative. At a high level, encryption is done by (1) padding the data items to be of the same length; (2) randomly permuting the location of the data items, (3) randomly permuting the location of the matrix cells using a PRP; and (4) encrypting the contents of the cells (and the semiprivate data) using the output of a PRF. The purpose of the last two steps are immediate. Steps (1) and (2) are what allow us hide part of the access pattern by inducing a pseudorandompermutation between and .
Lookup queries are handled by sending the permuted location of a cell (which can be recovered by the client since it stores the key to the PRP) and the output PRF of the PRF used to encrypt the contents (which can also be recovered since the client stores the key to the PRF).
In Theorem 1 below we show that the construction above is secure against adaptive chosenquery attacks.

Let be a pseudorandom function, be pseudorandom permutation and be a privatekey encryption scheme. Our encryption scheme is defined as follows:
store where , at location .
If , то above is replaced with a random string of appropriate length. Let be the sequence that results from padding the elements of so that they are of the same length and permuting them according to . For , let . Output and .
Fig. 1. An associative structured encryption scheme for matrices
Search Queries on Labeled Data
We now present a structured encryption scheme for labeled data which consists of a “labeling” and a sequence of data items . Informally, a labeling just associates a set of keywords to each data item. More formally, the labeling data type has as universe the set of all binary relations between and , where is a set of keywords. In addition, it supports the operation , that takes as input a labeling and a keyword and returns the set .
Our construction, described in Figure 2, is efficient, associative and adaptively secure and, as far as we know, is the first scheme to achieve all three properties. It is based on the first scheme of ^{[3]} (SSE 1), which is efficient and associative but not adaptively secure3. The second scheme of ^{[3]} , on the other hand, is adaptively secure but is inefficient and not associative.
Our construction makes use of a dictionary which is a data structure that stores pairs such that given , the corresponding value can be recovered efficiently. We refer to as the “search key” and to as the value. Dictionaries can be implemented in a variety of ways, including using search trees or hash tables. Intuitively, encryption proceeds as follows in our scheme. As in our previous construction, we pad and permute the data items with a PRP . For each keyword an array is constructed where each cell stores (1) a pointer from the set and (2) the corresponding semiprivate item . The array is then padded up to a standard length, and encrypted using the output of a PRF and is stored in a dictionary using as search key the output of another PRF on the keyword. Search queries are handled by sending the search key (which can be recovered by the client using the key to the second PRF) and the output of the PRF used to encrypt the array (which can be recovered using the key to the first PRF). The efficiency of our search operation depends on how the underlying dictionary is implemented but in this context any solution based on hash tables is appropriate and will give search time that is , which is optimal.
Let and be pseudorandom functions and be a privatekey encryption scheme. Our scheme is defined as follows:
store in with search key . Use padding to ensure that the strings are all of the same length. Let be the sequence that results from padding the elements of so that they are of the same length and permuting them according to . For , let . Output and .
Fig. 2. An associative structured encryption scheme for labeled data

Neighbor Queries on Graphs
We now consider encryption of graphstructured data and, in particular, of graphs that support neighbor queries. Formally, the graph type we consider has universe and supports the neighbor operation , that takes as input an undirected graph with nodes and a node and returns the nodes adjacent to .
Our approach here is to encode the graph as a labeling and to apply a structured encryption scheme for labeled data (such as the one described in the previous Section). Given some graphstructured data , where , we construct the labeled data such that assigns to each data item a label set corresponding to the set of nodes adjacent to the th node. Neighbor queries are handled by sending a token for “keyword” , which allows the server to recover pointers to all the data items associated with by the labeling. Our construction is described in detail in Figure 3 below.
Let  be an associative structured encryption scheme for labeled data. Our scheme is defined as follows:
is the set of edges in . Output .
Fig. 3. A structured encryption scheme for graphs supporting neighbor queries

Adjacency Queries on Graphs
In this Section we give a simple scheme to encrypt graphs supporting adjacency queries based on any matrix encryption scheme. The approach is straightforward and, at a high level, consists of encrypting the graph’s adjacency matrix. Given data , where is a directed graph of size and each data item is assigned to some edge in , encryption proceeds as follows. We create a matrix , that holds at location a pointer to the data item associated with edge (or when there is no such edge). We then use the matrix encryption scheme on . Our construction is described in detail in Figure 4.
Let be an associative encryption scheme for matrixstructured data. Our scheme is defined as follows:
if , then stores a pointer to the item assigned to edge ; if , then . Output .
Fig. 4. A structured encryption scheme for graphs supporting adjacency queries

Structured Encryption for Labeled Graphs
In this Section we describe an adaptively secure structured encryption scheme for data that is both labeled and associated with a graphstructure. As an example, consider a web graph where each page is labeled with a set of keywords (which could be the set of all the words in the page) and points to a set of other pages. Another example is social network data which consists of user profiles (with some associated metadata) that link to other users.
While the constructions from the previous Section can be used to encrypt this type of data, the queries they support (i.e., keyword search, adjacency, and neighbor queries) are limited in this setting since they are only relevant to part of the data’s structure. Indeed, if we were to encrypt a web graph using a scheme for labeled data, then we could only perform keyword search. Similarly, if we were to use a graph encryption scheme that supports only neighbor queries then we could only retrieve pages that are linked from a particular page. But web graphs, and labeled graph data in general, exhibit a much richer structure and ideally we would like to design schemes that support more complex queries that take advantage of this structure.
Focused subgraph queries. One example of complex queries on web graphs are focused subgraph queries. These queries are an essential part of a certain class of search engine algorithms which includes Kleinberg’s seminal HITS algorithm ^{[16]} and the SALSA algorithm ^{[17]}. At a high level, they work as follows. Given a keyword , a keyword search is performed over the web pages. This results in a subset of pages called the root graph. A focused subgraph is then constructed by adding all the pages that either link to pages in the root graph or are linked from pages in the root graph. An iterative algorithm is then applied to the focused subgraph which returns, for each page, a score that quantifies its relevance with respect to keyword . The key property of these “linkanalysis” algorithms (and the reason for their success) is that they take advantage not only of the information provided by the keywords associated with the pages, but also of the implicit information embedded in the graph structure (i.e., the links) of the web graph.
Our approach.
At a high level, our approach is to decompose the complex structure into simpler structures (e.g., in the case of a web graph into its graph and its labeling) and then use different structured encryption schemes to handle each “substructure”. We note, however, that the substructures cannot be handled in isolation. In particular, for this approach to work the individual schemes have to be combined in a particular way. This is where we make essential use of ssociativity, which will allow us to “chain” the schemes together in order to obtain the functionality we want (this technique will be illustrated in our discussion below).
Our construction.
We now illustrate our second approach for the case of web graphs but note that our construction applies to any labeled graph data. A detailed description of our construction is given in Figure 5. We note that it is not associative. A web graph will be viewed as a tuple , which consists of a directed graph of size , a labeling over a keyword space and text pages . The graph encodes the link structure of the web graph and the labeling assigns keywords to each page. The focused subgraph operation takes as input a directed graph of size and a keyword and returns the subgraph , that consists of (1) the nodes in ; (2) any node that links to the nodes in ; and (3) any node that is linked from the nodes in .
Our construction makes use of three structured encryption schemes: , that supports search over labeled data, , that supports incoming neighbor queries over graphstructured data, and , that supports outgoing neighbor queries over graphstructured data. We stress that must be associative. Given a web graph , we encrypt , using both and , resulting in ciphertexts and . Now, for each node in , we generate a pair of tokens . We then use , to encrypt , using the token pairs as semiprivate data (recall that is associative). We then output the encryption of .
A focused subgraph query on keyword is handled as follows. A token is generated and sent to the server.When used with the ciphertext , this token will reveal to the server (1) pointers to all the (encrypted) web pages labeled with keyword ; and (2) for each of these encrypted pages , the semiprivate information which consists of tokens . For each encrypted page, the server can then use the token pairs with ciphertexts and , to recover pointers to any incoming and outgoing neighbors of page .

Let be an encryption scheme for labeled data, and be graph encryption schemes that support neighbor queries. Our scheme is defined as follows:
Fig. 5. A structured encryption scheme for web graphs supporting focused subgraph queries
Conclusions and Future Directions
Several interesting future directions are suggested by this work. The most immediate is whether efficient and noninteractive structured encryption can be achieved while leaking less than the query and intersection pattern. The construction of efficient dynamic structured encryption schemes (i.e., that allow for updates to the encrypted data) is another direction left open by this work. Of course, the construction of schemes that handle other types of structured data and more complex queries on the data types considered here would also be interesting.
Acknowledgements
We are grateful to Kristin Lauter for encouragement during the early stages of this work, to Sherman Chow and Satya Lokam for useful discussions regarding graph encryption and to Susan Hohenberger for insisting on a thoroughcomparison with functional encryption. We are also grateful to Adam O’Neill for several helpful discussions on functional encryption. Finally, we thank Emily Shen and Charalampos Papamanthou for useful feedback on the manuscript and the anonymous reviewers for helpful suggestions.
Присоединяйся к команде
ISSN:
Следуй за Полисом
Оставайся в курсе последних событий
License
Except as otherwise noted, the content of this page is licensed under the Creative Commons Creative Commons «AttributionNonCommercialNoDerivatives» 4.0 License, and code samples are licensed under the Apache 2.0 License. See Terms of Use for details.