Privacy preserving delegated word search in the Cloud

Privacy Preserving Delegated Word Search in the Cloud

Kaoutar Elkhiyaoui, Melek ¨Onen and and Refik Molva

EURECOM, Sophia-Antipolis, France {elkhiyao, onen, molva}@eurecom.fr

Keywords: Privacy preserving keyword search, delegation, cloud

Abstract: In this paper, we address the problem of privacy preserving delegated word search in the cloud. We consider a scenario where a data owner outsources its data to a cloud server and delegates the search capabilities to a set of third party users. In the face ofsemi-honestcloud servers, the data owner does not want to disclose any information about the outsourced data; yet it still wants to benefit from the highly parallel cloud environment.

In addition, the data owner wants to ensure that delegating the search functionality to third parties does not allow these third parties to jeopardize the confidentiality of the outsourced data, neither does it prevent the data owner fromefficientlyrevoking the access of these authorized parties. To these ends, we propose a word search protocol that builds upon techniques of keyed hash functions, oblivious pseudo-random functions and Cuckoo hashing to construct a searchable index for the outsourced data, and uses private information retrieval of short information to guarantee that word search queries do not reveal any information about the data to the cloud server. Moreover, we combine attribute-based encryption and oblivious pseudo-random functions to achieve an efficient revocation of authorized third parties. The proposed scheme is suitable for the cloud as it can be easily parallelized.

1 INTRODUCTION

The cloud computing paradigm offers clients the ease of outsourcing the storage of their massive data with the advantage of reducing cost and assuring availability. Large-scale cloud infrastructures bring up severe security and privacy issues: Apart from tra- ditional security challenges, the outsourced storage of

”big data” raises the challenge of processing it at the cloud in a secure and privacy preserving manner while considering the cloud provider itself as a potential ad- versary.

While data owners (i.e. clients) can simply en- crypt their data before outsourcing it to the cloud, tra- ditional confidentiality mechanisms fall short when it comes to mining/processing the data. Recently, several solutions have been proposed to allow the search of words over encrypted data. In this paper however, we address the problem of delegated word search whereby in addition to the data owner itself, some authorized third-parties can perform search op- erations over private data. In addition to security and privacy properties that classical search solutions as- sure under a semi-honest (i.e., honest-but-curious) se- curity model, a privacy preserving delegated word search mechanism includes the delegation and revo-

cation operations: The data owner should be able to remove the search capability of a third party at any point in time through an efficient revocation mecha- nism.

We propose a new privacy preserving word search solution whereby as in [5], the data owner constructs a searchable index with all words listed in its files and similarly to [3], it applies a private information re- trieval to guarantee that the adversary including the cloud itself does not discover any information about the search query and its result. The newly proposed solution outperforms existing ones thanks to a com- bination of Cuckoo hashing with private information retrieval for the search operation. The use of Cuckoo hashing helps in assigning one word to a unique po- sition in the index, thus removing the probability of collisions within the index: The data owner first con- structs a confidential index where each particular el- ement corresponds to a unique word and fills it in with some private information derived from the actual word. The search operation consists of the computa- tion of the position corresponding to the queried word using Cuckoo hashing, and building the correspond- ing PIR query to be sent to the cloud provider.

Moreover, the delegation operation is assured thanks to the use of attribute based encryption (ABE)

which only allows users holding certain ”attributes”

to search over the data. For example, when compa- nies outsource their logs over the cloud, they can al- low some data protection commissioner to search over them under an audit operation. Whereas efficient re- vocation is achieved by a combination of ABE and oblivious pseudo random functions. The revocation operation does not imply the re-encryption of the out- sourced data and only requires an update of the access policy by the data owner which can be considered as a negligible cost.

The major contributions of the paper can be sum- marized as follows:

• We propose a new word search protocol which is based on an efficient word-index construction thanks to the use of Cuckoo hashing and the trans- formation of PIR into privacy preserving word search.

• The newly proposed solution also includes del- egation and revocation capabilities thanks to the use of Attribute Based Encryption and Oblivious Pseudo Random Functions. The revocation oper- ation does not incur any cost except for the update of the access policy by the data owner.

• We define the main privacy requirements and fur- ther provide a formal analysis of these properties.

Section 2 introduces the generic problem of pri- vacy preserving delegated word search and the appli- cation scenario. The different privacy requirements are formally defined in section 3. The first version of the privacy preserving word search solution is de- scribed in section 4. The entire solution including the delegation and revocation operations is presented in section 5. We analyze the new solution in terms of se- curity and performance in Sections 6 and 7. Finally, Section 8 reviews the state of the art.

2 BACKGROUND

We consider a scenario where a data owner out- sources some privacy sensitive data to a cloud server and wishes to later on perform some operations over it without revealing any details about the data. The operation we are focusing on is word search over en- crypted data and in our scenario the data owner may wish to delegate part of the search operations to au- thorized third parties. An illustrative example of such a requirement can be a scenario wherein due to regu- latory matters, some data (such as logs) still need to be searchable by third parties such as data protection commissioners. The three entities involved in a pri- vacy preserving delegated word search and the main

algorithms are formally defined in the following sec- tions.

2.1 Entities

A privacy preserving delegated word search involves the following entities:

• Data ownerO: It possesses a large fileF that it outsources to the cloud serverS. Without loss of generality, we assume that the number of distinct words inF isn and the corresponding set is de- fined asLω={ω₁,ω₂, ...,ω_n}. Similarly to pre- vious work such as [3, 6], we assume that onceO outsources a fileF, it will no longer modify it.

• Cloud serverS: It stores anencryptedversion of the outsourced fileFand a searchable indexI ^of the setLωof “distinct” words present inF.

• Authorized userU: It has access to a set of cre- dentials that enable it to perform search queries on F. This authorized user could be an auditor which as part of its auditing task has to search the ac- tivity logs ofO. We also note that in some cases an authorized user could correspond to the data owner that wants to perform word search on its outsourced data.

2.2 Privacy Preserving Delegated Word-Search

In accordance with the work of Curtmola et al. [6], a privacy preserving delegated word-search comprises the following algorithms:

• Setup(ζ)→(MK,P): It is a randomized algo- rithm that is executed by the data owner O^{. It} takes as input the security parameterζ, and out- puts a master keyMKand a set of public parame- tersP that will be used by subsequent algorithms to perform the word-search.

• Encrypt(MK,F)→C: This algorithm is run by O. It has as input the master keyMKand the file F, and outputs an encryptionCof fileF.

• BuildIndex(MK,F)→I: This algorithm has as input the master keyMKand a fileF and outputs an indexI of distinct wordsωipresent inF. This algorithm is generally run by the data ownerO^.

• Delegate(MK,St_o,id_u)→K_u: This algorithm is executed byOto delegate the search capabilities on its files to some third party user. On input of the master keyMK, the current stateSt_oofO^{and the} identifierid_uof some userU^{,Delegateoutputs a} secret keyK_uthat will be provided toU^.

• Token(ω,St_u,K_u)→τ: This algorithm is exe- cuted by authorized users or the data ownerO ^to generate a search token for some wordω. It takes as input the wordω, the current stateSt_uof autho- rized userUand the keyK_uand outputs a search tokenτ.

• Query(τ)→Q: It is a randomized algorithm that is run by authorized users to generate word search queries. On input of a tokenτ,Query outputs a word search query Q that will be forwarded to cloud serverS^.

• Response(Q^,I^)→R: This algorithm is invoked byS^wheneverSreceives a word search queryQ^. It takes as inputQ and the indexI and outputs a word search responseR^.

• Verify(R^,Stu)→b: It is a deterministic algorithm run by authorized users to verify S’s responses.

On input ofS’s responseR and the current state St_uof authorized userU^,Verifyoutputs a bitb= 1 ifω∈Fandb=0 otherwise.

• Revoke(MK,St_o,id_u)→ (St⁰_o,St⁰_s): This algo- rithm is run by the data owner O to revoke the access of previously authorized users. It has as input the master keyMK, the current stateSt_oof data ownerOand the identifierid_uof some previ- ously authorized userU, and it outputs an updated stateSt⁰_oforOand an updated stateSt⁰_sfor cloud serverS^.

3 ADVERSARY MODEL

The crucial privacy challenge to address when de- signing a privacy preserving delegated word search is assuring privacy against a misbehaving cloud server.

Indeed, the cloud server may attempt to infer sensitive information about the outsourced files (and their own- ers thereof) from the ciphertexts and indexes it keeps.

It may also try to derive information about those files from the word search queries it processes. Thus, it is of utmost importance to ensure that the ciphertexts and the indexes that the cloud stores together with the word search queries it processes do not leak any in- formation about the data owners’ files.

Furthermore, the delegation of search capabilities to third party users inherently raises the requirements of access authorization and revocation, and therewith the requirement ofprivacy against revoked users. For example, a previously authorized user may exploit the information it collected during its word search oper- ations that occurred when it was still authorized to conduct lookup operation after its revocation so as to learn new information about the outsourced files.

Therefore, one should ensure that even if revoked users can still issue valid search queries to the cloud server, they should not be able to decode the cloud server’s responses.

Along these lines, we provide in the subsequent sections formal models for the notions of both pri- vacy against cloud servers and privacy against re- voked users, which we will employ to assess the se- curity of our scheme in the appendix of this paper.

Of course, solutions protected against misbehaving clouds and revoked users are inherently secure against any other type of external adversaries.

3.1 Privacy against Cloud Server

In accordance with the work of Blass et al. [3] and Curtmola et al. [6], we assume that the cloud serverS issemi-honest: Although interested in discovering the content of the data and the queries,Sstill performs all the required operations correctly.

A privacy preserving delegated word search should ensure that the semi-honest cloud server S does not discover any information about the content of an outsourced file from either its encryption or its index. This means that in addition to not being able to break the confidentiality of the outsourced data,S should neither be able to mount statistical attacks on the outsourced files (e.g. occurrence of words) nor to tell whether two files contain (or do not contain) the same words. In compliance with the work of [3], we refer to this requirement asstorage privacy. More- over, a solution for privacy preserving delegated word search should as well guaranteequery privacy: during the lookup phase, cloud serverSshould not be able to derive any useful information about the queries of au- thorized users. Namely, S should not be able to tell whether any two word search queries were issued for the same word or not (cf. [3]).

To formally capture the adversarial capabilities of S in the subsequent privacy definitions, we assume thatSis given access to the following oracles:

• Oencrypt(F,MK)→C: This oracle takes a fileF and the master keyMKof some data ownerO^as inputs and computes an encryptionCof fileFby calling the algorithmEncrypt.

• Oindex(F,MK)→I: On inputs of file F and the master keyMK, this oracle executes the algorithm BuildIndexand returns the indexI associated with fileF.

• Osearch,s(I^,ω)→views: Cloud serverS ^invokes this oracle whenever it wants to receive and pro- cess a word search query. On inputs of index I ^{and word}ω, this oracle starts an execution of

Algorithm 1:Learning phase of the storage pri- vacy game

//S calls oraclesOencryptandOindexa polynomial //number of times

F_i←S^;

C_i←Oencrypt(F_i,MK);

Ii←Oindex(F_i,MK);

//Sreturns a challenge word ω^∗←S^;

Algorithm 2: Challenge phase of the storage privacy game

//Let F^∗₀and F^∗₁be two files s.t.F^∗₁containsω^∗ //while F^∗₀does not

b← {0,1};

C^∗_b←Oencrypt(F_b^∗,MK);

I_b^∗←Oindex(F_b^∗,MK);

b^∗←S^;

the word search protocol with cloud serverS ^to check whetherωis inI or not. At the end of the word search operation, Osearch,s returns the view view_s = (St_s,rand_s,M_1,s,M_2,s, ...,M_l,s) of cloud serverS during the word search, whereSt_sis the current state of cloud serverS^,rands is its inter- nal randomness that it used to generate its word search response and Mi,s is the i^th message that S received during the word search from oracle Osearch,s.

3.1.1 Storage Privacy

We define storage privacy using an indistinguishability-based game that comprises two phases: A learning phase (cf. Algorithm 1) and a challenge phase (cf. Algorithm 2). The goal of cloud serverS in this game is to tell whether a challenge fileF_b^∗contains some wordω^∗. To this effect, cloud server S calls the oracles Oencrypt and Oindex for a polynomial number of times in the learning phase.

By the end of this phase,Soutputs a challenge word ω^∗.

LetF₀^∗andF₁^∗be two files such thatF₁^∗contains ω^∗whileF₀^∗does not.

Now in the challenge phase, cloud serverS^{is pro-} vided with the encryptionC_b^∗and the indexI_b^{∗of file} F_b^∗whereb is picked randomly from{0,1}. At the end of the challenge phase,Soutputs its guessb^∗for the bitb. We say thatS succeeds in the storage pri- vacy game ifb=b^∗.

Definition 1 (Storage privacy). Let Π^S_success denote the probability that S succeeds in the storage pri-

Algorithm 3:Learning phase of the query pri- vacy game

//S calls oraclesOencrypt, Oindex, andOsearch,s

//a polynomial number of times (F_i,ωi)←S^;

C_i←Oencrypt(F_i,MK);

Ii←Oindex(F_i,MK);

view_s,i←Osearch,s(I^,ωi);

//Soutputs achallenge file F^∗and two distinct //wordsω0andω1

(F^∗,ω^∗₀,ω^∗₁)←S^;

Algorithm 4:Challenge phase of the query pri- vacy game

C^∗←Oencrypt(F^∗,MK);

I^∗←Oindex(F^∗,MK);

b← {0,1};

view^∗_s ←Osearch,s(I^∗,ω^∗_b);

b^∗←S^;

vacy game. We say that a word search protocol as- sures storage privacy, iff for any cloud server S^, Π^S_success≤ ¹₂+ε, whereεis a negligible function in the security parameterζ.

3.1.2 Query Privacy

Similarly to storage privacy, we formalize query pri- vacy through an indistinguishability-based game that runs in two phases: A learning phase and a challenge phase. In the learning phase as depicted in Algo- rithm 3, cloud serverSpicks adaptively a polynomial number of file and word pairs (F_i,ω_i). For each se- lected pair (F_i,ω_i), S calls first the oracles Oencrypt

andOindexto encrypt F and build the corresponding index respectively, then it queries the oracleOsearch,s

to receive and process a search query for wordωi in Fi. At the end of the learning phase,S outputs a chal- lenge fileF^∗and two challenge wordsω^∗₀andω^∗₁.

In the challenge phase (cf. Algorithm 4), cloud serverSqueries the oraclesOencryptandOindexwhich provide S with the encryption and the index of the challenge file F^∗ respectively. Then, the oracle Osearch,sexecutes an instance of the word search pro- tocol for wordω^∗_bwithS^{, whereb}is a randomly se- lected bit. Finally,Soutputs its guessb^∗for the bitb.

We say thatS succeeds in the query privacy game if b=b^∗.

Definition 2. LetΠ^S_successdenote the probability that S succeeds in the query privacy game. We say that a word search protocol ensures query privacy,ifffor

any cloud serverS^,ΠSsuccess≤¹₂+ε, whereεis a neg- ligible function in the security parameterζ.

3.2 Privacy against Revoked Users (”forward privacy”)

Ideally, a privacy preserving delegated word search should assure that when an authorized user is revoked, it can no longer look for words in the cloud server’s files (this does not imply that the revoked user can- not query the server’s database, rather it means that it cannot successfully interpret the cloud server’s re- sponses). In other words, a privacy preserving dele- gated word search should make sure that even if a re- voked user is able to issue word search queries, it can- not inferany new informationabout the outsourced files that it did not learn before its revocation. This requirement resembles the notion of forward secrecy whereby a user cannot have access to any data after its revocation. In the context of word search in addition to the content of the data, the revoked user should not infer any additional information from future queries as well.

Since in this paper we only focus onstatic data (i.e. the data owner does not update its file once out- sourced to the cloud server), we argue that the above intuition can be captured by assuring that revoked users cannot look up a word for which they did not issue a search query when they were still authorized.

Without loss of generality, we assume that there is a data ownerO that outsources its fileF and the corresponding indexI to cloud serverS, and that a userUis interested in searching the fileFeven after its revocation. To this effect, U ^{may behave mali-} ciouslyduring the execution of the word search pro- tocol. Namely,U may provide bogus word search queries to cloud serverS^.

In order to formalize privacy against revoked users, we use a privacy game that similarly to the two previous games consists of a learning and a challenge phase. In addition to the oraclesOencrypt andOindex, userUhas access to the following oracles.

• Odelegate(MK)→K_u: On input of the data owner O’s master keyMK, the oracleOdelegateexecutes the algorithm Delegate to allow U ^{to perform} word search onO^{’s fileF} and outputs the secret keyK_u.

• Orevoke: This oracle revokes the right of U ^to search the file F by executing the algorithm Revokewhich updates the states of data ownerO and cloud serverS^.

• Osearch,u(I^{,ω) → view}u: U calls this oracle whenever it wants to perform a word search

on the index I^. It takes as input an index I and a word ω and outputs the view view_u = (St_u,rand_u,M_1,u,M_2,u, ...,M_l⁰_,u)of userU^during the word search, whereSt_uis the current state of userU^andranduis its internal randomness that it used to generate its word search query, whereas M_i,u corresponds to the i^th message that U ^re- ceived fromOsearch,uduring the word search.

• Ochal,u(I^{,ω)→ chal}u,b: When called with an index I ^{and word ω,} this oracle flips a random coin b ∈ {0,1}. If b = 1, then Ochal,ureturns the actual viewchal_u,1=view_u= (St_u,rand_u,M¹_1,u,M¹_2,u, ...,M_l¹0,u)of userU^during the word search forω, such thatSt_uis the current state of userU ^andranduis its internal random- ness, whereasMi,ucorresponds to thei^thmessage that U received from Osearch,u during the word search. If b=0, then Ochal,u outputs chal_u,0= (St_u,rand_u,M⁰_1,u,M⁰_2,u, ...,M_l⁰0,u), whereSt_uis the current state of user U ^{and rand}u is its internal randomness, andM_i,u⁰ are generated randomly by Ochal,u.

Once userUenters the learning phase of the pri- vacy game (see Algorithm 5), it first calls the oracle Oindex with a file F of its choosing to get the cor- responding index I. Next user U invokes the ora- cle Odelegate which supplies U with the secret key K_u. This key will enable U to execute the word search protocol with cloud server S on the index I and therewith on fileF. Then userUqueries the or- acle Osearch,u for a polynomial number of wordsω_i of its choosing. Next, the oracle Orevoke revokesU^. After the revocation, U can still issue a polynomial number of word search queries on file F by calling Osearch,u. Finally,Uoutputs a challenge wordω^∗that is not present in fileF.

In the challenge phase (see Algorithm 6), U queries the oracle Ochal,u with the wordω^∗ and the index I^∗that corresponds to F∪ {ω^∗}. The oracle Ochal,uin turn flips a random coinb∈ {0,1}and out- puts the challenge viewchal^∗_u,b. At the end of the chal- lenge phase, revoked userUoutputs a guessb^∗for bit b.

We say that U succeeds in the game of privacy against revoked users ifi.)b=b^∗and ifii.)U^{did not} issue a search query for the challenge wordω^∗before calling the oracleOrevoke(i.e.ω^∗6=ωi,∀i).

Definition 3. LetΠ^U_successdenote the probability that U succeeds in the privacy game against revoked users. We say that a delegated word search mech- anism provides privacy against revoked users ifffor any revoked user U^, Π^U_success≤ ¹₂+ε, whereεis a negligible function in the security parameterζ.

Algorithm 5: Learning phase of the privacy game against revoked users

I ^←Oindex(F,MK);

K_u←Odelegate(I^);

//U ^callsOsearch,ufor a polynomial number of //times

ωi←U^;

view_u,i←Osearch,u(I^,ωi);

Orevoke(U^);

//U ^callsOsearch,ufor a polynomial number of //times after revocation

ω⁰_i←U^;

view⁰_u,i←Osearch,u(I^,ω0i);

//Ureturns a challenge word that is not in file F ω^∗←U^;

Algorithm 6: Challenge phase of the privacy game against revoked users

I^∗←Oindex(F∪ {ω^∗},MK);

chal^∗_u,b←Ochal,u(I^∗,ω∗);

b^∗←U^;

4 PRIVACY PRESERVING WORD SEARCH

In this section, we describe the first version of the proposed word search solution which does not offer any delegation capabilities and therefore only assures privacy against honest-but-curious cloud providers.

Similarly to [3, 5], to assure query privacy against a semi-honestcloud server, we rely onPrivate Informa- tion Retrieval(PIR) to build our word-search scheme.

Actually, PIR allows a user to retrieve a data block from a server’s database without disclosing any infor- mation about the sought block. However, PIR proto- cols assume that the user know beforehand the posi- tion in the database of the data block to be retrieved, and therefore, they cannot be used directly in privacy preserving word search wherein a user only holds a list of words to look for. Fortunately, Chor et al. [5]

proposed a technique that transforms any PIR mech- anism into a protocol for private information retrieval by keyword, and thereby, into a privacy preserving word-search. The main idea is to first construct an in- dex of all the distinct words present in the outsourced data and then apply a PIR to this index. As shown in [5], this can be achieved by representing the index by a hash-table that maps each word to a unique po- sition in the table. During the search phase, the user first computes the position of the requested word in the hashtable (i.e. the index) and further runs PIR to

fetch the block stored at that position. While the con- struction of [5] can be easily transformed into a pri- vacy preserving word search, we believe that it can be further optimized by using Cuckoo hashingto build the hashtables (i.e. the indexes) of the words in the outsourced files.

Along these lines, we first formalize and describe the PIR and the Cuckoo hashing algorithms that will underpin our word search solution.

4.1 Building Blocks

4.1.1 Trapdoor Private Information Retrieval For efficiency purposes, we opt for a PIR mechanism calledtrapdoor PIR which was proposed by Trostle and Parrish [16], and whose security is based on the trapdoor group assumption. We stress however that this particular PIR can be interchanged by any other efficient PIR algorithm.

In compliance with the work of Trostle and Par- rish [16], we model the server’s database on which private information retrieval is performed by a binary (k,l)−matrixM. Trapdoor PIR allows a user to re- trieve the bitbat position(x,y)inM as follows:

• PIRQuery(x)→~α: The user picks asecretlarge number p (typically |p|=200 bits) and selects randomlyu∈Z^∗pandkother valuesa_i∈Zp. Next, it computes thekfollowing values:e_x=1+2·a_x and ∀ i6=x, ei =2·ai, and sends the vector

~α= (α_i)^k_i=1= (u·e_imodp)^k_i=1to the cloud.

• PIRResponse(~α,M^{) → ~β:} On receiving ~α, the server computes the matrix product ~β = (β₁,β2, ...,βl) =~α·M^.

• PIRAnalysis(~β,y) → b: After receiving the server’s response ~β = (β₁,β₂, ...,β_l), the user computesγy=βy·u⁻¹modp, and retrievesbby computingγymod 2.

4.1.2 Cuckoo Hashing

Cuckoo hashing was first proposed by Pagh and Rodler [14] to build efficient and practical data in- dexes. It ensures worst-case constant look-up and deletion time and amortizedconstant insertion time while minimizing the storage requirements.

In order to store n elements in some index I^, Cuckoo hashing uses two hash tables T andT⁰ con- taining L entries each, and two hash functions H: {0,1}^∗→ {1,2, ...,L}andH⁰:{0,1}^∗→ {1,2, ...,L}.

Now, an elementτi is either stored in entryH(τ_i)in hash table T, or in entryH⁰(τ_i)in hash tableT⁰ but never in both.

The lookup operation in I is therefore simple:

When given an elementτ∈ {0,1}^∗, the two entries at positionsH(τ_i)andH⁰(τ_i)are queried in tablesT andT⁰respectively. To delete an element τi fromI^, the entry corresponding toτ_iis removed. Finally, to insert a new elementτ_i∈ {0,1}^∗intoI, we first check whether the entry ofT at positionH(τ_i)is empty. If it is the case, thenτiis inserted in this entry ofT and the insertion algorithm converges. Otherwise, if that entry is already occupied by another elementτj, then τ_jwill be removed from its current entry inT and re- located to its other possible entryH⁰(τ_j)inT⁰. Now, if there is an elementτkin the entryH⁰(τ_j)ofT⁰, then τj will be inserted in entryH⁰(τ_j)in tableT⁰ while τ_kwill be moved to its other possible entryH(τ_k)in T. This insertion process is repeated iteratively until the insertion of all elements in eitherT orT⁰. If this process of insertion does not converge (i.e., there is an element that cannot be inserted), or it takes too long to converge, then all the elements inI will be rehashed with new hash functionsHandH⁰.

An analysis of Cuckoo hashing [13] shows that if L≥n, then there is a family of universal hash func- tions that guarantees a small rehashing probability of orderO(¹_n)and a constant expected time for inser- tion. For a more comprehensive analysis of the per- formance of Cuckoo hashing, the reader may refer to [14].

4.2 Protocol Description

We recall that in this first version, the data ownerO wants to upload a large fileF to cloud serverS ^and once its data uploadedO wants to further search for some words within the file without revealing any in- formation to the semi-honest cloud server. The set of all distinct words within F is defined as Lω = {ω₁,ω₂, ...,ωn}. The proposed protocol can be di- vided into two main phases:

• During the uploadphase, before outsourcing its data, O builds the index corresponding to then distinct words present in fileFand encryptsFus- ing asemantically securesymmetric encryption.

• During the search phase, O computes the posi- tion of the requested word ω in F’s index and perform a PIR query to retrieve the information stored at that position in the index. Upon recep- tion of server S’s PIR response, O verifies this response and decides accordingly whether ω is present inFor not.

4.2.1 Setup

The data owner O ^{calls the Setup} algorithm which takes as input the security parameterζand outputs a master keyMKand a set of public parametersP ^such that:

• The master keyMKis composed of a symmetric encryption keyKencand a MAC keyKmac.

• The public parametersP comprise a MACHmac: {0,1}^ζ× {0,1}^∗→ {0,1}^κ and a cryptographic hash functionH:{0,1}^∗→ {0,1}^t.

4.2.2 Upload

The file upload phase consists of i.) Encrypting the fileFusing asemantically secureencryption such as AES in counter mode (cf. Encrypt) andii.) building a searchable index forLω(cf.BuildIndex).

The data owner O first generates a unique file identifier fidfor fileF and then encrypts F by call- ing the algorithm Encrypt. This algorithm takes as inputs secret key Kenc and file F and outputs a semantically secure encryption C=Enc(Kenc,F) of F. Next, O invokes the algorithm BuildIndex which on input of master key MK (more precisely MAC keyKmac), file identifierfidand the list of dis- tinct words Lω={ω₁,ω2, ...,ωn} present in F out- puts a list of MACs LH ={h₁,h₂...,h_n}, such that h_i=Hmac(Kmac,ω_i||fid)where||denotes concatena- tion. Then the algorithm BuildIndex constructs an indexI ^forLH ={h₁,h₂...,h_n}using Cuckoo hash- ing. In order to optimize the performance of the PIR underlying our word-search scheme, our index will differ from traditional Cuckoo hashing indexes by comprising two sets oft binary (rectangular) ma- trices {Mj}^t_j=1,{M⁰j}^t_j=1 of size (k,l) rather than two hash-tables T and T⁰. Namely, instead of us- ing two hash functions that hash into{1,2, ...,L}, we employ two hash functionsH andH⁰ that hash into {1,2, ...,k} × {1,2, ...,l}. For an elementh∈ {0,1}^∗, the hash functionH(H⁰resp.) returns a position(x,y) ((x⁰,y⁰)resp.) in matrices{Mj}({M⁰j}resp.). More precisely, the algorithmBuildIndexexecutes the fol- lowing:

• FirstBuildIndexgenerates two sets oftbinary ma- trices {Mj} and{Mj⁰} (1≤ j≤t) of size (k,l) each, where each element is initialized to 0.

• BuildIndexthen picks two hashesH andH⁰ that map each element h_i in LH to either a position (x_i,y_i) =H(h_i)in matrices{Mj}or to a position (x⁰_i,y⁰_i) =H⁰(h_i)in matrices {M_j⁰}, by following the Cuckoo hashing algorithm described in Sec- tion 4.1.2. We recall that in order to ensure worst- case constant look-up using Cuckoo hashing, k

andl have to be chosen such thatkl≥n, where nis the size ofLH.

• BuildIndexsubsequently fills the binary matrices {Mj}and{M_j^0}(1≤j≤t) as follows:

– For each h_i, BuildIndex computes H(h_i) = (b_i,1,b_i,2, ...,bi,t), whereHis at−bits crypto- graphic hash function.

– Now, if h_i is mapped to a position (x_i,y_i) = H(h_i)inMj (or to a position(x⁰_i,y⁰_i) =H⁰(h_i) inM_j⁰ resp.), then the bit at position(x_i,y_i)in Mj(the bit at position(x⁰_i,y⁰_i)inM_j⁰resp.) will be set tob_i,j. Hence, ifh_iis mapped to a posi- tion(x_i,yi) =H(h_i)in{Mj}(1≤ j≤t), then:

H(h_i) = (M1(x_i,y_i),M2(x_i,y_i), ...,Mt(x_i,y_i))

• Finally, BuildIndex outputs the searchable index I ^{= {H,H0,}M,M⁰} such that M = {M1,M2, ...,Mt}andM⁰={M₁^0,M₂^{0, ...,}Mt⁰}.

At the end of this phase, data ownerO^{sends the} file identifierfid, the encryptionCand the indexI ^to cloud serverS^.

4.2.3 Word Search

The search phase is divided into the three following steps:

Search Query To look for a wordω in file F,O calls the algorithmTokenwhich computes the MAC h=Hmac(Kmac,ω||fid). Further,Oruns the algorithm Query which computes H(h) = (x,y) and H⁰(h) = (x⁰,y⁰). We recall that(x,y) and(x⁰,y⁰)correspond to the potential position ofhin{Mj}and{Mj⁰}re- spectively. Next, algorithmQuery outputs two PIR queries~α=PIRQuery(x) = (α₁,α₂, ...,α_k)and~α⁰= PIRQuery(x⁰) = (α⁰₁,α⁰₂, ...,α⁰_k)that will allowO ^to retrieve thex^th andx^0throws respectively of(k,l)bi- nary matrices, as depicted in Section 4.1.1. Finally,O sends its search queryQ ^{= (~α, ~α0)to server}S^. Search response On receiving O^{’s search} query Q ^{= (~α,~α0),} S runs algorithm Response which on input of Q^, M = {M1,M2, ...,Mt} and M⁰ = {M₁^0,M₂^{0, ...,}Mt⁰}, computes two sets of t PIR responses R = {~β1,~β2, ...,~βt} and R⁰={~β⁰₁,~β⁰₂, ...,~β⁰_t}such that for all 1≤j≤t:

~βj = PIRResponse(~α,Mj) =~α·Mj

~β⁰_j = PIRResponse(~α⁰,M_j^{0) =~}α⁰·M_j⁰ S sends then its word search response R ⁼ {R,R⁰}toO^.

Verification To verify whether ω is in file F, the data ownerOruns the algorithmVerify. When called, algorithmVerifyunblinds they^thelement of each vec- tor~βj by executingPIRAnalysis(y)and they^0th ele- ment of each vector~β⁰_j by runningPIRAnalysis(y⁰), as was shown in Section 4.1.1. This allowsVerifyto derive a bit b_j from~βj and a bitb⁰_j from~β⁰_j respec- tively for all 1≤j≤t.

We denote by ~b and ~b⁰ the string of bits (b₁,b₂, ...,b_t) and (b⁰₁,b⁰₂, ...,b_t⁰) respectively. After obtaining~b and ~b⁰, algorithm Verify computes the hash H(h) and checks whether~b =H(h) or ~b⁰ = H(h). If so, thenVerifyoutputs 1 meaning thatω∈F;

otherwise,Verifyoutputs 0.

5 PRIVACY PRESERVING WORD SEARCH WITH DELEGATION

In this section we describe the entire solution in- cluding the delegation capabilities. We recall that data ownerO^{wants to: i.)} upload a large fileF that con- tainsndistinct wordsLω={ω₁,ω2, ...,ωn}to cloud serverS^,ii.)delegate the search capabilities on fileF to third party users and finallyiii.) be able to revoke these third party users at any point of time. There- fore the final solution involves in addition to the pre- viously mentioned two phases from the basic proto- col (i.e.UploadandWdSearch), aDelegationand a Revocationphase. We modify theUploadandWord Search phases so as to allow the data owner to up- load the necessary material that will enable authorized users to perform search operations, whereas during the newly defined Delegationphase, the data owner provides authorized users with the MAC key used to build the index. Finally, theRevocationphase is de- fined in order to grant the data owner the capability to revoke authorized users efficiently.

The additional two phases are defined thanks to the use ofCiphertext-Policy Attribute-Based Encryp- tion(CP-ABE) andOblivious Pseudo Random Func- tions (OPRF). We stress here that by combining OPRF and ABE, we do not only allow for seamless revocation but also we ensure theanonymity of autho- rized users. As opposed to traditional access control mechanisms, the proposed solution does not require authorized users to identify and authenticate them- selves to the cloud server.

Before providing a detailed description of our scheme, we summarize and formalize in the next sec- tion the algorithms underlying CP-ABE and OPRFs.

5.1 Building Blocks

5.1.1 Ciphertext-Policy Attribute-Based Encryption

A ciphertext-policy attribute-based encryption allows a user to encrypt a messageMunder some access pol- icyAPin such a way that only parties possessing at- tributes that matchAPcan deriveMfrom the cipher- text. Actually, a CP-ABE consists of the following algorithms, cf. [2]:

• Setup_abe(ζ)→(MKabe,Pabe): It is a randomized algorithm that takes as input a security parameter ζ, and outputs a master key MK_abe and a set of public parametersPabethat will be used by subse- quent algorithms.

• Encabe(M,AP) →C: It is a randomized algo- rithm that takes as input a messageM and some access policy AP, and outputs a ciphertext C= Encabe(M,AP) such that only users holding the attributes satisfying the access policyAPcan de- cryptC.

• CredGen_abe(MK_abe,Ai)→cred_i: It is a random- ized algorithm which on input of master key MKabeand a set of attributesAi, generates a set of credentialscred_ithat are associated withAi. This algorithm is generally executed by a trusted third party (for instance a certification authority) whose aim is to define a set of admissible attributes A and to issue credentialscred_ito any user possess- ing attributesAi⊂A.

• Decabe(C,cred_i)→M: It is a deterministic al-ˆ gorithm that takes as input a ciphertext C and a set of credentials cred_i. Assume that C en- crypts a message M under the access policyAP (i.e.,C=Encabe(M,AP)) and that the credentials cred_i are associated with the set of attributesAi. If the attributes Ai satisfy the access policyAP, thenDec_abe decryptsCsuccessfully and outputs Mˆ =Dec_abe(C,cred_i) =M. Otherwise, the de- cryption fails andDecabeoutputs ˆM=⊥.

5.1.2 Oblivious Pseudo-Random Functions An OPRF [9, 11] is a two-party protocol that allows a senderSwith inputδand a receiverRwith inputhto compute jointly the function f_δ(h)for some pseudo- random function familyf_δ, in such a way that receiver Ronly learns the value f_δ(h), whereas senderSlearns nothing from the protocol interaction.

Definition 4 (Oblivious Pseudo-Random Function [9]). A two-party protocol πbetween a sender S of inputδ and a receiver R of inputhis said to be an

oblivious pseudo-random function (OPRF), if there is some pseudo-random function family f_δ such that at the end of the execution ofπ:

• Receiver R gets f_δ(h) while learning nothing about S’s inputδ.

• Sender S learns nothing about R’s inputhor the value of f_δ(h).

In the following, we provide a quick overview of the generic algorithms underpinning an OPRF that evaluates the output of some pseudo-random function family f_δ:

• Setup_oprf(ζ)→(δ,Poprf): It is a randomized algo- rithm that is run by the senderS. It takes as input the security parameterζand outputs an OPRF se- cret keyδand a set of public parametersPoprfthat will be used by subsequent algorithms.

• Query_oprf(h)→Qoprf: It is a randomized algo- rithm that is executed by the receiver R when- ever R wants to generate an OPRF query. This algorithm has as input an elementh∈ {0,1}^κand outputs a matching OPRF queryQoprfthat will be sent later to senderS.

• Response_oprf(Qoprf,δ)→Roprf: It is a randomized algorithm which is operated by sender S when- everS receives an OPRF query. On input of an OPRF queryQoprf, the algorithmResponse_oprfre- turns the corresponding OPRF responseRoprfthat will be forwarded to the receiver.

• Resultoprf(Roprf,St_r)→ f_δ(h): It is deterministic algorithm that is run by receiverRand takes as in- put an OPRF responseRoprf and the current state St_r ofR. Without loss of generality, we assume thatRreceived the responseRoprf as a follow-up to a previous OPRF query that was generated for h∈ {0,1}^κ. Accordingly, the algorithmResultoprf

outputs f_δ(h), i.e. the evaluation of the pseudo- random function f_δat pointh.

In the remainder of this paper, we employ the OPRF proposed by Jarecki and Liu [11] which al- lows a receiver Rand a senderS to compute jointly the evaluation of the pseudo-random function f_δ(h) = g^1/(δ+h)for anyh∈Z^∗_N, whereNis an RSA safe mod- ulus andgis a random generator of a groupGof order N. However for ease of exposition, we will omit the implementation details of this OPRF and we will only refer to the generic OPRF algorithms when describing our scheme.

5.2 Protocol Description

In the sequel of this paper and in accordance with the work of Curtmola et al. [6], we assume that the cloud

server does not collude with revoked users. We indi- cate that if such a collusion happens, then our protocol will not be able to deter revoked users from searching the outsourced files.

Without loss of generality, we also assume that there is some certification authority which is in charge of: i.) defining the universe of admissible attributes A={att₁,att₂, ...},ii.)providing potential data own- ers and potential authorized users with their creden- tialscred_i that match their attributesAi⊂Afollow- ing for instance the CP-ABE scheme proposed by Bethencourt et al. [2].

5.2.1 Setup

As in the first version of the protocol, the data owner O^{calls theSetup}algorithm which takes as input the security parameterζand outputs a master keyMKand a set of public parametersP ^{such that:}

• The master key MK is composed of a symmet- ric encryption keyKenc, a MAC keyKmacand an OPRF secret keyδ.

• The new public parameters P comprise a MAC Hmac:{0,1}^ζ× {0,1}^∗→Z^∗_N (whereNis a safe RSA modulus), a cryptographic hash functionH: {0,1}^∗→ {0,1}^t and the public parametersPoprf

of the OPRFf_δ(h) =g^1/(δ+h). 5.2.2 Upload

The file upload phase amounts to i.) Encrypting the fileF using AES encryption (cf. Encrypt) ii.) building a searchable index forLω(cf. BuildIndex).

Now instead of building the indexI ^{based on}LH = {h₁,h₂...,h_n} as was done previously, the index will be constructed using the OPRF values f_δ(h_i) = g^1/(δ+hi). Since the computation of OPRF is deemed to be demanding, we suggest thatBuildIndexbe exe- cuted jointly byO ^{and the}semi-honest cloud server S in such a way that O is only required to com- pute symmetric operations (e.g. hash functions and AES encryption) whereas the cloud server performs the more computationally intensive operations (i.e.

OPRF and Cuckoo Hashing). Henceforth, we denote BuildIndex_O the sub-algorithm of BuildIndexthat is executed by data ownerO ^{andBuildIndex}Sthe sub- algorithm of BuildIndex that is operated by cloud serverS^.

Processing at the data owner As in the previous protocol, data owner O first generates a unique file identifierfidfor fileF and then encrypts F by call- ing the algorithm Encrypt which outputs an AES

encryption C = Enc(Kenc,F) of F. Then, O ^in- vokes the algorithm BuildIndex_O which outputs a list of MACs LH ={h₁,h₂...,h_n}, such that h_i = Hmac(Kmac,ωi||fid). Next,O defines the access pol- icy AP that will be associated with file F and fi- nally forwards (via a secure channel) the file iden- tifier fid, the encryptionC, the list of MACs LH = {h₁,h₂, ...,h_n}, the access policy APand the OPRF secret keyδto cloud serverS^.

Processing at the cloud The processing at the cloud comprises two operations. The first one is to compute OPRF over the MACs in LH = {h₁,h2, ...,hn} using the secret key δ. The second operation is to build an index with the resulting val- ues using Cuckoo hashing. More precisely, upon re- ceipt of file identifierfid, ciphertextC, list of keyed hashesLH={h₁,h₂, ...,h_n}, access policyAPassoci- ated withCand the OPRF keyδ,Scalls the algorithm BuildIndex_Swhich proceeds as explained below:

• First, BuildIndex_S computes τ_i = f_δ(h_i) = g^1/(δ+hi)for all 1≤i≤n.

• BuildIndex_S prepares an index I ^for T = {τ₁,τ2, ...,τn} using Cuckoo hashing. Namely, BuildIndex_S generates two sets of t binary ma- trices {Mj} and{Mj⁰} (1≤ j≤t) of size (k,l) each, where each element is initialized to 0.

BuildIndex_S then selects two hashes H and H⁰ that map each elementτiinTto either a position (x_i,y_i) =H(τ_i)in matrices{Mj}or to a position (x⁰_i,y⁰_i) =H⁰(τ_i)in matrices{Mj⁰}, by executing the Cuckoo hashing algorithm.

• BuildIndex_S fills the binary matrices {Mj} and {M_j^{0} (1≤ j≤}t) similarly to the previous ver- sion of the protocol. The only difference is that instead of storing the hashesH(h_i)in{Mj}and {M_j⁰}, we store the hashesH(τ_i).

• Finally, BuildIndex_S outputs the searchable index I ^{= {H,H0,}M,M⁰} such that M = {M1,M2, ...,Mt}andM⁰={M1⁰,M2⁰, ...,Mt⁰}.

5.2.3 Delegation

To delegate the word search capabilities on the en- crypted file F to third party users, data owner O encrypts its MAC key Kmac under its access pol- icyAPusing attribute-based encryption and provides cloud server S with the resulting ciphertext Cmac= Enc_abe(K_mac,AP). Thereafter,Spublishes the cipher- textCmacand the file identifierfid.

We note that an authorized userUwill in principle possesses a set of attributes A (and therewith a set of credentialscred) that satisfy the access policyAP.

Hence,Uwill be able to decrypt the ciphertextCmac

usingcredand derives the MAC keyKmac. This MAC key Kmac will be then used by U to perform word search onO’s file as will be shown in the next section.

5.2.4 Word Search

To search the encrypted fileCfor some wordω, the authorized userUperforms the following operations:

Token generation The token generation phase con- sists of executing an OPRF protocol between the au- thorized userUand the cloud serverS^{, where}U^cor- responds to the receiverRandS to the senderS(fol- lowing the notations in Section 5.1.2). Consequently, to generate a tokenτfor wordω, U executes algo- rithmTokenas follows:

• On inputs of the word ω, the file identifier fid and the MAC keyKmac, the algorithmTokenfirst computes h=Hmac(K_mac,ω||fid). Then it calls the algorithmQuery_oprf which on input ofhout- puts an OPRF query Qoprf to evaluate f_δ(h) = g^1/(δ+h). Next, the algorithmTokenforwards the OPRF queryQoprfto cloud serverS^.

• Upon receipt of Qoprf, S calls the OPRF algo- rithmResponse_oprf. This algorithm uses the secret OPRF keyδand the OPRF queryQoprf to output an OPRF responseRoprf.

Here instead of sending the OPRF responseRoprf

in clear toU^, S will obfuscate it in such a way that only an authorized (i.e. non-revoked) user will be able to derive Roprf. This obfuscation is performed as follows:

– S picks randomly a symmetric encryption key K_enc⁰ and encrypts the OPRF responseRoprfus- ing K_enc⁰ and the semantically secure encryp- tionEnc. This will result in a ciphertextC⁰= Enc(K_enc⁰ ,Roprf).

– Then it computes a CP attribute-based encryp- tionCenc=Enc_abe(K_enc⁰ ,AP)of the encryption keyK_enc⁰ under the access policyAPof the data ownerO^.

Notice that in this manner, we make sure that only authorized users will be able to decrypt the OPRF response and therewith obtain the token τ= f_δ(h) =g^1/(δ+h) necessary to perform the word search.

At the end of this step,Sforwards the ciphertexts C⁰andCencto authorized userU^.

• On receiving the ciphertextsC⁰ andCenc, the al- gorithm Tokenfirst decrypts Cenc using the cre- dentials cred that U obtained from the CA and

getsK_enc⁰ =Decabe(Cenc,cred). Then it computes the OPRF response Roprf by decrypting the ci- phertext Cenc using the secret key K_enc⁰ . Next, the algorithm Token calls the OPRF algorithm Response_oprf which takes as inputRoprf and out- puts consequently the word search token τ =

f_δ(h) =g^1/(δ+h).

Search Query After obtaining the token τ cor- responding to the word ω, U runs the algorithm Querywhich first computesH(τ) = (x,y)andH⁰(τ) = (x⁰,y⁰). Then, as in the previous solution, it computes two PIR queries(~α, ~α⁰)to retrieve thex^thand thex^0th row of a(k,l)binary matrix and sends the word search queryQ ^{= (~α, ~}α⁰)to cloud serverS^.

Search response On receiving U’s search query Q ^{= (~α,~}α⁰), cloud serverSruns algorithmResponse which computes the two sets oft PIR responsesR= {~β1,~β2, ...,~βt}andR⁰={~β⁰₁,~β⁰₂, ...,~β⁰_t}such that for all 1≤j≤t:

~β_j = PIRResponse(~α,Mj) =~α·Mj

~β⁰_j = PIRResponse(~α⁰,Mj⁰) =~α⁰·Mj⁰

S sends then its word search response R ⁼ {R,R⁰}toU^.

Verification To verify whetherωis in the encrypted fileC, the authorized user U runs the original algo- rithm Verify as described in Section 4.2.3. But af- ter obtaining~band~b⁰, algorithmVerifycomputes the hash H(τ)instead of the hashH(h)and checks ac- cordingly whether~b=H(τ)or~b⁰=H(τ). If it is the case, thenVerifyoutputs 1 meaning thatω∈F; oth- erwise,Verifyoutputs 0.

5.2.5 Revocation

For sake of simplicity, we assume that the data owner O revokes attributes att_i ∈A instead of individual users U. We believe that this assumption is suffi- cient in the context of our application as described in Section 2, where the data owner delegates the word search capabilities to regulators or auditors that are not identified by their identities but by their attributes.

Now to revoke an attributeatt_i,Oruns the algo- rithmRevokewhich outputs a new access policyAP⁰ that will be given to the cloud serverS. For instance, if we assume that the initial access policyAPof O states thatauditorsfromEUand theUScan perform word search onO’s files, then a revocation of attribute USwill lead to a new access policyAP⁰that says that

onlyauditorsfrom theEUcan perform word search.

In this manner,auditorsfrom the USwill no longer have access toO^{’s file.}

6 PRIVACY ANALYSIS

In this section, we briefly analyze the privacy properties of the proposed scheme. The interested reader may refer to the appendix for a more formal analysis.

6.1 Storage Privacy

Our scheme insures storage privacy thanks to the use of semantically secure encryption and message au- thentication codeduring the upload phase. Actually, the semantically secure encryption assures that cloud serverS cannot derive any information about the file F from its encryptionC. In addition, by computing MACs that not only depend on the words present in the file but also on its unique identifier, we ensure that the indexI does not leak any information about the outsourced file. Notably, cloud serverS cannot tell whether two outsourced files have words in common or not, based on their indexes.

6.2 Query Privacy

Query privacy is assured by the use of bothOPRFand PIR. On the one hand, OPRF allows authorized user Uto generate a word search tokenτwithout disclos- ing anything to cloud serverS about the wordωthat Uis interested in. On the other hand, PIR enablesU to preform word search onS’s database while mak- ing sure thatS learns nothing about the word search queries or their corresponding results.

6.3 Privacy against Revoked Users

Since in this paper, we only focus on the case where data ownerOrevokes attributes instead of individual users, it follows that using for instance the CP-ABE scheme proposed by Bethencourt et al. [2] suffices to ensure efficient revocation. As shown in the previous section, revocation is achieved by updating the access policy associated with fileF and by exploiting the properties of OPRF: ObfuscatingS’s responses dur- ing the token generation phase (cf. Section 5.2) stops a revoked user from deriving new word search tokens and consequently from verifyingS’s responses.

Note also that even if revoked users gain access to the cloud server’s database, they cannot decrypt the

content of the outsourced files as they do not have ac- cess to the encryption keyKenc. All they can achieve is performing a dictionary attack on the indexI ^using the MAC keyKmacand the OPRF secret keyδ, which can be computationally intensive.

7 PERFORMANCE EVALUATION

During the upload phase, the data owner is only required to encrypt the file to be outsourced using a symmetric encryption and to compute a MACh_i for each word ωi∈Lω. On the other hand, the cloud server computes the OPRFs (i.e. tokens)τi= f_δ(h_i) and builds the corresponding indexIby following the algorithm of Cuckoo hashing. Although the compu- tation of the OPRF proposed in [11] may be deemed computationally demanding as it calls for exponenti- ations, it can be efficiently parallelized at the cloud server. Actually, if the cloud server possessesNma- chines for instance, it can provide each one of its machines with _N¹ fraction of the list of MACsLH = {h₁,h₂, ...,h_n}supplied by the data owner. Each ma- chine will consequently compute _Nⁿ exponentiations whose results will be given back to the cloud server to construct the indexI^.

While some would argue that using PIR to com- pute the responses of the cloud server to word search queries is computationally intensive, we note that this computation consists ofmatrix multiplicationswhich can easily be parallelized. Actually, the cloud server can store at each one of its machine _N¹-fraction of the binary matrices{Mj}and{Mj⁰}. Upon receipt of a word search query,S forwards the PIR queries it re- ceives to itsNmachines which accordingly compute the corresponding PIR responses.

Furthermore, we emphasize that in this paper we employ PIR to retrieve a hash of word search tokens instead of their actual values. This fact drastically en- hances the computation and the communication per- formances of our scheme. For example, if we instan- tiate the OPRF in the token generation phase with the OPRF presented in [11], then we will end up with to- kens of size 1024 bits. This means that if we retrieve the actual values of the token to perform word search, then each search query will consist of retrieving 1024 bits which is far from being practical. Instead in our protocol, each search operation consists of fetching t-bit (t is typically 80) hash. We note also that set- ting the size(k,l)of the matrices{Mj}and{Mj⁰}to (√

tn,p_n

t)results in a minimal communication cost ofO(√

tn).

Finally, we stress that contrary to related work [6], revocation in our protocol does not require the re-