DeepAI
Log In Sign Up

Survey on Secure Search Over Encrypted Data on the Cloud

11/24/2018
by   Hoang Pham, et al.
0

Cloud computing has become a potential resource for businesses and individuals to outsource their data to remote but highly accessible servers. However, potentials of the cloud services have not been fully unleashed due to users' concerns about security and privacy of their data in the cloud. User-side encryption techniques can be employed to mitigate the security concerns. Nonetheless, once the data in encrypted, no processing (e.g., searching) can be performed on the outsourced data. Searchable Encryption (SE) techniques have been widely studied to enable searching on the data while they are encrypted. These techniques enable various types of search on the encrypted data and offer different levels of security. In addition, although these techniques enable different search types and vary in details, they share similarities in their components and architectures. In this paper, we provide a comprehensive survey on different secure search techniques; a high-level architecture for these systems, and an analysis of their performance and security level.

READ FULL TEXT VIEW PDF

page 1

page 2

page 3

page 4

12/03/2018

Secure outsourced calculations with homomorphic encryption

With the rapid development of cloud computing, the privacy security inci...
02/24/2020

Semantic, Efficient, and Secure Search over Encrypted Cloud Data

Companies and individuals demand more and more storage space and computi...
01/07/2020

Provenance-based Classification Policy based on Encrypted Search

As an important type of cloud data, digital provenance is arousing incre...
04/12/2018

QRES: Quantitative Reasoning on Encrypted Security SLAs

While regulators advocate for higher cloud transparency, many Cloud Serv...
09/20/2019

HEAX: An Architecture for Computing on Encrypted Data

With the rapid increase in cloud computing, concerns surrounding data pr...
04/27/2019

A Novel Fuzzy Search Approach over Encrypted Data with Improved Accuracy and Efficiency

As cloud computing becomes prevalent in recent years, more and more ente...
09/20/2019

HEAX: High-Performance Architecture for Computation on Homomorphically Encrypted Data in the Cloud

With the rapid increase in cloud computing, concerns surrounding data pr...

1 Introduction

As cloud computing becomes prevalent, more cloud-based solutions are developed and widely used in different applications. Companies that have adopted cloud storage solutions are reported to gain a competitive edge against those that have not [1].

Cloud computing is favored due to its many advantages, including: convenience and accessibility, consistent back ups to reducing the burden of local storage, and saving capital expenditure on in-house hardware and software maintenance [2]. Apart from advantages, public cloud storage services are utilized by multi-tenant customers who store large amounts of potentially sensitive data on the cloud. In addition, using cloud storage implies losing full control over data and delegating it to the cloud administrators. These issues expose the data to potential external and internal attacks [3, 4], which can be devastating for organizations that rely on confidentiality of their data (e.g financial corporations).

These problems has made businesses concerned about outsourcing their data to the cloud and making use of its potentials [5, 6]. For instance, a medical center that owns patients’ health records cannot outsource its data to a cloud that is vulnerable to attacks, due to legal regulations [7]. Another instance, is a law enforcement agency that keeps sensitive criminal records and hesitates to use cloud storage.

One way to overcome the confidentiality problem is to encrypt data on the local premises before outsourcing it to the cloud. While this approach preserves data confidentiality, it hinders data processing. In particular, searching is of paramount importance for outsourced unstructured data [8]. In fact, when data is encrypted, search systems do not function anymore, because they are unable to compare the query to the encrypted data.

A naïve approach to enable search on encrypted data would be downloading all of the data from the cloud, decrypting them, and locally performing plain text search [9]. However, with potentially huge data (also called big data) hosted on the cloud and limited network bandwidth [10], this approach remains impractical. Therefore, searchable encryption systems (e.g.,  [11, 12, 13, 14]) have been introduced to cope with this problem. These systems ideally allow the encrypted data to be searched without revealing data and the search query. Hence, they relieve concerns about data confidentiality in the cloud.

Efforts to create searchable encryption systems are dated back to early 2000 by Song et al.,  [10]. Since then, numerous research works have been undertaken to enable different types of searchable encryption. Although these systems are different in their searching approaches, security level, and performance, they share certain architectural similarities. There are other survey studies over different searchable encryption systems [15, 16]. This paper complements those survey studies by providing a comprehensive survey of the existing searchable encryption systems and differentiate them in terms of their searching approaches, security level, and performance. In addition, we provide a generic framework that encompasses the components of searchable encryption systems. As recently more granular search systems are demanded by different industries, we survey domain-specific search systems as well. Finally, we identify the shortcomings of the current research works and recommend avenues for future research and development efforts in the searchable encryption area. In summary, the contributions of this paper are as follows:

  • Analyzing the commonalities and differences in various types of cloud-based searchable encryption systems.

  • Providing a generic framework for cloud-based searchable encryption systems.

  • Providing survey and categorizing current cloud-based searchable encryption systems.

  • Surveying domain-specific encryption systems.

  • Identifying forthcoming challenges in searchable encryption and introducing future research avenues to address them.

The remainder of the paper is organized as follow: Section 2 introduces the background and preliminaries of searchable encryption. An overall framework for searchable encryption is given in Section 3. Section 4 reviews the security requirements and criteria to assess searchable encryption systems. Section 5 reviews the categorization of different searchable encryption schemes and Section 6 evaluates the security shortcomings of the searchable encryption system and also categorizes the existing searchable encryption systems based on their security analysis. Next, Section 7 surveys domain-specific searchable encryption schemes. Finally, Section 9 summarizes the paper and provides avenues for future research in this area.

2 Elements of a Cloud-Based Searchable Encryption System

Figure 1: Main elements involved in cloud-based searchable encryption systems.

Song et al.,  [10] are one of the pioneers in searchable encryption. They provide a system in which a client (i.e., data owner) can search over her encrypted data (in the form of emails) on an email server. Once the data owner wants to search some keywords in her emails, she submits an encrypted query (termed trapdoor) to the server. The server is in charge of searching over the encrypted data and retrieving the related ones to the owners.

More recent research works in searchable encryption  (e.g.,  [13, 17, 18, 19, 12, 20]) describe their systems with similar elements to Song et al., work. In the rest of this section, we introduce these elements in more details.

As depicted in Figure 1 which is inspired by works in [13, 17], searchable encryption systems are commonly composed of three main elements, as follows:

Data owner

A data owner sets up the system by granting access control to data users and uploading documents to the cloud. The data owner posses a collection of documents and wants to outsource them to a remote public cloud server (e.g., Amazon and IBM Cloud Storage) for storing or sharing purposes. In order to protect confidentiality of the documents, the owner encrypts the data locally using her authorization key and uploads the encrypted data to the cloud.

Data user

The data users are those who are authorized to search and retrieve the uploaded documents. The data users have an encryption key that is applied on their search queries and creates trapdoors111For further explanation about trapdoors, please see Section 3. The trapdoors are then sent to the cloud servers to retrieve search results in form of a list of relevant documents (e.g., in [21, 22]) or document identifiers (e.g., in [23, 24]). The data user can be potentially permitted to decrypt the document locally [23, 24]. It is worth noting that, in practice, a data owner can be a data user too.

Cloud server

The cloud server receives an encrypted collection of documents uploaded by data owners and carries out three main tasks: storing uploaded documents; searching them against trapdoors; and maintaining search data structures updated.

The research works that have been undertaken in cloud-based searchable encryption generally assume cloud servers to be honest-but-curious. That is, although the cloud server administrator follows necessary security procedures and does not modify nor delete data files, she is still “curious” about the content of the documents.

Another component we found common in current searchable encryption systems is trusted computing base. Each searchable encryption system implements this element in its owned way to adapt its purposes and functionality. Although trusted computing base can be combined with other components in the searchable encryption system system, it is worth recognizing and mentioning that in the paper.

Trusted computing base (Gateway)

Data owner and Data users in a searchable encryption system need data preparation and preprocessing (e.g., removing stop words from the search query or extracting keywords from documents [20]) in their local domain before proceeding to the Cloud server. The preprocessing constructs another element in the searchable encryption system, termed Trusted computing base (or Gateway) [13, 19, 11], that includes the client-side application. In particular, job of the gateway is to prepare document in the setup phase for data owner and preprocess user’s query in the retrieval phase. The gateway is generally assumed to be trusted and resides in the user’s premise. There are two approaches to implement the gateway: client-end approach in which the gateway is part of client machine [25, 26]; and trusted server approach in which the gateway resides on separate trusted sever [13, 19, 11].

  • Client-end approach The advantage of the client-end approach is that the data is secure from its origin, thus, is safe against connection interception. The drawback of this approach is to impose overhead on the client-side application and potentially affecting its performance. Hence, it is considered inappropriate for circumstances that data users predominantly use thin-client devices (e.g., smart phones) [27].

  • Trusted server approach The Trusted server approach is generally faster and lends itself better to the edge computing platforms. Although this approach imposes a low overhead on the client machines, it reveals data in the communication channels between the client machine and the trusted server. This approach also includes server provisioning and maintenance costs. In practice, the trusted server approach is appropriate for circumstances where clients’ devices fall short in computing power and have limited energy supply [18].

3 A General Architecture for Searchable Encryption Systems

3.1 Overview

The architecture of a searchable encryption system has to implement four processes involved with the elements mentioned in the previous section. In this section, we first describe these four processes, then we discuss how they are applied within different elements of the searchable encryption system.

3.2 Processes Involved in a Searchable Encryption System

The processes in a searchable encryption system are namely Key generation (Keygen), Build-Index, Trapdoor generation, and Search. These processes are enablers of searchable encryption systems and generally have polynomial time complexity [11, 28].

Key Generation (Keygen) Process

This process is in charge of creating key to encrypt plain text documents, and later to decrypt the retrieved documents. The algorithm for this process generates a key based on a set of given security parameters. Probabilistic key generation algorithm [28] are commonly used for this process.

As data owner and data user transmit and store data through the server, there is a need to secure the resided documents in privacy and how to recognized the authorized users to access these data. There are two common methods that encryption documents can be carried out: symmetric and asymmetric encryption.

  • Symmetric Encryption: In this methods, both data owner and data user share the same secret key. This secret can be used to both encrypt and decrypt the document. In other words, this key is to create unclarity noise in the documents to the unauthorized user while the authorized data user can use that shared key (or a computable ïnversedk̈ey to defuse and remove the uncertainty in the document [29]

  • Asymmetric Encryption: Known as Public Key Encryption. This cryptography includes two different key: public key and private key which are used to encrypt and decrypt the document [30, 31]. More specifically, the data owner would use one of his keys for encryption the document and the other to decrypt. Since the two key are completely different and there is no computationally correlation between them, even if the encryption key (public key) is compromised, the attacker can not get the message content without the private key.

Build-Index

Searchable encryption systems commonly utilize an index structure to keep track of occurrences of keywords in documents. The process of initializing this index, called Build-Index, takes key from Keygen process the and a collection of documents as inputs. Then, it extracts keywords from the documents and insert them into the index structure.

This Build-Index process is used by the data owner to generate a secure and searchable strucure that enables search over the encrypted data. An index structure is generally implemented in form of a hash table [32], meta data (markup) [17], or inverted index [27, 33] where each unique keyword is mapped to document identifiers it appears in.

Trapdoor Generation

This process is used by data users to form search queries. It encrypts the user’s search query using a key that is compatible with the Build-Index key .

It is possible that the search query preprocessed (e.g., expanded) by the Trapdoor Generation process [26, 20, 12]. Then, the encrypted Trapdoor is sent to the cloud server.

Search

After receiving the trapdoor, the server runs the search procedure to match documents that contain the set of keywords in the trapdoor. Next, the results are sent back to the client.

3.3 General Architecture for Searchable Encryption Systems

The general architecture for a cloud-based searchable encryption system is depicted in Figure 2.

Figure 2: Architectural Overview of Cloud-based Searchable Encryption Systems.

The system architecture consists of two main mechanisms, namely Setup and Retrieval. The main job of the Setup mechanism is to prepare documents for searching by data users. Upon receiving a search query from the data user, the job of Retrieval mechanism, is to perform search on the dataset, find matching documents and send the results back to the data user.

In the next subsections, we elaborate on how these mechanisms operate.

3.3.1 Setup Mechanism

Before sending documents to the cloud, in the Setup mechanism, first, the useful information from the documents are extracted. The type of extracted data depends on the type of search system (e.g., keyword search [34, 35] versus semantic search [13, 14]). Then, the extracted data and documents are encrypted and sent to the cloud server.

The data owner initiates the search system through the Keygen process (see Section 3.2 for more details). The generated key is necessary to encrypt documents before outsourcing, and decrypt downloaded documents.

In some searchable encryption systems, the Setup mechanism also includes creating an “Index structure” [13, 14, 20, 34]. The Index structure is also known as “meta data” [17] or “identify keywords” [30, 36]). The index comprised of keywords that represents the essence of each uploaded document. Alternatively, some other searchable encryption systems do not rely on the index structure. They directly encrypt each keyword individually and form an encrypted searchable document [10].

The searchable encryption system then encrypts the documents’ contents as well as the index structure (if it exists), before sending them to the cloud server.

In systems that data owner and data users are separated entities, the data owner needs to distribute the public-key to the data users. The keys are utilized by data users to create trapdoors that are compatible with the encrypted uploaded data. Methods such as public key cryptography [32] or broadcast encryption [35] are commonly used for key distribution.

3.3.2 Retrieval Mechanism

After setup, the system is expected to have a collection of files ready to be searched over. Data users or owners can submit a search query, defined as a set of keywords .

Trapdoor is produced using and the keys data user owns. Some systems (e.g.,  [21, 37]) also apply pre-processing of the search query in producing Trapdoor. Once Trapdoor is produced, it is sent to the cloud server.

The cloud server includes a search engine that carries out the search process. In the systems that rely on an index structure, the index is used to match Trapdoor against index entries to find relevant documents. At the end, the list of results, which includes matching documents or their identifiers, are sent back to the user. Upon receiving the result list, the data user can request to receive (i.e., download) and decrypt the documents, if they are authorized.

It is worth mentioning that during the Retrieval mechanism, the cloud server could learn minimal information about the documents [35, 20]. In the next section, we provide further details on security aspects of cloud-based searchable encryption systems.

4 Security Requirements and Shortcomings of Searchable Encryption Systems

4.1 Security Criteria of searchable encryption Systems

It is crucial for searchable encryption systems to prove that they can preserve confidentiality of the user’s data and prevent information leakage. Therefore, the resistance of searchable encryption systems should be verified against possible internal or external attacks on an untrusted server. More specifically, the server should not be able to learn anything about the original data, from the cipher text or the search process. Song at el [10] defined 3 security properties that every searchable encryption system should maintain:

  1. Controlled searching: Unauthorized users should not be able to search in the server. In [36, 38], an unauthorized user cannot submit a query to the server unless she has the secret key to generate a trapdoor. On the server side, the data must be kept in encrypted manner. Also, processing of the data must be done without decrypting the data. Thus, without a trapdoor, nothing can be returned in response to an unauthorized search request.

  2. Hidden query: this technique hides the unencrypted query from the untrusted server. Every searchable encryption system should be able to mask or encrypt the content of the search query to avoid the possibility of the server inferring the content from the search results. The untrusted server can only learn about the relationship of a secure query to a set of document identifiers, not what that set of documents are about.

    Without an encrypted query, an attacker can submit numerous queries to the searchable encryption system. Then, by analyzing the search results, documents’ contents can be inferred [36]. In [36], the authors present secure index (e.g., Z-idx) that does not reveal the actual search query, by hashing it into an irreversible trapdoor, before sending it to the server. Hence, the server cannot learn any information from the query. Similarly, in [39], Ren et al.,  implement a secondary homomorphic encryption on top of deterministically encrypted query terms to further obfuscate the original query.

  3. Query isolation: In the search process, the server should know nothing, except the search results [10]. In searchable encryption systems (e.g., [38]), if there is a match between the query and the index, the server can locate the related documents and return them to the data user. However, since the data on the server is encrypted and secret key is not stored in the server, the server cannot understand anything other than the search result.

4.2 Shortcomings of Searchable Encryption Systems

The security requirement means that the system needs to adopt methods to protect the data. For example, documents and auxiliary indices are encrypted using the secret key so that only a user with the valid key can learn about the content, thus, its privacy and confidentiality from the untrusted server are protected. Even with cipher text, there are prevention measures against different hacking techniques, such as statistical attacks [40] and keyword-distribution attacks [40], that aims at deriving the correlation of the cipher text and the plain text. These prevention measures contribute to the complexity of the searching mechanism.

The complexity of the prevention measures compels the searchable encryption system to trade-off between performance and security. In searchable encryption systems, the access pattern and search pattern are the most common security factors to consider for these trade-offs.

Search pattern

is defined as any information or pattern that an attacker can use to derive, if random queries are related to a keywords [23]. In some of the earlier research works (e.g.,  [10, 24, 36]), the searchable encryption system reveals the search pattern to in favor of efficiency in the search operation. In a searchable encryption system by Curtmola et al.,  [23], the trapdoor is created using deterministic encryption, hence, the system leaks the search pattern. Similarly, research works undertaken in [10, 24, 36] compromise search pattern to improve search efficiency.

Access pattern

is defined as any information that the attacker can use to determine the frequency at which files are accessed or associate to the query. For example, an observant and patient attacker could sniff the network connections to understand which files are searched for most frequently, thus, determining the most important documents in a dataset.

In the context of searchable encryption, Goldreich et al., [41] achieved fully secure searchable encryption using Oblivious RAM (ORAM) to hide the access pattern. ORAM periodically shuffles the data blocks so that the user avoids accessing the same data (memory) block for the same retrieved data. However, in this work, the initial setup phase is computationally expensive and the search phase requires logarithmic rounds of interaction between the user and the server to narrow down the search results. This makes it a burden on the bandwidth and not suitable for large scale datasets.

Another work aimed at hiding the access pattern has been carried out by Boneh et al., [31] using Private Information Retrieval (PIR) technique. In a system consists of replicated servers, the user sends homomorphic encrypted queries [42, 31] to the servers to retrieve data blocks from the servers that collectively make up the result [43]. The system has to touch all of the replicated servers, thus, imposes a significant communication overhead to retrieve one single query.

To provide an efficient searchable encryption system, Song et al., [10] resorted to the weakened security guarantee, i.e., revealing the access pattern and search pattern but nothing else. Later works (e.g., [23, 24, 39]) attempt to find a proper method to balance a reasonable access and search pattern leakage and improve the search performance.

We should note that even with these security compromises, it is still difficult for an attacker to derive helpful information from the dataset. In fact, the attackers cannot learn anything beyond the importance of certain documents.

4.3 One-to-Many Order Preserving Symmetric Encryption (OM-OPSE)

In searchable encryption systems, data users generally need to see the search results ordered by their relevance to the search queries. As such, a searchable encryption system needs a method to assign relevance score to each found document and rank them for the user.

One way to achieve ranking of the search results is to assign an importance value (i.e., weight) to the extracted keywords in the index structure. The weight of an extracted keyword can be obtained based on its importance in the document [29, 44]. These weights are typically hidden using deterministic encryption methods [45]. However, because deterministic encryption is a one-to-one mapping of plain text to cipher text, this encryption method can potentially leak some information about the documents [45]. In fact, an internal attacker can potentially deduce the distribution of encrypted scores in the data collection.

Given the context background of the corpus, the attacker can utilize the retrieved score distribution to gain knowledge about the documents or even break the encryption of the system [34]. To prevent this, certain research works have modified the Order Preserving Symmetric Encryption (OPSE) which is a deterministic encryption method that preserves numerical order of the plain text [46].

Wang et al., [35] and Sun et al., [13]

utilized OPSE to create a more efficient approach (known as one-to-many order-preserving mapping) to increase obfuscation of the original encrypted scores while maintaining plain text order. Instead of mapping the plaintext score to a single encrypted document, the encrypted score is assigned within a randomly appointed bucket within a predefined range. Therefore, the randomness of score distribution increases and the probability of being predicted decreases. Several research works have demonstrated that modifying OPSE is “as-strong-as-possible” encryption technique

[35, 13].

5 Taxonomy of Searchable Encryption Systems

There have been various research efforts to enable different forms of search operation on encrypted data. However, a lot of them are rooted from some general approaches. The goal of this section is to provide a comprehensive taxonomy of the current searchable encryption systems and supply an overview of the conducted research in this domain. The taxonomy of searchable encryption systems is provided in Figure 3. As we can see in this figure, the searchable encryption systems can be broadly categorized based on the type of search they perform into three main types, namely Keyword Search; Regular Expression Search; and Semantic search.

Figure 3: Taxonomy of the current searchable encryption systems.

5.1 Keyword Search

5.1.1 Sequential Scan Keyword Search

Song et al., [10] pioneered the idea of user-side encryption and keyword-based search over the encrypted documents. The user intends to retrieve encrypted documents that contain her search keyword. In the proposed scheme, each keyword of a document is encrypted independently in two encryption layers. Firstly, they pre-encrypt the keyword with into bits. This is then split into two parts: the right part () consists of bits and left part () consists of bits.

Secondly, the left part is encrypted with a stream cipher which has characteristics to check for matching using XOR method.

When a user requests documents that include a set of interested keywords, she submits the encryption version of each keyword of the query: and , the server performs XORing matching on bits of each cipher text to see whether XOR is of the form () for some S [10]. In this system, since every word is independently encrypted, to find all the matches, the server has to follow the above steps word-by-word for the entire document. For this reason, this method of searching is known as sequential scan.

Another work in Sequential Scan category is PEKS (Public key Encryption with Keyword Search) [31]. PEKS encrypts each keyword in the uploaded document based on a public key using Bilinear Diffie-Hellman [31] or Trapdoor Permutation [31] method. In the client side, the data owner uses her private key to verify if her query keyword occurs in a document. In this method, the server needs to scan every cipher text (i.e., keyword) of each document to find the occurrences. The method is computationally expensive because the search cost is proportionate to the number of the documents in the dataset.

There is not many dominant research works that also follow this fashion due to its limitation of time complexity to search through the whole dataset size, given the fact of growing volume of data in current storage. More advanced and efficient searchable encryption systems are mentioned later.

5.1.2 Index-Based Keyword Search

In order to deal with the inefficiency of the Sequential Scan keyword search, Song et al., [10] proposes a data structure called an “index” that contains a list of keywords mapped to its original document using a document pointer (also known as document identifier [25]). The keyword is encrypted as and the document identifier is encrypted using a key resulting from a key generator function with input of the hashed keyword .

In the Index-based keyword search systems, instead of searching sequentially (word-by-word) for every document, the system only needs to check the index structure for the interested keywords. From the results, the system retrieves the document identifiers and sends them back to the client.

Goh et al., [36] was one of the first works to introduce the secure index-based search method. In this work, the system creates an index for each document before encrypting and uploading it. The index consists of keywords that are considered relevant to the document. There are two main ways to construct the secure index: IND-CKA [36] and the efficient variant construction called Z-IDX [36]. Both of these methods use Bloom Filter [36] as an index for each document to track its keywords. At the search time, the system creates search trapdoor and uses the Bloom Filter to check if the trapdoor is contained in the dataset.

Ren et al., [39] directly extended the two-layer encryption idea originally presented by Song et al., into a hashed index representation, seeing significant speed increases. In addition, they introduced another layer of randomized XOR-homomorphic encryption on the search query to further obfuscate the query to adversaries watching the network stream. Liu et al., [47] presented a searchable encryption method with multiple data sources where the cloud index is composed of multiple Index(es) from different sources. Research works such as [34, 35] introduced a similarity score for keyword search using formulas based on the term frequency of the keywords. Introducing similarity score allows the result list to be ranked for the end users. We will review their scoring and ranking keyword against document and query in details in Section 5.3.3.

Earlier works from [36, 10, 31, 23] using index-based keyword search with their owned methods to perform single keyword or disjunctive keywords search on encrypted documents. However, as the requirements of data user are growing and in need for more accurate search result, different techniques are introduced on to the index to support multi-keyword and conjunctive keywords search. MRSE [48] is one of the first works propose solution to that demand. Cao et al., [48]

define a dictionary consisting of all the keywords and each keyword has a defined location in the dictionary. Data file and search query are represented by binary vectors which, then are used in ”inner product computation” to measure the similarity of the data file and the query. Cao

et al., [48] also apply their owned internal ranking to return relevant ordered result. Later on, Z. Xu et al., [49] improve MRSE in so its fixed dictionary can be extended dynamically. Their works also improve the ranking algorithms by using access frequency in weighing the matched data file.

5.2 Regular Expression Search

One expansion to the keyword-based searchable encryption is to allow users performing regular expression search on encrypted data. A preliminary approach by Song et al., [10] proposes to create all possible variations of a given regular expression. For instance, for query, it generates all 26 possible search queries that are . This approach only works for simple regular expressions with and is not scalable for those with high degree of variability, e.g., .

RESeED [19, 50] is a regular expression search system for encrypted data. RESeED operates based on two data structures: a Column Store, which is an unencrypted inverted index, representing keywords and the documents they appeared in; an Order Store which is a fuzzy (hashed) representation of keywords within a document. For a given search phrase, RESeED builds a Nondeterministic Finite Automaton (NFA) [19]. The NFA is then partitioned into sub-NFAs that can be matched against keywords in the Column Store. For the documents found in the previous step, their Order Store is checked to confirm the keywords are in the same order of the regular expression.

5.3 Semantic Search

Searchable encryption solutions providing keyword or regular expression-based search abilities are useful when users exactly know what keywords they are searching for in the documents. However, with a growing collection of documents and the emergence of big data, the data users may not remember exact keywords they want to retrieve, or they might want to search for documents that are more broadly related to a topic [27, 33].

For instance, in a hospital with encrypted medical records, a doctor may desire to search for records using the query “heart disease”. While the doctor is interested in documents containing the exact query terms, she is also interested in documents with semantically related terms (e.g., “heart attack” or “chest pain”). Therefore, semantic search ability is needed to return documents related to terms in the query and to avoid redundant searching attempts.

Many research works have been undertaken to enable different forms of semantic searchable encryption. As we can see in the taxonomy (Figure 3), these semantic search systems can be further categorized into three main types, namely Fuzzy Keyword Search; Stemming Search; and Ontological Search.

5.3.1 Fuzzy Keyword Search

A Fuzzy Keyword Search improves the usability of a system by searching for close matches to the query if it fails to find sufficient matches for the exact query. Although these systems are categorized as search systems, they may not be directly used for search purposes. Fuzzy search can be particularly used to make a system tolerant to user’s typos [51].

Fuzzy keyword search systems work based on edit distance that measures the similarity between two strings and [52]. It is defined as the number of string operations needed to transform to . The possible string operations are insertion (insert a character into a string), substitution (replace one character with another in a string), and deletion (remove a character from a string) [25]. Let , a collection of documents stored on an untrusted third-party server (e.g., cloud); a unique set of keywords with a fixed edit distance ; and a search trapdoor with threshold . Then, a fuzzy keyword search system outputs a list of documents that possibly contain keyword , if ; else return document where .

Li et al., [25] provide a fuzzy keyword search system that injects all possible words that satisfy where denotes the extracted keyword. For example, the fuzzy list of the keyword CAR is {ACAR, CAAR, CARA, , CARZ}. This list of fuzzy variants is sent to the server where the index structure is located and includes those keywords and their associated documents. Similarly, in the Retrieval phase, the query is augmented with fuzzy variants, sent to the server to be matched, and a list of documents is returned. However, this approach is computationally expensive. For instance, if the number of possible variants is . To improve this, the authors [25] propose a wild-card-based technique that inserts wild card (*) to represent the fuzzy character or omit a letter from . For instance, the fuzzy key set of CAR is and . These techniques significantly reduce the size of the index structure, thus, improve the search time.

In a later study, Liu et al., [53] proposes a Dictionary-based Fuzzy search method. The method takes a dictionary and a predefined edit distance value and generates a set of fuzzy keywords for each keyword in the search queries. However, instead of inserting a wild-card, this technique only injects words that exist in the given dictionary. At the search time, the query goes through the same process to get the fuzzy set extension from the dictionary and encrypts it before sending it to the server to be searched.

In fuzzy keyword search, the system needs to search for the entire list of fuzzy keywords which imposes an extensive overhead for a large edit distance. Therefore, to further enhance the fuzzy searching performance, Wang et al., [11] build a tree from the fuzzy keyword set that reduces the search to of the fuzzy list’s size.

5.3.2 Stemming Search

Utilizing the Fuzzy Keyword Search makes searchable encryption systems more resistant to minor typos, but in many cases does not exactly cover the semantic perspective. In fact, two keywords having a close lexicographical distance does not necessitate that they are semantically related. Different words (e.g. “student” and “studying”), despite having a large edit distance (4), are highly semantically related. The stemming search method aims at solving this problem based on the belief that semantically related words tend to start from the same root (stem).

The model is the same as other searchable encryption systems: a user encrypts documents and extracts keywords as an encrypted index. The difference in this system is the additional step it takes to convert the keyword set into a set of stem words. When a user searches for a query, the query keywords are replaced by its stem words [12]. There are three ways to extract the stem of a word:

  • Affix stripping: This method applies well-known stemming algorithms to find the stem of a word. Prominent methods include the J.B. Lovins [54] and Porter stemming algorithms [55]. These algorithms remove the suffix and prefix to get the root of a word. However, these algorithms require the language knowledge and can be computationally costly.

  • Statistical Stemming: known as n-gram stemming algorithm to statistically find the frequency of contiguous sequence of

    items from a given sequence of text in the whole document [56]. The lowest frequent n-gram is considered to be the stem (also called root).

  • Hybrid: Utilizing both of the aforementioned methods to find the stem.

Both the uploaded documents and the search query extension go through the same process to get the stemming of the extracted keywords. These stemming keywords are stored in the index on of the third-party server (e.g., public cloud) and used for in the search process.

5.3.3 Ontological Semantic Search

Fuzzy keyword and stemming searchable encryption methods cannot truly capture the semantic essence in searching. For example, if a user intends to search for “robbery”, she is interested to see results about “burglary” or “break in” as well. However, neither the fuzzy presentation nor the stemming method can capture this type of semantic. In fact, the semantically related words neither share the same stem nor have a close edit distance. To resolve this problem, ontological semantic search was invented to find more meaningful and related data to the original query [27, 33]. As we can see in the taxonomy of Figure 3, Ontological semantic search can be achieved using synonym semantics, conceptual semantics, or a combination of the semantics. In this part, we explore these schemes, however, we first to revisit some of the preliminary concepts that are enablers of Ontological Searching:

  • Semantic Relationship: Psycholinguists, Church et al., [57] propose that the word association can be inferred from statistical description of semantic relationship between words through the co-occurrence of words. To calculate the similarity score between two keywords, Sun et al., [13] use data mining methods to effectively find out the co-occurrence degree between terms in a dataset. For two string and , the similarity score information is defined based on Equation 1.

    (1)

    where is the probability that and appear together; and are the probabilities that and appear independently in the collection. Higher values of the similarity score express the more relevance between and .

    Another method to measure the similarity is based on Cosine similarity

    [13, 58] that can be calculated using the vector presentation of the documents and the queries to get a relevant score of the closeness between the queries and documents.

  • Inverted Index: It is a data structure that maps each unique keyword to the documents that contain them. This structure keeps track a list of keywords throughout the whole dataset, each keyword is associated with list of documents that it appears in. For some work [13, 17, 34] in order to further assist ranking functionality, a normalized numerical relevance score often (value between [0,1]) is also given along with each document to indicate the relevance of it to the key .

  • Ranking function: In a large dataset, commonly, an abundant number of documents match a certain semantic search query with different degrees of relevance. Therefore, it is necessary for the user to receive the list of documents based on the relevance order. This introduces the need for a ranking function that measures the relevance of matching document to the search query. The most common ranking function is known as (term frequency, inverted document frequency) [13, 14] where indicates the significance of that keyword in the document and indicates the significance of the keyword over all documents in the dataset.

Different methods have been developed to measure the relevance of a given keyword in searchable encryption systems. Woodworth et al., [27] extend Okapi BM25 standardized text retrieval method [27] which use term frequency and inverse document frequency to calculate the semantic relevance of a given query to a document. These score later on is used to rank documents in the result set.

Sun et al., and Xia et al., [13, 20] propose different mechanisms for semantic searchable encryption by extending the query keywords and rank the result set. The data owner constructs metadata for each document and sends the encrypted metadata to a trusted server (e.g., a private cloud) to build an inverted index and a semantic relationship library (SRL). The inverted index is then sent and reside in the public cloud. Upon receiving a search query, the trusted server extends the query using the semantic relationship library to get ontologically related keywords and synonyms. Then, it encrypts the extended keywords and sends them to the public cloud to look up the index structure. The returned documents are ranked based on the relevance ranking functions and sent back to the user.

In another study, Moh et al., [14] introduce three schemes to learn the semantic meaning of a search query in order to produce accurately related result. Particularly, they propose Synonym-Based Keyword Search (SBKS), Wikipedia-Based Keyword Search (WBKS), and a combination of the two schemes called WBSKS. In SBKS scheme, besides extracting the important keyword of the document, its synonyms that represent the semantic of a document are collected. The encrypted version of these keywords and synonyms are sent to the cloud to form a searchable index. Similarly, the search query is also extended with its synonyms to form the trapdoor. Then trapdoor is compared with the cloud index structure to find documents that are semantically matching the search query. In WBKS scheme, a pre-defined set of Wikipedia articles (WKS) are collected and a vector representation (VR) [14] of them are created using the term frequency and inverse document frequency () technique.

When document is uploaded, its VR is then compared against the VR in WKS and the obtained score is stored in the index structure. In the searching phase, the user query is converted to a VR and is compared to the WKS library using cosine similarity method. This score is then added to the trapdoor to let the server know how semantically related the query is to the WKS library. The cloud server computes the cosine similarity score of the trapdoor and the existing entries in the index to create a ranked list of documents and returns to the user. In WBSKS scheme, both SBKS and WSKS techniques are used. SBKS is used to expand the query in the Search phase and WSKS is used to construct the expanded index of the uploaded documents of the Setup phase.

Another way to get the semantic meaning is by using WordNet [17]. WordNet is a tool created by Princeton University that contains a dictionary including word definitions and their synonyms. For example, Yang et. al [59] utilize WordNet to construct a semantic keyword set. Before the query is encrypted and searched with, each query keyword is expanded with the provided synonyms.

Woodworth et al., [27] further propose work that reduces the number of terms put in the index by extracting only the most important terms from an uploaded document, and extends the query using Wikipedia and Synonym to capture the broader meaning of the query. The result is a space-efficient index which still achieves an accurate semantic search.

Table 1 provides a summary of categorization of different searchable encryption approaches in terms of components mentioned in Figure 2. We point out references to the works in each searchable encryption type, so readers could easily compare the difference between these works.

Search Approach

File

Extractor

Using

Index File

Multi-keyword

Searching

Query Expansion

Ranking

Search Result

Keyword Search N/A [36, 47, 34, 35, 39] [48, 49] N/A [34, 35]
Regular Expression Search N/A N/A N/A [19, 50] [12, 10, 35, 24, 36, 31]
Semantic Search [27, 51, 13, 17, 34] [27, 13, 17, 34] [27] [27, 51, 25] [27, 13, 20, 14]
Table 1: Categorizing different studied searchable encryption systems in terms of components they contain.

6 Security Analysis of Searchable Encryption Systems

Based on security criteria of searchable encryption systems (mentioned in Section 4.1) and the level of information leakage, we can categorize current searchable encryption systems into four security levels. The differences between these security levels are summarized in Table 2 and are explained below.

Security Level

Leak Plain

Text Document

Using Trusted Computational Base

Leak Index

Data

Plain

Data Stored Remotely

Leak Access

Pattern

Leak Search

Pattern

Related

Works

Somewhat secure No Yes No Yes Yes Yes [13, 19, 11]
Semi secure No No Partially No Yes Yes [27, 17]
Secure No No No No Yes Yes [12, 10, 35, 24, 36, 31]
Fully secure No No No No No No [41]
Table 2: Security level of current secure search systems.
Somewhat Secure

The searchable encryption systems in this category often deploy a trusted server (also known as a private cloud [13] or a gateway [19]) in between the third-party server (e.g., public cloud) and the client device. The searchable encryption systems that leverage edge/fog computing [60] paradigms also fall under this category.

In Somewhat Secure searchable encryption systems, unencrypted documents are sent to the private cloud, where they are parsed and encrypted to form the index structure. These systems not only leak access and search patterns, but also expose the documents’ contents to an internal attacker of the trusted server. Sun et al., [13] make use of the computational capacity of private clouds to build a Semantic Relations Library (SRL). The SRL quantifies the semantic distance of each term to other terms based on their co-occurrence in the dataset. However, SRL is maintained unencrypted on the private cloud, hence, is susceptible to attacks on the private cloud.

Semi Secure

In searchable encryption systems with this level of security, the auxiliary index structure is partially encrypted. That is, some information about the documents or the keywords are not encrypted and can be leaked from the index structure.

In [17], the index structure keeps track of encrypted keywords and for each keyword, the list of documents that include the keyword. However, the weight (i.e., score) of the keyword in each document is maintained in an unencrypted manner. Therefore, the index structure is partially encrypted and reveals the relevance score that represents the relatedness of a given keyword to a document. In [27], Woodworth et al., provided a semantic search system for encrypted data in the cloud. Their system, named S3C, also exposes the frequency of a keyword within the original documents. These unencrypted data are considered security holes in the searchable encryption system that attackers can take advantage of and conduct a statistical attack.

Secure

Such searchable encryption systems do not trust any part of the system, except the client’s device. Also, the auxiliary index is properly secured and does not expose any plain text data to the server. Keywords in the index structure are hashed using SHA-1 or HMAC-SHA [35, 61] methods. Also, relevance scores are encrypted using OM-OPSE method (as explained in Section 4.3).

Because of the aforementioned reasons, Secure searchable encryption systems are less prone to internal attacks, in compare to those in the Somewhat or Semi Secure categories. However, the Secure searchable encryption systems still leak the access and search patterns. Although there are methods (e.g., Private Information Retrieval [62, 30], Oblivious RAM [41]) to avoid such leaks, they slow down the search process. Thus, Secure searchable encryption systems prefer to expose these leaks in favor of the search performance. Instances of Secure searchable encryption systems can be found in [12, 10, 35, 24].

Fully Secure

The searchable encryption systems in this category provide full security of the data and the search operation. Systems in this category do not even reveal the search and access pattern to the server.

Research undertaken by Goldreich et al., [41] falls into the fully secure category. It provides search and access pattern security through ORAM method (see Section 4.2). This strong security, however, comes with poly-logarithmic rounds of communication between the server and the user, which restrains its usability. In the same research, the authors introduced another method that needs only two-round communication between the users and the server. Nonetheless, it induces a square root complexity overhead in the set up phase.

7 Application Driven Domain

Certain regulations [63] require some businesses and industries (e.g., health care) to store their data in a secure a manner. As such, they need to store their data in an encrypted format, if they were to use a third-party servers or a public cloud for storage. Therefore, there have been several efforts from those businesses to tailor searchable encryption solutions for their specific domains. This section provides an overview of such works. In the rest of this section, we investigate such domain-specific searchable encryption systems.

Health care

For health care providers, all Personal Health Records (PHRs) have to be encrypted to guarantee a patient’s privacy [64]. Health care providers focus on maintaining the privacy of PHR in an emerging patient-centric model that uses public clouds to easily store, retrieve, and share health information between medical centers. Although the public cloud solutions are convenient and attractive for health care providers, privacy concerns restrain its potential [65].

The owner of the PHR has the utmost right to share and distribute the decryption key to other users for personal or professional purposes [64]. However, the encrypted PHR makes key functionalities, such as keyword search by multiple users challenging. Multiple data users need to request for the decryption key to access the encrypted PHR. However, the key requests by users are generally unpredictable and this makes it challenging for the data owner to manage key distribution, as they are not always online [64]. To overcome this challenge, attribute-based encryption (ABE) scheme is proposed [66]. In ABE, there is a set of attributes that manage the access policies. Only users with the valid decryption key that matches the attribute can decrypt the patient’s PHR and users with a revoked key cannot do anything with the encrypted PHRs. The ABE encryption scheme also enables a patient to exchange PHRs with a group of users without prior knowledge of the complete list of users.

In [18], Naseeruddin et al., developed an ABE-based schema that allows the system to audit user access, allowing it to identify the source of a breach and detect if information is distributed properly or if there was illegal access to the data. An encrypted PHR will be delegated to trusted authorities from the data owner (patient). To access and search on the encrypted data, a data user need to acquire the approval of trusted authorities. Their work modified ABE with a signature threshold where a valid message is guaranteed if there are at least valid signature shares out of verified parties. In the Key generation algorithm of ABE, the key is generated based on an ABE-modification to encrypt the data before outsourcing it to the public cloud, which can be searched later to retrieve necessary information.

Another modification of ABE is proposed in [64, 67] to add another layer of fine-grained privacy protection beyond the underlying cryptographic mechanisms to enable searchable encryption or data access control. The study develops a hierarchical predicate encryption (HPE), in which the data owner generates a key and distributes it to a local trusted authority (LTA). These LTAs are able to delegate the key to allow authorized users to search to that patient’s PHR. In the search phase, the server has to verify that the user has a valid signature from a registered LTA before performing search. It is worth noting that this study only supports keyword search, and not other forms of search.

These methods are appropriate for normal medical procedures, but may hamper first-aid treatment in emergency situations in which a patient’s life is at risk and an authorized user is not present. To combat this challenge, Yang et al., [68] implement adaptive dual-layer access control, in which normal approved users are allowed to see all of the patient’s health care data, while outside users can view a subset of the data in emergency situations using a password-based break-glass access mechanism. This approach provides data security while limiting danger in emergency scenarios.

Law Enforcement

Other industries, such as law enforcement, can potentially have privacy restrictions in granting access to their datasets. Data owners, in this industry, require data that is stored in external sources (e.g., in a cloud) to be encrypted, and searchable encryption systems may only be used to enable search over data without providing direct access to the data. For example, a detective needs to know if the subject has any matching record in the court reports. The detective but does not need to (or cannot) access the information of all people in the court system.

Text Editors

Li et al., [25] propose a secure search system which could handle user typos through a fuzzy keyword search. Wang et al., [11] used a similar approach to find matches for similar keywords to the user’s query by using edit distance as a similarity metric, allowing for words with similar structures and minor spelling differences to be matched. However, these methods reveal the topic of the external sources that an attacker can use to categorize the data sources based query retrieval.

Other Domains

Financial and military domains generally have strict data privacy and confidentiality rules [69], however, currently, there is no dedicated study on the particular use of searchable encryption in these domains.

8 Future Research Directions

1. Clustering Encrypted Data

Since the field’s inception, searchable encryption systems have primarily strived to improve search accuracy, performance, and security. Despite many provable improvements to security, searchable encryption solutions still need to enhance their performance and maintain the real-timeness of the search operation. This is particularly important as datasets get substantially larger, and with more businesses looking to outsource their big data to the cloud. One promising approach to dealing with big data is to cluster the data and restrict the search to relevant clusters. This approach presents several challenges: clustering encrypted keywords based on some meaningful semantic data, determining which clusters are most relevant at seasrch time, and determining how many of those clusters should be searched.

2. Searchable Encryption Across Multi-source Datasets

As datasets grow larger and more organizations opt to use remote cloud storage, it becomes increasingly likely that users and organizations will need to search across multiple sources. For example, a law enforcement officer who needs to obtain information on a suspect may need to search across datasets from other jurisdictions. One challenge to this is that each of these organizations can potentially have their own privacy and confidentiality policies and use various encryption standards. The datasets may also have different characteristics, such as document structure or length. Further research is needed to deal with a wider variety of data, and combining multiple levels of security.

3. Edge Computing for Searchable Encryption

Most current searchable encryption systems have a two-tier architecture, utilizing primarily a user-end and cloud-end. The user-end includes the client machine, often in the form of a thin-client (e.g., smart phone or tablet) with limited computational power. This often creates a performance bottleneck, as much of the document and query pre-processing must occur on the client-end since it is the only trusted component. An edge computing paradigm can be utilized to bypass this bottleneck. Use of this paradigm would add additional architectural tiers along the network between the server and client. Off-loading computational work to an edge node can substantially improve performance, but weakens security, as edge nodes are more vulnerable to attacks than clients. Further research efforts should determine what processes can be performed on edge nodes while minimally compromising security.

4. Utilizing Blockchain in Searchable Encryption

With recent breakthroughs, blockchain technology and decentralization idea nowadays are becoming more promising aspects and gaining more attention from the searchable encryption community. There are several of proposals to utilizing blockchain in searchable encryption. Hu et al., [70] introduce decentralized privacy-preserving search scheme leveraging smart contract where blockchain verifies the accuracy and fairness in the contract between users and cloud provider. In other research, Cai et al., [71]suggest decentralized storage platform which is an concept of people leasing their hardware capacity as a service. However, it is questionable that outsourcing data to other storage providers could be exposed threats of data integrity which is mentioned in [72] and thus affect autonomous payment of people involving the service [71]. The system proposed by Cai et al., [71] utilizes cryptocurrencies and cryptographic incremental hashing to solve the mentioned concerns. This is one of the very first works integrating blockchain with searchable encryption systems which starts a promising direction. Nevertheless, it would need more investigation and experiments to develop more mature approaches in the future.

9 Summary

In this work, we surveyed current searchable encryption systems and techniques that perform various forms of search operation on encrypted data located on an untrusted third-party cloud. We identified common components of the searchable encryption systems and the overall architecture through which these components interact with each other. Then, we provided a taxonomy that categorizes the searchable encryption systems based on the type of search operation supported by them. We analyzed the security of the current searchable encryption systems and categorized them into four security levels. We investigated particular demands of searchable encryption systems in various domains, such as health care and law-enforcement. Finally, we offered suggested directions for future research, including clustering data for improved search speed, searching across multiple datasets, and utilizing edge computing and blockchains.

Acknowledgments

We would like to acknowledge anonymous reviewers of the manuscript. This research was supported by the Louisiana Board of Regents under grant number LEQSF(2017-20)-RD-B-06, and Perceptive Intelligence, LLC.

References

References

  • [1] S. Marston, Z. Li, S. Bandyopadhyay, J. Zhang, A. Ghalsasi, Cloud computing—the business perspective, Decision support systems 51 (1) (2011) 176–189.
  • [2] M.-G. Avram, Advantages and challenges of adopting cloud computing from an enterprise perspective, Procedia Technology 12 (2014) 529–534.
  • [3] Z. Yan, X. Li, M. Wang, A. V. Vasilakos, Flexible data access control based on trust and reputation in cloud computing, IEEE Transactions on Cloud Computing (TCC) 5 (3) (2017) 485–498.
  • [4] A. S. Sohal, R. Sandhu, S. K. Sood, V. Chang, A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things environments, Computers & Security 74 (2018) 340 – 354.
  • [5] M. Nakayama, C. Chen, C. Taylor, The effects of perceived functionality and usability on privacy and security concerns about cloud application adoptions, Journal of Information Systems Applied Research 10 (2) (2017) 529–534.
  • [6] V. Chang, Y.-H. Kuo, M. Ramachandran, Cloud computing adoption framework: A security framework for business clouds, Future Generation Computer Systems 57 (2016) 24 – 41.
  • [7] J. Singh, T. Pasquier, J. Bacon, H. Ko, D. Eyers, Twenty security considerations for cloud-supported internet of things, IEEE Internet of Things Journal 3 (3) (2016) 269–284.
  • [8] A. Meharwade, G. Patil, Efficient keyword search over encrypted cloud data, Procedia Computer Science 78 (C) (2016) 139–145.
  • [9] Y. Wang, J. Wang, X. Chen, Secure searchable encryption: a survey, Journal of Communications and Information Networks 1 (4) (2016) 52–65.
  • [10] D. X. Song, D. Wagner, A. Perrig, Practical techniques for searches on encrypted data, in: Proceedings of IEEE Symposium on Security and Privacy, 2000. S&P 2000., 2000, pp. 44–55.
  • [11] J. Wang, H. Ma, Q. Tang, J. Li, H. Zhu, S. Ma, X. Chen, Efficient verifiable fuzzy keyword search over encrypted data in cloud computing, Computer science and information systems 10 (2) (2013) 667–684.
  • [12] T. Moataz, A. Shikfa, N. Cuppens-Boulahia, F. Cuppens, Semantic search over encrypted data, in: Proceedings of 20th International Conference on Telecommunications (ICT), 2013, pp. 1–5.
  • [13] X. Sun, Y. Zhu, Z. Xia, L. Chen, Privacy-preserving keyword-based semantic search over encrypted cloud data, International journal of Security and its Applications 8 (3) (2014) 9–20.
  • [14] T.-S. Moh, K. H. Ho, Efficient semantic search over encrypted data in cloud computing, in: Proceedings of 12th International Conference on High Performance Computing & Simulation (HPCS), 2014, pp. 382–390.
  • [15] C. Bösch, P. Hartel, W. Jonker, A. Peter, A survey of provably secure searchable encryption, ACM Comput. Surv. 47 (2) (2014) 18:1–18:51. doi:10.1145/2636328.
    URL http://doi.acm.org/10.1145/2636328
  • [16] G. S. Poh, J.-J. Chin, W.-C. Yau, K.-K. R. Choo, M. S. Mohamad, Searchable symmetric encryption: Designs and challenges, ACM Comput. Surv. 50 (3) (2017) 40:1–40:37. doi:10.1145/3064005.
    URL http://doi.acm.org/10.1145/3064005
  • [17] M. Saleem, M. Warsi, N. S. Khan, Secure metadata based search over encrypted cloud data supporting similarity ranking, International Journal of Computer Science and Information Security 15 (3) (2017) 353–361.
  • [18] N. Ali, N. Pathan, S. P. Dubey, Privacy and protection of mobile health data on secure cloud storage, Imperial Journal of Interdisciplinary Research 3 (4).
  • [19] M. Amini Salehi, T. Caldwell, A. Fernandez, E. Mickiewicz, D. Redberg, E. W. D. Rozier, S. Zonouz, RESeED: Regular Expression Search over Encrypted Data in the Cloud, in: Proceedings of the 7th IEEE Cloud conference, Cloud ’14, 2014.
  • [20] Z. Xia, Y. Zhu, X. Sun, L. Chen, Secure semantic expansion based search over encrypted cloud data supporting similarity ranking, Journal of Cloud Computing 3 (1) (2014) 8–17.
  • [21] N. Cao, C. Wang, M. Li, K. Ren, W. Lou, Privacy-preserving multi-keyword ranked search over encrypted cloud data, IEEE Transactions on parallel and distributed systems 25 (1) (2014) 222–233.
  • [22] Z. Fu, X. Sun, Q. Liu, L. Zhou, J. Shu, Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing, IEICE Transactions on Communications 98 (1) (2015) 190–200.
  • [23] R. Curtmola, J. Garay, S. Kamara, R. Ostrovsky, Searchable symmetric encryption: improved definitions and efficient constructions, Journal of Computer Security 19 (5) (2011) 895–934.
  • [24] Y.-C. Chang, M. Mitzenmacher, Privacy preserving keyword searches on remote encrypted data, in: Proceedings of the 3rd International Conference on Applied Cryptography and Network Security, ACNS ’05, 2005, pp. 442–455.
  • [25] J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, W. Lou, Fuzzy keyword search over encrypted data in cloud computing, in: Proceedings of the 29th Conference on Information Communications, INFOCOM ’10, 2010, pp. 441–445.
  • [26] Z. Fu, F. Huang, K. Ren, J. Weng, C. Wang, Privacy-preserving smart semantic search based on conceptual graphs over encrypted outsourced data, IEEE Transactions on Information Forensics and Security 12 (8) (2017) 1874–1884.
  • [27] J. Woodworth, M. A. Salehi, V. Raghavan, S3C: An architecture for space-efficient semantic search over encrypted data in the cloud, in: Proceedings of 5th IEEE International Conference on Big Data (Big Data), 2016, pp. 3722–3731.
  • [28] L. Ballard, S. Kamara, F. Monrose, Achieving efficient conjunctive keyword searches over encrypted data, in: Proceedings of the 7th International Conference on Information and Communications Security, ICICS ’05, 2005, pp. 414–426.
  • [29] Z. Fu, K. Ren, J. Shu, X. Sun, F. Huang, Enabling personalized search over encrypted outsourced data with efficiency improvement, IEEE transactions on parallel and distributed systems 27 (9) (2016) 2546–2559.
  • [30] J. Baek, R. Safavi-Naini, W. Susilo, Public key encryption with keyword search revisited, in: Proceeding of the International Conference on Computational Science and Its Applications, Part I, ICCSA ’08, 2008, pp. 1249–1259.
  • [31] D. Boneh, E. Kushilevitz, R. Ostrovsky, W. Skeith, Public key encryption that allows pir queries, Advances in Cryptology-CRYPTO 2007 (2007) 50–67.
  • [32] D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M.-C. Rosu, M. Steiner, Dynamic searchable encryption in very-large databases: Data structures and implementation., in: NDSS, Vol. 14, 2014, pp. 23–26.
  • [33] J. Woodworth, M. Amini Salehi, S3BD: Secure Semantic Search over Encrypted Big Data in the Cloud, Concurrency and Computation: Practice and Experience (CCPE).
  • [34] C. Wang, N. Cao, K. Ren, W. Lou, Enabling secure and efficient ranked keyword search over outsourced cloud data, IEEE Transactions on parallel and distributed systems 23 (8) (2012) 1467–1479.
  • [35] C. Wang, N. Cao, J. Li, K. Ren, W. Lou, Secure ranked keyword search over encrypted cloud data, in: Proceedings of 30th IEEE International Conference on Distributed Computing Systems, ICDCS ’10, 2010, pp. 253–262.
  • [36] E.-J. Goh, Secure indexes, Cryptology ePrint Archive, report 2003/216 (2003).
    URL http://eprint.iacr.org/
  • [37] Z. Xia, X. Wang, X. Sun, Q. Wang, A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data, IEEE transactions on parallel and distributed systems 27 (2) (2016) 340–352.
  • [38] M. Ding, F. Gao, Z. Jin, H. Zhang, An efficient public key encryption with conjunctive keyword search scheme based on pairings, in: Proceedings of 3rd IEEE International Conference on Network Infrastructure and Digital Content, IC-NIDC ’12, 2012, pp. 526–530.
  • [39] S. Q. Ren, B. H. M. Tan, S. Sundaram, T. Wang, Y. Ng, V. Chang, K. M. M. Aung, Secure searching on cloud storage enhanced by homomorphic indexing, Future Generation Computer Systems 65 (2016) 102 – 110.
  • [40] P. Kocher, J. Jaffe, B. Jun, Introduction to differential power analysis and related attacks (1998).
  • [41] O. Goldreich, R. Ostrovsky, Software protection and simulation on oblivious rams, Journal of the ACM (JACM) 43 (3) (1996) 431–473.
  • [42] K. Banawan, S. Ulukus, The capacity of private information retrieval from coded databases, IEEE Transactions on Information Theory 64 (3) (2018) 1945–1956.
  • [43] T. Mayberry, E.-O. Blass, A. H. Chan, Efficient private file retrieval by combining oram and pir., in: Network and Distributed System Security Symposium, NDSS ’13, 2014.
  • [44] Z. Fu, X. Wu, Q. Wang, K. Ren, Enabling central keyword-based semantic extension search over encrypted outsourced data, IEEE Transactions on Information Forensics and Security 12 (12) (2017) 2986–2997.
  • [45] K. Li, W. Zhang, C. Yang, N. Yu, Security analysis on one-to-many order preserving encryption-based cloud data search, IEEE Transactions on Information Forensics and Security 10 (9) (2015) 1918–1926.
  • [46] A. Boldyreva, N. Chenette, Y. Lee, A. O’Neill, Order-preserving symmetric encryption, in: Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, EUROCRYPT ’09, 2009, pp. 224–241.
  • [47] C. Liu, L. Zhu, J. Chen, Efficient searchable symmetric encryption for storing multiple source data on cloud, in: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01, TRUSTCOM ’15, 2015, pp. 451–458.
  • [48] N. Cao, C. Wang, M. Li, K. Ren, W. Lou, Privacy-preserving multi-keyword ranked search over encrypted cloud data, in: 2011 Proceedings IEEE INFOCOM, 2011, pp. 829–837.
  • [49] Z. Xu, W. Kang, R. Li, K. Yow, C. Xu, Efficient multi-keyword ranked query on encrypted data in the cloud, in: 2012 IEEE 18th International Conference on Parallel and Distributed Systems, 2012, pp. 244–251.
  • [50] M. A. Salehi, T. Caldwell, A. Fernandez, E. Mickiewicz, E. W. D. Rozier, S. Zonouz, D. Redberg, RESeED: A secure regular-expression search tool for storage clouds, Software: Practice and Experience (SPE) 47 (9) (2017) 1221–1241.
  • [51] Z. Fu, X. Wu, C. Guan, X. Sun, K. Ren, Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement, IEEE Transactions on Information Forensics and Security 11 (12) (2016) 2706–2716.
  • [52] B. Wang, S. Yu, W. Lou, Y. T. Hou, Privacy-preserving multi-keyword fuzzy search over encrypted data in the cloud, in: Proceedings of IEEE Conference on Computer Communications, INFOCOM ’14, 2014, pp. 2112–2120.
  • [53] C. Liu, L. Zhu, L. Li, Y. Tan, Fuzzy keyword search on encrypted cloud storage data with small index, in: Proceedings of IEEE International Conference on Cloud Computing and Intelligence Systems, 2011, pp. 269–273.
  • [54] J. B. Lovins, Development of a stemming algorithm, Mech. Translat. & Comp. Linguistics 11 (1-2) (1968) 22–31.
  • [55] M. F. Porter, An algorithm for suffix stripping, Program 14 (3) (1980) 130–137.
  • [56] N. Durrani, H. Schmid, A. Fraser, P. Koehn, H. Schütze, The operation sequence model-combining n-gram-based and phrase-based statistical machine translation, Computational Linguistics 41 (2) (2015) 185–214.
  • [57] K. W. Church, P. Hanks, Word association norms, mutual information, and lexicography, Computational linguistics 16 (1) (1990) 22–29.
  • [58] N. Cao, C. Wang, M. Li, K. Ren, W. Lou, Privacy-preserving multi-keyword ranked search over encrypted cloud data, IEEE Transactions on Parallel and Distributed Systems (TPDS) 25 (1) (2014) 222–233.
  • [59] Y. Yang, X. Zheng, V. Chang, C. Tang, Semantic keyword searchable proxy re-encryption for postquantum secure cloud storage, Concurrency and Computation: Practice and Experience 29 (19).
  • [60] S. Yi, Z. Qin, Q. Li, Security and privacy issues of fog computing: A survey, in: International Conference on Wireless Algorithms, Systems, and Applications, Springer, 2015, pp. 685–695.
  • [61] F. Hahn, F. Kerschbaum, Searchable encryption with secure and efficient updates, in: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, 2014, pp. 310–320.
  • [62] E. Kushilevitz, R. Ostrovsky, Replication is not needed: Single database, computationally-private information retrieval, in: Proceedings of the 38th Annual Symposium on Foundations of Computer Science, 1997, pp. 364–373.
  • [63] N. J. King, V. Raja, Protecting the privacy and security of sensitive customer data in the cloud, Computer Law & Security Review 28 (3) (2012) 308–319.
  • [64] M. Li, S. Yu, Y. Zheng, K. Ren, W. Lou, Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption, IEEE transactions on parallel and distributed systems 24 (1) (2013) 131–143.
  • [65] J.-J. Yang, J.-Q. Li, Y. Niu, A hybrid solution for privacy preserving medical data sharing in the cloud environment, Future Generation Computer Systems 43 (2015) 74–86.
  • [66] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: Proceedings of the 13th ACM conference on Computer and communications security, Acm, 2006, pp. 89–98.
  • [67] M. Li, S. Yu, N. Cao, W. Lou, Authorized private keyword search over encrypted data in cloud computing, in: Distributed Computing Systems (ICDCS), 2011 31st International Conference on, IEEE, 2011, pp. 383–392.
  • [68] Y. Yang, X. Zheng, W. Guo, X. Liu, V. Chang, Privacy-preserving smart iot-based healthcare big data storage and self-adaptive access control system, Information Sciences.
  • [69] A. I. Anton, J. B. Earp, Q. He, W. Stufflebeam, D. Bolchini, C. Jensen, Financial privacy policies and the need for standardization, IEEE Security & privacy 2 (2) (2004) 36–45.
  • [70] S. Hu, C. Cai, Q. Wang, C. Wang, X. Luo, K. Ren, Searching an encrypted cloud meets blockchain: A decentralized, reliable and fair realization, in: IEEE INFOCOM, 2018.
  • [71] C. Cai, X. Yuan, C. Wang, Towards trustworthy and private keyword search in encrypted decentralized storage, in: 2017 IEEE International Conference on Communications (ICC), 2017, pp. 1–7.
  • [72] S. Basu, A. Bardhan, K. Gupta, P. Saha, M. Pal, M. Bose, K. Basu, S. Chaudhury, P. Sarkar, Cloud computing security challenges & solutions-a survey, in: Computing and Communication Workshop and Conference (CCWC), 2018 IEEE 8th Annual, IEEE, 2018, pp. 347–356.