Score:0

How does the "identifier" work in Symmetric Searchable Encryption?

zbo

I'm new to this field, Symmetric Searchable Encryption, and have read some papers in it. I notice that lots of these papers about SSE use identifiers when building the encrypted index and return identifiers as the search results to users.

These schemes seem to work like this: when users get the identifiers, they use them to download files from the server, or the server just sends the files along with the identifiers in the search phase.

What bothers me is: when I get a search result like $ids = \{doc1.txt,doc2.txt,doc3.txt \}$, what's the next step? When the user talks to the server and says "give me the file named $doc1.txt$", the server can easily give the user some other file, just name it $doc1.txt$, and return it to the user.

I know there is Verifiable Symmetric Searchable Encryption, but it seems "verifiable" means the search result is verifiable, i.e. if the result is $ids = \{doc1.txt,doc2.txt,doc3.txt \}$, the server cannot send $ids = \{doc1.txt,doc3.txt \}$ since the user can verify it. But the server can still fool the user with the rename trick.

How are these kinds of problems solved?
Am I missing or misunderstanding something?

Reference
[1] Bost, Raphael. "Σoφoς: Forward secure searchable encryption." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016.
[2] Demertzis, Ioannis, et al. "Dynamic searchable encryption with small client storage." Cryptology ePrint Archive (2019).
[3] Bost, Raphaël, Brice Minaud, and Olga Ohrimenko. "Forward and backward private searchable encryption from constrained cryptographic primitives." Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017.
[4] Bost, Raphael, Pierre-Alain Fouque, and David Pointcheval. "Verifiable Dynamic Symmetric Searchable Encryption: Optimality and Forward Security." IACR Cryptol. ePrint Arch. 2016 (2016): 62.

Aman Grewal
Presumably, the user can decrypt the file and remembers what she searched for. It should be pretty obvious if the server returned a file that didn't contain the search terms.
zbo
@AmanGrewal, thanks, that makes sense. I am trying to find out whether there is a technical way to prevent this situation.
Score:0

If you're using an AEAD cipher, you can use the id as the additional data. When the client tries to decrypt the file, the decryption will fail if the server tries to swap files.

zbo
After reading the answer and this post https://security.stackexchange.com/questions/179273/what-is-the-purpose-of-associated-authenticated-data-in-aead , I think it is solved. We can use the 'identifier' as the 'associated data' in AEAD, and if the content of the file is changed, it will fail to decrypt with the 'identifier' as AD.
zbo
Hence the rename trick won't work.