We study formal privacy notions for data outsourcing schemes. The aim of our efforts is to define a security framework that is applicable to highly elaborate as well as practical constructions. First, we define the privacy objectivesdata privacy,query privacy, andresult privacy. We then investigate fundamental relations among them. Second, to make them applicable to practical constructions, we define generalisations of our basic notions. Lastly, we show how various notions from the literature fit into our framework. Data privacy and query privacy are independent concepts, while result privacy is consequential to them. The generalised notions allow for a restriction on the number of the adversary’s oracle calls, as well as a “leakage relation” that restricts the adversary’s choice of challenges. We apply the generalised notions to existing security notions from the fields of searchable encryption, private information retrieval, and secure database outsourcing. Some are direct instantiations of our notions, others intertwine the concepts. This work provides a privacy framework for data outsourcing schemes from various cryptographic fields with an unified view, from which several new interesting research questions emerge.

Authors and Affiliations

1. Karlsruhe Institute of Technology (KIT), Karlsruhe, Germany

   Dirk Achenbach & Jörn Müller-Quade

2. FZI Forschungszentrum Informatik, Karlsruhe, Germany

   Matthias Huber & Jochen Rill

Corresponding author

Correspondence toDirk Achenbach.

Editors and Affiliations

1. University of Primorska, Koper, Slovenia

   Enes Pasalic

2. Technical University of Denmark, Kgs. Lyngby, Denmark

   Lars R. Knudsen

A Further Case Studies

1.1A.1 Semantic Security against Adaptive Chosen Keyword Attacks

Goh [12] presents a security notion for index-based searchable encryption schemes. We give a translation into our formalisms. Trapdoors are translated to a view oracle.

Security Game 9 (\({\mathsf {IND}}\text {-}\mathsf {CKA}^{\mathcal {A}}_{(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Q})}\))

1. 1.

   The experiment chooses a key\(K \leftarrow \mathsf {Gen}(1^k)\) and a random bit\(b~\leftarrow ~\{0, 1\}\).

2. 2.

   The adversary\({\mathcal {A}}\) is given input\(1^k\) and access to an oracle\({\mathrm {view}}_{\mathfrak {S}}^{\pi _{\cdot }}({\mathsf {Enc}}(\cdot ,K))\).

3. 3.

   \({\mathcal {A}}\) outputs two plaintexts\(m_0\) and\(m_1\) of the same length to the experiment. The adversary must not have queried the oracle for words that are only in one of the two plaintexts.

4. 4.

   \({\mathcal {A}}\) is given\(\mathsf {Enc}_K(m_b)\) and access to an oracle\({\mathrm {view}}_{\mathfrak {S}}^{\pi _{\cdot }}({\mathsf {Enc}}(m_b,K))\).

5. 5.

   \({\mathcal {A}}\) submits a guess\(b'\) forb.

The result of the experiment is 1 if\(b'=b\) and 0 else.

\(\mathsf {IND}{} \mathbf - \mathsf {CKA}\) is a weaker form of Data Privacy. Were the adversary not restricted in choosing queries (Line 3. in Security Game 9), the notions would be equivalent. As in the case of Curtmola et al.’s notion (Sect. A.2), we prove the relation of Goh’s notion to our model without considering this restriction. Our security notions could easily be further generalised to include this restriction, however, we decided against this, as the applications of such restrictions seem limited.

Theorem 9

\({\mathsf {IND}}\text {-}{\mathsf {CKA}}\) implies static security.

The proof is a straightforward reduction and we omit it here.

Theorem 10

Database privacy implies\({\mathsf {IND}}\text {-}{\mathsf {CKA}}\).

Due to space constraints, the proof is only included in the full version.

1.2A.2 Adaptive Security for Symmetric Searchable Encryption

Curtmola et al.’s notionadaptive indistinguishability security for SSE [8] is also a security notion for symmetric searchable encryption based on indices.

Security Game 10 (\(\mathsf {Ind}^*_{\text {SSE},\mathcal {A},(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Q})}(k)\) [8])

1. 1.

   The experiment chooses a key\(K \leftarrow \mathsf {Gen}(1^k)\) and a random bit\(b~\leftarrow ~\{0, 1\}\).

2. 2.

   The adversary\(\mathcal {A}\) is given input\(1^k\) and outputs two plaintexts\(m_0\) and\(m_1\) of the same length to the experiment.

3. 3.

   \(\mathcal {A}\) is given\(\mathsf {Enc}_K(m_b)\).

4. 4.

   \(\mathcal {A}\) can output polynomially many pairs of queries\((q_0,q_1)\) and is given\(\mathrm {view}_{\mathfrak {S}}^{\pi _{q_b}}({\mathsf {Enc}}(d_b,K))\).

5. 5.

   \(\mathcal {A}\) submits a guess\(b'\) forb.

The result of the experiment is 1 if\(b'=b\) and 0 else. Note that in Curtmola et al.’s notion, Query Privacy and Data Privacy are intertwined. Thus, it can not be directly instantiated from our framework. We instead show how his notion relates to our notions.\(\mathsf {Ind}^*_{\text {SSE}}\) also requires the adversary to only choose plaintexts and corresponding search queries which have the same views for both databases. This is a very strict restriction which we do not take into consideration here. We instead focus on the more general notion.

Theorem 11

(\(\mathsf {Q}\text {-}\mathsf {IND} \wedge \mathsf {D}\text {-}\mathsf {IND} \implies \mathsf {Ind}^*_{\text {SSE}}\)). If a queryable outsourcing scheme has Query Privacy, Data Privacy implies\(\mathsf {Ind}^*_{\text {SSE}}\).

Theorem 12

(\(\mathsf {Ind}^*_{\text {SSE}} \implies \mathsf {D}\text {-}\mathsf {IND} \)).\(\mathsf {Ind}^*_{\text {SSE}}\) implies database privacy.

Due to space constraints, the proofs are omitted here. They are included in the full version.

Reprints and permissions

© 2016 Springer International Publishing Switzerland

Policies and ethics