In the following, we introduce new security notions for four concepts: data privacy, query privacy, result privacy and integrity of ciphertexts. Therefore, we divide the related work concerning security notions for data outsourcing schemes into three categories: notions which only consider the privacy of the outsourced data, notions which only consider the privacy of the queries, those which intertwine both and security notions for file systems.
Security Notions for Data Privacy There is a rich body of literature on data outsourcing schemes which only consider the privacy of the outsourced data in both static and adaptive settings. There are game-based notions [55, 67, 49], simulation-based notions [27, 26, 71], and notions that use the Universal Composability framework [21, 94, 78]. A well-known example for an adaptive security notion is IND-CKA established by Goh [55]. The intuition is that an adversary should not be able to distinguish two sets of data of his choosing based on the generated index even if he can issue and observe queries. However, in Goh’s notion, the queries the adversary can choose are strongly restricted: he is not allowed to query for words that are exclusive to one of the two sets he chooses as challenge. This severely restricts the kinds of schemes which can be described within this model.
An example for a notion which only considers static security is Huber et al.’s IND-ICP [67]. Here, the idea is that an adversary should not be able to distinguish the encryptions of two databases. However, the databases the adversary is challenged on are restricted to being independent permutations of one another.
Security Notions for Query Privacy Hiding queries on outsourced data on a single server has been studied in the context of Single-Server Private Information Retrieval [31] (PIR). The PIR notion requires that an adversary who observes access patterns cannot distinguish any two queries. PIR does not guarantee that the data itself is kept private [31]. There is a rich body of literature on PIR schemes which have sublinear communication complex- ity ([79, 20, 53]). However, all PIR schemes inherently have a computational complexity for the server which is linear in the size of the data [92]. The PIR
security notion is thus not applicable to efficient schemes.
The privacy of queries on data has also been investigated in the context of Oblivious RAMs (ORAMs) first introduced by Goldreich and Ostrovsky [56] and further explored and improved upon by others [87, 91, 38]. Similar to
PIR, an “oblivious” RAM is one that cannot distinguish access patterns—the data itself is not required to be private. As is the case with PIR, all ORAM constructions can not be considered efficient in our sense. They either have polylogarithmic computation cost while requiring the client to store a constant amount of data [91] or have logarithmic computation cost, but require the client to store at least a sublinear amount of data dependent on the size of the RAM [59]. Therefore, the security notion for ORAM is not suitable for our cause.
Security Notions for Data Privacy as well as Query Privacy There are security notions in the literature which consider both data privacy as well as query privacy. Chase et al. [29] introduce the simulation-based notion of “chosen query attacks” which models both the privacy of queries and that of the data. However, in their notion, the concepts of privacy for data and privacy for queries are intertwined. Haynberg et al. [62] try to separate both properties: they introduce the notion of “data privacy” and complement it with “pattern privacy”, which is similar to PIR. However, their notion for data privacy only allows the adversary to observe the execution of one query. While the notion works for their scheme, this limitation is too strict for other schemes.
Modeling Information Leakage A reoccurring pattern in security no- tions for practical schemes is the use of a leakage function which describes the information the scheme leaks to the adversary during execution. A certain amount of leakage seems necessary in order for schemes to be efficient. Cash et al. investigate the construction of efficient and practical schemes that also have a formal security analysis [27, 26]. Their analyses follow a simulation- based approach. The constructions leak information about the plaintext and the query which they explicitly model by a leakage function L. This is similar to Chase et al. [29], whose notion allows to describe the information that leaks through the encryption itself (L1) and the information about the ciphertext and the queries combined that is leaked by evaluating queries (L2).
Stefanov et al. [94] employ the same technique in the Universal Composability Framework. In game-based notions such leakage is modelled by restricting the challenges the adversary can choose. Thus, in our framework we define “leakage relations” that model information leakage.
Secure Cloud File Systems There are various existing commercial and free solutions for secure cloud storage 234. None of them have a formal proof of security. There has been research into how to model the security
2https://spideroak.com 3
http://tresorit.com
of file systems, however, most of this research is directed at disk encryption schemes. Damgård et al. [37] for example introduce a formalization of encryp- tion schemes for file systems that is based on the Universal Composability framework. However, there are many artefacts in their model which are not relevant in the cloud setting (e. g. they explicitly model physical and logical sectors). Their model also misses important components on which security is regularly based upon (i.e. different states for client and server) and thus is not well suited for our setting. Kristian Gjøsteen [54] and more recently Khati et al. [76] both introduce a game-based security model, which, however, is also only suited for modeling full disk encryption. There is a rich body of work regarding outsourcing schemes and corresponding security models which provide proofs of data possession (PDPs) and proofs of retrievability (e. g. Zhang et al. [99], Erway et al. [48] and Cash et al. [25]). Similar to our goals, all these schemes provide integrity for outsourced data. However, their requirements are fundamentally different. The goal of a PDP scheme is for a cloud provider to be able to prove that he has all of the outsourced data and that he did not modify it maliciously without requiring the user to hold a copy of the data himself and without having to download it. This is very useful if the server performs computations on the outsourced data without interaction of the user and the user wants to verify if all the data is still correct. In our case however, the server is only used for storage and users interact with the data only locally. Thus, all integrity checks can be performed by the user on the data itself. In order to achieve these particular integrity guarantees, PDP schemes require design and performance trade offs, which are also reflected in their security models. This makes the schemes incomparable to our scheme and the security models hard to adapt to our case.