3.1 Threat Model

We assume that the data owner is credible and the users authorized by the data owner are also trusted. The cloud servers store the encrypted index and documents and perform SSE. We consider the cloud servers are untrusted and malicious which may perform active attacks. The server might deduce some sensitive information from the search results. Besides, when a client lunch a query, the servers may return partial search results to the user. Or the servers may initiate replay attacks. We try to mitigate such attacks in our scheme.

In addition, we don’t consider the access pattern leakage and query pattern leakage which can be tackled by oblivious methodologies. Also we don’t consider the information leakage through side channel or timing channel.

3.2 Design Goal

In this paper, our goal is to design an Efficient, Secure, Verifiable SSE scheme on the three-party model. We try to achieve the following goals:

1. The user can verify the correctness of the received result from the server.

2. The user can detect whether the server is launching a replaying attack.

3. The overall performance can be reasonably improved. For example, when the server receives the user′s query, the server can save the overall cost through our specific algorithm and data structure.

4. The proposed data structure and algorithm can support efficient dynamic updating.

4.1 System Structure

Fig. 1 shows the overall structure of our scheme. It consists of data owners, cloud servers, and authorized users. The data owner stores the encrypted data in a cloud server. Authorized users can search the data of the cloud server. Data owners have administrative rights over data in the cloud.

Fig. 1.

The system architecture of ESVSSE on the three-party model.

Show All

4.2 System Model

We aim to develop an Efficient, Secure, Verifiable Symmetric Searchable Encryption scheme(ESVSSE). The data owner uploads the encrypted documents, authenticator and the security index using the B+-Tree to the cloud server. This scheme allows the user to verify the integrity and freshness of the search results. Our ESVSSE scheme is defined as follows: ESVSSE is a three-party model where data owners store secure indexes, authenticators, and encrypted documents on the cloud server. The data owner can authorize users to query the cloud servers. The authorization procedure is similar to [20]. The cloud server provide storage and search capabilities. Authorized users can initiate query and verification operations.

Definition 3. ESVSSE is a collection of seven polynomial-time algorithms.

• Gen (1k)→{K1,K2,K3,(ssk,spk)}: is a probabilistic algorithm that takes as input a security parameter k and outputs private keys K1,K2,K3, and a random signing key pair (ssk, spk) and it is executed by the data owner.

• Init(K1,K2,K3,ssk,D)→{I,π,πbf,C }: is an algorithm executed by the data owner. It takes as input the secret keys K1,K2,K3, the signing private key ssk, and the document set D, and outputs the secure index I, encrypted documents C, the authenticator π and the authenticator of Counting Bloom Filter πbf. The πbf is an authenticator, which can provide proof when the keyword queried by the user does not exist. The data owner stores the I and πbf locally and meanwhile sends I, C, π, and πbf to the cloud server.

• PreUpdate(K1,K2,K3,ssk,f)→{τω,π,πbf}: is an algorithm that takes as private keys K1,K2,K3, and the signing private key ssk, and the file f to be updated, and outputs the update tokens τω and the authenticator π. The data owner runs the algorithm and sends τω, πbf, and authenticator π to the cloud server.

• Update(I,τω)→{I′}: is an algorithm that takes as secure index I and updated tokens τω, and outputs the new secure index I′, and is run by the cloud server.

• Trapdoor(K1,ω)→{τω}: is a deterministic algorithm run by the authenticated user to generate a trapdoor for a given keyword. It takes as input a secret key K1 and a keyword ω, and outputs a trapdoor τω corresponding to ω.

• Search(I,τω,tq)→{(ρ,πtq,πc,Rω)or(πbf)}: is a deterministic algorithm run by the server. It takes as input the secure index I, the trapdoor τω, the query time tq, and outputs the path list ρ of search results, the authenticatorπtq,πc, and encrypted documents Rω of search results. Finally, the server sends ρ,πtq,πc, and Rω to the user, or output a proof authenticator πbf.

• Validation(K1,K2,K3,spk,Rω,ρ,πtq,πc,τω,πbf,)→{0,1} : is an algorithm run by the authenticated user that takes as input symmetric keys K1,K2,K3, the public key spk, the query result Rω, the secure list ρ, authenticator πtq,πc, πbf, and the token τω corresponding to ω, it outputs a bit b. It represents the user accepts the result of the query when b is equal to 1, and rejects the search results when b is equal to 0.

  ⎧⎩⎨⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪πi,0=(νi,0,Sig(νi,0))upi<tpi,0≤upi+1νi,0=EncK3(rti,0||tpi,0)…πi,j=(νi,j,Sig(νi,j))tpi,j−1<tpi,j≤upi+1νi,j=EncK3(rti,j||tpi,j||νi,j−1)…πi,n=(νi,n,Sig(νi,n))tpi,n=upi+1νi,n=EncK3(rti,n||tpi,nνi,n−1)(1)
  View Source \begin{equation*} \qquad\quad\left\lbrace \begin{array}{l}\pi _{i,0}=(\nu _{i,0},Sig_(\nu _{i,0})) \qquad \qquad up_{i}< tp_{i,0}\leq up_{i+1}\\ \nu _{i,0}=Enc_{K_{3}}(rt_{i,0}||tp_{i,0}) \\ \ldots \\ \pi _{i,j}=(\nu _{i,j},Sig_(\nu _{i,j})) \qquad \qquad tp_{i,j-1}< tp_{i,j}\leq up_{i+1}\\ \nu _{i,j}=Enc_{K_{3}}(rt_{i,j}||tp_{i,j}||\nu _{i,j-1}) \\ \ldots \\ \pi _{i,n}=(\nu _{i,n},Sig_(\nu _{i,n})) \qquad \qquad tp_{i,n}= up_{i+1}\\ \nu _{i,n}=Enc_{K_{3}}(rt_{i,n}||tp_{i,n} \nu _{i,n-1}) \\ \end{array} \right. \tag{1} \end{equation*}
  {πnbf=(ψnbf,Sig(ψnbf))ψnbf=EncK3(CBF||tpi,n||ψn−1bf)(2)
  View Source \begin{equation*} \left\lbrace \begin{array}{l}\pi ^{n}_{bf}=(\psi ^{n}_{bf},Sig_(\psi ^{n}_{bf}))\\ \psi ^{n}_{bf}=Enc_{K_{3}}(CBF||tp_{i,n} ||\psi ^{n-1}_{bf}) \qquad\qquad\qquad\qquad\qquad\end{array} \right. \tag{2} \end{equation*}

5.1 Building Secure Index

We use the B+-Tree structure to build a secure index. The index is built from the collection of documents D and the inverted list Δ calculated from the documents set. The inverted list includes four parts: all keywords, the documents corresponding to the keywords, the trapdoor corresponding to the keywords, and the keyword corresponds to the hash value of the document. We build a B+-Tree using key-value pairs and the value only stored in the leaf node of the B+-Tree. In order to prevent cloud server from launching replay attacks and ensure the freshness of the root, we maintain a timestamp-chain for authenticators, such that users can trace authenticators in the chain and ensure if the root is fresh. The data owner generates the authenticator according to Equation (1). Here i represents the ith update interval, and j represents the jth authenticator in the interval. νi,jrepresents the encryption of the timestamp tpi,j and root rti,j of the B+-Tree. πi,j includes νi,jand includes the signature of the data owner to νi,j. πbf is calculated according to Equation (2). πbf is an authenticator that maintains a timestamp chain and a signature. CBF is a Bloom Filter that includes all tokens and supports efficient updating. The pseudo code for Init algorithm is shown in Fig. 2.

Fig. 2.

Algorithm. Init.

Show All

An example illustrates the Bloom Filter as shown in the Fig. 3. Suppose the data owner has three tokens, the server hashes it through the four hash functions to the Bloom Filter. Suppose the user gives a token to the query. The server checks if there is a τωicorresponding to it in the Bloom Filter. All it takes is to hash the user’s query τωi into the Bloom Filter using four hash functions. The cloud server only needs to check if the corresponding result is all 1 corresponding to it. If all is 1, the τωi to be queried exists, otherwise it does not exist. Fig. 4. is a case where the trapdoor to be queried does not exist. Due to the ordinary Bloom Filter does not support dynamic updating. So we introduce Counting Bloom Filter to solve this problem through an array to count the number of occurrences of each bit. As shown Fig. 5, if there are two keywords. The token is hashed to the Bloom Filter by 3 hash functions. The one-dimensional array is used to count the number of occurrences of the corresponding bit. For the add operation, the corresponding bits are increased by 1. And the bits corresponding to the delete operation are decreased by 1.

Fig. 3.

The token queried by the user exists in the Bloom Filter.

Show All

Fig. 4.

The token queried by the user don’t exists in the Bloom Filter.

Show All

Fig. 5.

Description of the counting bloom filter.

Show All

5.2 Query Procedure

When an authorized user needs to query the data of the cloud server. First, the user generates a token for the keyword. Then, the user sends the token to the cloud server. The cloud server performs the search algorithm. The specific algorithm is shown in Fig. 6. When the cloud server receives the token sent by the user,

Fig. 6.

Algorithm.Search.

Show All

5.3 Verifying the Search Results

For the verification of data integrity, we use a hash function to hash each node of the B+-Tree from the leaf node to the root node layer by layer. The user can verify the integrity of the query results according to the root node. Another way is that the data owner only hashes all the leaf nodes. This paper uses a timestamp mechanism to verify the freshness of the data. The timestamp mechanism is shown in Fig. 7. It includes the update interval and the authenticator π. The update interval is set by the data owner based on the frequency of the update. The authenticator is composed of the root and the timestamp of the B+-Tree.

Fig. 7.

Description of the timestamp-chain mechanism.

Show All

In order to prevent the server from returning partial or historical versions of the query results. The authorized user performs the verification algorithm (shown in Fig. 8) when the user receives the query result from the cloud server. Similarly, there are two cases in which the results are verified. One is that the keyword does not exist and the other is that the keyword exists.

Fig. 8.

Algorithm.Validation.

Show All

When the queried keyword does not exist, the user can use the πbf authenticator to check whether the keyword is really non-existent. Through the verification algorithm, the user can verify whether the server is malicious. The CBF authenticator consists of CBF Bloom Filter with time-stamp and the corresponding signature of the data owner. The user can check the non-existence of tokens through CBF. The freshness of the CBF can be checked by the time-stamp mechanism. If the verification algorithm returns 1, the user accepts the result from the server. Otherwise, it rejects the returned result. The user can prove whether the server is malicious. And the complexity of the verification is O(1). And the cost for the user is negligible.

When the searched keyword exists, the user needs to build the root of the B+-Tree based on the results returned by the server and use the root to verify the integrity of search results. The freshness of the results is verified based on the timestamp in the decryption authenticator. The user can build root based on the list returned by the server and verify the integrity of the returned result by comparing it with the root of the authenticator.

Let us explain what is a replay attack by the following example. Let’s consider the following situations: 1. When the user queries at t1(see Fig. 7.), wheret1 <tpi,0, the server can only return πi−1,n to the user. When a user queries at t2after the data update event at tpi,0, the server has two options: the one is returns the authenticator πi,0to the user. the other is that sends the authenticator πi−1,n to the user. When the server returns πi−1,n to the user, the server launches a freshness attack.

5.4 Update

The Update algorithm updates the secure index on the server and supports three operations, i.e., the add, delete, and edit operations. The data owner first executes the pre-update algorithm to create the tokens for the update algorithm, CBF, the signature and sends them to the cloud server. Then, the cloud server executes the update algorithm to update the CBF and the secure index I. Since both the security index and the files are encrypted. The server cannot learn anything useful from it. For add operation, the data owner needs to generate {τω,GK2(f)}pairs, where τω is the token of a specific keyword extracted from the file f, and GK2(f) is a pseudo-random string of f. The cloud server finds the corresponding leaf node based on its token and the value {IHK2(f)} to the existing node value. If the token does not have a corresponding leaf node, a new leaf node will be created. The corresponding bits in the Counting Bloom Filter also need to be increased by 1(see Fig. 5.)The authenticator πbf and π also need to be updated by the data owner. For π and πbf, the update is performed according to Equations (1) and (2) respectively. The data owner sends the updated authenticator πbf and π to the cloud server. The delete operation is similar to the add operation. And, the edit operation is equivalent to add a new file after deleting an old file.

5.5 An Illustrative Example

We illustrate our scheme through an example. Suppose there are nine files to initialize, i.e.{f1,f2,f3,f4,f5,f6,f7,f8,f9}, which contain nine keywords presented in the inverted list (see the Fig. 9). The query tokens and values corresponding to the keyword are given in the inverted list (Fig. 9). Initially, we build the secure index by inserting the key-value pairs into B+-Tree (see Fig. 10). The data owner hashes all tokens to the Counting Bloom filter to generate a πbf. An authenticator π is generated according to Equation (1). For an update operation, adding a new file f10 that includes ω5 and ω10, the update tokens are divided into ['4af8',IH(GK2(f10))] and ['ff56' IH(GK2(f10))]. For the token '4af8' that already exists, the server needs to add IH(GK2(f10)) after the original node. For the new token 'ff56', the server needs to create a new node and assigns a new value IH(GK2(f10)) to it. The data owner needs to authenticator πbf and π accordingly.

Fig. 9.

The inverted list.

Show All

Fig. 10.

The index of B+-Tree.

Show All

Now suppose that the user wants to query the keyword ω3 and submit the corresponding token '30ba'. After the server receives the user′s token, it first tests whether it exists in the Bloom Filter. If it exists, the server searches for it to the user. The search path of this token is {IN1, LN2}, and the search list is [Mr2,Mr1,Mr0](see Fig. 11). When the user receives the results list ρ from the server, the user runs the validation algorithm. The user can generate the root hash according to the list ρ. If there is an attack, for example, the server only returns the file f3. The user can rebuild root hash values which will not be the same as the root of the authenticator. So it will return 0. If they are equal, it proofs server returns the correct result for the user. Suppose the user submits a token that does not exist in the proof index, e.g., token ′30bb′. The server only needs to send the user a proof authenticator πbf. The user verifies the signature then hashes the queried token to a Bloom Filter CBF′. The correctness of the result is verified by comparing the CBF′ with the CBF, which decryption in the authenticator πbf.

Fig. 11.

Search list ρ of an existing token '30ba'.

Show All

Proof.

We will prove that there is a polynomial time simulator S and a probabilistic polynomial time adversary A, the output is indistinguishable through Real and Ideal. First, S simulates the secure index I′by randomly selecting key-value pairs from |I| and inserting them into the B+-tree. At the same time, S selects a random string π′ of length |π| as a verifier. Meanwhile, S needs to hash the tokens of all selected keywords in the bloom filter. Each key-value pair in the B+-tree is encrypted by a pseudo-random function, and the confidentiality of the verifier is guaranteed by key-value pair encryption. Therefore, A cannot distinguish (I′,π′) from (I,π). A initiates a search, and lets S simulates a search token τω. First, the token τω queried by A is hashed into the CBF to check whether the token being queried exists. If the token τω of the query exists at I′, S selects a random selection of a result path and returns it to A. A cannot distinguish between a real token τω and a simulated token τω. For tokens that are queried later, if they have appeared before, they were the same as before, or the same as the first token of the simulation. Similarly, when A simulates the update of the token τω, the updated token is set to τ′ω, and the verifier π′ is set to a random string of the same length as π. For each query, A randomly selects a string to simulate a search token. In the Real game, all tokens are encrypted by the pseudo-random function F, and the adversary A cannot distinguish whether the simulated token is from RealSSE,A(k) or IdealSSE,A,S(k).

7.1 Performance Analysis

For checking existent is independent of the searching algorithm. The average performance of our scheme depends on the missing rate of the keywords. We define mr as missing rate. Suppose that the mr equals a%, this means if the user performs n queries, there are n×a% queried token that don’t exist. And the complexity of checking CBF is O(1), and it is independent of the scale of the dataset. The complexity of searching the B+tree is about O(|W|)) where |W| is the number of the keyword set. The average performance of our searching algorithm is about O(1)×a%+O(log(|W|))×(100−a)%. And the performance of verification is similar.

Whereas, the performance of the most current scheme with the same functionality is about O(log|W|). The overall performance improvement of our scheme depends on the missing rate of the queried keywords. The proposed CBF architecture is somewhat like a translation lookaside buffer in a memory system. And the CBF supports efficient dynamic updating. In addition, the performance of the users’ side is also improved similarly. This improvement is especially critical for energy or computation constrained devices.

In the real world, there are many cases that give rise to the increasing of the missing rate such as spelling errors, hitting an adjacent key when typing, etc. It also depends on how the index is built. For all these aspects vary across different people and different datasets, we will give a general analysis. People mainly operate computers through a keyboard interface. However, they often make spelling errors when using a keyboard, for example, hitting an adjacent key or using phonologically similar letters [40]. In [40], they define spelling errors as (1) a typo from an incorrect keyboard operation, (2) a spelling confusion from an incorrect identification. Their experiments show that the corrected errors, substitution errors were the most frequent, deletion and insertion errors were almost the same, and transposition errors were few. [41] studied the type of English spelling for students whose native language is English. Spelling errors of students were analyzed by grade-level spelling patterns and linguistic characteristics: phonological, orthographic, orthographic image, transposition, and morphological. Their results revealed that morphological spelling pattern errors occurred most frequently. Of the opportunities available for students to make linguistic spelling errors, phonological errors occurred 1.30 percent, orthographic errors occurred 8.52 percent, orthographic image errors occurred 8.23 percent, and morphological errors occurred 56.2 percent. The dataset also affect the built index as well as the way people build the index. For example, in the typical example of the Enron mailbox [42], if all the IDs are built in the index, it is hard for people to distinguish them.

7.2 Experiment Setup

In order to prove the feasibility of our proposed scheme, we have implemented it by using Java with the JDK 8.0. The prototype is written by about 4000+ lines of codes. The operating system we used is a 64-bit window7 system and the computer is with an i5-6500 CPU and 16 GB RAM. We use Python language to extract keywords. We use 128-bit AES to encrypt the authenticator and signs it with RSA signature. We implement two random-oracles with HMAC-SHA256 and SHA3-256. We use the Enron mailbox dataset [42]. The following sequences introduce our various aspects of experimental and testing results.

7.3 Index Construction Cost

First, we measure the delays of the initialization algorithm performed by the data owner as shown in Fig. 12. The Init algorithm includes the construction of the secure index, CBF, and the generation of the authenticator. All the delays and subsequent measurements are the average results with ten runs of experiments. We tested the delays of 500,000 key-value pairs for establishing a B+-Tree security index of a different order. We mainly test the relationship between the number of document keyword pairs and the total time required to generate a secure index and authenticator. We test the order of 100, 500, and 900 B+-Tree. As the number of key-value pairs increased, the time consumed is also increased. When the size of the key-value pair is less than 100,000, the time overhead is similar. When the number of key-value pairs is between 100,000 and 200,000, the time overhead of the 900th order is slightly larger than the other two, and the total time of the 100th and 500th order B+-Tree initialization is almost the same. When it is greater than 200,000, the B+-Tree has the minimum initialization time overhead of 100 steps, and the time cost of 900 orders is the largest. Overall, the initialization consumes around 1.5 seconds where the documents include 500,000 keywords, which is acceptable.

Fig. 12.

Init delays.

Show All

We measure the storage cost B+-Tree as shown in Fig. 13. The dataset contains 500,000 keywords. The storage overhead is about 100 MB. As the number of keywords continues to increase, the storage overhead also increases linearly. We tested the storage space of B+-Tree of different orders. As shown in Fig. 13, the storage space of the B+-Tree has little relationship with the order of the tree.

Fig. 13.

Storage cost of B+-Tree.

Show All

7.4 Performance of Update

The update delay is decided by the size of the database that is measured by the number of keywords. Strictly speaking, the delay is directly related to the order of the B+-Tree. To show the relationship between update latency and database size, we use different numbers of keywords to measure latency. Since the number of keywords varies from each file, we use the computing overhead to measure the number of keyword-document pairs that can be updated per second (see Fig. 14). When the number of key-value pairs is between 100,000 and 200,000, the computing overhead of delete operations decreases as the number of keywords increases. The computing overhead is almost balanced between 200,000 and 500,000. At the same time, the computing overhead and the order in this interval also has a certain relationship. As the order increases, the computing overhead of the delete operation is decreasing. In the case of a certain dataset, the computing overhead of the deletion follows the increase of the order, with a gap of 10,000 to 20,000. We observed that the computing overhead of adding and delete operations is almost the same. Both the computing overhead of adding and deleting are relatively stable.

Fig. 14.

Update thoughput.

Show All

7.5 Performance of Query

When the user launches a query operation, the token of the corresponding keyword is generated, and then the token is sent to the server. Fig. 15 shows the relationship between the number of keyword documents pairs and the search time when the server performs a search. Note that this experiment only measures the cost of generating the proof, and the the waiting time for the authenticator in the checkpoint is not included. Fig. 16 shows the query time performed on the CBF when the keyword queried by the user does not exist. As we can see from the picture, the server′s search time is about 0.03 milliseconds in the database containing 500,000 tokens. The time cost is stable and can be negligible. For the server just needs to return the corresponding CBF authenticator when there is no matching in the CBF. The complexity is about O(1) and the results are consistent with our performance analysis.

Fig. 15.

Search delay for tokens existence.

Show All

Fig. 16.

Search delay for tokens not present.

Show All

7.6 Performance of Verification

In Fig. 17, We evaluate the verification delays for the authorized users by the data owner. We can see that the search time is proportional to the number of keyword-document pairs. The larger the number of keywords, the longer the server will take to search. In the case where the number of keywords is constant, the time for the server to search is also related to the order of the B+-Tree. As shown in Fig. 17, the smaller the order of the B+-Tree, the longer the server searches. When the order of the B+-Tree is 500 and 900 respectively, the verification delays are similar, but search time delay is different. A database of 500,000 key-value pairs with a verification delay of approximately 4 milliseconds. As shown in Fig. 17, the user’s verification time is proportional to the size of the data set. When the data set is fixed, the time of verification cost is stable and very short. Whereas the validation cost of the other two schemes increases linearly.

Fig. 17.

Verify latency for token exist.

Show All

Fig. 18 illustrates the verification time when a keyword queried by a user does not exist and compares the result with previous work. Here, the verification time includes the time when the user decrypts the verifier and the time to perform the comparison verification. Since the time for the user to hash the queried keywords to the CBF is very efficient, it can be ignored. We tested the time trend of the CBF authenticator as the number of keywords changed. At the same time, we compare with the two schemes. The MVSSE in the Fig. 18 is the one proposed in the [36]. VSSE is the solution proposed in [15]. As can be seen from the figure, as the number of keywords increases, the ESVSSE scheme verification time is almost constant. The other two options are that as the number of keywords increases, so does the verification time. In general, our solution is more efficient than existing solutions under the same attack model conditions.

Fig. 18.

Authenticator πbf delays for token does not exist.

Show All

Fig. 19. shows the throughput for authenticator. Here, η is the update frequency of the data owner. The size of the first authenticator in each update interval is around 176 bytes, which includes 32 bytes of the root of B+-Tree, 8 bytes of the timestamp, an 8 bytes AES-CBC extension and a 128 bytes RSA signature. They consist of two parts: the overhead introduced by the fixed update time points and delays from data updates. We can see that when the update interval is reduced to 0, the bandwidth overhead is increased to about 2 KB per second, which is introduced by a fixed update time point, and it is inversely proportional to the bandwidth overhead. This bandwidth is introduced by the length of the authenticator. As the update interval grows, the length of the authenticator becomes larger.

Fig. 19.

Bandwidth consumption.

Show All

7.7 Storage Cost of Verification

In order to better verify the communication overhead of this scheme during the verification phase, we test the storage cost of the validator in different situations by testing the keyword document. Since this solution is divided into two cases, one is that the keyword searched by the user exists(see Fig. 20), and the other is that the keyword does not exist(see Fig. 21). And we test the size of the memory occupied by the verifier when the B+-tree order is different. It can be seen from the experiment that the size of the validator is also related to the B+-tree order. When the search token exists, the minimum validator size of the document keyword pair with a data set of 500,000 is 400 KB. When the order is 100, the memory occupied by the validator is 1100 KB. Therefore, the appropriate order is also a factor to reduce storage overhead. When the keyword does not exist, because the server returns the CBF verifier. The CBF verifier is all the leaf nodes of the hash B-tree, so it has nothing to do with the tree order. When the keyword document pair is 500,000, the storage overhead occupied by the validator is 1220 KB. In real life, it is full of data in various formats,Not just data in document format, so the index validator is still acceptable at the KB level.

Fig. 20.

The storage cost of Authenticator.

Show All

Fig. 21.

The storage cost of CBF Authenticator.

Show All

7.8 Comparison With Existing Schemes

We compare our scheme with the concrete implementation of dynamic SSE scheme proposed by Cash et al. [20] and Jie Zhu et al. [15]. The experiment Results show that the additional overhead introduced by ESVSSE scheme is not large. In order to justly compare the schemes, we test with the same dataset and parameters on our machine. As shown in Fig. 22, we measure the overall overhead of the initialization phase, the search phase and the update phase in those schemes. The average performance is calculated through ta×a%+te×(100−a)% where ta is the time cost for the keyword is absent, te is the time cost for the keyword exist, and mr is the missing rate of keywords. As shown in Fig. 22, the average performance is improved along with the missing rate mr. The results is consistent with our performance analysis.

Fig. 22.  图 22。

Comparison with other SSE.
与其他 SSE 的比较。

Show All

We verify the feasibility of this solution by comparing with the well-known dynamic SSE solution and the universal verifiable solution. In order to compare these schemes fairly, we use the same data set and parameters for testing on our machines. We tested on the famous mailbox data set, which contains 500,000 documents and extracted 2 million document keyword pairs from it. The test mainly includes two stages, initialization, search and update stage. Initialization is a test for indexing 2 million document-keywords, and testing for 10,000 data in the search and verification phase. In Table 3. Due to differences in search results, we report the average communication cost based on 5,000 runs. It can be seen from Table 3 that the average search token of SSE [20] is 390B, and the search result is 53 KB. The token of the GSSE scheme is 32B, and the search and verification overhead is 3 KB. In our scheme, the storage overhead of search verification is 2.7 KB. This shows that the overhead generated by EVSSE is better and acceptable.
我们通过与众所周知的动态 SSE 解决方案和通用可验证解决方案进行比较来验证该解决方案的可行性。为了公平比较这些方案，我们在我们的机器上使用相同的数据集和参数进行测试。我们在著名的邮箱数据集上进行了测试，该数据集包含 500,000 份文件，并从中提取了 2 百万份文件关键字对。测试主要包括两个阶段，初始化、搜索和更新阶段。初始化是对 2 百万份文件关键字建立索引的测试，并在搜索和验证阶段对 10,000 份数据进行测试。在 Table 3 。由于搜索结果不同，我们基于 5,000 次运行报告平均通信成本。从 Table 3 可以看出，SSE [20] 的平均搜索令牌为 390B，搜索结果为 53 KB。GSSE 方案的令牌为 32B，搜索和验证开销为 3 KB。在我们的方案中，搜索验证的存储开销为 2.7 KB。这表明 EVSSE 产生的开销更好且可接受。

TABLE 3 Comparison With the SSE Scheme [20] and [15]
与 SSE 方案 [20] 和 [15] 的比较表 3