
Sophos – Forward Secure Searchable Encryption - nanis
https://eprint.iacr.org/2016/728
======
escapologybb
Hi,

I am not a cryptographer so I'm not entirely sure what I'm reading, I mean I'm
technically literate like most of you but cryptography is not my field.

Is there any chance it's possible for somebody to reduce this to an
understandable precis for the uninitiated, or is that a ridiculous question
considering the topic at hand?

Any clarification in explanation would certainly be welcome, I'd just like to
understand a little more. Thanks in advance!

~~~
swordswinger12
I do research in this area. What exactly would you like clarified?

~~~
m4dc4pXXX
* How is it possible to construct all the previous "search tokens" on the server side?

* The client does a lot of work (storing a map of all keys, for one). Could the client get away with ONLY generating a new search token when a document is updated/inserted? That is, could the client only be responsible for creating "UTc+1 ← H1(Kw, STc+1)" and "e ← ind ⊕ H2(Kw, STc+1)" (in the update portion of "Algorithm 1")? In other words, could the map W be stored on the server, as well?

Hope these questions make sense!

~~~
swordswinger12
- Usually the SSE model accounts for a malicious server that just stores every search token it's given, so the server doesn't need to reconstruct them.

- You could store W on the server, but you would leak additional information
to the server during an update - namely, the per-keyword update frequency.
Section 5.5 describes an extension to reduce client-side storage at the cost
of additional computation.

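The token chain behind the update step quoted above and the client-side map W discussed in the reply, as an added Python example that is not code from the paper or its GitLab implementation: the server walks from ST_c back to ST_0 with the public permutation alone, while stepping forward to ST_{c+1} needs the private key, which is what the client's W entry is for. It assumes a toy RSA trapdoor permutation with small constructed primes (the paper instantiates π with RSA at real key sizes) and HMAC-SHA256 standing in for F, H1 and H2.

```python
import hmac, hashlib, os

# Toy RSA trapdoor permutation pi: pi_PK(x) = x^E mod N, pi_SK^-1(y) = y^D mod N.
# Constructed small primes for illustration only; never use a modulus this size for real.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q                                   # fits in 8 bytes
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

def prf(key: bytes, data: bytes, tag: bytes) -> bytes:
    # F, H1 and H2 of the paper, all as HMAC-SHA256 with a domain-separation tag
    return hmac.new(key, tag + data, hashlib.sha256).digest()

class SophosClient:
    def __init__(self):
        self.ks = os.urandom(32)  # master PRF key K_S
        self.W = {}               # keyword -> (ST_c, c): the client-side map from Algorithm 1

    def update(self, w: str, ind: int):
        # Update(add, w, ind): derive the next token and return (UT_{c+1}, e) for the server
        kw = prf(self.ks, w.encode(), b"F")
        if w not in self.W:
            st, c = int.from_bytes(os.urandom(8), "big") % N, -1  # fresh ST_0
        else:
            st, c = self.W[w]
            st = pow(st, D, N)    # ST_{c+1} = pi^-1_SK(ST_c): only the key holder can step forward
        self.W[w] = (st, c + 1)
        st_b = st.to_bytes(8, "big")
        ut = prf(kw, st_b, b"H1")
        e = ind ^ int.from_bytes(prf(kw, st_b, b"H2"), "big")
        return ut, e

    def search_token(self, w: str):
        # Search(w), client side: hand the server K_w and the latest (ST_c, c)
        st, c = self.W.get(w, (0, -1))
        return prf(self.ks, w.encode(), b"F"), st, c

class SophosServer:
    def __init__(self):
        self.T = {}               # UT -> e, the encrypted index

    def update(self, ut: bytes, e: int):
        self.T[ut] = e

    def search(self, kw: bytes, st: int, c: int):
        # Search(w), server side: walk ST_c -> ST_0 using the public permutation only
        inds = []
        for _ in range(c + 1):
            st_b = st.to_bytes(8, "big")
            inds.append(self.T[prf(kw, st_b, b"H1")] ^ int.from_bytes(prf(kw, st_b, b"H2"), "big"))
            st = pow(st, E, N)    # ST_{i-1} = pi_PK(ST_i)
        return inds
```

Because the server only ever learns ST_c at search time, it can recover every earlier UT_i but none that the client will derive later, which is the forward-security property the paper's title refers to.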
------
zbuttram
Same name as a fairly well-known security company in the IT channel (e.g.
Symantec). [https://www.sophos.com/en-us.aspx](https://www.sophos.com/en-us.aspx)

------
paxcoder
Did anyone invest the effort and time to figure out how secure and practical
this is?

~~~
swordswinger12
I haven't looked closely at the full construction, but it's fairly similar to
an earlier paper by Cash et al.
([https://eprint.iacr.org/2014/853](https://eprint.iacr.org/2014/853)) which
is surprisingly practical - their system can do keyword searches on the entire
English Wikipedia in just a couple seconds.

In terms of security, things are a bit more complicated. The last ~year has
seen a couple papers
([https://eprint.iacr.org/2016/718](https://eprint.iacr.org/2016/718) and
[https://eprint.iacr.org/2016/172](https://eprint.iacr.org/2016/172)) that
demonstrate damaging and practical attacks against most SSE constructions.
It's really not clear how secure _any_ SSE scheme is in practice, or whether
there is a sensible model in which SSE can be both secure and efficient enough
for practical use.

------
mstef
deleted, mistake

~~~
nanis
Do you mean [https://gitlab.com/sse/sophos/tree/master](https://gitlab.com/sse/sophos/tree/master)?

> Sophos' dependencies need a compiler
> supporting C++14 (Sophos' core codebase doesn't).
> It has been successfully built and tested on
> Ubuntu 14 LTS using both clang 3.6 and gcc 4.9.3
> and on Mac OS X.10 using clang 7.0.0

I don't see Windows mentioned anywhere.

~~~
mstef
Strange, my mistake I guess. Sorry for the noise.

