TTP-Aided Searchable Encryption of Documents Using Threshold Secret

Sharing

Ahmad Akmal Aminuddin Mohd Kamal

1 a

and Keiichi Iwamura

Department of Information and Computer Technology, Tokyo University of Science, Tokyo, Japan

Department of Electrical Engineering, Tokyo University of Science, Tokyo, Japan

Keywords:

Searchable Encryption, Threshold Secret Sharing, TTP-Aided, Secure Computation, Secure Storage, Clouds,

Cloud Security, Information Security.

Abstract:

In recent years, the introduction of services such as storage-as-a-service has enabled users to outsource their

data to cloud servers to mitigate the cost of physical storage infrastructure. Moreover, cloud storage allows

users to access data anywhere. However, outsourcing sensitive data to cloud servers also introduces concerns

regarding data leakage and privacy. Therefore, these data must be encrypted before storage. Searchable

encryption (SE) is a method that allows data to be searched in its encrypted state. SE uses symmetric key

encryption, public key encryption, or secret sharing. SE using symmetric and public key encryptions can be

implemented using one cloud server. However, most SEs utilize the search index for efﬁciency, which incurs

the additional cost of constantly updating the search index. SE using secret sharing is computationally light.

Therefore, a direct search over ciphertext is possible without sacriﬁcing the efﬁciency. However, it requires

multiple, independently managed cloud servers. In this study, by effectively using a trusted third party, we

demonstrate that realizing an SE with a single cloud server is possible, even if secret sharing is used, thereby

reducing the total running cost and communications required. Moreover, we demonstrate that the proposed

method is secure against a semi-honest adversary.

1 INTRODUCTION

Cloud computing services, such as secure-storage-as-

a-service, enable businesses and users to upload their

private data into the clouds for easy access from any-

where in the world, without requiring any physical

infrastructure. Owing to concerns and risks regard-

ing the privacy and conﬁdentiality of the information

stored in the cloud, data must be encrypted before

storage (Wang et al., 2017). However, in this ap-

proach, searching encrypted data using conventional

encryption methods is not possible. That is, the en-

crypted data must be decrypted momentarily to search

for possibilities.

Searchable encryption (SE) allows cloud users

to search for and retrieve encrypted data while se-

curely preserving data conﬁdentiality. Conventional

SE methods use symmetric encryption, public key en-

cryption, and secret sharing. In recent years, several

SE solutions using symmetric and public key encryp-

tions have been proposed. SE solutions using these

https://orcid.org/0000-0002-7941-3021

encryption methods allow users to securely outsource

their private data to a single third-party cloud server

as long as the encryption keys used to encrypt their

data are kept secure. Therefore, only a single cloud

server is required for secure storage, minimizing the

usage cost.

However, most SEs based on symmetric and pub-

lic key encryptions proposed thus far only realize the

search of encrypted data using a search index. A

search index is a body of structured data that a search

engine in the cloud server refers to when searching for

data that are relevant to a speciﬁc search query by the

user (Goh, 2003). Index data are related to the key-

words in a document, which are encrypted and regis-

tered in the search index. However, this method has

two main disadvantages: (1) keywords that are not

registered in the search index cannot be searched and

(2) the search index needs to be updated each time a

new document is added or removed.

By contrast, Kamal et al. proposed SEs based

on secret sharing (Kamal and Iwamura, 2021). Se-

cret sharing is a method in which a secret input is di-

vided into multiple different values (known as shares)

442

Kamal, A. and Iwamura, K.

TTP-Aided Searchable Encryption of Documents Using Threshold Secret Sharing.

DOI: 10.5220/0011653700003405

In Proceedings of the 9th International Conference on Information Systems Security and Privacy (ICISSP 2023), pages 442-449

ISBN: 978-989-758-624-8; ISSN: 2184-4356

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

and stored on multiple cloud servers (Shamir, 1979).

SEs using secret sharing enable direct searching over

encrypted data, thereby solving the aforementioned

drawbacks of using a search index. Moreover, be-

cause the secret sharing method is computationally

light, the computational cost for encrypting data is ex-

tremely low compared to that of SEs using symmetric

and public key encryptions.

However, secret sharing requires multiple inde-

pendently managed cloud servers (generally at least

three) to be secure. Therefore, the user must use mul-

tiple cloud servers from different providers to imple-

ment SE using secret sharing, which is difﬁcult and

costly. In addition, a high-speed communication net-

work between all the cloud servers is necessary.

Moreover, the SEs proposed by Kamal et al. were

based on a secure computation known as the Tokyo

University of Science 2 (TUS 2) method (Kamal and

Iwamura, 2017) (details provided in Section 2). In se-

cure computation in the TUS 2 method, the search op-

eration between the query and encrypted data can be

computed in its encrypted state using a minimum of

two cloud servers. However, the computation cost of

the TUS 2 method is extremely large when compared

to that of conventional secure computation methods.

Therefore, this is not the most efﬁcient and practical

SE method.

In contrast, in the latest version of the TUS

method (known as the TUS 6 method), by leverag-

ing a trustable third party (TTP), Iwamura et al. pro-

posed a secure computation based on secret sharing

with only a single computing server (Iwamura et al.,

2022a). This method overcomes the drawbacks of all

secret sharing methods.

Our Contributions.

In this study, the concept of direct searching in Kamal

et al.’s SE (Kamal and Iwamura, 2021) was combined

with the idea of TTP-assisted secure computation in

the TUS 6 method (Iwamura et al., 2022a) to realize

an efﬁcient SE based on (k,n) threshold secret sharing

with one cloud server.

In particular, we applied the concept of differen-

tiating the parameters used for shares (n) and cloud

servers (N) in the TUS 6 method and extended the

general secure computation in the TUS 6 method

(Iwamura et al., 2022a) to realize an SE method us-

ing (k,n) threshold secret sharing, which can realize

a direct search over encrypted documents with only a

single cloud server.

Thus, our proposed SE can be implemented using

a single cloud server, thereby reducing the total run-

ning cost required and making the actual implementa-

tion more practical. Moreover, because our proposed

SE does not require any consecutive computations us-

ing the search result, it achieves lower computational

and communication costs than those of the TUS 6

method.

We also evaluated the security of our proposed

method and showed that it could achieve a higher se-

curity level than that of the original TUS 6 method.

Finally, we discuss a more efﬁcient SE method by al-

lowing some partial information leakage and also in-

clude a discussion on the use of TTP.

2 BUILDING BLOCKS

This section explains the basic methodology required

to realize an SE using (k,n) threshold secret sharing

with only a single cloud server.

2.1 (k, n) Threshold Secret Sharing

Secret sharing is a method of converting a secret in-

put s into a sequence of n different values (known as

shares) and distributing them to n different computing

servers. A secret sharing that satisﬁes the following

conditions is known as (k,n) threshold secret sharing

(Shamir, 1979). However, n ≥ k > 1.

• Any k − 1 or fewer shares will not reveal details

about the secret s;

• Any k or more shares will allow for the recon-

struction of the secret s.

Therefore, if the cloud servers that store the shares

are managed by the same organization, k (or more)

shares are collected and the secret input is leaked.

Examples of (k,n) threshold secret sharing include a

method that uses polynomials for the distribution of

the secret input proposed by Shamir (Shamir, 1979)

(hereinafter called Shamir’s (k,n) method), and addi-

tive secret sharing. Unless otherwise stated, Shamir’s

(k, n) method was used, and the prime number was p.

In addition, the shares of secret s are denoted by [s]

2.2 TUS Methods

Encryption of a secret input using Shamir’s (k,n)

method is performed using a (k − 1)-degree polyno-

mial (with the secret input being the constant term)

to compute n shares corresponding to n cloud servers.

This means that collecting a threshold of k shares al-

lows the user to reconstruct the polynomial and, con-

sequently, the secret. However, the multiplication of

two secret inputs results in a (2k − 2)-degree polyno-

mial, and the number of shares required to reconstruct

the result increases to 2k − 1 (Cramer et al., 2000).

TTP-Aided Searchable Encryption of Documents Using Threshold Secret Sharing

443

Therefore, all secure computations based on Shamir’s

(k, n) method require at least n = 2k − 1 = 3 servers.

TUS methods have been used to represent the se-

cure computation methods proposed by a research

group at TUS. TUS methods propose solutions for se-

cure computation using Shamir’s (k, n) method with-

out increasing the number of cloud servers required.

In all TUS methods, the secret input is ﬁrst encrypted

with a random number before being secret-shared to

the cloud servers. Moreover, when performing mul-

tiplication, the encrypted secret is momentarily re-

stored and multiplied by the shares of the other en-

crypted secrets to prevent an increase in the polyno-

mial degree in the resulting shares.

However, all the TUS methods require at least

two independently managed cloud servers. There-

fore, Iwamura et al. proposed an improved TUS 6

method that uses only a single cloud server with the

help of TTP (Iwamura et al., 2022a). This is realized

by sending multiple shares of the same secret input to

the server. Here, the TTP generates and protects the

random numbers used throughout the computation.

This study extends the latest version of the TUS

method, known as the TUS 6 method (Iwamura et al.,

2022a), to realize SE using a single cloud server. The

protocols of the TUS 6 method are not disclosed here

owing to page limits.

3 RELATED WORKS OF SE

3.1 SE Using Symmetric Encryption

The ﬁrst SE using symmetric encryption was pro-

posed by Song et al., in which the search was directly

performed over the encrypted keywords of each doc-

ument (Song et al., 2000). However, this method has

low efﬁciency, and keywords that have not been reg-

istered before cannot be searched.

To solve the efﬁciency problem, SE with a secure

index, such as a document-based or keyword-based

index, was proposed. Goh et al. proposed an SE us-

ing a document-based index, where the construction

of the secure index is performed using pseudorandom

functions and Bloom ﬁlters (Goh, 2003). However,

each index only corresponds to one document; there-

fore, the server must search through multiple indexes

when multiple documents are stored. Curtmola et al.

proposed an SE using a keyword-based index, where

one keyword in the index may correspond to many

document identiﬁers (Curtmola et al., 2006).

The advantage of using a secure index is that in-

stead of scanning the entire ciphertext of keywords

in a document, the server only needs to search over

the search indexes. However, if the keyword is not

pre-registered in the index, the search is not possi-

ble. Moreover, the index should be updated whenever

a new document is added or removed from the cloud

server, thereby increasing overall operation and main-

tenance costs (Wang et al., 2017).

3.2 SE Using Public Key Encryption

The ﬁrst SE using public key encryption was pro-

posed by Boneh et al., based on identity-based en-

cryption (Boneh et al., 2004). In SE using public-

key encryption, the owner encrypts the keywords us-

ing a public key and stores the ciphertext to the cloud

server. The searcher with the correct private key pro-

duces a search tag and sends it to the cloud server,

where the server identiﬁes whether a search tag is in

a particular ciphertext.

Many SEs that use public key encryption have

been proposed. Abdalla et al. proposed a generic

solution for SE by utilizing a keyword search in a

mail server (Abdalla et al., 2005). Xu et al. pro-

posed an SE that supports fuzzy keyword searches

(Xu et al., 2013). Nonetheless, SE using public key

encryption is extremely inefﬁcient and incurs large

computational costs. Moreover, the ciphertext size of

the registered keyword is often large and requires con-

siderable storage space.

3.3 SE Using Secret Sharing

Kamal et al. proposed a solution for realizing SE

using secret sharing (Kamal et al., 2017). In this

method, SE is used to search for encrypted images

stored in cloud servers. However, because the search-

ing process is performed on each single pixel, and the

result is also reconstructed for each pixel, it is not se-

cure against brute-force attacks because the adversary

that corrupts the searcher can change the search query

for each pixel that does not match.

To solve this problem, Kamal et al. proposed an

improved version of SE using secret sharing, which

allows the result of multiple characters to be recon-

structed simultaneously (Kamal and Iwamura, 2021).

However, communication and computation costs are

extremely high because this method is based on the

TUS 2 method (Kamal and Iwamura, 2017).

In addition, Iwamura et al. proposed an SE that

can realize a partial matching search, where a cer-

tain difference in the search query is allowed (Iwa-

mura et al., 2022b). However, all SEs based on (k, n)

threshold secret sharing require at least two indepen-

dently managed cloud servers. Therefore, the initial

setup and maintenance costs are signiﬁcantly larger

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

444

than those of most SEs using key encryption, where

the subscription of a single cloud server is sufﬁcient.

4 PROPOSED METHOD

This section explains our SE using (k,n) threshold se-

cret sharing on a single cloud server.

4.1 Overview of the Proposed Method

In the proposed searching method, we implemented

the concept of direct searching proposed by Kamal

et al. (Kamal and Iwamura, 2021), where, rather

than searching for a matching keyword in the pre-

computed search index, we realize a search process

for each character between the search query and reg-

istered document in the cloud server.

Moreover, we simultaneously realize the func-

tion of total matching search for multiple characters.

That is, although search computation is performed per

character, the ﬁnal result is reconstructed only once.

However, the method by Kamal et al. (Kamal and

Iwamura, 2021) requires at least two cloud servers,

considerable communication and computation costs,

being extremely inefﬁcient. In this study, a more efﬁ-

cient search method is proposed.

Details of the total matching search computations

used in the proposed method are described below.

Suppose a registered document a with l characters

,...,a

, and a search query b with g characters

,...,b

. The difference for each character between

documents a and query b can be computed as d

− b

, d

= a

− b

, ..., d

= a

− b

Here, a function f such that f = 0 only when all

differences are equal to zero can be represented as fol-

lows:

f (d

,...,d

) = d

× ··· × d

Therefore, in the proposed method, we performed

the aforementioned computation for each g character

using only one cloud server. Moreover, if the search

query does not match the ﬁrst g characters of the doc-

uments, the search process can be continued by shift-

ing the search position h to the left by one (h = h+1).

4.2 Proposed Protocols

The speciﬁc protocols of the proposed method are de-

scribed below.

The size of each character a

(x = 1,...,l) in

the registered document a and the character b

(y =

1,...,g) in the search query are elements within p−2.

Moreover, all random numbers generated in the pro-

tocols are non-zero elements of GF(p). Here, p is

a prime number, and all computations are performed

within modulus p.

In addition, in the following protocols, let x =

1,...,l, y = 1, . . . , g, i = 0, . . . , n − 1, j = 0,...,k − 1,

and parameter k ≥ 3. For ease of understanding,

we describe the protocols with n = k; therefore, the

ranges of i and j are the same, that is, i = j =

0,...,k − 1.

Protocol 1.1: Encryption of documents.

• Input: a

(x = 1,...,l)

• Output: α

+ 1)

1. Each owner generates l random numbers α

and

computes α

+ 1) = α

× (a

+ 1) for each

character of document a. Then, it sends α

to TTP

and α

+ 1) to server S.

Protocol 1.2: Encryption of search query.

• Input: b

(y = 1,...,g)

• Output: β

+ 1)

1. The searcher generates g random numbers β

and

computes β

+1) = β

×(b

+1) for each char-

acter of their search query b. Then, it sends β

TTP and β

+ 1) to server S.

Protocol 1.3: Search process.

• Input: a,b

• Output: a or failed

1. The computing server S and TTP perform the

following for g consecutive characters in docu-

ment a and search query b, starting with the ini-

tial position h = 0. In the following steps, we let

y = 1,...,g, v = h + y, and h = 0,...,l − g.

(a) TTP generates a random number γ

and com-

putes and distributes the following auxiliary

random numbers using Shamir’s (k, n) method:

(b) TTP generates random numbers τ

′

( j

′

1,...,k − 1), computes, and sends the follow-

ing to server S, with τ

0,h

= 1:

j,h





= τ

j,h





j,h





= τ

j,h





0,...,k − 1:

∑

y=1

j,h

− b

]

∑

y=1



+ 1)

× τ

j,h





− β

+ 1) × τ

j,h







TTP-Aided Searchable Encryption of Documents Using Threshold Secret Sharing

445

(d) TTP distributes constant 0 using Shamir’s (k,n)

method, and computes γ

[0]

= γ

× [0]

(e) TTP obtains

∑

y=1

m,h

− b

]

from server

S, and computes

∑

y=1

− b

]

+ γ

[0]

follows. Here, m = 1,...,k − 1. Then, TTP

sends

∑

y=1

− b

]

+ γ

[0]

and γ

[0]

server S.

∑

y=1

− b

]

+ γ

[0]

∑

y=1

m,h

− b

]

m,h

+ γ

[0]

(f) Server S adds γ

[0]

∑

y=1

0,h

− b

]

with τ

0,h

= 1, and reconstructs the computation

result

∑

y=1

− b

2. If the reconstructed result is equal to 0, server S

and TTP send α

+ 1) and α

to the searcher.

3. The searcher reconstructs document a from the

following:

+ 1)

− 1.

5 SECURITY OF THE PROPOSED

METHOD

In this section, we discuss the security of the proposed

SE method. In the proposed SE, we implemented the

secure computation of the TUS 6 method (Iwamura

et al., 2022a), which was proven computationally se-

cure against a semi-honest adversary, to realize an SE

with a single cloud server. However, we further ex-

tended the secure computation in the TUS 6 method

to realize a more efﬁcient computation and a higher

security level. In the proposed method, we assumed

a semi-honest adversary. Moreover, the TTP is as-

sumed to be trusted.

5.1 Security of Protocols 1.1 and 1.2

Suppose that the adversary has no information about

the registered document a or search query b. How-

ever, the adversary has information from the cloud

server S. Here, when the adversary can identify the

unknown information of a or b, the attack is consid-

ered successful.

In Protocols 1.1 and 1,2, cloud server S holds the

following information A on document a and search

query b. Let x = 1,...,l and y = 1,...,g.

A = (α

+ 1),β

+ 1)).

Here, α

+ 1) and β

+ 1) are the encrypted

information for document a and query b, respectively.

However, because the random numbers α

and β

used to encrypt document a and search query b, re-

spectively, are not sent to server S, these random num-

bers cannot be retrieved by the adversary. That is,

even if the adversary corrupts server S, the values of

and b

cannot be retrieved. Therefore, protocols

1.1 and 1.2 are information-theoretic secure against a

semi-honest adversary, and the following statement is

true:

H(a

) = H(a

|A), H(b

) = H(b

|A).

5.2 Security of Protocol 1.3

Herein, we study the security of Protocol 1.3 in detail.

In most SEs, security evaluation is performed under

the assumption that the adversary only corrupts the

cloud server without considering that either the owner

or the searcher is the adversary.

However, considering the situation in which the

adversary may also corrupt the searcher to learn about

the document registered in the server is also impor-

tant. Therefore, we consider the following two types

of semi-honest adversaries.

Adversary 1: The adversary corrupts the cloud

server S. Adversary 1 has information from server

S, and attempts to learn the content of document a or

search query b.

Adversary 2: The adversary corrupts both the

cloud server S and the searcher with search query b.

Adversary 2 has all the information from Protocol 1.2

in addition to the information from server S, and at-

tempts to learn the content of document a.

Security Against Adversary 1.

Suppose that Adversary 1 has information from server

S in Protocol 1.3, in addition to encrypted information

of document a and search query b. Adversary 1 has

the following information: B. Let j = 0,...,k − 1,

y = 1,...,g, x = 1,...,l, h = 0, . . . , l − g, v = h + y

and m = 1,...,k − 1.

B =



+ 1),β

+ 1),τ

j,h





,τ

j,h





∑

y=1

j,h

− b

]

∑

y=1

− b

]

+ γ

[0]

∑

y=1

− b

)



First, to learn secret inputs a

of the owner and

search query b

of the searcher from α

+ 1) and

+ 1), Adversary 1 has to learn random numbers

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

446

and β

from τ

j,h

[γ

/α

]

and τ

j,h

[γ

/β

]

, respec-

tively.

However, because both random numbers τ

j,h

and

are generated by the TTP, Adversary 1 will not be

able to learn them from server S. Moreover, Adver-

sary 1 learns k shares of the following from Steps 1 (c)

and (e). Adversary 1 will be able to learn τ

0,h

= 1, but

will not be able to learn the remaining τ

m,h

from the

ratio of the following information without ﬁrst learn-

ing about each individual share, γ

[0]

∑

y=1

j,h

− b

]

∑

y=1

− b

]

+ γ

[0]

Finally, in the reconstruction of the computational

result, Adversary 1 learns

∑

y=1

− b

). If the re-

sult is not equal to zero, a random number is output;

otherwise, Adversary 1 learns that

∑

y=1

∑

y=1

;

however, the information of random number γ

will

not be leaked.

From the arguments above, our proposed method

is information-theoretic secure against Adversary 1,

and Adversary 1 cannot learn a

or b

. Therefore, the

following statement is true:

H(a

) = H(a

|B), H(b

) = H(b

|B).

Security Against Adversary 2.

From Protocol 1.2, Adversary 2 has information on

the search query b and random numbers β

inputted

by the searcher. Therefore, Adversary 2 contains the

following information: C.

C =



,α

+ 1),τ

j,h





,τ

j,h





∑

y=1

j,h

− b

]

∑

y=1

− b

]

+ γ

[0]

∑

y=1

− b

)



To learn secret a

of the owner from α

+ 1),

Adversary 2 ﬁrst has to learn a random number α

from τ

j,h

[γ

/α

]

However, because random numbers τ

j,h

and γ

are generated by the TTP, Adversary 2 will not be

able to learn them without corrupting the TTP. More-

over, Adversary 2 holds β

and τ

j,h

[γ

/β

]

from the

searcher and the cloud server S, respectively.

The TTP in our proposed method does not secret

share random number γ

to cloud server S. Therefore,

even if Adversary 2 compute k shares τ

j,h

[γ

]

from

above, the computational attack of guessing random

numbers τ

j,h

and comparing the reconstructed result

of the computed γ

with the correctly distributed γ

not possible, and the random number γ

is not leaked.

Moreover, Adversary 2 will not be able to learn

random numbers τ

m,h

from the ratio of k shares of the

following without ﬁrst learning about each individual

share of γ

[0]

∑

y=1

m,h

− b

]

∑

y=1

− b

]

+ γ

[0]

Finally, in the reconstruction of the computational

result, Adversary 1 learns

∑

y=1

− b

). If the

result is equal to zero, Adversary 2 will learn that

∑

y=1

∑

y=1

; however, information on the ran-

dom number γ

will not be leaked.

From the arguments above, we can state that Ad-

versary 2 cannot learn any a

. Therefore, the follow-

ing statement is true:

H(a

) = H(a

|C).

However, Adversary 2 may perform a brute-force

search attack by inputting multiple search queries to

the cloud server and learning documents a even with-

out the correct search query b, which is true for all

SEs without user authentication.

Nonetheless, this can be overcome by introducing

a time gap between each search, as implemented in

the block-time in Bitcoin blockchains. Alternatively,

the attack can also be overcome by the introduction of

a password such that the actual SE process using the

search query will only be performed if the SE on the

password matches. Moreover, because the password

can be easily updated by the owner, the aforemen-

tioned attacks can be prevented. The detailed com-

putation is omitted here because of space constraints.

6 DISCUSSION

6.1 Tradeoff Between Efﬁciency and

Partial Information Leakage

The proposed SE described in Section 4 was proven

to be secure against semi-honest adversaries 1 and 2.

However, realizing security against both adversaries

requires extra computation and communication costs

between the cloud server and TTP.

However, as previously mentioned, some SEs

(particularly SEs with a single-client model) only

assume an adversarial model where a semi-honest

server attempts to compromise the privacy of the data

and search queries. This is the same as our deﬁnition

of Adversary 1, where collusion between the cloud

server and the user who provides the search queries is

not assumed.

In the case where Adversary 2 is not assumed,

the proposed SE can be further optimized to realize

TTP-Aided Searchable Encryption of Documents Using Threshold Secret Sharing

447

a more efﬁcient SE at the cost of partial information

leakage. In particular, because the adversary has no

knowledge of the search query b and random num-

bers β

used in Protocol 1.2, the random number γ

will not be leaked even if γ

/α

and γ

/β

are sent

directly to the server instead of previously encrypting

their shares with another random number τ

j,h

Therefore, Steps 1(a)—1(f) in Protocol 1.3 de-

scribed in Section 4, can be simpliﬁed as follows:

Protocol 1.4: Optimized search process.

(a) TTP generates a random number γ

, computes,

and sends γ

/α

and γ

/β

to server S:

(b) Server S computes

∑

y=1

− b

) as follows:

∑

y=1

− b

) =

∑

y=1



+ 1) ×

− β

+ 1) ×



Security Against Adversary 1.

To learn inputs a

of the owner and search query b

the searcher from α

+ 1) and β

+ 1), respec-

tively, Adversary 1 ﬁrst has to learn random numbers

and β

from γ

/α

and γ

/β

However, because the random number γ

is gener-

ated by the TTP, Adversary 1 will not be able to learn

it from server S. Moreover, it will be able to compute

+ 1) and γ

+ 1) from α

+ 1), γ

/α

and

+ 1), γ

/β

, respectively.

Because γ

+ 1) and γ

+ 1) are encrypted

by the same random number γ

, if a

= b

, the same

encrypted values of γ

+ 1) = γ

+ 1) are com-

puted, and the adversary will also learn γ

= γ

for that particular position v and y. This is the same

as most deterministic encryption methods, such as

RSA (without padding), where the same encryption

key and input will result in the same encrypted data

each time.

However, because the adversary has no informa-

tion about b

, the information of a

and random num-

ber γ

will not be leaked. Moreover, because the ran-

dom number γ

is changed for every new position h,

no additional information is leaked, except that both

and b

are equal to an unknown random number.

That is, our proposed SE can be more efﬁcient by al-

lowing partial information to be leaked without sacri-

ﬁcing the conﬁdentiality of the documents and search

queries.

However, the aforementioned partial leakage can

also be solved in the same manner as in most deter-

ministic encryptions, that is, with the implementation

of a randomization process. The details are omitted

here because of space limitation.

6.2 Trusted Third Party

In the proposed SE, a TTP is required to generate and

store random numbers and provides computation as-

sistance during the reconstruction of the search result.

However, TTP does not handle any raw secret inputs

of document a and search query b.

The use of TTP is common in cryptography. For

example, in SEs using public key encryption, TTP is

required to realize SE in a multi-user setting. A multi-

user setting allows a group of authorized users to sub-

mit search queries (Wang et al., 2017). To realize this,

Bao et al. (Bao et al., 2008) and Kiayias et al. (Ki-

ayias et al., 2016) proposed the use of TTP to generate

secret keys for all parties. In contrast, our proposed

method of secret sharing also supports multi-user set-

tings, without requiring any additional processes for

sharing secret keys among multiple users.

However, for real-world implementation, a TTP

might become a potential limitation. To address this,

we can adopt various security techniques and tech-

nologies to realize TTP, such as using a trusted ex-

ecution environment (TEE) (i.e., a secure hardware

enclave of Intel Software Guard Extensions (SGX)).

TEE, such as Intel SGX (Costan and Devadas,

2016), offers hardware-based memory encryption that

isolates speciﬁc application code and data in memory.

This allows the TEE to perform the same tasks as the

TTP in Section 4 without sacriﬁcing privacy and se-

curity. Moreover, because of a TEE in the central pro-

cessing unit (CPU) of the cloud server, replacing the

role of TTP with a TEE means that all communica-

tions can be performed locally. This results in faster

processing time and extremely low latency.

In our future study, we will consider the details of

implementing a TEE to replace TTP.

6.3 Comparing Computation,

Communication, and Storage Costs

In this study, instead of symmetric or public-key en-

cryption, we realized SE using secret sharing. Con-

ventional encryption methods, such as public key en-

cryption, are often based on difﬁcult operations to en-

sure security, resulting in more costly computations.

By contrast, secret sharing is computationally light,

reducing computational costs.

In addition, to realize SE in a multi-user setting,

where the searcher might not be the original data

owner, a mechanism of sharing the secret keys is re-

quired in both SEs using symmetric and public key

encryptions. In contrast, secret sharing does not rely

on any encryption keys. Therefore, a multi-user set-

ting is possible without any additional process.

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

448

Moreover, the ciphertext size produced by public

and symmetric key encryptions is often large com-

pared to that of secret sharing, where the computed

shares are almost the same size as the input. There-

fore, ciphertext generated by public and symmetric

key encryptions incurs more storage costs than shares

generated by secret sharing. In other words, our pro-

posed SE requires less storage.

Finally, SEs using symmetric and public key en-

cryptions can be performed using a single cloud

server; therefore, all computations are performed lo-

cally. In contrast, secret sharing typically requires

communication between multiple servers. In the pro-

posed SE, only a single server is required, and com-

putations are performed on the server, except when

reconstructing the result, where communication with

the TTP is required. In our future study, we will con-

sider using a TEE in the CPU to realize an SE with

zero communication. Detailed comparison with con-

ventional SEs is omitted owing to space limitation.

7 CONCLUSION

In this study, we extended the secure computation

in the TUS 6 method, combined the concept of di-

rect searching in (Kamal and Iwamura, 2021), and

realized an improved SE using (k,n) threshold secret

sharing with only a single cloud server. We succeeded

in solving the drawbacks of SEs using secret sharing,

where multiple cloud servers are required.

In future studies, we will implement the proposed

method and perform a detailed comparison with con-

ventional SEs. We also consider the means of increas-

ing the practicality of the proposed method by consid-

ering the use of a TEE instead of TTP.

REFERENCES

Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T.,

Lange, T., Malone-Lee, J., Neven, G., Paillier, P., and

Shi, H. (2005). Searchable encryption revisited: con-

sistency properties, relation to anonymous ibe, and ex-

tensions. In Shoup, V., editor, Advances in Cryptology

– CRYPTO 2005, pages 205–222, Berlin, Heidelberg.

Springer Berlin Heidelberg.

Bao, F., Deng, R. H., Ding, X., and Yang, Y. (2008). Pri-

vate query on encrypted data in multi-user settings. In

Chen, L., Mu, Y., and Susilo, W., editors, Informa-

tion Security Practice and Experience, pages 71–85,

Berlin, Heidelberg. Springer Berlin Heidelberg.

Boneh, D., Di Crescenzo, G., Ostrovsky, R., and Per-

siano, G. (2004). Public key encryption with keyword

search. In Cachin, C. and Camenisch, J. L., editors,

Advances in Cryptology - EUROCRYPT 2004, pages

506–522, Berlin, Heidelberg. Springer Berlin Heidel-

berg.

Costan, V. and Devadas, S. (2016). Intel sgx explained.

Cryptology ePrint Archive, Paper 2016/086.

Cramer, R., Damg

ard, I., and Maurer, U. (2000). Gen-

eral secure multi-party computation from any linear

secret-sharing scheme. LNCS, 1807:316–334.

Curtmola, R., Garay, J., Kamara, S., and Ostrovsky, R.

(2006). Searchable symmetric encryption: Improved

deﬁnitions and efﬁcient constructions. In Proceed-

ings of the 13th ACM Conference on Computer and

Communications Security, CCS ’06, page 79–88, New

York, NY, USA. ACM.

Goh, E.-J. (2003). Secure indexes. Cryptology ePrint

Archive, Paper 2003/216.

Iwamura, K., Kamal, A. A. A. M., and Inamura, M.

(2022a). TTP-aided secure computation using secret

sharing with only one computing server. In Proceed-

ings of the 2022 ACM on Asia Conference on Com-

puter and Communications Security, ASIA CCS ’22,

page 1243–1245, New York, NY, USA. ACM.

Iwamura, K., Kamal, A. A. A. M., and Kuroi, D. (2022b).

Efﬁcient secret sharing-based partial matching search

using error correction code. In Arai, K., editor,

Proceedings of the Future Technologies Conference

(FTC) 2021, Volume 3, pages 65–81, Cham. Springer

International Publishing.

Kamal, A. A. A. M. and Iwamura, K. (2017). Conditionally

secure multiparty computation using secret sharing

scheme for n < 2k-1 (short paper). In 2017 15th An-

nual Conference on Privacy, Security and Trust (PST),

pages 225–2255.

Kamal, A. A. A. M. and Iwamura, K. (2021). Searchable

encryption using secret sharing scheme that realizes

direct search of encrypted documents and disjunctive

search of multiple keywords. Journal of Information

Security and Applications, 59:102824.

Kamal, A. A. A. M., Iwamura, K., and Kang, H. (2017).

Searchable encryption of image based on secret shar-

ing scheme. In 2017 Asia-Paciﬁc Signal and Informa-

tion Processing Association Annual Summit and Con-

ference (APSIPA ASC), pages 1495–1503.

Kiayias, A., Oksuz, O., Russell, A., Tang, Q., and Wang, B.

(2016). Efﬁcient encrypted keyword search for multi-

user data sharing. LNCS, 9878 LNCS:173–195. SE

multi-user with TTP.

Shamir, A. (1979). How to share a secret. Communications

of the ACM, 22:612–613.

Song, D. X., Wagner, D., and Perrig, A. (2000). Practical

techniques for searches on encrypted data. In Pro-

ceeding 2000 IEEE Symposium on Security and Pri-

vacy. S&P 2000, pages 44–55.

Wang, Y., Wang, J., and Chen, X. (2017). Secure searchable

encryption: a survey. Journal of Communications and

Information Networks, 1(4):52–65.

Xu, P., Jin, H., Wu, Q., and Wang, W. (2013). Public-key

encryption with fuzzy keyword search: A provably se-

cure scheme under keyword guessing attack. IEEE

Transactions on Computers, 62(11):2266–2277.

TTP-Aided Searchable Encryption of Documents Using Threshold Secret Sharing

449