Dynamic searchable symmetric encryption (DSSE) enables a server to efficiently search over and update encrypted files. To minimize the leakage during updates, a security notion named forward and backward privacy is expected of newly proposed DSSE schemes. Those schemes are generally constructed to break the linkability across search and update queries on a given keyword. However, it remains underexplored whether forward and backward private DSSE is resilient against practical leakage-abuse attacks (LAAs), where an attacker attempts to recover query keywords from the leakage passively collected during queries. In this paper, we aim to be the first to answer this question firmly through two non-trivial efforts. First, we revisit the spectrum of forward and backward private DSSE schemes proposed over the past few years, and unveil some inherent constructional limitations in most schemes. Those limitations allow attackers to exploit query equality and establish a guaranteed linkage among different (refreshed) query tokens surjective to a candidate keyword. Second, we refine the volumetric leakage profiles of updates and queries by associating each with a specific operation. By further exploiting update volume and query response volume, we demonstrate that all forward and backward private DSSE schemes can leak the same volumetric information (e.g., insertion volume, deletion volume) as those without such security guarantees. To validate our findings, we realize two generic LAAs, i.e., a frequency matching attack and a volumetric inference attack, and we evaluate them over various experimental settings in the dynamic context. Finally, we call for new efficient schemes to protect query equality and volumetric information across search and update queries.