Abstract

We study the problem of multi-user dynamic searchable symmetric encryption (DMUSSE) where a data owner stores its encrypted documents on an untrusted remote server and wishes to selectively allow multiple users to access them by issuing keyword search queries. Specifically, we consider the case where some of the users may be corrupted and <i>colluding with the server</i> to extract additional information about the dataset (beyond what they have access to). We provide the first formal security definition for the dynamic setting as well as forward and backward privacy definitions. We then propose <inline-formula><tex-math notation="LaTeX">$\mu$</tex-math></inline-formula> <small>SE</small> , the first provably secure DMUSSE scheme and instantiate it in two versions, one based on oblivious data structures and one based on update queues, with different performance trade-offs. Furthermore, we extend <inline-formula><tex-math notation="LaTeX">$\mu$</tex-math></inline-formula> <small>SE</small> to support verifiability of results. To achieve this, users need a secure digest initially computed by the data owner and changed after every update. We efficiently accommodate this, without relying on a trusted third party, by adopting a blockchain-based approach for the digests’ dissemination and deploy our schemes over the permissioned Hyperledger Fabric blockchain. We prototype both versions and experimentally evaluate their practical performance, both as stand-alone systems and running on top of Hyperledger Fabric.