CS2: A Searchable Cryptographic Cloud Storage System

Seny Kamara
Microsoft Research
senyk@microsoft.com

Charalampos Papamanthou
UC Berkeley
cpap@cs.berkeley.edu ∗

Tom Roeder
Microsoft Research
throeder@microsoft.com

∗ Work done as an intern at Microsoft Research.

Abstract

Cloud storage provides a highly available, easily accessible and inexpensive remote data repository to clients who cannot afford to maintain their own storage infrastructure. While many applications of cloud storage require security guarantees against the cloud provider (e.g., storage of high-impact business data or medical records), most services cannot guarantee that the provider will not see or modify client data. This is largely because the current approaches for providing security (e.g., encryption and digital signatures) diminish the utility and/or performance of cloud storage.

This paper presents CS2, a cryptographic cloud storage system that guarantees confidentiality, integrity and verifiability without sacrificing utility. In particular, while CS2 provides security against the cloud provider, clients are still able not only to efficiently access their data through a search interface but also to add and delete files securely.

The CS2 system is based on new highly-efficient and provably-secure cryptographic primitives and protocols. In particular, we (1) construct the first searchable symmetric encryption scheme that is adaptively secure, dynamic and achieves sub-linear search time; (2) introduce and construct search authenticators (which allow a client to efficiently verify the correctness of search operations); and (3) design an efficient and dynamic proof of data possession scheme.

Based in part on our new constructions, we propose two cryptographic protocols for cloud storage which we prove secure in the ideal/real-world paradigm. The first protocol implements standard keyword search. Our second protocol implements what we refer to as assisted keyword search, where a user performs a keyword search, sees a summary of the results and asks for a subset of these results. Experimental results from an implementation of CS2 over both simulated and real-world data sets demonstrate that all operations achieve practical performance.

1 Introduction

Cloud storage promises high data availability, easy access to data, and reduced infrastructure costs by storing data with remote third-party providers. But availability is often not enough, as clients need guarantees about confidentiality and integrity for many kinds of data—guarantees that current cloud storage services cannot provide without prohibitive costs in computation and bandwidth. For example, confidentiality and integrity are essential for high-business impact enterprise data, secret government documents, and medical records. In this paper, we present CS2, a cryptographic cloud storage system that provides confidentiality, integrity and verifiability properties. We also present a prototype implementation that demonstrates the feasibility of CS2 in practice.

The need for cloud storage is increasing. According to studies conducted by the International Data Corporation [28, 27], the total amount of digital data generated by consumers and enterprises will grow next year to 1.2 zettabytes, i.e., 1.2 million petabytes. The increasing scale of stored data makes it