1. A practical searchable encryption security detection method is characterized in that: the method comprises the following steps:

step S1: initializing variables required for steps S2 to S11;

step S2: expanding the m ' x n ' file-keyword matrix A ';

step S3: finding a mapping (ed, d) of the encrypted file ed and the file d;

step S4: finding more (ed, d) mappings using matrix M and matrix M';

wherein M represents an n × n ed-occurrence matrix, wherein M is_i,jRepresenting encrypted files ed_iAnd ed_jThe intersection of the query tokens; m 'represents a d-occurrence matrix of n' × n ', where M'_i,jPresentation document d_iAnd d_jThe intersection of the keywords of (1);

step S5: update counter and set C_newAnd R_newIs empty; wherein, C_newRepresents a set of (ed, d) mappings that record the new discovery; r_newRepresents the collection of (q, w) maps that record the new findings.

Step S6: finding a mapping (q, w) of the query token q and the keyword w;

step S7: finding more (ed, d) mappings using the (q, w) mapping in step S6;

step S8: find more (ed, d) mappings.

Step S9: finding more (ed, d) mappings using matrix M and matrix M';

step S10: if it is notOrStep S5 is executed; otherwise, go to step S11;

step S11: if the recovered (q, w) mapping set R and (ed, d) mapping set C are not empty, outputting 0; otherwise, 1 is output.

2. The practical searchable encryption security detection method according to claim 1, wherein: the specific content of step S1 is:

initialize a counter ct 1, four setsAnd C_new,R_newC, R areAnd two matrices B_mapAnd A ″)_map(ii) a Wherein, the matrix B_mapRepresenting a mapping matrix, A ″, between the query token and the encrypted file_mapIs a mapping matrix between the keywords and the files.

3. The practical searchable encryption security detection method according to claim 1, wherein: the specific contents of the file-keyword matrix a ' expanded by m ' × n ' in step S2 are as follows:

extending the matrix A ' of m ' × n ' to a matrix A ″ of m × n ', where m ' < m, and m ∈ [ m ' +1, m ∈ m ' +1]And j ∈ [ n']，A″_i,j＝0；

The matrix A' is

The matrix A' is

Finally, set A ″)_map＝A″，

Wherein, w_i，i∈[1,m]Representing a specific keyword; d_j，j∈[1,n]Representing a particular file.

4. The practical searchable encryption security detection method according to claim 1, wherein: the specific content of the map (ed, d) between the encrypted file ed and the file d found in the step S3 is:

for each j e [ n ], the following is performed:

1) initializing a vector VB for the jth column in matrix B_j；

2) Calculation of c_j＝column_jSum, and set VB_j[1]＝c_j；

Wherein, column_jRepresents the jth column of the matrix T; column_j-sum represents the hamming distance of the jth column of the matrix T;

similarly, for each j '∈ [ n' ], the following operations are performed:

1) for column j' in matrix A ″_j′Initializing a vector VA_j′；

2) C 'is calculated'_j′＝column_j′Sum, and setting VA_j′[1]＝c′_j′；

Finally, if for { VB_j}_j∈[n]VB only_jIn the presence of VA_j′Make VA_j′＝VB_j(j′∈[n′]) Then will (ed)_j,d_j′) Add to set C.

5. The practical searchable encryption security detection method according to claim 1, wherein: in step S4, the step of finding more (ed, d) mappings by using the matrix M and the matrix M' specifically includes:

calculating an nxn ed-occurrence matrix M as

Calculating the matrix M ' of n ' × n ' asThen, Occurence (C, M, M', A ″)_map,B_map) The algorithm obtains a set S of (ed, d) mappings and adds S to C; the method specifically comprises the following steps: taking as input a known (ed, d) mapping set C, a matrix M, M ', M × n ' matrix A ' and a matrix B; first, the initialization S is set to {1},then, C' is set to C; finally, it is judgedIf the set S is empty, outputting the set S and terminating the algorithm; if set S is not empty, setAnd for each unmapped d_j′(j′∈[n′]) Setting ED to unmapped ED_jIn which j ∈ [ n ]]，c′_j′＝c_j(ii) a For each ED in ED_jIf M is_j,k≠M′_j′,k′Will ed_jRemoval from the ED; if there is only one ED in the ED_jWill (ed)_j,d_j′) Adding to the set S and setting C ═ us ═ C ═ S; then, outputting the set S; if, there is not only one ED in the ED_jThe set S is directly output.

6. The practical searchable encryption security detection method according to claim 1, wherein: the step S5 updates the counter and initializes the set C_newAnd R_newThe method specifically comprises the following steps:

setting ct as ct +1,

in the step S6, the mapping (q, w) of the query token q and the keyword w is found and added to the set R respectively_newAnd R is specifically:

assume that the set of mappings of (ed, d) that have been found isWhereinFrom (B)_map,A″_map) To obtain C column matched submatrix pairs (B)_c,A″_c) In which B is_cIs composed ofA″_cIs composed ofIf for B_cUnique and different row of_iCan be in A ″)_cIn which the same row is found_i′Then (q) will be_i,w_i′) Are added to the set R separately_newAnd R, wherein row_iRepresenting the ith column of the matrix T.

7. The practical searchable encryption security detection method according to claim 1, wherein: in step S7, finding more (ed, d) mappings by using the (q, w) mapping in step S6 specifically includes:

assume that the set of (q, w) that has been found isWhereinCalculating from (B, A') to obtain a matrix pair (B)_r,A″_r) (ii) a Wherein B is_rIs composed of

A″_rIs composed ofIf for B_rColumn with unique difference_jCan be in A ″)_rIn which the same column is found_j′Then will (ed)_j,d_j′) Are added to the set C separately_newAnd C.

8. The practical searchable encryption security detection method according to claim 1, wherein: the step S8 of finding more (ed, d) mappings specifically includes:

setting all matching behaviors 0 in B and A'; to pairAll column columns in B that do not match_jRecalculating c_j＝column_jSum, and set VB_j[ct]＝c_j(ii) a Similarly, for all unmatched columns column in matrix A ″_j′Recalculate c'_j′＝column_j′Sum, and setting VA_j′[ct]＝c′_j′(ii) a If forEach VB in_jAll have a VA_j′So that VB_j＝VA_j′(j′∈S′_up) Then will be (ed)_j,d_j′) Are added to the set C separately_newAnd C in which S_up,S′_upThe set of indices for the unmatched columns in matrices B and a ", respectively.

9. The practical searchable encryption security detection method according to claim 1, wherein: in step S9, finding more (ed, d) mappings by using the matrix M and the matrix M' specifically includes:

run Occurrence (C, M, M', A ″)_map,B_map) The algorithm gets a set S 'of (ed, d) mappings and adds S' to the set C respectively_newAnd C; specifically, the method comprises the following steps: taking as input a known (ed, d) mapping set C, a matrix M, M ', M × n ' matrix A ' and a matrix B; first, the initialization S is set to {1},then, C' is set to C; finally, judging whether the set S is empty; if the set S is empty, outputting the set S and terminating the algorithm; if set S is not empty, setAnd for each unmapped d_j′(j′∈[n′]) Setting ED to unmapped ED_jIn which j ∈ [ n ]]，c′_j′＝c_j(ii) a For each ED in ED_jIf M is_j,k≠M′_j′,k′Will ed_jRemoval from the ED; if there is only one ED in the ED_jWill (ed)_j,d_j′) Adding to the set S and setting C ═ us ═ C ═ S; then, outputting the set S; if, there is not only one ED in the ED_jThe set S is directly output.

10. The practical searchable encryption security detection method according to claim 1, wherein: if it is notOrStep S5 is executed; otherwise, executing step S11; the step S11 of outputting the detection result specifically includes:

if at least one of the set R of (q, w) maps and the set C of (ed, d) maps recovered by performing all the above steps is not empty, it indicates that the searchable encryption method cannot withstand LEAP attack and 0 is output. Otherwise, 1 is output.

Background

The encrypted cloud storage system allows an individual or organization to outsource ciphertext of sensitive data to a third party cloud storage provider. In order to maintain retrievability of outsourced encrypted data, a Searchable Encryption (SE) scheme is proposed. In the SE scenario, the third party cloud storage provider does not get the queried data from the retrieval process.

Most existing SE solutions build an industrially useful, practical solution at the expense of acceptable information leakage. For example, ShadowCrypt employs an encryption method known as efficient deployable, efficient searchable encryption (EDESE) to accomplish secure retrieval of outsourced encrypted data. The EDESE encryption method also reveals the encrypted data set and the query token while achieving high efficiency. Recent attacks show that such leakage can (partially) recover the underlying keywords of the query token, assuming that the attacker possesses some background knowledge. According to the recovered keywords, the content of the outsourced encrypted data can be guessed, and the confidentiality of the outsourced encrypted data is broken. It can be seen that before a searchable encryption method is adopted, in order to ensure that the encryption method does not reveal the content of the outsourced encrypted data, the security of the system should be checked.

In view of the above situation, the present invention provides a practical searchable encryption security detection method. The invention can detect a new leak abuse attack (LEAP) against the EDESE scheme. The new leakage abuse attack can accurately recover the bottom keywords and outsourced encrypted data content of the query token based on partially known data and a complete leakage occurrence pattern. A number of experiments have shown that LEAP is more destructive than the PW16-U challenge and the PW16-P challenge. In the 10% case of accessing the data set, LEAP accurately recovered 4904 (query token, key) mappings from 4991 keys, while the PW16-P attack maps 1638 and the PW16-U attack maps 38. In the case of only 0.1% of the data set leakage, LEAP accurately recovered 132 (query token, key) mappings from 1144 keys, compared to 2 for the PW16-P attack and 5 for the PW16-U attack. LEAP thus reveals a new risk of using the EDESE encryption method given a priori knowledge of the data set. A practical searchable encryption security detection method should be able to detect LEAP attacks.

Disclosure of Invention

In view of the above, an object of the present invention is to provide a practical searchable encryption security detection method, which detects security of an encryption method that is highly-deployable and highly-searchable encryption (EDESE), and prevents leakage of query keywords and external encrypted data contents.

The invention is realized by adopting the following scheme: a practical searchable encryption security detection method comprises the following steps:

step S1: initializing variables required for steps S2 to S11;

step S2: expanding the m ' x n ' file-keyword matrix A ';

step S3: finding a mapping (ed, d) of the encrypted file ed and the file d;

step S4: finding more (ed, d) mappings using matrix M and matrix M';

wherein M represents an n × n ed-occurrence matrix, wherein M is_i,jRepresenting encrypted files ed_iAnd ed_jThe intersection of the query tokens; m 'represents a d-occurrence matrix of n' × n ', where M'_i,jPresentation document d_iAnd d_jThe intersection of the keywords of (1);

step S5: update counter and set C_newAnd R_newIs empty; wherein, C_newRepresents a set of (ed, d) mappings that record the new discovery; r_newRepresents the collection of (q, w) maps that record the new findings.

Step S6: finding a mapping (q, w) of the query token q and the keyword w;

step S7: finding more (ed, d) mappings using the (q, w) mapping in step S6;

step S8: find more (ed, d) mappings.

Step S9: finding more (ed, d) mappings using matrix M and matrix M';

step S10: if it is notOrStep S5 is executed; otherwise, go to step S11;

step S11: if the recovered (q, w) mapping set R and (ed, d) mapping set C are not empty, outputting 0; otherwise, 1 is output.

Further, the specific content of step S1 is:

initializing a counter ct to 1, four sets C_new,R_newC, R areAnd two matrices B_mapAnd A ″)_map；

Wherein, the matrix B_mapRepresenting a mapping matrix, A ″, between the query token and the encrypted file_mapIs a mapping matrix between the keywords and the files.

Further, the specific content of the file-keyword matrix a ' expanded by m ' × n ' in the step S2 is as follows:

extending the matrix A ' of m ' × n ' to a matrix A ″ of m × n ', where m ' < m, and m ∈ [ m ' +1, m ∈ m ' +1]And j ∈ [ n']，A″_i,j＝0；

The matrix A' is

The matrix A' is

Finally, set upWherein, w_i，i∈[1,m]Representing a specific keyword; d_j，j∈[1,n]Representing a particular file.

Further, the specific content of the map (ed, d) between the encrypted file ed and the file d found in the step S3 is:

for each j e [ n ], the following is performed:

1) initializing a vector VB for the jth column in matrix B_j；

2) Calculation of c_j＝column_jSum, and set VB_j[1]＝c_j；

Wherein, column_jRepresents the jth column of the matrix T; column_j-sum represents the hamming distance of the jth column of the matrix T;

similarly, for each j '∈ [ n' ], the following operations are performed:

1) for column j' in matrix A ″_j′Initializing a vector VA_j′；

2) C 'is calculated'_j′＝column_j′Sum, and setting VA_j′[1]＝c′_j′；

Finally, if for { VB_j}_j∈[n]VB only_jIn the presence of VA_j′Make VA_j′＝VB_j(j′∈[n′]) Then will (ed)_j,d_j′) Add to set C.

Further, the step S4 of finding more (ed, d) mappings by using the matrix M and the matrix M' specifically includes:

calculating an nxn ed-occurrence matrix M asCalculating the matrix M ' of n ' × n ' asThen, Occurence (C, M, M', A ″)_map,B_map) The algorithm obtains a set S of (ed, d) mappings and adds S to C; the method specifically comprises the following steps: taking as input a known (ed, d) mapping set C, a matrix M, M ', M × n ' matrix A ' and a matrix B; first, the initialization S is set to {1},then, C' is set to C; finally, judging whether the set S is empty, if the set S is empty, outputting the set S and terminating the algorithm; if set S is not empty, setAnd for each unmapped d_j′(j′∈[n′]) Setting ED to unmapped ED_jIn which j ∈ [ n ]]，c′_j′＝c_j(ii) a For each ED in ED_jIf M is_j,k≠M′_j′,k′Will ed_jRemoval from the ED; if there is only one ED in the ED_jWill (ed)_j,d_j′) Adding to the set S and setting C ═ us ═ C ═ S; then, outputting the set S; if, there is not only one ED in the ED_jThe set S is directly output.

Further, the counter is updated and the set C is initialized in the step S5_newAnd R_newThe method specifically comprises the following steps:

setting ct as ct +1,

in the step S6, the mapping (q, w) of the query token q and the keyword w is found and added to the set R respectively_newAnd R is specifically:

assume that the set of mappings of (ed, d) that have been found isWhereinFrom (B)_map,A″_map) To obtain C column matched submatrix pairs (B)_c,A″_c) In which B is_cIs composed ofA″_cIs composed ofIf for B_cUnique and different row of_iCan be in A ″)_cIn which the same row is found_i′Then (q) will be_i,w_i′) Are added to the set R separately_newAnd R, wherein row_iRepresenting the ith column of the matrix T.

Further, in the step S7, using the (q, w) mapping in the step S6, finding more (ed, d) mappings specifically includes:

assume that the set of (q, w) that has been found isWhereinCalculating from (B, A') to obtain a matrix pair (B)_r,A″_r) (ii) a Wherein B is_rIs composed of

A″_rIs composed ofIf for B_rColumn with unique difference_jCan be in A ″)_rIn which the same column is found_j′Then will (ed)_j,d_j′) Are added to the set C separately_newAnd C.

Further, the step S8 of finding more (ed, d) mappings specifically includes:

setting all matching behaviors 0 in B and A'; for all column columns in B that do not match_jRecalculating c_j＝column_jSum, and set VB_j[ct]＝c_j(ii) a Similarly, for all unmatched columns column in matrix A ″_j′Recalculate c'_j′＝column_j′Sum, and setting VA_j′[ct]＝c′_j′(ii) a If forEach VB in_jAll have a VA_j′So that VB_j＝VA_j′(j′∈S′_up) Then will be (ed)_j,d_j′) Are added to the set C separately_newAnd C in which S_up,S′_upIndexes of unmatched columns in matrices B and A ", respectivelyA collection of (a).

Further, the step S9 of finding more (ed, d) mappings by using the matrix M and the matrix M' specifically includes:

run Occurrence (C, M, M', A ″)_map,B_map) The algorithm gets a set S 'of (ed, d) mappings and adds S' to the set C respectively_newAnd C; specifically, the method comprises the following steps: taking as input a known (ed, d) mapping set C, a matrix M, M ', M × n ' matrix A ' and a matrix B; first, the initialization S is set to {1},then, C' is set to C; finally, judging whether the set S is empty; if the set S is empty, outputting the set S and terminating the algorithm; if set S is not empty, setAnd for each unmapped d_j′(j′∈[n′]) Setting ED to unmapped ED_jIn which j ∈ [ n ]]，c′_j′＝c_j(ii) a For each ED in ED_jIf M is_j,k≠M′_j′,k′Will ed_jRemoval from the ED; if there is only one ED in the ED_jWill (ed)_j,d_j′) Adding to the set S and setting C ═ us ═ C ═ S; then, outputting the set S; if, there is not only one ED in the ED_jThe set S is directly output.

Further, ifOrStep S5 is executed; otherwise, executing step S11; the step S11 of outputting the detection result specifically includes:

if at least one of the set R of (q, w) maps and the set C of (ed, d) maps recovered by performing all the above steps is not empty, it indicates that the searchable encryption method cannot withstand LEAP attack and 0 is output. Otherwise, 1 is output.

Compared with the prior art, the invention has the following beneficial effects:

the invention detects the security of the encryption method of the high-efficiency deployable and high-efficiency searchable encryption (EDESE), and prevents the leakage of the query keywords and the external encrypted data content.

The invention ensures that the detected searchable encryption method can effectively resist the leakage abuse attack and effectively promotes the application of the searchable encryption method in practice.

Drawings

FIG. 1 is a flow chart of a method according to an embodiment of the present invention.

Fig. 2 is a schematic diagram of an Occurrence algorithm according to an embodiment of the present invention.

Detailed Description

The invention is further explained below with reference to the drawings and the embodiments.

It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.

It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.

As shown in fig. 1, the present embodiment provides a method for detecting security of a searchable encryption, which includes the following steps:

step S1: initializing variables required for steps S2 to S11;

step S2: expanding the m ' x n ' file-keyword matrix A ';

step S3: finding a mapping (ed, d) of the encrypted file ed and the file d;

step S4: finding more (ed, d) mappings using matrix M and matrix M';

wherein M represents an n × n ed-occurrence matrix, wherein M is_i,jRepresenting encrypted files ed_iAnd ed_jThe intersection of the query tokens; m 'represents a d-occurrence matrix of n' × n ', where M'_i,jPresentation document d_iAnd d_jThe intersection of the keywords of (1);

step S5: update counter and set C_newAnd R_newIs empty; wherein, C_newRepresents a set of (ed, d) mappings that record the new discovery; r_newRepresents the collection of (q, w) maps that record the new findings.

Step S6: finding a mapping (q, w) of the query token q and the keyword w;

step S7: finding more (ed, d) mappings using the (q, w) mapping in step S6;

step S8: find more (ed, d) mappings.

Step S9: finding more (ed, d) mappings using matrix M and matrix M';

step S10: if it is notOrStep S5 is executed; otherwise, go to step S11;

step S11: if the recovered (q, w) mapping set R and (ed, d) mapping set C are not empty, outputting 0; otherwise, 1 is output.

In this embodiment, the specific content of step S1 is:

initializing a counter ct to 1, four sets C_new,R_newC, R areAnd two matrices B_mapAnd A ″)_map(ii) a Wherein, the matrix B_mapRepresenting a mapping matrix, A ″, between the query token and the encrypted file_mapIs a mapping matrix between the keywords and the files.

In this embodiment, the specific content of the file-keyword matrix a ' expanded by m ' × n ' in step S2 is as follows:

extending the matrix A ' of m ' × n ' to a matrix A ″ of m × n ', where m ' < m, and m ∈ [ m ' +1, m ∈ m ' +1]And j ∈ [ n']，A″_i,j＝0；

The matrix A' is

The matrix A' is

Finally, set upWherein, w_i，i∈[1,m]Representing a specific keyword; d_j，j∈[1,n]Representing a particular file.

In this embodiment, the specific content of the map (ed, d) between the encrypted file ed and the file d found in step S3 is:

for each j e [ n ], the following is performed:

3) initializing a vector VB for the jth column in matrix B_j；

4) Calculation of c_j＝column_jSum, and set VB_j[1]＝c_j；

Wherein, column_jRepresents the jth column of the matrix T; column_j-sum represents the hamming distance of the jth column of the matrix T;

similarly, for each j '∈ [ n' ], the following operations are performed:

3) for column j' in matrix A ″_j′Initializing a vector VA_j′；

4) C 'is calculated'_j′＝column_j′Sum, and setting VA_j′[1]＝c′_j′；

Finally, e.g.Fruit pair { VB_j}_j∈[n]VB only_jIn the presence of VA_j′Make VA_j′＝VB_j(j′∈[n′]) Then will (ed)_j,d_j′) Add to set C.

In this embodiment, the step S4 of finding more (ed, d) mappings by using the matrix M and the matrix M' specifically includes:

calculating an nxn ed-occurrence matrix M as

Calculating the matrix M ' of n ' × n ' asThen, Occurence (C, M, M ', A') shown in FIG. 2 is run_map,B_map) The algorithm obtains a set S of (ed, d) mappings and adds S to C;

the method specifically comprises the following steps: taking as input a known (ed, d) mapping set C, a matrix M, M ', M × n ' matrix A ' and a matrix B; first, the initialization S is set to {1},then, C' is set to C; finally, judging whether the set S is empty, if the set S is empty, outputting the set S and terminating the algorithm; if set S is not empty, setAnd for each unmapped d_j′(j′∈[n′]) Setting ED to unmapped ED_jIn which j ∈ [ n ]]，c′_j′＝c_j(ii) a For each ED in ED_jIf M is_j,k≠M′_j′,k′Will ed_jRemoval from the ED; if there is only one ED in the ED_jWill (ed)_j,d_j′) Adding to the set S and setting C ═ us ═ C ═ S; then, outputting the set S; if, there is not only one ED in the ED_jThe set S is directly output.

In the present embodimentIn the step S5, the counter is updated and the set C is initialized_newAnd R_newThe method specifically comprises the following steps:

setting ct as ct +1,

in the step S6, the mapping (q, w) of the query token q and the keyword w is found and added to the set R respectively_newAnd R is specifically:

assume that the set of mappings of (ed, d) that have been found isWhereinFrom (B)_map,A″_map) To obtain C column matched submatrix pairs (B)_c,A″_c) In which B is_cIs composed ofA″_cIs composed ofIf for B_cUnique and different row of_iCan be in A ″)_cIn which the same row is found_i′Then (q) will be_i,w_i′) Are added to the set R separately_newAnd R, wherein row_iRepresenting the ith column of the matrix T.

In this embodiment, the step S7 uses the (q, w) mapping in the step S6 to find more (ed, d) mappings specifically as follows:

assume that the set of (q, w) that has been found isWhereinCalculating from (B, A') to obtain a matrix pair (B)_r,A″_r) (ii) a Wherein B is_rIs composed of

A″_rIs composed ofIf for B_rColumn with unique difference_jCan be in A ″)_rIn which the same column is found_j′Then will (ed)_j,d_j′) Are added to the set C separately_newAnd C.

In this embodiment, the step S8 of finding more (ed, d) mappings specifically includes:

setting all matching behaviors 0 in B and A'; for all column columns in B that do not match_jRecalculating c_j＝column_jSum, and set VB_j[ct]＝c_j(ii) a Similarly, for all unmatched columns column in matrix A ″_j′Recalculate c'_j′＝column_j′Sum, and setting VA_j′[ct]＝c′_j′(ii) a If forEach VB in_jAll have a VA_j′So that VB_j＝VA_j′(j′∈S′_up) Then will be (ed)_j,d_j′) Are added to the set C separately_newAnd C in which S_up,S′_upThe set of indices for the unmatched columns in matrices B and a ", respectively.

In this embodiment, the step S9 of finding more (ed, d) mappings by using the matrix M and the matrix M' specifically includes:

the Occurence (C, M, M ', A') shown in FIG. 2 was run_map,B_map) The algorithm gets a set S 'of (ed, d) mappings and adds S' to the set C respectively_newAnd C; specifically, the method comprises the following steps: taking as input a known (ed, d) mapping set C, a matrix M, M ', M × n ' matrix A ' and a matrix B; first, the initialization S is set to {1},then, C' is set to C; finally, judging whether the set S is empty; if the set S is empty, outputting the set S and terminating the algorithm; if set S is not empty, setAnd for each unmapped d_j′(j′∈[n′]) Setting ED to unmapped ED_jIn which j ∈ [ n ]]，c′_j′＝c_j(ii) a For each ED in ED_jIf M is_j,k≠M′_j′,k′Will ed_jRemoval from the ED; if there is only one ED in the ED_jWill (ed)_j,d_j′) Adding to the set S and setting C ═ us ═ C ═ S; then, outputting the set S; if, there is not only one ED in the ED_jThe set S is directly output.

In this embodiment, ifOrStep S5 is executed; otherwise, executing step S11; the step S11 of outputting the detection result specifically includes:

if at least one of the set R of (q, w) maps and the set C of (ed, d) maps recovered by performing all the above steps is not empty, it indicates that the searchable encryption method cannot withstand LEAP attack and 0 is output. Otherwise, 1 is output.

Preferably, in the present embodiment, the symbols and definitions are as follows:

d: a file.

w: a key word.

ed: an encrypted file.

d_i: a specific file.

w_iA specific keyword.

ed_iA specific encrypted file.

q_iA specific query token.

T is an m x n matrix.

column_jThe jth column of the matrix T.

row_iI column of the matrix T.

column_jSum is the Hamming distance of the jth column of the matrix T.

row_i-sum: hamming distance in column i of matrix T.

F＝{d₁,...,d_n}: and (5) collecting files.

W＝{w₁,...,w_n}: a set of keywords.

F′＝{d_1′,...,d_n′}: the part of the file content exposed to the attacker, n' < n.

W′＝{w_1′,...,w_m′}: the attacker extracts partial keyword content from F ', and m' < m.

A': an m '× n' file-keyword matrix.

M: an n x n ed-occurrence matrix, wherein M_i,jRepresenting encrypted files ed_iAnd ed_jThe intersection of the query tokens.

M': an n ' x n'd-occurrence matrix, wherein M '_i,jPresentation document d_iAnd d_jThe intersection of the keywords.

C_new: the set of newly found (ed, d) mappings is recorded.

R_new: the set of newly found (q, w) mappings is recorded.

The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.