Password-authenticated searchable encryption
International Journal of Information Security (IF 3.2), Pub Date: 2020-11-22, DOI: 10.1007/s10207-020-00524-5
Liqun Chen, Kaibin Huang, Mark Manulis, Venkkatesh Sekar

We introduce Password Authenticated Searchable Encryption (PASE), a novel searchable encryption scheme where a single human-memorizable password can be used to outsource (encrypted) data with associated keywords to a group of servers and later retrieve this data through the encrypted keyword search procedure. PASE ensures that only the legitimate user who knows the initially registered password can perform these operations. In particular, PASE guarantees that no single server can mount an offline attack on the user’s password or learn any information about the encrypted keywords. The concept behind PASE protocols extends previous concepts behind searchable encryption by removing the requirement on the client to store high-entropy keys, thus making the protocol device-agnostic on the user side. In this paper, we model the functionality of PASE along with two security requirements (indistinguishability against chosen keyword attacks and authentication) and propose an efficient direct construction in a two-server setting whose security we prove in the standard model under the Decisional Diffie–Hellman assumption. Our constructions support outsourcing and retrieval procedures based on multiple keywords and allow users to change their passwords without any need for the re-encryption of the outsourced data. Our theoretical efficiency comparisons and experimental performance and scalability measurements show that the proposed scheme is practical and offers high performance in relation to computations and communications on the user side. The practicality of our PASE scheme is further demonstrated through its implementation within a JavaScript-based web application that can readily be executed on any (mobile) browser and remains practical for commodity user devices such as laptops and smartphones.




Updated: 2020-11-22