Privacy-Preserving Pattern Matching on Encrypted Data

. Pattern matching is one of the most fundamental and important paradigms in several application domains such as digital forensics, cyber threat intelligence, or genomic and medical data analysis. While it is a straightforward operation when performed on plaintext data, it becomes a challenging task when the privacy of both the analyzed data and the analysis patterns must be preserved. In this paper, we propose new provably correct, secure, and relatively eﬃcient (compared to similar existing schemes) public and private key based constructions that allow arbitrary pattern matching over encrypted data while protecting both the data to be analyzed and the patterns to be matched. That is, except the pattern provider (resp. the data owner), all other involved parties in the proposed constructions will learn nothing about the patterns to be searched (resp. the data to be inspected). Compared to existing solutions, the constructions we propose has some interesting properties: (1) the size of the ciphertext is linear to the size of plaintext and independent of the sizes and the number of the analysis patterns; (2) the sizes of the issued trapdoors are constant on the size of the data to be analyzed; and (3) the search complexity is linear on the size of the data to be inspected and is constant on the sizes of the analysis patterns. The conducted evaluations show that our constructions drastically improve the performance of the most eﬃcient state of the art solution.


Introduction
In several application domains such as deep-packet inspection and genomic data analysis, learning the presence of specific patterns as well as their positions in the data are essential.In the previous two use cases, pattern searches are often performed by entities that are not fully trusted by data owners.For instance, in the case of deep-packet inspection (DPI), a company that aims to outsource its network traces to a third party forensic scientist to find indictors of compromise might not be comfortable revealing the full contents of its traces to the forensic scientist.Similarly, in the case of genomic data analysis, a patient that wants to check whether its genome contains particular patterns representing a genetic predisposition to specific diseases might not be comfortable revealing the full contents of its genome to the laboratory that performs the analysis.
Existing solutions that may be used to overcome the previous problem rely mainly on searchable encryption based techniques [1][2][3][4][5][6].Unfortunately, these techniques suffer from at least one of the following limitations.First, the lack of support for pattern-matching with evolving patterns, such as virus signatures which are updated frequently (case of symmetric searchable encryption [2][3][4]); second, the lack of support for variable pattern lengths (e.g., tokenization-based techniques such as BlindBox [5]); third, the incompleteness of pattern detection methods which yield false negatives (case of BlindIDS [6]); and fourth, the disclosure of detection patterns (case of searchable encryption with shiftable trapdoors [1]).We provide a full comparison with related literature in Section 2.
In this paper, we propose two technically sound constructions: S 4 E supporting pattern matching of adaptively chosen and variable (upper bounded) lengths patterns on secret key encrypted streams, and AS 3 E supporting pattern matching of adaptively chosen and variable (upper bounded) lengths patterns on public key encrypted streams.Both S 4 E and AS 3 E ensure that (1) both the data owner and the third-party entity performing pattern matching operations will learn nothing about the searched patterns except their lengths, (2) both the pattern provider and the third-party entity that is going to perform pattern matching will learn nothing about the data to be analyzed except the presence or the absence of the set of unknown patterns (i.e., the third-party entity will not have access to patterns plaintexts), (3) the third-party entity will be able to perform pattern matching correctly over the data to be analyzed.From a practical point of view, our construction has some interesting properties.First, the size of the ciphertext depends only on the size of the plaintext (it is independent of the sizes and the number of analysis patterns).Second, the size of the issued trapdoors is independent of the size of the data to be analyzed.Third, the search complexity depends only on the size of the data to be analyzed and is constant on the size of the analysis patterns.The two constructions we propose in this paper are -to our knowledge -the first constructions to provide all previously mentioned properties without using costly and complex cryptographic scheme such as fully homomorphic encryption.The conducted evaluations show that the two proposed constructions improve by up to four orders of magnitude the performance of the most efficient state of the art solution SEST [1].
The paper is organized as follows.Section 2 reviews related work and details the main contributions of our work.Section 3 presents the assumptions under which our schemes achieve provable security.The intuition behind the proposed constructions is presented in Section 4. Section 5 and 6 formalize our S 4 E and AS 3 E primitives and provide their security results.In Sections 7 and 8, we discuss the complexity of our constructions and provide experimental results.Finally, section 9 concludes.

Related Work
One possible solution for pattern matching over encrypted traffic is to use techniques that allow evaluation of functions over encrypted data.Generic approaches such as fully homomorphic encryption (FHE) [7,9] and functional encryption (FE) [8] are currently impractical due to their very high complexities.
Several searchable encryption (SE) techniques have been proposed for keyword searching over encrypted data [2][3][4].The main idea is to associate a trapdoor with each keyword to allow searching for these keywords within a given encrypted data.Ideally, an entity which does not have access to the plaintext and encryption key should learn nothing about the plaintext except the presence or the absence of the keyword.For most existing SE techniques, searches are performed on keywords that have been pre-chosen by the entity encrypting the data.Such approaches are more suitable for specific types of searches, such as database searches in which records are already indexed by keywords, or in the case of emails filtering in which flags such as "urgent" are used.Unfortunately, SE techniques become useless when the set of keywords cannot be known before encryption.This is usually the case for messaging application and Internet browsing traffic where keywords can include expressions that are not sequences of words per se (e.g., /chamjavanv.inf?aapf/login.jsp?=).The two constructions we propose in this paper offer better search flexibility as, even after the plaintext has been encrypted, they can allow arbitrarily chosen keywords to be searched without re-encryption.
To overcome the previous limitations, tokenization-based approaches have been proposed.In [5], the authors propose BlindBox, an approach that splits the data to be encrypted into fragments of the same size l and encrypts each of those fragments using a searchable encryption scheme where each fragment will represent a keyword.Nevertheless, this solution suffers from two limitations: (1) it is useful only if all the searchable keywords have the same length l.Obviously the previous condition is seldom satisfied in real-world applications that requires pattern matching (e.g., DPI).If we want to use this approach with keyword of different lengths L, we should for each l i ∈ L, split the data to be encrypted into fragments of size l i and encrypt them, which quickly becomes bulky.(2) The proposed approach may easily cause false negatives since, even if the keyword is of size l (the size of each fragment), it cannot be detected if it straddles two fragments.Recently, in [6], Canard et al. proposed BlindIDS -a public key variant of the BlindBox approach [5] that additionally ensures keywords indistinguishability.That is, the entity that is going to search over the encrypted data will lean nothing about the keywords.Unfortunately, BlindIDS suffers from the same limitations as BlindBox.The two constructions we propose in this paper address the main drawbacks of these tokenization-based techniques since they allow for arbitrary trapdoors to be matched against the encrypted data, without false negatives or false positives.
Several approaches [10][11][12] proposed solutions for substring search over encrypted data based on secure multi-party computation.Unfortunately, to offer pattern matching operation, these solutions require often several interactions between the searcher and the data encrypter.
As pointed out in [1], anonymous predicate encryption (e.g., [13]) or hidden vector encryption [14] may provide a convenient solution for pattern matching over encrypted data.However, in order to search a pattern p of length l on a data of length n, the searcher should obtain n − l keys to be able to check the presence of p on every possible offset of the data, which is clearly a problem when dealing with large datasets.
One of the most interesting techniques for pattern matching over encrypted traffic is the searchable encryption with shiftable trapdoor (SEST) [1].The proposed construction relies on public-key encryption and bilinear pairings to overcome most of the limitations of previously mentioned techniques.It allows for patterns of arbitrary lengths to be matched against the encrypted data, without false negatives or false positives.This improvement comes at the cost of the practicability of the technique.In fact, the proposed schema requires a public key of size linear to the size of the data to be encrypted (a public key of 8000 GB is required for encrypting 1GB of data).Moreover, the trapdoor generation technique used by the SEST leaks many information (such as, the number of different characters, the maximum number of occurrences of a character) about the patterns to be searched.Furthermore, the number of pairings needed for testing the presence of a keyword in an offset of the data depends on the maximum number of occurrences of the characters contained in the keyword.This makes the proposed technique quite inefficient when used for bit level matching.By contrast, for testing the presence of a pattern in encrypted data, our constructions require a constant number of pairings in the size of the pattern (see Section 7 for more details).This makes our constructions more efficient when matching long keywords at bit level.
As we have seen, many different approaches can be used to address pattern matching over encrypted data.To give better understanding of the benefits of the two approaches we propose in this paper compared to existing ones, we provide in Table 1 a comparative overview of their asymptotic complexities, and their ability to ensure the security properties we are aiming to provide.Note that we only consider BlindBox (a symmetric searchable encryption-based solution), BlindIDS (an asymmetric searchable encryption-based solution), Predicate Encryption/Hidden Vector Encryption and the SEST approach.Other approaches, as explained before, require data re-encryption each time a new keyword is considered [2][3][4], induce higher complexity [7][8][9], require interactivity [10][11][12] or ensure weaker privacy level [4].
According to the Table 1, the two constructions we propose in this paper (S 4 E and AS 3 E) are the only primitives that simultaneously enable arbitrary trapdoors (with upper bounded keyword size), provides a correct keyword detection, and ensures the privacy of the used trapdoors.
In Table 1, () is used to denote that a property is provided under specific conditions.AS 3 E ensures trapdoor's privacy for patterns of high-min entropy (see Section 6 for more details).In addition, both S 4 E and AS 3 E support pattern Encryption keys size   1: Complexity and ensured security properties comparison between related work and our primitive.The scalars n, q, l i , L, s denotes respectively the length of the traffic to encrypt, the number of pattern to be searched, the length of each pattern, the number of different lengths among the q patterns to be searched and the number of data encrypters.We used () to denote that the property is provided under specific conditions.matching of arbitrary but upper bounded lengths patterns.As we show in Section 7, we stress that in both S 4 E and AS 3 E, increasing the upper bound size of patterns affects only the size of the trapdoor generated for each pattern.The size of later increases linearly with the increase of the size of the former.
The two constructions we propose do not require very large public parameters, secret key or very large public keys as SEST and PE/HVE.Moreover, their search complexities is lower than SEST by a factor of l i (the length of the pattern w i to be searched), since they are constant in the size of the pattern to be searched.Therefore, the proposed constructions are an interesting middle way which provides the best of PE/HVE and SEST while ensuring patterns' privacy.Their only limitation compared to PE/HVE and SEST is the upper bounded size of patterns to be searched that should be fixed before the data encryption, which we believe to be a reasonable price to pay to achieve all the other features.

Security Assumption
In this section, we describe the security assumptions under which our two constructions S 4 E and AS 3 E achieve provable security.
Definition 1 (Bilinear Maps).Let G 1 , G 2 , G T be three finite cyclic groups of large prime order p.We assume that there is an asymmetric bilinear map e : G 1 × G 2 → G T such that, for all a, b ∈ Z p the following conditions hold: As in [1], the security of the proposed constructions hold as long as G 1 = G 2 and no efficiently computable homomorphism exists between G 1 and G 2 in either directions.In the sequel, the tuple (G 1 , G 2 , G T , p, e(•, •)) is refereed to as a bilinear environment.
Some of the security proofs of the proposed constructions, given in the full version of this paper [22], rely partially on showing that given a number of pattern trapdoors, the adversary will be unable to distinguish a new valid trapdoor from a random element.Thus, the leakage can be bounded only by considering the adversary's query to the issuing oracle.Hence, either we considerably reduce the maximum length of the patterns to be searched (≤ 30), which allow to define a GDH instance providing all public parameters, the trapdoors for all possible patterns, and the challenge elements.Or we use an interactive variant of the GDH assumption to offer flexibility to the simulator by allowing the elements g xc) , and e(g, g) T (i) (x1,••• ,xc) of the GDH assumption [19] to be queried to specific oracles.
So, we prove the security of the proposed constructions under an interactive assumption.That is, we use a slightly modified General Diffie-Hellman (GDH) problem assumption [19] to allow the adversary to request the set of values on which the reduction will break the GDH assumption.This interactive aspect of the GDH instance we are considering reduces slightly the security of the construction we are proposing.However, this interactive assumption makes possible the definition of quite efficient constructions with interesting properties.First, the size of the ciphertext depends only on the size of the plaintext (it is independent of the sizes and the number of the analysis patterns).Second, the size of the issued trapdoors is independent of the size of the data to be searched.Third, the search complexity depends only on the size of the data and is constant on the sizes of the patterns to be matched.Attaining all previously mentioned properties while protecting both the data to be analyzed and the patterns to be matched and being able to handle arbitrary analysis pattern query is not obvious and may justify the use of such an interactive assumption.
Definition 2 (independence [19]).Let p be some large prime, r, s, t, c, and k be five positive integers and R three tuples of multivariate polynomials over F p .Let R (i) , S (i) and T (i) denote respectively the i-th polynomial contained in R, S, and T .For any polynomial f i,j } i=r,j=s i=1,j=1 , {ϑ We say that f is independent of < R, S, T > if f is not dependent on < R, S, T >.
Definition 3 (i-GDH assumption).Let p be some large prime, r, s, t, c, and k be five positive integers and R ) be secret vector and q r (resp.q s ) (resp.q t ) be the number of queries to O r (resp.O s ) (resp.O t ).The i-GDH assumption states that, given {g , and {e(g, g) As argued in [1], the hardness of the i-GDH problem depends on the same argument as the GDH problem which has already been proven in the generic group model [19].That is, as long as the challenge polynomial that we denote f is independent of < R, S, T >, an adversary cannot distinguish . The definition method of the content of the sets R,S, and T (by assumption or by the queries to oracles) does not fundamentally change the proof.

The Intuition
The intuition behind the proposed constructions relies on two observations.First, the number of analysis patterns is often very small compared to the quantity of data that are going to be analyzed, e.g., in a deep packet inspection scenario, the number of patterns provided by the SNORT intrusion detection system is 3734 [20].Second, the sizes of the detection patterns are also very small compared to the size of the traces to be analyzed (e.g., the largest pattern size used by SNORT is 364 Bytes).
For a data with alphabet Σ, the proposed constructions associate each element σ of Σ with a secret encoding (α σ , α σ ).They fragment the sequence of symbols that represents the data B as described in the Figure 1 in which Φ represents the number of symbols (i.e., the size) of each fragment and p max represents the largest number of symbols in a pattern.To allow the matching of patterns at any possible offset of the data to be searched, in the proposed constructions, we require that Φ ≥ 2 • (p max − 1).In the rest of the paper, we will use {x i } i=b i=a to denote the set of elements x i , i ∈ [a, b] and |B| to denote the number of symbol (i.e., the size) that compose |B|.
As illustrated by the Figure 1, the sequence of symbols where η = |B|/Φ (for simplicity we will suppose that |B| is a multiple of Φ).
Given an i ∈ [0, |B| − 1], in the rest of this paper, we will denote by i F the index of i inside the fragment F where A trapdoor for a pattern w = σ w,0 • • • σ w,l−1 will be associated with a set of polynomials where v i is a random secret scalar used to prevent new trapdoor forgeries and z a random scalar belonging to the secret key K s .The trapdoor generated for w consists then in the elements . Each of the previous elements will be used to check the presence of w at a specific index of the previously constructed fragments.
Meanwhile, the encryption of each symbol σ i is the tuple Then, if we want to test the presence of w at the index i, if i belongs to F (resp.F ), then we compare the bilinear mapping results of the elements C i F , . If w is not present, then the bilinear mapping results will be random-looking elements of G T which will be useless to the adversary for learning any information about the plaintext and/or the content of the tested pattern.

S 4 E Construction
In this section, we propose S 4 E, a construction that supports pattern matching of adaptively chosen and variable (upper bounded) lengths patterns on secret key encrypted streams.Before formalizing S 4 E, we present a use-case scenario on which S 4 E can be useful.

Usage Scenario
To cope with new and sophisticated cybercrime threats, new threat intelligence platforms such as [18] are relying on the collaboration between different involved entities that include, on one side, companies, organizations, and individuals that are targeted by cyber attacks, and on the other, security editors that are in charge of defining and providing strategies for effectively detect and prevent cyber attacks.To be useful, such platforms should, on one hand, be fueled by data owners, i.e., companies, organizations, and individuals that agree to share the traces (e.g., network and operating system traces) of the cyber attacks that they have suffered.On the other hand, the platform should allow the security editors to analyze (e.g., search specific patterns) and correlate the traces that are shared by the data owners.The considered threat intelligence platform is often managed by non-fully trusted third-party service provider (SP) which provides the required storage space and computation power with affordable cost.
Unfortunately, both data owners (i.e., attack traces owners) and security editors are still very reluctant for adopting such kind of threat intelligence platforms because of two main reasons.First, the traces to be shared contain often highly sensitive information that may raise serious security and/or business threats when disclosed to non-fully trusted third parties (e.g, SP).Second, the shared traces analysis rely mainly on techniques that use pattern matching for inspecting and detecting malicious behaviors.Those analysis patterns are the result of extensive threat intelligence conducted by security editors.They are often put forward as a key competitive differentiator arguing that they can cover a wider set of malicious behaviors.Thus, security editors are typically reluctant to share their analysis patterns with non-fully trusted third-parties.
The S 4 E construction can be used to overcome the previous two limitations by building a platform that is (1) market compliant meaning that both the data owner and the third-party entity performing the pattern matching operations will learn nothing about the patterns to be used by security editors for analyzing the shared traces (as proved by Theorem 4), and (2) privacy-friendly, signifying that (2.1) the third-party entity performing pattern matching will learn nothing about the shared data except the presence or the absence of a set of unknown analysis patterns, and (2.2) the pattern provider will learn no more than the indexes on which the searched pattern exists (as proved by Theorem 2).

Architecture
The architecture considered for the S 4 E construction involves three parties: the data owner (DO) representing the entity that holds the data to be analyzed (e.g., the network traces in the case of DPI), the pattern provider (PP) representing the entity that supplies the patterns that will be matched, and the service provider (SP) are stakeholders that offer computation infrastructures that will be used to perform the pattern matching operations on the data to be analyzed.To test the presence of a pattern on DO's data, PP starts by generating collaboratively with DO a trapdoor for the pattern to be matched.Then, PP sends the generated trapdoor to SP who performs the matching operation and notifies the PP with the results (i.e., the presence of the patterns as well as their corresponding positions in the DO's data).

Security Requirements and Hypothesis
PP, DO, and SP are considered in S 4 E as Honest-but-curious entities.First, we expect PP to provide valid patterns allowing an effective analysis of DO's shared data.This a fairly reasonable assumption since a pattern provider (e.g., a security editor in the case of DPI or a laboratory in the case of genomic data analysis) will not defile its reputation by issuing incorrect or misleading analysis patterns.Otherwise, this will result in many false positives, which may considerably degrade the quality of the analyses that will be provided to the DO.Nevertheless, we expect the PP to be curious: it may try to derive information about the analyzed data by accessing the data analyzed by the SP and/or the pattern matching results returned by the SP.
Second, we suppose that SP will perform the pattern matching operations honestly over the DO's data using the analysis patterns provided by PP.However, we suppose that SP may try to learn additional information about either or both the DO's outsourced data and the analysis patterns provided by PP.In addition, we assume that the SP that may try to create values by analyzing other third-parties data using the set of patterns provided by PP for the analysis of DO's outsourced data.
Third, we suppose DO to follow honestly the S 4 E protocol.However, we expect that he/she may try to learn additional information about the patterns provided by PP for analyze his/her data.
In addition, we suppose that (i) SP and PP will not collude to learn more information about the traffic, and (ii) SP and DO will not collude to learn more information about the patterns to be searched.We believe that these two last assumptions are fairly reasonable since, in a free market environment, an open dishonest behavior will result in considerable damages for involved entities.
Finally, we require S 4 E to provide correct results.That is, (1) any part of DO's data that matches one of PP's patterns when not encrypted must be matched by S 4 E (no false negatives), and (2) we require that for any traffic that does not match any of the PP's analysis patterns when not encrypted, the probability that S 4 E returns a false positive is negligible.

Definition of S 4 E
S 4 E is defined using five algorithms that we denote Setup, Keygen, Encrypt, Issue, and Test.The first three algorithms are performed by DO, the Issue algorithm is performed collaboratively by DO and PP, and the Test algorithm is performed by SP.
-Setup(1 λ , Φ, p max ) is a probabilistic algorithm that takes an input a security parameter λ, the fragmentation size to be used Φ, and the maximum size of a pattern p max .It returns the public parameters params.-Keygen(params, Σ) is a probabilistic key generation algorithm that takes as input the public parameters params and a finite set Σ representing the alphabet to be used for representing the data to be searched and the pattern to be matched.It outputs a secret key K s and a trapdoor generation key K t .The latter will be sent to PP using a secure channel.-Encrypt(params, K s , B) is a probabilistic algorithm that takes as input the public parameters params, the secret key K s , and a finite sequence (string) of elements B of Σ of size n.It returns a ciphertext C. -Issue(params, K s , K t , w) is a probabilistic algorithm executed interactively between PP and DO.It takes as input the public parameters params, the secret key K s , the trapdoor generation key K t , and w -a sequence of elements of Σ of length smaller or equal to p max , and returns a trapdoor td w .-Test(params, C, td w ) is a deterministic algorithm that takes as input the public parameters params, a ciphertext C encrypting a sequence of m elements and the trapdoor td w for the sequence of Σ's elements of length l, w = σ w,0 • • • σ w,l−1 .This algorithm is executed interactively between PP and SP.The former provides the trapdoor td w and the latter executes the algorithm and returns the set of indexes I ⊂ {0, m−l−1} where for each i ∈ I, We note that the sizes of the elements defined in the previous algorithms, i.e., the size of the data to be analyzed B, the size of the pattern to be searched w, and the largest analysis pattern size p max refer to the number of symbols of Σ that compose each element.In addition, we note that S 4 E does not consider a decryption algorithm since there is no need for decrypting the outsourced data.However, we stress that a decryption feature can be straightforwardly performed by issuing a trapdoor for all characters σ ∈ Σ and running the Test algorithm on the encrypted data for each of them.

S 4 E's Security Requirements
As said in Section 5.3, there are mainly 4 security requirements that should be satisfied by our construction: Trace indistinguishability for both PP and SP, pattern indistinguishability for both DO and SP, trapdoor usefulness (i.e., the trapdoors are useful only to search DO's data), and the correctness property.
In the following, we use the game-based security definition proposed in [1] for trace indistinguishability by adapting the standard notion of IND-CPA which requires that no adversary A (e.g., PP or SP), even with an access to an oracle O s that issues a trapdoor td pi for any adaptively chosen pattern p i , can decide whether an encrypted trace contains T 0 or T 1 as long as the trapdoors {td pi } issued by O s do not allow trivial distinction of the traces T 0 and T 1 .We note that we consider the quite standard selective security notion [16].This notion requires the adversary to choose and commit T 0 and T 1 at the beginning of the experiment, before seeing params.
Definition 4 (Data indistinguishability).Let λ be the security parameter, Σ be the alphabet to be used, A be the adversary and C be the challenger.We consider the following game that we denote Exp S 4 E D IN D CP A A,β : (1) Setup: C executes Setup(1 λ , Φ, p max ) to generate params and the algorithm Keygen(params, Σ) to generate the keys K s and K t .Then it sends params to the adversary.(2) Query: A can adaptively ask O s for the trapdoor td wi for any pattern w i = σ i,0 • • • σ i,li−1 where σ i,j ∈ Σ.We denote W the set of patterns submitted by A to O s in this phase.(3) Challenge: Once A decides that Phase (2) is over, it chooses two data streams , and j such that: We define A's advantage by Adv We note that in the previous definition, the restriction used in phase (3)(a) ensures that if one of the data streams T k contains a pattern w i ∈ W in the position j, then this is also the case for T 1−k .If such a restriction is not used, A will trivially win the game by running T est(params, C, td wi ).
We want to be able to evaluate the advantage of the SP for using the issued trapdoors to analyze other third-parties' data (i.e., data that are not provided and encrypted by DO).Since encrypted data and trapdoors should be created using the same secret key K s (the trapdoor generation key K t is created using K s ), such an advantage is equivalent to the ability of the SP to forge valid DO's encrypted data.
Definition 5 (Encrypted Data Forgery).Let λ be a security parameter, Σ be the alphabet to be used, A be the adversary, C be the challenger, O s be an oracle that issues a trapdoor for any adaptively chosen pattern, and O r be an oracle that encrypts any adaptively chosen data.We consider the following Exp S 4 E EDF A game: (1) Setup: C executes Setup(1 λ , Φ, p max ) to generate params and the algorithm Keygen(params, Σ) to generate the keys K s and K t .Then it sends params to the adversary.(2) Query: -A can ask O s for issuing the trapdoor td wi for any adaptively chosen pattern where σ i,j ∈ Σ.We denote W the set of patterns submitted by A to O s in this phase.-A can adaptively ask O r to create C T = Encrypt(params, K s , T ).We denote T the set of datasets encrypted by the O r .
(3) Forgery: The adversary chooses the dataset T * / ∈ T such that T * contains w (w ∈ W) at index i and forges the encrypted dataset C T * of T * .
We define A's advantage of winning the game Exp S The following definition formalizes the patterns indistinguishability property for SP.That is, we evaluate the advantage of the SP to decide whether a trapdoor encrypts the pattern w * 0 or w * 1 even with an access to an oracle O s that issues a trapdoor for any adaptively chosen pattern.
Definition 6 (Pattern Indistinguishability to SP).Let λ be the security parameter, Σ be the alphabet to be used, A be the adversary and C the challenger.We consider the following game that we denote Exp In addition, we aim to evaluate the advantage of DO for deciding whether a trapdoor encrypts the patterns w * 0 or w * 1 even with an access to an oracle O s that plays the role of PP and perform the issue algorithm for any adaptively chosen pattern.The following definition formalizes the pattern indistinguishably property for DO.
Definition 7 (Pattern Indistinguishability to DO).Let λ be the security parameter, Σ be the alphabet to be used, A be the adversary and C the challenger.We consider the following game that we denote Exp S 4 E P IN D CP A A DO ,β : (1) Setup: C executes Setup(1 λ , Φ, p max ) to generate params and the algorithm Keygen(params, Σ) to generate the keys K s and K t .Then it sends params to the adversary.(2) Query: A can ask O s to play the role of PP in the issue algorithm for any adaptively chosen pattern w i = σ i,1 • • • σ i,li where σ i,j ∈ Σ.We denote by W the set of patterns chosen by A in this phase.(3) Challenge: Once A decides that Phase (2) is over, it chooses two patterns ∈ W and sends them to C. The latter chooses a random β ∈ {0, 1}, and plays the role of PP in the issue algorithm to generate a trapdoor for w * β .(4) Guess: A outputs the guess β .( 5) Return (β = β ).
We define the advantage of the adversary A for winning We say that S 4 E provides pattern indistinguishability if it is pattern indistinguishable to both DO and SP.
be respectively the data to be analyzed and the pattern to be matched.S 4 E is correct iff the following conditions hold: (i) P r[i ∈ T est(params, Encrypt(params, B, K s ), Issue(params, K s , K t , w))] = 1 if B contains p at index i.(ii) P r[i ∈ T est(params, Encrypt(params, B, K s ), Issue(params, K s , K t , w))] is negligible if B does not contain w at index i.
Condition (i) of the previous definition ensures that the Test algorithm used by S 4 E produces no false negatives.Condition (ii) ensures that false positives (i.e., the case in which Test algorithm returns i notwithstanding the fact that only occur with negligible probability.

A trivial Protocol
A trivial attempt for defining a construction that ensures all of the security requirements we defined in Section 5.3 would consist of modifying the most efficient state of the art solution SEST [1] towards a secret key based-construction as described in the following algorithms.The Setup, Keygen, and Encrypt algorithms are to be performed by the DO.The Issue algorithm will be performed collaboratively by the DO and the PP, while the Test algorithm will be performed by the SP.
-Setup(1 λ , n): -Keygen(params,Σ): On input of the alphabet Σ, this algorithm selects where C i = g a•z i and C i = g a•ασ i •z i .-Issue(params, w, K s ) issues a trapdoor td w for a pattern w = σ w,0 , • • • , σ w,l−1 of length l ≤ n as described in Algorithm 1.We denote by L the array that will be used to store random scalars that will be used to encode each symbol of the pattern w, and by I the array of sets representing the indices of symbols in w that are encoded using the same random scalar.Actually, a random scalar can be re-used as long as it has not been used to encode the same symbol.That is, L[i] is the random scalar to use with the (imperatively distinct) symbols at indices I i of w.
, and checking for all j ∈ [0, n − l] if the following equation holds: We can prove the correctness, the data indistinguishability, and encrypted data unforgeability properties by following the same strategies as in [22] (Sections A.1, A.2, and A.3). Unfortunately, this construction inherits the three main limitations of the SEST construction.First, the size of the public parameters params is linear to the size of the data to be analyzed (which may be very large).Second, the pattern indistinguishability requirement cannot be satisfied since the Issue algorithm (Algorithm 1) leaks many information (such as, the number of different symbols and the maximum number of occurrences of a symbol) about the pattern to be matched.Third, searching the presence of a pattern w is linear to the maximum number of occurrences of each symbol in w, which makes this construction impractical for matching small alphabet based patterns (e.g., bit, or hexadecimal patterns).
-Keygen(params, Σ): On input of the alphabet Σ, this algorithm selects z

and computes and adds
to params.It returns the secret key K s = {r, z, {α σ , α σ } σ∈Σ } and the trapdoor generation key ,σ∈Σ which will be sent to PP using a secure channel.
-Encrypt(params, B, K s ): it starts by fragmenting where as described in the following algorithm.
Algorithm 2: Encrypt -Issue(params, K s , K t , w) issues a trapdoor td w for the sequence of symbols w = σ w,0 , • • • , σ w,l−1 of length l < p max as described in the following: and sends it to DO.
and sends it to PP.
α σw,j • α i+j σw,j • z j -Test(params, C, td w ) tests whether the encrypted data C contains w using the following algorithm.It returns the set I of indexes i in which w exists in C.
We note here that the size of the ciphertext produced by the Encrypt algorithm does not depend on the set of patterns to be used but depends only on the size of data to be encrypted.In addition, our Issue and Test algorithms allow to search an arbitrary (upper bounded size) and unforgeable (without the knowledge of the secret key K s ) patterns.The sizes of those trapdoors do not depend on the size of the data to be encrypted but only on the size of the data fragment (around the double of the maximum size of a pattern).Finally, we underline that the elements { g vi } Φ−l−1 i=0 of a trapdoor td w will not be accessible to the DO, since the trapdoor is to be used only between PP and SP in the Test algorithm to match the pattern w on the encrypted data.

S 4 E's Security Results
In this section, we prove that the S 4 E construction described in Section 5.7 provides the security requirements we described in Section 5.3.The proofs of the following theorems are provided in the full version [22].
Theorem 1. S 4 E is correct.
Theorem 2. S 4 E is trace indistinguishable under the i-GDH assumption.
Theorem 3. S 4 E is encrypted data forgery secure under the i-GDH assumption.
Theorem 4. S 4 E is pattern indistinguishable under the i-GDH assumption.

AS 3 E Construction
The S 4 E construction, introduced in Section 5, allows for pattern matching on symmetrically encrypted data.In this section we show that the data fragmentation approach we propose in Section 4 can also be used to build AS 3 E: a pattern matching of upper bounded length keywords on asymmetrically encrypted stream.In particular, we show in Section 7 that considering the same system and threat model as the most efficient state of the art solution SEST [1], AS 3 E is far more practical than SEST as it reduces (1) considerably the size of public keys and (2) slightly the search complexity while increasing the size of ciphertext only by a factor of 2.

Architecture
AS 3 E involves four roles: Pattern Provider (PP), Service Provider (SP), a sender, and a receiver.PP and SP are the same two entities we used in the S 4 E construction.That is, PP is the entity that supplies the patterns that will be searched, and the Service Provider SP are stakeholders that offer computation infrastructures that will be used to perform pattern matching operations on the data to be analyzed.The role sender is used to represent the entities that are going to generate the data that is going to be analyzed (e.g., a website that provides web contents).The role receiver represents the entities that will receive and process the traffic sent by the sender.The receiver and the sender roles are interchangeable.That is, within the same secure network connection session, each end-point may play both the sender and the receiver roles.In this context, we suppose that the receiver want to analyze the data (e.g., to detect malicious contents) to be sent by the sender before using it.In AS 3 E, we require that the sender and the receiver will not collaborate together, otherwise, they could use a secure channel that is out of reach for the SP.This scenario should not be considered as a limitation of AS 3 E since, in such scenario pattern matching cannot be provided by SP even in the context of a plaintext traffic.

Security Requirements and Hypothesis
We consider the same hypothesis for the two entities PP and SP as in our S 4 E construction.That is, PP and SP are considered to be honest-but-curious entities.Specifically, PP is supposed to provide valid patterns that allow SP to effectively analyze the data generated by the sender while SP is supposed to perform correctly the matching between the patterns provided by PP and the sender 's data.Nevertheless, we expect PP and SP to be curious as the former may try to learn information about the sender's data and the latter may try to get additional information about both the patterns provided by PP and the sender's data.
Moreover, we expect the receiver to be honest-but-curious.That is, he/she will correctly follow AS 3 E's protocol.However, he/she may try to learn more information about the patterns that are provided by PP.
In addition, we suppose that the receiver and SP will not collude to learn more information about the patterns provided by PP.Otherwise, they could easily mount a dictionary attack.Again, we believe that this last assumption is fairly reasonable since an open dishonest behavior will result in considerable damages for both entities.
Finally, as in S 4 E, the pattern matching functionality provided by AS 3 E should be correct in a way that (1) any traffic that matches a least one of the analysis patterns provided by PP when not encrypted must be detected as malicious traffic by our construction, and (2) the probability that our construction returns a false positive for any traffic that does not match any of the PP's analysis patterns when not encrypted is negligible.

Definition of AS 3 E
Similarly to the S 4 E construction, we used five algorithms to define our construction: Setup, Keygen, Encrypt, Issue, and Test.The algorithms Setup and Keygen are performed by the entity playing receiver role.The Issue algorithm is performed collaboratively by the receiver and the PP.The Encrypt algorithm is performed by the sender while the Test algorithm is performed by SP.
-Setup(1 λ , Φ, p max ) is a probabilistic algorithm that takes as input a security parameter λ, the fragmentation size to be used Φ, and the maximum size of a pattern p max .It returns the public parameters params which will be an implicit input to all other algorithms.-Keygen(Σ) is a probabilistic algorithm that takes as input a finite set of symbols Σ representing the alphabet (e.g., bit symbols, byte symbols) used to represent the data to be analyzed.It returns the keys K s , K p , and K t , where K s is private and known only to the receiver, K t is know only to PP, and K p is public.-Encrypt(B, K p ) is a probabilistic algorithm that takes as input the data to be encrypted B along with the public key K p and returns a ciphertext C.
-Issue(K s , K t , w) is a probabilistic algorithm performed collaboratively by the receiver and the PP.It takes as input the receiver 's private key K s , the trapdoor generation key K t , and a pattern w of length l (l ≤ p max ) and returns a trapdoor td w .-Test(C, td w ) is a deterministic algorithm that takes as input a ciphertext C encrypting a data stream B along with a trapdoor td w for a pattern w and returns the set of indexes at which the pattern w occurs in B.
Similarly to the S 4 E construction, we omit the decryption algorithm in the previous description since we focus mainly on providing arbitrary universal3 pattern matching over encrypted traffic.The decryption functionality can be easily added by encrypting the data stream B under a conventional encryption scheme.

Security Model
For the AS 3 E construction, there are mainly three security requirements that should be satisfied: the traffic indistinguishability to SP and PP, the pattern indistinguishability to SP and the receiver, and the correct detection requirements.We note that, similarly to our S 4 E construction, we consider the selective security notion [16].In the following, we denote by O s a trapdoor-issuing oracle that can be queried to create a trapdoor for any pattern.
The following definition states that it is not feasible for the SP or PP to learn any information about the content of the traffic more than the presence or the absence of the patterns to be matched.

Definition 9 (Trace indistinguishability).
Let λ be the security parameter, Σ be the alphabet to be used, A be the adversary and C be the challenger.We consider the following game that we denote Exp AS 3 E T IN D CP A A,β : (1) Setup: C executes Setup(1 λ , Φ, p max ) to generate params and Keygen(Σ) to generate K s , K t , and K p .Then it sends params, K p , and K t to A. (2) Query: A can adaptively query O s to create a trapdoor td wi for any adaptively chosen pattern w i = σ i,0 • • • σ i,li−1 where σ i,j ∈ Σ.We denote W the set of patterns submitted by A to O s in this phase.(3) Challenge: Once A decides that Phase (2) is over, it chooses two data streams , and j such that: , and sends it to A.
We define A's advantage by The pattern indistinguishability property informally requires that it is not feasible for an adversary (the SP or the receiver ) to learn any information about the detection patterns.Since our construction is a public-key based scheme, we need to take into consideration the fact that an adversary can create any traffic of its choice using the public key K p .In this case, an adversary can mount a brute force attack on PP's patterns by adaptively creating as much traffic as needed to understand the logic behind them.However, a pattern matching-based solution over plaintext or public-key encryption ciphertext cannot resist such an attack, and therefore, it should not be considered in the security model of AS 3 E. Hence, for AS 3 E, the pattern indistinguishability property requires that the adversary A will not learn more information than what is provided as output to the Test algorithm.Formally, we use the high-min entropy property [17] which informally states that A cannot obtain the patterns "by chance".
Definition 10 (min-entropy).Given a set of detection patterns W,and a ran- A is said to have high-min entropy if it has min-entropy µ with µ(λ) ∈ ω(log(λ)).
In the experiment Exp AS 3 E P IN D A SP =(A f ,Ag),β (Definition 11), we define the security notion AS 3 E P IN D for an adversary A SP = (A f , A g ) (A f and A g are non colluding entities, as in e.g., [17,6]) with high-min entropy, that can create any traffic of its choice.
Definition 11 (Pattern indistinguishability to SP).Let λ be the security parameter, Σ be the alphabet to be used, A SP = (A f , A g ) be the adversary and C be the challenger.We consider the following game that we denote Exp AS 3 E P IN D A SP =(A f ,Ag),β : (1) Setup: C executes Setup(1 λ , Φ, p max ) to generate params and Keygen(Σ) to generate K s , K t , and K p .Then it sends params and K p to A SP .(2) Query: A SP can adaptively query O s to create a trapdoor td wi for any pattern ,σ∈Σ , the private key K s = {r, α σ , α σ , z} σ∈Σ , and the trapdoor generation key where i=1 as described in the following algorithm.
) issues a trapdoor td w for the sequence of symbols w = σ w,0 , • • • , σ w,l−1 of length l < p max .AS 3 E uses the same Issue algorithm as S 4 E except that DO will be replaced by the receiver.-Test(C, td w ) tests whether the encrypted traces C contains the sequence of symbols w.It returns the set I of indexes i in which w exists in C. The Test algorithm is the same as described for the S 4 E construction (Algorithm 3).

AS 3 E Security Results
This section presents the security results of AS 3 E.The proofs of the following theorems are given in the full version of this paper [22].
Theorem 5. AS 3 E is correct.
Theorem 6. AS 3 E is trace indistinguishable under the i-GDH assumption.
Theorem 7. AS 3 E is pattern-indistinguishable to SP for patterns of high minentropy under the i-GDH assumption.
Theorem 8. AS 3 E is pattern-indistinguishable to the receiver under the i-GDH assumption.

The complexity
We evaluate the practicability of S 4 E and AS 3 E regarding several properties: the sizes of the public parameters for S 4 E, public keys for AS 3 E, the trapdoor generation key, the ciphertext, the trapdoor, and the encryption and search complexities.Let Φ be the size of a fragment, p max be the maximum size of a pattern, n be the total number of symbols in the data to be analyzed.Note that S 4 E and AS 3 E share the same sizes for the ciphertext, the trapdoor generation key, the trapdoors, and the same complexities for trapdoor generation, encryption, and search operations.
The size of the public parameters used in S 4 E: The public parameters params used in the S 4 E construction contain Φ elements of G 1 which represents 32 × Φ bytes using Barreto-Naehrig (BN) [15].
The size of the public keys used in AS 3 E: The public key K p used in the S 4 E construction contains 2 × Φ elements of G 1 which represents 64 × Φ bytes using BN.We underline that the size of the required public key is independent of the size of the data to be analyzed n and depends only on the maximum size of a pattern p max (n Φ ≥ 2 × (p max − 1)).Hence, compared to the most efficient state of the art solution SEST, AS 3 E reduces considerably the size of the required public key.To illustrate, if we suppose that 1G of data is to be analyzed using a set of patterns, each composed of at most 10000 bytes, SEST requires a public key of size 32 × (1 + 256) × 10 9 bytes 8000 GB while AS 3 E requires a public key of size 20000 × 64 bytes 1.20 MB.
The size of the pattern generation key K t : For both S 4 E and AS 3 E, K t contains Φ × p max × |Σ| elements of G 2 .A key allowing to generate trapdoors for a binary pattern of length l ≤ 1000 will have a size equals to 128 MB.
The size of the ciphertext: In the worst case (i.e., Φ = 2 × (p max − 1)), each symbol is represented by 4 elements of G 1 .Thus, encrypting n symbols requires 128 × n bytes, while SEST produces a ciphertext of size 64 × n bytes using BN.
The upper bound size of patterns: The upper bound size p max of the patterns that can be searched by S4 E and AS 3 E depends Φ (p max = Φ/2 − 1).Increasing p max will increase linearly the trapdoor's sizes and generation complexity.However, it will not affect any of the other properties of S 4 E and AS 3 E.
Encryption complexity According to the Encrypt algorithm (Algorithm 2), in the worst case (i.e., Φ = 2 × (p max − 1)), encrypting a sequence of n symbols using S 4 E requires 10 × n exponentiations in G 1 .In case in which n is large (i.e., n Φ and n |Σ|), the previous complexity can be reduced by pre-computing {g α σ •(ασ•z) i , g z i } i=Φ−1 i=0,σ∈Σ .Then for each symbol to encrypt, the encryptor needs only to perform four exponentiations: (g α σ •(ασ×z) i F ) a , (g z i F ) a , (g α σ •(ασ×z) i F ) a , and (g z i F ) a which reduces the overall complexity to Φ × |Σ| + 4 × n exponentiations in G 1 .As for AS 3 E, encrypting a sequence of n symbols requires 2 × n exponentiations in G 1 .
Search complexity: According to the Test algorithm (Algorithm 3), searching a pattern of size l on a sequence of symbols of size n requires nl − l 2 multiplications on the group G 1 and 2 × (n − l) pairings.In fact, the Test algorithm verifies the presence of a pattern (using its associated trapdoor) in each possible offset in the data to be analyzed.Let us denote by s 0 and s 1 the two sequences of symbols of length l to be analyzed to check the presence of a pattern in offsets 0 and 1 respectively of the fragment F i (resp.F i ).Checking the presence of the pattern in the offset 0 requires the computation of l−1 i=0 C i (resp.l−1 i=0 C i+1 ).Obviously, for the offset 1, we can avoid the recomputation of l−1 i=1 C i since it has already been computed for the offset 0. Following the previous observation, searching a pattern of length l on a sequence of symbols of length n requires only n multiplications and n divisions on the group G 1 , and 2 × (n − l) pairings.Considering the fact that l n, we can upper bound the search complexity by n multiplications, n divisions and 2n pairings.Finally, we note that pairing operations can be implemented very efficiently [21] and that our Test procedure is highly parallelizable.

Empirical Evaluation
In this section, we experimentally evaluate the performance of S 4 E and AS 3 E 4 .We implement the two constructions using the RELIC cryptographic library [21] over the 254-bits BN curve 5 .For all conducted experiments, we used real network traces as the data to be encrypted and analyzed, and we (pseudo) randomly generated the analysis patterns to be searched.In addition, since in both S 4 E and AS 3 E, the encryption and the trapdoor generation algorithms are to be performed by entities (data owners in case of S 4 E or data sender in case of AS 3 E) which may not have a large computation power, we run both the trapdoor generation and the encryption algorithms tests on an Amazon EC2 instance (a1.2xlarge) running Linux with an Intel Xeon E5-2680 v4 Processor with 8 vCPU and 16 GB of RAM.In contrast, as the search operations are performed by SP which is supposed to have a large computation power, we run search experiments on an Amazon EC2 instance (m5.24xlarge) running Linux with an Intel Xeon E5-2680 v4 Processor with 96 vCPU and 64 GB of RAM.
In our empirical evaluation, we aim to quantify the following characteristics of the proposed constructions: -The time required to generate a trapdoor and its corresponding size as a function of the size of the largest analysis pattern p max that can be searched.-The time taken to encrypt a data stream as a function of its size (i.e. the size of the sequence of symbols that composed the data to be encrypted), the fragmentation size Φ and the size of the considered alphabet.-The time needed to perform a pattern matching query as a function of the size of the data to be queried and the size of the patterns to be searched.Trapdoor generation.Fig. 2 describes the time required for issuing a trapdoor for a pattern w as a function of its length (Fig. 2 (a)) as well as the size Φ of data a data fragment (Fig. 2 (b)).According to our experiments, issuing a trapdoor for a pattern of 5000 symbols take 1.4 second.In addition, the sizes of the generated trapdoors are relatively small (256 KB for a pattern of 4000 symbols and a fragmentation size of 10000 symbols).
Encryption time.According to Section 7, the duration of an encryption operation depends mainly on the number of symbols in the data to be encrypted n but also on the fragmentation size Φ and the size |Σ| of the considered alphabet Σ.Table 2 reports the time needed to encrypt a data stream fragmented in chunks, each containing 1000 bits (Φ = 1000 and Σ = {0, 1}), as a function of the data stream length n. 6   As we noted in Section 4, the fragmentation size Φ and the considered alphabets are important parameters in our construction.The former directly influences the size of the largest analysis pattern that can be searched over the encrypted data since the bigger the size of the fragments are, the bigger the size of the supported analysis patterns could be.The latter parameter determines the type of search that can be performed by our construction.In Fig. 3, we compute the time required for the encryption of a data stream composed of 10 5 symbols as a function of the fragmentation size Φ and the type of the considered symbols.We consider three types of alphabets: binary, hexadecimal, and base 256 (i.e., ASCII alphabet) where each symbol is represented respectively in 1, 4 and 8 bits.For Φ, we consider 3 different fragment sizes: 10 3 , 10 4 , and 10 5 symbols.
As illustrated in Fig. 3, the time required for encrypting a dataset composed of 10 5 symbols increases only by a factor of 0.02 (from 3,04 to 3,2 seconds) when increasing the size of the fragments by a factor of 100 (from 10 3 to 10 5 ) and increasing the size of the considered alphabet by a factor of 128 (from a base 2 alphabet where Σ = {0, 1} to a base 256 alphabet where Σ = {0, 1, • • • , 255}).The previous results show that the increase of the size of supported patterns and the size of the considered alphabet affects very little the encryption time required by the proposed constructions.
Search time.As shown in Section 7, the complexity of the search operation depends mainly on the number of encrypted symbols n that compose the data to be analyzed.Fig. 4 describes the time required for searching a pattern as a function of the number of encrypted symbols in the data to be analyzed.The conducted evaluations show that the average search throughput of our construction is 139078 symbols per second with a multi-threaded implementation 7 .Thus, if an ASCII (resp.binary) alphabet is considered, the search throughput is 139 KB (resp.Kb) per second.) compares the time needed for both our and the SEST (both its asymmetric [1] and symmetric (Section 5.6) variants) constructions to test the presence of a pattern of bytes (resp. of bits) in a 10 MB (resp.Mb) dataset as a function of the length of the pattern to be searched.In both bit and byte searches, our construction drastically reduces the search time compared to SEST.This is because that our Test algorithm is constant on the size and on the content of the searched pattern which is not the case for SEST.

Conclusion
In this work, we introduced two new provably correct and secure constructions S 4 E and AS 3 E. S 4 E (resp.AS 3 E) supporting pattern matching of adaptively chosen and variable (upper bounded) lengths patterns on secret key (resp.public key) encrypted streams.The proposed constructions have several interesting properties.First, they ensure data and pattern indistinguishability meaning that the entity that is going to perform pattern matching will learn nothing about the patterns to be searched as well as the data to be inspected, except the presence or the absence of a set of "unknown" patterns (since the entity charged to perform pattern matching will not have access to the patterns plaintexts).Second, the size of the ciphertext is linear to the size of the plaintext and is constant on the sizes and the number of analysis patterns.Third, the size of the issued trapdoors is constant on the size of the data to be analyzed.Finally, the search complexity is linear to the size of the trace and is constant on the size of the analysis patterns.The proposed constructions can be useful for other application scenarios such as subtrees search and searching of structured data.
To prove the security of the two proposed schemes, we used a slightly modified GDH assumption where the adversary is allowed to choose on which input to play the GDH instance.This relatively minor modification of the GDH assumption allow to define constructions that offer an interesting compromise between the secure and quite costly solutions and the fast and unsecure solution where the data has to be decrypted by the third-party entity that performs the pattern matching.
4 E EDF A by Adv Exp S 4 E EDF A (λ) = P r[i ∈ T est(params, C T * , td w )].S 4 E is said to be encrypted data forgery secure if Adv Exp S 4 E EDF A (λ) is negligible.

l− 1 i=0
C i ) while checking the presence of the pattern in offset 1 requires the computation of l−1 i=0 C i+1 (resp.

Fig. 3 :
Fig. 3: Time required for encrypting 10 5 symbols as a function of Φ and Σ

Fig. 4 :
Fig.4: required for searching a pattern as a function of the number of encrypted symbols in the data to be analyzed

Fig. 5 :
Fig. 5: Timing comparison for testing the presence of a pattern in a string of 10 7 symbols as a function of the pattern size

Table
three tuples of multivariate polynomials over F p .Let O r , (resp.O s and O t ) be oracle that, on input {{a

Table 2 :
. Encrypting time as a function of n