In this paper, we consider a setting where a client wants to outsource storage of a large amount of private data and then perform substring search queries on the data – given a data string s and a search string p, find all occurrences of p as a substring of s. First, we formalize an encryption paradigm that we call queryable encryption, which generalizes searchable symmetric encryption (SSE) and structured encryption. Then, we construct a queryable encryption scheme for substring queries. Our construction uses suffix trees and achieves asymptotic efficiency comparable to that of unencrypted suffix trees. Encryption of a string of length n takes O(λn) time and produces a ciphertext of size O(λn), and querying for a substring of length m that occurs k times takes O(λm+k) time and three rounds of communication. Our security definition guarantees correctness of query results and privacy of data and queries against a malicious adversary. Following the line of work started by Curtmola et al. (ACM CCS 2006), in order to construct more efficient schemes we allow the query protocol to leak some limited information that is captured precisely in the definition. We prove security of our substring-searchable encryption scheme against malicious adversaries, where the query protocol leaks limited information about memory access patterns through the suffix tree of the encrypted string.
 M. Abadi and P. Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, 15(2):103–127, 2002.
 A. V. Aho and M. J. Corasick. Efficient string matching: An aid to bibliographic search. Comm. ACM, 18(6):333–340, June 1975.
 J. Baron, K. El Defrawy, K. Minkovich, R. Ostrovsky, and E. Tressler. 5PM: Secure pattern matching. In I. Visconti and R. D. Prisco, editors, SCN 12, volume 7485 of LNCS, pages 222–240. Springer, Sept. 2012.
 M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 531–545. Springer, Dec. 2000.
 M. Bellare and P. Rogaway. Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 317–330. Springer, Dec. 2000.
 S. Benabbas, R. Gennaro, and Y. Vahlis. Verifiable delegation of computation over large datasets. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 111–131. Springer, Aug. 2011.
 D. Boneh, A. Sahai, and B. Waters. Functional encryption: Definitions and challenges. In Y. Ishai, editor, TCC 2011, volume 6597 of LNCS, pages 253–273. Springer, Mar. 2011.
 R. S. Boyer and J. S. Moore. A fast string searching algorithm. Comm. ACM, 20(10):762–772, 1977.
 Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In R. Ostrovsky, editor, 52nd FOCS, pages 97–106. IEEE Computer Society Press, Oct. 2011.
 Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (leveled) fully homomorphic encryption without bootstrapping. In S. Goldwasser, editor, ITCS 2012, pages 309–325. ACM, Jan. 2012.
 D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M.-C. Rosu, and M. Steiner. Highly-scalable searchable symmetric encryption with support for boolean queries. In R. Canetti and J. A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 353–373. Springer, Aug. 2013. 10.1007/978-3-642-40041-4_20.
 D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M.-C. Rosu, and M. Steiner. Dynamic searchable encryption in very-large databases: Data structures and implementation. In NDSS 2014. The Internet Society, Feb. 2014.
 M. Chase and S. Kamara. Structured encryption and controlled disclosure. In M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 577–594. Springer, Dec. 2010.
 K.-M. Chung, Y. T. Kalai, F.-H. Liu, and R. Raz. Memory delegation. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 151–168. Springer, Aug. 2011.
 T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. The MIT Press, 3rd edition, 2009.
 R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In A. Juels, R. N. Wright, and S. Vimercati, editors, ACM CCS 06, pages 79–88. ACM Press, Oct. / Nov. 2006.
 I. Damgård, V. Pastro, N. P. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption. In R. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 643–662. Springer, Aug. 2012.
 C. Dwork, M. Naor, G. N. Rothblum, and V. Vaikuntanathan. How efficient can memory checking be? In O. Reingold, editor, TCC 2009, volume 5444 of LNCS, pages 503–520. Springer, Mar. 2009.
 M. Farach. Optimal suffix tree construction with large alphabets. In 38th FOCS, pages 137–143. IEEE Computer Society Press, Oct. 1997.
 M. Fischlin. Pseudorandom function tribe ensembles based on one-way permutations: Improvements and applications. In J. Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 432–445. Springer, May 1999.
 C. Fletcher, M. van Dijk, and S. Devadas. A secure processor architecture for encrypted computation on untrusted programs. In STC 2012, 2012.
 K. B. Frikken. Practical private DNA string searching and matching through efficient oblivious automata evaluation. In DBSec ’09, pages 81–94, 2009.
 R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 465–482. Springer, Aug. 2010.
 R. Gennaro, C. Hazay, and J. S. Sorensen. Text search protocols with simulation based security. In P. Q. Nguyen and D. Pointcheval, editors, PKC 2010, volume 6056 of LNCS, pages 332–350. Springer, May 2010.
 C. Gentry. Fully homomorphic encryption using ideal lattices. In M. Mitzenmacher, editor, 41st ACM STOC, pages 169–178. ACM Press, May / June 2009.
 C. Gentry, S. Halevi, and N. P. Smart. Homomorphic evaluation of the AES circuit. In R. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 850–867. Springer, Aug. 2012.
 C. Gentry, S. Halevi, and N. P. Smart. Fully homomorphic encryption with polylog overhead. In D. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 465–482. Springer, Apr. 2012.
 D. Gusfield. Algorithms on Strings, Trees, and Sequences: Computer Science and Computational Biology. Cambridge University Press, 1997.
 C. Hazay and Y. Lindell. Efficient protocols for set intersection and pattern matching with security against malicious and covert adversaries. Journal of Cryptology, 23(3):422–456, July 2010.
 S. Kamara and C. Papamanthou. Parallel and dynamic searchable symmetric encryption. In A.-R. Sadeghi, editor, FC 2013, volume 7859 of LNCS, pages 258–274. Springer, Apr. 2013. 10.1007/978-3-642-39884-1_22.
 S. Kamara, C. Papamanthou, and T. Roeder. Dynamic searchable symmetric encryption. In T. Yu, G. Danezis, and V. D. Gligor, editors, ACM CCS 12, pages 965–976. ACM Press, Oct. 2012.
 R. M. Karp and M. O. Rabin. Efficient randomized pattern-matching algorithms. IBM Journal of Research and Development, 31(2):249–260, March 1987.
 J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC, 2008.
 J. Katz and L. Malka. Secure text processing with applications to private DNA matching. In E. Al-Shaer, A. D. Keromytis, and V. Shmatikov, editors, ACM CCS 10, pages 485–492. ACM Press, Oct. 2010.
 J. Katz and M. Yung. Unforgeable encryption and chosen ciphertext secure modes of operation. In B. Schneier, editor, FSE 2000, volume 1978 of LNCS, pages 284–299. Springer, Apr. 2001.
 J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In N. P. Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS, pages 146–162. Springer, Apr. 2008.
 D. E. Knuth, J. H. M. Jr., and V. R. Pratt. Fast pattern matching in strings. SIAM Journal on Computing, 6(2): 323–350, 1977.
 K. Kurosawa and Y. Ohtaki. UC-secure searchable symmetric encryption. In A. D. Keromytis, editor, FC 2012, volume 7397 of LNCS, pages 285–298. Springer, Feb. / Mar. 2012.
 P. Mohassel, S. Niksefat, S. S. Sadeghian, and B. Sadeghiyan. An efficient protocol for oblivious DFA evaluation and applications. In O. Dunkelman, editor, CTRSA 2012, volume 7178 of LNCS, pages 398–415. Springer, Feb. / Mar. 2012.
 J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra. A new approach to practical active-secure two-party computation. In R. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 681–700. Springer, Aug. 2012.
 R. Ostrovsky. Software protection and simulation on oblivious RAMs. PhD thesis, MIT, 1992.
 E. Shen, E. Shi, and B. Waters. Predicate privacy in encryption systems. In O. Reingold, editor, TCC 2009, volume 5444 of LNCS, pages 457–473. Springer, Mar. 2009.
 E. Stefanov, E. Shi, and D. X. Song. Towards practical oblivious RAM. In NDSS 2012. The Internet Society, Feb. 2012.
 E. Stefanov, M. van Dijk, A. Juels, and A. Oprea. Iris: A scalable cloud file system with efficient integrity checks. In ACSAC ’12, 2012.
 E. Stefanov, C. Papamanthou, and E. Shi. Practical dynamic searchable encryption with small leakage. In NDSS 2014. The Internet Society, Feb. 2014.
 J. R. Troncoso-Pastoriza, S. Katzenbeisser, and M. Celik. Privacy preserving error resilient dna searching through oblivious automata. In P. Ning, S. D. C. di Vimercati, and P. F. Syverson, editors, ACM CCS 07, pages 519–528. ACM Press, Oct. 2007.
 E. Ukkonen. On-line construction of suffix trees. Algorithmica, 14(3):249–260, 1995.