Public Key Encryption with Keyword Search from Lattices in Multiuser Environments

A public key encryption scheme with keyword search capabilities is proposed using lattices for applications in multiuser environments.The proposed scheme enables a cloud server to check if any given encrypted data contains certain keywords specified by multiple users, but the server would not have knowledge of the keywords specified by the users or the contents of the encrypted data, which provides data privacy as well as privacy for user queries in multiuser environments. It can be proven secure under the standard learning with errors assumption in the random oracle model.


Introduction
Cloud storage has established itself as a widely used service for businesses and individuals; however, it comes with inherent challenges including security risks, reliable data storage, and data accessibility.The fact that data owners lose full control over their data brings about concerns with regard to privacy, data integrity, and confidentiality.Data owners have no way to prevent unauthorized individuals or even the party hosting the cloud servers to access or tamper with their data.To ensure data confidentiality and privacy, any sensitive data would need to be encrypted before it is sent to a cloud sever.Unfortunately, data encryption greatly restricts the ability of cloud servers to handle user access requests.A typical example is that of an encrypted document; the encryption changes the contents of the document, making it very hard to search/sort documents using keywords.
To resolve this problem, the notion of the public key encryption with keyword search (PEKS) was proposed by Boneh et al. [1].The construction of this scheme was inspired by identity-based encryption (IBE) and aims to allow a user to search for encrypted keywords without decryption.In the PEKS scheme, a sender uploads an encrypted email to a server along with an encrypted list of keywords.The receiver sends the desired keyword (denoted as a trapdoor) to the email server, which then tests the encrypted emails for the presence of this trapdoor.Soon afterwards, Waters et al. [2] demonstrated that a PEKS scheme can be used in a wide range of practical applications such as building encrypted and searchable audit logs.Subsequently, many intuitions have been proposed to improve upon this construction (e.g., [3][4][5][6][7][8]).
The security of most PEKS schemes and their variants are based on the hard problems of number theory such as large integer factorization, the discrete logarithm problem, and bilinear mapping with the Diffie-Hellman problems.However, Shor [9] has discovered a function which can effectively solve the discrete logarithm problem, as well as an algorithm for quantum factoring.This means that quantum computers are a threat to the security of these cryptosystems.
One possible solution that has undergone rapid development in recent years is lattice-based cryptographic schemes.So far, there has been no quantum algorithm which can effectively solve this class of problems, which makes them an attractive candidate for robust encryption.Ajtai [10] first presented the proof of the hardness of lattice problems, and following this work, many new constructions with lattices have been proposed (e.g., [11][12][13][14]).However, there have only been two PEKS schemes from lattices proposed in the literature so far, and these schemes were constructed in a single-user environment.Notably, there is currently no similar work available in the literature for PEKS scheme, which means that there is no a PEKS system constructed using lattices in multiuser environment.It is very clear that 2 Mathematical Problems in Engineering the schemes proposed for use in a single-user environment cannot be directly and effectively used in multiuser environments because of the increased requirements of the latter.In PEKS schemes constructed in a single-user environment, data owner can only share his data with a single user and also only permit a single user to search for the encrypted keywords on the encrypted data.While in multiuser environments, such as cloud storage, data owners hope to share their data with multiple users and also permit the multiple users to search over the owner's shared data on the cloud server side.Therefore, PEKS schemes constructed in a single-user environment can not satisfy the characteristics of cloud environment.
In order to solve this problem, a public key encryption scheme with keyword search is proposed using lattices for applications in multiuser environments, which is called PEKSL scheme.In the proposed scheme, cloud server can translate a keyword encrypted under one public key into the same keyword encrypted under another public key, so that it checks if any given encrypted data contains certain keywords specified by multiple users but learns nothing else about the data.This provides data privacy as well as privacy for user queries in multiuser environments.Furthermore, it can be proven secure under the hardness of the standard learning with errors problem in the random oracle model.

Related Work.
To enable users search over encrypted outsourced data through keywords without decrypting the data at first, the notion of public key encryption with keyword search (PEKS) was first put forth by Boneh et al. [1] and its construction makes use of the construction of identitybased encryption (IBE).This construction was later improved by several schemes using the bilinear pairing.Waters et al. [2] demonstrated that these PEKS schemes could be useful to build encrypted and searchable audit logs.Abdalla et al. [4] presented an improved universal transformation from anonymous IBE to PEKS, and Baek et al. [6] proposed a PEKS scheme with a designated server to remove a secure channel.Golle et al. [3] defined the first security model for conducting conjunctive keyword searches to achieve a combinable multikeyword search.Subsequently, Boneh and Waters [5] extended the PEKS scheme to support conjunctive, subset, and range comparisons over the supplied keywords.Camenisch et al. [7] proposed oblivious generation of the keyword search trapdoor to maintain the privacy of the keyword against a curious trapdoor generator, and Cao et al. [8] presented ranked searches using multikeywords over encrypted cloud data and established a variety of privacy requirements.
Nowadays, lattice-based cryptographic schemes have a more fast development, and many new constructions with lattices have been proposed.Ajtai [10] first presented the proof of the hardness of lattice problems, and following this work, many new constructions with lattices have been proposed.These include group signature schemes (e.g., [11,12]), hierarchical identity-based encryption schemes (e.g., [13,14]), broadcast encryption on lattice schemes (e.g., [15,16]), attribute-based encryption (e.g., [17]), and fully homomorphic encryption schemes (e.g., [18,19]).Notably, there were only two public key encryption with keyword search schemes from lattice [20,21] so far in the literature, and their schemes were constructed in a single-user environment.

Paper Organization.
The following sections are described briefly as follows.We review the basic concepts about integer lattices, discrete Gaussians, learning with errors problem, the formal models, and a security model of PEKSL in Section 2. We give the specific construction about the PEKSL in a multiuser environment and then prove our scheme under the security model in Section 3. Finally, we conclude this paper in Conclusion.

Preliminaries
We describe some preliminaries and other useful concepts that are used in our approach in this section.
For prime  and A ∈ Z ×  and  ∈    , define (2)
There is a deterministic polynomial-algorithm that, given an arbitrary basis of Λ and a full-rank set ( Theorem 3 (see [22]).
with all but negligible probability in .

Discrete Gaussians
Definition 4. Choose a subset  ⊆ Z  .For any positive parameter  ∈ R >0 and any vector  ∈ R  define The discrete Gaussians distribution over  with parameter  and center  is Lemma 5 (see [23]).Let  ≥ 2 and A be a matrix in Z ×  with  > .Let T  be a basis for Λ ⊥  (A) and  ≥ ‖ T ‖√log .Then for  ∈ R  and  ∈ Z   , (i) there is a PPT algorithm (A, T  , , ) that returns  ∈ Λ ⊥  (A) drawn from a distribution statically close to D Λ,, , (ii) there is a PPT algorithm (A, T  , , ) that returns  ∈ Λ   (A) drawn from a distribution statically close to D Λ,, , whenever Λ   (A) is not empty.
Theorem 6 (see [14]).Define   = √ log √log .D × stands for the distribution on matrices in Z × defined as (D Z  ,  )  conditioned on the resulting matrix being Z invertible.There are some important algorithms: The (Z  , , )-LWE problem allows repeat queries to the challenge oracle Ψ.We say that an algorithm  decides the

PEKSL Scheme in a Multiuser Environment
3.1.Intuition behind the Construction.In PEKS scheme, a sender (Bob) sends an encrypted email to the email gateway using a receiver's (Alice's) public key appended with some encrypted keywords.When Alice gives the email gateway a trapdoor associated with searching keywords, it tests if the keywords are relevant to the email and learns nothing else.Since the ciphertext encrypted with receiver's public key can only be tested by a trapdoor given by Alice and cannot be tested by a trapdoor obtained from another user, such as Charles, PEKS scheme is constrained to be used in a single-user environment where the receiver can only be a single user.In order to meet the need that multiple users can execute encrypted keyword searches over the encrypted files, we add a Re-KeyGen algorithm in the definition of PEKS and construct PEKSL scheme, which is inspired by the concept of proxy reencryption.The Re-KeyGen algorithm is used to convert a keyword encrypted by a public key into the same keyword encrypted under another public key.More precisely, given a special information (i.e., a reencryption key), the Re-KeyGen algorithm enables cloud server to convert the encrypted keyword with Alice's public key in the ciphertext of the same keyword for Charles so that cloud server can check if the encrypted keywords are relevant to an email upon a trapdoor generated by Charles.Based on the above idea, we construct our PEKSL scheme using lattices for a multiuser environment, where multiple users can execute encrypted keyword searches over the data uploaded by data owner to the cloud server.

Definition.
A PEKSL scheme includes a trust center (TC), data owners, cloud servers, and data users.TC is trusted and is responsible for generating system parameters.The data owners refer to a special type of users who create the private/confidential data and then outsource them to cloud servers in an encrypted form so it can be shared with authorized users.The cloud servers are responsible for producing query results on the encrypted data and then sending these results to the users.Users generally refer to those who are authorized to search for encrypted keywords in the encrypted data.In this paper we consider the users to be from the public domain.
A PEKSL scheme for a multiuser environment involves the following six algorithms: (i) (1  ).After input a secure parameter , the Setup algorithm outputs a global public/private key pair (, ) hold by TC.
(ii) (, , ).The KeyGen algorithm takes as input (, ) and a user's identity label  and then generates a public key   , a private key   for user , and a secret key   for TC.
(iv) (,   ).The PEKS algorithm produces a searchable encryption  of keyword  with user's public key   .

Security Game.
The security of PEKSL scheme for a multiuser environment is indistinguishable against chosen keyword attack.According to the rules of the security game, an adversary can get the most of trapdoors except those which are relevant to two specified keywords.Yet, it can not distinguish which keyword appended with to a given PEKS ciphertext.
In the following game, a PEKSL scheme for a multiuser environment is indistinguishable against chosen keyword attack if an adversary F has a negligible advantage against a challenger C in polynomial time.[24], that is, the reencryption key queries are not allowed between uncorrupted oracle and corrupted oracle.

Security
(iii) Challenge.F gives C two keywords  0 ,  1 that it hopes to be challenged on.The only limitation is that F have not queried for the trapdoors   0 or   1 .C chooses a random  ∈ {0, 1} and sends F a PEKSL ciphertext  * = (,   ) as the challenge ciphertext.
(iv) Phase 2. F adaptively queries C for the trapdoor   for any keyword  he wants again, and it is important to note that the  must satisfy  ̸ =  0 , (v) Guess.Finally, F gives   ∈ {0, 1}.If   = , F wins the game.
In this game, we define the advantage of F that is | Pr[  = ] − 1/2|.

Construction.
Choose two positive integers , , a prime , satisfying  > 6 log  and  ≥ 3, and a hash function  : {0, 1} * → Z   .Construction of PEKSL scheme in a multiuser environment is described as follows: (i) (1  ).Take a secure parameter  as input, TC invokes (, ) to produce a randomly uniform matrix A ∈ Z ×  along with a short basis T  ∈ Z ×  for Λ ⊥  (A), and output the global public key  = A as well as global private key  = T  .
(ii) (, , ).After input (, ) and a user identity label , TC invokes firstly -ℎ (1  ) to generate a Z  -invertible matrix R  in Z ×  sampled from D × , where  is a security parameter.Then TC invokes -ℎ (A, R  , T  , ) to generate a basis T  of Λ ⊥  (AR −1  ), and output the user's public key   = AR −1   in Z ×  and private key   = T  and a secret key   = R  .TC sends   to the user  by a security way and saves a list of (  ,   ).

Security Analysis.
We show the security analysis of PEKSL scheme for a multiuser environment in this section.
In the random oracle model, supposing that there is an adversary F that has a nonnegligible advantage to attack our mechanism in polynomial time, we are able to construct a polynomial time algorithm S having a probability /2  to solve the LWE assumption, where   denotes the query times of which F queries the random oracle (⋅).
Proof.With the adversary F, we construct the algorithm S as follows.
(i) Setup.Given LWE samples, S assembles the random matrix A ∈ Z ×  from , more exactly, making the th column of A be the vector   ( = 1, 2, 3, . . ., ), and gives the public key A to F. (iii) Challenge.F sends two keywords  0 ,  1 with a  it wants to challenge on, when it decides to finish Phase 1. S calls the algorithm mentioned above to answer (⋅) queries twice with input (,  0 ), (,  1 ).If  ̸ =  * , then S aborts; if both ( 0 ) ̸ =  0 and ( 1 ) ̸ =  0 , then S aborts either.Otherwise, supposing (  ) =  0 , S retrieves (V 0 , V 1 , V 2 , . . ., V  ) ∈ Z  from the LWE instance and sets  1 = [V 1 , V 2 , . . ., V  ]  ∈ Z   and  2 = V 0 ∈ Z  .S responds with challenge ciphertext ( 1 ,  2 ).Note that when Ψ is a pseudorandom LWE oracle and for the random  if S does not halt, the distribution of both the challenge ciphertext and the public parameters is identical to its distribution in the real system.If S aborts the challenge ciphertext will be independently randomly sampled from Z   × Z  .That is, if S does not abort, the advantage of S in solving LWE is identical to F's advantage to attack this mechanism.
[20]1 ,  2 , ...,   } ⊆ Z × and calculateT   = {R 1 , R 2 , ..., R  } ⊆ Z × .Observe that T  is a set of independent vectors in Λ ⊥  (B), where B = AR −1 in Z × (see[20]).Consider a prime , a positive integer , and a distribution  over Z  , all public.(Z,,)-LWE problem instance consists of access to an unspecified challenge oracle Ψ, being either a noisy pseudorandom sample Ψ  carrying some constant random secret key  ∈ Z   or a truly random sampler Ψ  , whose behaviors are respectively as follows:(i) Ψ  : output noisy pseudorandom sample of the form(  , V  ) = (  ,    ⋅  +   ) ∈ Z   × Z  ,where  ∈ Z   is an uniformly distributed persistent value invariant across invocations,   ∈ Z  is a fresh randomness from , and   is uniform in Z   .(ii) Ψ  : output truly uniform random sample from Z   × Z  .
The following simple algorithm samples matrices in Z × from a distribution that is statistically close to D × .(a)Let T be the canonical basis of the lattice Z  .(ii)ℎ (A, R, T  , ).Input a rank  matrix A ∈ Z ×  , a Z  -invertible matrix R in Z ×  sampled from D × (or a product of such), a basis T  for Λ ⊥  (A), and a parameter  > ‖ T ‖  √(log 2/3 ).(a)Let T Uncorrupted key generation oracle: return a fresh key pair (  ,   ); give   to F. (b) Corrupted key generation oracle: return a fresh key pair (  ,   ); F is given (  ,   ).(c) Trapdoor Oracle: after input (  , ) by F, return the trapdoor   = (  ,   , ), where   is the secret key that corresponds to   .(d) Reencryption key generation oracle: return F a reencryption key  ↔ .Noting that correspondent   and   are from uncorrupted key generation oracle or corrupted key generation oracle as in Game(i) Setup.C calls  algorithm to produce a key pair (, ) and sends  to F.(ii) Phase 1. F makes the following queries:(a) Phase 1. S answers queries of F as follows: (a) Uncorrupted key generation oracle: after input an index , if this  is uncorrupted, S runs ℎ (1  ) to obtain a Z  -invertible matrix R  in Z ×  and computes   = AR  ,   = 0. Finally S saves the tuple (,   , R  ,   = 0) in PK-List.S sends   to F.  , T  , ) to get a basis T  for   .Finally S responds to F with (  ,   = T  ) and records the tuple (,   , R  ,   ,  = 1) in PK-List.If this query is the query number  * (i.e.,  =  * ), S defines (  ) =  0 ,  * =   satisfying  * = 0, and returns (  ).(2) Otherwise, if this query (  ,   ) has saved in the -list, then S responds to (  ) =   .If the query (  ,   ) does not appears on the -list and the corresponding   = 0 in PK-List, S chooses    ←  D Z  , and computes   =     .Finally S saves the quadruple (  ,   ,   ,   ) in -list for future use and returns (  ) =   to F. (d) Trapdoor Oracle: for input   ∈ {0, 1} * and   , if (  ) =  0 , S aborts and fails.Otherwise, S retrieves the saved quadruple (  ,   ,   ,   ) from the -list.Here we assume that a trapdoor query on   is preceded by a (⋅) query with   .By construction,   is the trapdoor for the keyword   .S return   as the trapdoor to F. (e) Reencryption key generation oracle: after input (  ,   ), S checks whether both   and   occur in PK-List, if not, S aborts.Otherwise, S does the following operations: (1) If   =   , S responds to F with R  R −1  .(2) If   ̸ =   , S aborts.
(c)  Oracle: to answer  queries, S saves the tuples (  ,   ,   ,   ) in a -list, which is initially empty.For the th query, F sends   ∈ {0, 1} * to  and S answers as follows:(1)