A Novel Model for Lattice-Based Authorized Searchable Encryption with Special Keyword

For data stored in cloud servers, keyword search and access control are two important capabilities that should be supported. Public-key encryption with keyword search (PEKS) and attribute-based encryption (ABE) are the corresponding solutions. Meanwhile, as we step into the postquantum era, pairing-related assumptions are fragile. Lattices are an ideal choice for building encryption schemes that remain secure against quantum attacks. Based on this, we propose the first mathematical model for lattice-based authorized searchable encryption. Data owners can sort ciphertexts by specific keywords such as time; data users who satisfy the access control hand a trapdoor generated from the keyword to the cloud server; the cloud server sends back the corresponding ciphertexts. The security of our scheme is based on the worst-case hardness of lattice problems through the learning with errors (LWE) assumption. In addition, our scheme achieves attribute-hiding, which protects the sensitive information of data users.


Introduction
Nowadays, more and more people use services from cloud servers [1], which provide scalable and elastic storage and computation resources over the Internet. Outsourcing data services to the cloud enables companies not only to save equipment investment but also to simplify local IT management. Cloud infrastructures are physically hosted and maintained by the cloud providers. To minimize the risk of data leakage to cloud service providers and to protect data security and privacy, data owners choose to encrypt sensitive data, such as health records and property information, before outsourcing it to the cloud, while retaining the decryption key for themselves and other authorized users. However, a simple encryption scheme is not enough, because data owners want to share sensitive data under fine-grained access control. The cloud server cannot be fully trusted by the data owner, so traditional server-based access control methods are no longer a suitable solution for cloud computing.
In order to address the problem of secure and decentralized access control, Sahai and Waters [2] proposed the concept of ABE by extending identity-based encryption; it achieves flexible one-to-many encryption and provides a fine-grained data sharing scheme. Later, two kinds of ABE were put forward: key policy (KP) ABE, in which the ciphertext is associated with attributes and the secret key with the decryption policy, and ciphertext policy (CP) ABE, in which the secret key is associated with a list of attributes and the ciphertext with an access policy. Goyal et al. [3] proposed the first construction of KP-ABE, which supported any monotone access policy. After that, the first CP-ABE scheme was given by Bethencourt et al. [4]; unfortunately, its security was only proved in the generic group model. Subsequently, Ostrovsky et al. broadened both schemes to support any nonmonotonic structure [5]. The first CP-ABE scheme provably secure in the standard model was proposed by Cheung and Newport [6] and supports only AND-gates. Later on, Waters [7] gave the first CP-ABE proved secure in the standard model that supports fully expressive access structures.
All the schemes mentioned above are constructed from pairings. Unfortunately, as we move into the postquantum era, pairing-related assumptions are fragile. Lattices are an ideal choice for building secure encryption schemes for two reasons: firstly, no known algorithm, even with the help of a quantum computer, can efficiently solve lattice hard problems; secondly, lattice-based cryptographic constructions enjoy several potential advantages: asymptotic efficiency, conceptual simplicity, and security proofs based on worst-case hard problems. Recently, ABE schemes from lattice assumptions have been on the rise. J. Zhang and Z. Zhang [8] proposed a CP-ABE scheme without pairings, which supports AND-gate access structures. Boyen [9] built a KP-ABE from lattice assumptions and pointed to the study of CP-ABE as an open problem for future work. ABE resolves the problem of fine-grained access control and provides one-to-many encryption, which improves the efficiency of the data owner; however, data utilization is still a challenging problem. For example, in order to search for some relevant documents among an encrypted data set stored in the cloud, one may have to download and decrypt the entire data set. This is clearly impractical when the data volume is large. Thus, mechanisms that allow users to search directly on encrypted data are of great interest in the era of cloud computing. Data services based on traditional plaintext keyword search give poor quality of service because the data are encrypted. Boneh et al. [10] proposed a public key encryption with keyword search (PEKS) scheme to address the problem of searching encrypted data.
There are also many existing searchable encryption schemes from pairings. Lai et al. [11] present a more efficient construction based on Lewko et al.'s KP-ABE scheme [12]. However, scheme [11] discloses the search keywords in the trapdoor, which lets the server learn whether the encrypted data contain the keywords in the trapdoor. Compared with [13], the size of a ciphertext (or a trapdoor) in [11] is linear in the number of keywords. Recently, Lv et al. [14] presented an expressive and secure asymmetric searchable encryption scheme, which is the first to simultaneously support conjunctive, disjunctive, and negation search operations. However, there has been no authorized searchable encryption (ASE) scheme from lattice assumptions so far. In this paper, we integrate CP-ABE with PEKS and propose authorized searchable encryption with attribute-hiding from lattices, which enables only authorized users to perform keyword search and then decrypt ciphertexts.
Meanwhile, by setting keywords such as year, month, and day, data owners can sort ciphertexts. If data users want to extract the ciphertexts from some point in time, they only need to submit the trapdoor corresponding to that keyword to the cloud server.
Therefore, the two main contributions of our scheme are as follows.
(1) To the best of our knowledge, this is the first work that addresses ASE from lattice assumptions.
(2) In contrast to previous solutions [11,14], our scheme achieves attribute-hiding, which could protect sensitive user information from being leaked.
The rest of the paper is organized as follows. Section 2 states the preliminaries: definitions for ASE, the security models for PEKS and CP-ABE, and lattice background. Section 3 describes our ASE with attribute-hiding from lattice assumptions in detail. Section 4 gives the security proof of our scheme. Section 5 presents our conclusion.

Preliminaries
2.1. Definitions for ASE. We consider ASE in cloud computing. The system architecture is similar to that in [15] and is illustrated in Figure 1. There are four participants in our system.
Trusted Authority (TA). This entity is fully trusted by the other participants of the system. The responsibility of TA is to initialize system parameters, to generate attribute-based private keys, and to generate trapdoor keys for data users.

Cloud Services Provider (CSP).
This entity provides data storage and retrieval services. It stores the outsourced data content of the data owner. Only a specified receiver who meets the access policy can search and download the content. We adopt the honest-but-curious model for the cloud server as in [16]. It assumes that the cloud server honestly follows the designated protocols and procedures to fulfill its service provider's role, while it may analyze the information stored and processed on the server in order to learn additional information about its customers.

Data Owner (DO).
This entity is a cloud storage subscriber who wants to encrypt its data content first and then upload it to the cloud storage service. Intended receivers who satisfy the access policy can read the encrypted content. The responsibility of the data owner is to create encrypted data and to choose the keywords to encrypt.

Data User (DU).
This entity is another cloud storage subscriber who queries encrypted data from CSP. Only retrievers who satisfy the access policy have the legal right to access the encrypted content and read the original message. The responsibility of data users is to choose keywords to create trapdoors for search, to initiate search requests, and to decrypt data.
In our setting, a user is identified by a set of attributes; let  be the user's attributes. An ASE scheme consists of six polynomial-time algorithms, described as follows.
Setup. The setup algorithm is run by TA and takes as input a security parameter . It outputs the master secret key  and the public system parameters , which include the description of the attribute universe and the keyword universe. TA publishes  and keeps  secret. We describe it as (1  ) → (, ).

ABE-KeyGen.
The attribute private key generation algorithm is an interactive protocol between DU and TA. The public input to TA and DU consists of the system public parameters  and the user's attribute set  owned by DU. The private input to TA is the master secret key . Finally, DU extracts an attribute private key   . We describe it as -(, , ) →   .

KS-CPABE.
DO runs the encryption algorithm, which takes as input the system public parameters , an access structure , and a message . The algorithm encrypts  and produces a ciphertext . Note that, in our ASE, the ciphertext does not contain , which achieves attribute-hiding. We describe it as (, , , ) → .
Trapdoor. The query private key generation algorithm is an interactive protocol between DU and TA. The public input to TA and DU consists of the system public parameters , the user's attribute set  owned by DU, and a keyword . TA inputs the master secret key . In addition, a sequence of random coin tosses may be used by TA and DU as private inputs. Finally, DU extracts an attribute trapdoor   . We describe it as (, , ) →   . After that, DU sends   to CSP.
Test. The keyword test algorithm is run by CSP. It takes as input the system parameters  and a trapdoor   corresponding to the keyword  from a DU, and tests the  for the keyword set   . It outputs 1 if  =   and 0 otherwise.
Decrypt. DU runs the decryption algorithm, which takes the ciphertext  and   as input. Only if  satisfies the access control  does it return the message .

Security Model for PEKS and CPABE.
In this subsection, we introduce the functionality of PEKS and CP-ABE independently.

PEKS.
A  scheme includes four polynomial-time algorithms: , , , and . The  algorithm generates a public/private key pair (, ). The  algorithm generates a searchable encryption of a keyword  under the intended receiver's public key. The  algorithm produces a trapdoor   for a keyword  using the receiver's private key. The  algorithm verifies whether a ciphertext matches a trapdoor.
The general security property of a  scheme is indistinguishability against chosen keyword attack. A  scheme is semantically secure if no polynomial-time adversary has a nonnegligible advantage against the challenger in the following security game [10].

Security Game
KeyGen. The challenger C runs the  algorithm to generate a key pair (, ) and gives  to the adversary A.
Phase 1. A queries the challenger for the trapdoor for any keyword  ∈ {0, 1} * of its choice.
Challenge. At some point, A sends the challenger two keywords  0 and  1 on which it wishes to be challenged. The only restriction is that A has never previously queried the trapdoors   0 and   1 for  0 and  1 , respectively. The challenger selects  ∈ {0, 1} at random and sends the adversary  = (,   ) as the challenge ciphertext.
Phase 2. A can continue to adaptively ask the challenger for the trapdoor for any keyword  of its choice satisfying  ̸ =  0 ,  1 .

A CP-ABE Scheme with Attribute-Hiding.
The scheme consists of four algorithms [17].
Setup. This algorithm takes as input a security parameter  and generates the public key  and a master secret key .  is used for encryption;  is used to generate user secret keys and is held by the central authority.
Encrypt. This algorithm takes as input the public key , a message , and an access policy . It outputs the ciphertext . Note that, in CP-ABE supporting attribute-hiding, the ciphertext does not contain .

Mathematical Problems in Engineering
KeyGen. This algorithm takes as input a set of attributes  associated with the user and outputs a secret key   .
Decrypt. This algorithm takes as input the ciphertext  and a secret key   . Only if  satisfies the access policy  does it return the message .

Selective Game for CP-ABE with Hiding Attributes
Init. The adversary A gives the challenge ciphertext policies  0 ,  1 before setup.
Setup. The challenger C runs the setup algorithm and gives  to the adversary A.
Phase 1. The adversary A submits the attribute list  for a  query. If  ⊆  0 ∧  ⊆  1 or  ̸ ⊂  0 ∧  ̸ ⊂  1 , the challenger gives the adversary the secret key   . The adversary A can repeat this query polynomially many times.
Challenge. The adversary A submits messages  0 ,  1 to the challenger. If the adversary obtained a   whose associated attribute list  satisfies both  0 and  1 in Phase 1, then it is required that  0 =  1 . The challenger flips a random coin  and passes the ciphertext (,   ,   ) to the adversary.
Guess. The adversary outputs a guess   of . The advantage of an adversary in this game is defined as | Pr[  = ] − 1/2|.
Definition 2. A CP-ABE scheme with hiding attributes is selectively CPA secure if all polynomial-time adversaries have at most a negligible advantage  in the above security game.
For a basis , let B denote its Gram-Schmidt orthogonalization, defined iteratively as b1 =  1 , and b is the component of   orthogonal to span ( 1 , . . .,  −1 ). ‖‖ denotes the largest Euclidean norm among the column vectors of .
The subscripts  are taken to be 0 when omitted. Gentry et al. [19] defined and constructed preimage sampleable functions. Let   be a basis for an -dimensional lattice Λ satisfying  ≥ ‖ T ‖(√log ); then there is an algorithm that samples from the discrete Gaussian distribution  Λ,, .
The preimage sampleable function is defined as follows.

Learning with Errors Problem.
Our construction can be reduced to the learning with errors  problem, a classical problem defined by Regev [20].
For an integer  = () and a distribution  on   , the goal of the (average case) learning with errors problem  , is to distinguish the distribution  , for some uniform secret  ∈    from the uniform distribution on    ×  . The hardness of the  problem means that the distribution  , is pseudorandom. Regev showed that, for certain moduli  and Gaussian error distributions ,  , is as hard as solving several standard worst-case lattice problems using a quantum algorithm.
Proposition 5 (see [20]). For an  ∈ (0, 1) and a prime  > 2√/, let   denote the distribution over   of the random variable ⌊ + 1/2⌋ mod , where  is a normal random variable with mean 0 and standard deviation / √ 2. If there exists an efficient, possibly quantum, algorithm for deciding the (  , , )- problem, then there exists an efficient quantum algorithm for approximating the  and  problems, to within Õ(/) factors in the  2 norm, in the worst case.

Authorized Searchable Encryption Scheme
In this section, we put forward our ASE scheme, where the access structures consist of AND-gates over positive and negative attributes. We define some notation as follows: let the set of attributes be  = {1, 2, . . ., } for a fixed natural number . Mark attributes  and their negations ¬ as literals. Consider access structures that consist of an AND-gate policy whose inputs are literals, denoted by  = ∧ ∈ , where  ⊆  and every  is a literal (i.e.,  or ¬). Our construction is defined as follows; it is parameterized by the dimension , the Gaussian parameter , the modulus , and , which determines the error distribution .
(, , , ). TA chooses a cryptographically secure hash function , which maps each keyword  to a vector in   . Compute ( 0 ,   0 ) ← (, , ); then, for each  ∈ , randomly choose   + ←  ×  ,   − ←  ×  . Intuitively, the public key elements   + ,   − correspond to the two cases of : positive and negative. Next, randomly choose a vector  ←    and set the public key  = ( 0 , {  + ,   − } ∈ , , ), while keeping the master secret key  = (,   0 ).
ABE-KeyGen. Denote by  the input attribute set of DU. Every  ∉  is implicitly treated as a negative attribute. For each  ∈ , if  ∈ , define   =   + ; else define   =   − ; then, for each  ∈ , randomly choose   ←    , , and compute  = −∑ ∈     ; finally, compute  0 ← ( 0 ,   0 , , ), and return the secret key

KS-CPABE.
Given a message bit  ∈ {0, 1} and an AND-gate access structure  = ∧ ∈ , let  + ( − ) be the set of positive (negative) attributes in , respectively, and denote   =  + ∪  − . Then, for each  ∈   , if  ∈  + , define  1 as a well-formed ciphertext and  2 as a malfunction ciphertext. If  ∈  − , the situation is reversed: define  2 as a well-formed ciphertext and  1 as a malfunction ciphertext. If  ∈  \   , both  1 and  2 are well-formed ciphertexts, and, for each keyword , () ∈    . Randomly choose  ∈    ,   ,   ∈ , and  0 ,   + ,   − ∈   as noise terms; compute  =    +   + ⌊/2⌋,  = ()   +   , and  0 =   0  +  0 . If  ∈  + ,  1 =    +  +   + , and  2 is a random -dimensional vector, which could be obtained by randomly choosing
Trapdoor. To generate a trapdoor for a keyword, DU must contact TA. TA performs the trapdoor generation similarly to the ABE-KeyGen phase. For each  ∈ , if  ∈ , define   =   + ; else define   =   − ; then, for each  ∈ , randomly choose   ←    , and compute  = () − ∑ ∈     ; finally, compute  0 ← ( 0 ,   0 , , ) and return the secret key; we have  ⋅   = (). TA securely transmits the query trapdoor to DU. When a user wants to download ciphertexts related to the keyword , DU sends   = [ 0 ,  1 , . . .,  || ] and a list  indicating whether each attribute is positive or negative to CSP, and asks the CSP to search the ciphertexts. Note that DU does not reveal the attribute names to CSP, only whether each attribute is positive or negative.
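The ciphertext components of KS-CPABE (c0 = A0^T s + x0, c = u^T s + x + ⌊q/2⌋m, c_kw = H(kw)^T s + x_kw in the notation of the code), decryption with a short e0 satisfying A0 e0 = u, and the CSP's keyword Test, as an added toy example in Python; this is not the paper's own code or parameters. It assumes tiny, insecure parameters and, since no lattice trapdoor sampler is implemented, picks each short vector first and derives the matching u or H(kw) from it instead of calling SamplePre; the keyword vectors and the seeded randomness are constructed for the example.

```python
import random

# Toy parameters, constructed for illustration; far too small to be secure.
Q = 1048573   # prime modulus q
N = 16        # lattice dimension n (rows of A0)
M = 64        # number of columns m of A0
NOISE = 5     # error terms are drawn uniformly from [-NOISE, NOISE]

rng = random.Random(2024)   # seeded so the example is reproducible

def mat_vec(A, v):
    # A0 * v mod q, with A0 stored as a list of N rows of length M
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def mat_t_vec(A, s):
    # A0^T * s mod q
    return [sum(A[i][j] * s[i] for i in range(N)) % Q for j in range(M)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def centered(v):
    # representative of v mod q in the range (-q/2, q/2]
    v %= Q
    return v - Q if v > Q // 2 else v

def setup():
    # The paper's TrapGen also outputs a trapdoor basis T_A0; this toy keeps only
    # the uniform matrix A0 and works around the missing trapdoor in short_preimage().
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]

def short_preimage(A0):
    # Stand-in for SamplePre(A0, T_A0, u, sigma): instead of sampling a short e for
    # a given u, pick the short vector e first and derive u = A0 e (mod q).
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    return mat_vec(A0, e), e

def encrypt(A0, u, h_kw, m):
    # The paper's ciphertext components, all sharing one secret s:
    #   c0 = A0^T s + x0,  c = u^T s + x + floor(q/2) m,  c_kw = H(kw)^T s + x_kw
    s = [rng.randrange(Q) for _ in range(N)]
    x0 = [rng.randint(-NOISE, NOISE) for _ in range(M)]
    c0 = [(a + x) % Q for a, x in zip(mat_t_vec(A0, s), x0)]
    c = (dot(u, s) + rng.randint(-NOISE, NOISE) + (Q // 2) * m) % Q
    c_kw = (dot(h_kw, s) + rng.randint(-NOISE, NOISE)) % Q
    return c0, c, c_kw

def decrypt(e, c0, c):
    # c - e^T c0 = x - e^T x0 + floor(q/2) m, and |x - e^T x0| <= NOISE * (M + 1) << q/4
    return 1 if abs(centered(c - dot(e, c0))) > Q // 4 else 0

def keyword_test(t_kw, c0, c_kw):
    # Test run by the CSP: with the matching trapdoor (A0 t_kw = H(kw)) the difference
    # is only small noise; with any other trapdoor it is uniform mod q.
    return 1 if abs(centered(c_kw - dot(t_kw, c0))) <= NOISE * (M + 1) else 0

def demo():
    A0 = setup()
    u, e = short_preimage(A0)             # public u and the ABE secret key e0
    h_may, t_may = short_preimage(A0)     # constructed H("2016-05") and its trapdoor
    h_june, t_june = short_preimage(A0)   # constructed H("2016-06") and its trapdoor
    c0, c, c_kw = encrypt(A0, u, h_may, 1)
    return decrypt(e, c0, c), keyword_test(t_may, c0, c_kw), keyword_test(t_june, c0, c_kw)
```

The CSP learns only whether the stored keyword ciphertext matches the submitted trapdoor, never the keyword itself, which is the point of the Test algorithm above.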

Security Proof
In this section, we discuss the security proof of our ASE scheme. Comparing the ASE scheme with a CP-ABE scheme with attribute-hiding and a PEKS scheme, we divide our ASE scheme into two parts. If we only take setup, ABE-KeyGen, encrypt (without the keyword ciphertext ), and decrypt from the ASE scheme, our scheme is a CP-ABE scheme with attribute-hiding. If we only take setup, encrypt (without the first ciphertext ), trapdoor, and test from the ASE scheme, our scheme is a PEKS scheme. So we give the security proof of our ASE scheme in the following two theorems.
Theorem 6. If the  , problem is hard, then this CP-ABE scheme with attribute-hiding is secure against selective chosen plaintext attack. That is, if there exists an adversary A that breaks the selective chosen plaintext attack game with advantage , then there exists an algorithm B that solves  , with probability .
Proof. Algorithm B has an oracle (⋅); the goal of B is to decide whether the samples output by (⋅) come from  , or are uniform. B runs adversary A and simulates A's view in the selective chosen plaintext attack game as follows.
A can make further key generation queries, with the limitation that the attribute set  does not satisfy  0 and  1 . Finally, A outputs a bit   as a guess for . If   = , B outputs 1; else it outputs 0.
On one hand, if (⋅) is a  oracle for some  * ,  * is a valid ciphertext; thus the distribution of A's view is statistically close to that in the real game. On the other hand, if (⋅) is uniform, then the ciphertext  is uniform over   , and the probability that A guesses the right  is exactly 1/2. Therefore, if A can break our system, B can solve the  problem.
Proof of Theorem 7. In the random oracle model, suppose there is a polynomial-time adversary A that has nonnegligible advantage  in attacking the scheme; let the maximum number of  queries be   , and construct an algorithm B that solves the  problem. B runs A as a subroutine. B uniformly chooses a random index  ← [  ] and interacts with A as follows.
Notice that if  is pseudorandom,  is part of a valid encryption; if  is random,  is uniformly distributed over   .
Phase 2. B answers A's queries about  ∈ {0, 1} * as in Phase 1; the only limitation is  ̸ =  0 ,  1 .
We now analyze the reduction. The probability that B does not abort during the trapdoor queries is 1 − 1/  . In the challenge phase, the probability that ( 0 ) = ℎ * or ( 1 ) = ℎ * is 2/  , so the advantage of B in solving  is 2(  − 1)/ 2  .

Conclusion
We propose an authorized searchable encryption scheme with attribute-hiding from lattices, which enables only authorized users to perform keyword search and then decrypt ciphertexts. We are the first to integrate PEKS with CP-ABE based on lattice assumptions. In contrast to previous solutions [11,14], our scheme achieves attribute-hiding, which prevents the revelation of sensitive user information. The security of our scheme is based on the LWE assumption; meanwhile, data owners can sort ciphertexts. If data users want to extract the ciphertexts from some point in time, they only need to submit the trapdoor corresponding to that keyword to the cloud server.

Theorem 7. Assuming the  problem is hard, this  scheme is IND-PEKS CPA secure in the random oracle model.