Abstract

For data stored on cloud servers, keyword search and access control are two important capabilities that should be supported. Public-key encryption with keyword search (PEKS) and attribute-based encryption (ABE) are the corresponding solutions. Meanwhile, as we step into the postquantum era, pairing-related assumptions are fragile. Lattices are an ideal choice for building encryption schemes that remain secure against quantum attacks. Based on this, we propose the first mathematical model for lattice-based authorized searchable encryption. Data owners can sort the ciphertext by specific keywords such as time; data users who satisfy the access control hand the trapdoor generated for the keyword to the cloud server, and the cloud server sends back the corresponding ciphertext. The security of our scheme is based on the learning with errors (LWE) assumption, which rests on the worst-case hardness of lattice problems. In addition, our scheme achieves attribute-hiding, which protects the sensitive information of data users.

1. Introduction

Nowadays, more and more people use services from cloud servers [1], which provide scalable and elastic storage and computation resources over the Internet. Outsourcing data services to the cloud enables companies not only to save equipment investment but also to simplify local IT management. Cloud infrastructures are physically hosted and maintained by the cloud providers. To minimize the risk of data leakage to cloud service providers and to protect data security and privacy, data owners choose to encrypt sensitive data, such as health records and property information, before outsourcing it to the cloud, while keeping the decryption key to themselves and other authorized users. However, a plain encryption scheme is not enough, because data owners also want to share sensitive data under fine-grained access control. The cloud server cannot be fully trusted by the data owner, so traditional server-based access control methods are no longer a suitable solution for cloud computing.

In order to address the problem of secure and decentralized access control, Sahai and Waters [2] proposed the concept of ABE by extending identity-based encryption, which achieves flexible one-to-many encryption and provides a fine-grained data sharing scheme. Later, two kinds of ABE were put forward: key-policy (KP) ABE, in which the ciphertext is associated with attributes and the secret key with the decryption policy, and ciphertext-policy (CP) ABE, in which the secret key is associated with a list of attributes and the ciphertext with an access policy. Goyal et al. [3] proposed the first construction of KP-ABE, which supports any monotone access policy. Afterwards, the first CP-ABE scheme was provided by Bethencourt et al. [4]; unfortunately, the security of their scheme was proved only in the generic group model. Subsequently, Ostrovsky et al. broadened both schemes to support any nonmonotonic structure [5]. The first CP-ABE scheme provable in the standard model was proposed by Cheung and Newport [6] and supports only AND-gates. Later on, Waters [7] gave the first CP-ABE proved in the standard model that supports fully expressive access structures.

All the schemes mentioned above are constructed from pairings. Unfortunately, if we move into the postquantum era, pairing-related assumptions are fragile. Lattices are an ideal choice for building secure encryption schemes for two reasons: firstly, no known algorithm, even with the help of a quantum computer, can efficiently solve hard lattice problems; secondly, lattice-based cryptographic constructions enjoy several potential advantages: asymptotic efficiency, conceptual simplicity, and security proofs based on worst-case hard problems. Recently, ABE schemes from lattice assumptions have been emerging. J. Zhang and Z. Zhang [8] proposed a CP-ABE scheme without pairings, which supports AND-gate access structures. Boyen [9] built a KP-ABE from lattice assumptions and pointed to the study of CP-ABE as an open problem for future work.

ABE resolves the problem of fine-grained access control and provides one-to-many encryption, which improves the efficiency of the data owner; however, data utilization is still a challenging problem. For example, in order to search for relevant documents in an encrypted data set stored in the cloud, one may have to download and decrypt the entire data set. This is clearly impractical when the data volume is large. Thus, mechanisms that allow users to search directly over encrypted data are of great interest in the era of cloud computing. Traditional plaintext keyword search cannot be applied to encrypted data, which results in poor quality of service. Boneh et al. [10] proposed a public key encryption with keyword search (PEKS) scheme to address the problem of searching encrypted data.

There are also many existing searchable encryption schemes from pairings. Lai et al. [11] present a more efficient construction based on Lewko et al.'s KP-ABE scheme [12]. However, the scheme in [11] discloses the searched keywords in the trapdoor, which lets the server learn whether the encrypted data contains the keywords in the trapdoor. Compared with [13], the size of a ciphertext (or a trapdoor) in [11] is linear in the number of keywords. Recently, Lv et al. [14] presented an expressive and secure asymmetric searchable encryption scheme, which is the first to simultaneously support conjunctive, disjunctive, and negation search operations. However, there has been no authorized searchable encryption (ASE) scheme from lattice assumptions so far. In this paper, we integrate CP-ABE with PEKS and propose authorized searchable encryption with attribute-hiding from lattices, which enables only authorized users to perform keyword search and then decrypt the ciphertext.

Meanwhile, by using keywords such as year, month, and day, data owners can sort ciphertexts. If data users want to retrieve the ciphertexts from some point in time, they only need to submit a trapdoor corresponding to that keyword to the cloud server.

The two main contributions of our scheme are as follows.

(1) To the best of our knowledge, this is the first work that addresses ASE from lattice assumptions.

(2) In contrast to previous solutions [11, 14], our scheme achieves attribute-hiding, which could protect sensitive user information from being leaked.

The rest of the paper is organized as follows. Section 2 states the preliminaries about definitions for ASE, security model for PEKS and CP-ABE, and lattice knowledge. Section 3 describes our ASE with attribute-hiding from lattice assumptions in detail. Section 4 gives the security proof of our scheme. Section 5 presents our conclusion for this paper.

2. Preliminaries

2.1. Definitions for ASE

We consider ASE in cloud computing. The system architecture is similar to that in [15] and is illustrated in Figure 1. There are four participants in our system.

Trusted Authority (TA). This entity is fully trusted by the other participants of the system. The responsibility of TA is to initialize the system parameters, to generate attribute-based private keys, and to generate trapdoor keys for data users.

Cloud Services Provider (CSP). This entity provides data storage and retrieval services. It stores the outsourced data content of the data owner. Only the specified receivers who meet the access policy can search and download the content. We adopt the honest-but-curious model for the cloud server as in [16]: the cloud server honestly follows the designated protocols and procedures to fulfill its service provider's role, while it may analyze the information stored and processed on the server in order to learn additional information about its customers.

Data Owner (DO). This entity is a cloud storage subscriber who wants to encrypt its data content first and then upload it to the cloud storage service. Intended receivers who satisfy the access policy can read the encrypted content. The responsibility of the data owner is to create encrypted data and to choose the keywords to encrypt.

Data User (DU). This entity is another cloud storage subscriber who queries encrypted data from CSP. Only retrievers who satisfy the access policy have the legal right to access the encrypted content and read the original message. The responsibility of data users is to choose keywords to create trapdoors for search, to initiate search requests, and to decrypt data.

In our setting, a user is identified by a set of attributes; let be the user's attributes. An ASE scheme consists of six polynomial-time algorithms, described as follows.

Setup. The setup algorithm is run by TA and takes as input a security parameter . It outputs the master secret key and the public system parameters , which include the description of the attribute universe and the keyword universe. TA publishes and keeps secret. We write it as .

ABE-KeyGen. The attribute private key generation algorithm is an interactive protocol between DU and TA. The public input to TA and DU consists of the system public parameters and the attribute set owned by DU. The private input to TA is the master secret key . Finally, DU obtains an attribute private key . We write it as .

KS-CPABE. DO runs the encryption algorithm, which takes as input the system public parameters , an access structure , and a message . The algorithm encrypts and produces a ciphertext . Note that, in our ASE, the ciphertext does not contain , which achieves attribute-hiding. We write it as .

Trapdoor. The query private key generation algorithm is an interactive protocol between DU and TA. The public input to TA and DU consists of the system public parameters , the attribute set owned by DU, and a keyword . TA inputs the master secret key . In addition, a sequence of random coin tosses may be used by TA and DU as private inputs. Finally, DU obtains an attribute trapdoor . We write it as . Afterwards, DU sends to CSP.

Test. The keyword test algorithm is run by CSP. It takes as input the system parameters and a trapdoor for the keyword from a DU, and tests the against the keyword set . It outputs 1 if and 0 otherwise.

Decrypt. DU runs the decryption algorithm, which takes the ciphertext and as input. Only if satisfies the access structure does it return the message .

2.2. Security Model for PEKS and CPABE

In this subsection, we introduce the functionality of PEKS and CP-ABE independently.

2.2.1. PEKS

A scheme consists of four polynomial-time algorithms: , , , and . The algorithm generates a public/private key pair . The algorithm generates a searchable encryption of a keyword under the intended receiver's public key. The algorithm produces a trapdoor for a keyword using the receiver's private key. The algorithm verifies whether a ciphertext matches a trapdoor.

The standard security property of a scheme is indistinguishability against chosen keyword attack. The scheme is semantically secure if no polynomial-time adversary has a non-negligible advantage against the challenger in the following security game [10].

Security Game

KeyGen. The challenger runs the algorithm to generate a key pair and gives to the adversary .

Phase 1. queries the challenger for the trapdoor for any keyword of his choice.

Challenge. At some time, sends the challenger two keywords and which it wishes to challenge. The only restriction is that has never previously queried the trapdoors and for and , respectively. The challenger selects randomly and sends the adversary as the challenge ciphertext.

Phase 2. can continue to adaptively ask the challenger for the trapdoor for the keyword of his choice which satisfies .

Guess. In the end, the adversary outputs . If , wins the game. Define the advantage of in this game as .

Definition 1. A PEKS scheme is IND-PEKS CPA secure if all polynomial time adversaries making at most token queries have at most a negligible advantage in the above security game.

2.2.2. A CP-ABE Scheme with Attribute-Hiding

The scheme consists of four algorithms [17].

Setup. This algorithm inputs a security parameter and generates the public key and a master secret key . is used for encryption; is used to generate user secret keys. It is held by the central authority.

Encrypt. This algorithm inputs the public key , a message , and an access policy . It outputs the ciphertext . Note that, in CP-ABE supporting attribute-hiding, the ciphertext does not contain .

KeyGen. This algorithm inputs a set of attributes associated with the user and outputs a secret key .

Decrypt. This algorithm takes as input the ciphertext and a secret key . Only if satisfies the access policy , it returns the message .

Selective Game for CP-ABE with Hiding Attributes

Init. The adversary gives the challenge ciphertext policies , before setup.

Setup. The challenger runs the setup algorithm and gives to the adversary .

Phase 1. The adversary submits an attribute list for a query. If or , the challenger gives the adversary the secret key . The adversary can repeat this query polynomially many times.

Challenge. The adversary submits messages , to the challenger. If the adversary obtained the whose associated attribute list satisfies both and in Phase 1, then it is required that . The challenger flips a random coin and passes the ciphertext to the adversary.

Phase 2. Phase 1 is repeated. If , the adversary cannot submit such that .

Guess. The adversary outputs a guess of . The advantage of an adversary in this game is defined as .

Definition 2. A CP-ABE scheme with hiding attributes is selective CPA secure if all polynomial-time adversaries have at most a negligible advantage in the above security game.

2.3. Lattice and Hardness Assumption

2.3.1. Integer Lattices

Definition 3. Let be an matrix consisting of linearly independent vectors . The dimensional full-rank lattice generated by is ; is called a basis of the lattice .

For a basis , let denote its Gram-Schmidt orthogonalization, defined iteratively as , where is the component of orthogonal to span . denotes the longest Euclidean norm among the column vectors of .

Given a matrix for a prime and integers and , we consider two kinds of full-rank -dimensional integer lattices, defined by , .

Proposition 4 (see [18]). For any prime and , there is a probabilistic polynomial-time algorithm TrapGen that outputs a matrix and a full-rank set such that is statistically close to uniform over and is a basis for .

2.3.2. Discrete Gaussian

For any , the Gaussian function on centered at with parameter is defined as , . Let . The discrete Gaussian distribution over with center and parameter is defined as , . The subscripts are taken to be 0 when omitted.

Gentry et al. [19] defined and constructed preimage sampleable functions. Let be a basis for an -dimensional lattice satisfying ; the algorithm samples from the discrete Gaussian distribution .

The preimage sampleable function is defined as follows.

. The algorithm takes as input , the short basis for , the target image , and Gaussian parameters and outputs which is statistically close to .

2.3.3. Learning with Errors Problem

Our construction can be reduced to learning with errors problem, which is a classical problem defined by Regev [20].

For an integer and a distribution on , the goal of the (average-case) learning with errors problem is to distinguish between the distribution for some uniform secret and the uniform distribution on . The hardness of the problem means that the distribution is pseudorandom. Regev showed that, for certain moduli and Gaussian error distributions , is as hard as solving several standard worst-case lattice problems with a quantum algorithm.

Proposition 5 (see [20]). For an and a prime , let denote the distribution over of the random variable , where is a normal random variable with mean and standard deviation . If there exists an efficient, possibly quantum, algorithm for deciding the - problem, then there exists an efficient quantum algorithm for approximating the and problems, to within factors in the norm, in the worst case.
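As an added illustration of Sections 2.3.2 and 2.3.3 (example code written for this page, not from the paper): an exact rejection sampler for the discrete Gaussian in the paper's parametrization, rho_{s,c}(x) = exp(-pi (x - c)^2 / s^2), the rounded Gaussian error of Proposition 5 (round(q * X) mod q with X normal of standard deviation alpha / sqrt(2 pi)), and generation of LWE samples (A, A s + e mod q). The residual check at the end shows what "small error" buys a legitimate decryptor: the true secret explains every sample with a bounded residual, while an unrelated candidate leaves residuals that look uniform. The parameters n, m, q, alpha and s are toy values chosen here and give no real security.

```python
import math
import random


def new_rng(seed):
    """Deterministic RNG so the toy runs reproducibly (constructed for this example)."""
    return random.Random(seed)


def sample_discrete_gaussian(s, rng, c=0.0, tail=6):
    """Exact rejection sampler for D_{Z,s,c} with rho_{s,c}(x) = exp(-pi (x-c)^2 / s^2).

    Draw x uniformly from the integers within tail*s of c and accept with probability
    rho_{s,c}(x) <= 1; the mass outside that window is below exp(-pi*tail^2), negligible.
    """
    lo, hi = math.floor(c - tail * s), math.ceil(c + tail * s)
    while True:
        x = rng.randint(lo, hi)
        if rng.random() < math.exp(-math.pi * (x - c) ** 2 / s ** 2):
            return x


def psi_bar(alpha, q, rng):
    """One error sample as in Proposition 5: round(q * X) mod q,
    X normal with mean 0 and standard deviation alpha / sqrt(2*pi)."""
    x = rng.gauss(0.0, alpha / math.sqrt(2 * math.pi))
    return round(q * x) % q


def lwe_samples(n, m, q, secret, error_fn, rng):
    """m samples (a_i, b_i = <a_i, secret> + e_i mod q), a_i uniform in Z_q^n, e_i from error_fn."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(a * si for a, si in zip(row, secret)) + error_fn()) % q for row in A]
    return A, b


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def max_residual(A, b, candidate, q):
    """Largest |b_i - <a_i, candidate>| (centered mod q); small only for the true secret."""
    return max(abs(centered(bi - sum(a * ci for a, ci in zip(row, candidate)), q))
               for row, bi in zip(A, b))


def demo(seed=1, n=16, m=64, q=4093, alpha=0.01):
    """Build an LWE instance with Psi-bar_alpha error and compare the residuals left by the
    true secret and by an unrelated candidate.  Returns (residual_true, residual_wrong)."""
    rng = new_rng(seed)
    secret = [rng.randrange(q) for _ in range(n)]
    A, b = lwe_samples(n, m, q, secret, lambda: psi_bar(alpha, q, rng), rng)
    wrong = [rng.randrange(q) for _ in range(n)]
    return max_residual(A, b, secret, q), max_residual(A, b, wrong, q)


def gaussian_stats(s=10.0, count=2000, seed=2):
    """Empirical mean and variance of D_{Z,s}; for s above the smoothing parameter the variance
    is close to s^2 / (2*pi), about 15.9 for s = 10."""
    rng = new_rng(seed)
    xs = [sample_discrete_gaussian(s, rng) for _ in range(count)]
    mean = sum(xs) / count
    var = sum((x - mean) ** 2 for x in xs) / count
    return mean, var
```

With q = 4093 and alpha = 0.01 the error has standard deviation roughly 16, so the true secret's residuals stay in the low hundreds, far below q/4; a wrong candidate's residuals spread over the whole range, which is exactly the gap that the decryption rules in Section 3 exploit by rounding.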

3. Authorized Searchable Encryption Scheme

In this section, we put forward our ASE scheme, where the access structures consist of AND-gates over positive and negative attributes. We define some notation as follows: let the set of attributes be for a fixed natural number . We refer to attributes and their negations as literals. We consider access structures consisting of an AND-gate policy whose inputs are literals, denoted by , where and every is a literal (i.e., or ). Our construction is defined as follows and is parameterized by a dimension , a Gaussian parameter , a modulus , and an that determines the error distribution .

Setup. TA chooses a cryptographically secure hash function , which maps each keyword to a vector in . Compute ; then, for each , randomly choose , . Intuitively, the public key elements , correspond to the two cases of : positive and negative. Next, randomly choose a vector and set the public key , while keeping the master secret key .

ABE-KeyGen. Denote by the input attribute set of DU. Every is implicitly treated as a negative attribute. For each , if , define ; else define ; then, for each , randomly choose and compute ; finally, compute and return the secret key . Observe that if we let , we have .

KS-CPABE. Given a message bit and an AND-gate access structure , let be the sets of positive (negative) attributes in , respectively, and denote ; then, for each , if , define as a well-formed ciphertext and as a malfunction ciphertext. If , the situation is reversed: define as a well-formed ciphertext and as a malfunction ciphertext. If , both and are well-formed ciphertexts, and, for each keyword , . Randomly choose , , and from the noise distributions; compute , , and . If , , and is a random -dimensional vector, which can be obtained by randomly choosing , . If , , . If , , .

Finally, return ciphertext and secure keyword attachment .

Trapdoor. To generate a trapdoor for a keyword, DU must contact TA. TA performs the trapdoor generation similarly to the ABE-KeyGen phase. For each , if , define ; else define ; then, for each , randomly choose and compute ; finally, compute and return the secret key .

Observe that if we let , we have . TA securely transmits the query trapdoor to DU. When a user wants to download ciphertexts related to the keyword , DU sends together with a list indicating whether each attribute is positive or negative to CSP and asks CSP to search the ciphertexts. Note that DU does not reveal the attribute names to CSP, only the positive or negative information of the attributes.

Test. CSP receives the trapdoor and the list of positive or negative information about the attributes; let if is a positive attribute, and let ; else let . Define ; compute ; let ; if , CSP accepts the ciphertext as valid and outputs 1; otherwise, CSP rejects it as invalid and outputs 0.

Decrypt. After receiving the ciphertext from CSP, DU performs the decryption procedure analogously to the Test phase. Define as above; compute . Define . Finally, if lies in , return 1; otherwise, return 0.

4. Security Proof

In this section, we discuss the security proof of our ASE scheme. Comparing our ASE scheme with CP-ABE with attribute-hiding and with PEKS, we divide our ASE scheme into two parts. If we take only Setup, ABE-KeyGen, encryption (omitting the keyword ciphertext ), and Decrypt from the ASE scheme, we obtain a CP-ABE scheme with attribute-hiding. If we take only Setup, encryption (omitting the first ciphertext ), Trapdoor, and Test from the ASE scheme, we obtain a PEKS scheme. We therefore prove the security of our ASE scheme through the following two theorems.

Theorem 6. If the problem is hard, then this CP-ABE scheme with attribute-hiding is secure against selective chosen plaintext attack. That is, if there exists an adversary A that wins the selective chosen plaintext attack game with advantage , then there exists an algorithm that solves with probability .

Proof. Algorithm has access to an oracle ; the goal of is to decide whether the samples output by come from or from the uniform distribution. runs the adversary and simulates 's view of the selective chosen plaintext attack game as follows.

Init. Adversary chooses two challenge ciphertext policies and and gives them to . Let be the set of positive (negative) attributes in and let .

Setup. After receiving , , obtains and from .

For each , obtains , from . For each , obtains from and then computes . For each , obtains from and then computes .

Finally, sets the public key , while keeping the master secret key .

KeyGen Queries. receives a query from with attribute set . If satisfies both and , simply outputs . Otherwise, for each , if , lets ; else it lets .

Since does not satisfy both and , namely, or , there must exist a such that was generated by TrapGen. Hence, knows its trapdoor .

Let ; then, for each , randomly chooses and computes ; finally, computes and returns the secret key to .

Challenge. The adversary submits messages , to the challenger. If the adversary obtained a whose associated attribute list satisfies both and in Phase 1, then it is required that . randomly chooses and computes and . For each , let , where is a random vector. For each , let , where is a random vector. For each , let , .

Finally, returns .

Phase 2. Phase 2 proceeds like Phase 1. If , the adversary cannot submit such that .

may make further key generation queries, with the restriction that the attribute set does not satisfy both and . Finally, outputs a bit as a guess for . If , outputs 1; else it outputs 0.

On the one hand, if is an oracle for some , is a valid ciphertext; thus the distribution of 's view is statistically close to that in the real game. On the other hand, if is a uniform oracle, then the ciphertext is uniform over , and the probability that guesses correctly is exactly . Therefore, if can break our system, can solve the problem.

Theorem 7. Assuming that the problem is hard, this scheme is IND-PEKS CPA secure in the random oracle model.

Proof. In the random oracle model, suppose there is a polynomial-time adversary that has a non-negligible advantage in attacking the scheme; let the maximum number of queries be , and construct an algorithm that solves the problem. runs as a subroutine. uniformly chooses a random index and interacts with as follows.

Setup. sends to .

Phase 1. answers the queries of as follows.

Phase 1: Hash Queries. keeps a list , which is initially empty. The entries of have the form . On receiving 's th distinct query to , if , then sets and gives to ; else, for , randomly chooses and returns the secret key . Let ; we have , and return to .

Phase 1: Trapdoor Queries. When asks for the trapdoor for a keyword , if has already queried about , let be the corresponding tuple in the list . If , then aborts; otherwise it gives to .

Challenge. submits two target keywords to . If has already queried about and satisfies and , then aborts. Otherwise, computes as normal; is obtained from the challenge oracle : either or a random element of . Finally, returns the ciphertext .

Notice that if is pseudorandom, is part of a valid encryption; if is random, is uniformly distributed over .

Phase 2. answers 's queries about as in Phase 1; the only restriction is .

Guess. outputs ; finally, if , then outputs 1; otherwise outputs 0.

We now analyze the reduction. The probability that does not abort during the trapdoor queries is . In the challenge phase, the probability of or is , so the advantage of in solving is .

5. Conclusion

We propose an authorized searchable encryption scheme with attribute-hiding from lattices, which enables only authorized users to perform keyword search and then decrypt the ciphertext. We are the first to integrate PEKS with CP-ABE under lattice assumptions. In contrast to previous solutions [11, 14], our scheme achieves attribute-hiding, which prevents the disclosure of sensitive user information. The security of our scheme is based on the LWE assumption; meanwhile, data owners can sort ciphertexts. If data users want to retrieve the ciphertexts from some point in time, they only need to submit a trapdoor corresponding to that keyword to the cloud server.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (Grant nos. 61272525 and 61370203) and Science and Technology on Communication Security Laboratory Foundation (no. 9140C110301110C1103).