Research Article | Open Access

Daini Wu, Xiaoming Wang, Qingqing Gan, "Public Key Encryption with Keyword Search from Lattices in Multiuser Environments", *Mathematical Problems in Engineering*, vol. 2016, Article ID 6549570, 7 pages, 2016. https://doi.org/10.1155/2016/6549570

# Public Key Encryption with Keyword Search from Lattices in Multiuser Environments

**Academic Editor:**Nazrul Islam

#### Abstract

A public key encryption scheme with keyword search capabilities is proposed using lattices for applications in multiuser environments. The proposed scheme enables a cloud server to check if any given encrypted data contains certain keywords specified by multiple users, but the server would not have knowledge of the keywords specified by the users or the contents of the encrypted data, which provides data privacy as well as privacy for user queries in multiuser environments. It can be proven secure under the standard learning with errors assumption in the random oracle model.

#### 1. Introduction

Cloud storage has established itself as a widely used service for businesses and individuals; however, it comes with inherent challenges including security risks, reliable data storage, and data accessibility. The fact that data owners lose full control over their data brings about concerns with regard to privacy, data integrity, and confidentiality. Data owners have no way to prevent unauthorized individuals or even the party hosting the cloud servers to access or tamper with their data. To ensure data confidentiality and privacy, any sensitive data would need to be encrypted before it is sent to a cloud sever. Unfortunately, data encryption greatly restricts the ability of cloud servers to handle user access requests. A typical example is that of an encrypted document; the encryption changes the contents of the document, making it very hard to search/sort documents using keywords.

To resolve this problem, the notion of the public key encryption with keyword search (PEKS) was proposed by Boneh et al. [1]. The construction of this scheme was inspired by identity-based encryption (IBE) and aims to allow a user to search for encrypted keywords without decryption. In the PEKS scheme, a sender uploads an encrypted email to a server along with an encrypted list of keywords. The receiver sends the desired keyword (denoted as a trapdoor) to the email server, which then tests the encrypted emails for the presence of this trapdoor. Soon afterwards, Waters et al. [2] demonstrated that a PEKS scheme can be used in a wide range of practical applications such as building encrypted and searchable audit logs. Subsequently, many intuitions have been proposed to improve upon this construction (e.g., [3–8]).

The security of most PEKS schemes and their variants are based on the hard problems of number theory such as large integer factorization, the discrete logarithm problem, and bilinear mapping with the Diffie-Hellman problems. However, Shor [9] has discovered a function which can effectively solve the discrete logarithm problem, as well as an algorithm for quantum factoring. This means that quantum computers are a threat to the security of these cryptosystems.

One possible solution that has undergone rapid development in recent years is lattice-based cryptographic schemes. So far, there has been no quantum algorithm which can effectively solve this class of problems, which makes them an attractive candidate for robust encryption. Ajtai [10] first presented the proof of the hardness of lattice problems, and following this work, many new constructions with lattices have been proposed (e.g., [11–14]). However, there have only been two PEKS schemes from lattices proposed in the literature so far, and these schemes were constructed in a single-user environment. Notably, there is currently no similar work available in the literature for PEKS scheme, which means that there is no a PEKS system constructed using lattices in multiuser environment. It is very clear that the schemes proposed for use in a single-user environment cannot be directly and effectively used in multiuser environments because of the increased requirements of the latter. In PEKS schemes constructed in a single-user environment, data owner can only share his data with a single user and also only permit a single user to search for the encrypted keywords on the encrypted data. While in multiuser environments, such as cloud storage, data owners hope to share their data with multiple users and also permit the multiple users to search over the owner’s shared data on the cloud server side. Therefore, PEKS schemes constructed in a single-user environment can not satisfy the characteristics of cloud environment.

In order to solve this problem, a public key encryption scheme with keyword search is proposed using lattices for applications in multiuser environments, which is called PEKSL scheme. In the proposed scheme, cloud server can translate a keyword encrypted under one public key into the same keyword encrypted under another public key, so that it checks if any given encrypted data contains certain keywords specified by multiple users but learns nothing else about the data. This provides data privacy as well as privacy for user queries in multiuser environments. Furthermore, it can be proven secure under the hardness of the standard learning with errors problem in the random oracle model.

##### 1.1. Related Work

To enable users search over encrypted outsourced data through keywords without decrypting the data at first, the notion of public key encryption with keyword search (PEKS) was first put forth by Boneh et al. [1] and its construction makes use of the construction of identity-based encryption (IBE). This construction was later improved by several schemes using the bilinear pairing. Waters et al. [2] demonstrated that these PEKS schemes could be useful to build encrypted and searchable audit logs. Abdalla et al. [4] presented an improved universal transformation from anonymous IBE to PEKS, and Baek et al. [6] proposed a PEKS scheme with a designated server to remove a secure channel. Golle et al. [3] defined the first security model for conducting conjunctive keyword searches to achieve a combinable multikeyword search. Subsequently, Boneh and Waters [5] extended the PEKS scheme to support conjunctive, subset, and range comparisons over the supplied keywords. Camenisch et al. [7] proposed oblivious generation of the keyword search trapdoor to maintain the privacy of the keyword against a curious trapdoor generator, and Cao et al. [8] presented ranked searches using multikeywords over encrypted cloud data and established a variety of privacy requirements.

Nowadays, lattice-based cryptographic schemes have a more fast development, and many new constructions with lattices have been proposed. Ajtai [10] first presented the proof of the hardness of lattice problems, and following this work, many new constructions with lattices have been proposed. These include group signature schemes (e.g., [11, 12]), hierarchical identity-based encryption schemes (e.g., [13, 14]), broadcast encryption on lattice schemes (e.g., [15, 16]), attribute-based encryption (e.g., [17]), and fully homomorphic encryption schemes (e.g., [18, 19]). Notably, there were only two public key encryption with keyword search schemes from lattice [20, 21] so far in the literature, and their schemes were constructed in a single-user environment.

##### 1.2. Paper Organization

The following sections are described briefly as follows. We review the basic concepts about integer lattices, discrete Gaussians, learning with errors problem, the formal models, and a security model of PEKSL in Section 2. We give the specific construction about the PEKSL in a multiuser environment and then prove our scheme under the security model in Section 3. Finally, we conclude this paper in Conclusion.

#### 2. Preliminaries

We describe some preliminaries and other useful concepts that are used in our approach in this section.

##### 2.1. Integer Lattices

*Definition 1 (see [20]). *Given linearly independent vectors , the lattice generated by them is denoted and define The vectors are called the basis of lattice.

For prime and and , define

##### 2.2. The Gram-Schmidt Norm of Basis

Let denote the Gram-Schmidt orthogonalization of the set of linearly independent vectors in . It is defined as follows: and is the component of orthogonal to span , where . We refer to as the Gram-Schmidt norm of .

Lemma 2 (see [14]). *Let be an -dimensional lattices. There is a deterministic polynomial-algorithm that, given an arbitrary basis of and a full-rank set in , returns a basis of satisfying *

Theorem 3 (see [22]). *Let and be positive integers and let be a prime, with and ; there is a probabilistic polynomial time algorithm that outputs a pair such that is statistically close to a uniform matrix in and is a basis for satisfying with all but negligible probability in .*

##### 2.3. Discrete Gaussians

*Definition 4. *Choose a subset . For any positive parameter and any vector define The discrete Gaussians distribution over with parameter and center is

Lemma 5 (see [23]). *Let and be a matrix in with . Let be a basis for and . Then for and , *(i)*there is a PPT algorithm that returns drawn from a distribution statically close to ,*(ii)*there is a PPT algorithm that returns drawn from a distribution statically close to , whenever is not empty.*

Theorem 6 (see [14]). *Define . stands for the distribution on matrices in defined as conditioned on the resulting matrix being -invertible. There are some important algorithms: *(i)*. The following simple algorithm samples matrices in from a distribution that is statistically close to .(a) Let be the canonical basis of the lattice .(b)For , do .(c)If is -invertible, output ; otherwise repeat step 2.*(ii)

*. Input a rank matrix , a -invertible matrix in sampled from (or a product of such), a basis for , and a parameter .(a)*

*Let and calculate . Observe that is a set of independent vectors in , where in .*(b)*Convert into a basis of whose Gram-Schmidt norm is no more than that of .*(c)*Call and output the resulting basis of .*##### 2.4. LWE Problem

*Definition 7 (see [20]). *Consider a prime , a positive integer , and a distribution over , all public. -LWE problem instance consists of access to an unspecified challenge oracle , being either a noisy pseudorandom sample carrying some constant random secret key or a truly random sampler , whose behaviors are respectively as follows: (i): output noisy pseudorandom sample of the form , where is an uniformly distributed persistent value invariant across invocations, is a fresh randomness from , and is uniform in .(ii): output truly uniform random sample from .

The -LWE problem allows repeat queries to the challenge oracle . We say that an algorithm decides the -LWE problem if is nonnegligible for a random .

#### 3. PEKSL Scheme in a Multiuser Environment

##### 3.1. Intuition behind the Construction

In PEKS scheme, a sender (Bob) sends an encrypted email to the email gateway using a receiver’s (Alice’s) public key appended with some encrypted keywords. When Alice gives the email gateway a trapdoor associated with searching keywords, it tests if the keywords are relevant to the email and learns nothing else. Since the ciphertext encrypted with receiver’s public key can only be tested by a trapdoor given by Alice and cannot be tested by a trapdoor obtained from another user, such as Charles, PEKS scheme is constrained to be used in a single-user environment where the receiver can only be a single user. In order to meet the need that multiple users can execute encrypted keyword searches over the encrypted files, we add a* Re-KeyGen* algorithm in the definition of PEKS and construct PEKSL scheme, which is inspired by the concept of proxy reencryption. The* Re-KeyGen* algorithm is used to convert a keyword encrypted by a public key into the same keyword encrypted under another public key. More precisely, given a special information (i.e., a reencryption key), the* Re-KeyGen* algorithm enables cloud server to convert the encrypted keyword with Alice’s public key in the ciphertext of the same keyword for Charles so that cloud server can check if the encrypted keywords are relevant to an email upon a trapdoor generated by Charles. Based on the above idea, we construct our PEKSL scheme using lattices for a multiuser environment, where multiple users can execute encrypted keyword searches over the data uploaded by data owner to the cloud server.

##### 3.2. Definition

A PEKSL scheme includes a trust center (TC), data owners, cloud servers, and data users. TC is trusted and is responsible for generating system parameters. The data owners refer to a special type of users who create the private/confidential data and then outsource them to cloud servers in an encrypted form so it can be shared with authorized users. The cloud servers are responsible for producing query results on the encrypted data and then sending these results to the users. Users generally refer to those who are authorized to search for encrypted keywords in the encrypted data. In this paper we consider the users to be from the public domain.

A PEKSL scheme for a multiuser environment involves the following six algorithms:(i). After input a secure parameter , the* Setup* algorithm outputs a global public/private key pair hold by TC.(ii). The* KeyGen* algorithm takes as input and a user’s identity label and then generates a public key , a private key for user , and a secret key for TC.(iii). After input a key pair , the* Re-KeyGen* algorithm produces a reencryption key .(iv)). The* PEKS* algorithm produces a searchable encryption of keyword with user’s public key .(v)). The trapdoor algorithm generates a trapdoor for keyword with a public/private key pair .(vi). The Test algorithm verifies whether a ciphertext matches a trapdoor.

##### 3.3. Security Game

The security of PEKSL scheme for a multiuser environment is indistinguishable against chosen keyword attack. According to the rules of the security game, an adversary can get the most of trapdoors except those which are relevant to two specified keywords. Yet, it can not distinguish which keyword appended with to a given PEKS ciphertext.

In the following game, a PEKSL scheme for a multiuser environment is indistinguishable against chosen keyword attack if an adversary has a negligible advantage against a challenger in polynomial time.

*Security Game *(i)*Setup*. calls algorithm to produce a key pair and sends to .(ii)*Phase 1*. makes the following queries:(a)Uncorrupted key generation oracle: return a fresh key pair ; give to .(b)Corrupted key generation oracle: return a fresh key pair ; is given .(c)Trapdoor Oracle: after input by , return the trapdoor , where is the secret key that corresponds to .(d)Reencryption key generation oracle: return a reencryption key . Noting that correspondent and are from uncorrupted key generation oracle or corrupted key generation oracle as in [24], that is, the reencryption key queries are not allowed between uncorrupted oracle and corrupted oracle.(iii)*Challenge*. gives two keywords that it hopes to be challenged on. The only limitation is that have not queried for the trapdoors or . chooses a random and sends a PEKSL ciphertext as the challenge ciphertext.(iv)*Phase 2*. adaptively queries for the trapdoor for any keyword he wants again, and it is important to note that the must satisfy .(v)*Guess*. Finally, gives . If , wins the game.In this game, we define the advantage of that is .

##### 3.4. Construction

Choose two positive integers , , a prime , satisfying and , and a hash function . Construction of PEKSL scheme in a multiuser environment is described as follows:(i). Take a secure parameter as input, TC invokes to produce a randomly uniform matrix along with a short basis for , and output the global public key as well as global private key .(ii). After input and a user identity label , TC invokes firstly to generate a -invertible matrix in sampled from , where is a security parameter. Then TC invokes to generate a basis of , and output the user’s public key in and private key and a secret key . TC sends to the user by a security way and saves a list of .(iii). TC gets from the list of and computes TC sends to the cloud server by a security way.(iv). The data owner computes and chooses uniformly and computes and , where is a noise vector. Output the ciphertext .(v). A user computes and invokes to generate , where is a Gaussian parameter. Note that in . Output as a trapdoor; that is .(vi). The cloud server computes then let . If , return 1; otherwise, return 0.

##### 3.5. Security Analysis

We show the security analysis of PEKSL scheme for a multiuser environment in this section. In the random oracle model, supposing that there is an adversary that has a nonnegligible advantage to attack our mechanism in polynomial time, we are able to construct a polynomial time algorithm having a probability to solve the LWE assumption, where denotes the query times of which queries the random oracle .

*Proof. *With the adversary , we construct the algorithm as follows.

requests from ( is a pseudorandom LWE oracle) and receives a fresh pair for each and selects a random integer . (i)*Setup*. Given LWE samples, assembles the random matrix from , more exactly, making the th column of be the vector , and gives the public key to .(ii)*Phase 1*. answers queries of as follows:(a)Uncorrupted key generation oracle: after input an index , if this is uncorrupted, runs to obtain a -invertible matrix in and computes , . Finally saves the tuple in PK-List. sends to .(b)Corrupted key generation oracle: after input an index , if this is corrupted, runs firstly to obtain a -invertible matrix and then to get a basis for . Finally responds to with and records the tuple in PK-List.(c) Oracle: to answer queries, saves the tuples in a -list, which is initially empty. For the th query, sends to and answers as follows:(1)If this query is the query number (i.e., , defines , satisfying , and returns .(2)Otherwise, if this query has saved in the -list, then responds to . If the query does not appears on the -list and the corresponding in PK-List, chooses and computes . Finally saves the quadruple in -list for future use and returns to .(d)Trapdoor Oracle: for input and , if , aborts and fails. Otherwise, retrieves the saved quadruple from the -list. Here we assume that a trapdoor query on is preceded by a query with . By construction, is the trapdoor for the keyword . return as the trapdoor to .(e)Reencryption key generation oracle: after input , checks whether both and occur in PK-List, if not, aborts. Otherwise, does the following operations:(1)If , responds to with .(2)If , aborts.(iii)*Challenge*. sends two keywords with a it wants to challenge on, when it decides to finish Phase 1. calls the algorithm mentioned above to answer queries twice with input . If , then aborts; if both and , then aborts either. Otherwise, supposing , retrieves from the LWE instance and sets and . responds with challenge ciphertext . Note that when is a pseudorandom LWE oracle and for the random and the noise value , then and is valid encryption for . While is a random oracle, is uniformly sampled from .(iv)*Phase 2*. answers queries of the same way it does in Phase 1 if , , and the is from uncorrupted key generation oracle.(v)*Guess*. At last guesses . returns 1 if ; otherwise returns 0.if does not halt, the distribution of both the challenge ciphertext and the public parameters is identical to its distribution in the real system. If aborts the challenge ciphertext will be independently randomly sampled from . That is, if does not abort, the advantage of in solving LWE is identical to ’s advantage to attack this mechanism.

*Probability Analysis*. We now analyze the situations that did not come to a halt in the simulation. There are two independent situations:(i): did not report failure during any ’s trapdoor queries.(ii): did not report failure during any ’s challenge queries.

The trapdoor of the same keyword is supposed not to be queried twice by . And because is chosen randomly in and , does not abort in the simulation of with probability ; that is, .

The only situation where reports failure during challenge phase is that and . The probability that or is . Hence, we have .

So we have the probability of in solving LWE which is at least .

#### 4. Conclusion

A public key encryption with keyword search scheme is first presented using lattices for multiuser environment. Fruitful lattice-based cryptographic schemes have been proposed before, but as far as we know, it is the first lattice-based public key encryption with keyword search scheme targeted towards applications in multiuser environments. Its security can be proven based on the standard LWE assumption in the random oracle model.

#### Competing Interests

The authors declare that they have no competing interests.

#### Acknowledgments

This work was granted partially by National Natural Science Foundation of China (61272415 and 61070164), Science and Technology Planning Project of Guangdong Province, China (2013B010401015), and Natural Science Foundation of Guangdong Province, China (S2012010008767).

#### References

- D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in
*International Conference on the Theory and Applications of Cryptographic Techniques EUROCRYPT 2004: Advances in Cryptology—EUROCRYPT 2004*, vol. 3027 of*Lecture Notes in Computer Science*, pp. 506–522, Springer, Berlin, Germany, 2004. View at: Google Scholar - B. R. Waters, D. Balfanz, G. Durfee, and D. K. Smetters, “Building an encrypted and searchable audit log,” in
*Proceedings of the NDSS Symposium*, vol. 4, pp. 5–6, February 2004. View at: Google Scholar - P. Golle, J. Staddon, and B. Waters, “Secure conjunctive keyword search over encrypted data,” in
*Applied Cryptography and Network Security: Second International Conference, ACNS 2004, Yellow Mountain, China, June 8–11, 2004. Proceedings*, vol. 3089 of*Lecture Notes in Computer Science*, pp. 31–45, Springer, Berlin, Germany, 2004. View at: Publisher Site | Google Scholar - M. Abdalla, M. Bellare, D. Catalano et al., “Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions,” in
*Advances in Cryptology—CRYPTO 2005*, V. Shoup, Ed., vol. 3621 of*Lecture Notes in Computer Science*, pp. 205–222, Springer, Berlin, Germany, 2005. View at: Publisher Site | Google Scholar - D. Boneh and B. Waters, “Conjunctive, subset, and range queries on encrypted data,” in
*Theory of Cryptography Conference: TCC 2007: Theory of Cryptography*, vol. 4392 of*Lecture Notes in Computer Science*, pp. 535–554, Springer, Berlin, Germany, 2007. View at: Publisher Site | Google Scholar - J. Baek, R. Safavi-Naini, and W. Susilo, “Public key encryption with keyword search revisited,” in
*Computational Science and Its Applications—ICCSA 2008: International Conference, Perugia, Italy, June 30– July 3, 2008, Proceedings, Part I*, vol. 5072 of*Lecture Notes in Computer Science*, pp. 1249–1259, Springer, Berlin, Germany, 2008. View at: Publisher Site | Google Scholar - J. Camenisch, M. Kohlweiss, A. Rial, and C. Sheedy, “Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data,” in
*Public Key Cryptography-PKC 2009*, pp. 196–214, Springer, Berlin, Germany, 2009. View at: Google Scholar - N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving multi-keyword ranked search over encrypted cloud data,”
*IEEE Transactions on Parallel and Distributed Systems*, vol. 25, no. 1, pp. 222–233, 2014. View at: Publisher Site | Google Scholar - P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in
*Proceedings of the 35th Annual Symposium on Foundations of Computer Science (SFCS '94)*, pp. 124–134, IEEE, 1994. View at: Publisher Site | Google Scholar - M. Ajtai, “Generating hard instances of lattice problems,” in
*Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC '96)*, pp. 99–108, Philadelphia, Pa, USA, May 1996. View at: Publisher Site | Google Scholar - S. D. Gordon, J. Katz, and V. Vaikuntanathan, “A group signature scheme from lattice assumptions,” in
*Advances in Cryptology—ASIACRYPT 2010*, vol. 6477, pp. 395–412, Springer, 2010. View at: Publisher Site | Google Scholar | MathSciNet - A. Langlois, S. Ling, K. Nguyen, and H. Wang, “Lattice-based group signature scheme with verifier-local revocation,” in
*Public-Key Cryptography—PKC 2014*, H. Krawczyk, Ed., vol. 8383 of*Lecture Notes in Computer Science*, pp. 345–361, Springer, Berlin, Germany, 2014. View at: Publisher Site | Google Scholar - S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (H)IBE in the standard model,” in
*Advances in Cryptology—EUROCRYPT 2010*, vol. 6110, pp. 553–572, Springer, 2010. View at: Publisher Site | Google Scholar | MathSciNet - S. Agrawal, D. Boneh, and X. Boyen, “Lattice basis delegation in fixed dimension and shorter-cipher text hierarchical ibe,” in
*Annual Cryptology Conference: CRYPTO 2010: Advances in Cryptology—CRYPTO 2010*, vol. 6223 of*Lecture Notes in Computer Science*, pp. 98–115, Springer, Berlin, Germany, 2010. View at: Google Scholar - X. Li, B. Yang, Y. Guo, and W. Sun, “Provably secure group based broadcast encryption on lattice,”
*Journal of Information and Computational Science*, vol. 8, no. 2, pp. 179–193, 2011. View at: Google Scholar - A. Georgescu, “Anonymous lattice-based broadcast encryption,” in
*Information and Communication Technology*, pp. 353–362, Springer, Berlin, Germany, 2013. View at: Google Scholar - Y. Wang, “Lattice ciphertext policy attribute-based encryption in the standard model,”
*International Journal of Network Security*, vol. 16, no. 6, pp. 444–451, 2014. View at: Google Scholar - C. Gentry, “Fully homomorphic encryption using ideal lattices,” in
*Proceedings of the 41th Annual ACM Symposium on Theory of Computing (STOC '09)*, pp. 169–178, ACM, 2009. View at: Publisher Site | Google Scholar - C. Gentry, “Toward basing fully homomorphic encryption on worst-case hardness,” in
*Annual Cryptology Conference: CRYPTO 2010: Advances in Cryptology—CRYPTO 2010*, vol. 6223 of*Lecture Notes in Computer Science*, pp. 116–137, Springer, Berlin, Germany, 2010. View at: Publisher Site | Google Scholar - C. Gu, Y. Guang, Y. Zhu, and Y. Zheng, “Public key encryption with keyword search from lattices,”
*International Journal of Information Technology*, vol. 19, no. 1, 2013. View at: Google Scholar - C. Hou, F. Liu, H. Bai, and L. Ren, “Public-key encryption with keyword search from lattice,” in
*Proceedings of the 8th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC '13)*, pp. 336–339, IEEE, Compiegne, France, October 2013. View at: Publisher Site | Google Scholar - J. Alwen and C. Peikert, “Generating shorter bases for hard random lattices,”
*Theory of Computing Systems*, vol. 48, no. 3, pp. 535–553, 2011. View at: Publisher Site | Google Scholar | MathSciNet - C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in
*Proceedings of the 14th Annual ACM Symposium on Theory of Computing (STOC '08)*, pp. 197–206, Victoria, Canada, May 2008. View at: Publisher Site | Google Scholar - C.-K. Chu, J. Weng, S. S. M. Chow, J. Zhou, and R. H. Deng, “Conditional proxy broadcast re-encryption,” in
*Information Security and Privacy*, C. Boyd and J. G. Nieto, Eds., vol. 5594 of*Lecture Notes in Computer Science*, pp. 327–342, Springer, Berlin, Germany, 2009. View at: Publisher Site | Google Scholar

#### Copyright

Copyright © 2016 Daini Wu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.