Public key encryption with conjunctive keyword search on lattice

Journal of Information Security and Applications 51 (2020) 102433

Peng Wang (a), Tao Xiang (a,*), Xiaoguo Li (a), Hong Xiang (b)

(a) College of Computer Science, Chongqing University, Chongqing 400044, China
(b) School of Big Data & Software Engineering, Chongqing 400044, China

Keywords: Lattice-based cryptography; Learning with errors; Conjunctive keyword search

Abstract

Outsourcing data to cloud storage has been gaining popularity recently. To protect data privacy, the data should be encrypted, and it is therefore critical to provide search services over encrypted outsourced data; the problem is how to retrieve encrypted data while protecting data privacy at the same time. Public key encryption with keyword search (PEKS) was proposed for this purpose. Nevertheless, the majority of existing PEKS schemes are based on bilinear mappings and do not provide quantum security. Although some lattice-based PEKS schemes have been proposed, they cannot support conjunctive keyword search. In this paper, we first propose a public key encryption with conjunctive keyword search (PECK) scheme using lattices. Our PECK scheme provides efficient search over encrypted data containing multiple keywords for a single data user. To support multiple data users, a multi-user PECK scheme is also presented. The two schemes are proved secure against indistinguishable chosen keyword attacks (IND-CKA) based on the learning with errors (LWE) problem in the random oracle model. Finally, we provide a performance evaluation of our proposed scheme by theoretical analysis and experimental simulation.

© 2019 Elsevier Ltd. All rights reserved.

1. Introduction

Cloud computing has been gaining popularity for its great convenience in data computing, storage and management; however, there are also great security challenges for data outsourced to the cloud. In reality, to reduce the cost of data storage and infrastructure maintenance, a number of companies and individuals store local data in the cloud to obtain high-quality services from shared and configurable computing resources. Although the flexibility and economy of cloud storage attract a lot of attention from customers, they also bring serious data privacy issues. The data stored on the cloud server might contain large amounts of sensitive information about customers, such as emails, electronic health records, credit card numbers and commercial contracts. The loss may be immeasurable if these data are compromised. Thus, to protect data privacy, the data outsourced to a commercial public cloud should be encrypted by the data owners. Encryption prevents administrators and others with root rights from accessing the data without a key, but at the same time the data owner also loses the ability to search. A simple solution is for the data user to download and decrypt all the data locally, but this is impractical because of the overhead of decryption as well as communication bandwidth.

* Corresponding author. E-mail address: [email protected] (T. Xiang).

https://doi.org/10.1016/j.jisa.2019.102433

To deal with this issue, searchable encryption (SE) [1–11] technologies have been proposed. Searchable encryption allows a data user to securely retrieve the encrypted documents of interest through keywords. In general, searchable encryption mainly comprises symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). In this paper, we mainly discuss PEKS schemes. In a PEKS scheme, when a data owner stores his data on the server, he encrypts the sensitive data and the keywords extracted from it, and then sends the ciphertext to the server. The data user can then use his own private key to compute a trapdoor for the keywords he wishes to query, and send the trapdoor to the server. Upon receiving the query request, the server searches the encrypted data for files containing the keyword and returns them to the data user. Throughout the process, the server is unable to learn any information about the data or the keywords. Most existing PEKS schemes are based on number theory. Unfortunately, these schemes cannot resist quantum attacks given the progress of quantum computation. In this situation, lattice-based cryptography attracts a lot of attention because it is secure against quantum attacks. Although some recent schemes [12–21] have been proposed to query over encrypted data based on lattice assumptions, these constructions only support single keyword search. Therefore, designing a secure SE scheme that supports conjunctive keyword search and resists quantum computer attacks is a valuable research effort.


In this paper, we present a public key encryption with conjunctive keyword search (PECK) scheme that resists quantum attacks, built from lattice assumptions. The basic idea is that, prior to uploading the ciphertext, the data owner uses learning with errors (LWE) [22] to encrypt the PECK ciphertexts, and the data user uses a preimage sampling function [23] to generate the query trapdoor. Specifically, in our PECK scheme, the system comprises a data owner, a data user and a server. When the data owner stores his data on the server, he encrypts the data and a set of keywords extracted from it, and uploads the ciphertext to the server. In order to retrieve encrypted data containing these keywords, the data user uses his private key to build a trapdoor query and sends the trapdoor to the server. After the server receives the query request, it searches all encrypted data using the trapdoor and returns the results to the user.

In the PECK scheme, when a data owner uploads his data and expects multiple data users to search it, he would have to encrypt the same data and its corresponding keywords with each user's public key repeatedly, which incurs a large computation overhead. To eliminate these duplicated operations, we further improve our proposed PECK scheme to support multiple data users. In this multi-user PECK scheme, when a data owner uploads his data to the server and wants to share them with multiple data users, he uses these data users' public keys to encrypt the data and its corresponding keywords that he expects to share. To retrieve the encrypted data containing some keywords, any data user can use his own private key and these keywords to compute a secure trapdoor, and then use it to perform the keyword search.

Our contributions are summarized as follows:

1. We construct a PECK scheme and prove that the scheme is IND-CKA secure under the LWE assumption in the random oracle model.
2. We extend the proposed PECK scheme to a multi-user PECK (mPECK) scheme and prove that this scheme is IND-CKA secure under the LWE assumption in the random oracle model.
3. We evaluate the performance of the proposed PECK scheme by theoretical analysis and experiments conducted on a real-world dataset.

The remainder of this paper is organized as follows. Section 2 surveys the related work. In Section 3, we review the basic concepts of lattices and the hardness assumptions for our constructions. Section 4 gives the system model and security definition for our scheme. In Section 5, we construct a single-user PECK scheme and present its correctness analysis and security proof. In Section 6, we extend the PECK scheme to support multiple data users. Section 7 provides our performance evaluation results. Finally, we conclude the paper in Section 8.

2. Related work

Boneh et al. [1] proposed the first PEKS scheme in 2004. It ensures that a server can use the data user's trapdoor to retrieve the encrypted data without obtaining any information about the plaintext. Since its advent, a number of PEKS schemes [3,4,24] have been proposed which enrich the search functionality. Nevertheless, these schemes cannot satisfy users' requirement of searching multiple keywords efficiently. To solve this problem, some conjunctive keyword search schemes [5–9,11] have been proposed. However, with the rise of quantum computation, the security of the above schemes is seriously threatened. To solve this security problem, PEKS schemes based on lattice assumptions were proposed [12,13]; however, these schemes cannot execute synonym queries. In [15], Yang solved semantic keyword

search based on lattice, utilizing a synonym of the pre-defined keyword to query. However, none of the schemes mentioned so far supports multiple data users. Later on, a lattice-based PEKS scheme supporting multiple users was proposed by Wu et al. [14]. Furthermore, Yang et al. [16] gave a lattice-based scheme which enables synonym queries and supports a multi-user system. Behnia et al. [18] gave two PEKS schemes based on the work in [25,26]: the PEKS and Test algorithms of NTRU-PEKS are more efficient than the pairing-based scheme, and LWE-PEKS provides provable security based on the learning with errors (LWE) problem in the standard model. After that, a PEKS scheme supporting keyword revocation was proposed by Yu et al. [19]. A proxy-oriented identity-based PEKS scheme in [20] supports a proxy authorized by the data owner, and the proxy can encrypt sensitive data and the keywords extracted from it; furthermore, this scheme reduces the computational delay between the server and the data receiver. In [21], the authors presented a forward secure PEKS (FS-PEKS) scheme whose security rests on lattice assumptions. Furthermore, an extended FS-PEKS is proposed that is secure against insider keyword guessing attacks.

3. Preliminaries

Before presenting our work, we collect some basic notations and existing cryptographic tools that we will use throughout our construction.

3.1. Notations

We let $\mathbb{R}$ be the real numbers, $\mathbb{Z}$ the integers, and $\mathbb{Z}^+$ the positive integers. For $q \in \mathbb{Z}^+$, let $\mathbb{Z}_q$ be the integers modulo $q$. For a matrix $A$, we let $\tilde{A}$ denote its Gram-Schmidt orthogonalization. Furthermore, we let $\|A\|$ denote its Euclidean norm ($\|A\| = \max_{i \in \{1,\cdots,n\}} \|a_i\|$), where $a_i$ is the $i$th column vector of $A$.

3.2. Lattice

We first introduce the definitions of lattices as follows.

Definition 1 [27]. Given a matrix $B = [b_1, b_2, \cdots, b_n] \in \mathbb{R}^{n \times m}$ whose columns are linearly independent vectors, the lattice $\Lambda = \{Bx = \sum_{i=1}^{n} x_i b_i \mid x_i \in \mathbb{Z}\}$ is generated by $B$. We refer to $B$ as a basis of the lattice.

Definition 2 [28]. For a prime $q$, $A \in \mathbb{Z}_q^{n \times m}$ and $u \in \mathbb{Z}_q^n$, we can define:

$$\Lambda_q^{\perp}(A) = \{v \in \mathbb{Z}^m \mid Av = 0 \bmod q\} \quad (1)$$

$$\Lambda_q^{u}(A) = \{v \in \mathbb{Z}^m \mid Av = u \bmod q\} \quad (2)$$

We then use the following theorem to define the algorithm TrapGen for generating the public key and private key in our scheme.

Theorem 1 [29]. Let $q \ge 2$ and $m \ge 6n\log q$. There exists a probabilistic polynomial time (PPT) algorithm $\mathrm{TrapGen}(q, n)$ that outputs $(A \in \mathbb{Z}_q^{n \times m}, T_A \in \mathbb{Z}^{m \times m})$ such that $A$ is statistically close to a uniform matrix in $\mathbb{Z}_q^{n \times m}$ and $T_A$ is a basis for $\Lambda_q^{\perp}(A)$ satisfying $\|T_A\| \le O(n\log q)$ and $\|\tilde{T}_A\| \le O(\sqrt{n\log q})$ with overwhelming probability.

We further review the application of the Gaussian function in lattice-based cryptographic constructions, and describe the algorithm SamplePre for sampling from the discrete Gaussian distribution $D_{\Lambda,\sigma,c}$.

Definition 3 [30]. Let $\rho_{\sigma,c}(x) = \exp(-\pi\|x - c\|^2/\sigma^2)$ be a Gaussian function on $\mathbb{R}^m$ centered at $c$ with parameter $\sigma > 0$. For a lattice $\Lambda \subset \mathbb{R}^m$, we define $\rho_{\sigma,c}(\Lambda) = \sum_{x \in \Lambda} \rho_{\sigma,c}(x)$. For all $y \in \Lambda$, $D_{\Lambda,\sigma,c}(y) = \rho_{\sigma,c}(y)/\rho_{\sigma,c}(\Lambda)$ is the discrete Gaussian distribution over $\Lambda$.

Theorem 2 [23]. Let $q \ge 2$ and $m \ge 2n\log q$. There exists a PPT algorithm $\mathrm{SamplePre}(A, T_A, u, \sigma)$ that, on input of $A \in \mathbb{Z}_q^{n \times m}$, a basis $T_A$ for $\Lambda_q^{\perp}(A)$, a vector $u \in \mathbb{Z}_q^n$, and an integer $\sigma \ge \|\tilde{T}_A\|\,\omega(\sqrt{\log m})$, outputs $e \in \Lambda_q^{u}(A)$ sampled from a distribution statistically close to $D_{\Lambda_q^{u}(A),\sigma}$.

Finally, we introduce the algorithms SampleBasis and GenSamplePre [31]. SampleBasis is the technique used to generate the private key in our scheme, and GenSamplePre is important for achieving the security of our scheme. Let $A \in \mathbb{Z}_q^{n \times km}$ and denote $A = [A_1, \cdots, A_k]$, where each $A_i \in \mathbb{Z}_q^{n \times m}$. For $S \subseteq \{1, \cdots, k\}$, $S = \{i_1, \cdots, i_j\}$, we write $A_S = [A_{i_1}, \cdots, A_{i_j}]$.

Theorem 3 [31]. Let $q \ge 2$ and $m \ge 2n\log q$, $S \subseteq \{1, \cdots, k\}$, $A \in \mathbb{Z}_q^{n \times km}$ a matrix, $B_S$ a basis of $\Lambda_q^{\perp}(A_S)$, $u \in \mathbb{Z}_q^n$ and $\sigma \ge \|\tilde{B}_S\|\sqrt{km}\,\omega(\sqrt{\log km})$. We have:

1. There exists a PPT algorithm $\mathrm{SampleBasis}(A, B_S, S, \sigma)$ that outputs $B$ such that $B$ is a short basis of $\Lambda_q^{\perp}(A)$ with $\|\tilde{B}\| \le \sigma$.
2. There exists a PPT algorithm $\mathrm{GenSamplePre}(A, B_S, S, u, \sigma)$ that outputs $e \in \Lambda_q^{u}(A)$ sampled from a distribution statistically close to $D_{\Lambda_q^{u}(A),\sigma}$.

3.3. Complexity assumptions

We introduce the LWE assumption, which was introduced by Regev [22], as follows.

Definition 4 (LWE [22]). Let $n, q \in \mathbb{Z}^+$, $\chi$ be an error distribution over $\mathbb{Z}$ and $s \in \mathbb{Z}_q^n$ a secret vector. The distribution $L_{s,\chi,q}$ over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ is obtained by choosing a random $a \in \mathbb{Z}_q^n$, choosing $e \leftarrow \chi$, and returning $(a, c) = (a, \langle a, s\rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The decisional LWE problem is to distinguish whether pairs $(a, c) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled from $L_{s,\chi,q}$ or from the uniform distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$. For certain Gaussian error distributions $\chi$, Regev [22] has shown that solving the LWE problem is as hard as solving the worst-case SIVP and GapSVP.

4. System model and security definition

4.1. System model

Fig. 1 describes the system model for our PECK and mPECK schemes. The system model comprises three entities: data owner, data server and data user. The system works as follows. First, the data owner extracts a keyword set W from a document that needs to be outsourced, then encrypts the document and the keyword set W before they are uploaded to the data server. When a data user


wishes to retrieve the encrypted data for a given keyword set Q, he generates a corresponding trapdoor $T_Q$ with his private key $sk$ and submits $T_Q$ to the data server. The data server is assumed to be honest-but-curious: it honestly follows the designated protocols but may analyze the data in its storage to learn some information. Upon receiving the trapdoor $T_Q$, the server searches all the encrypted documents and returns to the user those results that contain all the queried keywords.

Fig. 1. The system model.

Formally, an mPECK scheme with N data users contains the following four algorithms. When N = 1, this is the PECK model for a single user.

1. KeyGen($1^\kappa$): On input a security parameter $\kappa$, this algorithm outputs the public and private key pairs $(pk_1, sk_1), \cdots, (pk_N, sk_N)$ for the data users.
2. mPECK($pk_1, \cdots, pk_N$, W): Taking the public keys $pk_1, \cdots, pk_N$ and the keyword set $W = \{w_1, w_2, \cdots, w_l\}$, it outputs CT as the ciphertext of W.
3. Trapdoor($sk_j$, Q): Let $I_i$ denote the position of $w_{I_i}$ in the keyword set W. This algorithm takes the private key $sk_j$ and the query keyword set $Q = \{I_1, I_2, \cdots, I_m, w_{I_1}, w_{I_2}, \cdots, w_{I_m}\}$ ($m \le l$) as input and outputs a trapdoor $T_{j,Q}$.
4. Test($pk_j$, CT, $T_{j,Q}$): On input the public key $pk_j$, ciphertext CT and trapdoor $T_{j,Q}$, if CT includes Q, this algorithm outputs '1'; otherwise, it outputs '0'.

4.2. Security definition

Following the security definition of PECK in previous work [5–7], the security of our proposed multi-user PECK scheme is defined by the following game. When N = 1, this is the security game for single-user PECK.

1. Setup: C runs KeyGen($1^\kappa$) → $((pk_1, sk_1), \cdots, (pk_N, sk_N), params)$ and sends $((pk_1, \cdots, pk_N), params)$ to A.
2. Phase 1: A adaptively queries $(j, Q_i)$ ($1 \le i \le d$), where $j$ is a user's index and $Q_i$ is a keyword set. The challenger C runs Trapdoor($sk_j$, $Q_i$) → $T_{j,Q_i}$ and sends $T_{j,Q_i}$ to A.
3. Challenge: A submits to the challenger C two keyword sets $W_0$ and $W_1$ with the restriction that the trapdoors of $W_0$ and $W_1$ have never been queried. C chooses $\xi \in \{0, 1\}$, runs mPECK($pk_1, \cdots, pk_N$, $W_\xi$) → $CT_\xi$ and sends $CT_\xi$ to A.
4. Phase 2: A additionally queries $(j, Q_i)$ with $Q_i \ne W_0, W_1$ ($d + 1 \le i \le \gamma$). The challenger C runs Trapdoor($sk_j$, $Q_i$) → $T_{j,Q_i}$. The constraint is that $T_{j,Q_i}$ must not distinguish $W_0$ and $W_1$. C sends $T_{j,Q_i}$ to A.
5. Guess: Eventually, A outputs its guess $\xi' \in \{0, 1\}$. If $\xi' = \xi$, adversary A wins the game.

Definition 5. An mPECK scheme is IND-CKA secure if for all PPT adversaries A there exists a negligible $\epsilon(\kappa)$ such that

$$\mathrm{Adv}^{\mathrm{IND\text{-}CKA}}_{\mathrm{mPECK},A}(1^\kappa) = \left|\Pr[\xi' = \xi] - \frac{1}{2}\right| \le \epsilon(\kappa)$$

We say that this is the security game for single-user PECK if N = 1 and A submits keyword sets $Q_i$ to obtain trapdoors $T_{Q_i}$ in Phase 1 and Phase 2.

5. Single-user PECK system

We construct a PECK scheme in the single-user scenario and then prove that the PECK scheme is IND-CKA secure.

5.1. Construction

Let $H : \{0, 1\}^* \to \mathbb{Z}_q^{n \times m}$ be a hash function. The parameters $n, m, k, q, \alpha, \sigma$ are specified in Section 5.2.


1. KeyGen($1^\kappa$): This algorithm runs $\mathrm{TrapGen}(q, n) \to (A_0, T_{A_0})$, where $A_0 \in \mathbb{Z}_q^{n \times m}$ is a random matrix and $T_{A_0} \subset \Lambda_q^{\perp}(A_0)$ is a short basis. Then it chooses a matrix $U = [u_1, \cdots, u_k] \in \mathbb{Z}_q^{n \times k}$ at random. The public key $pk$ and private key $sk$ are given by $pk = (A_0, U)$, $sk = T_{A_0}$.
2. PECK($pk$, W): Given a keyword set $W = \{w_1, w_2, \cdots, w_l\}$ by the data owner, it chooses $s \in \mathbb{Z}_q^n$ at random and computes $H(w_i)$ ($1 \le i \le l$). Let $\bar{A} = A_0 \| H(w_1) \| \cdots \| H(w_l)$; it computes $p = \bar{A}^T s + x \in \mathbb{Z}_q^{(l+1)m}$ and $c = U^T s + y \in \mathbb{Z}_q^k$, where $x \leftarrow \chi^{(l+1)m}$ and $y \leftarrow \chi^k$ are noise vectors. Let $p = (p_0, p_1, \cdots, p_l)$, $x = (x_0, x_1, \cdots, x_l)$ and $c = (c_1, \cdots, c_k)$, where $p_i \in \mathbb{Z}_q^m$, $x_i \in \chi^m$ and $c_i \in \mathbb{Z}_q$. The data owner sends the ciphertext $CT = (p, c)$ to the server.
3. Trapdoor($sk$, Q): Given the queried keyword set $Q = \{I_1, \cdots, I_t, w_{I_1}, \cdots, w_{I_t}\}$, this algorithm first computes $H(w_{I_i})$ ($1 \le i \le t$), and then computes $A' = A_0 \| H(w_{I_1}) \| \cdots \| H(w_{I_t})$. For $j = 1, \cdots, k$, it chooses $e_j \in \mathbb{Z}_q^{(t+1)m}$ satisfying $A' e_j = u_j$ by $e_j \leftarrow \mathrm{GenSamplePre}(A', T_{A_0}, S = \{1\}, u_j, \sigma)$, where $\sigma$ is a Gaussian parameter. It outputs $T_Q = (e_1, \cdots, e_k, I_1, I_2, \cdots, I_t)$ as the trapdoor.
4. Test($pk$, CT, $T_Q$): Let $p' = (p_0, p_{I_1}, \cdots, p_{I_t})$. For $j = 1, \cdots, k$, the algorithm computes $b_j = c_j - e_j^T p'$. If $|b_j| < \lfloor q/4 \rfloor$ for all $j = 1, \cdots, k$, it outputs 1, meaning that CT includes Q ("yes"); otherwise, it outputs 0 ("no").
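The following Python script is an added, constructed walk-through of the four algorithms above on a toy instance; it is not code from the paper. TrapGen and GenSamplePre, which need a discrete-Gaussian preimage sampler over a lattice trapdoor, are replaced by an assumed gadget-matrix trapdoor (A0 = [Ā | G − ĀR] with trapdoor R) and a deterministic short preimage, and the parameters q = 4093, n = 4, m = 56, k = 16 together with the {−1, 0, 1} noise distribution are likewise constructed and give no security. What the script does show is the Test rule as analysed in Section 5.2: when Q ⊆ W every b_j collapses to the small error term y_j − e_j^T x', while for a keyword mismatch the hash blocks of e_j no longer cancel against the ciphertext, so b_j is spread over Z_q and a false positive needs all k columns to land inside (−q/4, q/4) at once.

```python
# Constructed toy of the PECK algorithms (Section 5.1) and Test rule (Section 5.2).
# TrapGen/GenSamplePre are replaced by a gadget-matrix trapdoor with a deterministic
# (non-Gaussian) preimage and the parameters are tiny: NOT secure, illustration only.
import hashlib
import random

Q = 4093              # prime modulus q (toy)
N = 4                 # LWE dimension n (toy)
L = 12                # gadget bit-length, 2^L >= Q
M_BAR = 8             # width of the uniform part of A0
M = M_BAR + N * L     # m: A0 and every H(w) block is n x m
K = 16                # k columns u_j in U; Test checks all of them

def centered(v):
    """Representative of v mod Q in (-Q/2, Q/2], so |b_j| < Q/4 is meaningful."""
    v %= Q
    return v - Q if v > Q // 2 else v

def mat_vec(A, v):
    """A v mod Q for A given as a list of rows (use zip(*A) for A^T)."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def hash_matrix(word):
    """H: {0,1}* -> Z_q^{n x m}, realised as a SHA-256-seeded PRNG (toy random oracle)."""
    rng = random.Random(hashlib.sha256(word.encode()).digest())
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]

def noise(rng, length):
    """Error vector from chi = uniform on {-1, 0, 1} (toy stand-in for a Gaussian)."""
    return [rng.choice((-1, 0, 1)) for _ in range(length)]

def trapgen(rng):
    """TrapGen stand-in: A0 = [A_bar | G - A_bar R], trapdoor R, gadget G = I_n (x) (1,2,..,2^(L-1))."""
    A_bar = [[rng.randrange(Q) for _ in range(M_BAR)] for _ in range(N)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(N * L)] for _ in range(M_BAR)]
    A0 = []
    for i in range(N):
        g_row = [(1 << (c % L)) if c // L == i else 0 for c in range(N * L)]
        ar = [sum(A_bar[i][p] * R[p][c] for p in range(M_BAR)) for c in range(N * L)]
        A0.append(A_bar[i] + [(g_row[c] - ar[c]) % Q for c in range(N * L)])
    return A0, R

def preimage_a0(R, u):
    """Short e0 with A0 e0 = u mod Q: e0 = (R z, z) with z the bit decomposition of u (G z = u)."""
    z = [(u[i] >> b) & 1 for i in range(N) for b in range(L)]
    return [sum(R[p][c] * z[c] for c in range(N * L)) for p in range(M_BAR)] + z

def keygen(rng):
    """KeyGen(1^kappa): pk = (A0, U), sk = trapdoor of A0 (R stands in for the short basis)."""
    A0, R = trapgen(rng)
    U = [[rng.randrange(Q) for _ in range(K)] for _ in range(N)]   # n x k
    return (A0, U), R

def peck(pk, words, rng):
    """PECK(pk, W): p = A'^T s + x over A' = [A0 | H(w_1) | ... | H(w_l)], c = U^T s + y."""
    A0, U = pk
    s = [rng.randrange(Q) for _ in range(N)]
    p = [[(a + b) % Q for a, b in zip(mat_vec(zip(*blk), s), noise(rng, M))]
         for blk in [A0] + [hash_matrix(w) for w in words]]
    c = [(a + b) % Q for a, b in zip(mat_vec(zip(*U), s), noise(rng, K))]
    return p, c                        # CT = (p, c); p[0] is the A0 block, p[i] is keyword i

def trapdoor(pk, R, query, rng):
    """Trapdoor(sk, Q), query = {position I: keyword w_I}: short e_j with A' e_j = u_j.
    GenSamplePre stand-in: the H(w_I) blocks of e_j are drawn short at random, then the
    A0 block is fixed through the trapdoor so that the equation holds."""
    A0, U = pk
    positions = sorted(query)
    E = []
    for j in range(K):
        tail = [noise(rng, M) for _ in positions]
        residual = [U[i][j] for i in range(N)]                      # u_j
        for pos, e_blk in zip(positions, tail):
            hv = mat_vec(hash_matrix(query[pos]), e_blk)
            residual = [(r - h) % Q for r, h in zip(residual, hv)]
        E.append([preimage_a0(R, residual)] + tail)
    return E, positions                # T_Q = (e_1, ..., e_k, I_1, ..., I_t)

def peck_test(ct, td):
    """Test(pk, CT, T_Q): b_j = c_j - e_j^T p', p' = (p_0, p_I1, .., p_It); 1 iff all |b_j| < q/4."""
    p, c = ct
    E, positions = td
    if any(pos < 1 or pos >= len(p) for pos in positions):
        return 0                       # the query names a keyword slot CT does not have
    p_prime = [p[0]] + [p[pos] for pos in positions]
    for j in range(K):
        inner = sum(a * b for e_blk, p_blk in zip(E[j], p_prime) for a, b in zip(e_blk, p_blk))
        if abs(centered(c[j] - inner)) >= Q / 4:
            return 0
    return 1

def demo():
    """Match and mismatch on constructed keyword sets; returns (hit, miss) == (1, 0)."""
    rng = random.Random(2020)          # fixed seed: the toy run is repeatable
    pk, sk = keygen(rng)
    ct = peck(pk, ["invoice", "acme", "2019-q4"], rng)         # W, positions 1..3
    td = trapdoor(pk, sk, {1: "invoice", 3: "2019-q4"}, rng)    # Q is a subset of W
    ct_other = peck(pk, ["invoice", "acme", "2020-q1"], rng)    # keyword at position 3 differs
    return peck_test(ct, td), peck_test(ct_other, td)
```

Calling `demo()` returns `(1, 0)`: for the matching ciphertext the worst-case error term with these sizes is below 550, well under q/4 ≈ 1023, so all sixteen columns pass; for the mismatching ciphertext each column lands inside (−q/4, q/4) only about half the time in this toy, which compares the centered representative, so Test rejects unless all k columns pass by chance. The reversed-order sampling in `trapdoor` (tail blocks first, trapdoor block last) is exactly why a real deployment needs the Gaussian GenSamplePre of Theorem 3: the deterministic gadget preimage used here leaks the trapdoor R through its structure.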

5.2. Correctness and parameters setting

We now analyze the correctness of our proposed PECK scheme under its proper parameter setting. If $Q \subseteq W$, then $Q_i = w_{I_i}$ for some $I_i$; thus $p' = (p_0, p_{I_1}, \cdots, p_{I_t}) = (A')^T s + x'$, where $x' = (x_0, x_{I_1}, \cdots, x_{I_t})$. Therefore we have

$$b_j = c_j - e_j^T p' = u_j^T s + y_j - e_j^T (A')^T s - e_j^T x' = y_j - e_j^T x'$$

The term $y_j - e_j^T x'$ is the error term. According to Lemma 6.2 in [23], $y_j - e_j^T x'$ is bounded by $(l+1)mq\alpha\sigma\,\omega(\sqrt{\log((l+1)m)}) + O((l+1)\sigma m)$. In order to make sure that all the algorithms in our proposed PECK scheme work properly, we have the following requirements on these parameters:

1. For the algorithm Test, the error term $|y_j - e_j^T x'|$ must be less than $q/5$; then $\alpha < [(l+1)m\sigma\,\omega(\sqrt{\log((l+1)m)})]^{-1}$ and $q = \Omega((l+1)\sigma m)$.
2. For the algorithm TrapGen, we need $m > 6n\log q$.
3. For the algorithm GenSamplePre, we need $\sigma \ge \|\tilde{T}_{A_0}\|\sqrt{(l+1)m}\,\omega(\sqrt{\log((l+1)m)})$.
4. For Regev's reduction, we need $q > 2\sqrt{n}/\alpha$.

To satisfy the range requirements of these parameters, we set $m = 6n\log q$, $q = (l+1)^{1.5} m^2\,\omega(\sqrt{\log((l+1)n)})$, $\sigma = \sqrt{l+1}\,m\,\omega(\sqrt{\log((l+1)n)})$ and $\alpha = [(l+1)m\sqrt{(l+1)m}\,\omega(\sqrt{\log((l+1)n)})]^{-1}$.

If $Q \not\subseteq W$, by the randomness of $u_j$ and $e_j$, $u_j^T s + y_j - e_j^T p'$ is a random vector in $\mathbb{Z}_q^n$, and therefore $|b_j| \in [0, q]$ is random. Thus, for $1 \le j \le k$, the probability of $|b_j| < \lfloor q/4 \rfloor$ is at most $\frac{1}{4}$. Therefore, when $Q \not\subseteq W$, the probability of the Test algorithm outputting 1 is $\frac{1}{4^k}$. Thus we need $k$ to be large enough to make sure our scheme is correct.

5.3. Security reduction

The following theorem shows that our PECK scheme is IND-CKA secure under the LWE assumption in the random oracle model.

Theorem 4. The proposed PECK scheme is IND-CKA secure if the LWE assumption holds.

Proof. Suppose the proposed PECK scheme is not IND-CKA secure under the security definition. Then there exists an adversary A that breaks the PECK scheme with advantage $\epsilon$. We construct an algorithm B that uses A to break the LWE problem. Assume $H(\cdot)$ is modeled as a random oracle.

Setup: The challenger gives the parameters $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ ($0 \le i \le (lq_t + 1)m + k$) to the adversary B, where all $b_i \in \mathbb{Z}_q$ are equal to $a_i^T s + x_i$ or are randomly chosen. B sets $A_0 = [a_1, a_2, \cdots, a_m]$, $U = [a_{(lq_t+1)m+1}, \cdots, a_{(lq_t+1)m+k}]$, and a short basis of $\Lambda_q^{\perp}(A_0)$ as the private key. Then B sends $pk = (A_0, U)$ to the adversary A.

H-queries: A makes at most $q_h$ H queries in this phase. To respond to these H queries, B creates a list $\{w_j, c_j, A_j, B_j\}$ called $H_{list}$. At the beginning, $H_{list}$ is empty. If the keyword $w_j$ has been queried, then B returns $H(w_j) = A_j$ from $H_{list}$. Otherwise, B chooses $c_j \in \{0, 1\}$ such that $\Pr[c_j = 1] = (\frac{1}{1+q_t})^{1/l}$. If $c_j = 0$, then B runs the algorithm TrapGen to generate $A_j \in \mathbb{Z}_q^{n \times m}$ and a short basis $B_j \in \mathbb{Z}_q^{m \times m}$ for $\Lambda_q^{\perp}(A_j)$, in which $A_j$ is a uniform matrix in $\mathbb{Z}_q^{n \times m}$. Otherwise, it sets $A_j = [a_{jm+1}, a_{jm+2}, \cdots, a_{(j+1)m}]$ and selects a random matrix $B_j \in \mathbb{Z}_q^{m \times m}$. It adds $\{w_j, c_j, A_j, B_j\}$ to $H_{list}$ and sends $A_j$ to A.

Phase 1: A adaptively queries the keyword set $Q_\mu = \{I_{\mu,1}, I_{\mu,2}, \cdots, I_{\mu,t}, w_{\mu,1}, w_{\mu,2}, \cdots, w_{\mu,t}\}$ to obtain a trapdoor $T_{Q_\mu}$. Let $I_\mu$ be $\{I_{\mu,1}, I_{\mu,2}, \cdots, I_{\mu,t}\}$. B obtains the entries $\{w_{\mu,\lambda}, c_{\mu,\lambda}, A_{\mu,\lambda}, B_{\mu,\lambda}\}$ for $1 \le \lambda \le t$ by querying the oracle H. If $c_{\mu,\lambda} = 1$ for all $\lambda$ ($1 \le \lambda \le t$), then B aborts. Otherwise, it computes $A'_\mu = A_0 \| A_{\mu,1} \| \cdots \| A_{\mu,t}$ and, for $1 \le r \le k$,

chooses $e_{\mu,r} \in \mathbb{Z}_q^{(t+1)m}$ satisfying $A'_\mu e_{\mu,r} = u_r$ by $e_{\mu,r} \leftarrow \mathrm{GenSamplePre}(A'_\mu, B_{\mu,\lambda}, S = \{\lambda\}, u_r, \sigma)$ (where $c_{\mu,\lambda} = 0$), and outputs $T_{Q_\mu} = (e_{\mu,1}, e_{\mu,2}, \cdots, e_{\mu,k})$.

Challenge: A submits two keyword sets $W_0 = \{w_{0,1}, w_{0,2}, \cdots, w_{0,l}\}$ and $W_1 = \{w_{1,1}, w_{1,2}, \cdots, w_{1,l}\}$ with the restriction that the trapdoors of $W_0$ and $W_1$ have never been queried. Then B chooses $\xi \in \{0, 1\}$. B queries $w_{\xi,j}$ ($1 \le j \le l$) of $W_\xi$ to the H-oracle and obtains the entries $\{w_{\xi,j}, c_{\xi,j}, A_{\xi,j}, B_{\xi,j}\}$ for all $j$ from the oracle. If $c_{\xi,j} = 1$ for all $j = 1, 2, \cdots, l$, then B computes the challenge ciphertext $CT_\xi = (p_\xi, c_\xi)$, where

$$p_\xi = (b_1, b_2, \cdots, b_m, b_{\xi,m+1}, \cdots, b_{\xi,2m}, \cdots, b_{\xi,(l-1)m+1}, \cdots, b_{\xi,lm})$$

and $c_\xi = (b_{(lq_t+1)m+1}, b_{(lq_t+1)m+2}, \cdots, b_{(lq_t+1)m+k})$. Otherwise, B aborts. Then the ciphertext $CT_\xi$ is sent to A.

Phase 2: A adaptively queries the trapdoors of keyword sets with the constraint that the trapdoor cannot distinguish $W_0$ and $W_1$. B responds as in Phase 1.

Guess: The adversary A outputs its guess $\xi' \in \{0, 1\}$. If $\xi' = \xi$, then B outputs 1, meaning that $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled from $L_{s,\chi,q}$. Otherwise, it outputs 0, meaning that $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled from the uniform distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$.

If the algorithm B aborts in Phase 1 or the Challenge phase, then the simulation fails. In Phase 1, the probability of aborting the algorithm is $(1 - \frac{1}{1+q_t})^{q_t-1}\frac{1}{1+q_t}$ for $q_t$ queries. In the Challenge phase, the probability of aborting the algorithm is $1 - \frac{1}{1+q_t}$. Therefore, the probability of aborting the algorithm during the simulation is at most $\frac{1}{2(1+q_t)}$, because $(1 - \frac{1}{1+q_t})^{q_t-1}\frac{1}{1+q_t}(1 - \frac{1}{1+q_t}) \le \frac{1}{2(1+q_t)}$.

If $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled according to $L_{s,\chi,q}$, then the challenge ciphertext of $W_\xi$ is valid. Let $x = (x_1, x_2, \cdots, x_m, x_{\xi,m+1}, \cdots, x_{\xi,2m}, \cdots, x_{\xi,(l-1)m+1}, \cdots, x_{\xi,lm})$ and $y = (x_{(lq_t+1)m+1}, \cdots, x_{(lq_t+1)m+k})$. Then

$$p_\xi = (b_1, b_2, \cdots, b_m, b_{\xi,m+1}, \cdots, b_{\xi,2m}, \cdots, b_{\xi,(l-1)m+1}, \cdots, b_{\xi,lm}) = (A_0 \| A_{\xi,1} \| \cdots \| A_{\xi,l})^T s + x,$$

$$c_\xi = (b_{(lq_t+1)m+1}, b_{(lq_t+1)m+2}, \cdots, b_{(lq_t+1)m+k}) = [a_{(lq_t+1)m+1}, \cdots, a_{(lq_t+1)m+k}]^T s + y = U^T s + y.$$

In this case, adversary A maintains his advantage, and $|\Pr[\xi' = \xi] - \frac{1}{2}| \ge \epsilon$. If $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled from the uniform distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ and algorithm B does not abort, we have $\Pr[\xi' = \xi] = \frac{1}{2}$. Therefore, the algorithm B has advantage $\epsilon(1 - \frac{1}{2(1+q_t)})$ in solving the LWE problem. □

Theorem 5. The proposed mPECK scheme is IND-CKA secure if the LWE assumption holds.

6. Multi-user PECK system

In this section, we extend our single-user PECK scheme to support the multiple data user scenario.

6.1. Construction

Let $H : \{0, 1\}^* \to \mathbb{Z}_q^{n \times m}$ be a hash function. The parameters $n, m, k, q, \alpha, \sigma$ are specified in Section 5.2.

1. KeyGen($1^\kappa$): This algorithm runs $\mathrm{TrapGen}(q, n) \to (A_0, T_{A_0})$, where $A_0$ is a uniformly random matrix in $\mathbb{Z}_q^{n \times m}$ and $T_{A_0}$ is a short basis of $\Lambda_q^{\perp}(A_0)$. Suppose the identity of user $j$ is $ID_j$ and let $A_j = (A_0 \| H(ID_j))$; it runs $\mathrm{SampleBasis}(A_j, T_{A_0}, S = \{1\}, \sigma) \to B_j$, and $B_j \subset \Lambda_q^{\perp}(A_j)$ is a short basis. Then it chooses a random matrix $U = [u_1, \cdots, u_k] \in \mathbb{Z}_q^{n \times k}$. For $1 \le j \le N$, the public key is $pk_j = (A_j, U)$ and the private key is $sk_j = B_j$.
2. mPECK($pk_1, \cdots, pk_N$, W): Given a keyword set $W = \{w_1, w_2, \cdots, w_l\}$ by the data owner, it chooses a random $s \in \mathbb{Z}_q^n$ and computes $H(w_\zeta)$ ($1 \le \zeta \le l$). For $i = 1, 2, \cdots, N$, let $\bar{A}_i = A_i \| H(w_1) \| \cdots \| H(w_l) \in \mathbb{Z}_q^{n \times (l+2)m}$; it computes $p_i = \bar{A}_i^T s + x_i \in \mathbb{Z}_q^{(l+2)m}$ and $c = U^T s + y \in \mathbb{Z}_q^k$, where $x_i \leftarrow \chi^{(l+2)m}$ and $y \leftarrow \chi^k$ are noise vectors. Let $p_i = (p_{i,0}, p_{i,1}, \cdots, p_{i,l+1})$ and $c = (c_1, \cdots, c_k)$, where $p_{i,\varsigma} \in \mathbb{Z}_q^m$ ($0 \le \varsigma \le l+1$) and $c_\tau \in \mathbb{Z}_q$ ($1 \le \tau \le k$). It outputs the ciphertext $CT = (p_1, p_2, \cdots, p_N, c)$.
3. Trapdoor($sk_j$, Q): Given the query keyword set $Q = \{I_1, \cdots, I_t, w_{I_1}, \cdots, w_{I_t}\}$, the algorithm first computes $H(w_{I_\eta})$ ($1 \le \eta \le t$), and then computes $A'_j = A_j \| H(w_{I_1}) \| \cdots \| H(w_{I_t}) \in \mathbb{Z}_q^{n \times (t+2)m}$. For $1 \le r \le k$, it chooses $e_{j,r} \in \mathbb{Z}_q^{(t+2)m}$ satisfying $A'_j e_{j,r} = u_r$ by $e_{j,r} \leftarrow \mathrm{GenSamplePre}(A'_j, B_j, S = \{1, 2\}, u_r, \sigma)$, where $\sigma$ is a Gaussian parameter. It outputs $T_{j,Q} = (e_{j,1}, e_{j,2}, \cdots, e_{j,k}, I_1, \cdots, I_t)$ as the trapdoor.
4. Test($pk_j$, CT, $T_{j,Q}$): Let $p'_j = (p_{j,0}, p_{j,1}, p_{j,I_1}, \cdots, p_{j,I_t})$. For $\nu = 1, \cdots, k$, the algorithm computes $b_\nu = c_\nu - e_{j,\nu}^T p'_j$. If $|b_\nu| < \lfloor q/4 \rfloor$ for all $\nu = 1, \cdots, k$, it outputs 1, meaning that CT includes Q ("yes"); otherwise, it outputs 0 ("no").

Correctness and parameters are the same as those of Section 5.

6.2. Security reduction

We now prove that our mPECK scheme is IND-CKA secure under the LWE assumption in the random oracle model (Theorem 5).

Proof. Suppose the proposed mPECK scheme is not IND-CKA secure under the security definition. Then there exists an adversary A that breaks mPECK with advantage $\epsilon$. We construct an algorithm B that uses A to break the LWE problem. Assume $H(\cdot)$ is modeled as a random oracle.

Setup: The challenger gives the parameters $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ ($0 \le i \le (lq_t + N + 1)m + k$) to the adversary B, where all $b_i \in \mathbb{Z}_q$ are equal to $a_i^T s + x_i$ or are randomly chosen. For $1 \le i \le N$, B sets $D_i = [a_{im+1}, a_{im+2}, \cdots, a_{(i+1)m}]$, $A_0 = [a_1, a_2, \cdots, a_m]$, $U = [a_{(lq_t+N+1)m+1}, \cdots, a_{(lq_t+N+1)m+k}]$, and a short basis of $\Lambda_q^{\perp}(A_0 \| D_i)$ as the private key $sk_i$. Let $pk_i = ((A_0 \| D_i), U)$ be the public key. Then B sends $pk_1, \cdots, pk_N$ to the adversary A.

H-queries: A makes at most $q_h$ H queries in this phase. To respond to these H queries, B creates a list $\{w_\eta, c_\eta, A_\eta, B_\eta\}$ called $H_{list}$. At the beginning, $H_{list}$ is empty. If the keyword $w_\eta$ has been queried, then B returns $H(w_\eta) = A_\eta$ from $H_{list}$. Otherwise, B chooses $c_\eta \in \{0, 1\}$ such that $\Pr[c_\eta = 1] = (\frac{1}{1+q_t})^{1/l}$. If $c_\eta = 0$, then B runs the algorithm TrapGen to generate $A_\eta \in \mathbb{Z}_q^{n \times m}$ and $B_\eta \in \mathbb{Z}_q^{m \times m}$, in which $A_\eta \in \mathbb{Z}_q^{n \times m}$ is a random matrix and $B_\eta \subset \Lambda_q^{\perp}(A_\eta)$ is a short basis. Otherwise, it sets $A_\eta = [a_{(N+\eta)m+1}, a_{(N+\eta)m+2}, \cdots, a_{(N+\eta+1)m}]$ and selects a random matrix $B_\eta \in \mathbb{Z}_q^{m \times m}$. It adds $\{w_\eta, c_\eta, A_\eta, B_\eta\}$ to $H_{list}$ and sends $A_\eta$ to A.

Phase 1: A submits $(j, Q_\mu)$ to obtain a trapdoor $T_{j,Q_\mu}$, where $j$ is a user's index and $Q_\mu = \{I_{\mu,1}, \cdots, I_{\mu,t}, w_{\mu,1}, \cdots, w_{\mu,t}\}$ is a keyword set. Let $I_\mu$ be $\{I_{\mu,1}, I_{\mu,2}, \cdots, I_{\mu,t}\}$. B obtains the entries $\{w_{\mu,\lambda}, c_{\mu,\lambda}, A_{\mu,\lambda}, B_{\mu,\lambda}\}$ for $1 \le \lambda \le t$ by querying the oracle H. If $c_{\mu,\lambda} = 1$ for all $\lambda$ ($1 \le \lambda \le t$), then B aborts. Otherwise, it computes $A'_\mu = A_0 \| D_j \| A_{\mu,1} \| \cdots \| A_{\mu,t}$ and, for $1 \le r \le k$, chooses $e_{j,\mu,r} \in \mathbb{Z}_q^{(t+2)m}$ satisfying $A'_\mu e_{j,\mu,r} = u_r$ by $e_{j,\mu,r} \leftarrow \mathrm{GenSamplePre}(A'_\mu, B_{\mu,\lambda}, S = \{\lambda\}, u_r, \sigma)$ (where $c_{\mu,\lambda} = 0$), and outputs $T_{j,Q_\mu} = (e_{j,\mu,1}, \cdots, e_{j,\mu,k})$.

Challenge: A submits two keyword sets $W_0 = \{w_{0,1}, w_{0,2}, \cdots, w_{0,l}\}$ and $W_1 = \{w_{1,1}, w_{1,2}, \cdots, w_{1,l}\}$ with the restriction that the trapdoors of $W_0$ and $W_1$ have never been queried. Then B chooses $\xi \in \{0, 1\}$. B queries $w_{\xi,\eta}$ ($1 \le \eta \le l$) of $W_\xi$ to the H-oracle and obtains the entries $\{w_{\xi,\eta}, c_{\xi,\eta}, A_{\xi,\eta}, B_{\xi,\eta}\}$ for all $\eta$ from the oracle. If $c_{\xi,\eta} = 1$ for all $1 \le \eta \le l$, then B computes the challenge ciphertext $CT_\xi = (p_\xi, c_\xi)$, where $p_\xi = [p_1, p_2, \cdots, p_N]$, $c_\xi = (b_{(lq_t+N+1)m+1}, \cdots, b_{(lq_t+N+1)m+k})$, and for $1 \le \gamma \le N$, $p_\gamma = (b_1, \cdots, b_m, b_{\gamma m+1}, \cdots, b_{(\gamma+1)m}, d_{\xi,1}, \cdots, d_{\xi,l})$ with $d_{\xi,\eta} = (b_{\xi,(N+\eta)m+1}, \cdots, b_{\xi,(N+\eta+1)m})$. Otherwise, it aborts. Then B sends $CT_\xi$ to A.

Phase 2: A adaptively queries the trapdoors of keyword sets with the constraint that the trapdoor cannot distinguish $W_0$ and $W_1$. B responds as in Phase 1.

Guess: The adversary A outputs its guess $\xi' \in \{0, 1\}$. If $\xi' = \xi$, then B outputs 1, meaning that $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled from $L_{s,\chi,q}$. Otherwise, it outputs 0, meaning that $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled from the uniform distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$.

If the algorithm B aborts in Phase 1 or the Challenge phase, then the simulation fails. In Phase 1, the probability of aborting the algorithm is $(1 - \frac{1}{1+q_t})^{q_t-1}\frac{1}{1+q_t}$ for $q_t$ queries. In the Challenge phase, the probability of aborting the algorithm is $1 - \frac{1}{1+q_t}$. Therefore, the probability of aborting the algorithm during the simulation is at most $\frac{1}{2(1+q_t)}$, because $(1 - \frac{1}{1+q_t})^{q_t-1}\frac{1}{1+q_t}(1 - \frac{1}{1+q_t}) \le \frac{1}{2(1+q_t)}$.

If $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled according to $L_{s,\chi,q}$, then the challenge ciphertext of $W_\xi$ is valid. Let $x = (x_1, x_2, \cdots, x_m, x_{\gamma m+1}, x_{\gamma m+2}, \cdots, x_{(\gamma+1)m}, x_{\xi,1}, \cdots, x_{\xi,lm})$ and $y = (x_{(lq_t+N+1)m+1}, \cdots, x_{(lq_t+N+1)m+k})$. For $1 \le \gamma \le N$,

6

P. Wang, T. Xiang and X. Li et al. / Journal of Information Security and Applications 51 (2020) 102433 Table 1 Communication cost. Scheme

Public key size

Private key size

Ciphertext size

Trapdoor size

[12] [13] [16] [21] LWE-PEKS [18] PECK mPECK

mnlog q (3mn + nk ) log q (mn + n ) log q mnlog q  ((l + 2 )nm + n ) log q (mn + nk ) log q N (2mn + nk ) log q

m2 log q m2 log q m2 log q m2 log q m2 log q m2 log q 4Nm2 log q

(m + k ) log q (2m + k ) log q (6km + 1 ) log q + 1 ( + m ) log q κ ((2m + 1 ) log q + 1 ) ((l + 1 )m + k ) log q (N (l + 2 )m + k ) log q

kmlog q 2kmlog q 9m2 log q mlog q 2mlog q (t + 1 )km log q (t + 2 )km log q

Table 2 Computation cost. Scheme

Key generation

Ciphertext generation

Trapdoor generation

Test

[12] [13] [16] [21] LWE-PEKS [18] PECK mPECK

TTr TTr Tha + TTr + TSB TTr TTr TTr N (TSB + Tha ) +TTr

kTha + (k + 1 )mul + 1add Tha + 3mul + 2add Tha + 2mul + 2add Tha + 2mul + 2add  3κ mul + (κ + l )add Tha + 2mul + 2add lTha + (N + 1 )mul +(N + 1 )add

kTha + kTSa Tha + kTSL Tha + TSB Tha + 1TSa + TNe  l add + TSL tTha + kTGe tTha + kTGe

kmul kmul 1mul + TSa mul κ mul kmul kmul



pγ = b1 , · · · , bm , bγ m+1 , · · · , b(γ +1)m , dξ ,1 , · · · , dξ ,l



= A0 Dγ Aξ ,1  · · · Aξ ,l



T

s+x

cξ = b(lqt +N+1)m+1 , · · · , b(lqt +N+1)m+k



= a(lqt +N+1)m+1 , · · · , a(lqt +N+1)m+k



T

s+y

T

= U s+y In this case, adversary A maintains his advantage, and |P r[ξ =  ξ ] − 12 | ≥ . If (ai , bi ) ∈ Znq × Zq are sampled from the uniform distribution on Znq × Zq , and algorithm B does not abort, we have 

P r[ξ = ξ ] = 12 . Therefore, the algorithm B has advantage (1 − 1 ) in solving the LWE problem.  2(1+q ) t
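As an added example (not the authors' code), the following Python script instantiates the challenge-ciphertext construction of the proof above with toy parameters: B reads p_γ and c_ξ straight off the LWE samples b_i at the positions the proof specifies, and the check confirms that the result equals [A0 | Dγ | Aξ,1 | ⋯ | Aξ,l]^T s + x computed with the secret. The sample oracle, the parameter values and the 0-based index helpers are assumptions of the example.

```python
import random

# Toy parameters, constructed for this example; the paper's experiments use n = 2, k = 1, q = 4093.
q, n, m, k, N, l, qt = 4093, 2, 4, 1, 2, 3, 3
rng = random.Random(1)


def dot(a, s):
    """Inner product over Z_q."""
    return sum(ai * si for ai, si in zip(a, s)) % q


def lwe_samples(s, count, bound=1):
    """Constructed stand-in for L_{s,chi,q}: sample i is (a_i, b_i) with b_i = a_i^T s + x_i mod q.
    The errors are returned only so the check below can recompute the right-hand side;
    the reduction B sees neither s nor x."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(count)]
    x = [rng.randint(-bound, bound) for _ in range(count)]
    b = [(dot(A[i], s) + x[i]) % q for i in range(count)]
    return A, b, x


def sample_positions(gamma):
    """0-based positions of the samples behind p_gamma, in the proof's order: b_1..b_m,
    then b_{gamma m+1}..b_{(gamma+1)m}, then d_{xi,eta} = (b_{(N+eta)m+1}..b_{(N+eta+1)m}) for eta = 1..l."""
    pos = list(range(m)) + list(range(gamma * m, (gamma + 1) * m))
    for eta in range(1, l + 1):
        pos += range((N + eta) * m, (N + eta + 1) * m)
    return pos


def u_positions():
    """Positions of the k samples behind c_xi: b_{(l q_t + N + 1)m + 1} .. b_{(l q_t + N + 1)m + k}."""
    base = (l * qt + N + 1) * m
    return list(range(base, base + k))


def simulate_challenge(b):
    """What B actually computes: CT_xi = (p_xi, c_xi), read off the b_i alone, no secret involved."""
    p = [[b[i] for i in sample_positions(gamma)] for gamma in range(1, N + 1)]
    c = [b[i] for i in u_positions()]
    return p, c


def genuine_ciphertext(A, s, x):
    """Right-hand side of the proof's equations, evaluated with the secret: for each gamma,
    p_gamma = M^T s + x with M = [A0 | D_gamma | A_{xi,1} | ... | A_{xi,l}], and c_xi = U^T s + y,
    where every block has the a_i at the corresponding positions as its columns."""
    p = []
    for gamma in range(1, N + 1):
        cols = [A[i] for i in sample_positions(gamma)]          # M, stored column by column
        errs = [x[i] for i in sample_positions(gamma)]
        p.append([(dot(col, s) + e) % q for col, e in zip(cols, errs)])
    c = [(dot(A[i], s) + x[i]) % q for i in u_positions()]      # U^T s + y
    return p, c


def embedding_is_exact():
    """True iff B's simulated challenge is, entry for entry, a genuine ciphertext under s."""
    s = [rng.randrange(q) for _ in range(n)]
    total = (l * qt + N + 1) * m + k        # samples consumed by the whole simulation
    A, b, x = lwe_samples(s, total)
    return simulate_challenge(b) == genuine_ciphertext(A, s, x)
```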

7. Performance evaluation

We analyze the performance of our proposed PECK scheme theoretically and experimentally.

7.1. Theoretical evaluation

In this part, we analyze the performance of our PECK scheme from a theoretical perspective. Tables 1 and 2 show the communication cost and the computation cost of our PECK scheme. Moreover, we compare the communication cost of PECK with that of existing lattice-based searchable encryption schemes in terms of public key size, private key size, ciphertext size, and trapdoor size. We also compare the computation cost of the algorithms (i.e. key generation, ciphertext generation, trapdoor generation, and test) in PECK with that of the algorithms in existing schemes. In Tables 1 and 2, T_ha denotes the running time of a hash function and l denotes the number of keywords in the keyword set. T_Tr, T_SL, T_Ge, T_Ne, T_Sa and T_SB denote the cost of running the algorithms TrapGen, SampleLeft, GenSamplePre, NewBasisDel, SamplePre and SampleB, respectively. add and mul represent the cost of a matrix addition and a matrix multiplication, respectively.

For communication cost, as shown in Table 1, the public key of PECK is larger than that of the other schemes because the scheme must remain correct when the queried keyword set is not contained in the encrypted keyword set. The private key sizes of PECK and the existing schemes are similar because the private key is a short basis of a lattice. Although the public key, private key and ciphertext of mPECK are slightly bigger than those of [12,13,16,18,21], only mPECK supports multiple data users and conjunctive keyword search, so the overhead increase of mPECK in public key, private key and ciphertext size is reasonable. Since PECK and mPECK support conjunctive keyword search, multiple keywords must be encrypted, and the ciphertext size of PECK and mPECK grows linearly with the number of keywords in the encrypted keyword set. Likewise, the trapdoor size of PECK and mPECK is linear in the size of the queried keyword set because both support multi-keyword queries. Therefore, the ciphertext size and trapdoor size of PECK and mPECK are larger than those of the other schemes.

For computation cost, from Table 2, PECK, [12,13,18] and [21] have similar key generation cost because they only need to run TrapGen to generate the public and private keys, which is less than the cost of [16]. Since mPECK supports multiple data users, its key generation cost is higher than that of [12,13,16,18,21]. In ciphertext generation, PECK requires l hash function operations, two matrix multiplications and two matrix additions, which is more than [13,16,21] because PECK needs to encrypt l keywords. The ciphertext generation cost of mPECK is higher than that of the other schemes because mPECK supports multiple data users and conjunctive keyword search. In trapdoor generation, PECK and mPECK require t hash function operations and k runs of a lattice sampling algorithm. In Test, PECK and mPECK require k multiplications, so their cost is almost the same as that of [12,13,18,21] and lower than that of [16]. From Table 3, we also note that the schemes [12,13,16,18,21] only achieve single keyword search, and only our proposed schemes PECK and mPECK support conjunctive keyword search.

Table 3. Feature comparison.

| Scheme | Conjunctive keywords support |
|---|---|
| [12] | No |
| [13] | No |
| [16] | No |
| [21] | No |
| LWE-PEKS [18] | No |
| PECK | Yes |
| mPECK | Yes |

7.2. Experimental evaluation

In this part, we present a comprehensive experimental evaluation of our proposed PECK scheme on a real-world dataset, the Enron email dataset [32]. We implement our scheme in C++ with the NTL library [33] and run the experiments on a personal computer with an Intel Core i5-8500 CPU @ 3.00GHz and 8GB RAM. We set n = 2, k = 1, q = 4093 and σ = 768. We evaluate the average running time of the PECK, Trapdoor and Test algorithms, respectively, and show the results in Tables 4–9.

Table 4. The time cost of the PECK algorithm for different sizes of dataset with the same keyword set (l = 4).

| Size of dataset | 1000 | 2000 | 3000 | 4000 | 5000 |
|---|---|---|---|---|---|
| Time of PECK algorithm (s) | 3.9792 | 8.0059 | 12.0418 | 15.9689 | 20.0142 |

Table 5. The time cost of the PECK algorithm for the same dataset with different sizes of keyword set.

| Size of keyword set | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Time of PECK algorithm (s) | 2.3386 | 2.9155 | 3.4783 | 3.9792 |

Table 6. The time cost of the Trapdoor algorithm for the same size of query keyword set (t = 1) with different sizes of keyword set.

| Size of keyword set | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Time of Trapdoor algorithm (s) | 5.504 | 5.501 | 5.503 | 5.505 |

Table 7. The time cost of the Trapdoor algorithm for the same keyword set (l = 4) with different sizes of query keyword set.

| Number of query keywords | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Time of Trapdoor algorithm (s) | 5.5321 | 17.8342 | 49.8632 | 108.4625 |

Table 8. The time cost of the Test algorithm for the same size of query keyword set (t = 1) with different sizes of dataset.

| Size of dataset | 1000 | 2000 | 3000 | 4000 | 5000 |
|---|---|---|---|---|---|
| Time of Test algorithm (s) | 1.0604 | 2.119 | 3.1652 | 4.2295 | 5.338 |

Table 9. The time cost of the Test algorithm for the same size of dataset with different sizes of query keyword set.

| Number of query keywords | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Time of Test algorithm (s) | 1.0496 | 1.1064 | 1.1863 | 1.2304 |

For the PECK algorithm, Table 4 shows that, for the same keyword set with l = 4, the running time of the PECK algorithm is nearly linear in the size of the dataset. Table 5 shows that, for the same dataset of 1000 documents, the time cost of the PECK algorithm depends on the size of the keyword set. As described in our PECK scheme, the PECK algorithm computes the product of an (l + 1)m × n matrix and an n-dimensional vector, and the size of that matrix grows with the number of keywords in the keyword set.

Tables 6 and 7 show the results of the Trapdoor algorithm. From Table 6 we find that, for the same query keyword set with t = 1, the number of keywords in the keyword set has almost no effect on the cost of trapdoor generation; but, as shown in Table 7, the size of the query keyword set has a great influence on the time of generating a trapdoor for the same keyword set with l = 4. This is because generating each trapdoor requires k samples from a lattice, and the dimension of that lattice grows with the size of the query keyword set.

We show the results of the Test algorithm in Tables 8 and 9. As shown in Table 8, for the same query keyword set with t = 1, the query time grows with the size of the dataset. Table 9 shows that, for the same dataset of 1000 documents, the size of the query keyword set has only a slight effect on the Test algorithm.

We also show the running time of the PECK, Trapdoor and Test algorithms on a dataset containing a single document. Fig. 2 shows that the running time of the PECK algorithm depends on the size of the keyword set. Figs. 3 and 4 show that the running times of the Trapdoor and Test algorithms both depend on the size of the queried keyword set.

Fig. 2. PECK algorithm.

Fig. 3. Trapdoor algorithm.


Fig. 4. Test algorithm.

8. Conclusions

In this paper, we present a lattice-based searchable encryption scheme supporting conjunctive keyword search. It allows multiple data owners to upload their data and a single data user to search. Furthermore, we demonstrate how the proposed PECK scheme extends to support multiple data users in the mPECK scheme. The security reduction then shows that the PECK and mPECK schemes are both IND-CKA secure under the LWE assumption in the random oracle model. We also evaluate the performance of the proposed PECK scheme on a real-world dataset.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

CRediT authorship contribution statement

Peng Wang: Conceptualization, Methodology, Software, Writing - original draft. Tao Xiang: Conceptualization, Writing - review & editing, Funding acquisition, Supervision. Xiaoguo Li: Methodology. Hong Xiang: Writing - review & editing.

Acknowledgments

This work was supported by the National Key R&D Program of China (No. 2017YFB0802000).

References

[1] Boneh D, Crescenzo GD, Ostrovsky R, Persiano G. Public key encryption with keyword search. In: Advances in cryptology - EUROCRYPT. Berlin, Heidelberg; 2004. p. 506–22.
[2] Boneh D, Kushilevitz E, Ostrovsky R, Skeith III WE. Public key encryption that allows PIR queries. In: Advances in cryptology - CRYPTO. Berlin, Heidelberg; 2007. p. 50–67.
[3] Fang L, Susilo W, Ge C, Wang J. A secure channel free public key encryption with keyword search scheme without random oracle. In: Cryptology and network security. Berlin, Heidelberg; 2009. p. 248–58.
[4] Guo L, Yau W-C. Efficient secure-channel free public key encryption with keyword search for EMRs in cloud storage. J Med Syst 2015;39(2):11.
[5] Park DJ, Kim K, Lee PJ. Public key encryption with conjunctive field keyword search. In: International workshop on information security applications. Berlin, Heidelberg; 2004. p. 73–86.
[6] Hwang YH, Lee PJ. Public key encryption with conjunctive keyword search and its extension to a multi-user system. In: International conference on pairing-based cryptography. Berlin, Heidelberg; 2007. p. 2–22.
[7] Zhang B, Zhang F. An efficient public key encryption with conjunctive-subset keywords search. J Netw Comput Appl 2011;34(1):262–7.
[8] Ding M, Gao F, Jin Z, Zhang H. An efficient public key encryption with conjunctive keyword search scheme based on pairings. In: IEEE international conference on network infrastructure and digital content; 2013. p. 526–30.
[9] Chen Z, Wu C, Wang D, Li S. Conjunctive keywords searchable encryption with efficient pairing, constant ciphertext and short trapdoor. In: Intelligence and security informatics. Berlin, Heidelberg; 2012. p. 176–89.
[10] Nair MS, MS R. Fine-grained search and access control in multi-user searchable encryption without shared keys. J Inf Secur Appl 2018;41:124–33.
[11] Li Y, Zhou F, Qin Y, Lin M, Xu Z. Integrity-verifiable conjunctive keyword searchable encryption in cloud storage. Int J Inf Secur 2018;17(5):549–68.
[12] Gu C, Guang Y, Zhu Y, Zheng Y. Public key encryption with keyword search from lattices. Int J Inf Technol 2013;19(1):1–10.
[13] Gu C, Zheng Y, Kang F, Xin D. Keyword search over encrypted data in cloud computing from lattices in the standard model. In: Cloud computing and big data. Cham; 2015. p. 335–43.
[14] Wu D, Wang X, Gan Q. Public key encryption with keyword search from lattices in multi-user environments. Math Probl Eng 2016;2016(2):1–7.
[15] Yang Y, Ma M. Semantic searchable encryption scheme based on lattice in quantum-era. J Inf Sci Eng 2016;32:425–38.
[16] Yang Y, Zheng X, Chang V, Ye S, Tang C. Lattice assumption based fuzzy information retrieval scheme support multi-user for secure multimedia cloud. Multimedia Tools Appl 2017(1):1–15.
[17] Behnia R, Yavuz AA, Ozmen MO. High-speed high-security public key encryption with keyword search. In: IFIP annual conference on data and applications security and privacy; 2017. p. 365–85.
[18] Behnia R, Ozmen MO, Yavuz AA. Lattice-based public key searchable encryption from experimental perspectives. IEEE Trans Dependable Secure Comput 2018. doi:10.1109/TDSC.2018.2867462.
[19] Yu X, Xu C, Xu L. Lattice-based searchable encryption with keywords revocable and bounded trapdoor exposure resistance. IEEE Access 2019;7:43179–89.
[20] Zhang X, Tang Y, Wang H, Xu C, Miao Y, Cheng H. Lattice-based proxy-oriented identity-based encryption with keyword search for cloud storage. Inf Sci 2019;494:193–207.
[21] Zhang X, Xu C, Wang H, Zhang Y, Wang S. FS-PEKS: lattice-based forward secure public-key encryption with keyword search for cloud-assisted industrial internet of things. IEEE Trans Dependable Secure Comput. doi:10.1109/TDSC.2019.2914117.
[22] Regev O. On lattices, learning with errors, random linear codes, and cryptography. J ACM 2009;56:1–40.
[23] Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of STOC'08; 2008. p. 197–206.
[24] Crescenzo GD, Saraswat V. Public key encryption with searchable keywords based on Jacobi symbols. In: Progress in cryptology - INDOCRYPT; 2007. p. 282–96.
[25] Agrawal S, Boneh D, Boyen X. Efficient lattice (H)IBE in the standard model. In: Advances in cryptology - EUROCRYPT. Berlin, Heidelberg; 2010. p. 553–72.
[26] Ducas L, Lyubashevsky V, Prest T. Efficient identity-based encryption over NTRU lattices. In: Advances in cryptology - ASIACRYPT; 2014. p. 22–41.
[27] Regev O. Lattices in computer science. Available online: https://cims.nyu.edu/~regev/teaching/lattices_fall_2009/index.html; 2004.
[28] Ajtai M. Generating hard instances of the short basis problem. In: Automata, languages and programming. Berlin, Heidelberg; 1999. p. 1–9.
[29] Alwen J, Peikert C. Generating shorter bases for hard random lattices. Theory Comput Syst 2011;48:535–53.
[30] Regev O. New lattice-based cryptographic constructions. J ACM 2004;51:899–942.
[31] Cash D, Hofheinz D, Kiltz E. How to delegate a lattice basis. IACR Cryptology ePrint Arch 2009;25(4):601–39.
[32] Cohen WW. Enron email dataset. https://www.cs.cmu.edu/~enron/.
[33] Shoup V. NTL: a library for doing number theory. https://www.shoup.net/ntl/.