Elsevier

Theoretical Computer Science

Volume 905, 22 February 2022, Pages 31-53
Chosen-ciphertext lattice-based public key encryption with equality test in standard model

https://doi.org/10.1016/j.tcs.2021.12.013

Abstract

With the rapid growth of cloud storage and cloud computing services, many organizations and users choose to store their data on a cloud server to save costs. Due to security concerns, however, users' data would be encrypted before being sent to the cloud. This hinders computation on encrypted data in the cloud, especially when performing data matching in various medical scenarios. Public key encryption with equality test (PKEET) is a powerful tool that allows an authorized cloud server to check whether two ciphertexts are generated from the same message. PKEET has thus become a promising candidate for many practical applications such as efficient data management on encrypted databases. Lee et al. (Information Sciences 2020) proposed a generic construction of PKEET schemes in the standard model, which makes it possible to yield the first instantiation of post-quantum PKEET schemes based on lattices. At ACISP 2019, Duong et al. proposed a direct construction of PKEET over integer lattices in the standard model. However, their scheme does not reach CCA2-security. In this paper, we propose an efficient CCA2-secure PKEET scheme based on ideal lattices. In addition, we present a modification of the scheme by Duong et al. over integer lattices to attain CCA2-security. Both schemes are proven secure in the standard model, and they remain secure in the upcoming quantum computer era.

Introduction

With the rapid growth of cloud computing, more and more organizations and individuals tend to store their data in the cloud as well as outsource their heavy computations to cloud services. Since the data is normally sensitive, e.g., medical records of patients, it is desirable to encrypt the data before sending or outsourcing it to the cloud services. However, this causes a big problem for doing computations on encrypted data, especially in performing data matching in various medical scenarios.

Public key encryption with equality test (PKEET), introduced by Yang et al. [1], is a special kind of public key encryption that allows any authorized tester with a given trapdoor to test whether two ciphertexts are generated from the same message. This special feature has made PKEET a powerful tool utilized in many practical applications, such as keyword search on encrypted data, encrypted data partitioning for efficient encrypted data management, personal health record systems, and spam filtering in encrypted email systems. Since then, there has been intensive research in this direction, with the appearance of improvements and of schemes with additional functionalities [2], [3], [4], [5], [6]. However, those schemes are proven to be secure in the random oracle model, which is not realistic, even though no insecurity has been found in practical schemes [7]. It is therefore desirable to construct cryptographic schemes, e.g., PKEET, in the standard model.

Up to the present, there are only a few PKEET schemes in the standard model. Lee et al. [8] first proposed a generic construction of a PKEET scheme. Their method is to use a 2-level hierarchical identity-based encryption (HIBE) scheme together with a one-time signature scheme. The HIBE scheme is used for generating an encryption scheme and for equality test, and the signature scheme is used for making the scheme CCA2-secure, based on the method of Canetti et al. [9] for transforming an identity-based encryption (IBE) scheme into a CCA2-secure encryption scheme. As a result, they obtain a CCA2-secure PKEET scheme given that the underlying HIBE scheme is IND-sID-CPA secure and the one-time signature scheme is strongly unforgeable. From their generic construction, it is possible to obtain a PKEET in the standard model under many hard assumptions via instantiations. In another recent paper, Zhang et al. [10] proposed a direct construction of a CCA2-secure PKEET scheme based on pairings without employing strong cryptographic primitives such as HIBE schemes and strongly secure signatures as in the generic construction of Lee et al. [8]. Their technique comes from a CCA2-secure public key encryption scheme by [11], which was directly constructed from an idea from IBE. A comparison with an instantiation from Lee et al. [8] on pairings shows that their direct construction is much more efficient than the instantiated one.

All aforementioned existing schemes base their security on the hardness of some number-theoretic assumptions which are insecure against quantum computer attacks [12]. The generic construction by Lee et al. [8] is the first one with the possibility of yielding a post-quantum instantiation based on lattices, since lattice cryptography is the only post-quantum cryptography area that up to the present offers HIBE primitives, e.g., [13]. At ACISP 2019, Duong et al. [14] proposed a direct PKEET in the standard model based on lattices from the IBE scheme by Agrawal et al. [13], from which several extensions have been proposed [15], [16], [17], [18], [19]. However, their PKEET scheme [14] is not CCA2-secure as claimed.

Our contribution: In this paper, we propose an efficient PKEET scheme based on ideal lattices. The core construction is to utilize the IBE scheme by Agrawal et al. [13] in the ideal lattice version proposed by Bert et al. [20]. In order to achieve CCA2-security, we apply the generic CHK transformation by Canetti et al. [9], in which we employ the efficient one-time strong signature scheme over ideal lattices by Lyubashevsky and Micciancio [21]. As a result, we obtain an efficient CCA2-secure PKEET scheme in the standard model over ideal lattices. The security of the scheme is reduced to the hardness of the learning with errors (LWE) problem and the short integer solution (SIS) problem over rings; see Section 3 for details.

We next revisit and modify the PKEET construction over integer lattices by Duong et al. [14] to achieve CCA2-security by correctly applying the CHK transformation. In order to preserve the construction as in [14], we utilize the strong signature scheme in [13], in which we can use the public key as a verification key. As a trade-off, the ciphertext needs to add one more matrix in $\mathbb{Z}_q^{n \times m}$ for verification and a signature in $\mathbb{Z}_q^{2m}$. This results in a CCA2-secure PKEET scheme, which is still more efficient than the generic construction of Lee et al. [8]; see Section 4 for details. We also present in the Appendix the instantiation of the construction by Lee et al. [8]. As a result, our scheme in Section 4 has a much smaller ciphertext size compared to that of Lee et al. Note that in both constructions, one just needs to generate a one-time signature in the encryption process, which in turn reduces the ciphertext size. We also note that the PKEET version over integer lattices of our proposed scheme in Section 3, obtained by utilizing the IBE scheme in [13] and the one-time signature scheme from SIS in [21], is still more efficient than the revisited scheme in Section 4 and the instantiation of the construction by Lee et al. [8] in the Appendix. Table 1 summarizes the bit-sizes of the ciphertext, public key and secret key of the considered PKEET schemes. We leave the concrete parameter choices and implementations for future work.

Section snippets

Public key encryption with equality test (PKEET)

In this section, we will recall the model of PKEET and its security model.

We remark that a PKEET system is a multi-user setting. Hence we assume that in our system throughout the paper, each user is assigned an index $i$ with $1 \le i \le N$, where $N$ is the number of users in the system.

Definition 1 PKEET

Public key encryption with equality test (PKEET) consists of the following polynomial-time algorithms:

  • Setup(λ): On input a security parameter λ and set of parameters, it outputs a pair of a user's public key PK and

PKEET over ideal lattices

In this section, we propose a CCA2-secure PKEET over ideal lattices. The scheme is inherited from the one in [30]. Our scheme is presented in Section 3.1. The correctness of the scheme and the choice of parameters are presented in Section 3.2 while the security analysis is presented in Section 3.3.

Revisiting PKEET over integer lattices from [14]

In this paper, we modify the construction of PKEET from [14] to achieve CCA2-security. We apply the CHK transformation [9] with the strong one-time signature from [21] described in Section 2.4. Note that the version of PKEET in Section 3 over integer lattices is much more efficient, in terms of key size, than the one presented in this paper, which we modify directly on the scheme proposed by Duong et al. [14].

Conclusion

In this paper, we propose a direct construction of an efficient PKEET scheme over ideal lattices. We also propose a modification of the PKEET construction over integer lattices from [14]. Our two schemes are proven to be CCA2-secure in the standard model. We also provide an instantiation from the generic construction by Lee et al. [8] from which we conclude that our schemes are much more efficient than that generic construction. It is an interesting question of whether one can further improve

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

This research is partially supported by the ARC Linkage Project LP190100984.

References (38)

  • R. Canetti et al. Chosen-ciphertext security from identity-based encryption
  • J. Lai et al. Efficient CCA-secure PKE from identity-based techniques
  • P.W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. (1999)
  • S. Agrawal et al. Efficient lattice (H)IBE in the standard model
  • D.H. Duong et al. A lattice-based public key encryption with equality test in standard model
  • D.H. Duong et al. Lattice-based public key encryption with equality test supporting flexible authorization in standard model
  • D.H. Duong et al. Lattice-based IBE with equality test in standard model
  • D.H. Duong et al. A lattice-based certificateless public key encryption with equality test in standard model
  • G.L.D. Nguyen et al. Lattice-based IBE with equality test supporting flexible authorization in the standard model
