Chosen-ciphertext lattice-based public key encryption with equality test in standard model
Introduction
With the rapid growth of cloud computing, more and more organizations and individuals tend to store their data in cloud as well as outsource their heavy computations to the cloud services. Since the data is normally sensitive, e.g., medical records of patients, it is desired to encrypt the data before sending or outsourcing to the cloud services. However, this causes a big problem for doing computations on encrypted data, especially in performing data matching in various medical scenarios.
Public key encryption with equality test (PKEET), introduced by Yang et al. [1], is a special kind of public key encryption that allows any authorized tester with a given trapdoor to test whether two ciphertexts are generated by the same message. This special feature has made PKEET a powerful tool utilized in many practical applications, such as keyword search on encrypted data, encrypted data partitioning for efficient encrypted data management, personal health record systems, and spam filtering in encrypted email systems. Since then, there have been an intensive research in this direction with the appearance of improvements and ones with additional functionalities [2], [3], [4], [5], [6]. However, those schemes are proven to be secure in the random oracle model, which is not a realistic, even though no insecurity has been found in practical schemes [7]. It is a desire to construct cryptographic schemes, e.g., PKEET, in the standard model.
Up to the present, there are only a few PKEET schemes in the standard model. Lee et al. [8] first proposed a generic construction of a PKEET scheme. Their method is to use a 2-level hierarchical identity-based encryption (HIBE) scheme together with a one-time signature scheme. The HIBE scheme is used for generating an encryption scheme and for equality test, and the signature scheme is used for making the scheme CCA2-secure, based on the method of transforming an identity-based encryption (IBE) scheme to a CCA2-secure encryption scheme of Canetti et al [9]. As a result, they obtain a CCA2-secure PKEET scheme given that the underlying HIBE scheme is IND-sID-CPA secure and the one-time signature scheme is strongly unforgeable. From their generic construction, it is possible to obtain a PKEET in standard model under many hard assumptions via instantiations. In another recent paper, Zhang et al. [10] proposed a direct construction of a CCA2-secure PKEET scheme based on pairings without employing strong cryptographic primitives such as HIBE schemes and strongly secure signatures as the generic construction of Lee et al. [8]. Their technique comes from a CCA2-secure public key encryption scheme by [11] which was directly constructed by an idea from IBE. A comparison with an instantiation from Lee et al. [8] on pairings shows that their direct construction is much more efficient than the instantiated one.
All aforementioned existing schemes base their security on the hardness of some number-theoretic assumptions which are insecure against the quantum computer attacks [12]. The generic construction by Lee et al. [8] is the first one with the possibility of yielding a post-quantum instantiation based on lattices, since lattice cryptography is the only post-quantum cryptography area up to present offers HIBE primitives, e.g., [13]. At ACISP 2019, Duong et al. [14] proposed a direct PKEET in standard model based on lattices from IBE scheme by Agrawal et al. [13], from which several extensions have been proposed [15], [16], [17], [18], [19]. However, their PKEET scheme [14] is not CCA2-secure as claimed.
Our contribution: In this paper, we propose an efficient PKEET scheme based on ideal lattices. The core construction is to utilize the IBE scheme by Agrawal et al. [13] in the ideal lattice version proposed by Bert et al. [20]. In order to achieve the CCA2-security, we apply the generic CHK transformation by Canetti et al. [9] in which we employ the efficient one-time strong signature scheme over ideal lattices by Lyubashevsky and Micciancio [21]. As a result, we obtain an efficient CCA2-secure PKEET scheme in standard model over ideal lattices. The security of the scheme is reduced to the hardness of the learning with errors (LWE) problem and the short integer solution (SIS) problem over rings; see Section 3 for the detail.
We next revisit and modify the PKEET construction over integer lattices by Duong et al. [14] to achieve CCA2-security by correctly applying the CHK transformation. In order to reserve the construction as in [14], we utilize the strong signature scheme in [13], in which we can use the public key as a verification key. As a trade-off, the ciphertext needs to add one more matrix in for verification and a signature in . This results to a CCA2-secure PKEET scheme, which is still more efficient than the generic construction of Lee et al. [8]; see Section 4 for the detail. We also present in the Appendix the instantiation of the construction by Lee et al. [8]. As a result, our scheme in Section 4 has much smaller ciphertext size compared to that of Lee et al. Note that in both constructions, one just needs to generate a one-time signature in the encryption process which in turn reduces the ciphertext size. We also note that the PKEET version over integer lattices of our proposed scheme in Section 3, by utilizing the IBE scheme in [13] and the one-time signature scheme from SIS in [21], is still more efficient than the revisited scheme in Section 4 and the instantiation of the construction by Lee et al. [8] in the Appendix. Table 1 summarizes the bit-sizes of ciphertext, public key and secret key of considered PKEET schemes. We leave the concrete parameter choices and implementations for future work.
Section snippets
Public key encryption with equality test (PKEET)
In this section, we will recall the model of PKEET and its security model.
We remark that a PKEET system is a multi-user setting. Hence we assume that in our system throughout the paper, each user is assigned with an index i with where N is the number of users in the system.
Definition 1 PKEET Public key encryption with equality test (PKEET) consists of the following polynomial-time algorithms: : On input a security parameter λ and set of parameters, it outputs the a pair of a user's public key and
PKEET over ideal lattices
In this section, we propose a CCA2-secure PKEET over ideal lattices. The scheme is inherited from the one in [30]. Our scheme is presented in Section 3.1. The correctness of the scheme and the choice of parameters are presented in Section 3.2 while the security analysis is presented in Section 3.3.
Revisting PKEET over integer lattices from [14]
In this paper, we modify the construction of PKEET from [14] to achieve CCA2-security. We apply the CHK transformation [9] with the strongly one-time signature from [21] described in Section 2.4. Note that the version of PKEET in Section 3 over integer lattices is much more efficient, in terms of key size, than the one presented in this paper, which we modify directly on the scheme proposed by Duong et al. [14].
Conclusion
In this paper, we propose a direct construction of an efficient PKEET scheme over ideal lattices. We also propose a modification of the PKEET construction over integer lattices from [14]. Our two schemes are proven to be CCA2-secure in the standard model. We also provide an instantiation from the generic construction by Lee et al. [8] from which we conclude that our schemes are much more efficient than that generic construction. It is an interesting question of whether one can further improve
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgement
This research is partially supported by the ARC Linkage Project LP190100984.
References (38)
- et al.
Semi-generic construction of public key encryption and identity-based encryption with equality test
Inf. Sci.
(2016) - et al.
Public key encryption with equality test in the standard model
Inf. Sci.
(2020) - et al.
Efficient public key encryption with equality test in the standard model
Theor. Comput. Sci.
(2019) - et al.
Lattice-based signcryption with equality test in standard model
Comput. Stand. Interfaces
(2021) - et al.
Probabilistic public key encryption with equality test
Towards public key encryption scheme supporting equality test with fine-grained authorization
Public key encryption schemes supporting equality test with authorisation of different granularity
Int. J. Appl. Cryptogr.
(2012)Public key encryption supporting plaintext equality test and user-specified authorization
Secur. Commun. Netw.
(2012)- et al.
Public key encryption with delegated equality test in a multi-user setting
Comput. J.
(2015) - et al.
The random oracle methodology, revisited (preliminary version)
Chosen-ciphertext security from identity-based encryption
Efficient cca-secure pke from identity-based techniques
Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer
SIAM Rev.
Efficient lattice (h) ibe in the standard model
A lattice-based public key encryption with equality test in standard model
Lattice-based public key encryption with equality test supporting flexible authorization in standard model
Lattice-based IBE with equality test in standard model
A lattice-based certificateless public key encryption with equality test in standard model
Lattice-based IBE with equality test supporting flexible authorization in the standard model
Cited by (4)
A new lightweight public key encryption with equality test for cloud storage
2024, Multimedia Tools and ApplicationsCBEET: Constructing Certificate-based Encryption with Equality Test in the CB-PKS
2023, Information Technology and ControlA Generic Construction of CCA-Secure Identity-Based Encryption with Equality Test against Insider Attacks
2023, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences