1 Lattice-Based Public Key Searchable Encryption from Experimental Perspectives

Rouzbeh Behnia, Muslum Ozgur Ozmen, Attila A. Yavuz†, Member, IEEE,

Abstract—Public key Encryption with Keyword Search (PEKS) aims in mitigating the impacts of data privacy versus utilization dilemma by allowing any user in the system to send encrypted files to the server to be searched by a receiver. The receiver can retrieve the encrypted files containing specific keywords by providing the corresponding trapdoors of these keywords to the server. Despite their merits, the existing PEKS schemes introduce a high end-to-end delay that may hinder their adoption in practice. Moreover, they do not scale well for large security parameters and provide no post-quantum security promises. In this paper, we propose two novel lattice-based PEKS schemes that offer a high computational efficiency along with better security assurances than that of the existing alternatives. Specifically, our NTRU-PEKS scheme achieves 18 times lower end-to-end delay than the most efficient pairing-based alternatives. Our LWE-PEKS offers provable security in the standard model with a reduction to the worst-case lattice problems. We fully implemented our NTRU-PEKS scheme and benchmarked its performance as deployed on Amazon Web Services cloud infrastructures.

Index Terms—applied cryptography, Public Key Encryption with Keyword Search (PEKS), lattice-based cryptography, searchable ecnryption !

1 INTRODUCTION retrieve the files that are associated with the keyword. PEKS is well suited for distributed applications (e.g., e-mail, audit LOUD computing has significantly impacted the com- C puting infrastructure and enabled a large pool of logging for Internet of Things, etc.) where a large number of applications. For example, data outsourcing [1] permits users/entities generate encrypted data to be retrieved by a small/medium-sized businesses to increase data availability receiver. The focus of this paper is on PEKS schemes. by minimizing the management and maintenance costs. Figure 1 illustrates a potential application which is con- Data outsourcing, despite its merits, raises significant data sidered as the main motive for the initial proposal of PEKS privacy concerns for clients. Traditional encryption tech- schemes in [5]. Alice, who is assumed to have a number of niques can be used to overcome such privacy concerns. devices (e.g., cell phone, desktop, etc.), wants her e-mails to However, standard encryption does not permit search ca- be routed to her devices based on the keywords associated pabilities on the encrypted data. Therefore, a significant with them. For instance, when the sender, Bob, sends her an amount of research is focused on Searchable Encryption e-mail with keyword “urgent”, the e-mail should be routed (SE) technologies that can be used to efficiently address this to her cellphone. To achieve this, after encrypting the e-mail problem. There are two main branches of SE where each is content with a conventional public key encryption, Bob uses tailored for a distinct set of applications. a PEKS scheme to encrypt the keyword “urgent” and sends Dynamic Searchable Symmetric Encryption (DSSE) (e.g., it together with the encrypted e-mail to the e-mail server. [2], [3], [4]) provides search capabilities on encrypted data Alice can then use her private key to generate the trapdoor w = for private data outsourcing applications (e.g., data storage corresponding to keyword “ urgent” and ask the server w on the cloud), in which the client uses her own private to retrieve all the e-mails associated with . key to encrypt and then search on her own data over the Another important application of PEKS schemes is in cloud. Public Key Encryption with Keyword Search (PEKS) storing and searching on private log files. PEKS schemes can schemes [5] allow any client to encrypt data with specified enable a heterogeneous set of devices to send encrypted log keywords under the public key of a designated receiver. The files concatenated with a searchable ciphertext of distinct designated receiver, Alice, can then use her private key keywords to an untrusted storage server. To analyze the to generate and send trapdoors for her desired keywords, log files, an auditor can use his private key to generate and enable the server to search on the encrypted data to trapdoors and enable the server to search and return the files that are associated with the target keyword. † Work done in part while Attila A. Yavuz was at Oregon State University, Corvallis, OR, USA. 1.1 Research Gap • Rouzbeh Behnia and Muslum Ozgur Ozmen are with the Department of Electrical Engineering and Computer Science, Oregon State University, Since their introduction in [5], several PEKS schemes with a Corvallis, OR, USA. variety of features have been proposed (e.g., [6], [7], [8], [9]). E-mail: {behniar, ozmenmu}@oregonstate.edu • Attila A. Yavuz is with the Department of Computer Science and Engi- However, the wide adoption of PEKS schemes in practice neering, University of South Florida, Tampa, FL, USA. has been hindered due to a number of obstacles: E-mail: [email protected] • High End-to-End Delay: The most computationally ex- pensive part of the PEKS is generally the search phase, 2

Senders

I DEF GH , JK&LMS , +S ← GDHO GH, P%QJE! e-mail Server !" ← $%&'())%(+,, .) !" on keyword . = urgent

I DEF GH , JK&LMR , +R ← GDHO GH, KJJ!LEQ I I DEF GH , JK&LMN , DEF(GH , JK&LMS)

Run {0,1} ← $J+! ! , + S " X XYN Receiver I on encrypted emails, return DEF GH , JK&LMN , +N ← GDHO GH, P%QJE! corresponding ciphertext

Fig. 1. PEKS scheme in secure email system which requires the execution of a Test algorithm for quantum security promise and presented a full-fledged im- each keyword-file pair in the database. The existing PEKS plementation of our efficient lattice-based PEKS scheme and schemes (e.g., [5], [7]) introduce a significant end-to-end its pairing-based counterpart. We outline our contributions computational delay due to at least one pairing operation as follows: that is required in the Test algorithm which is to be called • First Lattice-Based PEKS Schemes: In the initial pro- linear to the total number of keyword-file pairs in the posal of PEKS in [5], Boneh et al. showed how to derive database, for each search query. Therefore, providing a com- a PEKS scheme from an Identity-Based Encryption (IBE). putational efficient Test algorithm is a critical requirement Abdalla et al. [12] specified the requirements for the un- to minimize the end-to-end delay. derlying IBE scheme to ensure the security and consistency • Lack of Long-term Security: It is a highly desirable of the derived PEKS. In this paper, we propose two PEKS property for data storage applications to offer long-term schemes based on lattices-based tools. (i) Our first scheme data security measures. However, achieving a high level is referred to as NTRU-PEKS, which harnesses Ducas et of security for an extended duration of time requires a al.’s IBE scheme [13], and it meets the all requirements continuous increment of key sizes, which results in a sub- provided by [12] to ensure provable security in Random stantial increase in computation overhead for conventional Oracle Model (ROM). (ii) Our second scheme is referred to cryptographic primitives (e.g., ECC, RSA). Furthermore, the as LWE-PEKS, which leverages IBE constructions in [14], emergence of quantum computers will render most of the [15] to offer the first provable secure lattice-based PEKS conventional asymmetric cryptography primitives unsafe, in the standard model (to the best of our knowledge). We and therefore, there is a great merit in devising PEKS prove the security and consistency of our PEKS schemes schemes that can provide post-quantum security promises. and suggest parameter sizes to avoid potential consistency • Lack of Full-Fledged Implementations: While a num- errors (with an overwhelming probability). ber of DSSE schemes have been fully implemented on real • High Computational Efficiency: Our NTRU-PEKS data (and are publicly accessible, e.g., [10], [11]), to the best scheme offers significant computational efficiency advan- of our knowledge, no full-fledged implementation (with a tages over the existing PEKS schemes. This is achieved by real dataset) of PEKS schemes is publicly available to this harnessing the latest efforts in improving the efficiency of date. Hence, there is a need for providing a full-fledged the lattice-based schemes, ring-LWE [16] and fast arithmetic implementation of PEKS schemes and benchmarking their operations (e.g., Fast Fourier Transform) over polynomial deployment on actual cloud platforms to measure important rings [x]/(xN + 1). As it is shown in Table 2, the NTRU- performance factors (e.g., communication delay, disk access Z PEKS scheme has significantly more efficient Test and time) that cannot be precisely captured with mere "cost PEKS algorithms than those in [5], [17], which are currently estimations". considered as the most efficient PEKS alternatives [18]. The 1.2 Our Contribution efficiency of the Test algorithm is of vital importance, since it is executed by the server once per every keyword-file The main goal of this paper is developing a signifi- pair in the database which results in O(L) computation cantly more efficient PEKS scheme and proposing a PEKS overhead, where L is the total number of keyword-file pairs. scheme with worst-case reduction by harnessing the exist- The efficiency of the PEKS algorithm facilitates the im- ing lattice-based IBE schemes using Abdalla et. al. generic plementation of PEKS schemes on battery-limited devices. anonymous-IBE to PEKS transformation. We also provide Due to its computational efficiency, despite having larger an extensive analysis to highlight the advantages and parameters, we showed the deployment of NTRU-PEKS on disadvantages of such schemes. actual cloud achieves a superior end-to-end response time as compared to its counterparts (see Section 4). Towards addressing the aforementioned research gaps, • Long-term Security: Both of our constructions are we developed two lattice-based PEKS schemes with a post- based on lattice-based tools that provide long-term secu- 3

rity and are currently considered secure against quantum efficient counterpart (i.e., BCOP [5]) on commodity hard- computers. It is worth noting that lattice-based schemes ware, ARM processor and cloud server. (ii) We introduce the also have a substantially smoother performance response to first LWE-based PEKS scheme in the standard model (LWE- increased key sizes compared to conventional cryptographic PEKS) with a security reduction to the worst-case lattice- primitives (e.g., ECC, RSA). based problems. (iii) We provide a detailed cost dissection • Full-Fledged Implementation: We provide a full- analysis to measure the computation cost, communication fledged implementation of our NTRU-PEKS scheme and its overhead, and disk access time of the proposed schemes. most efficient pairing-based counterpart with deployment (iv) We expanded our security discussion and provided a in actual cloud setting with Enron e-mail dataset. We chose set of recommended parameter lists for our scheme. Amazon Web Server (AWS) as the server in our system, a commodity hardware and an ARM Cortex-A53 as the client machines. One can easily see the importance of a full- 2 PRELIMINARIES fledged implementation when comparing the benchmark In this section, we provide definitions and notations that are provided from the simulation results in [19] and the bench- used by our schemes. For the sake of compliance, we try to mark results of the implementation in Section 4. Detailed use similar notation as in [13] and [14]. experimental results are further explained in Section 4. We $ also open-sourced our implementations for public testing Notations. a ←−X denotes that a is randomly selected and wide adoption (see Section 4). from distribution X . Hi for i ∈ {1, . . . , n} denotes a hash function which is perceived to behave as a random oracle. 1.3 Limitations We represent vectors as bold letters v, while scalars are rep- O1,...,On We present two lattice-based schemes, one with security in resented as non-bold letters i.e., v. A (.) denotes that the random oracle model and one in the standard model. In algorithm A is provided with access to oracles O1,..., On. The norm of a vector v is denoted by kvk. dxc rounds x this section, we point out their limitations as compared to ∆ their conventional pairing-based counterparts. to the closest integer. x = y means x is defined as y. The The Trapdoor algorithm of NTRU-PEKS (secure in function gcd(x, y) returns the greatest common divisor of the random oracle model) is slower than that of BCOP. values x and y. One should note that the Trapdoor algorithm is to be executed once per each query on the receiver’s side and has 2.1 Identity-Based Encryption negligible effect on the end-to-end delay (e.g., see Figure 2). Another downside of NTRU-PEKS is the parameter sizes, Definition 1. An IBE scheme is a tuple of four algorithms for instance, the searchable ciphertext size in NTRU-PEKS IBE = (Setup,Extract,Enc,Dec) defined as follows. is significantly larger than that of BCOP [5]. We should k • (mpk, msk) ← Setup(1 ) note that while the storage blow-up remains a concern, the : On the input of the secu- increased communication overhead and disk access time rity parameter(s), this algorithm publishes system- params have negligible effects on the end-to-end delay (e.g., see wide public parameters , outputs the master mpk msk Figure 2). NTRU-PEKS provides very efficient PEKS and public key and the master secret key . • sk ← Extract(id, msk, mpk) Test algorithms. The efficient PEKS algorithm provides : On the input of a id ∈ {0, 1}∗ mpk msk significant efficiency for the sender as it is called to generate user’s identity , , and , this sk searchable ciphertext for each keyword to be attached to algorithm outputs the user’s private key . • c ← Enc(m, id, mpk) the file. The Test algorithm is the main factor in reducing : On the input of a message m ∈ {0, 1}∗ id mpk end-to-end delay in PEKS schemes since it is executed once , identity , and , this algorithm c for every keyword-file pairs in the database (e.g., see Figure 2). outputs a ciphertext . • m ← Dec(c, sk) c Given all the computation efficiency gains, we believe the : On the input of a ciphertext , the sk mpk storage blow-up might be a favorable trade-off for certain receiver’s private key and , this algorithm m c applications where end-to-end delay and long-term security recovers the message from the ciphertext . are more critical than the storage. Halevi in [20] introduced a condition for an IND-CPA In the line of proposing PEKS schemes in the standard encryption scheme to offer the notion of anonymity (ANO- model, to the best of our knowledge, the proposed LWE- CPA). This condition requires that given two public keys PEKS scheme provides the highest security promise with PK 0 and PK 1 and a ciphertext c, encrypted under PK b, reduction to worst-case problems. However, as shown in for b ∈ {0, 1}, a computationally unbounded adversary Section 4, it is significantly less efficient (in both compu- should have a negligible advantage in determining b. Later, tation and storage) than Zhang and Imai’s pairing-based Abdalla et. al. [12] extended this condition to identity- PEKS scheme which is also secure in the standard model based encryption schemes by including the handling of [17]. random oracles and weakening the statistical requirement to a computational one. The following definition defines the 1.4 Differences Between this Article and its Preliminary new anonymity under chosen plaintext attack for an IBE Version in [19] scheme (IBE-ANO-RE-CPA). We highlight the main differences of this article and its Definition 2. Given an IBE scheme, the KeyQuery(·) oracle, preliminary version in [19] as follows: (i) We provide a as defined below, we associate a bit b ∈ {0, 1} to the adversary A IBE-ANO-RE-CPA-b k full-fledged implementation of NTRU-PEKS and its most in the following experiment ExpIBE,A (1 ): 4 KeyQuery(id) TdQuery(w) idSet ← idSet ∪ id wSet ← wSet ∪ w return sk tw ← Trapdoor(w, sk, pk) return t Experiment ExpIBE-ANO-RE-CPA-b(1k) w IBE,A PEKS-IND-CKA-b k Experiment ExpP EKS,A (1 ) $ idSet ← ∅, (mpk, msk) ←− Setup(1k) wSet ← ∅, (pk, sk) ← KeyGen(1k) for a random oracle H KeyQuery(·),H for a random oracle H (id0, id1, m) ← A (mpk) :find stage TdQuery(.),H H (w0, w1) ← A (pk) :find stage c ← Enc (m, idb, mpk) H 0 KeyQuery(·),H sw ← PEKS (pk, wb) b ← A (c) :guess stage 0 TdQuery(.),H 0 b ← A (sw) :guess stage if {id0, id1} ∩ idSet = ∅ return b else, return 0 0 if {w0, w1} ∩ wSet = ∅ return b else, return 0 A’s advantage in the above experiment is defined as: A’s advantage in the above experiment is defined as: IBE-ANO-RE-CPA k IBE-ANO-RE-CPA-1 k AdvIBE,A (1 ) = Pr[ExpIBE,A (1 ) = 1] PEKS-IND-CKA k PEKS-IND-CKA-1 k AdvP EKS,A (1 ) = Pr[ExpP EKS,A (1 ) = 1] IBE-ANO-RE-CPA-0 k − Pr[ExpIBE,A (1 ) = 0] PEKS-IND-CKA-0 k −P r[ExpP EKS,A (1 ) = 0] After queries to KeyQuery(·) and random oracle H in After queries to TdQuery(·) and hash oracle H, in the the find stage, A outputs a challenge (id , id , m). A will 0 1 find stage, A outputs a challenge (w0, w1). Awill then then receive c, which is an encryption of the message m receive sw, which is a searchable encryption of wb where under idb where b ∈ {0, 1} is the output of a fair coin flip. b ∈ {0, 1} is the output of a fair coin flip, under pk . In the In the guess stage, given c, A will output its decision bit b0 0 guess stage, given sw, A will output its decision bit b and and wins if b0 = b where id and id were never queried to 0 0 1 wins if b = b where w0 and w1 were never queried to the the KeyQuery(·) oracle. TdQuery(·) oracle. Lemma 1. If an IBE scheme is IBE-IND-CPA and IBE-ANO- 2.2.1 Consistency of PEKS RE-CPA-secure, then it is also IBE-ANO-CPA-secure. Due to the properties of NTRU-based encryption scheme, Proof. Please refer to [12]. and following the work of [21], we investigate the Abdalla et. al. IBE to PEKS transformation [12]: The consistency of our scheme from two aspects, namely, right- authors prove that if an IBE scheme is IBE-ANO-CPA (in keyword consistency and adversary-based consistency [12]. the sense of [20]) and IBE-ANO-CPA, then one can obtain a secure PEKS scheme. We use this transformation to obtain Right-Keyword Consistency: Right-keyword consistency NTRU-PEKS and LWE-PEKS implies the success of a search query to retrieve records associated with keyword w for which the PEKS algorithm had computed a searchable ciphertext. More specifically, 2.2 Public Key Encryption with Keyword Search right-keyword consistency refers to the decryption error in A PEKS scheme consists of the following algorithms. the underlying IBE scheme which leads to the inconsistency of the Test algorithm in the resulting PEKS scheme. Definition 3. A PEKS scheme is a tuple of four algorithms PEKS = (KeyGen,PEKS,Trapdoor,Test) defined as fol- Adversary-Based Consistency: We define the adversary- lows. based consistency [12] in the following definition. k • (pk, sk) ← KeyGen(1 ): On the input of the security Definition 5. Adversary-based consistency of a PEKS scheme is parameter(s), this algorithm outputs the public and defined in the following experiment. private key pair (pk, sk). PEKS-Consist k Experiment ExpP EKS,A (1 ) • sw ← PEKS(pk, w): On the input of user’s public key pk and a keyword w ∈ {0, 1}∗, this algorithm (pk, sk) ← KeyGen(1k) outputs a searchable ciphertext sw. for a random oracle H • tw ← Trapdoor(sk, w): On the input of a user’s H H (w0, w1) ← A (pk), sw0 ← PEKS (pk, w0) private key sk and a keyword w ∈ {0, 1}∗, this H tw1 ← Trapdoor (pk, w1) algorithm outputs a trapdoor tw. H if w0 6= w1 and [Test (pk, tw1 , sw0 ) = 1] return 1 else, • d ← Test(tw, sw): On the input of a trapdoor tw = return 0 0 Trapdoor(sk, w ) and a searchable ciphertext sw = A’s advantage in the above experiment is defined as PEKS(pk, w) PEKS-Consist k PEKS-Consist k , this algorithm outputs a decision bit AdvP EKS,A (1 ) = Pr[ExpPEKS,A (1 ) = 1]. d = 1 if w = w0, and d = 0 otherwise. We note that for schemes with security in the standard Keyword indistinguishability against an adaptive model, the random oracle H is eliminated in Definitions 2, chosen-keyword attack for a PEKS scheme (PEKS-IND- 4 and 5 . CKA) is defined in the following experiment. Definition 4. Given a PEKS scheme, and the TdQuery(·) oracle 2.3 Tools and Definitions m×m as defined below, we associate a bit b ∈ {0, 1} to the adversary A Integer Lattices: Let B = [b1| ... |bm] ∈ R be an m × PEKS-IND-CKA-b k in the following experiment ExpP EKS,A (1 ). m matrix whose columns are linearly independent vectors 5

m n b1,..., bm ∈ R . The m-dimensional full-rank lattice Λ a lattice Λ ⊂ R , the discrete Gaussian distribution over Λ is ρσ,c(x) generated by B is the set, DΛ,s,c(x) = for all x ∈ Λ. ρσ,c(Λ) m  X  If we pick a noise vector over a Gaussian distribution Λ = L(B) = y ∈ m : ∃s ∈ m, y = Bs = s b R Z i i with the radius not smaller than the smoothing parameter [27], i=1 and reduce the vector to the fundamental parallelepiped of n×m n Definition 6. For a prime q, A ∈ Zq and u ∈ Zq , define: our lattice, the resulting distribution is close to uniform. m n > Λq(A) := {e ∈ Z : ∃s ∈ Zq where A s = e mod q} We formally define this parameter through the following ⊥ m Λq (A) := {e ∈ Z : Ae = 0 mod q} definition. Λu(A) := {e ∈ m : Ae = u mod q} q Z Definition 11. (Smoothing Parameter [27]) For any N- ∗ NTRU Lattices: Ajtai [22] introduced the Short Integer dimensional lattice Λ, its dual Λ and  > 0, the smoothing √ ∗ Solution (SIS) problem and demonstrated the connection parameter η(Λ) is the smallest s > 0 such that ρ1/s 2π,0(Λ \ between average-case SIS problem and worst-case problems 0) . A scaled version of the smoothing parameter is defined in 6 0 η = √1 η (Λ) over lattices. Hoffstein et al. [23] proposed a very efficient [13] as  2π  . public key encryption scheme based on NTRU lattices. Gentry et al. [25] defined a requirement on the size of Regev [16] introduced the Learning with Error (LWE) prob- σ related to the smoothing parameter. In [13], Ducas et lem. The SIS and LWE problems have been used as the al. showed that using Kullback-Leibler divergence, the re- building blocks of many lattice-based schemes. √ quired width of σ can be reduced by a factor of 2. Based√ on NTRU encryption works over rings of polynomials −λ/2 ∆ N 0 ∆ N [13], [25], [28], for positive integers n, λ,  6 2 /(4 2N), R = Z[x]/(x + 1) and R = Q[x]/(x + 1) which are N×N 1×n any basis B ∈ and any target vector c ∈ , the parametrized with N as a power-of-two integer. (xN + Z Z 0 algorithm (v0 ← Gaussian-Sampler(B, σ, c)) as defined 1) is irreducible, therefore, R is a cyclotomic field. For −λ N−1 N−1 in [13], [25] is such that ∆(D , v ) < 2 . f = P f xi and g = P g xi as polynomials in Λ(B),σ,c 0 i=0 i i=0 i In this paper, we will use the same algorithm in our [x], fg denotes polynomial multiplication in [x] while Q Q Trapdoor algorithm of our NTRU-PEKS scheme. f ∗g =∆ fg mod (xN +1) is referred to as convolution prod- In [16], Regev has shown that for a certain error distri- uct. For an N-dimension anti-circulant matrix AN we have bution χ, denoted Ψ¯ α, the LWE problem is as hard as the (f) + (g) = (f + g), and (f) × (g) = (f ∗ g). AN AN AN AN AN worst-case SIVP and GapSVP under quantum reduction. Definition 7. For prime integer q and f, g ∈ R, h = g ∗ f −1 ¯ 2 Definition 12. (Distribution of Ψα [16], [29]) For α ∈ (0, 1) mod q, the NTRU lattice with h and q is Λh,q = {(u, v) ∈ R : ¯ and a prime q, Ψα denotes the distribution over Zq of the random u + v ∗ h = 0 mod q}. Λh,q is a full-rank lattice generated by   variable bqXe mod q is a normal random variable with mean 0 AN (h) IN α Ah,q = , where I is an identity matrix. and the standard deviation √ . qIN 0N 2π Note that one can generate this basis using a single Definition 13. (A tool for computing Gram-Schmidt norm [13]) f ∈ R0 f¯ f ∈ R0 polynomial h ∈ R . However, the lattice generated from Let , we denote as a unique polynomial in q T ¯ PN−1 i ¯ such that A(f) = A(f). If f(x) = fix , then f(x) = Ah,q has a large orthogonal defect which results in the i=0 PN−1 i inefficiency of standard lattice operations. As proposed by f0 − i=1 fN−ix . [24], another basis (which is much more orthogonal) can be efficiently [13] generated by selecting F,G ∈ R and comput-   3 PROPOSED SCHEMES A(g) −A(f) ing f ∗G−g∗F = q. The new base B = In this section, we first propose our scheme based on NTRU f,g A(G) −A(F ) lattices (i.e., NTRU-PEKS) which enjoys from highly efficient generates the same lattice Λh,q. Test and PEKS algorithms and then put forth our scheme Definition 8. (Gram-Schmidt norm [25]) Given B = (bi)i∈I in the standard model (i.e., LWE-PEKS) which provides a as a finite basis and B˜ = (b˜ ) as its Gram-Schmidt orthogo- i i∈I high level of security. nalization, the Gram-Schmidt norm of B is B˜ = max kbik. i∈I 3.1 PEKS Scheme from NTRU Lattices Definition 9. (Statistical Distance [14]) Given two random variables X and Y taking values in a finite set S, the statistical In this section, we present our highly efficient NTRU- distance is defined as: PEKS scheme using Abdalla et. al. transformation [12] to transform Ducas et. al. IBE scheme [13]. For this 1 X ∆(X,Y ) = | Pr[X = s] − Pr[Y = s]| transformation to work, aside being IND-CPA, the 2 s∈S underlying IBE scheme should be anonymous in the sense of Definition 2. We show that Ducas et. al.’s IBE scheme X is said to be δ−uniform over S if ∆(X,Y ) ≤ δ. is indeed anonymous via Theorem 2. Our NTRU-PEKS Using Gaussian sampling, Gentry et al. [25] proposed a scheme consists of the following algorithms. technique to use a short basis as a trapdoor without dis- closing any information about the short basis and prevent (pk, sk) ← KeyGen(q, N): Given a power-of-two integer N attacks similar as in [26]. and a prime q, this algorithm works as follows. q q 1) Compute σf ← 1.17 and select f, g ← DN,σ Definition 10. An N-dimensional Gaussian function ρσ,c : 2N f 2 ∆ kx−ck B˜ ← max(k(g, −f)k , R → (0, 1]) is defined as ρσ,c(x)= exp(− 2σ2 ). Given to compute f,g and Norm 6

qf¯ qg¯ √ q q ( f∗f¯+g∗g¯ , f∗f¯+g∗g¯ ) ). If Norm < 1.17 q, proceed to the z = r ∗ s + e2 − e1 ∗ tw are in the range (− 4 , 4 ) and q ≈ √ 24 27 next step. Otherwise, if Norm ≥ 1.17 q, this process is 2 for κ = 80 and q ≈ 2 for κ = 192. As highlighted in repeated by sampling new f and g. [30], for such large values of q, the probability of decryption 2) Using extended euclidean algorithm, compute ρf , ρg ∈ error is negligible with respect to the security parameter. R R , R ∈ ρ · f = R mod (xN + and f g Z such that f f Theorem 1. A’s advantage in breaking the consistency of 1) ρ · g = R mod (xN + 1) and g g . Note that if NTRU-PEKS scheme in the sense of Definition 5, after making gcd(Rf , Rg) 6= 1 or gcd(Rf , q) 6= 1, start from the q1 and q2 queries to H1(·) and H2(·), respectively, is: previous step by sampling new f and g. 2 2 3) Using extended euclidean algorithm, compute u, v ∈ Z PEKS-Consist k (q1 + 2) (q2 + 2) AP EKS,A (1 ) ≤ + +  such that u ·Rf + v ·Rg = 1. Compute F ← q · v · ρg, N2log2 q N2log2 q ¯ G ← q · u · ρ k ← b F ∗f+G∗g¯ e ∈ R F f and f∗f¯+g∗g¯ and reduce where the term  is negligible in term of the security parameter κ. and G by computing F ← F − k ∗ f and G ← G − k ∗ g. 4) Finally, compute h = g ∗ f −1 mod q and B = Proof. Upon inputting q and N, the challenger C initiates   A(g) −A(f) the experiment (h, B) ← KeyGen(q, N). It passes h to the and output (pk ← h, sk ← B). A(G) −A(F ) adversary A and keeps B secret. sw ← PEKS(pk, w): Given cryptographic hash functions H ∗ N N N N • (w0, w1) ← A (pk): A sends C two keywords H1 : {0, 1} → Zq and H2 : {0, 1} × {0, 1} → Zq , the ∗ (w0, w1). receiver’s public key pk and a keyword w ∈ {0, 1} to be H • sw0 ← PEKS (pk, wb): C computes c0 = r ∗ h + e1 encrypted, the sender performs as follows.  q  and c1 = r ∗ H(w0) + e2 + 2 k for a random se- $ N 1) Compute t ← H1(w) and pick r, e1, e2 ←−{−1, 0, 1} , $ N $ N lection of r, e1, e2 ←−{−1, 0, 1} , k ←−{0, 1} , and $ N k ←−{0, 1} . sends hc0, c1,H2(k, c1)i to A. H 2) Compute c0 ← r ∗ h + e1 ∈ Rq and c1 ← r ∗ t + e2 + • tw ← Trapdoor (pk, wb): C samples short vectors  q  1 2 k ∈ Rq. s, tw such that s + tw ∗ h = H(w1) and returns tw 3) Finally, the algorithm outputs sw = hc0, c1,H2(k, to A. c1)i. Following Definition 11, A wins when w0 6= w1, and the tw ← Trapdoor(sk, w): Given the receiver’s private key Test algorithm outputs 1 (i.e, H (k, c ) = H (y, c )). sk, and a keyword w ∈ {0, 1}∗, the receiver com- 2 1 2 1 Note that in the above game, A wins when w 6= w0 and putes t ← H1(w) and using the sampling algorithm 0 0 H2(z1, z1) = H2(z2, z2). Let’s assume A makes q1 queries Gaussian-Sampler(B, σ, (t, 0)), samples s and tw such to H1 and q2 queries to H2 oracles. Let E1 be the event that s + tw ∗ h = t. that there exists (x1, x2) such that H1(x1) = H1(x2) and d ← Test(pk, tw, sw): On the input of a receiver’s pub- x1 6= x2 and let E2 be the event that there exist two pairs lic key pk, a trapdoor tw and a searchable ciphertext 0 0 0 0 (z1, z1) and (z2, z2) such that H2(z1, z1) = H2(z2, z2) for sw = hc0, c1,H2(k, c1)i, this algorithm computes y ← 0 0 c −c ∗t z 6= z and z 6= z . Then if Pr[·] represents the probability b 1 0 w e and outputs d = 1 if H (y, c ) = H (k, c ) 1 2 1 2 q/2 2 1 2 1 AdvPEKS-Consist(1k) ≤ Pr[E ] + d = 0 of consistency definition, P EKS,A 1 and , otherwise. PEKS-Consist ¯ ¯ Pr[E2] + Pr[ExpP EKS,A = 1 ∧ E1 ∧ E2] Given the domain of our hash functions, the first and 3.1.1 Completeness and Consistency 2 2 (q1+2) (q2+2) second terms are upper bounded by log q and log q , In this section, we show the completeness and consistency N2 2 N2 2 respectively. For the last term, if H (x ) 6= H (x ), then in of NTRU-PEKS. 1 1 1 2 our scheme, the probability that B1 = B2 is negligible due Lemma 2. Given a public-private key pair (h, B) ← to the decryption error. Therefore, H2(y1,B1) 6= H2(y2,B2), KeyGen(q, N), a searchable ciphertext sw ← PEKS(pk, w), and hence, the probability of the last term is also negligible. a trapdoor generated by the receiver tw ← Trapdoor(sk, w) our proposed scheme is complete. 3.1.2 Security Analysis

Proof. To show the completeness of our scheme for sw = In this section, we focus on analyzing the security of the hc0, c1,H2(k, c1)i, the Test algorithm should return 1 NTRU-PEKS scheme. c1−c0∗tw The security of lattice-based schemes can be deter- when b q/2 e = k . To affirm this, we work as follows. mined by hardness of the underlying lattice problem (in j q k c − c ∗ t = (r ∗ t + e + k) − (r ∗ h + e ) ∗ t ∈ R case of NTRU-PEKS, ring-LWE). Therefore, similar to the 1 0 w 2 2 1 w q q LWE-PEKS scheme, we use the root Hermite factor to = r ∗ s + e + b ck − t ∗ e assess the security of the NTRU-PEKS scheme. Accord- 2 2 w 1 ing to [31], for a short planted vector v in an NTRU r, e , e , t s Given 1 2 w and are all short vectors (due to the lattice,√ the associated root Hermite factor is computed as 1/n parameters of our sampling algorithm), all the coefficients n N/(2πe)×det(Λ) kvk q q γ = 0.4×kvk . Based on [32], [33], γ ≈ 1.004 of r ∗ s + e2 − tw ∗ e1 will be in (− 4 , 4 ), and therefore, b c1−c0∗tw e = k. guarantees intractability and provides approximately 192- q/2 bit security. To address right-keyword consistency issues related Following Lemma 1, to establish the security of our to the decryption error of encryption over NTRU lat- NTRU-PEKS scheme, we need to rely on the security of the tices, we need to make sure that all the coefficients of underlying IBE scheme. Ducas et al. provided the proof of 7

IBE-IND-CPA of their scheme in [13]. Therefore, we are left Discussion on Subfield Attacks: Subfield attacks target the to prove the anonymity of their scheme via Theorem 2. presence of a subfield in ideal lattices to solve the over- stretched version of the NTRU problem. Recently, there have Theorem 2. The IBE scheme of Ducas et al. is anonymous in the been noticeable advancements to extend subfield attacks on sense of Definition 2 under the decision ring-LWE problem. ideal lattices [37], [38], [39]. However, as also shown in [38], Proof. Since the output of the PEKS algorithm of our scheme these attacks do not affect the parameters that are used in corresponds to the encryption algorithm of [34], [35], for our scheme. A to determine sw corresponds to which keyword with Pr ≥ 1 +   any probability 2 , for any non-negligible , it 3.2 Lattice-Based PEKS Scheme in the Standard Model has to solve the decision ring-LWE. Our scheme works N over the polynomial ring Z[x]/(x + 1), for a power-of- In this section, we present our highly secure LWE-PEKS two N and a prime q ≡ 1 mod 2N. The ring-LWE based scheme using Abdalla et. al. transformation [12] to trans- PEKS algorithm computes a pseudorandom ring-LWE vec- form Agrawal et. al. IBE scheme [14] . For this transforma- $ N tion to work, aside from being IND-CPA, the underlying tor c0 = r ∗ h + e1 (for a uniform r, e1 ←−{−1, 0, 1} ) and  q  IBE scheme should be anonymous in the sense of Definition uses H(w) to compute c = r ∗ H(w) + e + k that is 1 2 2 2. While the scheme proposed in [14] does provide the also statistically close to uniform. Therefore, the adversary’s anonymity required by Abdalla et. al. transformation [12], view of hc , c ,H (k, c )i is indistinguishable from uniform 0 1 2 1 in the adaptive security of the scheme, the number of distribution under the hardness of decision ring-LWE. The adversarial queries was bounded by q. In other words, only pseudorandomness is preserved when t is chosen from w the bounded form of the security of the scheme was proven the error distribution (by adopting the transformation to in [14]. This restriction was later lifted in a more refined Hermite’s normal form) similar to the one in standard LWE analysis in [15]. [36]. Similar to [14], we treat keywords as a sequence of l l Theorem 3. If there exists an adversary A that can break PEKS- bits w = (b1, . . . , bl) ∈ {1, −1} . Before presenting the IND-CKA of NTRU-PEKS scheme as in Definition 4, one can scheme in details, we review the tools that are needed for build an adversary F that uses A as subroutine and breaks the the correctness of our LWE-PEKS scheme. In [40], Ajtai security of the IBE scheme in Definition 2. illustrated how to sample a random uniform matrix (with n×m a small Gram-Schmidt norm) A ∈ Zq with an associated ⊥ Proof. The proof works by having adversaries F and A basis SA of Λq (A). The following theorem, defines the initiating the find phase as in Definition 8 and Definition properties of TrapGen algorithm [14], [41] which is used 10 respectively. in the KeyGen algorithm of the LWE-PEKS scheme. KeyQuery(.),H Algorithm F (find, mpk) (A, S) ← TrapGen(q, n) : Given a prime q, a positive n and 1 TrapGen $ δ = 3 , there is a polynomial time algorithm (q, n) • (mpk, msk) ←− Setup(q, N): F receives mpk and n×m m×m that outputs a pair (A ∈ Zq , S ∈ Z ) s.t., A is statis- passes it to A. ⊥ tically close to uniform and S is a basis for Λq (A) , where ˜ √ Algorithm AT dQuery(.),H (find, pk) m > 6n log q and kSk ≤ O( n log q) and kSk ≤ O(n log n) hold with a high probability. √ • Queries on TdQuery(.): Upon such queries, F Following [14], we set σTG = O( n log q) as the queries KeyQuery(.) which keeps a list idSet main- maximum Gram-Schmidt norm of the basis generated by taining all the previously requested queries and TrapGen(q, n). responses. If the submitted query exists, the same In the following we define the sampling algorithm response is returned, otherwise, to sample short which is used to generate trapdoors in our scheme (i.e., $ vectors s, tw the oracle uses msk to run (s, tw) ←− SampleLeft), the same algorithm, with identical properties Gaussian-Sampler(msk, σ, (H(w), 0)) and passes has also been used in [29], [42]. tw to F. F sends tw to A. e ← SampleLeft(A, M1, TA, u, σ): Given an n-rank n×m n×m1 matrix A ∈ Zq , a matrix M1 ∈ Zq , a short basis After the find phase, a hidden fair coin b ∈ {0, 1} is flipped. ⊥ n TdQuery(.),H of Λq (A), a vector u ∈ Zq , and a Gaussian parameter Execute (w0, w1) ← A (guess, pk) ˜ p σ > TA · ω( log(m + m1)), this algorithm outputs a • Upon receiving (w , w ), F selects a message m ∈ m+m1 0 1 vector e ∈ Z sampled from the distribution statisti- {0}N Enc(m, w , w ) and calls 0 1 that runs encryption D u F := (A|M ) cally close to Λq (F1),σ where 1 1 . on (wb, m) which works as in Definition 7 and out- In the following, we present the LWE-PEKS scheme in puts sw = hc0, c1,H2(k, c1)i. F relays sw to A. detail. Finally, A outputs its decision bit b0 ∈ {0, 1}. F also outputs (pk, sk) ← KeyGen(λ): On the input of the security param- b0 as its response. Omitting the terms that are negligible in eter λ, and the parameters q, m, n, σ, α (set as instructed terms of q and N, the upper bound on IND-CKA of NTRU- in the following section), the receiver works as follows to PEKS is as follows. generate her key pair. 1) Use TrapGen(q, n) to pick a random matrix A0 ∈ AdvPEKS-IND-CKA(q, N) ≤ AdvNTRU-IBE-ANO-CPA(q, N) A F n×m with basis T for Λ>(A ) s.t. T˜ ≤ Zq √ A0 q 0 A0 O( n log q). 8

$ n×m 2) Select l+1 random matrices A1,... Al, B ← Zq and TABLE 1 $ n Parameter sizes of our schemes and their pairing-based counterparts a random vector u ← Zq . for κ = 192. 3) Output the public key pk ← (A0, A1,..., Al, B, u) and secret key sk ← T . Public Private † ‡ A0 Schemes SC (Kb) TD (Kb) Key (Kb) Key (Kb) sw ← PEKS(pk, w): On the input of the pk and an l-bit l 0 $ BCOP [5] 0.38 0.19 0.57 0.38 keyword w = (b1, . . . , bl) ∈ {1, −1} , the sender picks bj ← ZI [17] 0.76 0.19 0.89 0.57 Pl n×m {0, 1} for j = 1, . . . , κ, sets Aw ← B + i=1biAi ∈ Zq NTRU-PEKS 27.2 32 52 27 n×2m 0 and Fw ← (A0|Aw) ∈ Zq . For each bj, it computes as LWE-PEKS 57,216 14,647,390 186,867 112 follows. † SC refers to searchable ciphertext (i.e., the output of the PEKS algorithm). $ n ‡ TD refers to trapdoor (i.e., the output of the Trapdoor algorithm). 1) Choose a uniformly random sj ← Zq and matrices   $ m×m y 0 > j Rij ← {−1, 1} for i = 1, . . . , l and set Rb ← Where x − t is the error term. Based on Lemma 22 j w z Pl m×m j i=1 biRij ∈ {−l, . . . , l} . in [14], the error term is bounded by q · σ · l · m · α · ω · Ψm √ Ψα α m ( log m)+O(σm3/2) 2) Choose noise vectors xj ← Zq and yj ← Zq , and set . For the system to work correctly, one > m needs to make sure that: zj ← Rb0 yj ∈ Zq . j √ −1 3/2 > 0 q > i. α < [σ · l · m · ω( log m)] and q = Ω(σm ), 3) Set c0j ← u sj + xj + bjb c ∈ Zq and c1j ← Fwsj +   2 ii. m > 6n log q so TrapGen can operate, yj 2m ∈ Zq . iii. σ is large enough so that SampleLeft as de- zj 0 fined above, and SampleRight (which is similar to 4) Output searchable ciphertext sw = (c0 , c1 , b ) for j j j j SampleLeft j = 1, . . . , κ. , and is used√ in the proof of [14]) can operate, i.e., σ > l · m · ω( log m) tw ← Trapdoor(pk, sk, w): On the input of the keys and a √ l iv. For Regev’s [16] reduction to work, set q > 2 n/α . keyword w = (bi, . . . , bl) ∈ {1, −1} , the receiver computes as follows. Pl n×m 2.5 1) Let Aw ← B+ i=1 biAi ∈ Zq and sample tw ∈ √To achieve these requirements,√ we set q ≥ m · 2m 1 ω( log n), m = 6n1+δ σ = ml · ω( log n) α = [l2m2 · Zq as tw ← SampleLeft(A0, Aw, TA0 , u,σ) . , , √ −1 2) Output the trapdoor as tw. ω( log n)] . This is based on the assumption that δ such that nδ > dlog qe. Given Fw := (A0|Aw), then Fw · tw = u ∈ Zq, and tw is 2 u Following the results of Lemma 13 and Lemma 19 in distributed as DΛ Fw,σ. q [14], setting the parameters of the scheme as suggested d ← Test(tw, sw): Given a trapdoor td for a keyword w = l above will ensure the right-keyword consistency of our (bi, . . . , bl) ∈ {1, −1} , and κ searchable ciphertexts swj = 0 PEKS scheme with a high probability. (c0j , c1j , bj) for j = 1, . . . , κ on keyword w, it computes as follows. Theorem 4. The LWE-PEKS scheme is consistent in the sense of q q Definition 11. i. Set νj ← c0j −twc1j ∈ Zq and check if |νj −b 2 c| < b 4 c, set νj ← 1 and otherwise, νj ← 0. 0 Proof. For the Test algorithm to return 1, all the κ bits ii. If νj = bj holds for all 1 ≤ j ≤ κ, set d ← 1, else d ← 0. 0 of bj and νj for 1 ≤ j ≤ κ should match. This implies that given A (obtained from the bit string in the keyword 3.2.1 Completeness and Consistency w w), the SampleLeft algorithm should sample short vectors In this section we show the completeness and consistency statistically close (i.e., have negligible statistical distance) of our scheme. to Fw ← (A0|Aw). Therefore, our adversary based consis- Lemma 3. Given a public-private key pair (pk, sk) ← tency comes from the Theorem 3.4 in [42] (and the signing t KeyGen(λ), a searchable ciphertext sw ← PEKS(pk, w) and a algorithm in [29]) that proves the statistical closeness of w trapdoor generated by the receiver td ← Trapdoor(pk, sk, w), that is generated by the SampleLeft on the input of Fw. the proposed scheme is complete. Therefore, for the suggested parameters and based on [29], [42], our LWE-PEKS scheme is consistent. Proof. To show the completeness of our scheme for swj := 0 (c0j , c1j , bj), the Test algorithm should return 1 when νj = 0 bj where νj ← c0j − tdc1j for all j = 1, . . . , κ. To affirm this, we work as follows. 3.2.2 Security Analysis > Based on [32], the hardness of lattice problems is measured νj = c0j − tw c1j   using the root Hermite factor. > 0 q > yj
= u sj + xj + bjb c − tw Fidsj + Following Lemma 1, to establish the security of our 2 zj LWE-PEKS scheme, we need to establish the anonymity   > 0 q > > yj property of the underlying IBE scheme. In [14], Agrawal = u sj + xj + bjb c − u sj − tw 2 zj et al. proved the security of their adaptive IBE scheme   0 q > yj with a strong privacy property called indistinguishable from = bjb c + x − tw 2 zj random, which is a stronger security notion as compared to the anonymity property defined in [12], [43]. In the initial 1 As shown in [14], A0 is of rank n, with a high probability. proposal of [14], for the security proof of the adaptive 9 variant of the scheme, there was a restriction where q > Q TABLE 2 where Q is the number of queries made by the adversary. Micro Benchmark (One Execution) of our schemes and their pairing-based counterparts This restriction was later lifted in by a more refined analysis in [15]. This implies that based on Lemma 1, the resulting PEKS Trapdoor Test Schemes † LWE-PEKS scheme is secure in the standard model. Based (ms) (ms) (ms) on [32], the hardness of lattice problems is measured using κ = 80 6.78 1.26 4.55 BCOP [5] the root Hermite factor. For a vector v in an N-dimension κ = 192 66.31 4.13 60.75 th κ = 80 48.87 4.12 12.93 lattice that is larger than the n root of the determinant, the ZI [17] kvk κ = 192 301.14 10.61 166.12 root Hermite factor is computed as γ = 1/n . For our det(Λh,q ) κ = 80 1.97 9.71 1.05 NTRU-PEKS LWE-PEKS scheme, we follow the suggested parameters κ = 192 4.44 31.59 3.40 in [33], [44] to achieve ≈ 192-bit security for message and κ = 80 2115.12 814.9 643 LWE-PEKS κ = 192 randomness recovery attack with γ ≈ 1.0042. 3727 1509.19 1214 this directly affects the consistency of the scheme and shifts the burden of decrypting unrelated responses to the receiver. 3.3 Secure Channel Requirement As compared to PEKS schemes, in ESE schemes, the tag can be computed from both the plaintext and ciphertext. This Baek et al. [45] highlighted the requirement of a secure highly differentiates the applications of these two searchable channel for trapdoor transmission between the receiver and encryption schemes. the server and proposed the notion of Secure-Channel Free In this paper, we focused on PEKS scheme as it does (SCF) PEKS schemes. SCF-PEKS schemes require the server not have consistency issues or a min-entropy distribution to be initialized with a key pair through which the receiver requirement, and fits better for our target real-life applica- encrypts the trapdoor before sending it over a public (in- tions (as discussed in Section 1). Nevertheless, for the sake secure) channel. Upon receiving the encrypted trapdoor, of completeness, to extend the advantages of NTRU-based the server will first decrypt the trapdoor before initiating encryption [53] to ESE, we also instantiated an NTRU-based the Test algorithm. Offline keyword-guessing attack, as ESE scheme based on the encrypt-with-hash transformation introduced by Byun et al. [46], implies the ability of an proposed in [52]. We compared it with its counterpart adversary to find which keyword was used to generate the which was instantiated based on El-Gamal encryption. Our trapdoor. This inherent issue is due to low-entropy nature of implementations of NTRU-based ESE and El-Gamal ESE the commonly selected keywords and public availability of (developed on elliptic curves) were run on an Intel i7 the encryption key [18]. Since Byun et al.’s work [46], there 6700HQ 2.6GHz CPU with 12GB of RAM . We observed have been a number of attempts in proposing schemes that that encryption for NTRU-based ESE takes 0.011ms where address keyword guessing attacks [47], [48], [49]. However, encryption in El-Gamal ESE takes 2.595ms. As for decryp- in all of the proposals, once the trapdoor is revealed to tion, NTRU-based ESE takes 0.013ms and El-Gamal ESE the server, keyword guessing attacks remain a perpetual takes 0.782ms. The differences are substantial, since the problem [49]. Jeong et al. [49] showed the trade-off between NTRU-base ESE is 236× and 60× faster in encryption and the security of a PEKS scheme against keyword-guessing decryption, respectively. attacks and its consistency - by mapping a trapdoor to multiple keywords. For our scheme, we can assume a con- ventional or even post quantum secure [50], [51] SSL/TLS 4 PERFORMANCE ANALYSIS AND COMPARISON connection between the receiver and the server. We believe We first give the analytical performance comparison and such reliable protocols provide the best means for commu- then describe our experimental setup and evaluation met- nicating trapdoors to the servers. Establishing a secure line rics. We then provide a detailed performance analysis and through SSL/TLS could be much more efficient than using cost dissection of our scheme in a cloud setting. To the any public key encryption as in SCF-PEKS. Since in such best of our knowledge, this is the first deployment of PEKS protocols, after the handshake protocol, all communications schemes in real-life cloud infrastructure with public data are encrypted using symmetric encryption. sets.

3.4 Alternative NTRU-based Constructions 4.1 Analytical Performance Comparison Bellare et al. [52] proposed a new variation of public key In this section, we first present a set of recommended encryption with search capability called Efficiently Search- parameters for our scheme which were used in our instanti- able Encryption (ESE). The idea behind ESE is to store a ations and then discuss the analytical performance from the deterministically computed “tag” along with the ciphertext. computation To respond to search queries, the server only needs to Parameters: For NTRU-PEKS, with 80-bit security, we set N = 512 and q = 223. For 192-bit security, we set N = 1024 lookup for a tag in a list of sorted tags. This significantly 27 reduces the search time on the server. For ESE to provide and q = 2 . Following [13], the Gram-Schmidt norm of q qe privacy, the keywords need to be selected from a distribu- coefficients of the private key is set as s ≈ 2 , where e tion with a high min-entropy. To compensate for privacy in is the base of natural logarithm. As illustrated in Section absence of a high min-entropy distribution for keywords, 3.1, the error terms r, e1, e2 are N-dimension vectors with the authors suggested truncating the output of the hash coefficients in {−1, 0, 1}N . For LWE-PEKS, with 80-bit secu- function to increase the probability of collisions. However, rity, we set n = 256, q = 4093 and σ = 8.35. For 192-bit 10 security, we set n = 320, q = 4093 and σ = 8. Error terms most of these applications, the smaller devices are conceived are sampled from the distribution as defined in Definition to be in the role of a sender, in our experiments, their 12. performance is evaluated in terms of searchable ciphertext Computation: The main performance advantage of NTRU- generation and sending it to the server. In other applications PEKS stems from the fact that the Test algorithm is ex- (e.g., secure e-mail system), commodity hardware may also ecuted once on every keyword-file pair for each search generate searchable ciphertext and send it to the e-mail query. Therefore, since the Test algorithm of our NTRU- server. Thus, their cost is also evaluated on commodity PEKS scheme only requires one convolution product, which hardware. The receiver/auditor generates a trapdoor to is much more efficient than the bilinear pairing operation search over the database and process the results. In most required in almost all of the existing pairing-based PEKS applications, the receiver is conceived to be equipped with schemes, we achieve noticeable performance gains in terms a commodity hardware (e.g., Laptop). Therefore, we eval- of the end-to-end delay. The dominant operations of the uated trapdoor generation and sending it to the server on PEKS algorithm in our NTRU-PEKS scheme are two convo- commodity hardware only. lution products of form x1 ∗ x2. However, since one of the Software Libraries and Hardware Configurations: $ operands has very small coefficients (i.e., r ←−{−1, 0, 1}N ), We fully implemented our NTRU-PEKS scheme in C++, the convolution products can be computed very efficiently. using NTL [56], ZeroMQ and b2 libraries. NTL library Specifically, in our case, since N has been selected as a was used for low-level arithmetic and matrix operations power-of-two integer, the convolution product can be com- whereas ZeroMQ was used for network communication. puted in N log N operations by the Fast Fourier Transform. b2 library is a portable C implementation of high-speed The PEKS algorithm in BCOP scheme requires one bilinear Blake2 hash function [57]. Blake2 is used in the full im- pairing operation that is more costly than the convolution plementation of NTRU-PEKS to map keywords to vec_ZZ products. The Trapdoor algorithm in NTRU-PEKS requires type. More specifically, we used Blake2 as a pseudorandom a Gaussian Sampling, similar as in [13], [25]. This is the most function (PRF), in our Trapdoor and PEKS algorithms. costly operation in our scheme. This algorithm in BCOP The implementation of the pairing-based counterpart [5] only requires one scalar multiplication and consequently, was obtained from MIRACL library, that was provided as a it is the fastest. For LWE-PEKS, it requires the same type simulation. We extended this implementation for real cloud of operations as in NTRU-PEKS, however, mostly due to setting, therefore, in addition to MIRACL, ZeroMQ library is the very large dimension of the parameters, it suffers from also used in this implementation. Elliptic curves for BCOP significant performance loss as compared to its pairing- scheme were selected based on MIRACL, specifically, we based counterpart. used MNT curve with κ = 80-bit security (with embedding Storage and Communication: In terms of storage and degree k = 6) and KSS curve with κ = 192-bit security communication, our schemes are more storage intensive (with embedding degree k = 18). We made both of the than their pairing-based counterparts. For instance, in our implementations open-sourced for further improvements most efficient scheme (i.e., NTRU-PEKS), the sender needs and adoption2. For the schemes in the standard model, we to store the receiver’s public key of size N · log2 q. Referring only simulated the implementation of our LWE-PEKS and to Table 1, for 192-bit security, it can be up to 27.2 Kb. The its pairing-based counterpart [17]. Therefore, due to their searchable ciphertext in NTRU-PEKS scheme 3N log2(q) poor computational performance and parameter sizes (for bits, which corresponds to 52 Kb. Trapdoor in NTRU-PEKS LWE-PEKS), we decided not to go ahead with the full- scheme 2N log2(2sπ) bits, where s defines the norm of the fledged implementation and merely provide an overview Gram-Schmidt coefficient. As depicted in Table 1 the size of how costly these schemes could be as compared to the of the searchable ciphertext in NTRU-PEKS is significantly schemes in the random oracle model. larger than the one in BCOP [5]. However, in Section 4.3, we As the commodity hardware, we used an Intel Core i7- show that in the deployment of the schemes, even though 6700HQ laptop with a 2.6 GHz CPU and 12GB RAM. As our NTRU-PEKS scheme incurs a higher communication a low-power device, we selected ARM Cortex A53 proces- overhead, this overhead is insignificant when the end-to- sor, due to its flexibility and low-power consumption [58]. end search delay is considered (as compared to the pairing- Although it is a low-power device (can run with a small based counterparts), even with a moderate-speed network. 2200 mAh battery), ARM Cortex A53 is equipped with a For LWE-PEKS, the public key is n·log2 q((l +2)·m+1) 64-bit 1 GHz processor and 1 GB SDRAM. It is extensively 1+δ bits, where as alluded to in Section 3.2, m = 6n and preferred in practice since it combines powerful processing l is the bit length of the keyword. As suggested in [14], power with low energy consumption [58]. At the server- δ δ should be set such that n > dlog2 qe. The searchable side, we used an Amazon EC2 instance located in Oregon, ciphertext size is κ(2m + 1) log2 q. As depicted, in Table 1 with a single core Intel(R) Xeon(R) CPU E5-2676 operating the parameter sizes of LWE-PEKS is significantly larger than at 2.4GH, 2GB RAM and 250 GB SSD. Since our parameter those of NTRU-PEKS scheme. sizes are larger than pairing-based schemes, we preferred to be conservative and selected a moderate-speed network with a 75 4.2 Evaluation Metrics and Experimental Setup Mbps connection for both commodity hardware and ARM pro- cessor. The ping to the server is measured as 25.23 ms and Evaluation Metrics: We implemented our NTRU-PEKS 26.78 ms from commodity hardware and ARM processor, scheme based on the preliminary implementations in [54], [55]). As aforementioned, PEKS schemes have potential applications in settings with heterogeneous devices. Since in 2https://github.com/Rbehnia/Full_PEKS 11

Fig. 2. End-to-end search time of NTRU-PEKS for κ = 192. Fig. 3. End-to-end search time of LWE-PEKS for κ = 192.

respectively. In our experiments, we used subsets of publicly receiver searches over the database for κ = 192 based on our available Enron e-mail dataset. full-fledged implementation and simulation results, respec- One can notice that despite the strong security assur- tively. As depicted, server computation which is running ances that schemes in the standard model offer, the com- the Test algorithm, dominates the total cost for both of putation and storage overhead (especially for LWE-PEKS) the schemes since it is executed once per each keyword- marks their impracticality, especially with the current state file pair (linear) in the database. Disk access time on the computation capabilities of commodity hardware. server is also linear to the number of keyword-file pairs in the database, however, it is much faster as compared to the Test algorithm . Therefore, it contributes to 3% of the 4.3 Performance Evaluation total end-to-end delay in NTRU-PEKS. Due to the larger Table 2 shows the experimental results obtained from parameter sizes in LWE-PEKS this increases to 15% of the the full-fledged implementation of our lattice-based PEKS total end-to-end delay. schemes and the one proposed in [5], [17]. As illustrated, We conducted experiments with varying sizes of × × our NTRU-PEKS scheme is 15 and 18 faster than BCOP database, up to 200,000 keyword-file pairs. As depicted in PEKS Test in the and algorithms, respectively. However, Figure 4, for 200,000 keyword-file pairs, BCOP algorithm Trapdoor due to costly Gaussian Sampling, the algorithm takes 3.34 hours, whereas NTRU-PEKS takes 11.71 minutes. × is approximately 8 slower than the one in BCOP scheme. Both of these times are dominated by the Test computation We note that due to the latest advancements in Gaussian on the server-side, since the receiver generates and sends the Test sampling techniques, one can instantiate the algo- Trapdoor only once for each search. rithm with more recent algorithms, for instance, using the PEKS method proposed in [59]. As for communication, sending We implemented on both the commodity hard- one searchable ciphertext (for κ = 192 bits, equivalent to 52 Kb of data), with our moderate-speed network setting takes only 94 ms which is only 12 ms higher than that of BCOP. This communication cost becomes much costlier in LWE- PEKS. Sending a Trapdoor, which needs to be done once per receiver query on the server, takes 92 ms in our scheme which is only 12 ms more than that in the BCOP scheme. As for our implementation on ARM processor, the searchable ciphertext generation takes 22.58 ms in our scheme which is 40× faster than that of BCOP. As afore- mentioned, we did not benchmark the Trapdoor algorithm since in most applications, these devices operate as senders. The communication of one searchable ciphertext in our scheme takes 100 ms on ARM processor with the aforemen- tioned network setting which is only 14.5 ms higher than that of BCOP scheme.

4.4 Detailed Analysis and Cost Dissection Figure 2 and Figure 3 show the cost dissection of the end- to-end delays for NTRU-PEKS and LWE-PEKS when the Fig. 4. End-to-end search time comparison for κ = 192. 12

ware and ARM processors. We observed significant im- 5 RELATED WORK provements on the ARM processor, wherein specifically, for Searchable encryption can be instantiated from both sym- κ = 192, the PEKS algorithm only takes 22.58 ms which is metric or asymmetric key settings. Song et al. [2] proposed 40× faster than BCOP in ARM Cortex A53. This difference the first SE scheme that relies on symmetric key cryptog- is mainly due to the fact that our PEKS algorithm does raphy. Kamara et al. [60] proposed the first DSSE scheme not require any expensive operations (e.g., exponentiation to address the limitation of its static ancestors. While being or pairing computation) and matrix operations can be ef- highly efficient, symmetric SE schemes are more suitable for ficiently computed on a wide range of devices. Another applications that involve a single client who outsources her advantage of our scheme is the energy efficiency (longer own data to the cloud relying on her private key. battery life) on these devices. The energy consumption of a device is linear with the computation time (E = V · I · t, In this paper, given the target applications that need mul- where E = energy, V = voltage, I = current and t = tiple heterogeneous entities to create searchable encrypted time). Therefore, with our NTRU-PEKS scheme, battery data, our focus is on SE schemes instanced in asymmetric replacement cost and cryptographic overhead on energy settings. In particular, we concentrate on PEKS, as it requires consumption would potentially decrease significantly. neither specific probability distributions on keywords nor performance/consistency trade-offs as dictated by some We observed that although parameter sizes for NTRU- other asymmetric alternatives (e.g., ESE as discussed in PEKS are much larger than the pairing-based counterpart, Section 3.4). In PEKS schemes, decryption and trapdoor they do not significantly affect the communication delay. generation take place using the private key of the receiver, More specifically, as aforementioned communication dif- while any user can use the corresponding public key to ference between NTRU-PEKS and BCOP is only around generate searchable ciphertext. With a few exceptions, all 10 − 15 ms. The reason behind this is the round-trip delay of the proposed PEKS schemes are developed using costly time (RTT) from our moderate-speed home network (which bilinear pairing operations. The first instance of pairing-free is located in the same state as the server, i.e., Oregon) to PEKS schemes are constructed by Crescenzo and Saraswat 25.23 26.78 the server is ms and ms, for commodity hard- [21] based on the IBE scheme in [61], which is constructed ware and ARM processor, respectively. With a three-way using quadratic residue for a composite modulus. Khader handshake in TCP, RTT dominates the total communication [62] proposed the first instance of such schemes in the cost, resulting in an insignificant difference between our standard model based on a k-resilient IBE, she also put forth NTRU-PEKS and BCOP. This shows that, although NTRU- a scheme which supports multiple-keyword search. based schemes have larger parameters, their computational In the Trapdoor algorithm of NTRU-PEKS and LWE- results in a lower end-to-end delay as compared to their PEKS, following the works in [13] and [14], the receiver uses communication efficient counterparts (e.g., pairing-based its secret, which is a short basis of the lattice, as a trapdoor schemes). When the schemes in the standard model are to sample short vectors. Using the short basis of the lattice considered, based on our simulated results, as depicted in as a trapdoor to efficiently sample private keys (trapdoors, Figure 4, the gap between the BCOP scheme and ZI scheme in the case of PEKS schemes) has been extensively studied (which is secure in the standard model) is much less than in the literature (e.g., [63], [64], [65], [66], [67]). the gap between NTRU-PEKS and the LWE-PEKS which is secure in the standard model. ACKNOWLEDGMENTS The authors would like to thank Leo Ducas and Thomas 4.5 Discussion Prest for their valuable discussions. The authors would also like to thank the anonymous reviewers of IEEE TDSC whose comments significantly helped to improve the quality of this We presented the first full-fledged implementations for paper. This work is supported by the NSF CAREER Award PEKS schemes, and make our implementation open-sourced CNS-1652389. for further adoption and improvements. Our experiments showed that (i) Test algorithm dominates the total search time since it runs O(L) times (linear with the number of keyword-file pairs, L). (ii) The efficiency of PEKS algorithm REFERENCES is also crucial since it is to be run on energy-constrained [1] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, devices in heterogeneous settings. (iii) Given that lattice- A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica et al., based schemes have larger parameters and require signif- “Above the clouds: A berkeley view of cloud computing,” 2009. icantly larger ciphertexts/trapdoors to be transferred, in [2] D. X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Proceeding IEEE Symposium on a real cloud setting, with a moderate speed network, the Security and Privacy S&P, 2000, pp. 44–55. communication time difference with pairing-based schemes [3] A. A. Yavuz and J. Guajardo, “Dynamic searchable symmetric could be insignificant. encryption with minimal leakage and efficient updates on com- modity hardware,” in Selected Areas in Cryptography – SAC 2015, For real-world cases with large databases, our NTRU- O. Dunkelman and L. Keliher, Eds. Springer Berlin Heidelberg, PEKS scheme seems to be the only practical solution at this 2016, pp. 241–259. moment. We believe that this is one of the main aspects [4] M. O. Ozmen, T. Hoang, and A. A. Yavuz, “Forward-private dynamic searchable symmetric encryption with efficient search,” of our scheme that makes it an attractive candidate to be in 2018 IEEE International Conference on Communications (ICC), May implemented for real-world applications. 2018, pp. 1–6. 13

[5] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public lattice,” in Topics in Cryptology — CT-RSA 2003 Proceedings, M. Joye, Key Encryption with Keyword Search,” in Advances in Cryptology - Ed. Springer Berlin Heidelberg, 2003, pp. 122–140. EUROCRYPT 2004: International Conference on the Theory and Appli- [25] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard cations of Cryptographic Techniques, C. Cachin and J. L. Camenisch, lattices and new cryptographic constructions,” in Proceedings of the Eds. Springer Berlin Heidelberg, 2004, pp. 506–522. Fortieth Annual ACM Symposium on Theory of Computing. New [6] D. J. Park, K. Kim, and P. J. Lee, “Public key encryption with con- York, NY, USA: ACM, 2008, pp. 197–206. junctive field keyword search,” in Information Security Applications, [26] P. Q. Nguyen and O. Regev, “Learning a parallelepiped: Crypt- C. H. Lim and M. Yung, Eds. Springer Berlin Heidelberg, 2005, analysis of ggh and ntru signatures,” J. Cryptol., vol. 22, no. 2, pp. pp. 73–86. 139–160, 2009. [7] D. Boneh and B. Waters, “Conjunctive, subset, and range queries [27] D. Micciancio and O. Regev, “Worst-case to average-case reduc- on encrypted data,” in Theory of Cryptography Proceedings, S. P. tions based on gaussian measures,” SIAM Journal on Computing, Vadhan, Ed. Springer Berlin Heidelberg, 2007, pp. 535–554. vol. 37, no. 1, pp. 267–302, 2007. [8] E. Shi, J. Bethencourt, T.-H. H. Chan, D. Song, and A. Perrig, [28] L. Ducas and P. Q. Nguyen, “Faster gaussian lattice sampling “Multi-dimensional range query over encrypted data,” in Proceed- using lazy floating-point arithmetic,” in ASIACRYPT 2012: 18th ings of the 2007 IEEE Symposium on Security and Privacy S&P. IEEE International Conference on the Theory and Application of Cryptology Computer Society, 2007, pp. 350–364. and Information Security, X. Wang and K. Sako, Eds. Springer [9] J. Bringer, H. Chabanne, and B. Kindarji, “Error-tolerant searchable Berlin Heidelberg, 2012, pp. 415–432. encryption,” in IEEE International Conference on Communications, [29] C. Peikert, “Bonsai trees (or, arboriculture in lattice-based cryp- 2009, pp. 1–6. tography),” Cryptology ePrint Archive, Report 2009/359, 2009, [10] R. Bost, B. Minaud, and O. Ohrimenko, “Forward and backward http://eprint.iacr.org/2009/359. private searchable encryption from constrained cryptographic [30] T. Prest, “Gaussian sampling in lattice-based cryptography,” PhD primitives,” Cryptology ePrint Archive, Report 2017/805, 2017, Thesis, École Normale Supérieure, 2015. https://eprint.iacr.org/2017/805. [31] L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, “Lattice [11] R. Bost, “Sophos - forward secure searchable encryption,” Cryp- signatures and bimodal gaussians,” in Advances in Cryptology – tology ePrint Archive, Report 2016/728, 2016, https://eprint.iacr. CRYPTO 2013, R. Canetti and J. A. Garay, Eds. Springer Berlin org/2016/728. Heidelberg, 2013, pp. 40–56. [12] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, [32] N. Gama and P. Q. Nguyen, “Predicting lattice reduction,” in Ad- J. Malone-Lee, G. Neven, P. Paillier, and H. Shi, “Searchable vances in Cryptology – EUROCRYPT 2008: 27th Annual International encryption revisited: Consistency properties, relation to anony- Conference on the Theory and Applications of Cryptographic Techniques, mous ibe, and extensions,” in Advances in Cryptology – CRYPTO N. Smart, Ed. Springer Berlin Heidelberg, 2008, pp. 31–51. 2005: 25th Annual International Cryptology Conference, V. Shoup, Ed. [33] Y. Chen and P. Q. Nguyen, “BKZ 2.0: Better lattice security Springer Berlin Heidelberg, 2005, pp. 205–222. estimates,” in ASIACRYPT 2011: 17th International Conference on the [13] L. Ducas, V. Lyubashevsky, and T. Prest, “Efficient identity-based Theory and Application of Cryptology and Information Security, D. H. encryption over ntru lattices,” in Advances in Cryptology – ASI- Lee and X. Wang, Eds. Springer Berlin Heidelberg, 2011, pp. 1–20. ACRYPT 2014: 20th International Conference on the Theory and Appli- [34] V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices cation of Cryptology and Information Security, P. Sarkar and T. Iwata, and learning with errors over rings,” in Advances in Cryptology Eds. Springer Berlin Heidelberg, 2014, pp. 22–41. – EUROCRYPT 2010: 29th Annual International Conference on the [14] S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (h)ibe in the Theory and Applications of Cryptographic Techniques, H. Gilbert, Ed. standard model,” in Advances in Cryptology – EUROCRYPT 2010: Springer Berlin Heidelberg, 2010, pp. 1–23. 29th Annual International Conference on the Theory and Applications [35] ——, “A toolkit for ring-lwe cryptography,” in Advances in Cryp- of Cryptographic Techniques, H. Gilbert, Ed. Springer Berlin Hei- tology – EUROCRYPT 2013: 32nd Annual International Conference on delberg, 2010, pp. 553–572. the Theory and Applications of Cryptographic Techniques, T. Johansson [15] X. Boyen, “Lattice mixing and vanishing trapdoors: A framework and P. Q. Nguyen, Eds. Springer Berlin Heidelberg, 2013, pp. for fully secure short signatures and more,” in Public Key Cryptog- 35–54. raphy – PKC 2010: 13th International Conference on Practice and The- [36] D. Micciancio and O. Regev, “Lattice-based cryptography,” in ory in Public Key Cryptography, P. Q. Nguyen and D. Pointcheval, Post-Quantum Cryptography, D. J. Bernstein, J. Buchmann, and Eds. Springer Berlin Heidelberg, 2010, pp. 499–517. E. Dahmen, Eds. Springer Berlin Heidelberg, 2009, pp. 147–191. [16] O. Regev, “On lattices, learning with errors, random linear codes, [37] D. J. Bernstein, “A subfield-logarithm attack against ideal lattices,” and cryptography,” in Proceedings of the Thirty-seventh Annual ACM http://blog.cr.yp.to/20140213-ideal.html, 2014. Symposium on Theory of Computing. ACM, 2005, pp. 84–93. [38] M. Albrecht, S. Bai, and L. Ducas, “A subfield lattice attack on [17] R. Zhang and H. Imai, “Generic combination of public key encryp- overstretched NTRU assumptions,” in Advances in Cryptology – tion with keyword search and public key encryption,” in Cryptol- CRYPTO 2016, M. Robshaw and J. Katz, Eds. Springer Berlin ogy and Network Security Proceedings, F. Bao, S. Ling, T. Okamoto, Heidelberg, 2016, pp. 153–178. H. Wang, and C. Xing, Eds. Springer Berlin Heidelberg, 2007, pp. [39] P. Kirchner and P.-A. Fouque, “Revisiting lattice attacks on over- 159–174. stretched ntru parameters,” in Advances in Cryptology – EURO- [18] C. Bösch, P. Hartel, W. Jonker, and A. Peter, “A survey of provably CRYPT 2017: 36th Annual International Conference on the Theory secure searchable encryption,” ACM Comput. Surv., vol. 47, no. 2, and Applications of Cryptographic Techniques, J.-S. Coron and J. B. pp. 18:1–18:51, 2014. Nielsen, Eds. Cham: Springer International Publishing, 2017, pp. [19] R. Behnia, A. A. Yavuz, and M. O. Ozmen, “High-speed high- 3–26. security public key encryption with keyword search,” in Data [40] M. Ajtai, “Generating hard instances of the short basis problem,” and Applications Security and Privacy XXXI: 31st Annual IFIP WG in Automata, Languages and Programming: 26th International Collo- 11.3 Conference, G. Livraga and S. Zhu, Eds. Cham: Springer quium, J. Wiedermann, P. van Emde Boas, and M. Nielsen, Eds. International Publishing, 2017, pp. 365–385. Springer Berlin Heidelberg, 1999, pp. 1–9. [20] S. Halevi, “A sufficient condition for key-privacy.” IACR Cryptol- [41] J. Alwen and C. Peikert, “Generating shorter bases for hard ogy ePrint Archive, vol. 2005, p. 5, 2005. random lattices,” Theory of Computing Systems, vol. 48, no. 3, pp. [21] G. Di Crescenzo and V. Saraswat, “Public key encryption with 535–553, Apr 2011. searchable keywords based on jacobi symbols,” in Progress in [42] D. Cash, D. Hofheinz, and E. Kiltz, “How to delegate a lattice Cryptology – INDOCRYPT 2007: 8th International Conference on basis,” Cryptology ePrint Archive, Report 2009/351, 2009, http: Cryptology in India, K. Srinathan, C. P. Rangan, and M. Yung, Eds. //eprint.iacr.org/2009/351. Springer Berlin Heidelberg, 2007, pp. 282–296. [43] M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval, “Key- [22] M. Ajtai, “Generating hard instances of lattice problems,” in privacy in public-key encryption,” in Advances in Cryptology — Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory ASIACRYPT 2001 Proceedings, C. Boyd, Ed. Springer Berlin of Computing. ACM, 1996, pp. 99–108. Heidelberg, 2001, pp. 566–582. [23] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A ring-based [44] R. Lindner and C. Peikert, “Better key sizes (and attacks) for LWE- public key cryptosystem,” pp. 267–288, 1998. based encryption,” in Topics in Cryptology – CT-RSA 2011: The [24] J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, Cryptographers’ Track at the RSA Conference 2011, A. Kiayias, Ed. and W. Whyte, “NTRUSign: Digital signatures using the NTRU Springer Berlin Heidelberg, 2011, pp. 319–339. 14

[45] J. Baek, R. Safavi-Naini, and W. Susilo, “Public key encryption [57] J.-P. Aumasson, L. Henzen, W. Meier, and R. C.-W. Phan, “Sha-3 with keyword search revisited,” in Computational Science and proposal blake,” Submission to NIST (Round 3), 2010. [Online]. Its Applications, O. Gervasi, B. Murgante, A. Laganà, D. Taniar, Available: http://131002.net/blake/blake.pdf Y. Mun, and M. L. Gavrilova, Eds. Springer Berlin Heidelberg, [58] V. Vujovi´cand M. Maksimovi´c,“Raspberry pi as a sensor web 2008, pp. 1249–1259. node for home automation,” Comput. Electr. Eng., vol. 44, no. C, [46] J. W. Byun, H. S. Rhee, H.-A. Park, and D. H. Lee, “Off-line pp. 153–171, May 2015. keyword guessing attacks on recent keyword search schemes over [59] L. Ducas and T. Prest, “Fast fourier orthogonalization,” in Pro- encrypted data,” in Secure Data Management: Third VLDB Workshop ceedings of the ACM on International Symposium on Symbolic and Proceedings, W. Jonker and M. Petkovi´c, Eds. Springer Berlin Algebraic Computation, ser. ISSAC ’16. New York, NY, USA: ACM, Heidelberg, 2006, pp. 75–83. 2016, pp. 191–198. [47] C. Hu and P. Liu, “A secure searchable public key encryption [60] S. Kamara and K. Lauter, “Cryptographic cloud storage,” in scheme with a designated tester against keyword guessing attacks Financial Cryptography and Data Security, R. Sion, R. Curtmola, and its extension,” in Advances in Computer Science, Environment, S. Dietrich, A. Kiayias, J. M. Miret, K. Sako, and F. Sebé, Eds. Ecoinformatics, and Education, S. Lin and X. Huang, Eds. Springer Springer Berlin Heidelberg, 2010, pp. 136–149. Berlin Heidelberg, 2011, pp. 131–136. [61] C. Cocks, “An identity based encryption scheme based on [48] L. Fang, W. Susilo, C. Ge, and J. Wang, “Public key encryption with quadratic residues,” in Cryptography and Coding: 8th IMA Inter- keyword search secure against keyword guessing attacks without national Conference Cirencester, B. Honary, Ed. Springer Berlin random oracle,” Information Sciences, vol. 238, pp. 221 – 241, 2013. Heidelberg, 2001, pp. 360–363. [49] I. R. Jeong, J. O. Kwon, D. Hong, and D. H. Lee, “Constructing [62] D. Khader, “Public key encryption with keyword search based on PEKS schemes secure against keyword guessing attacks is possi- K-resilient IBE,” in Proceedings of the 2007 International Conference on ble?” Computer Communications, vol. 32, no. 2, pp. 394 – 396, 2009. Computational Science and Its Applications. Springer-Verlag, 2007, [50] J. W. Bos, C. Costello, M. Naehrig, and D. Stebila, “Post-quantum pp. 1086–1095. key exchange for the tls protocol from the ring learning with errors [63] D. Micciancio and C. Peikert, “Trapdoors for lattices: Simpler, problem,” in 2015 IEEE Symposium on Security and Privacy, 2015, tighter, faster, smaller,” in Proceedings of the 31st Annual Interna- pp. 553–570. tional Conference on Theory and Applications of Cryptographic Tech- [51] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “Post- niques, ser. EUROCRYPT’12. Springer-Verlag, 2012, pp. 700–718. quantum key exchange—a new hope,” in 25th USENIX Security [64] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard Symposium (USENIX Security 16). Austin, TX: USENIX Associa- lattices and new cryptographic constructions,” in Proceedings of the tion, 2016, pp. 327–343. Fortieth Annual ACM Symposium on Theory of Computing, ser. STOC [52] M. Bellare, A. Boldyreva, and A. O’Neill, “Deterministic and ’08. New York, NY, USA: ACM, 2008, pp. 197–206. efficiently searchable encryption,” in Advances in Cryptology - [65] R. W. F. Lai, H. K. F. Cheung, and S. S. M. Chow, “Trapdoors CRYPTO 2007: 27th Annual International Cryptology Conference, for ideal lattices with applications,” in Information Security and A. Menezes, Ed. Springer Berlin Heidelberg, 2007, pp. 535–552. Cryptology, D. Lin, M. Yung, and J. Zhou, Eds. Cham: Springer [53] W. Whyte, N. Howgrave-Graham, J. Hoffstein, J. Pipher, J. H. International Publishing, 2015, pp. 239–256. Silverman, and P. S. Hirschhorn, “IEEE P1363. 1 Draft 10: Draft [66] N. Genise and D. Micciancio, “Faster gaussian sampling for trap- Standard for Public Key Cryptographic Techniques Based on Hard door lattices with arbitrary modulus,” Cryptology ePrint Archive, Problems over Lattices.” IACR Cryptology EPrint Archive, vol. 2008, Report 2017/308, 2017, https://eprint.iacr.org/2017/308. p. 361, 2008. [67] R. Bendlin, S. Krehbiel, and C. Peikert, “How to share a lattice trap- [54] T. Prest, “Lattice-IBE,” https://github.com/tprest/Lattice-IBE, door: Threshold protocols for signatures and (h)ibe,” in Applied 2013. Cryptography and Network Security, M. Jacobson, M. Locasto, P. Mo- [55] R. Behnia, “NTRUPEKS,” https://github.com/Rbehnia/ hassel, and R. Safavi-Naini, Eds. Berlin, Heidelberg: Springer NTRUPEKS, 2016. Berlin Heidelberg, 2013, pp. 218–236. [56] V. Shoup, “NTL: A library for doing number theory,” http://www. shoup.net/ntl, 2003.