Public Key Authenticated Encryption with Keyword Search from LWE

被引:20
作者
Cheng, Leixiao [1 ,2 ]
Meng, Fei [3 ,4 ]
机构
[1] Shandong Univ, Sch Math, Jinan 250100, Peoples R China
[2] Shandong Univ, Sch Cyber Sci & Technol, Qingdao, Peoples R China
[3] Yanqi Lake Beijing Inst Math Sci & Applicat, Beijing, Peoples R China
[4] Tsinghua Univ, Yau Math Sci Ctr, Beijing, Peoples R China
来源
COMPUTER SECURITY - ESORICS 2022, PT I | 2022年 / 13554卷
关键词
Public key authenticated encryption; Keyword search; Inside keyword guessing attack; LWE;
D O I
10.1007/978-3-031-17140-6_15
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
Public key encryption with keyword search (PEKS) inherently suffers from the inside keyword guessing attack. To resist against this attack, Huang et al. proposed the public key authenticated encryption with keyword search (PAEKS), where the sender not only encrypts a keyword, but also authenticates it. To further resist against quantum attacks, Liu et al. proposed a generic construction of PAEKS and the first quantum-resistant PAEKS instantiation based on lattices. Later, Emura pointed out some issues in Liu et al.'s construction and proposed a new generic construction of PAEKS. The basic construction methodology of Liu et al. and Emura is the same. In this paper, we first analyze the schemes of Liu et al. and Emura, and point out some issues regarding their construction and security model. In short, in their lattice-based instantiations, the sender and receiver use a lattice-based word independent smooth projective hash functions (SPHF) to compute the same shared key to authenticate keywords, leading to a super-polynomial modulus q; their generic constructions need a trusted setup assumption or the designated-receiver setting; Liu et al. failed to provide convincing evidence that their scheme satisfies their claimed security. Then, we propose two new lattice-based PAEKS schemes with totally different construction methodology from Liu et al. and Emura. Specifically, in our PAEKS schemes, instead of using the shared key calculated by SPHF, the sender and receiver achieve keyword authentication by using their own secret key to sample a set of short vectors related to the keyword. In this way, the modulus q in our schemes could be of polynomial size, which results in much smaller size of the public key, ciphertext and trapdoor. In addition, our schemes need neither a trusted setup assumption nor the designated-receiver setting. Finally, our schemes can be proven secure in stronger security model, and thus provide stronger security guarantee for both ciphertext privacy and trapdoor privacy.
引用
收藏
页码:303 / 324
页数:22
相关论文
共 27 条
[1]  
Agrawal S, 2010, LECT NOTES COMPUT SC, V6110, P553
[2]  
Ajtai M., 1999, Automata, Languages and Programming. 26th International Colloquium, ICALP'99. Proceedings (Lecture Notes in Computer Science Vol.1644), P1
[3]   Generating Shorter Bases for Hard Random Lattices [J].
Alwen, Joel ;
Peikert, Chris .
THEORY OF COMPUTING SYSTEMS, 2011, 48 (03) :535-553
[4]  
Applebaum B, 2009, LECT NOTES COMPUT SC, V5677, P595, DOI 10.1007/978-3-642-03356-8_35
[5]   Lattice-Based Public Key Searchable Encryption from Experimental Perspectives [J].
Behnia, Rouzbeh ;
Ozmen, Muslum Ozgur ;
Yavuz, Attila Altay .
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2020, 17 (06) :1269-1282
[6]   Hash Proof Systems over Lattices Revisited [J].
Benhamouda, Fabrice ;
Blazy, Olivier ;
Ducas, Leo ;
Quach, Willy .
PUBLIC-KEY CRYPTOGRAPHY - PKC 2018, PT II, 2018, 10770 :644-674
[7]  
Boneh D, 2004, LECT NOTES COMPUT SC, V3027, P506
[8]  
Byun JW, 2006, LECT NOTES COMPUT SC, V4165, P75
[9]   Bonsai Trees, or How to Delegate a Lattice Basis [J].
Cash, David ;
Hofheinz, Dennis ;
Kiltz, Eike ;
Peikert, Chris .
JOURNAL OF CRYPTOLOGY, 2012, 25 (04) :601-639
[10]  
Chang YC, 2005, LECT NOTES COMPUT SC, V3531, P442
123