mathematics
Article
Multi-Keyword Searchable Identity-Based Proxy Re-Encryption
from Lattices
Er-Shuo Zhuang 1 and Chun-I Fan 1,2,3, *
[email protected]
[email protected]
Citation: Zhuang, E.-S.; Fan, C.-I.
Multi-Keyword Searchable
Identity-Based Proxy Re-Encryption
from Lattices. Mathematics 2023, 11,
3830. https://doi.org/10.3390/
math11183830
Academic Editor: Sheng-Tzong
Cheng
Received: 28 July 2023
Revised: 1 September 2023
Accepted: 4 September 2023
Published: 6 September 2023
Copyright: © 2023 by the authors.
Licensee MDPI, Basel, Switzerland.
This article is an open access article
distributed under the terms and
conditions of the Creative Commons
Attribution (CC BY) license (https://
creativecommons.org/licenses/by/
4.0/).
Mathematics 2023, 11, 3830. https://doi.org/10.3390/math11183830
1 Department of Computer Science and Engineering, National Sun Yat-sen University,
Kaohsiung 804, Taiwan;
2 Information Security Research Center, National Sun Yat-sen University, Kaohsiung 804, Taiwan
3 Intelligent Electronic Commerce Research Center, National Sun Yat-sen University, Kaohsiung 804, Taiwan
* Correspondence:
Abstract: To protect the privacy of cloud data, encryption before uploading provides a solution.
However, searching for target data in ciphertext takes effort. Therefore, searchable encryption
has become an important research topic. On the other hand, since the advancement of quantum
computers will lead to the crisis of cracking traditional encryption algorithms, it is necessary to
design encryption schemes that can resist quantum attacks. Therefore, we propose a multi-keyword
searchable identity-based proxy re-encryption scheme from lattices. In addition to resisting quantum
attacks, the proposed scheme uses several cryptographic techniques to improve encryption efficiency.
First, identity-based encryption is used to reduce the computation and transmission costs caused
by certificates. Second, the proposed scheme uses proxy re-encryption to achieve the purpose of
outsourced computing, allowing the proxy server to reduce the computation and transmission costs
of the users. Third, the proposed multi-keyword searchable encryption can provide AND and OR
operators to increase the flexibility of searchability. Moreover, the access structure of the proposed
scheme is not based on a linear secret sharing scheme (LSSS), avoiding the errors caused by an
LSSS-based structure in decryption or search results. Finally, we also give formal security proof of
the proposed scheme under the decisional learning with errors assumption.
Keywords: post-quantum cryptography; lattice-based cryptography; multi-keyword search; identity-
based encryption; proxy re-encryption
MSC: 68P25
1. Introduction
Encrypting data before uploading to the cloud has become a standard method to
protect data privacy. With the advancement of technology, cloud services have become a
part of people’s daily lives. Sharing data through the cloud server can reduce the storage
cost of the user end, but at the same time, there will be concerns about data leakage.
Therefore, to protect the data’s confidentiality, users may encrypt it before uploading it to
the cloud server. Based on the convenience of key management, most people use the public
key cryptography system to encrypt data. To confirm the correctness of a user’s public
key, a certificate of the user’s public key is often required as proof. However, since the
management and verification of certificates will lead to more computation and transmission
costs, many certificate-less public key cryptosystems have been proposed.
Functional encryption is a type of certificate-less public key encryption. For example,
identity-based encryption (IBE), attribute-based encryption (ABE), and subset-predicate
encryption (SPE) are functional encryption methods. In 1984, Shamir proposed the first
IBE scheme [1]. In his scheme, the data owner can use the receivers’ identities as the
encryption keys, thereby saving the management and verification of certificates. In 2005,
Sahai and Waters proposed a fuzzy IBE scheme [2]. Since a fuzzy identity can be regarded
https://www.mdpi.com/journal/mathematics
Mathematics 2023, 11, 3830 2 of 27

as an attribute, the scheme of Sahai and Waters is considered the first ABE scheme. In
ABE schemes, the data owner can use attributes to encrypt data, so there is no need to
use certificates. The concept of SPE was first introduced by Katz et al. [3] in 2017. In SPE
schemes, the data owner can select an attribute set to encrypt data, and the receivers can
decrypt it if and only if their attributes are subsets of the attribute set of the encrypted data.
Proxy re-encryption (PRE) is used to reduce file-sharing costs. To change the recipient
of the ciphertext from Alice to Bob, one may decrypt the ciphertext with Alice’s private key
and then encrypt it with Bob’s public key. However, this method is inefficient, and how
to directly convert the ciphertext becomes an issue. Therefore, the purpose of PRE is to
directly convert the ciphertext without decrypting it. The first PRE scheme was proposed
by Blaze et al. in 1998 [4]. In their scheme, a semi-trusted proxy is allowed to transform
the ciphertext for Alice into the ciphertext for Bob without changing the content of the
message, thereby reducing the computation and transmission costs of sharing files. On the
other hand, PRE can be used in combination with functional encryption. For example, the
first identity-based PRE scheme was proposed by Green and Ateniese [5] in 2007; the first
attribute-based PRE scheme was proposed by Liang et al. in 2009 [6].
Searchable encryption (SE) solves the problem that files cannot be searched after
encryption. Although encryption can protect data privacy, searching for encrypted data
takes effort. To solve this problem, Song et al. [7] proposed the first SE scheme in 2000,
whereas encrypted files are searchable. In 2004, Boneh et al. proposed the first SE scheme
with keyword search [8]. In Boneh et al.’s scheme, users can choose a keyword to search
for files. In 2007, Hwang and Lee [9] proposed SE that supports multi-keyword search,
increasing the flexibility of searchability.
On the other hand, due to the rapid development of quantum computers, some tradi-
tional encryption schemes are facing a crisis of being cracked. Due to the special properties
of quantum bits, quantum computers can perform parallel operations on large amounts of
data. Therefore, quantum computers can use their parallel computing capabilities to solve
some traditional hard problems on classical computers. In 1994, Shor proposed a quantum
algorithm [10] that can find the prime factors of a large integer. In addition, the discrete loga-
rithm problem, which is generally considered as difficult as the prime factorization problem,
is also considered to be at risk of being solved by quantum algorithms. Therefore, encryption
schemes based on such mathematical problems suffer from the risk of being cracked.
Lattice-based cryptography has been extensively researched and validated for security
on both classical and quantum algorithms. To resist quantum attacks, the National Institute
of Standards and Technology (NIST) launched a post-quantum cryptography standards
competition. In July 2022, the competition winner was Kyber [11], a lattice-based public-
key encryption algorithm. The competition result shows that lattice-based schemes are
generally considered to be effective against quantum attacks. Lattice-based cryptography
is considered quantum-resistant because it is based on mathematical problems that are
difficult for quantum computers to solve. Quantum computers cannot solve the shortest
vector problem exponentially faster than classical computers, which means that quantum
attacks would not be able to break the encryption schemes based on that problem. The
Learning with Errors (LWE) problem is also considered intractable for quantum computers.
In addition, no known quantum algorithm can break the Decisional Learning with Errors
(D-LWE) problem, which has applications in many fields.
Many lattice-based public-key cryptosystems have been proposed. In 1996, Ajtai [12] pro-
posed a one-way hash function based on the shortest vector problem. In 1997, Goldreich et al., pro-
posed the first public-key cryptosystem based on the closest vector problem. Hoffstein et al. [13]
proposed a public key encryption scheme called the Number Theory Research Unit (NTRU) in
1998. Although the security of NTRU is not formally proven, its computation cost is lower than
previous schemes. In 2005, Regev [14] proposed the LWE problem, which is at least as hard as
the worst case of the shortest independent vectors problem. Since then, most of the lattice-based
public-key cryptosystems published after 2005 were based on the LWE problem due to the low
Mathematics 2023, 11, 3830 3 of 27

computational cost required. Even the Kyber algorithm [11], the winner of the NIST post-quantum
competition, is based on the LWE problem.
One of the advantages of the lattice encryption algorithm is that it can provide func-
tional encryption. In 2008, Gentry et al., published an IBE scheme based on LWE. In 2013,
Boneh proposed the first lattice-based ABE scheme [15]. In 2014, Singh et al. proposed
the first identity-based PRE [16]. In 2019, Liu et al. [17] proposed an ABE protocol for
searchable keywords. In 2022, Wang et al. [18] proposed a searchable SPE scheme.
Outsourcing computation reduces the computation and transmission costs of the
data sender. In 2019 Zhang et al. [19] proposed a lattice-based SE support outsourcing
computation. In their scheme, DO will generate oriented keys and send them to PS. With
those keys, PS can prove that DO has authorized it to assist in encryption. With the
assistance of PS, DO can save some computation and transmission costs.
Some lattice-based SE schemes [17,20–22] use linear secret sharing scheme (LSSS) as the
access structure, but using LSSS under the LWE problem may cause problems. Because the
Gaussian elimination method used to solve the LSSS problem will generate coefficients that
cannot be guaranteed to be small enough, the decryption or search results after running LSSS
may be wrong. Therefore, LSSS-based schemes under the LWE problem cannot be realized in
practice. To avoid this problem, the proposed scheme uses a tree-based access structure.

1.1. Problem Statements

In summary, to improve the efficiency of cloud services, an encrypted file-sharing
scheme should meet the following features:
• The encryption should resist quantum attacks.
• The encrypted file should be searchable. Moreover, the scheme should support multi-
keyword to increase the flexibility of searchability.
• To reduce the file-sharing costs of the data owner, the scheme should support PRE.
• The encryption should avoid the cost of using certificates.
Unfortunately, no known scheme can achieve these features simultaneously. Therefore,
we propose a scheme to satisfy these features simultaneously.

1.2. Contributions
We proposed a multi-keyword searchable identity-based proxy re-encryption scheme
from lattices. To highlight the contributions, the features comparison between the proposed
scheme and other schemes is shown in Table 2. The proposed scheme is the first to offer the
following properties simultaneously:
• To resist quantum attacks, the security of the proposed scheme is based on the LWE
problem from lattices.
• The flexibility of searchability is increased through the proposed multi-keyword search
that supports AND and OR operations. The access structure is tree-based rather than
LSSS-based, avoiding possible errors in the decryption and search phases.
• KGC only needs to assist users in generating private keys during the registration phase.
The burden on the KGC is reduced since it does not involve other phases. Moreover, the
risk of KGC being attacked by adversaries through the network can be reduced.
• The proposed scheme supports PRE to reduce file-sharing costs of the data owner. The
concept of outsourcing computation is added to the scheme design. As the number of
data users increases, the costs required for the data owner remain the same, and the
proxy server will handle the increased workload.
• Users’ access rights are verified in both the search phase and the decryption phase to
prevent adversaries from illegally accessing files.
• The proposed scheme is identity-based, which avoids the cost of using certificates.
Mathematics 2023, 11, 3830 4 of 27

2. Preliminaries
The definitions of lattice, trapdoors, and hardness assumptions are shown here. Fur-
thermore, the access structure, system model, and security model of the proposed scheme
are presented here.

2.1. Lattices
Definition 1. An n-dimensional lattice Λ is defined as a set of linear combinations of m linearly
independent vectors a1 , a2 , ..., am ∈ Zn .

Λ = {∑im=1 xi ai | xi ∈ Z},

where {a1 , a2 , ..., am } is a basis of Λ, and the rank of Λ is m.

Definition 2. Given a prime number q, a basis A = {a1 , a2 , ..., am } ∈ Znq ×m , and a vector
u ∈ Znq .
Three types of lattices are defined as follows:

Λq (A) := v ∈ Zm | A> s = v mod q, s ∈ Zn



Λuq (A) := {v ∈ Zm | Av = u mod q}

Λ⊥ m
q ( A ) : = { v ∈ Z | Av = 0 mod q }

2.2. Discrete Gaussians

Definition 3. Given a Gaussian parameter α ∈ R+ , a vector c ∈ Rm , and L ∈ Zm .
• The discrete Gaussian distribution over L is
ρα,c ( x )
∀ x ∈ L, D L,α,c ( x ) = ρα,c ( L)
.

• The sum of all ρα,c ( x ) is

ρα,c ( L) = ∑ x∈ L ρα,c ( x ).

• The Gaussian function on Rm is

k x − c k2
ρα,c ( x ) = exp(−π α2
).

2.3. Inhomogeneous Short Integer Solution (ISIS)

Definition 4 (ISIS problem). Given a prime q, a random matrix A ∈ Znq ×m , a target vector
t ∈ Znq , and a parameter β ∈ R, the goal is to find a non-zero vector x ∈ Zm q such that
Ax = t mod q and kxk ≤ β.

The ISIS problem is a variant of the Shortest Vector Problem (SVP) in lattices, which
is known to be computationally hard. It falls within the class of NP-hard problems and
is believed to be resistant to efficient classical and quantum algorithms. Lattice-based
schemes often design public and private keys based on the ISIS problem. A and t are often
used as public parameters or public keys, while x is often used as a private key.

2.4. Decisional Learning with Errors (D-LWE)

Given a prime q, a Gaussian distribution χ over Zq , and a positive integer n. Assume
that there is a non-specified oracle O , which could be a truly uniform random sampler O$
or a noisy pseudo-random sampler Os . Os and O$ are defined as follows:
• Os : The noisy pseudo-random sampler Os outputs pseudo-random samples (ui , vi ) =
(ui , ui> s + ei ) ∈ Znq × Zq , where ei is sampled from χ, s ∈ Znq is a consistent secret
vector, and ui ∈ Znq is a uniformly random vector.
• O$ : The truly random sampler O$ outputs uniformly random samples in Znq × Zq .
Mathematics 2023, 11, 3830 5 of 27

Definition 5 (D-LWE problem). Given a polynomial number of samples from O . Decide whether
O is Os or O$ .

Definition 6. The advantage of an adversary A to break the D-LWE problem is defined as

Adv D− LWE ( A) = Pr [ AOs = 1] − Pr [ AO$ = 1]

Definition 7 (D-LWE Assumption). If no polynomial-time algorithm has a non-negligible ad-

vantage in solving the D-LWE problem, then the D-LWE assumption holds.

The D-LWE problem is widely regarded as a hard problem in lattice-based cryptogra-

phy. Many lattice-based cryptographic schemes, such as encryption, signatures, and key
exchange protocols, rely on the hardness of D-LWE for their security. As long as solving
the D-LWE problem is difficult, the security of those schemes will be guaranteed.

2.5. Trapdoor Functions

There are two types of trapdoor functions.Type 2 trapdoor functions are smaller, faster,
and better than Type 1 trapdoor functions. The type 2 trapdoor functions are based on
the one-way function proposed by Regev [23], and their security is constructed on the
hardness of the learning with errors problem (LWE). In 2012, Micciancio and Peikert [24]
proposed an efficient trapdoor generation function. Then, Genise and Micciancio [25]
gave improved algorithms in 2018. Therefore, the proposed scheme applies the trapdoor
generation functions [24,25] and introduces them here.
Given a prime q and two positive integers n, m. To obtain a trapdoor of a lattice, a
h i>
gadget vector g is defined as g = 1 2 4 · · · 2k−1 ∈ Z1q×k , where k = dlog2 qe.
Moreover, a gadget matrix G is defined as

g> ···
 
0 0
0 g> ··· 0 
G = In ⊗ g> =  .  ∈ Znq ×w , where w = nk.
 
.. ..
 .. 0 . . 
0 ··· 0 g>

Definition 8. (A, R) ← GenTrap(A0 , H)

0
Given a matrix A0 ∈ Znq ×m and an invertible matrix H ∈ Znq ×n . Output a matrix
0 ×w
A = [A0 | − A0 R + HG] ∈ Znq ×m and a trapdoor R ∈ Zm
q of A , where m = m0 + w.
√ p
Moreover, the trapdoor’s quality guaranteed that s(R) ≤ m · ω ( log q), where the function s()
extracts the Euclidean length of the input, and the little-omega notation ω () is an asymptotic notation.

Definition 9. x ← SampleD(A = [A0 | − A0 R + HG], H, R, t, σ)

0
Given a matrix A = [A0 | − A0 R + HG] ∈ Znq ×m , a trapdoor R ∈ Zm ×w of A, an invertible
matrix H ∈ Znq ×n , a target t ∈ Znq , and a Gaussian parameter σ. Output a vector x such that
Ax = t ∈ Znq .

The details of how to generate x with a gadget matrix G is described as follows:

1. Randomly choose a perturbation vector p ∈ Zm
q with σ, and divide p into two parts
0
p 1 ∈ Zm w
q and p2 ∈ Zq :
 
p1
p= .
p2
2. Compute
y1 = A0 (p1 − Rp2 ) ∈ Znq
y2 = Gp2 ∈ Znq ,
Mathematics 2023, 11, 3830 6 of 27

v = H−1 (t − y1 ) − y2 = H−1 (t − Ap) ∈ Znq .

q from Λq ( G ), and compute

Choose a vector z ∈ Zw
3. v



R
x = p+ z.
Iw

4. Output x.

0 0
Definition 10. R0 ← DelTrap(A = [A|A1 ], R, H , σ )
0 0
Given a matrix A = [A|A1 ] ∈ Znq ×m × Znq ×w (A1 is an arbitrary matrix), a trapdoor R ∈ Zm ×w of
0
A, an invertible matrix H0 ∈ Znq ×n , and a Gaussian parameter σ. Output a trapdoor R0 of A .

DelTrap will call SampleD repeatedly until getting a trapdoor R0 containing d linearly
0 0
independent vectors [y1 , ..., yd ] such that AR = H G − A1 .

2.6. Tree-Based Access Structure

In the proposed scheme, the data owner will choose a set of keywords KW while
encrypting data, and a data user may determine a keyword-search policy τ while generating
a search token. Moreover, the cloud server will send the encrypted data to the data user if
KW satisfies τ. The access structure in the proposed scheme is a tree-based access structure
supporting OR and AND gates.
Figure 1 shows an example of the tree-based access structure applied in the proposed
scheme. In the example, the keyword-search policy τ = (k1 ∪ k3 ∪ k5 ) ∩ (k6 ∩ k7 ), where
k i denotes the i-th keyword in the system. Here is how to generate Tτ,ki ∈ {−1, 0, 1}n×n ,
which will be used in the proposed scheme. First, the data user will set the value of the root
node as an identity matrix In . Second, since the root node has two child nodes and requires
an AND gate, the data user will compute two invertible matrices T1 , T2 ∈ {−1, 0, 1}n×n
such that T1 + T2 = In . Third, since T1 has three child nodes and requires an OR gate, the
data user will set Tτ,k1 = Tτ,k3 = Tτ,k5 = T1 . Fourth, since T2 has two child nodes and
requires an AND gate, the data user will compute two invertible matrices Tτ,k6 , Tτ,k7 ∈
{−1, 0, 1}n×n such that Tτ,k6 + Tτ,k7 = T2 . Finally, each Tτ,ki belonging to k i will be used
to generate a search token in the proposed scheme. If a keyword set KW = {k01 , k02 , . . . , k0o }
can exactly satisfy τ, then ∑io=1 Tτ,k0 = In . For example, in Figure 1, both {k1 , k6 , k7 } and
i
{k3 , k6 , k7 } can exactly satisfy τ, then Tτ,k1 + Tτ,k6 + Tτ,k7 = Tτ,k3 + Tτ,k6 + Tτ,k7 = In .

Figure 1. Example of a Tree-Based Keyword-Search Policy τ.

Mathematics 2023, 11, 3830 7 of 27

2.7. System Model

Figure 2 shows the system model of the proposed scheme. It includes five system
roles, and their behaviors are defined as follows.
• Key Generation Center (KGC): KGC is fully trusted and is responsible for system
setup and key distribution.
• Data Owner (DO): DO can pre-generate re-encryption keys and send them to PS before
the encryption phase. Then, in the encryption phase, DO computes the ciphertext, index,
and IDs (a set of DUs’ identities). Then, DO sends (ciphertext, index, IDs) to PS.
• Proxy Server (PS): PS is fully trusted and responsible for re-encryption. After receiv-
ing the re-encryption keys, ciphertext, index, and IDs from DO, PS re-encrypts the
ciphertext and index. Finally, PS sends the re-encrypted results to CS.
• Cloud Server (CS): CS is honest-but-curious and responsible for data storage and search.
• Data User (DU): DU can send a search request with a search token to CS to download
matching ciphertexts.

Figure 2. The System Model.

The proposed scheme consists of the following polynomial-time algorithms.

• ( MSK, PP) ← Setup(λ): Taking a security parameter λ as input, KGC outputs the
public parameters PP and the master secret key MSK.
• (SK ID ) ← KeyGen( PP, MSK, ID ): With a user’s identity ID and MSK as inputs, KGC
computes the private key SK ID of the user.
• ( RK IDx ← IDy ) ← Re-KeyGen(PP, IDx , IDy , SK IDx ): Taking DU’s identity IDy , and
SK IDx as inputs, the user IDx computes the re-encryption key RK IDx → IDy .
• (C IDx , I IDx ) ← Enc(PP, IDx , µ, KWID ): Taking an identity IDx , a one-bit message µ,
and a keyword set KWIDx as inputs, DO outputs the ciphertext C IDx and the index I IDx .
• (C IDy , IDy ) ← Re-Enc(PP, (C IDx , IDx ), IDy , RK IDx → IDy ,): Given the ciphertext C IDx ,
the index I IDx , DO’s identity IDx , DU’s identity IDy , and a re-encryption key RK IDx → IDy
as inputs, PS computes the re-encrypted ciphertext C IDy and re-encrypted index I IDy .
• ( TK, ID ) ← TokenGen(PP, ID, SK ID , τ): Taking a keyword-search policy τ, ID, and
SK ID as inputs, DU can compute the search token TK.
• (C ID or ⊥) ← Search( PP, TK, ID, (C ID , I ID )): Given TK, ID, and (C ID , I ID ) as inputs,
CS checks whether TK matches I ID . If the result matches, CS sends C ID to DU.
Otherwise, CS sends ⊥ to DU.
• (µ) ← Dec(PP, ID, SK ID , C ID ): With C ID and SK ID , DU decrypts C ID and gets the
plaintext µ.
Mathematics 2023, 11, 3830 8 of 27

2.8. Security Model

Based on the security requirements of cloud services, the proposed scheme achieves
indistinguishability under chosen plaintext attacks (IND-CPA) and indistinguishability
under chosen keyword attacks (IND-CKA). The security model is defined as the following
IND-CPA and IND-CKA games. Assume that A is a polynomial-time adversary, and the
simulator S simulates the games.

2.8.1. Ciphertext Security

The IND-CPA game is defined as follows:
• Init: A gives a target identity ID ∗ to S . S receives a polynomial number of samples
from the D-LWE oracle.
• Setup S initializes the system and sends public parameters PP to A.
• Phase 1 A can adaptively issue the following queries multiple times:
– H0 query: A gives an identity ID to S . S sends H0 ( ID ) to A.
– H1 query: A gives an identity ID to S . S sends H1 ( ID ) to A.
– KeyGen query A gives an identity ID. If ID = ID ∗ , S aborts it. Otherwise, S
sends SK ID to A.
– Re-KeyGen query A gives DO’s identity IDx and DU’s identity IDy . If IDx = ID ∗ ,
S aborts it. Otherwise, S sends RK IDx → IDy to A.
• Challenge: A submits two messages (µ0 , µ1 ) to S . S randomly chooses b ∈ {0, 1}.
Then, S computes the ciphertext C ID∗ related to µb . Finally, S sends C ID∗ to A.
• Phase 2: A may do more queries as in Phase 1.
0 0
• Guess: Finally, A answers a bit b . If b = b , A wins the IND-CPA game.

Definition 11. The advantage of A to win the IND-CPA game is defined as

1
Adv I ND−CPA (A) = Pr b0 = b −
 
2

Definition 12. If no polynomial-time adversary wins the IND-CPA game with a non-negligible
advantage, then the proposed scheme is IND-CPA secure.

2.8.2. Keyword-Search Security

The IND-CKA game is defined as follows:
• Init: A gives a target identity ID ∗ and two target keywords (k00 , k01 ) to S . S randomly
chooses b ∈ {0, 1} and will use k0b for the challenge. Furthermore, S receives a
polynomial number of samples from the D-LWE oracle.
• Setup S initializes the system and sends public parameters PP to A.
• Phase 1 A can adaptively issue the following queries multiple times:
– H0 query: A gives an identity ID to S . S sends H0 ( ID ) to A.
– H1 query: A gives an identity ID to S . S sends H1 ( ID ) to A.
– KeyGen query A gives an identity ID. If ID = ID ∗ , S aborts it. Otherwise, S
sends SK ID to A.
– Re-KeyGen query A gives DO’s identity IDx and DU’s indetiy IDy . If IDx = ID ∗ ,
S aborts it. Otherwise, S sends RK IDx → IDy to A.
– TokenGen query A gives an identity ID and a keyword-search policy τ. If (ID =
ID ∗ and (τ contains k00 or k01 )), S aborts it. Otherwise, S sends ( TK, ID ) to A.
• Challenge: A submits a signal to start the Challenge. S computes the index I ID∗
related to k0b . Finally, S sends I ID∗ to A.
• Phase 2: A may do more queries as in Phase 1.
0 0
• Guess: Finally, A answers a bit b . If b = b , A wins the IND-CKA game.
Mathematics 2023, 11, 3830 9 of 27

Definition 13. The advantage of A to win the IND-CKA game is defined as

1
Adv I ND−CKA (A) = Pr b0 = b −
 
2

Definition 14. If no polynomial-time adversary wins the IND-CKA game with a non-negligible
advantage, then the proposed scheme is IND-CKA secure.

3. Related Works
This section introduces a traditional SE scheme and some lattice-based schemes in
recent years. The features comparison between the proposed scheme and those schemes
will be shown in Section 6.

3.1. Huang et al.’s [26] Traditional Multi-Keyword Attribute-Based SE Scheme

Huang et al. [26] proposed a traditional multi-keyword attribute-based SE scheme
in 2022. Their scheme supports AND and NOT operators in keyword search queries.
Moreover, user access rights are verified during the decryption and keyword-search phases.
However, since the scheme is based on discrete logarithm hard problems, it cannot resist
quantum attacks. Since Huang et al.’s scheme uses traditional encryption, their scheme
will not be compared in computation and transmission costs.

3.2. Wang et al.’s [27] Public Key SE Scheme from Lattices

In 2020, Wang et al. [27] introduced a public key SE scheme, which supports conjunc-
tive keyword search (multi-keyword but only AND operators). Their multi-user scheme
uses a user’s identity’s hash value as its public key. Therefore, their scheme is IBE. However,
their scheme does not detail the decryption phase.

3.3. Attribute-Based SE Schemes from Lattices

Four attribute-based SE schemes are introduced here. Their access structures are all
LSSS, which may cause errors in decryption.

3.3.1. Liu et al.’s [17] Scheme

In 2019, Liu et al. [17] proposed an attribute-based SE scheme. Since their method
verifies user access rights only in the decryption phase, anyone can search the ciphertext
without authentication in the keyword-search phase. Although there are multi-keywords
in Liu et al.’s Encryption, the search token contains only one keyword. Liu et al.’s method
requires KGC to be online to help users generate search tokens. Moreover, the access
structure is LSSS, which may cause errors in decryption.

3.3.2. Varri et al.’s [20] Scheme

In 2021, Varri et al. [20] proposed an attribute-based SE scheme supporting multi-
keyword searches. Although their method verifies user access rights in the keyword-search
phase, all users use the same decryption key in the decryption phase. Although there are
multi-keywords in their Encryption, the search token contains only one keyword. Therefore,
the scheme does not support multi-keyword. Moreover, Varri et al.’s method also requires
KGC to be online to generate search tokens. Furthermore, the access structure is LSSS,
which may cause errors in decryption.

3.3.3. Chen’s [21] Scheme

In 2021, Chen [21] proposed an attribute-based SE scheme supporting dynamic mem-
bership management. His scheme is based on Wang’s scheme [28]. His method verifies user
access rights in both the decryption and the keyword-search phases. Moreover, his search
algorithm verifies ζ times to ensure that the user is valid. However, the access structure is
LSSS, which may cause errors in decryption. Moreover, the data user needs to know the
Mathematics 2023, 11, 3830 10 of 27

access structure of the data before generating a search token. The algorithms of his scheme
are shown as follows:

3.3.4. Wang’s [22] Scheme

In 2022, Wang [22] proposed an attribute-based multi-keyword SE scheme supporting
dynamic membership management. Her scheme is based on Chen’s scheme [21]. Therefore,
her scheme shares many similar features with Chen’s scheme, and the access structure is
LSSS, which may cause errors in decryption. Moreover, the keywords are only protected
by the hash function, which may be attacked by offline dictionary attacks.

3.4. Zhang et al.’s [19] Identity-Based SE Scheme from Lattices

In 2019, Zhang et al. [19] introduced an identity-based SE scheme, which reduces data
owners’ computation and transmission costs with a proxy mechanism. Users can generate
search tokens by themselves so that KGC can be offline. However, their scheme does not
detail the decryption phase. Moreover, DU needs to know which proxy PS sent the data
when generating a search token. Furthermore, CS needs a special public key of PS when
testing the search.

3.5. Wang et al.’s [18] Lattice-Based SE Schemes Supporting SPE

In 2022, Wang et al. [18] proposed a SE scheme supporting SPE. Their scheme verifies
user access rights during the decryption and keyword-search phases. Moreover, users
can generate search tokens in Wang et al.’s method. Although their method supports
multi-keywords, only OR operations are supported.

3.6. Lattice-Based SE Schemes Supporting PRE

Two lattice-based SE schemes supporting PRE are introduced here. Both schemes do
not support functional encryption.

3.6.1. Zhang et al.’s [29] Scheme

In 2021, Zhang et al. [29] introduced an SE scheme providing proxy re-encryption.
In their scheme, although users can generate search tokens by themselves, KGC must be
online to help users generate re-encryption keys. Moreover, their scheme does not detail
the decryption phase.

3.6.2. Hou et al.’s [30] Scheme

In 2022, Hou et al. [30] proposed a multi-keyword SE scheme with proxy re-encryption.
Their scheme supports semantic aware search in keyword search queries. However, like
Zhang et al.’s method, Hou et al.’s scheme does not detail the decryption phase and requires
KGC to be online to generate re-encryption keys.

4. Construction
This section presents the proposed multi-keyword searchable identity-based proxy
re-encryption scheme from lattices. The system model is defined in Section 2.7.

4.1. Algorithms
Table 1 shows the notations of the proposed scheme. Figure 3 presents the data flow
of the proposed scheme. To make the figure simple and easy to understand, Figure 3 only
shows the case of one DU. In actual situations, there may be multiple DUs, and DO should
provide a re-encryption key to PS for each DU. Then, PS will compute a re-encrypted
ciphertext and a re-encrypted index for each DU.
Mathematics 2023, 11, 3830 11 of 27

Table 1. Notations.

Notation Meaning
PP Public parameters
λ A security parameter
χ A Gaussian distribution
σ A Gaussian parameter
q A modulo prime number
n The dimension of a vector space
m The number of vectors of a basis
l The number of keywords
A key generated by DelTrap has w bits
w
more than the original private key
KW A keyword set
ki The i-th keyword
A0 A random matrix
A> The transpose of a matrix A
H An invertible matrix
u A random vector
H0 , H1 , H2 Hash functions
R A trapdoor of Λ⊥
q (A)

ID A user’s identity
IDs A set of users’ identities
SK ID The private key of ID
µ One-bit message
TK A Search token
τ A keyword-search policy
Tτ,ki An invertible matrix belongs to k i and is related to τ
f A flag used to determine search results

Figure 3. Data Flow of The Proposed Scheme.

Mathematics 2023, 11, 3830 12 of 27

The proposed scheme includes eight algorithms as follows (Appendix A).

• ( MSK, PP) ← Setup(λ)
Taking a security parameter λ, KGC sets up the system by the following steps:
1. Select a Gaussian distribution χ, a Gaussian parameter σ, a prime q, four integers
0
n, m0 , l, and w, a keyword set KW = {k i }1≤i≤l , a random matrix A0 ∈ Znq ×m , an
invertible matrix H ∈ Znq ×n , a random vector u ∈ Znq . Let m = m0 + w.
2. Select three hash functions H0 : {0, 1}∗ → Znq ×w , H1 : {0, 1}∗ → Znq ×n , and
H2 : {0, 1}∗ → Znq ×n , where the output of H1 or H2 is an invertible matrix.
3. Generate a matrix A = [A0 | − A0 R + HG] ∈ Znq ×m and a corresponding trapdoor
0
×w of Λ⊥ ( A ) by invoking GenTrap( A , H ) defined in Section 2.5, where
R ∈ Zm q q 0
G ∈ Znq ×w is a gadget matrix defined in Section 2.5.
4. Publish the public parameters PP = (χ, σ, q, n, m, l, w, KW = {k i }1≤i≤l , A,
H0 , H1 , H2 , u) and keep the master secret key MSK = R.
In GenTrap algorithm, G is a special matrix that is public. H can be an identity matrix
and be public. Due to the difficulty of solving the ISIS problem defined in Section 2.3,
even given A, A0 , H, and G, it is hard to find R. Therefore, only the trapdoor R needs
to be kept secret.
• (SK ID ) ← KeyGen( PP, MSK, ID )
With a user’s ID and MSK as inputs, KGC runs KeyGen to compute the user’s private
key SK ID by the following steps:
1. Compute A ID = H0 ( ID ) ∈ Znq ×w .
0
2. Set A ID = [A|A ID ].
3. Compute H ID = H1 ( ID ) ∈ Znq ×n .
0
4. Run DelTrap(A ID , R, H ID , σ) defined in Section 2.5 to generate R ID ∈ Zm×w such
that AR ID = H ID G − A ID , where R ID is a trapdoor of Λ⊥ q ([ A | A ID ]).
0 0
5. Run SampleD (R ID , A ID , H ID , u, σ) to generate x ID so that A ID x ID = u.
6. Set SK ID = {R ID , x ID }. and send it to the user.
0
A ID will be treated as the public key associated with the user ID. However, because
0 0
the number of bits of the matrix A ID is relatively high, directly storing A ID will
consume a large storage space. Therefore, users only need to store the ID, and when
users need to use A, they use the hash function to compute it. Anyone who knows the
0
user ID can compute the corresponding A ID . Similarly, users do not store H ID directly,
thereby reducing storage requirements. On the other hand, the determinants |R ID |
and |x ID | should be small. Otherwise, it will affect the correctness of the proposed
scheme. Since |R ID | and |x ID | need to be small, the difficulty for an adversary to
compute an effective private key is equivalent to solving the ISIS problem.
• ( RK IDx → IDy ) ← Re-KeyGen( PP, IDx , IDy , SK IDx )
With SK IDx , the user IDx can compute the re-encryption key RK IDx → IDy by the fol-
lowing steps:
1. Compute A IDx = H0 ( IDx ) ∈ Znq ×w .
0 n×(m+w)
2. Set A IDx = [A|A IDx ] ∈ Zq .
3. Compute A IDy = H0 ( IDy ) ∈ Znq ×w .
0 n×(m+w)
4. Set A IDy = [A|A IDy ] ∈ Zq .
5. Compute H IDx = H1 ( IDx ) ∈ Znq ×n .
0 0
6. Perform SampleD(R IDx , A IDx , H IDx , A IDy , σ) defined in Section 2.5 to get R IDx → IDy
0 0
such that A IDx R IDx → IDy = A IDy .
7. Set RK IDx → IDy = R>
IDx → IDy .
Mathematics 2023, 11, 3830 13 of 27

0
The concept of re-encryption is to compute a matrix R IDx → IDy so that the matrix A IDx
0
multiplied by R IDx → IDy will be equal to the matrix A IDy . Moreover, the determinant
|R>
IDx → IDy | should be small, so it can be ignored in the search results or the decryption
results. Otherwise, it will affect the correctness of those results. Since |R> IDx → IDy |
needs to be small, the difficulty for an adversary to compute an effective re-encryption
key is equivalent to solving the ISIS problem.
• (C IDx , I IDx ) ← Enc(PP, IDx , µ, KWID )
Taking a one-bit message µ ∈ {0, 1} and a keyword set KWIDx ⊆ KW = {k i }1≤i≤l ,
DO encrypts µ with its IDx by the following steps:
1. Compute A IDx = H0 ( IDx ) ∈ Znq ×w .
0 n×(m+w)
2. Set A IDx = [A|A IDx ] ∈ Zq .
3. Sample noises e1 , e3 ∈ χ and e2 , e4,1 , e4,2 , . . . e4,l ∈ χm+w .
4. Choose two secret vectors s, v ∈ Znq .
q
5. Compute C1IDx = u> s + µ 2 + e1 ∈ Zq .
0>
6. Compute C2IDx = A ID x
s + e2 ∈ Zqm+w .
7. Set the ciphertext C IDx = {C1IDx , C2IDx }.
8. Compute I1IDx = u> v + e3 ∈ Zq .
9. For i = 1 to l,
(a) if the keyword k i ∈
/ KWIDx ,
IDx
i. generate a random matrix I2,k ∈ Zm
q
+w .
i

(b) if k i ∈ KWIDx , perform the following steps:

i. Compute Hki = H2 (k i ) ∈ Znq ×n .
IDx 0
> H > v + e ∈ Zm + w .
ii. Compute I2,k = A ID x k 4,i q
i i

10. Set the index I IDx = { I1IDx , { I2,k

IDx
} 1≤ i ≤ l } .
i
11. Choose DUs’ identities IDs.
12. Send ((C IDx , I IDx , IDx ), IDs) to PS.
To reduce the computation and transmission costs of DO by outsourced computing,
DO encrypts the message with its public key. Then, DO sends the ciphertext, index,
and DUs’ IDs to PS. When the number of DUs increases, DO only needs to increase
the list of receivers without any other cost. Therefore, when the number of DUs is
large, the proposed scheme can effectively reduce the burden on DO.
• (C IDy , I IDy , IDy ) ← Re-Enc(PP, (C IDx , I IDx , IDx ), IDy , RK IDx → IDy ,)
Given the ciphertext C IDx , the index I IDx , DO’s identity IDx , DU’s identity IDy ∈ IDs,
and a re-encryption key RK IDx → IDy , PS can transfer (C IDx , I IDx ) to (C IDy , I IDy ) by the
following steps:
0 0 0 0
1. Sample noises e2 , e4,1 , e4,2 , . . . , e4,l ∈ χm+w .
IDy
2. Set C1 = C1IDx .
IDy 0
3. Compute C2 = RK IDx → IDy C2IDx + e2 .
IDy IDy
4. Set C IDy = {C1 , C2 }.
IDy
5. Set I1 = I1IDx .
IDx IDy 0
6. For i = 1 to l, compute I2,k = RK IDx → IDy I2,k + e4,i .
i i
IDy IDy
7. Set I IDy = { I1 , { I2,k }1≤i≤l }.
i
8. Upload (C IDy , I IDy , IDy ) to CS.
PS computes an independent re-encrypted ciphertext and re-encrypted index for each
DU. Moreover, the difficulty for an adversary to compute the re-encryption key from
the ciphertext (or index) and the re-encrypted ciphertext (or re-encrypted index) is
equivalent to solving the LWE problem.
Mathematics 2023, 11, 3830 14 of 27

• ( TK, ID ) ← TokenGen(PP, ID, SK ID , τ)

Taking a keyword-search policy τ and the private key SK ID , the user ID can compute
the search token TK by the following steps:
1. Compute A ID = H0 ( ID ) ∈ Znq ×w .
0 n×(m+w)
2. Set A ID = [A|A ID ] ∈ Zq .
3. n ×
Compute H ID = H1 ( ID ) ∈ Zq n .
4. According to τ, generate invertible matrices {Tτ,ki ∈ {−1, 0, 1}n×n }ki ∈τ . The
detail of how to generate {Tτ,ki }ki ∈τ is described in Section 2.6.
5. For i = 1 to l,
(a) if k i ∈ τ, then perform the following steps:
i. Compute Hki = H2 (k i ) ∈ Znq ×n .
ii. Compute the inverse matrix H− 1 −1
k i of Hk i , such that Hk i · Hk i = In ,
where In is an identity matrix.
0
iii. Perform SampleD(R ID , A ID , H ID , H− 1 >
k Tτ,k u, σ) to get wk i such
i i
0
that A ID wki = H− 1 >
k Tτ,k u. i i

6. Set the search token TK = (τ, {wki }ki ∈τ ).

7. Send ( TK, ID ) to CS.
In the proposed scheme, DU can generate tokens since it has a trapdoor specific to its
0
public key A ID . Therefore, KGC does not need to stay online to assist in generating
tokens. On the other hand, through the method mentioned in Section 2.6, if a keyword
set {k01 , k02 , . . . , k0o } can exactly satisfy the keyword-search policy τ, then ∑io=1 Tτ,k0 =
i
In . Therefore, TK generated by the TokenGen algorithm will make the following
0 0 >
equation hold: ∑io=1 w> A > H> = ∑io=1 (A ID wk0 )> H>
k0 ID k0 k0
= ∑io=1 u> Tτ,k0 H−
k0
1
H>
k0
=
i ii i i i i
∑io=1 u> Tτ,k0i = u> .
• (C ID or ⊥) ← Search( PP, TK, ID, (C ID , I ID ))
Given TK, ID, and (C ID , I ID ), CS checks whether TK matches I ID by the following steps:
1. According to the keyword-search policy τ, for any keyword set {k01 , k02 , . . . , k0o }
exactly satisfying τ, CS performs the following steps:
(a) Set z = 0.
(b) for i = 1 to l,
i. if k i ∈ {k01 , k02 , . . . , k0o },
A. compute z = z + w> ID
k I2,k . i i

(c) Compute f = |z − I1ID |.

q
(d) If f < 4 , send C ID to DU.
2. Return ⊥ to DU, if there are no matching search results.
By choosing appropriate parameter values, the size of the error term should be between
−q/4 and q/4. Therefore, if the search token matches the index, the search result f
should be less than q/4.
• (µ) ← Dec(PP, SK ID , C ID )
With the ciphertext C ID and private key SK ID , the user ID can decrypt C ID by the
following steps:
0
1. Compute µ = |C1ID − x> ID
ID C2 |.
0 q
2. If µ < 4 , return µ = 0; otherwise return µ = 1.
By choosing appropriate parameter values, the size of the error term should be between
0
−q/4 and q/4. Therefore, if the decrypted result µ is less than q/4, the plaintext
should be 0. Note that while DU may compute x ID with the trapdoor R ID , we
recommend DU to store x ID . Because computing it requires a SampleD operation,
storing x ID can reduce the computation cost for decryption.
Mathematics 2023, 11, 3830 15 of 27

4.2. Correctness
• Correctness in Search
Suppose ∑io=1 Tτ,k0 = In , which means that the keyword set {k01 , k02 , . . . , k0o } can exactly
i
satisfy the keyword-search policy τ. Note that In is an identity matrix.
f = |z − I1ID |
o
= | ∑ w> ID ID
k0 I2,k0 − I1 |
i i
i =1
o
0
= | ∑ (w> > > > >
k0 A ID Hk0 v + wk0 e4,i0 ) − ( u v + e3 )|
i i i
i =1
o o
>
= | ∑ u> Tτ,k0 H−
k0
1
k0 v + ∑ wk0 e4,i0 − u v − e3 |
H> > >
i i i i
i =1 i =1
o o
= | ∑ u> Tτ,k0 v + ∑ w> >
k0 e4,i0 − u v − e3 |
i i
i =1 i =1
o
= |u> v + ∑ w> >
k0 e4,i0 − u v − e3 |i
i =1
o
= | ∑ w>
k0 e4,i0 − e3 |
i
i =1
| {z }
error term
For the correctness of the search result, the absolute value of the error term must be
less than q/4.
• Correctness in Decryption
0
µ = |C1ID − x> C2ID |
jqk 0>
= |(u> s + µ + e1 ) − (x> A ID s + x> e2 )|
jqk2
= |u> s + µ + e1 − u > s − x > e2 |
2
q
= | µ b c + e1 − x > e2 |
2 | {z }
error term
For the correctness of the decryption result, the absolute value of the error term must
be less than q/4.

5. Security Proofs
The proposed scheme is IND-CPA secure in ciphertext security and IND-CKA secure
in keyword-search security based on the D-LWE assumption defined in Section 2.4. Proof
by contradiction is used to prove that the proposed scheme achieves IND-CPA security and
IND-CKA security. This section presents the details of security proofs.

5.1. Ciphertext Security

Theorem 1. The proposed scheme is IND-CPA secure in ciphertext security based on the
D-LWE assumption.

Proof. If there exists an adversary A that can win the IND-CPA game defined in Section 2.8.1
with a non-negligible advantage in polynomial time, then the simulator S can break the
D-LWE assumption with A by simulating the following game.
• Init: A gives a target identity ID ∗ to S . S chooses two integers (m0 , w) and sets m = m0 +
w. Then S receives (1 + m + w) samples (u0 , v0 ), (u1 , v1 ), (u2 , v2 ), . . . , (um+w , vm+w )
from the D-LWE oracle O , where each (ui , vi ) ∈ (Znq × Zq ).
• Setup:
– S chooses λ and runs Setup(λ) algorithm to generate the following parameters
and hash functions (χ, σ, q, n, l, KW = {k i }1≤i≤l , H0 , H1 , H2 ).
Mathematics 2023, 11, 3830 16 of 27

0
– S sets u = u0 , A0 = [u1 |u2 | . . . |um0 ] ∈ Znq ×m , and A1 = [um0 +1 |um0 +2 | . . . |um ] ∈
Znq ×w . Note that m = m0 + w.
– S computes an invertible matrix H and a small matrix R such that A1 = −A0 R +
HG, where G ∈ Znq ×w is a gadget matrix defined in Section 2.5.
– S sets MSK = R, A = [A0 |A1 ], and PP = (χ, σ, q, n, m, l, w, KW, H2 , A, u).
– Finally, S sends PP to A.
• Phase 1: A may adaptively issue the following queries.
– H0 query: A gives an identity ID to S .
* If ID 6= ID ∗ , S computes A ID = H0 ( ID ) ∈ Znq ×w and sends it to A.
* If ID = ID ∗ , S sets A ID∗ = [um+1 |um+2 | . . . |um+w ] ∈ Znq ×w and sends A ID∗
to A.
– H1 query: A gives an identity ID to S .
* If ID 6= ID ∗ , S computes H ID = H1 ( ID ) ∈ Znq ×n and sends it to A.
* If ID = ID ∗ ,
· if H ID∗ exists, S returns H ID∗ to A.
· else, S computes an invertible matrix H ID∗ and a small matrix R ID∗
such that AR ID∗ = H ID∗ G − A ID∗ . S stores H ID∗ and sends it to A.
– KeyGen query: A gives an identity ID to S .
* If ID 6= ID ∗ ,
· if SK ID exists, S returns SK ID to A.
· else, S runs KeyGen( PP, MSK, ID ) to generate SK ID . S stores SK ID
and sends it to A.
* If IDx = ID ∗ , S aborts it.
– Re-KeyGen query: A gives DO’s identity IDx and DU’s indetiy IDy to S .
* If IDx 6= ID ∗ , S runs Re-KeyGen(PP, IDx , IDy , SK IDx ) to generate RK IDx → IDy
and sends it to A.
* If IDx = ID ∗ , S aborts it.
• Challenge: A submits two different messages µ0 , µ1 ∈ {0, 1} to S . S performs the
following steps:
– S randomly chooses b ∈ {0, 1}.
∗
S computes C1ID = v0 + µb 2q ∈ Zq .
 
–
∗
– S sets C2ID = [v1 , v2 , . . . , vm+w ]> ∈ Zmq
+w .
∗ ∗
– S sets the ciphertext C ID∗ = {C1ID , C2ID } and sends it to A.
• Phase 2: A may do more queries as in Phase 1.
0 0
• Guess: A answers a bit b to S . If b = b , S answers the D-LWE assumption that the
samples are from the noisy pseudo-random sampler Os . Otherwise, S answers that
the samples are from the truly random sampler O$ .
If the samples from the D-LWE assumption are generated from Os , the ciphertext C ID∗
will be: jqk
∗
C1ID = v0 + µb
2
> q
= u 0 s + µ b b c + e0
2
q
= u > s + µ b b c + e0
2
Mathematics 2023, 11, 3830 17 of 27

∗
C2ID = [v1 , v2 , . . . , vm+w ]>
= [[u1 , . . . , um0 ]|[um0 +1 , . . . , um ]|[um+1 , . . . , um+w ]] > s + [e1 , e2 , . . . , em+w ]>
= [[A0 |A1 ]|A ID∗ ] > s + [e1 , e2 , . . . , em+w ]>
= [A|A ID∗ ]> s + [e1 , e2 , . . . , em+w ]>
= [A0 ID∗ ]> s + [e1 , e2 , . . . , em+w ]>

Therefore, the ciphertext simulated by S will conform to the format of the proposed
scheme. If A has a non-negligible advantage e to win the IND-CPA game defined in
Section 2.8.1, the probability that A can correctly guess b is ( 12 + e).
Otherwise, if the samples are from O$ , then the ciphertext C ID∗ is uniformly random.
In this case, the probability that A can correctly guess b is 12 .
Thus, the advantage for S to break the D-LWE assumption is

1 1
Pr [ AOs = 1] − Pr [ AO$ = 1] = ( + e) − =e
2 2

Therefore, if A has an advantage e to win the IND-CPA game, then S has an advantage
e to break the D-LWE assumption in polynomial time. Since the D-LWE assumption is a
hard problem, the proposed scheme achieves IND-CPA security.

5.2. Keyword-Search Security

Theorem 2. The proposed scheme is IND-CKA secure in keyword-search security based on the
D-LWE assumption.

Proof. If there exists an adversary A that can win the IND-CKA game defined in Section 2.8.2
with a non-negligible advantage in polynomial time, then the simulator S can break the
D-LWE assumption with A by simulating the following game.
• Init: A gives a target identity ID ∗ and two target keywords (k00 , k01 ) to S .
– S randomly chooses b ∈ {0, 1} and will use k0b for the challenge.
– S chooses two integers (m0 , w) and sets m = m0 + w. Then S receives (1 + m + w)
samples (u0 , v0 ), (u1 , v1 ), (u2 , v2 ), . . . , (um+w , vm+w ) from the D-LWE oracle O ,
where each (ui , vi ) ∈ (Znq × Zq ).
• Setup:
– S chooses λ and runs Setup(λ) algorithm to generate the following parameters
and hash functions (χ, σ, q, n, l, KW = {k i }1≤i≤l , H0 , H1 , H2 ).
0
– S sets u = u0 , B0 = [u1 |u2 | . . . |um0 ] ∈ Znq ×m , and B1 = [um0 +1 |um0 +2 | . . . |um ] ∈
Znq ×w . Note that m = m0 + w.
– S computes Hk0 = H2 (k0b ) ∈ Znq ×n and its inverse matrix H− k0
1
. Then S stores H− k0
1
.
b b b
– S computes the following matrices:
* A0 = H −
k0
1
B0 ,
b

* A1 = H −
k0
1
B1 .
b
Note that B0 = Hk0 A0 , and B1 = Hk0 A1 .
b b
– S computes an invertible matrix H and a small matrix R such that A1 = −A0 R +
HG, where G ∈ Znq ×w is a gadget matrix defined in Section 2.5.
– S sets MSK = R, A = [A0 |A1 ], and PP = (χ, σ, q, n, m, l, w, KW, H2 , A, u).
– Finally, S sends PP to A.
• Phase 1: A may adaptively issue the following queries.
– H0 query: A gives an identity ID to S .
* If ID 6= ID ∗ , S computes A ID = H0 ( ID ) ∈ Znq ×w and sends it to A.
Mathematics 2023, 11, 3830 18 of 27

* If ID = ID ∗ , S sets B ID∗ = [um+1 |um+2 | . . . |um+w ] ∈ Znq ×w . Then, S com-

putes A ID∗ = H− k0
1
B ID∗ and sends A ID∗ to A.
b

– H1 query: A gives an identity ID to S .

* If ID 6= ID ∗ , S computes H ID = H1 ( ID ) ∈ Znq ×n and sends it to A.
* If ID = ID ∗ ,
· if H ID∗ exists, S returns H ID∗ to A.
· else, S computes an invertible matrix H ID∗ and a small matrix R ID∗
such that AR ID∗ = H ID∗ G − A ID∗ . S sets SK ID∗ = R ID∗ and stores it.
Finally, S stores H ID∗ and sends it to A.
– KeyGen query: A gives an identity ID to S .
* If ID 6= ID ∗ ,
· if SK ID exists, S returns SK ID to A.
· else, S runs KeyGen( PP, MSK, ID ) to generate SK ID . S stores SK ID
and sends it to A.
* If IDx = ID ∗ , S aborts it.
– Re-KeyGen query: A gives DO’s identity IDx and DU’s indetiy IDy to S .
* If IDx 6= ID ∗ , S runs Re-KeyGen(PP, IDx , IDy , SK IDx ) to generate RK IDx → IDy
and sends it to A.
* If IDx = ID ∗ , S aborts it.
– TokenGen query: A gives an identity ID and a keyword-search policy τ to S .
* If (ID = ID ∗ and (τ contains k00 or k01 )), S aborts it.
* Else, S runs TokenGen( PP, ID, SK ID , τ ) to generate TK. Then S sends
( TK, ID ) to A.
• Challenge: A submits a signal to start the Challenge phase. S performs the following
steps:
∗
– S sets I1ID = v0 ∈ Zq .
ID ∗ = [ v , v , . . . , v
S sets I2,k > m+w .
– 0 1 2 m + w ] ∈ Zq
b
∗ ∗
– S sets the index I ID∗ = { I1ID , I2,k
ID } and sends it to A.
0
b

• Phase 2: A may do more queries as in Phase 1.

0 0
• Guess: A answers a bit b to S . If b = b , S answers the D-LWE assumption that the
samples are from the noisy pseudo-random sampler Os . Otherwise, S answers that
the samples are from the truly random sampler O$ .
If the samples from the D-LWE assumption are generated from Os , the index I ID∗ will be:
∗
I1ID = v0
= u0> s + e0
= u > s + e0
ID ∗
I2,k 0 = [ v1 , v2 , . . . , v m + w ] >
b

= [[u1 , . . . , um0 ]|[um0 +1 , . . . , um ]|[um+1 , . . . , um+w ]] > s + [e1 , e2 , . . . , em+w ]>

= [B0 |B1 |B ID∗ ] > s + [e1 , e2 , . . . , em+w ]>
= [(Hk0 A0 )|(Hk0 A1 )|(Hk0 A ID∗ )]> s + [e1 , e2 , . . . , em+w ]>
b b b

= (Hk0 [A0 |A1 |A ID∗ ]) s + [e1 , e2 , . . . , em+w ]>

>
b

= [A0 |A1 |A ID∗ ]> H>

k 0 s + [ e1 , e2 , . . . , e m + w ]
>
b
>
= [A|A ID∗ ] H>
k0b s + [ e1 , e2 , . . . , em+w ]
>

= [A0 ID∗ ]> H>

k 0 s + [ e1 , e2 , . . . , e m + w ]
>
b
Mathematics 2023, 11, 3830 19 of 27

Therefore, the index simulated by S will conform to the format of the proposed scheme.
If A has a non-negligible advantage e to win the IND-CKA game defined in Section 2.8.2,
the probability that A can correctly guess b is ( 21 + e).
Otherwise, if the samples are from O$ , then the index I ID∗ is uniformly random. In
this case, the probability that A can correctly guess b is 21 .
Thus, the advantage for S to break the D-LWE assumption is

1 1
Pr [ AOs = 1] − Pr [ AO$ = 1] = ( + e) − =e
2 2

Therefore, if A has an advantage e to win the IND-CKA game, then S has an advantage
e to break the D-LWE assumption in polynomial time. Since the D-LWE assumption is a
hard problem, the proposed scheme achieves IND-CKA security.

6. Comparison
Table 2 shows the features comparison between the proposed scheme and the schemes
introduced in Section 3. Moreover, this section presents a performance comparison of the
proposed scheme with other lattice-based searchable encryption schemes. Because some
schemes use one-bit plaintext or one recipient to illustrate their schemes, it is not easy to
make a completely fair comparison. For fairness, the plaintext in all schemes is set as a
one-bit message, and the number of receivers is 1. Moreover, values that do not specify the
meaning of parameters in all schemes will be set to m. The notations used for comparison
are shown in Table 3.

Table 2. Features Comparison.

Quantum Multi- Offline Proxy Authentication Not Functional

Resistant Keyword KGC Re-Encryption Decryption Search LSSS-Based Encryption

[26] % ! ! % ! ! ! ABE

[27] ! ! ! % % ! ! IBE
[17] ! % % % ! % % ABE
[20] ! % % % % ! % ABE
[21] ! % ! % ! ! % ABE
[22] ! ! ! % ! ! % ABE
[19] ! % ! % % ! ! IBE
[18] ! % ! % ! ! ! SPE
[29] ! % % ! % ! ! %
[30] ! ! % ! % ! ! %
Ours ! ! ! ! ! ! ! IBE
KGC denotes the key generation center. ABE denotes attribute-based encryption. IBE denotes identity-based
encryption. SPE denotes subset predicate encryption.

Table 3. Notations for Comparison.

Meaning
n The dimension of a vector space
m The number of vectors of a basis
q A modulo prime number
N N = (n + 1) log q
s The number of attributes used in ABE
s0 The number of bits of a set used in SPE
Mathematics 2023, 11, 3830 20 of 27

Table 3. Cont.

Meaning
β The number of random values to generate secret shares in LSSS
l The number of keywords
w A key generated by DelTrap has w bits more than the original private key
ζ A security parameter

6.1. Transmission Cost

We compare the ciphertext size, index size, and token size with other lattice-based
schemes. The transmission cost of the schemes are shown in Table 4.
• Ciphertext size: Since the proposed scheme uses DelTrap to achieve ID-based features,
the ciphertext size requires (m + w + 1) log q bits. On the other hand, all users use
the same key for decryption in [20], so its ciphertext size can be shorter than other
schemes. Moreover, [19,27,29,30] do not provide or detail the decryption phase.
• Index size: The proposed scheme supports multi-keyword search, which requires a
multiple of l more index sizes. Therefore, the index size of the proposed scheme is
(l (m + w) + 1) log q.
• Token size: The proposed scheme supports multi-keyword search, which requires a
multiple of l more token sizes. Therefore, the token size of the proposed scheme is
l (m + w) log q.
To compare, one can consider comparing single-keyword searches. One can set l = 1
and w = m. Then, in the proposed scheme, the ciphertext size is (2m + 1) log q, the index
size is (2m + 1) log q, and the token size is 2m log q. In this case, the proposed scheme
is only slightly worse than [19,29] in the part of the token size. Therefore, the proposed
scheme has a good performance in transmission cost.

Table 4. Comparison of Transmission Cost.

Ciphertext Size Index Size Token Size

Wang et al. [27] % (lm + 3m) log q m2 log q
Liu et al. [17] (2ms + 1) log q (2lm + l ) log q 2m log q
Varri et al. [20] (2m + n) log q (2lm + ns) log q 2m log q
Chen [21] (ms + 1) log q (ms + ζ ) log q (msζ ) log q
Wang [22] (ms + 1) log q (ms + ζ ) log q (msζ + l ) log q
Zhang et al. [19] % (1 + 2m) log q m log q
Wang et al. [18] (1 + m + s0 m) log q (m + s0 m + ζ ) log q 2ζm log q
Zhang et al. [29] % (2n + 2) log q m log q
Hou et al. [30] % ( N )2 (log q) ( N )2 (log q)
Ours (m + w + 1) log q (l (m + w) + 1) log q l (m + w) log q
% indicates that the scheme does not provide or detail the part.

6.2. Computation Cost

We compare the costs of “Encryption plus Index”, Decryption, TokenGen, and Search
with other lattice-based schemes. The details of computation cost are shown in Tables 5 and 6.
For fairness, we compare the amount of Tmul required for matrix multiplication in each scheme,
where Tmul denotes the computation cost of a multiplication operation in Zq . Tinv denotes
the cost of computing an inverse matrix. TH and T f la denote the cost of running a hash
function and a Flatten operation, respectively. Tbd , Tsd , Tsp , and Tsl denote the costs of running
algorithms BasisDel, SampleD, SamplePre, and SampleLeft, respectively. TdecFHE denotes the
decryption cost of fully homomorphic encryption. Tlsss denotes the cost of computing an
integer coefficient set in LSSS.
Mathematics 2023, 11, 3830 21 of 27

To compare, one can consider comparing single-keyword searches. One can set
l = 1 and w = m. Then, in the proposed scheme, the Encryption cost is 2TH + (4mn +
2n) Tmul , the Decryption cost is 2mTmul , the TokenGen cost is 3TH + Tinv + Tsd + 2n2 Tmul ,
and the Search cost is 2mTmul . In this case, the proposed scheme has good performance in
Decryption and Search costs but a higher cost in Encryption and TokenGen costs.

Table 5. Comparison of Computation Cost—Part 1.

Encryption + Index Decryption

[27] lTH + ((l + 2)mn + m) Tmul %
[17] lTH + n(l + 2lm + 2ms + 1) Tmul Tlsss + s(3 + 4m) Tmul
[20] lTH + (sβ + m2 + 2lmn + n) Tmul (2mn + 2m) Tmul
[21] ζTH + (sβ + 1 + n) + ζ (1 + n) + (s + 2mns) Tmul mnsTmul
[22] ζTH + (sβ + 1 + n) + ζ (1 + n) + (s + 2mns) Tmul mnsTmul
[19] 2TH + Tsp + Tinv + (2nm2 + mn) Tmul %
[18] (s0 mn + ζn + mn + n) Tmul 2mTmul
[29] TH + (n2 + mn + 4n) Tmul %
[30] T f la + ( N 3 + Nm2 ) Tmul %
Ours (l + 1) TH + (n(l + 1)(m + w) + 2n) Tmul (m + w) Tmul
% indicates that the scheme does not provide or detail the part.

Table 6. Comparison of Computation Cost—Part 2.

TokenGen (Trapdoor) Search (Test)

[27] lTH + mTsp (l + 2)m2 Tmul
[17] Tsl 2lmTmul
[20] Tsl Tlsss + l (s(2mn + 2)) + 2m) Tmul
[21] ζTH + ζTsp + Tlsss + ζsTmul ζmnsTmul
[22] ζTH + ζTsp + Tlsss + (sβ + ζs) Tmul 2Tlsss + ζ (2s + mns + 1) Tmul
[19] TH + Tbd + Tsp TH + (2mn) Tmul
[18] 2ζmTmul 2ζmTmul
[29] TH + Tsp 2(n + m2 + m) Tmul
[30] T f la + ( N 3 + Nm2 ) Tmul Tdec FHE
Ours (l + 2) TH + lTinv + lTsd + 2n2 Tmul l (m + w) Tmul

6.3. Summary
Compared with other schemes, the proposed scheme has good performance in trans-
mission cost. Although the proposed scheme has a slightly higher computation cost than
other schemes in the case of a single-keyword search, the proposed scheme is the first
to simultaneously support multi-keyword search, identity-based encryption, proxy re-
encryption, and offline KGC. Furthermore, it verifies the user’s access rights during the
decryption phase and the search phase. In addition, as the number of DUs increases, the
costs required for DO remain the same, and PS will handle the increased workload.
On the other hand, the type-2 trapdoor has smaller n and m than the type-1 trapdoor.
Our scheme uses the type-2 trapdoor, but other schemes [19,21,22,29] use the type-1 trap-
door BasisDel, which does not increase dimension when generating new basis. If they use
the type-1 trapdoor, then the comparison results will change. Therefore, the efficiency of
the proposed scheme will be relatively better in reality.
Mathematics 2023, 11, 3830 22 of 27

7. Conclusions
In this research, a multi-keyword searchable identity-based proxy re-encryption
scheme from lattices has been proposed. First, based on the D-LWE assumption, the
proposed scheme can resist quantum attacks. Second, it provides multi-keyword searcha-
bility with AND and OR operators, increasing the flexibility of keyword searches. Third,
KGC in the proposed scheme can be offline, avoiding the risk of being attacked by ad-
versaries through the network. Fourth, the proposed scheme supports PRE to reduce
file-sharing costs of the data owner. The costs of the data owner will remain the same as
the number of data users increases. Fifth, to prevent illegal access to files, the user’s access
rights are verified in both the search and decryption phases. Finally, the proposed scheme
is identity-based, avoiding the cost of using certificates.
Compared with other schemes, the proposed scheme has good performance in transmis-
sion cost. Although the proposed scheme has a slightly higher computation cost than other
schemes in the case of a single-keyword search, the proposed scheme supports multi-keyword
search, increasing the flexibility of keyword searches. In addition, the cost of the data owner
does not increase with the number of data users. In the future, we will try to reduce the
transmission and computation costs of the proposed scheme. Furthermore, future research
will be designing a new multi-keyword mechanism that supports threshold operations.

Author Contributions: Conceptualization, all authors; methodology, E.-S.Z.; software, E.-S.Z.; vali-
dation, all authors; formal analysis, all authors; investigation, E.-S.Z.; resources, E.-S.Z.; data curation,
E.-S.Z.; writing—original draft preparation, E.-S.Z.; writing—review and editing, C.-I.F.; visualization,
E.-S.Z.; supervision, C.-I.F.; project administration, C.-I.F.; funding acquisition, C.-I.F. All authors
have read and agreed to the published version of the manuscript.
Funding: This work was partially supported by the National Science and Technology Council (NSTC)
of Taiwan under grants 112-2634-F-110-001-MBK and 110-2923-E-110-001-MY3. It also was financially
supported by the Information Security Research Center at National Sun Yat-sen University in Taiwan
and the Intelligent Electronic Commerce Research Center from The Featured Areas Research Center
Program within the framework of the Higher Education Sprout Project by the Ministry of Education
(MOE) in Taiwan.
Data Availability Statement: Not applicable.
Conflicts of Interest: The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

IBE Identity-Based Encryption

ABE Attribute-Based Encryption
SPE Subset-Predicate Encryption
PRE Proxy Re-Encryption
SE Searchable Encryption
LWE Learning With Error
D-LWE Decisional Learning with Errors
ISIS Inhomogeneous Short Integer Solution
KGC Key Generation Center
DO Data Owner
DU Data User
PS Proxy Server
CS Cloud Server
IND-CPA INDistinguishability under Chosen Plaintext Attacks
IND-CKA INDistinguishability under Chosen Keyword Attacks
LSSS Linear Secret Sharing Scheme
NIST the National Institute of Standards and Technology
Mathematics 2023, 11, 3830 23 of 27

Appendix A
Here, the proposed scheme is presented in pseudo-code to make the algorithms easier
to understand.

Algorithm A1 Setup
Require: A security parameter λ.
Ensure: The public parameters PP and the master secret key MSK.
1: Select a Gaussian distribution χ, a Gaussian parameter σ, a prime q, and four integers n,
m0 , l, and w, a keyword set KW = {k i }1≤i≤l , a random matrix A0 , an invertible matrix
H, a random vector u.
2: Set m = m0 + w.
3: Select three hash functions H0 : {0, 1}∗ → Zn q
×w , H : {0, 1}∗ → Zn×n , and H :
1 q 2
∗ n × n
{0, 1} → Zq , where the output of H1 or H2 is an invertible matrix.
4: Generate a matrix A = [ A0 | − A0 R + HG ] and a corresponding trapdoor R of Λ⊥ q (A)
by performing GenTrap(A0 , H).
5: Set PP = (χ, σ, q, n, m, l, w, KW = { k i }1≤i ≤l , A, H0 , H1 , H2 , u ).
6: Set MSK = R.
7: Return ( PP, MSK ).

Algorithm A2 KeyGen
Require: PP, MSK, the user’s ID.
Ensure: The private key SK ID .
1: Compute A ID = H0 ( ID ) ∈ Zn ×w .
q
0
2: Set A ID = [A|A ID ].
3: Compute H ID = H1 ( ID ) ∈ Znq ×n .
0
4: Generate R ID = DelTrap(A ID , R, H ID , σ) so that AR ID = H ID .
0 0
5: Compute x ID = SampleD(R ID , A ID , H ID , u, σ) so that A ID x ID = u.
6: Set SK ID = { R ID , x ID }.
7: Return (SK ID ).

Algorithm A3 Re-KeyGen
Require: PP, SK IDx , the user’s IDx , the delegate’s IDy .
Ensure: The re-encryption key RK IDx → IDy .
1: Compute A IDx = H0 ( IDx ).
0
2: Set A ID = [ A | A IDx ].
x
3: Compute A IDy = H0 ( IDy ).
0
4: Set A IDy = [A|A IDy ].
5: Compute H IDx = H1 ( IDx ).
0 0 0
6: Compute R IDx → IDy = SampleD(R IDx , A ID , H IDx , A ID , σ) so that A ID R IDx → IDy =
x y x
0
A IDy .
7: Set RK IDx → IDy = R IDx → IDy .
8: Return RK IDx → IDy .
Mathematics 2023, 11, 3830 24 of 27

Algorithm A4 Encrypt
Require: PP, a one-bit message µ ∈ {0, 1}, a keyword set KWIDx ⊆ KW = {k i }1≤i≤l , and DO’s
identity IDx .
Ensure: The ciphertext C IDx , the index I IDx , IDx , and DUs’ identities IDs.
1: Compute A IDx = H0 ( IDx )
0
2: Set A ID = [A|A IDx ].
x
3: Sample noises e1 , e2 , e3 .
4: for i = 1 to l do
5: Sample a noise e4,i .
6: end for
7: Select two vectors s, v. q
ID
8: Compute C1 x = u> s + µ 2 + e1 .
ID 0 > s+e .
9: Compute C2 x = A ID 2
x
ID ID
10: Set C IDx = {C1 x , C2 x }.
ID
11: Compute I1 x = u> v + e3 ∈ Zq .
12: for i = 1 to l do
13: if k i ∈
/ KWIDx then
IDx
14: Generate a random matrix I2,k .
i
15: else
16: Compute Hki = H2 (k i ).
IDx 0>
17: I2,k = A ID x
H> k i v + e4,i .
i
18: end if
19: end for
20: Set I IDx = { I1IDx , { I2,k
IDx
}1≤ i ≤ l }.
i
21: Choose IDs.
22: Return ((C IDx , I IDx , IDx ), IDs)

Algorithm A5 Re-Enc
Require: (C IDx , I IDx , IDx ), IDy , and a re-encryption key RK IDx → IDy
Ensure: The re-encrypted ciphertext C IDy , the re-encrypted index I IDy , and IDy .
0
1: Sample a noise e2 .
2: for i = 1 to l do
0
3: Sample a noise e4,i .
4: end for
IDy
5: Set C1 = C1IDx .
IDy 0
6: Compute C2 = RK IDx → IDy C2IDx + e2
IDy IDy
7: Set C IDy = {C1 , C2 }.
IDy
8: Set I1 = I1IDx .
9: for i = 1 to l do
IDy IDx 0
10: Compute I2,k = RK IDx → IDy I2,k + e4,i .
i i
11: end for
IDy IDy
12: Set I IDy = { I1 , { I2,k }1≤i ≤l }.
i
13: Return (C IDy , I IDy , IDy )
Mathematics 2023, 11, 3830 25 of 27

Algorithm A6 TokenGen
Require: PP, SK ID , ID, R ID , and a keyword-search policy τ.
Ensure: A search token TK and ID.
1: Compute A ID = H0 ( ID ).
0
2: Set A ID = [ A | A ID ]
3: Compute H ID = H1 ( ID )
4: Generate invertible matrices { Tτ,k i }k i ∈τ according to τ.
5: for i = 1 to l do
6: if k i ∈ τ then
7: Compute Hki = H2 (k i ).
0
8: Compute Tk = T> τ,k u.
i i
00 0
9: Compute Tk = H− 1
k Tτ,k .
i i i
0 00 0
10: Compute wki = SampleD(R ID , A ID , H ID , Tk , σ) so that A ID wki = H− 1 >
k i Tτ,k i u.
i
11: end if
12: end for
13: Set TK = (τ, {wki }ki ∈τ ).
14: Return ( TK, ID ).

Algorithm A7 Search
Require: PP, TK, ID, and (C ID , I ID ).
Ensure: C ID or ⊥.
1: for any keyword set { k 01 , k 02 , . . . , k 0o } exactly satisfying τ do
2: Set z = 0.
3: for i = 1 to l do
4: if k i ∈ {k01 , k02 , . . . , k0o } then
5: Compute z = z + w> ID
k i I2,k i .
6: end if
7: end for
8: Compute f = |z − I1ID |.
q
9: if f < 4 then
10: Return C ID .
11: end if
12: end for
13: Return ⊥.

Algorithm A8 Dec
Require: PP, SK ID , and C ID .
Ensure: µ.
0
1: Compute µ = |C1ID − x> ID
ID C2 |.
0 q
2: if µ < 4 then
3: Set µ = 0.
4: else
5: Set µ = 1.
6: end if
7: Return (µ ).

References
1. Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the Workshop on the Theory and Application
of Cryptographic Techniques, Paris, France, 9–11 April 1984; Springer: Berlin/Heidelberg, Germany, 1984; pp. 47–53.
2. Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Proceedings of the Annual International Conference on the Theory and
Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Springer: Berlin/Heidelberg, Germany, 2005;
pp. 457–473.
Mathematics 2023, 11, 3830 26 of 27

3. Katz, J.; Maffei, M.; Malavolta, G.; Schröder, D. Subset predicate encryption and its applications. In Proceedings of the Cryptology
and Network Security: 16th International Conference, CANS 2017, Hong Kong, China, 30 November–2 December 2017; Springer:
Berlin/Heidelberg, Germany, 2018; pp. 115–134.
4. Blaze, M.; Bleumer, G.; Strauss, M. Divertible protocols and atomic proxy cryptography. In Proceedings of the Advances in
Cryptology—EUROCRYPT’98: International Conference on the Theory and Application of Cryptographic Techniques, Espoo,
Finland, 31 May–4 June 1998; Springer: Berlin/Heidelberg, Germany, 1998; pp. 127–144.
5. Green, M.; Ateniese, G. Identity-based proxy re-encryption. In Proceedings of the Applied Cryptography and Network
Security: 5th International Conference, ACNS 2007, Zhuhai, China, 5–8 June 2007; Springer: Berlin/Heidelberg, Germany, 2007;
pp. 288–306.
6. Liang, X.; Cao, Z.; Lin, H.; Shao, J. Attribute based proxy re-encryption with delegating capabilities. In Proceedings of the
4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia, 10–12 March 2009;
pp. 276–286.
7. Song, D.X.; Wagner, D.; Perrig, A. Practical techniques for searches on encrypted data. In Proceedings of the 2000 IEEE
Symposium on Security and Privacy, S&P, Berkeley, CA, USA, 14–17 May 2000; IEEE: Piscataway, NJ, USA, 2000; pp. 44–55.
8. Boneh, D.; Di Crescenzo, G.; Ostrovsky, R.; Persiano, G. Public key encryption with keyword search. In Proceedings of
the Advances in Cryptology-EUROCRYPT 2004: International Conference on the Theory and Applications of Cryptographic
Techniques, Interlaken, Switzerland, 2–6 May 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 506–522.
9. Hwang, Y.H.; Lee, P.J. Public key encryption with conjunctive keyword search and its extension to a multi-user system. In
Proceedings of the Pairing-Based Cryptography–Pairing 2007: First International Conference, Tokyo, Japan, 2–4 July 2007;
Springer: Berlin/Heidelberg, Germany, 2007; pp. 2–22.
10. Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual
Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; IEEE: Piscataway, NJ, USA, 1994;
pp. 124–134.
11. Bos, J.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS-Kyber:
A CCA-secure module-lattice-based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy
(EuroS&P), London, UK, 24–26 April 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 353–367.
12. Ajtai, M. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on
Theory of Computing, Hiladelphia, PA, USA, 22–24 May 1996; pp. 99–108.
13. Hoffstein, J.; Pipher, J.; Silverman, J.H. NTRU: A ring-based public key cryptosystem. In Proceedings of the International
Algorithmic Number Theory Symposium, Burlington, VT, USA, 13–18 June 2004; Springer: Berlin/Heidelberg, Germany, 1998;
pp. 267–288.
14. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the Thirty-Seventh Annual
ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005; pp. 84–93.
15. Boyen, X. Attribute-based functional encryption on lattices. In Proceedings of the Theory of Cryptography Conference, Tokyo,
Japan, 3–6 March 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 122–142.
16. Singh, K.; Rangan, C.P.; Banerjee, A. Lattice based identity based unidirectional proxy re-encryption scheme. In Proceedings of
the International Conference on Security, Privacy, and Applied Cryptography Engineering, Pune, India, 18–22 October 2004;
Springer: Berlin/Heidelberg, Germany, 2014; pp. 76–91.
17. Liu, L.; Wang, S.; He, B.; Zhang, D. A keyword-searchable abe scheme from lattice in cloud storage environment. IEEE Access
2019, 7, 109038–109053. [CrossRef]
18. Wang, P.; Chen, B.; Xiang, T.; Wang, Z. Lattice-based public key searchable encryption with fine-grained access control for edge
computing. Future Gener. Comput. Syst. 2022, 127, 373–383. [CrossRef]
19. Zhang, X.; Tang, Y.; Wang, H.; Xu, C.; Miao, Y.; Cheng, H. Lattice-based proxy-oriented identity-based encryption with keyword
search for cloud storage. Inf. Sci. 2019, 494, 193–207. [CrossRef]
20. Varri, U.S.; Pasupuleti, S.K.; Kadambari, K. CP-ABSEL: Ciphertext-policy attribute-based searchable encryption from lattice in
cloud storage. Peer Peer Netw. Appl. 2021, 14, 1290–1302. [CrossRef]
21. Chen, X.J. Lattice-Based Searchable Attribute-Based Encryption Supporting Dynamic Membership Management. Master’s Thesis,
National Sun Yet-sen University, Kaohsiung, Taiwan, 2021.
22. Wang, D.R. Multi-Keyword Searchable Attribute-Based Encryption Supporting Dynamic Membership Management from Lattices.
Master’s Thesis, National Sun Yet-sen University, Kaohsiung, Taiwan, 2022.
23. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM 2009, 56, 1–40. [CrossRef]
24. Micciancio, D.; Peikert, C. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Proceedings of the Annual Interna-
tional Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Springer:
Berlin/Heidelberg, Germany, 2012; pp. 700–718.
25. Genise, N.; Micciancio, D. Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In Proceedings of the Advances
in Cryptology–EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic
Techniques, Tel Aviv, Israel, 29 April–3 May 2018; Springer: Berlin/Heidelberg, Germany, 2018; pp. 174–203.
26. Huang, Q.; Yan, G.; Wei, Q. Attribute-based expressive and ranked keyword search over encrypted documents in cloud
computing. IEEE Trans. Serv. Comput. 2022, 16, 957–968. [CrossRef]
Mathematics 2023, 11, 3830 27 of 27

27. Wang, P.; Xiang, T.; Li, X.; Xiang, H. Public key encryption with conjunctive keyword search on lattice. J. Inf. Secur. Appl. 2020,
51, 102433. [CrossRef]
28. Wang, Y. Lattice Ciphertext Policy Attribute-based Encryption in the Standard Model. Int. J. Netw. Secur. 2014, 16, 444–451.
29. Zhang, E.; Hou, Y.; Li, G. A lattice-based searchable encryption scheme with the validity period control of files. Multimed. Tools
Appl. 2021, 80, 4655–4672. [CrossRef]
30. Hou, Y.; Yao, W.; Li, X. A Lattice-Based Semantic Aware Multi-Keyword Searchable Encryption for Multi-User Environments.
SSRN 2022. [CrossRef]

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.