Dual Fine-Grained Public-Key Searchable Encryption from Lattices

,


Introduction
Public-key encryption with keyword search (PEKS), first proposed by Boneh et al. (2004), allows users to search encrypted files by specific keywords with data privacy.The general PEKS is sufficient in some multi-user scenarios.However, in more real-world scenarios, we need some cryptographic primitives with access control to realize fine-grained schemes.Specifically, data senders need to flexibly control the search permission of data receivers, such that only by matching the attribute or the identity can data receivers search successfully, which is non-negligible in practical cloud computing.One of the solutions is applying identity-based encryption and attribute-based encryption to PEKS.Along with that, the dual access control variants go a step further in flexibility.For instance, in cloud computing, dual access control can comprise attribute-based access control for the user authentication and inner product access control for verification (Sheng, Wen, Guo, & Yin, 2013).Additionally, as a consideration, it is unacceptable to require users (data senders or data receivers) to be online permanently, which could be solved by delegation.In other words, a receiver is able to delegate his/her search permission to other users by adopting an access policy.
Although there have been a number of fine-grained PEKS schemes in the literature (Wang, Li, Li, & Xu, 2013, Shi, Lai, Li, Deng, & Weng, 2014, He et al., 2018, Zheng, Xu, & Ateniese, 2014), the security of them relies on the hardness of conventional assumptions (e.g., classical number-theoretic assumptions), which may be insecure against quantum adversaries.Subsequently, many scholars work on the schemes with quantum-resistant, especially lattice-based constructions.However, the existing lattice-based fine-grained PEKS scheme only offers single access control (Li, Ma, Zhang, Fan, & Li, 2019).Therefore, we are motivated to design the lattice-based PEKS scheme with fine-grained access control that supports dual access control.

Contribution
To address the above issues, in this work, we propose a lattice-based fine-grained PEKS scheme, which enjoys dual access control and unlimited keyword space.Our construction is provable in the standard model.Also, we present our implementation and experimental result.Table 1 gives the comparison between our and recent PEKS schemes in terms of access control, security, quantum-resistant and support for unlimited keyword space.Specifically, we list the main contribution of this paper as follows: 1. We define a dual access control PEKS primitive, which enables both data senders and data receivers to specify the search permission to the encrypted data.Dual access control in our scheme consists of attribute-based access control and inner product access control (two pairs of access control) simultaneously.Our concrete construction adopts the key homomorphic technique and the noise rerandomization to realize it.Concretely, the data sender generates the ciphertext corresponding to the keyword w by his/her attribute x and hidden access policy vector z.
The data receiver generates the trapdoor corresponding to the keyword w ′ by access policy f and public attribute vector y.Besides w = w ′ , the successful searching needs to satisfy f (x) = 0 and ⟨y, z⟩ = 0.
2. We present a security model for our proposed scheme: ciphertext indistinguishability which can resist the chosen keyword attacks with selective attribute and access policy (IND-sAF-CKA for short).Then we give the proof based on the hardness assumption from lattices in the standard model, which is quantum-safe.In addition, our construction supports unlimited keyword space by collision-resistant hash function (CRHF).
3. Furthermore, we give extensions and discussions of our proposed scheme to offer conjunctive keywords and delegation.In our design, data receivers could delegate their search permission to others.There are two approaches of delegation.For one thing, the data receiver can search successfully with access policy f and attribute vector y, he/she can generate a delegated key or delegated trapdoor for another data receiver.For another thing, the data receiver is able to delegate his/her trapdoor to others without revealing the search keyword.Boneh et al. (2004) first introduced the concept of PEKS and gave a concrete construction.Following that, Abdalla et al. (2005) revisited the PEKS and built the connection between PEKS and anonymous IBE, which has a certain impact on later PEKS schemes (Park, Kim, & Lee, 2004, Abdalla et al., 2005, Boneh, Kushilevitz, Ostrovsky, & Skeith, 2007, Bao, Deng, Ding, & Yang, 2008).Nevertheless, these PEKS schemes in single-user settings are unable to achieve more flexible and sophisticated search in multi-user settings for practical applications.Bao et al. (2008) offered security notions for multi-user settings as well as a provable construction.Besides, fine-grained access control is more desired in practical scenarios.A new primitive called ciphertext-policy attribute-based encryption with keyword search, proposed by Wang et al. (2013), solved the issue with secure construction from bilinear pairings.Aiming at the search permission about keywords, not just users' attributes, Shi et al. (2014) proposed an authorized keyword search scheme inspired by the dual-policy attribute-based encryption scheme.Similarly, He et al. (2018) proposed a searchable encryption primitive with attribute-based access control for hybrid boolean keyword search.Moreover, Zheng et al. (2014) proposed a variant keyword search scheme with verification.However, the above schemes are vulnerable to be against quantum attacks.For designing quantum-safe schemes, lattice-based constructions, especially based on LWE problem, are effective alternatives (Regev, 2006).Behnia et al. (2018) presented an LWE-based PEKS scheme by combining IBE (Agrawal, Boneh, & Boyen, 2010) and general transformation (Abdalla et al., 2005).However, the keyword space in this scheme is limited.
Another LWE-based PEKS scheme with limited keyword space was presented by Xu et al. (2019), which realized the identity-based feature.Both of (Behnia et al., 2018) and (Xu et al., 2019) offer provable security in the standard model.Also, there are some fine-grained schemes in the random oracle model.Zhang et al. (2019) provided an identity-based PEKS scheme with a delegation that needs a proxy in the system model.The proxy is authorized by an original data sender and delegates encrypted data.However, this work has a dispute over security recently (Liu, Tseng, Tso, & Lee, 2021).Li et al. (2019) proposed a key policy attribute-based keywords search scheme based on LWE problem and the scheme is proven against chosen keyword attacks and keyword guessing attacks in the random oracle model, which integrates the key homomorphic technique from (Boneh et al., 2014) and construction technique from (Agrawal et al., 2010).

Paper Organization
The rest of this paper is organized as follows.Preliminaries are shown in Section 2 for listing the background of lattices, algorithms for sampling and key homomorphic features.In Section 3, we give the formal definition and security model for our proposed scheme.The construction and correctness analysis are described in Section 4. In Section 5, we prove our proposed scheme in the standard model by games.In Section 6, we illustrate the performance of our scheme in terms of computation and storage.Section 7 presents the extensions and discussions of our proposed scheme.We conclude in Section 8.

Notations.
Let λ be the security parameter.For integer n, let [n] = 1, . . ., n.We use bold capital letters to denote matrices, such as A, B. Correspondingly, we denote vectors as bold lowercase letters, such as x, y.We denote the matrix of horizontally (resp.veritically) as (A|B) (resp.(A||B)).

Lattices Preliminaries
Lattices.For any matrix A ∈ Z n×m q and any vector u ∈ Z n q , we define Λ ⊥ q (A) := {e ∈ Z m : Ae = 0 mod q}, Λ u q (A) := {e ∈ Z m : Ae = u mod q}.
Norms.For any vector x, we use ∥x∥ to denote its l 2 norm.For any matrix A, ∥A∥ denotes the maximum of the l 2 norm over the columns of A. ∥A∥ 2 denotes the operator norm of A defined as ∥A∥ 2 = sup ∥x∥=1 ∥Ax∥.A denotes its Gram-Schmidt orthogonalization.
In addition, s 1 (A) denotes the largest singular value of A. There is a lemma corresponding to computation of the largest singular value: Lemma 1 (Ducas & Micciancio, 2014) Let X ∈ R n×m be a subgaussian random matrix with parameter s.There exists a universal constant C ≈ 1 √ 2π such that for any t ≥ 0, we have s 1 (X) ≤ Cs( The following definitions and corollaries are taken from (Brakerski & Vaikuntanathan, 2016).
Definition 2 A distribution χ supported over Z is (B, ϵ)-swallowing if for all y ∈ [−B, B] ∩ Z it holds that χ and y + χ are within ϵ statistical distance.
Learning with errors (LWE).(Regev, 2009) Let q be a prime, χ be a distribution over Z q and s be uniformly random over Z n q .For an integer m, The LWE q,χ,n problem is to distinguish between the distributions (A, A T s + e) and (A, u) where (Regev, 2009) Let α = α(n) ∈ (0, 1) and let q = q(n) be a prime such that αq > 2 √ n.If there exist an efficient algorithm that solves LWE q,α , then there exists an efficient quantum algorithm for approximating SIVP and GapSVP in the l 2 norm with O(n/α) factors in the worst case.
Inhomogeneous short integer solutions (ISIS).(Gentry, Peikert, & Vaikuntanathan, 2008) Given A ∈ Z n×m q and y ∈ Z n q , find e ∈ Z m satisfying Ae = y mod q and ∥e∥ ≤ β where β is a small value normally.Theorem 1 (Gentry et al., 2008) There is a probabilistic polynomial time algorithm SampleD that, given a basis B of an n-dimensional lattice Λ, a parameter s ≥ ∥ B∥ • ω( √ logm), and a center c ∈ R n , outputs a sample from a distribution that is statistically close to D Λ,s,c .
Proposition 2 (Ajtai, 1999, Micciancio & Goldwasser, 2002) For any prime q = poly(n) and any m ≥ 5nlogq, there is a probabilistic polynomial time algorithm that outputs a matrix A ∈ Z n×m q and a full-rank set S ⊂ Λ ⊥ q (A), where the distribution of A is statistically close to uniform over Z n×m q and the length ∥S∥ ≤ L = m 2.5 .Also, S can be converted efficiently to a basis T of Λ ⊥ q (A) such that ∥T∥ ≤ ∥S∥ ≤ L.
Lemma 2 (Cai, 1998) For any arbitrary integer lattice Λ, it holds that: with the minimum is over all (ordered) bases B of lattice Λ where Λ * is dual lattice of Λ.
Lemma 3 (Agrawal et al., 2010) Let q be a prime and m > (n + 1)logq + ω(logn).Let S be chosen uniformly from {−1, 1} m×k mod q, with k polynomial in n.Let A and B be chosen uniformly from Z n×m q and Z n×k q respectively.Then, for every e ∈ Z m q , it holds that the distributions (A, AS, S T e) and (A, B, S T e) are statistically close.Trapdoor generators.The following lemmas state properties of algorithms for generating short basis of lattices.
Lemma 4 (Gentry et al., 2008) Let n, m, q > 0 be integers with q prime and m = Θ(nlogq).There is a probabilistic polynomial time (PPT) algorithm TrapGen defined as follows: Inputs: a security parameter n, an integer m such that m = Θ(nlogq), and a prime modulus q.
Outputs: a matrix A ∈ Z n×m q and a basis T A ∈ Z n×m q for Λ ⊥ q (A) such that the distribution of A is close to uniform with negligible probability and Lemma 5 (Boneh et al., 2014) Let n, m, q > 0 be integers with q prime.There are two deterministic polynomialtime(DPT) algorithms ExtendRight and ExtendLeft defined as follows: • ExtendRight(A, T A , B) : • ExtendLeft(A, G, T G , S) : and a basis T G of Λ ⊥ q (G). Outputs: In addition, for m = n⌈logq⌉ there is a fixed full-rank matrix G ∈ Z n×m q s.t. the lattice Λ ⊥ q (G) has a publicly known basis where BD is a deterministic algorithm defined in (Boneh et al., 2014).
Lemma 7 (Gentry et al., 2008) (Preimage Samplable Functions) For any prime q = poly(n), any m ≥ 5nlogq, and any s ≥ L • ω( √ logm) (L be as in Proposition 2), it holds that the following distributions D 1 , D 2 are statistically close: and returns e 1 + e 2 ∈ Z m q .If s > s 1 (R), the distribution (Re + e ′ ) and the distribution e ′′ ← D m,2sσ are statistically close, where e ← D t,σ and e ′ ← NoiseGen(R, s).(Boneh et al., 2014) For integers n and q = q(n), let m = Θ(nlogq), G ∈ Z n×m q be the gadget matrix from Lemma 5.For x ∈ Z q , B ∈ Z n×m q , s ∈ Z n q and δ > 0 define the set

Key Homomorphic Features
There are three efficient deterministic algorithms Eval pk , Eval ct , Eval sim that implement the key homomorphic features and satisfy the following properties with respect to some family of functions F = { f : Z l q → Z q } and a function α F : Z → Z.
) with all but negligible probability.

Definition and Security Model
In this section, we introduce the system model of our proposed primitive for cloud computing, which is based on the classical model of PEKS and consists of four entities: a data sender, a data receiver, a trusted authority and a server: • Data sender: A data sender who sends his/her encrypted data (ciphertext) to the server by adopting access control.
A data sender has a vector as a public attribute, and a secret vector as an access policy vector.
• Data receiver: A data receiver who retrieves outsourced data after sending the trapdoor corresponding to keywords to the server.A data receiver has a public access policy and a public vector as an attribute vector.
• Trust Authority: An authority who generates a master public key, master secret key, and secret key for data receivers with access policy.
• Server: An entity that offers storage and searches for encrypted data.
We give the definition of our proposed primitive as follows: Definition 3 Our fine-grained PEKS scheme consists of five polynomial time algorithms: • Setup(1 λ ) → (mpk, msk).The setup algorithm takes the security parameter λ as input, and outputs the master public key mpk with the master secret key msk.
• KeyGen(mpk, msk, f ) → sk f .The key generation algorithm takes the master public key mpk, master secret key msk and access policy f of data receiver as input.It outputs the secret key sk f corresponding to f .
• Trapdoor(sk f , f, w, y) → R. The trapdoor generation algorithm takes the secret key sk f corresponding to access policy f , keyword w and attribute vector y corresponding to data receiver.It outputs a trapdoor R.
• Enc(mpk, w ′ , x, z) → ct.The encrypt algorithm takes the master public key mpk, keyword w ′ , attribute x of data sender and access policy vector z corresponding to data sender.It outputs the ciphertext ct.
• Test(mpk, ct, R) → 0/1.The test algorithm takes the master public key mpk, ciphertext ct and trapdoor R. It outputs the 1 for successful search or 0 for failed search.
Correctness.For any keyword w, attribute x, attribute y, access policy z and any honestly generated master public key mpk and secret key sk f corresponding to access policy f , we require that Test(mpk, ct, R) outputs 1, where ct ← Enc(mpk, w ′ , x, z), R ← Trapdoor(sk f , f, w, y),⟨y, z⟩ = 0, w = w ′ , and f (x) = 0.
We give a security model definition of our scheme: ciphertext indistinguishability which can resist the chosen keyword attacks with selective attribute and access policy (IND-sAF-CKA).We first give the definition of IND-sAF-CKA as follows: Definition 4 Game IND-sAF-CKA: • Setup: The adversary A sends a challenge attribute x * and access policy f * such that f * (x * ) = 0 to challenger C. The challenger C computes (mpk, msk) ← Setup(1 λ ) and sends mpk to the adversary A.
• Query Phase 1.The adversary A can make trapdoor queries ( f, y, w) for trapdoor oracle OT rapdoor() and key queries f for key oracle OKeyGen(), that is A OT rapdoor(),OKeyGen() with the restriction that f (x * ) 0 or f = f * .
• Query Phase 2. The same as Query Phase 1.
• Guess Phase.The adversary A outputs the guess bit β ′ .
The adversary A wins the above game if β = β ′ .We can define the advantage of

Our Construction
We define a CRHF H : {0, 1} * → Z n×m q , y ∈ {0, . . ., Y} k , z ∈ {0, . . ., Z} k .|⟨y, z⟩| < kYZ.A keyword is w.The length of the attribute x is l.we denote B is a public matrix corresponding to keywords and choose l matrixs {A i } i∈ [l] corresponding to the attribute.Before presenting details of our construction, we give a technique overview for better understanding.
Technical Overview.Our proposed scheme is inspired by the key homomorphic technique in Boneh et al. (2014) and the noise rerandomization used in inner product encryption (Agrawal, Libert, & Stehle, 2016).Note that, we call the inner product encryption scheme in (Agrawal et al., 2016) as ALS scheme.First, we adopt ExtendRight and RandBasis to generate the secret key for the user with access policy.In addition, for generating the trapdoor corresponding to the keyword, we continue to use ExtendRight and RandBasis algorithms.Besides that, the algorithm SamplePre connects the trapdoor generation and the encryption by a random matrix.In the encryption phase, the ciphertext consists of three parts corresponding to LWE instances, the one is corresponding to the attribute, another is corresponding to the (private) attribute vector and ciphertext in ALS scheme, and the rest is corresponding to the keyword.
We show our concrete construction as follows (the relevant parameters are described after correctness): Setup(1 λ ) : Take as input a security parameter λ.The trust authority computes the master public key and master secret key as follows: 1. Generate (A, T A ) from TrapGen(n, m, q).
4. Output the master public key and master secret key KeyGen(mpk, msk, f ) : Take as input a master public key mpk, a master secret key msk and an access policy f .The trust authority computes the secret key corresponding to the access policy f as follows: 1. Compute A f = Eval pk ( f, (A 1 , . . ., A l )).

Sample a random basis
3. Output the secret key sk f = T f .
Trapdoor(sk f , f, w, y) : Take as input a secret key corresponding to access policy f , an access policy f , a keyword w and attribute vector y.The data receiver computes the trapdoor corresponding to the access policy f , the keyword w and the attribute vector y as follows: 1. Compute A f = Eval pk ( f, (A 1 , . . ., A l )).

Sample a random basis
where 4. Output the trapdoor R = (y, r f,y,w ) where r f,y,w = R f,w y.
Enc(mpk, w, x, z) : Take as input a master public key mpk, a keyword w, an attribute x and an access policy vector z.
The data sender computes the ciphertext corresponding to the keyword w, the attribute x and the access policy vector z as follows: q where x = (x 1 , . . ., x l ).

Sample four noise vector e
Test(mpk, ct, R) : Take as input a master public key mpk, a ciphertext ct and a trapdoor R. The server tests the searching as follows: 1.If f (x) 0, the searching is abort, otherwise do as follows: 2. Parse ct = (c H , c D , c w ), R = (y, r f,y,w = R f,w y) and c H = (c 0 , c 1 , . . ., c l ).
Correctness.We consider correctness in our scheme as follows: where e ′ = (e 1 |e f |S T w e 1 ).If f (x) = 0 and ⟨y, z⟩ = 0, the test process returns 1, otherwise returns 0. We have that ∥e For the correctness and security of our proposed scheme, we give the setting of parameters as follows: • m ≥ 6nlogq.
where q is prime.

Security Analysis
In this section, we consider the security of our proposed scheme.The proof idea of IND-sAF-CKA is inspired by inner product functional encryption (IPFE) schemes (Agrawal et al., 2016, Abdalla, Catalano, Gay, & Ursu, 2020, Pal & Dutta, 2021), but we makes some modifications and improvements to them, which is suitable for our security requirements.
Recall that, besides naming the inner product encryption scheme in (Agrawal et al., 2016) as ALS scheme, the challenger in the security proof of ALS scheme is referred to as ALS challenger.
Theorem 2 Our proposed scheme with parameters as above is IND-sAF-CKA secure provided that the LWE q,α,n assumption holds.
Proof.Although we can give the reduction between our scheme and LWE assumption, for succinct proof, we use oracles from the scheme in Agrawal et al. (2016) (Since the scheme in Agrawal et al. (2016) is under LWE problem and the proof idea of our scheme follows it).
Game 0: This game is identical to the real game described above.
Game 1: This game is identical to the Game 0 except that the challenger C select a uniformly random matrix A ∈ Z n×m q , instead of sampling (A, T A ) ← TrapGen(n, m, q).This game is inefficient since we must enumerate all short possible basis T A of Λ ⊥ q (A) and use one of short basis to answer key queries and trapdoor queries.For realizing that, we use Lemma 2 and Theorem 1 with appropriate parameters set in Parameters to ensure that the lattice spanned by A has a short basis.By Lemma 4, this game is indistinguishable from the previous one.
Game 2: This game is identical to the Game 1 except that the answer of the trapdoor queries.For the trapdoor queries, the challenger C programs the D. First, We can apply Lemma 7 and argue that D 1 is close to uniformly random over Z n×k q statistically, so D is also close to uniformly random over Z n×k q statistically.C can answer the trapdoor queries with r f,y,w = Z • y where the distributions of Z and real R f,w are the same (D 3m×k,σ ) by Lemma 6; otherwise, if A make queries for ( f, w, y) and f (x * ) 0, C computes A f , T f,w , R f,w and R the same as the real algorithm Trapdoor.
Game 3: This game is identical to the Game 2 except that the For trapdoor queries and key queries, the adversary A first make a polynomial number of key queries on After that, C can answer the key queries which is identical to the previous game.By Lemma 3, this game is statistically indistinguishable from the Game 2.
Game 4: This game is identical to the Game 3 except that the challenger C is efficient.In this game, the short basis T A is not required in key queries and trapdoor queries.Both the trapdoor queries ( f, y, w) and key queries f should satisfy 3 ) to answer the trapdoor as Z • y that is identical to the previous game.If f (x * ) = y 0, the challenger computes The challenger can return T f for key queries with f (x * ) = y 0. Furthermore, the challenger computes ) and outputs trapdoor R f • y.By Lemma 5 and Lemma 6, the public parameters and queries are statistically close to the previous game.
Game 5: This game is identical to the Game 4 except that the ciphertext corresponding to keyword is replaced with the uniform one from Z m q .Follow the LWE definition in (Regev, 2009), this game is indistinguishable to Game 4 computationally.
Game 6: In this game, we use the security proof of ALS scheme described in (Agrawal et al., 2016) to get the indistinguishability of challenge ciphertext.we recall that we consider the interaction between the challenger C and the ALS challenger for succinct proof.The challenger C receives public key (A ALS , D ALS ) from the ALS challenger and target f * , x * from the adversary A. The challenger C can simulate the view of the adversary A as follows: ).The challenger C sends the master public key mpk = (A, B, A 1 , . . ., A l , D).
• Key queries: These key queries are the same as ones in the previous game.
• Trapdoor queries: The adversary A queries for f, w, y.If f = f * , the challenger asks decryption key sk y for y from the ALS challenger.When the challenger obtains sk y , it returns r f,w,y = (sk T y ||Z 2 y||Z 3 y).Otherwise, the output is identical to the previous game. where Then the challenger computes by features in Section 2.4.Note that c * w corresponding to the keyword is identical to the one in Game 5.
It remains to show that Game 5 is indistinguishable from Game 6.First, we consider the master public key and secret key for queries.In the ALS scheme, Then we notice that we can rewrite the ciphertext as follows: Also, we consider the c * D as follows: Note that, by Corollary 1 and Lemma 8, the noise Z T 2 (e f * + e ′ 3 ) + NoiseGen(Z T 2 , s) and Z T 3 e 1 + NoiseGen(Z T 3 , s) in c * D is statistically close to e 3 and e 4 respectively (in real scheme), so we have c * D = D T s + e 2 + e 3 + e 4 + ⌊q/K⌋ • z β .Finally, all ciphertexts are indistinguishable between Game 5 and Game 6.From what has been discussed above, we may safely draw a conclusion that, the first game Game 0 and the last game Game 6 are indistinguishable computationally, so the theorem is proved.

Performance
In this section, we present the performance of our scheme in terms of computation and storage.

Theoretical Performance
The costs of computation and storage listed in Table 2 and Table 3 are  Let T exppairing denotes the exponentiation computation in prime-order group G T .Let T mul denote the computation cost of multiplication operation in Z q .Let κ denotes the length of keyword.Let λ denotes the security parameter.Let T pkf and T ctf denote the computational cost of Eval pk and Eval ct respectively.Additionally, we consider the following scalar in (He et al., 2018): S is the number of user's attributes; W is the number of keywords in the ciphertext; N is the number of attributes in the access structure of the ciphertext, M is the number of keywords in the access structure of the search token.
Table 2 presents the comparison of computational cost.We use similar techniques to Li et al. (2019), so the approximate computational cost can be observed obviously.However, we achieve more complex access control which is dual finegrained including functional access control and matching on vectors.As the techniques mentioned, our scheme considers the computational costs of evaluation function Eval pk and Eval ct .If we adopt the algorithms in Boneh et al. (2014), the computational costs of Eval pk and Eval ct are lnm 2 T mul and lnmT mul with addition function, respectively.Correspondingly, the computational costs of Eval pk and Eval ct are nm 2 T mul and l 2 nmT mul with multiplication function, respectively.
Table 3 presents the comparison of space overhead.The analysis is analogous to the computational cost.Notably, our scheme enjoying dual access control makes the ciphertext and trapdoor, with two pairs access control, tighter respectively.
Specifically, according to Table 1, Table 2 and Table 3, the computation cost and space overhead of the ciphertext and trapdoor in our scheme is nearly half of the ones in Li et al. (2019), if we directly adopt the scheme (single access control) in Li et al. (2019) to realize dual access control.

Experimental Evaluation
Our implementations are built on a Linux system with i5-10210U CPU and 16GB DDR RAM.We exploit C++ language and NTL library version 11.5.1.For the correctness and security of our scheme, we set the parameters satisfying the parameters setting based on both dimensions n = 10 and m = 600.We fix the parameters except the attribute length l which is an independent variable.We show the comparison of space overhead and running time among our and recent PEKS schemes.We evaluate the experimental result, 10 trials on average displaying the running time of the five algorithms, as attribute length l grows.It is clear as Table 4 shows that the algorithm Trapdoor is time-consuming.The substantial reason is the generation of the lattice basis.Theoretically, the running time of KeyGen and Trapdoor should be close since they are almost identical except for the dimensions.Furthermore, considering the reality, we pull away from the algorithm Eval pk from KeyGen and reuse it in Trapdoor.We implement the algorithm Eval pk and Eval ct based on Boneh et al. (2014) and Dai et al. (2017), using evaluation of public keys and ciphertexts on gates.However, the running time of Trapdoor is more than KeyGen, which is because of the dimension of matrices.Note that, not the same as the implementations based on ring-LWE in Dai et al. (2017), we have greatly improved the implementations of Eval pk and Eval ct by the optimization on the standard lattice.
As shown in Figure 1.a, the running times of Trapdoor and KeyGen in our scheme are independent of the increase of l.This is caused mainly by two reasons: From the previous analysis, the stability of Trapdoor is mainly dependent on the generation of the lattice basis and the reuse of Eval pk .Moreover and similarly, the stability of KeyGen is mainly dependent on the algorithm Eval pk which is high complexity algorithm and is independent of the increase of l.Subsequently, we give 4. When U g search successfully with g(x) = 0, U g returns the result (encrypted data) to U f .Finally, we analyses the correctness with delegation.In key delegation, we omit the verification since it is essentially relying on the delegation algorithm in Boneh et al. (2014).In trapdoor delegation, we focus on the Test algorithm: since F f,w • V g,w = F g and F g • R g = D, we have y T (R T g V T g,w ) • ((A|A f |B + H(w)) T s + e ′ ) = y T D T s + y T R T g V T g,w e ′ .After that, we can get the equation similar to the one in the correctness without delegation.For correctness, we need ∥y T (e 2 + e 3 + e 4 − R T g V T g,w e ′ )∥ < Yk(σ 1 + σ 2 + σ 3 ) + 9σ 2 σ 1 Yk 2 m 2 (1 + α F (n)).

Conclusions
In this paper, we proposed a lattice-based public key encryption with keyword search which is dual fine-grained and provable for chosen keyword attacks.Additionally, we implement our scheme and present the computation costs and space overheads.Furthermore, we give extensions and discussions about conjunctive keywords and delegation based on our proposed scheme.In our future work, we will focus on the optimization of our scheme which can be applied to real scenarios by reducing complex algorithms like TrapGen and SamplePre.

with probability at most 2 e πt 2 .
Gaussian Distribution.For any positive parameter σ ∈ R, let ρ σ (x) := exp(−π ∥x∥ 2 /σ 2 ) be the Gaussian function on R n of center 0 and parameter σ.For any n ∈ N and any subset D of Z n , we define ρ σ (D) := ∑ x∈D ρ σ (x) the discrete integral of ρ σ over D, and D D,σ the discrete Gaussian distribution over D of parameter σ.That is, for any y ∈ D, we have D D,σ (y) = ρ σ (y)/ρ σ (D).For succinct description, D n,σ denotes the n-dimensional discrete Gaussian distribution with parameter σ.
devided into five algorithms among Setup, KeyGen, Enc, Trapdoor and Test.For precise evaluation, let |Z|, |G| and |G T | represent the size of one element in Z q , G and G T .Let T TrapGen , T SamplePre , T RandBasis , T ExtendRight , T SampleLeft , T SampleD denote the running time of algorithms TrapGen, SamplePre, RandBasis, ExtendRight, SampleLeft and SampleD, respectively.Let T NewBasisDel denotes the running time of algorithm NewBasisDel from Zhang et al. (2019) Let T H denote the running time of hash function H. Let T expmod and T pairing denote the running time of modular exponentiation and bilinear pairing operation in group G respectively.

Figure 1 .
Figure 1.Running time of Enc, KeyGen and Trapdoor

Figure 1 .
b to show the running time of Enc increases as the paramater l grows clearly in the result of theoretical performance.

Table 1 .
Comparison between ours and recent PEKS schemes * IND-CKA: ciphertext indistinguishability against chosen keyword attacks.1.2Related Works (Katsumata & Yamada, 2016)-row of Z.Lemma 8(Katsumata & Yamada, 2016)(Noise Rerandomization) Given a matrix R ∈ Z m×t and s ∈ R + such that s 2 ≥ s 1 (RR T ),there is an algorithm NoiseGen(R, s) as follows: It first samples e 1 = Re + √ (s 2 I m − RR T )e ′ where I m ∈ Z m×m denotes the identity matrix, e ← D t,σ and e ′ ← D m, √ 2σ are independent spherical continuous Gaussian noises.Then it samples e 2 ← D Z m −e 1 ,s

Table 3 .
Space overhead among ours and recent PEKS schemes

Table 5 .
The space overheads of our scheme when l grows