High-Speed High-Security Public Key Encryption with Keyword Search

,


Introduction
The emergence of cloud storage and computing services has revolutionized the IT industry.One of the most prominent cloud services is data storage outsourcing [3], which can drastically reduce the cost of data management via continuous service, expertise and maintenance for the resource-limited clients (e.g., small/medium size businesses).Despite its merits, data outsourcing raises significant privacy concerns for users.Traditional data encryption techniques (e.g., symmetric ciphers) can be used to mitigate this concern.However, they abolish the data owner from performing any efficient search (and therefore retrieval) operation over the data that is remotely stored on the cloud.Various privacy enhancing technologies have been proposed towards addressing this limitation.
Searchable Encryption (SE) schemes allow a keyword-based search functionality over the encrypted data.SE schemes are generally applied to a client/server architecture, in which the client stores her encrypted data on a remote server.There are two main types of SE technologies: (i) Dynamic Symmetric SE (DSSE) (e.g., [41,43,30]) permits a client to perform encrypted search on her data via her own private key.DSSE is efficient as it relies on symmetric primitives, but it is rather suitable for a single client outsourcing/searching her own data.(ii) Public Key Encryption with Keyword Search (PEKS) [6] schemes allows any client to encrypt her data under a public key such that the server can later test whether the encrypted records contain certain keywords via search trapdoors produced by an entity holding the private key.PEKS is suitable for distributed applications (e.g., email, audit logging for Internet of Things), in which large number of entities generate encrypted data to be searched/analyzed by a particular auditor.The focus of this paper is on PEKS schemes.In Fig. 1, we provide some example applications of PEKS with their corresponding system model.
One of the potential application scenarios for PEKS schemes is illustrated in Fig. 1-a.Alice has a number of devices (e.g., desktop, pager), and her email gateway is supposed to route her emails based on the keywords associated with each email.For instance, when one of the originators (i.e., Bob) sends her an email with keyword "urgent" the email should be routed to her pager.To achieve this, Bob encrypts his email using a standard public key encryption and uses PEKS algorithm to generate a searchable ciphertext of keyword w = "urgent" to be associated with the email.Alice can then provide the server with trapdoor t w computed for keyword w and enable the gateway to test whether any of the stored emails is associated with w via the Test algorithm of PEKS.
As depicted in Fig. 1-b, another possible scenario of employing PEKS schemes is for storing private log files on a remote server.In Internet of Things (IoT) applications, PEKS schemes can enable a set of heterogeneous devices to send their log files (encrypted under the auditor's public key) along with a searchable ciphertext of the keyword related to the logs to a storage server.To look for a specific event, the auditor can compute and send a trapdoor (of any keywords of his interest) to the server and receive all the files that contain the keyword.

Research Gap
There have been various PEKS schemes with additional features proposed in the literature [37,8,39,11].We have identified two main research gaps that pose an obstacle towards the adoption of PEKS schemes in practice.
• Extreme Computational Overhead: Most of the proposed PEKS schemes are based on heavy pairing computations, and the schemes that are devised by pairing-free tools are even more costly than their pairing-based counterparts [15].Despite their elegance, the existing constructions introduce a significant cryptographic delay as the server has to run a costly algorithm (i.e., Test(.)requiring at least one pairing operation per item) linear to the size of database.
• Lack of Long-term Security: When dealing with sensitive user data, most applications require long-term cryptographic security (e.g., sensitive medical data).However, due to algorithmic breakthroughs and the rise of powerful computers, the size of cryptographic keys are required to be steadily increased to ensure the same level of security.This causes the conventional cryptographic tools (e.g., RSA, ECC) to become increasingly inefficient.Therefore, there is a need for PEKS schemes that have a more efficient response against increasing key sizes.More importantly, with the predictions on the emergence of quantum computers, it is necessary to devise PEKS schemes that can achieve post-quantum security.However, current PEKS schemes are built on ECC or quadratic residuosity problems [15], which do not offer post-quantum security.

Our Contribution
Towards addressing aforementioned problems, we introduce the first (to the best of our knowledge) NTRU-Based PEKS scheme which we refer to as NTRU-PEKS hereafter.In the following, we outline our contributions.
• A New PEKS via NTRU: In the initial proposal of PEKS [6], Boneh et al. showed how one could derive a PEKS scheme from an IBE scheme.Abdalla et al. [1] supported this claim and provided requirements for the underlying IBE scheme to ensure the security and correctness of the derived PEKS.This led to the proposal of a large number of PEKS schemes (e.g., [44,15,31]) based on different IBE schemes.In this paper, we rigorously prove that Ducas et al.'s IBE scheme [17] meets these requirements and put forth the first NTRU-based PEKS scheme by leveraging this IBE.Furthermore, we prove the security and  [6] and Zhang-Imai scheme [44], respectively.
¶ QC stands for Quantum Computer.
consistency of our PEKS scheme and suggest parameter sizes to avoid potential decryption errors.
• High Efficiency: We devise a highly efficient PEKS scheme that significantly reduces the cryptographic delay by harnessing the latest advancements in lattice-based cryptography, ring-LWE [38] and fast arithmetic operations over polynomial rings Z[x]/(x N + 1).We implement our scheme1 for 80-bit and 192bit security and compare its efficiency with the most prominent PEKS schemes.As it is shown in Table 1, our scheme has significantly more efficient Test and PEKS algorithms than those in in [6,44].The efficiency of Test algorithm is of vital importance, since it is executed by the server linearly with the total number encrypted keywords to be searched.The efficiency of the PEKS algorithm facilitates the implementation of PEKS schemes on battery-limited devices.
• Long-term Security: We develop the first practical NTRU-based PEKS that offers long-term security, while being (currently) secure against quantum computers, thanks to the security guarantees of lattice-based cryptography.

Preliminaries
In this section, we provide definitions and notations that are used by our scheme.For the sake of compliance, we use the same notation as in [17].
Notations.a $ ← − X denotes that a is randomly selected from distribution X .H i for i ∈ {1, . . ., n} denotes a hash function which is perceived to behave as a random oracle in this paper.A O1...On (.) denotes algorithm A is provided with access to oracles O 1 . . .O n .We denote scalars in plain (e.g., x) and vectors in bold (e.g., x).The norm of a vector v is denoted by v .x rounds x to the closest integer.x = ∆ y means x is defined as y.The function gcd(x, y) returns the greatest common divisor of values x and y.

NTRU-Based Cryptographic Tools
Ajtai [2] introduced the Short Integer Solution (SIS) problem and demonstrated the connection between average-case SIS problem and worst-case problems over lattices.Hoffstein et al. [26] proposed an efficient public key encryption scheme called NTRU-based on polynomial rings.Regev [38] introduced the Learning with Error (LWE) problem.The SIS and LWE problems have been used as the building blocks of many lattice-based schemes.
NTRU encryption works over rings of polynomials which are parametrized with N as a power-of-two integer.
Definition 1.For prime integer q and f, g ∈ R, h = g * f −1 mod q, the NTRU lattice with h and , where I is an identity matrix.
Note that one can generate this basis using a single polynomial h ∈ R q .However, the lattice generated from A h,q has a large orthogonal defect which results in inefficiency of standard lattice operations.As proposed by [25], another basis (which is much more orthogonal) can be efficiently [17] generated by selecting Definition 2. (Gram-Schmidt norm [22]) Given B = (b i ) i∈I as a finite basis and B = ( bi ) i∈I as its Gram-Schmidt orthogonalization, the Gram-Schmidt norm Using Gaussian sampling, Gentry et al. [22] proposed a technique to use a short basis as trapdoor without disclosing any information about the short basis and prevent attacks similar as in [36].
If we pick a noise vector over a Gaussian distribution with the radius not smaller than the smoothing parameter [34], and reduce the vector to the fundamental parallelepiped of our lattice, the resulting distribution is close to uniform.We formally define this parameter through the following definition.Definition 4. (Smoothing Parameter [34]) For any n-dimensional lattice Λ, its dual Λ * and > 0, the smoothing parameter η (Λ) is the smallest s > 0 such that ρ 1/s √ 2π,0 (Λ * \0) . A scaled version of the smoothing parameter is defined in [17] as Gentry et al. [22] defined a requirement on the size of σ related to the smoothing parameter.In [17], Ducas et al. showed that using Kullback-Leibler divergence, the required width of σ can be reduced by factor of √ 2. Based on [18,22,17], for positive integers n, λ, , any basis B ∈ Z N ×N and any target vector c ∈ Z 1×n , the algorithm (v 0 ← Gaussian-Sampler(B, σ, c)) as defined in [22,17] In this paper, we will use the same algorithm in our Trapdoor algorithm.
) and an error distribution X over R. For s as a random secret ring element, uniformly random a i 's ∈ R and small error elements e i ∈ X , the decision LWE problem asks to distinguish between samples of the form (a i , a i s + e i ) and randomly selected

Identity-Based Encryption
Definition 7.An IBE scheme is a tuple of four algorithms IBE = (Setup, Extract,Enc,Dec) defined as follows.
-(mpk, msk) ← Setup(1 k ): On the input of the security parameter(s), this algorithm publishes system-wide public parameters params, outputs the master public key mpk and the master secret key msk.sk ← Extract(id, msk, mpk):On the input of a user's identity id ∈ {0, 1} * , mpk, and msk, this algorithm outputs the user's private key sk.c ← Enc(m, id, mpk): On the input of a message m ∈ {0, 1} * , identity id, and mpk, this algorithm outputs a ciphertext c. m ← Dec(c, sk): On the input of a ciphertext c, the receiver's private key sk and mpk, this algorithm recovers the message m from the ciphertext c.
Following the work of [1], the following definition defines anonymity in the sense of [24].
Definition 8. Anonymity under chosen plaintext attack (IBE-ANO-RE-CPA) for an IBE scheme is defined as follows.Given an IBE scheme, we associate a bit b ∈ {0, 1} to the adversary A in the following experiment. Experiment

Public Key Encryption with Keyword Search
A PEKS scheme consists of the following algorithms.

Consistency of PEKS
Due to the properties of NTRU-based encryption scheme, and following the work of [15], we investigate the consistency of our scheme from two aspects, namely, right-keyword consistency and adversary-based consistency [1].Right-keyword consistency implies the success of a search query to retrieve records associated with keyword w for which the PEKS algorithm had computed a searchable ciphertext.On the other hand, adversary-based consistency [1] ensures the inability of an adversary to generate two distinct keywords that the Test algorithm returns 1 on the input of a trapdoor for one keyword, and the searchable ciphertext of the other.We define the adversary-based consistency [1] as follows.
Definition 11.Adversary-based consistency of a PEKS scheme is defined in the following experiment.Experiment Exp PEKS-Consist if w 0 = w 1 and [Test H (pk, t w1 , s w0 ) = 1] return 1 else, return 0 A's advantage in the above experiment is defined as Adv P EKS-Consist P EKS,A

Proposed Scheme
In this section, we present our scheme that consists of the following algorithms.
(h, B) ← KeyGen(q, N ): Given a power-of-two integer N and a prime q, this algorithm works as follows.
1. Compute σ f ← 1.17 q 2N and select f, g ← D N,σ f to compute Bf,g and Norm ← max( (g, −f ) , ( q proceed to the next step.Otherwise, if N orm ≥ 1.17 √ q, this process is repeated by sampling new f and g.

Using extended euclidean algorithm, compute ρ
or gcd(R f , q) = 1, start from the previous step by sampling new f and g.

Using extended euclidean algorithm
q , the receiver's public key pk and a keyword w ∈ {0, 1} * to be encrypted, the sender performs as follows.
Finally, the algorithm outputs s w = A, B, H 2 (k, B) .t w ← Trapdoor(sk, w): Given the receiver's private key sk, and a keyword w ∈ {0, 1} * , the receiver computes t ← H 1 (w) and using the sampling algorithm Gaussian-Sampler(B, σ, (t, 0)), samples s and t w such that s + t w * h = t.b ← Test(pk, t w , s w ): On the input of a receiver's public key pk, a trapdoor t w and a searchable ciphertext and outputs b = 1 if H 2 (y, B) = H 2 (k, B) and b = 0, otherwise.

Completeness and Consistency
In this section, we show the completeness and consistency of our scheme.
Lemma 1.Given a public-private key pair (h, B) ← KeyGen(q, N ), a searchable ciphertext s w ← PEKS(pk, w), and a trapdoor generate by the receiver t w ← Trapdoor(sk, w) our proposed scheme is complete.
Proof.To show the completeness of our scheme for s w = A, B, H 2 (k, B) , the Test algorithm should return 1 when B−A * tw q/2 = k .To affirm this, we work as follows.
Given r, e 1 , e 2 , t w and s are all short vectors (due to the parameters of our sampling algorithm), all the coefficients of r * s + e 2 − t w * e 1 will be in (− q 4 , q 4 ), and therefore, B−A * tw q/2 = k.
To address right-keyword consistency issues related to the decryption error of encryption over NTRU lattices, we need to make sure that all the coefficients of z = r * s + e 2 − e 1 * tw are in the range (− q 4 , q 4 ) and q ≈ 2 24 for κ = 80 and q ≈ 2 27 for κ = 192.
Theorem 1.The NTRU-PEKS scheme is consistent in the sense of Definition 11.
Proof.Upon inputting q and N , the challenger C initiates the experiment (h, B) ← KeyGen(q, N ).It passes h to the adversary A and keeps B secret.(w 0 , w 1 ) ← A H1 (pk): A sends C two keywords (w 0 , w 1 ).Note that in the above game, A wins when w = w and H 2 (z 1 , z 1 ) = H 2 (z 2 , z 2 ).Let's assume A makes q 1 queries to H 1 and q 2 queries to H 2 oracles.Let E 1 be the event that there exist (x 1 , x 2 ) such that H 1 (x 1 ) = H 1 (x 2 ) and x 1 = x 2 and let E 2 be the event that there exist two pairs (z 1 , z 1 ) and represents the probability of consistency definition, Given the domain of our hash functions, the first and second terms are upper bounded by (q1+2) 2 /N2 log 2 q and (q2+2) 2 /N2 log 2 q , respectively.For the last term, if H 1 (x 1 ) = H 1 (x 2 ), then in our scheme, the probability that B 1 = B 2 is negligible due to the decryption error.Therefore, H 2 (y 1 , B 1 ) = H 2 (y 2 , B 2 ), hence, the probability of the last term is also negligible.

Discussion on Alternative NTRU-based Constructions
Bellare et al. [5] proposed a new variation of public key encryption with search capability called Efficiently Searchable Encryption (ESE).The idea behind ESE is to store a deterministically computed "tag" along with the ciphertext.To respond to search queries, the server only needs to lookup for a tag in a list of sorted tags.This significantly reduces the search time on the server.For ESE to provide privacy, the keywords need to be selected from a distribution with a high min-entropy.To compensate for privacy in absence of high min-entropy distribution for keywords, the authors suggested truncating the output of the hash function to increase the probability of collisions.However, this directly affects the consistency of the scheme and shifts the burden of decrypting unrelated responds to the receiver.As compared to PEKS schemes, in ESE schemes, the tag can be computed from both the plaintext and ciphertext.This highly differentiates the applications of these two searchable encryption schemes.
In this paper, we focused on PEKS scheme as it does not have consistency issues or min-entropy distribution requirement, and fits better for our target real-life applications (as discussed in Section 1).Nevertheless, for the sake of completeness, to extend the advantages of NTRU-based encryption [42] to ESE, we also instantiated an NTRU-based ESE scheme based on the encrypt-withhash transformation proposed in [5].We compared it with its counterpart which was instantiated based on El-Gamal encryption.Our implementations of NTRUbased ESE and El-Gamal ESE (developed on elliptic curves) were run on an Intel i7 6700HQ 2.6GHz CPU with 12GB of RAM .We observed that encryption for NTRU-based ESE takes 0.011ms where encryption in El-Gamal ESE takes 2.595ms.As for decryption, NTRU-based ESE takes 0.013ms and El-Gamal ESE takes 0.782ms.The differences are substantial, since the NTRU-base ESE is 236× and 60× faster in encryption and decryption, respectively.

Security Analysis
In this section, we focus on analyzing the security of our proposed schemes.
The security of lattice-based schemes is determined by hardness of the underlying lattice problem (in our case, ring-LWE).Based on [21], the hardness of lattice problems is measured using the root Hermite factor.For a vector v in an N-dimension lattice that is larger than the n th root of the determinant, the root Hermite factor is computed as γ = v det(Λ h,q ) 1/n .According to [16], for a short planted vector v in an NTRU lattice, the associated root Hermite factor is com- . Based on [21,13], γ ≈ 1.004 guarantees intractability and provides at least 192-bit security.
Lemma 2. If an IBE scheme is IBE-IND-CPA and IBE-ANO-RE-CPA-secure, then it is also IBE-ANO-CPA-secure.
Proof.Please see appendix.
Following Lemma 2, to establish the security of our NTRU-PEKS scheme, we need to rely on the security of the underlying IBE scheme.Ducas et al. provided the proof of IBE-IND-CPA of their scheme in [17].Therefore, we are left to prove the anonymity of their scheme via Theorem 2. Proof.Since the output of the PEKS algorithm of our scheme corresponds to the encryption algorithm of [32,33], for A to determine s w corresponds to which keyword with any probability Pr ≥ 1 2 + -for any non-negligible , it has to solve the decision ring-LWE.Our scheme works over the polynomial ring Z[x]/(x N + 1), for a power-of-two N and a prime q ≡ 1 mod 2N .The ring-LWE based PEKS algorithm computes a pseudorandom ring-LWE vector A = r * h + e 1 (for a uniform r, e 1 $ ← − {−1, 0, 1} N ) and uses H(w) to compute B = r * H(w) + e 2 + q 2 k that is also statistically close to uniform.Therefore, the adversary's view of A, B, H 2 (A, k) is indistinguishable from uniform distribution under the hardness of decision ring-LWE.The pseudorandomness is preserved when t w is chosen from the error distribution (by adopting the transformation to Hermite's normal form) similar to the one in standard LWE [35].Theorem 3. If there exists an adversary A that can break IND-CKA of NTRU-PEKS scheme as in Definition 10, one can build an adversary F that uses A as subroutine and breaks the security of the IBE scheme as in Definition 8.
Proof.The proof works by having adversaries F and A initiating the find phase as in Definition 8 and Definition 10 respectively.Algorithm F KeyQuery(.),H (find , mpk) -(mpk, msk) $ ← − Setup(q, N ): F receives mpk and passes it to A.
Algorithm A T dQuery(.),H(find , pk) -Queries on TdQuery(.):Upon such queries, F queries KeyQuery(.)which keeps a list idSet maintaining all the previously requested queries and responses.If the submitted query exists, the same response is returned, otherwise, to sample short vectors s, t w , the oracle uses msk to run (s, t w ) $ ← − Gaussian-Sampler(msk, σ, (H(w), 0)) and passes t w to F. F sends t w to A.
After the find phase, a hidden fair coin b ∈ {0, 1} is flipped.Execute (w 0 , w 1 ) ← A TdQuery(.),H (guess, pk) -Upon receiving (w 0 , w 1 ), F selects a message m ∈ {0} N and calls Enc(m, w 0 , w 1 ) that runs encryption on (w b , m) which works as in Definition 7 and outputs s w = A, B, H 2 (k, B) .F relays s w to A.
Finally, A outputs its decision bit b ∈ {0, 1}.F also outputs b as its response.
Omitting the terms that are negligible in terms of q and N , the upper bound on IND-CKA of NTRU-PEKS is as follows.
Secure channel requirement.Baek et al. [4] highlighted the requirement of a secure channel for trapdoor transmission between the receiver and the server and proposed the notion of Secure-Channel Free (SCF) PEKS schemes where the keywords are encrypted by both the server's and receiver's public key.Offline keyword-guessing attack, as introduced by Byun et al. [12], implies the ability of an adversary to find which keyword was used to generate the trapdoor.This inherent issue is due to low-entropy nature of the commonly selected keywords and public availability of the encryption key [10].Since Byun et al.'s work [12], there have been many attempts in proposing schemes that are secure against keyword guessing attacks [27,20,28].However, in all the proposals, once the trapdoor is received by the server, the keyword guessing attacks remain a perpetual problem [28].Jeong et al. [28] showed the trade-off between the security of a PEKS scheme against keyword-guessing attacks and its consistency -by mapping a trapdoor to multiple keywords.For our scheme, we can assume a conventional or even post quantum secure [9] SSL/TLS connection between the receiver and the server.We believe such reliable protocols provide the best mean for communicating trapdoors to the servers.Establishing a secure line through SSL/TLS could be much more efficient than using any public key encryption as in SFC-PEKS.Since in such protocols, after the hand shake protocol, all communications are encrypted using symmetric encryption.

Performance Evaluation
We first describe our experimental setup and evaluation metrics.We then provide a detailed performance analysis of our scheme by also comparing its efficiency with the pairing-based schemes proposed in [6,44] .To the best of our knowledge, and based on [10], the selected pairing-based counterparts are the most efficient schemes proposed in random oracle and standard models.
For 192-bit security, we set N = 1024 and q ≈ 2 27 which gives us a root Hermite factor γ = 1.0042 for our scheme and for BCO and ZI schemes, we set q ≈ 2 192 .PK and SK denote public key and private key, respectively.SC and TD refer to the searchable ciphertext and trapdoor, receptively.Conv denotes convolution product as defined in Section 2.
GSamp denotes a Gaussian Sampling function as in [17].bp denotes a bilinear pairing operation [7], pa and sm denote point addition and scalar multiplication in G, respectively, and ex denotes exponentiation in G T .
Public key, private key and SC are stored on the sender, receiver and server's machines, respectively.PEKS, Trapdoor and Test algorithms are run by the the senders, receiver and server machines, respectively.
‡ With a slight storage sacrifice, sender can pre-compute one of the convolution products.
† The value of s defines the norm of the Gram-Schmidt coefficient.In [17], the authors set the norm , where e is the base of natural logarithm.

Experimental Setup and Evaluation Metrics
We implemented our PEKS scheme in C++2 , using NTL [40] and GNU MP [23] libraries.The implementations of the pairing-based counterparts [6,44] were obtained from MIRACL library.We used the MIRACL suggested elliptic curves, MNT (with embedding degree k = 6) and KSS (with embedding degree k = 18) for 80-bit and 192-bit security, respectively.The implementations were done on an Intel Core i7-6700HQ laptop with a 2.6GHz CPU and 12GB RAM.Our evaluation metrics are computation, storage, and communication that are required by the sender, receiver and server.

Performance Evaluation and Comparisons
The Test algorithm of our scheme only requires one convolution product, which is much more efficient than the bilinear pairing operation required in all of the existing pairing-based PEKS schemes.Referring to Table 1, running the Test algorithm for one keyword and one record our scheme is 36× and 97× faster than BCO and ZI schemes, respectively.This gap significantly increases as the Fig. 2: Search Time of Server Fig. 3: Efficiency PEKS algorithm number of keywords/records increases, for instance, as depicted in Fig. 2, the search time for 10000 (with distinct keywords) records in database, is 10s in our scheme, and 400s and 1100s for BCO and ZI schemes, respectively.For 10000 records (which is rather small comparing to the number of records in actual databases), our scheme is 40 times faster than Boneh et al.'s scheme.For realworld cases with a large database, our scheme seems to be the only practical solution at this moment.We believe that this is one of the main aspects of our scheme which makes it an attractive candidate to be implemented for real-world applications.As it is shown in Table 2, the dominant operations of the PEKS algorithm in our scheme are two convolution products of form x 1 * x 2 .However, since one of the operands has very small coefficients (i.e., r $ ← − {−1, 0, 1} N ), the convolution products can be computed very rapidly.Specifically, in our case, since N has been selected as a power-of-two integer, the convolution product can be computed in N log N operations by Fast Fourier Transform.In Fig. 3, we compare the efficiency of the PEKS algorithm of our scheme with ones in [6,44].Generating one searchable encryption in our scheme is 19× and 78× faster than that of BCO and ZI schemes, respectively.Therefore, in our scheme, the sender can generate 2000 searchable encryptions with distinct keywords in 4s while this time is increased to 100s and 400s in BCO and ZI schemes, respectively.The sender needs to store the receiver's public key of size N |q|, referring to Table 3, for 192-bit security, it can be up to 27.2Kb.The resulting searchable encryption of our PEKS algorithm is to be sent to the server is of size 52Kb, based on Table 3.This is larger than the searchable encryption size of BCO and ZI scheme.Due to the structure of our PEKS algorithm, the computation of A in searchable ciphertext can be done prior to having knowledge of the keyword.Therefore, with a slight storage sacrifice (i.e., storing N |q| bits), the PEKS algorithm can become twice as fast.Fig. 4: Efficiency of Trapdoor algorithm The Trapdoor algorithm in our scheme requires a Gaussian Sampling similar as in [22,17].This is the most costly operation in our scheme.As it is shown in Table 1, for 192-bit security, one trapdoor generation is 6.4× and 3× slower than those of BCO and ZI schemes, respectively.In Fig. 4 we compare the efficiency of the Trapdoor algorithm of our scheme with the ones in [6,44].This algorithm in Boneh et al's scheme only requires one scalar multiplication and consequently, it is the fastest.Trapdoor algorithm in BCO scheme is capable of generating 2000 trapdoors for distinct keywords in 5s, ZI scheme generates the same number of trapdoor in 10s comparing to our scheme which takes 30s.Each trapdoor in our scheme is 27Kb which is much larger than those in BCO and ZI schemes.With the sacrifice of storage, the receiver can pre-compute and securely store the trapdoors locally.As discussed in Section 4, the trapdoors are to be transmitted to the server via a secure channel.

Discussion
To the best of our knowledge, our scheme is the first post-quantum secure PEKS scheme in the literature.Except the Trapdoor algorithm, which is only run O(1) times for each keyword, our algorithm enjoys from a very efficient PEKS and Test algorithms.While the PEKS algorithm is run O(1) times for each keyword and record, the efficiency of our Test algorithm, which is run O(L) times (for a database of size L), significantly decreases the search time on the server and minimizes the cryptographic end-to-end delay.Note that achieving a low end-toend delay is of great importance, since even small delays (e.g., a few milliseconds) could incur significant financial costs for companies like Amazon [19].
One limitation of our scheme is that its searchable ciphertext sizes are larger than its pairing-based counterparts, as our scheme relies on NTRU.This incurs a larger storage overhead on the server.However, given its significantly efficiency advantage for PEKS and especially critical algorithm Test, and also high storage capability of the modern cloud servers with a relatively low storage cost, this can be considered as a highly favorable trade-off.Moreover, as discussed, a faster response time (i.e., lower end-to-end delay) seems a much critical ecumenical parameter for modern cloud services than having a relatively higher storage.

Related Work
Searchable encryption can be instantiated from both symmetric or asymmetric key settings.Song et al. [41] proposed the first SE scheme that relies on symmetric key cryptography.Kamara et al. [29] proposed the first DSSE scheme to address the limitation of its static ancestors.While being highly efficient, symmetric SE schemes are more suitable for applications that involve a single client who outsources her own data to the cloud relying on her private key.
In this paper, given the target applications that need multiple heterogeneous entities to create searchable encrypted data, our focus is on SE schemes instanced in asymmetric settings.In particular, we concentrate on PEKS, as it requires neither specific probability distributions on keywords nor performance/consistency trade-offs as dictated by some other asymmetric alternatives (e.g., ESE as discussed in Section 3.2).In PKES, decryption and trapdoor generation take place using the private key of the receiver, while any user can use the corresponding public key to generate searchable ciphertext.With a few exceptions, all of the proposed PEKS schemes are developed using costly bilinear pairing operations.The first instance of pairing-free PEKS schemes is constructed by Crescenzo and Saraswat [15] based on the IBE scheme in [14], which is constructed using quadratic residue for a composite modulus.Khader [31] proposed the first instance of such schemes in the standard model based on a k-resilient IBE, she also put forth a scheme which supports multiple-keyword search.Nonetheless, due to their costly operations, the proposed schemes are not practical to be implemented in real-world applications.

Conclusion
In this paper, we proposed (to the best of our knowledge) the first NTRU-based PEKS scheme, which harnesses some of the most recent cryptographic tools in lattice-based cryptography, IBE scheme based on ring-LWE and efficient polynomial arithmetics at the same time.We formally proved that our scheme is secure and consistent in IND-CKA model, and also showed that our base IBE scheme achieves anonymity property required by our PEKS construction.Our theoretical and experimental analysis confirmed that our NTRU-based PEKS scheme is significantly more computationally efficient than its most efficient pairing-based counterparts at the server and sender side, which offer the lowest end-to-end cryptographic delay among the existing PEKS schemes.In addition to its efficiency, our PEKS scheme demonstrated a much smoother performance for increasing key sizes and inherits the (current) post-quantum security properties of its underlying NTRU primitives.The high efficiency and long-term security of NTRU-based PEKS are expected to pave a path towards potential consideration of PEKS schemes for real-life applications.

Definition 9 .
A PEKS scheme is a tuple of four algorithms PEKS = (KeyGen, PEKS,Trapdoor,Test) defined as follows.-(pk,sk) ← KeyGen(1 k ): On the input of the security parameter(s), this algorithm outputs the public and private key pair (pk, sk).s w ← PEKS(pk, w):On the input of user's public key pk and a keyword w ∈ {0, 1} * , this algorithm outputs a searchable ciphertext s w .t w ← Trapdoor(sk, w): On the input of a user's private key sk and a keyword w ∈ {0, 1} * , this algorithm outputs a trapdoor t w .b ← Test(t w , s w ): On the input of a trapdoor t w = Trapdoor(sk, w ) and a searchable ciphertext s w = PEKS(pk, w), this algorithm outputs a bit b = 1 if w = w , and b = 0 otherwise.Definition 10.Keyword indistinguishability against an adaptive chosen-keyword attack (IND-CKA) is defined as follows.Given a PEKS scheme, we associate a bit b ∈ {0, 1} to the adversary A in the following experiment.Experiment Exp PEKS-IND-CKA-b

Theorem 2 .
The IBE scheme of Ducas et al. is anonymous in the sense of Definition 8 under the decision ring-LWE problem.

Table 1 :
Comparison of our NTRU-PEKS scheme with state-of-the-art Experimental setup and evaluation metrics are given is Section 5. BCO and ZI denote Boneh et al.'s scheme *

Table 2 :
Analytical performance analysis and comparison.

Table 3 :
Parameter sizes of our scheme and its pairing-based counterparts