Designated server-aided revocable identity-based keyword search on lattice

Public key encryption scheme with keyword search is a promising technique supporting search on encrypted data without leaking any information about the keyword. In real applications, it’s critical to find an effective revocation method to revoke users in multi-user cryptosystems, when user’s secret keys are exposed. In this paper, we propose the first designated server-aided revocable identity-based encryption scheme with keyword search (dSR-IBKS) from lattice. The dSR-IBKS model requires each user to keep just one private key corresponding with his identity and does not need to communicate with the key generation center or the server during key updating. We have proved that our scheme can achieve chosen keyword indistinguishability in the standard model. In particular, our scheme can designate a unique tester to test and return the search results, therefore no other entity can guess the keyword embedded in the ciphertext by generating search queries and doing the test by itself. We provide a formal security proof of our scheme assuming the hardness of the learning with errors problem on the standard model.

To the best of our knowledge, [10] is the first identity-based encryption scheme with keyword search from lattice assumption, which is a combination of identitybased encryption (IBE) and searchable encryption. One practical issue of IBE in real applications is to find an effective revocation method to revoke users in multi-user cryptosystems, because users may behave inappropriately or their secret keys may be compromised.
In Boneh et al. [14] proposed a revocation mechanism for IBE, in which the up-to-date revocation list is controlled by a trusted authority called Key Generation Center (KGC), who issues secret key sk id||t for each non-revoked user id in every time period t . In this mechanism, only non-revoked users can decrypt ciphertext bound to their identity and the same time slot (i.e., id||t ). However, this approach is inefficient since the KGC have to generate O(N − r) new secret keys in each time period, where N is the total number of users and r is the number of revoked users in time period t. That is, the workload of the KGC is proportional to the number of users N.
In Boldyreva et al. [15] proposed another revocation mechanism based on the treebased revocation scheme of [16], and formalized the notion of revocable IBE (RIBE). In this mechanism, each user keeps O(log N ) long-term secret keys and the KGC broadcasts O(r log(N /r)) update keys for each time period t . Only non-revoked users can obtain their decryption keys from their long-term secret keys and the update keys. Compared with Boldyreval et al. [14], this mechanism significantly reduces the size of update key from linear (i.e., O(N − r) ) to logarithmic (i.e., O(r log(N /r)) ) in the number of users. However, this revocation mechanism still does not provide an efficient revocation for the following limitations: (1) it requires KGC to stay online regularly and all non-revoked users need to communicate with KGC and update their decryption keys periodically; (2) the sizes of both update keys (i.e., O(r log(N /r)) ) and users' secret keys O(log N ) are logarithmical in the number of users.
To overcome the two limitations in Boldyreva et al. [15], Qin et al. [17] proposed a novel RIBE system model called server-aided revocable IBE (SR-IBE) under the decisional bilinear diffie-hellman (DBDH) assumption. The server is assumed to be untrusted in the sense that it doesn't keep any secret data and only performs public storage and computation operations according to the system specification. In SR-IBE system model, no communication is required between users and the KGC during key update. In addition, although the size of update keys from the KGC to the server is still logarithmic (i.e. O(r log(N /r)) ), the size of every user's private key is constant (i.e. O(1)) here instead of O(log N ) in [15].
In addition, making use of the binary-tree data structure of [15,18] proposed the first RIBE from lattice. Following the security model of [17], Nguyen et al. [19] considered selective-identity security and proposed the first SR-IBE from lattices. One application of SR-IBE is encrypted email supporting lightweight devices in which an email server plays the role of the untrusted server so that only non-revoked users can read their email messages.

Notations
For a binary string α and a positive integer n, let |α| denote its binary length and [n] denote the set {1, . . . , n} . If S is a finite set then x ← S is the operation of choosing an element uniformly at random from S. For a probability distribution D , x ← D denotes the operation of choosing an element according to D . If α is either an algorithm or a set then x ← α is a simple assignment statement.
Let denote the security parameter. A function f ( ) is negligible, denoted as negl( ) , if for every c > 0 there exists an c such that f ( ) < 1/ c for all > c . An algorithm is probabilistic polynomial-time (PPT) computable if it is modeled as a probabilistic Turing machine whose running time is bounded by some polynomial function poly( For a matrix T = [t 1 . . . t k ] ∈ R m×k , let T denote the L 2 length of the longest column vector in T , i.e., �T� := max i �t i � for 1 ≤ i ≤ k ; let s 1 (T) denote the largest singular value of T , i.e., s 1 (T) := sup u∈R k ,�u�=1 �Tu� . If t 1 , . . . , t k in T are linearly independent, let T = [t 1 , . . . ,t k ] denote the Gram-Schmidt orthogonalization of T . For two matrices X ∈ R n×m and Y ∈ R m×k , we have �X�, �X ⊤ � ≤ s 1 (X) , and s 1 (XY) ≤ s 1 (X) · s 1 (Y) . For two matrices X ∈ R n×m 1 and Y ∈ R n×m 2 , [X | Y] ∈ R n×(m 1 +m 2 ) is the concatenation of the columns of X and Y . For two matrices X ∈ R n 1 ×m and Y ∈ R n 2 ×m , [X; Y] ∈ R (n 1 +n 2 )×(m) is the concatenation of the rows of X and Y.

The binary tree data structure and the CS method
The complete subtree (CS) method was introduced by Naor et al. [16]. A binary tree along with the CS method is an efficient revocation mechanism, which has been widely used in systems [20][21][22]. To introduce this mechanism, we use the following notations: BT denotes a binary-tree; root denotes the root node of BT ; θ denotes a node in the binary tree and η emphasizes that the node θ is a leaf node. The set Path(BT, η ID ) stands for the collection of nodes on the path from the leaf η ID to the root (including η ID and the root ). If θ is a non-leaf node then θ ℓ , θ r denote the left and right child of θ , respectively.
Before introducing the CS method, we describe the KUNodes algorithm [16] as follows. The KUNode algorithm takes as input a binary tree BT , a revocation list RL , and outputs a set of nodes Y , such that the subtrees with root θ ∈ Y cover all leaves η ID in BT\RL and do not cover any leaves η ID for ID ∈ RL . The description of KUNode algorithm is as follows: We adopt the definition of the CS method given by Katsumata et al. [22], which consists of the following four algorithms: on input the number of users N, it outputs a binary tree BT with at least N and at most 2N leaves. CS.Assign(BT, ID) → (η ID , BT): on input a binary tree BT and an identity ID , it randomly assigns the identity ID to a leaf node η ID , to which no other identities have been assigned yet. Then, it outputs a leaf node η ID and an "updated" binary tree BT. if it exists. Otherwise, it outputs ∅.

Background on lattice
For any positive integers n, m and q ≥ 2 , a matrix A ∈ Z n×m q and a vector u ∈ Z n q , we define the m-dimensional lattice � ⊥ q (A) = {z ∈ Z m : A · z = 0 n mod q} and � u q (A) = {z ∈ Z m : A · z = u mod q}.
Let be a lattice in Z m . For any vector c ∈ R m and any parameter s ∈ R + , define ρ s,c (x) = exp(−π �x−c� 2 s 2 ) and ρ s,c (�) = x∈� ρ s,c (x) . The discrete Gaussian distribution over with center c and Gaussian parameter s is D �,s,c = ρ s,c(y) ρ s,c (�) for ∀y ∈ . If c = 0 , we conveniently use ρ s and D ,s .

Lemma 2 ([23])
Let n, m, q > 0 be positive integers with m ≥ 2n⌈log q⌉ and q a prime. Let σ be any positive real such that σ ≥ ω( log m). Then for A ← Z n×m q and e ← D Z m ,σ , the distribution of u = Ae mod q is statistically close to uniform over Z n q . Furthermore, for a fixed u ∈ Z n q , the conditional distribution of e ← D Z m ,σ , given Ae = u mod q for a uniformly random A in Z n×m q is D � u q ,σ with all but negligible probability.
We first recall two algorithms. The first in [23][24][25] generates a matrix A ∈ Z n×m q that is statistically close to uniform, together with a short trapdoor basis for the associated lattice � ⊥ q (A) . The second in [25] generates the basis for lattice � ⊥ q (G) , where G is what they called the primitive matrix.

Lemma 3 ([23-25])
Let n, m, q > 0 be positive integers with m ≥ 2n⌈log q⌉ and q a prime. Then, we have: • a PPT algorithm TrapGen(n, m, q) that outputs a pair (A, T A ) ∈ Z n×m q × Z m×m such that A is statistically close to uniform and T A is a basis for � ⊥ q (A) satisfying � T A � ≤ O( n log q).
• a fixed full rank matrix G ∈ Z n×m q such that the lattice � ⊥ q (G) has a publicly known basis T G ∈ Z m×m with � T G � ≤ √ 5.
We review some of the algorithms that allow one to securely delegate a trapdoor of a lattice to an arbitrary higher-dimensional extension given a short basis for the lattice. They can be obtained by combining corresponding results in [26,27]. 26,27]) Let n, m,m, q > 0 be positive integers with m > n and q a prime. Then, there exist PPT algorithms as follows: The following algorithms allow one to sample short vectors from a given lattice equipped with a short basis.
Lemma 5 ([25, 26]) Let n, m,m, q > 0 be positive integers with m ≥ 2n⌈log q⌉ and q a prime. Then, we have the following algorithms: , and a Gaussian parameter σ ≥ � T A � · ω( log(m +m)), it outputs a vector e ∈ Z m+m sampled from a distribution statisti- The learning with errors (LWE) assumption was introduced by Regev [28]. For integers n, m, a prime q, a real α ∈ (0, 1) such that αq > 2 √ n , and a PPT algorithm A , the advantage for learning with errors problem LWE n,m,q,D Z m ,αq of A is defined as We say that the LWE assumption holds if the above advantage is negligible for all PPT adversary A.

Lemma 7 ([30])
Suppose that m > (n + 1) log q + ω(log n) and that q is a prime. Let A, B be matrices chosen uniformly in Z n×m q and let R be an m × m matrix chosen uniformly in {−1, 1} m×m mod q. Then, for all vectors w in Z m q , the distribution of (A, AR, R ⊤ w) is statistically close to the distribution of (A, B, R ⊤ w). [26]) Let n, q be positive integers with q a prime. We say that a func-

Definition 1 (FRD
is full rank, and H is computable in polynomial time in n log q.

Framework of dSR-IBKS
As shown in Fig. 1, our dSR-IBKS involves four parties: KGC, sender, recipient and server. Algorithms among the parties are as following: is run by the KGC. It takes as input a security parameter and outputs a public parameter pp , and the KGC's secret key sk kgc (also called a master key). We assume that the system parameter params is contained in pp and pp is an implicit input of all other algorithms. PrivKG(sk kgc , ID) → Priv ID is run by the KGC. It takes as input the KGC's secret key sk kgc and the recipient's identity ID , and outputs a private key Priv ID for the recipient. The private key must be sent to the recipient through a secure channel. ServKG(sk kgc , S ID ) → Serv ID is run by the KGC. It takes as input the KGC's secret key sk kgc and the server's identity S ID , and outputs a private key Serv ID for the server. The private key must be sent to the server through a secure channel.
is run by the KGC. It takes as input the KGC's secret key sk kgc , an identity ID , and may update the KGC's secret key sk kgc . Then, it outputs a long-term transformation key sk ID and the KGC's "updated" state sk ′ kgc . The long-term transformation key sk ID is sent to the server through a public channel.
is run by the KGC. It takes as input the KGC's secret key sk kgc , a time period t , a revocation list RL t , and may update the KGC's secret key sk kgc . Then, it outputs an update key uk t and the KGC's "updated" state sk ′ kgc . The updated key uk t is sent to the server through a public channel.
is run by the server. It takes as input a longterm transformation key sk ID for identity ID , an update key uk t for time period t , and outputs a short-term transformation key e ID,t or the special symbol ⊥ indicating that ID has been revoked. Enc(ID, S ID , t, kw) → ct ID,t,kw is run by the sender. It takes as input the recipient's identity ID , server's identity S ID , a time period t , a ciphertext keyword kw , and outputs a ciphertext ct ID,t,kw . The ciphertext is sent to the server. QueKG(Priv ID , S ID , t, kw ′ ) → q ID,t,kw is run by the recipient himself. It takes as input his private key Priv ID , the server's identity S ID , a time period t and a target keyword kw ′ , and outputs a search query q ID,t,kw ′.
On input a ciphertext ct ID,t,kw , a time period t , and the short-term transformation key e ID,t , recipient's query q ID,t,kw ′ and its own secret key Serv ID , the server checks whether kw = kw ′ . If kw = kw ′ , server outputs 1 and otherwise outputs 0.
The correctness for a dSR-IBKS requires that for all security parameter ∈ N , if ID is not revoked at time period t and if all parties follow the prescribed algorithms, then the Test algorithm outputs 1 only if kw = kw ′ .

Security model of dSR-IBKS
We considered the selective security, dSR-sID-CKA security, in which the adversary should announce the challenge identities ID * , S * ID , time period t * and challenge keyword (kw * 0 , kw * 1 ) before the execution of algorithm Setup . Let SKList be a set that initially contains (kgc, sk kgc ) , and into which identity/long-term transformation key pairs (ID, sk ID ) generated during the security game will be stored. From now on, whenever a new secret key sk ID is generated for ID or the secret key sk kgc is updated during the execution of L − TranKG or UpdKG , the challenger will store the pair (ID, sk ID ) or update (kgc, sk kgc ) in SKList , and we will not explicitly mention this addition/update. Also, set PrivList to a set that stores the identity/private key pair (ID, Priv ID ) generated during the secure game. The challenger will store the pair (ID, Priv ID ) in PrivList whenever a new private key Priv ID is generated for ID during the execution of PrivKG and we will not explicitly mention this addition as well. On this basis, the long-term transformation key generation and reveal queries are explicitly separated to describe situations where some sk ID has been generated but not revealed to an adversary. And, the same processing is done for private key generation and reveal queries. In addition, the "revoke" and "update key" queries in [17,19] are merged into a single "revoke & update key" query, and the concept of the current time period t cu coordinated with the adversary's "revoke & update key" query is introduced. and returns nothing to A . We require that all identities ID appearing in the following queries be "activated" in the sense that sk ID is generated via this query and hence (ID, sk ID ) ∈ SKList. Long-term Transformation Key Reveal Query: upon a query ID from A , C finds sk ID from SKList and returns it to A. Revoke [MYAMP Update Key Query:] upon a query RL (which represents the set of identities that are going to be revoked in the next time period) from A , C checks whether RL t cu ⊂ RL . If not, it returns ⊥ ; otherwise, it increments the current time period by t cu ← t cu + 1 , sets RL t cu ← RL , runs (uk tcu , sk ′ kgc ) ← UpdKG(sk kgc , t cu , RL tcu ) and returns uk t cu to A. Short-term Transformation Key Reveal Query: upon a query (ID, t) from A , C checks whether conditions t ≤ t cu , ID / ∈ RL t and (ID, t) = (ID * , t * ) meet at the same time. If not, it returns ⊥ ; otherwise, it finds sk ID from SKList , runs e ID,t ← S − TranKG(sk ID , uk t ) and returns e ID,t to A. Private Key Generation Query: upon a query ID (resp. S ID )from A , where it is required that (ID, * ) / ∈ PrivList , C runs Priv ID ← PrivKG(sk kgc , ID) and returns nothing to A (resp. Serv S ID ← ServKG(sk kgc , S ID ) ). Similarly, we require that all identities ID appearing in the following queries be "activated" in the sense that Priv ID is generated via this query and hence (ID, Priv ID ) ∈ PrivList. Private Key Reveal Query: upon a query ID (resp. S ID ) from A , C finds Priv ID (resp. Serv S ID ) from PrivList and returns it to A. Search Query: upon a query (ID, t, kw) from A , C finds Priv ID from PrivList , runs q ID,t,kw ← QueKG(Priv ID , t, kw) and returns q ID,t,kw to A. 1 If both ServKG(S * ID ) and PrivKG(ID * ) were queried, then ID * ∈ RL t for some t ≤ t * . 2 If PrivKG(ID * ) was not queried, then QueKG(·) can not be queried on (id, kw, t) = (id * , kw * , t * ). 3 If ServKG(S * ID ) was queried and ID * � ∈ RL t * , then PrivKG(ID * ) can not be queried.

Our lattice-based dSR-IBKS scheme
In the following, we formally describe our dSR-IBKS scheme.
Setup(1 ) → (pp, sk kgc ): On input a security parameter , the KGC proceeds as follows: 1 Choose positive integers n, N , q, k, m, s 0 , s 1 , a real α and a prime q, where k = ⌈log q⌉ and N is the maximal number of users that the system will support. Select an FRD map H : Z n q → Z n×n q (see Sect. 2.1.4). Let the identity space ID = Z n q , the time space T ⊂ ID = Z n q , the keyword space KW ⊂ ID = Z n q . Set the system parameter params = (n, N , q, k, m, s 0 , s 1 , α, H, ID, T , KW).

2
Generate three independent pairs (A, T A ) , (B, T B ) and (C, T C ) by running TrapGen(n, m, q).
3 Select u ← Z n q and A 1 , Create a binary tree by running BT kgc ← CS.Setup(N ). 5 Set the public parameter pp = (A, B, C, A 1 , A 2 , B 1 , B 2  key sk kgc = (T A , T B , T C , BT kgc ). 6 Output pp and sk kgc .
PrivKG(sk kgc , ID) → Priv ID : On input the KGC's secret key sk kgc and the recipient's identity ID , the KGC goes as follows: 1 Extend its basis by running Output Priv ID = T B ID as the private key of user ID. 3 Send Priv ID to the user ID through a secret channel.
ServKG(sk kgc , S ID ) → Serv ID : On input the KGC's secret key sk kgc and the designated server's identity S ID ∈ ID , the KGC proceeds as follows: Output the private key Serv ID = T C S ID ∈ Z 2m×2m .
If not, pick u kgc,θ ← Z n q , update sk kgc by storing u kgc,θ in node θ ∈ BT kgc . Sample Note that e t,θ ∈ Z 2m and A t · e t,θ = u − u kgc,θ . 2 Output uk t = KUNodes(BT kgc , RL t ), (e t,θ ) θ∈KUNodes(BT kgc ,RL t ) as the update key and the (possibly) updated secret key sk ′ kgc . (2) On input a long-term transformation key sk ID for identity ID ∈ ID , an update key uk t for time period t ∈ T , the server goes as follows: 1 Extract path(BT kgc , η ID ) in sk ID and KUNodes(BT kgc , RL t ) in uk t and run θ/∅ ← CS.Match(path(BT kgc , η ID ), KUNodes(BT kgc , RL t )) . If the output is ∅ , output ⊥ . Otherwise, extract e ID,θ , e t,θ ∈ Z 2m in sk ID , uk t , respectively, and parse it as where e L ID,θ , e R ID,θ , e L t,θ , e R t,θ ∈ Z m . Compute Note that e ID,t ∈ Z 3m and [A | Output the short-term transformation key e ID,t .
Enc(ID, S ID , t, kw) → ct ID,t,kw : On input user identity ID ∈ ID , server identity S ID ∈ ID , a time period t ∈ T , a ciphertext keyword kw ∈ KW , the sender works as follows: QueKG(Priv ID , S ID , t, kw ′ ) → q ID,t,kw ′: On input the private key of recipient Priv ID = T B ID , the server's identity S ID , a time period t and the target keyword kw ′ , the algorithm does the follows: (4) e ID,t = [e L ID,θ + e L t,θ | e R ID,θ | e R t,θ ].
Test(ct ID,t,kw , b, t, e ID,t , q ID,t,kw ′ , Serv ID ) → {0, 1}: On input a ciphertext (ct ID,t,kw , b) , a time period t , and the shortterm transformation key e ID,t , recipient's query q ID,t,kw ′ and its own secret key Serv ID the server works as follows: 1 Compute Since both T C S ID and [g t � g kw ′ ] is sufficiently small, therefore the above equation holds for an overwhelming probability. 2 Recover Output the partially decrypted ciphertext ct ′ Compare c and ⌊ q 2 ⌋ by treating them as integers in Z , output b ′ = 1 in case |c − ⌊ q 2 ⌋| < ⌊ q 4 ⌋ and b ′ = 0 otherwise. 8 If b ′ = b , the algorithm outputs 1 and 0 otherwise.
Proof Since ID is non-revoked at time period t, there exists one node θ ∈ path(BT kgc , η ID ) ∩ KUNodes(BT kgc , RL t ) . If kw = kw ′ , we have (e ID,t , g ID,t,kw ) such that where e ID,t = [e L ID,θ + e L t,θ | e R ID,θ | e R t,θ ] . During the Test algorithm performed by the server, we have The server's decryption key is of the form dk ID,t = s ID,t such that During the Test algorithm performed by the server, we have If we set the parameters appropriately, by Lemmas 1 and 5 , we know that By Lemmas 1, 5 and 6 , we have By Lemma 1 and the standard tail bound in [23], we have . Thus, the noise z can be bounded with overwhelming probability as follows: Since O α + αs 1 m · ω( log m) · q ≤ q/5 holds with overwhelming probability, so �z� ≤ q/5 holds with overwhelming probability. If b = 1 , then |c − ⌊ q 2 ⌋| = �z� < ⌊ q 4 ⌋ with overwhelming probability; If b = 0 , then |c − ⌊ q 2 ⌋| = |z − ⌊ q 2 ⌋| > ⌊ q 4 ⌋ with overwhelming probability. So we prove this lemma.

Parameter selection and efficiency
In this section, we provide an example of parameter selection of our dSR-IBKS scheme. Note that we need to ensure that • the "noise" term in the above section is less than q/5 with overwhelming probability (i.e., O α + αs 1 m · ω( log m) · q ≤ q/5 by Lemma 8).
According to the above restrictions, we can set the parameters of our SR-IBKS as follows:
Proof Let A be a PPT adversary who succeeds in breaking the dSR-sID-CPA security of our SR-IBKS scheme with advantage Adv dSR−sID−CPA A,O SR-IBks ( ) = ǫ , let ID * and S * ID be the challenge identities, t * be the challenge time period, and kw be the two challenge keywords. Observe that the strategy taken by A can be further divided into three types of strategies that are mutually exclusive as follows. (13) �z� ≤ |x| + �e ⊤

Type-I:
A issues private key reveal query on both ID * and S * ID , and the long-term transformation key reveal query on ID * . In this case, the challenge identity ID * must be revoked before the challenge time t * .
Type-II: A does not issue private key reveal query on the challenge identity ID * , and A can issue any keyword search query on the tuple (id, t, kw) with the restriction that (id, t, kw) = (id * , t * , kw * 0 ) and (id, t, kw) = (id * , t * , kw * 1 ). Type-III: A does not issue private key reveal query on the S * ID .
As A always follows one of the above strategies, we only need to show that the advantage of A is negligible regardless of the strategy taken by A . We proceed with a sequence of games where the first game is identical to the dSR-sID-CPA game from Definition 2 and the adversary has no advantage in the last game. We will show that A cannot distinguish between the games, which will prove that the adversary has negligible advantage in winning the original dSR-sID-CPA game and will complete our proof.

Lemma 9
The advantage of an adversary A 1 using the Type-I strategy is negligible assuming the hardness of the LWE n,m+1,q,χ , where χ = D Z m+1 ,αq .
of BT kgc that is not η ID * . Since the random assignment of ID * made by the challenger is statistically hidden from A 1 , Game I−1 and Game I−2 are indistinguishable.
Game I−3 : In this game, we change the challenger so he does not have to use the trapdoor T A when generating short vectors as follows: (e ID,θ ) θ∈path(BT kgc ,η ID ) in sk ID , (e t,θ ) θ∈KUNodes(BT kgc ,RL t ) in uk t , and e ID,t . To achieve this goal, we modify when and how the vectors u kgc,θ for each node θ ∈ BT kgc is chosen. By the definition of the Type-I strategy, ID * must be revoked before time period t * . Hence, we have path(BT kgc , η ID * ) ∩ KUNodes(BT kgc , RL t * ) = ∅ by the property of the CS scheme.
Whenever A 1 issues a long-term transformation key query, a revoke & update key query, or a short-term transformation key reveal query, the Game I−3 challenger generates the vectors u kgc,θ for each node θ ∈ BT kgc as follows: • If θ ∈ path(BT kgc , η ID * ) , then it samples e ID * ,θ ← D Z 2m ,s , sets A ID * · e ID * ,θ = u kgc,θ , stores u kgc,θ in the node θ and keeps e ID * ,θ secret. • If θ / ∈ path(BT kgc , η ID * ) , then it samples e t * ,θ ← D Z 2m ,s , sets A t * · e t * ,θ = u kgc,θ by implicitly setting t cu = t * , stores u kgc,θ in the node θ and keeps e t * ,θ secret. and Gaussian parameter s 1 . Otherwise, if t cu = t * , the challenger simply returns (e t * ,θ ) θ which he has already created without using T A . Furthermore, if A 1 issued a short-term transformation key reveal query on (ID, t) = (ID * , t * ) , the challenger simply creates e ID,t from combing (e ID,θ ) θ and (e t,θ ) θ . Since path(BT kgc , η ID * ) ∩ KUNodes(BT kgc , RL t * ) = ∅ , the procedure described above is well-defined. Finally, according to Lemmas 2, 4 and 5 , the distribution of the short vectors given to A 1 are distributed statistically close to those of the previous game. Therefore, Game I−2 and Game I−3 are indistinguishable. Game I−4 : In this game we change how A is sampled. We generate A as a random matrix in Z n×m q instead of generating it by running TrapGen . By Lemma 3, Game I−3 and Game I−4 are indistinguishable.
Game I−5 : In this game, we change the way the challenge ciphertext ct ID * ,t * ,kw * b is created. In this game, when the Game I−5 challenger is issued a challenge query on {kw * 0 , kw * 1 } by A 1 , the challenger chooses a random bit b ← {0, 1} , samples v ← Z q , v ← Z n q , s ′ , s ′′ ← Z n q , x ′ , x ′′ ← D Z m ,αq , R 21 , R 22 , R 23 , R 31 , R 32 ← {−1, 1} m×m and sets Finally, the challenger outputs the challenge ciphertext as ct ID * ,t * ,kw * b = (c 0 , c 1 , c 2 , c 3 ) . Since v is distributed uniformly at random over Z q and independently of all other terms, the probability of A 1 guessing whether b = 0 or b = 1 is exactly 1/2. In the following, we only need to show that Game I−4 and Game I−5 are indistinguishable assuming the hardness of the LWE n,m+1,q,χ to complete the proof. To this end, we use A 1 to construct a LWE adversary B 1 as follows: B 1 is given the problem instance of LWE as (Ā,v) ∈ Z n×(m+1) q × Z (m+1) q and aims to distinguish whether v =Ā ⊤ s +x for some s ← Z n q , x ← D Z m+1 ,αq or v ← Z (m+1) q . Let the first column of Ā be u * ∈ Z n q and the remaining columns be A * ∈ Z n×m q . Let the first element of v be v and the remaining elements be v . Now, B 1 sets (A, u) = (A * , u * ) and proceeds the setup as the Game I−3 challenger. Furthermore, whenever A 1 issues a query, B 1 works as the Game I−3 challenger and answers them without T A . To generate the challenge ciphertext, B 1 chooses b ← {0, 1} and generate the challenge ciphertext as in Eq. (16) using v, v , and returns it to A 1 . Let b ′ denote the output of A 1 , then B 1 outputs 1 if b ′ = b and 0 otherwise. Note that if (Ā,v) is a valid LWE sample, i.e., v =Ā ⊤ s +x for some s ← Z n q , then the view of A 1 is the same as that of Game I−4 . Otherwise, i.e., v ← Z (m+1) q , it is the same as that of Game I−5 . Therefore, Game I−4 and Game I−5 are indistinguishable assuming the hardness of the LWE n,m+1,q,χ , where χ = D Z m+1 ,αq .

Lemma 10
The advantage of an adversary A 2 using the Type-II strategy is negligible assuming the hardness of the LWE n,m+1,q,χ , where χ = D Z m+1 ,αq .
Proof The outline of this proof is essentially the same as that of Lemma 9. The difference is that in this proof, we modify the challenger so that he is able to simulate the game without T B .

Discussion
One weaknesses of the current lattice-based IBKS schemes is that the system does not have the ability to revoke user's authority. This property does not satisfy certain application scenarios. For example, when a user leaves his job or loses the key, his secret key must be revoked, otherwise the privacy of the encrypted data will be exposed, which means that he can still search for the target encrypted files in the system. Moreover, the keyword space is supposed to be large enough like super-polynomial, but in the real application, keywords are often chosen from a relatively small space. In this case, any outside malicious user or tester can guess the keywords containing in the ciphertext by keyword guessing attack. Lattice-based PEKS schemes like [8,9] are all vulnerable to such kinds of attack, since given a ciphertext, the adversary can generate the search query by itself and then run the Test algorithm to guess keyword in the ciphertext.

Result
Motivated by the above observation, in this paper, we propose the first designated server-aided revocable identity-based encryption scheme with keyword search (dSR-IBKS) from lattice as shown in Fig. 1. Specifically, the dSR-IBKS model requires each user to keep just one private key and does not need to keep communicating with the key generation center in order to update his secret key when another is revoked. This property is much applicable for resource-limited end users. In addition, our scheme designates a unique tester to test and return the search results, which makes it resist the keyword guess attack of external adversary. In other words, any other entities cannot guess the keyword embedded in the ciphertext by generating search queries and doing the text by itself. We prove our scheme achieving chosen keyword security under the hardness of the learning with errors (LWE) problem.
In Table 1, we compare our scheme with other PEKS schemes from lattices. From Table 1, we can clearly observe that our scheme is the first lattice-based server-aided revocable IBKS scheme supporting keyword guessing resistance in the standard model.

Conclusion
In this paper, we propose the first designated server-aided revocable identity-based encryption scheme with keyword search (dSR-IBKS) from lattice. In our scheme, recipient doesn't need to keep in touch with KGC to update his secret key when some one is revoked by the KGC. Moreover, our scheme designates a unique cloud server to conduct the Test algorithm. So any other adversaries cannot launch the keyword guessing attack on the ciphertext by generating search queries and doing the test by itself.