WO2016073059A2 - Public-key encryption with keyword search - Google Patents

Abstract

The present principle relate to new public-key cryptosystems with searchable encryption, in particular, public key encryption with keyword search. Public key encryption with keyword search is a form of encryption that allows searching on data that is encrypted using a public key system. Notably, these new public key cryptosystems rely on standard security assumptions. Namely, their semantic security follows from the standard quadratic residuosity assumption (in the random oracle model). The resulting ciphertexts are also much shorter than the concurrent scheme of Di Crescenzo and Saraswat.

Description

PUBLIC-KEY ENCRYPTION WITH KEYWORD SEARCH

RELATED APPLICATIONS

This patent application claims the benefit of U.S. Provisional Applications

62/055743 filed on September 26, 2014 with the same title, 62/055428 filed on December 31, 2014 also with the same title , 62/055722 filed on September 26, 2014, entitled Key-Private Cryptosystems Based on Quadratic Residuosity, 62/055731 filed on September 26, 2014, entitled Anonymous Identity Based Cryptosystems, and 62/055738 filed on September 26, 2014, entitled Making Cocks Ciphertexts Anonymous without Ciphertext Expansion, the disclosures of which are incorporated by reference herein in their entirety.

Field of the invention

The present principles relate to cryptography, and more specifically, to cryptographic systems directed to public-key encryption with keyword search (PEKS).

Related Art

This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the embodiments that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the described embodiments.

Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.

Referenced Documents

[1] Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno,

Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, and Haixia Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In V. Shoup, editor, Advances in Cryptology — CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 205-222. Springer, 2005.

[2] Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno,

Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, and Haixia Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. /. Cryptology, 21(3):350-391 , 2008. An extended abstract appears in [1].

[3] Giuseppe Ateniese and Paolo Gasti. Universally anonymous IBE based on the quadratic residuosity assumption. In M. Fischlin, editor, Topics in Cryptology — CT-RSA 2009, volume 5473 of Lecture Notes in Computer Science, pages 32-47. Springer, 2009.

[4] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In st ACM Conference on Computer and Communications Security, pages 62-73. ACM Press, 1993.

[5] Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In C. Cachin and J. Camenisch, editors,

Advances in Cryptology — EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 506-522. Springer, 2004.

[6] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. SI AM J. Comput. , 32(3):586-615, 2003.

[7] Clifford Cocks. An identity based encryption scheme based on quadratic residues. In B. Honary, editor, Cryptography and Coding, volume 2260 of Lecture Notes in Computer Science, pages 360-363. Springer, 2001.

[8] Giovanni Di Crescenzo and Vishal Saraswat. Public key encryption with searchable keywords based on Jacobi symbols. In K. Srinathan, CP. Rangan, and M. Yung, editors, Progress in Cryptology — INDOCRYPT 2007 , volume 4859 of Lecture Notes in Computer Science, pages 282-296. Springer, 2007.

[9] Marc Joye. Key-private cryptosystems based on the quadratic residuosity.

Technical Report v0.4, Technicolor, Los Altos, September 2014. US Provisional Patent Application 62/055722, filed September 26, 2014, docket number PU140141.

[10] Marc Joye. Anonymous identity-based cryptosystems. Technical Report v0.3, Technicolor, Los Altos, September 2014. US Provisional Patent Application 62/055731, filed September 26, 2014, docket number PU 140143.

[11] Marc Joye. Making Cocks ciphertexts anonymous without ciphertext expansion.

Technical Report v0.4, Technicolor, Los Altos, September 2014. US Provisional Patent Application 62/055738, filed September 26, 2014, docket number PU140145.

Abbreviations

PEKS Public-key encryption with keyword search

QR Quadratic residuosity

RSA Rivest- Shamir- Adleman

Table 1. List of used abbreviations

Public-key encryption with keyword search [5] is a form of encryption that allows searching for keywords that may be included on data that is encrypted using a public-key system. A typical application, for example, is for an email gateway to test whether or not the keyword "urgent" is present in an email. The gateway then routes the email if it is the case. Of course the gateway should only learn whether the word "urgent" is present but nothing else about the email. In the email use-case, another practical application is to test the sender' s name of the email.

Formally, we define a publicly encryption with keyword search scheme [6] (or PEKS in short) as a tuple of four algorithms (KEYGEN, PEKS, TRAPDOOR, TEST). The generalized framework of the process is illustrated as process 300 in Figure 3.

Key generation The key generation algorithm KEYGEN 310 is a randomized algorithm that takes as input some security parameter κ and outputs a matching pair

R

(upk, usk) of public key and private key: (upk, usk) <- KEYGEN(1^K).

Public-key encryption with keyword search (PEKS) Let W denote the keyword space. The PEKS algorithm PEKS 320 takes as input a public key upk and a keyword w £ W illustrated as element 340, and returns a searchable ciphertext S. We write

S <- PEKS_upk(w).

Trapdoor The trapdoor algorithm TRAPDOOR 330 takes as input the private key usk (corresponding to upk) and a keyword w 340, and returns a trapdoor T_w for keyword w. We write T_w <- TRAPD00R_usk(w). This algorithm may be performed by a receiving terminal, which transmits the trapdoor T_w to a proxy device.

Test The test algorithm TEST 350 takes on input a searchable ciphertext S and a trapdoor T_w, and returns a bit b. A bit b with 1 means "accept" or "yes", and a bit b with 0 means "reject" or "no". We write b <- TEST(S, T_w). This algorithm may be performed by a proxy device, which receives the trapdoor T_w and the searchable ciphertext S, to determine the presence of the keyword in the ciphertext, and then processes the message accordingly, for example, forward the message to the receiving terminal in a designated manner.

We require that, with non-negligible probability,

TEST(PEKS_upk(w), TRAPDOOR_usk(w)) = 1 for all keywords w≡ W.

The keys generated in process step 310 are provided as necessary for the PEKS step 320 and Trapdoor step 330. The specific processes associated with each of these steps as they relate to the present principles is described in further detail below. Complexity assumptions

It is useful to introduce some notation. Let N = pq be the product of two (odd) primes p and q. The Jacobi symbol modulo N of an integer a is denoted by /_w (a) . The set of integers whose Jacobi symbol is 1 is denoted by _N , _N = {a G Έ_Ν* \]_Ν ά) = 1); the set of quadratic residues is denoted by Q _W, Q _W = {a G ¾ |/_p (a) = J_q (a) = 1). Note that Q _W is a subset of J _N.

Definition 1 (Quadratic Residuosity Assumption). Let RSAGen be a probabilistic algorithm which, given a security parameter κ, outputs primes p and q and their product N = pq . The Quadratic Residuosity (QR) assumption asserts that the success probability defined as the distance

Pr [ V(x, N) = l \x - QR_N] - Pr [ V (x, N) = l |x j_w \ QM_w] is negligible for any probabilistic polynomial-time distinguisher D ; the probabilities are taken over the experiment of running (N, p, q) <- RSAGen ( 1^K) and choosing at random x G QR_N and x G j_N \ QR_N.

Random oracle model: The random oracle model is an idealized model introduced by

Bellare and Rogaway [4] to analyze the security of certain cryptographic constructions using hash functions. Informally, the random oracle model assumes that the output of a hash function behaves as the output of a random generator.

Technical problems to solve

Most implementations of PEKS schemes rely on somewhat non-standard assumptions. In particular, it might desirable to have PEKS schemes that are not based on bilinear maps. There is therefore a need for PEKS schemes whose security rely on more standard

assumptions like the quadratic residuosity assumption (QR). Such a scheme was put forward in [8] by Di Crescenzo and Saraswat. We note that, in the original version, Di Crescenzo and Saraswat introduced a new security assumption which was later shown in [3] to be equivalent to the QR assumption. The ciphertexts are somewhat long: they require 4/ elements of Έ/ΝΈ where k is the length of the keywords represented as bit-strings.

SUMMARY OF THE INVENTION

The present principles provide practical PEKS schemes (including, by reducing the size of the searchable ciphertexts by a typical factor of 2) and without impacting the security: security is based on the standard quadratic residuosity assumption.

In one aspect, the present principles provide a method of generating a public-key encryption with keyword search (PEKS) ciphertext S based on a message m having a keyword w associated with the message, comprising: accessing the keyword w; accessing a user public key upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely

£_W : {0,1}^*→ 1/N1, s■→ d = Q_w (s such that J_N(d² - K (w)) = J_N(d² - uK(w =

— 1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \

Q _W generating a ciphertext S of the keyword w associated with the message m, by selecting fc-bit integer x =∑ ^~^ x_t 2' (with x_t G {0,1}), R = Jf(w) ; for i = 0, ... , k - 1, choosing t_it tj G Έ/ΝΈ, determining

¾ = (-!)¾(¼). ^{mod N}'

¼ = od N , where

d = Q_w(s), choosing random bits ?i,;, ?2,i G {0_<1}, and setting q = c^¹ ^ and = c^² ^ and returning S = PEKS_upk(w) = {x, ε₀, c₀, έ₀, c₀, ... , c_fc_₁₍ c_{fc-- 1}}; and transmitting the ciphertext S via a communications channel. An apparatus for

implementing the above method is also provided in another aspect of the present principles.

In another aspect, the present principles provide a method for determining the presence of a keyword w associated with a message m, in a public-key encryption with keyword search (PEKS) ciphertext C = {c, S}, wherein c = ENCRYPT_upk(m) , and S = PEKS_upk(w), comprising: accessing the ciphertext portion S from the ciphertext C, where S = PEKS_upk(w) = {x, ε₀, c₀, ₀, c₀, ... , ε^, ε^, έ^, δ^}; accessing a trapdoor T_w; and determining whether the ciphertext portion S corresponds to a keyword w using the trapdoor T_w by setting R = J{(w) and d = Q_w (^<?) , where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, wherein if T_w ²≡ R (mod N), where N is a composite number , then setting

vi ^{= ε}ί _> Yi ^{= c}i f°^r 0 < i < k— 1, and Δ = R, otherwise

vi ⁼ ^i , Yi = Ci for 0 < i < k— 1, and Δ = uR, where u E _N \ Q _W

and determining the following:

^ana

bi = 1 if Tj = j · (1— 2xj), otherwise fej = 0, and determining that ciphertext S corresponds to keyword w if b_t = 1 for all 0 < i < k— 1. An apparatus for implementing the above method is also provided in another aspect of the present principles.

In another aspect, the present principles provide a method of generating and processing a public-key encryption with keyword search (PEKS) ciphertext S based on a message m having a keyword w associated with the message, comprising:

a sending terminal: generating, by an encryption device, the ciphertext S by:

accessing the keyword w associated to the message m; accessing a user public key upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and (£_/w) is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely £_W: {0,1}^*→ %/N%, s >→ d = Q_w (s) such that J_N (d² - Jf (w)) = J_N(d²— uJf (w)) =— 1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ Q _W; generating a ciphertext S of the keyword w in the message m, by selecting k -bit integer x = jo X; 2^l (with x_t G {0,1}), R = Ή (w) ; for ί = 0, k— 1, choosing tj, t; G Έ/ΝΈ, determining

β c-⁽⁰⁾d + 4ff

= (-!)¾(¼). c_iW = t_i + - mod N, _c.⁽ⁱ⁾ = -L___ _{mod Ni} i = -l^)¾i7_W(ti), ¼⁽⁰⁾ = ii + f mod N, i¹⁾ = )₊ ^mod _' ^where d = Q_w(s), choosing random bits ?i,;, ?2_,i G {0_<1}, and setting q = c^¹ ^ and q = ^^{2 ΐ} and returning S = PEKS_upk(w) = {x, ε_0< c₀, ε_0< c₀, ... , ε_¾_₁₍ accessing the message m, generating a ciphertext of the message c = ENCRYPT_upk(m) ; generating a keyword searchable ciphertext message C = {c, S}; and transmitting the keyword searchable ciphertext message C = {c, S} to a proxy device; and

a proxy device: receiving the searchable ciphertext message C = {c, S] and a trapdoor T_w for the keyword w; and processing, by the proxy device, to determine whether the keyword w is associated with the ciphertext message C = {c, S] using the trapdoor T_w . An apparatus for implementing the above method is also provided in another aspect of the present principles.

In another aspect the present principles provide A method of processing a trapdoor T_w associated with a keyword w, comprising: accessing a user public key

upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely £_W: {0,1}^*→ %/N%, s >→ d = Q_w (s) such that J_N (d² - Jf (w)) = J_N(d²— uJf (w)) =— 1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ Q _W; generating the trapdoor T_w by setting R = J (w), and if R G Q _N then setting T_w = ff ^1/2 mod N, otherwise setting T_w = (uR)^1/2 mod N; and transmitting the trapdoor T_w to a proxy device. An apparatus for implementing the above method is also provided in another aspect of the present principles.

DETAILED DESCRIPTION OF THE DRAWINGS

The above-mentioned and other features and advantages of the present principles, and the manner of attaining them, will become more apparent and the principles will be better understood by reference to the following description of embodiments of the invention taken in conjunction with the accompanying drawings, wherein:

Figure 1 shows an exemplary apparatus according to the present principles;

Figure 2 shows an exemplary system according to the present principles; and

Figure 3 shows an exemplary system including exemplary processes according to the present principles.

The examples set out herein illustrate exemplary embodiments of the invention.

Such examples are not to be construed as limiting the scope of the invention in any manner.

DETAILED DESCRIPTION The present principles provide for a PEKS scheme based on the anonymous identity-based cryptosystems described in [10] (Marc Joye. Anonymous identity-based cryptosystems. Technical Report v0.3, Technicolor, Los Altos, September 2014. US

Provisional Patent Application 62/055731, filed September 26, 2014, docket number PU140143), and [11] (Marc Joye. Making Cocks ciphertexts anonymous without ciphertext expansion. Technical Report v0.4, Technicolor, Los Altos, September 2014. US Provisional Patent Application 62/055738, filed September 26, 2014, docket number PU140145).

Informally, in a PEKS scheme, a sender can send messages in encrypted form to a receiver so that the receiver can allow a designated proxy to search for keywords in the encrypted messages without incurring any (additional) loss of privacy. In [5], Boneh et al. suggest the following methodology: The sender encrypts the message being sent with a (regular) public -key cryptosystem; She appends to the resulting ciphertext a PEKS for each keyword.

In more detail, to encrypt a message m with searchable keywords w₁₍ ... , w_n for the receiver with public key upk, the sender computes and sends

c = ENCRYPT_upk(m) , S_t = PEKS_upk(_Wl) S_n = PEKS_upk(w_n).

The whole ciphertext is C = {c, 5₁₍ ... , S_n). Now if the receiver has given a proxy a trapdoor T_w . for keyword Wj then this proxy can test whether the corresponding plaintext m contains the keyword w_j , but nothing more.

A conversion to turn an anonymous identity-based scheme (under certain conditions) into a PEKS scheme is developed in [5]. Some subsequent refinements are described in [2]. Exemplary embodiments

First exemplary embodiment

The exemplary embodiments are now described in detail in the framework of the generalized process 300.

Our first exemplary cryptosystem makes use of [10] as building block. For slightly better efficiency, instead of verifying whether x_t =— j— - (for 0 < i < k— 1), the TEST algorithm equivalently verifies whether Tj = j · (1— 2x;). In detail, the cryptosystem is as follows.

KEYGEN(1^K) Given a security parameter κ, KEYGEN generates an RSA modulus

N = pq where p and q are prime. It defines a security parameter k depending on κ. It selects a bit-string 5 and an element u E _N \ Q _W. The user's public key is upk = {N, k, u,K, [Q_w], s] where Ή is a cryptographic hash function mapping bit- strings to J_N (i.e., Jq: {0,1}*^→ J_J ) ^and {Qw} is ^a family of functions mapping bit-strings to a subset of Έ/ΝΈ, namely

Q_w: {0,1}*→ Έ/ΝΈ,σ >→ d = Q_w s) such that J_N(d² - 4K(w)) = J_N(d² - 4uM (w)) = -1.

The user's private key is usk = {p, q}.

PEKS_upk(w) To encrypt a keyword w G {0,1}*, PEKS selects a k -bit integer x =∑i=o *i 2^; (with x_t G {0,1}). It defines R = K(w .

Next, for i = 0, ... , k— 1, it does the following:

choose at random t_i( q G Έ/ΝΈ;

let

^ = (-l)^¾i ta q^ ^-mod N, _c.(ⁱ) ==-L___ _{mod Ni ί Λ} uR _{( Λ} q⁽⁰⁾d + 4uff

l = (-l)^XiJ_N(t_i), c_£ W = t_£ + mod N, W = ' mod N, q ^J + d

where d = Q_w(s);

choose random bits β_1ιί,β₂,ί £ {0,1} and set q = c^^{l l)} and q = ^²

PEKS returns the searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , E_fc_₁₍ c_k__lt i_k_₁, <?_¾_ι}·

TRAPDOOR_usk(w) Given keyword w, trapdoor algorithm TRAPDOOR first sets

R = Ή (w). If R G Q _W it computes 7_W = ff¹/² mod N; otherwise it computes

T_w = (uR)^1/2 mod N. TRAPDOOR returns T_w.

TEST(5, T_w) For keyword w, TEST uses trapdoor T_w. Let ff = Ή (w) and d = Q_w(s). From searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , £_k__lt c_k__lt i_k__lt c_k_₁], if

T_w ²≡ R (mod N), TEST sets V; = q, 7; = q for 0 < i≤ k - 1, and A = R;

otherwise it sets _j = q, 7; = q for 0 < i < k— 1, and Δ = uR.

Next, for i = 0, ... , k— 1, it does the following:

set σ_; =;_w 7;² -4Δ);

set

^Τί

1 ' set bi = 1 if T_j = _j · (1— 2x_;); set fe_j = 0 otherwise;

TEST returns 1 if and only if q = 1 for all 0 < i < k— 1; and 0 otherwise. Remark 1. As an alternative, the test algorithm can evaluate q as τ = /_w(7i— 2T_W) when σ_; = 1 and as r_t = (7ί - 2T_w)(d + 2T_w)(d - y;)) = -;_w((7i - 2T_w)(d - 2T_w)(d - Yi)) = -JN((YI + 2T_w)(d + 2T_w)(d - γ)) when σ = -1. Also the value of J_N(d + 2T_W) or of J_N(d— 2T_W) can be precomputed.

Remark 2. Input 5 can be the empty string in the PEKS/test algorithm.

Remark 3. In a practical implementation, for better efficiency, the PEKS algorithm can randomly draw t_it tj G Έ/ΝΈ, 0 < i < k— 1.

Second exemplary embodiment

Let £ represent the bit-length of RSA modulus N. Similarly to [9], the previous scheme can be adapted so that the searchable ciphertext needs at most (2£ + l)k bits for its representation— the previous implementation needs (2£ + 3)k bits. Here is an

implementation of a so-obtained cryptosystem.

KEYGEN(1^K) Given a security parameter κ, KEYGEN generates an RSA modulus

N = pq where p and q are prime. It defines a security parameter k depending on κ. It selects a bit-string 5 and an element u G _N \ QM_W. The user's public key is upk =

{N,k,u,J ,{Q_w},s} where Ή is a cryptographic hash function mapping bit- strings to _N

(i.e., Jfj: {0,1}*^→ Jw) and (£/_w) is a family of functions mapping bit-strings to a subset of

Έ/ΝΈ, namely

g_w: {0,1}*→ Έ/ΝΈ, σ i→d =g_w(s) such that J_N(d² - H (w)) = J_N(d² - uH (w))

= -1.

The user's private key is usk = (p, q}.

PEKS_upk(w) To encrypt a keyword w G {0,1}*, PEKS selects a k -bit integer x ^xi ²ⁱ (with xt G {0,1}). It defines R = K(w .

Next, for i = 0, ... , k— 1, it does the following:

choose at random tj,tj G Έ/ΝΈ;

let

, (o) R , (l) c^d + R

£'i = (-iyⁱJ_N(t_i), c i = ti +- mod N, c i = _{(0) + d} mod N, ε i = (-1)^¾ί ¾ mod N,

where d = Q_w(s);

, (βι,ΰ , , (β₂,ΰ choose random bits β_1>ί,β_2ιί G {0,1} and set c _t = c _t and c _t = c _t

define C_j =min(c' _it N— c' ) and =min(c' i,N— c'j) ; if q = c'i then define q = ε' i , otherwise define

^' likewise, if q = 'j then define q = έ';; otherwise define

PEKS returns the searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , c_k__lt i_k__lt <?_¾_ι}.

TRAPDOOR_usk(w) Given keyword w, trapdoor algorithm TRAPDOOR first sets

R = Ή (w) . If R £ Q _W it computes T_w = R¹^² mod N; otherwise it computes

T_w = (uR)¹/² mod N. TRAPDOOR returns T_w.

TEST(S, T_w) For keyword w, TEST uses trapdoor T_w. Let ff = (w) and d = Q_w(s). From searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , £_k__lt c_k__lt i_k__lt c_k_₁], if T_w ²≡ R (mod N), TEST sets v_£ = q, 7; = q for 0 < i < k - 1, and Δ = R;

otherwise it sets j = q, 7; = q for 0 < i < k— 1, and Δ = uR.

Next, for i = 0, ... , k— 1, it does the following:

set σ_; = ;_w(7_i ² - 4Δ);

set

set bi = 1 if Tj = j · (1— 2x;); set fej = 0 otherwise;

TEST returns 1 if and only if b_t = 1 for all 0 < i < k— 1; and 0 otherwise.

Remark 4. For slightly better efficiency, as a variant, the PEKS algorithm can directly evaluate q as q = J_N(— ( d + 2R)(d + 2q)) when q≠ c j and ^ j = 1. Likewise, it can evaluate q as q = (qd + 2uR) (d + 2q)) when q≠ c' _£ and ?_2,; ⁼ 1·

Remark 5. As an alternative, the test algorithm can evaluate q as τ = /_w(7i — 2T_W) when aj = 1 and as q = /_w((7i - 27_w)(d + 27_w)(d - y ) = -;_w((7; - 27_w)(d - 2T_w)(d - 7;)) = -y_w((7; + 2T_w)(d + 2T_w)(d - 7;)) when σ = -1. Also the value of J_N (d + 2T_W) or of J_N(d— 2T_W) can be precomputed. Third exemplary embodiment

Analogously to [7], instead of choosing q (resp. ) as a random element in Έ/ΝΈ in the PEKS algorithm, one can select t_t (resp. tj) such that = (— l)^¾i (resp.

= (^— 1)^¾9· In this case, we always have q = 1 (resp. q = 1) and it is therefore no longer needed to transmit it as part of the searchable ciphertext. In this case too the searchable ciphertext needs at most (2£ + l)k bits for its representation

KEYGEN(1^K) Given a security parameter κ, KEYGEN generates an RSA modulus

N = pq where p and q are prime. It defines a security parameter k depending on κ. It selects a bit-string 5 and an element u

QM_W. The user's public key is upk =

{N,k,u,J ,{Q_w},s} where Ή is a cryptographic hash function mapping bit- strings to _N (i.e., J . {0,1}*^→ JJ ) ^and {Qw} is ^a family of functions mapping bit-strings to a subset of Έ/ΝΈ, namely

Q_w: {0,1}*→ Έ/ΝΈ, σ■→ d = Q_w(s such that J_N(d² - K (w)) = J_N(d² - uK(w

= -1.

The user's private key is usk = {p, q}.

PEKS_upk(w) To encrypt a keyword w G {0,1}*, PEKS selects a k -bit integer x ^xi ²ⁱ (with x_t G {0,1}). It defines R = K(w .

Next, for i = 0, ... , k— 1, it does the following:

choose at random t^ G Έ/ΝΈ such that /_w(t;) = =

let

R c^d + R

q(°) = q + - mod N, q⁽¹⁾ = — mod N,

^{1 1} ti ¹ q(°) + d

uR _{( Λ} q⁽⁰⁾d + 4uff

c °) = t _; +— mod N, q⁽¹⁾ = mod N,

ti Ci^W + d

where d = Q_w(s);

choose random bits ?i,;, ?2,i ^G {0,1} and set q = c^^ll) and q = ^²'-¹.

PEKS returns the searchable ciphertext S = {x, c₀, c₀, ... , c_k_₁, <?¾_ι}.

TRAPDOOR_usk(w) Given keyword w, trapdoor algorithm TRAPDOOR first sets

R = Ή (w). If R G Q _W it computes T_w = ff¹/² mod N; otherwise it computes

7_w = (uR)¹/² mod N. TRAPDOOR returns T_w.

TEST(S, T_w) For keyword w, TEST uses trapdoor T_w. Let ff = (w) and d = i/_w(s). From searchable ciphertext S = {x, c₀, c₀, ... , c_k_₁, c_k_₁], if

T_w ²≡ R (mod N), TEST sets y_t = q for 0 < i < fc— 1, and A = R; otherwise it sets

7; = q for 0 < i < k— 1, and Δ = uR.

Next, for i = 0, / — 1, it does the following: set σ; =]_Nji² - 4Δ);

set

1 ' set bi = 1 if Tj = (1— 2x;); set = 0 otherwise;

TEST returns 1 if and only if b^ = 1 for all 0 < i < k— 1; and 0 otherwise.

As an alternative, the test algorithm can evaluate τ as τ = /_w(7i— 2T_W) when σ_; = 1 and as τ_{ = - 2T_w)(d + 2T_w)(d - γ)) = -]_N(fyi - 2T_w)(d - 2T_w)(d -

Yi)) = -JN((YI + 2T_w)(d + 2T_w)(d - γ)) when σ = -1. Also the value of J_N(d + 2T_W) or of J_N(d— 2T_W) can be precomputed.

Fourth exemplary embodiment

Instead of selecting parameter d as the output of a family of functions, it can be chosen as, for example, the smallest nonnegative integer d such that J_N(d²— Jf (w)) = J_N(d²— uJf (w)) =— 1. We give below an illustration with the first exemplary embodiment. A similar embodiment can be obtained for the second or the third exemplary embodiments.

The advantage is that the user's public -key is smaller since {Q_w} and string 5 are not explicitly included in upk.

KEYGEN(1^K) Given a security parameter κ, KEYGEN generates an RSA modulus N = pq where p and q are prime. It defines a security parameter k depending on κ. It also selects an element ii £j_w\ Q _W. The user's public key is upk = {N, k, u, Ή } where Ή is a cryptographic hash function mapping bit- strings to _N (i.e., J . {0,1}*^→ Jw). The user's private key is usk = {p, q}.

PEKS_upk(w) To encrypt a keyword w G {0,1}*, PEKS selects a k -bit integer x

(w). Next, it tries d = 0,1,2, ... until J_N(d² - 4ff) = J_N(d² - 4uR) = -1.

For ί = 0, ... , k— 1, it does the following:

choose at random tj,tj G Έ/ΝΈ;

let

i = (-!)¾(¼). Ci⁽⁰⁾ = ti +- mod N, qm mod N,

c;(° + d ε, c-i)^¾i ta mod N;

choose random bits β , β_2,ί ^G {0_*1} and set q = q ^¹ ') and q = ^²

PEKS returns the searchable ciphertext S = (x, ε₀, c₀, έ₀, c₀, ... , £_k__lt c_k_₁, i_k_₁, <?_¾_ι}·

TRAPDOOR_usk(w) Given keyword w, trapdoor algorithm TRAPDOOR first sets R = Ή (w) . If R £ Q _W it computes T_w = ff¹/² mod N; otherwise it computes

T_w = (uR)^1/2 mod N. TRAPDOOR returns T_w.

TEST(5, T_w) For keyword w, TEST uses trapdoor T_w. Let ff = (w). From searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , _k_ , c_k_ , i_k_ , c_k_ i), if T_w ²≡ R (mod N), TEST sets j = q , 7; = Cj for 0 < i < k— 1, and Δ = R; otherwise it sets j = q ,

7; = q for 0 < i < k— 1, and Δ = uR.

Next, for i = 0, k— 1, it does the following:

set σ_; = ;_w(7;² - 4Δ);

set

set q = 1 if q = v_t ^■ (1— 2x_t ; set q = 0 otherwise;

TEST returns 1 if and only if bi = 1 for all 0 < i < k— 1; and 0 otherwise.

The value d used by TEST is the smallest nonnegative integer d such that

J_N (d²— 4ff) = J_N(d²— 4wff) =—1. This value can also be precomputed.

Remark 7. As an alternative, the test algorithm can evaluate -q as τ = ]_Ν{γι— 2T_W) when σ_; = 1 and as q = ]_N{(ji - 2T_w)(d + 2T_w)(d - 7;)) = -J_N ((YI ^~ 2T_w)(d - 2T_w)(d - 7;)) = -J_N((ji + 2T_w)(d + 2T_w)(d - 7;)) when σ = -1. Also the value of J_N (d + 2T_W) or of J_N(d— 2T_W) can be precomputed.

Fifth exemplary embodiment

It is possible to x the value of d as a global value to be used with all keywords and to include it in the user' s public-key. We again illustrate the technique with the first exemplary embodiment. A similar embodiment can be obtained for the second or third exemplary embodiments.

This can be achieved by specializing hash function Ή . Instead of considering a function mapping bit-strings to any element of _N, we require that, in addition, on input w, the output must satisfy the extra condition J_N(d²— 4ff) = J_N(d²— 4wff) =— 1 for some given d:

K_d:{0,l}*→J„,W H K_d(w) satisfying J_N(d² - 4K_d(w))

= ]_N{d² - _d(w)) = -1.

KEYGEN(1^K) Given a security parameter κ, KEYGEN generates an RSA modulus N = pq where p and q are prime. It defines a security parameter k depending on κ. It also selects an element u G _N \ Q _W and a global integer d. The user's public key is upk = {N, k, u, d, Ή_ά} where Ή_ά is a cryptographic hash function mapping bit-strings to N as per Eq. (1). The user's private key is usk = {p, q}.

PEKS_upk(w) To encrypt a keyword w G {0,1}*, PEKS selects a k -bit integer x =∑i=o X_t 2^l (with x_t G {0,1})· It defines R = K_d w .

For i = 0, ... , k— 1, it does the following:

choose at random t_i( q G Έ/ΝΈ;

let

β c-(°)d + 4ff

^ = (-!)¾(¼). q⁽⁰⁾ = q +- mod N, c_;W = '_c,(o) _{+ d} ^{mod N}- ί _Λ uR _i. q⁽⁰⁾d + 4uff

^ = = t_£ mod N, ⁽¹⁾ = ' mod N;

q q + a choose random bits β ,β₂,ί ^G {0_*1} and set q = q^¹') and q = ^²

PEKS returns the searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , c_fc_₁₍ ¾-ι}·

TRAPDOOR_usk(w) Given keyword w, trapdoor algorithm TRAPDOOR first sets

R = Ή (w). If ff G Q _W it computes T_w = R¹^² mod N; otherwise it computes

T_w = (uR)^1/2 mod N. TRAPDOOR returns T_w.

TEST(S, T_w) For keyword w, TEST uses trapdoor T_w. Let ff = Jf_d(w). From searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , _k_₁, c_k_₁, i_k_₁, c_k_ _i}, if T_w ²≡ R (mod N),

TEST sets j = q, y; = q for 0 < i < k— 1, and Δ = R; otherwise it sets V; = q,

Yi = q for 0 < ί < k— 1, and Δ = uR.

Next, for i = 0, k— 1, it does the following:

set σ_{ =]_{N {} ² -4Δ);

set

set bi = 1 if Tj = j · (1— 2x;); set b^ = 0 otherwise;

TEST returns 1 if and only if b_t = 1 for all 0 < i < k— 1; and 0 otherwise.

Remark 8. As an alternative, the test algorithm can evaluate T; as T =J_N(ji - 2T_W when a_i = 1 and as r_t =]_N((y_t - 2T_w)(d + 2T_w (d - y ) = -;_w((7i - 2r_w)(d - 2T_w)(d - Yi)) = -J_N((Yi + 2T_w)(d + 2T_w)(d - y_£)) when σ = -1. Also the value of y_w(d + 2T_W) or of 7_w(d— 2T_W) can be precomputed. Sixth exemplary embodiment

Assume now primes p and q satisfy the extra condition p≡— q (mod 4). In this case, we know that J_p(—1) =—J_q(—1) and therefore J_N(— 1) =—1. Note that it is easily verified that N is the product of two primes that are congruent modulo 4 by checking that N≡ 3 (mod 4).

This setting simplifies the cryptosystem. A nice observation is that d = 0 is a valid parameter when N≡ 3 (mod 4) since then ]_N(d²— J-C (w)) = ]_N(d²— uJ-C (w)) = 7JV(— 1) =— 1 as desired. Any cryptographic hash function Ή mapping bit-strings to _N can be used.

Again we illustrate the technique with the exemplary embodiment. A similar embodiment can be obtained for the second or third exemplary embodiments.

KEYGEN(1^K) Given a security parameter κ, KEYGEN generates an RSA modulus N = pq where p and q are prime and p≡—q (mod 4). It defines a security parameter k depending on κ. It also selects an element u G _N \ Q _W. The user's public key is upk = {TV, k,u, Ή} where Ή is a cryptographic hash function mapping bit-strings to _N. The user's private key is usk = (p, q}.

PEKS_upk(w) To encrypt a keyword w G {0,1}*, PEKS selects a k -bit integer x =∑i=o *i 2^l (with x_t G {0,1})· It defines R = K(w .

For ί = 0, ... , k— 1, it does the following:

choose at random t_j,t_j G Έ/ΝΈ;

let ff 4ff⁽⁰⁾

i = (-l)^XiJ_N(t_i), q^ t_;+-mod N, q⁽¹⁾ =— mod N,

q

uR uR (0)

= t;+— mod N, c,-^{1) = mod N;

1 ct choose random bits β_\ ,β2_,ί ^G {0,1} and set q = c^¹^ and q = c^²ⁱ

PEKS returns the searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , c_fc_₁₍ <?_¾_ι}.

TRAPDOOR_usk(w) Given keyword w, trapdoor algorithm TRAPDOOR first sets ff = Ή (w). If ff £ Q _W it computes T_w = ff¹/² mod N; otherwise it computes

T_w = (uR)¹/² mod N. TRAPDOOR returns T_w.

TEST(5, T_w) For keyword w, TEST uses trapdoor 7_W. Let ff = Ή (w). From searchable ciphertext S = {x, ε₀, c₀, έ₀, c₀, ... , _k_ , c_k_ , i_k_ , c_k_ i), if T_w ²≡ ff (mod

TEST sets j = q, Yi = c_t for 0 < i < k— 1, and A = R; otherwise it sets

Yi = Ci for 0 < i < k— 1, and Δ = uR.

Next, for i = 0, k— 1, it does the following:

set σ_; = 7;² -4Δ);

set

set bi = 1 if Tj = j · (1— 2x;); set bi = 0 otherwise;

TEST returns 1 if and only if b_t = 1 for all 0 < i < k— 1; and 0 otherwise.

Remark 9. For better efficiency, as a variant, the PEKS algorithm can first choose βι_,ί'βι_,ί at random in {0,1} and then sets q = t_t +— mod N if = 0 and q = mod N if β _ί = 1; and q = t,■ + ^ mod N if β₂ ,· = 0 and q = ⁴^^Rti mod N ti²+R ^¹'^{1 1 1} ti ¹ ii +UR

Remark 10. As an alternative, the test algorithm can evaluate Tj as τ = /_w(7i— 2T_W) when σ_; = 1 and as τ_; =— /_w((7i— 27_w)(27^, _wy_i)) when σ =—1. Also the value of J_N (2 T_w) can be precomputed.

Seventh exemplary embodiment

The seventh exemplary embodiment is to use any previous exemplary embodiments wherein the PEKS algorithm selects x at random in (0,l}^fe.

Eighth preferred embodiment

The eighth exemplary embodiment is to use any previous exemplary embodiments wherein the PEKS algorithm uses a fixed x in (0,l}^fe.

Ninth exemplary embodiment

The ninth preferred embodiment is to use any previous exemplary embodiments (except sixth exemplary embodiment) wherein p≡ q≡ 3 (mod 4) and u =— 1.

The new cryptosystems described hereinabove provide several advantages, including: shorter searchable ciphertexts; non- interactive (i.e., the sender does not interact with the receiver when producing a searchable ciphertext); numerous variants; and strong security guarantees.

The proposed encryption schemes can be used in any application requiring searching keywords in encrypted data, without any further (additional) loss in data privacy

(confidentiality). An example application is for an email gateway to test whether or not a particular keyword that requires specific handling, for example, the keyword "urgent," is present in an email. The gateway then routes the email in the specified manner if the keyword is found in the email. Of course, in this example, the gateway should only learn whether the word "urgent" is present but nothing else about the email. In the email use-case, another useful application is to test the sender's name of the email. Further applications for PEKS can be found in [5] and [2]. Of particular interest is the concept of temporarily searchable encryption [2]. It is clear that the present principles may be used in any application where an encrypted ciphertext is sent, and a proxy should determine the presence of designated keywords, and process or route the ciphertext accordingly.

FIG. 1 illustrates a block diagram of an exemplary system in which various exemplary embodiments, in whole or in part, of the present principles may be implemented. System 100 may be embodied as a device including the various components described below and is configured to performed the processes described above. Examples of such devices, include, but is not limited to, personal computers, laptop computers, smartphones, tablet computers, digital multimedia set top boxes, digital television receivers, personal video recording systems, connected home appliances, and servers. System 100 may be communicatively coupled to other similar systems, and to a proxy device via a communication channel as shown in FIG. 2 and as known by those skilled in the art to implement the exemplary cryptosystems described above.

The system 100 may include at least one processor 110 configured to execute instructions loaded therein for implementing the various processes as discussed above.

Processor 110 may include embedded memory, input output interface and various other circuitry as known in the art. The system 100 may also include at least one memory 120 (e.g., a volatile memory device, a non-volatile memory device). System 100 may additionally include a storage device 140, which may include non-volatile memory, including, but not limited to, EEPROM, ROM, PROM, RAM, DRAM, SRAM, flash, magnetic disk drive, and/or optical disk drive. The storage device 140 may comprise an internal storage device, an attached storage device and/or a network accessible storage device, as non-limiting examples. System 100 may also include an encryption/decryption module 130 configured to process data to provide an encrypted message or decrypted message.

Encryption/decryption module 130 represents the encryption and/or decryption module(s) that may be included in a device to perform its appropriate functions. As is known, a device may include one or both of the encryption and decryption modules, for example, encryption may be done on a regular PC since encryption does not involve secret key so that the PC need not include secure memory for storing the encryption key.

Decryption however, requires secret keys (i.e., the decryption key) and is done in a secure device, for example a smart card. As memory is expensive on smart card, the encryption functionality may not always be provided on a smart card. The encryption and/or decryption may be performed using shared resources as known to those skilled in the art. Additionally, encryption/decryption module 130 may be implemented as a separate element of system 100 or may be incorporated within processors 110 as a combination of hardware and software as known to those skilled in the art.

It is clear that the algorithms for Trapdoor 330, and PEKS 320 may be implemented within various components of system 100. For example, these algorithms may be implemented in part, or in whole, in portions of the encryption/decryption module 130 or in processor 110, as either hardware, software, or some combination of both as known by those skilled in the art.

Program code to be loaded onto processors 110 to perform the various processes described hereinabove may be stored in storage devices 140 and subsequently loaded onto memory 120 for execution by processors 110. In accordance with the exemplary embodiments of the present principles, one or more of the processor(s) 110, memory 120, storage device 140 and encryption/decryption module 130 may store one or more of the various items during the performance of the processes discussed herein above, including, but not limited to a public key, a private keys, encrypted messages, equations, formula, matrices, variables, operations, and operational logic.

The system 100 may also include communication interface 150 that enables communication with other devices via communication channel 160. The communication interface 150 may include, but is not limited to a transceiver configured to transmit and receive data from communication channel 160. The communication interface may include, but is not limited to, a modem or network card and the communication channel may be implemented within a wired and/or wireless medium. The various components of system 100 may be connected or communicatively coupled together using various suitable connections, including, but not limited to internal buses, wires, and printed circuit boards.

As a non-limiting example, one or more of the above-identified components may receive and/or store the information (e.g., to be encrypted) and/or the ciphertext (e.g., to be decrypted, to be operated on homomorphically, resulting from encryption). As a further non- limiting example, one or more of the above-identified components may receive and/or store the encryption function(s) and/or the decryption function(s), as described herein above.

The exemplary embodiments of this invention may be carried out by computer software implemented by the processor 110 or by hardware, or by a combination of hardware and software. As a non-limiting example, the exemplary embodiments of this invention may be implemented by one or more integrated circuits. The memory 120 may be of any type appropriate to the technical environment and may be implemented using any appropriate data storage technology, such as optical memory devices, magnetic memory devices,

semiconductor-based memory devices, fixed memory and removable memory, as non- limiting examples. The processor 110 may be of any type appropriate to the technical environment, and may encompass one or more of microprocessors, general purpose computers, special purpose computers and processors based on a multi-core architecture, as non-limiting examples.

FIG. 2 illustrates an arrangement wherein data is exchanged between two terminals

210 and 220, via proxy device 260 in accordance with the present principles. Each of the terminals 210 and 220 include encryptor/decryptor modules 230 and 240, respectively, and may additionally include each of the other components of system 100 described above, as appropriate. Terminals 210 and 220 are communicatively coupled to each other via communication channel 250, which may be implemented via wired and/or wireless medium. Additionally, arrangement 200 includes a proxy 260 communicatively coupled to terminals 210 and 220, wherein proxy 260 receives the ciphertext generated by terminal A (or terminal B), and checks for the presence of keyword(s) in the ciphertext and processes the ciphertext accordingly, by for example, by forwarding the ciphertext to terminal B (or terminal A) in a designated manner. In an exemplary embodiment: terminal 210, for example, possesses the public key and private key pair and generates the trapdoor; terminal 220 encrypts the message, including a keyword, and transmits the encrypted message via communication channel 250, where it is received by proxy 260; and proxy 260 checks for the presence of the keyword in the encrypted message, and processes the message accordingly, by for example expediting the transmission of urgent messages or delaying transmission of low priority messages.

Proxy 260 may be disposed with or separately with either terminals A and/or B as desired.

The foregoing has provided by way of exemplary embodiments and non-limiting examples a description of the method and systems contemplated by the inventor. It is clear that various modifications and adaptations may become apparent to those skilled in the art in view of the description. However, such various modifications and adaptations fall within the scope of the teachings of the various embodiments described above.

The embodiments described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed may also be implemented in other forms (for example, an apparatus or program). An apparatus may be implemented in, for example, appropriate hardware, software, and firmware. The methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs"), and other devices that facilitate communication of information between end-users.

Reference to "one embodiment" or "an embodiment" or "one implementation" or "an implementation" of the present principles, as well as other variations thereof, mean that a particular feature, structure, characteristic, and so forth described in connection with the embodiment is included in at least one embodiment of the present principles. Thus, the appearances of the phrase "in one embodiment" or "in an embodiment" or "in one

implementation" or "in an implementation", as well any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment. Additionally, this application or its claims may refer to "determining" various pieces of information. Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.

Further, this application or its claims may refer to "accessing" various pieces of information. Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.

Additionally, this application or its claims may refer to "receiving" various pieces of information. Receiving is, as with "accessing", intended to be a broad term. Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory). Further, "receiving" is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.

As will be evident to one of skill in the art, implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted. The information may include, for example, instructions for performing a method, or data produced by one of the described embodiments. For example, a signal may be formatted to carry the bitstream of a described embodiment. Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal. The formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream. The information that the signal carries may be, for example, analog or digital information. The signal may be transmitted over a variety of different wired and/or wireless links, as is known. The signal may be stored on a processor-readable medium.

Claims

CLAIMS:

A method of generating a public -key encryption with keyword search (PEKS) ciphertext S based on a message m having a keyword w associated with the message, comprising:

accessing the keyword w;

accessing a user public key u pk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely Q_w : {0,1}* ^→ /N , s i→ d = Q_w (s) such that J_N (d² - 4Jf (w)) = J_N (d² - AuK(w)) = -1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ generating a ciphertext S of the keyword w associated with the message m, by selecting k -bit integer x = jo X; 2^l (with x_t G {0,1}), R = Jf (w) ; for i =

0, ... , k - 1, choosing t_it t_t G Έ/ΝΈ, determining here

d = _w (s), choosing random bits ?i,;, ?2,i £ {0,1}, and setting c_i = c_i^¹¹^ and Cj = Ci ^^{2 i} and returning S = PEKS_upk(w)

= {x, £₀, c₀, £₀, c₀, ... , c¾_i, ¾_ι}; and

transmitting the ciphertext S via a communications channel.

The method according to claim 1 , further comprising: accessing the message m;

generating a ciphertext of the message c = ENCRYPT_upk(m) , and generating a keyword searchable ciphertext message C = {c, S}; and transmitting the keyword searchable ciphertext message C via the communications channel.

3. The method according to claims 1-2, wherein the generating step randomly draws q, G Έ/ΝΈ, 0 < i≤ k - 1.

4. The method according claims 1 -2, wherein if £ represents the bit-length of RSA modulus N, the searchable ciphertext S is represented by at most (2£ + l)k bits.

5. The method according to claim 4, wherein the setting of q, c_it e_it and q in the

generating step is replaced with the following

ε'ί = (-l)^¾i ti), c'^ ^- mod N, ^ = ,) _{+ d} ^{mod N}> r_m uR _m q⁽⁰⁾d + 4uR

έ'ί = c'_f ⁽⁰⁾ = t_f +^mod N c'_f ⁽¹⁾ = ' mod N q + d

choosing random bits β_ί ι,β_2ιί £ {0,1} and setting c'j =

defining q = min (c'^N— c'_t) and q = min (c';,N— c'j);

if C_j = c'_j then define q = otherwise define

^£i

'

likewise, if q = c'_t then define q = έ ; otherwise define

^"

The method according to claim 5, wherein q = J_N(— (qd + 2R)(d + 2q)) when q≠ c'j and

= 1, and q = J_N(— (qd + 2uR)(d + 2q)) when q≠ c'j and

7. The method according to claims 1-2, wherein q, q G 7L/N7L are chosen such that h(t_t) =]_N(t_t) = (-l ^Xi.

8. The method according to claims 1-2 or 5-7, wherein the parameter d is chosen as the smallest nonnegative integer d such that J_N(d² — 4Jf(w)) = J_N(d² — uJf (w)) = — 1, and {Q_w} and string 5 are not explicitly included in the user' s public key upk so that u p k = {N, k, u, J-C]

9. The method according to claims 1-2 or 5-7, wherein d is a fixed global value used with all keywords and is included in the user public key, and wherein for a given d: K_d:{0,l}*→ J„,W H K_d(w) satisfying J_N(d² - 4K_d(w)) =

J_N(d²— 4wJf_d(w)) =—1, and wherein the user's public key upk = {N, k, u, d, Ή}.

10. The method according to claims 1-2 or 5-7, wherein p and q are primes that satisfy the condition p≡— q (mod 4), such that ]_v{— 1) =— Jq(^~ 1) and J_N(— 1)

1. and wherein the user's public key upk = {N, k, u, Ή }, where Ή is a cryptographic hash function mapping bit- strings to _N.

11. An apparatus for generating and transmitting a public -key encryption with keyword search (PEKS) ciphertext C, comprising:

an encryption device configured to access a keyword w associated to a message m and a user public key upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely Q_w: {0,1}*^→

/N ,s i→ d = Q_w(s) such that J_N(d² - 4Jf(w)) = J_N(d² - 4uK(w)) = -1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ Q _W, and to generate a ciphertext S of the keyword w associated with the message m, by

selecting k -bit integer x =

Xj 2^l (with x_t G {0,1}), R = Jf(w);for i =

0, ...,k - 1, choosing t_it tj G Έ/ΝΈ, determining

£i = (-!)¾(¼). ^{mod N}'

¼ = (-l)^¾i ta od N , where

d = Q_w (s), choosing random bits β_{1 :}ι,β₂,ί G {0,1}, and setting c_t = c^¹^ and Cj = Ci^^{2 i} and returning

ciphertext S = PEKS_upk(w) = {x, ε₀, c₀, έ₀, c₀, ... , c_fc_₁₍ c_fe__!}; and a communications interface, coupled to the encryption device and a communications interface, and configured to receive the ciphertext S and to transmit the ciphertext S via the communications channel.

12. The apparatus according to claim 11, wherein the encryption device is further

configured to access the message m, generate a ciphertext of the message c = ENCRYPT_upk(m), generate a keyword searchable ciphertext message C = {c, S}, and to transmit the keyword searchable ciphertext message C to the communications interface.

13. The apparatus according to claims 11-12, wherein the encryption device is further configured to randomly draw t_it i_t £ Έ/ΝΈ, 0 < i < k— 1.

14. The apparatus according to claims 11-12, wherein if £ represents the bit- length of RSA modulus N, the searchable ciphertext S is represented by at most (2£ + l k.

15. The apparatus according to claim 11-12, wherein for setting q, q, q, and q, the encryption device is instead configured to set

ε'_ί = (-l)^¾i ti), C^ t^ - mod N, c'_f ⁽¹⁾ = mod N,

Cj q T

r_m uR _m q⁽⁰⁾d + 4uR έ'ί = (-!)¾(¼). c'i^m = ti + ^ mod N, c _f ⁽¹⁾ = ' mod N,

Cj T il choose random bits ?i,; , ?2_,i £ {0,1} and set c'_t = c'

define q = min ( c' , N— c'j) and q = min ( c';, N— c'j);

if Cj = c' j then define q = ε'^ ; otherwise define

'

likewise, if q = c' j then define q = έ'; ; otherwise define

16. The apparatus according to claim 15, wherein ε; = J_N — (t;d + 2R (d + 2tj)) when Cj ≠ c'i and β_χί = 1, and i_t = J_N(— (t_td + 2uR)(d + 2t_j)) when q≠ c'j and

17. The apparatus according to claims 11-12, wherein the encryption device is further configured to choose t^t_j G Έ/ΝΈ such that J_N(t) = J_N(i) = (—

18. The apparatus according to claim 11-12 or 15-17, wherein the encryption device is further configured to choose the parameter d as the smallest nonnegative integer d such that J_N(d²— 4Jf (w)) = J_N(d²— 4wJf (w)) =—1, and {Q_w} and string 5 are not explicitly included in the user public key upk so that upk = {N, k, u, Ή }

19. The apparatus according to claims 11-12 or 15-17, wherein the encryption device is further configured to choose a fixed global value d that is used with all keywords and included in the user public key, and wherein for a given d:

π_α:{0,ΐγ→ J«,W H K_d w satisfying J_N(d² - Jf_d(w)) =

J_N(d²— 4uJf_d(w)) =— 1, and wherein the user public key upk = {N, k,u, d,J }.

20. The apparatus according to claims 11-12 or 15-17, wherein the encryption device is further configured to choose p and q that are primes that satisfy the condition p≡— q (mod 4), such that ]_v{— 1) =— J_q{— 1) and J_N(—1) =—1, and wherein the user public key upk = {N, k, u, Ή }, where Ή is a cryptographic hash function mapping bit-strings to _N.

21. A method for determining the presence of a keyword w associated with a message m, in a public-key encryption with keyword search (PEKS) ciphertext C = {c,S}, wherein c = ENCRYPT_upk(m) , andS = PEKS_upk(w), comprising:

accessing the ciphertext portion S from the ciphertext C, where

S = PEKS_upk(w) = x, ε₀, c₀, έ₀, c₀, ... , _k_₁, c_k_₁, i_k_₁, c_k_₁};

accessing a trapdoor T_w; and

determining whether the ciphertext portion S corresponds to a keyword w using the trapdoor T_w by setting R = Ή (w) and d = Q_w (s) , where Ή is a cryptographic hash function mapping bit-strings to elements of J_N and [Q_w] is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, wherein if T_w ²≡

R (mod N) , where N is a composite number , then setting

vi ^{= ε}ί _> Yi ^{= c}i f°^r 0 < i < k— 1, and Δ = R, otherwise

vi ⁼ ^i , Yi = Ci for 0 < i < k— 1, and Δ = uR, where u E _N \ QM_W and determining the following:

set σι = J_N (Yi² - 4Δ) ;

_ ₌ ϋ_Ν (Ύί + 2T_W) if σ_{ = 1

¹ U_N ((Yi + 2T_wXd - 2T_wXd - _Yi)) if _{i =} - l ' ^ana

b_t = 1 if Tj = j · (1— 2x_j) , otherwise b_t = 0, and determining that ciphertext S corresponds to keyword w if bi = 1 for all 0 < i < k— 1.

22. The method according to claim 21 , wherein the determining step comprises:

determining τ_; as τ = ]_N{ji— 2T_W) when σ_; = 1 and as τ_; = ]_N(S i— 2T_w) (d +

2T_w) (d - _Yi)) = -j_N ((_Yi - 2T_w)(d - 2T_w) (d - _Yi)) = -j_N ((_Yi + 2T_w)(d +

2T_w) (d - Yi)) when σ = -1.

23. The method according to claims 21 -22, wherein the trapdoor T_w corresponds to T_w = R¹'² mod N if R G QR_N, where R = Ή (w), otherwise

T_w = (uR)¹'² mod N.

24. The method according to claims 21 -23, further comprising forwarding the ciphertext C to a receiver via a communication channel if keyword w is determined to be included in the ciphertext C.

25. An apparatus for determining the presence of a keyword w associated with a

message m, in a public-key encryption with keyword search (PEKS) ciphertext C = {c, S}, wherein c = ENCRYPT_upk(m) , and S = PEKS_upk(w), comprising: an input configured to access the ciphertext portion S from the ciphertext C, where S = PEKS_upk(w) = x, ε₀, c₀, έ₀, c₀, s_k_₁, c_k_₁, i_k_₁, c_k_₁],

the input configured to access a trapdoor T_w ; and

a processor configured to determine whether the ciphertext portion S corresponds to a keyword w using the trapdoor T_w by setting R = Ή (w) and d = Q_w (s) , where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, wherein if T_w ²≡ R (mod N), where N is a composite number , then setting

j = Si , Yi = Cj for 0 < i < k— 1, and Δ = R, otherwise

vi ⁼ Yi ⁼ Q f°^r 0 < i < k— 1, and Δ = uR, where u E _N \ Q _W

and determining the following:

_ ₌ ϋ_Ν(Ύ_ί + 2T_W) if σ_{ = 1

^; l;_W((7_i + 2r_w)(d - 2r_w)(d - _7i)) ίί _σί = -1' ^αηα

bi = 1 if Tj = j · (1— 2xj), otherwise fe; = 0, wherein the processor determines that ciphertext S corresponds to keyword w if = 1 for all 0 < i < k— 1.

26. The apparatus according to claim 25, wherein the processor is configured to

determine

T; as τ = J_N{Y_t - 2T_W when σ_{ = 1 and as τ_{ = ]_Ν γι - 2T_w)(d + 2T_w)(d -

Yi)) = -J_N((Yi - 2T_w)(d - 2T_w)(d - _Yi)) = -J_N((Yi + 2T_w)(d + 2T_w)(d - _Yi)) when σ =—1.

27. The apparatus according to claims 25-26, wherein the processor is configured to determine that the trapdoor T_w corresponds to T_w = R¹^² mod N if R G Q _W, where R = H " (w), otherwise T_w = (uR)¹^² mod N.

28. The apparatus according to claims 25-27, further comprising an output configured to forward the ciphertext C to a receiver via a communication channel if keyword w is determined to be included in the ciphertext C.

29. A method of generating and processing a public-key encryption with keyword search (PEKS) ciphertext S based on a message m having a keyword w associated with the message, comprising: a sending terminal:

generating, by an encryption device, the ciphertext S by:

accessing the keyword w associated to the message m; accessing a user public key upk = {N, k,u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely Q_w: {0,1}^{* →} /N ,s i→ d = Q_w(s) such that J_N(d² - 4Jf (w)) = J_N(d² - 4uK(w)) = -1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ generating a ciphertext S of the keyword w in the message m, by selecting /c-bit integer x

2^l (with x_t G {0,1}), R = Ή (w) ; for i = 0, ...,k— 1, choosing t_j, t_j G Έ/ΝΈ, determining

,_n, R Ci⁽⁰⁾d + ?

i = ^^ = ^ +- Γηοά N, _c.(ⁱ) =-L___ _{mod <} έ_£ = (-l)^¾i/_W(ta ^^ ti +^mod N, c ¹) = ^et mod N, where d = Q_w (5), choosing random bits β₁ ι,β₂ G {0,1}, and setting c_t = c^¹^ and Cj = Ci^^{2 i} and returning S = PEKS_upk(w)

= {x, ε₀, c₀, έ₀, c₀, ... , c_fc_₁₍ £fe_i, ¾__!};

accessing the message m, generating a ciphertext of the message

c = ENCRYPT_upk(m);

generating a keyword searchable ciphertext message C = {c,S}; and

transmitting the keyword searchable ciphertext message C = {c,S} to a proxy device; and

a proxy device:

receiving the searchable ciphertext message C = {c, S] and a trapdoor T_w for the keyword w; and

processing, by the proxy device, to determine whether the keyword w is associated with the ciphertext message C = {c,S] using the trapdoor T_w. 30. The method according to claim 29, wherein the processing by the proxy device

comprises: accessing the ciphertext portion S from the ciphertext C;

accessing the trapdoor T_w; and

setting R = Jf(w) and d = Q_w(s), where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, wherein if T_w ²≡ R (mod N), where N is a composite number , then setting

j = Si, Yi = Cj for 0 < i < k— 1, and Δ = R, otherwise

vi ⁼ Yi ⁼ Q f°^r 0 < ί < / — 1, and Δ = wff, where u G _N \ QM_W

and determining the following:

1'^αηα

b_t = 1 if Tj = j · (1— 2x_j), otherwise fe; = 0, and wherein the receiver determines that ciphertext portion S corresponds to keyword w if b_t = 1 for all 0 < i < k-1.

31. The method according to claim 30, wherein the determining step comprises:

determining τ_; as τ = ]_N{ji— 2T_W) when σ_; = 1 and as τ_; = J_N((Yi— 2T_w)(d + 2T_w)(d - _7i)) = - (7i - 2T_w)(d - 2T_w)(d - _7i)) = -JN((YI + 2T_w)(d + 2T_w)(d— Yi when σ =— 1.

32. A system for generating and processing a public-key encryption with keyword search (PEKS) ciphertext C based on a message m having a keyword w associated with the message, comprising: an encryption device, comprising a processor configured to generate a ciphertext

S = PEKS_upk(w) by

accessing the keyword w associated with the message m,

accessing a user public key upk, wherein upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and (£/_w) is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely

£_W:{0,1}*→ %/N%,s ^ d = Q_w(s) such that J_N(d² - AM (w)) = J_N(d² - uJf (w)) =— 1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ Q _W,

generating a ciphertext S of the keyword w in the message m, by selecting /c-bit integer x

2^l (with x_t G {0,1}), R = H(w), for i = 0, ...,k - 1, choosing t_i( tj G Έ/ΝΈ, determining £i = _{mod <}

¼ = (-!)¾(¼). CiW = ti +^ mod N ⁽¹⁾ =≤¾^≤ mod N, where d = Q_w (^<?), choosing random bits β₁ ι,β₂ £ {0,1}, and setting c_t = c^¹^ and Cj = Ci^^{2 i} and returning

S = PEKS_up|<(w) = x, ε₀, c₀, έ₀, c₀, ... , s_k_₁, c_k_₁, i_k_₁, c_k_₁],

to access the message m and generate a ciphertext of the message

c = ENCRYPT_upk(m),

to generate a keyword searchable ciphertext message C = {c, S], and

transmit the ciphertext S to a proxy device via a communication channel; and a proxy device, comprising a processor configured to access a trapdoor T_w for the keyword w, receive the keyword searchable ciphertext message C = {c, S], and determine whether the keyword w is included in the ciphertext message C = {c, S] using the trapdoor T_w.

33. The system according to claim 32, wherein the proxy device is configured to:

access the ciphertext portion S from the ciphertext C; and

determine whether the keyword w is associated with the ciphertext message C by setting R = Jf(w) and d = Q_w(s), where Ή is a cryptographic hash function mapping bit-strings to elements of _N and (£/_w) is a family of functions mapping bit-strings to elements of a subset of TL/NTL, wherein if T_w ²≡ R (mod N), where N is a composite number, then setting

vi ^{= ε}ί_> Yi ^{= c}i f°^r 0 < i < k— 1, and Δ = R, otherwise

j = έι, Yi = Cj for 0 < i < k— 1, and Δ = uR, where u G _N \ Q _W and determining the following:

r = V^{N(li + 2Tw}^ if σ; = 1 .

^; U_N((Yi + 2T_wXd-2T_wXd-_Yi)) if _{i =} -l'^ana

bi = 1 if Tj = j · (1— 2xj), otherwise bi = 0, and wherein ciphertext S is determined to correspond to keyword w if b^ = 1 for all 0 < i < k— 1.

34. The system according to claim 33, wherein the proxy device is configured to

determine τ as τ = ]_Ν{γι— 2T_W) when a_t = 1 and as τ = ]_Ν{{γι— 2T_w)(d + 2T_w (d - _7ί)) = - (7_ί - 2T_w (d - 2T_w (d - _7ί)) = - (7_ί + 2T_w (d + 2T_w)(d - ft when σ = -1.

35. A method of processing a trapdoor T_w associated with a keyword w, comprising: accessing a user public key upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit-strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely Q_w: {0,1}^{* →} /N , s i→ d = Q_w (s) such that J_N(d² - 4Jf(w)) = J_N(d² - 4uK(w)) = -1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ QR_N;

generating the trapdoor T_w by setting R = J (w), and if R G Q _W then setting T_w = R¹/² mod N, otherwise setting T_w = (uR)¹^² mod N; and

transmitting the trapdoor T_w to a proxy device. 36. The method according to claim 35, wherein N = pq, and p and q are prime.

37. The method according to claim 36, wherein p≡—q (mod 4).

38. The method according to claim 36, wherein p≡ q≡ 3 (mod 4) and u =—1.

39. An apparatus for processing a trapdoor T_w associated with a keyword w, comprising: an input configured to access a user public key upk = {N, k, u, Ή, {Q_w}, s], where Ή is a cryptographic hash function mapping bit- strings to elements of _N and {Q_w} is a family of functions mapping bit-strings to elements of a subset of Έ/ΝΈ, namely £_W : {0,1}^*→ /N , s >→ d = Q_w (s) such that J_N(d² - 4Jf (w)) = J_N(d² -

4uJf (w)) =— 1, N is a composite number, k is a security parameter, 5 is a bit-string, and u G _N \ Q _W; and

a processor configured to generate the trapdoor T_w by setting R = J (w), and if R G Q _N then setting T_w = ff ^1/2 mod N, otherwise setting

T_w = (uR)¹'² mod N; and

transmitting the trapdoor T_w to a proxy device.

40. The apparatus according to claim 39, wherein N = pq, and p and q are prime.

41. The apparatus according to claim 40, wherein p≡—q (mod 4).

42. The apparatus according to claim 40, wherein p≡ q≡ 3 (mod 4) and u =— 1.