Verifiable Multi-Authority Attribute-Based Encryption with Keyword Search Based on MLWE

Abstract

Searchable Encryption (SE) schemes enable data users to securely search over outsourced encrypted data stored in the cloud. To support fine-grained access control, Attribute-Based Encryption with Keyword Search (ABKS) extends SE by associating access policies with user attributes. However, existing ABKS schemes often suffer from limited security and functionality, such as lack of verifiability, vulnerability to collusion, and insider keyword-guessing attacks (IKGA), or inefficiency in multi-authority and post-quantum settings, restricting their practical deployment in real-world distributed systems. In this paper, we propose a verifiable ciphertext-policy multi-authority ABKS (MA-CP-ABKS) scheme based on the Module Learning with Errors (MLWE) problem, which provides post-quantum security, verifiability, and resistance to both collusion and IKGA. Moreover, the proposed scheme supports multi-keyword searchability and forward security, enabling secure and efficient keyword search in dynamic environments. We formally prove the correctness, verifiability, completeness, and security of the scheme under the MLWE assumption against selective chosen-keyword attacks (SCKA) in the standard model and IKGA in the random oracle model. The scheme also maintains efficient computation and manageable communication overhead. Implementation results confirm its practical performance, demonstrating that the proposed MA-CP-ABKS scheme offers a secure, verifiable, and efficient solution for multi-organizational cloud environments.

1. Introduction

With the exponential growth of data and the increasing complexity of its storage and management, outsourcing data to cloud servers (CS) has become a common practice among data owners (DO). To preserve confidentiality, data is typically encrypted before outsourcing. However, this encryption complicates efficient retrieval by data users (DU). Searchable encryption (SE) schemes have been proposed to enable secure search operations over encrypted data. These schemes are generally classified into two main categories: symmetric and asymmetric types [1,2]. In symmetric SE, the DO and DU share a common secret key, requiring a secure channel for key exchange. This limitation has spurred the development of asymmetric schemes, such as public-key encryption with keyword search (PEKS), in which the DO encrypts data using the DU’s public key and the DU performs searches using a private key. However, PEKS schemes become inefficient in multi-user settings, as they require encrypting data for each DU individually under individual public keys. To achieve fine-grained access to encrypted data in cloud environments, Attribute-based Encryption with Keyword Search (ABKS) schemes have been introduced [3]. These schemes are categorized into Key-Policy (KP-ABKS) and Ciphertext-Policy (CP-ABKS). Further enhancements have introduced key features such as multi-authority support [4], collusion resistance [5], forward security [6], multi-keyword search, and resistance to insider keyword guessing attacks (IKGA) [7].

In Multi-Authority ABKS (MA-ABKS), attribute management is distributed across independent authorities, each handling a specific subset of attributes. This decentralized structure enhances scalability, fault tolerance, and DU privacy, making it ideal for multi-organizational environments like cross-institutional healthcare systems.

A practical application of MA-ABKS is the secure sharing of sensitive medical data across healthcare institutions, including hospitals, clinics, and research centers. In such settings, patient records, such as medical histories or laboratory results, must be accessible only to authorized personnel with specific attributes, such as medical specialization or institutional affiliation. MA-ABKS provides fine-grained attribute-based access control while preserving DU privacy, as it does not reveal DU identities. It also allows authorized DUs to perform keyword-based searches over encrypted medical data, ensuring that only legitimate DUs can retrieve relevant information. Moreover, each institution can operate as an independent attribute authority, managing its own attribute domain, thereby reducing dependence on a single trusted authority (TA) and enhancing both scalability and privacy. These features make MA-ABKS particularly suitable for distributed, multi-organizational environments where data confidentiality and controlled access are essential.

Quantum computing threatens classical schemes based on the discrete logarithm problem via Shor’s algorithm [8]. Consequently, lattice-based cryptography has emerged as a promising foundation for post-quantum secure designs. The first lattice-based ABKS scheme was proposed in [9], followed by works incorporating multi-authority support and collusion resistance [10], and multi-keyword search with IKGA resistance [11].

Despite these advancements, combining these features in a lattice-based multi-authority CP-ABKS (MA-CP-ABKS) framework remains a challenge. Specifically, achieving verifiability, full security against collusion and IKGA, forward security, and efficient multi-keyword search simultaneously has yet to be addressed.

This work aims to provide a secure, efficient, and verifiable MA-CP-ABKS solution for distributed cloud environments involving multiple independent organizations.

1.1. Our Contribution

In this paper, we propose a lattice-based MA-CP-ABKS scheme based on the Module-LWE (MLWE) problem, improving efficiency. The scheme enables a DU to generate a search trapdoor through interaction with the TA. We integrate verifiability, completeness, and collusion resistance into the ABKS framework. Inspired by [12], the scheme also supports multi-keyword search and introduces methods for forward security and IKGA security. Formal security proofs are provided against Selective Chosen Keyword Attacks (SCKA) and IKGA in the standard and Random Oracle (RO) models, respectively.

The main contributions of this paper are as follows:

• Lattice-based MA-CP-ABKS scheme: We propose a novel scheme based on the MLWE problem, enhancing both efficiency and security.
• Verifiability and completeness: We achieve verifiability and completeness by embedding proof components into the searchable ciphertext, derived from the keyword, the DO’s private key, and a shared secret between the DO and authorized DUs.
• Collusion resistance: We prevent collusion by binding each DU’s trapdoor to its global identity (GID), ensuring that trapdoors cannot be combined to gain unauthorized search capabilities.
• Post-quantum security: We prove that the scheme is secure against SCKA through a formal reduction from the MLWE problem.
• TA Dependency: As the DU needs a private key for trapdoor generation and does not receive the key, each DU must interact with the TA for each trapdoor.
• Multi-keyword search: We propose a method enabling DUs to perform simultaneous multi-keyword searches.
• Forward security: We propose a method to integrate forward security into our scheme.
• IKGA resistance: We enhance IKGA resistance by incorporating the DO’s private key into keyword encryption and the DO’s public key into trapdoor generation.
• Efficiency: We leverage the structured properties of the MLWE problem to achieve efficient computation. The implementation results confirm practical execution times and manageable communication overhead under realistic parameter settings.

1.2. Roadmap

The paper is organized as follows: Section 2 reviews the related work. Section 3 presents the problem statement. Section 4 introduces the required definitions and concepts. In Section 5, we propose a verifiable ABKS scheme based on the MLWE problem, analyzing its correctness, verifiability, completeness, and collusion resistance, along with a formal security proof. We extend the scheme to support multi-keyword search and IKGA resistance. Section 6 discusses implementation results and efficiency evaluation. Finally, Section 7 concludes the paper and suggests future research directions.

2. Related Work

Many ABKS schemes have been proposed, incorporating features such as verifiability [13,14], revocation [4,13,15,16], multi-authority support [4,5,17], multi-keyword search [13,18], forward security [6], dual policies [19], policy hiding [20], and anonymity [21]. Since centralized TAs generate key pairs for each DU, creating a single point of failure, MA-ABKS schemes have been proposed to address this issue [4,5,10,16,22].

When the CS behaves maliciously, it may return incorrect or incomplete results. Verifiable ABKS schemes [14,23,24] address this by embedding proofs generated by the DO, enabling DUs to verify result correctness. Forward-secure SE [6,25,26] further protects past data by periodically updating keys, limiting the impact of key exposure.

The KGA, introduced by Byun et al. [27], enables adversaries to identify searched keywords by testing encrypted candidates against a trapdoor. To mitigate this threat, several countermeasures have been proposed [28,29], with the most effective ensuring that the encrypted keyword depends on the DO’s private key [29,30,31].

Collusion attacks are another threat to ABKS schemes, where multiple DUs collaborate maliciously to gain unauthorized access. Such attacks are prevented by deriving DUs’ specific cryptographic information from their unique identifiers, ensuring that one DU’s information cannot be utilized by others and thus effectively preventing collusion.

With the emergence of quantum computers, classical cryptographic algorithms based on the discrete logarithm problem have become vulnerable. Consequently, post-quantum cryptography has gained significant attention [8], with lattice-based cryptography standing out for its simple structure, linear computations, and provable security

The first lattice-based ABKS scheme, proposed in 2017 [9], employed multiple CS to generate partial search results that are combined to obtain the final output. However, this approach suffers from low efficiency due to the computation being distributed across multiple CSs. In 2019, a lattice-based ABKS scheme [32] combined attribute-based encryption (ABE) with PEKS, where the DU must contact the TA to obtain a trapdoor for each keyword. However, it allowed unauthorized access to encrypted documents. A lattice-based KP-ABKS scheme introduced in 2020 [33] addressed some of these issues but lacked verifiability, remained vulnerable to IKGA, and relied on the RO model. In 2021, a CP-ABKS scheme [34] was proposed using linear secret sharing (LSSS), but it lacked correctness, formal reduction from LWE to the scheme, and collusion resistance. In 2023, another KP-ABKS scheme was introduced [35]; it improved resistance to KGAs and provided a security proof in the RO model. Nevertheless, it fails to ensure correctness, often retrieving irrelevant documents. In 2024, a CP-MA-ABKS scheme [10] based on the LWE problem extended MA-ABE with searchability and revocation, allowing any DU to perform searches. In 2025, a revocable and authenticated ABKS scheme based on LWE was proposed [11], supporting multi-keyword search. The scheme has proven to be secure against CKA and IKGA in the RO model. However, it still lacks verifiability and remains vulnerable to collusion attacks, which undermines its security and applicability in multi-user scenarios.

Most existing lattice-based ABKS schemes that rely on LWE are inefficient due to high matrix dimensionality. To address this, structured variants of the LWE problem have been proposed [36,37,38]. In this work, we adopt the MLWE problem [38] aligned with the assumptions underlying the NIST-standardized Kyber scheme [39,40].

Despite advances, existing lattice-based ABKS schemes still lack key features like verifiability, forward security, IKGA and collusion resistance, and multi-keyword search. Integrating the MLWE assumption into a verifiable MA-ABKS framework with strong security guarantees remains largely unexplored. This work addresses these gaps, advancing practical post-quantum searchable encryption for distributed cloud environments.

3. Problem Statement

3.1. ABKS Scheme

A CP-ABKS scheme consists of five algorithms [23,24]:

1.

$Setup\left(1^n\right)\to \left(PP,MSK\right)$: The TA takes a security parameter $n$ as input and outputs the public parameters $PP$ and a master secret key $MSK$.

2.

$KeyGen\left(MSK,X\right)\to {sk}_R$: The TA uses the master secret key $MSK$ and the DU’s Attribute set $X$ to generate the DU’s private key ${sk}_R$, which is then sent to the DU.

3.

$ABKS\left(\tau ,w\right)\to C_w$: The DO uses access policy $\tau$ to generate an ABKS corresponding to the keyword $w$, which is uploaded to the CS.

4.

$Trapdoor\left(s{k}_R,w^{\prime }\right)\to T_{w^{\prime }}$: The DU uses $s{k}_R$ to generate a trapdoor $T_{w^{\prime }}$ for the searched keyword $w^{\prime }$, which is then sent to the CS.

5.

$Search(C_w,T_{w^{\prime }})\to \left\{\begin{array}{c}1 if w=w^{\prime }, \tau \left(X\right)=1\\ 0 O.w \end{array}\right.$: The CS verifies $\tau \left(X\right)=1$. If this is the case, using the trapdoor $T_{w^{\prime }}=TrapdoorGen\left(s{k}_R,w^{\prime }\right)$ for each encrypted keyword $C_w=ABKS\left(\tau ,w\right)$, the CS checks if $w=w^{\prime }$. If so, it returns 1 and sends the encrypted documents corresponding to the ABKS that passed the search to the DU.

In MA-ABKS schemes, each authority manages a subset of attributes and generates corresponding public and private keys within its domain.

3.1.1. Correctness

The correctness of a CP-ABKS scheme is defined as follows [23]:

Given $Setup\left(1^n\right)\to \left(PP,MSK\right)$, $KeyGen\left(MSK,X\right)\to \left(s{k}_R\right)$, $ABKS\left(\tau ,w\right)\to C_w$, $Trapdoor\left(sk,w^{\prime }\right)\to T_{w^{\prime }}$, the search algorithm $Search(C_w,T_{w^{\prime }})$ outputs 1 when $w=w^{\prime }$ and $\tau \left(X\right)=1$, and 0 otherwise.

3.1.2. Security Against SCKA

The security of a CP-ABKS scheme is defined through the SCKA game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$, as follows [23]:

1.

$\mathcal{A}$ outputs a challenge access policy ${\tau }^{\ast }.$

2.

$\mathcal{C}$ runs the $Setup\left(1^n\right)$ algorithm, obtaining $PP$ and $MSK$, and sends $PP$ to $\mathcal{A}$.

3.

$\mathcal{A}$ adaptively queries the following oracles a polynomial number of times.

(a)

$KeyGen$ Oracle: Given attribute set $X$, if ${\tau }^{\ast }\left(X\right)=1$, the oracle aborts; otherwise, it returns $KeyGen\left(msk,X\right)\to s{k}_R$ to $\mathcal{A}$.

(b)

$Trapdoor$ Oracle: Given $\left(X,w\right)$, it returns $Trapdoor\left(s{k}_R,w\right)\to T_w$. If ${\tau }^{\ast }\left(X\right)=1$, the keyword $w$ is added to $L_w$.

4.

$\mathcal{A}$ outputs the challenge keyword $w^{\ast }$ such that $w^{\ast }\notin L_w$.

5.

$\mathcal{C}$ randomly selects $b\in \left\{\mathrm{0,1}\right\}$ and sends the ciphertext, either random if $b=0$ or $C^{\ast }=ABKS\left({\tau }^{\ast },w^{\ast }\right)$ if $b=1$, to $\mathcal{A}$.

6.

$\mathcal{A}$ can query both oracles, but $(X,w^{\ast })$ cannot be queried if $T^{\ast }\left(X\right)=1$.

7.

Finally, $\mathcal{A}$ returns a bit $b^{\prime }\in \left\{\mathrm{0,1}\right\}$. The adversary wins if $b=b^{\prime }$, distinguishing the challenge ciphertext from random one.

The adversary’s advantage is defined as $Ad{v}_{\mathcal{A}}^{SCKA}(n)=\left|\mathrm{Pr}\left[b=b^{\prime }\right]-{\displaystyle \frac{1}{2}}\right|$.

An ABKS scheme achieves SCKA security if, for every probabilistic polynomial time (PPT) adversary $\mathcal{A}$, the advantage $Ad{v}_{\mathcal{A}}^{SCKA}\left(n\right)$ is negligible in the security parameter $n$.

3.2. Verifiability

In searchable encryption, a malicious CS may return incomplete or tampered search results. To ensure integrity, the DU verifies that all retrieved documents were encrypted by the DO and that no documents are omitted. The DO generates a proof for the presence of each keyword in the documents using its private key. The CS returns the encrypted documents along with the proof, which the DU verifies before decryption.

We propose two algorithms, $ProofGen$ and $Verify$.

$ProofGen(w,F_{i{d}_1},\dots ,F_{i{d}_z},s{k}_s,p{k}_s)\to v_w$: The DO generates a proof $v_w$ for a keyword $w$ and the documents $F_{i{d}_1},\dots ,F_{i{d}_z}$ using its keys $\left(p{k}_S,s{k}_S\right)$, then sends it to the CS.

$Verify\left(v_w,Result\right)\to 0 or 1$: The DU verifies $v_w$ upon receiving the results. If the verification fails, the DU requests a research.

In this paper, a verification method similar to [24] is adopted to ensure verifiability.

3.3. Collusion Attack

In a collusion attack, DUs may share private keys to gain unauthorized access. In CP-ABKS, this occurs when DUs combine key components to emulate another DU with a different attribute set, deceiving the system into granting access to restricted documents.

To prevent collusion, each private key component must be cryptographically bound to the DU’s global identifier (GID), preventing independent use. This method, introduced in an ABE scheme [41], can be adapted for ABKS schemes to ensure collusion resistance.

In lattice-based collusion-resistant ABKS, the private key, derived from the master secret key, serves as the basis for trapdoor generation. This ensures that only authorized entities can generate valid trapdoors. A legitimate DU can solve a hard lattice problem, proving key possession and enabling trapdoor generation. Since the private key is GID-bound, the corresponding lattice is also GID-dependent. To ensure compatibility with trapdoors, the DO must generate distinct encrypted keywords for each GID, affecting the multi-user functionality of ABKS. To preserve collusion-resistance, the DU must interact with the TA for each trapdoor generation. The TA, using the master secret key as a good lattice basis, solves a preimage-finding problem for a function of the DU’s GID.

3.4. Keyword Guessing Attack

The KGA, first identified by Byun et al. in 2006 [27], is a common threat in asymmetric SE, where an adversary, often an insider like the CS, tests candidate keywords against the trapdoor. The IKGA is more severe, as it exploits both trapdoors and a known keyword set $\mathcal{W}$. In this attack, the adversary encrypts each keyword in $\mathcal{W}$ with the public key, creating a keyword–ciphertext mapping. Upon receiving a trapdoor, the adversary runs the search algorithm on each mapping entry. If a match is found, the queried keyword is revealed. Hence, with access to both the trapdoor and the keyword space, the adversary can recover the searched term through exhaustive trials. To mitigate IKGA, countermeasures such as covert keyword-to-index mappings [28], authenticated searchable encryption, and fuzzy keyword search mechanisms have been proposed. Among these, encrypting keywords with the DO’s private key is the most effective [29], as it prevents adversaries from constructing a keyword–ciphertext dictionary and ensures only keywords encrypted by the DO match trapdoors generated with the corresponding public key.

The security of an ABKS scheme against IKGA is modeled as a game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$, as described in the following steps [27]:

1.

$\mathcal{A}$ outputs the attribute set $X^{\ast }.$

2.

$\mathcal{C}$ runs the $Setup\left(1^n\right)$ algorithm, obtaining $PP$ and $MSK$, and sends $PP$ to $\mathcal{A}$.

3.

$\mathcal{A}$ can adaptively query the following oracles a polynomial number of times:

(a)

$ABKS$ Oracle: Given access policy $\tau ,$ the oracle returns $ABKS\left(\tau ,w\right)\to C_w$. If $\tau \left(X^{\ast }\right)=1$, $w$ is added to $L_w$.

(b)

$Trapdoor$ Oracle: Given $\left(X,w\right)$, it returns $Trapdoor\left(s{k}_R,w\right)\to T_w$.

4.

$\mathcal{A}$ outputs the challenge keyword $w^{\ast }$ such that $w^{\ast }\notin L_w$.

5.

$\mathcal{C}$ selects a random bit $b\in \left\{\mathrm{0,1}\right\}$. If $b=0$, $\mathcal{C}$ samples a trapdoor randomly. If $b=1$, $\mathcal{C}$ computes the trapdoor as $T_{w^{\ast }}=Trapdoor\left(X^{\ast },w^{\ast }\right)$. $\mathcal{C}$ sends the trapdoor to $\mathcal{A}$.

6.

$\mathcal{A}$ may query both oracles, except that for any $\tau$ satisfying $\tau \left(X^{\ast }\right)=1$, $(\tau ,w^{\ast })$ cannot be queried to the ABKS Oracle.

7.

$\mathcal{A}$ returns a bit $b^{\prime }\in \left\{\mathrm{0,1}\right\}$. $\mathcal{A}$ wins if $b = b\prime$.

The advantage of adversary $\mathcal{A}$ is defined as $Ad{v}_{\mathcal{A}}^{IKGA}\left(n\right)=\left|\mathit{Pr}\left[b=b^{\prime }\right]-{\displaystyle \frac{1}{2}}\right|$.

An ABKS scheme is secure against IKGA if, for every PPT adversary $\mathcal{A}$, the advantage $Ad{v}_{\mathcal{A}}^{IKGA}\left(n\right)$ is negligible in the security parameter $n$.

In this work, we adopt a strategy similar to [30,31], with improved efficiency.

3.5. Multi-Keyword Search

In conventional SE, a DU generates separate trapdoors for each keyword, causing inefficiency in multi-keyword queries. To address this, multi-keyword SE schemes allow the DU to search a set of keywords with a single trapdoor, enabling the CS to retrieve all matching documents. Common query types include conjunctive (AND) and disjunctive (OR) searches. Advanced schemes support arbitrary Boolean expressions.

The proposed scheme integrates multi-keyword search as introduced in [12].

3.6. Forward Security

In some SE schemes, trapdoors valid for one time interval may be misused across others. Forward-secure SE mitigates this by binding the private keys and the trapdoors to specific time intervals, ensuring validity only within designated periods.

The proposed scheme adopts this mechanism to enhance long-term key security.

4. Preliminaries

This section presents the fundamental definitions and concepts essential for the development of this paper.

4.1. Notation

In this section, vectors and polynomials are denoted by lowercase letters, while matrices are represented by uppercase letters. The finite field of integers modulo a prime $q$ is denoted by ${\mathbb{Z}}_q$, and ${\mathbb{Z}}_q\left[x\right]$ denotes the polynomials with coefficients in ${\mathbb{Z}}_q$. The notation ${‖x‖}_{\infty }$ refers to the infinity norm of a polynomial $x$, defined as the largest coefficient magnitude, and $⌊x⌋$ denotes the greatest integer less than or equal to $x$. The distribution $D_{{\mathcal{R}}^d,\sigma }$ represents a discrete Gaussian distribution over ${\mathcal{R}}^d$ with zero mean and standard deviation $\sigma$. A function $negl\left(n\right)$ is negligible if there exists an integer $N$ such that for all $n>N$, it is smaller than the inverse of any polynomial in $n$. Let $\chi$ be a distribution over ${\mathcal{R}}_q^{m\times d}$; the notation $X\stackrel{\$}{\leftarrow }\chi {(\mathcal{R}}_q^{m\times d})$ denotes sampling a random matrix $X$ from $\chi$ with independent entries. Similarly, $X\stackrel{\$}{\leftarrow }{U(\mathcal{R}}_q^{m\times d})$ denotes a uniform sampling from ${\mathcal{R}}_q^{m\times d}$. The notation $A‖B$ indicates column-wise concatenation of $A$ and $B$. For an integer $k$, $\left[k\right]=\{1,\dots ,k\}$. For the two functions $f$ and $g$, $f=\mathcal{O}\left(g\right)$ means there exist constants $a$ and $b$ such that for all $n\ge b$, $f\left(n\right)\le ag\left(n\right)$ and $f=\omega \left(g\right)$ if $\underset{n\to \infty }{\lim }{\displaystyle \frac{g\left(n\right)}{f\left(n\right)}}=0$.

4.2. Lattice

Definition 1

(Lattice [42]). Let  $b_1,\dots ,b_n\in {\mathbb{R}}^m$ be linearly independent vectors. The m-dimensional lattice $\mathcal{L}(b_1,\dots ,b_n)$ generated by the basis ${\left[\begin{array}{ccc}|& \dots & |\\ b_1& \ddots & b_n\\ |& \dots & |\end{array}\right]}_{m\times n}$ is defined as:

$$\mathcal{L}\left(b_1,\dots ,b_n\right)=\left\{{\sum }_{i=1}^n{x}_i{b}_i|x_i\in \mathbb{Z}\right\}.$$

For $b_1,\dots ,b_n\in {\mathbb{Z}}^m$, the lattice $\mathcal{L}(b_1,\dots ,b_n)$ is referred to as an integer lattice.

Definition 2

(q-ary lattices [43]). Let $q$ be an integer, $A\in {\mathbb{Z}}_q^{n\times m}$ be a matrix, and $u\in {\mathbb{Z}}_q^n$ be a vector. The q-ary lattices ${\Lambda }_q^{\perp }\left(A\right),{\Lambda }_q^u\left(A\right)$ are defined as follows:

$${\Lambda }_q^{\perp }\left(A\right)=\left\{e\in {\mathbb{Z}}^m|Ae=0 mod q\right\},{\Lambda }_q^u\left(A\right)=\left\{e\in {\mathbb{Z}}^m|Ae=u mod q\right\}.$$

4.3. Gaussian Distribution

Definition 3

(Gaussian distribution [44]). Let $c\in {\mathbb{R}}^m$, and $\sigma \in {\mathbb{R}}^{>0}$. The discrete Gaussian distribution over a lattice $\mathsf{\Lambda }$, denoted as $D_{\mathsf{\Lambda },\mathsf{\sigma },\mathrm{c}}\left(x\right)$, is defined as follows:

$$\forall x\in \mathsf{\Lambda }:D_{\mathsf{\Lambda },\mathsf{\sigma },\mathrm{c}}\left(x\right)={\displaystyle \frac{{\rho }_{\sigma ,c}\left(x\right)}{{\rho }_{\sigma ,c}\left(\mathsf{\Lambda }\right)}}={\displaystyle \frac{e^{-\pi \frac{{‖x-c‖}^2}{{\sigma }^2}}}{\sum _{x\in \mathsf{\Lambda }}{\rho }_{\sigma ,c}\left(x\right)}}.$$

Unless otherwise specified, the parameters are assumed to be $\sigma =1$ and $c=0$.

4.4. Module-LWE

Let $q$ be a prime and $n$ a power of 2. Define the rings $\mathcal{R}={\displaystyle \frac{\mathbb{Z}\left[x\right]}{<x^n+1>}}$ and ${\mathcal{R}}_q={\displaystyle \frac{{\mathbb{Z}}_q\left[x\right]}{<x^n+1>}}$, where $x^n+1$ is a cyclotomic polynomial of order $2n$. We introduce two problems, Module Short Integer Solution (MSIS) and MLWE. Here, $d$ is the module rank, and $nd$ is the module lattice dimension. Their hardness has been established through worst-case to average-case reduction on module lattices [38,45].

Definition 4

(MSIS problem [46]). Given a matrix $A\in {\mathcal{R}}_q^{d\times m}$ and a bound $\beta$, the goal is to find a vector $x\in {\mathcal{R}}^m$ such that $Ax=0 \mathrm{m}\mathrm{o}\mathrm{d} q$ and $‖x‖\le \beta$.

Definition 5

(MLWE problem [46]). Let $A\in {\mathcal{R}}_q^{d\times m}$ and $b=A^{T}s+e \mathrm{m}\mathrm{o}\mathrm{d} q$, where $\mathit{s}\stackrel{\$}{\leftarrow }U\left({\mathcal{R}}_q^d\right)$ and $e\stackrel{\$}{\leftarrow }{D}_{{\mathcal{R}}^m.\sigma }$. The decision MLWE problem is to distinguish between pairs $(A,b)\in {\mathcal{R}}_q^{d\times m}\times {\mathcal{R}}_q^m$, generated as above and those drawn uniformly from ${\mathcal{R}}_q^{d\times m}\times {\mathcal{R}}_q^m$.

Trapdoors for MLWE

We present two trapdoor algorithms for MLWE-based schemes:

1.

$TrapGen\left(H,\sigma \right)\to (A,T_A)$: Given integers $q$, $d$, $k=⌈{\log }_{b}q⌉$, $m=d\left(k+2\right),\mathrm{a}\mathrm{n}\mathrm{d} \sigma >0$, this algorithm takes a tag $H\in {\mathcal{R}}_q^{d\times d}$ as input. It outputs a matrix $A\in {\mathcal{R}}_q^{d\times m}$ and its trapdoor $T_A\in {\mathcal{R}}^{2d\times dk}$, where $A$ is indistinguishable from the a uniformly random matrix and $T_A$ is sampled from the discrete Gaussian distribution $D_{{\mathcal{R}}^{2d\times dk},\sigma }$, ensuring a small norm [46,47,48]. If not specified, assume $H=I$.

2.

$SamplePre\left(A,T_A,H,u,\zeta ,\alpha \right)\to x$: Given a trapdoor $T_A\in {\mathcal{R}}^{2d\times dk}$ for matrix $A\in {\mathcal{R}}_q^{d\times m}$ with tag $H\in {\mathcal{R}}_q^{d\times d}$, vector $u\in {\mathcal{R}}_q^d$ and Gaussian parameters $\zeta$ and $\alpha$, the algorithm outputs a vector $x\in {\mathcal{R}}^m$, such that $Ax=u$ and $x\stackrel{\mathrm{\$}}{\leftarrow }{D}_{{\mathsf{\Lambda }}_q^u\left(A\right),\zeta }$ [46].

To guarantee correctness and security, the parameters must satisfy [46]:

$$\alpha \ge \sqrt{2b}·\left(2b+1\right)·\sqrt{\log \left(2k\left(1+{\displaystyle \frac{1}{\epsilon }}\right)\right)/\pi },\zeta >\sqrt{\left({\alpha }^2+1\right)s_1^2\left(T\right)+{\eta }_{\epsilon }^2\left({\mathbb{Z}}^{nm}\right)}$$

where $s_1\left(T\right)$ is the spectral norm of $T$, and ${\eta }_{\epsilon }$ is the smoothing parameter.

4.5. Linear Secret Sharing Scheme

A secret sharing scheme $\mathsf{\Pi }$ over ${\mathbb{Z}}_p$, with users (or attributes) $\mathcal{P}$, is linear [49] if: (1) Each user’s share is a vector over ${\mathbb{Z}}_p$. (2) There is a share-generating matrix $A_{l\times n}$, where each row $x=1,\dots ,l$ is labeled by a mapping $\rho \left(x\right)$, from $\{1,\dots ,l\}$ to $\mathcal{P}$.

To share a secret $s\in {\mathbb{Z}}_p$, the dealer forms $v={\left(s,r_2,\dots ,r_n\right)}^T$ with random $r_2,\dots ,r_n\in {\mathbb{Z}}_p$. Each share ${\lambda }_x$ is the $x^{th}$ row of $Av$. For an authorized set $S$ of DUs (or attributes), define $I=\left\{x|\rho \left(x\right)\in S\right\}\subseteq \left\{1,\dots ,l\right\}$. The vector $\left(\mathrm{1,0},\dots ,0\right)$ lies in the span of the rows of $A$ indexed by $I$, so there exist coefficients ${\left\{{\alpha }_x\in {\mathbb{Z}}_p\right\}}_{x\in I}$ such that, ${\sum }_{x\in I}{\alpha }_x{\lambda }_x=s$. These coefficients can be computed in polynomial time with respect to the size of $A$ [49].

Access structures are represented as monotonic Boolean formulas with the upward-closure property, where any superset of an authorized set is also authorized. To construct an LSSS share-generating matrix, the formula is converted into a tree with leaf nodes for attributes and internal nodes for AND/OR gates [41]. The construction is as follows:

1.

The root node is initialized with the label vector $1$, and the counter $c=1$.

2.

Each internal node derives its label from its parent based on the Boolean gate:

• OR gate: Children inherit the parent’s label and the counter $c$ remains unchanged.
• AND gate: For a label $\theta$ as a parent label, zeros are appended to $\theta$ to match the length $c$. One child is assigned the label $\theta |1$, and the other is labeled $\left(0,\dots ,0\right)|-1$, where $(0,\dots ,0)$ is a zero vector of length $c$. The counter $c$ is incremented by one. Notably, the sum of these vectors is $\theta |0$, preserving linear consistency.

3.

This process continues recursively until all leaf nodes are labeled.

The rows of matrix $A$ are obtained by zero-padding the leaf label vectors to make them equal in length, forming the final access policy representation.

In this work, we adopt the LSSS construction of [41] for monotone access structures consisting of AND and OR gates, where ${\left\{{\alpha }_x\in \left\{\mathrm{0,1}\right\}\right\}}_{x\in I}$.

5. Our Scheme

In this section, we propose a verifiable CP-MA-ABKS scheme based on MLWE problem. We introduce two MLWE-based trapdoor algorithms, followed by the CP-MA-ABKS construction, formal proofs of correctness, verifiability, and collusion resistance. Security against SCKA is proven via a reduction from the MLWE problem in the standard model. The scheme is then extended to support multi-keyword queries and resist IKGA.

5.1. Two Trapdoor Functions for MLWE

Let $q$ be a prime modulus and $n$ a power of 2. Define the rings $\mathcal{R}={\displaystyle \frac{\mathbb{Z}\left[x\right]}{<x^n+1>}}$ and ${\mathcal{R}}_q={\displaystyle \frac{{\mathbb{Z}}_q\left[x\right]}{<x^n+1>}}$, where $x^n+1$ is the cyclotomic polynomial of order $2n$. Let $d$ denote the module rank so that the underlying module lattice has dimension $nd$. Given integers $q$, $d$, $k=⌈{\log }_{b}q⌉$, $m=d\left(k+2\right),$ and standard deviations $\sigma ,\zeta ,\alpha >0$ of the corresponding discrete Gaussian distributions, and a trapdoor generation algorithm $TrapGen\left(I,\sigma \right)\to (A\in {\mathcal{R}}_q^{d\times m},T_A\in {\mathcal{R}}^{2d\times dk})$, we present $SampleLeft$ and $SampleRight$ algorithms, in accordance with the methodology proposed in [50], as follows:

1.

$SampleLeft(A\in {\mathcal{R}}_q^{d\times m},B\in {\mathcal{R}}_q^{d\times m^{\prime }},T_A,u\in {\mathcal{R}}_q^d,\zeta ,\alpha )\to x$: The algorithm first samples $x_2\stackrel{\mathrm{\$}}{\leftarrow }{D}_{{\mathcal{R}}^{m^{\prime }},\zeta }$, then computes $SamplePre\left(A,T_A,u-B{x}_2,\zeta ,\alpha \right)\to x_1,$ and finally outputs $x=\left(\begin{array}{c}{x}_1\\ x_2\end{array}\right)\in {\mathcal{R}}^{m+m^{\prime }}$. So, we have $\left(A‖B\right)x=A{x}_1+B{x}_2=u$. Moreover, by Theorem 3 and 4 in [51], the distribution of $x$ is statistically close to $D_{{\mathsf{\Lambda }}_q^u(A|B),\zeta }$.

2.

$SampleRight(A\in {\mathcal{R}}_q^{n\times m},B\in {\mathcal{R}}_q^{n\times m^{\prime }},R\in {\mathcal{R}}^{m\times m^{\prime }},T_B,u\in {\mathcal{R}}_q^n,\zeta ,\alpha )\to x$: Let $F=\left(A|AR+B\right)$. The algorithm first constructs a matrix $T_F$, containing $m+k$ linearly independent short vectors from ${\mathsf{\Lambda }}_q^{\perp }\left(F\right)$ following [50]. It then computes $SamplePre\left(F,T_F,u,\zeta ,\alpha \right)\to x$, where the distribution of $x$ is statistically close to $D_{{\mathsf{\Lambda }}_q^u\left(A\right|AR+B),\zeta }$ and $\left(A|AR+B\right)x=u$ [50]. According to [46]:

$$\alpha \ge 10\sqrt{\log \left(2k\left(1+{\displaystyle \frac{1}{\epsilon }}\right)\right)/\pi },\zeta >\sqrt{\left({\alpha }^2+1\right)s_1^2\left(T\right)+{\eta }_{\epsilon }^2\left({\mathbb{Z}}^{nm}\right)}$$

where $s_1\left(T\right)$ is the spectral norm of $T$, and ${\eta }_{\epsilon }$ is the smoothing parameter.

5.2. MLWE-Based VABKS Scheme

In this section, we present our proposed CP-ABKS scheme. Let $\mathcal{R}={\displaystyle \frac{\mathbb{Z}\left[x\right]}{x^n+1}}$ and ${\mathcal{R}}_q={\displaystyle \frac{{\mathbb{Z}}_q\left[x\right]}{x^n+1}}$, where $q$ is a prime and $n$ a power of two. Let $m=d\left(k+2\right)$ with $k=⌈{\log }_{2}q⌉$. The discrete Gaussian distribution $\chi :=D_{\mathcal{R},\sigma }\left[x\right]$ samples coefficients independently with standard deviation $\sigma$ and rounds to the nearest integer. Let $Att=\left[l\right]$ be the universal attribute set. We assume a hash function $H:{\left\{\mathrm{0,1}\right\}}^{\ast }\to {\mathcal{R}}_q^d$ that outputs values uniformly distributed over ${\mathcal{R}}_q^d$. Additionally, we assume hash functions: $H^{\prime }:{\mathcal{R}}_q^{\ast }\to {\mathcal{R}}_q^d$ and $H^{″}:\mathcal{W}\to {\mathcal{R}}_q^d$ are one-way and collision-resistant. The proposed scheme is described as follows.

1.

$Setup\left(1^n\right)\to \left(PP,MSK\right)$: Given the security parameter $n$, each TA generates the public parameters $PP$ and the master secret key $MSK$ for its assigned attributes and publishes $PP$.

$$\begin{array}{l}TrapGen\left(I_{2d\times 2d},\sigma \right)\to \left(A_i,T_{A_i}\right),\forall i\in \left[l\right],\\ u\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^d\right),B,B_h\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^{2d\times 2m}\right),\forall h\in \left[\eta \right],\\ PP:=\left(A_1,\dots ,A_l,B,B_1,\dots ,B_{\eta },u\right),MSK:={\left(T_{A_i}\right)}_{i\in \left[l\right]}.\end{array}$$

2.

$KeyGen\left(n\right)\to \left(p{k}_S,s{k}_S\right)$: Given the security parameter $n$, the TA generates the DO’s key pair and sends them to the DO:

$$TrapGen\left(I_{d\times d},\sigma \right)\to \left(Q,T_Q\right)=\left(p{k}_S,s{k}_S\right)$$

3.

$ABKS\left(w,\tau \right)\to C_w$: To encrypt a keyword $w$ under policy $\tau$, the DO first converts $\tau$ into a share-generating matrix $M\in {\left\{\pm \mathrm{1,0}\right\}}^{l\times d^{\prime }}$ using an LSSS [49]. For each $k\in \left[\delta \right]$, the DO samples $s_k\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^d\right)$ and $R_k,R_k^{\prime }\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^{(d^{\prime }-1)\times d}\right)$, and computes:

$${\mathsf{\Lambda }}_{\mathrm{k}}=\left[\begin{array}{ccc}-& {\lambda }_{1k}^T& -\\ & ⋮& \\ -& {\lambda }_{lk}^T& -\end{array}\right]:=M·\left[\begin{array}{c}{s}_k^T\\ R_k\end{array}\right],{\mathsf{\Gamma }}_{\mathrm{k}}=\left[\begin{array}{ccc}-& {\gamma }_{1k}^T& -\\ & ⋮& \\ -& {\gamma }_{lk}^T& -\end{array}\right]:=M·\left[\begin{array}{c}{0}^d\\ R_k^{\prime }\end{array}\right].$$

For any authorized set $Y=\{y_1,\dots ,y_q\}$, there exists a set of coefficients ${\left\{{\alpha }_i\in \left\{\mathrm{0,1}\right\}\right\}}_{i\in I}$, where $I:=\left\{i\in \left[l\right]\left|\rho \right(i)\in Y\right\}$ such that $\sum _{i\in I}{\alpha }_i{\gamma }_{ik}=0^d$ and $\sum _{i\in I}{\alpha }_i{\lambda }_{ik}=s_k$.

The DO computes $F_w:=B+\sum _{h=1}^{\eta }{B}_h{H}_h^{″}\left(w\right)$, where $H_h^{″}\left(w\right)$ denotes the $h^{th}$ component of $H^{″}\left(w\right)$. Next, the DO samples $x_k\stackrel{\mathrm{\$}}{\leftarrow }\chi , y_{ik}\stackrel{\mathrm{\$}}{\leftarrow }{\chi }^{2m} \mathrm{f}\mathrm{o}\mathrm{r} \mathrm{a}\mathrm{l}\mathrm{l} i\in \tau ,k\in [\delta ]$ and $R_h\stackrel{\mathrm{\$}}{\leftarrow }U\left({\left\{-1,+1\right\}}^{2m\times 2m}\right)$. It then computes the encrypted keyword $C_w:={\left(p_k,{\left(c_{ik}\right)}_{i\in \left[l\right]}\right)}_{k\in \left[\delta \right]}$, as follows, and sends $C_w$ and $\tau$ to the CS:

$$\left\{\begin{array}{c}{p}_k:=u^T{s}_k+x_k \\ c_{ik}:={\left(A_i‖F_w\right)}^T\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]+\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{"}\left(w\right)\right)}^T{y}_{ik}\end{array}\right], \forall i\in [l]\end{array}\right.,\forall k\in \left[\delta \right].$$

4.

$ProofGen(w,F_{i{d}_1},\dots ,F_{i{d}_z},s{k}_S,p{k}_S)\to v_w$: To prove the existence of a keyword $w$ in the corresponding documents $F_{i{d}_1},\dots ,F_{i{d}_z}$, the DO concatenates $H^{\prime \prime }\left(w\right)$ with $Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)$ and computes $h_w:=H^{\prime }\left(H^{″}\left(w\right),Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)\right)+\mu$, where $\mu \stackrel{\$}{\leftarrow }U\left({\mathcal{R}}_q^d\right)$. Then, the DO, using its key pair, computes the proof $SamplePre\left(p{k}_S,s{k}_S,h_w,\zeta ,\alpha \right)\to v_w$, such that $p{k}_S{v}_w=h_w$. Finally, for each $w\in \mathcal{W}$, the DO sends $\left(C_w,v_w\right)$, and $En{c}_{ABE}\left(\mu \right)$ to the CS publicly.

5.

$Trapdoor\left(F_{w^{\prime }},X,GID,MSK\right)\to T_{w^{\prime }}$: To search for a keyword $w^{\prime }$, the DU computes $F_{w^{\prime }}=B+\sum _{h=1}^{\eta }{B}_h{H}_h^{″}\left(w^{\prime }\right)$. The DU then submits $F_{w^{\prime }}$ and its attribute set $X\subseteq Att$ to the corresponding TAs. Each TA, using $F_{w^{\prime }}$, $X$, and the master secret key $MSK$, computes the trapdoor $T_{w^{\prime }}:={\left(t_i\right)}_{i\in X}$, satisfying $\left(A_i‖F_{w^{\prime }}\right)t_i=\left[\begin{array}{c}H\left(GID\right)\\ u\end{array}\right]$, as follows:

$$SampleLeft\left(A_i,F_{w^{\prime }},T_{A_i},\left[\begin{array}{c}H\left(GID\right)\\ u\end{array}\right],\zeta ,\alpha \right)\to t_i,\forall i\in X.$$

The generated trapdoor is sent securely to the DU and then forwarded with $X$ to the CS.

6.

$Search\left(C_w,T_{w^{\prime }}\right)\to 0 or 1$: Upon receiving $T_{w^{\prime }}$ from the DU, and given $C_w$, attribute set $X$ and access policy $\tau$, the CS first verifies whether $X$ satisfies $\tau$. If so, it computes $I\triangleq \left\{i\in \left[l\right]\left|\rho \right(i)\in X\right\}$ and determines coefficients ${\left\{{\alpha }_i\in \left\{\mathrm{0,1}\right\}\right\}}_{i\in I}$ such that $\sum _{i\in I}{\alpha }_i{M}_i=(\mathrm{1,0},\dots ,0)$, where $M_i$ is the $i^{th}$ row of $M$. For each $k\in \left[\delta \right]$, the CS computes:

$$b_k:=p_k-{\sum }_{i\in I}{\alpha }_i{t}_i^T{c}_{ik} mod q,\forall k\in \left[\delta \right].$$

If ${‖b_k‖}_{\infty }<\left[q/4\right]$ for all $k\in \left[\delta \right]$, the search algorithm outputs 1, indicating a keyword match. The CS then sends the associated encrypted documents and verification proof to the DU.

7.

$Verify\left(v_w,Result\right)\to 0or1$: Upon receiving the encrypted documents $Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)$, with the proof $v_w$, the DU first verifies that $‖v_w‖<\zeta \sqrt{mn}$ holds. If satisfied, it decrypts $En{c}_{ABE}\left(\mu \right)$ to recover $\mu$ and computes $h_w=H^{\prime }\left(H^{\prime \prime }\left(w\right),Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)\right)+\mu$. The verification succeeds if $p{k}_S{v}_w=h_w$. Otherwise, the DU rejects the results and may reissue the query.

If the CS is assumed honest, the DO’s key generation, proof generation, and verification algorithm in steps 2, 4, and 7, respectively, may be omitted from the initial analysis.

5.2.1. Correctness

We analyze the correctness for $w=w^{\prime }$, considering two cases based on whether the attribute set $X$ satisfies the access policy $\tau$ (i.e., $\tau \left(X\right)=1$) or not.

• Case 1: $w=w^{\prime }$ and $\tau \left(X\right)=1$

$$\begin{array}{ll}{b}_k& =p_k-\sum _{i\in I}{\alpha }_i{t}_i^T{c}_{ik}\\ & =u^T{s}_k+x_k-\sum _{i\in I}{\alpha }_i{t}_i^T{\left(A_i‖F_w\right)}^T\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]-\sum _{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =u^T{s}_k+x_k-\sum _{i\in I}{\alpha }_i\left[H{\left(GID\right)}^T‖u^T\right]\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]-\sum _{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =u^T{s}_k+x_k-\left[H{\left(GID\right)}^T‖u^T\right]\left[\begin{array}{c}{0}^d\\ s_k\end{array}\right]-\sum _{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =x_k-\sum _{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\end{array}$$

We have:

$$\begin{array}{ll}{‖b_k‖}_{\mathrm{\infty }}& ={‖x_k-\sum _{i\in I}{\alpha }_i\left({\left(t_{i1}+\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)t_{i2}\right)}^T{y}_{ik}\right)‖}_{\mathrm{\infty }}\\ & \le {‖x_k‖}_{\mathrm{\infty }}+\sum _{i\in I}{\alpha }_i{‖\left({\left(t_{i1}+\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)t_{i2}\right)}^T{y}_{ik}\right)‖}_{\mathrm{\infty }}\end{array}$$

From the Section 4.4 of [52] and the lemma 24 of [50], it follows that:

$${‖x_k‖}_{\mathrm{\infty }}+{\sum }_{i\in I}{\alpha }_i{‖\left({\left(t_{i1}+\left({\sum }_{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)t_{i2}\right)}^T{y}_{ik}\right)‖}_{\mathrm{\infty }}\le t\sigma \sqrt{n}+l{t}^2\zeta \sigma mn\eta \le \left[q/4\right]$$

Moreover, ref. [46] requires that $\alpha \ge 10\sqrt{\log \left(2k\left(1+{\displaystyle \frac{1}{\epsilon }}\right)\right)/\pi } , \zeta >\sqrt{\left({\alpha }^2+1\right)s_1^2\left(T\right)+{\eta }_{\epsilon }^2\left({\mathbb{Z}}^{nm}\right)}$.

• Case 2: $w=w^{\prime }$ and $\tau \left(X\right)=0$

$$\begin{array}{ll}{b}_k& =u^T{s}_k+x_k-\sum _{i\in I}{\alpha }_i\left[H{\left(GID\right)}^T‖u^T\right]\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]-\sum _{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =u^T\left(s_k-{\sum _{i\in I}{\alpha }_i\lambda }^{ik}\right)+x_k-H{\left(GID\right)}^T{\sum _{i\in I}{\alpha }_i\gamma }^{ik}-\sum _{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\end{array}$$

Since $X$ is an unauthorized set, for any coefficients ${\left\{{\alpha }_i\right\}}_{i\in I}$, ${\sum _{i\in I}{\alpha }_i\lambda }_{ik}\ne s_k$. Thus, $s_k-{\sum _{i\in I}{\alpha }_i\lambda }_{ik}\in {\mathcal{R}}_q^d\backslash \{0^d\}$ with an arbitrary distribution. Moreover, the vector $u$ is uniformly distributed over ${\mathcal{R}}_q^d$ and independent of $s_k-{\sum _{i\in I}{\alpha }_i\lambda }_{ik}$. By Theorem 1, which we subsequently state, $u^T\left(s_k-{\sum _{i\in I}{\alpha }_i\lambda }_{ik}\right)$ has uniformly distributed coefficients over ${\mathcal{R}}_q$. Moreover, since $u$, $s_k$, and ${\sum _{i\in I}{\alpha }_i\lambda }_{ik}$ are independent of the remaining terms, Lemma 1 (stated below) implies that the entire expression exhibits uniformly distributed coefficients. Let $b_k=b_k^0+b_k^{1}x+\cdots +b_k^{n-1}{x}^{n-1}$. Then, for all $k\in \left[\delta \right]$, we have:

$$\mathrm{Pr}\left[{‖b_k‖}_{\mathrm{\infty }}<\left[q/4\right]\right]=\mathrm{Pr}\left[\left|b_k^i\right|<\left[q/4\right],\forall i\in \{0,..,n-1\}\right]\le \mathrm{Pr}\left[\left|b_k^i\right|<\left[q/4\right]\right]=1/4$$

Therefore, the probability that ${‖b_k‖}_{\infty }<\left[q/4\right], \forall k\in \left[\delta \right]$ is ${\left(1/4\right)}^{\delta }$. Thus, setting $\delta =\omega \left(\log n\right)$ ensures the search algorithm returns 1 with negligible probability.

To state Theorem 1, we first establish Lemmas 1 and 2, presented below.

Lemma 1.

Let $a\stackrel{\$}{\leftarrow }U\left({\mathcal{R}}_q\right)$ and  $b\stackrel{\$}{\leftarrow }\phi \left({\mathcal{R}}_q\right)$ be independent, where $\phi$ is an arbitrary distribution. Then $c=a+b$ is uniformly distributed over ${\mathcal{R}}_q$.

Proof. 

For any $\alpha \in {\mathcal{R}}_q$, we have:

$$\begin{array}{ll}\mathrm{Pr}\left[c=\alpha \right]& =\mathrm{Pr}\left[a+b=\alpha \right]=\sum _{\beta }\mathrm{Pr}\left[a+b=\alpha |b=\beta \right]·\mathrm{Pr}\left[b=\beta \right]\\ & =\sum _{\beta }\mathrm{Pr}\left[a=\alpha -\beta \right]·\mathrm{Pr}\left[b=\beta \right]={\displaystyle \frac{1}{q^n}}\sum _{\beta }\mathrm{Pr}\left[b=\beta \right]={\displaystyle \frac{1}{q^n}}\end{array}$$

□

Lemma 2.

Let $a\stackrel{\$}{\leftarrow }U\left({\mathbb{Z}}_q^n\right)$and $b\stackrel{\$}{\leftarrow }\phi ({\mathbb{Z}}_q^n\backslash \{0\})$ be independent, where $\phi$ is an arbitrary distribution. Then $d=a^{T}b$ is uniformly distributed over ${\mathbb{Z}}_q$.

Proof. 

For any $\theta \in {\mathbb{Z}}_q$ we have:

$$\begin{array}{ll}\mathrm{Pr}\left[d=\theta \right]& =\mathrm{Pr}\left[a^{T}b=\theta \right]=\sum _{\beta \ne 0}\mathrm{Pr}\left[a^{T}b=\theta |b=\beta \right]·\mathrm{Pr}\left[b=\beta \right]\\ & =\sum _{\beta \ne 0}\mathrm{Pr}\left[a^T\beta =\theta \right]·\mathrm{Pr}\left[b=\beta \right]\end{array}$$

Let $a={\left(a_1,\dots ,a_n\right)}^T$ and $\beta ={\left({\beta }_1,\dots ,{\beta }_n\right)}^T$ with $\beta \ne 0^n$. Hence, there exists $j\in \left[n\right]$ such that ${\beta }_j\ne 0$. Let $A_{-j}$ denote the event that $a_i={\alpha }_i$ for all $i\in \left[n\right]\backslash \left\{j\right\}$. Conditioning on this event, we obtain:

$$\begin{array}{ll}\mathrm{Pr}\left[d=\theta \right]& =\sum _{\beta \ne 0}\mathrm{Pr}\left[\sum _{i\in \left[n\right]}{a}_i{\beta }_i=\theta \right]·\mathrm{Pr}\left[b=\beta \right]\\ & ={\sum }_{{\alpha }_i,\forall i\in \left[n\right]\backslash \left\{j\right\}}\sum _{\beta \ne 0}\mathrm{Pr}\left[\sum _{i\in \left[n\right]}{a}_i{\beta }_i=\theta |A_{-j}\right]·\mathrm{Pr}\left[b=\beta \right]·\mathrm{Pr}\left[A_{-j}\right]\\ & =\sum _{{\alpha }_i,\forall i\in \left[n\right]\backslash \left\{j\right\}}\sum _{\beta \ne 0}\mathrm{Pr}\left[a_j={\beta }_j^{-1}\left(\theta -\sum _{i\in \left[n\right]\backslash \left\{j\right\}}{\alpha }_i{\beta }_i\right)\right]·\mathrm{Pr}\left[b=\beta \right]·{\displaystyle \frac{1}{q^{n-1}}}\\ & =\sum _{{\alpha }_i,\forall i\in \left[n\right]\backslash \left\{j\right\}}\sum _{\beta \ne 0}{\displaystyle \frac{1}{q}}·\mathrm{Pr}\left[b=\beta \right]·{\displaystyle \frac{1}{q^{n-1}}}={\displaystyle \frac{1}{q}}\end{array}$$

□

Theorem 1.

Let $a\stackrel{\$}{\leftarrow }U\left({\mathcal{R}}_q^d\right)$ and $b\stackrel{\$}{\leftarrow }\Phi \left({\mathcal{R}}_q^d\backslash \left\{0^d\right\}\right)$ be independent, where $\Phi$ is an arbitrary distribution. Then, the coefficients of $a^{T}b$ are uniformly distributed over  ${\mathcal{R}}_q$.

Proof. 

Let $a={\left(a^1\dots a^d\right)}^T$ and $b={\left(b^1\dots b^d\right)}^T$, so that $a^{T}b={\sum }_{i=1}^d{a}^i{b}^i$. Since $b\ne 0$, there exists $i^{\ast }\in \left[d\right]$ with $b^{i^{\ast }}\ne 0$. Since $a^i,b^i,a^j,b^j$ are independent for $i\ne j$, it suffices to show that $a^{i^{\ast }}{b}^{i^{\ast }}$ has uniformly distributed coefficients. By Lemma 1, $a^{T}b$ then also has uniformly distributed coefficients. Assume $a^{i^{\mathrm{*}}}={\sum }_{j=1}^{n-1}{a}_j{x}^j$ and $b^{i^{\mathrm{*}}}={\sum }_{j=1}^{n-1}{b}_j{x}^j$. By defining $c:=a^{i^{\mathrm{*}}}{b}^{i^{\mathrm{*}}}={\sum }_{k=1}^{2n-2}{c}_k{x}^k$ and $d={\sum }_{j=1}^{n-1}{d}_j{x}^j:=cmod\left(x^n+1\right)$, we obtain:

$$d_j=\left[\begin{array}{ccc}\begin{array}{cc}{a}_0& \begin{array}{cc}\cdots & a_j\end{array}\end{array}& \begin{array}{cc}-a_{j+1}& -a_{j+2}\end{array}& \begin{array}{cc}\cdots & -a_{n-1}\end{array}\end{array}\right]{\left[\begin{array}{cc}{b}_j& \begin{array}{ccc}\dots & b_0& \begin{array}{ccc}{b}_{n-1}& \begin{array}{cc}{b}_{n-2}& \dots \end{array}& b_{j+1}\end{array}\end{array}\end{array}\right]}^T$$

Since $a\in {\mathcal{R}}_q^d$ is uniformly distributed and $b^{i^{\ast }}\ne 0$, Lemma 2 implies that $d_j$ is uniformly distributed over ${\mathbb{Z}}_q$. Thus, by Lemma 1, $a^{T}b$ has uniformly distributed coefficients. □

5.2.2. Verifiability and Completeness

We show that the scheme satisfies completeness and verifiability: Valid proofs are accepted by the $Verify$ algorithm with overwhelming probability, while there is a negligible probability that any PPT adversary could forge or reuse a valid proof.

When the DU searches for a keyword $w$ and receives $\left(Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)\right)$ from the CS, it decrypts $En{c}_{ABE}\left(\mu \right)$, computes $h_w=H^{\prime }\left(H^{″}\left(w\right),Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)\right)+\mu$, and checks whether $‖v_w‖<\zeta \sqrt{mn}$ and $p{k}_S{v}_w=h_w$. These conditions hold with overwhelming probability for correct documents, since $SamplePre\left(p{k}_S,s{k}_S,h_w,\zeta ,\alpha \right)\to v_w$.

Assume a PPT adversary forges a valid proof $v_w$ for a keyword $w$ and document set $\left\{F_{i{d}_1}^{\prime },\dots ,F_{i{d}_{z^{\prime }}}^{\prime }\right\}$, such that verification succeeds with non-negligible probability. Since $v_w$ satisfies $‖v_w‖<\sigma \sqrt{m}$ and $p{k}_S{v}_w=h_w$, the adversary finds a short preimage of $h_w$, contradicting the MSIS hardness assumption [38]. Hence, no PPT adversary can forge a valid proof, except with negligible probability.

If the CS reuses a valid proof $v_w$ for a different keyword $w^{\prime }$ or different document set $\left\{F_{i{d}_1}^{\prime },\dots ,F_{i{d}_{z^{\prime }}}^{\prime }\right\}\ne \left\{F_{{id}_1},\dots ,F_{{id}_z}\right\}$, it must hold that $H^{\prime }\left(H^{″}\left(w^{\prime }\right),Enc\left(F_{i{d}_1}^{\prime }\right),\dots ,Enc\left(F_{i{d}_{z^{\prime }}}^{\prime }\right)\right)=H^{\prime }\left(H^{″}\left(w\right),Enc\left(F_{i{d}_1}\right),\dots ,Enc\left(F_{i{d}_z}\right)\right)$. This contradicts the collision resistance of $H^{\prime }$ and $H^{″}$. Thus, each proof $v_w$ is bound to its keyword and document set and cannot be reused.

The one-way nature of $H^{\prime }$ ensures that revealing $\mu$ does not expose $H^{″}\left(w\right)$ or the documents containing the keyword $w$ from $h_w$. Similarly, even if the DU discloses $\mu$, $H^{″}\left(w\right)$, and the encrypted documents to prove the CS misbehavior, the one-way nature of $H^{″}$ prevents the recovery of $w$. Moreover, since $\mu$ is known only to the DO and authorized DUs, an attacker, even with access to the corresponding encrypted documents and $h_w=p{k}_S{v}_w$, cannot determine the underlying searched keyword.

Remark 1. 

In the proposed verifiability framework, adding or deleting a file requires updating only the proofs linked to its keywords. To enable parallelization, the scheme generates separate proofs for each keyword-file pair. Although this increases the total number of verifiability proofs, completeness proofs remain unaffected and each verifiability proof can be generated in parallel.

5.2.3. Resistance to Collusion Attack

In this section, we demonstrate that the proposed scheme is collusion-resistant.

Suppose Alice and Bob collude to access documents they are not individually authorized to view. Alice holds the attribute set $X_{Alice}$ and identifier $GI{D}_{Alice}$, while Bob holds $X_{Bob}$ and $GI{D}_{Bob}$. Each independently requests a trapdoor for $w$ from TAs:

$$\begin{array}{l}SampleLeft\left(A_i,F_w,T_{A_i},\left[\begin{array}{c}H\left(GI{D}_{Alice}\right)\\ u\end{array}\right],\zeta ,\alpha \right)\to t_i^{Alice},\forall i\in X_{Alice},T_{w^{\prime }}={\left(t_i\right)}_{i\in X_{Alice}}\\ SampleLeft\left(A_i,F_w,T_{A_i},\left[\begin{array}{c}H\left(GI{D}_{Bob}\right)\\ u\end{array}\right],\zeta ,\alpha \right)\to t_i^{Bob},\forall i\in X_{Bob},T_{w^{\prime }}={\left(t_i\right)}_{i\in X_{Bob}}\end{array}$$

Now, they try to impersonate Carl by forging a trapdoor for an authorized attribute set $X_{Carl}=X_1\cup X_2$, where $X_1\subseteq X_{Alice}$, $X_2\subseteq X_{Bob}$, and $X_1\cap X_2=\varnothing$. They compute a collusion trapdoor for $X_{Carl}$, as $T_w={\left(t_i^{Carl}\right)}_{i\in X_{Carl}}$, where $t_i^{Carl}:=\left\{\begin{array}{c} t_i^{Alice}, \forall i\in X_1\\ t_i^{Bob}, \forall i\in X_2\end{array}\right.$. Now, this trapdoor along with $X_{Carl}$ is sent to the CS. Upon receipt, the CS first verifies whether $X_{Carl}$ is authorized. Since $X_{Carl}$ is valid, there exists an index set $I_{Carl}\triangleq \left\{i\in \left[l\right]\left|\rho \right(i)\in X_{Carl}\right\}$, and coefficients ${\left\{{\alpha }_i\in \left\{\mathrm{0,1}\right\}\right\}}_{i\in I_{Carl}}$ such that $\sum _{i\in I_{Carl}}{\alpha }_i{M}_i=(\mathrm{1,0},\dots ,0)$, where $M_i$ denotes the $i^{th}$ row of the matrix $M$. Assume $I_{Carl}=I_1\cup I_2$ with $I_1\cap I_2=\varnothing$, $I_1\subseteq X_1$ and $I_2\subseteq X_2$. The CS then proceeds with the search as follows:

$$\begin{array}{ll}{b}_k& =p_k-\sum _{i\in I_{Carl}}{\alpha }_i{t_i^{Carl}}^T{c}_{ik}\\ & =u^T{s}_k+x_k-\sum _{i\in I_{Carl}}{\alpha }_i{t_i^{Carl}}^T{\left(A_i‖F_w\right)}^T\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]-\sum _{i\in I_{Carl}}{\alpha }_i{t_i^{Carl}}^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =u^T{s}_k+x_k-\sum _{i\in I_1}{\alpha }_i\left[H{\left(GI{D}_{Alice}\right)}^T‖u^T\right]\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]-\sum _{i\in I_2}{\alpha }_i\left[H{\left(GI{D}_{Bob}\right)}^T‖u^T\right]\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]\\ & \hspace{1em} \hspace{1em}-\sum _{i\in I_{Carl}}{\alpha }_i{t_i^{Carl}}^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =x_k-H{\left(GI{D}_{Alice}\right)}^T{\sum }_{i\in I_1}{\alpha }_i{\gamma }_{ik}-H{\left(GI{D}_{Bob}\right)}^T{\sum }_{i\in I_2}{\alpha }_i{\gamma }_{ik}\\ & \hspace{1em}\hspace{1em}-\sum _{i\in I_{Carl}}{\alpha }_i{t_i^{Carl}}^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\end{array}$$

Since $I_{Carl}$ is valid and partitioned into two disjoint subsets $I_1$ and $I_2$, it follows that:

$${\sum }_{i\in I_{Carl}}{\alpha }_i{\gamma }_{ik}=0^d⟹{\sum }_{i\in I_1}{\alpha }_i{\gamma }_{ik}+{\sum }_{i\in I_2}{\alpha }_i{\gamma }_{ik}=0^d⟹{\sum }_{i\in I_1}{\alpha }_i{\gamma }_{ik}=-{\sum }_{i\in I_2}{\alpha }_i{\gamma }_{ik}$$

By substituting the above expression into the original equation, we obtain:

$$b_k=x_k-{\left(H\left(GI{D}_{Alice}\right)-H\left(GI{D}_{Bob}\right)\right)}^T{\sum }_{i\in I_1}{\alpha }_i{\gamma }_{ik}-{\sum }_{i\in I_{Carl}}{\alpha }_i{t_i^{Carl}}^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]$$

Since $I_1$ is unauthorized, any linear combinations of ${\gamma }_{ik}$ for $i\in I_1$ satisfies ${\sum }_{i\in I_1}{\alpha }_i{\gamma }_{ik}\ne 0$. By Theorem 1, the coefficients of ${\left(H\left(GI{D}_{Alice}\right)-H\left(GI{D}_{Bob}\right)\right)}^T{\sum }_{i\in I_1}{\alpha }_i{\gamma }_{ik}$ are uniformly distributed, since $H\left(GI{D}_{Alice}\right)-H\left(GI{D}_{Bob}\right)$ has uniform distribution. Therefore, by Lemma 1 and the independence of terms, the coefficients of $b_k$ are uniformly distributed.

Therefore, the probability that ${‖b_k‖}_{\infty }<\left[q/4\right]$ for all $k\in \left[\delta \right]$ is ${\left(1/4\right)}^{\delta }$, which is negligible in $n$ when $\delta =\omega \left(\log n\right)$. Hence, in the presence of collusion, the search algorithm outputs zero with overwhelming probability.

5.2.4. SCKA Security

In this section, we prove SCKA security in the standard model under the MLWE assumption. As each DU interacts with TAs to obtain a trapdoor for a specific keyword, the adversary is restricted to trapdoor queries for authorized attributes and that keyword.

Definition 6

(Multi-MLWE Problem). Given $\delta (m+1)$ samples$\left(u_i,v_i^k\right)$ for $i=0,\dots ,m,$ and $k=1,\dots ,\delta$, where $u_i\stackrel{\mathrm{\$}}{\leftarrow }U({\mathcal{R}}_q^d),$ $e_i^k\stackrel{\mathrm{\$}}{\leftarrow }\chi ,s_k\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^d\right)$, and $v_i^k$ are computed as $v_i^k\stackrel{\mathrm{\$}}{\leftarrow }{U(\mathcal{R}}_q)or{v}_i^k=u_i^T{s}_k+e_i^k$, the Multi-MLWE problem is to distinguish between these two distributions with a non-negligible advantage.

The Multi-MLWE problem directly reduces from the standard MLWE problem.

Theorem 2.

The proposed scheme achieves indistinguishability-based security against SCKA in the standard model, assuming the hardness of the Multi-MLWE problem.

Proof. 

We define a sequence of games, each computationally indistinguishable from the previous for any PPT adversary. Let $adv(Game i)$ denote the adversary’s advantage in Game $i$. The games are defined as follows:

Game 0: This game is identical to the IKGA game. Thus: $adv(Game 0)=adv\left(SCKA\right)$.

Game 1: This game is identical to Game 0, except $B_h^i:=A_i{R}_h^{\ast }+d_{h}B$, instead of chosen uniformly. By Lemma 13 in [50]: $adv(Game 1)=adv(Game 0)$.

Game 2: This game is identical to Game 1, except $A_i{\leftarrow }^{\$}U\left(R_q^{2d\times 2m}\right)$ and $TrapGen\left(I_{2d\times 2d},\sigma \right)\to (B,T_B)$. When the adversary requests a trapdoor for $w$ and $X$, the challenger verifies $d_w\ne 0$, where $d_w=1+\sum _{h=1}^{\eta }{H}_h^{″}\left(w\right)d_h$ with $H_h^{″}$ denoting the abort-resistant hash functions [50]. Let $R_w^{\ast }=\sum _{h=1}^{\eta }{H}_h^{″}\left(w\right)R_h^{\ast }$. The challenger computes:

$$SampleRight\left(A_i,d_{w}B,R_w^{\mathrm{*}},T_B,\left[\begin{array}{c}H\left(GID\right)\\ u\end{array}\right],\zeta ,\alpha \right)\to t_w$$

Analogous to the original scheme, we also have:

$$\left(A_i‖d_{w}B+A_i{R}_w^{\mathrm{*}}\right)=\left(A_i‖B+{\sum }_{h=1}^{\eta }{H}_h^{″}\left(w\right)(d_{h}B+A_i{R}_h^{\mathrm{*}}\right)=\left(A_i‖F_w\right)$$

The adversary keeps a $List$ of keywords associated with the attribute set $X$, satisfying ${\tau }^{\ast }$. Based on Lemma 28 in [50]: $adv(Game 2)\ge 1/4q·adv(Game 1)$.

Game 3: This game is identical to Game 2, except that the encrypted challenge keyword is replaced with a random value, yielding: $adv(Game 3)=0$.

Reduction from Multi-MLWE: Assume a PPT adversary $\mathcal{A}$ distinguishes Game 2 and Game 3 with a non-negligible advantage. Then, a PPT challenger $\mathcal{C}$ can employ $\mathcal{A}$ to distinguish Multi-MLWE samples from uniform with non-negligible advantage, contradicting the Multi-MLWE hardness assumption. The challenger proceeds as follows:

Upon receiving the samples ${\left(u_j,v_j^k\right)}_{j=0}^{2m}$, for $k\in \left[\delta \right]$, $\mathcal{C}$ selects $z_j^i\stackrel{\$}{\leftarrow }U\left({\mathcal{R}}_q^d\right), \forall j\in \left[2m\right],i\in [l]$ and sets $A_i:=\left[\begin{array}{ccc}{z}_1^i& \dots & z_{2m}^i\\ u_1& \dots & u_{2m}\end{array}\right]$ and $u:=u_0$. It then generates $B_h$ and $B$ with trapdoors as in Game 2 and sends $PP:=\left({\left(A_i\right)}_{i\in \left[l\right]},B,{\left(B_h^i\right)}_{i\in \left[l\right],h\in \left[n\right]},u\right)$ to $\mathcal{A}$. Then $\mathcal{C}$ answers the trapdoor queries as in Game 2.

Upon receiving the challenge keyword $w^{\ast }$ from $\mathcal{A}$, $\mathcal{C}$ checks $w^{\ast }\notin List$ and $d_{w^{\ast }}=0$. By Lemma 27 in [50], $d_{w^{\ast }}=0$ holds with a probability of at least $1/4q$ for fewer than $q/2$ queries. Subsequently, to encrypt the challenge keyword, $\mathcal{C}$ constructs the share-generating matrix $M^{\ast }$ for ${\tau }^{\ast }$, selects $r_i\stackrel{\$}{\leftarrow }U\left({\mathbb{Z}}_q^n\right),i\in \left[d^{\prime }\right]$, and computes the following, where $m^i$ denotes the $i^{th}$ column of $M^{\ast }$.

$$m^1{v_j^k}^T+m^2{r}_2^T{u}_j+\dots +m^{d^{\prime }}{r}_{d^{\prime }}^T{u}_j=\left[\begin{array}{ccc}-& {\lambda }_{1k}^T& -\\ & ⋮& \\ -& {\lambda }_{lk}^T& -\end{array}\right]u_j+m^1{e}_j^k,j\in \left[m\right]$$

$\mathcal{C}$ also computes the following by sampling $r_i^{\prime }\stackrel{\$}{\leftarrow }U\left({\mathbb{Z}}_q^n\right)$:

$$m^1{(0}^T{z}_j^i+e_j^{\prime })+m^2{r_2^{\prime }}^T{z}_j^i+\dots +m^{d^{\prime }}{r_{d^{\prime }}^{\prime }}^T{z}_j^i=\left[\begin{array}{ccc}-& {\gamma }_{1k}^T& -\\ & ⋮& \\ -& {\gamma }_{lk}^T& -\end{array}\right]z_j^i+m^1{e}_j^{\prime },i\in \left[l\right],j\in \left[2m\right]$$

$\mathcal{C}$ then computes the values ${\gamma }_{ik}^T{z}_j^i+{\lambda }_{ik}^T{u}_j+m_i^1(e_j^{k }+e_j^{\prime })$ for all $j\in \left[2m\right]$, $i\in \left[l\right]$, and $k\in \left[\delta \right]$ by summing the corresponding rows, yielding:

$${{v_k}^i}^{\mathrm{*}}:=\left[\begin{array}{c}{z_1^i}^T{\gamma }_{ik}+u_1^T{\lambda }_{ik}+m_i^1({e_1}^k+e_1^{\prime })\\ ⋮\\ {z_{2m}^i}^T{\gamma }_{ik}+u_{2m}^T{\lambda }_{ik}+m_i^1(e_{2m}^k+e_{2m}^{\prime })\end{array}\right]=\left[\begin{array}{cc}{z_1^i}^T& u_1^T\\ ⋮& ⋮\\ {z_{2m}^i}^T& u_{2m}^T\end{array}\right]\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]+m_i^1\left[\begin{array}{c}{e}_1^k+e_1^{\prime }\\ ⋮\\ e_{2m}^k+e_{2m}^{\prime }\end{array}\right]=A_i^T\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]+m_i^1\left[\begin{array}{c}{e}_1^k+e_1^{\prime }\\ ⋮\\ e_{2m}^k+e_{2m}^{\prime }\end{array}\right]$$

Thus, based on the above computations, $\mathcal{C}$ derives the encrypted challenge as follows:

$$\left\{\begin{array}{c}{p}_k^{\mathrm{*}}:=v_0^k\\ c_{ik}^{\mathrm{*}}:=\left[\begin{array}{c}{v_k^i}^{\mathrm{*}}\\ {R_{w^{\mathrm{*}}}^{\mathrm{*}}}^T{v_k^i}^{\mathrm{*}}\end{array}\right]\end{array}\right.$$

Analogous to the original scheme, the following relation holds for $y_i^k:=m_i^1\left[\begin{array}{c}{e}_1^k+e_1^{\prime }\\ ⋮\\ e_{2m}^k+e_{2m}^{\prime }\end{array}\right]$:

$$p_k^{\mathrm{*}}=v_0^k=u_0^T{s}_k+{e_0}^k=u^T{s}_k+e_0^k$$

$$c_{ik}^{\mathrm{*}}=\left[\begin{array}{c}{v_k^i}^{\mathrm{*}}\\ {R_{w^{\mathrm{*}}}^{\mathrm{*}}}^T{v_k^i}^{\mathrm{*}}\end{array}\right]=\left[\begin{array}{c}{A}_i^T\\ {R_{w^{\mathrm{*}}}^{\mathrm{*}}}^T{A}_i^T\end{array}\right]\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]+\left[\begin{array}{c}{y}_i^k\\ {R_{w^{\mathrm{*}}}^{\mathrm{*}}}^T{y}_i^k\end{array}\right]={\left(A_i‖F_{w^{\mathrm{*}}}\right)}^T\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]+\left[\begin{array}{c}{y}_i^k\\ {R_{w^{\mathrm{*}}}^{\mathrm{*}}}^T{y}_i^k\end{array}\right]$$

Given $d_{w^{\ast }}=0$ for $w^{\ast }$, we have $\left(A_i‖F_{w^{\mathrm{*}}}\right)=\left(A_i‖d_{w^{\mathrm{*}}}B+A_i{R}_{w^{\mathrm{*}}}^{\mathrm{*}}\right)=\left(A_i‖A_i{R}_{w^{\mathrm{*}}}^{\mathrm{*}}\right)$.

• Thus, if $\mathcal{C}$’s input samples follow the Multi-MLWE distribution, the adversary’s view corresponds to Game 2; otherwise, if the samples are uniform, $\mathcal{A}$ interacts with random values as in Game 3. Therefore, $\mathcal{C}$ sets its output to that of $\mathcal{A}$, i.e., $output:=b^{\prime }$. Thus:

$$ad{v}_{\mathcal{C}}\left(Multi-MLWE\right)\ge \left|Ad{v}_{\mathcal{A}}\left(Game2\right)-Ad{v}_{\mathcal{A}}\left(Game3\right)\right|\ge 1/4q·ad{v}_{\mathcal{A}}\left(SCKA\right)$$

Here, $1/4q$ is the probability of not aborting the challenge. Hence, any PPT adversary breaking semantic security of the scheme with non-negligible advantage implies a distinguisher breaking the Multi-MLWE assumption, contradicting its assumed hardness.

• We summarize the security proof through the security game illustrated in Figure 1.

□

Figure 1. Semantic security against SCKA for ABKS scheme.

5.2.5. Multi-Keyword Search

In this section, we present a multi-keyword search method adapted from [12]. First, the DO encrypts each keyword of document $F_i$ using Step 3 from Section 5.2 (ABKS) and sends them to the CS. The DU then computes the leaf node values ${\tau }_{w_j}^{\prime }$ for each $w_j$ in the search policy ${\tau }^{\prime }$, using Search Tree Labeling Algorithm [12]:

Search Tree Labeling Algorithm [12]: Until all leaf nodes receive label vectors ${\tau }_{w_j}^{\prime }$:

• Assign the identity matrix $I_{2d\times 2d}$ to the root node.
• OR gates: Each child node inherits the parent’s label.
• AND gates: Split the parent’s label into child labels from ${\left\{-\mathrm{1,0},1\right\}}^{2d\times 2d}$ whose sum equals the parent’s label.

Subsequently, for each $w_j^{\prime }\in {\tau }^{\prime }$, the DU computes $F_{w_j^{\prime }}=B+\sum _{h=1}^{\eta }{B}_h{H}_h^{″}\left(w_j^{\prime }\right)$ and sends it to the TAs. Each TA computes the trapdoor components $SampleLeft\left(A_i,F_{w_j^{\prime }},T_{A_i},{\tau }_{w_j^{\prime }}^{\prime }\left[\begin{array}{c}H\left(GID\right)\\ u\end{array}\right],\zeta ,\alpha \right)\to t_{ij},\forall i\in X$. The DU then forwards $T_{{\tau }^{\prime }}:={\left(t_{ij}\right)}_{i\in X,j:w_j^{\prime }\in {\tau }^{\prime }}$ and $X$ to the CS. Upon receiving the trapdoor $T_{{\tau }^{\prime }}$ and accessing the encrypted keywords $C_w$, the CS executes Step 6 of Section 5.2 (Search). It first checks whether the DU’s attribute set $X$ satisfies the access policy $\tau$. If so, it computes coefficients ${\left\{{\alpha }_i\in {\mathbb{Z}}_q\right\}}_{i\in I}$, satisfying $\sum _{i\in I}{\alpha }_i{M}_i=(\mathrm{1,0},\dots ,0)$. For each keyword set $\left\{w_1,\dots ,w_{\vartheta }\right\}$ matching the search policy ${\tau }^{\prime }$, it computes $b_k=p_k-\sum _{i\in I}{\sum }_{j=1}^{\vartheta }{\alpha }_i{t}_{ij}^T{c}_{ik}^j mod q$. If ${‖b_k‖}_{\infty }<\left[q/4\right]$ for all $k\in \left[\delta \right]$, the search algorithm outputs 1. In this case, the correctness of the scheme is established as follows:

$$\begin{array}{ll}{b}_k& =p_k-{\displaystyle \sum _{i\in I}}{{\displaystyle \sum }}_{j=1}^{\vartheta }{\alpha }_i{t}_{ij}^T{c}_{ik}^j\\ & =u^T{s}_k+x_k-\sum _{i\in I}{\sum }_{j=1}^{\vartheta }{\alpha }_i\left[H{\left(GID\right)}^T‖u^T\right]{{\tau }_{w_j}^{\prime }}^T\left[\begin{array}{c}{\gamma }_{ik}\\ {\lambda }_{ik}\end{array}\right]\\ & -\sum _{i\in I}{\sum }_{j=1}^{\vartheta }{\alpha }_i{t}_{ij}^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{"}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\\ & =x_k-\sum _{i\in I}{\sum }_{j=1}^{\vartheta }{\alpha }_i{t}_{ij}^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{"}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]\end{array}$$

As shown in Section 5.2.1, Case 1, $b_k$ has a low norm. Hence, the search algorithm returns 1 with overwhelming probability.

If the keyword set does not satisfy ${\mathsf{\tau }}^{\prime }$, then ${\sum }_{j=1}^{\vartheta }{{\tau }_{w_j}^{\prime }}^T=\left[\begin{array}{cc}{{\tau }_{11}^{″}}^T& {{\tau }_{21}^{″}}^T\\ {{\tau }_{12}^{″}}^T& {{\tau }_{22}^{″}}^T\end{array}\right]\ne I$, and so:

$$\begin{array}{ll}{b}_k& =p_k-\sum _{i\in I}{\sum }_{j=1}^{\vartheta }{\alpha }_i{t}_{ij}^T{c}_{ik}^j=u^T{s}_k+x_k-\left[H{\left(GID\right)}^T‖u^T\right]{{\tau }^{″}}^T\left[\begin{array}{c}{0}^d\\ s_k\end{array}\right]-error\\ & ={\left(\left(I-{\tau }_{22}^{″}\right)u-{\tau }_{21}^{″}H\left(GID\right)\right)}^T{s}_k+x_k-error\end{array}$$

By Theorem 1, ${\left(\left(I-{\tau }_{22}^{″}\right)u-{\tau }_{21}^{″}H\left(GID\right)\right)}^T{s}_k$ has uniformly distributed coefficients, since $\left(I-{\tau }_{22}^{″}\right)u-{\tau }_{21}^{″}H\left(GID\right)\ne 0^d$ with overwhelming probability and $s_k$ is uniform and independent of other components. Thus, by Lemma 1, each $b_k$ has uniformly distributed coefficients, and the search algorithm outputs 1 with negligible probability.

The security analysis follows the same approach as the original scheme in Section 5.2.4.

5.2.6. Forward Security

To incorporate forward security into an ABKS scheme, each attribute is assigned a temporal tag specifying its validity period. When a DU requests a trapdoor, the TA verifies the attribute is valid for the given time interval. If so, the TA issues a trapdoor embedding both the attribute and its temporal tag. Simultaneously, the DO encrypts keywords under an access structure binding attributes to their temporal tags, preventing trapdoor reuse across different time intervals and ensuring temporal access control.

Alternatively, forward security can be achieved by periodically refreshing each TA’s keys via $TrapGen\left(I_{2d\times 2d},\sigma \right)\to \left(A_{i,t},T_{A_{i,t}} \right),$ for all $i\in \left[l\right]$ and $t\in \left[Time\right]$ at each predefined time interval. In this construction, a trapdoor generated for one time interval cannot be used for others, as encrypted keywords are bound to the public parameters $A_{i,t}$ and incompatible with trapdoors derived from $T_{A_{i,t^{\prime }}}$.

5.2.7. Resistance to IKGA

To strengthen against IKGA, we propose two countermeasures. The first employs a Non-Interactive Key Exchange (NIKE) protocol based on the MLWE assumption [53], where each keyword is XORed with a shared secret established between the DO and the DU before the ABKS and Trapdoor algorithms. Since insider adversaries lack this secret, they cannot forge valid keywords, thereby preventing IKGA. This method imposes low overhead, as the secret can be established in advance, and it can be readily integrated into existing schemes. Nevertheless, it relies on a Public Key Infrastructure (PKI) for secret establishment, scales poorly to multi-user settings, and requires prior coordination between parties, limiting its applicability in dynamic or large-scale environments.

The second approach binds the searchable encrypted keywords to the DO’s private key, while the trapdoor generation relies on the DO’s public key. This prevents insider adversaries from generating valid searchable ciphertexts without the DO’s private key, thus mitigating IKGA. However, this approach depends on a PKI, posing challenges analogous to those in verifiability mechanisms. Specifically, the DO’s public key must be accessible to all DUs, resulting in trapdoors that are unique to each DO’s document set.

Below, we present the modified algorithms of the baseline ABKS scheme (Section 5.2) to achieve IKGA resistance. Let $H:{\left\{\mathrm{0,1}\right\}}^{\ast }\to {\mathcal{R}}_q^{d\times d}$ be a hash function with uniform output.

1.

$Setup\left(1^n\right)\to \left(PP,MSK\right)$: In this algorithm, the only modifications involve the matrix selection: $U\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^{d\times d}\right)$ and $P,P_h\stackrel{\mathrm{\$}}{\leftarrow }U\left({\mathcal{R}}_q^{d\times m}\right),$ for $h\in \left[\eta \right]$.

2.

$ABKS\left(w,\tau \right)\to C_w$: In this algorithm, only the first ciphertext component is modified as $SampleLeft(Q,P_w,T_Q,U^T{s}_k+x_k,\zeta ,\alpha )\to p_k,\forall k\in \left[\delta \right],\mathrm{w}$ here $s_k,x_k\stackrel{\mathrm{\$}}{\leftarrow }{\chi }^d$ and $P_w:=P+\sum _{h=1}^{\eta }{P}_h{H}_h^{″}\left(w\right)$. Thus: $\left(Q‖P_w\right)p_k=U^T{s}_k+x_k$.

3.

$Trapdoor\left(F_{w^{\prime }},X,GID,MSK\right)\to T_{w^{\prime }}$: In this algorithm, the DU samples $s^{\prime }\stackrel{\mathrm{\$}}{\leftarrow }{\chi }^d$,$e\stackrel{\mathrm{\$}}{\leftarrow }{\chi }^m$ and $e_i^{\prime }\stackrel{\mathrm{\$}}{\leftarrow }{\chi }^{2d}$, then computes $T_{w^{\prime }}:=\left({\left(t_i\right)}_{i\in X},r\right)$ as follows:

$$\left\{\begin{array}{c}r:={\left(Q‖P_{w^{\prime }}\right)}^T{s}^{\prime }+\left[\begin{array}{c}e\\ {\left(\sum _{h=1}^{\eta }{R}_h^{\prime }{H}_h^{″}\left(w^{\prime }\right)\right)}^{T}e\end{array}\right] \\ SampleLeft\left(A_i,F_{w^{\prime }},T_{A_i},\left[\begin{array}{c}H\left(GID\right)\\ U\end{array}\right]s^{\prime }+e^{\prime },\zeta ,\alpha \right)\to t_i , \forall i\in X\end{array}\right.$$

4.

$Search\left(C_w,T_{w^{\prime }}\right)\to 0or1$: In this algorithm, the CS computes $b_k=r^T{p}_k-\sum _{i\in I}{\alpha }_i{t}_i^T{c}_{ik} mod q,\forall k\in \left[\delta \right]$.

Next, we examine the correctness of the scheme. For $w=w^{\prime }$ and $\tau \left(X\right)=1$:

$$b_k={s^{\prime }}^T{x}_k+{e_2^{\prime }}^T{s}_k-{\left[\begin{array}{c}e\\ {\left(\sum _{h=1}^{\eta }{R}_h^{\prime }{H}_h^{″}\left(w\right)\right)}^{T}e\end{array}\right]}^T{p}_k-{\sum }_{i\in I}{\alpha }_i{t}_i^T\left[\begin{array}{c}{y}_{ik}\\ {\left(\sum _{h=1}^{\eta }{R}_h{H}_h^{″}\left(w\right)\right)}^T{y}_{ik}\end{array}\right]$$

where $e^{\prime }=\left[\begin{array}{c}{e}_1^{\prime }\\ e_2^{\prime }\end{array}\right]$. By Section 4.4 of [52] and Lemma 24 of [50], we have:

$${‖b_k‖}_{\mathrm{\infty }}\le t^2{\sigma }^{2}dn+t^2{\sigma }^{2}dn+\left(l+1\right)t^2\zeta \sigma mn\eta$$

According to [46], the parameters must satisfy $\alpha \ge 10\sqrt{\log \left(2k\left(1+{\displaystyle \frac{1}{\epsilon }}\right)\right)/\pi }$ and $\zeta >\sqrt{\left({\alpha }^2+1\right)s_1^2\left(T\right)+{\eta }_{\epsilon }^2\left({\mathbb{Z}}^{nm}\right)}$, ensuring sufficiently large standard deviations in the $SampleLeft$ and $SamplePre$ algorithms. Moreover, $\delta =\omega \left(\log n\right)$ is required to keep the error term negligible.

Furthermore, we analyze the security of the IKGA-secure ABKS scheme against two attacks: IKGA (trapdoor indistinguishability) and SCKA (ciphertext indistinguishability). First, we define the Multi-Short Secret MLWE problem (Multi-ssMLWE), analogous to Definition 6 except that $s_k\leftarrow {\chi }^d$, where $\chi$ is as in [54].

Theorem 3. 

The IKGA-secure scheme achieves semantic security against SCKA in the standard model, under the hardness assumption of the Multi-ssMLWE problem.

Proof. 

The proof follows the methodology of Theorem 2, summarized in Figure 2. □

Figure 2. Semantic security against SCKA for IKGA-secure ABKS scheme.

Theorem 4. 

The IKGA-secure scheme achieves semantic security against IKGA in the random oracle model, under the hardness assumption of the ssMLWE problem.

Proof. 

The proof follows the methodology of Theorem 2, summarized in Figure 3. □

Figure 3. Semantic security against IKGA for IKGA-secure ABKS scheme.

6. Efficiency and Experimental Evaluation

This section first presents a qualitative comparison of the features of our scheme with existing ones. Then, it analyzes the computational overhead and communication complexity of the proposed scheme. Table 1 compares the proposed scheme with recent ABKS schemes across ten key aspects: hardness, security model, collusion resistance, IKGA resistance, forward security, fine grained access control, verifiability, multi-authority, multi-keyword searchability and secret sharing mechanisms.

Table 1. Comparison between ABKS schemes in terms of security and features.

Scheme	Hardness	Security Model	${\mathit{F}}_{\mathbf{1}}$	${\mathit{F}}_{\mathbf{2}}$	${\mathit{F}}_{\mathbf{3}}$	${\mathit{F}}_{\mathbf{4}}$	${\mathit{F}}_{\mathbf{5}}$	${\mathit{F}}_{\mathbf{6}}$	${\mathit{F}}_{\mathbf{7}}$	Secret Sharing
[55]	BDH	RO	🗴	🗴	🗴	✓	🗴	🗴	🗴	LSS
[7]	BDH	RO	🗴	✓	🗴	✓	🗴	🗴	✓	LSS
[4]	BDH	RO	🗴	🗴	🗴	✓	🗴	✓	🗴	Pedersen
[6]	BDH	standard	🗴	🗴	✓	✓	🗴	🗴	🗴	LSS
[5]	BDH	standard	✓	🗴	🗴	✓	🗴	✓	🗴	LSS
[34]	LWE	standard	🗴	🗴	🗴	✓	🗴	🗴	🗴	LSS
[10]	LWE	standard	✓	🗴	🗴	🗴	🗴	✓	🗴	Shamir
[11]	LWE	RO	🗴	✓	🗴	✓	🗴	🗴	✓	Threshold
Ours	MLWE	Standard/RO	✓	✓	✓	✓	✓	✓	✓	LSS

Note: Symbols ✓ and 🗴 denote the presence or absence of each feature, respectively. The features are defined as follow: $F_1$: Collusion resistant; $F_2$: IKGA resistant; $F_3$: Forward security; $F_4$: Fine-grained access; $F_5$: Verifiability; $F_6$: Multi-authority; and $F_7$: Multi-keyword.

Let $n$ be the security parameter (a power of two), $q=poly\left(n\right)$ a prime, $m=d(k+2)$ with $k=⌈{\log }_{2}q⌉$, $l$ the total number of attributes, and $\eta$ the keyword vector length. Sampling from ${\mathbb{Z}}_q$ and evaluating hash functions are assumed to have negligible complexity. Since the error probability ${(\frac{1}{4})}^{\delta }$ is negligible, $\delta =\omega \left(\log n\right)$ must hold. Given these parameters, the communication overhead of our schemes is summarized in Table 2.

Table 2. Communication overheads.

Parameter	Basic Scheme	IKGA Secure Scheme
Public parameter	$\left[4m\left(l+\eta +1\right)+1\right]dnk$	$\left[m\left(4l+5\eta +5\right)+d\right]dnk$
Master secret key	$8d^2{k}^{2}ln$	$8d^2{k}^{2}ln$
DO’s public key	$dmnk$	$dmnk$
DO’s secret key	$2d^2{k}^{2}n$	$2d^2{k}^{2}n$
Encrypted keyword	$\left(1+4ml\right)n\delta k$	$\left(1+2l\right)2mn\delta k$
Trapdoor	$4mnk\left|X\right|$	$\left(1+2\left|X\right|\right)2mnk$
Proof	$mnk$	$mnk$

The computational complexity of our schemes is summarized in Table 3, where $C_{TrapGen}$, $C_{SamplePre}$, and $C_{SampleLeft}$ denote the complexities of the $TrapGen$, $SamplePre$, and $SampleLeft$ algorithms, respectively.

Table 3. Computational complexity.

Algorithms	Basic Scheme	IKGA-Secure Scheme
$Setup$	$l·C_{TrapGen}$	$l·C_{TrapGen}$
$KeyGen$	$C_{TrapGen}$	$C_{TrapGen}$
$ABKS$	$\left(1+8lm\right) dn\log n\delta$	$\delta .C_{SampleLeft}+8dlmn\log n\delta$
$Trapdoor$	$\left|X\right|C_{SampleLeft}$	$\left|X\right|C_{SampleLeft}+2dmn\log n$
$Search$	$4mn\log n$	$6mn\log n$
$ProofGen$	$C_{SamplePre}$	$C_{SamplePre}$
$Verify$	$dmn\log n$	$dmn\log n$

The proposed scheme was implemented on a workstation running Ubuntu 22.04.5 LTS with an Intel^® Core™ i7-12700H processor (4 cores), 8 GB of RAM, and a 60 GB hard disk, and the source code was developed using Visual Studio Code (version 1.104.2). The scheme described in Section 5.2 was executed 100 times, and the average runtime was recorded to minimize fluctuations. Following the methodology of [46], Table 4 summarized the computational complexity of the core algorithms per attribute for each keyword under the parameters: $n=256,$ $d=2,$ $q=\mathrm{1,073,707,009},$ $k=30,$ $\sigma =7,$ $\alpha =48.34,$ $\zeta =\mathrm{83,832},$ $t=12,$ $d\prime =5$, $\eta =5,$ $\delta =8,$ corresponding to a 128-bit security level.

Table 4. Computational complexity (ms).

Algorithms	Basic Scheme	IKGA-Secure Scheme
$Setup$	201.5477	$199.2275$
$KeyGen$	$6.2233$	$6.0120$
$ABKS$	$290.8191$	$332.7155$
$Trapdoor$	$16.1195$	$18.5$
$Search$	$0.619$	$0.96$
$ProofGen$	6.2152	$6.4905$
$Verify$	0.0245	$0.0266$

The schemes demonstrate practical computation complexities, as shown in Table 4. Setup is relatively slower (~200 ms) but is performed only once by the TA. $KeyGen$ is fast (~6 ms), while $ABKS$ encryption is the most time-consuming operation (~291–333 ms), yet it can be executed offline. $Trapdoor$ generation (~16–18.5 ms) and $ProofGen$ (~6.2–6.5 ms) are efficient, whereas $Search$ (<1 ms) and $Verify$ (~0.025 ms) are extremely fast, which is crucial for frequent and real-time access by the DU. The storage and communication overheads are reported in Table 5.

Table 5. Storage and communication overheads (KB).

Parameter	Basic Scheme	IKGA Secure Scheme
Public parameter	$7201.875$	$7923.75$
Master secret key	$8100$	$8100$
DO’s public key	$120$	$120$
DO’s secret key	$225$	$225$
Encrypted keyword	$\mathrm{17,287.5}$	$\mathrm{18,240}$
Trapdoor	$240$	$360$
Proof	$60$	$60$

The storage and communication overheads of our schemes are practical, as shown in Table 5. The public parameters (~7.2–7.9 MB) can also be derived from a seed via a pseudorandom function to further reduce storage and transmission costs. The master secret key is securely held by the TA and the DO’s keys remain compact (~120–225 KB), making the scheme suitable for real-world cloud deployments. Encrypted keywords (~17–18 MB) are stored only on the server, while trapdoors (~240–360 KB) are transmitted on demand and proofs (~60 KB) impose minimal overhead. Overall, these are reasonable and provide a balanced trade-off between security and efficiency in multi-organizational settings.

Remark 2. 

A direct numerical comparison with the most relevant lattice-based CP-ABKS schemes [11,34] is not feasible. The scheme in [34] lacks correctness and a formal reduction from the LWE problem, while [11] reports performance only for $n=16$, which does not achieve the 128-bit security level. Also, it is not collusion resistant. Moreover, neither [34] nor [11] support several essential features provided by our scheme, such as verifiability, forward security, and multi-authority support. Other works in Table 1 are not lattice-based ABKS schemes and differ fundamentally in structure and functionality. Therefore, a numerical comparison would be misleading.

Finally, it is worth noting that structured LWE-based schemes, particularly MLWE-based constructions, offer inherent efficiency advantages over standard LWE-based designs. Their underlying ring/module structure enables polynomial multiplications to be computed efficiently via the Number Theoretic Transform (NTT) [40]. This efficiency has led to their adoption in NIST post-quantum standards such as Kyber [40].

7. Conclusions

Attribute-Based Encryption with Keyword Search (ABKS) schemes enable authorized DUs to search over encrypted data using attribute sets. To counter quantum threats, post-quantum ABKS schemes have been developed, primarily leveraging the LWE problem. However, some existing schemes exhibit limitations, such as missing correctness proofs, verifiability, formal security proofs, and collusion resistance.

In this paper, we introduce a verifiable multi-authority ABKS scheme based on the MLWE problem. We formally prove the scheme is correct, verifiable, complete, and robust against collusion attacks. Additionally, we propose mechanisms to support multi-keyword search, forward security, and resistance to IKGA. After providing a rigorous security analysis, we evaluate the efficiency of the proposed scheme through both parametric analysis and an experimental implementation. The evaluation considers the computational complexity of Setup, KeyGen, ABKS, ProofGen, Trapdoor, Search, and Verify algorithms as well as communication overhead. Overall, the proposed scheme highlights the growing need for verifiable multi-authority encryption in real-world cloud infrastructures where sensitive records, such as medical, legal, and governmental datasets, must remain both confidential and searchable over long periods of time. The broader implications of this research extend to inter-organizational collaboration, reduced trust centralization, and sustainable cloud security in the presence of emerging quantum threats.

As a direction for future work, and while preserving all current security and functionality properties of the proposed scheme, private keys may be issued directly to DUs to eliminate reliance on TA interaction during trapdoor generation. Furthermore, incorporating mechanisms to conceal access policies represents a promising enhancement that could further strengthen the overall security and privacy guarantees of the scheme.