Quantum-Resistant Multi-Feature Attribute-Based Proxy Re-Encryption Scheme for Cloud Services

Jinqiu Hou,Changgen Peng,★,Weijie Tan,2 and Hongfa Ding

1State Key Laboratory of Public Big Data,College of Computer Science and Technology,Guizhou University,Guiyang,550025,China

2Key Laboratory of Advanced Manufacturing Technology,Ministry of Education,Guizhou University,Guiyang,550025,China

3College of Information,Guizhou University of Finance and Economics,Guiyang,550025,China

ABSTRACT

Cloud-based services have powerful storage functions and can provide accurate computation.However,the question of how to guarantee cloud-based services access control and achieve data sharing security has always been a research highlight.Although the attribute-based proxy re-encryption(ABPRE)schemes based on number theory can solve this problem,it is still difficult to resist quantum attacks and have limited expression capabilities.To address these issues,we present a novel linear secret sharing schemes (LSSS) matrix-based ABPRE scheme with the fine-grained policy on the lattice in the research.Additionally,to detect the activities of illegal proxies,homomorphic signature(HS)technology is introduced to realize the verifiability of re-encryption.Moreover,the non-interactivity,unidirectionality,proxy transparency,multi-use,and anti-quantum attack characteristics of our system are all advantageous.Besides,it can efficiently prevent the loss of processing power brought on by repetitive authorisation and can enable precise and safe data sharing in the cloud.Furthermore,under the standard model,the proposed learning with errors(LWE)-based scheme was proven to be IND-sCPA secure.

KEYWORDS

Lattice;learning with errors;attribute-based proxy re-encryption;linear secret sharing schemes

1 Introduction

It is worth noting that sensitive data is being shared and held increasingly in the third party,such as AWS,AliCloud,iCloud,etc.In the current era of cloud computing and data protection,finegrained access management of encrypted data is a crucial requirement.While sharing data in an open,complicated network environment,there is a chance that personal information will be compromised.For example,in telemedicine system,patients have to store the medical data to the cloud server of the hospital,so that medical service personnel can better analyze the health status of patients after downloading from the cloud.While sharing medical data brings about much convenience to patients and medical service personnel in the system,it also causes new privacy and security issues.Medical data usually contains patients’sensitive information,thus,it is extremely important for patients.In addition,patients would only like the medical data to be obtained by authorized medical service personnel.In an ideal situation,people hope to encrypt data to a semi-trusted cloud service provider for privacy protection purposes.At the same time,the encrypted data can realize data access control and ciphertext selection calculation as well.In other words,a cryptographic mechanism is needed to make sure “who” can access the encrypted data,and that they can get “what” from the encrypted data.

Proxy re-encryption (PRE) [1] is regarded as a particular primitive in public key cryptography that can give flexible data access authorization for encrypted data in accordance with user needs.Additionally,due to the capability of PRE to securely convert ciphertext,this technology has undergone extensive research and has proven to be quite useful in the cloud context.Currently,PRE is widely employed in many areas of the cloud computing environment,including access control,distributed file systems,encrypted mail forwarding systems,spam filtering systems,etc.ABPRE provides a good solution for the above scenarios.A semi-trusted proxy in an ABPRE system having access to a re-encryption key (created by a delegator) can convert ciphertext that satisfies an access policy into another ciphertext for a delegatee that complies with a new access policy.This greatly reduces the overhead of the data encryption process,enhances non-interactive fine-grained access control,and significantly improves efficiency.Users can share or access data securely,and reliably through a semi-trusted cloud computing service provider.It should be noted that in this process,the proxy is unable to obtain anything about the plaintext.Users achieve the goal of sharing data file safely and efficiently in this way.Due to its characteristics,ABPRE is very suitable for cloud storage environment.

1.1 Related Works

In 2011,Boneh et al.[2]put forth the idea of functional encryption(FE),which broke the deadlock of the original “all or nothing” access mode.FE can not only accomplish the objective of fine-grained access control (only users who meet certain policies can decrypt),but also can select ciphertext.Compared with traditional public-key cryptography(PKC),FE has stronger expression ability.Later,the fuzzy identity-based encryption was constructed by Sahai et al.[3],which was also regarded as the original form of attribute-based encryption (ABE).Especially,ABE is a special FE.In an ABE system,the ciphertext and the secrect key correspond to the attribute set and access policy respectively.The user can decode and access the ciphertext via the secret key after the attribute set of the ciphertext fulfills the access policy.

Lattice cryptography is a kind of PKC,which is widely considered to not be threatened by quantum computing.What’s more,the security of lattice cryptography is based on the difficulty of solving lattice problems in the average case.Based on this superior feature,scholars began to focus on the design of the FE schemes on lattice.Boyen [4] realized FE for access structures based on the LWE hardness assumptions in 2013.More specifically,the key-policy attribute-based encryption(KP-ABE)scheme with monotonic access structure was the first ABE scheme on lattice that supported general Boolean expressions.In 2018,Dai et al.[5] first reported their implementation of a lattice-based KP-ABE scheme,which used short secret keys.What’s more,the homomorphism of the public key and the ciphertext was considered in their proposed scheme as well.In 2019,Tsabary [6] constructed a fully secure ciphertext-policy attribute-based encryption (CP-ABE) for t-CNF from LWE.Varri et al.[7]presented a CP-ABE scheme from the lattice.It is noteworthy that their scheme only allowed valid users of the access policy to conduct keyword searches on the encrypted index,but users who were not in the access policy could not obtain documents in the ciphertext.Recently,to realize attribute revocation,Zhao et al.[8] presented a revocable ABE scheme,which can expediently renew users’attributes to revoke or grant their access rights.Besides,Fu et al.[9] put forward an offline/online CP-ABE,which had better computational performance for mobile device scenario.In the same year,Fu et al.[10]comprehensively summarized various kinds of ABE schemes from the lattice in terms of complexity assumptions,expressiveness,security,efficiency.In addition,they discussed ABE schemes on lattices which were deserving further research.

With the rapid development of cloud storage technology,the problems of data security and sharing have received extensive attention from industry and academia.PRE is an encryption method that can safely convert ciphertext.It allows that a non-completely trusted third party can directly convert the user Alice’s ciphertext into other users’ciphertext without decryption,which guarantees the privacy and security of the data left with the third party.

The following desired characteristics should be met by a pretty PRE scheme:

· Proxy transparency: In the transparent PRE scheme,neither the delegator nor the delegatee knows the existence of the proxy,meanings that the ciphertext sent to the delegatee after reencryption is indistinguishable from the ciphertext originally sent to the delegatee;

· Non-interactivity:The delegator does not require the assistance of the delegatee or any other third party for the generation of the proxy re-encryption key;

· Unidirectionality:The non-reliable proxy can only change the ciphertext of the delegator into the ciphertext of the delegatee;Conversely,it cannot change the delegatee’s ciphertext;

· Multi-use:The non-reliable proxy can also repeatedly re-encrypt the ciphertext that has already been re-encrypted in the unidirectional PRE,as shown in Fig.1.

Figure 1 :Schematic of multi-use PRE

The initial proposal for a lattice-based multi-bit encryption,unidirectional,and multi-use PRE scheme was made by Jiang et al.[11].They improved the encryption efficiency.Besides,they proved that in the standard model under LWE,the scheme achieved CPA security.In 2016,PRE with multiple properties was put forward by Kim et al.[12].What’s more,the scheme was key optimality,noninteractivity,unidirectional,invisibility,collusion-resistant and non-transferability.But unfortunately,only in the random oracle model was it demonstrated to be secure.In 2021,Dutta et al.[13]presented the concrete constructions identity-based PRE,which proved both selective and adaptive security.Furthermore,the scheme they came up with satisfied the nature of unidirectionality and anti-collusion.However,fine-grained access control was not supported by the proposed scheme.Therefore,the subsequent research work was aimed at designing a new cryptographic primitive combining ABE and PRE[14,15]in order to meet the requirements.

The ABPRE scheme combines ABE with PRE.This not only ensures that the new encryption scheme has the special conversion property of PRE,but also enables accessing the encrypted data of users who satisfy the access structure.This is achieved by setting up a corresponding access structure.The owner of the data has total authority over the data,while ensuring data confidentiality.Nowadays,ABPRE is widely used in distributed file systems,electronic medical systems,cloud storage services and other scenarios.Li et al.[16]constructed a key-policy attribute-based proxy re-encryption(KPABPRE)scheme based on the matrix access structure,but it was difficult to resist quantum attacks.Although lattice-based ABE and PRE schemes have been realized with the continuous development of lattice theory,the ABPRE schemes against quantum attacks have been realized only in the last few years.Therefore,there is less relevant literature about lattice-based ABPRE.Li et al.[17] designed the first ciphertext-policy ABPRE under the LWE assumption.Their scheme only supported the access structure of the AND gate,and the access policy’s expressiveness was relatively weak.To be able to control the proxy’s ability to re-encrypt the original ciphertext,Liang et al.[18] constructed the conditional ABPRE from lattice firstly,which met the requirements of more fine-grained data sharing.However,the schemes of[17]and[18]only satisfied the nature of single-use.This limited the practicality of the scheme.In addition,Susilo et al.[19] constructed an ABPRE that is honest and secure against re-encryption attacks,improving the security of ABPRE.To illustrate the potential of our research,we compare the existing(attribute-based)PRE schemes with our put forward scheme in Table 1.

Table 1 : Qualitative comparison of(attribute-based)PRE schemes

From the Table 1,we can see that the existing PRE schemes generally have the following obvious problems:

· The majority of the assumptions underlying current ABPRE scheme research come from traditional number theory.However,these traditional encryption schemes can not resist quantum attacks;

· The feasibility of the existing PRE schemes is somewhat hampered by the fact that they only meet two or three characteristics.Besides,the proxy is regarded as a semi-trusted party,but there are few restrictive measures to check the legitimacy on the malicious proxy’s activities;

· At present,most ABPRE schemes expression strategies are limited,which seriously hinders the feasibility of the ABPRE schemes in practical applications.

In summary,it is crucial to create a powerful ABPRE scheme to withstand quantum attacks in cryptography.Fortunately,the lattice-based cryptosystems can effectively resist quantum attacks.Consequently,constructing lattice-based ABPRE schemes with multiple properties has important theoretical significance and broad application prospects.

1.2 Our Contributions

Designing a post-quantum secure ABPRE scheme with a variety of properties under the standard model is a very meaningful research project.Therefore,we constructed an ABPRE scheme based on key-policy with re-encryption verifiability in the research(named KPAB-VPRE):

· LSSS matrix is adopted to obtain a KP-ABPRE scheme that supports any monotonic policies.The delegator can formulate the corresponding attribute sets and encrypt the message on these attribute sets.Only when the attribute sets on the ciphertext meet the delegatee’s access policy can the ciphertext be decrypted.Our KP-ABPRE scheme uses the access structure constructed by the attribute sets to control the delegatee that can realize the flexible PRE.The delegatee can be one person,one organization or multiple organizations;

· Taking the activities of corrupt proxy into consideration,the scheme is combined with homomorphic signature technology to realize the verifiability of re-encryption.In other words,during the re-encryption process,our KP-ABPRE with re-encryption verifiability (KPAB-VPRE)scheme can be verified whether the proxy performed an honest re-encryption operation.This property greatly enhances the security of the PRE;

· In general,few ABPRE schemes can satisfy three or more properties.While,we design a multifeature KPAB-VPRE scheme with proxy transparency,non-interactivity,unidirectionality multi-use and anti-quantum attack,which can greatly enhance the practicability of the program.What’s more,under the standard model,our KPAB-VPRE scheme is proven to be selectively IND-CPA secure.

1.3 Organization

In order to better obtain an understanding of this article,we introduce the relevant notations in the next Section 2,and briefly discuss some basic knowledge that we use.The definition and security model of the KPAB-VPRE scheme are described in the part of Section 3.Then,we construct a KPABVPRE scheme with various properties based on LWE.Besides,the security and properties of KPABVPRE are analyzed in Section 4.Furthermore,we also assess the effectiveness of the KPAB-VPRE in comparison to relevant literature in Subsection 4.5.Finally,Section 5 presents the conclusions.

2 Preliminaries

2.1 Notations

In this paper,we apply some initial symbols,as shown in the Table 2.Z and R represent the sets of integers and real numbers,respectively.For a matrix A ∈Rn×m,we adopt ATto mark the transposed matrix.What’s more,we shorten algorithm names.For example,ReEncrypt is recorded as re-encryption algorithm.

Table 2 : Symbol description

2.2 Preliminaries

We give the following useful definitions and lemmas according to literature[4,24–27],consisting of lattice,some algorithms,decision LWE,LSSS and HS.

2.2.1Lattice

Definition 2.1.Given an×mmatrix A=[a1,a2,...,am]∈Rn×mwith linearly independent columns a1,a2,...,am∈Rn.The A forms a latticeΛ.Besides,Λ*is called dual lattice.

Lemma 2.1.Set the following parameters,q≥3,m=.Then,there exists a probability polynomial time(PPT)algorithmTrapGen(n,m,q,σ),which generates a random matrix A ∈Znq×mand a basis TA∈Zm×mqforΛ⊥q(A)meeting the following equation:

Lemma 2.2.We assume that given a prime numberq＞2,a matrixwhere TAis the basis ofΛ⊥q(A).Next,we choose two vectors u ∈Znqand c ∈Zm.Then,

· There exists a PPT algorithmSamplePre(A,TA,σ,u),which makes it output a vector x ∈Λuq(A)with statistical properties similar to the discrete Gaussian distributionDΛuq(A),σ,c;

· There is a PPT algorithmSampleBasisLeft(A,B,TA,σ),which makes it output a set of basis T(A|B)on the latticeΛ⊥q(A|B)that is statistically close to the distribution

· Given three matrices A,G ∈Zn×mand S ∈Zm×m,TGis a short basis for the latticeΛ⊥q(G).Then,there is a PPT algorithmSampleBasisRight(A,G,S,TG,σ),which makes it output a basis T(A|AS+G)for the latticeΛ⊥q(A|AS + G) distributed statistically close to the distribution

Lemma 2.3.Given a posi tive integern,a prime numberq,a matrix A ∈Znq×m,and a vector e ∈DZm,σ.We setm≥2nlog2q,σ≥If so,the distribution of the vector u=Ae modqis statistically close to the uniform distribution on Znq.

The above lemmas are used in the security proof of our scheme to show that the simulated system is indistinguishable from the real system.

2.2.2DecisionLWEq,Ψ

Definition 2.2.We assume that the positive integersn,m,q∈Z,and setΨαmbe an error distribution on Zmq.Let A and e be uniformly chosen at random from Zn×mqandΨmα,respectively.Then,select secretly a vector s ∈Znqwith uniform distribution.There is a LWE oracle with two algorithms:

·Os:Outputs the samples(A,b) ∈Znq×m×Zmqaccording to LWE distribution,where b=ATs+e(modq);

·O$:Outputs the samples(A,b)from the uniformly random distribution Znq×m×Zmq.

The attackerAcould find a solution to the decision LWEq,Ψproblem,if and only if its advantagesAdv(A)=|Pr[AOs=1]-Pr[AO$=1]|＞negl(n).

2.2.3LSSS

Definition 2.3.If the following requirements are met by a secret sharing systemΠover a group of participantsP,we call it LSSS over ZP:

· Each participant’s shares compose a vector over ZP;

· The share generating matrix M forΠis a matrix oflrows andθcolumns.Additionally,the functionρis defined by the participant labeling rowiasρ(i) for all thei-th row of M(i=1,2,...,l).Besides,the column vector v=(s,r2,...,rn) is predetermined,wheres∈ZPis a secret that is about to be shared,r2,...,rn∈ZPare selected at random.Moreover,M ·v is the vector oflshares ofsin the light ofΠ.Furthermore,the participantρ(i) owns the shareλi=(M·v)i.

In addition,a LSSS has linear reconstruction’s characteristics.

2.2.4HomomorphicSignature-HS

Lemma 2.4.The HS scheme typically makes up the following four algorithms:

·HS.KeyGen(λ,d,n):The algorithm returns a pair of keys(hssk,hsvk)by inputting the security parameterλ,the depthdof a circuit,and the message lengthn.

·HS.Sign(hssk,m):The algorithm entershsskand a messagem,produces the original signatureσ.

·HS.SignEval(δ,(mi,σi)):The algorithm inputs an evaluation circuitδ: {0,1}N→{0,1}Nwith maximum depthd,and the pair(mi,σi),outputs an evaluation signatureσm′.

·HS.Verify(hsvk,δ,m′,σm′): The algorithm inputshsvk,δ,an evaluation massagem′,and an evaluation signatureσm′.If verification is successful,returns result 1,otherwise returns 0.

Correctness:The HS scheme is correct if the following equation holds for anyλ,d,n,δ,m∈{0,1}n,

HS.KeyGen(λ,d,n)→(hssk,hsvk),HS.Sign(hssk,mi)→σi,m′=δ(mi):

3 Defnition and the Security Model of KPAB-VPRE

3.1 System Model

Fig.2 is an illustration of KPAB-VPRE.And in this encryption system,if user 1 and user 2 want to share encrypted data files,they need to execute the following series of algorithms(Setup,KeyGen,Encrypt,ReKeyGen,ReEncrypt,ReEncVer,Decrypt).Especially,an additional verification algorithmReEncVer,executed by the verification server,is used to determine whether the ciphertext is an honest transformation.First,User 2 sends a sharing request to User 1,and uploads the access policy to the key generation center.Next,the key generation center issues public and private keys to User 1 and User 2,respectively.After receiving the request,user 1 encrypts the data to be shared with its own private key and calculates the re-encryption key.Then sends the original ciphertext and re-encrypted key to the proxy.The proxy re-encrypts the ciphertext with the re-encryption key and sends the re-encryption ciphertext to the verification server.The verification server sends the re-encrypted ciphertext to User 2 after judgment.Finally,User 2 decrypts the shared data of User 1 by its private key.

Figure 2 :The system model of our proposed KPAB-VPRE

Definition 3.1.The following seven algorithms make up a KPAB-VPRE scheme:

·Setup(1λ,U): Inputs a security parameter 1λand an attribute domainU,then the algorithm returns the public parametersppand the master keymsk.

·KeyGen(pp,msk,P):Inputs the parametersppgenerated bySetupand an access policyPon an attribute domainUto return the secret keysk.

·Encrypt(pp,m,Att):Enterspp,messagemand an attribute setAtton the attribute domainUto return the original ciphertextC1.

·ReKeyGen(pp,sk1,Att′):Enterspp,sk1and a new attribute setAtt′to return the re-encryption keyrk1→2.

·ReEncrypt(pp,rk1→2,C1): Enterspp,rk1→2and the original ciphertextC1,ifAtt′|=P,outputs the re-encrypted ciphertextC2;otherwise,outputs the symbol ⊥.

·ReEncVer(pp,hsvk,C1,C2):Enterspp,hsvk,the ciphertextC1andC2,ifC2is correctly converted fromC1,outputs the result 1,which means the verification is passed;otherwise,outputs 0.

·Decrypt(pp,sk,C):Enterspp,skandCi(i=1,2),then returns the messagem.Note that

(i) For the original ciphertextC1,enters the user 1’s secret keysk1.Finally,decryption successfully returnsm;otherwise,the error mark ⊥is output.

(ii) For the converted ciphertextC2,inputs another user 2’s secret keysk2.After that,the decryption successfully outputs the underlying messagem;otherwise,the error mark ⊥is output.

Correctness:For parametersλ,m,Att∈U,if the attribute sets satisfy the access policy,then a correct KPAB-VPRE scheme should meet the following Eqs.(5)–(7)requirements:

3.2 Security Model

In the part,we mainly describe the security model of KPAB-VPRE,which is based on the indistinguishability under chosen-plaintext attack in the selective security model (IND-sCPA).And we illustrate the model through the interactive games between the adversaryAand the challengerC.First,we input the security parameterλ,an attribute domainU={Att1,Att2,...,Attl},whereAtti={atti1,atti2,...,attit},(t≤l).Then,the game is comprised ofA’s operations and the following oracles(Osk,Ork,Orv),which could be called more than once in any order.Besides,the following is the interaction process between them:

·Target.The adversaryAinitially chooses a set of target attributesAtt*to challenge.

·Instance.The adversaryAreceives the system settings as a consequence of the challengerC’s execution of theSetupalgorithm.

·Phase 1.The adversaryAis allowed to perform the following inquiries multiple times:

(i) Secret Key QueryOsk:The attackerAsends the access policyPto a challengerCfor secret key queriesOsk.However,the target attributeAtt*onPcannot be queried.Finally,the challengerCcalls the secret key generation algorithmKeyGen(pp,msk,P)to return the generated users’secret keysktoA.

(ii) Re-Encryption Key QueryOrk:The adversaryAinitiatesOrkto the challengerC.When the challengerCreceives the query,first runs the private key generation algorithmKeyGen(pp,msk,P) to generatesk,and next carries out theReKeyGen(pp,sk,Att′)algorithm to sendsrk1→2toA.

(iii) Re-Encryption Verification QueryOrv: After receiving the converted ciphertextC2,Cneeds to access the oracleOrvand implement an algorithmReEncVer(pp,hsvk,C1,C2)to check whether theC2is legal.

·Challenge.First,Achooses two plaintext messagesm0andm1of equal length.Next,sends them toC.AfterCobtains two messages,a valueb∈{0,1}is randomly selected.Besides,Cenforces the algorithmEncrypt(pp,m,Att),and finally exports the resulting ciphertext toA.

·Phase 2:Aproceeds withPhase 1queries during this process.

·Guess.Agives out his guessb′∈{0,1}toC.What’s more,whenb′=b,means thatAwins the interactive game.In addition,theA’s advantage to victory is

For any PPTA,ifA’s advantage(1λ,U) against the KPAB-VPRE scheme is negligible,then the KPAB-VPRE scheme is IND-sCPA secure.

4 Scheme of our KPAB-VPRE

4.1 Construction

·Setup(λ,n,q,m,U): This algorithm takes security parametersλ,positive integern＞Ω(λ),prime numberq＞2,lattice dimensionm＞5nlogqand an attribute domainU={Att1,Att2,...,Attl},whereAtti={att1,att2,...,attt},(t≤l)as input.Then,

(i) For each attributeatti∈U,performs the algorithmTrapGen(n,m,q,σ)to produce two matrices,one is the uniform and random matrix Aatti∈Zn×mq,i∈[l].The other is a small norm matrix TAatti∈Zmq×m,which is a trapdoor basis forΛ⊥q(Aatti),where‖‖≤

(ii) Chooses a uniform random variables∈Zq;

(iii) Finally,returns the public parameterspp={Aatti,s}atti∈Uand the master keymsk=TAatti.

·KeyGen(pp,msk,P):pp,mskand the access policyPare inputs into this algorithm.Next,the algorithm extracts the private key as follows:

(i) Converts the user’s access policyPinto a shared access policy(M,ρ)by the linear secret sharing theory.Here,M is an×nshare-generating matrix.Additionally,ρ(i):[n]→Uis a function which maps thei-th row of the matrix M to the attribute domainU;

(ii) Lets H=MG,G ∈Zn×mis the gadget matrix.Generates an extended trapdoor T(Aatti|H)∈by running theSampleBasisLeft(Aatti,H,TAatti,σ)algorithm,and then sets F1=(Aatti|H)∈Zn×2mq;

(iii) Finally,outputssk=T(Aatti|H)=TF1.

·Encrypt(pp,m,Atti):As input,the algorithm acceptspp,m∈{0,1}and an attribute setAtti={atti1,atti2,...,attit},(t≤l),then does:

(i) Chooses uniformly at random a matrix S ∈{±1}m×m,a vectoru∈Znqand two noises e1∈Ψ2mα,e2∈Ψα;

(ii) Sets

(iii) Computes

(iv) Outputs the ciphertextC1=(c1,0,c1,1).

·ReKeyGen(pp,sk,Attj): This algorithm enterspp,skand a new attribute setAttj={attj1,attj2,...,attjt},(t≤l)to return the re-encryption keyrk1→2in the following way:

(i) For each attributeattj∈U,chooses a uniformly random matrix Aattj∈Zn×mq,j∈[l].Then sets

(ii) Creates a low-norm matrix R1→2∈Z2m×2mqwith theSamplePre(F1,TF1,F2,σ),with the goal of ensuring that

Therefore,we setrk1→2=R1→2as re-encryption key.

(iii) Runs the algorithmHS.KeyGen(λ,d,n)to generate a key pair(hssk,hsvk),and parses each row of R1→2to zx∈Z2mq,(1 ≤x≤2m),using the algorithmHS.Sign(hssk,zx)to each zxto get the signσx,(1 ≤x≤2m),wherehsvkis used to verify the signature;

(iv) Finally,deliversrk1→2and the associated signatureσxover a secure channel to the proxy server.

·ReEncrypt(pp,rk1→2,C1): This algorithm accepts as inputspp,rk1→2andC1.The proxy then produces the re-encrypted ciphertext in the manner described below:

(i) Finds the vector g=(g1,g2,...,gn),?i∈[n]:(gi=0)∨(i∈[Atti])so that

(ii) Sets two vectors

(iii) Computes a signatureσ1→2←HS.SignEval(δC1,σx)homomorphically where the evaluation circuitδC1(rk1→2)is defined by the original ciphertext as follows:

(iv) Finally,outputs the re-encryption ciphertextC2=(c2,0,c2,1)and the signatureσ1→2.

·ReEncVer(pp,hsvk,C1,C2):pp,hsvk,C1withσ*→2(ifC1is generated by encrypting a plaintextm,σ*→2is empty)and the transformed ciphertextC2withσ1→2are all inputted into this algorithm.Then,executes the algorithmHS.Verify(hsvk,δC1,C2,σ1→2).If it outputs 1,it means that the reencryption ciphertext is legal,otherwise,outputs 0 indicates that the re-encryption ciphertext is illegal.

·Decrypt(sk,C):The user inputs the secret keyskand a ciphertextC.If the attribute sets satisfy the access policy,then follow the steps below to decrypt.

(i) Construct two new vectors

where v2,v3,...,vm,v′2,v′3,...,v′k∈Zqare chosen at random,and computes the matrix multiplication Mi·v,·v′,denotes the result by

where{Mi}i∈[n]is the i-th row of M ∈Znq×mandis the j-th row of M′∈Znq×m;

(iii) Given a Gaussian parameter σ,and then runs theSamplePrealgorithm to sample a vector kt∈Z2mq,t ∈{1,2}such that F1·k1=μ1mod q,F2·k2=μ2mod q;

(iv) Calculates

(v) Outputs the result:

4.2 Correctness and Parameter

4.2.1 Proof of Correctness

(i) The accuracy of unconverted ciphertext decoding.When t=1,if Atti(M,ρ),the original ciphertext C1is decrypted as follows:

(ii) Decryption correctness of converted ciphertext.When t=2,for the re-encryption ciphertext C2,if Attj(M,ρ),we need to compute

(iii) Correctness of re-encryption ciphertext verification.The effectiveness of the re-encryption ciphertext verification depends on the output of the verification algorithmHS.Verify.Besides,in theReEncrypt(pp,rk1→2,C1),the the evaluation circuit is defined byδC1(rk1→2)=cj,0with the original ciphertext ci,0andrk1→2.From the correctness definition of HS,it can be seen that if the signatureσ1→2is the result of an honest calculation by the proxy,then the algorithmHS.Verify(hsvk,δC1,C2,σ1→2)will be accepted with overwhelming probability.In summary,the validity of the converted ciphertext has been verified.

Remark 4.1.If the parameter setting is reasonable and the noise item in Eqs.(23)and(24)is small enough,the plaintext message can be recovered correctly after decryption.

4.2.2ParameterSettings

(i) According to the assumption of the LWE problem,for the Gaussian noise distribution ei←Ψαmand the normalized varianceα≥the length of the vector satisfiesin Regev’s proof[26];

(ii) According to the algorithmTrapGen(n,m,q,σ),for the safety parametern=Ω(λ),we require that the prime modulusq＞2,the Gaussian parameterσ≥m·ω(logn)and the dimension of the lattice basem≥5nlogq.If the constraints of each parameter can be satisfied,the length of the lattice base generated by the trapdoor generation algorithm is at mostm·

(iii) According to the algorithmSamplePre(F1,TF1,F2,σ),we set the discrete Gaussian distribution parameterσ≥the parameterq≥2 andm≥2nlogq.If the above constraints are met,rk1→2=R1→2is created with overwhelming probability advantage.Besides,the length of therk1→2satisfies‖R1→2‖≤2σm;

(iv) In order to make the error term|noise|＜5/q,αmust satisfy the conditions

Sinceqα≥qmust meet

Thus,we decided on the following scheme parameters:

wherelis the count of attributes on the access policy.If the parameters are set reasonably,it can be correctly recovered after the above decryption.

4.3 Security Analysis

Theorem 4.1.Assume thatσ,m,n,αandqare the same as in the previous sentence.In the standard model,our KP-ABPRE scheme is IND-sCPA secure under the assumption that the decision LWEq,Ψproblem is difficult.

Proof.We utilize the assumption that there is a PPT adversaryAwith a non-negligible advantage to attack our system under the selective security model via “game-hopping” in order to demonstrate the theorem.The basic idea is to construct three games.The first game is an actual IND-sCPA attack,however the last game is impossible for the attacker to win;Then,based on some difficult assumptions on lattice,it is proved that the first game and the last game are equivalent.We have to demonstrate that these three games are indistinguishable from each other for PPT adversaryAin the following ways.

Game sequence:

· Game0:CandAare playing a typical IND-sCPA game.Besides,Cfaithfully responds to differentskandrk1→2queries in accordance with the real scheme’s algorithms.

· Game1:This game changes the generation of Aattiandsk.

(i)TrapGen(n,m,q,σ)algorithm produces a matrix AattiinGame0,but inGame1,Aattidoes not contain trapdoor,the matrix Aatti∈Zn×mqis a uniformly distributed matrix randomly selected by the challengerC;

(ii) The challengerCsets H=AattiS+G,and then runs theSampleBasisRight(Aatti,G,S,TG,σ)algorithm to get the private keysk=T(Aatti|H)=TF1;

(iii) Finally,the attackerAreceives theskback from the challengerC.And the settings of other parameters are the same asGame0.

· Game2:The production of the challenge ciphertextC*distinguishes this game fromGame1.InGame1,theEncrypt(pp,m,Atti) algorithm createsC*.However,inGame2,theC*is a uniformly random and independent matrix from×Zq.The rest of the settings are the same asGame1.In this case,the advantage of the attackerAis zero.

IfGame1is indistinguishable fromGame0,andGame2is indistinguishable fromGame1,our KPAB-VPRE scheme is IND-sCPA secure in the standard model.

Game transfer:

·Game0toGame1: We now prove thatGame0andGame1are indistinguishable through the Lemma 4.1.

· Lemma 4.1.Ifmn＞(n+1)log2q+ω(lgn),thenGame1andGame0are indistinguishable,and the answer to the attackerA’s inquiries become indistinguishable from the true scheme.

Proof.

(i) The matrix Aatti∈Zn×mqinGame0is produced by theTrapGen(n,m,q,σ)algorithm.In addition,it is random.However,inGame1,the matrix Aattiis randomly selected from,so,for the attackerAin polynomial time,the public parameter Aattiis taken from uniformly distributed Znq×m;

(ii) For the private key,skis generated by theSampleBasisLeftalgorithm inGame0,but inGame1,skis generated by theSampleBasisRightalgorithm.By definition ofSampleBasisRight,we have thatsk=T(Aatti|H)is distributed as required.Thus,the challengerC’s response to the secret key question is indistinguishable from that inGame1for theA.

From the Lemma 4.1,we can see that theA’s advantage inGame1is equal to that inGame0.Therefore,Game0andGame1are indistinguishable.

·Game1toGame2:Assuming that in the selective security model,an attackerAcan discriminate betweenGame1andGame2with a non-negligible advantage by chosen plaintext attack,the challengerCwill construct an algorithmBto solve the decision LWE problem with a nonnegligible probability.In the LWE problem,the decision algorithm has access to a sampling oracleO,which can be either a really random samplerOsor a pseudo-random samplerO$with an embedded secret u ∈Znq.Following is the reduction’s progression:

–Target.The challengerCreceives a statement from the adversaryAannouncing the target attribute setAtt*ito attack.

–Instance.The challengerCdemandsl+1 LWE samples from the oracleO,which we denote as:

–Setup.The challengerCprepares the public parameters as follows once it has obtained the target attribute setAtt*i:

(i) The central authority selects the appropriate system parametersn,m,q,σ;

(ii) If the attributeattiis in the target attribute set,then the challengerCconstructs a matrixand a vector[s,0,...,0]T=w0,where wi(i∈[l])comes from LWE sampling;

(iii) The remaining parameters are the same asGame1settings.

Remark 4.2.The above settings have the correct distribution.

–Phase 1.The attackerAcan ask the following questions:

Secret Key QueryOsk:

(i) The attackerAsends the access policyPto a challengerCfor private key queries,However,the target attribute on(M,ρ)cannot be queried,that is,ρ(i) ∈/Att*i,whereρ(i)is the attribute on the access policy(M,ρ).Ifρ(i)∈Att*i,a random bit is output and terminated;

(ii) According to the parameters inGame1,the challengerCgeneratesskas previously mentioned and gives it back to the attackerA.

Re-Encryption Key QueryOrk:

(i) The challengerCfirst generatesskas inOsk.Then,the challengerCreplies withrk1→2by running the algorithmReKeyGen(pp,sk,Attj);

(ii)rk1→2is sent by the the challengerCto the attackerA.The attackerAcan query multiple times.

Re-Encryption Verification QueryOrv:

(i) AfterAgets the queriesOrkfrom one access policyPto another access policyP′,Acan also make some queriesOrvtoC.Next,Conly executes the algorithmReEncVerfaithfully;

(ii) Finally,Csends the result toAaccording to the verification algorithm.

Remark 4.3.Because of the unforgeability of HS,the algorithmReEncVercannot provide any additional capabilities forAin the selectively IND-CPA security game.That is to say,Acannot offer invalid ciphertext to pass the algorithmReEncVer.This is very critical.What’s more,we are aware that the security features of the underlying algorithmHS.Verifydetermine if the algorithmReEncVeris valid.Furthermore,Amust be able to counterfeit the signatureand pass the algorithmHS.Verifyin order to pass the game of re-encryption verification,as this is also a legal signature for HS.In other words,Ahas the same benefits as violating the unforgeability of HS when it comes to our KPABVPRE scheme’s re-encryption verifiability.

–Challenge.In order to indicate that it is open to a challenge,Aselects two messages{m0,m1} ←Zmqof equal-length.A messagemφ(φ←{0,1}) is selected at random byCfor encryption.At last,Creplies withC*built as follows applying the LWE instance:

(i) Constructing ciphertextC*=(c*0,1,c*1,1)based on LWE samplings.Let

whereviis taken from the LWE instance;

(ii) The challengerCrandomly selects a bitφ←{0,1},ifφ=0,C*=(c*1,0,c*1,1) that will be returned to the attacker as challenge ciphertext.Ifφ=1,C*as a challenge ciphertext will be randomly chosen from Z2qm×Zqand returned to the attackerA.

Remark 4.4.The above challenge ciphertextC*=(c*1,0,c*1,1)has the correct distribution.A simple analysis reveals that:

* IfO=Osin the instantiation process,it is a pseudo random sampling oracle embedded in the secret u ∈Znq.Well,

Due to the setting of public parameters,the ciphertext obtained is

where e1∈Ψ2mα.

wheree2∈Ψα.

The aboveC*=(c*1,0,c*1,1)obeys uniform random distribution in statistics;

*C*=(c*1,0,c*1,1)is chosen at random in Z2qm×ZqifO=O$.

–Phase 2.The simulatorBoperates in a similar manner toPhase 1,the attackerAis able to query secret keys multiple times,and the set of attributesthat have done so have not yet met the access structure(M,ρ).

–Guess.After enough questioning,the attacker outputs his guess ofφasφ′.Ifφ′=φ,the challenger outputsO′=O$,otherwiseO′=Os.

In the attackerA’s view,the challengerC’s behavior is close to that of a real,adaptive security experiment.In this game,the attackerAhas the advantage sinceε=|Pr[φ′=φ]-|.Therefore,the advantages of the LWE predictor are as follows:

(i) In a pseudo-random sampler,an attackerAhas the advantageous valueε.In this case,O=O$,Pr[φ′=φ|O=O$]=+εand the challenger’s advantage is

(ii) In a true random predictor,an attackerAhas an advantage of 0.In this case,O=Os,Pr[φ′=φ|O=Os]=+ε,the challenger’s advantage is

Therefore,assuming that an attackerAguesses the correct probability isPr[φ′=φ] ≥+ε,a challengerChas the advantage

to solve the decision LWEq,Ψproblem.

As a result,Game2andGame1cannot be distinguished under the assumption of the decision LWEq,Ψproblem.

In conclusion,the security of our designed KPAB-VPRE scheme is compactly reduced to the decision LWEq,Ψdifficulty assumption by the use of the three equivalent games mentioned above.Additionally,under the standard model,the KPAB-VPRE scheme is selectively IND-CPA secure.This completes the proof.

4.4 Performance Analysis

·Non-interactivity.Our scheme is non-interactive,because the re-encryption keyrk1→2is generated by theSamplePre(F1,TF1,F2,σ) algorithm,which is created only depends on the private keysk1=TF1in the list of the delegator Alice’s attributes,and does not need the private key of the delegatee Bob’s access structure.Therefore,the scheme is non-interactive.

·Proxy transparency.Our scheme satisfies this property,because the size of the re-encrypted ciphertextC2∈Z2mq×Zqis the same as the size of the original ciphertextC1∈Z2mq×Zq.

·Unidirectionality.This property requires that the ciphertext direction can only be converted from Alice to Bob,not in reverse.This is true,because the proxy can get the re-encryption keyrk1→2←SamplePre(F1,TF1,F2,σ)from Alice to Bob.However,the re-encryption key generation method requires Alice’s private key.Thus,if the proxy wants to obtain the re-encryption keyrk2→1from Bob to Alice,without Bob’s private key,the proxy cannot convert Bob’s ciphertext into Alice’s ciphertext.

·Multi-use.We suppose thatC1=(c1,0,c1,1)is the ciphertext of the attribute list 1 for the attribute lists 1,2,...,k.The re-encryption process is carried out in the ranges of 1 tokand 2 tok-1.In order to create a low-norm matrix Ri→i+1∈Z2qm×2msuch that Fi·Ri→i+1=Fi+1andrki→i+1=Ri→i+1,we run the algorithmSamplePre(Fi,TFi,Fi+1,σ),i∈[1,k-1].The re-encryption procedures are shown in the Eq.(35).

Setck,1=c1,1.Obviously,Ck=(ck,0,ck,1) in the Eq.(35) is the ciphertext of the attribute listk.Using reasonable parameter settings,the noise item is sufficiently small to be decrypted correctly.

4.5 Comparison

In this part,we compare our KPAB-VPRE with other relevant schemes[13,17,28–30]in terms of the size of the ciphertext,access policy,multi-use,security model,and re-encryption verifiability.And Table 3 displays the comparison’s findings.

Table 3 : Comparison with previous related work

As can be seen from Table 3,in the same type of schemes,the literature[13,28–30]did not support the expression of access policy,while the literature[17]only supports “AND” expression.While,our scheme adopts the LSSS matrix to express the access policy and supports the operations of “AND,OR,THRESHOLD”.What’s more,matrix operation is used to realize encryption and decryption algorithm,which has higher efficiency.In terms of the re-encryption verification,only Wu et al.[30]supported this property,but this scheme cannot support arbitrary access policies.Therefore,the proposed scheme realizes fine-grained access and sharing of encrypted data,as well as meets the multiuse and re-encryption verification,which makes the scheme more practical.Especially,our KPABVPRE achieves IND-sCPA security under the standard model.

5 Conclusion

We present a multi-functional LSSS matrix-based KPAB-VPRE scheme from lattice that is proven to be IND-sCPA secure under the standard model.The scheme based on the lattice is implemented by matrix operation,which can facilitate parallel algorithm design and has superior efficiency,as opposed to the classic ABPRE schemes based on bilinear mapping.This scheme is based on the construction of LWE difficult problems from lattice.From the complexity of lattice difficult problems in the worst case,we can see that under the appropriate parameter selection,there is no effective algorithm to solve these difficult problems in polynomial time,even if it is a quantum computer.Therefore,this scheme can resist quantum attacks.In addition,the data owner can encrypt messages on any attribute sets.The ciphertext cannot be actively decoded until the attribute put on it complies with the user’s access policy.Furthermore,the verification of re-encryption is realized by introducing homomorphic signature technology,thereby detecting the activities of corrupt proxies,which has higher security and enforceability in practical scenarios.However,in our KPAB-VPRE scheme,the size of the ciphertext is not fixed,and it grows linearly as the number of attributes increases.Therefore,the next study will focus on creating a multi-functional ABPRE system with fixed ciphertext length in the future.

Acknowledgement: The authors are willing to express our appreciation to the reviewers for their constructive comments which significantly enhanced the presentation of the study.

Funding Statement: The project is provided funding by the Natural Science Foundation of China(Nos.62272124,2022YFB2701400),the Science and Technology Program of Guizhou Province(No.[2020]5017),the Research Project of Guizhou University for Talent Introduction (No.[2020]61),the Cultivation Project of Guizhou University (No.[2019]56),the Open Fund of Key Laboratory of Advanced Manufacturing Technology,Ministry of Education,GZUAMT2021KF[01] and the Postgraduate Innovation Program in Guizhou Province(No.YJSKYJJ[2021]028).

Author Contributions: The authors confirm contribution to the paper as follows: study conception and design:Jinqiu Hou;data collection:Weijie Tan;analysis and interpretation of results:Changgen Peng.Hongfa Ding;draft manuscript preparation:Jinqiu Hou.All authors reviewed the results and approved the final version of the manuscript.

Availability of Data and Materials: All data generated or analysed during this study are included in this published article.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.