Keywords

1 Introduction

Sensitive data should not propagate arbitrarily without restriction; encryption techniques can enforce access control over the read but not write permissions. Meanwhile, enforcing control over who can write to whom is equally important. Consider a CEO who worries about leaking any strategic plan to arbitrary staff (e.g., interns), say, via a malware-infected program s/he used for processing the related sensitive data. Note that digital signatures do not help since the recipient of the sensitive data can ignore any verification. Even worse, the data can be sent via a subliminal means, e.g., embedding it as the randomness of a ciphertext. It seems necessary to have a sanitizer to “monitor” the traffic for enforcing access control, especially over the write permissions. Ideally, the sanitization process should be “blindfolded,” i.e., without the need to know who the sender is, who the recipient is, and what the access control policy is. Such an idea is formalized by Damgård, Haagh, and Orlandi [12] as access control encryption (ACE).

1.1 Designs from Two Ends of a Spectrum, and Open Problems

Sanitizing a ciphertext blindfolded is not an easy task. Damgård et al.  [12] proposed two constructions. They first started with ACE for a single user (1-ACE) from standard (e.g., decisional Diffie-Hellman) assumptions. To make it a fully-fledged ACE scheme, i.e., supporting the general policy \(\mathsf {P}: \{0, 1\}^\ell \times \{0, 1\}^\ell \rightarrow \{0, 1\}\) which sender \(\mathsf {ID}_s \in \{0, 1\}^\ell \) can write to receiver \(\mathsf {ID}_r \in \{0, 1\}^\ell \) if and only if \(\mathsf {P}(\mathsf {ID}_s, \mathsf {ID}_r) = 1\), it runs \(2^\ell \) parallel copies of 1-ACE, making both the master public key and the ciphertext \(O(2^\ell )\)-long. This is not only for hiding the intended reader but also for a uniform treatment in sanitization without knowing who the writer is. They also proposed a construction that offers efficiency, yet, it relies on a sanitizable variant of general-purpose functional encryption (FE) [6]. While FE for limited functionality (mostly inner-product) can be efficient, general-purpose FE is much more powerful and less efficient. Damgård et al. instantiated it with indistinguishability obfuscation.

Follow-up works mostly fall into two extremes: using practically-inefficient techniques to construct a regular ACE scheme, or practically-efficient techniques to construct an ACE scheme with limited functionality. Kim and Wu [18] built an ACE scheme from FE for randomized functionality (rFE) [2] and predicate-encryption (PE). Sanitization uses an FE key to create a PE ciphertext. Although the FE scheme can be instantiated by the LWE (learning-with-error) assumption, expressing the encryption algorithm of PE as a circuit is not that efficient. For the second paradigm, Fuchsbauer et al.  [13] proposed a generic construction and a pairing-based construction for equality policy (ACE-EP), i.e., the receiver is the sender. They also proposed to use many ACE-EP instances for interval membership policy, which is useful, albeit still not general.

A concurrent work by Wang and Chow [26] does not fall into the above two categories. In some sense, their generic construction can be considered as a “dual” of our proposed approach here. However, most of its building blocks, specifically structure-preserving signatures and broadcast encryption, are more “pairing-friendly,” meaning that lattice-based instantiations are still limited now.

One of the open problems left by Damgård et al. in their original work [12] is as follows: “to construct practically interesting ACE from noisy, post-quantum assumptions such as LWE” and they commented that “the challenge here is that it always seems possible for a malicious sender to encrypt with just enough noise that any further manipulation by the sanitizer makes the decryption fail.

Tan et al.  [25] use Gentry–Sahai–Waters fully-homomorphic encryption [14] to instantiate 1-ACE. Their \(2^\ell \)-extension still suffers from \(O(2^{\ell })\) ciphertext size. The scheme of Kim and Wu [18] still relies on a general-purpose rFE scheme for arbitrary functions (albeit it can be LWE-based). Both fail to close the above open problem. Furthermore, both require the sanitizer to have a private sanitization key. Removing this requirement is also left as an open problem by Kim and Wu [18]. In this work, we ask ourselves a bigger question: “Can we achieve the best of both worlds, i.e., using practically interesting lattice-based building blocks to build a general-policy ACE scheme, supporting keyless sanitization?

1.2 Viewing ACE Through the Lens of Group Encryption (GE)

Recurrent research activities in the cryptography community include identifying similarities and differences between primitives and connecting them if possible (e.g., [11]). Our starting point is group encryption (GE), introduced by Kiayias Tsiounis, and Yung [17]. GE is like public-key encryption (PKE). Anyone can encrypt to a certified group member. GE shares one basic feature of ACE, which is hiding who can decrypt a given ciphertext. In normal circumstances, this group member remains anonymous. When needed, an opening authority can reveal him/her. These features make GE an attractive primitive for privacy-preserving applications [17], e.g., filtering encrypted traffic or “oblivious retriever storage systems” [10]. There are a few existing GE schemes [3, 8, 21]. Notably, Libert et al.  [20] proposed a lattice-based scheme (to be adapted by this paper).

However, GE falls short as ACE in many regards, notably the writing permission control: 1) Anyone can encrypt (no policy enforcement). 2) It does not feature a sanitization algorithm that randomizes a ciphertext (still without the need to know who can decrypt). It also falls short in terms of the reading permission control: 3) It encrypts to a single reader (not for the general policy).

The first two features can be added generically. Recall that an encryptor in GE first retrieves the public key of the intended receiver and its certificate issued by the group manager (GM) as a signature. The ciphertext contains a zero-knowledge proof of the certificate. By viewing the decryptor in GE also as the encryptor, we get ACE-EP. Sanitization, roughly, can be done by randomizing the ciphertext based on this hidden public key “accordingly” (which turns out to be tricky, see below). Indeed, these tricks are just rediscovery of the generic ACE-EP construction of Fuchsbauer et al.  [13], who also mentioned, “A similar concept had previously been introduced in [15]Footnote 1.” We do not claim any novelty of extending GE with sanitizability [15]. What we deem important is that revisiting this conceptual connection allows us to borrow the existing results in lattice-based GE to solve our problems in ACE, forming the starting point of this work.

1.3 Sanitizable Group Encryption for Sanitization in ACE

We first describe what sanitizable group encryption (SGE) is and how its sanitizability is defined. Similar to how sanitizable PKE [13] (SPKE, see Sect. 3.3) extends PKE, SGE extends GE with a \(\mathsf {San}\) algorithm sanitizing ciphertexts. \(\mathsf {San}\) essentially randomizes its input ciphertext without knowing the public key of its intended receipt. We expect sanitizability, which requires sanitized versions of an adversarially generated ciphertext and honest encryption of a random message remain computationally (instead of statistically [12]) indistinguishable. This definition is a variant of the subliminal-channel freeness of mediated traceable anonymous encryption [15] and similar to the no-write rule requirement of ACE.

With the working mechanisms of ACE-EP and SGE as outlined above, this paper starts with a generic construction of ACE-EP from any SGE. As a by-product, we obtain traceable ACE, with traceability analogous to the anonymity revocation of SGE, which traces the information (leakage) flow.

1.4 Meaningful Chosen-Ciphertext Security Under Sanitizability

It would be nice if there is a generic upgrade from any GE to SGE. However, the development of GE emphasizes security against chosen-ciphertext attacks (CCA) [3, 8, 20, 21]. A CCA-secure GE is unsanitizable by definition. For example, the lattice-based GE construction of Libert et al.  [20] (the scheme we will modify) uses the transformation of Canetti, Halevi, and Katz (CHK) [7] to achieve CCA security. Encryption starts by picking a one-time signature key. The verification key is attached to the label of an underlying encryption that is secure against chosen-plaintext attacks (CPA-secure), such that no one can modify the label. The whole ciphertext is then signed by this one-time key, intuitively providing the integrity needed by CCA security. However, the label for tightly coupling the signature key with the ciphertext forms a convenient channel for a malicious writer that the sanitizer cannot easily randomize/sanitize.

This illustrates why most ACE literature did not consider CCA security. Notably, Badertscher, Matt, and Maurer [4] formulate a meaningful CCA security notion for ACE that protects the integrity of unsanitized ciphertexts. Consider a non-CCA-secure scheme and an attacker without any write permission. By capturing only one ciphertext before it reached the sanitizer, the attacker might be able to maul it to encrypt an arbitrary message and write to whomever the original creator is authorized to. Their CCA notion prevents such attacks.

Similarly, our SGE notion aims for such a flavor of CCA security. Following the generic GE construction of El Aimani and Joye [3], we propose a generic SGE construction from a CPA-secure, key private, and sanitizable PKE scheme that still features a “compatible” public ciphertext validity check. Roughly, similar to the trick of Badertscher et al., the ciphertext produced by our SGE scheme allows the sanitizer to easily check (for CCA security) and drop the “validity tag.” Any potential subliminal channel formed by this tag will be completely killed off, while the remaining parts can be sanitized.

1.5 Challenges in Sanitization

The property we stipulated above, namely, “rerandomizability without knowing the underlying public key,” turns out to be non-trivial to achieve in lattices. Although rerandomization can be done by applying similar tricks of the existing ACE-EP construction via additive homomorphism, there is a mismatch in the threat models. In normal PKE usage, the encryptor has no intention to use imperfect randomness, while it is completely the opposite case for ACE, in which a malicious encryptor is motivated to establish a subliminal channel. To the best of our knowledge, no existing lattice-based PKE scheme is proven sanitizable.

To prevent the encryptor from cheating, i.e., crafting a ciphertext c such that even an honest rerandomization of c will not result in a perfectly rerandomized ciphertext, we propose an efficient technique to detect such kind of adversarial behavior. At a high level, the vectors of randomness are required to be linearly independent to span the whole randomness space, so the sanitizer can use it to fully rerandomize a ciphertext. To filter out the randomness that fails to span the whole space, we leverage the lemma for rank relation of matrix multiplication for a ciphertext component formed by a multiplication between the public key and the randomness. This structure is not readily available, and we need to adapt an existing LWE-based scheme (see Footnote 4). The underlying sanitization technique requires a dedicated analysis, which may own independent interest.

1.6 Efficient ACE for General Policy from ACE for Equality Policy

Finally, we propose a generic upgrade extending an ACE for equality policy to a general-policy scheme for \(2^\ell \) users. Our crucial observation is to strategically manage the credentials, which does not require \(2^\ell \)-repetition of an underlying ACE scheme [12]. We still set the “legitimate decryptor” as the sender itself as in ACE for equality policy. Instead of granting the decryption key to the sender, we grant the decryption key to all the users that this particular sender can encrypt to. In this way, we obtain an ACE scheme for general policy, featuring constant-size ciphertexts, but at the cost of a decryption key that can be as long as the maximum number of senders a particular user can receive messages from.

1.7 Putting It Altogether

Our instantiation mostly uses the building blocks underlying the lattice-based GE scheme of Libert et al.  [20], but with two major changes as explained above. We replace the underlying encryption scheme with a modified version of Regev’s LWE encryption [23], in which we build an efficient detection technique for confirming if its ciphertext “spans.” For CCA security, we use the Naor–Yung transformation [22, 24]. This leads to our lattice-based construction of SGE. With our generic transformation, we get a lattice-based ACE scheme for general policy, featuring keyless sanitization and constant-size ciphertexts. It provides a solution to two open problems: one from Damgård et al.  [12] since it does not use general-purpose FE for circuits, and another from Kim and Wu [18] that asks for a general-policy ACE scheme with public sanitizer key (which rules out FE-based sanitization [12, 18]). It is also the second in the ACE literature that features CCA security. Like other LWE-based schemes, it is also post-quantum secure.

Organization. Section 2 recalls the definitions of ACE. Section 3 defines the SGE notion and presents our generic SGE construction. We upgrade it to ACE-EP and ultimately general-policy ACE in Sect. 4. Finally, Sect. 5 presents our SGE instantiation from lattices, which leads to our general-policy ACE.

2 Access Control Encryption with Keyless Sanitization

2.1 Definition

ACE is defined by the following probabilistic polynomial-time (PPT) algorithms.

  • \(\mathsf {Setup}(1^{\lambda }, \mathsf {P}) \rightarrow \mathsf {pp}\): This algorithm takes the security parameter \(\lambda \) and a policy \(\mathsf {P}: \{0, 1\}^{\ell } \times \{0, 1\}^{\ell }\rightarrow \{0, 1\}\) as input. It outputs the public parameter \(\mathsf {pp}\), which includes the message space \(\mathcal {M}\) and two ciphertext spaces \(\mathcal {C}\) and \(\mathcal {C}'\).

  • \(\mathsf {MKGen}(\mathsf {pp}) \rightarrow (\mathsf {mpk}, \mathsf {msk})\): This algorithm takes \(\mathsf {pp}\) as input. It outputs a master public-secret key pair \((\mathsf {mpk}, \mathsf {msk})\). We assume \(\mathsf {mpk}\) is an implicit input for all algorithms below.

  • \(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_i) \rightarrow \mathsf {ek}_{\mathsf {ID}_i}\): This algorithm takes the master secret key \(\mathsf {msk}\) and an identity \(\mathsf {ID}_i \in \{0, 1\}^{\ell }\) as input. It outputs an encryption key \(\mathsf {ek}_{\mathsf {ID}_i}\).

  • \(\mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_j) \rightarrow \mathsf {dk}_{\mathsf {ID}_j}\): This algorithm takes the master secret key \(\mathsf {msk}\) and an identity \(\mathsf {ID}_j \in \{0, 1\}^{\ell }\) as input. It outputs a decryption key \(\mathsf {dk}_{\mathsf {ID}_j}\).

  • \(\mathsf {Enc}(\mathsf {ek}, M) \rightarrow c\): This algorithm takes an encryption key \(\mathsf {ek}\) and a message \(M\) as input. It outputs a ciphertext \(c \in \mathcal {C}\).

  • \(\mathsf {San}(c) \rightarrow c'\): This algorithm transforms an incoming ciphertext \(c \in \mathcal {C}\) into a sanitized ciphertext \(c' \in \mathcal {C}' \cup \{\bot \}\). We only consider keyless sanitization.

  • \(\mathsf {Dec}(\mathsf {dk}, c') \rightarrow M\): The algorithm takes a decryption key \(\mathsf {dk}\) and a ciphertext \(c \in \mathcal {C}'\) as input. It outputs a message \(M\in \mathcal {M}\cup \{\bot \}\).

For all \(M\in \mathcal {M}\) and \(\mathsf {ID}_i, \mathsf {ID}_j \in \{0, 1\}^{\ell }\) with \(\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1\), an ACE scheme is correct if: where \(\mathsf {pp}\leftarrow \mathsf {Setup}(1^{\lambda }, \mathsf {P})\), \((\mathsf {mpk}, \mathsf {msk}) \leftarrow \mathsf {MKGen}(\mathsf {pp})\), \(\mathsf {ek}_{\mathsf {ID}_i} \leftarrow \mathsf {EKGen}(\mathsf {msk}, {\mathsf {ID}_i})\), and \(\mathsf {dk}_{\mathsf {ID}_j} \leftarrow \mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_j)\). The probability space is over the coin flips of all the algorithms.

2.2 Security

ACE is for enforcing two access-control rules: the no-read rule and the no-write rule. Most existing works [12, 13, 18, 25] consider them under only CPA-based definitions, where the adversary is given access to the oracles for encryption, encryption-key generation, and decryption-key generation. Badertscher et al.  [4] consider a CCA-based definition with a malicious insider who can maul an honestly-generated and unsanitized ACE ciphertext into a carrier for sending a message to a receiver that is forbidden by the policy otherwise. Even though ACE needs to assume an operational environment where ciphertexts must be routed through the sanitizer before reaching their final destination, it does not assume that no one can eavesdrop and maul them before reaching the sanitizer.

Instead of a typical decryption oracle, Badertscher et al. proposed an oracle that first sanitizes the ciphertext then decrypts it, i.e., a sanitize-then-decrypt oracle. If an ACE scheme remains CCA-secure in this sense, no one can maul an unsanitized ciphertext. Note that the CCA protection does not extend to a sanitized ciphertext. Also, in practice, the sanitizer can sign on the sanitized ciphertexts and publish them on a public bulletin board for (anonymous) retrieval.

Let \(\mathcal {ACE}= (\mathsf {Setup}, \mathsf {MKGen}, \mathsf {EKGen}, \mathsf {DKGen}, \mathsf {Enc}, \mathsf {San}, \mathsf {Dec})\) be an ACE scheme for policy \(\mathsf {P}: \{0, 1\}^{\ell } \times \{0, 1\}^{\ell } \rightarrow \{0,1\}\) over a message space \(\mathcal {M}\). For a security parameter \(\lambda \) and a random bit b drawn from a fair coin flip, the general experiment \(\mathsf {Exp}_{\mathcal {ACE}, \mathcal {A}}(\lambda )\) for a PPT adversary \(\mathcal {A}\) starts with the challenger sampling \(\mathsf {pp}\leftarrow \mathsf {Setup}(1^{\lambda }, \mathsf {P})\) and \((\mathsf {mpk}, \mathsf {msk}) \leftarrow \mathsf {MKGen}(\mathsf {pp})\). Then \(\mathsf {Exp}_{\mathcal {ACE}, \mathcal {A}}(\lambda )\) diverges into no-read rule experiment \(\mathsf {Exp}_{\mathcal {ACE}, \mathcal {A}}^{\mathsf {NoRead}}(\lambda )\) or no-write experiment \(\mathsf {Exp}_{\mathcal {ACE}, \mathcal {A}}^{\mathsf {NoWrite}}(\lambda )\) with a different challenge oracle and a different set of training oracles as below.

  • \(\mathcal {O}^{\mathsf {Enc}}(M, \mathsf {ID}_i) \rightarrow c\): On input \(M\in \mathcal {M}\) and a sender identity \(\mathsf {ID}_i \in \{0, 1\}^{\ell }\), the encryption oracle outputs \(c \leftarrow \mathsf {Enc}(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_i), M).\)

  • \(\mathcal {O}^{\mathsf {\mathsf {San}\mathsf {Enc}}}(M, \mathsf {ID}_{i}) \rightarrow c'\): On input a message \(M\in \mathcal {M}\) and a sender identity \(\mathsf {ID}_{i} \in \{0, 1\}^{\ell }\), it outputs \(c' \leftarrow \mathsf {San}(\mathsf {Enc}(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_{i}), M)).\)

  • \(\mathcal {O}^{\mathsf {EKGen}}(\mathsf {ID}_i) \rightarrow \mathsf {ek}_{\mathsf {ID}_i}\): On input a sender identity \(\mathsf {ID}_i \in \{0, 1\}^{\ell }\), the encryption key generation oracle outputs \(\mathsf {ek}_{\mathsf {ID}_i} \leftarrow \mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_i).\)

  • \(\mathcal {O}^{\mathsf {DKGen}}(\mathsf {ID}_j) \rightarrow \mathsf {dk}_{\mathsf {ID}_j}\): On input a receiver identity \(\mathsf {ID}_j \in \{0, 1\}^{\ell }\), the decryption key generation oracle outputs \(\mathsf {dk}_{\mathsf {ID}_j} \leftarrow \mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_j).\)

  • \(\mathcal {O}^{\mathsf {Dec}}(\mathsf {ID}_j, c) \rightarrow M\): With a receiver identity \(\mathsf {ID}_j \in \{0, 1\}^{\ell }\) and an unsanitized ciphertext \(c \in \mathcal {C}\), it outputs \(M\leftarrow \mathsf {Dec}(\mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_j), \mathsf {San}(c)).\)

  • \(\mathcal {O}^{\mathsf {NoRead}}((M_0, M_1), (\mathsf {ID}_0, \mathsf {ID}_1)) \rightarrow c_b\): This is the challenge oracle for the no-read experiment. On input a pair of messages \((M_0, M_1) \in \mathcal {M}\times \mathcal {M}\) and a pair of sender indices \((\mathsf {ID}_0, \mathsf {ID}_1) \in \{0, 1\}^{\ell } \times \{0, 1\}^{\ell }\), the challenger responds with \(c_b \leftarrow \mathsf {Enc}(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_b), M_b).\)

  • \(\mathcal {O}^{\mathsf {NoWrite}}(c, \mathsf {ID}^*) \rightarrow c_b\): This is the challenge oracle for the no-write experiment. On input an unsanitized ciphertext \(c \in \mathcal {C}\) and a sender identity \(\mathsf {ID}^* \in \{0, 1\}^{\ell }\), it sets \(c^*_0 \leftarrow c\). Then the challenger samples \(M^* \leftarrow \mathcal {M}\), computes \(c^*_1 \leftarrow \mathsf {Enc}(\mathsf {EKGen}( \mathsf {msk}, \mathsf {ID}^*), M^*)\), and responds with \(c_b \leftarrow \mathsf {San}(c^*_b).\)

\(\mathcal {A}\) outputs a bit \(b' \in \{0,1\}\) as the output of the experiment at the end.

Definition 1

(No-Read Rule).  \(\mathcal {A}\) wins the no-read game with \(\mathcal {O}^{\mathsf {Enc}}\), \(\mathcal {O}^{\mathsf {EKGen}}\), \(\mathcal {O}^{\mathsf {DKGen}}\), \(\mathcal {O}^{\mathsf {Dec}}\), and \(\mathcal {O}^{\mathsf {NoRead}}\) if \(b' = b\), \(|M_0| = |M_1|\), for all queries \(\mathsf {ID}_j \in \{0, 1\}^{\ell }\) that \(\mathcal {A}\) makes to the \(\mathcal {O}^{\mathsf {DKGen}}\), \(\mathsf {P}(\mathsf {ID}_0, \mathsf {ID}_j) = \mathsf {P}(\mathsf {ID}_1, \mathsf {ID}_j) = 0\), and \(c_b\) has never been queried to \(\mathcal {O}^{\mathsf {Dec}}\). ACE satisfies the no-read rule if for all PPT \(\mathcal {A}\), the advantage for \(\mathcal {A}\) to win the no-read game is .

The adversary can compromise the sanitizer under the above definition since the challenge ciphertext is not sanitized, and our ACE notion does not have any sanitizer key. The no-read rule ensures payload privacy, i.e., no unintended receivers can learn anything about the message. It also guarantees (outsider) sender anonymity, which holds against any coalition of receivers that cannot decrypt the challenge ciphertext. This definition is weaker than requiring sender anonymity to hold even against an adversary who can decrypt the ciphertext.

Definition 2

(No-Write Rule).  Given the oracles of \(\mathcal {O}^{\mathsf {\mathsf {San}\mathsf {Enc}}}\), \(\mathcal {O}^{\mathsf {EKGen}}\), \(\mathcal {O}^{\mathsf {DKGen}}\), \(\mathcal {O}^{\mathsf {Dec}}\), and \(\mathcal {O}^{\mathsf {NoWrite}}\), \(\mathcal {A}\) wins the no-write game if \(b' = b\), \(\mathsf {San}(c) \ne \bot \), and:

  • The adversary \(\mathcal {A}\) makes at most one queryFootnote 2 to the challenge oracle \(\mathcal {O}^{\mathsf {NoWrite}}\).

  • For all identities \(\mathsf {ID}_i \in \{0, 1\}^{\ell }\) that \(\mathcal {A}\) submits to \(\mathcal {O}^{\mathsf {EKGen}}\) prior to its challenge and all identities \(\mathsf {ID}_j \in \{0, 1\}^{\ell }\) that \(\mathcal {A}\) submits to \(\mathcal {O}^{\mathsf {DKGen}}\), \(\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 0\).

We say that an ACE scheme satisfies the no-write rule if for all PPT adversary \(\mathcal {A}\), the advantage of \(\mathcal {A}\) is .

The no-write rule means that a sender can only encrypt to receivers permitted by the policy. Even an adversary can somehow embed in a ciphertext some subliminal information, it will be killed off after sanitization. Likewise, this property should hold even when multiple senders and receivers collude.

Sender Policy and Message Policy. The formulation of Kim and Wu [18] additionally considers “fine-grained sender policy” with the access control policy also governs the messages a sender can send. This policy is embedded in and authorized via the encryption key. They also suggested that an encryption key for multiple policies over the message can be supported in a straightforward manner by granting the sender multiple certified encryption keys.

In this paper, we consider a variant definition that the message policy can be ad hoc, i.e., the sender can create ciphertexts encrypting different messages satisfying different relations to any legitimate receiver. This flexibility has (seemingly inherent) implications on privacy and the no-write rule since the sanitizer needs to know about the relation and cannot “sanitize” the relation.

2.3 Traceable ACE

To obtain traceable ACE (tACE), we equip the traceability feature via two algorithms below, and with \(\mathsf {Enc}\) algorithm now takes, besides the user encryption key \(\mathsf {ek}\), also an input of opening-authority public key \(\mathsf {tpk}\) for the tracing feature.

  • \(\mathsf {TKGen}(\mathsf {pp}) \rightarrow (\mathsf {tpk}, \mathsf {tsk})\): This algorithm takes as input the public parameter \(\mathsf {pp}\) and outputs the tracer public/secret key pair \((\mathsf {tpk}, \mathsf {tsk})\).

  • \(\mathsf {Trace}(\mathsf {tsk}, c') \rightarrow \mathsf {ID}\): This algorithm takes the input of the tracer secret key \(\mathsf {tsk}\) and a sanitized ciphertext \(c' \in \mathcal {C}'\). It outputs the sender identity \(\mathsf {ID}\) of \(c'\).

Tracing the sender can be desirable in the context of ACE since we can locate which user has his/her machine compromised that tried to leak information. One may consider an alternative formulation that traces the receiver.

Here, we only consider a primitive form of tracing that recovers a user identity \(\mathsf {ID}\) associated with a ciphertext [15]. Akin to traceable signatures [16], one could consider using a user-specific trapdoor for \(\mathsf {ID}\) to check [1] whether \(\mathsf {ID}\) is associated with a ciphertext [21] or to trace [9] all ciphertexts associated with a specific \(\mathsf {ID}\).

Traceability Correctness and Soundness. For all \(M\in \mathcal {M}\) and \(\mathsf {ID}_i \in \{0, 1\}^{\ell }\), \(\mathsf {pp}\leftarrow \mathsf {Setup}(1^{\lambda }, \mathsf {P})\), \((\mathsf {mpk}, \mathsf {msk}) \leftarrow \mathsf {MKGen}(\mathsf {pp})\), \((\mathsf {tpk}, \mathsf {tsk}) \leftarrow \mathsf {TKGen}(\mathsf {pp})\), and \(c \leftarrow \mathsf {Enc}(\mathsf {EKGen}(\mathsf {msk}, {\mathsf {ID}_i}), M)\), traceability correctness means . The probabilities are taken over the randomness of all algorithms.

A tACE scheme has traceability soundness if, for any PPT adversary \(\mathcal {A}\) who queries to \(\mathcal {O}^{\mathsf {EKGen}}\) and outputs a ciphertext c, the advantage for \(\mathcal {A}\) to win, defined to be \(\Pr [\mathsf {ID}\notin \mathcal {Q}^{\mathsf {EKGen}} | \mathsf {Trace}(\mathsf {tsk}, \mathsf {San}(c)) = \mathsf {ID}]\), is negligible, where \(\mathcal {Q}^{\mathsf {EKGen}}\) denotes the set of queries to \(\mathcal {O}^{\mathsf {EKGen}}\), i.e., c should not trace to an uncompromised user.

3 Sanitizable Group Encryption

3.1 Syntax of Sanitizable Group Encryption

A sanitizable group encryption scheme consists of the following algorithms.

  • \(\mathsf {Setup}(1^{\lambda }) \rightarrow \mathsf {pp}\): On input a security parameter \(\lambda \), this probabilistic algorithm outputs the public parameter \(\mathsf {pp}\) as an implicit input of what follows.

  • \((\mathsf {G}_r, \mathsf {Sample}_{\mathcal {R}})\): On input of \(\lambda \), \(\mathsf {G}_r\) generates the key pair \((\mathsf {pk}_{\mathcal {R}}, \mathsf {sk}_{\mathcal {R}})\) of the relation \(\mathcal {R}\) concerning a message \(M\) one might want to prove about. \(\mathsf {sk}_{\mathcal {R}}\) can be empty if \(\mathcal {R}\) is publicly sampleable. We assume there is a PPT algorithm that can check if \((\mathsf {pk}_{\mathcal {R}}, \mathsf {sk}_{\mathcal {R}})\) is a valid output of \(\mathsf {G}_r\). On input of \((\mathsf {pk}_{\mathcal {R}}, \mathsf {sk}_{\mathcal {R}})\), \(\mathsf {Sample}_{\mathcal {R}}\) produces \((x, M)\) where x is an instance and \(M\) is a witness for \(\mathcal {R}\).

  • \(\mathsf {KeyGen}_E(\mathsf {pp}) \rightarrow (\mathsf {pk}_E, \mathsf {sk}_E)\): This algorithm outputs the key pair \((\mathsf {pk}_E, \mathsf {sk}_E)\) of the entity E in the system. E can either be the group manager \(\mathsf {GM}\), the opening authority \(\mathsf {OA}\), or a group member \(\mathsf {u}\) identified by \(\mathsf {ID}\).

  • \(\mathsf {Join}(\mathsf {sk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}) \rightarrow \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\): This algorithm outputs a certificate \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\) on public key \(\mathsf {pk}_{\mathsf {ID}}\) and stores \((\mathsf {ID}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\) in a directory \(\mathsf {db}\).

  • \(\mathsf {Vf}\mathsf {cert}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\): It verifies the validity of \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\) for \(\mathsf {pk}_{\mathsf {ID}}\).

  • \(\mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, (\mathsf {pk}_{\mathcal {R}}, x,)~M) \rightarrow c\): On input the respective public key \(\mathsf {pk}_{\mathsf {GM}}\), \(\mathsf {pk}_{\mathsf {OA}}\), and \(\mathsf {pk}_{\mathsf {ID}}\) of \(\mathsf {GM}\), \(\mathsf {OA}\), and a group member certified by \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\), and optionally a relation \(\mathsf {pk}_{\mathcal {R}}\) with a public value x, it returns a ciphertext c of the plaintext \(M\), which \((x, M) \in \mathcal {R}\) is supposed to hold.

  • \(\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, (\mathsf {pk}_{\mathcal {R}}, x,)~c) \rightarrow \{0, 1\}\): It outputs 1 if c is valid; 0 otherwise.

  • \(\mathsf {San}(c) \rightarrow c'\): On input a valid ciphertext c, this algorithm outputs its sanitization \(c'\) (or a rejection symbol \(\bot \)).

  • \(\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, c') \rightarrow M\): On input the private key \(\mathsf {sk}_{\mathsf {ID}}\) and a sanitized ciphertext \(c'\), this algorithm decrypts \(c'\) and outputs the message \(M\) (or \(\bot \)).

  • \(\mathsf {Open}(\mathsf {sk}_{\mathsf {OA}}, c') \rightarrow \mathsf {pk}_{\mathsf {ID}}\): On input the private key \(\mathsf {sk}_{\mathsf {OA}}\) of \(\mathsf {OA}\) and a sanitized ciphertext \(c'\), this algorithm recovers from \(c'\) the public key \(\mathsf {pk}_{\mathsf {ID}}\).

Similar to the application scenario of ACE, we consider SGE ciphertexts to be (verified and) sanitized before reaching the final destination. This explains why our \(\mathsf {Dec}\) and \(\mathsf {Open}\) algorithms only work on sanitized ciphertexts. One might consider an alternative definition that they also work on unsanitized ciphertexts.

Our SGE formulation is kept as non-interactive as possible. Instead of having an explicit \(\mathsf {Prove}\) algorithm/protocol in the prior GE formulation, the ciphertext produced by \(\mathsf {Enc}\) contains a non-interactive proof. Existing schemes can indeed be formulated in this setting, some at the cost of using Fiat–Shamir heuristics. Also, the \(\mathsf {Join}\) protocol is reduced to a pair of algorithms that the GM uses the algorithm \(\mathsf {Join}\) to sign on a given public key for generating a certificate on itFootnote 3, which the user can then run \(\mathsf {Vf}\mathsf {cert}\) to verify its validity. This helps to simplify the security definitions. We remark that the security definition for existing non-interactive GE schemes [8, 21] still separates the proof from the ciphertext.

Correctness. We require for an SGE scheme, the correctness game \(\mathsf {Corr}\) defined in Fig. 1 returns 1 with overwhelming probability.

Fig. 1.
figure 1

Experiment for the correctness of SGE

Full size image

3.2 Security Model of Sanitizable Group Encryption

In the following, we assume the adversary \(\mathcal {A}\) is stateful. By maintaining the state information \(\mathsf {state}\), \(\mathcal {A}\) becomes aware of at which stage it is.

Message Indistinguishability (IND). An SGE scheme meets the IND-CCA notion if the success probability of any PPT adversary \(\mathcal {A}\) to distinguish among encryptions of a chosen message and of a random message is at most negligibly better (in parameter \(\lambda \)) than \(\frac{1}{2}\) in the experiment \(\mathsf {Ind}\) in Fig. 2a, where the oracles are defined as below.

  • \(\mathcal {O}^{\mathsf {Join}^*}_{\mathcal {L}}()\) is a stateful oracle that simulates executions for honest users who request to join the group. It maintains as state information an initially empty list \(\mathcal {L}\). For its i-th invocation, the simulator executes \((\mathsf {pk}_{\mathsf {ID}_i}, \mathsf {sk}_{\mathsf {ID}_i}) \leftarrow \mathsf {KeyGen}_{\mathsf {u}}(\mathsf {pp})\), sends it to the adversary, which responds with \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}}\). The output \((\mathsf {pk}_{\mathsf {ID}_i}, \mathsf {sk}_{\mathsf {ID}_i}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}})\) of the user is stored in \(\mathcal {L}\) if the \(\mathsf {Join}()\)-executing \(\mathcal {A}\) provides a valid certificate \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}}\).

  • \(\mathcal {O}^{\mathsf {Dec}}_{\lnot (\mathsf {ID}^*, c_b)}(\mathsf {ID}, c_i)\) is a stateless decryption oracle. On input a ciphertext \(c_i\), it runs \(M' \leftarrow \mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathsf {San}(c_i))\) and returns \(M'\) if \((\mathsf {ID}, c_i) \ne (\mathsf {ID}^*, c_b)\).

  • \(\mathcal {O}^{\mathsf {RoR}}_b(\mathsf {pk}_{\mathsf {ID}}, \mathsf {pk}_{\mathcal {R}}, x, M)\) is a real-or-random challenge oracle that is only queried once. For a bit b, it samples a random plaintext \(M_0\) uniformly from \(\mathcal {M}\), and sets \(M_1 = M\). It returns \(c_b \leftarrow \mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, (\mathsf {pk}_{\mathcal {R}}, x,)~M_b)\).

Fig. 2.
figure 2

Experiments for (2a) IND-CCA and (2b) ANO-CCA notions of SGE

Full size image

Anonymity. The formal definition of anonymity against chosen-ciphertext attacks (ANO-CCA) is as follows. The notion is met if the success probability of any PPT adversary \(\mathcal {A}\) is at most negligibly better than \(\frac{1}{2}\). We introduce the following oracles and the game \(\mathsf {Ano}\) in Fig. 2b.

  • \(\mathcal {O}^{\mathsf {Open}}_{\lnot c_b}(\mathsf {sk}_{\mathsf {OA}}, \cdot )\) returns \(\mathsf {Open}(\mathsf {sk}_{\mathsf {OA}}, \mathsf {San}(c))\) on input of a ciphertext \(c \ne c_b\),

  • \(\mathcal {O}^{\mathsf {Ano}}_b(\mathsf {pk}_{\mathsf {GM}}, \{\mathsf {pk}_{\mathsf {ID}_d}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_d}}\}_{d \in \{0,1\}}, \mathsf {pk}_{\mathcal {R}}, x, M)\) is a challenge oracle that is only queried once. It returns \(c_b \leftarrow \mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}_b}, \mathsf {cert}_{\mathsf {pk}_b}, (\mathsf {pk}_{\mathcal {R}}, x,)~M)\).

Soundness. In a soundness attack, \(\mathcal {A}\) creates adaptively the intended group of receivers communicating with the genuine \(\mathsf {GM}\). \(\mathcal {A}\) is successful if it can output a ciphertext c and a chosen \(\mathsf {pk}_{\mathcal {R}}\) such that (1) c is not in the valid ciphertext space denoted by \(\mathcal {C}^{\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {db}, \mathsf {pk}_{\mathcal {R}}, x} = \{ \mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, (\mathsf {pk}_{\mathcal {R}}, x,)~M): ((x, M) \in \mathcal {R}) \wedge (\mathsf {pk}_{\mathsf {ID}} \in \mathsf {db}) \wedge \mathsf {Vf}\mathsf {cert}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}) = 1 \}\), and (2) opening c results in a public key that does not belong to any group member.

An SGE scheme is sound if, for any PPT \(\mathcal {A}\), the experiment \(\mathsf {Exp}_{\mathcal {A}}^{\mathsf {Sound}}(\lambda )\) outputs 1 with negligible probability. We introduce the following oracle and the game \(\mathsf {Sound}\) in Fig. 3a.

  • \(\mathcal {O}^{\mathsf {Join}}_{\mathsf {db}}(\mathsf {sk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {GM}}, \cdot )\) is a stateful oracle that simulates \(\mathsf {GM}\) and maintains \(\mathsf {db}\) storing each registered public key \(\mathsf {pk}_{\mathsf {ID}}\) along with its certificate \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\).

Fig. 3.
figure 3

Experiments for the (3a) Soundness and (3b) Sanitizability of SGE

Full size image

Sanitizability. Sanitizability requires that sanitization of two ciphertexts, one given by the adversary and the other randomly picked from the ciphertext space, cannot be distinguished as long as the adversary has no decryption key that decrypts any one of the ciphertexts. An SGE scheme is sanitizable if, for any PPT \(\mathcal {A}\), the experiment \(\mathsf {Exp}_{\mathcal {A}}^{\mathsf {wSan}}(\lambda )\) outputs 1 with negligible probability. With the two oracles \(\mathcal {O}^{\mathsf {Join}^*}_{\mathcal {L}}()\) and \(\mathcal {O}^{\mathsf {Dec}}_{\lnot (\mathsf {ID}^*, c)}(\mathsf {ID}, c_i)\) introduced in Fig. 2a, we introduce an additional oracle below and the game \(\mathsf {wSan}\) in Fig. 3b.

  • \(\mathcal {O}^{\mathsf {wSan}}(\mathsf {pk}_{\mathcal {R}}, \mathsf {sk}_{\mathcal {R}}, c) \rightarrow c_b\) is a real-or-random challenge oracle that is only queried once, It aborts if \(\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathcal {R}}, x, c) = 0\). For a bit b, it first sets \(c^*_0 \leftarrow c\) and runs \((x, M^*) \leftarrow \mathsf {Sample}_{\mathcal {R}}(\mathsf {pk}_{\mathcal {R}}, \mathsf {sk}_{\mathcal {R}})\) to sample \(M^*\) uniformly from \(\mathcal {M}\) under the constraint that \((x, M^*) \in \mathcal {R}\). It then computes \(c^*_1 \leftarrow \mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, (\mathsf {pk}_{\mathcal {R}}, x,)~M^*)\) and returns \(c_b \leftarrow \mathsf {San}(c^*_b)\).

3.3 Sanitizable Public-Key Encryption

Let \({\mathcal {E}} = (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {San}, \mathsf {Dec})\) be a key-private sanitizable PKE scheme. We omit to repeat the standard definitions of correctness, key privacy, and CPA security here [13]. Sanitizability requires any adversary generating two pairs of message and randomness \((M_0, r_0), (M_1, r_1)\) cannot distinguish the random bit b when given a sanitized ciphertext \(\mathsf {San}(\mathsf {Enc}(\mathsf {pk}, M_b; r_b))\), where \(\mathsf {Enc}(\mathsf {pk}, M; r)\) refers to using r as its internal randomness.

3.4 Generic SGE Construction

We construct SGE by adapting the generic GE construction of El Aimani and Joye [3]. In a nutshell, the membership certificate is a signature. To create a GE ciphertext, the message and the public key are encrypted in two ciphertexts, and the validity of the certificate and well-formedness of the GE ciphertext are proven by non-interactive zero-knowledge (NIZK) proof. To achieve CCA security, they use tag-based public-key encryption with label and employ the CHK transform. A one-time signature verification key is put as the label, which is not sanitizable.

Instead of the CHK transform, we use the Naor–Yung technique [22, 24] to upgrade from CPA- to CCA-security. At a high level, two “component” ciphertexts, both encrypting the same message, are proven to be so via non-malleable NIZK. To simulate the decryption oracle, the reduction knows the decryption key for one of the two PKE instances, and hence decryption is trivial. The challenge ciphertext can be simulated via simulation soundness of NIZK, which ensures that the adversary has no advantage even if the simulated NIZK for the challenge query is for a wrong statement, and can easily be achieved via, e.g., Fiat–Shamir heuristic. With this approach, we can achieve a CCA-security definition akin to that of ACE we defined in Sect. 2.2, following the prior definition [4]. Namely, the sanitizer first checks the well-formedness of the ciphertexts, drops the proof and the redundant ciphertext, and then performs rerandomization.

Let \(\varSigma = (\mathsf {Gen}, \mathsf {Sign}, \mathsf {Vf})\) be a signature scheme that is existentially unforgeable against chosen-message attacks (EUF-CMA). Let h be a collision-resistant hash function from the public-key space to the message space of \(\mathcal {E}\). With an NIZK proof system, an SGE scheme is constructed as follows.

  • \(\mathsf {Setup}(1^{\lambda }) \rightarrow \mathsf {pp}\): This algorithm runs the setup algorithms (if any) for the building blocks and outputs all the public parameters as \(\mathsf {pp}\). Let \(\mathcal {R}\) be a relation with a key pair \((\mathsf {pk}_{\mathcal {R}}, \mathsf {sk}_{\mathcal {R}})\) for sampling pairs \((x, M) \in \mathcal {R}\).

  • \(\mathsf {KeyGen}_{\mathsf {GM}}(\mathsf {pp}) \rightarrow (\mathsf {pk}_{\mathsf {GM}}, \mathsf {sk}_{\mathsf {GM}})\): This key generation algorithm for the group manager outputs \((\mathsf {pk}_{\mathsf {GM}}, \mathsf {sk}_{\mathsf {GM}})\), which is set to be \((\varSigma .\mathsf {pk}, \varSigma .\mathsf {sk}) \leftarrow \varSigma .\mathsf {Gen}(1^\lambda )\).

  • \(\mathsf {KeyGen}_{\mathsf {OA}}(\mathsf {pp}) \rightarrow (\mathsf {pk}_{\mathsf {OA}}, \mathsf {sk}_{\mathsf {OA}})\): It runs \(\mathcal {E}.\mathsf {KeyGen}(1^\lambda )\), which output the pairs \((\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathcal {E}.\mathsf {sk}_{\mathsf {OA}})\) and \((\mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}, \mathcal {E}.\mathsf {sk}^*_{\mathsf {OA}})\). It returns \(((\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}), \mathcal {E}.\mathsf {sk}_{\mathsf {OA}})\).

  • \(\mathsf {KeyGen}_{\mathsf {u}}(\mathsf {pp}) \rightarrow (\mathsf {pk}_{\mathsf {ID}}, \mathsf {sk}_{\mathsf {ID}})\): It runs \(\mathcal {E}.\mathsf {KeyGen}(1^\lambda )\) twice. Let the outputs be \((\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathcal {E}.\mathsf {sk}_{\mathsf {ID}})\) and \((\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}, \mathcal {E}.\mathsf {sk}^*_{\mathsf {ID}})\). It outputs \(((\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}), \mathcal {E}.\mathsf {sk}_{\mathsf {ID}})\).

  • \(\mathsf {Join}(\mathsf {sk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}) \rightarrow \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\): It runs \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}} \leftarrow \varSigma .\mathsf {Sign}(\mathsf {sk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}})\) and returns \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\) to user \(\mathsf {ID}\). \(\mathsf {GM}\) also stores \((\mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\) in \(\mathsf {db}\).

  • \(\mathsf {Vf}\mathsf {cert}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\): It outputs \(\varSigma .\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\).

  • \(\mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, (\mathsf {pk}_{\mathcal {R}}, x,)~M) \rightarrow c\): It firstly generates \(c_{M} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, M)\), \(c^*_{M} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}, M)\), \(c_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, h(\mathsf {pk}_{\mathsf {ID}}))\), and \(c^*_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}, h(\mathsf {pk}_{\mathsf {ID}}))\), and a non-malleable NIZK proof \(\pi \) for:

    $$\begin{aligned} (x, M) \in \mathcal {R},&\qquad \varSigma .\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, \mathsf {pk}_{\mathsf {ID}}) = 1, \\ c_{M} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, M),&\qquad c^*_{M} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}, M), \\ c_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, h(\mathsf {pk}_{\mathsf {ID}})),&\qquad c^*_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}, h(\mathsf {pk}_{\mathsf {ID}})) \end{aligned}$$

    with statement \((\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathcal {R}}, x)\) and witness \((M, \mathsf {coins}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\), and \(\mathsf {coins}\) denotes the randomness used in all invocations of \(\mathcal {E}.\mathsf {Enc}()\) above. It outputs \(c = (c_{M}, c^*_{M}, c_{\mathsf {OA}}, c^*_{\mathsf {OA}}, \pi )\). Note that \((\mathsf {pk}_{\mathcal {R}}, x)\) can be optional.

  • \( \mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, (\mathsf {pk}_{\mathcal {R}}, x,)~c) \rightarrow \{0, 1\} :\) For \(c = (c_{M}, c^*_{M}, c_{\mathsf {OA}}, c^*_{\mathsf {OA}}, \pi )\), it verifies the NIZK proof \(\pi \), and outputs 1 if the proof is accepted, 0 otherwise.

  • \(\mathsf {San}(c) \rightarrow c'\): It calls \(\mathsf {Vf}\) on c and returns \(\bot \) if it is invalid. It then parses c into \((c_{M}, c^*_{M}, c_{\mathsf {OA}}, c^*_{\mathsf {OA}})\), and outputs \(c' = (\mathcal {E}.\mathsf {San}(c_{M}), \mathcal {E}.\mathsf {San}(c_{\mathsf {OA}}))\).

  • \(\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, c') \rightarrow M\): Parsing \(c' = (c'_{M}, c'_{\mathsf {OA}})\), it returns \(M\leftarrow \mathcal {E}.\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, c'_{M})\).

  • \(\mathsf {Open}(\mathsf {sk}_{\mathsf {OA}}, c') \rightarrow \mathsf {pk}_{\mathsf {ID}}\): It parses \(c' = (c'_{M}, c'_{\mathsf {OA}})\), runs \(h^* \leftarrow \mathcal {E}.\mathsf {Dec}(\mathsf {sk}_{\mathsf {OA}}, c'_{\mathsf {OA}})\), then looks up at \(\mathsf {db}\) and outputs the public key \(\mathsf {pk}_{\mathsf {ID}}\) such that \(h(\mathsf {pk}_{\mathsf {ID}}) = h^*\).

The following theorems assert the security of our generic construction.

Theorem 1

Our SGE scheme satisfies IND-CCA security if \(\mathcal {E}\) is IND-CCA-secure, \(\varSigma \) is EUF-CMA-secure, and NIZK is zero-knowledge proof-of-knowledge.

Theorem 2

Our SGE scheme satisfies ANO-CCA anonymity if \(\mathcal {E}\) is ANO-CCA-anonymous, \(\varSigma \) is EUF-CMA-secure, and NIZK is zero-knowledge proof-of-knowledge.

Theorem 3

Our SGE scheme satisfies soundness if \(\varSigma \) is EUF-CMA-secure and NIZK is zero-knowledge proof-of-knowledge.

Theorem 4

Our SGE scheme satisfies sanitizability if \(\varSigma \) is EUF-CMA-secure, \(\mathcal {E}\) is key-private and sanitizable, and NIZK is zero-knowledge proof-of-knowledge.

The proofs for the first three mostly follow those for the generic GE construction of El Aimani and Joye [3]. The proof for the sanitizability mostly follows that for the no-write rule of the generic ACE construction of Fuchsbauer et al.  [13]. Their details are deferred to the full version.

4 ACE from Sanitizable Group Encryption

4.1 Our Generic Construction of (t)ACE-EP

Using an SGE scheme, we can construct a (t)ACE scheme for the equality policy, i.e., \(\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1\) iff \(\mathsf {ID}_i = \mathsf {ID}_j\) as follows. \(\mathsf {Setup}\) of (t)ACE includes \(\mathsf {Setup}\) of SGE. \((\mathsf {G}_r, \mathsf {Sample}_{\mathcal {R}})\) is optional. ACE, by default, does not expect the message as a witness of some relation. However, incorporating so means that we can also enforce what kind of messages (even) a legitimate sender can send (cf., [18]).

The key generator takes the roles of \(\mathsf {GM}\) of SGE. It generates keys for users in the system by calling \(\mathsf {KeyGen}_{\mathsf {u}}\) and \(\mathsf {Join}\) to generate the public/secret key pair and create a certificate on the public key sequentially. To support sender tracing, the key generator stores \((\mathsf {ID}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\) in a directory \(\mathsf {db}\).

For access control, any sender of (t)ACE should be a group member in SGE. The group member keeps the certificate \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\) on \(\mathsf {pk}_{\mathsf {ID}}\) returned from \(\mathsf {GM}\) privately as the encryption key for proving the write permission and keeps \(\mathsf {sk}_{\mathsf {ID}}\) as the decryption key for exercising the read permission. During encryption, the sender calls the algorithm \(\mathsf {Enc}\) of SGE to generate a ciphertext consists of an NIZK proof for the following relation: (1) the anonymous decryptor is a group member, (2) the payload message is encrypted under the public key of that decryptor, and for tACE (3) the hash of the public key of the decryptor is encrypted in a ciphertext attached which is decryptable by the secret tracing key. The ciphertext is sent to the sanitizer. If the sanitizer accepts the proof embedded inside the ciphertext, it sanitizes the ciphertext and broadcasts it. Finally, the receiver calls the algorithm \(\mathsf {Dec}\) of SGE to decrypt. The tracer can call the algorithm \(\mathsf {Open}\) of SGE to search for the corresponding \(\mathsf {ID}\) if the need arises.

Let \(\mathcal {GE}= (\mathsf {Setup}, (\mathsf {G}_r, \mathsf {Sample}_{\mathcal {R}}), \mathsf {KeyGen}_{\mathsf {GM}}, \mathsf {KeyGen}_{\mathsf {OA}}, \mathsf {KeyGen}_{\mathsf {u}}, \mathsf {Join}, \mathsf {Vf}\mathsf {cert}, \mathsf {Enc}, \mathsf {Vf}, \mathsf {San}, \mathsf {Dec}, \mathsf {Open})\) be an SGE scheme. Our (t)ACE scheme for equality policy, or (t)ACE-EP, is constructed as follows.

  • \(\mathsf {Setup}(1^{\lambda }, \mathsf {P}) \rightarrow \mathsf {pp}_{\mathcal {ACE}}\): With security parameter \(\lambda \) and the policy \(\mathsf {P}\), this algorithm runs \(\mathsf {pp}\leftarrow \mathcal {GE}.\mathsf {Setup}(1^{\lambda })\) and returns \(\mathsf {pp}_{\mathcal {ACE}} = \mathsf {pp}\).

  • \(\mathsf {MKGen}(\mathsf {pp}_{\mathcal {ACE}}) \rightarrow (\mathsf {mpk}, \mathsf {msk})\): It runs \((\mathsf {pk}_{\mathsf {GM}}, \mathsf {sk}_{\mathsf {GM}}) \leftarrow \mathcal {GE}.\mathsf {KeyGen}_{\mathsf {GM}}(\mathsf {pp})\) and returns master public/secret key tuple as \((\mathsf {mpk}, \mathsf {msk}) = (\mathsf {pk}_{\mathsf {GM}}, \mathsf {sk}_{\mathsf {GM}})\).

  • \(\mathsf {TKGen}(\mathsf {pp}_{\mathcal {ACE}}) \rightarrow (\mathsf {tpk}, \mathsf {tsk})\): It runs \((\mathsf {pk}_{\mathsf {OA}}, \mathsf {sk}_{\mathsf {OA}}) \leftarrow \mathcal {GE}.\mathsf {KeyGen}_{\mathsf {OA}}(\mathsf {pp})\) and returns \((\mathsf {tpk}, \mathsf {tsk}) = (\mathsf {pk}_{\mathsf {OA}}, \mathsf {sk}_{\mathsf {OA}})\).

  • \(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_i) \rightarrow \mathsf {ek}_{\mathsf {ID}_i}\): With the input of \(\mathsf {ID}_i\), it first calls \((\mathsf {pk}_{\mathsf {ID}_i}, \mathsf {sk}_{\mathsf {ID}_i}) \leftarrow \mathcal {GE}.\mathsf {KeyGen}_{\mathsf {u}}(\mathsf {pp})\) then \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}} \leftarrow \mathcal {GE}.\mathsf {Join}(\mathsf {sk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}_i})\) (and stores in a directory \(\mathsf {db}\) \((\mathsf {ID}, \mathsf {pk}_{\mathsf {ID}_i}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}})\) for tracing). Finally, \(\mathsf {ek}_{\mathsf {ID}_i} = (\mathsf {pk}_{\mathsf {ID}_i}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}})\).

  • \(\mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_j) \rightarrow \mathsf {dk}_{\mathsf {ID}_j}\): For a receiver with identity \(\mathsf {ID}_j\), this algorithm returns \(\mathsf {sk}_{\mathsf {ID}_j}\) that has been generated by \(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_i)\). In practice, the key generator can use a pseudorandom function output of \(\mathsf {ID}_j\) as the randomness used by \(\mathcal {GE}.\mathsf {KeyGen}_{\mathsf {u}}(\mathsf {pp})\) within \(\mathsf {EKGen}(\mathsf {msk}, \mathsf {ID}_i)\). It outputs \(\mathsf {dk}_{\mathsf {ID}_j} = \mathsf {sk}_{\mathsf {ID}_j}\).

  • \(\mathsf {Enc}(\mathsf {ek}_{\mathsf {ID}_i}, \mathsf {tpk}, M) \rightarrow c\): Using an encryption key \(\mathsf {ek}_{\mathsf {ID}_i} = (\mathsf {pk}_{\mathsf {ID}_i}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}})\), possibly with a tracer public key \(\mathsf {tpk}= \mathsf {pk}_{\mathsf {OA}}\) (in tACE), this algorithm encrypts a message \(M\) via \(c \leftarrow \mathcal {GE}.\mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}_i}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}_i}}, M)\), or \(c \leftarrow \mathcal {GE}.\mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, \mathsf {pk}_{\mathcal {R}}, x, M)\) if the message policy with respect to \((\mathsf {pk}_{\mathcal {R}}, x)\) where \((x, M) \in \mathcal {R}\) is also enforced.

  • \(\mathsf {San}(c) \rightarrow c'\): Output \(c' \leftarrow \mathcal {GE}.\mathsf {San}(c)\) if \(\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, c)\) returns true; \(\bot \) otherwise. If the policy also mandates \((x, M) \in \mathcal {R}\), \(\mathsf {San}\) takes additional inputs of \((\mathsf {pk}_{\mathcal {R}}, x)\) and runs \(\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathcal {R}}, x, c)\) instead.

  • \(\mathsf {Dec}(\mathsf {dk}_{\mathsf {ID}_j}, c') \rightarrow M\): On input a ciphertext \(c'\) and secret key \(\mathsf {dk}_{\mathsf {ID}_j} = \mathsf {sk}_{\mathsf {ID}_j}\), this algorithm runs \(M\leftarrow \mathcal {GE}.\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}_j}, c')\), which either returns \(M\) or \(\bot \).

  • \(\mathsf {Trace}(\mathsf {tsk}, c') \rightarrow \mathsf {ID}\): On input a ciphertext \(c'\) and the tracing secret key \(\mathsf {tsk}\), it runs \(\mathsf {pk}_{\mathsf {ID}} \leftarrow \mathcal {GE}.\mathsf {Open}(\mathsf {sk}_{\mathsf {OA}}, c')\) and returns \(\mathsf {ID}\) by looking up stored \(\mathsf {db}\).

The correctness of this (t)ACE-EP scheme directly follows from the correctness of the SGE scheme \(\mathcal {GE}\). Since the SGE does not require any sanitizer key, the sanitization of our construction is done without any sanitizer key as well.

The proofs for correctness and security are mostly straightforward since sanitizable group encryption and (traceable) access control encryption are almost equivalent, modulo to the terminologies. They are deferred to the full version.

4.2 Extension to General Policy

Similar to the scheme of Fuchsbauer et al.  [13], this (t)ACE-EP construction can also be extended to support range policies and a disjunction clause over them, with both the ciphertext size and decryption key size being .

Beyond the above policies, we show that (t)ACE-EP can be extended to support general policy. Our intuition is as follows. For a receiver \(\mathsf {ID}_j\), the system generates the decryption key \(\mathsf {sk}_{\mathsf {ID}_i}\) of the (t)ACE-EP scheme for each \(\mathsf {ID}_i\) where \(\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1\), i.e., receiver \(\mathsf {ID}_j\) holds a set of decryption keys \(\{\mathsf {dk}_{\mathsf {ID}_i}\}_{\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1}\).

Let \((t)\mathcal {ACE}_{\mathsf {eq}} = (\mathsf {Setup}, \mathsf {MKGen}, (\mathsf {TKGen}), \mathsf {EKGen}, \mathsf {DKGen}, \mathsf {Enc}, \mathsf {San}, \mathsf {Dec}, (\mathsf {Trace}))\) be an (t)ACE-EP scheme for \(\mathsf {P}_{\mathsf {eq}}(\mathsf {ID}_i, \mathsf {ID}_j) = 1\) iff \(\mathsf {ID}_i = \mathsf {ID}_j\). We construct out (t)ACE scheme for general policy by changing the \(\mathsf {DKGen}\) and \(\mathsf {Dec}\) algorithms (all other algorithms remain unchanged).

  • \(\mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_j) \rightarrow \mathsf {dk}_{\mathsf {ID}_j}\): With the input of \(\mathsf {msk}\) and an identity \(\mathsf {ID}_j\), for any identities \(\mathsf {ID}_i\) with predicate \(\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1\), this algorithm computes \(\mathsf {dk}_{\mathsf {ID}_i} \leftarrow \mathcal {ACE}_{\mathsf {eq}}.\mathsf {DKGen}(\mathsf {msk}, \mathsf {ID}_i)\) and returns the set \(\{\mathsf {dk}_{\mathsf {ID}_i}\}_{\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1}\) as the decryption key for receiver \(\mathsf {ID}_j\).

  • \(\mathsf {Dec}(\mathsf {dk}, c) \rightarrow M\): With the input of a ciphertext \(c'\) and decryption key \(\mathsf {dk}_{\mathsf {ID}_j} = \{\mathsf {dk}_{\mathsf {ID}_i}\}_{\mathsf {P}(\mathsf {ID}_i, \mathsf {ID}_j) = 1}\), this algorithm decrypts \(c'\) using each \(\mathsf {dk}_{\mathsf {ID}_i}\). It outputs the message \(M\) if one of the decryptions succeeds, \(\bot \) otherwise.

Our method needs not to replicate the whole cryptosystem for \(2^\ell \) copies [12]. The ciphertext size of our ACE scheme for the general policy is the same as the underlying (t)ACE-EP scheme, which is O(1). The encryption key size remains the same as the underlying, i.e., O(1) too. The decryption key size is bounded by the maximum number of senders any user can receive messages from (denoted by \(s_{\max }\)). Theoretically speaking, this can still be as long as \(2^\ell \) when a particular user can receive from all other users. In practice, we can always heuristically assign a special identity to this kind of users to reduce the key size. Table 1 compares the size of the parameters of interests for our general-policy ACE instantiation (from ACE-EP) and the existing one (from 1-ACE [12, §3]).

Note that this scheme only achieves sender anonymity against outsiders. In other words, a legitimate decryptor can learn information about who the sender is. This matches the level of Kim–Wu ACE [18]. As argued [18], it suffices for all application scenarios originally envisioned [12].

Table 1. Comparison of key size and ciphertext (Ctxt.) sizes
Full size table

5 Lattice-Based Access Control Encryption

To achieve our final goal, we adapt Libert et al.  [20]’s lattice-based GE scheme, which is not sanitizable due to a non-randomizable tag. We thus disassemble it and replace its encryption scheme with a new lattice-based SPKE scheme.

5.1 Lattice Background

We quickly review some preliminaries in lattice-based cryptography. We cite a special version of the leftover hash lemma [23], which argues the indistinguishability from a uniform distribution. For our scheme, we consider \(\mathbb {Z}_q^n\) as the Abelian group \(\mathbb {G}\) and \(m = 2 n \log q\) be the maximum number of samples to be summed up.

Theorem 5

([23]). Let \(\mathbb {G}\) be some finite Abelian group and let k be some integer. For any m elements \(g_1,\dots , g_m \in \mathbb {G}\), consider the statistical distance between the uniform distribution on \(\mathbb {G}\) and the distribution given by the sum of a random subset of \(g_1,\dots , g_m\). The expectation of this statistical distance over a uniform choice of \(g_1,\dots , g_m \in \mathbb {G}\) is at most \(\sqrt{|\mathbb {G}|/2^m}\). In particular, the probability that this statistical distance is more than \(\root 4 \of {|\mathbb {G}|/2^m}\) is at most \(\root 4 \of {|\mathbb {G}|/2^m}\).

The decisional-LWE problem asks to distinguish samples from a perturbed linear system and random elements from the uniform distribution.

Definition 3

(Decisional Learning with Error [23]). Let \(\mathbb {Z}_{q}\) be the ring of integers modulo a positive integer q, and \(\mathbb {Z}_{q}^{n}\) be the set of n-vectors over \(\mathbb {Z}_{q}\). Given a probability distribution \(\chi \) over \(\mathbb {Z}\), a positive integer n, and a positive integer q of size dependent on n, the goal of learning with error \(\mathsf {LWE}_{q, \chi }\) is to distinguish between the sample \((\mathbf {a}, \mathbf {b})\) from distribution \(A_{\mathbf {s}, \chi }\), defined as \(b = \mathbf {a}\mathbf {s} + e\) with \(e \leftarrow \chi \) for some uniform secret \(\mathbf {s} \leftarrow \mathbb {Z}^n_q\) and \((\mathbf {a}, \mathbf {u})\) is sampled (via oracle accesses) from a uniform distribution on \(\mathbb {Z}^n_q \times \mathbb {Z}_q\) for randomly sampled \(\mathbf {a}\).

Definition 4

(Noise Sample Space [23]). For \(\alpha \in (0, 1)\) and a prime q, let \(\varPsi _{\alpha }\) denote the distribution over \(\mathbb {Z}_q\) of the random variable \(\lfloor qX \rceil \bmod q\), where X is a normal random variable with mean 0 and standard deviation \(\alpha /2\sqrt{\pi }\).

Specifically, if the noise added to the perturbed linear system being an amplified-then-quantized Gaussian noise (as mentioned in the above definition of noise sample space), one can apply the following theorem to reduce the hardness of LWE to existing lattice problems, which helps us to decide the parameters.

Theorem 6

(Regev’s Reduction [23]). For \(\alpha \in (0, 1)\) and prime q, if there exists an efficient, possibly quantum, algorithm for deciding the \((\mathbb {Z}_q, n, \varPsi _{\alpha })\)-LWE problem for \(\alpha q > 2\sqrt{n}\), then there is an efficient quantum algorithm for approximating the shortest independent vector problem and the gap shortest vector problem, to within \(\tilde{O}(n/\alpha )\) factors in \(\ell _2\) norm, in the worst case.

5.2 Lattice-Based Sanitizable Encryption

We start with Regev’s encryption scheme based on the LWE problem [23]. It features ciphertext indistinguishability, meaning that an honestly generated ciphertext is indistinguishable from a random element in the ciphertext space, which implies key privacy. Sanitization relies on encryption of 0 as randomizers. When the randomizers form a basis for spanning the randomness space of Regev’s scheme, the ciphertext can be rerandomized by adding a random subset-sum of the randomizers. This requires additive homomorphism. However, the noise accumulates after homomorphic evaluations. We thus change the parameters of the scheme such that the evaluation correctness (decryption correctness of an evaluated ciphertext) holds for a bounded number of additions. Namely, we scale up the modulo size to increase the noise tolerance of decryption.

This sanitization technique assumes an honest encryptor to prepare linearly independent randomness components, which mismatches the threat model that randomness is adversarially picked. We address this by a specific structure of the randomizer that allows us to check the rank of the randomizer, which implies the rank of the underlying randomness used by the randomizer.

Denote matrix and vector by bold capital and small letter, respectively; our SPKE scheme \((\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {San})\) is as follows.

  • \(\mathsf {Setup}(1^{\lambda }) \rightarrow \mathsf {pp}\): Set \(n = O(\lambda ) \), prime \(q =\tilde{O}(n) > 16m(m+1)\), \(m = 2n \log q\), . The probability distribution \(\chi \) is taken to be \(\varPsi _{\alpha }\), with \(\alpha = 1 / (\sqrt{m}\omega (\sqrt{\log {n}}) ) \). Sample \(\bar{\mathbf {A}} \leftarrow \mathbb {Z}_q^{n\times m}\) and compute \(r_{\bar{\mathbf {A}}} = \mathsf {Rank}(\bar{\mathbf {A}}) \). Output \(\mathsf {pp}= (q, n, m, k, \chi , \bar{\mathbf {A}}, r_{\bar{\mathbf {A}}}) \).

  • \(\mathsf {KeyGen}(\mathsf {pp}) \rightarrow (\mathsf {pk}, \mathsf {sk}) \): Sample \(\mathbf {s} \in \mathbb {Z}_q^{n}\) and \(\mathbf {e} \leftarrow \chi ^{m}\). Compute \(\mathbf {b} = \bar{\mathbf {A}}^\intercal \mathbf {s}+\mathbf {e} \in \mathbb {Z}_q^m\). Output \((\mathsf {pk}, \mathsf {sk}) = (\mathbf {b}, \mathbf {s})\).

  • \(\mathsf {Enc}(\mathsf {pk}, \mathbf {m}) \rightarrow \mathbf {c}\): Given \(\mathbf {m} \in \{0,1\}^k\), sample \(\mathbf {R}_{\mathbf {m}} \leftarrow \{0,1\}^{k \times m}\) and linearly independent \(\mathbf {R}_r \leftarrow \{0,1\}^{m \times m}\). Set \(\mathbf {c}_{\mathbf {m}} = (\mathbf {R}_{\mathbf {m}} \bar{\mathbf {A}}^\intercal , \mathbf {R}_{\mathbf {m}} \mathbf {b} + \mathbf {m} \cdot \lfloor q/2 \rfloor ) \in \mathbb {Z}_q^{ (k+1) \times n}\) and \(\mathbf {c}_r = (\mathbf {R}_r \bar{\mathbf {A}}^\intercal , \mathbf {R}_r \mathbf {b}) \in \mathbb {Z}_q^{ (m+1) \times n}\). Output \(\mathbf {c} = (\mathbf {c}_{\mathbf {m}},\mathbf {c}_r)\).

  • \(\mathsf {Dec}(\mathsf {sk}, \mathbf {c}')\rightarrow \mathbf {m}\): We suppose \(\mathbf {c}'\) has been sanitized by \(\mathsf {San}\). Parse \(\mathbf {c}' = (\mathbf {c}_0, \mathbf {c}_1) \). Set \(\mathbf {m}' = \mathbf {c}_1 - \mathbf {c}_0 \mathbf {s} \bmod q\). For each entry i of \(\mathbf {m}'\), say \(\mathbf {m}'_i\), set \(\mathbf {m}_i = 0\) if \(\mathbf {m}'_i\) is closer to 0 than \(\lfloor q/2 \rfloor \). Otherwise, set \(\mathbf {m}_i = 1\). Output \(\mathbf {m}\).

  • \(\mathsf {San}(\mathbf {c}) \rightarrow \mathbf {c}'\): Parse \(\mathbf {c} = ( (\mathbf {c}_{\mathbf {m}, 0}, \mathbf {c}_{\mathbf {m}, 1}), (\mathbf {c}_{r, 0}, \mathbf {c}_{r, 1}) ) \). Check if \(\mathsf {Rank}(\mathbf {c}_{r, 0}) = r_{\bar{\mathbf {A}}}\), output \(\bot \) if it is not. Otherwise, sample \(\mathbf {R} \in \{0, \pm 1\}^{k \times m}\) and output \(\mathbf {c}' = (\mathbf {c}_{\mathbf {m}, 0} + \mathbf {R} \mathbf {c}_{r, 0}, \mathbf {c}_{\mathbf {m}, 1} + \mathbf {R} \mathbf {c}_{r, 1}) \in \mathbb {Z}_q^{ (k+1) \times n}\).

Correctness. The decryption correctness of sanitized ciphertext largely follows the original scheme [23] and by scaling up the modulo q by \(m+1\) times to preserve the correctness after the additions done by \(\mathsf {San}\). Decryption outputs

$$\begin{aligned} \mathbf {c}_1-\mathbf {c}_0 \mathbf {s}&= (\mathbf {c}_{\mathbf {m}, 1} + \mathbf {R} \mathbf {c}_{r, 1}) - (\mathbf {c}_{\mathbf {m}, 0} + \mathbf {R} \mathbf {c}_{r, 0}) \mathbf {s} \\&= (\mathbf {R}_{\mathbf {m}} \mathbf {b} + \mathbf {m} \cdot \lfloor q/2 \rfloor + \mathbf {R} \mathbf {R}_r \mathbf {b}) - (\mathbf {R}_{\mathbf {m}} \bar{\mathbf {A}}^\intercal + \mathbf {R} \mathbf {R}_r \bar{\mathbf {A}}^\intercal ) \mathbf {s} \\&= (\mathbf {R}_{\mathbf {m}} + \mathbf {R} \mathbf {R}_r) (\mathbf {b} - \bar{\mathbf {A}}^\intercal \mathbf {s}) + \mathbf {m} \cdot \lfloor q/2 \rfloor \\&= (\mathbf {R}_{\mathbf {m}} + \mathbf {R} \mathbf {R}_r) \mathbf {e} + \mathbf {m} \cdot \lfloor q/2 \rfloor . \end{aligned}$$

Since \(\mathbf {R}_{\mathbf {m}}\), \(\mathbf {R}\) and \(\mathbf {R}_r\) are binary matrices, the absolute value of entries in \(\mathbf {R}' \mathbf {e}\) for \(\mathbf {R}' = \mathbf {R}_{\mathbf {m}} + \mathbf {R} \mathbf {R}_r\) is upper bounded by \((m+1) \sum _{i=1}^m e_i\), where \(e_i\) is the i-th entry of vector \(\mathbf {e}\). To recover \(\mathbf {m}\), we need to show that the entry of \(\mathbf {R}' \mathbf {e}\) is upper bounded by q/16; in other words, \(\sum _{i=1}^m e_i\) is upper bounded by \(q/16(m+1)\).

By the definition of \(\varPsi _{\alpha }\), \(e_i = \lfloor q x_i \rceil \bmod q\), where \(x_i\)’s are independent normal variables with mean 0 and variances \(\alpha ^2\). Note that \(\sum _{i=1}^m e_i\) is at most \(m/2 \le q/32\) away from \(\sum _{i=1}^m q x_i \bmod q\). It suffices to show that \(|\sum _{i=1}^m q x_i \bmod q| \le q/16(m+1)\) with high probability. Since \(x_i\)’s are independent, \(|\sum _{i=1}^m x_i \bmod q|\) is distributed as a normal variable with mean 0 and standard deviation \(\sqrt{m} \cdot \alpha \le 1/ \omega (\sqrt{\log {n}}) \). Thus, by the tail inequality on normal variables, the probability that the absolute value of the entry in \(\mathbf {R}' \mathbf {e}\) greater than q/16 is negligible.

Security. The proof mostly follows the existing [23]. We sketch its two hybrids.

The first hybrid game shows that a “well-formed” public key is indistinguishable from a random element based on the decisional-LWE assumption (Definition 3). By this assumption, replacing the component of the public key \( \mathbf {b}\) (the LWE instance) with a random element \( \mathbf {u} \) is indistinguishable.

The second hybrid game shows that a ciphertext is statistically indistinguishable from a random element by the leftover hash lemma (Theorem 5). Since the ciphertext \((\mathbf {r}^\intercal \bar{\mathbf {A}}^\intercal , \mathbf {r}^\intercal \mathbf {u})\) is a random subset-sum of \((\bar{\mathbf {A}}^\intercal , \mathbf {u}) \) as \( \mathbf {r} \in \{0,1\}^{m}\), it is statistically indistinguishable from a uniform distribution. It completes our argument for indistinguishability from random.

Sanitizability. Although checking for uniformly-sampled randomizer is difficult, one can check whether the randomizers are linearly independent (for randomness space being a vector) instead so that the randomizers always span the whole randomness space. Recall that one of the components of the ciphertext is \( \mathbf {c}_{r, 0} = \mathbf {R}_r \bar{\mathbf {A}}^\intercal \), we leverage the following lemma for the rank of matrix multiplication in linear algebra to check whether the randomness \( \mathbf {R}_r \) is linearly independent or not.Footnote 4 Given m-dimensional square matrix \(\mathbf {R}\) and \((n \times m)\)-dimensional matrix \(\mathbf {A} \), if \(\mathbf {R}\) is full rank, \(\mathsf {Rank}(\mathbf {R}\mathbf {A}^\intercal ) = \mathsf {Rank}(\mathbf {A}^\intercal ) \). Hence, if \(\mathsf {Rank}(\mathbf {c}_{r, 0}) = \mathsf {Rank}(\bar{\mathbf {A}}^\intercal \)), it implies that \(\mathbf {R}_r\) is full rank (linearly independent), and the corresponding randomizers can be used to span the whole randomness space. For example, sanitization changes the randomness from \(\mathbf {R}_{\mathbf {m}}\) to \(\mathbf {R}_{\mathbf {m}} + \mathbf {R} \mathbf {R}_r\).

For the indistinguishability of sanitized ciphertexts from a random element in the space of sanitized ciphertexts because of the changes in randomness space (from binary to integer), an appropriate version of the leftover hash lemma can be used. In its proof [23, Sect. 5], selecting a subset-sum or an integer combination of the basis vector does not affect the argument.

Verifiable Encryption. We show the proof system [20] for the ciphertext’s well-formedness of our SPKE scheme. The ciphertext is transformed into a linear relation in the form of \(\mathbf {P} \cdot \mathbf {x} = \mathbf {v}\), where witness \(\mathbf {x}\) has the same Hamming weight for 0 and 1. Consider the payload-part of a single-bit encryption \(\mathbf {c}_{\mathbf {m}} = (\mathbf {r}_{\mathbf {m}} \bar{\mathbf {A}}^\intercal , \mathbf {r}_{\mathbf {m}} \mathbf {b} + {\mathbf {m}} \cdot \lfloor q/2 \rfloor ) \) as an example. One can trivially extend to the multi-bit version as in our scheme since the matrix witness can be formulated as a single vector by concatenating the columns of the matrix one-by-one. Also, the randomizer \(\mathbf {c}_{r}\) is an encryption of 0. By matrix arrangement (joining two relations via an “AND” relation), the well-formedness of the whole ciphertext is guaranteed. Consider the relation:

$$\begin{aligned} \mathcal {R}= \{&( (\mathbf {c}_{{\mathbf {m}}, 0}, \mathbf {c}_{{\mathbf {m}}, 1} , \bar{\mathbf {A}}), (\mathbf {r}_{{\mathbf {m}}}, \mathbf {b}) ):\\&\mathbf {c}_{{\mathbf {m}}, 0} = \mathbf {r}_{{\mathbf {m}}} \bar{\mathbf {A}}^\intercal \wedge \mathbf {c}_{{\mathbf {m}}, 1} = \mathbf {r}_{{\mathbf {m}}} \mathbf {b} + {\mathbf {m}} \cdot \lfloor q/2 \rfloor \wedge \mathbf {r}_{{\mathbf {m}}} \in \{0, 1\}^{m} \wedge {\mathbf {m}} \in \{0, 1\} \}. \end{aligned}$$

With the techniques of Libert et al.  [20], the quadratic relation \(\mathbf {c}_{\mathbf {m}, 1} = \mathbf {r}_{\mathbf {m}} \mathbf {b} + \mathbf {m} \cdot \lfloor q/2 \rfloor \) boils down to \((\mathbf {c}_{\mathbf {m}, 1} = \mathbf {q} \mathbf {z} + \mathbf {m} \cdot \lfloor q/2 \rfloor ) \wedge (\mathbf {z} = \mathsf {expand}^{\otimes }(\mathbf {r}_{\mathbf {m}}, \mathsf {vdec}_{m, q }(\mathbf {b})))\), where \(\mathsf {expand}^{\otimes }\) is a function that exhausts all possibilities of two binary vectors, one obtained from the binary decomposition function \(\mathsf {vdec}\), and \(\mathbf {z} \in \{0, 1 \}^{4 m^2 \log q}\) such that \(\mathbf {q} \mathbf {z} = \mathbf {r}_{{\mathbf {m}}} \mathbf {b}\). Hence, we have

$$\mathbf {P} = \begin{bmatrix} \mathbf {A} &{} \mathbf {0}^{n \times m} &{} \mathbf {0} &{} 0 &{} 0 \\ \mathbf {0} &{} \mathbf {0} &{} \mathbf {q} &{} \lfloor q/2 \rfloor &{} 0 \end{bmatrix}, \qquad \mathbf {x} = \begin{bmatrix} \mathbf {r}_{\mathbf {m}} \\ \mathbf {r}_{\mathbf {m}}^c \\ \mathbf {z} \\ \mathbf {m} \\ \mathbf {m}^c \end{bmatrix}, \qquad \mathbf {v} = \begin{bmatrix} \mathbf {c}_{\mathbf {m}, 0} \\ \mathbf {c}_{\mathbf {m}, 1} \end{bmatrix}, $$

with \(\mathbf {z} = \mathsf {expand}^{\otimes }(\mathbf {r}_{\mathbf {m}}, \mathsf {vdec}_{m, q }(\mathbf {b}))\) as an additional part to be verified. Within \(\mathbf {x}\), \(\mathbf {r}_{\mathbf {m}}^c\) is a padding (complement) to make the concatenation of \(\mathbf {r}_{\mathbf {m}}\) and \(\mathbf {r}_{\mathbf {m}}^c\) having the same Hamming weight for 0 and 1. The term \(\mathbf {m}^c\) is for similar usage.

5.3 Lattice-Based Sanitizable Group Encryption

With our generic ACE construction from any SGE, it remains to instantiate our generic SGE construction. We mostly adopt the building blocks of Libert et al.  [20], i.e., the signature scheme \(\varSigma = (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Vf})\) based on the short-integer-solution assumption they used [5, 19] (its detailed description [20, Appendix A.1] is not repeated here) and their techniques in zero-knowledge arguments for matrix-vector relations, but with the encryption scheme replaced by our SPKE scheme \(\mathcal {E}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {San}, \mathsf {Dec})\).

We omitted \((\mathsf {G}_r, \mathsf {Sample}_{\mathcal {R}})\) and the related inputs and steps of \(\mathsf {Enc}\) below since they are independent of the cryptosystem. The encryptor can add the NIZK proof for the desired relation, e.g., for inhomogeneous SIS [20], if needed.

  • \(\mathsf {Setup}(1^{\lambda }) \rightarrow \mathsf {pp}\):

    1. 1.

      Run \(\mathcal {E}.\mathsf {pp}\leftarrow \mathcal {E}.\mathsf {Setup}(1^\lambda )\) and \(\varSigma .\mathsf {pp}\leftarrow \varSigma .\mathsf {Setup}(1^{\lambda })\).

    2. 2.

      Pick two random matrices \(\mathbf {F}, \mathbf {F}^* \leftarrow \mathbb {Z}_q^{n \times m \log q}\), which will be used to hash a user public key from \(\mathbb {Z}_q^{m \log q}\) to \(\mathbb {Z}_q^n\).

    3. 3.

      Set matrix \(\mathbf {H}_{n, q} \in \mathbb {Z}_q^{n \times \bar{m}}\) such that for any \(\mathbf {x}\in \mathbb {Z}_q^n\), \(\mathbf {x} = \mathbf {H}_{n, q} \cdot \mathsf {vdec}_{n, q}(\mathbf {x})\), and \(\mathsf {vdec}_{n, q}: \mathbb {Z}_q^{n} \rightarrow \{0,1\}^{\bar{m}}\) is an injective vector-decomposition function [20, Sect. 3.1 ].

    Output \(\mathsf {pp}= (\mathcal {E}.\mathsf {pp}, \varSigma .\mathsf {pp}, \mathbf {F}, \mathbf {F}^*)\).

  • \(\mathsf {KeyGen}_{\mathsf {GM}}(\mathsf {pp}) \rightarrow (\mathsf {pk}_{\mathsf {GM}}, \mathsf {sk}_{\mathsf {GM}})\): Output \((\mathsf {pk}, \mathsf {sk}) \leftarrow \varSigma .\mathsf {KeyGen}(1^\lambda )\).

  • \(\mathsf {KeyGen}_{\mathsf {OA}}(\mathsf {pp}) \rightarrow (\mathsf {pk}_{\mathsf {OA}}, \mathsf {sk}_{\mathsf {OA}})\):

    1. 1.

      Run \(\mathcal {E}.\mathsf {KeyGen}(1^\lambda )\) for twice to get \((\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathcal {E}.\mathsf {sk}_{\mathsf {OA}})\) and \((\mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}, \mathcal {E}.\mathsf {sk}^*_{\mathsf {OA}})\).

    2. 2.

      Output \(((\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}), \mathcal {E}.\mathsf {sk}_{\mathsf {OA}})\).

  • \(\mathsf {KeyGen}_{\mathsf {u}}(\mathsf {pp}) \rightarrow (\mathsf {pk}_{\mathsf {ID}}, \mathsf {sk}_{\mathsf {ID}})\):

    1. 1.

      Run \(\mathcal {E}.\mathsf {KeyGen}(1^\lambda )\) for twice to get \((\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathcal {E}.\mathsf {sk}_{\mathsf {ID}})\) and \((\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}, \mathcal {E}.\mathsf {sk}^*_{\mathsf {ID}})\).

    2. 2.

      Output \(((\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}), \mathcal {E}.\mathsf {sk}_{\mathsf {ID}})\).

  • \(\mathsf {Join}(\mathsf {sk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}) \rightarrow \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\):

    1. 1.

      Parse \(\mathsf {pk}_{\mathsf {ID}}\) as \((\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}})\) and compute a single hash value of them: \(\mathbf {h}_{\mathsf {ID}} = \mathbf {F} \cdot \mathsf {vdec}_{m, q}(\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}) + \mathbf {F}^* \cdot \mathsf {vdec}_{m, q}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}) \in \mathbb {Z}_q^n\).

    2. 2.

      Output \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}} \leftarrow \varSigma .\mathsf {Sign}(\mathsf {sk}_{\mathsf {GM}}, \mathbf {h}_{\mathsf {ID}})\) and store \((\mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\) in \(\mathsf {db}\).

  • \(\mathsf {Vf}\mathsf {cert}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\): Output \(\varSigma .\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}})\).

  • \(\mathsf {Enc}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathsf {ID}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, (\mathsf {pk}_{\mathcal {R}}, x,)~\mathbf {m}) \rightarrow \mathbf {c}\): To encrypt \(\mathbf {m} \in \{0,1\}^m\),

    1. 1.

      Parse \(\mathsf {pk}_{\mathsf {OA}}\) as \((\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}) = (\mathbf {b}_{\mathsf {OA}}, \mathbf {b}^*_{\mathsf {OA}})\).

    2. 2.

      Parse \(\mathsf {pk}_{\mathsf {ID}}\) as \((\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}) = (\mathbf {b}_{\mathsf {ID}}, \mathbf {b}^*_{\mathsf {ID}})\).

    3. 3.

      Compute the hash value \(\mathbf {h}_{\mathsf {ID}} = \mathbf {F} \cdot \mathsf {vdec}_{m, q}(\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}) + \mathbf {F}^* \cdot \mathsf {vdec}_{m, q}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}})\).

    4. 4.

      Compute the ciphertexts \(\mathbf {c}_{\mathbf {m}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathbf {m})\), \(\mathbf {c}^*_{\mathbf {m}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}, \mathbf {m})\), \(\mathbf {c}_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathsf {vdec}_{n, q}(\mathbf {h}_{\mathsf {ID}}))\), and \(\mathbf {c}^*_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}, \mathsf {vdec}_{n, q}(\mathbf {h}_{\mathsf {ID}}))\).

    5. 5.

      Generate the non-interactive proof \(\pi \) with witnesses:

      • for signature verification: \([\mathbf {d}_1^\intercal || \mathbf {d}_2^\intercal || \tau [1]\cdot \mathbf {d}_{2}^\intercal || \cdots || \tau [l]\cdot \mathbf {d}_2^\intercal ]^\intercal \), \(\mathbf {b}\), \(\mathbf {b}^*\), \(\mathbf {r}\),

      • for vector decomposition: \(\mathbf {w} = \mathsf {vdec}_{n, q}(\mathbf {D}_0 \cdot \mathbf {r} + \mathbf {D}_1 \cdot \mathbf {h})\), \(\mathbf {h} = \mathsf {vdec}_{n, q}(\mathbf {h}_{\mathsf {ID}})\),

      • for encryption of message: \(\mathbf {R}_{\mathbf {m}}\), \(\mathbf {b}\), \(\mathbf {m}\), \(\mathbf {R}_{\mathbf {m}, r}\), \(\mathbf {R}^*_{\mathbf {m}}\), \(\mathbf {b}^*\), \(\mathbf {R}^*_{\mathbf {m}, r}\),

      • for encryption of hash of public key: \(\mathbf {R}_{\mathsf {OA}}\), \(\mathbf {h}_{\mathsf {ID}}\), \(\mathbf {R}_{\mathsf {OA}, r}\), \(\mathbf {R}^*_{\mathsf {OA}}\), \(\mathbf {R}^*_{\mathsf {OA}, r}\),

      in the following relations:

      • \(\varSigma .\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}, \mathsf {pk}_{\mathsf {ID}}) = 1\) with \((\mathbf {A}, \mathbf {A}_0, \dots , \mathbf {A}_l, \mathbf {D}, \mathbf {D}_0, \mathbf {D}_1)\) from \(\mathsf {pk}_{\mathsf {GM}}\) and \((\tau , \mathbf {d}, \mathbf {r})\) from \(\mathsf {cert}_{\mathsf {pk}_{\mathsf {ID}}}\):

        $$\begin{aligned}&\mathbf {u} = [\mathbf {A} | \mathbf {A}_0 | \cdots |\mathbf {A}_l]\cdot [\mathbf {d}_1^\intercal || \mathbf {d}_2^\intercal || \tau [1] \mathbf {d}_{2}^\intercal || \cdots || \tau [l] \mathbf {d}_2^\intercal ]^\intercal + (-\mathbf {D}) \cdot \mathbf {w} \bmod q, \\&\mathbf {0} = \mathbf {H}_{n, q} \cdot \mathbf {w} + (-\mathbf {D}_0) \cdot \mathbf {r} + (-\mathbf {D}_1) \cdot \mathbf {h} \bmod q\\&\mathbf {0} = \mathbf {H}_{m, q} \cdot \mathbf {h} + (-\mathbf {F}) \cdot \mathsf {vdec}_{m, q}(\mathbf {b}) + (-\mathbf {F}^*) \cdot \mathsf {vdec}_{m, q}(\mathbf {b}^*) \bmod q. \end{aligned}$$

      • \(\mathbf {c}_{\mathbf {m}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {ID}}, \mathbf {m})\) and \(\mathbf {c}^*_{\mathbf {m}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {ID}}, \mathbf {m})\) with \((\mathbf {b}, \mathbf {b}^*)\) from public key \(\mathsf {pk}_{\mathsf {ID}}\) and \((\mathbf {R}_{\mathbf {m}}, \mathbf {R}_{\mathbf {m}, r}, \mathbf {R}^*_{\mathbf {m}}, \mathbf {R}^*_{\mathbf {m}, r})\) as the randomness:

        $$\begin{aligned} \mathbf {c}_{\mathbf {m}, 0}&= \mathbf {R}_{\mathbf {m}} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}_{\mathbf {m}, 1}&= \mathbf {R}_{\mathbf {m}} \mathbf {b} + \mathbf {m} \cdot \lfloor q/2 \rfloor , \\ \mathbf {c}_{\mathbf {m}, r, 0}&= \mathbf {R}_{\mathbf {m}, r} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}_{\mathbf {m}, r, 1}&= \mathbf {R}_{\mathbf {m}, r} \mathbf {b}, \\ \mathbf {c}^*_{\mathbf {m}, 0}&= \mathbf {R}^*_{\mathsf {OA}} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}^*_{\mathbf {m}, 1}&= \mathbf {R}^*_{\mathbf {m}} \mathbf {b}^* + \mathbf {m} \cdot \lfloor q/2 \rfloor , \\ \mathbf {c}^*_{\mathbf {m}, r, 0}&= \mathbf {R}^*_{\mathbf {m}, r} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}^*_{\mathbf {m}, r, 1}&= \mathbf {R}^*_{\mathbf {m}, r} \mathbf {b}^*. \end{aligned}$$

      • \(\mathbf {c}_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}_{\mathsf {OA}}, \mathbf {h})\) and \(\mathbf {c}^*_{\mathsf {OA}} \leftarrow \mathcal {E}.\mathsf {Enc}(\mathcal {E}.\mathsf {pk}^*_{\mathsf {OA}}, \mathbf {h})\) with \(\mathbf {h} = \mathsf {vdec}_{n, q}(\mathbf {h}_{\mathsf {ID}})\), \((\mathbf {b}_{\mathsf {OA}}, \mathbf {b}^*_{\mathsf {OA}})\) from \(\mathsf {pk}_{\mathsf {OA}}\) and \((\mathbf {R}_{\mathsf {OA}}, \mathbf {R}_{\mathsf {OA}, r}, \mathbf {R}^*_{\mathsf {OA}}, \mathbf {R}^*_{\mathsf {OA}, r})\) as the randomness:

        $$\begin{aligned} \mathbf {c}_{\mathsf {OA}, 0}&= \mathbf {R}_{\mathsf {OA}} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}_{\mathsf {OA}, 1}&= \mathbf {R}_{\mathsf {OA}} \mathbf {b}_{\mathsf {OA}} + \mathbf {h} \cdot \lfloor q/2 \rfloor , \\ \mathbf {c}_{\mathsf {OA}, r, 0}&= \mathbf {R}_{\mathsf {OA}, r} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}_{\mathsf {OA}, r, 1}&= \mathbf {R}_{\mathsf {OA}, r} \mathbf {b}_{\mathsf {OA}}, \\ \mathbf {c}^*_{\mathsf {OA}, 0}&= \mathbf {R}^*_{\mathsf {OA}} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}^*_{\mathsf {OA}, 1}&= \mathbf {R}^*_{\mathsf {OA}} \mathbf {b}^*_{\mathsf {OA}} + \mathbf {h} \cdot \lfloor q/2 \rfloor , \\ \mathbf {c}^*_{\mathsf {OA}, r, 0}&= \mathbf {R}^*_{\mathsf {OA}, r} \bar{\mathbf {A}}^\intercal ,&\qquad \mathbf {c}^*_{\mathsf {OA}, r, 1}&= \mathbf {R}^*_{\mathsf {OA}, r} \mathbf {b}^*_{\mathsf {OA}}. \end{aligned}$$

      Some witnesses are transformed to binary representation, which fits with the existing proof for the linear system [20] that uses binary witness.

    6. 6.

      Output the ciphertext \(\mathbf {c} = (\mathbf {c}_{\mathbf {m}}, \mathbf {c}^*_{\mathbf {m}}, \mathbf {c}_{\mathsf {OA}}, \mathbf {c}^*_{\mathsf {OA}}, \pi )\).

  • \(\mathsf {Vf}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_{\mathcal {R}}, x, \mathbf {c})\): Return the verification result of proof \(\pi \) against \(\mathbf {c}\).

  • \(\mathsf {San}(\mathbf {c}) \rightarrow \mathbf {c}'\): Call \(\mathsf {Vf}\) over \(\mathbf {c}\) and output \(\bot \) if it is invalid; otherwise, parse \(\mathbf {c} = (\mathbf {c}_{\mathbf {m}}, \mathbf {c}^*_{\mathbf {m}}, \mathbf {c}_{\mathsf {OA}}, \mathbf {c}^*_{\mathsf {OA}}, \pi )\) and output \((\mathcal {E}.\mathsf {San}(\mathbf {c}_{\mathbf {m}}), \mathcal {E}.\mathsf {San}(\mathbf {c}_{\mathsf {OA}}))\).

  • \(\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathbf {c}') \rightarrow \mathbf {m}\): Parse \(\mathbf {c}'\) as \((\mathbf {c}'_{\mathbf {m}}, \mathbf {c}'_{\mathsf {OA}})\) and output \(\mathbf {m} \leftarrow \mathcal {E}.\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathbf {c}'_{\mathbf {m}})\).

  • \(\mathsf {Open}(\mathsf {sk}_{\mathsf {OA}}, \mathbf {c}') \rightarrow \mathsf {pk}_{\mathsf {ID}}\): Parse \(\mathbf {c}'\) as \((\mathbf {c}'_{\mathbf {m}}, \mathbf {c}'_{\mathsf {OA}})\) and run \(\mathbf {h} \leftarrow \mathcal {E}.\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathbf {c}'_{\mathsf {OA}})\). Compute \(\mathbf {h}^* = \mathbf {H}_{m,q} \cdot \mathbf {h}\) and search for the public key hashes to the value \(\mathbf {h}^*\) by \(\mathbf {F} \cdot \mathsf {vdec}_{m, q}(\cdot ) + \mathbf {F}^* \cdot \mathsf {vdec}_{m, q}(\cdot )\). Output the corresponding public key \(\mathsf {pk}_{\mathsf {ID}}\); or \(\bot \) if it is not found.

Optimization. Instantiating our generic construction as above is not optimized. Specifically, for the ciphertexts marked with \(^*\), i.e., \(\mathbf {c}^*_{\mathbf {m}, r}\) and \(\mathbf {c}^*_{\mathsf {OA}, r}\), their randomizer components are redundant because these ciphertexts are not sanitized at \(\mathsf {San}\) but simply dropped instead. One can remove these randomizers from the ciphertexts, which also reduces the size of the witness.

Furthermore, the randomizers for encryption of \(\mathbf {m}\) for a user and \(\mathsf {vdec}_{n, q}(\mathbf {h}_{\mathsf {ID}})\) for \(\mathsf {OA}\) can be shared by using only single randomness \(\mathbf {R}\) as a witness instead of two \(\mathbf {R}_{\mathbf {m}, r}, \mathbf {R}_{\mathsf {OA}, r}\). Specifically, \(\mathbf {c}_{\mathbf {m}, r, 0}\) and \(\mathbf {c}_{\mathsf {OA}, r, 0}\) can be shared, i.e., \(\mathbf {c}_{\mathbf {m}, r}\) and \(\mathbf {c}_{\mathsf {OA}, r}\) are changed into \((\mathbf {c}_{r} = \mathbf {R}_r \bar{\mathbf {A}}^\intercal , \mathbf {c}_{\mathbf {m}, r} = \mathbf {R}_r \mathbf {b}, \mathbf {c}_{\mathsf {OA}, r} = \mathbf {R}_r \mathbf {b}_{\mathsf {OA}})\), with \(\mathsf {San}\) algorithm inputs \((\mathbf {c}_{r}, \mathbf {c}_{\mathbf {m}, r})\) for \(\mathbf {c}_{\mathbf {m}}\) and \((\mathbf {c}_{r}, \mathbf {c}_{\mathsf {OA}, r})\) for \(\mathbf {c}_{\mathsf {OA}}\) as randomizers.

Concerns with Subliminal Channel over Error. One may concern that the error term may form a subliminal channel, as mentioned in the open problem of Damgård et al.  [12]. We briefly explain how our construction prevents it. First, the public key is certified that the error term there cannot be changed. Second, our encryption algorithm by itself does not need any other noises (beyond the involvement of the public key). Third, if the adversary tries to introduce an error term to the ciphertext, it will fail the proof verification.

Our sanitization mechanism critically relies on homomorphism. As argued before, a sanitized ciphertext of our construction, which is a homomorphically-evaluated HE ciphertext, remains a random element in the ciphertext space to any adversary without the decryption key. The noise analysis of lattice-based encryption schemes, e.g., for breaking circuit privacy, is not applicable here since it requires the knowledge of the decryption key.

6 Concluding Remarks

We connect two seemingly related but different primitives, namely, access control encryption and group encryption. We borrowed the wisdom from the group encryption literature and proposed a new access control encryption scheme. Together with our sanitization technique for LWE-based encryption, we provide a candidate solution to the open problem left by Damgård in their seminal work in access control encryption, namely, a practically interesting access control encryption scheme from noisy, post-quantum assumptions, instead of using heavyweight tools such as indistinguishability obfuscation or fully homomorphic encryption.

While we slightly optimized our instantiation (compared to the existing lattice-based group encryption scheme), there is still room for improvement, especially for the delicate proof techniques. For practical efficiency, our suggestion is to use the latest access control encryption scheme of Wang and Chow [26], which comes with timing figures for a prototype implementation (and appears to be adaptive secure in the random oracle model, or selective secure in the common reference string model by replacing Fiat–Shamir proof with ZK non-interactive succinct argument of knowledge). A long-term research problem is to improve the efficiency of cryptosystems with resiliency to potential quantum computers.