Abstract
Proxy re-encryption plays an important role in cloud sharing. A ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme supports access control and can convert a ciphertext under one access policy into a ciphertext under another access policy, which makes it flexible and efficient for cloud sharing. The existing CP-ABPRE schemes are constructed from bilinear pairings or multilinear maps, which become fragile once quantum computers arrive. In this paper, a unidirectional single-hop CP-ABPRE scheme with a small public parameter size is presented using trapdoor sampling, and is proved secure under the learning with errors (LWE) assumption, which is widely believed to resist quantum computer attacks.
1 Introduction
Proxy re-encryption (PRE) allows a proxy to convert a ciphertext of the delegator into a ciphertext for a delegatee specified by the delegator, without the proxy learning the message in the process; this makes PRE useful for cloud sharing. At present, many types of PRE have been constructed, such as conditional proxy re-encryption (CPRE) [1], homomorphic proxy re-encryption (HPRE) [2], proxy broadcast re-encryption (PBRE) [3], identity-based proxy re-encryption (IBPRE) [4] and attribute-based proxy re-encryption (ABPRE) [5].
Attribute-based encryption (ABE), introduced by Sahai et al. [6], is an extension of identity-based encryption (IBE). ABE achieves fine-grained access control of encrypted data and provides one-to-many encryption. Goyal et al. [7] introduced two variants of ABE: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In a KP-ABE (CP-ABE) system, the ciphertext (private key) is associated with an attribute set S and the private key (ciphertext) is associated with an access structure W; the private key can decrypt the ciphertext if and only if S satisfies W.
Because terminal devices have limited resources, users cannot back up all their data in plain form or perform heavy computation locally. In a cloud network, a user (e.g., Alice) can use CP-ABE to encrypt her data under an access structure W and store the ciphertext in the cloud, which both shares the data and protects her privacy. Suppose the access structure W needs to be updated to another policy \(W'\) to meet the new needs of other users (e.g., Bob). Then Alice has to download and decrypt the ciphertext and encrypt the data again under \(W'\). If the access structure is renewed frequently, the computational overhead of this strategy on Alice's side becomes too heavy.
Ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) makes cloud data sharing more effective. With ABPRE, Alice only needs to generate a re-encryption key and send it to the proxy, which can then convert the ciphertext under W into a ciphertext under another access structure \(W'\). Cloud sharing should also consider issues such as authentication [8,9,10]. Liang et al. [11] constructed the first CP-ABPRE supporting AND gates over positive and negative attributes. Luo et al. [12] extended [5] to a CP-ABPRE supporting AND gates on multi-valued and negative attributes. Liang et al. [13] constructed the first adaptively CCA-secure CP-ABPRE. Zhang et al. [14] presented a ciphertext-policy attribute-based encryption (ABE) scheme based on LWE, which is widely believed to resist quantum computer attacks.
In this paper, we construct a CP-ABE scheme by modifying the ABE scheme of Zeng et al. [15]. Compared with the ABE schemes of [14, 15], our CP-ABE scheme has a smaller public parameter size. The existing CP-ABPRE schemes are constructed from bilinear pairings or multilinear maps, which become fragile once quantum computers arrive. We construct a CP-ABPRE on top of the new CP-ABE scheme by using trapdoor sampling from LWE, which is widely believed to resist quantum computer attacks. Our CP-ABPRE scheme is the first CP-ABPRE from LWE, and it can transfer a ciphertext from one access structure to another.
The rest of this paper is organized as follows. Section 2 gives the preliminaries. Section 3 describes the constructed ABPRE scheme. Finally, our work is concluded in Sect. 4.
2 Preliminaries
In this section, we introduce some notation, Gaussian distributions, the LWE hardness assumption and the definition of CP-ABPRE.
2.1 Notation
We use the notation listed in Table 1. For an integer q and a vector \({{\varvec{x}}} \in {{\mathbb {Z}_q}^n}\), let \(l = \left\lceil {\log q} \right\rceil \), \(P2\left( {\varvec{x}} \right) = {\left( {1{\varvec{x}};2{\varvec{x}}; \cdots ;{2^{l - 1}}{\varvec{x}}} \right) } \in {\mathbb {Z}}_q^{nl }\) and \(BD\left( {{{\varvec{x}}}} \right) = \left( {{{\varvec{u}}_1}| \cdots |{{\varvec{u}}_l }} \right) \in {\left\{ {0,1} \right\} ^{nl }}\), where \({{\varvec{x}}} = \sum \limits _{k = 1}^l {{2^{k - 1}}{{\varvec{u}}_k}}\). When A is a matrix, let P2(A) (resp. BD(A)) be the matrix formed by applying the operation to each row (resp. column) of A.
2.2 Gaussian Distributions and the LWE Hardness Assumption
For any positive parameter \(\sigma > 0\), define the Gaussian function on \({ { {\mathbb {R}}}^m}\), centered at \({{\varvec{c}}}\): \(\forall {{\varvec{x}}} \in { { {\mathbb {R}}}^m}\),
Let \(\varLambda \) be a discrete subset of \({ { {\mathbb {Z}}}^m}\). For any vector \({{\varvec{c}}} \in { { {\mathbb {R}}}^m}\) and any positive parameter \(\sigma > 0\), define the discrete Gaussian distribution over \(\varLambda \) as: \(\forall {{\varvec{x}}} \in { { {\mathbb {R}}}^m}\),
where \({\rho _{\sigma ,{{\varvec{c}}}}}\left( \varLambda \right) = \sum \nolimits _{{{\varvec{x}}} \in \varLambda } {{\rho _{\sigma ,{{\varvec{c}}}}}\left( {{\varvec{x}}} \right) }\).
Lemma 1
([16]). For any \({\varvec{c}}\in \varLambda \subset { \mathbb {Z}}^m\), let \({{\varvec{x}}} \leftarrow {D_{ \varLambda +{\varvec{c}},\sigma }}\), \(\sigma > \eta _\epsilon (\varLambda )\) for some \(\epsilon \in (0,1)\), then with overwhelming probability \(\left\| {{\varvec{x}}} \right\| < \sigma \sqrt{m} \). Moreover, if \({\varvec{c}}=0\) then the bound holds for any \(\sigma >0\), with \(\epsilon =0\).
Lemma 2
([17]). Let q, n, m be positive integers with \(q \ge 2\) and \(m \ge 6n\log q\). There is a probabilistic polynomial-time algorithm TrapGen(q, n, m) that outputs a pair \(\left( {A, T} \right) \in \mathbb {Z}_q^{n \times m} \times \mathbb {Z}^{m \times m}\) such that A is statistically close to uniform in \(\mathbb {Z}_q^{n \times m}\) and T is a basis for \(\varLambda _q^ \bot \left( A \right) = \left\{ {{\varvec{e}} \in \mathbb {Z}^m \text { s.t. } A{\varvec{e}} = 0 \bmod q} \right\} \), satisfying \(\left\| T \right\| \le O(n\log q)\) and \(\left\| {\widetilde{T}} \right\| \le O\left( {\sqrt{n\log q} } \right) \) (Alwen and Peikert assert that the constant hidden in the first \(O(\cdot )\) is no more than 20).
Lemma 3
([18]). Let \(q \ge 2\) and let \(A \in \mathbb {Z}_q^{n \times m}\) be a matrix. Let \(T_A\) be a basis for \(\varLambda _q^ \bot \left( A \right) \) and \(\sigma \ge \left\| {\widetilde{T}} \right\| \omega \left( {\sqrt{\log m} } \right) \). Then for any \({\varvec{c}} \in \mathbb {Z}^m\) and \({\varvec{u}} \in \mathbb {Z}_q^n\), there is a PPT algorithm SamplePre(\(A, T_A, {\varvec{u}}, {\varvec{c}}\)) that returns \({\varvec{x}} \in \varLambda _q^{{\varvec{u}}}(A) = \left\{ {{\varvec{e}} \in \mathbb {Z}^m \text { s.t. } A{\varvec{e}} = {\varvec{u}} \bmod q} \right\} \) sampled from a distribution statistically close to \(D_{\varLambda _q^{{\varvec{u}}}(A),\sigma ,{\varvec{c}}}\).
For the correctness of our CP-ABPRE, we recall the distribution \({\overline{\varPsi }_\alpha }\) over \(\mathbb {Z}_q\) whose random variable is \(\lfloor q X\rceil \bmod q\), where \(\alpha \in (0,1)\) is a real number, q is a prime, and X is a normal random variable with mean 0 and deviation \({\alpha ^2}/{2\pi }\).
Lemma 4
([18]). Let \({\varvec{r}} \in {\mathbb {Z}^m}\), \({\varvec{e}} \leftarrow \overline{\varPsi }_\alpha ^m\). Then with overwhelming probability in m
In particular, if \( e \leftarrow \overline{\varPsi }_\alpha \), then \(\left| e \right| \le q\alpha \omega \left( {\sqrt{\log m} } \right) + {1/2}\) with overwhelming probability in m.
The LWE (learning with errors) problem is a classic hard problem on lattices; it is as hard as worst-case SIVP and GapSVP for certain noise distributions \(\chi \), such as \(\overline{\varPsi }_\alpha \).
Theorem 1
([19]). Let \(q \ge 2\) and let \(\chi \) be a distribution over \(\mathbb {Z}\). The decisional \(LWE_{n,q,\chi }\) problem is to distinguish the following two distributions: in the first, \(({\varvec{a}}_i, b_i) \leftarrow \mathbb {Z}^{n+1}_q\) is uniform; in the second, \(({\varvec{a}}_i, b_i) \in \mathbb {Z}_q^{n+1}\) with \( {\varvec{a}}_i \leftarrow \mathbb {Z}^n_q\), \(b_i = {\varvec{a}}_i^T{\varvec{s}}+e_i\), \( {\varvec{s}}\leftarrow \mathbb {Z}^n_q\) and \( e_i\leftarrow \chi \). The \(LWE_{n,q,\chi } \) assumption is that the \(LWE_{n,q,\chi } \) problem is infeasible.
2.3 Attribute and Access Structure
In this paper, we study CP-ABE that supports AND-gates on positive and negative attributes. Let \(L = \left[ {\left| L \right| } \right] \) be the set of all attributes in the system. For \(i \in L\), each user either has or does not have attribute i. If a user does not have attribute i, we say the user has attribute \(-i\); that is, each attribute i is paired with \(-i\). We call i and \(-i\) a positive and a negative attribute, respectively.
Definition 1
For an access structure W organized as an AND-gate on positive and negative attributes, an attribute set S satisfies W (written \(S \vDash W\)) if and only if
\({S^ + } \subseteq S,{S^ - } \subseteq L\backslash S\),
where \({S^ + }\left( {{S^ - }} \right) \) is the positive (negative) attribute set in W and L is the set of all attributes in the system.
For instance, let \(L=[4]\) and \(W=(1 \text { and } -3)\). Then \(S \vDash W\) requires only \(1 \in S\) and \(3 \notin S\); attributes 2 and 4 need not be considered. The attribute sets \({S_1} = \{ 1\} ,{S_2} = \{ 1,2\} ,{S_3} = \{ 1,4\} ,{S_4} = \{ 1,2,4\} \) all satisfy W.
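The satisfaction predicate of Definition 1 and the disjointness condition that ReKeyGen enforces (Sect. 2.4), checked on the paper's example \(L=[4]\), \(W=(1 \text { and } -3)\). This is an added example, not the paper's code; its last function goes one step beyond the text by checking that an attribute set satisfying W can never satisfy a disjoint \(W^1\).

```python
from itertools import combinations

# An AND-gate access structure W is represented as a pair (S_plus, S_minus)
# of attribute sets; attributes are the integers of L = [|L|].


def satisfies(S, W):
    """S |= W  iff  S^+ is a subset of S and S^- is a subset of L \\ S (Definition 1)."""
    s_plus, s_minus = W
    S = set(S)
    return s_plus <= S and s_minus.isdisjoint(S)


def disjoint(W, W1):
    """Disjointness that ReKeyGen must enforce (Definition 2):
    S^+ is a subset of S^{1,-} and S^- is a subset of S^{1,+}."""
    return W[0] <= W1[1] and W[1] <= W1[0]


def satisfying_sets(L, W):
    """All S within L with S |= W: S^+ plus any subset of the unconstrained attributes."""
    s_plus, s_minus = W
    free = sorted(set(L) - s_plus - s_minus)
    return {frozenset(s_plus | set(extra))
            for k in range(len(free) + 1) for extra in combinations(free, k)}


def no_key_opens_both(L, W, W1):
    """Consequence of disjointness (not spelled out on the page): for a non-empty
    gate W, no attribute set satisfies both W and a disjoint W1, so a key sk_S
    for S |= W cannot decrypt the re-encrypted ciphertext C_{W1}."""
    if not (W[0] or W[1]):
        return False                      # the empty gate is satisfied by every S
    return disjoint(W, W1) and not any(satisfies(S, W1) for S in satisfying_sets(L, W))


# The paper's example: L = [4], W = (1 and -3).  W1 and W2 are constructed here.
L = {1, 2, 3, 4}
W = ({1}, {3})
W1 = ({3}, {1})                           # (3 and -1): disjoint with W
W2 = ({2}, {3})                           # (2 and -3): not disjoint with W
```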
2.4 Definition and Security Model of CP-ABPRE
A Single-Hop Unidirectional CP-ABPRE scheme has four participants.
(1) Trusted Authority (TA). The TA generates the public parameters, the master secret key and the re-encryption keys, and is trusted by all participants.
(2) Cloud Service Provider (CSP). The CSP stores the data uploaded by the DO and computes the re-encrypted ciphertext from the original ciphertext and the re-encryption key. The CSP is semi-trusted.
(3) Data Owner (DO). The DO encrypts his data and stores the encrypted data in the cloud.
(4) Data User (DU). The DU queries the CSP for re-encrypted data belonging to the DO.
Based on the definition and security model of Liang et al. [5], we give the following definition.
Definition 2
A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms:
1. Setup(\(\kappa , L\)): Given a security parameter \(\kappa \) and a set of attributes L, the TA returns public parameters pp and a master secret key msk.
2. KeyGen(pp, msk, S): Given pp, msk and an attribute set S of a DO or DU, the TA returns a secret key \(sk_S\) for S. Note that each secret key \(sk_S\) is associated with an attribute set S.
3. Encrypt(\(pp, W, \mu \)): Given pp, a message \(\mu \) and an access structure W over the attribute set L, the DO returns a ciphertext \(C_W\). Note that each ciphertext \(C_W\) is associated with an access structure W.
4. Decrypt(\(pp, sk_S, C_W, S\)): Given \(pp, C_W, S\) and its corresponding secret key \(sk_S\), the DO or DU returns the plaintext \(\mu \) if \(S\vDash W\), or a symbol \(\bot \) indicating that either \(C_W\) is invalid or \(S\nvDash W\).
5. ReKeyGen(\(pp, S, W, W^1\)): Given pp, an attribute set S and two access structures \(W, W^1\), the TA returns a re-encryption key \(rk_{W\rightarrow W^1}\), which can be used to transform a ciphertext under W into a ciphertext under \(W^1\), if \(S\vDash W\), or a symbol \(\bot \) if \(S\nvDash W\). The access structures W and \(W^1\) are required to be disjoint, that is, \(S^+\subseteq S^{1,-}\) and \(S^-\subseteq S^{1,+}\), where \(S^+,S^{1,+}\) (\(S^-,S^{1,-}\)) are the positive (negative) attribute sets in \(W, W^1\).
6. ReEnc(\(pp, C_W, rk_{W\rightarrow W^1}\)): Given pp, \(C_W\) and \(rk_{W\rightarrow W^1}\), the CSP outputs the re-encrypted ciphertext \(C_{W^1}\), or a symbol \(\perp \) indicating that W and \(W^1\) are not disjoint.
Correctness: There are two requirements for correctness:
1. Decrypt(\(pp, sk_S,C_W)\) = \(\mu \), where \(C_W=Encrypt(pp, W, \mu )\) and \(S\vDash W\).
2. Decrypt(\(pp, sk_{S^1}, C_{W^1}\)) = \(\mu \), where \(C_{W^1}=ReEnc(pp, rk_{W\rightarrow W^1},C_W)\), \(C_W=Encrypt(pp, W, \mu )\), \(rk_{W\rightarrow W^1}=ReKeyGen(pp, W, W^1)\) and \(S^1\vDash W^1\).
Definition 3
For a single-hop unidirectional CP-ABPRE scheme, let \(\kappa \) be a security parameter. Consider the following game, denoted \(\mathrm{{Expt}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - \mathrm{{Or}}}\left( \kappa \right) \), between a challenger and an adversary.
Initialization: The adversary chooses a challenge access structure \(W^*\) and sends it to the challenger.
Setup Phase: The challenger runs Setup(\(\kappa \), L) and sends pp to the adversary.
Learning Phase: In this phase, the adversary may query the following oracles polynomially many times, and the challenger answers each query.
(1) Secret key oracle \(\mathcal{O}_{\mathrm{sk}}\left( S \right) \): The adversary inputs an attribute set S. If \(S \nvDash W^*\), the challenger returns \(sk_S \leftarrow \mathrm{KeyGen}\left( pp, msk, S \right) \). Otherwise, the challenger returns \(\bot \).
(2) Re-encryption key oracle \(\mathcal{O}_{\mathrm{rk}}\left( {W,W'} \right) \): The adversary inputs two access structures \(W, W'\). If \(W=W^*\) and \(\mathcal{O}_{\mathrm{sk}}\left( {S'} \right) \) has been queried for some \(S' \vDash W'\), the challenger returns \(\perp \). Otherwise, the challenger returns \(rk_{W \rightarrow W'} \leftarrow \mathrm{ReKeyGen}(pp, W, W')\).
(3) Re-encryption oracle \(\mathcal{O}_{\mathrm{re}}\left( {rk_{W \rightarrow W'},W',C_W} \right) \): The adversary inputs \(W'\), \(C_W\) and \(rk_{W \rightarrow W'}\). If \(rk_{W \rightarrow W'} \leftarrow \mathrm{ReKeyGen}(pp, W, W')\), \(sk_S \leftarrow \mathrm{KeyGen}\left( pp, msk, S \right) \) and \(S\vDash W\), then the challenger returns \(C_{W'} \leftarrow \mathrm{ReEnc}(pp, C_W, rk_{W \rightarrow W'})\). Otherwise, the challenger returns \(\perp \).
Challenge: When the adversary finishes its oracle queries, it sends \(\mu \in \left\{ {0,1} \right\} \) to the challenger. The challenger flips a coin \(b \in \left\{ {0,1} \right\} \) and returns a random ciphertext C if \(b=0\), or the real ciphertext \(C_{W^*} \leftarrow \mathrm{Encrypt}(pp, W^*, \mu )\) if \(b = 1\).
Guess: Finally, the adversary outputs a guess \(b' \in \left\{ {0,1} \right\} \). If \(b'=b\), the adversary wins.
We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at original ciphertext if for any PPT adversary, the advantage
of the adversary is negligible.
Definition 4
For a single-hop unidirectional CP-ABPRE scheme, let \(\kappa \) be a security parameter. We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at re-encrypted ciphertext if for any PPT adversary, the advantage
of the adversary is negligible, where \({\mathcal{O}_1} = \left\{ {{\mathcal{O}_{\mathrm{{sk}}}},{\mathcal{O}_{\mathrm{{rk}}}},{\mathcal{O}_{\mathrm{{re}}}}} \right\} \); \(\mathcal{O}_\mathrm{{sk}}\) (queries with \(S\vDash W^*\) are forbidden), \(\mathcal{O}_\mathrm{{rk}}\) and \(\mathcal{O}_\mathrm{{re}}\) (queries in which \(C_W\) is a valid original ciphertext or a re-encrypted ciphertext are forbidden) are as in Definition 3; \(State_1\) and \(State_2\) are state information; \(W^*\) is the challenge access structure and \(W, W^*\) are disjoint; \(C_W\) is a random ciphertext C if \(b=0\) or the real ciphertext \(C_W \leftarrow \mathrm{Encrypt}(pp, W, \mu )\) if \(b = 1\), with \(\mu \in \left\{ {0,1} \right\} \).
3 A CP-ABPRE Scheme
In this section, a single-hop unidirectional CP-ABPRE scheme is presented first; then its correctness and security are proved.
3.1 Concrete Scheme
A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms.
1. Setup(n, m, q, L): Given positive integers n, m, q and a set of attributes L, the TA samples \({\varvec{u}} \leftarrow \mathbb {Z}_q^n\), computes \(\left( {A_{i,b}, T_{i,b}} \right) \leftarrow \mathrm{TrapGen}\left( {q,n,m} \right) \) for \(i\in L\) and \(b\in \{0,1\}\), and returns the public parameters \(pp = \left( {\left\{ {A_{i,b}} \right\} _{i \in L}^{b \in \left\{ {0,1} \right\} },{\varvec{u}}} \right) \) and the master secret key \(msk = \left( {\left\{ {T_{i,b}} \right\} _{i \in L}^{b \in \left\{ {0,1} \right\} }} \right) \).
2. KeyGen(pp, msk, S): Given pp, msk and an attribute set \(S \subseteq L\) of the DU, the TA lets \(A_i = \begin{cases} A_{i,0}, & i \in L\backslash S \\ A_{i,1}, & i \in S \end{cases}\), computes \({\varvec{s}} \leftarrow \mathrm{SamplePre}\left( {A,T,{\varvec{u}}} \right) \) and returns the secret key \(sk_S = {\varvec{s}}\), where \(A = \left( {A_1| \cdots |A_{\left| L \right| }} \right) \), \(T = \left[ {\begin{array}{ccc} T_1 & & \\ & \ddots & \\ & & T_{\left| L \right| } \end{array}} \right] \), and \(T_i\) is the basis for \(\varLambda _q^ \bot \left( {A_i} \right) \), \(i \in L\).
3. Encrypt(\(pp, W, \mu \)): Given pp, a message \(\mu \in \{0,1\}\) and an access structure W, the DO denotes the positive (negative) attribute set in W by \(S^+\) (\(S^-\)) and computes
$$c = {\varvec{u}}^T{\varvec{f}} + x_c + \left\lfloor {\frac{q}{2}} \right\rfloor \mu ,$$
$${\varvec{c}}_{i,0} = \begin{cases} {\varvec{z}}_{i,0}, & i \in S^+ \\ A_{i,0}^T{\varvec{f}} + {\varvec{x}}_{i,0}, & i \in S^- \end{cases},$$
$${\varvec{c}}_{i,1} = \begin{cases} A_{i,1}^T{\varvec{f}} + {\varvec{x}}_{i,1}, & i \in S^+ \\ {\varvec{z}}_{i,1}, & i \in S^- \end{cases},$$
$$\begin{pmatrix} {\varvec{c}}_{j,0} \\ {\varvec{c}}_{j,1} \end{pmatrix} = \begin{pmatrix} A_{j,0}^T \\ A_{j,1}^T \end{pmatrix} {\varvec{f}} + \begin{pmatrix} {\varvec{x}}_{j,0} \\ {\varvec{x}}_{j,1} \end{pmatrix}, \quad j \in L\backslash \left( {S^+ \cup S^-} \right) ,$$
and returns the ciphertext
$$C_W = \left( {c;\left\{ {{\varvec{c}}_{i,0},{\varvec{c}}_{i,1}} \right\} _{i \in L}} \right) ,$$
where \(x_c \leftarrow \chi \), \({\varvec{f}} \leftarrow \chi ^n\), \({\varvec{z}}_{i,0},{\varvec{z}}_{i,1},{\varvec{x}}_{i,0},{\varvec{x}}_{i,1} \leftarrow \chi ^m\).
4. Decrypt(\(pp, C_W, sk_S, S\)): After receiving the ciphertext \(C_W\) from the CSP, the DU computes \({\varvec{y}} = \left( {{\varvec{y}}_1; \cdots ;{\varvec{y}}_{\left| L \right| }} \right) \) with \({\varvec{y}}_i = \begin{cases} {\varvec{c}}_{i,1}, & i \in S \\ {\varvec{c}}_{i,0}, & \text {otherwise} \end{cases}\), and then outputs 0 if \(\left( { - {\varvec{s}}^T\,|\,1} \right) \left( {{\varvec{y}};c} \right) = c - {\varvec{y}}^T{\varvec{s}}\) is closer to 0 than to \(\left\lfloor {\frac{q}{2}} \right\rfloor \) modulo q, and 1 otherwise.
5. ReKeyGen(\(pp, S, W, W^1\)): After receiving pp, S and two access structures \(W, W^1\) from the DO, the TA outputs \(\perp \) if W and \(W^1\) are not disjoint or \(S\nvDash W\). Otherwise, it denotes the positive (negative) attribute set in \(W^1\) by \(S^{1,+}\) (\(S^{1,-}\)), noting \(S^{1,+} \subseteq L\) and \(S^{1,-} \subseteq L\), and computes
$$Q_{i,0} \leftarrow \begin{cases} \overline{X}_i, & i \in S^{1,+} \\ \mathrm{P2}\left( {R_{i,1 \rightarrow 0}^T} \right) + X_i, & i \in S^{1,-} \end{cases},$$
$$Q_{i,1} \leftarrow \begin{cases} \mathrm{P2}\left( {R_{i,0 \rightarrow 1}^T} \right) + X_i, & i \in S^{1,+} \\ \overline{X}_i, & i \in S^{1,-} \end{cases},$$
$$Q_{i,0} \leftarrow \mathrm{P2}\left( {R_{i,1 \rightarrow 0}^T} \right) + X_{i,0}, \quad Q_{i,1} \leftarrow \mathrm{P2}\left( {R_{i,0 \rightarrow 1}^T} \right) + X_{i,1}, \quad i \in L\backslash \left( {S^{1,+} \cup S^{1,-}} \right) ,$$
where \(R_{i,1 \rightarrow 0} \leftarrow \mathrm{SamplePre}\left( {A_{i,1},T_{i,1},A_{i,0}} \right) \), \(R_{i,0 \rightarrow 1} \leftarrow \mathrm{SamplePre}\left( {A_{i,0},T_{i,0},A_{i,1}} \right) \), \(X_i,X_{i,0},X_{i,1} \leftarrow \chi ^{m \times m\left\lceil {\log q} \right\rceil }\), \(\overline{X}_i \leftarrow \mathbb {Z}_q^{m \times m\left\lceil {\log q} \right\rceil }\), and finally returns the re-encryption key \(rk_{W \rightarrow W^1} = \left( {\left\{ {Q_{i,0},Q_{i,1}} \right\} _{i \in L}} \right) \).
6. ReEnc(\(pp, C_W, rk_{W \rightarrow W^1}\)): Given \(pp, C_W, rk_{W \rightarrow W^1}\), the CSP computes
$${\varvec{c}}_{i,0}^1 = \begin{cases} Q_{i,0}\,\mathrm{BD}\left( {{\varvec{c}}_{i,1}} \right) + {\varvec{x}}_{i,0}^1, & i \in S^{1,-} \\ {\varvec{z}}_{i,0}^1, & i \in S^{1,+} \end{cases},$$
$${\varvec{c}}_{i,1}^1 = \begin{cases} Q_{i,1}\,\mathrm{BD}\left( {{\varvec{c}}_{i,0}} \right) + {\varvec{x}}_{i,1}^1, & i \in S^{1,+} \\ {\varvec{z}}_{i,1}^1, & i \in S^{1,-} \end{cases},$$
$${\varvec{c}}_{j,0}^1 = Q_{j,0}\,\mathrm{BD}\left( {{\varvec{c}}_{j,1}} \right) + {\varvec{x}}_{j,0}^1, \quad {\varvec{c}}_{j,1}^1 = Q_{j,1}\,\mathrm{BD}\left( {{\varvec{c}}_{j,0}} \right) + {\varvec{x}}_{j,1}^1, \quad j \in L\backslash \left( {S^{1,+} \cup S^{1,-}} \right) ,$$
where \({\varvec{x}}_{i,0}^1,{\varvec{x}}_{i,1}^1,{\varvec{x}}_{j,0}^1,{\varvec{x}}_{j,1}^1 \leftarrow \chi ^m\) and \({\varvec{z}}_{i,0}^1,{\varvec{z}}_{i,1}^1 \leftarrow \mathbb {Z}_q^m\), and outputs the re-encrypted ciphertext
$$C_{W^1} = \left( {c;\left\{ {{\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^1} \right\} _{i \in L}} \right) .$$
3.2 Correctness and Parameters
We show the correctness of the scheme and set its parameters in this subsection.
First, we prove that Decrypt(\(pp, sk_S ,C_W)\) = \(\mu \), where \(C_W=Encrypt(pp, W, \mu )\) and \(S\vDash W\).
For an attribute set S, let \(A_i = \begin{cases} A_{i,0}, & i \in L\backslash S \\ A_{i,1}, & i \in S \end{cases}\) and \(A = \left( {A_1| \cdots |A_{\left| L \right| }} \right) \). Since \(T_i\) is a basis for \(\varLambda _q^ \bot \left( {A_i} \right) \), \(i \in L\), we have \(AT = \left( {A_1| \cdots |A_{\left| L \right| }} \right) \left[ {\begin{array}{ccc} T_1 & & \\ & \ddots & \\ & & T_{\left| L \right| } \end{array}} \right] = 0\) and \(\left| T \right| = \prod \limits _{i \in L} {\left| {T_i} \right| } \ne 0\), so \(T = \left[ {\begin{array}{ccc} T_1 & & \\ & \ddots & \\ & & T_{\left| L \right| } \end{array}} \right] \) is a basis for \(\varLambda _q^ \bot \left( A \right) \). Then the TA can compute \({\varvec{s}} = \left( {{\varvec{s}}_1; \cdots ;{\varvec{s}}_{\left| L \right| }} \right) \leftarrow \mathrm{SamplePre}\left( {A,T,{\varvec{u}}} \right) \) such that \({\varvec{u}} = A{\varvec{s}} = \sum \limits _{i = 1}^{\left| L \right| } {A_i} {\varvec{s}}_i\). Since \(S\vDash W\), we know that
where \({\varvec{x}} = \left( {{\varvec{x}}_1; \cdots ;{\varvec{x}}_{\left| L \right| }} \right) \), \({\varvec{x}}_i = \begin{cases} {\varvec{x}}_{i,0}, & i \in L\backslash S \\ {\varvec{x}}_{i,1}, & i \in S \end{cases}\). Thus,
If \(\left| {x_c} - {{{{\varvec{s}}}^T}{\varvec{x}}} \right| \) < \({\left\lfloor {\frac{q}{2}} \right\rfloor }\)/2, then we can get \(\mu \).
Then, we prove that Decrypt(\(pp, sk_{S^1}, C_{W^1}\)) = \(\mu \), where \(C_{W^1}=ReEnc(pp, rk_{W\rightarrow W^1},C_W)\), \(rk_{W\rightarrow W^1}=ReKeyGen(pp, W, W^1)\), \(C_W=Encrypt(pp, W, \mu )\) and \(S^1\vDash W^1\).
Let \(S^{1,+},S^{1,-}\) be the positive and negative attribute sets in \(W^1\), let \(C_W = \left( {c;\left\{ {{\varvec{c}}_{i,0},{\varvec{c}}_{i,1}} \right\} _{i \in L}} \right) \) be a ciphertext under W, and let \(rk_{W \rightarrow W^1} = \left( {\left\{ {Q_{i,0},Q_{i,1}} \right\} _{i \in L}} \right) \) be a re-encryption key. Since the access structures W and \(W^1\) are disjoint, we know that if \(i \in S^{1,-}\), then
that is
where \({\varvec{x}}_{_{i,0}}^2\; = R_{i,1 \rightarrow 0}^T{{\varvec{x}}_{i,1}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1\). Similarly, we have
where \({\varvec{x}}_{_{i,1}}^2\; = R_{i,0 \rightarrow 1}^T{{\varvec{x}}_{i,0}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,0}}} \right) + {\varvec{x}}_{_{i,1}}^1\),
where \({\varvec{x}}_{_{i,0}}^2\; = R_{i,1 \rightarrow 0}^T{{\varvec{x}}_{i,1}} + {X_{i,0}}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1\), \({\varvec{x}}_{_{i,1}}^2\; = R_{i,0 \rightarrow 1}^T{{\varvec{x}}_{i,0}} + {X_{i,1}}BD\left( {{{{\varvec{c}}}_{i,0}}} \right) + {\varvec{x}}_{_{i,1}}^1\), \(i \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \).
For the attribute set \(S^1\), let \(A_i = \begin{cases} A_{i,0}, & i \in L\backslash S^1 \\ A_{i,1}, & i \in S^1 \end{cases}\) and \(A^1 = \left( {A_1| \cdots |A_{\left| L \right| }} \right) \). The TA can compute \({\varvec{s}}^1 \leftarrow \mathrm{SamplePre}\left( {A^1,T^1,{\varvec{u}}} \right) \) such that \(A^1{\varvec{s}}^1 = {\varvec{u}}\), where \(T^1 = \left[ {\begin{array}{ccc} T_1 & & \\ & \ddots & \\ & & T_{\left| L \right| } \end{array}} \right] \) is a basis for \(\varLambda _q^ \bot \left( {A^1} \right) \). Since \(S^1\vDash W^1\), we know that \({\varvec{y}}^1 = \left( {{\varvec{y}}_1^1; \cdots ;{\varvec{y}}_{\left| L \right| }^1} \right) = (A^1)^T{\varvec{f}} + {\varvec{x}}^1\), where \({\varvec{x}}^1 = \left( {{\varvec{x}}_1^1; \cdots ;{\varvec{x}}_{\left| L \right| }^1} \right) \), \({\varvec{x}}_i^1 = \begin{cases} {\varvec{x}}_{i,0}^2, & i \in L\backslash S^1 \\ {\varvec{x}}_{i,1}^2, & i \in S^1 \end{cases}\). Thus,
If \(\left| {x_c} - {{{\varvec{s}}}^{1T}{\varvec{x}}^1} \right| \) < \({\left\lfloor {\frac{q}{2}} \right\rfloor }\)/2, then we can get \(\mu \).
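The P2/BD notation of Sect. 2.1, the ReEnc step of Sect. 3.1 and the noise term \({\varvec{x}}^2_{i,0}\) of the correctness argument above, worked through on a one-attribute toy instance (\(L=\{1\}\), \(W=(1)\), \(W^1=(-1)\)). This is an added example, not the paper's code: q, n, m are toy values, \(\chi \) is replaced by uniform \(\{-1,0,1\}\), and TrapGen/SamplePre are replaced by a backwards construction that keeps only the algebraic relations the proof uses, so it shows the arithmetic and is not a secure instantiation.

```python
import random

# Toy parameters, constructed for illustration only: they are far below the
# secure settings of Sect. 3.2 (there q is near 2^(n^delta) and m = 6n ceil(log q)).
Q = 4099                        # toy prime modulus
N, M = 3, 6                     # toy LWE dimension n and matrix width m
ELL = (Q - 1).bit_length()      # l = ceil(log2 q) = 13 for Q = 4099
rng = random.Random(2024)       # fixed seed so a run is reproducible

def p2_vec(x):
    """P2(x) = (x; 2x; ...; 2^(l-1) x) mod q, Sect. 2.1."""
    return [(v << k) % Q for k in range(ELL) for v in x]

def bd_vec(x):
    """BD(x) = (u_1 | ... | u_l) with x = sum_k 2^(k-1) u_k, u_k in {0,1}^len(x)."""
    return [(v >> k) & 1 for k in range(ELL) for v in x]

def p2_mat(a):
    """P2 applied to every row of a: (r x c) -> (r x c*l)."""
    return [p2_vec(row) for row in a]

def transpose(a):
    return [list(col) for col in zip(*a)]

def matvec(a, v):
    return [sum(x * y for x, y in zip(row, v)) % Q for row in a]

def matmul(a, b):
    bt = transpose(b)
    return [matvec(bt, row) for row in a]

def add(u, v):
    return [(x + y) % Q for x, y in zip(u, v)]

def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    return v - Q if v > Q // 2 else v

def small_vec(k):
    """Stand-in for a sample from chi^k: entries uniform in {-1, 0, 1} (constructed)."""
    return [rng.randint(-1, 1) for _ in range(k)]

def small_mat(r, c):
    return [small_vec(c) for _ in range(r)]

def uniform_mat(r, c):
    return [[rng.randrange(Q) for _ in range(c)] for _ in range(r)]

def p2_bd_identity(mat, vec):
    """P2(M) BD(y) = M y (mod q): the identity that ReEnc relies on."""
    return matvec(p2_mat(mat), bd_vec(vec)) == matvec(mat, vec)

def decrypt_bit(c, y, s):
    """Decrypt, Sect. 3.1 step 4: 0 if c - y^T s is closer to 0 than to floor(q/2) mod q."""
    d = centered((c - sum(a * b for a, b in zip(y, s))) % Q)
    return 0 if abs(d) < (Q // 2) / 2 else 1

def run_toy(mu):
    """Encrypt mu under W = (1), re-encrypt to W^1 = (-1), decrypt with a key for S^1 = {}.
    W has S^+ = {1} and W^1 has S^{1,-} = {1}, so W and W^1 are disjoint.
    TrapGen/SamplePre are replaced by a backwards construction that only keeps
    A_{1,1} R = A_{1,0}, A_{1,1} s = u and A_{1,0} s1 = u (not a secure instantiation)."""
    a11 = uniform_mat(N, M)               # A_{1,1}
    r10 = small_mat(M, M)                 # short R_{1,1->0}
    a10 = matmul(a11, r10)                # A_{1,0} := A_{1,1} R
    s1 = small_vec(M)                     # sk for S^1 = {}: attribute 1 absent, uses A_{1,0}
    s = matvec(r10, s1)                   # sk for S = {1}: A_{1,1} s = A_{1,1} R s1 = A_{1,0} s1
    u = matvec(a11, s)                    # u := A_{1,1} s, so both keys satisfy A s = u
    # Encrypt(pp, W, mu): c = u^T f + x_c + floor(q/2) mu,  c_{1,1} = A_{1,1}^T f + x_{1,1}
    f, xc, x11 = small_vec(N), small_vec(1)[0], small_vec(M)
    c = (sum(a * b for a, b in zip(u, f)) + xc + (Q // 2) * mu) % Q
    c11 = add(matvec(transpose(a11), f), x11)
    # ReKeyGen: 1 is in S^{1,-}, so Q_{1,0} = P2(R^T) + X_1 with X_1 <- chi^(m x m l)
    x_1 = small_mat(M, M * ELL)
    q10 = [add(pr, xr) for pr, xr in zip(p2_mat(transpose(r10)), x_1)]
    # ReEnc: c^1_{1,0} = Q_{1,0} BD(c_{1,1}) + x^1_{1,0}
    x1 = small_vec(M)
    c1_10 = add(matvec(q10, bd_vec(c11)), x1)
    # Sect. 3.2: c^1_{1,0} = A_{1,0}^T f + x^2,  x^2 = R^T x_{1,1} + X_1 BD(c_{1,1}) + x^1_{1,0}
    x2 = add(add(matvec(transpose(r10), x11), matvec(x_1, bd_vec(c11))), x1)
    return {
        "keys_ok": matvec(a10, s1) == u,
        "reenc_identity_ok": c1_10 == add(matvec(transpose(a10), f), x2),
        "reenc_noise_inf": max(abs(centered(v)) for v in x2),
        "decrypt_orig": decrypt_bit(c, c11, s),       # S = {1} selects y_1 = c_{1,1}
        "decrypt_reenc": decrypt_bit(c, c1_10, s1),   # S^1 = {} selects y_1 = c^1_{1,0}
    }
```

With these toy bounds the noise of the re-encrypted component is at most \(m l + m + 1 = 85\) per entry, so \(|x_c - ({\varvec{s}}^1)^T{\varvec{x}}^1| \le 6 \cdot 85 + 1 < \lfloor q/2 \rfloor /2\) and decryption of both ciphertexts succeeds for every seed.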
Finally, we set the parameters.
(1) Algorithm TrapGen requires \(m\ge 6n\log q\).
(2) Algorithm SamplePre requires \(\sigma \ge \left\| {\widetilde{\mathbf{T}}} \right\| \omega \left( {\sqrt{\log m} } \right) \).
(3) Correct decryption of the ciphertext requires \(\left| {{x_c} - {{{\varvec{s}}}^T}{\varvec{x}}} \right| \) < \({\left\lfloor {\frac{q}{2}} \right\rfloor }\)/2.
(4) Correct decryption of the re-encrypted ciphertext requires \(\left| {x_c} - {{{{\varvec{s}}}^{1T}}{\varvec{x}}^1} \right| \) < \({\left\lfloor {\frac{q}{2}} \right\rfloor }\)/2.
(5) The hardness of LWE requires \(\alpha q >2\sqrt{n}\).
Let \(\chi = {\overline{\varPsi }_\alpha }\). We set the parameters as follows:
\(n=\kappa \), q is the prime nearest to \({2^{{n^\delta }}}\), \(m = 6n\left\lceil {\log q} \right\rceil \), \(\sigma = m\omega \left( {\sqrt{\log m} } \right) \), \(\alpha = {\left[ {5{m^3}{\sigma ^2}\left| L \right| \omega \left( {\sqrt{\log m} } \right) } \right] ^{ - 1}}\), where \(\delta \) is a constant between 0 and 1.
We only verify (4), that is, \(\left| {x_c} - {{{{\varvec{s}}}^{1T}}{\varvec{x}}^1} \right| \) < \({\left\lfloor {\frac{q}{2}} \right\rfloor }\)/2. The others are easily checked.
From the element of \({\varvec{x}}^1\), we know
where \({\varvec{x}}',{\varvec{x}}''' \leftarrow {\chi ^m}\), \({\varvec{x}}'' \leftarrow {\chi ^{m \times m\left\lceil {\log q} \right\rceil }}\), \({\varvec{r}}\) is a column of \({R_{i,1 \rightarrow 0}},{R_{i,0 \rightarrow 1}}\). By Lemmas 1 and 3, we have \(||{\varvec{r}}||\le \sigma \sqrt{ m}\). By Lemma 4, we have
Thus,
3.3 Security
Theorem 2
Let \(n, q, m, \sigma , \alpha \) be as set above. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at original ciphertext.
Proof
Consider the following games.
\(Game^b_0\): This is the real game \(\mathrm{{Expt}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - \mathrm{{Or}}}\left( \kappa \right) \) with \(b \in \{0,1\}\). Suppose \(W^*\) is the adversary's challenge access structure; the challenger denotes the positive (negative) attribute set in \(W^*\) by \(S^{*,+}\) (\(S^{*,-}\)). The challenger answers the adversary's challenge query on \(\mu \in \{0,1\}\) as follows:
- If \(b=0\), output \({\varvec{c}} \leftarrow \mathbb {Z}_q^{1 + 2\left| L \right| m}\).
- If \(b=1\), output \(C_{W^*} \leftarrow \mathrm{Encrypt}(pp, W^*, \mu )\).
Finally, the adversary outputs a guess \(b' \in \{0,1\}\).
\(Game^b_1\): We modify the secret key oracle \({\mathcal{O}_{\mathrm{{sk}}}}\left( S \right) \). If the adversary inputs an attribute set S and \(S\vDash W^*\), then the challenger returns \(\perp \). If \(S\nvDash W^*\), the challenger lets \({A_i} = \left\{ {\begin{array}{*{20}{c}} {{A_{i,0}},} &{} {i \in L\backslash S} \\ {{A_{i,1}},} &{} {i \in S} \\ \end{array}} \right. \), samples \({\varvec{s}}_i^ + \leftarrow {D_{{\mathbb {Z}^m},\sigma }}\), \(i \in [|L|-1]\), computes \({\varvec{u}}' = {\varvec{u}} - \sum \limits _{i = 1}^{\left| L \right| - 1} {{A_i}{\varvec{s}}_i^ + }\), \({\varvec{s}}_{\left| L \right| }^ + \leftarrow \mathrm{{SamplePre}}\left( {{A_{\left| L \right| }},{T_{\left| L \right| }},{\varvec{u}}'} \right) \) and outputs the secret key \({{\varvec{s}}^ + } = \left( {{\varvec{s}}_1^ + , \cdots ,{\varvec{s}}_{\left| L \right| }^ + } \right) \). The others are the same as \(Game^b_0\).
Since the distribution of \({{\varvec{s}}^ + }\) is same as the real secret key \({{\varvec{s}} }\), and \(A{{\varvec{s}}^ + } = {\varvec{u}}\), we have \({{\varvec{s}}^ + }{ \approx _s}{\varvec{s}}\). Thus, \(\mathrm{{Game}}_0^b{ \approx _s}\mathrm{{Game}}_1^b\).
\(Game^b_2\): We modify the re-encryption key oracle \({\mathcal{O}_{\mathrm{{rk}}}}\left( {W,W'} \right) \). We replace \(\mathrm{{P2}}\left( {R_{i,1 \rightarrow 0}^T} \right) + {X_i}\), \(i \in {S^{1, - }}\), \(\mathrm{{P2}}\left( {R_{_{i,0 \rightarrow 1}}^T} \right) + {X_i}\), \(i \in {S^{1, + }}\), and \({Q_{i,0}},{Q_{i,1}}\), \(i \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \) with \(Q_{_{i,1 \rightarrow 0}}^*,Q_{_{i,0 \rightarrow 1}}^*,Q_{_{i,0}}^*,Q_{_{i,1}}^* \leftarrow {D_{{\mathbb {Z}^{m \times m\left\lceil {\log q} \right\rceil }},\sigma }}\), respectively. The others are the same as \(Game^b_1\).
Since the distributions of \(Q_{_{i,0}}^*,Q_{_{i,1}}^* \leftarrow {D_{{\mathbb {Z}^{m \times m\left\lceil {\log q} \right\rceil }},\sigma }}\) are the same as those of \(Q_{_{i,0}}, Q_{_{i,1}}\), respectively, we have \(Q_{_{i,0}}^*{ \approx _s}{Q_{i,0}}\), \(Q_{_{i,1}}^*{ \approx _s}{Q_{i,1}}\). Thus, \(\mathrm{{Game}}_1^b{ \approx _s}\mathrm{{Game}}_2^b\).
\(Game^b_3\): We modify the re-encryption oracle \({\mathcal{O}_{\mathrm{{re}}}}\left( {r{k_{S \rightarrow W'}},W',{C_W}} \right) \). We replace \({\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^1\) with \({\varvec{c}}_{i,0}^{1, + },{\varvec{c}}_{i,1}^{1, + } \leftarrow {D_{\mathbb {Z}_q^m,\sigma }}\), respectively, \(i \in [|L|]\). The others are the same as \(Game^b_2\).
Since \(Q_{_{i,0}}^*,Q_{_{i,1}}^* \leftarrow {D_{{\mathbb {Z}^{m \times m\left\lceil {\log q} \right\rceil }},\sigma }}\) and \({\varvec{x}}_{_{i,0}}^1,{\varvec{x}}_{_{i,1}}^1 \leftarrow {D_{{\mathbb {Z}^m},\sigma }}\), the distributions of \({\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^1\) and \({\varvec{c}}_{i,0}^{1, + },{\varvec{c}}_{i,1}^{1, + }\) are the same. Thus, \({\varvec{c}}_{i,0}^{1, + }{ \approx _s}{\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^{1, + }{ \approx _s}{\varvec{c}}_{i,1}^1\). Furthermore, \(\mathrm{{Game}}_3^b{ \approx _s}\mathrm{{Game}}_2^b\).
\(Game^b_4\): We replace \({\mathrm{{C}}_{{W^*}}} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ }}{\mathrm{{W}}^*},\mathrm{{ }}\mu )\) with \({{\varvec{c}}^ + } \leftarrow \mathbb {Z}_q^{1 + 2\left| L \right| m}\), where \({{\varvec{c}}^ + } = \left( {{c^ + };{{\left\{ {{\varvec{c}}_{_{i,0}}^ + ,{\varvec{c}}_{_{i,1}}^ + } \right\} }_{i \in L}}} \right) \). The others are the same as \(Game^b_3\).
We have \({c^ + }{ \approx _c}c\), \({\varvec{c}}_{_{i,1}}^ + { \approx _c}{{\varvec{c}}_{i,1}}\), \(i \in {S^ + } \cup L\backslash \left( {{S^ + } \cup {S^ - }} \right) \), \({\varvec{c}}_{_{i,0}}^ + { \approx _c}{{\varvec{c}}_{i,0}}\), \(i \in {S^ - } \cup L\backslash \left( {{S^ + } \cup {S^ - }} \right) \) under the LWE assumption, and \({\varvec{c}}_{_{i,1}}^ + { \approx _s}{{\varvec{c}}_{i,1}}\), \(i \in {S^ - }\), \({\varvec{c}}_{_{i,0}}^ + { \approx _s}{{\varvec{c}}_{i,0}}\), \(i \in {S^ + }\). Thus \({\mathrm{{C}}_{{W^*}}}{ \approx _c}{{\varvec{c}}^ + }\). Furthermore, \(\mathrm{{Game}}_3^b{ \approx _c}\mathrm{{Game}}_4^b\).
Finally, we can get \(\mathrm{{Game}}_0^0{ \approx _c}\mathrm{{Game}}_0^1\) by \(\mathrm{{Game}}_4^0{ \approx _c}\mathrm{{Game}}_4^1\). This completes the proof.
Theorem 3
Let \(n, q, m, \sigma , \alpha \) be as above. Then, if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure for re-encrypted ciphertexts.
Proof
For \(\left( {{W^*},stat{e_1}} \right) \leftarrow \mathcal{A}\left( {{1^\kappa }} \right) \) and \(\left( {\mu ,W,stat{e_2}} \right) \leftarrow {\mathcal{A}^{{\mathcal{O}_1}}}\left( {pp,stat{e_1}} \right) \), which are chosen by the adversary, the challenger encrypts \(\mu \in \{0,1\}\) under the access structure W and obtains a ciphertext \(C_W\), which is a random ciphertext C if \(b=0\) or the real ciphertext \({\mathrm{{C}}_W} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ W}},\mathrm{{ }}\mu )\) if \(b = 1\). By \(Game^b_4\) of Theorem 2, the adversary cannot distinguish a random ciphertext C from the real ciphertext \({\mathrm{{C}}_W} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ W}},\mathrm{{ }}\mu )\). For the re-encryption key \(r{k_{W \rightarrow {W^*}}}\), the adversary cannot distinguish the real \(r{k_{W \rightarrow {W^*}}}\) from a random Gaussian distribution by \(Game^b_2\) of Theorem 2. Thus, the adversary cannot obtain anything useful for winning the game. Finally, the challenger outputs the challenge re-encrypted ciphertext \(C_{{W^*}}^* \leftarrow ReEnc\left( {r{k_{S \rightarrow {W^*}}},{C_W}} \right) \). By the LWE assumption, \({Q_{i,0}}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1\), \(i \in {S^{1, - }} \cup \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \), is computationally indistinguishable from the uniform distribution, and \({Q_{i,1}}BD\left( {{{{\varvec{c}}}_{i,0}}} \right) + {\varvec{x}}_{_{i,1}}^1\), \(i \in {S^{1, + }} \cup \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \), is computationally indistinguishable from the uniform distribution. Thus, the advantage \(\mathrm{{Adv}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - {\mathop {\text {Re}}\nolimits } }\left( \kappa \right) \) of the adversary is negligible.
3.4 Comparison
We compare the related works in this subsection.
(1) Our scheme was constructed based on [14]. Compared with the ABE schemes of [14, 15], our scheme not only supports proxy re-encryption but also has a smaller public-parameter size. The comparison results are shown in Table 2, where S is the set of all attributes in the access structure.
(2) The existing CP-ABPRE schemes [5, 13, 20] are constructed from bilinear pairings, which become fragile once quantum computers arrive. Our CP-ABPRE scheme is constructed from LWE, which is widely believed to be secure against quantum computer attacks.
(3) Compared with existing LWE-based PRE schemes, our scheme is the first LWE-based CP-ABPRE scheme and has the same computational complexity \(O(n^2)\). The comparison results are shown in Table 3.
4 Conclusion
This paper constructs a ciphertext-policy attribute-based proxy re-encryption scheme over lattices. Lattice-based cryptography is an alternative that resists quantum computer attacks. The constructed scheme not only supports access control but can also convert the ciphertext \(C_W\) under access structure W into a ciphertext \(C_{W'}\) under another access structure \(W'\) without decrypting \(C_W\). Thus, the scheme is flexible for cloud sharing. Finally, the scheme is proven secure under the LWE assumption.
References
Ma, C., Li, J., Ouyang, W.: Lattice-based identity-based homomorphic conditional proxy re-encryption for secure big data computing in cloud environment. Int. J. Found. Comput. Sci. 28(6), 645–660 (2017)
Ma, C., Li, J., Ouyang, W.: A homomorphic proxy re-encryption from lattices. In: Chen, L., Han, J. (eds.) ProvSec 2016. LNCS, vol. 10005, pp. 353–372. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47422-9_21
Chow, S.S.M., Weng, J., Yang, Y., Deng, R.H.: Efficient unidirectional proxy re-encryption. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 316–332. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_19
Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_19
Liang, K., Fang, L., Susilo, W., et al.: A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertext security. In: Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems, INCoS 2013, Xi’an, China, October, pp. 55–559 (2013)
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: Wright, R., Vimercati, S. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, pp. 89–98 (2006)
Wang, D., Ma, C., Shi, L., Wang, Y.: On the security of an improved password authentication scheme based on ECC. In: Liu, B., Ma, M., Chang, J. (eds.) ICICA 2012. LNCS, vol. 7473, pp. 181–188. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34062-8_24
He, D., Wang, D., Wu, S.: Cryptanalysis and improvement of a password-based remote user authentication scheme without smart cards. Inf. Technol. Control 42(2), 105–112 (2013)
Wang, D., Ma, C., Zhang, Q., et al.: Secure password-based remote user authentication scheme against smart card security breach. J. Netw. 8(1), 148 (2013)
Liang, X., Cao, Z., Lin, H., Shao, J.: Attribute based proxy re-encryption with delegating capabilities. In: Safavi-Naini, R., Varadharajan, V. (eds.) Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia, pp. 276–286 (2009)
Luo, S., Hu, J., Chen, Z.: Ciphertext policy attribute-based proxy re-encryption. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 401–415. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_28
Liang, K., Man, H., Liu, J., et al.: A secure and efficient ciphertext-policy attribute-based proxy re-encryption for cloud data sharing. Futur. Gener. Comput. Syst. 52, 95–108 (2015)
Zhang, J., Zhang, Z.: A ciphertext policy attribute-based encryption scheme without pairings. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 324–340. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_23
Zeng, F., Xu, C.: A novel model for lattice-based authorized searchable encryption with special keyword. Math. Probl. Eng. (2015). Article ID 314621 https://doi.org/10.1155/2015/314621
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
Agrawal, S., Boneh, D., Boyen, X.: Efficient Lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)
Zeng, P., Choo, K.: A new kind of conditional proxy re-encryption for secure cloud storage. IEEE Access. 6, 70017–70024 (2018)
Xagawa, K.: Cryptography with Lattices. Ph.D. thesis, Department of Mathematical and Computing Sciences, Tokyo Institute of Technology (2010)
Jiang, M., Hu, Y., Wang, B., et al.: Lattice-based multi-use unidirectional proxy re-encryption. Secur. Commun. Netw. 8(18), 3796–3803 (2016)
Hou, J., Jiang, M., Guo, Y., Song, W.: Identity-based multi-bit proxy re-encryption over lattice in the standard model. In: Li, F., Takagi, T., Xu, C., Zhang, X. (eds.) FCS 2018. CCIS, vol. 879, pp. 110–118. Springer, Singapore (2018). https://doi.org/10.1007/978-981-13-3095-7_9
Acknowledgements
This work was supported by the National Natural Science Foundation of China (61472097), the Natural Science Foundation of Heilongjiang Province of China (JJ2019LH1770), the Special Funds of Heilongjiang University of the Fundamental Research Funds for the Heilongjiang Province (RCCXYJ201812) and the Open Fund of the State Key Laboratory of Information Security (2019-ZD-05).
© 2019 Springer Nature Singapore Pte Ltd.
Li, J., Ma, C., Zhang, K. (2019). A Novel Lattice-Based Ciphertext-Policy Attribute-Based Proxy Re-encryption for Cloud Sharing. In: Meng, W., Furnell, S. (eds) Security and Privacy in Social Networks and Big Data. SocialSec 2019. Communications in Computer and Information Science, vol 1095. Springer, Singapore. https://doi.org/10.1007/978-981-15-0758-8_3
DOI: https://doi.org/10.1007/978-981-15-0758-8_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-0757-1
Online ISBN: 978-981-15-0758-8