1 Introduction

Proxy re-encryption (PRE) allows a proxy to convert a ciphertext of the delegator into a ciphertext for a delegatee specified by the delegator, without the proxy learning the underlying message; this makes it useful for sharing data in the cloud. Many variants of PRE have been constructed, such as conditional proxy re-encryption (CPRE) [1], homomorphic proxy re-encryption (HPRE) [2], proxy broadcast re-encryption (PBRE) [3], identity-based proxy re-encryption (IBPRE) [4] and attribute-based proxy re-encryption (ABPRE) [5].

Attribute-based encryption (ABE), introduced by Sahai et al. [6], is an extension of identity-based encryption (IBE). ABE achieves fine-grained access control over encrypted data and provides one-to-many encryption. Goyal et al. [7] introduced two variants of ABE: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In a KP-ABE (CP-ABE) system the ciphertext (private key) is associated with an attribute set S and the private key (ciphertext) is associated with an access structure W; the private key can decrypt the ciphertext if and only if S satisfies W.

Because terminal devices are resource-limited, users cannot back up all of their data (in plain form) or perform heavy computation locally. In a cloud network, a user (e.g., Alice) can use CP-ABE to encrypt her data under an access structure W and store the ciphertext in the cloud, which lets her share the data while protecting her privacy. Suppose the access structure W has to be updated to another policy \(W'\) to meet the needs of other users (e.g., Bob). Alice would then have to download and decrypt the ciphertext and encrypt the data again under \(W'\). If the access structure is renewed frequently, the computational overhead of this strategy on Alice's side becomes too heavy.

Ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) makes cloud data sharing more efficient: Alice only needs to generate a re-encryption key and send it to the proxy, which can then convert a ciphertext under W into a ciphertext under another policy \(W'\). Cloud sharing should also take issues such as authentication into account [8,9,10]. Liang et al. [11] constructed the first CP-ABPRE supporting AND gates over positive and negative attributes. Luo et al. [12] extended [5] to a CP-ABPRE supporting AND gates on multi-valued and negative attributes. Liang et al. [13] constructed the first adaptively CCA-secure CP-ABPRE. Zhang et al. [14] presented a ciphertext-policy ABE scheme based on LWE, which is widely believed to be secure against quantum computer attacks.

In this paper, we construct a CP-ABE scheme by modifying the ABE scheme of Zeng et al. [15]. Compared with the ABE schemes of [14, 15], our CP-ABE scheme has smaller public parameters. Existing CP-ABPRE schemes are built from bilinear pairings or multilinear maps, which break down once quantum computers arrive. Using trapdoor sampling from LWE, which is widely believed to be secure against quantum computer attacks, we construct a CP-ABPRE on top of the new CP-ABE scheme. Our CP-ABPRE scheme is the first CP-ABPRE from LWE, and it implements the transfer of a ciphertext from one access structure to another.

The rest of this paper is organized as follows. Section 2 gives the preliminaries. Section 3 describes the constructed CP-ABPRE scheme. Finally, our work is concluded in Sect. 4.

2 Preliminaries

In this section, we introduce some notations, Gaussian distribution, the LWE hardness assumption and the definition of CP-ABPRE.

2.1 Notation

We use the notation listed in Table 1. For an integer q and a vector \({{\varvec{x}}} \in {{\mathbb {Z}_q}^n}\), let \(l = \left\lceil {\log q} \right\rceil \), \(P2\left( {\varvec{x}} \right) = {\left( {1{\varvec{x}};2{\varvec{x}}; \cdots ;{2^{l - 1}}{\varvec{x}}} \right) } \in {\mathbb {Z}}_q^{nl }\) and \(BD\left( {{{\varvec{x}}}} \right) = \left( {{{\varvec{u}}_1}| \cdots |{{\varvec{u}}_l }} \right) \in {\left\{ {0,1} \right\} ^{nl }}\), where \({{\varvec{x}}} = \sum \limits _{k = 1}^l {{2^{k - 1}}{{\varvec{u}}_k}}\). When A is a matrix, let P2(A) (resp. BD(A)) be the matrix formed by applying the operation to each row (resp. column) of A.

Table 1. Notation

2.2 Gaussian Distributions and the LWE Hardness Assumption

For any positive parameter \(\sigma > 0\), define the Gaussian function on \({ { {\mathbb {R}}}^m}\), centered at \({{\varvec{c}}}\): \(\forall {{\varvec{x}}} \in { { {\mathbb {R}}}^m}\),

$$\begin{aligned} {\rho _{\sigma ,{{\varvec{c}}}}} ({\varvec{x}})= \exp \left( {{{{ - \pi {{\left\| {{{\varvec{x}} - {\varvec{c}}}} \right\| }^2}}} / {{{\sigma ^2}}}}} \right) . \end{aligned}$$

Let \(\varLambda \) be a discrete subset of \({ { {\mathbb {Z}}}^m}\). For any vector \({{\varvec{c}}} \in { { {\mathbb {R}}}^m}\) and any positive parameter \(\sigma > 0\), define the discrete Gaussian distribution over \(\varLambda \) as: \(\forall {{\varvec{x}}} \in { { {\mathbb {R}}}^m}\),

$$\begin{aligned} {\chi _{\varLambda ,\sigma ,{{\varvec{c}}}}}({\varvec{x}}) = \frac{{{\rho _{\sigma ,{{\varvec{c}}}}}\left( {{\varvec{x}}} \right) }}{{{\rho _{\sigma ,{{\varvec{c}}}}}\left( \varLambda \right) }}, \end{aligned}$$

where \({\rho _{\sigma ,{{\varvec{c}}}}}\left( \varLambda \right) = \sum \nolimits _{{{\varvec{x}}} \in \varLambda } {{\rho _{\sigma ,{{\varvec{c}}}}}\left( {{\varvec{x}}} \right) }\).

Lemma 1

([16]). For any \({\varvec{c}}\in \varLambda \subset { \mathbb {Z}}^m\), let \({{\varvec{x}}} \leftarrow {D_{ \varLambda +{\varvec{c}},\sigma }}\), \(\sigma > \eta _\epsilon (\varLambda )\) for some \(\epsilon \in (0,1)\), then with overwhelming probability \(\left\| {{\varvec{x}}} \right\| < \sigma \sqrt{m} \). Moreover, if \({\varvec{c}}=0\) then the bound holds for any \(\sigma >0\), with \(\epsilon =0\).

Lemma 2

([17]). Let \(q, n, m\) be positive integers with \(q \ge 2\) and \(m \ge 6n\log q\). There is a probabilistic polynomial-time algorithm TrapGen(\(q, n, m\)) that outputs a pair \(\left( {A, T} \right) \in { \mathbb {Z}}_q^{n \times m} \times { { \mathbb {Z}}^{m \times m}}\) such that A is statistically close to uniform in \( { \mathbb {Z}}_q^{n \times m}\) and T is a basis for \(\varLambda _q^ \bot \left( A \right) = \left\{ {{{\varvec{e}}} \in {{ { \mathbb {Z}}}^m}\ \mathrm{s.t.}\ A{\varvec{e}} = {0}\bmod q} \right\} \), satisfying \(\left\| T \right\| \le O(n\log q)\) and \(\left\| {\widetilde{T}} \right\| \le O\left( {\sqrt{n\log q} } \right) \) (Alwen and Peikert assert that the constant hidden in the first \(O(\cdot )\) is no more than 20).

Lemma 3

([18]). Let \(q \ge 2\) and \(A \in { \mathbb {Z}}_q^{n \times m}\). Let \(T_A\) be a basis for \(\varLambda _q^ \bot \left( A \right) \) and \(\sigma \ge \left\| {\widetilde{T}} \right\| \omega \left( {\sqrt{\log m} } \right) \). Then for \({{\varvec{c}}} \in { { \mathbb {Z}}^m}\) and \({{\varvec{u}}} \in { \mathbb {Z}}_q^n\), there is a PPT algorithm SamplePre(\(A, T_A, {\varvec{u}}, {\varvec{c}}\)) that returns \({{\varvec{x}}} \in \varLambda _q^{{\varvec{u}}}(A) = \left\{ {{{\varvec{e}}} \in {{ { \mathbb {Z}}}^m}\ \mathrm{s.t.}\ A{\varvec{e}} = {{\varvec{u}}}\bmod q} \right\} \) sampled from a distribution statistically close to \({D_{\varLambda _q^{{\varvec{u}}}(A),\sigma ,{{\varvec{c}}}}}\).

For the correctness of our CP-ABPRE, we recall the distribution \({\overline{\varPsi }_\alpha }\) over \(\mathbb {Z}_q\) of the random variable \(\lfloor q X\rceil \bmod q\), where \(\alpha \in (0,1)\) is a real number, q is a prime, and X is a normal random variable with mean 0 and deviation \({{\alpha ^2}}/{2\pi }\).

Lemma 4

([18]). Let \({\varvec{r}} \in {\mathbb {Z}^m}\) and \({\varvec{e}} \leftarrow \overline{\varPsi }_\alpha ^m\). Then, with overwhelming probability in m,

$$\begin{aligned} \left| {{{{\varvec{r}}}^T}{\varvec{e}}} \right| \le \left\| {{\varvec{r}}} \right\| q\alpha \omega \left( {\sqrt{\log m} } \right) + \left\| {{\varvec{r}}} \right\| {{\sqrt{m} } / 2}. \end{aligned}$$

In particular, we have \(\left| e \right| \le q\alpha \omega \left( {\sqrt{\log m} } \right) + {1/2}\) with overwhelming probability in m if \( e \leftarrow \overline{\varPsi }_\alpha \).

The learning with errors (LWE) problem is a classic hard problem on lattices; for certain noise distributions \(\chi \), such as \(\overline{\varPsi }_\alpha \), it is as hard as the worst-case SIVP and GapSVP problems.

Theorem 1

([19]). Let \(q \ge 2\) and let \(\chi \) be a distribution over \(\mathbb {Z}\). The decisional \(LWE_{n,q,\chi }\) problem is to distinguish the following two distributions: in the first, \(({{\varvec{a}}}_{{\varvec{i}}}, b_i) \leftarrow \mathbb {Z}^{n+1}_q\) is uniform; in the second, \(({\varvec{a}}_{\varvec{i}}, b_i) \in \mathbb {Z}_q^{n+1}\) with \( {\varvec{a}}_{\varvec{i}} \leftarrow \mathbb {Z}^n_q\) and \(b_i = {\varvec{a}}_{\varvec{i}}^T{\varvec{s}}+e_i\), where \( {\varvec{s}}\leftarrow \mathbb {Z}^n_q\) and \( e_i\leftarrow \chi \). The \(LWE_{n,q,\chi } \) assumption is that the \(LWE_{n,q,\chi } \) problem is infeasible.

2.3 Attribute and Access Structure

In this paper, we study CP-ABE supporting AND gates on positive and negative attributes. Let \(L = \left[ {\left| L \right| } \right] \) be the set of all attributes in the system. For \(i \in L\), each user either has or does not have attribute i. If a user does not have attribute i, we say the user has attribute \(-i\); that is, each attribute i is associated with a negated attribute \(-i\). We call i and \(-i\) a positive and a negative attribute, respectively.

Definition 1

For an access structure W consisting of AND gates on positive and negative attributes, an attribute set S satisfies W, written \(S \vDash W\), if and only if

\({S^ + } \subseteq S,{S^ - } \subseteq L\backslash S\),

where \({S^ + }\) (\({S^ - }\)) is the positive (negative) attribute set in W and L is the set of all attributes in the system.

For instance, let \(L=[4]\) and let the access structure be \(W = (1 \wedge -3)\). Then \(S \vDash W\) requires only \(1 \in S\) and \(3 \notin S\); attributes 2 and 4 need not be considered. The attribute sets \({S_1} = \{ 1\} ,{S_2} = \{ 1,2\} ,{S_3} = \{ 1,4\} ,{S_4} = \{ 1,2,4\} \) all satisfy W.

2.4 Definition and Security Model of CP-ABPRE

A single-hop unidirectional CP-ABPRE scheme has four participants.

(1) Trusted Authority (TA). The TA generates the public parameters, the master secret key and the re-encryption keys, and is trusted by all participants.

(2) Cloud Services Provider (CSP). The CSP stores the data uploaded by the DO and computes re-encrypted ciphertexts from original ciphertexts and re-encryption keys. The CSP is semi-trusted.

(3) Data Owner (DO). The DO encrypts his data and stores the encrypted data in the cloud.

(4) Data User (DU). The DU queries the CSP for re-encrypted data belonging to the DO.

Based on the definition and the security model of Liang et al. [5], we give the following definition.

Definition 2

A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms:

1. Setup(\(\kappa , L\)): Given a security parameter \(\kappa \) and a set of attributes L, the TA returns public parameters pp and a master secret key msk.

2. KeyGen(\(pp, msk, S\)): Given pp, msk and an attribute set S of the DO or DU, the TA returns a secret key \(sk_S\) for S. Note that each secret key \(sk_S\) is associated with an attribute set S.

3. Encrypt(\(pp, W, \mu \)): Given pp, a message \(\mu \) and an access structure W over the attribute set L, the DO returns a ciphertext \(C_W\). Note that each ciphertext \(C_W\) is associated with an access structure W.

4. Decrypt(\(pp, sk_S, C_W, S\)): Given \(pp, C_W, S\) and the corresponding secret key \(sk_S\), the DO or DU returns the plaintext \(\mu \) if \(S\vDash W\), or a symbol \(\bot \) indicating that either \(C_W\) is invalid or \(S\nvDash W\).

5. ReKeyGen(\(pp, S, W, W^1\)): Given pp, an attribute set S and two access structures \(W, W^1\), the TA returns a re-encryption key \(rk_{W\rightarrow W^1}\), which can be used to transform a ciphertext under W into a ciphertext under \(W^1\), if \(S\vDash W\), or a symbol \(\bot \) if \(S\nvDash W\). The access structures W and \(W^1\) are required to be disjoint, that is, \(S^+\subseteq S^{1,-}\) and \(S^-\subseteq S^{1,+}\), where \(S^+, S^{1,+}\) (\(S^-, S^{1,-}\)) are the positive (negative) attribute sets in \(W, W^1\).

6. ReEnc(\(pp, C_W, rk_{W\rightarrow W^1}\)): Given pp, \(C_W\) and \(rk_{W\rightarrow W^1}\), the CSP outputs the re-encrypted ciphertext \(C_{W^1}\), or a symbol \(\perp \) indicating that W and \(W^1\) are not disjoint.
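As an added illustration of Definition 1 and the disjointness condition in ReKeyGen (example code, not from the paper), the following Python encodes an AND-gate policy as the pair \((S^+, S^-)\), enumerates the satisfying attribute sets for the Sect. 2.3 instance \(W = (1 \wedge -3)\) over \(L = [4]\), and contrasts disjointness with mere incompatibility. The policies \(W^1 = (-1 \wedge 3)\) and \(W^2 = (-1)\) are constructed here for that comparison.

```python
# Added example (not from the paper): Definition 1 and the disjointness rule of
# ReKeyGen for AND-gate policies over positive and negative attributes.
# A policy W is encoded as the pair (S_plus, S_minus) of frozensets.
from itertools import combinations


def satisfies(S, W):
    """S |= W  iff  S^+ is a subset of S and S^- is disjoint from S (Definition 1)."""
    S_plus, S_minus = W
    return S_plus <= S and S_minus.isdisjoint(S)


def disjoint(W, W1):
    """Disjointness required by ReKeyGen: S^+ within S^{1,-} and S^- within S^{1,+}."""
    (S_plus, S_minus), (S1_plus, S1_minus) = W, W1
    return S_plus <= S1_minus and S_minus <= S1_plus


def satisfying_sets(L, W):
    """Brute-force all 2^|L| attribute sets over L that satisfy W."""
    return {frozenset(c) for k in range(len(L) + 1)
            for c in combinations(L, k) if satisfies(frozenset(c), W)}


def common_satisfiers(L, W, W1):
    """Attribute sets that would satisfy both the source and the target policy."""
    return satisfying_sets(L, W) & satisfying_sets(L, W1)


# Worked instance from Sect. 2.3: L = [4], W = (1 AND -3).
L = [1, 2, 3, 4]
W = (frozenset({1}), frozenset({3}))
W1 = (frozenset({3}), frozenset({1}))    # constructed: (-1 AND 3), disjoint from W
W2 = (frozenset(), frozenset({1}))       # constructed: (-1), incompatible with W but not disjoint

if __name__ == "__main__":
    print(sorted(sorted(s) for s in satisfying_sets(L, W)))  # [[1], [1, 2], [1, 4], [1, 2, 4]]
    print(disjoint(W, W1), disjoint(W, W2))                  # True False
    print(common_satisfiers(L, W, W1), common_satisfiers(L, W, W2))  # set() set()
```

Both W1 and W2 share no satisfying set with W, yet only W1 meets the paper's disjointness condition, which is stronger than mere incompatibility.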

Correctness: There are two requirements for correctness.

1. Decrypt(\(pp, sk_S, C_W\)) = \(\mu \), where \(C_W = Encrypt(pp, W, \mu )\) and \(S\vDash W\).

2. Decrypt(\(pp, sk_{S^1}, C_{W^1}\)) = \(\mu \), where \(C_{W^1} = ReEnc(pp, rk_{W\rightarrow W^1}, C_W)\), \(C_W = Encrypt(pp, W, \mu )\), \(rk_{W\rightarrow W^1} = ReKeyGen(pp, W, W^1)\) and \(S^1\vDash W^1\).

Definition 3

For a single-hop unidirectional CP-ABPRE scheme, let \(\kappa \) be a security parameter. Consider the following game, denoted by \(\mathrm{{Expt}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - \mathrm{{Or}}}\left( \kappa \right) \), between a challenger and an adversary \(\mathcal{A}\).

Initialization: The adversary chooses a challenge access structure \(W^*\) and sends it to the challenger.

Setup Phase: The challenger runs Setup(\(\kappa , L\)) and sends pp to the adversary.

Learning Phase: In this phase, the adversary may query the following oracles polynomially many times, and the challenger answers each query.

(1) Secret key oracle \(\mathcal{O}_{\mathrm{sk}}(S)\): The adversary inputs an attribute set S. If \(S \nvDash W^*\), the challenger returns \(sk_S \leftarrow \mathrm{KeyGen}(pp, msk, S)\). Otherwise, the challenger returns \(\bot \).

(2) Re-encryption key oracle \(\mathcal{O}_{\mathrm{rk}}(W, W')\): The adversary inputs two access structures \(W, W'\). If \(W = W^*\) and \(\mathcal{O}_{\mathrm{sk}}(S')\) has been queried for some \(S' \vDash W'\), the challenger returns \(\perp \). Otherwise, the challenger returns \(rk_{W \rightarrow W'} \leftarrow \mathrm{ReKeyGen}(pp, W, W')\).

(3) Re-encryption oracle \(\mathcal{O}_{\mathrm{re}}(rk_{W \rightarrow W'}, W', C_W)\): The adversary inputs \(W'\), \(C_W\) and \(rk_{W \rightarrow W'}\). If \(rk_{W \rightarrow W'} \leftarrow \mathrm{ReKeyGen}(pp, W, W')\), \(sk_S \leftarrow \mathrm{KeyGen}(pp, msk, S)\) and \(S \vDash W\), the challenger returns \(C_{W'} \leftarrow \mathrm{ReEnc}(pp, C_W, rk_{W \rightarrow W'})\). Otherwise, the challenger returns \(\perp \).

Challenge: Once the adversary has finished its oracle queries, it sends \(\mu \in \left\{ {0,1} \right\} \) to the challenger. The challenger flips a coin \(b \in \left\{ {0,1} \right\} \) and returns a random ciphertext C if \(b = 0\), or the real ciphertext \(C_{W^*} \leftarrow \mathrm{Encrypt}(pp, W^*, \mu )\) if \(b = 1\).

Guess: Finally, the adversary outputs a guess \(b' \in \left\{ {0,1} \right\} \). If \(b' = b\), the adversary wins.

We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at original ciphertext if for any PPT adversary, the advantage

$$\begin{aligned} \mathrm{{Adv}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - \mathrm{{Or}}}\left( \kappa \right) = \left| {Pr\left[ {b = b'} \right] - \frac{1}{2}} \right| \end{aligned}$$

of adversary is negligible.

Definition 4

For a single-hop unidirectional CP-ABPRE scheme, let \(\kappa \) be a security parameter. We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at re-encrypted ciphertext if for any PPT adversary, the advantage

$$\begin{array}{l} \mathrm{{Adv}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - {\mathop {\hbox {Re}}\nolimits } }\left( \kappa \right) = \left| {Pr\left[ \begin{array}{l} b = b': \\ \left( {{W^*},stat{e_1}} \right) \leftarrow \mathcal{A}\left( {{1^\kappa }} \right) ; \\ \left( {pp,msk} \right) \leftarrow Setup({1^\kappa },L); \\ \left( {\mu ,W,stat{e_2}} \right) \leftarrow {\mathcal{A}^{{\mathcal{O}_1}}}\left( {pp,stat{e_1}} \right) ; \\ b \leftarrow \left\{ {0,1} \right\} ; \\ C_{{W^*}}^* \leftarrow ReEnc\left( {r{k_{W \rightarrow {W^*}}},{C_W}} \right) ; \\ b' \leftarrow {\mathcal{A}^{{\mathcal{O}_1}}}\left( {C_{{W^*}}^*,stat{e_2}} \right) \\ \end{array} \right] - \frac{1}{2}} \right| \\ \end{array}$$

of the adversary is negligible, where \(\mathcal{O}_1 = \left\{ \mathcal{O}_{\mathrm{sk}}, \mathcal{O}_{\mathrm{rk}}, \mathcal{O}_{\mathrm{re}} \right\} \) are the oracles of Definition 3, with the restrictions that \(\mathcal{O}_{\mathrm{sk}}\) may not be queried on any \(S \vDash W^*\) and that \(\mathcal{O}_{\mathrm{rk}}, \mathcal{O}_{\mathrm{re}}\) may not be queried with a \(C_W\) that is a valid original ciphertext or a re-encrypted ciphertext; \(state_1\) and \(state_2\) are state information; \(W^*\) is the challenge access structure and W and \(W^*\) are disjoint; \(\mu \in \left\{ {0,1} \right\} \); and \(C_W\) is a random ciphertext C if \(b = 0\), or the real ciphertext \(C_W \leftarrow \mathrm{Encrypt}(pp, W, \mu )\) if \(b = 1\).

3 A CP-ABPRE Scheme

In this section, we first present a single-hop unidirectional CP-ABPRE scheme and then prove its correctness and security.

3.1 Concrete Scheme

Our single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms.

1. Setup(\(n, m, q, L\)): Given positive integers \(n, m, q\) and a set of attributes L, the TA samples \({\varvec{u}} \leftarrow \mathbb {Z}_q^n\), computes \(\left( {{A_{i,b}},{T_{i,b}}} \right) \leftarrow TrapGen\left( {q,n,m} \right) \) for \(i\in L\) and \(b\in \{0,1\}\), and returns the public parameters \(pp = \left( {\left\{ {{A_{i,b}}} \right\} _{i \in L}^{b \in \left\{ {0,1} \right\} },{\varvec{u}}} \right) \) and the master secret key \(msk = \left( {\left\{ {{T_{i,b}}} \right\} _{i \in L}^{b \in \left\{ {0,1} \right\} }} \right) \).

2. KeyGen(\(pp, msk, S\)): Given pp, msk and an attribute set S of the DU, where \(S \subseteq L\), the TA lets \({A_i} = \left\{ {\begin{array}{*{20}{c}} {{A_{i,0}},} &{} {i \in L\backslash S} \\ {{A_{i,1}},} &{} {i \in S} \\ \end{array}} \right. \), computes \({\varvec{s}} \leftarrow \mathrm{{SamplePre}}\left( {A,T,{\varvec{u}}} \right) \) and returns the secret key \(s{k_S} = {\varvec{s}}\), where \(A = \left( {{A_1}| \cdots |{A_{\left| L \right| }}} \right) \), \(T = \left[ {\begin{array}{*{20}{c}} {{T_1}} &{} {} &{} {} \\ {} &{} \ddots &{} {} \\ {} &{} {} &{} {{T_{\left| L \right| }}} \\ \end{array}} \right] \), and \(T_i\) is the basis for \(\varLambda _q^ \bot \left( {{A_i}} \right) \), \(i \in L\).

3. Encrypt(\(pp, W, \mu \)): Given pp, a message \(\mu \in \{0,1\}\) and an access structure W, the DO denotes by \({S^ + }\) (\({S^ - }\)) the positive (negative) attribute set in W and computes

    $$\begin{aligned} c = {{\varvec{u}}^T}{\varvec{f}} + {x_c} + \left\lfloor {\frac{q}{2}} \right\rfloor \mu , \end{aligned}$$
    $${{\varvec{c}}_{i,0}} = \left\{ {\begin{array}{*{20}{c}} {{{{\varvec{z}}}_{i,0}},} &{} {i \in {S^ + }} \\ {A_{_{i,0}}^T{\varvec{f}} + {{{\varvec{x}}}_{i,0}},} &{} {i \in {S^ - }} \\ \end{array}} \right. ,$$
    $${{\varvec{c}}_{i,1}} = \left\{ {\begin{array}{*{20}{c}} {A_{_{i,1}}^T{\varvec{f}} + {{{\varvec{x}}}_{i,1}},} &{} {i \in {S^ + }} \\ {{{{\varvec{z}}}_{i,1}},} &{} {i \in {S^ - }} \\ \end{array}} \right. ,$$
    $$\left( {\begin{array}{*{20}{c}} {{{{\varvec{c}}}_{j,0}}} \\ {{{{\varvec{c}}}_{j,1}}} \\ \end{array}} \right) = \left( {\begin{array}{*{20}{c}} {A_{_{j,0}}^T} \\ {A_{_{j,1}}^T} \\ \end{array}} \right) {\varvec{f}} + \left( {\begin{array}{*{20}{c}} {{{{\varvec{x}}}_{j,0}}} \\ {{{{\varvec{x}}}_{j,1}}} \\ \end{array}} \right) , $$

    for \(j \in L\backslash \left( {{S^ + } \cup {S^ - }} \right) \), and returns the ciphertext

    $$\begin{aligned} {C_W} = \left( {c;{{\left\{ {{{{\varvec{c}}}_{i,0}},{{{\varvec{c}}}_{i,1}}} \right\} }_{i \in L}}} \right) , \end{aligned}$$

    where \({x_c} \leftarrow \chi \), \({\varvec{f}} \leftarrow {\chi ^n}\) and \({{\varvec{z}}_{i,0}},{{\varvec{z}}_{i,1}},{{\varvec{x}}_{i,0}},{{\varvec{x}}_{i,1}} \leftarrow {\chi ^m}\).

4. Decrypt(\(pp, C_W, sk_S, S\)): After receiving the ciphertext \(C_W\) from the CSP, the DU computes \({\varvec{y}} = \left( {{{{\varvec{y}}}_1}; \cdots ;{{{\varvec{y}}}_{\left| L \right| }}} \right) \) by \({{\varvec{y}}_i} = \left\{ {\begin{array}{*{20}{c}} {{{{\varvec{c}}}_{i,1}},} &{} {i\, \in S} \\ {{{{\varvec{c}}}_{i,0}},} &{} {else} \\ \end{array}} \right. \), and then outputs 0 if \(\left( { - {{{\varvec{s}}}^T}|1} \right) \left( {{{{\varvec{y}}}^T};c} \right) = c - {{\varvec{y}}^T}{\varvec{s}}\) is closer to 0 than to \(\left\lfloor {\frac{q}{2}} \right\rfloor \) modulo q, and 1 otherwise.

5. ReKeyGen(\(pp, S, W, W^1\)): After receiving pp, S and two access structures \(W, W^1\) from the DO, the TA outputs \(\perp \) if W and \(W^1\) are not disjoint or \(S\nvDash W\); otherwise it denotes by \({S^{1, + }}\) (\({S^{1, - }}\)) the positive (negative) attribute set in \(W^1\), noting \({S^{1, + }} \subseteq L,{S^{1, - }} \subseteq L\), and computes

    $${Q_{i,0}} \leftarrow \left\{ {\begin{array}{*{20}{l}} {{{\overline{X} }_i},} &{} {i \in {S^{1, + }}} \\ {\mathrm{{P2}}\left( {R_{i,1 \rightarrow 0}^T} \right) + {X_i},} &{} {i \in {S^{1, - }}} \\ \end{array}} \right. ,$$
    $${Q_{i,1}} \leftarrow \left\{ {\begin{array}{*{20}{l}} {\mathrm{{P2}}\left( {R_{_{i,0 \rightarrow 1}}^T} \right) + {X_i},} &{} {i \in {S^{1, + }}} \\ {\overline{{X_i}} ,} &{} {i \in {S^{1, - }}} \\ \end{array}} \right. ,$$
    $$\begin{aligned} {Q_{i,0}} \leftarrow P2\left( {R_{_{i,1 \rightarrow 0}}^T} \right) + {X_{i,0}},i \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) , \end{aligned}$$
    $$\begin{aligned} {Q_{i,1}} \leftarrow P2\left( {R_{_{i,0 \rightarrow 1}}^T} \right) + {X_{i,1}},i \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) , \end{aligned}$$

    where \({R_{i,1 \rightarrow 0}} \leftarrow \mathrm{{SamplePre}}\left( {{A_{i,1}},{T_{i,1}},{A_{i,0}}} \right) \), \({R_{i,0 \rightarrow 1}} \leftarrow \mathrm{{SamplePre}}\left( {A_{i,0}},\right. \left. {T_{i,0}},{A_{i,1}} \right) \), \({X_i},{X_{i,0}},{X_{i,1}} \leftarrow {\chi ^{m \times m\left\lceil {\log q} \right\rceil }}\) and \(\overline{{X_i}} \leftarrow \mathbb {Z}_q^{m \times m\left\lceil {\log q} \right\rceil }\), and finally returns the re-encryption key \(r{k_{W \rightarrow {W^1}}} = \left( {{{\left\{ {{Q_{i,0}},{Q_{i,1}}} \right\} }_{i \in L}}} \right) \).

6. ReEnc(\(pp, C_W, r{k_{W \rightarrow {W^1}}}\)): Given pp, \(C_W\) and \(r{k_{W \rightarrow {W^1}}}\), the CSP computes

    $${\varvec{c}}_{_{i,0}}^1 = \left\{ {\begin{array}{*{20}{l}} {{Q_{i,0}}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1,} &{} {i \in {S^{1, - }}} \\ {{\varvec{z}}_{_{i,0}}^1,} &{} {i \in {S^{1, + }}} \\ \end{array}} \right. ,$$
    $${\varvec{c}}_{_{i,1}}^1 = \left\{ {\begin{array}{*{20}{l}} {{Q_{i,1}}BD\left( {{{{\varvec{c}}}_{i,0}}} \right) + {\varvec{x}}_{_{i,1}}^1,} &{} {i \in {S^{1, + }}} \\ {{\varvec{z}}_{_{i,1}}^1,} &{} {i \in {S^{1, - }}} \\ \end{array}} \right. ,$$
    $$\begin{aligned} {\varvec{c}}_{j,0}^1 = {Q_{j,0}}BD\left( {{{{\varvec{c}}}_{j,1}}} \right) + {\varvec{x}}_{j,0}^1, \end{aligned}$$
    $$\begin{aligned} {\varvec{c}}_{_{j,1}}^1 = {Q_{j,1}}BD\left( {{{{\varvec{c}}}_{j,0}}} \right) + {\varvec{x}}_{_{j,1}}^1, \end{aligned}$$
    $$\begin{aligned} j \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) , \end{aligned}$$

    where \({\varvec{x}}_{_{i,0}}^1,{\varvec{x}}_{_{i,1}}^1,{\varvec{x}}_{_{j,0}}^1,{\varvec{x}}_{_{j,1}}^1 \leftarrow {\chi ^m}\) and \({\varvec{z}}_{_{i,0}}^1,{\varvec{z}}_{_{i,1}}^1 \leftarrow \mathbb {Z}_q^m\), and outputs the re-encrypted ciphertext

    $$\begin{aligned} {C_{{W^1}}} = \left( {c;{{\left\{ {{\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^1} \right\} }_{i \in L}}} \right) . \end{aligned}$$

3.2 Correctness and Parameters

We show correctness and set the parameters in this subsection.

First, we prove that Decrypt(\(pp, sk_S ,C_W)\) = \(\mu \), where \(C_W=Encrypt(pp, W, \mu )\) and \(S\vDash W\).

For an attribute set S, let \({A_i} = \left\{ {\begin{array}{*{20}{c}} {{A_{i,0}},} &{} {i \in L\backslash S} \\ {{A_{i,1}},} &{} {i \in S} \\ \end{array}} \right. \) and \(A = \left( {{A_1}| \cdots |{A_{\left| L \right| }}} \right) \). Since \(T_i\) is the basis for \(\varLambda _q^ \bot \left( {{A_i}} \right) \) for each \(i \in L\), we have \(AT = \left( {{A_1}| \cdots |{A_{\left| L \right| }}} \right) \left[ {\begin{array}{*{20}{c}} {{T_1}} &{} {} &{} {} \\ {} &{} \ddots &{} {} \\ {} &{} {} &{} {{T_{\left| L \right| }}} \\ \end{array}} \right] = 0\) and \(\left| T \right| = \prod \limits _{i \in L} {\left| {{T_i}} \right| } \ne 0\), so \(T = \left[ {\begin{array}{*{20}{c}} {{T_1}} &{} {} &{} {} \\ {} &{} \ddots &{} {} \\ {} &{} {} &{} {{T_{\left| L \right| }}} \\ \end{array}} \right] \) is a basis for \(\varLambda _q^ \bot \left( A \right) \). Hence the TA can compute \({\varvec{s}} = \left( {{{{\varvec{s}}}_1}; \cdots ;{{{\varvec{s}}}_{\left| L \right| }}} \right) \leftarrow \mathrm{{SamplePre}}\left( {A,T,{\varvec{u}}} \right) \) such that \({\varvec{u}} = A{\varvec{s}} = \sum \limits _{i = 1}^{\left| L \right| } {{A_i}} {{\varvec{s}}_i}\). Since \(S\vDash W\), we know that

$$\begin{aligned} {\varvec{y}} = \left( {{{{\varvec{y}}}_1}; \cdots ;{{{\varvec{y}}}_{\left| L \right| }}} \right) = {A^T}{\varvec{f}} + {\varvec{x}}, \end{aligned}$$

where \({\varvec{x}} = \left( {{{{\varvec{x}}}_1}; \cdots ;{{{\varvec{x}}}_{\left| L \right| }}} \right) \), \({{\varvec{x}}_i} = \left\{ {\begin{array}{*{20}{c}} {{{{\varvec{x}}}_{i,0}},} &{} {i \in L\backslash S} \\ {{{{\varvec{x}}}_{i,1}},} &{} {i \in S} \\ \end{array}} \right. \). Thus,

$$\begin{array}{l} c - {{{\varvec{s}}}^T}{\varvec{y}} \\ = {{{\varvec{u}}}^T}{\varvec{f}} + {x_c} + \left\lfloor {\frac{q}{2}} \right\rfloor \mu - {{{\varvec{s}}}^T}\left( {{A^T}{\varvec{f}} + {\varvec{x}}} \right) \\ = \left\lfloor {\frac{q}{2}} \right\rfloor \mu + \left( {{x_c} - {{{\varvec{s}}}^T}{\varvec{x}}} \right) . \\ \end{array}.$$

If \(\left| {x_c} - {{{{\varvec{s}}}^T}{\varvec{x}}} \right| < {\left\lfloor {\frac{q}{2}} \right\rfloor }/2\), then we can recover \(\mu \).

Next, we prove that Decrypt(\(pp, sk_{S^1}, C_{W^1}\)) = \(\mu \), where \(C_{W^1}=ReEnc(pp, rk_{W\rightarrow W^1},C_W)\), \(rk_{W\rightarrow W^1}=ReKeyGen(pp, W, W^1)\), \(C_W=Encrypt(pp, W, \mu )\) and \(S^1\vDash W^1\).

Let \({S^{1, + }},{S^{1, - }}\) be the positive and negative attribute sets in \(W^1\), let \({C_W} = \left( {c;{{\left\{ {{{{\varvec{c}}}_{i,0}},{{{\varvec{c}}}_{i,1}}} \right\} }_{i \in L}}} \right) \) be a ciphertext under W, and let \(r{k_{W \rightarrow {W^1}}} = \left( {{{\left\{ {{Q_{i,0}},{Q_{i,1}}} \right\} }_{i \in L}}} \right) \) be a re-encryption key. Since the access structures W and \(W^1\) are disjoint, we know that if \(i \in {S^{1, - }}\), then

$$\begin{array}{l} {\varvec{c}}_{_{i,0}}^1 = Q_{i,0}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1 \\ \;\,\,\,\;\, = \left[ {\mathrm{{P2}}\left( {R_{i,1 \rightarrow 0}^T} \right) + {X_i}} \right] BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1 \\ \;\,\,\,\;\, = R_{i,1 \rightarrow 0}^T{{{\varvec{c}}}_{i,1}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1 \\ \;\,\,\,\;\, = R_{i,1 \rightarrow 0}^TA_{_{i,1}}^T{\varvec{f}} + R_{i,1 \rightarrow 0}^T{{{\varvec{x}}}_{i,1}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1 \\ \;\,\,\,\;\, = A_{_{i,0}}^T{\varvec{f}} + R_{i,1 \rightarrow 0}^T{{{\varvec{x}}}_{i,1}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1 , \\ \end{array}$$

that is

$${\varvec{c}}_{_{i,0}}^1 = \left\{ {\begin{array}{*{20}{l}} {A_{_{i,0}}^T{\varvec{f}} + {\varvec{x}}_{_{i,0}}^2,} &{} {i \in {S^{1, - }}} \\ {{\varvec{z}}_{_{i,0}}^1,} &{} {i \in {S^{1, + }}} \\ \end{array}} \right. ,$$

where \({\varvec{x}}_{_{i,0}}^2\; = R_{i,1 \rightarrow 0}^T{{\varvec{x}}_{i,1}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1\). Similarly, we have

$${\varvec{c}}_{_{i,1}}^1 = \left\{ {\begin{array}{*{20}{l}} {A_{_{i,1}}^T{\varvec{f}} + {\varvec{x}}_{_{i,1}}^2,} &{} {i \in {S^{1, + }}} \\ {{\varvec{z}}_{_{i,1}}^1,} &{} {i \in {S^{1, - }}} \\ \end{array}} \right. ,$$

where \({\varvec{x}}_{_{i,1}}^2\; = R_{i,0 \rightarrow 1}^T{{\varvec{x}}_{i,0}} + {X_i}BD\left( {{{{\varvec{c}}}_{i,0}}} \right) + {\varvec{x}}_{_{i,1}}^1\),

$$\begin{aligned} {\varvec{c}}_{_{j,0}}^1 = A_{_{j,0}}^T{\varvec{f}} + {\varvec{x}}_{_{j,0}}^2, \end{aligned}$$
$$\begin{aligned} {\varvec{c}}_{_{j,1}}^1 = A_{j,1}^T{\varvec{f}} + {\varvec{x}}_{_{j,1}}^2, \end{aligned}$$

where \({\varvec{x}}_{_{j,0}}^2\; = R_{j,1 \rightarrow 0}^T{{\varvec{x}}_{j,1}} + {X_{j,0}}BD\left( {{{{\varvec{c}}}_{j,1}}} \right) + {\varvec{x}}_{_{j,0}}^1\), \({\varvec{x}}_{_{j,1}}^2\; = R_{j,0 \rightarrow 1}^T{{\varvec{x}}_{j,0}} + {X_{j,1}}BD\left( {{{{\varvec{c}}}_{j,0}}} \right) + {\varvec{x}}_{_{j,1}}^1\), \(j \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \).

For the attribute set \(S^1\), let \({A_i} = \left\{ {\begin{array}{*{20}{c}} {{A_{i,0}},} &{} {i \in L\backslash {S^1}} \\ {{A_{i,1}},} &{} {i \in {S^1}} \\ \end{array}} \right. \) and \(A^1 = \left( {{A_1}| \cdots |{A_{\left| L \right| }}} \right) \). The TA can compute \({{\varvec{s}}^1} \leftarrow \mathrm{{SamplePre}}\left( {{A^1},{T^1},{\varvec{u}}} \right) \) such that \({A^1}{{\varvec{s}}^1} = {\varvec{u}}\), where \({T^1} = \left( {\begin{array}{*{20}{c}} {{T_1}} &{} {} &{} {} \\ {} &{} \ddots &{} {} \\ {} &{} {} &{} {{T_{\left| L \right| }}} \\ \end{array}} \right) \) is the basis for \(\varLambda _q^ \bot \left( {{A^1}} \right) \). Since \(S^1\vDash W^1\), we know that \({{\varvec{y}}^1} = \left( {{\varvec{y}}_1^1; \cdots ;{\varvec{y}}_{_{\left| L \right| }}^1} \right) = {A^1}^T{\varvec{f}} + {{\varvec{x}}^1}\), where \({{\varvec{x}}^1} = \left( {{\varvec{x}}_1^1; \cdots ;{\varvec{x}}_{_{\left| L \right| }}^1} \right) \) and \({\varvec{x}}_i^1 = \left\{ {\begin{array}{*{20}{c}} {{\varvec{x}}_{_{i,0}}^2,} &{} {i \in L\backslash {S^1}} \\ {{\varvec{x}}_{_{i,1}}^2,} &{} {i \in {S^1}} \\ \end{array}} \right. \). Thus,

$$\begin{aligned} c - {{\varvec{s}}^{1T}}{{\varvec{y}}^1} = \left\lfloor {\frac{q}{2}} \right\rfloor \mu + \left( {{x_c} - {{{\varvec{s}}}^{1T}}{{{\varvec{x}}}^1}} \right) . \end{aligned}$$

If \(\left| {x_c} - {{{\varvec{s}}}^{1T}{\varvec{x}}^1} \right| < {\left\lfloor {\frac{q}{2}} \right\rfloor }/2\), then we can recover \(\mu \).
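To make the algebra of Sect. 3.1 and the two correctness arguments above concrete, here is an added toy walk-through in Python (example code, not the paper's). It assumes constructed parameters: tiny insecure n, m, q, uniform noise in place of \(\overline{\varPsi }_\alpha \), policies that mention every attribute (so \(W^1\) is the complement of W), and, because TrapGen and SamplePre are not implemented, small matrices \(R_i\) are drawn first and the public matrices \(A_{i,1-b} = A_{i,b}R_i\) derived from them; the re-encryption then follows ReKeyGen and ReEnc as written, and the identity \(P2(R^T)BD({\varvec{c}}) = R^T{\varvec{c}}\) from Sect. 2.1 is checked separately.

```python
# Added example (not the paper's code): a toy, trapdoor-free run of the CP-ABPRE of
# Sect. 3.1 for |L| = 2, checking both correctness claims of Sect. 3.2.  Constructed
# stand-ins: tiny insecure n, m, q; uniform noise in [-B, B] for chi; and, in place of
# TrapGen/SamplePre, small matrices drawn first with public matrices derived from them.
import random

q = 16381                   # toy prime modulus (constructed)
n, m = 4, 8                 # toy LWE dimensions (constructed)
l = (q - 1).bit_length()    # l = ceil(log2 q) = 14
rng = random.Random(7)      # fixed seed: the run is reproducible

def small(rows, cols, bound):
    """Stand-in for chi: entries uniform in [-bound, bound]."""
    return [[rng.randint(-bound, bound) for _ in range(cols)] for _ in range(rows)]

def uniform(rows, cols):
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]

def mul(A, B):
    """Matrix product mod q; column vectors are rows x 1 matrices."""
    return [[sum(a * b for a, b in zip(r, c)) % q for c in zip(*B)] for r in A]

def add(A, B):
    return [[(a + b) % q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def tr(A):
    return [list(c) for c in zip(*A)]

def P2(M):
    """P2 of Sect. 2.1 on a matrix: each row r becomes (r | 2r | ... | 2^(l-1) r)."""
    return [[(r_j << k) % q for k in range(l) for r_j in row] for row in M]

def BD(v):
    """BD on a column vector: stack the bit vectors u_1; ...; u_l, so P2(R^T) BD(v) = R^T v."""
    return [[(v_j[0] >> k) & 1] for k in range(l) for v_j in v]

def gadget_identity_holds():
    """Check P2(R^T) BD(c) == R^T c (mod q), the step used in the Sect. 3.2 derivation."""
    R, c = small(m, m, 1), uniform(m, 1)
    return mul(P2(tr(R)), BD(c)) == mul(tr(R), c)

def toy_setup(W):
    """W maps each attribute i to the bit it requires (1: i, 0: -i); the target
    policy W^1 is its bitwise complement, so W and W^1 are disjoint."""
    A, R, s1, u = {}, {}, {}, [[0]] * n
    for i, b in W.items():
        A[i, b] = uniform(n, m)
        R[i] = small(m, m, 1)                # plays SamplePre(A_{i,b}, T_{i,b}, A_{i,1-b})
        A[i, 1 - b] = mul(A[i, b], R[i])     # hence A_{i,b} R_i = A_{i,1-b}
        s1[i] = small(m, 1, 1)               # key share of S^1 (S^1 |= W^1)
        u = add(u, mul(A[i, 1 - b], s1[i]))  # u = A^1 s^1
    s = {i: mul(R[i], s1[i]) for i in W}     # A_{i,b} s_i = A_{i,1-b} s1_i, so A s = u as well
    return A, R, u, s, s1

def encrypt(A, u, W, mu):
    f = small(n, 1, 2)
    c = (mul(tr(u), f)[0][0] + rng.randint(-2, 2) + (q // 2) * mu) % q
    comps = {}
    for i, b in W.items():
        comps[i, b] = add(mul(tr(A[i, b]), f), small(m, 1, 2))  # A_{i,b}^T f + x_{i,b}
        comps[i, 1 - b] = uniform(m, 1)                          # z_{i,1-b}: random slot
    return c, comps

def decrypt(C, sk, S):
    c, comps = C
    for i, s_i in sk.items():                # y_i = c_{i,1} if i in S else c_{i,0}
        c -= mul(tr(s_i), comps[i, 1 if i in S else 0])[0][0]
    e = c % q                                # closer to 0 than to q/2 (mod q)?
    return 0 if min(e, q - e) < q // 4 else 1

def rekeygen(R, W, W1):
    if any(W[i] == W1[i] for i in W):
        return None                          # W and W^1 must be disjoint
    rk = {}
    for i, b1 in W1.items():
        rk[i, b1] = add(P2(tr(R[i])), small(m, m * l, 1))  # P2(R_{i,1-b1 -> b1}^T) + X_i
        rk[i, 1 - b1] = uniform(m, m * l)                  # X-bar_i: random slot
    return rk

def reenc(C, rk, W1):
    c, comps = C
    new = {}
    for i, b1 in W1.items():                 # c^1_{i,b1} = Q_{i,b1} BD(c_{i,1-b1}) + x^1
        new[i, b1] = add(mul(rk[i, b1], BD(comps[i, 1 - b1])), small(m, 1, 2))
        new[i, 1 - b1] = uniform(m, 1)
    return c, new

def demo(mu):
    """Encrypt under W = (1 AND -2), re-encrypt to W^1 = (-1 AND 2), decrypt both."""
    W = {1: 1, 2: 0}
    W1 = {i: 1 - b for i, b in W.items()}
    A, R, u, s, s1 = toy_setup(W)
    S, S1 = {1}, {2}                         # S |= W and S^1 |= W^1
    C = encrypt(A, u, W, mu)
    C1 = reenc(C, rekeygen(R, W, W1), W1)
    return decrypt(C, s, S), decrypt(C1, s1, S1)

if __name__ == "__main__":
    print(gadget_identity_holds(), demo(0), demo(1))   # True (0, 0) (1, 1)
```

With these bounds the re-encryption noise \(R^T{\varvec{x}} + X\,BD({\varvec{c}}) + {\varvec{x}}^1\) stays below 130 per component and the final error below \(q/4\), so both decryptions succeed deterministically.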

Finally, we set the parameters.

(1) Algorithm TrapGen requires \(m\ge 6n\log q\).

(2) Algorithm SamplePre requires \(\sigma \ge \left\| {\widetilde{\mathbf{T}}} \right\| \omega \left( {\sqrt{\log m} } \right) \).

(3) Correct decryption of the original ciphertext requires \(\left| {{x_c} - {{{\varvec{s}}}^T}{\varvec{x}}} \right| < {\left\lfloor {\frac{q}{2}} \right\rfloor }/2\).

(4) Correct decryption of the re-encrypted ciphertext requires \(\left| {x_c} - {{{{\varvec{s}}}^{1T}}{\varvec{x}}^1} \right| < {\left\lfloor {\frac{q}{2}} \right\rfloor }/2\).

(5) The hardness of LWE requires \(\alpha q >2\sqrt{n}\).

Let \(\chi = {\overline{\varPsi }_\alpha }\). We set the parameters as follows:

\(n=\kappa \), q is the prime nearest to \({2^{{n^\delta }}}\), \(m = 6n\left\lceil {\log q} \right\rceil \), \(\sigma = m\omega \left( {\sqrt{\log m} } \right) \), \(\alpha = {\left[ {5{m^3}{\sigma ^2}\left| L \right| \omega \left( {\sqrt{\log m} } \right) } \right] ^{ - 1}}\), where \(\delta \) is a constant between 0 and 1.

We only verify (4), that is, \(\left| {x_c} - {{{{\varvec{s}}}^{1T}}{\varvec{x}}^1} \right| \) < \({\left\lfloor {\frac{q}{2}} \right\rfloor }\)/2. The others can be verified in the same way.

From the entries of \({\varvec{x}}^1\), we have

$$\begin{aligned} {\left\| {{{{\varvec{x}}}^1}} \right\| _\infty } \le \left| {{{{\varvec{r}}}^T}{\varvec{x}}'} \right| + m\left\lceil {\log q} \right\rceil {\left\| {{\varvec{x}}''} \right\| _\infty } + {\left\| {{\varvec{x}}'''} \right\| _\infty }, \end{aligned}$$

where \({\varvec{x}}',{\varvec{x}}''' \leftarrow {\chi ^m}\), \({\varvec{x}}'' \leftarrow {\chi ^{m \times m\left\lceil {\log q} \right\rceil }}\), \({\varvec{r}}\) is a column of \({R_{i,1 \rightarrow 0}},{R_{i,0 \rightarrow 1}}\). By Lemmas 1 and 3, we have \(||{\varvec{r}}||\le \sigma \sqrt{ m}\). By Lemma 4, we have

$$\begin{array}{l} {\left\| {{{{\varvec{x}}}^1}} \right\| _\infty } \le \left| {{{{\varvec{r}}}^T}{\varvec{x}}'} \right| + m\left\lceil {\log q} \right\rceil {\left\| {{\varvec{x}}''} \right\| _\infty } + {\left\| {{\varvec{x}}'''} \right\| _\infty } \\ \le \sigma \sqrt{m} q\alpha \omega \left( {\sqrt{\log m} } \right) + \sigma {m/2} + m\left\lceil {\log q} \right\rceil \left( {q\alpha \omega \left( {\sqrt{\log m} } \right) + {1/2}} \right) + q\alpha \omega \left( {\sqrt{\log m} } \right) + {1/2} \\ = q\alpha \omega \left( {\sqrt{\log m} } \right) \left[ {\sigma \sqrt{m} + m\left\lceil {\log q} \right\rceil + 1} \right] + \sigma {m/2} + {{m\left\lceil {\log q} \right\rceil }/2} + {1/2} \\ \le 2\sigma \sqrt{m} q\alpha \omega \left( {\sqrt{\log m} } \right) + \sigma m \\ \end{array}.$$

Thus,

$$\begin{array}{l} \left| {{x_c} - {{{\varvec{s}}}^{1T}}{{{\varvec{x}}}^1}} \right| \le \left| {{x_c}} \right| + \left| {{{{\varvec{s}}}^{1T}}{{{\varvec{x}}}^1}} \right| \le \left| {{x_c}} \right| + m\sqrt{\left| L \right| } \left\| {{{{\varvec{s}}}^1}} \right\| {\left\| {{{{\varvec{x}}}^1}} \right\| _\infty } \\ \le q\alpha \omega \left( {\sqrt{\log m} } \right) + {1/2} + m\sqrt{\left| L \right| } \sigma \sqrt{\left| L \right| m} \left[ {2\sigma \sqrt{m} q\alpha \omega \left( {\sqrt{\log m} } \right) + \sigma m} \right] \\ = q\alpha \omega \left( {\sqrt{\log m} } \right) \left[ {1 + 2{m^2}{\sigma ^2}\left| L \right| } \right] + {1/2} + {m^{\frac{5}{2}}}{\sigma ^2}\left| L \right| \\ < q\alpha \omega \left( {\sqrt{\log m} } \right) {m^3}{\sigma ^2}\left| L \right| \\ \le \frac{q}{5} \\ \end{array}.$$
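The parameter setting and the verification of (4) and (5) can be checked numerically. The following added example (not the paper's code) instantiates \(n = \kappa\), the prime \(q\) nearest to \(2^{n^\delta}\), \(m\), \(\sigma\) and \(\alpha\) for given \(\kappa\), \(\delta\) and \(|L|\), evaluates the final bound \(q\alpha\omega(\sqrt{\log m})\,m^3\sigma^2|L|\) against \(\lfloor q/2 \rfloor / 2\), and tests the LWE condition \(\alpha q > 2\sqrt{n}\). Its assumptions: \(\log\) is base 2, the asymptotic factor \(\omega(\sqrt{\log m})\) is instantiated as \(\log_2 m\), the prime search uses a Miller-Rabin test, and condition (2) is not evaluated because no trapdoor basis is built. Beyond the text, it also scans \(\delta\) to find the smallest value for which (5) holds at a given \(\kappa\), which shows how close to \(2^n\) the modulus has to be for these asymptotic settings.

```python
import math

# Numeric instantiation of the parameter setting
#   n = kappa, q = prime nearest 2^{n^delta}, m = 6 n ceil(log q),
#   sigma = m w(sqrt(log m)), alpha = [5 m^3 sigma^2 |L| w(sqrt(log m))]^-1
# and checks of conditions (1), (4) and (5). Added example, not the paper's code.
# Assumptions: log is base 2; w(sqrt(log m)) is instantiated as log2(m); condition (2)
# is skipped because the trapdoor basis is never materialised.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic below 3.3e24, strong evidence above)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pow2_real(e):
    """Integer closest to 2^e for a real exponent e, exact enough for large e."""
    if e < 53:
        return max(2, round(2.0 ** e))
    k = int(e)
    mantissa = round((2.0 ** (e - k)) * (1 << 53))
    return mantissa << (k - 53)


def nearest_prime(x):
    """Prime nearest to x (the smaller one wins ties)."""
    for d in range(x):
        if is_probable_prime(x - d):
            return x - d
        if is_probable_prime(x + d):
            return x + d
    return 2


def omega_sqrt_log(m):
    """Assumed instantiation of the asymptotic factor w(sqrt(log m))."""
    return math.log2(m)


def instantiate(kappa, delta, L):
    """Derive (n, q, m, sigma, alpha) from the paper's setting and evaluate the conditions."""
    n = kappa
    q = nearest_prime(pow2_real(n ** delta))
    m = 6 * n * math.ceil(math.log2(q))
    w = omega_sqrt_log(m)
    sigma = m * w
    alpha = 1.0 / (5 * m ** 3 * sigma ** 2 * L * w)
    # Final line of the noise analysis: q alpha w m^3 sigma^2 |L|, compared with floor(q/2)/2.
    noise_bound = q * alpha * w * m ** 3 * sigma ** 2 * L
    return {
        "n": n, "q": q, "m": m, "sigma": sigma, "alpha": alpha,
        "cond1_trapgen": m >= 6 * n * math.log2(q),
        "cond4_noise": noise_bound < (q // 2) / 2,
        "cond5_lwe": alpha * q > 2 * math.sqrt(n),
    }


def smallest_delta(kappa, L, step=0.01):
    """Smallest delta on the grid (0, 1) for which the LWE condition (5) holds, or None."""
    for k in range(1, int(round(1 / step))):
        delta = k * step
        if instantiate(kappa, delta, L)["cond5_lwe"]:
            return delta
    return None


if __name__ == "__main__":
    for delta in (0.5, 0.9, 0.98):
        p = instantiate(128, delta, 10)
        print(f"delta={delta}: log2 q={math.log2(p['q']):.1f} m={p['m']} "
              f"cond1={p['cond1_trapgen']} cond4={p['cond4_noise']} cond5={p['cond5_lwe']}")
    print("smallest delta satisfying (5) at kappa=128, |L|=10:", smallest_delta(128, 10))
```

Condition (4) holds by construction, since \(\alpha\) is chosen so that the bound equals \(q/5\); the informative output is condition (5), which at \(\kappa = 128\) and \(|L| = 10\) fails for \(\delta = 0.5\) and \(0.9\) and only holds once \(\delta\) is close to 1, i.e. once \(q\) has roughly a hundred bits or more.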

3.3 Security

Theorem 2

Let \(n, q, m, \sigma , \alpha \) be as set above. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at original ciphertext.

Proof

Consider the following games.

\(Game^b_0\): This is the real game \(\mathrm{{Expt}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - \mathrm{{Or}}}\left( \kappa \right) \) with \(b \in \{0,1\}\). Suppose \(W^*\) is the adversary’s access structure; the challenger denotes the positive (negative) attribute set in \(W^*\) as \({S^{*, + }}\left( {{S^{*, - }}} \right) \). The challenger answers the adversary’s challenge query on \(\mu \in \{0,1\}\) as follows:

  • If \(b=0\), output \({\varvec{c}} \leftarrow \mathbb {Z}_q^{1 + 2\left| L \right| m}\).

  • If \(b=1\), output \({\mathrm{{C}}_{{W^*}}} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ }}{\mathrm{{W}}^*},\mathrm{{ }}\mu )\).

Finally, the adversary outputs a guess \(b' \in \{0,1\}\).

\(Game^b_1\): We modify the secret key oracle \({\mathcal{O}_{\mathrm{{sk}}}}\left( S \right) \). If the adversary inputs an attribute set S and \(S\vDash W^*\), then the challenger returns \(\perp \). If \(S\nvDash W^*\), the challenger lets \({A_i} = \left\{ {\begin{array}{*{20}{c}} {{A_{i,0}},} &{} {i \in L\backslash S} \\ {{A_{i,1}},} &{} {i \in S} \\ \end{array}} \right. \), samples \({\varvec{s}}_i^ + \leftarrow {D_{{\mathbb {Z}^m},\sigma }}\), \(i \in [|L|-1]\), computes \({\varvec{u}}' = {\varvec{u}} - \sum \limits _{i = 1}^{\left| L \right| - 1} {{A_i}{\varvec{s}}_i^ + }\), \({\varvec{s}}_{\left| L \right| }^ + \leftarrow \mathrm{{SamplePre}}\left( {{A_{\left| L \right| }},{T_{\left| L \right| }},{\varvec{u}}'} \right) \) and outputs the secret key \({{\varvec{s}}^ + } = \left( {{\varvec{s}}_1^ + , \cdots ,{\varvec{s}}_{\left| L \right| }^ + } \right) \). The others are the same as \(Game^b_0\).

Since the distribution of \({{\varvec{s}}^ + }\) is the same as that of the real secret key \({{\varvec{s}} }\), and \(A{{\varvec{s}}^ + } = {\varvec{u}}\), we have \({{\varvec{s}}^ + }{ \approx _s}{\varvec{s}}\). Thus, \(\mathrm{{Game}}_0^b{ \approx _s}\mathrm{{Game}}_1^b\).

\(Game^b_2\): We modify the re-encryption key oracle \({\mathcal{O}_{\mathrm{{rk}}}}\left( {W,W'} \right) \). We replace \(\mathrm{{P2}}\left( {R_{i,1 \rightarrow 0}^T} \right) + {X_i}\), \(i \in {S^{1, - }}\), \(\mathrm{{P2}}\left( {R_{_{i,0 \rightarrow 1}}^T} \right) + {X_i}\), \(i \in {S^{1, + }}\), and \({Q_{i,0}},{Q_{i,1}}\), \(i \in \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \) with \(Q_{_{i,1 \rightarrow 0}}^*,Q_{_{i,0 \rightarrow 1}}^*,Q_{_{i,0}}^*,Q_{_{i,1}}^* \leftarrow {D_{{\mathbb {Z}^{m \times m\left\lceil {\log q} \right\rceil }},\sigma }}\), respectively. The others are the same as \(Game^b_1\).

Since the distributions of \(Q_{_{i,0}}^*,Q_{_{i,1}}^* \leftarrow {D_{{\mathbb {Z}^{m \times m\left\lceil {\log q} \right\rceil }},\sigma }}\) are the same as those of \(Q_{_{i,0}}, Q_{_{i,1}}\), respectively, we have \(Q_{_{i,0}}^*{ \approx _s}{Q_{i,0}}\), \(Q_{_{i,1}}^*{ \approx _s}{Q_{i,1}}\). Thus, \(\mathrm{{Game}}_1^b{ \approx _s}\mathrm{{Game}}_2^b\).

\(Game^b_3\): We modify the re-encryption oracle \({\mathcal{O}_{\mathrm{{re}}}}\left( {r{k_{S \rightarrow W'}},W',{C_W}} \right) \). We replace \({\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^1\) with \({\varvec{c}}_{i,0}^{1, + },{\varvec{c}}_{i,1}^{1, + } \leftarrow {D_{\mathbb {Z}_q^m,\sigma }}\), respectively, \(i \in [|L|]\). The others are the same as \(Game^b_2\).

Since \(Q_{_{i,0}}^*,Q_{_{i,1}}^* \leftarrow {D_{{\mathbb {Z}^{m \times m\left\lceil {\log q} \right\rceil }},\sigma }}\) and \({\varvec{x}}_{_{i,0}}^1,{\varvec{x}}_{_{i,1}}^1 \leftarrow {D_{{\mathbb {Z}^m},\sigma }}\), the distributions of \({\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^1\) and \({\varvec{c}}_{i,0}^{1, + },{\varvec{c}}_{i,1}^{1, + }\) are the same. Thus, \({\varvec{c}}_{i,0}^{1, + }{ \approx _s}{\varvec{c}}_{i,0}^1,{\varvec{c}}_{i,1}^{1, + }{ \approx _s}{\varvec{c}}_{i,1}^1\). Furthermore, \(\mathrm{{Game}}_3^b{ \approx _s}\mathrm{{Game}}_2^b\).

\(Game^b_4\): We replace \({\mathrm{{C}}_{{W^*}}} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ }}{\mathrm{{W}}^*},\mathrm{{ }}\mu )\) with \({{\varvec{c}}^ + } \leftarrow \mathbb {Z}_q^{1 + 2\left| L \right| m}\), where \({{\varvec{c}}^ + } = \left( {{c^ + };{{\left\{ {{\varvec{c}}_{_{i,0}}^ + ,{\varvec{c}}_{_{i,1}}^ + } \right\} }_{i \in L}}} \right) \). The others are the same as \(Game^b_3\).

We have \({c^ + }{ \approx _c}c\), \({\varvec{c}}_{_{i,1}}^ + { \approx _c}{{\varvec{c}}_{i,1}}\),\(i \in {S^ + } \cup L\backslash \left( {{S^ + } \cup {S^ - }} \right) \), \({\varvec{c}}_{_{i,0}}^ + { \approx _c}{{\varvec{c}}_{i,0}}\), \(i \in {S^ - } \cup L\backslash \left( {{S^ + } \cup {S^ - }} \right) \) under the LWE assumption and \({\varvec{c}}_{_{i,1}}^ + { \approx _s}{{\varvec{c}}_{i,1}}\), \(i \in {S^ - }\), \({\varvec{c}}_{_{i,0}}^ + { \approx _s}{{\varvec{c}}_{i,0}}\), \(i \in {S^ + }\). Thus \({\mathrm{{C}}_{{W^*}}}{ \approx _c}{{\varvec{c}}^ + }\). Furthermore, \(\mathrm{{Game}}_3^b{ \approx _c}\mathrm{{Game}}_4^b\).

Finally, we can get \(\mathrm{{Game}}_0^0{ \approx _c}\mathrm{{Game}}_0^1\) by \(\mathrm{{Game}}_4^0{ \approx _c}\mathrm{{Game}}_4^1\). This completes the proof.

Theorem 3

Let \(n, q, m, \sigma , \alpha \) be as set above. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at re-encrypted ciphertext.

Proof

For \(\left( {{W^*},stat{e_1}} \right) \leftarrow \mathcal{A}\left( {{1^\kappa }} \right) \) and \(\left( {\mu ,W,stat{e_2}} \right) \leftarrow {\mathcal{A}^{{\mathcal{O}_1}}}\left( {pp,stat{e_1}} \right) \), which are chosen by the adversary, the challenger encrypts \(\mu \in \{0,1\}\) under access structure W and gets a corresponding ciphertext \(C_W\), which is a random ciphertext C if \(b=0\) or the real ciphertext \({\mathrm{{C}}_W} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ W}},\mathrm{{ }}\mu )\) if \(b = 1\). By \(Game^b_4\) of Theorem 2, we know that the adversary cannot distinguish a random ciphertext C from the real ciphertext \({\mathrm{{C}}_W} \leftarrow \mathrm{{Encrypt }}(\mathrm{{pp}},\mathrm{{ W}},\mathrm{{ }}\mu )\). For the re-encryption key \(r{k_{W \rightarrow {W^*}}}\), the adversary cannot distinguish the real \(r{k_{W \rightarrow {W^*}}}\) from a random Gaussian distribution by \(Game^b_2\) of Theorem 2. Thus, the adversary cannot obtain anything useful for winning the game. At last, the challenger outputs the challenge re-encrypted ciphertext \(C_{{W^*}}^* \leftarrow ReEnc\left( {r{k_{S \rightarrow {W^*}}},{C_W}} \right) \). By the LWE assumption, \({Q_{i,0}}BD\left( {{{{\varvec{c}}}_{i,1}}} \right) + {\varvec{x}}_{_{i,0}}^1\), \(i \in {S^{1, - }} \cup \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \), and the uniform distribution are computationally indistinguishable, and \({Q_{i,1}}BD\left( {{{{\varvec{c}}}_{i,0}}} \right) + {\varvec{x}}_{_{i,1}}^1\), \(i \in {S^{1, + }} \cup \left( {L\backslash \left( {{S^{1, + }} \cup {S^{1, - }}} \right) } \right) \), and the uniform distribution are computationally indistinguishable. Thus, the advantage \(\mathrm{{Adv}}_{\mathrm{{CP - ABPRE,}}\mathcal{A}}^{\mathrm{{IND}} - \mathrm{{sAS}} - \mathrm{{CPA }} - {\mathop {\text {Re}}\nolimits } }\left( \kappa \right) \) of the adversary is negligible.

3.4 Comparison

We compare the related works in this subsection.

(1) Our scheme is constructed based on [14]. Compared with the ABE schemes of [14, 15], our scheme not only supports proxy re-encryption but also has a smaller size of public parameters. The comparison results are given in Table 2, where S is the set of all attributes in the access structure.

(2) The existing CP-ABPRE schemes are constructed from bilinear pairings [5, 13, 20], which are fragile in the post-quantum setting. Our CP-ABPRE is constructed based on LWE, which is widely believed to be secure against quantum computer attacks.

(3) Compared with the existing PRE schemes based on LWE, our scheme is the first CP-ABPRE scheme based on LWE and has the same computational complexity \(O(n^2)\). The comparison results are given in Table 3.

Table 2. Comparison for CP-ABE
Table 3. Comparison for PRE

4 Conclusion

This paper constructs a ciphertext-policy attribute-based proxy re-encryption scheme over lattices. Lattice-based cryptography is an alternative that resists quantum computer attacks. The constructed scheme not only supports access control but also can convert the ciphertext \(C_W\) under access structure W to a ciphertext \(C_{W'}\) under another access structure \(W'\) without decrypting the ciphertext \(C_W\). Thus, the scheme is flexible for cloud sharing. At last, the scheme is proved secure under the LWE assumption.