A Novel Lattice-Based CP-ABPRE Scheme for Cloud Sharing

Abstract

The ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme supports access control and can transform a ciphertext under an access policy to a ciphertext under another access policy without decrypting the ciphertexts, which is flexible and efficient for cloud sharing. The existing CP-ABPRE schemes are constructed by bilinear pairing or multi-linear maps which are fragile when the post-quantum future comes. This paper presents an efficient unidirectional single-hop CP-ABPRE scheme with small public parameters from a lattice. For the transformation between two access structures, they are required to be disjoint. This paper uses the trapdoor sampling technique to generate the decryption key and the re-encryption key in constructing the scheme, and uses the decompose vectors technique to produce the re-encrypted ciphertexts in order to control their noise. Finally, we extended the scheme to a unidirectional single-hop CP-ABPRE scheme with keyword search for searching the encrypted data. Both schemes were proved secure under the learning with errors assumption, which is widely believed to be secure in quantum computer attacks. To the best of our knowledge, our scheme is the first CP-ABPRE scheme based on the learning with errors assumption.

1. Introduction

The encryption of cloud data can protect the security of data effectively. There are two types of encryption system: symmetric and asymmetric. In a symmetric encryption system, the encryption key and decryption key are the same. In an asymmetric encryption system, the encryption key and the decryption key are different. Attribute-based encryption (ABE) is an asymmetric approach.

In an ABE system, ciphertexts are labeled with a public attribute x, and private keys are associated with some descriptive values y. A private key decrypts the ciphertext and recovers the message if and only if x satisfies y. By assigning common attributes of these decryptors, a user can use ABE to encrypt data and store the encrypted data in the cloud for sharing data, protecting privacy, and obtaining fine-grained access control. Hierarchical key assignment schemes (HKASs) [1,2] can be used to achieve fine-grained access control. There are two variants of ABE [3]: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In a CP-ABE (KP-ABE) system, the private key (ciphertext) is associated with an arbitrary number of attributes expressed as strings S, the ciphertext (private key) is associated with an access structure W over attributes, and the private key can decrypt the ciphertext if and only if S satisfies W.

Using CP-ABE, a user (e.g., Alice) can encrypt her data under access structure W, then any user with attribute S can decrypt the encrypted data, where S satisfies W. If Alice wants to share the encrypted data with Bob, but the attribute set of Bob does not satisfy W, then Bob can not get them from the cloud. Due to the resource-limited nature of the terminal device, it is impossible for users to backup all data with plain format. Thus, Alice needs to download and decrypt the ciphertext, and encrypt the data with another access structure $W^{\prime }$. The computational overhead of this strategy is too heavy for Alice.

For example, in an electronic health record (EHR) system [4], the set L of all attributes in the EHR system consists of all kinds of diseases, such as cold, lipomyoma, lung cancer, diabetes, and nephropathy. A patient encrypts their detailed personal information under access structure W, where W may be (cold and lipomyoma) or (diabetes and nephropathy). The physician’s attributes S consist of many kinds of diseases that the physician is professional in, where S could be {cold, lipomyoma}.

Proxy re-encryption (PRE) allows a proxy to transform a ciphertext of a delegator to a ciphertext of a delegatee specified by the delegator, and the proxy will not know the message in this process, which can be used for cloud sharing. The cloud sharing can become more efficient with ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE). In the CP-ABPRE scheme, Alice only needs to generate a re-encryption key and send it to a proxy, then the proxy can transform the ciphertext under W to another ciphertext under $W^{\prime }$ [5,6,7]. Although CP-ABPRE can effectively achieve cloud sharing, the search on the encrypted data is powerless. It is interesting to combine the concept of CP-ABPRE and keyword search to construct CP-ABPRE with keyword search (CP-ABPRE-KS), which can not only achieve the data sharing effectively, but can also search the encrypted data.

1.1. Related Work

At present, many types of lattice-based PRE scheme have been constructed. One example is conditional proxy re-encryption (CPRE) [8], whereby only ciphertexts satisfying a condition set by a delegator can be transformed by the proxy. Homomorphic proxy re-encryption (HPRE) [9,10] can homomorphically evaluate original or re-encrypted ciphertexts. In identity-based proxy re-encryption (IBPRE) [11], ciphertexts are transformed from one identity to another. Proxy re-encryption with keyword search (PRE-KS) [12] simultaneously realizes the functionality of proxy re-encryption and keyword search. However, there is no lattice-based attribute-based proxy re-encryption (ABPRE) [13] whereby ciphertexts are transformed from one access policy to another.

Liang et al. [13] constructed the first CP-ABPRE scheme based on bilinear maps, supporting and-gates over positive and negative attributes. Luo et al. [14] extended [13] to a CP-ABPRE supporting and-gates on multi-valued and negative attributes, but the scheme is selective-policy chosen plaintext secure. Liang et al. [15] constructed the first adaptively CCA-secure CP-ABPRE. The existing CP-ABPRE schemes are constructed by bilinear pairing or multi-linear maps, which are fragile when the post-quantum future comes. Zhang et al. [16] presented a ciphertext policy attribute-based encryption (ABE) scheme based on learning with errors (LWE), which is widely believed to be secure in quantum computer attacks. Zeng et al. [17] presented an authorized searchable encryption with special keyword based on [16].

Boneh et al. [18] constructed a public key encryption with keyword search for searching encrypted data. Shao et al. [19] constructed the first PRE-KS, which simultaneously realizes the functionality of proxy re-encryption and keyword search. Wang et al. [20] extended [19] to a constrained single-hop unidirectional proxy re-encryption supporting conjunctive keywords search. Shi et al. [21] formalized the syntax and security definitions for ABPRE with keyword search (ABPRE-KS), and constructed two ABPRE-KS by multi-linear maps; that is, CP-ABPRE-KS and KP-ABPRE-KS. Hong et al. [22] also presented an ABPRE-KS by bilinear pairing for flexible and secure data sharing in the cloud. None of these schemes can resist quantum computation attacks. Yang et al. [12] proposed a novel lattice-based semantic keyword searchable proxy re-encryption scheme for secure cloud storage which is resistant to quantum attack.

1.2. Our Contributions

In this paper, (1) we constructed a lattice-based CP-ABE scheme by modifying the ABE scheme of Zeng et al. [17]. Compared with the ABE schemes of [16,17], our CP-ABE scheme has smaller public parameters. (2) We constructed a CP-ABPRE scheme based on the new CP-ABE scheme by using trapdoor sampling from LWE, which is widely believed to be secure in quantum computer attacks. The CP-ABPRE scheme is the first CP-ABPRE based on LWE. (3) We extended the CP-ABPRE scheme to a CP-ABPRE-KS scheme.

The rest of this paper is organized as follows: Section 2 presents preliminaries; Section 3 describes the constructed ABPRE scheme; Section 4 extends the ABPRE to the ABPRE-KS scheme; finally, our work is concluded in Section 5.

2. Preliminaries

We introduce some notations, Gaussian distribution, the LWE hardness assumption, and the definition of CP-ABPRE in this section.

2.1. Notation

We employed some initial notations, as listed in

Table 1. Notation.

x	scalar
$\overrightarrow{x}$	vector
A	matrix or set
$\left|\right|\overrightarrow{x}{\left|\right|}_{\infty }$	$l_{\infty }$ norm of $\overrightarrow{x}$
$\left|\right|\overrightarrow{x}\left|\right|$	$l_2$ norm of $\overrightarrow{x}$
$\left[k\right]$	set $\{1,2,\cdots ,k\}$
$\left|L\right|$	the order of set L
$S\vDash (⊭)W$	attribute set S satisfies (or does not satisfy) access structure W
$\left[X|Y\right]$$\in {\mathbb{Z}}_q^{m\times (n_1+n_2)}$	the concatenation of the columns of $X\in {\mathbb{Z}}_q^{m\times n_1},Y\in {\mathbb{Z}}_q^{m\times n_2}$
$\left[X;Y\right]$$\in {\mathbb{Z}}_q^{(n_1+n_2)\times m}$	the concatenation of the rows of $X\in {\mathbb{Z}}_q^{n_1\times m},Y\in {\mathbb{Z}}_q^{n_2\times m}$
$x\leftarrow \chi$	x is sampled according to a probability distribution $\chi$
$x\leftarrow S$	x is sampled uniformly from a set S
$X{\approx }_c\left({\approx }_s\right)Y$	X and Y are computationally (statistically) indistinguishable

. For an integer q and a vector $\overrightarrow{x}\in {{\mathbb{Z}}_q}^n$, let $l=⌈logq⌉$, $P2\left(\overrightarrow{x}\right)=\left(1\overrightarrow{x};2\overrightarrow{x};\cdots ;2^{l-1}\overrightarrow{x}\right)\in {\mathbb{Z}}_q^{nl}$, $BD\left(\overrightarrow{x}\right)=\left({\overrightarrow{u}}_1|\cdots |{\overrightarrow{u}}_l\right)\in {\left\{0,1\right\}}^{nl}$, where $\overrightarrow{x}={\displaystyle \sum _{k=1}^l}{2}^{k-1}{\overrightarrow{u}}_k$. When A is a matrix, let $P2\left(A\right)$$\left(BD\right(A\left)\right)$ be the matrix formed by applying the operation to each row (column) of A.

2.2. Gaussian Distributions and the LWE Hardness Assumption

For any positive parameter $\sigma >0$, define the Gaussian function on ${\mathbb{R}}^m$, centered at $\overrightarrow{c}$: $\forall \overrightarrow{x}\in {\mathbb{R}}^m$,

$${\rho }_{\sigma ,\overrightarrow{c}}\left(\overrightarrow{x}\right)=exp\left(-\pi {∥\overrightarrow{x}-\overrightarrow{c}∥}^2/\phantom{-\pi {∥\overrightarrow{x-c}∥}^2{\sigma }^2}{\sigma }^2\right.).$$

For any vector $\overrightarrow{c}\in {\mathbb{R}}^m$ and positive parameter $\sigma >0$, let $\Lambda$ be a discrete subset of ${\mathbb{Z}}^m$, define the discrete Gaussian distribution over $\Lambda$ as: $\forall \overrightarrow{x}\in {\mathbb{R}}^m$,

$$D_{\Lambda ,\sigma ,\overrightarrow{c}}\left(\overrightarrow{x}\right)=\frac{{\rho }_{s,\overrightarrow{c}}\left(\overrightarrow{x}\right)}{{\rho }_{\sigma ,\overrightarrow{c}}\left(\Lambda \right)},$$

where ${\rho }_{\sigma ,\overrightarrow{c}}\left(\Lambda \right)={\sum }_{\overrightarrow{x}\in \Lambda }{\rho }_{\sigma ,\overrightarrow{c}}\left(\overrightarrow{x}\right)$.

For constructing the CP-ABPRE scheme, we sample vectors from the discrete Gaussian distribution D. The algorithm $SamplePre$ can sample vectors from a distribution statistically close to $D_{\Lambda \left(A\right)}$, but it needs the basis of ${\Lambda }^{\perp }\left(A\right)$. Lemmas 1 and 2 can meet our needs. Lemma 1 can output a basis of ${\Lambda }^{\perp }\left(A\right)$, and Lemma 2 can sample vectors from a distribution statistically close to $D_{\Lambda \left(A\right)}$.

Lemma 1

([23]). For any positive integers n, $\mathrm{m}\ge 6nlogq$, $q\ge 2$, the probabilistic polynomial-time algorithm TrapGen $(q,n,m)$ can output a pair $\left(A,T\right)\in {\mathbb{Z}}_q^{n\times m}\times {\mathbb{Z}}^{m\times m}$, where

(1) 

A is statistically close to uniform in ${\mathbb{Z}}_q^{n\times m}$;

(2) 

T is a basis for ${\Lambda }_q^{\perp }\left(A\right)=\left\{\overrightarrow{e}\in {\mathbb{Z}}^m,s.t.A\overrightarrow{e}=\overrightarrow{0}modq\right\}$;

(3) 

$∥T∥\le O(nlogq)$ and $∥\tilde{T}∥\le O\left(\sqrt{nlogq}\right)$.

Alwen and Peikert assert that the constant hidden in the first $O(·)$ is no more than 20.

Lemma 2

([24]). For any positive integer $q\ge 2$, vector $\overrightarrow{c}\in {\mathbb{Z}}^m,\overrightarrow{u}\in {\mathbb{Z}}_q^n$ and matrix $A\in {\mathbb{Z}}_q^{n\times m}$, the probabilistic polynomial-time algorithm SamplePre($A,T_{\mathrm{A}},\overrightarrow{u},\overrightarrow{c}$) can output vector $\overrightarrow{x}\in {\Lambda }_q^{\overrightarrow{u}}\left(A\right)=\left\{\overrightarrow{e}\in {\mathbb{Z}}^m,s.t.A\overrightarrow{e}=\overrightarrow{u}modq\right\}$, which in a distribution statistically close to $D_{{\Lambda }_q^{\overrightarrow{u}}\left(A\right),\sigma ,\overrightarrow{c}}$, where $T_{\mathrm{A}}$ is a basis of ${\Lambda }_q^{{}^{\perp }}\left(A\right)$, $\sigma \ge ∥\tilde{T}∥\omega \left(\sqrt{logm}\right)$.

Let X be a normal random variable with mean 0 and deviation ${\alpha }^2/\phantom{{\alpha }^{2}2\pi }$2π$,\mathrm{where}$ α∈(0,1) is a real number. For prime q, define the random variable in distribution ${\overline{\Psi }}_{\alpha }$ over ${\mathbb{Z}}_q$ as ⎣ qX ⎤ mod q. For the correctness of our CP-ABPRE scheme, we need Lemmas 3 and 4, which show bounds for random variables.

Lemma 3

([25]). For any $\overrightarrow{c}\in \Lambda \subset {\mathbb{Z}}^m$, let $\overrightarrow{x}\leftarrow D_{\Lambda +\overrightarrow{c},\sigma }$, $\sigma >{\eta }_{ϵ}(\Lambda )$ for some $ϵ\in (0,1)$, then with overwhelming probability $∥\overrightarrow{x}∥<\sigma \sqrt{m}$. Moreover, if $\overrightarrow{c}=0$ then the bound holds for any $\sigma >0$, with $ϵ=0$.

Lemma 4

([24]). For any $\overrightarrow{r}\in {\mathbb{Z}}^m$, let $\overrightarrow{e}\leftarrow {\overline{\Psi }}_{\alpha }^m$, then with overwhelming probability in m

$$\left|{\overrightarrow{r}}^T\overrightarrow{e}\right|\le ∥\overrightarrow{r}∥q\alpha \omega \left(\sqrt{logm}\right)+∥\overrightarrow{r}∥\sqrt{m}/\phantom{\sqrt{m}2}2.$$

In particular, if $e\leftarrow {\overline{\Psi }}_{\alpha }$, then $\left|e\right|\le q\alpha \omega \left(\sqrt{logm}\right)+1/2$ with overwhelming probability in m.

The LWE (learning with errors) problem [26] is as hard as the worst-case SIVP and GapSVP with certain noise distributions D (e.g., ${\overline{\Psi }}_{\alpha }$), which is a classic hard problem on lattices. The decisional $LW{E}_{n,q,\chi }$ problem is to distinguish $(\overrightarrow{{\overline{a}}_i};{\overline{b}}_i)\leftarrow {\mathbb{Z}}_q^{n+1}$ and $(\overrightarrow{a_i},b_i)\in {\mathbb{Z}}_q^{n+1}$, where $\overrightarrow{a_i}\leftarrow {\mathbb{Z}}_q^n,b_i={\overrightarrow{a_i}}^T\overrightarrow{s}+e_i$, $\overrightarrow{s}\leftarrow {\mathbb{Z}}_q^n$, $e_i\leftarrow D$, $q\ge 2$, and D is a distribution over $\mathbb{Z}$.

2.3. Attribute and Access Structure

We denote $L=\left[\left|L\right|\right]$ as the set of all attributes in the system. For $i\in \left[L\right]$, the user either has the attribute i or does not have it. If a user does not have attribute i, we say the user has attribute $-i$. Thus, i and $-i$ appear in pairs. We denote i and $-i$ as positive and negative attribute, respectively. In this paper, we study the CP-ABE scheme which supports and-gates on positive and negative attributes.

Definition 1.

Let L be the set of all attributes. If the access structure W is organized by and-gates on positive and negative attributes, then an attribute set S satisfies W if and only if

$$S^{+}\subseteq S,S^{-}\subseteq L\backslash S$$

, where $S^{+}\left(S^{-}\right)$ is the positive (negative) attribute set in W.

For instance, let $L=\left[4\right]$, access structure $W=(1and-3)$, if $S\vDash W$, then we only need $1\in S,3\notin S$, and do not need to consider $2,4$. The attribute sets $S_1=\left\{1\right\},S_2=\{1,2\},S_3=\{1,4\},S_4=\{1,2,4\}$ all satisfy W.

For two access structures W and $W^1$, let $S^{+},S^{1,+}(S^{-},S^{1,-})$ be the positive (negative) attribute set in W and $W^1$. If $S^{+}\subseteq S^{1,-},S^{-}\subseteq S^{1,+}$, then we say W and $W^1$ are disjoint.

2.4. Definition and Security Model of CP-ABPRE Scheme

There are four participants in the single-hop unidirectional CP-ABPRE scheme for cloud sharing, as shown in Figure 1.

(1) Trusted authority (TA). The TA is trusted by all participants. TA generates master secret key, public parameters and re-encryption key.

(2) Cloud services provider (CSP). The CSP is semi-trusted by all participants. The CSP stores data uploaded by the DO, and computes the re-encrypted ciphertext using the original ciphertext and re-encryption key.

(3) Data owner (DO). The DO encrypts their data and stores the encrypted data in the cloud.

(4) Data user (DU). The DU queries the CSP for re-encrypted data which belongs to them.

We give the following definition based on the definition and security model of Liang et al. [27].

Definition 2.

A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms:

1. 

Setup($\kappa ,L$): For a set L of attribute and security parameter κ, the TA outputs public parameters $pp$ and master secret key $msk$.

2. 

KeyGen($pp,msk,S$): For $pp,msk$ and an attribute set S of user (DO or DU), the TA outputs secret key $s{k}_S$ for S. Note that each secret key $s{k}_S$ is associated with an attribute set S.

3. 

Encrypt($pp,W,\mu$): For $pp$, a message μ, and an access structure W over the attribute set L, the DO outputs ciphertext $C_W$. Note that each ciphertext $C_W$ is associated with an access structure W.

4. 

Decrypt($pp,s{k}_S,C_W,S$): For $pp,C_W,S$ and its corresponding secret key $s{k}_S$, the user (DO or DU) outputs plaintext μ if $S\vDash W$ or a symbol ⊥ indicating either $C_W$ is invalid or $S⊭W$.

5. 

ReKeyGen($pp,S,W,W^1$): For $pp$, two access structures $W,W^1$ and an attribute set S, if $S\vDash W$, and W and $W^1$ are disjoint, the TA outputs the re-encryption key $r{k}_{W\to W^1}$, and otherwise outputs a symbol ⊥.

6. 

ReEnc($pp,C_W,r{k}_{W\to W^1}$): For $pp$, $C_W$, $r{k}_{W\to W^1}$, the CSP outputs the re-encrypted ciphertext $C_{W^1}$.

Correctness—There are two requirements for correctness:

1. 

Decrypt($pp,s{k}_S,C_W)$= μ, where $C_W=Encrypt(pp,W,\mu )$ and $S\vDash W$.

2. 

Decrypt($pp,s{k}_{S^1},C_{W^1}$)= μ, where $C_{W^1}=ReEnc(pp,r{k}_{W\to W^1},C_W)$, $C_W=Encrypt(pp,W,\mu )$, $r{k}_{W\to W^1}=ReKeyGen(pp,W,W^1)$, $S^1\vDash W^1$.

Definition 3.

For a single-hop unidirectional CP-ABPRE scheme, let κ be a security parameter. Consider the following games, denoted by ${\mathrm{Expt}}_{\mathrm{CP}-\mathrm{ABPRE},\mathcal{A}}^{\mathrm{IND}-\mathrm{sAS}-\mathrm{CPA}-\mathrm{Or}}\left(\kappa \right)$, between challenger and adversary.

Initialization. The adversary chooses a challenge access structure $W^{*}$ for the challenger.

Setup Phase: The challenger runs Setup( κ, L) and sends $pp$ to the adversary.

Learning Phase: In this phase, the adversary can access the following oracles polynomially many times, and the challenger needs to answer these oracles.

(1) 

Secret key oracle ${\mathcal{O}}_{\mathrm{sk}}\left(S\right)$: The adversary inputs an attribute set S. If $\mathrm{S}⊭{\mathrm{W}}^{*}$, then the challenger returns $\mathrm{s}{\mathrm{k}}_S\leftarrow \mathrm{KeyGen}\left(\mathrm{pp},\mathrm{msk},\mathrm{S}\right)$, and otherwise returns ⊥.

(2) 

Re-encryption key oracle ${\mathcal{O}}_{\mathrm{rk}}\left(S,W,W^{\prime }\right)$: The adversary inputs two access structures $W,W^{\prime }$ and S. If $S\vDash W$, W and $W^{\prime }$ are disjoint, and ${\mathcal{O}}_{\mathrm{sk}}\left(S^{\prime }\right)$ has been accessed for any ${\mathrm{S}}^{\prime }\vDash {\mathrm{W}}^{\prime }$, then the challenger returns $r{k}_{W\to W^{\prime }}\leftarrow \mathrm{ReKeyGen}(\mathrm{pp},S,\mathrm{W},W^{\prime })$, and otherwise returns ⊥.

(3) 

Re-encryption oracle ${\mathcal{O}}_{\mathrm{re}}\left(r{k}_{W\to W^{\prime }},W^{\prime },C_W\right)$: The adversary inputs $W^{\prime }$, $C_W$, $r{k}_{W\to W^{\prime }}$. If $r{k}_{W\to W^{\prime }}\leftarrow \mathrm{ReKeyGen}(\mathrm{pp},S,\mathrm{W},W^{\prime })$, $\mathrm{s}{\mathrm{k}}_S\leftarrow \mathrm{KeyGen}\left(\mathrm{pp},\mathrm{msk},\mathrm{S}\right)$, $S\vDash W$, then the challenger returns $C_{W^{\prime }}\leftarrow \mathrm{ReEnc}(\mathrm{pp},{\mathrm{C}}_W,r{k}_{W\to W^{\prime }})$, and otherwise returns ⊥.

Challenge: If the adversary finishes all of the oracles’ queries, then the adversary sends $\mu \in \left\{0,1\right\}$ to the challenger. For a coin $b\in \left\{0,1\right\}$, the challenger returns a random ciphertext C if $b=0$ or the real ciphertext ${\mathrm{C}}_{W^{*}}\leftarrow \mathrm{Encrypt}(\mathrm{pp},{\mathrm{W}}^{*},\mu )$ if $b=1$.

Gauss: Finally, the adversary outputs a guess $b^{\prime }\in \left\{0,1\right\}$. If $b^{\prime }=b$, the adversary wins.

We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext if for any PPT adversary, the advantage

$${\mathrm{Adv}}_{\mathrm{CP}-\mathrm{ABPRE},\mathcal{A}}^{\mathrm{IND}-\mathrm{sAS}-\mathrm{CPA}-\mathrm{Or}}\left(\kappa \right)=\left|Pr\left[b=b^{\prime }\right]-\frac{1}{2}\right|$$

of the adversary is negligible.

Definition 4.

For a single-hop unidirectional CP-ABPRE scheme, let κ be a security parameter. We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at re-encrypted ciphertext if for any PPT adversary, the advantage

$$\begin{array}{c}{\mathrm{Adv}}_{\mathrm{CP}-\mathrm{ABPRE},\mathcal{A}}^{\mathrm{IND}-\mathrm{sAS}-\mathrm{CPA}-\mathrm{Re}}\left(\kappa \right)=\left|Pr\left[\begin{array}{c}b=b^{\prime }:\hfill \\ \left(W^{*},stat{e}_1\right)\leftarrow \mathcal{A}\left(1^{\kappa }\right);\hfill \\ \left(pp,msk\right)\leftarrow Setup(1^{\kappa },L);\hfill \\ \left(\mu ,W,stat{e}_2\right)\leftarrow {\mathcal{A}}^{{\mathcal{O}}_1}\left(pp,stat{e}_1\right);\hfill \\ b\leftarrow \left\{0,1\right\};\hfill \\ C_{W^{*}}^{*}\leftarrow ReEnc\left(r{k}_{W\to W^{*}},C_W\right);\hfill \\ b^{\prime }\leftarrow {\mathcal{A}}^{{\mathcal{O}}_1}\left(C_{W^{*}}^{*},stat{e}_2\right)\hfill \end{array}\right]-\frac{1}{2}\right|\hfill \end{array}$$

of the adversary is negligible, where ${\mathcal{O}}_1=\left\{{\mathcal{O}}_{\mathrm{sk}},{\mathcal{O}}_{\mathrm{rk}},{\mathcal{O}}_{\mathrm{re}}\right\}$ and ${\mathcal{O}}_{\mathrm{sk}}$ (it is forbidden to $S\vDash W^{*}$), ${\mathcal{O}}_{\mathrm{rk}},{\mathcal{O}}_{\mathrm{re}}$ (it is forbidden to $C_W$ is an valid original ciphertext or a re-encrypted ciphertext) as in Definition 3, $Stat{e}_1$ and $Stat{e}_2$ are the state information, $W^{*}$ is challenge access structure, and $W,W^{*}$ are disjoint, $C_W$ is a random ciphertext C if $b=0$ or the real ciphertext ${\mathrm{C}}_W\leftarrow \mathrm{Encrypt}(\mathrm{pp},\mathrm{W},\mu )$ if $b=1$, $\mu \in \left\{0,1\right\}$.

3. A CP-ABPRE Scheme

First, we propose a single-hop unidirectional CP-ABPRE scheme, then prove the correctness and security of the scheme, and finally compare the schemes.

3.1. Concrete Scheme

A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms.

• Setup($n,m,q,L$): Given positive integers $n,m,q$, and a set of attributes L, the TA samples $\overrightarrow{u}\leftarrow {\mathbb{Z}}_q^n$, computes $\left(A_{i,b},T_{i,b}\right)\leftarrow TrapGen\left(q,n\right)$ for $i\in L$, where $b\in \{0,1\}$ and returns public parameters $pp=\left({\left\{A_{i,b}\right\}}_{i\in L}^{b\in \left\{0,1\right\}},\overrightarrow{u}\right)$ and master secret key $msk=\left({\left\{T_{i,b}\right\}}_{i\in L}^{b\in \left\{0,1\right\}}\right)$.
• KeyGen($pp,msk,S$): Given $pp,msk$ and an attribute set S of the DU, where $S\subseteq L$, the TA lets $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S\\ A_{i,1},& i\in S\end{array}\right.$, computes $\overrightarrow{s}\leftarrow \mathrm{SamplePre}\left(A,T,\overrightarrow{u}\right)$, and returns secret key $s{k}_S=\overrightarrow{s}$, where $A=\left(A_1|\cdots |A_{\left|L\right|}\right)$, $T=\left[\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_{\left|L\right|}\end{array}\right]$, $T_i$ is the basis for ${\Lambda }_q^{\perp }\left(A_i\right)$, $i\in L$.
• Encrypt($pp,W,\mu$): Given $pp$, a message $\mu \in \{0,1\}$, and an access structure W, the DO denotes $S^{+}\left(S^{-}\right)$ as the positive (negative) attribute set in W, computes

  $$c={\overrightarrow{u}}^T\overrightarrow{f}+x_c+⌊\frac{q}{2}⌋\mu ,$$

  $${\overrightarrow{c}}_{i,0}=\left\{\begin{array}{cc}{\overrightarrow{z}}_{i,0},& i\in S^{+}\\ A_{{}_{i,0}}^T\overrightarrow{f}+{\overrightarrow{x}}_{i,0},& i\in S^{\_}\end{array}\right.,$$

  $${\overrightarrow{c}}_{i,1}=\left\{\begin{array}{cc}{A}_{{}_{i,1}}^T\overrightarrow{f}+{\overrightarrow{x}}_{i,1},& i\in S^{+}\\ {\overrightarrow{z}}_{i,1},& i\in S^{-}\end{array}\right.,$$

  $$\left(\begin{array}{c}{\overrightarrow{c}}_{j,0}\\ {\overrightarrow{c}}_{j,1}\end{array}\right)=\left(\begin{array}{c}{A}_{{}_{j,0}}^T\\ A_{{}_{j,1}}^T\end{array}\right)\overrightarrow{f}+\left(\begin{array}{c}{\overrightarrow{x}}_{j,0}\\ {\overrightarrow{x}}_{j,1}\end{array}\right),$$

  $j\in L\backslash \left(S^{+}\cup S^{-}\right)$, and returns ciphertext

  $$C_W=\left(c;{\left\{{\overrightarrow{c}}_{i,0},{\overrightarrow{c}}_{i,1}\right\}}_{i\in L}\right),$$

  where $x_c\leftarrow \chi$, $\overrightarrow{f}\leftarrow {\chi }^n$, ${\overrightarrow{z}}_{i,0},{\overrightarrow{z}}_{i,1},{\overrightarrow{x}}_{i,0},{\overrightarrow{x}}_{i,1}\leftarrow {\chi }^m$.
• Decrypt($pp,C_W,s{k}_S,S$): After receiving the cipthertext $C_W$ from the CSP, the DU computes $\overrightarrow{y}=\left({\overrightarrow{y}}_1;\cdots ;{\overrightarrow{y}}_{\left|L\right|}\right)$ by ${\overrightarrow{y}}_i=\left\{\begin{array}{cc}{\overrightarrow{c}}_{i,1},& i\in S\\ {\overrightarrow{c}}_{i,0},& else\end{array}\right.$, and then outputs 0 if $\left(-{\overrightarrow{s}}^T|1\right)\left({\overrightarrow{y}}^T;c\right)=c-{\overrightarrow{y}}^T\overrightarrow{s}$ is closer to 0 than to $⌊\frac{q}{2}⌋$ modulo q, and 1 otherwise.
• ReKeyGen($pp,S,W,W^1$): After receiving $pp,S$, two access structures $W,W^1$ from the DO, if $W,W^1$ are not disjoint or $S⊭W$, then the TA outputs ⊥, and otherwise denotes the positive (negative) attribute set in $W^1$ as $S^{1,+}\left(S^{1,-}\right)$, noting $S^{1,+}\subseteq L,S^{1,-}\subseteq L$, then computes

  $$Q_{i,0}\leftarrow \left\{\begin{array}{cc}{\overline{X}}_i,\hfill & i\in S^{1,+}\hfill \\ \mathrm{P}2\left(R_{i,1\to 0}^T\right)+X_i,\hfill & i\in S^{1,-}\hfill \end{array}\right.,$$

  $$Q_{i,1}\leftarrow \left\{\begin{array}{cc}\mathrm{P}2\left(R_{{}_{i,0\to 1}}^T\right)+X_i,\hfill & i\in S^{1,+}\hfill \\ \overline{X_i},\hfill & i\in S^{1,-}\hfill \end{array}\right.,$$

  $$Q_{i,0}\leftarrow P2\left(R_{{}_{i,1\to 0}}^T\right)+X_{i,0},i\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right),$$

  $$Q_{i,1}\leftarrow P2\left(R_{{}_{i,0\to 1}}^T\right)+X_{i,1},i\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right),$$

  where $R_{i,1\to 0}\leftarrow \mathrm{SamplePre}\left(A_{i,1},T_{i,1},A_{i,0}\right)$, $R_{i,0\to 1}\leftarrow \mathrm{SamplePre}\left(A_{i,0},T_{i,0},A_{i,1}\right)$, $X_i,X_{i,0},X_{i,1}\leftarrow D_{{\mathbb{Z}}^{m\times m⌈logq⌉}}$, $\overline{X_i}\leftarrow D_{{\mathbb{Z}}_q^{m\times m⌈logq⌉}}$ and finally returns the re-encryption key $r{k}_{W\to W^1}=\left({\left\{Q_{i,0},Q_{i,1}\right\}}_{i\in L}\right)$.
• ReEnc($pp,C_W,r{k}_{W\to W^1}$): Given $pp,C_W,r{k}_{W\to W^1}$, the CSP computes

  $${\overrightarrow{c}}_{{}_{i,0}}^1=\left\{\begin{array}{cc}{Q}_{i,0}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1,\hfill & i\in S^{1,-}\hfill \\ {\overrightarrow{z}}_{{}_{i,0}}^1,\hfill & i\in S^{1,+}\hfill \end{array}\right.,$$

  $${\overrightarrow{c}}_{{}_{i,1}}^1=\left\{\begin{array}{cc}{Q}_{i,1}BD\left({\overrightarrow{c}}_{i,0}\right)+{\overrightarrow{x}}_{{}_{i,1}}^1,\hfill & i\in S^{1,+}\hfill \\ {\overrightarrow{z}}_{{}_{i,1}}^1,\hfill & i\in S^{1,-}\hfill \end{array}\right.,$$

  $${\overrightarrow{c}}_{j,0}^1=Q_{i,0}BD\left({\overrightarrow{c}}_{j,1}\right)+{\overrightarrow{x}}_{j,0}^1,$$

  $${\overrightarrow{c}}_{{}_{j,1}}^1=Q_{i,1}BD\left({\overrightarrow{c}}_{j,0}\right)+{\overrightarrow{x}}_{{}_{j,1}}^1,$$

  $$j\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right),$$

  where ${\overrightarrow{x}}_{{}_{i,0}}^1,{\overrightarrow{x}}_{{}_{j,0}}^1\leftarrow D_{{\mathbb{Z}}^m}$, ${\overrightarrow{z}}_{{}_{i,0}}^1,{\overrightarrow{z}}_{{}_{i,1}}^1\leftarrow {\mathbb{Z}}_q^m$ and outputs the re-encrypted ciphertext

  $$C_{W^1}=\left(c;{\left\{{\overrightarrow{c}}_{i,0}^1,{\overrightarrow{c}}_{i,1}^1\right\}}_{i\in L}\right).$$

3.2. Correctness and Parameters

We show the correctness and parameters in this subsection.

Firstly, we prove that Decrypt ($pp,s{k}_S,C_W)$= $\mu$, where $C_W=Encrypt(pp,W,\mu )$ and $S\vDash W$.

For an attribute set S, let $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S\\ A_{i,1},& i\in S\end{array}\right.$, $A=\left(A_1|\cdots |A_{\left|L\right|}\right)$. Since $T_i$ is the basis for ${\Lambda }_q^{\perp }\left(A_i\right)$, $i\in L$, $AT=\left(A_1|\cdots |A_{\left|L\right|}\right)\left[\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_{\left|L\right|}\end{array}\right]=0$, and $\left|T\right|={\displaystyle \prod _{i\in L}}\left|T_i\right|\ne 0$, we have $T=\left[\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_{\left|L\right|}\end{array}\right]$ is a basis for ${\Lambda }_q^{\perp }\left(A\right)$, then TA can compute $\overrightarrow{s}=\left({\overrightarrow{s}}_1;\cdots ,{\overrightarrow{s}}_{\left|L\right|}\right)\leftarrow \mathrm{SamplePre}\left(A,T,\overrightarrow{u}\right)$ such that $\overrightarrow{u}=A\overrightarrow{s}={\displaystyle \sum _{i=1}^{\left|L\right|}}{A}_i{\overrightarrow{s}}_i$. Since $S\vDash W$, we know that

$$\overrightarrow{y}=\left({\overrightarrow{y}}_1;\cdots ;{\overrightarrow{y}}_{\left|L\right|}\right)=A^T\overrightarrow{f}+\overrightarrow{x},$$

where $\overrightarrow{x}=\left({\overrightarrow{x}}_1;\cdots ;{\overrightarrow{x}}_{\left|L\right|}\right)$, ${\overrightarrow{x}}_i=\left\{\begin{array}{cc}{\overrightarrow{x}}_{i,0},& i\in L\backslash S\\ {\overrightarrow{x}}_{i,1},& i\in S\end{array}\right.$. Thus,

$$\begin{array}{c}c-{\overrightarrow{s}}^T\overrightarrow{y}\hfill \\ ={\overrightarrow{u}}^T\overrightarrow{f}+x_c+⌊\frac{q}{2}⌋\mu -{\overrightarrow{s}}^T\left(A^T\overrightarrow{f}+\overrightarrow{x}\right)\hfill \\ =⌊\frac{q}{2}⌋\mu +\left(x_c-{\overrightarrow{s}}^T\overrightarrow{x}\right).\hfill \end{array}.$$

If $\left|x_c-{\overrightarrow{s}}^T\overrightarrow{x}\right|<⌊\frac{q}{2}⌋/\phantom{⌊\frac{q}{2}⌋2}$2, then we can get μ.

Then, we prove that Decrypt ($pp,s{k}_{S^1},C_{W^1}$)= $\mu$, where $C_{W^1}=ReEnc(pp,r{k}_{W\to W^1},C_W)$, $r{k}_{W\to W^1}=ReKeyGen(pp,W,W^1)$, $C_W=Encrypt(pp,W,\mu )$, $S^1\vDash W^1$.

Let $S^{1,+},S^{1,-}$ be the positive and negative attribute set in $W^1$, $C_W=\left(c;{\left\{{\overrightarrow{c}}_{i,0},{\overrightarrow{c}}_{i,1}\right\}}_{i\in L}\right)$ be a ciphertext under W, and $r{k}_{W\to W^1}=\left({\left\{Q_{i,0},Q_{i,1}\right\}}_{i\in L}\right)$ be a re-encryption key. Since the access structures W and $W^1$ are disjoint, we know that if $i\in S^{1,-}$, then

$$\begin{array}{cc}{\overrightarrow{c}}_{{}_{i,0}}^1\hfill & =Q_{i,0}^{T}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1\hfill \\ & =\left[\mathrm{P}2\left(R_{i,1\to 0}^T\right)+X_i\right]BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1\hfill \\ & =R_{i,1\to 0}^T{\overrightarrow{c}}_{i,1}+X_{i}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1\hfill \\ & =R_{i,1\to 0}^T{A}_{{}_{i,1}}^T\overrightarrow{f}+R_{i,1\to 0}^T{\overrightarrow{x}}_{i,1}+X_{i}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1\hfill \\ & =A_{{}_{i,0}}^T\overrightarrow{f}+R_{i,1\to 0}^T{\overrightarrow{x}}_{i,1}+X_{i}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1\hfill \end{array}$$

that is

$${\overrightarrow{c}}_{{}_{i,0}}^1=\left\{\begin{array}{cc}{A}_{{}_{i,0}}^T\overrightarrow{f}+{\overrightarrow{x}}_{{}_{i,0}}^2,\hfill & i\in {S^{\prime }}^{-}\hfill \\ {\overrightarrow{z}}_{{}_{i,0}}^1,\hfill & i\in {S^{\prime }}^{+}\hfill \end{array}\right.,$$

where ${\overrightarrow{x}}_{{}_{i,0}}^2=R_{i,1\to 0}^T{\overrightarrow{x}}_{i,1}+X_{i}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1$. Similarly, we have

$${\overrightarrow{c}}_{{}_{i,1}}^1=\left\{\begin{array}{cc}{A}_{{}_{i,1}}^T\overrightarrow{f}+{\overrightarrow{x}}_{{}_{i,1}}^2,\hfill & i\in {S^{\prime }}^{+}\hfill \\ {\overrightarrow{z}}_{{}_{i,1}}^1\hfill & i\in {S^{\prime }}^{-}\hfill \end{array}\right.,$$

where ${\overrightarrow{x}}_{{}_{i,1}}^2=R_{i,0\to 1}^T{\overrightarrow{x}}_{i,0}+X_{i}BD\left({\overrightarrow{c}}_{i,0}\right)+{\overrightarrow{x}}_{{}_{i,1}}^1$,

$${\overrightarrow{c}}_{{}_{j,0}}^1=A_{{}_{j,0}}^T\overrightarrow{f}+{\overrightarrow{x}}_{{}_{j,0}}^2,$$

$${\overrightarrow{c}}_{{}_{j,1}}^1=A_{j,1}^T\overrightarrow{f}+{\overrightarrow{x}}_{{}_{j,1}}^2,$$

where ${\overrightarrow{x}}_{{}_{i,0}}^2=R_{i,1\to 0}^T{\overrightarrow{x}}_{i,1}+X_{i,0}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1$, ${\overrightarrow{x}}_{{}_{i,1}}^2=R_{i,0\to 1}^T{\overrightarrow{x}}_{i,0}+X_{i,1}BD\left({\overrightarrow{c}}_{i,0}\right)+{\overrightarrow{x}}_{{}_{i,1}}^1$, $i\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right)$.

For the attribute set $S^1$, let $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S^1\\ A_{i,1},& i\in S^1\end{array}\right.$, $A^1=\left(A_1|\cdots |A_{\left|L\right|}\right)$. TA can compute ${\overrightarrow{s}}^1\leftarrow \mathrm{SamplePre}\left(A^1,T^1,\overrightarrow{u}\right)$ such that $A^1{\overrightarrow{s}}^1=\overrightarrow{u}$, where $T^1=\left(\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_{\left|L\right|}\end{array}\right)$ is the basis of ${\Lambda }_q^{\perp }\left(A^1\right)$. Since $S^1\vDash W^1$, we know that ${\overrightarrow{y}}^1=\left({\overrightarrow{y}}_1^1;\cdots ;{\overrightarrow{y}}_{{}_{\left|L\right|}}^1\right)={A^1}^T\overrightarrow{f}+{\overrightarrow{x}}^1$, where ${\overrightarrow{x}}^1=\left({\overrightarrow{x}}_1^1;\cdots ;{\overrightarrow{x}}_{{}_{\left|L\right|}}^1\right)$, ${\overrightarrow{x}}_i^1=\left\{\begin{array}{cc}{\overrightarrow{x}}_{{}_{i,0}}^2,& i\in L\backslash S^1\\ {\overrightarrow{x}}_{{}_{i,1}}^2,& i\in S^1\end{array}\right.$. Thus,

$$c-{\overrightarrow{s}}^{1T}{\overrightarrow{y}}^1=⌊\frac{q}{2}⌋\mu +\left(x_c-{\overrightarrow{s}}^{1T}{\overrightarrow{x}}^1\right).$$

If $\left|x_c-{\overrightarrow{s}}^{1T}{\overrightarrow{x}}^1\right|<⌊\frac{q}{2}⌋/\phantom{⌊\frac{q}{2}⌋2}$2, then we can get μ.

Finally, we set the parameters.

• Algorithm TrapGen requires $m\ge 6nlogq$.
• Algorithm SamplePre requires $\sigma \ge ∥\tilde{\mathbf{T}}∥\omega \left(\sqrt{logm}\right)$.
• Decrypting the ciphertext requires $\left|x_c-{\overrightarrow{s}}^T\overrightarrow{x}\right|<⌊\frac{q}{2}⌋/\phantom{⌊\frac{q}{2}⌋2}$2.
• Decrypting the re-encrypted ciphertext requires $\left|x_c-{\overrightarrow{s}}^{1T}{\overrightarrow{x}}^1\right|<⌊\frac{q}{2}⌋/\phantom{⌊\frac{q}{2}⌋2}$2.
• The hardness of LWE requires $\alpha q>2\sqrt{n}$.

Let $\chi ={\overline{\Psi }}_{\alpha }$, the parameters can be set as follows:

$n=\kappa$, $q=$ the prime nearest to $2^{n^{\delta }}$, $m=6n⌈logq⌉$, $\sigma =m\omega \left(\sqrt{logm}\right)$, $\alpha ={\left[5m^3{\sigma }^2\left|L\right|\omega \left(\sqrt{logm}\right)\right]}^{-1}$, where $\delta$ is constant between 0 and 1.

We verify (4), the others can be easily computed. From the element of ${\overrightarrow{x}}^1$, we know

$${∥{\overrightarrow{x}}^1∥}_{\infty }\le \left|{\overrightarrow{r}}^T{\overrightarrow{x}}^{\prime }\right|+m⌈logq⌉{∥{\overrightarrow{x}}^{\prime \prime }∥}_{\infty }+{∥{\overrightarrow{x}}^{\prime \prime \prime }∥}_{\infty },$$

where ${\overrightarrow{x}}^{\prime },{\overrightarrow{x}}^{\prime \prime \prime }\leftarrow {\chi }^m$, ${\overrightarrow{x}}^{″}\leftarrow {\chi }^{m\times m⌈logq⌉}$, $\overrightarrow{r}$ is a column of $R_{i,1\to 0},R_{i,0\to 1}$. By Lemmas 2 and 3, we have $\left|\right|\overrightarrow{r}\left|\right|\le \sigma \sqrt{m}$. By Lemma 4, we have

$$\begin{array}{c}{∥{\overrightarrow{x}}^1∥}_{\infty }\le \left|{\overrightarrow{r}}^T{\overrightarrow{x}}^{\prime }\right|+m⌈logq⌉{∥{\overrightarrow{x}}^{\prime \prime }∥}_{\infty }+{∥{\overrightarrow{x}}^{\prime \prime \prime }∥}_{\infty }\hfill \\ \le \sigma \sqrt{m}q\alpha \omega \left(\sqrt{logm}\right)+\sigma m/\phantom{m2}2+m⌈logq⌉\left(q\alpha \omega \left(\sqrt{logm}\right)+1/2\right)+q\alpha \omega \left(\sqrt{logm}\right)+1/2\hfill \\ =q\alpha \omega \left(\sqrt{logm}\right)\left[\sigma \sqrt{m}+m⌈logq⌉+1\right]+\sigma m/\phantom{m2}2+m⌈logq⌉/\phantom{m⌈logq⌉2}2+1/2\hfill \\ \le 2\sigma \sqrt{m}q\alpha \omega \left(\sqrt{logm}\right)+\sigma m\hfill \end{array}.$$

Thus,

$$\begin{array}{c}\left|x_c-{\overrightarrow{s}}^{1T}{\overrightarrow{x}}^1\right|\le \left|x_c\right|+\left|{\overrightarrow{s}}^{1T}{\overrightarrow{x}}^1\right|\le \left|x_c\right|+m\sqrt{\left|L\right|}∥{\overrightarrow{s}}^1∥{∥{\overrightarrow{x}}^1∥}_{\infty }\hfill \\ \le q\alpha \omega \left(\sqrt{logm}\right)+1/2+m\sqrt{\left|L\right|}\sigma \sqrt{\left|L\right|m}\left[2\sigma \sqrt{m}q\alpha \omega \left(\sqrt{logm}\right)+\sigma m\right]\hfill \\ =q\alpha \omega \left(\sqrt{logm}\right)\left[1+2m^2{\sigma }^2\left|L\right|\right]+1/2+m^{\frac{5}{2}}{\sigma }^2\left|L\right|\hfill \\ <q\alpha \omega \left(\sqrt{logm}\right)m^3{\sigma }^2\left|L\right|\hfill \\ \le \frac{q}{5}\hfill \end{array}.$$

3.3. Security

We show the CP-ABPRE scheme is IND-sAS-CPA secure under the LWE problem in this subsection. Theorem 1 shows that the CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext, Theorem 2 shows the CP-ABPRE scheme is IND-sAS-CPA secure at the re-encrypted ciphertext.

Theorem 1.

Let $n,q,m,\sigma ,\alpha$ be as in the aforementioned. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext.

Proof. 

Consider the following games.

$Gam{e}_0^b$: This is the real game ${\mathrm{Expt}}_{\mathrm{CP}-\mathrm{ABPRE},\mathcal{A}}^{\mathrm{IND}-\mathrm{sAS}-\mathrm{CPA}-\mathrm{Or}}\left(\kappa \right)$ with $b\in \{0,1\}$. Suppose $W^{*}$ is the adversary’s access structure, the challenger denotes the positive (negative) attribute set in $W^{*}$ as $S^{*,+}\left(S^{*,-}\right)$. The challenger answers the ciphertext of the adversary’s issue about $\mu \in \{0,1\}$ as follows:

–

If $b=0$, output $\overrightarrow{c}\leftarrow {\mathbb{Z}}_q^{1+2\left|L\right|m}$.

–

If $b=1$, output ${\mathrm{C}}_{W^{*}}\leftarrow \mathrm{Encrypt}(\mathrm{pp},{\mathrm{W}}^{*},\mu )$.

Finally, the adversary outputs a guess $b^{\prime }\in \{0,1\}$.

$Gam{e}_1^b$: We modify the secret key oracle ${\mathcal{O}}_{\mathrm{sk}}\left(S\right)$. If the adversary inputs an attribute set S and $S\vDash W^{*}$, then the challenger returns ⊥. If $S⊭W^{*}$, the challenger lets $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S\\ A_{i,1},& i\in S\end{array}\right.$, samples ${\overrightarrow{s}}_i^{+}\leftarrow D_{{\mathbb{Z}}^m,\sigma }$, $i\in \left[\right|L|-1]$, computes ${\overrightarrow{u}}^{\prime }=\overrightarrow{u}-{\displaystyle \sum _{i=1}^{\left|L\right|-1}}{A}_i{\overrightarrow{s}}_i^{+}$, ${\overrightarrow{s}}_{\left|L\right|}^{+}\leftarrow \mathrm{SamplePre}\left(A_{\left|L\right|},T_{\left|L\right|},{\overrightarrow{u}}^{\prime }\right)$ and outputs the secret key ${\overrightarrow{s}}^{+}=\left({\overrightarrow{s}}_1^{+},\cdots ,{\overrightarrow{s}}_{\left|L\right|}^{+}\right)$. The others are the same as $Gam{e}_0^b$.

From Lemma 2, we know the distribution of ${\overrightarrow{s}}^{+}$ statistically closes to $D_{{\Lambda }_q^{\overrightarrow{u^{\prime }}}\left(A\right),\sigma }$. The distribution of the real secret key $\overrightarrow{s}$ in the CP-ABPRE scheme also statistically closes to $D_{{\Lambda }_q^{\overrightarrow{u^{\prime }}}\left(A\right),\sigma }$. Thus the distribution of ${\overrightarrow{s}}^{+}$ is same as the real secret key $\overrightarrow{s}$. In addition, because $A{\overrightarrow{s}}^{+}=\overrightarrow{u}$, we have ${\overrightarrow{s}}^{+}{\approx }_s\overrightarrow{s}$. Thus, ${\mathrm{Game}}_0^b{\approx }_s{\mathrm{Game}}_1^b$.

$Gam{e}_2^b$: We modify the re-encryption key oracle ${\mathcal{O}}_{\mathrm{rk}}\left(W,W^{\prime }\right)$. We replace $\mathrm{P}2\left(R_{i,1\to 0}^T\right)+X_i$, $i\in S^{1,-}$, $\mathrm{P}2\left(R_{{}_{i,0\to 1}}^T\right)+X_i$, $i\in S^{1,+}$, and $Q_{i,0},Q_{i,1}$, $i\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right)$ with $Q_{{}_{i,1\to 0}}^{*},Q_{{}_{i,0\to 1}}^{*},Q_{{}_{i,0}}^{*},Q_{{}_{i,1}}^{*}\leftarrow D_{{\mathbb{Z}}^{m\times m⌈logq⌉},\sigma }$, respectively. The others are the same as $Gam{e}_1^b$.

Since $R_{i,1\to 0}\leftarrow \mathrm{SamplePre}\left(A_{i,1},T_{i,1},A_{i,0}\right)$, $R_{i,0\to 1}\leftarrow \mathrm{SamplePre}\left(A_{i,0},T_{i,0},A_{i,1}\right)$, $X_i,X_{i,0},X_{i,1}\leftarrow D_{{\mathbb{Z}}^{m\times m⌈logq⌉}}$ in the CP-ABPRE scheme, we know the distribution of $\mathrm{P}2\left(R_{i,1\to 0}^T\right)+X_i$, $i\in S^{1,-}$, $\mathrm{P}2\left(R_{{}_{i,0\to 1}}^T\right)+X_i$, $i\in S^{1,+}$, $Q_{i,0},Q_{i,1}$ statistically close to $D_{{\mathbb{Z}}^{m\times m⌈logq⌉},\sigma }$. Since the distribution of $Q_{{}_{i,0}}^{*},Q_{{}_{i,1}}^{*}\leftarrow D_{{\mathbb{Z}}^{m\times m⌈logq⌉},\sigma }$ are the same as $Q_{{}_{i,0}},Q_{{}_{i,1}}$, respectively, we have $Q_{{}_{i,0}}^{*}{\approx }_s{Q}_{i,0}$, $Q_{{}_{i,1}}^{*}{\approx }_s{Q}_{i,1}$. Thus, ${\mathrm{Game}}_0^b{\approx }_s{\mathrm{Game}}_1^b$.

$Gam{e}_3^b$: We modify the re-encryption oracle ${\mathcal{O}}_{\mathrm{re}}\left(r{k}_{S\to W^{\prime }},W^{\prime },C_W\right)$. We replace ${\overrightarrow{c}}_{i,0}^1,{\overrightarrow{c}}_{i,1}^1$ with ${\overrightarrow{c}}_{i,0}^{1,+},{\overrightarrow{c}}_{i,1}^{1,+}\leftarrow {\mathbb{Z}}_q^m$, respectively, $i\in \left[\right|L\left|\right]$. The others are the same as $Gam{e}_2^b$.

Since $Q_{{}_{i,0}}^{*},Q_{{}_{i,1}}^{*}\leftarrow D_{{\mathbb{Z}}^{m\times m⌈logq⌉},\sigma }$ and ${\overrightarrow{x}}_{{}_{i,0}}^1,{\overrightarrow{x}}_{{}_{i,1}}^1\leftarrow D_{{\mathbb{Z}}^m,\sigma }$, we cannot distinguish between the distribution of ${\overrightarrow{c}}_{i,0}^1,{\overrightarrow{c}}_{i,1}^1$ and the uniform distribution on ${\mathbb{Z}}_q^m$ under the LWE problem. Since ${\overrightarrow{c}}_{i,0}^{1,+},{\overrightarrow{c}}_{i,1}^{1,+}\leftarrow {\mathbb{Z}}_q^m$, we have ${\overrightarrow{c}}_{i,0}^{1,+}{\approx }_s{\overrightarrow{c}}_{i,0}^1,{\overrightarrow{c}}_{i,1}^{1,+}{\approx }_s{\overrightarrow{c}}_{i,1}^1$. Furthermore, ${\mathrm{Game}}_3^b{\approx }_s{\mathrm{Game}}_2^b$.

$Gam{e}_4^b$: We replace ${\mathrm{C}}_{W^{*}}\leftarrow \mathrm{Encrypt}(\mathrm{pp},{\mathrm{W}}^{*},\mu )$ with ${\overrightarrow{c}}^{+}\leftarrow {\mathbb{Z}}_q^{1+2\left|L\right|m}$, where ${\overrightarrow{c}}^{+}=\left(c^{+};{\left\{{\overrightarrow{c}}_{{}_{i,0}}^{+},{\overrightarrow{c}}_{{}_{i,1}}^{+}\right\}}_{i\in L}\right)$. The others are the same as $Gam{e}_3^b$.

We have $c^{+}{\approx }_{c}c$, ${\overrightarrow{c}}_{{}_{i,1}}^{+}{\approx }_c{\overrightarrow{c}}_{i,1}$,$i\in S^{+}\cup L\backslash \left(S^{+}\cup S^{-}\right)$, ${\overrightarrow{c}}_{{}_{i,0}}^{+}{\approx }_c{\overrightarrow{c}}_{i,0}$, $i\in S^{-}\cup L\backslash \left(S^{+}\cup S^{-}\right)$ under the LWE assumption and ${\overrightarrow{c}}_{{}_{i,1}}^{+}{\approx }_s{\overrightarrow{c}}_{i,1}$, $i\in S^{-}$, ${\overrightarrow{c}}_{{}_{i,0}}^{+}{\approx }_s{\overrightarrow{c}}_{i,0}$, $i\in S^{+}$. Thus ${\mathrm{C}}_{W^{*}}{\approx }_c{\overrightarrow{c}}^{+}$. Furthermore, ${\mathrm{Game}}_3^b{\approx }_c{\mathrm{Game}}_4^b$.

Finally, we can get ${\mathrm{Game}}_0^0{\approx }_c{\mathrm{Game}}_0^1$ by ${\mathrm{Game}}_4^0{\approx }_c{\mathrm{Game}}_4^1$. This completes the proof. □

Theorem 2.

Let $n,q,m,\sigma ,\alpha$ be as in the aforementioned. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at the re-encrypted ciphertext.

Proof. 

For $\left(W^{*},stat{e}_1\right)\leftarrow \mathcal{A}\left(1^{\kappa }\right)$, $\left(\mu ,W,stat{e}_2\right)\leftarrow {\mathcal{A}}^{{\mathcal{O}}_1}\left(pp,stat{e}_1\right)$ which are chosen by the adversary, The challenger encrypts $\mu \in \{0,1\}$ under access structure W and gets a corresponding ciphertext $C_W$ which is a random ciphertext C if $b=0$ or the real ciphertext ${\mathrm{C}}_W\leftarrow \mathrm{Encrypt}(\mathrm{pp},\mathrm{W},\mu )$ if $b=1$. By the $Gam{e}_4^b$ of Theorem 1, we know that the adversary cannot distinguish a random ciphertext C from the real ciphertext ${\mathrm{C}}_W\leftarrow \mathrm{Encrypt}(\mathrm{pp},\mathrm{W},\mu )$. For the re-encryption key $r{k}_{W\to W^{*}}$, the adversary cannot distinguish the real $r{k}_{W\to W^{*}}$ from a random Gaussian distribution by $Gam{e}_2^b$ of Theorem 1. Thus, the adversary cannot obtain any useful things for winning the game. At last, the challenger outputs the challenge re-encrypted ciphertext $C_{W^{*}}^{*}\leftarrow ReEnc\left(r{k}_{S\to W^{*}},C_W\right)$. By the LWE, we have $Q_{i,0}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1$, $i\in S^{1,-}\cup \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right)$ and the random uniform distributions are computationally indistinguishable, $Q_{i,1}BD\left({\overrightarrow{c}}_{i,0}\right)+{\overrightarrow{x}}_{{}_{i,1}}^1$, $i\in S^{1,+}\cup \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right)$ and the random uniform distributions are computationally indistinguishable. Thus, the advantage ${\mathrm{Adv}}_{\mathrm{CP}-\mathrm{ABPRE},\mathcal{A}}^{\mathrm{IND}-\mathrm{sAS}-\mathrm{CPA}-\mathrm{Re}}\left(\kappa \right)$ of the adversary is negligible. □

3.4. Comparison

We compare the related works in this subsection.

(1) Our scheme was constructed based on the LWE problem, and supports and-gates on positive and negative attributes. There are only two lattice-based ABE schemes that support this operation. Compared with the ABE scheme of [16,17], our scheme not only supports proxy re-encryption but also has smaller public parameters. The comparison results are given in

Table 2. Comparison of ciphertext-policy attribute-based encryption (CP-ABE) schemes. LWE: learning with errors; pp: public parameters; sk: secret key.

Cryptosystem	The Size of pp	Sizeof sk	Sizeof Ciphertext	Support and-Gateson Positive and Negative Attributes	LWE Assumption
[28]	$\left(2\left|L\right|+1\right)n\times \left(2\left|L\right|+1\right)m+n$	$\left|L\right|m$	$\left(2\right|L|+1-|S\left|\right)m$	YES	YES
[17]	$\left(2\left|L\right|+1\right)n\times \left(2\left|L\right|+1\right)m+n$	$\left|L\right|m$	1+$\left(2\right|L|+1)m$	YES	YES
Our scheme	$2\left|L\right|n\times 2\left|L\right|m+n$	$\left|L\right|m$	1+$2\left|L\right|m$	YES	YES

. S is a set of all attributes in the access structure.

(2) The existing CP-ABPRE schemes are constructed by bilinear pairing [15,27,29], which are fragile when the post-quantum future comes. Our CP-ABPRE was constructed based on LWE, which is widely believed to be secure in quantum computer attacks.

(3) Compared with the PRE based on LWE, our scheme is the first CP-ABPRE scheme based on LWE and has the same computational complexity $O\left(n^2\right)$. The comparison results are in

Table 3. Comparison for proxy re-encryption (PRE) schemes.

Cryptosystem	Interactivity	Directionality	Security	LWE Assumption	Access Control
[8]	NO	Unidirectional	CPA	YES	NO
[9]	NO	Unidirectional	CPA	YES	NO
[10]	NO	Unidirectional	CPA	YES	NO
[30]	YES	Bidirectional	CPA	YES	NO
[31]	NO	Unidirectional	CPA	YES	NO
[32]	NO	Unidirectional	CPA	YES	NO
Our scheme	NO	Unidirectional	CPA	YES	YES

.

4. Extension

In this section, we extend our CP-ABPRE scheme to a CP-ABPRE-KS scheme based on [17].

Definition 5.

A single-hop unidirectional CP-ABPRE-KS scheme consists of the following eight algorithms:

1. Setup($n,m,q,L$): For positive integers $n,m,q$, and a set of attributes L, the TA outputs public parameters $pp$ and master secret key $msk$.

2. KeyGen($pp,msk,S$): For $pp,msk$ and an attribute set S of user (DO or DU), the TA outputs secret key $s{k}_S$ for S.

3. Encrypt($pp,W,kw,\mu$): For $pp$, a message μ, a keyword $kw$, and an access structure W over the attribute set L, the DO outputs ciphertext $C_W$.

4. Decrypt($pp,C_{W,kw},s{k}_S,S$): For $pp,C_{W,kw},S$ and its corresponding secret key $s{k}_S$, the user (DO or DU) outputs plaintext μ if $S\vDash W$ or a symbol ⊥ indicating either $C_W$ is invalid or $S⊭W$.

5. ReKeyGen($pp,S,W,W^1$): For $pp$, two access structures $W,W^1$ and an attribute set S, if $S\vDash W$, and W and $W^1$ are disjoint, the TA outputs re-encryption key $r{k}_{W\to W^1}$, otherwise outputs a symbol ⊥.

6. ReEnc($pp,C_{W,kw},r{k}_{W\to W^1}$): For $pp$, $C_{W,kw}$, $r{k}_{W\to W^1}$, the CSP outputs the re-encrypted ciphertext $C_{W^1,kw}$.

7. Trapdoor($pp,msk,S,kw$): For $pp,msk,kw$, and a DU’s attribute set S, the TA returns the trapdoor $T_{kw}$.

8. Test ($pp,T_{kw},C_{W,k{w}^{\prime }},R$): For $pp,T_{kw}=\overrightarrow{e},C_{W,k{w}^{\prime }}$, the DU constructs a list R about the positive or negative information of attributes, and sends R to CSP. The CSP returns η, where $\eta =1$ means $kw=k{w}^{\prime }$, $\eta =0$ means $kw\ne k{w}^{\prime }$.

The CP-ABPRE-KS scheme is shown below.

1. Setup($n,m,q,L$): Given positive integers $n,m,q$, and a set of attributes L, the TA chooses a hash function $H:{\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_q^n$, samples $\overrightarrow{u}\leftarrow {\mathbb{Z}}_q^n$, computes $\left(A_{i,b},T_{i,b}\right)\leftarrow TrapGen\left(q,n\right)$ for $i\in L$, where $b\in \{0,1\}$ and returns public parameters $pp=\left({\left\{A_{i,b}\right\}}_{i\in L}^{b\in \left\{0,1\right\}},\overrightarrow{u},H\right)$ and master secret key $msk=\left({\left\{T_{i,b}\right\}}_{i\in L}^{b\in \left\{0,1\right\}}\right)$.

2. KeyGen($pp,msk,S$): Given $pp,msk$, and an attribute set S of the DU, where $S\subseteq L$, the TA lets $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S\\ A_{i,1},& i\in S\end{array}\right.$, computes $\overrightarrow{s}\leftarrow \mathrm{SamplePre}\left(A,T,\overrightarrow{u}\right)$, and returns secret key $s{k}_S=\overrightarrow{s}$, where $A=\left(A_1|\cdots |A_{\left|L\right|}\right)$, $T=\left[\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_{\left|L\right|}\end{array}\right]$, $T_i$ is the basis for ${\Lambda }_q^{\perp }\left(A_i\right)$, $i\in L$.

3. Encrypt($pp,W,kw,\mu$): Given $pp$, a message $\mu \in \{0,1\}$, a keyword $kw$, and an access structure W, the DO denotes $S^{+}\left(S^{-}\right)$ as the positive (negative) attribute set in W, computes

$$c={\overrightarrow{u}}^T\overrightarrow{f}+x_c+⌊\frac{q}{2}⌋\mu ,$$

$$p=H{\left(kw\right)}^T\overrightarrow{f}+x_p,$$

$${\overrightarrow{c}}_{i,0}=\left\{\begin{array}{cc}{\overrightarrow{z}}_{i,0},& i\in S^{+}\\ A_{{}_{i,0}}^T\overrightarrow{f}+{\overrightarrow{x}}_{i,0},& i\in S^{\_}\end{array}\right.,$$

$${\overrightarrow{c}}_{i,1}=\left\{\begin{array}{cc}{A}_{{}_{i,1}}^T\overrightarrow{f}+{\overrightarrow{x}}_{i,1},& i\in S^{+}\\ {\overrightarrow{z}}_{i,1},& i\in S^{-}\end{array}\right.,$$

$$\left(\begin{array}{c}{\overrightarrow{c}}_{j,0}\\ {\overrightarrow{c}}_{j,1}\end{array}\right)=\left(\begin{array}{c}{A}_{{}_{j,0}}^T\\ A_{{}_{j,1}}^T\end{array}\right)\overrightarrow{f}+\left(\begin{array}{c}{\overrightarrow{x}}_{j,0}\\ {\overrightarrow{x}}_{j,1}\end{array}\right),$$

$j\in L\backslash \left(S^{+}\cup S^{-}\right)$, and returns ciphertext

$$C_{W,kw}=\left(c;p;{\left\{{\overrightarrow{c}}_{i,0},{\overrightarrow{c}}_{i,1}\right\}}_{i\in L}\right),$$

where $x_c,x_p\leftarrow \chi$, $\overrightarrow{f}\leftarrow {\chi }^n$, ${\overrightarrow{z}}_{i,0},{\overrightarrow{z}}_{i,1},{\overrightarrow{x}}_{i,0},{\overrightarrow{x}}_{i,1}\leftarrow {\chi }^m$.

4. Decrypt($pp,C_{W,kw},s{k}_S,S$): After receiving the cipthertext $C_{W,kw}$ from CSP, the DU computes $\overrightarrow{y}=\left({\overrightarrow{y}}_1;\cdots ;{\overrightarrow{y}}_{\left|L\right|}\right)$ by ${\overrightarrow{y}}_i=\left\{\begin{array}{cc}{\overrightarrow{c}}_{i,1},& i\in S\\ {\overrightarrow{c}}_{i,0},& else\end{array}\right.$, and then outputs 0 if $\left(-{\overrightarrow{s}}^T|1\right)\left({\overrightarrow{y}}^T;c\right)=c-{\overrightarrow{y}}^T\overrightarrow{s}$ is closer to 0 than to $⌊\frac{q}{2}⌋$ modulo q, and 1 otherwise.

5. ReKeyGen($pp,S,W,W^1$): After receiving $pp,S$, two access structures $W,W^1$ from DO, if $W,W^1$ are not disjoint or $S⊭W$, then the TA outputs ⊥, and otherwise denotes the positive (negative) attribute set in $W^1$ as $S^{1,+}\left(S^{1,-}\right)$, noting $S^{1,+}\subseteq L,S^{1,-}\subseteq L$, then computes

$$Q_{i,0}\leftarrow \left\{\begin{array}{cc}{\overline{X}}_i,\hfill & i\in S^{1,+}\hfill \\ \mathrm{P}2\left(R_{i,1\to 0}^T\right)+X_i,\hfill & i\in S^{1,-}\hfill \end{array}\right.,$$

$$Q_{i,1}\leftarrow \left\{\begin{array}{cc}\mathrm{P}2\left(R_{{}_{i,0\to 1}}^T\right)+X_i,\hfill & i\in S^{1,+}\hfill \\ \overline{X_i},\hfill & i\in S^{1,-}\hfill \end{array}\right.,$$

$$Q_{i,0}\leftarrow P2\left(R_{{}_{i,1\to 0}}^T\right)+X_{i,0},i\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right),$$

$$Q_{i,1}\leftarrow P2\left(R_{{}_{i,0\to 1}}^T\right)+X_{i,1},i\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right),$$

where $R_{i,1\to 0}\leftarrow \mathrm{SamplePre}\left(A_{i,1},T_{i,1},A_{i,0}\right)$, $R_{i,0\to 1}\leftarrow \mathrm{SamplePre}\left(A_{i,0},T_{i,0},A_{i,1}\right)$, $X_i,X_{i,0},X_{i,1}\leftarrow {\chi }^{m\times m⌈logq⌉}$, $\overline{X_i}\leftarrow {\mathbb{Z}}_q^{m\times m⌈logq⌉}$ and finally returns re-encryption key $r{k}_{W\to W^1}=\left({\left\{Q_{i,0},Q_{i,1}\right\}}_{i\in L}\right)$.

6. ReEnc($pp,C_{W,kw},r{k}_{W\to W^1}$): Given $pp,C_{W,kw},r{k}_{W\to W^1}$, the CSP computes

$${\overrightarrow{c}}_{{}_{i,0}}^1=\left\{\begin{array}{cc}{Q}_{i,0}BD\left({\overrightarrow{c}}_{i,1}\right)+{\overrightarrow{x}}_{{}_{i,0}}^1,\hfill & i\in S^{1,-}\hfill \\ {\overrightarrow{z}}_{{}_{i,0}}^1,\hfill & i\in S^{1,+}\hfill \end{array}\right.,$$

$${\overrightarrow{c}}_{{}_{i,1}}^1=\left\{\begin{array}{cc}{Q}_{i,1}BD\left({\overrightarrow{c}}_{i,0}\right)+{\overrightarrow{x}}_{{}_{i,1}}^1,\hfill & i\in S^{1,+}\hfill \\ {\overrightarrow{z}}_{{}_{i,1}}^1,\hfill & i\in S^{1,-}\hfill \end{array}\right.,$$

$${\overrightarrow{c}}_{j,0}^1=Q_{i,0}BD\left({\overrightarrow{c}}_{j,1}\right)+{\overrightarrow{x}}_{j,0}^1,$$

$${\overrightarrow{c}}_{{}_{j,1}}^1=Q_{i,1}BD\left({\overrightarrow{c}}_{j,0}\right)+{\overrightarrow{x}}_{{}_{j,1}}^1,$$

$$j\in \left(L\backslash \left(S^{1,+}\cup S^{1,-}\right)\right),$$

where ${\overrightarrow{x}}_{{}_{i,0}}^1,{\overrightarrow{x}}_{{}_{j,0}}^1\leftarrow {\chi }^m$, ${\overrightarrow{z}}_{{}_{i,0}}^1,{\overrightarrow{z}}_{{}_{i,1}}^1\leftarrow {\mathbb{Z}}_q^m$ and outputs the re-encrypted ciphertext

$$C_{W^1,kw}=\left(c;p;{\left\{{\overrightarrow{c}}_{i,0}^1,{\overrightarrow{c}}_{i,1}^1\right\}}_{i\in L}\right).$$

7. Trapdoor($pp,msk,S,kw$): Given $pp,msk,kw$ and a DU’s attribute set S, the TA computes $H\left(kw\right)$ and a matrix $A=\left(A_1|\cdots |A_{\left|L\right|}\right)$, where $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S\\ A_{i,1},& i\in S\end{array}\right.$, and computes $\overrightarrow{e}\leftarrow \mathrm{SamplePre}\left(A,T,H\left(kw\right)\right)$ and returns the trapdoor $T_{kw}=\overrightarrow{e}$, where $T=\left[\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_n\end{array}\right]$, $T_i$ is the basis for ${\Lambda }_q^{\perp }\left(A_i\right)$, $i\in L$.

8. Test ($pp,T_{kw},C_{W,k{w}^{\prime }},R$): Given $pp,T_{kw}=\overrightarrow{e},C_{W,k{w}^{\prime }}$, the DU constructs a list R about the positive or negative information of attributes, and sends R to CSP. The CSP computes $\overrightarrow{y}=\left({\overrightarrow{y}}_1;\cdots ;{\overrightarrow{y}}_{\left|L\right|}\right)$ by ${\overrightarrow{y}}_i=\left\{\begin{array}{cc}{\overrightarrow{c}}_{i,1},& iispositiveattribute\\ {\overrightarrow{c}}_{i,0},& else\end{array}\right.$, and returns $\eta =\left\{\begin{array}{cc}1,& \left|p-{\overrightarrow{e}}^T\overrightarrow{y}\right|<\frac{q}{4}\\ 0,& else\end{array}\right.$, where $\eta =1$ means $kw=k{w}^{\prime }$, $\eta =0$ means $kw\ne k{w}^{\prime }$.

Figure 2 shows the sequence diagram of the whole scheme. Since the $c,p$ in the original ciphertext are same as the c in the re-encrypted ciphertext, and the construction of $c={\overrightarrow{u}}^T\overrightarrow{f}+x_c+⌊\frac{q}{2}⌋\mu$ and $p=H{\left(kw\right)}^T\overrightarrow{f}+x_p$ are similar. Therefore, the correctness of the CP-ABPRE-KS scheme can be proved by the correctness of the CP-ABPRE scheme.

Based on the security definition of [17,21], we can define the IND-sAS-CKA (chosen keyword attacks) secure at the original ciphertext for the CP-ABPRE-KS scheme by modifying Definition 3 as follows:

(1) Adding Trapdoor oracle ${\mathcal{O}}_{\mathrm{tr}}\left(pp,S,kw\right)$ to the Learning Phase.

${\mathcal{O}}_{\mathrm{tr}}\left(pp,S,kw\right)$: The adversary inputs an attribute set S and $H\left(kw\right)$. If $\mathrm{S}⊭{\mathrm{W}}^{*}$, then challenger returns $\overrightarrow{e}\leftarrow Trapdoor(pp,msk,S,kw)$, where $A=\left(A_1|\cdots |A_{\left|L\right|}\right)$, $A_i=\left\{\begin{array}{cc}{A}_{i,0},& i\in L\backslash S\\ A_{i,1},& i\in S\end{array}\right.$, $T=\left[\begin{array}{ccc}{T}_1& & \\ & \ddots & \\ & & T_n\end{array}\right]$, $T_i$ is the basis for ${\Lambda }_q^{\perp }\left(A_i\right)$, $i\in L$.

(2) Modifying the $\mathbf{Challenge}$.

Challenge: If the adversary finishes all of the oracles’ queries, then the adversary sends $k{w}_0,k{w}_1$ to the challenger. For a coin $b\in \left\{0,1\right\}$, the challenger returns a random ciphertext C if $b=0$ or the real ciphertext ${\mathrm{C}}_{W^{*}}\leftarrow \mathrm{Encrypt}(\mathrm{pp},{\mathrm{W}}^{*},kw)$ if $b=1$.

The others are the same as Definition 3.

Note that H is a hash function (random oracle) and $\overrightarrow{e}\in D_{{\mathbb{Z}}^m,\sigma }$, the security of the CP-ABPRE-KS scheme in the random model can be proved by the security of the CP-ABPRE scheme.

5. Conclusions

Focusing on the safe and efficient issue of cloud sharing, we construct the first CP-ABPRE scheme based on LWE. The CP-ABPRE scheme consists of six algorithms, and has small public parameters. Then, we show the correctness and parameters of the scheme, and prove the security under LWE. Because the data owner encrypts the data using the ABE scheme and then uploads the ciphertexts to the cloud, the data owner can implement fine-grained access control on the data. When the data owner wants to share the data with the data user who cannot access the data, the data owner only needs to send the re-encryption key to the cloud. The cloud implements the tedious re-encrypted ciphertexts generation calculation, and converts the ciphertexts under one access structure into re-encrypted ciphertexts under another access structure without decrypting the ciphertexts. The CP-ABPRE-KS scheme can search data without compromising data confidentiality, and can also transfer heavy data search operations to the cloud which reduces the computing burden of the user. In addition, because the LWE assumption is generally considered to be able to resist quantum computing attacks, the two schemes in this paper can guarantee the security under quantum computing attacks. However, the two schemes can only transform the ciphertexts under disjoint access structures. We will further study the conversion under more general access structures and the hierarchical key assignment schemes (HKASs) to achieve fine-grained access control.