
Journal of Information Security and Applications 65 (2022) 103108

Contents lists available at ScienceDirect

Journal of Information Security and Applications

journal homepage: www.elsevier.com/locate/jisa

Practical revocable and multi-authority CP-ABE scheme from RLWE for Cloud Computing

Yang Yang, Jianguo Sun, Zechao Liu ∗, YuQing Qiao
Department of Computer Science and Technology, Harbin Engineering University, Harbin 150001, China

ARTICLE INFO

Keywords: Attribute-based encryption; RLWE; Multi-authority; Attribute revocation; Multi-valued attributes

ABSTRACT

Cloud computing provides enterprises and individuals with unlimited computing resources and expandable storage space. However, data leakage occurs frequently due to the lack of protection measures in the cloud storage environment. Consequently, how to protect data security in the cloud has become a critical issue. Attribute-based encryption (ABE) is an emerging encryption technique, which protects sensitive information and provides access control for data stored in the cloud. However, most existing ABE schemes cannot resist quantum attacks and lack the capability of implementing flexible revocation of a user or an attribute when the attributes of a user change, which hinders the practical application of ABE. In this research, we present a Revocable and Multi-authority ciphertext-policy attribute-based encryption (RM-CP-ABE) from the ring learning with errors (RLWE) assumption, which supports multi-authority and multi-valued attributes. The scheme allows multiple authorities to be involved in key distribution, and achieves attribute revocation when the user's access rights change. Also, the scheme enjoys reasonable computational cost and storage overhead, and is proven selectively secure under the RLWE assumption. The simulation results indicate that the performance of the proposed scheme is acceptable for practical applications.

1. Introduction

Cloud computing, which is known as a promising service, provides both adequate computing resources and scalable storage space for enterprises or individuals on demand. Currently, many dominant IT companies provide users with cloud computing services, such as Google, Microsoft and Amazon, etc. The data in the cloud can be used by customers for various purposes [1], including developing applications, sharing documents, browsing emails or enjoying videos, etc.

In the neoteric cloud computing architecture, data is regarded as one of the ingredients, which is stored, transferred and accessed in the remote servers provided by cloud service providers (CSP), instead of the local host computers. However, this raises a crucial challenge, as remote servers cannot support the original techniques, such as the access control of local computers, to protect data confidentiality [2]. Consumers are naturally concerned about data leakage. Moreover, CSPs are generally not regarded as fully trusted. What happens in this context is that data owners lose the security control of their data to some extent, which may result in the unauthorized disclosure of confidential information by the CSP. In such a case, when customers access the data in the cloud, malicious attackers may collect this information without authentication, and further infer their behaviors, which makes users unwilling to migrate their data into the cloud. Therefore, how to ensure the confidentiality of the data has become a predominant challenge in the cloud.

Clearly, a desirable measure is to encrypt sensitive data before uploading it to the cloud. Several user authentication schemes [3,4] have been constructed to alleviate the risk to personal data, but they cannot support flexible access control. For example, a message is encrypted with the public key of a recipient, and only the recipient's private key can decrypt it. However, in practical applications, data security is no longer the only security requirement for cloud computing. A more practical solution is to assign individuals access rights depending on their privileges and attributes.

Attribute-based encryption (ABE) is a prospective cryptographic paradigm providing fine-grained access control for outsourced data. The seminal notion of ABE was first proposed by Sahai and Waters [5], termed fuzzy identity-based encryption (FIBE). Goyal et al. [6] constructed the first ABE cryptosystem and divided ABE into Key-Policy Attribute-based encryption (KP-ABE) and Ciphertext-Policy Attribute-based encryption (CP-ABE). From the perspective of application, CP-ABE is considered a suitable tool to protect the integrity of private data stored in the cloud. It allows data owners to define an authorized attribute set as the access control policy, which is embedded into the ciphertext. Each consumer can obtain a secret key corresponding to

∗ Corresponding author.
E-mail address: liuzechao@hrbeu.edu.cn (Z. Liu).

https://doi.org/10.1016/j.jisa.2022.103108

Available online 10 February 2022


2214-2126/© 2022 Elsevier Ltd. All rights reserved.

their attribute set. The condition for successful decryption is that the attribute set satisfies the access policy.

More recently, many effective ABE schemes have been applied to preserve data privacy for IoT environments [7], healthcare systems [8] and vehicular networks [9]. Agrawal et al. [10] proposed a general ABE construction that supports arbitrary-length input. Mandal [11] proposed an ABE scheme with constant-size secret keys that can significantly reduce computing and storage overhead. Li et al. [12] provided a novel CP-ABE scheme with policy updating, which allows the data owner to update the access policy in the ciphertext dynamically. However, there remain several challenges for the practical application of ABE. In standard ABE schemes, the attribute universe is managed by a single central authority instead of being divided into sub-domains maintained by different authorities. Once the central authority is compromised by an adversary, any user with unauthorized attributes will be able to decrypt the ciphertext. For instance, a user or an engineer can freely access a project developed by universities together with enterprises. In this case, the attributes ''student'' and ''engineer'' should be controlled by the school and the enterprise, respectively. Chase [13] first provided the construction of a multi-authority attribute-based encryption (MA-ABE) scheme, which enables multiple attribute authorities to distribute keys corresponding to the attributes in their respective sub-domains.

Another aspect is that users' attributes may change according to the actual situation, and their access rights should be modified correspondingly. Consequently, it is necessary to construct schemes that realize revocation of user attributes. Many prominent revocable ABE schemes [14,15], which hold desirable computational overhead, have been designed for this requirement. Horng et al. [16] proposed a multi-authority CP-ABE scheme supporting attribute and user revocation. In particular, relying on outsourced computation, the scheme alleviates the computational load of resource-constrained devices.

Importantly, the aforesaid works are constructed on bilinear pairings, so they cannot resist the threat of current quantum algorithms. The capabilities of quantum computers are far beyond the reach of classical computers; this means that once quantum computers are widely used, these schemes based on the discrete logarithm problem will become vulnerable and fail to ensure data confidentiality in cloud computing. Lattice-based cryptographic construction is one of the excellent candidates in the post-quantum era because it is universally considered to be secure against quantum computers' attacks. Ajtai [17] first presented the primitive construction on lattices and proved that attacking the scheme is as hard as solving the Shortest Vector Problem (SVP). Regev [18] first proposed the learning with errors (LWE) problem and formally provided a reduction from worst-case lattice problems to the LWE problem. Gentry et al. [19] proposed a striking building block to generate a lattice trapdoor in the form of a short basis, and presented an LWE-based IBE scheme using the block. Agrawal et al. [20] proposed a hierarchical IBE scheme. Singh et al. [21] proposed an identity-based proxy re-encryption from lattices, which is non-interactive and enjoys a strong trapdoor function. Tian et al. [22] proposed a lattice-based MA-ABE with hidden policies, but it costs a huge amount of computing resources, because their scheme involves costly computations of matrix inverses.

One inherent flaw in the above schemes is that the trapdoor generation operation requires particularly complex inversion algorithms and matrix multiplication, so the concrete construction is not desirable for practice. Micciancio et al. [23] proposed an efficient trapdoor construction, which can significantly improve computing efficiency and reduce storage overhead. The authors of [24] proposed the ring learning with errors (RLWE) problem to improve the inherent computational overhead of LWE. Furthermore, Bansarkhani et al. [25] constructed a Gaussian sampler based on the RLWE problem, and clarified that the ring-based construction is more capable than the matrix version in the aspects of computational complexity and storage requirement. Two practical ABE schemes are proposed by [26] and [27], whereas neither of them considers supporting attribute revocation and the multiple-authority mechanism. Nonetheless, the secret keys of users inherently remain valid when their attributes are changed depending on requirements, i.e., the original keys can still successfully decrypt the message.

1.1. Our contributions

The objective of this work is to implement an RLWE-based CP-ABE scheme with attribute revocation and multi-authority for the practical environment of cloud storage. Our scheme introduces multi-valued attributes. Namely, the value of each attribute in our scheme can be a certain value in a range, such as the attribute ''age=20''. The primary challenge in our work is how to construct a ring version of the SampleRight algorithm to reply to the secret key queries of the adversary. Here we utilize the contribution of [25] to design a RingSampleRight algorithm. Briefly speaking, we make the following contributions:

1. We construct a Revocable and Multi-authority CP-ABE scheme from the hardness of the RLWE problem (RM-CP-ABE), which supports multi-valued attributes. The scheme provides the property of attribute revocation for the user whose attributes are changed. Additionally, the multi-authority mechanism makes our scheme suitable for practice.
2. The theoretical analyses demonstrate that our scheme enjoys reasonable computational efficiency and storage overhead. More importantly, we provide an implementation of the proposed scheme. The simulation results indicate that the performance of this work is acceptable for practical applications.
3. The security proof shows that our scheme is selectively secure under the (decisional) ring learning with errors assumption.

1.2. Related work

In 2011, Lewko et al. [28] constructed a CP-ABE with multiple authorities. The critical characteristic of the scheme is that it can resist collusion attacks of illegal users. However, the construction relies on composite-order bilinear groups, so it contains expensive exponentiations. Since then, plenty of lightweight constructions [29–31] were proposed to resolve the performance bottleneck caused by heavy computational cost.

Several lattice-based ABE schemes have been proposed to consider post-quantum security for real scenarios. Chen et al. [32] presented an LWE-based revocable IBE scheme whose revocation function relies on the binary-tree structure. To achieve fine-grained access policies, Boyen [33] proposed a key-policy attribute-based encryption scheme for monotone access structures. Unfortunately, the scheme is not satisfactory in terms of storage overhead and computational efficiency. Zhang et al. [34] proposed a CP-ABE scheme in which the access policy is defined as a set of positive and negative attributes. The condition for a user to decrypt successfully is that she/he holds all the positive attributes and none of the negative attributes in the access policy. Zhang et al. [35] introduced a CP-ABE scheme with the property of multi-valued attributes.

A natural problem is that only one attribute authority generates key components, which may bring about excessive load. Thus, Zhang et al. [36] designed the first MA-ABE scheme from lattices utilizing the building block of [37]. In fact, the scheme only generates a one-bit ciphertext by performing an encryption operation once. Towards solving this problem, Liu et al. [38] proposed an MA-ABE scheme for cloud computing. However, attribute revocation is not considered in the scheme. Both the LWE-based constructions [39] and [40] attempt to support revocation mechanisms with respect to user attributes, but they still retain heavy computational cost. Most recently, Wang et al. [41] proposed a decentralized ABE based on functional encryption for inner products. Nevertheless, the scheme requires complex matrix multiplications, which slightly limits its applicability to practical environments.


Datta et al. [42] constructed an elegant decentralized MA-ABE scheme relying on the LWE assumption. Technically, by introducing a secret sharing scheme, the scheme enjoys expressive access policies, although the authors declared that the construction is not more efficient than existing schemes. One closely related construction was proposed in Ref. [43], which supports threshold access policies. One highlight of our work is that we employ more efficient sampling algorithms, which significantly improves the computational efficiency. Moreover, once the attribute revocation operation is required in the scheme of [43], one needs to re-execute the Encrypt algorithm to generate the ciphertext. In this setting, data owners have to endure a high computational load, which runs counter to the actual scenario.

1.3. Organization

The rest of the paper is organized as follows: Section 2 describes the preliminaries and definitions required for this paper. The background and related sampling algorithms of lattices are provided in Section 3. In Section 4, we give the concrete construction and security proof of the proposed scheme. The performance analysis is presented in Section 5. Finally, we conclude this work in Section 6.

2. Preliminaries

In this section, we introduce the notation and define the system model, syntax and security model of our work.

2.1. Notation

Let $\mathcal{R} = \mathbb{Z}[x]/\langle x^n + 1\rangle$ be a cyclotomic polynomial ring, where each ring element is a polynomial of degree at most $n-1$, and its coefficients are integers. Throughout this paper, we take $n$ as a power of 2. Also, let $\mathcal{R}_q = \mathcal{R}/q\mathcal{R}$ denote the ring of integer polynomials reduced modulo $q$, where $q$ is the modulus. $\mathcal{R}_q^{1\times m}$ (or $\mathcal{R}_q^{m}$) represents a row (or column) vector whose elements are in $\mathcal{R}_q$. We use bold lowercase and uppercase letters to stand for vectors and matrices respectively, and regular letters stand for scalars.

Define $\mathbf{A} \leftarrow Tran_{V\to M}(\mathbf{a})$ as a function that maps $\mathbf{a} \in \mathcal{R}_q^{m}$ to a matrix $\mathbf{A} \in \mathbb{Z}_q^{m\times n}$ whose rows consist of the coefficient vectors of the elements of $\mathbf{a}$. We denote the $\ell_2$ norm of $\mathbf{a}$ as $\|\mathbf{a}\|$. For a matrix $\mathbf{R}$, $\|\mathbf{R}\|$ denotes the norm of its longest column, i.e., $\|\mathbf{R}\| = \max_i \|\mathbf{r}_i\|$. Let $\mathbf{a} \leftarrow Tran_{M\to V}(\mathbf{A})$ denote mapping each row of the matrix $\mathbf{A}$ to an element of $\mathbf{a}$. $a \leftarrow_U \mathcal{R}_q$ denotes that the element $a$ is sampled uniformly from $\mathcal{R}_q$. For integers $M$ and $N$ ($0 < M < N$), $[M, N]$ stands for the set $\{M, \ldots, N\}$. In particular, $[N]$ denotes $\{1, \ldots, N\}$. For an access policy $\mathbb{A}$ and an attribute set $S$, let $S \models \mathbb{A}$ denote that $S$ satisfies $\mathbb{A}$. Moreover, the ring vector $[\mathbf{a}|\mathbf{b}] \in \mathcal{R}_q^{1\times 2m}$ denotes the concatenation of row vectors $\mathbf{a}, \mathbf{b} \in \mathcal{R}_q^{1\times m}$, and the ring vector $[\mathbf{a}; \mathbf{b}] \in \mathcal{R}_q^{2m}$ denotes the concatenation of column vectors $\mathbf{a}, \mathbf{b} \in \mathcal{R}_q^{m}$.

2.2. System model

The system model, as shown in Fig. 1, includes five entities: central authority (CA), attribute authorities (AAs), data owner (DO), users and cloud server (CS).

Fig. 1. The framework of system model.

• CA is a completely credible entity in the system. It processes registration requests from users and AAs and assigns a unique identity $gid$ to a user and an $aid_\theta$ ($\theta \in [N]$) to the $\theta$th attribute authority, where $N$ is the number of attribute authorities.
• Each AA is in charge of its attribute sub-domain and produces a secret key for the user possessing attributes under its control. Moreover, it is involved in attribute revocation and key update operations. Note that there is no interaction between AAs.
• DO can encrypt data using the specified access policy in light of their requirements and upload the encrypted data to CS. The access policy in the form of a $(k, l)$-threshold contains normal attributes and virtual attributes. Essentially, the normal attributes can be viewed as some characteristics of a user, and the virtual attributes are introduced to support threshold access policies in our construction. For concreteness, users hold all the virtual attributes by default. The only condition to satisfy the access policy is that the number of normal attributes held by the user exceeds the threshold $k$.
• Users in the system have a set of normal attributes and virtual attributes, and those with legal identities can request key components from AAs. Additionally, any user can download data from CS but can access the plaintext only if his/her attributes satisfy the access policy defined by DO.
• The role of CS is to provide a scalable storage space for registered DOs.

2.3. Syntax of RM-CP-ABE

The RM-CP-ABE scheme consists of the following definitions.

• $GlobalSetup(1^\lambda, N) \to pp$: The central authority takes in a security parameter $\lambda$ and the number of authorities $N$. It returns a public parameter $pp$.
• $AASetup(pp, \theta) \to (PK_\theta, SK_\theta)$: Each attribute authority $AA_\theta$ receives the public parameter $pp$ and a number $\theta$ representing the $\theta$th authority. It publishes a pair $(PK_\theta, SK_\theta)$ as the public and secret key of $AA_\theta$.
• $PriKeyGen(pp, SK_\theta, gid, Att_{gid,\theta}) \to SK_{gid,\theta}$: The algorithm takes in $pp$, $SK_\theta$, an identity $gid$ and a set of attributes $Att_{gid,\theta}$ issued by $AA_\theta$. It produces a private key $SK_{gid,\theta}$ associated with $AA_\theta$. We note that one can interact with multiple authorities to obtain an entire private key $SK_{gid}$.
• $KeyUpdGen(pp, PK_\theta, SK_\theta, RL_{gid,\theta}, t_\theta) \to KU_{t,\theta}$: The algorithm takes in $pp$, the public key $PK_\theta$, the secret key $SK_\theta$, a revocation list $RL_{gid,\theta}$ belonging to an $AA_\theta$ and an attribute updating time $t_\theta$. It returns an update key $SK_{gid,\theta}$ associated with $AA_\theta$. Also, a user interacts with multiple authorities to obtain an entire update key $KU_t$.
• $DecKeyGen(pp, SK_{gid}, KU_t, \mathbb{A}) \to DK_{gid,t}$: The algorithm takes in $pp$, $SK_{gid}$, $KU_t$ and an access policy $\mathbb{A}$. It returns a decryption key $DK_{gid,t}$.
• $Encrypt(pp, \mathbb{A}, \{PK_\theta\}_{\theta\in[N]}, M, t) \to CT$: The algorithm takes in $pp$, the access policy $\mathbb{A}$, the set of public keys $\{PK_\theta\}_{\theta\in[N]}$, a message $M$ and an encryption time $t$. It generates a ciphertext $CT$.


• $Decrypt(pp, DK_{gid,t}, CT) \to (M/\bot)$: The algorithm takes in $pp$, $DK_{gid,t}$ and the ciphertext $CT$. It returns the message $M$ if decryption is successful, otherwise it returns a distinctive symbol $\bot$.
• $RLUpd(\widetilde{Att}_{gid,\theta}, RL_{gid,\theta}, t_\theta) \to \widehat{RL}_{gid,\theta}$: The algorithm takes in a revocation attribute set $\widetilde{Att}_{gid,\theta}$, the revocation list $RL_{gid,\theta}$ and the revocation time $t_\theta$ related to $AA_\theta$. It returns the updated list $\widehat{RL}_{gid,\theta}$.

For correctness, it is required that when the user's attribute set $Att_{gid} = \bigcup_{\theta\in[N]} Att_{gid,\theta}$ and the access policy $\mathbb{A}$ satisfy the constraint $Att_{gid} \models \mathbb{A}$, the algorithm $Decrypt(pp, DK_{gid,t}, CT)$ returns the correct message $M$ with overwhelming probability.

2.4. Security model

We now provide the selective-revocable-ID security game [32] between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Initialization: $\mathcal{A}$ declares a challenge access structure $\mathbb{A}^*$ and time $t^*$, and sends them to $\mathcal{C}$. Besides, $\mathcal{A}$ publishes $CorAA$, which is a list composed of corrupted authorities.

Setup: $\mathcal{C}$ performs the $GlobalSetup$ and $AASetup$ algorithms to acquire $pp$ and the pairs $(PK_\theta, SK_\theta)$. Each authority obtains $pp$ and $PK_\theta$ if it is not corrupted. Otherwise, it additionally obtains $SK_\theta$.

Phase 1: The adversary $\mathcal{A}$, who holds the attribute set $Att_{gid}$, adaptively performs a polynomial number of the following queries.

• $\mathcal{A}$ submits the attribute set $Att_{gid}$ to $\mathcal{C}$ repeatedly. Then $\mathcal{C}$ returns a private key $SK_{gid}$ by performing the algorithm $PriKeyGen(\cdot)$.
• $\mathcal{A}$ submits a revocation list $RL_{gid}$ and a time $t$ to $\mathcal{C}$ repeatedly. Then $\mathcal{C}$ returns an update key $KU_t$ by performing the algorithm $KeyUpdGen(\cdot)$.
• $\mathcal{A}$ submits an attribute set $\widetilde{Att}_{gid}$, a revocation list $RL_{gid}$ and a time $t$ to $\mathcal{C}$. Then $\mathcal{C}$ returns a revocation list $\widehat{RL}_{gid,\theta}$ by performing the algorithm $RLUpd(\cdot)$.

The implicit constraints in this phase require that $Att_{gid}$ cannot satisfy $\mathbb{A}^*$, and that the query operations of the adversary are only permitted to be performed in a non-decreasing time sequence.

Challenge: $\mathcal{A}$ specifies two messages $m_0, m_1$ of equal length. Then $\mathcal{C}$ randomly picks $b \in \{0, 1\}$, and performs $Encrypt$ to generate $CT^*$ for $\mathcal{A}$.

Phase 2: $\mathcal{A}$ repeatedly makes the same queries as in Phase 1, but $Att_{gid}$ cannot satisfy $\mathbb{A}$.

Guess: $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ of $b$.

The advantage of the adversary $\mathcal{A}$ in the above game is represented as $|\Pr[b' = b] - \tfrac{1}{2}|$.

Definition 1. The proposed RM-CP-ABE scheme is selectively CPA secure if any adversary has at most a negligible advantage of winning the above game.

3. Lattices

3.1. Integer lattices

Definition 2. Given a basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of the $n$-dimensional real space $\mathbb{R}^n$, a full-rank lattice $\Lambda$, which is the integer span of $\mathbf{B}$, can be represented as:
\[
\Lambda = \mathcal{L}(\mathbf{B}) = \Big\{ \mathbf{B}\mathbf{x} = \sum_{i=1}^{n} x_i \mathbf{b}_i \;\Big|\; \mathbf{x} \in \mathbb{Z}^n \Big\}.
\]

Additionally, the two categories of $q$-ary lattices defined in [20] are adopted in this work.

Definition 3. For a uniformly random matrix $\mathbf{A} \in \mathbb{Z}_q^{n\times m}$ and $\mathbf{u} \in \mathbb{Z}_q^{n}$, the $q$-ary lattices are defined as:
\[
\Lambda_q^{\bot}(\mathbf{A}) = \{\mathbf{z} \in \mathbb{Z}^m \text{ s.t. } \mathbf{A}\mathbf{z} = \mathbf{0} \pmod q\},
\]
\[
\Lambda_q^{\mathbf{u}}(\mathbf{A}) = \{\mathbf{z} \in \mathbb{Z}^m \text{ s.t. } \mathbf{A}\mathbf{z} = \mathbf{u} \pmod q\}.
\]

3.2. Discrete Gaussians

Let $\rho_{\mathbf{c},\sigma}(\mathbf{x}) = \exp\left(-\pi\|\mathbf{x}-\mathbf{c}\|^2/\sigma^2\right)$ be a Gaussian function [44], where $\sigma \in \mathbb{R}$ is the distribution parameter and $\mathbf{c} \in \mathbb{R}^n$ is the center. Also, let $\rho_{\mathbf{c},\sigma}(\Lambda) = \sum_{\mathbf{x}\in\Lambda} \rho_{\mathbf{c},\sigma}(\mathbf{x})$ for a lattice $\Lambda$. Define the discrete Gaussian distribution $\mathcal{D}_{\Lambda,\mathbf{c},\sigma}$ over $\Lambda$ as:
\[
\mathcal{D}_{\Lambda,\mathbf{c},\sigma}(\mathbf{y}) = \frac{\rho_{\mathbf{c},\sigma}(\mathbf{y})}{\rho_{\mathbf{c},\sigma}(\Lambda)}, \quad \forall \mathbf{y} \in \Lambda.
\]

The following lemma gives a bound for the smoothing parameter.

Lemma 1 ([19]). For an $n$-dimensional lattice $\Lambda$ with basis $\mathbf{B}$ and $\epsilon > 0$, we have
\[
\eta_\epsilon(\Lambda) \leqslant \|\tilde{\mathbf{B}}\| \cdot \sqrt{\ln(2n(1 + 1/\epsilon))/\pi}.
\]
Then for any $\omega(\sqrt{\log n})$ function, there is a negligible $\epsilon(n)$ for which $\eta_\epsilon(\Lambda) \leqslant \|\tilde{\mathbf{B}}\| \cdot \omega(\sqrt{\log n})$, where $\tilde{\mathbf{B}}$ is the Gram–Schmidt orthogonalized basis for $\mathbf{B}$.

Lemma 2 ([23]). Let $\Lambda$ be an $n$-dimensional lattice and $\mathbf{c} \in span(\Lambda)$. For real $\epsilon \in (0, 1)$ and $s > \eta_\epsilon(\Lambda)$, we have
\[
\Pr\big[\mathbf{x} \sim \mathcal{D}_{\Lambda,\mathbf{c},s} : \|\mathbf{x}-\mathbf{c}\| \geqslant s\sqrt{n}\big] \leqslant \frac{1+\epsilon}{1-\epsilon} \cdot 2^{-n}.
\]

3.3. RLWE hardness assumption

Let $s \in \mathcal{R}_q$ be an $n$-dimensional random cyclotomic polynomial. Consider several pairs $(a_i, a_i s + e_i)$, where $a_i \leftarrow_U \mathcal{R}_q$ and $e_i \leftarrow \mathcal{D}_{\mathcal{R},\sigma}$ with a relatively small parameter $\sigma$.

Definition 4 (Decisional RLWE [26]). The decisional RLWE problem is defined as distinguishing between the polynomials $(a_i s + e_i)$ from a pseudo-random sampler $O_s$ and $b_i$ from a truly random sampler $O_{\$}$ with a negligible advantage for any secret $s \in \mathcal{R}_q$ and $i \in [0, t]$, where $t$ is the number of samples available to a polynomial-time adversary, and each $b_i$ is uniformly randomly sampled in $\mathcal{R}_q$.

We say that an adversary $\mathcal{A}$ can solve the decisional RLWE problem if its advantage
\[
Adv(\mathcal{A}) = \big|\Pr[O_s = 1] - \Pr[O_{\$} = 1]\big|
\]
is non-negligible for any secret $s$.

3.4. Sampling algorithms

3.4.1. Trapdoor generation

The trapdoor construction of [27] is described in Algorithm 1. Specifically, the random ring vector $\bar{\mathbf{g}} \in \mathcal{R}_q^{1\times m}$ is based on RLWE, and the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}} \in \mathcal{R}_q^{2k}$ contains two vectors $\mathbf{r}$ and $\mathbf{e}$ with the parameter $\sigma$.

Algorithm 1 RingTrapGen [27]
Input: The security parameter $\lambda$;
Output: The pseudo-random ring vector $\bar{\mathbf{g}}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}}$ for $\bar{\mathbf{g}}$;
1: Take $k = \lfloor \log_b(q) + 1 \rfloor$, $\sigma$, $q$ and $n$, where $b \geqslant 2$ is a base for the G-lattice.
2: Pick $a \leftarrow_U \mathcal{R}_q$;
3: $\mathbf{r} \leftarrow (r_1, \ldots, r_k)$, where for $i \in [k]$, $r_i \leftarrow \mathcal{D}_{\mathcal{R},\sigma}$;
4: $\mathbf{e} \leftarrow (e_1, \ldots, e_k)$, where for $i \in [k]$, $e_i \leftarrow \mathcal{D}_{\mathcal{R},\sigma}$;
5: $\bar{\mathbf{g}} \leftarrow [1, a, g_1 - (a r_1 + e_1), \cdots, g_k - (a r_k + e_k)]$, where for $i \in [k]$, $g_i \leftarrow b^{i-1}$;
6: return $(\bar{\mathbf{g}}, \mathbf{T}_{\bar{\mathbf{g}}} = (\mathbf{r}, \mathbf{e}))$;


3.4.2. Ring Gaussian Preimage Sampling

Algorithm 2 utilizes the G-lattice construction in [23]. It executes $Perturb(\cdot)$ to generate a perturbation $\mathbf{p}$, enabling $\mathbf{y}$ to obey a spherical Gaussian distribution with the parameter $\sigma_s$. Finally, the algorithm produces a preimage $\mathbf{y}$ that satisfies the condition $\bar{\mathbf{g}}\mathbf{y} = u$, where $\mathbf{y} \leftarrow \mathcal{D}_{\Lambda,\sigma_s}$, $\mathbf{z} \in \mathcal{R}_q^{k}$, $u \in \mathcal{R}_q$ and $\mathbf{p} \in \mathcal{R}_q^{m}$ for $m = k + 2$.

Algorithm 2 RingSamplePre [25]
Input: The uniformly random ring vector $\bar{\mathbf{g}}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}}$ for $\bar{\mathbf{g}}$; the syndrome $u$; the distribution parameters $\sigma$ and $\sigma_s$;
Output: The result vector $\mathbf{y}$;
1: $\mathbf{p} \leftarrow Perturb((\mathbf{r}, \mathbf{e}), (b+1)\sigma, \sigma_s, q, n)$;
2: $\mathbf{z} \leftarrow SampleG(\sigma, q, u - \bar{\mathbf{g}}\mathbf{p})$;
3: Compute $\mathbf{y} \leftarrow [p_1 + \mathbf{e}\mathbf{z}, p_2 + \mathbf{r}\mathbf{z}, p_3 + z_1, \cdots, p_m + z_k]$.
4: return $\mathbf{y}$;

3.4.3. RingSampleLeft

By Algorithm 3, we can construct the ingredients of secret keys. It is essentially a ring variant of SampleLeft defined in [20], which aims to construct a ring vector $\bar{\mathbf{e}} \in \mathcal{D}_{\mathcal{R}_q^{2m},\sigma_s}$ such that, for $\bar{\mathbf{g}}, \bar{\mathbf{b}} \in \mathcal{R}_q^{1\times m}$, it satisfies $(\bar{\mathbf{g}}|\bar{\mathbf{b}})\bar{\mathbf{e}} = u$.

Algorithm 3 RingSampleLeft
Input: The uniformly random ring vectors $\bar{\mathbf{g}}, \bar{\mathbf{b}} \in \mathcal{R}_q^{1\times m}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}}$ for $\bar{\mathbf{g}}$; the syndrome $u$; the distribution parameters $\sigma$ and $\sigma_s$;
Output: The result vector $\bar{\mathbf{e}} \in \mathcal{D}_{\mathcal{R}_q^{2m},\sigma_s}$;
1: Sample $\bar{\mathbf{e}}_2 \leftarrow \mathcal{D}_{\mathcal{R}_q^{m},\sigma_s}$;
2: Execute $\bar{\mathbf{e}}_1 \leftarrow RingSamplePre(\bar{\mathbf{g}}, \mathbf{T}_{\bar{\mathbf{g}}}, v, \sigma, \sigma_s)$, where $v = u - \bar{\mathbf{b}}\bar{\mathbf{e}}_2$;
3: $\bar{\mathbf{e}} \leftarrow [\bar{\mathbf{e}}_1; \bar{\mathbf{e}}_2]$, such that $(\bar{\mathbf{g}}|\bar{\mathbf{b}})\bar{\mathbf{e}} = u$;
4: return $\bar{\mathbf{e}}$;

3.4.4. RingSampleRight

We extend the work of [25] to construct a ring-based SampleRight used to respond to key queries, as depicted in Algorithm 4. Specifically, the algorithm is meant to generate a vector $\bar{\mathbf{e}}$ such that $\mathbf{F}\bar{\mathbf{e}} = u$. Eq. (1) explains the correctness of the algorithm. Note that $\bar{\mathbf{e}}$ is not subject to a spherical distribution [19]; we can adopt the technique of [25] to produce a spherically distributed preimage.

Algorithm 4 RingSampleRight
Input: The uniformly random ring vectors $\bar{\mathbf{g}}, \bar{\mathbf{b}} \in \mathcal{R}_q^{1\times m}$; the matrix $\mathbf{S} \leftarrow_U \{\pm 1\}^{m\times m}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{b}}}$ for $\bar{\mathbf{b}}$; the syndrome $u$; the distribution parameters $\sigma$ and $\sigma_s$;
Output: The result vector $\bar{\mathbf{e}} \in \mathcal{R}_q^{2m}$;
1: Execute $\mathbf{x} \leftarrow RingSamplePre(\bar{\mathbf{b}}, \mathbf{T}_{\bar{\mathbf{b}}}, u, \sigma, \sigma_s)$ such that $\bar{\mathbf{b}}\mathbf{x} = u$. Also, let $\mathbf{F} \leftarrow (\bar{\mathbf{g}}|\bar{\mathbf{g}}\cdot\mathbf{S} + \bar{\mathbf{b}})$, where $\mathbf{s}_i \in \mathcal{R}_q^{m}$ denotes the $i$-th column of the matrix $\mathbf{S}$, such that $\bar{\mathbf{g}}\mathbf{s}_i = \sum_{i=1}^{m} \bar{g}_i s_{ji}$ for $j \in [m]$;
2: Take $\bar{\mathbf{e}} \leftarrow (e_1, \cdots, e_m, e_{m+1}, \cdots, e_{2m})$, where $e_i = -\sum_{j=1}^{m} x_j s_{ji}$ for $i \in [m]$, and $e_i = x_i$ for $i \in [m+1, 2m]$;
3: return $\bar{\mathbf{e}}$;

The correctness of Algorithm 4 follows from
\[
\begin{aligned}
\mathbf{F}\bar{\mathbf{e}} &= (\bar{\mathbf{g}} \,|\, \bar{\mathbf{g}}\cdot\mathbf{S} + \bar{\mathbf{b}})\cdot\bar{\mathbf{e}} \\
&= -\Big(\bar{g}_1 \sum_{j=1}^{m} x_j s_{j1} + \cdots + \bar{g}_m \sum_{j=1}^{m} x_j s_{jm}\Big) + x_1(\bar{\mathbf{g}}\mathbf{s}_1 + \bar{b}_1) + \cdots + x_m(\bar{\mathbf{g}}\mathbf{s}_m + \bar{b}_m) \\
&= -\sum_{i=1}^{m}\sum_{j=1}^{m} \bar{g}_i x_j s_{ji} + \sum_{i=1}^{m} \bar{b}_i x_i + \sum_{j=1}^{m} x_j \bar{\mathbf{g}}\mathbf{s}_j \qquad (1) \\
&= -\sum_{j=1}^{m} x_j \sum_{i=1}^{m} \bar{g}_i s_{ji} + u + \sum_{j=1}^{m} x_j \bar{\mathbf{g}}\mathbf{s}_j \\
&= -\sum_{j=1}^{m} x_j \bar{\mathbf{g}}\mathbf{s}_j + u + \sum_{j=1}^{m} x_j \bar{\mathbf{g}}\mathbf{s}_j \\
&= u.
\end{aligned}
\]

3.5. Encoding function

Our scheme relies on an encoding function $\mathrm{H} : \mathcal{R}_q \to \mathbb{Z}_q^{n\times n}$ that maps attributes and times in $\mathcal{R}_q$ to matrices in $\mathbb{Z}_q^{n\times n}$ [20].

Definition 5. For positive integers $q, n$, a full rank difference (FRD) function satisfies the following properties:

• for any unequal $x, y \in \mathcal{R}_q$, the matrix $\mathrm{H}(x) - \mathrm{H}(y) \in \mathbb{Z}_q^{n\times n}$ is full rank;
• $\mathrm{H}$ is computable in polynomial time in $n \log q$.

4. RM-CP-ABE From RLWE

4.1. Overview

Our scheme implements the revocation function assisted by the infrastructure of the binary tree [40]. In the scheme, the attribute set of a user with identity $gid$, which is requested from authority $AA_\theta$, is represented as a binary tree $BT_{gid,\theta}$, where each leaf node $i$ is associated with a time $t_i$ and corresponds to an attribute that belongs to the attribute sub-domain of $AA_\theta$. $Path_\theta(i)$ stands for the set of nodes on the path from node $i$ to the root node. For a node $\eta \in BT_{gid,\theta}$, $\eta_l$ and $\eta_r$ are used to represent its left and right child node respectively, and let $val_\eta$ be the attribute set stored in $\eta$. The condition for performing revocation is that the time $t_i$ related to attribute $i$ satisfies $t_i < t$.

When a data owner performs the revocation operation, $AA_\theta$ executes Algorithm 5 to generate the set $\bar{S}$, including the unrevoked child nodes of revoked nodes.

4.2. Construction

Here we provide the detailed construction of our scheme with multi-valued attributes, in which a user attribute can be set to a specific value (e.g., ''time = 16:51''), instead of true or false. In the scheme, we suppose that there are $N$ AAs in the system, and $AA_\theta$ controls the attribute set $Att_\theta = N_\theta \cup V_\theta$, where $N_\theta = \{1, \ldots, d_\theta\}$ and $V_\theta = \{d_\theta + 1, \ldots, 2d_\theta\}$ represent the normal and virtual attribute sets, respectively.

$GlobalSetup(1^\lambda, N) \to pp$: The algorithm takes in a security parameter $\lambda$, then executes:

1. Specify an FRD function $\mathrm{H}$.
2. Generate $\bar{\mathbf{b}}_1, \bar{\mathbf{b}}_2 \in \mathcal{R}_q^{1\times m}$ and $u \in \mathcal{R}_q$.
3. Output the public parameter
\[
pp = (q, n, m, \alpha, \sigma, \sigma_s, \mathrm{H}, \bar{\mathbf{b}}_1, \bar{\mathbf{b}}_2, u),
\]
where the values $q, n, m, \alpha, \sigma, \sigma_s$ are depicted in Section 4.3. It is implied that $pp$ is used as input in all operations below.
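The following Python program is an added example written for this edition of the page; it is not the paper's implementation, nor the code of [25] or [27]. It works through the algebra of Section 3.3, Algorithm 1 (RingTrapGen) and Algorithm 2 (RingSamplePre) over $\mathcal{R}_q = \mathbb{Z}_q[x]/\langle x^n+1\rangle$: the vector $\bar{\mathbf{g}} = [1, a, g_1 - (a r_1 + e_1), \ldots]$ hides the gadget $g_i = b^{i-1}$ behind RLWE samples, and knowing $(\mathbf{r}, \mathbf{e})$ turns a gadget preimage $\mathbf{z}$ into a preimage $\mathbf{y}$ with $\bar{\mathbf{g}}\mathbf{y} = u$. The toy parameters ($n = 8$, $q = 257$, $b = 2$) are assumptions, and the discrete-Gaussian samplers $\mathcal{D}_{\mathcal{R},\sigma}$, $Perturb$ and $SampleG$ are replaced by small uniform noise and plain base-$b$ digit decomposition, so the program demonstrates the correctness identity, not the output distribution that the real samplers guarantee.

```python
# Added example (not the paper's code, nor that of [25] or [27]): the algebra
# behind RingTrapGen (Algorithm 1) and RingSamplePre (Algorithm 2) over
# R_q = Z_q[x]/<x^n + 1>. Toy parameters are assumptions; the Gaussian
# samplers (D_{R,sigma}, Perturb, SampleG) are replaced by small uniform noise
# and base-b digit decomposition, which keeps g_bar . y = u exact.
import random
from typing import List, Tuple

N_DEG = 8   # n: ring dimension, a power of 2 (assumed toy value)
Q = 257     # q: modulus (assumed toy value)
BASE = 2    # b: base of the G-lattice gadget g = (1, b, b^2, ...)

# k = floor(log_b(q) + 1): the smallest k with b^k > q, so every coefficient
# in [0, q) has a k-digit base-b expansion.
K = 1
while BASE ** K <= Q:
    K += 1
M_DIM = K + 2  # m = k + 2: length of g_bar and of the preimage y

Poly = List[int]  # a ring element as n coefficients in [0, q)


def poly_add(a: Poly, b: Poly) -> Poly:
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a: Poly, b: Poly) -> Poly:
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a: Poly, b: Poly) -> Poly:
    """Negacyclic product: schoolbook multiply, then fold with x^n = -1."""
    full = [0] * (2 * N_DEG)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            full[i + j] += ai * bj
    return [(full[i] - full[i + N_DEG]) % Q for i in range(N_DEG)]


def const(c: int) -> Poly:
    return [c % Q] + [0] * (N_DEG - 1)


def dot(u: List[Poly], v: List[Poly]) -> Poly:
    """Inner product of two ring vectors of equal length."""
    acc = [0] * N_DEG
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc


def uniform_poly(rng: random.Random) -> Poly:
    return [rng.randrange(Q) for _ in range(N_DEG)]


def small_poly(rng: random.Random, bound: int = 2) -> Poly:
    """Stand-in for D_{R,sigma}: coefficients uniform in [-bound, bound]."""
    return [rng.randint(-bound, bound) % Q for _ in range(N_DEG)]


def ring_trap_gen(rng: random.Random) -> Tuple[List[Poly], Tuple[List[Poly], List[Poly]]]:
    """Algorithm 1: g_bar = [1, a, g_1-(a r_1+e_1), ..., g_k-(a r_k+e_k)],
    g_i = b^(i-1); the trapdoor is T = (r, e)."""
    a = uniform_poly(rng)
    r = [small_poly(rng) for _ in range(K)]
    e = [small_poly(rng) for _ in range(K)]
    g_bar = [const(1), a]
    for i in range(K):
        g_bar.append(poly_sub(const(BASE ** i), poly_add(poly_mul(a, r[i]), e[i])))
    return g_bar, (r, e)


def sample_g(target: Poly) -> List[Poly]:
    """Simplified SampleG: z_i holds the i-th base-b digit of each coefficient,
    so sum_i g_i * z_i == target coefficient by coefficient."""
    return [[(c // BASE ** i) % BASE for c in target] for i in range(K)]


def ring_sample_pre(g_bar: List[Poly], trapdoor, u: Poly, rng: random.Random) -> List[Poly]:
    """Algorithm 2 with Perturb replaced by a small random p:
    y = [p_1 + e.z, p_2 + r.z, p_3 + z_1, ..., p_m + z_k]."""
    r, e = trapdoor
    p = [small_poly(rng) for _ in range(M_DIM)]
    z = sample_g(poly_sub(u, dot(g_bar, p)))  # z solves g . z = u - g_bar . p
    y = [poly_add(p[0], dot(e, z)), poly_add(p[1], dot(r, z))]
    y += [poly_add(p[2 + i], z[i]) for i in range(K)]
    return y


def trapdoor_maps_to_gadget(seed: int = 0) -> bool:
    """Why (r, e) is a trapdoor: g_bar . [e_i, r_i, unit_i] = g_i for every i."""
    rng = random.Random(seed)
    g_bar, (r, e) = ring_trap_gen(rng)
    for i in range(K):
        column = [e[i], r[i]] + [const(1 if j == i else 0) for j in range(K)]
        if dot(g_bar, column) != const(BASE ** i):
            return False
    return True


def preimage_is_correct(seed: int = 1) -> bool:
    """Check g_bar . y == u for a random syndrome u, as Algorithm 2 requires."""
    rng = random.Random(seed)
    g_bar, trapdoor = ring_trap_gen(rng)
    u = uniform_poly(rng)
    y = ring_sample_pre(g_bar, trapdoor, u, rng)
    return dot(g_bar, y) == u


if __name__ == "__main__":
    print("k =", K, "m =", M_DIM)
    print("trapdoor relation holds:", trapdoor_maps_to_gadget())
    print("preimage correct:", preimage_is_correct())
```

The function `trapdoor_maps_to_gadget` makes explicit what the trapdoor is: the columns $[e_i, r_i, \mathbf{1}_i]$ cancel the RLWE masking in $\bar{\mathbf{g}}$ and leave the gadget entries $g_i$, which is exactly why the cheap gadget preimage of step 2 lifts to a preimage for $\bar{\mathbf{g}}$ in step 3. Without $(\mathbf{r}, \mathbf{e})$, $\bar{\mathbf{g}}$ looks like a uniformly random vector under the RLWE assumption of Section 3.3, so the security of the scheme rests on the trapdoor staying inside the authority.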


Algorithm 5 KUNodes
Input: The binary tree $BT_{gid,\theta}$; the non-empty revocation list $RL_{gid,\theta}$; the time $t \in \mathcal{R}_q$;
Output: The unrevoked child nodes of revoked nodes, $\bar{S}$;
1: Initialize empty sets $S$ and $\bar{S}$;
2: for each leaf node $(i, t_i) \in RL_{gid,\theta}$ do
3:   if $t_i < t$ then
4:     add $Path_\theta(i)$ to $S$;
5:   end if
6: end for
7: for each node $\eta \in S$ do
8:   if $\eta_l \notin S$ then
9:     add $val_{\eta_l}$ to $\bar{S}$;
10:  end if
11:  if $\eta_r \notin S$ then
12:    add $val_{\eta_r}$ to $\bar{S}$;
13:  end if
14: end for
15: if $\bar{S} = \emptyset$ then
16:   add root to $\bar{S}$;
17: end if
18: return $\bar{S}$;

$AASetup(pp, \theta) \to (PK_\theta, SK_\theta)$: $AA_\theta$ takes as input the number $\theta$. Suppose each normal attribute $i$ corresponds to a value in the value space $\tilde{R}_i \subseteq \mathcal{R}_q \setminus \{0\}$. Then, perform the following operations:

1. Choose the normal attribute set $N_\theta = \{1, \ldots, d_\theta\}$ and the virtual attribute set $V_\theta = \{d_\theta + 1, \ldots, 2d_\theta\}$.
2. Perform $(\bar{\mathbf{g}}_\theta, \mathbf{T}_{\bar{\mathbf{g}}_\theta}) \leftarrow RingTrapGen(1^\lambda)$.
3. Randomly select $\bar{\mathbf{a}}_i, \bar{\mathbf{a}}'_i \in \mathcal{R}_q^{1\times m}$ for $i \in Att_\theta$.
4. Output the public key and secret key as
\[
PK_\theta = \{\bar{\mathbf{g}}_\theta, \{\bar{\mathbf{a}}_i, \bar{\mathbf{a}}'_i\}_{i\in Att_\theta}\}, \qquad SK_\theta = \{\mathbf{T}_{\bar{\mathbf{g}}_\theta}\}.
\]

$PriKeyGen(pp, SK_\theta, gid, Att_{gid,\theta}) \to SK_{gid,\theta}$: On input the secret key $SK_\theta$ of $AA_\theta$, the user identity $gid$ and the user attribute set requested from $AA_\theta$, execute:

1. CA randomly takes a polynomial $P(x) = u + \sum_{i=1}^{N-1} a_i x^i$ of degree $N-1$ for $a_i \leftarrow_U \mathcal{R}_q$. Next it distributes $u_\theta = P(\theta) \in \mathcal{R}_q$ to $AA_\theta$.
2. $AA_\theta$ randomly takes a $d_\theta$-degree polynomial $P_\theta(x) = u_\theta + \sum_{i=1}^{d_\theta} b_i x^i$ such that $P_\theta(0) = u_\theta$, where $b_i$ is sampled from $\mathcal{R}_q$ at random. Let the set $Att_\theta = Att_{gid,\theta} \cup V_\theta$. For each attribute $i \in Att_\theta$, compute $P_\theta(i) = u_{\theta,i}$.
3. For each node $\eta \in Path_\theta(i)$, sample $u_{\theta,i,\eta,1} \leftarrow_U \mathcal{R}_q$, and calculate $u_{\theta,i,\eta,2} = u_{\theta,i} - u_{\theta,i,\eta,1}$. Then store them in node $\eta$.
4. For each attribute $att_{\theta,i} \in Att_{gid,\theta}$ of user $gid$, calculate $\bar{\boldsymbol{\varphi}}_{\theta,i,1} \in \mathcal{R}_q^{1\times m}$ as
\[
\bar{\boldsymbol{\varphi}}_{\theta,i,1} = Tran_{M\to V}\big(Tran_{V\to M}(\bar{\mathbf{b}}_1^{\top}) \cdot \mathrm{H}(att_{\theta,i})\big)^{\top}.
\]
Next, compute $\mathbf{h}_i = \bar{\mathbf{a}}_i + \bar{\boldsymbol{\varphi}}_{\theta,i,1}$ and sample $\bar{\mathbf{e}}_{\theta,i,\eta,1} \in \mathcal{R}_q^{2m}$ as
\[
\bar{\mathbf{e}}_{\theta,i,\eta,1} \leftarrow RingSampleLeft(\bar{\mathbf{g}}_\theta, \mathbf{h}_i, \mathbf{T}_{\bar{\mathbf{g}}_\theta}, u_{\theta,i,\eta,1}).
\]
6. Output the secret key as
\[
SK_{gid,\theta} = \{(\eta, \bar{\mathbf{e}}_{\theta,i,\eta,1})\}_{\eta\in Path_\theta(i)}.
\]

After interacting with $N$ AAs, one can obtain an entire private key $SK_{gid} = \{SK_{gid,\theta}\}_{\theta\in Path_\theta(i)}$.

$KeyUpdGen(pp, PK_\theta, SK_\theta, RL_{gid,\theta}, t_\theta) \to KU_{t,\theta}$: The algorithm takes in $PK_\theta$, $SK_\theta$ and $RL_{gid,\theta}$ corresponding to $AA_\theta$ and a revocation time $t_\theta$. Do:

1. Execute $KUNodes(BT_{gid,\theta}, RL_{gid,\theta}, t_\theta)$ to generate the set $\bar{S}$. For each node $\eta \in \bar{S}$, if $u_{\theta,i,\eta,1}, u_{\theta,i,\eta,2}$ are undefined, then sample them as in the $PriKeyGen$ algorithm.
2. For each normal attribute $i$ in node $\eta$, calculate $\bar{\boldsymbol{\varphi}}_{\theta,i,2} \in \mathcal{R}_q^{1\times m}$ as
\[
\bar{\boldsymbol{\varphi}}_{\theta,i,2} = Tran_{M\to V}\big(Tran_{V\to M}(\bar{\mathbf{b}}_2^{\top}) \cdot \mathrm{H}(t_\theta)\big)^{\top}.
\]
Then compute $\mathbf{h}'_i = \bar{\mathbf{a}}'_i + \bar{\boldsymbol{\varphi}}_{\theta,i,2}$, and sample $\bar{\mathbf{e}}_{\theta,i,\eta,2} \in \mathcal{R}_q^{2m}$ as
\[
\bar{\mathbf{e}}_{\theta,i,\eta,2} \leftarrow RingSampleLeft(\bar{\mathbf{g}}_\theta, \mathbf{h}'_i, \mathbf{T}_{\bar{\mathbf{g}}_\theta}, u_{\theta,i,\eta,2}).
\]
3. For each attribute $i$, calculate $\bar{\mathbf{h}}'_i = \bar{\mathbf{a}}'_i + \bar{\mathbf{b}}_2$, and sample
\[
\bar{\mathbf{e}}_{\theta,i,\eta,2} \leftarrow RingSampleLeft(\bar{\mathbf{g}}_\theta, \bar{\mathbf{h}}'_i, \mathbf{T}_{\bar{\mathbf{g}}_\theta}, u_{\theta,i,\eta,2}).
\]
4. Output the update key $KU_{t,\theta} = \{(\eta, \bar{\mathbf{e}}_{\theta,i,\eta,2})\}_{\eta\in\bar{S}}$ for $AA_\theta$.

After interacting with the different AAs, one can obtain an entire update key $KU_t = \{KU_{t,\theta}\}_{\theta\in[N]}$.

$DecKeyGen(pp, SK_{gid}, KU_t, \mathbb{A}) \to DK_{gid,t}$: On input the private key $SK_{gid} = \bigcup_{\theta\in[N]} \{(\xi, \bar{\mathbf{e}}_{\theta,i,\xi,1})\}_{\xi\in Path_\theta(i)}$, the update key $KU_t = \bigcup_{\theta\in[N]} \{(\gamma, \bar{\mathbf{e}}_{\theta,i,\gamma,2})\}_{\gamma\in\bar{S}}$ and the access policy $\mathbb{A} = \{(k_\theta, T_\theta)\}_{\theta\in[N]}$ for $k_\theta \in [1, \min\{d_\theta, |T_\theta|\}]$, for all $\theta \in [N]$ execute the following processes:

1. For all $(\xi, \bar{\mathbf{e}}_{\theta,i,\xi,1})$, $(\gamma, \bar{\mathbf{e}}_{\theta,i,\gamma,2})$, if there exists $(\xi, \gamma)$ such that $\xi = \gamma$, then store $(\bar{\mathbf{e}}_{\theta,i,\xi,1}, \bar{\mathbf{e}}_{\theta,i,\gamma,2})$ in $DK_{gid,t}$. For simplicity, we write $DK_{gid,t} = \{(\mathbf{e}_{\theta,i,1}, \mathbf{e}_{\theta,i,2})\}_{\theta\in[N]}$.
2. Output $DK_{gid,t}$.

The objective of the algorithm is to find the elements $\mathbf{e}_{\theta,i,1}$ and $\mathbf{e}_{\theta,i,2}$ such that $(\bar{\mathbf{g}}_\theta|\bar{\mathbf{f}}_{\theta,i})\mathbf{e}_{\theta,i,1} + (\bar{\mathbf{g}}_\theta|\bar{\mathbf{f}}_{\theta,t})\mathbf{e}_{\theta,i,2} = u_{\theta,i}$ for all $AA_\theta$.

$Encrypt(pp, \mathbb{A}, \{PK_\theta\}_{\theta\in[N]}, M, t) \to CT$: The algorithm takes in the access policy $\mathbb{A} = \{\mathbb{A}_\theta\}_{\theta\in[N]}$, a message $M = (m_0, m_1, \ldots, m_{n-1})$ that is denoted as a ring element $M(x) = m_0 + m_1 x + \cdots + m_{n-1} x^{n-1} \in \mathcal{R}_q$ and a time $t \in \mathcal{R}_q$, where $\mathbb{A}_\theta = (k_\theta, T_\theta)$ and $k_\theta \in [1, \min\{d_\theta, |T_\theta|\}]$. Let $V'_\theta = \{d_\theta + 1, \ldots, 2d_\theta - k_\theta + 1\}$, $\bar{T}_\theta = T_\theta \cup V'_\theta$, $\bar{T} = \bigcup_{\theta\in[N]} \bar{T}_\theta$ and $d = \max\{d_1, \ldots, d_N\}$. Define $\hat{D} = (N!(2d)!)^2$. For $\theta \in [N]$, perform the following processes:

1. Sample $s \leftarrow_U \mathcal{R}_q$, $x \leftarrow \mathcal{D}_{\mathcal{R},\sigma}$, $\bar{\mathbf{y}} \leftarrow \mathcal{D}_{\mathcal{R}^{1\times m},\sigma}$.
2. For all normal attributes in $T_\theta$, calculate
\[
\bar{\boldsymbol{\varphi}}_{\theta,i,1} = Tran_{M\to V}\big(Tran_{V\to M}(\bar{\mathbf{b}}_1^{\top}) \cdot \mathrm{H}(att_{\theta,i})\big)^{\top}, \qquad
\bar{\boldsymbol{\varphi}}_{\theta,i,2} = Tran_{M\to V}\big(Tran_{V\to M}(\bar{\mathbf{b}}_2^{\top}) \cdot \mathrm{H}(t)\big)^{\top}.
\]
Then construct $\bar{\mathbf{f}}_{\theta,i}, \bar{\mathbf{f}}_{\theta,t} \in \mathcal{R}_q^{1\times m}$ as
\[
\bar{\mathbf{f}}_{\theta,i} = (\bar{\mathbf{a}}_i + \bar{\boldsymbol{\varphi}}_{\theta,i,1}), \qquad \bar{\mathbf{f}}_{\theta,t} = (\bar{\mathbf{a}}'_i + \bar{\boldsymbol{\varphi}}_{\theta,i,2}).
\]
3. For all virtual attributes in $V'_\theta$, calculate
\[
\bar{\mathbf{f}}_{\theta,i} = (\bar{\mathbf{a}}_i + \bar{\mathbf{b}}_1), \qquad \bar{\mathbf{f}}_{\theta,t} = (\bar{\mathbf{a}}'_i + \bar{\mathbf{b}}_2).
\]
4. For all attributes in the set $\bar{T}$, sample two matrices $\mathbf{R}_{i,1}, \mathbf{R}_{i,2} \leftarrow_U \{\pm 1\}^{m\times m}$. Then compute
𝑐0 = 𝑢𝑠 + 𝐷𝑥 ̂ + 𝑀 𝑞 ∈ 𝑞 ,
2
For convenience, we omitted some distribution parameters.
𝐜̄𝜃,0 = 𝐠̄ 𝜃 𝑠 + 𝐷̂ 𝐲̄ ∈ 1×𝑚
𝑞 ,
5. For each virtual attribute 𝑎𝑡𝑡𝑣𝜃,𝑖 ∈ 𝑉𝜃 , compute ̄𝐡𝑖 = 𝐚̄ 𝑖 + ̄𝐛1 and
sample 𝐜𝜃,𝑖 = (𝐟̄𝜃,𝑖 |𝐟̄𝜃,𝑡 )𝑠 + 𝐷(
̂ 𝐲𝐑 ̄ 𝑖,2 ) ∈ 1×2𝑚
̄ 𝑖,1 |𝐲𝐑 𝑞 .
{ }
𝐞̄ 𝜃,𝑖,𝜂,1 ← RingSampleLef t(̄𝐠𝜃 , ̄𝐡𝑖 , 𝐓𝐠̄ 𝜃 , 𝑢𝜃,𝑖,𝜂,1 ). 5. Output 𝐶𝑇 = 𝑐0 , {𝐜̄𝜃,0 }𝜃∈[𝑁] , {𝐜𝜃,𝑖 }𝑖∈𝑇̄ ,𝜃∈[𝑁] .

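The revocation-tree logic of the scheme (Algorithm 1, the per-node split of $u_{\theta,i}$ in $PriKeyGen$ step 3, the update key of $KeyUpdGen$ and the node matching of $DecKeyGen$ step 1), as an added Python example that is not code from the paper; it replaces $\mathcal R_q$ by integers modulo a constructed modulus and omits RingSampleLeft, so the lattice vectors $\bar{\mathbf e}$ are stood in for by the ring shares they encode.

```python
"""Complete-subtree revocation of the RM-CP-ABE scheme: Algorithm 1 (KUNodes),
the per-node split of u_{theta,i} in PriKeyGen step 3, the update key of
KeyUpdGen and the node matching of DecKeyGen step 1.

Added example, not the paper's code. Elements of R_q are replaced by integers
mod Q and RingSampleLeft is omitted, so each lattice vector e_{theta,i,eta,j}
is stood in for by the ring share u_{theta,i,eta,j} it encodes, with
u_{theta,i,eta,1} + u_{theta,i,eta,2} = u_{theta,i}.
"""
import secrets

Q = 12289  # constructed modulus standing in for q


class BinaryTree:
    """BT_{gid,theta} in heap layout: root = 1, children of eta are 2*eta and
    2*eta + 1, attribute i (1-based) sits at leaf 2**depth + i - 1.
    Each node stores {attribute: (u1, u2)}."""

    def __init__(self, depth):
        self.depth = depth
        self.root = 1
        self.store = {}

    def leaf(self, attr):
        return 2 ** self.depth + attr - 1

    def path(self, attr):
        """Path_theta(i): nodes from the leaf of attribute i up to the root."""
        eta, nodes = self.leaf(attr), []
        while eta >= self.root:
            nodes.append(eta)
            eta //= 2
        return nodes


def ku_nodes(bt, rl, t):
    """Algorithm 1. rl is the revocation list of (attribute, time) pairs."""
    s = set()
    for attr, t_i in rl:
        if t_i < t:                  # line 3: revocation already in effect
            s.update(bt.path(attr))  # line 4
    s_bar = set()
    for eta in s:                    # lines 7-14: children hanging off S
        if eta >= 2 ** bt.depth:     # leaves have no children
            continue
        for child in (2 * eta, 2 * eta + 1):
            if child not in s:
                s_bar.add(child)
    if not s_bar:                    # lines 15-17: nothing revoked yet. The same
        s_bar.add(bt.root)           # fallback fires when every leaf is revoked,
    return s_bar                     # because S is then the whole tree.


def split_share(bt, eta, attr, u_theta_i):
    """PriKeyGen step 3 for one node: u1 uniform, u2 = u_{theta,i} - u1."""
    u1 = secrets.randbelow(Q)
    bt.store.setdefault(eta, {})[attr] = (u1, (u_theta_i - u1) % Q)


def pri_key_gen(bt, attr, u_theta_i):
    """PriKeyGen: the user gets {(eta, share 1)} for every eta in Path(i)."""
    for eta in bt.path(attr):
        split_share(bt, eta, attr, u_theta_i)
    return {eta: bt.store[eta][attr][0] for eta in bt.path(attr)}


def key_upd_gen(bt, rl, t, attr, u_theta_i):
    """KeyUpdGen: publish {(eta, share 2)} for every eta in KUNodes(BT, RL, t),
    first sampling a split if the node holds none for this attribute (step 1)."""
    ku = {}
    for eta in ku_nodes(bt, rl, t):
        if attr not in bt.store.get(eta, {}):
            split_share(bt, eta, attr, u_theta_i)
        ku[eta] = bt.store[eta][attr][1]
    return ku


def dec_key_gen(sk, ku):
    """DecKeyGen step 1: a node of Path(i) that also lies in S-bar yields the
    pair, which here recombines to u_{theta,i}. None means no common node,
    i.e. the attribute is revoked for this time period."""
    common = set(sk) & set(ku)
    if not common:
        return None
    eta = common.pop()
    return (sk[eta] + ku[eta]) % Q


def demo():
    """One user at one AA with 8 attribute leaves: attribute 2 stays valid,
    attribute 5 is revoked at time 3, the update key is issued for time 7.
    Returns {attribute: (value DecKeyGen recovers, true u_{theta,i})}."""
    bt = BinaryTree(depth=3)
    u = {2: secrets.randbelow(Q), 5: secrets.randbelow(Q)}  # u_{theta,i} = P_theta(i)
    sk = {i: pri_key_gen(bt, i, u[i]) for i in u}
    ku = {i: key_upd_gen(bt, [(5, 3)], 7, i, u[i]) for i in u}
    return {i: (dec_key_gen(sk[i], ku[i]), u[i]) for i in u}
```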

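The two-level secret sharing of $u$ set up in $PriKeyGen$ steps 1 and 2, and the way $Decrypt$ (steps 3 and 4) recovers it from $d_\theta + 1$ shares padded with the virtual attributes $V'_\theta$, as an added Python example that is not the paper's code; it works over integers modulo a constructed prime in place of $\mathcal R_q$ and omits the lattice vectors, so only the arithmetic on $u$, $u_\theta$ and $u_{\theta,i}$ is shown.

```python
"""Two-level threshold sharing of the RM-CP-ABE scheme: the CA polynomial P
(PriKeyGen step 1), the AA polynomials P_theta (step 2), the virtual
attributes that pad a k_theta-of-|T_theta| policy to the d_theta + 1 points
Decrypt needs, and the two Lagrange steps of Decrypt (steps 3 and 4).

Added example, not the paper's code: R_q is replaced by integers modulo a
prime Q and the lattice vectors are omitted, so only the arithmetic on u,
u_theta and u_{theta,i} is shown.
"""
import secrets

Q = 12289  # constructed prime modulus standing in for q


def lagrange_at_zero(points):
    """sum_i y_i * prod_{j != i} (-x_j)/(x_i - x_j) mod Q: the Lagrange
    coefficients L_{theta,i} (resp. L_theta) of Decrypt applied to the points."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def eval_poly(coeffs, x):
    """coeffs[0] + coeffs[1] * x + coeffs[2] * x**2 + ... mod Q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def ca_share(u, n_auth):
    """PriKeyGen step 1: P(x) = u + sum_{i<N} a_i x^i, AA_theta gets P(theta)."""
    coeffs = [u] + [secrets.randbelow(Q) for _ in range(n_auth - 1)]
    return {theta: eval_poly(coeffs, theta) for theta in range(1, n_auth + 1)}


def aa_share(u_theta, d_theta, att_gid_theta):
    """PriKeyGen step 2: P_theta of degree d_theta with P_theta(0) = u_theta,
    evaluated on Att_theta = Att_{gid,theta} ∪ V_theta. Normal attributes are
    the points 1..d_theta, virtual ones V_theta = {d_theta+1, ..., 2*d_theta}."""
    coeffs = [u_theta] + [secrets.randbelow(Q) for _ in range(d_theta)]
    att_theta = set(att_gid_theta) | set(range(d_theta + 1, 2 * d_theta + 1))
    return {i: eval_poly(coeffs, i) for i in att_theta}


def recover_u_theta(shares, d_theta, k_theta, t_theta):
    """Decrypt for one AA; shares maps each i in Att_theta to u_{theta,i}.
    Returns None (the bottom symbol) if fewer than k_theta policy attributes
    are held, else interpolates over I_theta, a subset of T-bar_theta ∩ Att_theta
    with |I_theta| = d_theta + 1."""
    normal_held = {i for i in shares if i <= d_theta}              # Att_{gid,theta}
    if len(normal_held & set(t_theta)) < k_theta:
        return None
    v_prime = set(range(d_theta + 1, 2 * d_theta - k_theta + 2))   # V'_theta
    t_bar = set(t_theta) | v_prime                                  # T-bar_theta
    # >= k_theta policy attributes plus |V'_theta| = d_theta - k_theta + 1
    # virtual ones give at least d_theta + 1 points; any d_theta + 1 suffice.
    i_theta = sorted(t_bar & set(shares))[: d_theta + 1]
    return lagrange_at_zero([(i, shares[i]) for i in i_theta])


def recover_u(u_thetas):
    """Decrypt step 4: combine the u_theta with the coefficients L_theta over [N]."""
    return lagrange_at_zero(sorted(u_thetas.items()))


def demo():
    """N = 2 AAs with d_theta = 3. Policy: AA1 needs 2 of {1, 2, 3}, AA2 needs
    1 of {2, 3}. User A holds {1, 3} at AA1 and {3} at AA2 and satisfies it;
    user B holds only {3} at AA1 and misses that threshold."""
    n_auth, d = 2, 3
    u = secrets.randbelow(Q)
    u_theta = ca_share(u, n_auth)
    policy = {1: (2, [1, 2, 3]), 2: (1, [2, 3])}            # (k_theta, T_theta)
    held_a = {1: [1, 3], 2: [3]}                              # Att_{gid,theta}
    shares_a = {th: aa_share(u_theta[th], d, held_a[th]) for th in policy}
    per_aa = {th: recover_u_theta(shares_a[th], d, *policy[th]) for th in policy}
    user_b = recover_u_theta(aa_share(u_theta[1], d, [3]), d, *policy[1])
    return {"u": u, "recovered": recover_u(per_aa),
            "per_aa_ok": per_aa == u_theta, "user_b": user_b}
```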
$Decrypt(pp, DK_{gid,t}, CT) \to (M / \bot)$: On input the decryption key $DK_{gid,t}$ related to the attribute set $Att_{gid}$ and the ciphertext related to the access policy $\mathbb A = \{(k_\theta, T_\theta)\}_{\theta \in [N]}$, proceed as follows. For each $\theta \in [N]$, if $|Att_{gid} \cap T_\theta| < k_\theta$, then output $\bot$. Otherwise, let $\bar T_\theta = T_\theta \cup \{d_\theta + 1, \dots, 2d_\theta - k_\theta + 1\}$ and take a subset $\mathcal I_\theta \subseteq \bar T_\theta \cap Att_{gid,\theta}$ such that $|\mathcal I_\theta| = d_\theta + 1$. Then, perform the following operations:

1. Parse $\mathbf c_{\theta,i}$ as
   $$(\mathbf c_{\theta,i,1} | \mathbf c_{\theta,i,2}) = \big((\bar{\mathbf a}_i + \bar{\boldsymbol\varphi}_{\theta,i,1}) | (\bar{\mathbf a}'_i + \bar{\boldsymbol\varphi}_{\theta,i,2})\big) s + \hat D (\bar{\mathbf y} \mathbf R_{i,1} | \bar{\mathbf y} \mathbf R_{i,2}).$$
2. Calculate
   $$\tilde c_{\theta,i} = (\bar{\mathbf c}_{\theta,0} | \mathbf c_{\theta,i,1}) \mathbf e_{\theta,i,1} + (\bar{\mathbf c}_{\theta,0} | \mathbf c_{\theta,i,2}) \mathbf e_{\theta,i,2}$$
   $$= \big((\bar{\mathbf g}_\theta s + \hat D \bar{\mathbf y}) | ((\bar{\mathbf a}_i + \bar{\boldsymbol\varphi}_{\theta,i,1}) s + \hat D \bar{\mathbf y} \mathbf R_{i,1})\big) \mathbf e_{\theta,i,1} + \big((\bar{\mathbf g}_\theta s + \hat D \bar{\mathbf y}) | ((\bar{\mathbf a}'_i + \bar{\boldsymbol\varphi}_{\theta,i,2}) s + \hat D \bar{\mathbf y} \mathbf R_{i,2})\big) \mathbf e_{\theta,i,2}.$$
3. Compute $\bar c_\theta = \sum_{i \in \mathcal I_\theta} L_{\theta,i}\, \tilde c_{\theta,i}$, where $L_{\theta,i} = \prod_{j \in \mathcal I_\theta, j \neq i} \frac{-j}{i - j}$ is the Lagrange coefficient.
4. Calculate $M' = c_0 - \sum_{\theta \in [N]} L_\theta\, \bar c_\theta$, where the Lagrange coefficient is $L_\theta = \prod_{\tau \in [N], \tau \neq \theta} \frac{-\tau}{\theta - \tau}$.
5. For each $i \in [0, n - 1]$, if $|m'_i - \lfloor q/2 \rfloor| < q/4$, then output $m'_i = 0$, otherwise output $m'_i = 1$.

$RLUpd(\widetilde{Att}_{gid,\theta}, RL_{gid,\theta}, t_\theta) \to \widehat{RL}_{gid,\theta}$: On input the attributes $\widetilde{Att}_{gid,\theta}$ of user $gid$ that are to be revoked, the revocation list $RL_{gid,\theta}$ and a time $t_\theta$, the algorithm executes the following procedures.

1. For all attributes $i \in \widetilde{Att}_{gid,\theta}$, insert $(i, t_\theta)$ into $\widehat{RL}_{gid,\theta}$.
2. Output $\widehat{RL}_{gid,\theta}$.

4.3. Correctness and parameters

Suppose that for $\theta \in [N]$, the user attribute set $Att_{gid,\theta} \models \mathbb A_\theta$. This means $|Att_{gid} \cap T_\theta| \geqslant k_\theta$. Take the set $\mathcal I_\theta$, which contains $k_\theta + 1$ legitimate attributes. Then compute
$$\bar c_\theta = \sum_{i \in \mathcal I_\theta} L_{\theta,i}\, \tilde c_{\theta,i} = \sum_{i \in \mathcal I_\theta} L_{\theta,i} \big((\bar{\mathbf c}_{\theta,0} | \mathbf c_{\theta,i,1}) \mathbf e_{\theta,i,1} + (\bar{\mathbf c}_{\theta,0} | \mathbf c_{\theta,i,2}) \mathbf e_{\theta,i,2}\big)$$
$$= \sum_{i \in \mathcal I_\theta} L_{\theta,i} \big((\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,i}) \mathbf e_{\theta,i,1} + (\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,t}) \mathbf e_{\theta,i,2}\big) s + e_r = \sum_{i \in \mathcal I_\theta} L_{\theta,i}\, u_{\theta,i}\, s + e_r,$$
where $e_r = \sum_{i \in \mathcal I_\theta} \hat D\, L_{\theta,i} \big((\bar{\mathbf y} | \bar{\mathbf y} \mathbf R_{i,1}) \mathbf e_{\theta,i,1} + (\bar{\mathbf y} | \bar{\mathbf y} \mathbf R_{i,2}) \mathbf e_{\theta,i,2}\big)$ denotes the noise term. Then, over all $\theta \in [N]$, calculate
$$c' = \sum_{\theta \in [N]} L_\theta\, \bar c_\theta = s \sum_{\theta \in [N]} L_\theta \sum_{i \in \mathcal I_\theta} L_{\theta,i}\, u_{\theta,i} + \sum_{\theta \in [N]} \hat D\, L_\theta\, e_r = s \sum_{\theta \in [N]} L_\theta\, u_\theta + \sum_{\theta \in [N]} \hat D\, L_\theta\, e_r.$$
Next calculate
$$M' = c_0 - c' = \Big(us + \hat D x + M \left\lfloor \tfrac{q}{2} \right\rfloor\Big) - \Big(s \sum_{\theta \in [N]} L_\theta\, u_\theta + \sum_{\theta \in [N]} \hat D\, L_\theta\, e_r\Big) = M \left\lfloor \tfrac{q}{2} \right\rfloor + \hat D x - \sum_{\theta \in [N]} \hat D\, L_\theta\, e_r.$$
The correctness of the decryption operation requires that the noise term satisfies $\big|\hat D x - \sum_{\theta \in [N]} \hat D\, L_\theta\, e_r\big| < q/4$. According to Lemma 1, the distribution parameter $\sigma$ needs to satisfy the constraint $\sigma \approx \sqrt{\ln(2\hat n/\epsilon)/\pi}$, where $\hat n$ is the maximum ring dimension and $\epsilon \in (0, 1)$ is the error bound of the rounding process. According to [27], we take the value of $\sigma$ as 4.578. By Lemma 2.9 in [23], we have that
$$\sigma_s > C \cdot \sigma^2 \cdot (b + 1) \cdot (\sqrt{nk} + \sqrt{2n} + t),$$
where the constants $C$ and $t$ take the values 1.7 and 4.7, respectively. Let $\beta_k$ and $\beta_e$ denote upper bounds for $\mathbf e_{\theta,i}$ and $\bar{\mathbf y}$, respectively. For $d = \max\{d_1, \dots, d_N\}$, the upper bound $\beta$ of $\bar{\mathbf y} \mathbf e_{\theta,i}$ can be calculated as
$$\beta = \hat D^2 (\hat d_\theta + 1) \beta_k \beta_e \sqrt{nm}.$$
As expressed in [27], we choose $\beta_k = 8\sigma$ and $\beta_e = 8\sigma_s$. In this context, the decryption can be performed correctly if $\beta < q/4$. Consequently, by Lemma 2 and Lemma 12 of [20], we have
$$q > 256 \hat D^2 (\hat d_\theta + 1) \sigma \sigma_s \sqrt{nm}.$$

4.4. Security proof

The security of our scheme relies on the (decisional) RLWE assumption given in Definition 4. Here we demonstrate in Theorem 1 that the RM-CP-ABE scheme is secure.

Theorem 1. Given appropriate parameters $n, m, q, \sigma$, the proposed RM-CP-ABE scheme is secure against chosen plaintext attack (CPA) if the (decisional) RLWE assumption holds.

Proof. The security of the proposed scheme is reduced to the (decisional) RLWE assumption: if there exists an adversary $\mathcal A$ who can break the proposed scheme with non-negligible advantage $\varepsilon > 0$, then there is an algorithm $\mathcal B$ which can solve the (decisional) RLWE problem with the same advantage. To be precise, we rely on a sequence of games to prove the security of the scheme, in which the first game is the same as the game in Section 2.4, and the adversary $\mathcal A$ has a negligible advantage in the last one. We assume that the adversary $\mathcal A$ can corrupt at most $N - 1$ AAs. Let $\hat L_{Cor} = \{AA_2, AA_3, \dots, AA_N\}$ denote the list of corrupted AAs. Furthermore, consider the following two types of adversaries:

Type I: For each $AA_\theta$ ($\theta \in [N]$), an adversary $\mathcal A$ holding the attribute set $Att^*_{gid} = \bigcup_{\theta \in [2,N]} Att^*_{gid,\theta}$ challenges the access structure $\mathbb A^*_\theta = (k^*_\theta, T^*_\theta)$, in which the attributes have been revoked at or before a time $t^*_\theta$.

Type II: $\mathcal A$ does not challenge the access structure $\mathbb A^*_\theta$ of $AA_\theta$ for $\theta \in [N]$.

$\mathbf{Game}_0$. This game is consistent with that described in Section 2.4.

$\mathbf{Game}_1$. In this game, for any attribute set $Att_\theta$ held by $AA_\theta$, we change the generation of $\bar{\mathbf a}_i, \bar{\mathbf a}'_i$. Instead of using random sampling, let $V^*_\theta = \{d_\theta + 1, \dots, 2d_\theta - k^*_\theta + 1\}$ and $\bar T^*_\theta = T^*_\theta \cup V^*_\theta$. $\mathcal B$ samples $\mathbf R^*_{i,1}, \mathbf R^*_{i,2} \leftarrow_U \{\pm 1\}^{m \times m}$ and executes the following.

For each attribute $i \in T^*_\theta$, $\mathcal B$ computes $\bar{\boldsymbol\varphi}_{\theta,i,1}$ and $\bar{\boldsymbol\varphi}_{\theta,i,2}$ as
$$\bar{\boldsymbol\varphi}_{\theta,i,1} = \mathrm{Tran}_{M \to V}\big(\mathrm{Tran}_{V \to M}(\bar{\mathbf b}_1^{\top}) \cdot \mathrm H(att^*_{\theta,i})\big)^{\top}, \quad \bar{\boldsymbol\varphi}_{\theta,i,2} = \mathrm{Tran}_{M \to V}\big(\mathrm{Tran}_{V \to M}(\bar{\mathbf b}_2^{\top}) \cdot \mathrm H(t^*_\theta)\big)^{\top}.$$
Then construct the vectors $\bar{\mathbf a}_i$ and $\bar{\mathbf a}'_i$ as
$$\bar{\mathbf a}_i = \bar{\mathbf g}_\theta \mathbf R^*_{i,1} - \bar{\boldsymbol\varphi}_{\theta,i,1}, \quad \bar{\mathbf a}'_i = \bar{\mathbf g}_\theta \mathbf R^*_{i,2} - \bar{\boldsymbol\varphi}_{\theta,i,2}.$$
For each attribute $i \in V^*_\theta$, calculate
$$\bar{\mathbf a}_i = \bar{\mathbf g}_\theta \mathbf R^*_{i,1} - \bar{\mathbf b}_1, \quad \bar{\mathbf a}'_i = \bar{\mathbf g}_\theta \mathbf R^*_{i,2} - \bar{\mathbf b}_2.$$
For each attribute $i \in Att_\theta \setminus \bar T^*_\theta$, calculate
$$\bar{\mathbf a}_i = \bar{\mathbf g}_\theta \mathbf R^*_{i,1}, \quad \bar{\mathbf a}'_i = \bar{\mathbf g}_\theta \mathbf R^*_{i,2}.$$


The rest of this game remains the same. It can be observed that $\mathbf{Game}_0$ and $\mathbf{Game}_1$ are statistically indistinguishable in $\mathcal A$'s view. According to the leftover hash lemma [45], $(\bar{\mathbf g}_\theta, \bar{\mathbf g}_\theta \mathbf R^*_{i,1}, \mathbf z_1)$ is statistically close to $(\bar{\mathbf g}_\theta, \tilde{\mathbf b}_1, \mathbf z_1)$, and $(\bar{\mathbf g}_\theta, \bar{\mathbf g}_\theta \mathbf R^*_{i,2}, \mathbf z_2)$ is statistically close to $(\bar{\mathbf g}_\theta, \tilde{\mathbf b}_2, \mathbf z_2)$, where $\mathbf z_1 \leftarrow \hat D \bar{\mathbf y} \mathbf R^*_{i,1}$, $\mathbf z_2 \leftarrow \hat D \bar{\mathbf y} \mathbf R^*_{i,2}$ and $\tilde{\mathbf b}_1, \tilde{\mathbf b}_2 \leftarrow_U \mathcal R_q^{1 \times m}$.

$\mathbf{Game}_2$. In this game, we explain how to change $u_{\theta,i,\eta,1}$ and $u_{\theta,i,\eta,2}$ for private key queries for $\mathbb A^*_\theta$ and update key queries for $t^*_\theta$. The operations performed by this game are as follows.

If $\mathcal A$ is an adversary of Type I, for each node $\eta$ in $BT_{gid,\theta}$, we have that
• If $\eta \in Path(i)$, then sample $\bar{\mathbf e}_{\theta,i,\eta,1} \leftarrow \mathcal D_{\mathcal R_q^{2m}, \sigma_s}$. Set $u_{\theta,i,\eta,1} = (\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,i}) \bar{\mathbf e}_{\theta,i,\eta,1}$ and $u_{\theta,i,\eta,2} = u_{\theta,i} - u_{\theta,i,\eta,1}$.
• If $\eta \notin Path(i)$, then sample $\bar{\mathbf e}_{\theta,i,\eta,2} \leftarrow \mathcal D_{\mathcal R_q^{2m}, \sigma_s}$. Set $u_{\theta,i,\eta,2} = (\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,t}) \bar{\mathbf e}_{\theta,i,\eta,2}$ and $u_{\theta,i,\eta,1} = u_{\theta,i} - u_{\theta,i,\eta,2}$.

Since the attributes in $\mathbb A^*_\theta$ have been revoked before the update key related to $t^*_\theta$ is requested, we have $\mathrm{KUNodes}(BT_{gid,\theta}, RL_{gid,\theta}, t^*_\theta) \cap Path(i) = \emptyset$. Then $\mathcal B$ returns a private key $SK_{gid,\theta} = \{(\eta, \bar{\mathbf e}_{\theta,i,\eta,1})\}_{\eta \in Path_\theta(i)}$ and an update key $KU_{t,\theta} = \{(\eta, \bar{\mathbf e}_{\theta,i,\eta,2})\}_{\eta \in \bar S}$ from $AA_\theta$, where $\bar S \leftarrow \mathrm{KUNodes}(BT_{gid,\theta}, RL_{gid,\theta}, t^*_\theta)$.

For an adversary $\mathcal A$ of Type II, sample $\bar{\mathbf e}_{\theta,i,\eta,2} \leftarrow \mathcal D_{\mathcal R_q^{2m}, \sigma_s}$ and set $u_{\theta,i,\eta,2} = (\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,t}) \bar{\mathbf e}_{\theta,i,\eta,2}$, $u_{\theta,i,\eta,1} = u_{\theta,i} - u_{\theta,i,\eta,2}$. Since the adversary $\mathcal A$ does not challenge the access structure, $\mathcal B$ only returns the update key $KU_{t,\theta}$.

In this context, both $\bar{\mathbf e}_{\theta,i,\eta,1}$ and $\bar{\mathbf e}_{\theta,i,\eta,2}$ are distributed according to $\mathcal D_{\mathcal R_q^{2m}, \sigma_s}$. Therefore, we further have that $\bar{\mathbf e}_{\theta,i,\eta,1} \in \mathcal D_{\Lambda_q^{u_{\theta,i,\eta,1}}(\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,i}), \sigma_s}$ and $\bar{\mathbf e}_{\theta,i,\eta,2} \in \mathcal D_{\Lambda_q^{u_{\theta,i,\eta,2}}(\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,t}), \sigma_s}$, where $\bar{\mathbf g}_\theta$ is the ring vector in $PK_\theta$, and $\bar{\mathbf f}_{\theta,i}$ and $\bar{\mathbf f}_{\theta,t}$ are considered to be uniform ring vectors in $\mathcal R_q^{1 \times 2m}$. Hence, we argue that $u_{\theta,i,\eta,1}$ and $u_{\theta,i,\eta,2}$ are statistically close to uniform over $\mathcal R_q$ according to Theorem 4.1 of [19]. In summary, $\mathcal A$ has a negligible advantage in distinguishing $\mathbf{Game}_1$ and $\mathbf{Game}_2$.

$\mathbf{Game}_3$. The main objective of this game is to change $\bar{\mathbf b}_1, \bar{\mathbf b}_2$ in the public parameters $pp$. Let $\bar{\mathbf b}_1$ and $\bar{\mathbf b}_2$ be generated by $\mathrm{RingTrapGen}(1^\lambda)$. Perform the following operations.

For each normal attribute $i \in Att^*_{gid,\theta}$ and $t_\theta \neq t^*_\theta$, calculate
$$\hat{\mathbf b}_1 = \mathrm{Tran}_{V \to M}(\bar{\mathbf b}_1^{\top}) \in \mathcal R_q^{1 \times m}, \quad \hat{\mathbf b}_2 = \mathrm{Tran}_{V \to M}(\bar{\mathbf b}_2^{\top}) \in \mathcal R_q^{1 \times m}.$$
Then $\bar{\mathbf f}_{\theta,i}$ and $\bar{\mathbf f}_{\theta,t}$ can be calculated as
$$\bar{\mathbf f}_{\theta,i} = (\bar{\mathbf a}_i + \bar{\boldsymbol\varphi}_{\theta,i,1}) = \bar{\mathbf g}_\theta \mathbf R_{i,1} + \mathrm{Tran}_{M \to V}\big(\hat{\mathbf b}_1 \cdot (\mathrm H(att_{\theta,i}) - \mathrm H(att^*_{\theta,i}))\big),$$
$$\bar{\mathbf f}_{\theta,t} = (\bar{\mathbf a}'_i + \bar{\boldsymbol\varphi}_{\theta,i,2}) = \bar{\mathbf g}_\theta \mathbf R_{i,2} + \mathrm{Tran}_{M \to V}\big(\hat{\mathbf b}_2 \cdot (\mathrm H(t_\theta) - \mathrm H(t^*_\theta))\big).$$
As explained in Definition 5, both matrices $(\mathrm H(att_{\theta,i}) - \mathrm H(att^*_{\theta,i}))$ and $(\mathrm H(t_\theta) - \mathrm H(t^*_\theta))$ are full rank. Therefore, $\mathbf T_{\bar{\mathbf b}_1}$ and $\mathbf T_{\bar{\mathbf b}_2}$ are also trapdoors for $\Lambda_q^{\perp}(\bar{\mathbf b}'_1)$ and $\Lambda_q^{\perp}(\bar{\mathbf b}'_2)$ respectively, where $\bar{\mathbf b}'_1 = \hat{\mathbf b}_1 \cdot (\mathrm H(att_{\theta,i}) - \mathrm H(att^*_{\theta,i}))$ and $\bar{\mathbf b}'_2 = \hat{\mathbf b}_2 \cdot (\mathrm H(t_\theta) - \mathrm H(t^*_\theta))$. In this context, for any private key query, $\mathcal B$ executes
$$\bar{\mathbf e}_{\theta,i,\eta,1} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf g}_\theta, \bar{\mathbf b}'_1, \mathbf R^*_{i,1}, \mathbf T_{\bar{\mathbf b}_1}, u_{\theta,i,\eta,1}),$$
and for any update key query, $\mathcal B$ executes
$$\bar{\mathbf e}_{\theta,i,\eta,2} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf g}_\theta, \bar{\mathbf b}'_2, \mathbf R^*_{i,2}, \mathbf T_{\bar{\mathbf b}_2}, u_{\theta,i,\eta,2}).$$
For each virtual attribute $i \in V^*_\theta$, we have that $\bar{\mathbf f}_{\theta,i} = (\bar{\mathbf a}_i + \bar{\mathbf b}_1)$ and $\bar{\mathbf f}_{\theta,t} = (\bar{\mathbf a}'_i + \bar{\mathbf b}_2)$. Then sample
$$\bar{\mathbf e}_{\theta,i,\eta,1} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf g}_\theta, \bar{\mathbf b}_1, \mathbf R^*_{i,1}, \mathbf T_{\bar{\mathbf b}_1}, u_{\theta,i,\eta,1}), \quad \bar{\mathbf e}_{\theta,i,\eta,2} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf g}_\theta, \bar{\mathbf b}_2, \mathbf R^*_{i,2}, \mathbf T_{\bar{\mathbf b}_2}, u_{\theta,i,\eta,2}). \quad (2)$$
For the attributes $i \in V_\theta \setminus V^*_\theta$, let $|Att^*_{gid,\theta} \cap Att_\theta| = \ell_\theta$. Calculate $u_{\theta,i} = P_\theta(i)$ and sample $u_{\theta,i,\eta,1} \leftarrow_U \mathcal R_q$ for $i \in [\ell_\theta + 1, d_\theta]$. Also, compute $u_{\theta,i,\eta,2} = u_{\theta,i} - u_{\theta,i,\eta,1}$. Then perform the processes described in Eq. (2), i.e., sample $\bar{\mathbf e}_{\theta,i,\eta,1}$ and $\bar{\mathbf e}_{\theta,i,\eta,2}$.

From the above processes, we find that $\bar{\mathbf e}_{\theta,i,\eta,1}$ and $\bar{\mathbf e}_{\theta,i,\eta,2}$ sampled by the RingSampleRight algorithm are also statistically close to $\mathcal D_{\Lambda_q^{u_{\theta,i,\eta,1}}(\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,i}), \sigma_s}$ and $\mathcal D_{\Lambda_q^{u_{\theta,i,\eta,2}}(\bar{\mathbf g}_\theta | \bar{\mathbf f}_{\theta,t}), \sigma_s}$. From the perspective of $\mathcal A$, $SK_{gid,\theta}$ and $KU_{t,\theta}$ in $\mathbf{Game}_3$ are statistically close to those in $\mathbf{Game}_2$. Consequently, $\mathcal A$ can distinguish between $\mathbf{Game}_2$ and $\mathbf{Game}_3$ only with negligible advantage.

$\mathbf{Game}_4$. The operations in $\mathbf{Game}_4$ are the same as those in $\mathbf{Game}_3$, except that the challenge ciphertext is randomly sampled in $\mathcal R_q \times \mathcal R_q^{1 \times m} \times \mathcal R_q^{1 \times 2m}$. Hence $\mathcal A$ has little ability to distinguish $\mathbf{Game}_3$ from $\mathbf{Game}_4$. Here we provide a reduction to prove that if $\mathcal A$ can distinguish $\mathbf{Game}_3$ and $\mathbf{Game}_4$ with non-negligible advantage $\varepsilon$, then $\mathcal B$ can solve the decisional RLWE problem.

Reduction. Suppose that there are $N$ AAs in the system. We consider the worst case in which $N - 1$ AAs are corrupted. Let $\hat L_{Cor} = \{AA_2, AA_3, \dots, AA_N\}$ be the corrupted list.

• Instance. $\mathcal B$ requests the sampling oracle $\mathcal O$ to generate the instances $\bigcup_{j \in [m], \theta \in [N]} \{(u^\theta_j, v^\theta_j) \mid (u^\theta_j, v^\theta_j) \in \mathcal R_q \times \mathcal R_q\}$ and $(u_0, v_0) \in \mathcal R_q \times \mathcal R_q$.
• Initial. $\mathcal A$ declares the access structure $\mathbb A^* = \bigcup_{\theta \in [N]} \mathbb A^*_\theta$ and the time $t^*_\theta$ to be challenged, where $t^*_\theta \in \mathcal R_q$ and $\mathbb A^*_\theta = (k^*_\theta, T^*_\theta)$ for $k^*_\theta \in [1, \min\{k^*_\theta, |T^*_\theta|\}]$.
• Setup. $\mathcal B$ performs the following operations.
  1. For $\theta \in [N]$, construct $\bar{\mathbf g}_\theta = (u^\theta_1, \dots, u^\theta_m)$ using the instances. Set $\bar T^*_\theta = T^*_\theta \cup V^*_\theta = \{d_\theta + 1, \dots, 2d_\theta - k^*_\theta + 1\}$ and $u = u_0$. Simultaneously, choose an FRD function $\mathrm H$.
  2. $\mathcal B$ adopts the method of $\mathbf{Game}_3$ to construct the components $\bar{\mathbf a}_i, \bar{\mathbf a}'_i$, $(\bar{\mathbf b}_1, \mathbf T_{\bar{\mathbf b}_1})$, $(\bar{\mathbf b}_2, \mathbf T_{\bar{\mathbf b}_2})$ and $\mathbf R^*_{i,1}, \mathbf R^*_{i,2}$.
  3. $\mathcal B$ eventually outputs the elements $\bar{\mathbf b}_1, \bar{\mathbf b}_2, u, \mathrm H$ for $pp$ and $PK_\theta = \{\bar{\mathbf g}_\theta, \{\bar{\mathbf a}_i, \bar{\mathbf a}'_i\}_{i \in Att_\theta}\}$, and keeps $\mathbf T_{\bar{\mathbf b}_1}, \mathbf T_{\bar{\mathbf b}_2}, \{\mathbf R^*_{i,1}, \mathbf R^*_{i,2}\}_{i \in Att_\theta}$ secret. In particular, $\mathcal A$ can additionally obtain the secret elements from $\mathcal B$ if $AA_\theta$ is corrupt ($\theta \in [2, N]$).
• Phase 1. $\mathcal B$ performs the same operations as in $\mathbf{Game}_3$ in response to $AA_\theta$'s private key queries, provided that $\theta = 1$. This means that for any corrupted AA, $\mathcal A$ can obtain the components related to the key from $\mathcal B$, whereas for an uncorrupted AA, $\mathcal A$ can only receive the public elements generated by $\mathcal B$.
• Challenge. $\mathcal B$ encrypts a message $m_b \in \mathcal R_q$ when $\mathcal A$ submits $m_0, m_1 \in \mathcal R_q$. The ciphertext is calculated as follows.
  1. Compute $c^*_0 = \hat D v_0 + m_b \lfloor q/2 \rfloor \in \mathcal R_q$.
  2. For attribute $i \in \bar T^*_\theta$, $\mathcal B$ chooses $\mathbf v^*_{\theta,i} = (\hat D v^\theta_1, \dots, \hat D v^\theta_m) \in \mathcal R_q^{1 \times m}$. Then, set $\bar{\mathbf c}^*_{\theta,0} = \mathbf v^*_{\theta,i}$ and calculate $\mathbf c^*_{\theta,i} = (\mathbf v^*_{\theta,i} \mathbf R^*_{i,1} | \mathbf v^*_{\theta,i} \mathbf R^*_{i,2}) \in \mathcal R_q^{1 \times 2m}$.
  3. Select $\tau \leftarrow_U \{0, 1\}$. If $\tau = 0$, $\mathcal B$ sends $CT^* = (c^*_0, \{\bar{\mathbf c}^*_{\theta,0}\}_{\theta \in [N]}, \{\mathbf c^*_{\theta,i}\}_{i \in \bar T^*_\theta, \theta \in [N]})$ to $\mathcal A$; otherwise it sends a random $CT^*$ to $\mathcal A$.
• Phase 2. Repeat the operations in Phase 1.
• Guess. $\mathcal A$ returns $b'$ as a guess for $b$. If $b' = b$, $\mathcal B$ guesses that it interacts with $\mathbf{Game}_3$, otherwise that it interacts with $\mathbf{Game}_4$.

As we have proved, if $\mathcal A$ can distinguish between $\mathbf{Game}_3$ and $\mathbf{Game}_4$, then $\mathcal B$ has the ability to solve the (decisional) RLWE problem. It can be observed that the distributions of $CT$ and $CT^*$ are statistically indistinguishable from the perspective of $\mathcal A$. If the instances are sampled from $O_s$, we have that $\bar{\mathbf c}^*_{\theta,0} = \bar{\mathbf g}_\theta s + \hat D \bar{\mathbf y}$ for $\bar{\mathbf y} \leftarrow \mathcal D_{\mathcal R^{1 \times m}, \sigma}$. Also, $\bar{\mathbf f}_{\theta,i} = \bar{\mathbf g}_\theta \mathbf R^*_{i,1}$ and $\bar{\mathbf f}_{\theta,t} = \bar{\mathbf g}_\theta \mathbf R^*_{i,2}$ for attribute $i \in \bar T^*_\theta$. Thus $\mathbf c^*_{\theta,i}$ calculated in step (2) of the Challenge phase satisfies
$$\mathbf c^*_{\theta,i} = (\bar{\mathbf g}_\theta \mathbf R^*_{i,1} s + \hat D \bar{\mathbf y} \mathbf R^*_{i,1} \mid \bar{\mathbf g}_\theta \mathbf R^*_{i,2} s + \hat D \bar{\mathbf y} \mathbf R^*_{i,2}) = (\bar{\mathbf f}_{\theta,i} | \bar{\mathbf f}_{\theta,t}) s + \hat D (\bar{\mathbf y} \mathbf R^*_{i,1} | \bar{\mathbf y} \mathbf R^*_{i,2}),$$


Table 1
List of notation.

| Symbol | Description |
|---|---|
| $N$ | The number of AAs |
| $n$ | The number of bits to encrypt |
| $n_v$ | The number of virtual attributes in the system |
| $n_a$ | The number of attributes in the access structure |
| $n_u$ | The number of attributes held by the user |
| $n_d$ | The number of attributes used for decryption |
| $n_r$ | The number of revoked attributes |
| $n_T$ | $n_T = n_a + n_v - n_d + 1$ |
| $\hat T_p$ | The computational cost of SamplePre |
| $\hat T_l$ | The computational cost of SampleLeft |
| $T_p$ | The computational cost of RingSamplePre |
| $T_l$ | The computational cost of RingSampleLeft |

Table 2
Scheme characteristics.

| Scheme | Multi-valued | Multi-authority | Revocable | Assumption |
|---|---|---|---|---|
| Zhang et al. [34] | × | × | × | LWE |
| Zhang et al. [35] | ✓ | × | × | LWE |
| Zhang et al. [36] | × | ✓ | × | LWE |
| Chen et al. [46] | ✓ | × | × | RLWE |
| Yang et al. [40] | × | × | ✓ | LWE |
| Our scheme | ✓ | ✓ | ✓ | RLWE |

Fig. 2. Time cost of our construction.

and $v_0 = u_0 s + x$ is just a component of $c^*_0$ in $\mathbf{Game}_3$. If the instances are sampled from $O_\$$, $v_0$ and $\mathbf v^*_{\theta,i}$ are close to the uniform distribution over $\mathcal R_q$ and $\mathcal R_q^{1 \times m}$, respectively. Therefore $CT^*$ is uniform in $\mathcal R_q \times \mathcal R_q^{1 \times m} \times \mathcal R_q^{1 \times 2m}$. For this reason, $\mathbf{Game}_3$ and $\mathbf{Game}_4$ cannot be distinguished in the view of adversary $\mathcal A$. □

5. Performance analysis

The efficiency analysis and the implementation of our scheme are explained in this section.

5.1. Efficiency analysis

Here we compare the related schemes with our scheme in terms of characteristics, storage overhead and computational cost. The notation used in this subsection is listed in Table 1.

Table 2 provides a comparison of characteristics between our RM-CP-ABE and other schemes. The practicability of these schemes is somewhat limited by the lack of characteristics needed in actual scenarios. Both constructions [35] and [46] introduce multi-valued attributes, allowing users to set access policies flexibly. In contrast, our scheme considers more characteristics and can be reduced to the RLWE assumption.

We give the performance of the schemes in terms of storage overhead in Table 3. Although our scheme is slightly inferior to the other schemes in storage overhead, it still yields desirable results. Applying the trapdoor construction of [25], the secret key of our scheme grows only linearly in the lattice dimension $m$, rather than quadratically as the short basis of the other schemes does. Consequently, their storage requirements are generally close. The advantage of our scheme is that it can perform operations on $n$-bit plaintext. Namely, the scheme supports encryption and decryption of an $n$-bit message using the public parameters and the decryption key. Additionally, our scheme supports more characteristics. Therefore, the storage cost of our construction is acceptable in practical scenarios.

Table 4 shows the computational cost of the $KeyGen$, $Encrypt$ and $Decrypt$ operations in comparison with those in constructions [34–36,40,46], where the computational cost of the $KeyGen$ operation is equal to the sum of $PriKeyGen$ and $KeyUpdGen$. We can see that our scheme enjoys significant advantages in terms of $Encrypt$ and $Decrypt$. In addition, our scheme adopts the ring versions of the sampling algorithms, which support faster arithmetic operations. Also, we employ the trapdoor proposed in [27] instead of a trapdoor in the form of a short basis. That is to say, $T_p$ (resp. $T_l$) is much smaller than $\hat T_p$ (resp. $\hat T_l$). For this reason, we conclude that the efficiency of key generation in our scheme is also better than that of the other schemes. What is more, by using the number theoretic transform (NTT), our implementation improves the efficiency of the matrix multiplication operations. Therefore, the RM-CP-ABE scheme has reasonable performance from the perspective of computational cost.

5.2. Implementation and evaluation

We implement our construction in the Palisade library [47] v1.10 using standard C++ 11. The implementation is evaluated on a computer with an Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40 GHz running the Ubuntu 18.04 operating system. All evaluation results are averages over 20 runs of the program.

As shown in Fig. 2, we evaluated the relationship between the number of user attributes and the computational cost of the $AASetup$, $PriKeyGen$, $KeyUpdGen$ and $Encrypt$ algorithms. We set the number of AAs to 4, the number of attributes held by each AA to 8, the ring size $n = 1024$ and the base $b = 512$. The time consumption of $PriKeyGen$, $KeyUpdGen$ and $Encrypt$ increases linearly with the number of attributes, and $AASetup$ only takes 122.8 ms when the number of attributes is set to 15. Nevertheless, the $Encrypt$, $PriKeyGen$ and $KeyUpdGen$ algorithms are somewhat slower. The matrix multiplication operations that generate the ring polynomials related to the normal attributes occupy the main computation cost in these algorithms. In particular, the time consumption of these operations is about 75–80%, 73–85% and 90–93% of the time consumed by the $PriKeyGen$, $KeyUpdGen$ and $Encrypt$ algorithms respectively. A feasible attempt is to utilize parallel algorithms on a GPU to accelerate arithmetic operations, similar to [26,48]. Observe that the time consumed by decryption is about 9 ms in Fig. 3. This is obviously acceptable for users. Fig. 4 shows the relationship between the time cost of generating the decryption key and the number of revoked attributes. We observe that the time cost decreases linearly with the increase of the number of revoked


Table 3
Comparison of storage overhead.

| Scheme | Public parameter size | Ciphertext size | Decryption key size | Plaintext size |
|---|---|---|---|---|
| Zhang et al. [34] | $(2n_v m + m + 1)n\lceil\log q\rceil$ | $(n_v m + m + 1)\lceil\log q\rceil$ | $(n_v + 1)m\lceil\log q\rceil$ | 1 |
| Zhang et al. [35] | $(2n_v m + 2m + 1)n\lceil\log q\rceil$ | $(n_T m + m + 1)\lceil\log q\rceil$ | $2(n_u + n_v)m\lceil\log q\rceil$ | 1 |
| Zhang et al. [36] | $(n_v m + 1)n\lceil\log q\rceil$ | $(n_a + 1)m\lceil\log q\rceil$ | $n_u m\lceil\log q\rceil$ | 1 |
| Chen et al. [46] | $(2n_v m + 2m + 1)n\lceil\log q\rceil$ | $(n_T m + m + 1)n\lceil\log q\rceil$ | $4(n_u + n_v)mn\lceil\log q\rceil$ | $n$ |
| Yang et al. [40] | $(2n_v m + 4m + 1)n\lceil\log q\rceil$ | $(3n_T m + 1)\lceil\log q\rceil$ | $2(2n_u + 2n_v - n_r)m\lceil\log q\rceil$ | 1 |
| Our scheme | $(4n_v m + Nm + 2m + 1)n\lceil\log q\rceil$ | $(2n_T m + m + 1)n\lceil\log q\rceil$ | $2(2n_u + 2n_v - n_r)mn\lceil\log q\rceil$ | $n$ |

Table 4
Comparison of computational cost.

| Scheme | KeyGen | Encrypt | Decrypt |
|---|---|---|---|
| Zhang et al. [34] | $2n_v \hat T_p$ | $(n_v m + m + 1)n^2$ | $(n_v + 1)mn^2$ |
| Zhang et al. [35] | $(n_u + n_v)\hat T_l$ | $(2n_T m + m + m)n^2$ | $2n_T mn^2$ |
| Zhang et al. [36] | $n_u \hat T_l$ | $(n_T m + 1)n^2$ | $n_d mn^2$ |
| Chen et al. [46] | $(n_u + n_v)T_l$ | $(n_T m + m + 1)n\log n$ | $2n_v mn\log n$ |
| Yang et al. [40] | $(2n_u + 2n_v - n_r)\hat T_l$ | $(3n_T m + 1)n^2$ | $4n_v mn^2$ |
| Our scheme | $(2n_u + 2n_v - n_r)T_l$ | $(2n_T m + Nm + 1)n\log n$ | $4n_v mn\log n$ |

Fig. 4. The relationship between the time cost for the user to obtain the key and the number of revoked attributes.

Fig. 3. Time cost of the decrypt operation.

attributes. Although this stage is time-consuming, the scheme still yields satisfactory results.

Considering post-quantum security [49], we explored the computational efficiency of the proposed scheme when selecting different ring dimensions (i.e., different security levels), as depicted in Tables 5 and 6. In fact, whenever the base is doubled, the computational efficiency increases by about 8%. Besides, when the ring dimension is $n = 512$, the time cost of the scheme is significantly higher than that when the ring dimension is 1024. One can select appropriate parameters depending on the security requirements.

6. Conclusion

In this work, we propose a revocable CP-ABE scheme from RLWE. The scheme supports both multiple authorities and multi-valued attributes, which makes it appropriate for application in cloud computing. Moreover, we provide a theoretical analysis of the computational efficiency and storage overhead of the proposed scheme. The results reveal that our construction enjoys favorable performance with respect to computational efficiency. In storage requirements, the scheme achieves a satisfactory result from the practical perspective. Besides, our scheme is secure against chosen plaintext attack (CPA) under the RLWE assumption in the selective security model. We also evaluated the efficiency of our implementation in practice. The simulation results indicate that our implementation enjoys reasonable performance.

In future work, we will focus on how to further improve the computational efficiency of the scheme. For this, we consider offloading multiplications to GPUs, exploiting the highly parallel and multi-threaded characteristics of the GPU. Another possible extension is to improve the expressiveness of the access structures. We will investigate more general access structures, such as linear secret-sharing schemes (LSSS).

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work is supported by the National Key R&D Program of China (No. 2021YFB3101602), the Basic Research Program (No. JCKY2020604C011) and the Fundamental Research Funds for the Central Universities (No. 3072020CFJ0601). All authors approved the version of the manuscript to be published.


Table 5
Runtimes for our scheme at different bases when $N = 3$, $n = 1024$ and $n_v = 4/6/8/10/12$.

| Base | PriKeyGen (ms) | KeyUpdGen (ms) | Encrypt (ms) | Decrypt (ms) |
|---|---|---|---|---|
| 64 | 1946/2764/3411/4377/4832 | 1944/2895/3443/4319/4985 | 2755/4085/5440/6762/7881 | 9/8/9/9/8 |
| 128 | 1874/2609/3394/4208/4728 | 1865/2665/3382/4118/4836 | 2696/3977/5339/6604/7693 | 9/8/9/9/9 |
| 256 | 1836/2461/3085/3830/4595 | 1819/2526/3075/3867/4558 | 2533/3653/4831/6090/7310 | 9/9/9/9/8 |
| 512 | 1646/2265/2846/3483/4133 | 1600/2228/2835/3480/4115 | 2218/3303/4407/5471/6685 | 9/9/9/8/9 |

Table 6
Runtimes for our scheme at different bases when $N = 3$, $n = 512$ and $n_v = 4/6/8/10/12$.

| Base | PriKeyGen (ms) | KeyUpdGen (ms) | Encrypt (ms) | Decrypt (ms) |
|---|---|---|---|---|
| 64 | 638/875/1137/1339/1520 | 632/861/1053/1244/1456 | 686/1045/1373/1674/2031 | 4/4/5/5/5 |
| 128 | 632/857/1024/1248/1423 | 611/841/974/1188/1370 | 624/929/1228/1549/1844 | 5/4/5/5/5 |
| 256 | 628/814/1007/1193/1364 | 589/813/975/1167/1350 | 639/949/1156/1528/1801 | 5/5/4/4/5 |
| 512 | 558/761/968/1139/1328 | 576/719/898/1062/1253 | 582/851/1110/1403/1699 | 5/4/5/4/5 |

References

[1] Wang C, Wang D, Tu Y, Xu G, Wang H. Understanding node capture attacks in user authentication schemes for wireless sensor networks. IEEE Trans Dependable Secure Comput 2020.
[2] Zhu L, Lwamo NMR, Sharif K, Xu C, Du X, Guizani M, Li F. T-CAM: time-based content access control mechanism for ICN subscription systems. Future Gener Comput Syst 2020;106:607–21.
[3] Wang D, Zhang X, Zhang Z, Wang P. Understanding security failures of multi-factor authentication schemes for multi-server environments. Comput Secur 2020;88:101619.
[4] Qiu S, Wang D, Xu G, Kumari S. Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices. IEEE Trans Dependable Secure Comput 2020.
[5] Sahai A, Waters B. Fuzzy identity-based encryption. In: Proc. 24th annu. int. conf. theory appl. cryptographic techn.; 2005, p. 457–73.
[6] Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proc. 13th ACM conf. comput. commun. security; 2006, p. 89–98.
[7] Zhang Z, Zhang W, Qin Z. A partially hidden policy CP-ABE scheme against attribute values guessing attacks with online privacy-protective decryption testing in IoT assisted cloud computing. Future Gener Comput Syst 2021;123:181–95.
[8] Zhong H, Zhou Y, Zhang Q, Xu Y, Cui J. An efficient and outsourcing-supported attribute-based access control scheme for edge-enabled smart healthcare. Future Gener Comput Syst 2021;115:486–96.
[9] Zhou J, Dong X, Cao Z, Vasilakos AV. Secure and privacy preserving protocol for cloud-based vehicular DTNs. IEEE Trans Inf Forensics Secur 2015;10(6):1299–314.
[10] Agrawal S, Maitra M, Yamada S. Attribute based encryption for deterministic finite automata from DLIN. In: Proc. 17th conf. theory of cryptography; 2019, p. 91–117.
[11] Mandal M. Privacy-preserving fully anonymous ciphertext policy attribute-based broadcast encryption with constant-size secret keys and fast decryption. J Inf Secur Appl 2020;55:102666.
[12] Li J, Wang S, Li Y, Wang H, Wang H, Wang H, Chen J, You Z. An efficient attribute-based encryption scheme with policy update and file update in cloud computing. IEEE Trans Ind Inform 2019;15(12):6500–9.
[13] Chase M. Multi-authority attribute based encryption. In: Proc. 4th conf. theory of cryptography; 2007, p. 515–34.
[14] Liu Z, Jiang ZL, Wang X, Yiu S. Practical attribute-based encryption: Outsourcing decryption, attribute revocation and policy updating. J Netw Comput Appl 2018;108:112–23.
[15] Manna ML, Perazzo P, Dini G. SEA-BREW: a scalable attribute-based encryption revocable scheme for low-bitrate IoT wireless networks. J Inf Secur Appl 2021;58:102692.
[16] Horng S, Lu C, Zhou W. An identity-based and revocable data-sharing scheme in VANETs. IEEE Trans Veh Technol 2020;69(12):15933–46.
[17] Ajtai M. Generating hard instances of lattice problems. In: Proc. 28th annu. ACM symp. theory comput.; 1996, p. 99–108.
[18] Regev O. On lattices, learning with errors, random linear codes, and cryptography. In: Proc. 37th annu. ACM symp. theory comput.; 2005, p. 84–93.
[19] Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: Proc. 40th annu. ACM symp. theory comput.; 2008, p. 197–206.
[20] Agrawal S, Boneh D, Boyen X. Efficient lattice (H)IBE in the standard model. In: Proc. 29th annu. int. conf. theory appl. cryptographic techn.; 2010, p. 553–72.
[21] Singh K, Rangan CP, Agrawal R, Sheshank S. Provably secure lattice based identity based unidirectional PRE and PRE+ schemes. J Inf Secur Appl 2020;54:102569.
[22] Tian Q, Han D, Liu X, Yu X. LWE-based multi-authority attribute-based encryption scheme with hidden policies. Int J Comput Sci Eng 2019;19(2):233–41.
[23] Micciancio D, Peikert C. Trapdoors for lattices: Simpler, tighter, faster, smaller. In: Proc. 31st annu. int. conf. theory appl. cryptographic techn., Vol. 7237; 2012, p. 700–18.
[24] Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. In: Proc. 29th annu. int. conf. theory appl. cryptographic techn.; 2010, p. 1–23.
[25] Bansarkhani RE, Buchmann J. Improvement and efficient implementation of a lattice-based signature scheme. In: Proc. selected areas in cryptography; 2013, p. 48–67.
[26] Dai W, Doröz Y, Polyakov Y, Rohloff K, Sajjadpour H, Savas E, Sunar B. Implementation and evaluation of a lattice-based key-policy ABE scheme. IEEE Trans Inf Forensics Secur 2018;13(5):1169–84.
[27] Gür KD, Polyakov Y, Rohloff K, Ryan GW, Sajjadpour H, Savas E. Practical applications of improved Gaussian sampling for trapdoor lattices. IEEE Trans Comput 2019;68(4):570–84.
[28] Lewko AB, Waters B. Decentralizing attribute-based encryption. In: Proc. 30th annu. int. conf. theory appl. cryptographic techn.; 2011, p. 568–88.
[29] Wei J, Liu W, Hu X. Secure and efficient attribute-based access control for multi-authority cloud storage. IEEE Syst J 2018;12(2):1731–42.
[30] Li J, Chen X, Chow SSM, Huang Q, Wong DS, Liu Z. Multi-authority fine-grained access control with accountability and its application in cloud. J Netw Comput Appl 2018;112:89–96.
[31] Sandor VKA, Lin Y, Li X, Lin F, Zhang S. Efficient decentralized multi-authority attribute based encryption for mobile cloud data storage. J Netw Comput Appl 2019;129:25–36.
[32] Chen J, Lim HW, Ling S, Wang H, Nguyen K. Revocable identity-based encryption from lattices. In: Proc. 17th Australasian conf. inform. security privacy; 2012, p. 390–403.
[33] Boyen X. Attribute-based functional encryption on lattices. In: Theory of cryptography conference; 2013, p. 122–42.
[34] Zhang J, Zhang Z. A ciphertext policy attribute-based encryption scheme without pairings. In: Proc. 7th conf. inform. security cryptology; 2011, p. 324–40.
[35] Zhang J, Zhang Z, Ge A. Ciphertext policy attribute-based encryption from lattices. In: Proc. 7th ACM conf. comput. commun. security; 2012, p. 16–7.
[36] Zhang G, Qin J, Qazi S. Multi-authority attribute-based encryption scheme from lattices. J Univ Comput Sci 2015;21(3):483–501.
[37] Agrawal S, Boyen X, Vaikuntanathan V, Voulgaris P, Wee H. Fuzzy identity based encryption from lattices. IACR Cryptol ePrint Arch 2011;2011:414.
[38] Liu Z, Jiang ZL, Wang X, Wu Y, Yiu S. Multi-authority ciphertext policy attribute-based encryption scheme on ideal lattices. In: IEEE int. conf. parallel & distrib. processing appl.; 2018, p. 1003–8.
[39] Dong X, Zhang Y, Wang B, Chen J. Server-aided revocable attribute-based encryption from lattices. Secur Commun Netw 2020;2020:1–13.
[40] Yang K, Wu G, Dong C, Fu X, Li F, Wu T. Attribute based encryption with efficient revocation from lattices. Int J Netw Secur 2020;22(1):161–70.
[41] Wang Z, Fan X, Liu F-H. FE for inner products and its application to decentralized ABE. In: IACR international workshop on public key cryptography; 2019, p. 97–127.
[42] Datta P, Komargodski I, Waters B. Decentralized multi-authority ABE for DNFs from LWE. In: Annual international conference on the theory and applications of cryptographic techniques; 2021, p. 177–209.
[43] Cheng L, Meng F, Meng X, Zhang Q. AKC-based revocable ABE schemes from LWE assumption. Secur Commun Netw 2020;2020:1–16.
[44] Yang X, Wu L, Zhang M, Chen X. An efficient CCA-secure cryptosystem over ideal lattices from identity-based encryption. Comput Math Appl 2013;65(9):1254–63.
[45] Dodis Y, Ostrovsky R, Reyzin L, Smith AD. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J Comput 2008;38(1):97–139.


[46] Chen Z, Zhang P, Zhang F, Huang J. Ciphertext policy attribute-based encryption supporting unbounded attribute space from R-LWE. KSII Trans Internet Inf Syst 2017;11(4):2292–309.
[47] Polyakov Y, Rohloff K, Sahu G, Vaikuntanathan V. Fast proxy re-encryption for publish/subscribe systems. ACM Trans Priv Secur 2017;20(4):1–31.
[48] Akleylek S, Dagdelen O, Tok ZY. On the efficiency of polynomial multiplication for lattice-based cryptography on GPUs using CUDA. In: Int. conf. cryptography inform. security, Vol. 9540; 2015, p. 155–68.
[49] Albrecht MR. On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Proc. 36th annu. int. conf. theory appl. cryptographic techn.; 2017, p. 103–129.
