Keywords: Attribute-based encryption; RLWE; Multi-authority; Attribute revocation; Multi-valued attributes

Abstract: Cloud computing provides enterprises and individuals with unlimited computing resources and expandable storage space. However, data leakage occurs frequently due to the lack of protection measures in the cloud storage environment. Consequently, how to protect data security in the cloud has become a critical issue. Attribute-based encryption (ABE) is an emerging encryption technique, which protects sensitive information and provides access control for data stored in the cloud. However, most existing ABE schemes cannot resist quantum attacks and lack the capability of implementing flexible revocation of a user or attribute when the attributes of a user change, which hinders the practical application of ABE. In this research, we present a Revocable and Multi-authority ciphertext-policy attribute-based encryption (RM-CP-ABE) scheme from the ring learning with errors (RLWE) assumption, which supports multiple authorities and multi-valued attributes. The scheme allows multiple authorities to be involved in key distribution, and achieves attribute revocation when the user's access rights change. Also, the scheme enjoys reasonable computational cost and storage overhead, and is proven selectively secure under the RLWE assumption. The simulation results indicate that the performance of the proposed scheme is acceptable for practical applications.
∗ Corresponding author. E-mail address: liuzechao@hrbeu.edu.cn (Z. Liu).
https://doi.org/10.1016/j.jisa.2022.103108

1. Introduction

Cloud computing, which is known as a promising service, provides both adequate computing resources and scalable storage space for enterprises or individuals on demand. Currently, many dominant IT companies, such as Google, Microsoft and Amazon, provide users with cloud computing services. The data in the cloud can be used by customers for various purposes [1], including developing applications, sharing documents, browsing emails or enjoying videos.

In the modern cloud computing architecture, data is regarded as one of the ingredients that is stored, transferred and accessed in the remote servers provided by cloud service providers (CSPs), instead of on local host computers. However, this raises a crucial challenge, as remote servers cannot support the original techniques, such as the access control of local computers, to protect data confidentiality [2]. Consumers are naturally concerned about data leakage. Moreover, CSPs are generally not regarded as fully trusted. What happens in this context is that data owners lose security control of their data to some extent, which may result in the unauthorized disclosure of confidential information by the CSP. In such a case, when customers access the data in the cloud, malicious attackers may collect this information without authentication and further infer their behaviors, which makes users unwilling to migrate their data into the cloud. Therefore, how to ensure the confidentiality of the data has become a predominant challenge in the cloud.

Clearly, a desirable measure is to encrypt sensitive data before uploading it to the cloud. Several user authentication schemes [3,4] have been constructed to alleviate the risk to personal data, but they cannot support flexible access control. For example, a message is encrypted with the public key of a recipient, and only the recipient's private key can decrypt it. However, in practical applications, data security is no longer the only security requirement for cloud computing. A more practical solution is to assign individuals access rights depending on their privileges and attributes.

Attribute-based encryption (ABE) is a prospective cryptographic paradigm providing fine-grained access control for outsourced data. The seminal notion of ABE was first proposed by Sahai and Waters [5], termed fuzzy identity-based encryption (FIBE). Goyal et al. [6] constructed the first ABE cryptosystem and divided ABE into Key-Policy Attribute-based encryption (KP-ABE) and Ciphertext-Policy Attribute-based encryption (CP-ABE). From the perspective of application, CP-ABE is considered a suitable tool to protect the integrity of private data stored in the cloud. It allows data owners to define an authorized attribute set as the access control policy, which is embedded into the ciphertext. Each consumer can obtain a secret key corresponding to their attribute set. The condition for successful decryption is that the attribute set satisfies the access policy.

More recently, many effective ABE schemes have been applied to preserve data privacy for IoT environments [7], healthcare systems [8] and vehicular networks [9]. Agrawal et al. [10] proposed a general ABE construction that supports arbitrary-length input. Mandal [11] proposed an ABE scheme with constant-size secret keys that can significantly reduce computing and storage overhead. Li et al. [12] provided a novel CP-ABE scheme with policy updating, which allows the data owner to update the access policy in the ciphertext dynamically. However, there remain several challenges for the practical application of ABE. In standard ABE schemes, the attribute universe is managed by a single central authority instead of being divided into sub-domains maintained by different authorities. Once the central authority is compromised by an adversary, any user with unauthorized attributes will be able to decrypt the ciphertext. For instance, a user or an engineer may freely access a project developed by universities together with enterprises. In this case, the attributes "student" and "engineer" should be controlled by the school and the enterprise, respectively. Chase [13] first provided the construction of a multi-authority attribute-based encryption (MA-ABE) scheme, which enables multiple attribute authorities to distribute keys corresponding to the attributes in their respective sub-domains. Another aspect is that users' attributes may change according to the actual situation, and their access rights should be modified correspondingly. Consequently, it is necessary to construct schemes that realize revocation of user attributes. Many prominent revocable ABE schemes [14,15], which have desirable computational overhead, have been designed for this requirement. Horng et al. [16] proposed a multi-authority CP-ABE scheme supporting attribute and user revocation. In particular, relying on outsourced computation, the scheme alleviates the computational load of resource-constrained devices.

Importantly, the aforesaid schemes are constructed on bilinear pairings, so they cannot resist the threat of current quantum algorithms. The capabilities of quantum computers are far beyond the reach of classical computers; this means that once quantum computers are widely used, schemes based on the discrete logarithm problem will become vulnerable and fail to ensure data confidentiality in cloud computing. Lattice-based cryptography is one of the excellent candidates for the post-quantum era because it is universally considered to be secure against attacks by quantum computers. Ajtai [17] first presented a primitive construction on lattices and proved that attacking the scheme is as hard as solving the Shortest Vector Problem (SVP). Regev [18] first proposed the learning with errors (LWE) problem and formally provided a reduction from worst-case lattice problems to the LWE problem. Gentry et al. [19] proposed a striking building block to generate a lattice trapdoor in the form of a short basis, and presented an LWE-based IBE scheme using this block. Agrawal et al. [20] proposed a hierarchical IBE scheme. Singh et al. [21] proposed an identity-based proxy re-encryption scheme from lattices, which is non-interactive and enjoys a strong trapdoor function. Tian et al. [22] proposed a lattice-based MA-ABE with hidden policies, but it costs a huge amount of computing resources because the scheme involves costly computations of matrix inverses.

One inherent flaw in the above schemes is that the trapdoor generation operation requires particularly complex inversion algorithms and matrix multiplication, so that the concrete constructions are not desirable in practice. Micciancio et al. [23] proposed an efficient trapdoor construction, which can significantly improve computing efficiency and reduce storage overhead. The ring learning with errors (RLWE) problem was proposed in [24] to improve the inherent computational overhead of LWE. Furthermore, Bansarkhani et al. [25] constructed a Gaussian sampler based on the RLWE problem, and clarified that the ring-based construction is more capable than the matrix version in terms of computational complexity and storage requirement. Two practical ABE schemes were proposed in [26] and [27], whereas neither of them considers supporting attribute revocation and the multiple-authority mechanism. Nonetheless, the secret keys of users inherently remain valid when their attributes are changed depending on requirements, i.e., the original keys can still successfully decrypt the message.

1.1. Our contributions

The objective of this work is to implement an RLWE-based CP-ABE scheme with attribute revocation and multi-authority support for the practical environment of cloud storage. Our scheme introduces multi-valued attributes. Namely, the value of each attribute in our scheme can be a certain value in a range, such as the attribute "age=20". The primary challenge in our work is how to construct a ring version of the SampleRight algorithm to reply to the secret key queries of the adversary. Here we utilize the contribution of [25] to design a RingSampleRight algorithm. Briefly speaking, we make the following contributions:

1. We construct a Revocable and Multi-authority CP-ABE scheme from the hardness of the RLWE problem (RM-CP-ABE), which supports multi-valued attributes. The scheme provides the property of attribute revocation for a user whose attributes are changed. Additionally, the multi-authority mechanism makes our scheme suitable for practice.
2. The theoretical analyses demonstrate that our scheme enjoys reasonable computational efficiency and storage overhead. More importantly, we provide an implementation of the proposed scheme. The simulation results indicate that the performance of this work is acceptable for practical applications.
3. The security proof shows that our scheme is selectively secure under the (decisional) ring learning with errors assumption.

1.2. Related work

In 2011, Lewko et al. [28] constructed a CP-ABE with multiple authorities. The critical characteristic of the scheme is that it can resist collusion attacks by illegal users. However, the construction relies on composite-order bilinear groups, so it contains expensive exponentiations. Since then, plenty of lightweight constructions [29–31] have been proposed to resolve the performance bottleneck caused by heavy computational cost.

Several lattice-based ABE schemes have been proposed to provide post-quantum security for real scenarios. Chen et al. [32] presented an LWE-based revocable IBE scheme whose revocation function relies on a binary-tree structure. To achieve fine-grained access policies, Boyen [33] proposed a key-policy attribute-based encryption scheme for monotone access structures. Unfortunately, the scheme is not satisfactory in terms of storage overhead and computational efficiency. Zhang et al. [34] proposed a CP-ABE scheme in which the access policy is defined as a set of positive and negative attributes. The condition for a user to decrypt successfully is that she/he holds all the positive attributes and none of the negative attributes in the access policy. Zhang et al. [35] introduced a CP-ABE scheme with the property of multi-valued attributes.

A natural problem is that only one attribute authority generates key components, which may bring about excessive load. Thus, Zhang et al. [36] designed the first MA-ABE scheme from lattices utilizing the building block of [37]. In fact, the scheme only generates a one-bit ciphertext per encryption operation. Towards solving this problem, Liu et al. [38] proposed an MA-ABE scheme for cloud computing. However, attribute revocation is not considered in the scheme. Both the LWE-based constructions [39] and [40] attempt to support revocation mechanisms with respect to user attributes, but they still have heavy computational cost. Most recently, Wang et al. [41] proposed a decentralized ABE based on functional encryption for inner products. Nevertheless, the scheme requires complex matrix multiplications, which slightly limits its applicability to practical environments.
Y. Yang et al. Journal of Information Security and Applications 65 (2022) 103108
1.3. Organization
• $\mathit{Decrypt}(pp, DK_{gid,t}, CT) \to (M/\bot)$: The algorithm takes in $pp$, $DK_{gid,t}$ and the ciphertext $CT$. It returns the message $M$ if decryption is successful; otherwise it returns a distinctive symbol $\bot$.
• $\mathit{RLUpd}(\widetilde{Att}_{gid,\theta}, RL_{gid,\theta}, t_\theta) \to \widehat{RL}_{gid,\theta}$: The algorithm takes in a revocation attribute set $\widetilde{Att}_{gid,\theta}$, the revocation list $RL_{gid,\theta}$ and the revocation time $t_\theta$ related to $AA_\theta$. It returns the updated list $\widehat{RL}_{gid,\theta}$.

For correctness, it is required that if the user's attribute set $Att_{gid} = \bigcup_{\theta\in[N]} Att_{gid,\theta}$ and the access policy $\mathbb{A}$ satisfy the constraint $Att_{gid} \models \mathbb{A}$, then the algorithm $\mathit{Decrypt}(pp, DK_{gid,t}, CT)$ returns the correct message $M$ with overwhelming probability.

2.4. Security model

We now describe the selective-revocable-ID security game [32] between a challenger and an adversary.

Initialization: The adversary declares a challenge access structure $\mathbb{A}^*$ and time $t^*$, and sends them to the challenger. Besides, the adversary publishes $CorAA$, a list composed of corrupted authorities.

Setup: The challenger performs the $\mathit{GlobalSetup}$ and $\mathit{AASetup}$ algorithms to acquire $pp$ and the pairs $(PK_\theta, SK_\theta)$. Each authority obtains $pp$ and $PK_\theta$ if it is not corrupted; otherwise, it additionally obtains $SK_\theta$.

Phase 1: The adversary, who holds the attribute set $Att_{gid}$, adaptively performs a polynomial number of the following queries.
• The adversary submits the attribute set $Att_{gid}$ to the challenger repeatedly. The challenger returns a private key $SK_{gid}$ by performing the algorithm $\mathit{PriKeyGen}(\cdot)$.
• The adversary submits a revocation list $RL_{gid}$ and a time $t$ to the challenger repeatedly. The challenger returns an update key $KU_t$ by performing the algorithm $\mathit{KeyUpdGen}(\cdot)$.
• The adversary submits an attribute set $\widetilde{Att}_{gid}$, a revocation list $RL_{gid}$ and a time $t$ to the challenger. The challenger returns a revocation list $\widehat{RL}_{gid,\theta}$ by performing the algorithm $\mathit{RLUpd}(\cdot)$.

The implicit constraints in this phase require that $Att_{gid}$ cannot satisfy $\mathbb{A}^*$, and that the query operations of the adversary are only permitted in a non-decreasing time sequence.

Challenge: The adversary specifies two messages $m_0, m_1$ of equal length. The challenger randomly picks $b \in \{0,1\}$ and performs $\mathit{Encrypt}$ to generate $CT^*$ for the adversary.

Phase 2: The adversary repeatedly makes the same queries as in Phase 1, but $Att_{gid}$ cannot satisfy $\mathbb{A}$.

Guess: The adversary outputs a guess $b' \in \{0,1\}$ of $b$.

The advantage of the adversary in the above game is defined as $\left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

Definition 1. The proposed RM-CP-ABE scheme is selectively CPA secure if any adversary has at most a negligible advantage in winning the above game.

3. Lattices

3.1. Integer lattices

Definition 2. Given a basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of the $n$-dimensional real space $\mathbb{R}^n$, the full-rank lattice $\Lambda$ which is the integer span of $\mathbf{B}$ can be represented as
$$\Lambda = \mathcal{L}(\mathbf{B}) = \Big\{ \mathbf{B}\mathbf{x} = \sum_{i=1}^{n} x_i \mathbf{b}_i \;\Big|\; \mathbf{x} \in \mathbb{Z}^n \Big\}.$$

Additionally, the two categories of $q$-ary lattices defined in [20] are adopted in this work.

Definition 3. For a uniformly random matrix $\mathbf{A} \in \mathbb{Z}_q^{n\times m}$ and $u \in \mathbb{Z}_q^n$, the $q$-ary lattices are defined as
$$\Lambda_q^{\perp}(\mathbf{A}) = \{ \mathbf{z} \in \mathbb{Z}^m \text{ s.t. } \mathbf{A}\mathbf{z} = \mathbf{0} \pmod q \},$$

3.2. Discrete Gaussians

Let $\rho_{\mathbf{c},\sigma}(\mathbf{x}) = \exp\!\left(-\pi \|\mathbf{x} - \mathbf{c}\|^2 / \sigma^2\right)$ be a Gaussian function [44], where $\sigma \in \mathbb{R}$ is the distribution parameter and $\mathbf{c} \in \mathbb{R}^n$ is the center. Also, let $\rho_{\mathbf{c},\sigma}(\Lambda) = \sum_{\mathbf{x}\in\Lambda} \rho_{\mathbf{c},\sigma}(\mathbf{x})$ for a lattice $\Lambda$. Define the discrete Gaussian distribution $D_{\Lambda,\mathbf{c},\sigma}$ over $\Lambda$ as
$$D_{\Lambda,\mathbf{c},\sigma}(\mathbf{y}) = \frac{\rho_{\mathbf{c},\sigma}(\mathbf{y})}{\rho_{\mathbf{c},\sigma}(\Lambda)}, \quad \forall \mathbf{y} \in \Lambda.$$

The following lemma gives a bound for the smoothing parameter.

Lemma 1 ([19]). For an $n$-dimensional lattice $\Lambda$ with basis $\mathbf{B}$ and $\epsilon > 0$, we have
$$\eta_\epsilon(\Lambda) \leqslant \|\widetilde{\mathbf{B}}\| \cdot \sqrt{\ln(2n(1 + 1/\epsilon))/\pi}.$$
Then for any $\omega(\sqrt{\log n})$ function, there is a negligible $\epsilon(n)$ for which $\eta_\epsilon(\Lambda) \leqslant \|\widetilde{\mathbf{B}}\| \cdot \omega(\sqrt{\log n})$, where $\widetilde{\mathbf{B}}$ is the Gram–Schmidt orthogonalization of $\mathbf{B}$.

Lemma 2 ([23]). Let $\Lambda$ be an $n$-dimensional lattice and $\mathbf{c} \in \mathrm{span}(\Lambda)$. For real $\epsilon \in (0,1)$ and $s > \eta_\epsilon(\Lambda)$, we have
$$\Pr\left[\mathbf{x} \sim D_{\Lambda,\mathbf{c},s} : \|\mathbf{x} - \mathbf{c}\| \geqslant s\sqrt{n}\right] \leqslant \frac{1+\epsilon}{1-\epsilon} \cdot 2^{-n}.$$

3.3. RLWE hardness assumption

Let $s \in R_q$ be an $n$-dimensional random cyclotomic polynomial. Consider several pairs $(a_i, a_i s + e_i)$, where $a_i \leftarrow_U R_q$ and $e_i \leftarrow D_{R,\sigma}$ with a relatively small parameter $\sigma$.

Definition 4 (Decisional RLWE [26]). The decisional RLWE problem is defined as distinguishing the polynomials $(a_i s + e_i)$ from a pseudo-random sampler $O_s$ and $b_i$ from a truly random sampler $O_\$$ with a negligible advantage for any secret $s \in R_q$ and $i \in [0, t]$, where $t$ is the number of samples available to a polynomial-time adversary, and each $b_i$ is uniformly randomly sampled in $R_q$.

We say that an adversary solves the decisional RLWE problem if its advantage
$$\mathrm{Adv} = \left| \Pr[O_s = 1] - \Pr[O_\$ = 1] \right|$$
is non-negligible for any secret $s$, where $\Pr[O_s = 1]$ denotes the probability that the adversary outputs 1 when interacting with $O_s$, and likewise for $O_\$$.

3.4. Sampling algorithms

3.4.1. Trapdoor generation

The trapdoor construction of [27] is described in Algorithm 1. Specifically, the random ring vector $\bar{\mathbf{g}} \in R_q^{1\times m}$ is based on RLWE, and the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}} \in R_q^{2k}$ contains two vectors $\mathbf{r}$ and $\mathbf{e}$ sampled with the parameter $\sigma$.

Algorithm 1 RingTrapGen [27]
Input: The security parameter $\lambda$;
Output: The pseudo-random ring vector $\bar{\mathbf{g}}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}}$ for $\bar{\mathbf{g}}$;
1: Take $k = \lfloor \log_b(q) + 1 \rfloor$, $\sigma$, $q$ and $n$, where $b \geqslant 2$ is a base for the G-lattice.
2: Pick $a \leftarrow_U R_q$;
3: $\mathbf{r} \leftarrow (r_1, \ldots, r_k)$, where $r_i \leftarrow D_{R,\sigma}$ for $i \in [k]$;
4: $\mathbf{e} \leftarrow (e_1, \ldots, e_k)$, where $e_i \leftarrow D_{R,\sigma}$ for $i \in [k]$;
5: $\bar{\mathbf{g}} \leftarrow [1, a, g_1 - (a r_1 + e_1), \cdots, g_k - (a r_k + e_k)]$, where $g_i \leftarrow b^{i-1}$ for $i \in [k]$;
6: return $(\bar{\mathbf{g}}, \mathbf{T}_{\bar{\mathbf{g}}} = (\mathbf{r}, \mathbf{e}))$;
3.4.3. RingSampleLeft

With Algorithm 3 we construct the ingredients of the secret keys. It is essentially a ring variant of SampleLeft defined in [20], which aims to construct a ring vector $\bar{\mathbf{e}} \in D_{R_q^{2m},\sigma_s}$ such that, for $\bar{\mathbf{g}}, \bar{\mathbf{b}} \in R_q^{1\times m}$, $(\bar{\mathbf{g}}\,|\,\bar{\mathbf{b}})\bar{\mathbf{e}} = u$.

Algorithm 3 RingSampleLeft
Input: The uniformly random ring vectors $\bar{\mathbf{g}}, \bar{\mathbf{b}} \in R_q^{1\times m}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{g}}}$ for $\bar{\mathbf{g}}$; the syndrome $u$; the distribution parameters $\sigma$ and $\sigma_s$;
Output: The result vector $\bar{\mathbf{e}} \in D_{R_q^{2m},\sigma_s}$;
1: Sample $\bar{\mathbf{e}}_2 \leftarrow D_{R_q^{m},\sigma_s}$;
2: Execute $\bar{\mathbf{e}}_1 \leftarrow \mathrm{RingSamplePre}(\bar{\mathbf{g}}, \mathbf{T}_{\bar{\mathbf{g}}}, v, \sigma, \sigma_s)$, where $v = u - \bar{\mathbf{b}}\bar{\mathbf{e}}_2$;
3: $\bar{\mathbf{e}} \leftarrow [\bar{\mathbf{e}}_1; \bar{\mathbf{e}}_2]$, such that $(\bar{\mathbf{g}}\,|\,\bar{\mathbf{b}})\bar{\mathbf{e}} = u$;
4: return $\bar{\mathbf{e}}$;

3.4.4. RingSampleRight

We extend the work of [25] to construct a ring-based SampleRight used to respond to key queries, as depicted in Algorithm 4. Specifically, the algorithm generates a vector $\bar{\mathbf{e}}$ such that $\mathbf{F}\bar{\mathbf{e}} = u$. Eq. (1) explains the correctness of the algorithm. Note that $\bar{\mathbf{e}}$ does not follow a spherical distribution [19]; the technique of [25] can be adopted to produce a spherically distributed preimage.

Algorithm 4 RingSampleRight
Input: The uniformly random ring vectors $\bar{\mathbf{g}}, \bar{\mathbf{b}} \in R_q^{1\times m}$; the matrix $\mathbf{S} \leftarrow_U \{\pm 1\}^{m\times m}$; the trapdoor $\mathbf{T}_{\bar{\mathbf{b}}}$ for $\bar{\mathbf{b}}$; the syndrome $u$; the distribution parameters $\sigma$ and $\sigma_s$;
Output: The result vector $\bar{\mathbf{e}} \in R_q^{2m}$;
1: Execute $\mathbf{x} \leftarrow \mathrm{RingSamplePre}(\bar{\mathbf{b}}, \mathbf{T}_{\bar{\mathbf{b}}}, u, \sigma, \sigma_s)$ such that $\bar{\mathbf{b}}\mathbf{x} = u$. Also, let $\mathbf{F} \leftarrow (\bar{\mathbf{g}}\,|\,\bar{\mathbf{g}}\cdot\mathbf{S} + \bar{\mathbf{b}})$, where $\mathbf{s}_i \in R_q^m$ denotes the $i$-th column of the matrix $\mathbf{S}$, such that $\bar{\mathbf{g}}\mathbf{s}_i = \sum_{i=1}^{m} \bar g_i s_{ji}$ for $j \in [m]$;
2: Take $\bar{\mathbf{e}} \leftarrow (e_1, \cdots, e_m, e_{m+1}, \cdots, e_{2m})$, where $e_i = -\sum_{j=1}^{m} x_j s_{ji}$ for $i \in [m]$ and $e_{m+i} = x_i$ for $i \in [m]$;
3: return $\bar{\mathbf{e}}$;

Definition 5. For positive integers $q, n$, a full rank difference (FRD) function $\mathrm{H}$ satisfies the following properties:
• for any unequal $x, y \in R_q$, the matrix $\mathrm{H}(x) - \mathrm{H}(y) \in \mathbb{Z}_q^{n\times n}$ is full rank;
• $\mathrm{H}$ is computable in polynomial time in $n \log q$.

4. RM-CP-ABE From RLWE

4.1. Overview

Our scheme implements the revocation function with the help of the binary tree infrastructure of [40]. In the scheme, the attribute set of a user with identity $gid$, requested from authority $AA_\theta$, is represented as a binary tree $BT_{gid,\theta}$, where each leaf node $i$ is associated with a time $t_i$ and corresponds to an attribute that belongs to the attribute sub-domain of $AA_\theta$. $Path_\theta(i)$ stands for the set of nodes on the path from node $i$ to the root node. For a node $\eta \in BT_{gid,\theta}$, $\eta_l$ and $\eta_r$ denote its left and right child nodes respectively, and $val_\eta$ denotes the attribute set stored in $\eta$. The condition for performing revocation is that the time $t_i$ related to attribute $i$ satisfies $t_i < t$.

When a data owner performs the revocation operation, $AA_\theta$ executes Algorithm 5 to generate the set $\bar{S}$, which contains the unrevoked child nodes of revoked nodes.

4.2. Construction

Here we provide the detailed construction of our scheme with multi-valued attributes, in which a user attribute can be set to a specific value (e.g., "time = 16:51") instead of true or false. In the scheme, we suppose that there are $N$ AAs in the system, and $AA_\theta$ controls the attribute set $Att_\theta = N_\theta \cup V_\theta$, where $N_\theta = \{1, \ldots, d_\theta\}$ and $V_\theta = \{d_\theta + 1, \ldots, 2d_\theta\}$ represent the normal and virtual attribute sets, respectively.

$\mathit{GlobalSetup}(1^\lambda, N) \to pp$: The algorithm takes in a security parameter $\lambda$, then executes:
1. Specify an FRD function $\mathrm{H}$.
2. Generate $\bar{\mathbf{b}}_1, \bar{\mathbf{b}}_2 \in R_q^{1\times m}$ and $u \in R_q$.
3. Output the public parameter
$$pp = (q, n, m, \alpha, \sigma, \sigma_s, \mathrm{H}, \bar{\mathbf{b}}_1, \bar{\mathbf{b}}_2, u),$$
where the values $q, n, m, \alpha, \sigma, \sigma_s$ are specified in Section 4.3. $pp$ is used as input in all operations below.
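To make the algebra behind Algorithms 1, 3 and 4 of Section 3.4 concrete, here is an added Python example (not code from the paper or its implementation) with toy parameters $n=8$, $q=257$, $b=2$. It assumes a deterministic base-$b$ digit preimage lifted through the trapdoor in place of the Gaussian RingSamplePre, and $\{-1,0,1\}$ coefficients in place of $D_{R,\sigma}$, so it checks only the correctness identities ($\bar{\mathbf g}\mathbf x = u$ through the trapdoor, $(\bar{\mathbf g}|\bar{\mathbf b})\bar{\mathbf e}=u$, and $\mathbf F\bar{\mathbf e}=u$), not the distributions the paper requires.

```python
"""Toy ring arithmetic for the trapdoor/sampler algebra of Algorithms 1, 3 and 4.

Added example, not the paper's implementation.  R_q = Z_q[x]/(x^n + 1) with
n = 8, q = 257 (far too small for security).  A ring element is a list of n
ints in [0, q).  Assumptions: D_{R,sigma} samples become {-1,0,1} coefficients,
and RingSamplePre becomes a deterministic base-b digit decomposition lifted
through the trapdoor, so only the algebraic identities are exercised.
"""
import math
import random

N, Q, B = 8, 257, 2                         # ring dimension, modulus, G-lattice base
K = math.floor(math.log(Q, B) + 1)          # k = floor(log_b(q) + 1) = 9, so b^k > q
M = K + 2                                   # length of g_bar = [1, a, g_1-..., g_k-...]


def add(f, g): return [(x + y) % Q for x, y in zip(f, g)]
def sub(f, g): return [(x - y) % Q for x, y in zip(f, g)]
def const(c): return [c % Q] + [0] * (N - 1)
def rand_elem(): return [random.randrange(Q) for _ in range(N)]
def small_elem(): return [random.choice((-1, 0, 1)) % Q for _ in range(N)]  # D_{R,sigma} stand-in


def mul(f, g):
    """Negacyclic convolution: product modulo x^n + 1 and q."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                out[i + j] = (out[i + j] + fi * gj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - fi * gj) % Q   # x^n = -1
    return out


def dot(vec, other):
    """Ring inner product sum_i vec[i]*other[i]; (g_bar | b_bar) e is dot(g_bar + b_bar, e)."""
    acc = [0] * N
    for v, w in zip(vec, other):
        acc = add(acc, mul(v, w))
    return acc


def ring_trap_gen():
    """Algorithm 1: g_bar = [1, a, g_1-(a r_1+e_1), ..., g_k-(a r_k+e_k)], g_i = b^(i-1)."""
    a = rand_elem()
    r = [small_elem() for _ in range(K)]
    e = [small_elem() for _ in range(K)]
    g_bar = [const(1), a]
    for i in range(K):
        g_bar.append(sub(const(B ** i), add(mul(a, r[i]), e[i])))
    return g_bar, (r, e)


def ring_sample_pre(g_bar, trapdoor, u):
    """Deterministic stand-in for RingSamplePre (assumption, not the paper's sampler).
    Write each coefficient of u in base b: z_i holds digit i, so sum_i b^i z_i = u.
    Then x = (e.z, r.z, z_1..z_k) gives g_bar . x = u because the a r_i + e_i terms
    of g_bar cancel against the first two entries.  Short, but not Gaussian."""
    r, e = trapdoor
    z = [[(c // B ** i) % B for c in u] for i in range(K)]
    return [dot(e, z), dot(r, z)] + z


def ring_sample_left(g_bar, trap_g, b_bar, u):
    """Algorithm 3: e_2 short, v = u - b_bar e_2, e_1 a preimage of v under g_bar."""
    e2 = [small_elem() for _ in range(len(b_bar))]
    v = sub(u, dot(b_bar, e2))
    e1 = ring_sample_pre(g_bar, trap_g, v)
    return e1 + e2                          # (g_bar | b_bar)[e1; e2] = v + b_bar e2 = u


def right_matrix(g_bar, b_bar, S):
    """F = (g_bar | g_bar S + b_bar) with (g_bar S)_j = sum_i g_i S_ij (Algorithm 4, step 1)."""
    m = len(g_bar)
    gS = [dot(g_bar, [const(S[i][j]) for i in range(m)]) for j in range(m)]
    return g_bar + [add(gS[j], b_bar[j]) for j in range(m)]


def ring_sample_right(g_bar, b_bar, S, trap_b, u):
    """Algorithm 4: x with b_bar x = u, then e = (-S x ; x).  In F e the terms
    g_bar(-S x) and (g_bar S) x cancel, leaving b_bar x = u (the identity of Eq. (1))."""
    m = len(b_bar)
    x = ring_sample_pre(b_bar, trap_b, u)
    Sx = [dot([const(S[i][j]) for j in range(m)], x) for i in range(m)]
    return [sub(const(0), t) for t in Sx] + x


def check_identities(seed=1):
    """Returns (trapdoor preimage ok, SampleLeft identity ok, SampleRight identity ok)."""
    random.seed(seed)
    u = rand_elem()                          # syndrome (constructed sample input)
    g_bar, trap_g = ring_trap_gen()          # trapdoored vector for the SampleLeft side
    b_bar, trap_b = ring_trap_gen()          # trapdoored vector for the SampleRight side
    rnd = [rand_elem() for _ in range(M)]    # uniformly random partner vector
    S = [[random.choice((-1, 1)) for _ in range(M)] for _ in range(M)]
    pre_ok = dot(g_bar, ring_sample_pre(g_bar, trap_g, u)) == u
    left_ok = dot(g_bar + rnd, ring_sample_left(g_bar, trap_g, rnd, u)) == u
    right_ok = dot(right_matrix(rnd, b_bar, S),
                   ring_sample_right(rnd, b_bar, S, trap_b, u)) == u
    return pre_ok, left_ok, right_ok


if __name__ == "__main__":
    print(check_identities())                # (True, True, True)
```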
$\mathit{Decrypt}(pp, DK_{gid,t}, CT) \to (M/\bot)$: On input the decryption key $DK_{gid,t}$ related to the attribute set $Att_{gid}$ and the ciphertext related to the access policy $\mathbb{A} = \{(k_\theta, T_\theta)\}_{\theta\in[N]}$. For every $\theta \in [N]$, if $|Att_{gid} \cap T_\theta| < k_\theta$, then output $\bot$. Otherwise, let $\bar T_\theta = T_\theta \cup \{d_\theta + 1, \ldots, 2d_\theta - k_\theta + 1\}$ and take a subset $\mathcal{I}_\theta \subseteq \bar T_\theta \cap Att_{gid,\theta}$ such that $|\mathcal{I}_\theta| = d_\theta + 1$. Then, perform the following operations:

1. Parse $\mathbf{c}_{\theta,i}$ as
$$(\mathbf{c}_{\theta,i,1}\,|\,\mathbf{c}_{\theta,i,2}) = \big((\bar{\mathbf{a}}_i + \bar{\boldsymbol{\varphi}}_{\theta,i,1})\,|\,(\bar{\mathbf{a}}'_i + \bar{\boldsymbol{\varphi}}_{\theta,i,2})\big)\, s + \hat D\,(\bar{\mathbf{y}}\mathbf{R}_{i,1}\,|\,\bar{\mathbf{y}}\mathbf{R}_{i,2}).$$
2. Calculate
$$\tilde c_{\theta,i} = (\bar{\mathbf{c}}_{\theta,0}\,|\,\mathbf{c}_{\theta,i,1})\,\mathbf{e}_{\theta,i,1} + (\bar{\mathbf{c}}_{\theta,0}\,|\,\mathbf{c}_{\theta,i,2})\,\mathbf{e}_{\theta,i,2}$$
$$= \big((\bar{\mathbf{g}}_\theta s + \hat D\bar{\mathbf{y}})\,|\,((\bar{\mathbf{a}}_i + \bar{\boldsymbol{\varphi}}_{\theta,i,1}) s + \hat D\bar{\mathbf{y}}\mathbf{R}_{i,1})\big)\mathbf{e}_{\theta,i,1} + \big((\bar{\mathbf{g}}_\theta s + \hat D\bar{\mathbf{y}})\,|\,((\bar{\mathbf{a}}'_i + \bar{\boldsymbol{\varphi}}_{\theta,i,2}) s + \hat D\bar{\mathbf{y}}\mathbf{R}_{i,2})\big)\mathbf{e}_{\theta,i,2}.$$
3. Compute $\bar c_\theta = \sum_{i\in\mathcal{I}_\theta} L_{\theta,i}\,\tilde c_{\theta,i}$, where $L_{\theta,i} = \dfrac{\prod_{i\in\mathcal{I}_\theta,\, i\neq j}(-i)}{\prod_{i\in\mathcal{I}_\theta,\, i\neq j}(j-i)}$ is the Lagrange coefficient.
4. Calculate $M' = c_0 - \sum_{\theta\in[N]} L_\theta\,\bar c_\theta$, where the Lagrange coefficient is $L_\theta = \dfrac{\prod_{\theta\in[N],\,\theta\neq\tau}(-\theta)}{\prod_{\theta\in[N],\,\theta\neq\tau}(\tau-\theta)}$.
5. For every $i \in [0, n-1]$, if $|m'_i - \lfloor q/2 \rfloor| < q/4$, then output $m'_i = 0$; otherwise output $m'_i = 1$.

$\mathit{RLUpd}(\widetilde{Att}_{gid,\theta}, RL_{gid,\theta}, t_\theta) \to \widehat{RL}_{gid,\theta}$: On input the attributes to be revoked of the user $gid$, the revocation list $RL_{gid,\theta}$ and a time $t_\theta$, the algorithm executes the following procedures.
1. For all attributes $i$ in $\widetilde{Att}_{gid,\theta}$, insert $(i, t_\theta)$ into $\widehat{RL}_{gid,\theta}$.
2. Output $\widehat{RL}_{gid,\theta}$.

4.3. Correctness and parameters

Suppose that for $\theta \in [N]$, the user attribute set satisfies $Att_{gid,\theta} \models \mathbb{A}_\theta$. This means $|Att_{gid} \cap T_\theta| \geqslant k_\theta$. Take the set $\mathcal{I}_\theta$, which contains $k_\theta + 1$ legitimate attributes. Then compute
$$\bar{\mathbf{c}}_\theta = \sum_{i\in\mathcal{I}_\theta} L_{\theta,i}\,\bar{\mathbf{c}}_{\theta,i}
= \sum_{i\in\mathcal{I}_\theta} L_{\theta,i}\Big((\mathbf{c}_{\theta,0}\,|\,\mathbf{c}_{\theta,i,1})\mathbf{e}_{\theta,i,1} + (\mathbf{c}_{\theta,i,0}\,|\,\mathbf{c}_{\theta,i,2})\mathbf{e}_{\theta,i,2}\Big)$$
$$= \sum_{i\in\mathcal{I}_\theta} L_{\theta,i}\big(\bar{\mathbf{f}}_{\theta,i}\mathbf{e}_{\theta,i,1} + \bar{\mathbf{f}}_{\theta,t}\mathbf{e}_{\theta,i,2}\big)\, s + e_r
= \sum_{i\in\mathcal{I}_\theta} L_{\theta,i}\, u_{\theta,i}\, s + e_r,$$
where $e_r = \sum_{i\in\mathcal{I}_\theta} \hat D\, L_{\theta,i}\big((\bar{\mathbf{y}}\,|\,\bar{\mathbf{y}}\mathbf{R}_{i,1})\mathbf{e}_{\theta,i,1} + (\bar{\mathbf{y}}\,|\,\bar{\mathbf{y}}\mathbf{R}_{i,2})\mathbf{e}_{\theta,i,2}\big)$ denotes the noise term. For every $\theta \in [N]$, calculate
$$c' = \sum_{\theta\in[N]} L_\theta\,\bar{\mathbf{c}}_\theta
= s \sum_{\theta\in[N]} L_\theta \sum_{i\in\mathcal{I}_\theta} L_{\theta,i}\,u_{\theta,i} + \sum_{\theta\in[N]} \hat D\,L_\theta\,e_r
= s \sum_{\theta\in[N]} L_\theta\,u_\theta + \sum_{\theta\in[N]} \hat D\,L_\theta\,e_r.$$
Next calculate
$$M' = c_0 - c' = \Big(us + \hat D x + M\Big\lfloor\frac{q}{2}\Big\rfloor\Big) - \Big(s\sum_{\theta\in[N]} L_\theta u_\theta + \sum_{\theta\in[N]} \hat D L_\theta e_r\Big)
= M\Big\lfloor\frac{q}{2}\Big\rfloor + \hat D x - \sum_{\theta\in[N]} \hat D L_\theta e_r.$$

The correctness of the decryption operation requires that the noise term satisfies $\big|\hat D x - \sum_{\theta\in[N]} \hat D L_\theta e_r\big| < q/4$. According to Lemma 1, the distribution parameter $\sigma$ must satisfy the constraint $\sigma \approx \sqrt{\ln(2\hat n/\epsilon)/\pi}$, where $\hat n$ is the maximum ring dimension and $\epsilon \in (0,1)$ is the error bound of the rounding process. According to [27], we take the value of $\sigma$ as 4.578. By Lemma 2.9 in [23], we have
$$\sigma_s > C \cdot \sigma^2 \cdot (b+1) \cdot \big(\sqrt{nk} + \sqrt{2n} + t\big),$$
where the constants $C$ and $t$ take the values 1.7 and 4.7, respectively. Let $\beta_k$ and $\beta_e$ denote upper bounds for $\mathbf{e}_{\theta,i}$ and $\bar{\mathbf{y}}$, respectively. For $d = \max\{d_1, \ldots, d_N\}$, the upper bound $\beta$ of $\bar{\mathbf{y}}\mathbf{e}_{\theta,i}$ can be calculated as
$$\beta = \hat D^2 (\hat d_\theta + 1)\,\beta_k\,\beta_e\,\sqrt{nm}.$$
As expressed in [27], we choose $\beta_k = 8\sigma$ and $\beta_e = 8\sigma_s$. In this context, decryption can be performed correctly if $\beta < q/4$. Consequently, by Lemma 2 and Lemma 12 of [20], we have
$$q > 256\,\hat D^2 (\hat d_\theta + 1)\,\sigma\,\sigma_s\,\sqrt{nm}.$$

4.4. Security proof

The security of our scheme relies on the (decisional) RLWE assumption stated in Definition 4. Here we demonstrate in Theorem 1 that the RM-CP-ABE scheme is secure.

Theorem 1. Given appropriate parameters $n, m, q, \sigma$, the proposed RM-CP-ABE scheme is secure against chosen plaintext attack (CPA) if the (decisional) RLWE assumption holds.

Proof. The proposed scheme is reduced to the (decisional) RLWE assumption. This means that if there exists an adversary who can break the proposed scheme with non-negligible advantage $\varepsilon > 0$, then there is an algorithm which can solve the (decisional) RLWE problem with the same advantage. To be precise, we rely on a sequence of games to prove the security of the scheme, in which the first game is the same as the game in Section 2.4, and the adversary in the last one has a negligible advantage. Besides, we assume that the adversary can corrupt at most $N-1$ AAs. Let $\hat L_{Cor} = \{AA_2, AA_3, \ldots, AA_N\}$ denote the list of corrupted AAs. Furthermore, consider the following two types of adversaries:

Type I: For each $AA_\theta$ ($\theta \in [N]$), an adversary holding the attribute set $Att^*_{gid} = \bigcup_{\theta\in[2,N]} Att^*_{gid,\theta}$ challenges the access structure $\mathbb{A}^*_\theta = (k^*_\theta, T^*_\theta)$, in which the attributes have been revoked at or before a time $t^*_\theta$.

Type II: The adversary does not challenge the access structure $\mathbb{A}^*_\theta$ of $AA_\theta$ for $\theta \in [N]$.

$\mathbf{Game}_0$. This game is consistent with that described in Section 2.4.

$\mathbf{Game}_1$. In this game, for any attribute set $Att_\theta$ held by $AA_\theta$, we change the generation of $\bar{\mathbf{a}}_i, \bar{\mathbf{a}}'_i$. Instead of using random sampling, let $V^*_\theta = \{d_\theta + 1, \ldots, 2d_\theta - k^*_\theta + 1\}$ and $\bar T^*_\theta = T^*_\theta \cup V^*_\theta$. The challenger samples $\mathbf{R}^*_{i,1}, \mathbf{R}^*_{i,2} \leftarrow_U \{\pm 1\}^{m\times m}$ and executes the following.

For each attribute $i \in T^*_\theta$, compute $\bar{\boldsymbol{\varphi}}_{\theta,i,1}$ and $\bar{\boldsymbol{\varphi}}_{\theta,i,2}$ as
$$\bar{\boldsymbol{\varphi}}_{\theta,i,1} = \mathrm{Tran}_{M\to V}\big(\mathrm{Tran}_{V\to M}(\bar{\mathbf{b}}_1^\top) \cdot \mathrm{H}(att^*_{\theta,i})\big)^\top, \qquad
\bar{\boldsymbol{\varphi}}_{\theta,i,2} = \mathrm{Tran}_{M\to V}\big(\mathrm{Tran}_{V\to M}(\bar{\mathbf{b}}_2^\top) \cdot \mathrm{H}(t^*_\theta)\big)^\top.$$
Then construct the vectors $\bar{\mathbf{a}}_i$ and $\bar{\mathbf{a}}'_i$ as
$$\bar{\mathbf{a}}_i = \bar{\mathbf{g}}_\theta \mathbf{R}^*_{i,1} - \bar{\boldsymbol{\varphi}}_{\theta,i,1}, \qquad \bar{\mathbf{a}}'_i = \bar{\mathbf{g}}_\theta \mathbf{R}^*_{i,2} - \bar{\boldsymbol{\varphi}}_{\theta,i,2}.$$
For each attribute $i \in V^*_\theta$, calculate
$$\bar{\mathbf{a}}_i = \bar{\mathbf{g}}_\theta \mathbf{R}^*_{i,1} - \bar{\mathbf{b}}_1, \qquad \bar{\mathbf{a}}'_i = \bar{\mathbf{g}}_\theta \mathbf{R}^*_{i,2} - \bar{\mathbf{b}}_2.$$
For each attribute $i \in Att_\theta \setminus \bar T^*_\theta$, calculate
$$\bar{\mathbf{a}}_i = \bar{\mathbf{g}}_\theta \mathbf{R}^*_{i,1}, \qquad \bar{\mathbf{a}}'_i = \bar{\mathbf{g}}_\theta \mathbf{R}^*_{i,2}.$$
The rest of this game remains the same. It can be observed that $\mathbf{Game}_0$ and $\mathbf{Game}_1$ are statistically indistinguishable in the adversary's view. According to the leftover hash lemma [45], $(\bar{\mathbf{g}}_\theta, \bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,1}, \mathbf{z}_1)$ is statistically close to $(\bar{\mathbf{g}}_\theta, \tilde{\mathbf{b}}_1, \mathbf{z}_1)$, and $(\bar{\mathbf{g}}_\theta, \bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,2}, \mathbf{z}_2)$ is statistically close to $(\bar{\mathbf{g}}_\theta, \tilde{\mathbf{b}}_2, \mathbf{z}_2)$, where $\mathbf{z}_1 \leftarrow \hat D\bar{\mathbf{y}}\mathbf{R}^*_{i,1}$, $\mathbf{z}_2 \leftarrow \hat D\bar{\mathbf{y}}\mathbf{R}^*_{i,2}$ and $\tilde{\mathbf{b}}_1, \tilde{\mathbf{b}}_2 \leftarrow_U R_q^{1\times m}$.

$\mathbf{Game}_2$. In this game, we explain how to change $u_{\theta,i,\eta,1}$ and $u_{\theta,i,\eta,2}$ for private key queries on $\mathbb{A}^*_\theta$ and update key queries on $t^*_\theta$. The operations performed in this game are as follows.

If the adversary is of Type I, for each node $\eta$ in $BT_{gid,\theta}$, we have that
• If $\eta \in Path(i)$, then sample $\bar{\mathbf{e}}_{\theta,i,\eta,1} \leftarrow D_{R_q^{2m},\sigma_s}$. Set $u_{\theta,i,\eta,1} = (\bar{\mathbf{g}}_\theta\,|\,\bar{\mathbf{f}}_{\theta,i})\bar{\mathbf{e}}_{\theta,i,\eta,1}$ and $u_{\theta,i,\eta,2} = u_{\theta,i} - u_{\theta,i,\eta,1}$.
• If $\eta \notin Path(i)$, then sample $\bar{\mathbf{e}}_{\theta,i,\eta,2} \leftarrow D_{R_q^{2m},\sigma_s}$. Set $u_{\theta,i,\eta,2} = (\bar{\mathbf{g}}_\theta\,|\,\bar{\mathbf{f}}_{\theta,i})\bar{\mathbf{e}}_{\theta,i,\eta,2}$ and $u_{\theta,i,\eta,1} = u_{\theta,i} - u_{\theta,i,\eta,2}$.

The attributes in $\mathbb{A}^*_\theta$ have been revoked before the update key related to $t^*_\theta$ is requested. This means that $\mathrm{KUNodes}(BT_{gid,\theta}, RL_{gid,\theta}, t^*_\theta) \cap Path(i) = \emptyset$. Then the challenger returns a private key $SK_{gid,\theta} = \{(\eta, \bar{\mathbf{e}}_{\theta,i,\eta,1})\}_{\eta\in Path_\theta(i)}$ and an update key $KU_{t,\theta} = \{(\eta, \bar{\mathbf{e}}_{\theta,i,\eta,2})\}_{\eta\in\bar S}$ from $AA_\theta$, where $\bar S \leftarrow \mathrm{KUNodes}(BT_{gid,\theta}, RL_{gid,\theta}, t^*_\theta)$.

For an adversary of Type II, sample $\bar{\mathbf{e}}_{\theta,i,\eta,2} \leftarrow D_{R_q^{2m},\sigma_s}$ and set $u_{\theta,i,\eta,2} = (\bar{\mathbf{g}}_\theta\,|\,\bar{\mathbf{f}}_{\theta,i})\bar{\mathbf{e}}_{\theta,i,\eta,2}$, $u_{\theta,i,\eta,1} = u_{\theta,i} - u_{\theta,i,\eta,2}$. Since the adversary does not challenge the access structure, the challenger only returns the update key $KU_{t,\theta}$.

In this context, both $\bar{\mathbf{e}}_{\theta,i,\eta,1}$ and $\bar{\mathbf{e}}_{\theta,i,\eta,2}$ are distributed according to $D_{R_q^{2m},\sigma_s}$. Therefore, we further have that $\bar{\mathbf{e}}_{\theta,i,\eta,1} \in D_{\Lambda_q^{u_{\theta,i,\eta,1}}(\bar{\mathbf{g}}_\theta|\bar{\mathbf{f}}_{\theta,i}),\sigma_s}$ and $\bar{\mathbf{e}}_{\theta,i,\eta,2} \in D_{\Lambda_q^{u_{\theta,i,\eta,2}}(\bar{\mathbf{g}}_\theta|\bar{\mathbf{f}}_{\theta,t}),\sigma_s}$, where $\bar{\mathbf{g}}_\theta$ is the ring vector in $PK_\theta$, and $\bar{\mathbf{f}}_{\theta,i}$ and $\bar{\mathbf{f}}_{\theta,t}$ are considered to be uniform ring vectors in $R_q^{1\times 2m}$. Hence, we argue that $u_{\theta,i,\eta,1}$ and $u_{\theta,i,\eta,2}$ are statistically close to uniform over $R_q$ according to Theorem 4.1 of [19]. In summary, the adversary has a negligible advantage in distinguishing $\mathbf{Game}_1$ and $\mathbf{Game}_2$.

$\mathbf{Game}_3$. The main objective of this game is to change $\bar{\mathbf{b}}_1, \bar{\mathbf{b}}_2$ in the public parameters $pp$. Let $\bar{\mathbf{b}}_1$ and $\bar{\mathbf{b}}_2$ be generated by $\mathrm{RingTrapGen}(1^\lambda)$. Perform the following operations.

For each normal attribute $i \in Att^*_{gid,\theta}$ and $t_\theta \neq t^*_\theta$, calculate
$$\hat{\mathbf{b}}_1 = \mathrm{Tran}_{V\to M}(\bar{\mathbf{b}}_1^\top) \in R_q^{1\times m}, \qquad \hat{\mathbf{b}}_2 = \mathrm{Tran}_{V\to M}(\bar{\mathbf{b}}_2^\top) \in R_q^{1\times m}.$$
Then $\bar{\mathbf{f}}_{\theta,i}$ and $\bar{\mathbf{f}}_{\theta,t}$ can be calculated as
$$\bar{\mathbf{f}}_{\theta,i} = (\bar{\mathbf{a}}_i + \bar{\boldsymbol{\varphi}}_{\theta,i,1}) = \bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,1} + \mathrm{Tran}_{M\to V}\big(\hat{\mathbf{b}}_1 \cdot (\mathrm{H}(att_{\theta,i}) - \mathrm{H}(att^*_{\theta,i}))\big),$$
$$\bar{\mathbf{f}}_{\theta,t} = (\bar{\mathbf{a}}'_i + \bar{\boldsymbol{\varphi}}_{\theta,i,2}) = \bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,2} + \mathrm{Tran}_{M\to V}\big(\hat{\mathbf{b}}_1 \cdot (\mathrm{H}(t_\theta) - \mathrm{H}(t^*_\theta))\big).$$
As explained in Definition 5, both matrices $(\mathrm{H}(att_{\theta,i}) - \mathrm{H}(att^*_{\theta,i}))$ and $(\mathrm{H}(t_\theta) - \mathrm{H}(t^*_\theta))$ are full rank. Therefore, $\mathbf{T}_{\bar{\mathbf{b}}_1}$ and $\mathbf{T}_{\bar{\mathbf{b}}_2}$ are also trapdoors for $\Lambda_q^\perp(\bar{\mathbf{b}}'_1)$ and $\Lambda_q^\perp(\bar{\mathbf{b}}'_2)$ respectively, where $\bar{\mathbf{b}}'_1 = \hat{\mathbf{b}}_1 \cdot (\mathrm{H}(att_{\theta,i}) - \mathrm{H}(att^*_{\theta,i}))$ and $\bar{\mathbf{b}}'_2 = \hat{\mathbf{b}}_1 \cdot (\mathrm{H}(t_\theta) - \mathrm{H}(t^*_\theta))$. In this context, for any private key query, the challenger executes
$$\bar{\mathbf{e}}_{\theta,i,\eta,1} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf{g}}_\theta, \bar{\mathbf{b}}'_1, \mathbf{R}^*_{i,1}, \mathbf{T}_{\bar{\mathbf{b}}_1}, u_{\theta,i,\eta,1}),$$
and for any update key query, executes
$$\bar{\mathbf{e}}_{\theta,i,\eta,2} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf{g}}_\theta, \bar{\mathbf{b}}'_2, \mathbf{R}^*_{i,2}, \mathbf{T}_{\bar{\mathbf{b}}_2}, u_{\theta,i,\eta,2}).$$
For each virtual attribute $i \in V^*_\theta$, we have that
$$\bar{\mathbf{f}}_{\theta,i} = (\bar{\mathbf{a}}_i + \bar{\mathbf{b}}_1), \qquad \bar{\mathbf{f}}_{\theta,t} = (\bar{\mathbf{a}}'_i + \bar{\mathbf{b}}_2).$$
Then sample
$$\bar{\mathbf{e}}_{\theta,i,\eta,1} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf{g}}_\theta, \bar{\mathbf{b}}_1, \mathbf{R}^*_{i,1}, \mathbf{T}_{\bar{\mathbf{b}}_1}, u_{\theta,i,\eta,1}), \qquad
\bar{\mathbf{e}}_{\theta,i,\eta,2} \leftarrow \mathrm{RingSampleRight}(\bar{\mathbf{g}}_\theta, \bar{\mathbf{b}}_2, \mathbf{R}^*_{i,2}, \mathbf{T}_{\bar{\mathbf{b}}_2}, u_{\theta,i,\eta,2}). \qquad (2)$$

For the attributes $i \in V_\theta \setminus V^*_\theta$, let $|Att^*_{gid,\theta} \cap Att_\theta| = \ell_\theta$. Calculate $u_{\theta,i} = P_\theta(i)$ and sample $u_{\theta,i,\eta,1} \leftarrow_U R_q$ for $i \in [\ell_\theta + 1, d_\theta]$. Also, compute $u_{\theta,i,\eta,2} = u_{\theta,i} - u_{\theta,i,\eta,1}$. Then perform the processes described in Eq. (2), i.e., sampling $\bar{\mathbf{e}}_{\theta,i,\eta,1}$ and $\bar{\mathbf{e}}_{\theta,i,\eta,2}$.

From the above processes, we find that $\bar{\mathbf{e}}_{\theta,i,\eta,1}$ and $\bar{\mathbf{e}}_{\theta,i,\eta,2}$, sampled by the RingSampleRight algorithm, are also statistically close to $D_{\Lambda_q^{u_{\theta,i,\eta,1}}(\bar{\mathbf{g}}_\theta|\bar{\mathbf{f}}_{\theta,i}),\sigma_s}$ and $D_{\Lambda_q^{u_{\theta,i,\eta,2}}(\bar{\mathbf{g}}_\theta|\bar{\mathbf{f}}_{\theta,t}),\sigma_s}$. From the perspective of the adversary, $SK_{gid,\theta}$ and $KU_{t,\theta}$ in $\mathbf{Game}_3$ are statistically close to those in $\mathbf{Game}_2$. Consequently, the adversary can distinguish between $\mathbf{Game}_2$ and $\mathbf{Game}_3$ only with negligible advantage.

$\mathbf{Game}_4$. The operations in $\mathbf{Game}_4$ are the same as those in $\mathbf{Game}_3$, except that the challenge ciphertext is randomly sampled in $R_q \times R_q^{1\times m} \times R_q^{1\times 2m}$. Hence the adversary has little ability to distinguish $\mathbf{Game}_3$ from $\mathbf{Game}_4$. Here we provide a reduction to prove that if the adversary can distinguish $\mathbf{Game}_3$ and $\mathbf{Game}_4$ with non-negligible advantage $\varepsilon$, then the algorithm can solve the decisional RLWE problem.

Reduction. Suppose that there are $N$ AAs in the system. We consider the worst case in which $N-1$ AAs are corrupted. Let $\hat L_{Cor} = \{AA_2, AA_3, \ldots, AA_N\}$ be the corrupted list.

• Instance. The algorithm requests the sampling oracle to generate the instances $\bigcup_{j\in[m],\theta\in[N]}\{(u^\theta_j, v^\theta_j) \,|\, (u^\theta_j, v^\theta_j) \in R_q \times R_q\}$ and $(u_0, v_0) \in R_q \times R_q$.
• Initial. The adversary declares the access structure $\mathbb{A}^* = \bigcup_{\theta\in[N]} \mathbb{A}^*_\theta$ and the time $t^*_\theta$ to be challenged, where $t^*_\theta \in R_q$ and $\mathbb{A}^*_\theta = (k^*_\theta, T^*_\theta)$ for $k^*_\theta \in [1, \min\{k^*_\theta, |T^*_\theta|\}]$.
• Setup. The algorithm performs the following operations.
  1. For $\theta \in [N]$, construct $\bar{\mathbf{g}}_\theta = (u^\theta_1, \ldots, u^\theta_m)$ using the instances. Set $\bar T^*_\theta = T^*_\theta \cup V^*_\theta = \{d_\theta + 1, \ldots, 2d_\theta - k^*_\theta + 1\}$ and $u = u_0$. Simultaneously, choose an FRD function $\mathrm{H}$.
  2. Adopt the method of $\mathbf{Game}_3$ to construct the components $\bar{\mathbf{a}}_i, \bar{\mathbf{a}}'_i$, $(\bar{\mathbf{b}}_1, \mathbf{T}_{\bar{\mathbf{b}}_1})$, $(\bar{\mathbf{b}}_2, \mathbf{T}_{\bar{\mathbf{b}}_2})$ and $\mathbf{R}^*_{i,1}, \mathbf{R}^*_{i,2}$.
  3. Eventually output the elements $\bar{\mathbf{b}}_1, \bar{\mathbf{b}}_2, u, \mathrm{H}$ for $pp$ and $PK_\theta = \{\bar{\mathbf{g}}_\theta, \{\bar{\mathbf{a}}_i, \bar{\mathbf{a}}'_i\}_{i\in Att_\theta}\}$, and keep $\mathbf{T}_{\bar{\mathbf{b}}_1}, \mathbf{T}_{\bar{\mathbf{b}}_2}, \{\mathbf{R}^*_{i,1}, \mathbf{R}^*_{i,2}\}_{i\in Att_\theta}$ secret. In particular, the adversary can additionally obtain the secret elements from the algorithm if $AA_\theta$ is corrupt ($\theta \in [2, N]$).
• Phase 1. The algorithm performs the same operations as in $\mathbf{Game}_3$ in response to $AA_\theta$'s private key queries, provided that $\theta = 1$. This means that for any corrupted AA, the adversary can obtain the components related to the key from the algorithm, whereas for an uncorrupted AA, the adversary can only receive the public elements generated by the algorithm.
• Challenge. The algorithm encrypts a message $m_b \in R_q$ when the adversary submits $m_0, m_1 \in R_q$. The ciphertext is calculated as follows.
  1. Compute $c^*_0 = \hat D v_0 + m_b\lfloor q/2 \rfloor \in R_q$.
  2. For attribute $i \in \bar T^*_\theta$, choose $\mathbf{v}^*_{\theta,i} = (\hat D v^\theta_1, \ldots, \hat D v^\theta_m) \in R_q^{1\times m}$. Then set $\bar{\mathbf{c}}^*_{\theta,0} = \mathbf{v}^*_{\theta,i}$ and calculate $\mathbf{c}^*_{\theta,i} = (\mathbf{v}^*_{\theta,i}\mathbf{R}^*_{i,1}\,|\,\mathbf{v}^*_{\theta,i}\mathbf{R}^*_{i,2}) \in R_q^{1\times 2m}$.
  3. Select $\tau \leftarrow_U \{0,1\}$. If $\tau = 0$, send $CT^* = (c^*_0, \{\bar{\mathbf{c}}^*_{\theta,0}\}_{\theta\in[N]}, \{\mathbf{c}^*_{\theta,i}\}_{i\in\bar T^*_\theta,\,\theta\in[N]})$ to the adversary; otherwise send a random $CT^*$ to the adversary.
• Phase 2. Repeat the operations in Phase 1.
• Guess. The adversary returns $b'$ as a guess for $b$. If $b' = b$, the algorithm guesses that it interacts with $\mathbf{Game}_3$; otherwise, that it interacts with $\mathbf{Game}_4$.

As we have shown, if the adversary can distinguish between $\mathbf{Game}_3$ and $\mathbf{Game}_4$, then the algorithm has the ability to solve the (decisional) RLWE problem. It can be observed that the distributions of $CT$ and $CT^*$ are statistically indistinguishable from the perspective of the adversary. If the instances are sampled from $O_s$, we have that $\bar{\mathbf{c}}^*_{\theta,0} = \bar{\mathbf{g}}_\theta s + \hat D\bar{\mathbf{y}}$ for $\bar{\mathbf{y}} \leftarrow D_{R^{1\times m},\sigma}$. Also, $\bar{\mathbf{f}}_{\theta,i} = \bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,1}$ and $\bar{\mathbf{f}}_{\theta,t} = \bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,2}$ for attribute $i \in \bar T^*_\theta$. Thus $\mathbf{c}^*_{\theta,i}$ calculated in step (2) of the Challenge phase satisfies
$$\mathbf{c}^*_{\theta,i} = \big(\bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,1} s + \hat D\bar{\mathbf{y}}\mathbf{R}^*_{i,1}\,\big|\,\bar{\mathbf{g}}_\theta\mathbf{R}^*_{i,2} s + \hat D\bar{\mathbf{y}}\mathbf{R}^*_{i,2}\big) = (\bar{\mathbf{f}}_{\theta,i}\,|\,\bar{\mathbf{f}}_{\theta,t})\, s + \hat D(\bar{\mathbf{y}}\mathbf{R}^*_{i,1}\,|\,\bar{\mathbf{y}}\mathbf{R}^*_{i,2})$$
̂ 𝐲𝑅 ̄ ∗ ).
𝑖,1 𝑖,2
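The $\mathbf{Game}_3$ simulation above rests on the full-rank difference property of the FRD encoding $H$: because $H(att_{\theta,i}) - H(att^*_{\theta,i})$ is invertible for every attribute other than the challenged one, the simulator still holds a trapdoor for all of them. The following toy implementation is an added example, not the paper's code; it assumes the ABB-style FRD (multiplication-by-$a$ matrices in $\mathbb{Z}_q[x]/(f(x))$, not the paper's Definition 5, which this page does not reproduce) with a constructed small $q = 7$, $n = 2$, and checks that $H(a) - H(b)$ has full rank exactly when $a \neq b$.

```python
# Added example, not the paper's code: a toy full-rank difference (FRD) encoding over Z_q.
# It illustrates the property the Game 3 simulator relies on: H(att) - H(att*) is full rank
# whenever att != att*, so the punctured matrix keeps a trapdoor for every unchallenged
# attribute. Assumption: the ABB-style FRD, H(a) = matrix of multiplication by a(x) in
# GF(q^n) = Z_q[x]/(f(x)); the paper's own Definition 5 is not reproduced here.

Q = 7          # toy modulus (constructed; a real scheme uses a far larger q)
N = 2          # field degree; f(x) = x^2 + 1 is irreducible mod 7 since -1 is a non-residue
F = [1, 0, 1]  # coefficients of f(x), lowest degree first

def poly_mulmod(a, b):
    """Multiply two elements of Z_q[x]/(f(x)), given as coefficient lists."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    # reduce modulo the monic f: rewrite each x^k (k >= N) in terms of lower powers
    for k in range(2 * N - 2, N - 1, -1):
        c, prod[k] = prod[k], 0
        for t in range(N):
            prod[k - N + t] = (prod[k - N + t] - c * F[t]) % Q
    return prod[:N]

def frd_encode(a):
    """H(a): the N x N matrix of multiplication by a(x); column i is a(x) * x^i mod f(x)."""
    cols = [poly_mulmod(a, [int(t == i) for t in range(N)]) for i in range(N)]
    return [[cols[j][i] for j in range(N)] for i in range(N)]  # columns -> row-major matrix

def rank_mod_q(M):
    """Rank of a matrix over Z_q via Gaussian elimination (Q is prime, so pivots invert)."""
    M = [row[:] for row in M]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, Q)
        M[rank] = [(v * inv) % Q for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                M[r] = [(x - M[r][c] * y) % Q for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank

def difference_is_full_rank(a, b):
    """The FRD property: H(a) - H(b) is invertible mod q exactly when a != b."""
    diff = [[(x - y) % Q for x, y in zip(ra, rb)]
            for ra, rb in zip(frd_encode(a), frd_encode(b))]
    return rank_mod_q(diff) == N
```

Because $H$ is linear, $H(a) - H(b) = H(a - b)$, and multiplication by a nonzero field element is invertible; exhaustively checking all pairs in $\mathbb{Z}_7^2$ confirms the property for this toy instance.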
Y. Yang et al. Journal of Information Security and Applications 65 (2022) 103108
Table 1. List of notation.

| Symbol | Description |
|---|---|
| $N$ | The number of AAs |
| $n$ | The number of bits to encrypt |
| $n_v$ | The number of virtual attributes in the system |
| $n_a$ | The number of attributes in the access structure |
| $n_u$ | The number of attributes held by the user |
| $n_d$ | The number of attributes for decryption |
| $n_r$ | The number of revoked attributes |
| $n_T$ | $n_T = n_a + n_v - n_d + 1$ |
| $\hat{T}_p$ | The computational cost of SamplePre |
| $\hat{T}_l$ | The computational cost of SampleLeft |
| $T_p$ | The computational cost of RingSamplePre |
| $T_l$ | The computational cost of RingSampleLeft |
Table 2. Scheme characteristics.

| Scheme | Multi-valued | Multi-authority | Revocable | Assumption |
|---|---|---|---|---|
| Zhang et al. [34] | × | × | × | LWE |
| Zhang et al. [35] | ✓ | × | × | LWE |
| Zhang et al. [36] | × | ✓ | × | LWE |
| Chen et al. [46] | ✓ | × | × | RLWE |
| Yang et al. [40] | × | × | ✓ | LWE |
| Our scheme | ✓ | ✓ | ✓ | RLWE |

Fig. 2. Time cost of our construction.
and $v_0 = u_0 s + x$ is just a component of $c^*_0$ in $\mathbf{Game}_3$. If the instances are sampled from $O_{\$}$, $v_0$ and $\mathbf{v}^*_{\theta,i}$ are close to the uniform distribution over $R_q$ and $R_q^{1\times m}$, respectively. Therefore $CT^*$ is uniform in $R_q \times R_q^{1\times m} \times R_q^{1\times 2m}$. For this reason, $\mathbf{Game}_3$ and $\mathbf{Game}_4$ cannot be distinguished in the view of the adversary. □

5. Performance analysis

The efficiency analysis and implementation of our scheme are explained in this section.

5.1. Efficiency analysis

Here we compare the related schemes with our scheme in terms of characteristics, storage overhead and computation cost. The notation used in this subsection is listed in Table 1.

Table 2 provides a comparison of certain characteristics between our RM-CP-ABE and the other schemes. The practicability of the compared schemes is somewhat limited due to the lack of characteristics suited to actual scenarios. Both constructions [35] and [46] introduce multi-valued attributes, allowing users to set access policies flexibly. In contrast, our scheme considers more characteristics and can be reduced to the RLWE assumption.

We give the performance of the schemes in terms of storage overhead in Table 3. Although our scheme is slightly inferior to the other schemes in terms of storage overhead, it still yields desirable results. Applying the trapdoor construction of [25], the secret key of our scheme grows only linearly in the lattice dimension $m$, rather than quadratically as the short basis of the other schemes does. Consequently, their storage requirements are generally close. The advantage of our scheme is that it can perform operations on an $n$-bit plaintext. Namely, the scheme supports encryption and decryption operations for an $n$-bit message using the public parameters and the decryption key. Additionally, our scheme supports more characteristics. Therefore, the storage cost of our construction is acceptable in practical scenarios.

Table 4 shows the computational cost of the $KeyGen$, $Encrypt$ and $Decrypt$ operations in comparison with those in constructions [34–36,40,46], where the computational cost of the $KeyGen$ operation is equal to the sum of $PriKeyGen$ and $KeyUpdGen$. We can see that our scheme enjoys significant advantages in terms of $Encrypt$ and $Decrypt$. In addition, our scheme adopts the ring version of the sampling algorithms, which supports faster arithmetic operations. Also, we employ the trapdoor proposed in [27], instead of the trapdoor in the form of a short basis. That is to say, $T_p$ (resp. $T_l$) is much smaller than $\hat{T}_p$ (resp. $\hat{T}_l$). For this reason, we conclude that the efficiency of key generation in our scheme is also better than that of the other schemes. What is more, by using the number theoretic transform (NTT), our implementation improves the efficiency of the matrix multiplication operations. Therefore, the RM-CP-ABE scheme has reasonable performance from the computational cost perspective.

5.2. Implementation and evaluation

We implement our construction in the Palisade library [47] v1.10 using standard C++11. The implementation is evaluated on a computer with an Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40 GHz running the Ubuntu 18.04 operating system. All evaluation results are taken from the average of 20 runs of the program.

As shown in Fig. 2, we evaluated the relationship between user attributes and the computational cost of the $AASetup$, $PriKeyGen$, $KeyUpdGen$ and $Encrypt$ algorithms. We set the number of AAs to 4, the number of attributes held by each AA to 8, the ring size $n = 1024$ and the base $b = 512$. The time consumption of $PriKeyGen$, $KeyUpdGen$ and $Encrypt$ increases linearly with the number of attributes, and $AASetup$ only takes 122.8 ms when the number of attributes is set to 15. Nevertheless, the $Encrypt$, $PriKeyGen$ and $KeyUpdGen$ algorithms are somewhat slower. The matrix multiplication operations that generate the ring polynomials related to the normal attributes occupy the main computation cost in these algorithms. In particular, the time consumption of these operations is about 75–80%, 73–85% and 90–93% of the time consumed by the $PriKeyGen$, $KeyUpdGen$ and $Encrypt$ algorithms respectively. A feasible attempt is to utilize parallel algorithms on GPU to accelerate the arithmetic operations, similar to [26,48]. Observe that the time consumed by decryption is about 9 ms in Fig. 3, which is obviously acceptable for users. Fig. 4 shows the relationship between the time cost to generate the decryption key and the number of revoked attributes. We observe that the time cost decreases linearly with the increase of the number of revoked
Table 3. Comparison of storage overhead.

| Scheme | Public parameter size | Ciphertext size | Decryption key size | Plaintext size |
|---|---|---|---|---|
| Zhang et al. [34] | $(2n_v m + m + 1)n\lceil\log q\rceil$ | $(n_v m + m + 1)\lceil\log q\rceil$ | $(n_v + 1)m\lceil\log q\rceil$ | 1 |
| Zhang et al. [35] | $(2n_v m + 2m + 1)n\lceil\log q\rceil$ | $(n_T m + m + 1)\lceil\log q\rceil$ | $2(n_u + n_v)m\lceil\log q\rceil$ | 1 |
| Zhang et al. [36] | $(n_v m + 1)n\lceil\log q\rceil$ | $(n_a + 1)m\lceil\log q\rceil$ | $n_u m\lceil\log q\rceil$ | 1 |
| Chen et al. [46] | $(2n_v m + 2m + 1)n\lceil\log q\rceil$ | $(n_T m + m + 1)n\lceil\log q\rceil$ | $4(n_u + n_v)mn\lceil\log q\rceil$ | $n$ |
| Yang et al. [40] | $(2n_v m + 4m + 1)n\lceil\log q\rceil$ | $(3n_T m + 1)\lceil\log q\rceil$ | $2(2n_u + 2n_v - n_r)m\lceil\log q\rceil$ | 1 |
| Our scheme | $(4n_v m + Nm + 2m + 1)n\lceil\log q\rceil$ | $(2n_T m + m + 1)n\lceil\log q\rceil$ | $2(2n_u + 2n_v - n_r)mn\lceil\log q\rceil$ | $n$ |
Table 4. Comparison of computational cost.

| Scheme | KeyGen | Encrypt | Decrypt |
|---|---|---|---|
| Zhang et al. [34] | $2n_v\hat{T}_p$ | $(n_v m + m + 1)n^2$ | $(n_v + 1)mn^2$ |
| Zhang et al. [35] | $(n_u + n_v)\hat{T}_l$ | $(2n_T m + m + m)n^2$ | $2n_T mn^2$ |
| Zhang et al. [36] | $n_u\hat{T}_l$ | $(n_T m + 1)n^2$ | $n_d mn^2$ |
| Chen et al. [46] | $(n_u + n_v)T_l$ | $(n_T m + m + 1)n\log n$ | $2n_v mn\log n$ |
| Yang et al. [40] | $(2n_u + 2n_v - n_r)\hat{T}_l$ | $(3n_T m + 1)n^2$ | $4n_v mn^2$ |
| Our scheme | $(2n_u + 2n_v - n_r)T_l$ | $(2n_T m + Nm + 1)n\log n$ | $4n_v mn\log n$ |
Fig. 4. The relationship between the time cost for the user to obtain the key and the number of revoked attributes.
In this work, we propose a revocable CP-ABE scheme from RLWE. The scheme supports both multiple authorities and multi-valued attributes, which makes it appropriate to be applied in cloud computing. Moreover, we provide a theoretical analysis of the computational efficiency and storage overhead of the proposed scheme. The results

This work is supported by the National Key R&D Program of China (No. 2021YFB3101602), the Basic Research Program (No. JCKY2020604C011), and the Fundamental Research Funds for the Central Universities (No. 3072020CFJ0601). All authors approved the version of the manuscript to be published.
Table 5. Runtimes for our scheme at different bases when $N = 3$, $n = 1024$ and $n_v = 4/6/8/10/12$.

| Base | PriKeyGen (ms) | KeyUpdGen (ms) | Encrypt (ms) | Decrypt (ms) |
|---|---|---|---|---|
| 64 | 1946/2764/3411/4377/4832 | 1944/2895/3443/4319/4985 | 2755/4085/5440/6762/7881 | 9/8/9/9/8 |
| 128 | 1874/2609/3394/4208/4728 | 1865/2665/3382/4118/4836 | 2696/3977/5339/6604/7693 | 9/8/9/9/9 |
| 256 | 1836/2461/3085/3830/4595 | 1819/2526/3075/3867/4558 | 2533/3653/4831/6090/7310 | 9/9/9/9/8 |
| 512 | 1646/2265/2846/3483/4133 | 1600/2228/2835/3480/4115 | 2218/3303/4407/5471/6685 | 9/9/9/8/9 |
Table 6. Runtimes for our scheme at different bases when $N = 3$, $n = 512$ and $n_v = 4/6/8/10/12$.

| Base | PriKeyGen (ms) | KeyUpdGen (ms) | Encrypt (ms) | Decrypt (ms) |
|---|---|---|---|---|
| 64 | 638/875/1137/1339/1520 | 632/861/1053/1244/1456 | 686/1045/1373/1674/2031 | 4/4/5/5/5 |
| 128 | 632/857/1024/1248/1423 | 611/841/974/1188/1370 | 624/929/1228/1549/1844 | 5/4/5/5/5 |
| 256 | 628/814/1007/1193/1364 | 589/813/975/1167/1350 | 639/949/1156/1528/1801 | 5/5/4/4/5 |
| 512 | 558/761/968/1139/1328 | 576/719/898/1062/1253 | 582/851/1110/1403/1699 | 5/4/5/4/5 |
[46] Chen Z, Zhang P, Zhang F, Huang J. Ciphertext policy attribute-based encryption supporting unbounded attribute space from R-LWE. KSII Trans Internet Inf Syst 2017;11(4):2292–309.
[47] Polyakov Y, Rohloff K, Sahu G, Vaikuntanathan V. Fast proxy re-encryption for publish/subscribe systems. ACM Trans Priv Secur 2017;20(4):1–31.
[48] Akleylek S, Dagdelen O, Tok ZY. On the efficiency of polynomial multiplication for lattice-based cryptography on GPUs using CUDA. In: Int. conf. cryptography inform. security. 9540, 2015, p. 155–68.
[49] Albrecht MR. On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Proc. 36th annu. int. conf. theory appl. cryptographic techn.; 2017, p. 103–129.