ResearchArticle Server-AidedRevocableAttribute...

Research ArticleServer-AidedRevocable Attribute-Based Encryption fromLattices

Xingting Dong1 Yanhua Zhang 2 Baocang Wang 1 and Jiangshan Chen 3

1State Key Laboratory of Integrated Services Networks Xidian University Xirsquoan 710071 China2School of Computer and Communication Engineering Zhengzhou University of Light Industry Zhengzhou 450002 China3School of Mathematics and Statistics Minnan Normal University Zhangzhou 363000 China

Correspondence should be addressed to Yanhua Zhang yhzhangzzulieducn

Received 16 October 2019 Accepted 18 December 2019 Published 12 February 2020

Academic Editor Bruce M Kapron

Copyright copy 2020 XingtingDong et alis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Attribute-based encryption (ABE) can support a fine-grained access control to encrypted data When the userrsquos secret-key iscompromised the ABE system has to revoke its decryption privileges to prevent the leakage of encrypted data Although there aremany constructions about revocable ABE from bilinear maps the situation with lattice-based constructions is less satisfactory anda few efforts were made to close this gap In this work we propose the first lattice-based server-aided revocable attribute-basedencryption (SR-ABE) scheme and thus the first such construction that is believed to be quantum resistant In the standard modelour scheme is proved to be secure based on the hardness of the Learning With Errors (LWE) problem

1 Introduction

Attribute-based encryption (ABE) [1 2] which was firstintroduced in 2006 as a generalization of identity-basedencryption (IBE) [3 4] and fuzzy identity-based encryption(FIBE) [1 5] is such a notion for public-key encryptionwhich is used to implement fine-grained access control ABEsystem includes two types key-policy ABE (KP-ABE) andciphertext-policy ABE (CP-ABE) In KP-ABE the keygeneration center (KGC) generates a master secret key(msk) and a master public key (mpk) and each user has apolicy function f e KGC computes and sends to the user asecret key skf corresponding to its policy function f Toencrypt a message μ a sender selects some required attri-butes from the attribute set to form a subset att and generatesthe ciphertext ctatt labeled with att e recipient owning thepolicy function f can decrypt ctatt by applying the secret keyskf if and only if f(att) 1 e different between CP-ABEand KP-ABE is that in CP-ABE each user has its own at-tribute subset att and a ciphertext is corresponding to apolicy function f

Several important results are proposed to realize ABE inthe last few years ese schemes have several types One ofthese can be implemented to predicates computable by

Boolean formulas [2 6ndash11] (which are limited to log-depthcomputations) Another of these has made some importantprogress [12ndash16] which can apply to sophisticated circuitsIn 2013 based on Learning With Errors (LWE) problemGorbunov et al proposed a KP-ABE scheme [16] which iscalled GVW13 where its predicate can be arbitrary poly-nomial-size circuits It is one of the important candidates forBoolean circuit ABE

When the users in ABE system changed for examplesome users leave the system or their secret keys are leakedthese usersrsquo secret keys should be revoked from the systemIn other words although these users have legal secret keysskf they cannot decrypt ciphertext after leaving the systemSo for an ABE system with a large number of users anefficient revocable mechanism is very necessary andimportant

In the beginning revocation mechanism is introducedinto IBE To address the user revocation mechanism in2008 Boldyreva et al [17] proposed the first revocationscheme by combining the complete subtree method [18]with FIBE After the work of Boldyreva et al [17] a lot ofstudies [19 20] have been put forward In 2013 in responseto many realistic threats and attack scenarios a new securitynotion unique to the revocation scheme called decryption

HindawiSecurity and Communication NetworksVolume 2020 Article ID 1460531 13 pageshttpsdoiorg10115520201460531

key exposure resistance (DKER) was proposed by Seo andEmura [20ndash23] Since then DKER has quickly become animportant security requirement for RIBE and many follow-up RIBE schemes with DKER [24ndash28] were proposed Inorder to improve the efficiency of revocation in 2015 Qinet al [29] proposed an interesting solution called server-aided revocable IBE (SR-IBE) In their scheme a publiclyaccessible server with powerful computational capabilitieswhich can be untrusted in the sense that it does not possessany secret information is used to outsource most of theusers workload

e revocable ABE scheme appears later In 2009Attrapadung and Imai [30] put forward two revocablemethods One is direct revocation which is that the sendershould specify the revocation list while encrypting and theother is indirect revocation In the indirect revocationscheme in order to achieve the key revocation mechanismeach userrsquos secret key cannot be allowed to decrypt ci-phertexts alone To complete the decryption the KGCbroadcasts key update through a public channel for everytime period e key update is useless for revoked users butnonrevoked users will be allowed to combine their secretkeys with the key update to derive a decryption key whichcan finally decrypt ciphertexts And they proposed the firsthybrid revocable ABE scheme

In 2010 Yu et al [31] proposed a indirect revocable ABEhowever policy function only supports logical AND In2012 Amit et al [32] provided a more generic way to achieveindirect revocation in ABE schemes In order to alleviate theworkload of users in 2013 Yang et al [33] proposed a directrevocable ABE scheme by delegating part of the users de-cryption capability to a semitrusted server however whichresults in an increase in traffic over the secret channel Tomitigate userrsquos workload and the traffic of the secret channelin 2016 Cui et al [34] proposed a scheme called server-aidedrevocable ABE (SR-ABE) based on the large universe CP-ABE scheme If the server in their scheme was colluded withan adversary however the SR-ABE may be not DKER Tosolve this problem based on [34] in 2017 Qin et al [35]proposed a SR-ABE with DKER About direct revocable in2018 Liu et al [36] proposed an efficient revocable CP-ABEscheme by embedding the revocation list into ciphertextAnd they have a shorter revocation list

ese RIBE and RABE schemes operate in the bilinearpairing setting however the system has narrowed in the raceto protect sensitive electronic information from the threat ofquantum computers which one day could render theseconstructions obsolete Up to now known quantum algo-rithms have no obvious advantages (beyond polynomialspeedup) over classical ones in solving problems in latticesuch as shortest vector problem (SVP) closest vectorproblem (CVP) short integer solution (SIS) and LWELattice-based cryptography is considered as an ideal can-didate for postquantum cryptography (PQC) and possessesseveral noticeable advantages over conventional number-theoretic cryptography (ie based on integer factoring ordiscrete logarithm problems) such as conjectured resistanceagainst quantum computers faster arithmetic operationsand provable security under the worst-case hardness

assumptions And among the PQC schemes submitted toNIST lattice-based schemes are the most

In 2012 Chen et al [37] proposed the first RIBE schemefrom lattices without DKER In 2017 Takayasu andWatanabe [38] proposed a variant of [37] and partiallysolved the problem of achieving RIBE with DKER In 2019Katsumata et al [39] completely solved the problem ofachieving RIBE with DKER by proposing the first lattice-based RIBE scheme with DKER secure under the LWEassumption

But the progress in constructing revocable ABE schemesfrom lattices is slow In 2018 Ling et al [40] proposed aserver-aided revocable Predicate Encryption (SR-PE) fromLWE is scheme employs the Predicate Encryption (PE)scheme of Agrawal et al [41] and the complete subtreemethod of Naor et al [18] as the two main ingredients andplus some additional techniques In the security proof of theSR-PE however since the LWE secret vector in the originalPE scheme is unknown an unreasonable challenge ci-phertext is constructed leading to an invalid proof

11 Our Contributions In order to solve the security ofrevocable ABE against quantum attack we propose the firstSR-ABE from LWE which is indirect revocable and satisfiesefficient and secure user revocation in lattices In order tomitigate the burden of users all the work caused by therevocation will be delegated to a powerful untrusted servere powerful server is similar to cloud computing with alarge number of computing resources and storage resourceswhich can ensure the correctness of the calculation butcannot guarantee the security of the data In order to achievethe key revocation mechanism in our scheme each userrsquossecret key cannot be allowed to decrypt ciphertexts alone Tocomplete the decryption KGC should bind the userrsquosidentity and corresponding circuit when generating thepublic key and bind the period time when generating updatekey When the userrsquos identity is not revoked and its circuitmatches the attribute subset of the ciphertext the server cangenerate a transformation key from KGC to convert theciphertext into a partially decrypted ciphertext bound onlywith the identity In this way only the secret key of theidentity can be used to decrypt e framework of our SR-ABE scheme is depicted in Figure 1

In the scheme there are four types of participants aKGC a powerful untrusted server data sender and datarecipient among which the KGC and the server are theservice of the system the data sender and the data recipientare the client of the system e server is opened to anyoneincluding the adversary In our scheme a userrsquos policyfunction is a boolean circuit Cid with its identity id

According to the system parameter the KGC generatesan msk and an mpk and broadcasts the mpk to all users Byusing its msk and a userrsquos identity id KGC can generate asecret key skid which is sent to the user When a data micro needsto be sent a data sender specifies an attribute subset att forthe data encrypts it over the att and a time period t by usingthe mpk and sends the ciphertext cttatt to the server And alldata users can see the ciphertext on the server If needing to

2 Security and Communication Networks

decrypt a ciphertext cttatt a data recipient with identity idforwards its identity i d and corresponding circuitCid to theserver and points out the ciphertext that it wants the serverto decrypt And the server sends Cid and id to the KGC IfCid corresponds to the attribute subset of the ciphertextKGC can generate a public key pkid binding identity id forthis user and send pkid to server And also the KGC cangenerate a key update kut for nonrevoked user in a timeperiod t and send it to server If the recipientrsquos identity id isnot in revocation list RL then the server is able to generate atransformation key tktid by using the key update kut andpublic key pkid With the key tktid the server can getpartially decrypted ciphertext ctid of binding identity id andsend it to the data recipient Finally the recipient can decryptctid completely by using its secret key

e public key pkid is bound to an identity id andcorresponding circuit Cid which results in the transfor-mation key tktid binding the identity and circuit as well IftheCid(att) 1 then the server can use tktid to separate theattribute subset att and time t from the ciphertext and bindthe identity id to generate the partial decrypted ciphertextctid e partial decrypted ciphertext can only be decryptedby the secret key skid corresponding the identity which therecipient sends to the server

According to the security model of GVW13ABE [16] wedefine selective security model for our SR-ABE from LWEwhich takes into account the possible realistic threats inselective security model and formalizes all attack strategies ofan adversary against the SR-ABE scheme e selectivesecurity model is that the adversary needs to give thechallenge attributes attlowast and challenge time period tlowast beforeseeing the master public key mpk ere are two attackstrategies one is that when the adversary can access thesecret key skidlowast of a user with identity idlowast whose circuitCidlowast

matches attlowast within tlowast the identity idlowast should be in revo-cation list before tlowast and the other is that if this identity idlowasthas not been revoked in tlowast the adversary can not querythe secret key skidlowast corresponding to this idlowast withCidlowast(attlowast) 1

In short our contributions in this paper can be summedup in the following three points

(i) We formally define the SR-ABE model from latticesthat support Boolean circuit of any arbitrary pol-ynominal size We give the definition of the cor-rectness and security of SR-ABE from LWE

(ii) We propose a concrete SR-ABE construction fromlattice for this model based on the KP-ABE con-structed by Gorbunov et al [16]

(iii) We give a strict proof of security for our schemebased on the hardness of Learning With Errorsproblem and prove that our SR-ABE scheme isselective security if the GVW13 is selective security

12 Organization In the forthcoming sections we firstintroduce the nations and definitions relevant to this paperin Section 2 We construct the first lattice-based SR-ABEscheme in Section 3 and analyze the correctness and securityand compare our scheme with previous revocable schemesin Section 4 We conclude the paper in Section 5

2 Preliminaries

21 Notation Bold capital letters (eg A) denote matricesbold lowercase letters (eg a) denote vectors e proba-bilistic polynomial time algorithm is denoted by PPT [ℓ]denotes the set of 1 ℓ where ℓ isin Z For a vector a a

KGC skididmpk

pkid

ctid ctid

Cid

idCid

Cid

cttatt

cttatt

cttatt

t + att

tktid

kut

skid

Recipient

Untrustedserver

Sender

micro micro

Figure 1 Framework of server-aided revocable attribute-based encryption

Security and Communication Networks 3

denotes its Euclidean norm A nonnegative function negl(n)

is negligible if for every polynomial p(n) it holds thatnegl(n)le 1p(n) for all sufficiently large ngt 0

22 Server-Aided Revocable Attribute-Based EncryptionIn order to support a class of boolean circuits C we addseveral parameters to conventional SR-ABE where ℓ denotesthe length of attributes and dmax denotes the depth of aboolean circuit C

221 Syntax of SR-ABE A SR-ABE scheme consists of tenfollowing polynomial-time algorithms

(1) System(1λ 1ℓ dmax)⟶ (pp) the KGC takes asecurity parameter λ an attribute length ℓ and acircuit depth dmax as input and outputs the systemparameter pp

(2) Setup(pp)⟶ (mpkmskRL st) the KGC takesthe parameter pp as input and outputs a masterpublic key mpk a master secret key msk a revo-cation list RL and a state st

(3) GenSK(msk id)⟶ (skid) the KGC takes mskidentity id as input outputs the user secret key skidand sends it to the user with the identity id

(4) Encrypt(mpk t μ att)⟶ (cttatt) the sendertakes mpk a time t isin T a message μ isinM and anattribute subset att as input outputs the ciphertextcttatt and sends it to the server

(5) GenPK(msk idCid st)⟶ (pkid stprime) the KGCtakes msk an identity id a circuit Cid corre-sponding to id and a state st as input outputs thepublic key pkid with identity id and updates the stateto stprime and sends pkid to the server

(6) KeyUp(msk tRL st)⟶ (kut stprime) the KGCtakes msk a time t isin T a revocation list RL and astate st as input outputs a key update kut andupdates the state to stprime and sends kut to the server

(7) TranKG(pkid kut)⟶ (tktidperp) the server takesthe public key pkid with identity id and a key updatekut as input and if id notin RL and outputs a transformkey tktid for a user with identity id else outputs perp

(8) Transform(cttatt tktid)⟶ (ctidperp) the servertakes the ciphertext cttatt and a transform key tktidas input and if the circuitCid corresponding to pkidin tktid satisfies Cid(att) 1 outputs a partiallydecrypted ciphertext ctid with identity id and sendsit to the recipient else outputs perp

(9) Dec(ctid skid)⟶ (μprime) the recipient with identityid takes the partially decrypted ciphertext ctid andits secret key skid as input and outputs the messageμprime

(10) Revoke( id idisinU tRL st)⟶ (RL stprime) the KGCtakes an identity set id idisinU time t the revocationlist RL and the current state st and outputs a newRL and updates the state to stprime

Definition 1 (correctness of SR-ABE) e correctness ofSR-ABE requires that for all security parameter λ the circuitdepth dmax the attribute length ℓ all message μ isinM allt isin T and (mskmpkRL st)⟵ Setup(pp) if the userwith identity id notin RL by time t and Cid(att) 1 and allparties follow the schemersquos algorithms then for all ci-phertexts cttatt⟵Encrypt(mpk t μ att) there existsskid⟵GenSK (msk id) for tktid⟵TranKG(pkid kut)

and ctid⟵Transform(cttatt tktid) such that it has Dec(ctid skid) μ where pkid⟵GenPK(msk idCid st) andkut⟵KeyUp(msk tRL st)

Chen et al [37] formalized and defined the selective-revocable-identity security revocable IBE from latticesQin et al [35] defined the IND-CPA security model forSR-ABE from bilinear pairings In this subsection wegive the definition of selective attribute security server-aided revocable attribute-based encryption fromlattices

222 Selective Security Game An adversary A and achallenger S play the following game

Initial A first gives the challenge attributes attlowast andtime tlowast and some information state it wants topreserve

Setup S runs the Setup(middot) generates the msk mpk RLand st and sends mpk RL and st to AQuery A can adaptively make a polynomial number offollowing queries to S

GenSK(middot) on input identity id and circuit Cid cor-responding to id return a secret key skidGenPK(middot) on input identity id circuit Cid corre-sponding to id and a state st return pkidKeyUp(middot) on input time t revocation list RL andstate st return kutTranKG(middot) on input kut and pkid with identity id ifid notin RL return tktid and else return perpTransform(middot) on input the ciphertext cttatt andcircuit Cid with identity id and tktid if Cid(att) 1outputs partially decrypted ciphertext ctatt else out-puts perpRevoke(middot) on input identity id time t and state streturn updated revocation list RL

e following restrictions must always hold

If idlowast with Cidlowast(attlowast) 1 has been queried toGenSK(middot) at tlowast the Revoke(middot) must be queried on(idlowast t) for any tle tlowastIf idlowast with Cidlowast(attlowast) 1 is not revoked at tlowast(idlowastCid) should not be queried to the GenSK(middot)

Challenge A outputs two equal length messageμ0 μ1 isinM and sends them toSS randomly chooses abit β isin 0 1 and sends Encrypt(mpk tlowast μβ attlowast) toAGuess A can continue to make a polynomial numbersof queries as in Query phase and outputs a bit βprimeAwillwin if βprime β


Definition 2 (selective security) e advantage of A isdefined as the quantity

AdvSRminus ABEA 1λ 1ℓ dmax1113872 1113873 ≔ Pr β βprime1113858 1113859 minus

12 (1)

e scheme SR-ABE is called to be selective security ifthe advantage of adversary AdvSRminus ABE

A (1λ 1ℓ dmax) is neg-ligible in λ ℓ dmax for an efficient A

23 Background on Lattices

Definition 3 (lattices) Let q n m be positive integers for amatrix A isin Zntimesm

q Λperpq (A) x isin Zmq Ax 0 mod q1113966 1113967

denotes an certain family of integer lattices which was in-troduced by Ajtai [42] More generally for u isin Zn

q Λuq(A)

denotes the coset x isin Zmq Ax u mod q1113966 1113967

Definition 4 (discrete Gaussians) For a vector c isin Rm aparameter sgt 0 and an integer lattice Λ define ρsc(x)

exp(minus π(x minus c2s2)) and ρsc(Λ) 1113936xisinΛρsc(x)e discreteGaussians distribution over latticeΛwith center vector c anda parameter s is forallx isin ΛDΛsc(x) ρsc(x)ρsc(Λ) We willsimplify to use notations DΛs when c 0

Definition 5 (learning with errors (LWE)) LWE was in-troduced by Regev [43] For positive integers n m a primeinteger q and a discrete Gaussians distribution χ DZsedecisional LWEnqχ problem is to distinguish the followingtwo distributions a uniform distribution pair (A b) where(A b)⟵Zntimesm

q times Zmq and the other distribution pair

(A b ATs + e) where (A s)⟵Zntimesmq times Zn

q and e⟵ χmSome efficient sampling algorithms which find some

short vectors from specific lattice were introduced byAgrawal et al [44] and Micciancio and Peikert [45] Werecall these sampling algorithms

Lemma 1 For positive integers nge 1 qge 2 and efficientlylarge m O(n log q) Cere are polynomial time algorithmswith the properties below

(1) TrapGen(n m q)⟶ ATA an efficient random-ized algorithm [45ndash47] outputs a matrix A isin Zntimesm

q

and a basis TA isin Zmtimesm of Λperpq (A) such that the dis-tribute of A is close to uniform and1113958TAleO(

m log q

1113968) ||TA||leO(m log q) where 1113958TA

denotes GramndashSchmidt orthogonalization of TA(2) SampleLeft(AMTA u s) inputting A isin Zntimesm

q a trapdoor TA of Λperpq (A) a matrix M isin Zntimesm

q avector u isin Zn

q and a sufficiently large Gaussianparameter sge 1113958TA middot ω(

log 2m

1113968) it outputs a vector

z isin Z2m with a distribute statistically close toDΛu

q ([A |M])s(3) SampleRight(ARGTG u s) inputting G isin Zntimesm

q a trapdoor TG of Λperpq (G) a matrix A isin Zntimesm

q R isin Zmtimesm

q a vector u isin Znq and a sufficiently large

Gaussian parameter sge TG middot R middot ω(log m

1113968) it

outputs a vector z isin Z2m with a distribute statisticallyclose to DΛu

q ([A |AR+G]])s

24 Two-To-One Recoding Scheme In this subsection wewill introduce the Two-to-One Recoding (TOR) schemesimply presented by Gorbunov et al based on LWE in [16]And its idea is introduced in [44 46 48 49]

Lemma 2 Assuming the Decisional LWEnqχ there is a TOR

(1) Params(1λ dmax) on input parameter λ and dmaxoutput (m n q)

(2) Keygen(m n q) on input parameter m n q runTrapGen(n m q) and get a matrix A isin Zntimesm

q and atrapdoor T of Λperpq (A) And output pk A sk T

(3) Encode(pk s isin Znq) output the encoding ψ ATs+

e isin Zm where e⟵DZms ψ is called an encoding ofs and e is called error vector

(4) ReKeygen(pk0 pk1 skb pktgt) let pkb Ab skb Tb

pktgt Atgt for b isin 0 1 Compute R isin Z2mtimesm

R R0

R11113890 1113891Ri isin Z

mtimesm i 0 1 (2)

where R1⟵DZmtimesms and R0⟵ SamplePre(A0T0U s) where U Atgt minus A1R1 Outputrk

tgt01 R

(5) SimReKeyGen(pk0 pk1) let pk0 A0 pk1 A1 andsample a matrix R⟵ (DZ2mtimesms) DefineAtgt ≔ [A0 |A1]R isin Zntimesm

q and output the pair(pktgt Atgt rk

tgt01 R)

(6) Recode(rktgt01ψ0ψ1) let rktgt01 R and compute

ψtgt RTψ0

ψ11113890 1113891 isin Zm

q (3)

where ψ0 Encode(A0 s) ψ1 Encode(A1 s) for sames isin Zn It is clear that ψtgt Encode(Atgt s) for sames isin Zn as long as the error-tolerance is large enoughOutput ψtgt

e ABE scheme needs a one-time symmetric encryp-tion scheme (E D) which is in the following

Lemma 3 Let μ isin 0 1 m denote the plaintext c denotecorresponding ciphertext ψ and ψprime isin Zm

q then

(i) E(ψ μ) compute the ciphertextc ψ + [q2]μ(mod q) And output c

(ii) D(ψprime c) let ψprime (ψ0prime ψmminus 1prime ) isin Zmq and a ci-

phertext c (c0 cmminus 1) isin Zmq compute

μprime Round c0 minus ψ0prime( 1113857Round c1 minus ψ1prime( 1113857 Round(

middot cmminus 1 minus ψmminus 1prime( 11138571113857

(4)


where

Round(x) 0 if |xmod q|lt q4

1 otherwise1113896 (5)

Output μprime

25 Full-Rank Different Map

Definition 6 (full-rank different map [37]) Let q be a primeand n a positive integer A function H Zn

q⟶ Zntimesnq is a full-

rank different map if for all different vectors u v isin Znq the

matrix H(u) minus H(v) isin Zntimesnq is full rank and H is computable

in polynomial time in nlogq

26 Complete Subtree Method Like previous revocableschemes our scheme also needs to use the complete subtreemethod which was proposed by Naor et al [18] In themethod there is a complete binary BT with at least N leafnodes where N is the maximum number of users in thesystem and each leaf node of BT is corresponding to a userWith this binary tree BT a KUNode algorithm is used tocompute the minimal set of nodes for which key updateneeds to be published so that only the nonrevoked users inthis tree at a time period t are able to decrypt the ciphertexts

KUNode(BTRL t) takes the binary tree BT a revocationlist RL and a time period t as input and does the following

(1) X Y⟵empty(2) forall(xi ti) isin RL if ti le t then add Path(xi) to X(3) forally isin X if yl notin X then add yl to Y if yr notin X then

add yr to Y where yl is left child of y and yr is rightchild of y

(4) if Y empty then add root to Y(5) Return Y

e set Y is the smallest subset of nodes that containsancestors of all the leaf nodes corresponding to nonrevokedusers In [18] it proves that the set Y generated byKUNodes(BTRL t) has a size at most O(R logNR) whereR is the number of users in RL

3 SR-ABE from Lattices

31 GVWrsquo13 ABE Scheme In this subsection we will brieflydescribe GVW13 ABE scheme [16] which will be used as thebuilding block for our SR-ABE

ere are three key parameters in GVW13 ABE Schemewhich are security parameter λ attribute length ℓ and circuitdepth dmax respectively e master public key is

Aij1113966 1113967iisin[ℓ]jisin 01

Aout1113882 1113883 and master secret key is

Tij1113966 1113967iisin[ℓ]jisin 01

where (AijTij)⟵KeyGen(middot) fori isin [ℓ] j isin 0 1 e generation of the secret key for a userwith a circuit C is complex First of all the KGC assigns the(AibTib)⟵Kengen(middot) to every output b isin 0 1 of the i-th gate of the circuit C for i isin ℓ + 1 |C| minus 1 Wheni |C| the last gate is assigned Aout only when the output of

the gate is 1 en according to every gate Ci of thecircuit C the conversation keys are generated by rki

bc⟵ReKeyGen(Aiminus 2bAiminus 1cTiminus 2bAia) where a Ci(b c) andb c isin 0 1 Finally these conversation keys are combined asuserrsquos secret key and distributed to the user If a message microneeds to be sent according to the att a1 a21113864

aℓ isin 0 1 ℓ a sender selects Aiai1113966 1113967

iisin[ℓ] to encrypt it andgets the ciphertext att Encode (Aiai

u)iisin[ℓ]

E(Encode(Aout u) μ) where u⟵Znq When a recipient

with the circuit C wants to decrypt the ciphertext ifC(att) 1 then it can use secret key to get the code of Aoutaccording to the code of Aiai

1113966 1113967iisin[ℓ] and can easily get the

message μ else it can do nothingIn the selective security model the adversary announces

a challenge attribute set attlowast before the challenger gives itpublic master key According to [16] the GVW13 scheme isselectively secure

32 Our SR-ABE Scheme In this subsection we give aconcrete construction of our scheme

321 System(1λ 1ℓ dmax) On input the λ ℓ and dmax theKGC does the following

(1) Set n O(λ) m O(n log q) the modulusq O(n2dmax)

dmaxn and Gaussian parameters O(

n log q

1113968) Error distribution is χ DZ

n

radic N poly(λ) is the maximal number of users thesystem can support An efficient full-rank differentmap H Zn

q⟶ Zntimesnq

(2) Let the identify space be IsubeZnq the time space be

TsubeZnq the message space be Msube 0 1 m and the

attribute space be Asube 0 1 ℓ(3) Output pp (ℓ n m q s N χITM HA)

322 Setup(pp) On input pp the KGC does the following

(1) For b isin 0 1 i 1 ℓ run Keygen(m n q) andoutput (ATA) (BTB) and (BibTB

ib)1113966 1113967iisin[ℓ]bisin 01

Output

pk1 (AB)

sk1 TATB( 1113857

pk2 B10 B20 middot middot middot Bℓ0B11 B21 middot middot middot Bℓ1

1113888 1113889

sk2 TB10 TB

20 middot middot middot TBℓ0

TB11 TB


1113888 1113889

(6)

(2) Choose randomly A1B1CDG⟵Zntimesmq and let

msk (sk1 sk2A1B1) and mpk (pk1 pk2C

DG)(3) Initialize the revocation list RL empty Obtain a binary

tree BT with at least N leaf nodes and set the statest BT

(4) Output (mpkmskRL st)


323 GenSK(msk id) On input msk an identity id isin Ithe KGC does the following

(1) If the Fid corresponding to id is undefined setFid A1 + H(id)G sample Rid⟵ SampleLeft(AFidTAD s) and note that [A | Fid]Rid D

(2) Output skid Rid

324 Encrypt(mpk t μ att) On input mpk a time t isin Tand a message μ isinM the sender selects an attribute subsetatt (a1 a2 aℓ) isin A and does the following

(1) Set Ct C + H(t)G isin Zntimesmq and sample u⟵Zn

q(2) Output cttatt (att c ψi1113864 1113865iisin[ℓ]ψ ξφ) where

c E(Encode(D u) μ)

ψi Encode Biaiu1113872 1113873 i isin [ℓ]

ψ Encode(B u)

ξ Encode Ctu( 1113857

φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)

325 GenPK(msk idCid st) On input msk an identity ida circuit Cid and state st the KGC does the following

(1) For every leaf node θ from BT store the corre-sponding identity id in this node If the Bid corre-sponding to id is undefined set Bid B1 + H(id)G

(2) After getting the circuitCid from server with identityid for ilt |Cid| minus ℓ or b 0 run Keygen(pp) and get(Bℓ+ibTB

ℓ+ib) Set B|Cid|1 Bid For the gate xℓ+i

Cidi(xui

xvi) (bprime bPrime) isin 0 1 2 i 1 |Cid| minus ℓ

there is R(uiviℓ+i)

B(bprime bPrimeCidi(bprime bPrime))⟵ReKeygen (BuibprimeBvibPrime

TBuibprime

Bℓ+iCidi(bprime bPrime)) Let sid RB(bprimebPrime Cidi

(bprime bPrime))1113882

(ui vi ℓ + i) (bprime bPrime) isin 0 1 2 i 1 |Cid| minus ℓ(3) For each node x isin Path(θ) if its Ux is undefined

choose Ux⟵Zntimesmq and store it on x If the Fid

corresponding to id is undefined setFid A1 + H(id)G Sample Z1x⟵ SampleLeft(BBidTB Fid minus Ux s) and such that [B |Bid]Z1x

Fid minus Ux where Z1x isin DΛBid minus Ux ([B |Bid])s And updatethe state to stprime

(4) Output pkid (sid (xZ1x)1113966 1113967xisinPath(id)

) and theupdated stprime

326 KeyUp(msk tRL st) On input msk a time t isin T arevocation list RL and the state st the KGC dose thefollowing

(1) Set Ct C + H(t)G isin Zntimesmq

(2) For all x isin KUNodes(BTRL t) fetch Ux from nodex and sample Z2x⟵ SampleLeft(BCtTBUx s)Note that Z2x isin DΛUx ([B |Ct])s

and [B |Ct]Z2x Ux

(the corresponding Ux is predefined in GenPK andalways exists) And update the state to stprime

(3) Output kut (xZ2x)1113966 1113967xisinKUNodes(BTRLt)

and theupdated stprime

327 TranKG(pkid kut) On input pkid and kut the servergenerates a transformation key tktid for every i d not lyingthe revocation list RL as the following

(1) Parse pkid (sid (xZ1x)1113966 1113967xisinI) and kut

(xZ2x)1113966 1113967xisinJ for some set of nodes I J

(2) If Icap J empty output perp(3) Else choose x Icap J and output tktid

(sidZ1xZ2x) Note that [B |Bid]Z1x + [B |Ct]Z2x

Fid

328 Transform(cttatt tktid) Receiving tktid (sidZ1x

Z2x) the server does the following

(1) If Cid(att) 1 use the key sid to obtainψCid

Encode(Bid u) else output perp

(2) Compute ψid ZT1x

ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891

(3) Output ctid (id cφψid)

e server sends ctatt to the recipient with identify id

329 Dec(ctid skid) On input ctid and secret key skid the

recipient can obtain μprime⟵D RTid

φψid

1113890 1113891 c1113888 1113889 by using thesecret key skid

3210 Revoke( id idisinU tRL st) Taking an identity setid idisinU where U is a set of revoked users time t therevocation list RL and the current state st as input theKGC adds id isin U to RL updates the state to stprime and outputsRL

4 Correctness and Security Analysis

41 Correctness When a recipient with id notin RL sends thecircuit Cid with Cid(att) 1 to server and wants to decryptthe ciphertext cttatt (att c ψi1113864 1113865iisin[ℓ]ψ ξφ) the server andrecipient perform as following

(1) After accepting the circuitCid from the recipient theserver can send the Cid to KGC and getpkid (sid (xZ1x)1113966 1113967

xisinPath(id)) And using the

kut (xZ2x)1113966 1113967xisinKUNodes(BTRLt)

the server can gettktid (sidZ1xZ2x) By using the secret key sid intktid and ψi1113864 1113865iisin[ℓ] in cttatt the server computesψCid

Encode(Bid u) ie ψCid BT

idu + e1 wheree1le 2(n3 log2 q)dmax

(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)

where e2 e3 isin χmBecause of ei O(n) Zixle s

m

radicfor i isin 2 3 then

we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891

le 4(n3 log2 q)dmax and then

ψid Encode(Fid u) FTidu + e4 where e4 ZT

1x

e2e1

1113890 1113891+

ZT2x

e2e3

1113890 1113891 e server hands ctid (id cφψid) to recipient

Receiving ctid the recipient uses the secret key skid andcomputes

c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT

idATu + e6FTidu + e4

1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891

le 8(n3 log2 q)dmax lt (q4) then run-

ning decryption algorithm D RTid

φψid

1113890 1113891 c1113888 1113889 the recipient

will obtain the message micro

42 Security

Theorem 1 Our SR-ABE scheme with attribute length ℓ isselective security defined in Definition 2 if the GVW13 schemewith attribute length ℓ + 2 is selective security

Proof If there exists a PPT adversary A against selectivesecurity of the SR-ABE scheme with attribute length ℓ thenwe can construct a PPT adversary B against selective se-curity of the GVW13 scheme with attribute length ℓ + 2esecurity of GVW13 scheme is based on LWE so is ourscheme

Before proving this theorem let us summarize our ideasof proof In the GVW13 scheme with attribute length +2 we

set A Bl+10 B Bl+20 And then our schemersquos challengeciphertext with attlowast alowast1 alowast2 alowastℓ1113864 1113865 can be regarded as atransformation of the challenge ciphertext of GVW13scheme under attribute attlowastprime alowast1 alowast2 alowastℓ 0 01113864 1113865 Let usstart with our proof

In the GVW13 selective security model after gen-erating the system parameters λ ℓ and dmax the chal-lenger S runs the System gets pp and gives the pp to BB hands it over to A en A chooses a challenge at-tribute attlowast isin A a challenge time tlowast isin T and a revoca-tion list RLlowast and gives them toB enB gives attlowast 0 0

to S Now we consider two type of adversaries asfollows

Type I it is assumed that every identity idlowast whosecircuit Cidlowast satisfies that Cidlowast(attlowast) 1 must be in-cluded in RLlowast In this caseA is allowed to issue a queryto oracle GenSK(middot) on idlowastType II it is assumed that there is an idlowast notin RLlowast whosecircuitCidlowast satisfies thatCidlowast(attlowast) 1 In this case idlowastis not revoked at tlowast andA never issues a query to oracleGenSK(middot) on (idlowastCidlowast)

e following steps are taken afterB receiving the publickey

mpkGVW13 B10 B20 middot middot middot Bl0 Bl+10 Bl+20

B11 B21 middot middot middot Bl1 Bl+11 Bl+21 Bout1113888 1113889

(10)

from S

(1) Generate (GTG)⟵TrapGen(n q m) and setA Bl+10 B Bl+20

(2) Sample R1R2R3⟵ minus 1 1 mtimesm Choose an effi-cient full-rank different map H Zn

q⟶ Zntimesnq

Choose an identity idlowast with Cidlowast(attlowast) 1 and setA1 AR1 minus H(idlowast)G B BR2 minus H(idlowast)G andC BR3 minus H(tlowast)G

(3prime) Type I adversary B can set revocation list RLlowast and

then sample Ridlowast RprimeRPrime1113890 1113891⟵DZ2ms Set

D [A |AR1]Ridlowast and then let mpk ((AB)

( Bib1113966 1113967iisin[l]bisin 01

)CDG) and send mpk to theadversary A

(3Prime) Type II adversary B can set revocation list RLlowastD Bout and let mpk ((AB) ( Bib1113966 1113967

iisin[l]bisin 01 )

CDG) and send mpk to the adversary A

e B answers Arsquos query to the O as follows

GenSK(middot)

Type I adversary when queried idlowast from A Bcan return skidlowast Rlowastid When queried idne idlowastfrom A B can set Fid A1 + H(id)G AR1+

(H(id) minus (idlowast))G and then run sample algorithmRid⟵ SampleRight(A R1 (H(id) minus H(idlowast))G

TGD s) Finally B can return skid Rid


Type II adversary when queried idne idlowast fromABcan set Fid A1 + H(id)G AR1 + (H(id)minus

(idlowast))G and then sample Rid⟵ SampleRight

(AR1 (H(id) minus H(idlowast))G TGD s) Finally B

can return skid Rid

GenPK(middot) when A queries GenPK for id andCidBcan set Fid A1 + H(id)G AR1 + (H(id) minus (idlowast))G and Bid B1 + H(id)G BR2 + (H(id) minus

(idlowast))G And then B does the following

(1) When A queries GenPK for idlowast such thatCidlowast(attlowast) 1 store idlowast in leaf node θ from BT andset Fid as above If x isin Path(idlowast) pickZ1x⟵DZ2mtimesms and set Ux Fidlowast minus [B |Bidlowast]Z1xAnd then for the gate xℓ+i Cidlowast

(xui xvi

) (bprime bPrime) isin 0 1 2 i 1 |Cidlowast | minus ℓ(R(uiviℓ+i)

(bprime brsquorsquoidlowast iC

(bprime bPrime))Bℓ+iCidlowast

i(bprime bPrime)) And B can output

sidlowast R(uiviℓ+i)

(bprime bPrimeCidlowasti

(bprime bPrime)) (bprime bPrime) isin 0 1 2 i 1 1113896

|Cidlowast | minus ℓ WhenA queries GenPK for idlowast andCidlowast

B can return pkidlowast sidlowast (xZ1x)1113966 1113967xisinPath(idlowast)1113882 1113883 If

x notin Path(idlowast) Z2x⟵DZ2mtimesms and setUx [BCtlowast]Z2x

(2) When A queries GenPK for i d such thatCid(attlowast)ne 1 for x isin Path(id) B SampleZ1x⟵ SampleRight(BR2 (H(id) minus H

(idlowast))G TGD s) Note that [B |Bid]Z1x Fid minus UxB can askA for a matrix Bid to run KeyGen by using

Cid and get sid R(uiviℓ+i)

B(bprime bPrime Cidi(bprime bPrime)) (bprime bPrime) isin 0 1 21113882

i 1 |Cid| minus ℓ such that B can only get acode of Bid from sid by using Bib1113966 1113967

iisin[l]bisin 01 at

is A sets pktgt Bid Other than that B did not getany secret information is will not endangerthe security of GVW13 en B outputs pkid

sid xZ1x1113966 1113967xisinpath(id)

1113882 1113883

KeyUp(middot) for key update of time tne tlowast and allx isin KUNodes(BTRL t) set Ct BR + (H(t)minusH(tlowast))G B can compute kut as Z2x⟵SampleRight(BR3 (H(t) minus H(tlowast))G TGD s)

where Ux has been defined in GenPK(middot) and returnkut (xZ2x)1113966 1113967

xisinKUNodes(BTRLlowastt)TranKG(middot) and Transform(middot) by using a key up-date kut and a public key pkid with identity id Bcan execute these two algorithmsRevoke(middot) after accepting the query about updatingthe revocation list on an identity id a revocation listRL and a state st theB adds id to RL outputs a newRL and gives it to A

en A gives two message μ0 μ1 isinM to B who pre-pares the challenge ciphertext as follows

(1) Send μ0 μ1 which are seen as two challengemessagese A chooses β⟵ 0 1 and returns a ciphertext

ctattlowastprime (attlowastprime c φj1113966 1113967

jisin[ℓ+2]) as a GVW13rsquos encryp-

tion of μb under attribute attlowast(2) Output cttlowast attlowast (attlowast cprimeφprimeψprime ξ ψi1113864 1113865iisin[ℓ]) as an

SR-ABE ciphertext of μβ under attlowast tlowast where

cprime c

ψi φi i isin [ℓ]

ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)

After being allowed to make additional queries A

outputs βprime isin 0 1 en the adversary B returns it to A asthe guess of the bit B

Because of assuming that A can break the selectivesecurity of SR minus ABE with probability ε which means

AdvSRminus ABEA λ ℓ dmax( 1113857 Pr βprime β1113858 1113859 minus

12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have

AdvGVW13B λ ℓ dmax( 1113857 Pr βprime β1113858 1113859 minus

12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)

43 Comparison In the past few years a large body of workon revocable ABE [34 35] and revocable IBE [37 39] hasbeen proposed In these revocable ABE schemes [34 35]there is a powerful but untrustworthy server And most ofdata usersrsquo workloads are delegated to the powerfuluntrusted server such that the KGC indirectly revokes usersin revocation list by stopping updating the keys without anyoperation by the user In [34] a revocable CP-ABE isproposed where a user can generate its local secret key andpublic key and decrypt a ciphertext by using the local secretkey And in [35] a key-randomization was introduced suchthat a userrsquos local decryption keys can be exposed if the useris not revoked In these revocable IBE schemes [37 39] theKGC can revoke the users in the revocation list by stoppingposting key update for these users thereby forcing revokedusers to be unable to generate their decryption keys In [37]a revocable IBE from LWE is proposed where users cantransform a long-term secret key and a key update fromKGC into decryption keys And in [39] a generic con-struction of an RIBE scheme with DKER was proposedwhich consists of any two-level standard HIBE scheme andRIBE scheme without DKER

Table 1 compares our SR-ABE scheme with revocableABEIBE schemes [34 35 37 39] In Table 1 N denotes thenumber of all users in system R denotes the number of usersin revocation list ldquo-rdquo denotes not-applicable or not-com-parable Tm denotes the time taken for matrix multiplica-tion Tg denotes the time running the Gaussian sample Tkdenotes the time running Keygen(middot) and Ts denotes the time


Tabl

e1

Com

parisons

ofou

rSR

-ABE

with

otherrevocableschemes

CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)


running SampleLeft(middot) e schemes [34 35] are based ondecisional Bilinear DiffiendashHellman (DBDH) assumptionfrom discrete logarithm problem and insecure when facedwith the adversaries using quantum computers Comparedwith them our scheme is based on LWE and secure againstthe quantum computers Compared with the schemes[37 39] in our scheme KGC needs more computation costdue to the complexity of current strategy function in ABEbut users need less computation cost in decryption In theschemes [34 35] storage overhead is O(logN)+

O(R log(NR)) which is related to the number of users insystem and users in revocation list Our scheme mitigatesuserrsquos storage overheads by delegating the most of usersrsquoworkload to a powerful untrusted server Our goal in thispaper is to achieve user revocation in a KP-ABE system fromLWE such that most of the userrsquos workload is delegated to apowerful untrusted server and our scheme can be secureagainst quantum computers

5 Conclusion

In this paper we propose a new model called server-aidedrevocable attribute based encryption (SR-ABE) from latticeto achieve efficient user revocation and security againstquantum computers in attribute-based encryption (ABE)We formally define an SR-ABE model and give the defi-nitions of the correctness and security of SR-ABE fromLWE Based on a standard (nonrevocable) ABE [16] wepropose the first concrete construction of SR-ABE fromlattices And we provide a more rigorous proof of securitybased on the hardness of LWE

Data Availability

e data used to support the findings of this study are in-cluded within the article

Conflicts of Interest

e authors declare that they have no conflicts of interest

Acknowledgments

is work was supported by the National Key RampD Programof China under grants no 2017YFB0802000 NationalNatural Science Foundations of China (Nos 61672412 and61972457) National Cryptography Development Fundunder grant no MMJJ20170104 National Natural ScienceFoundation of China under Grant nos U19B2021 andU1736111 National Cryptography Development Fund un-der Grant no MMJJ20180111 and Key Foundation ofScience and Technology Development of Henan Province(no202102210356)

References

[1] S Amit and B Waters ldquoFuzzy identity-based encryptionrdquo inProceedings of the Annual International Conference on theCeory and Applications of Cryptographic Techniquespp 457ndash473 Springer Aarhus Denmark 2005

[2] V Goyal O Pandey S Amit and BWaters ldquoAttribute-basedencryption for fine-grained access control of encrypted datardquoin Proceedings of the 13th ACM Conference on Computer andCommunications Security pp 89ndash98 ACM Chicago ILUSA 2006

[3] Adi Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Proceedings of the Workshop on the Ceory andApplication of Cryptographic Techniques pp 47ndash53 SpringerParis France April 1984

[4] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo SIAM Journal on Computing vol 32 no 3pp 586ndash615 2003

[5] Y Li Y Yu G Min W Susilo J Ni and K-K R ChooldquoFuzzy identity-based data integrity auditing for reliable cloudstorage systemsrdquo IEEE Transactions on Dependable and Se-cure Computing vol 16 no 1 pp 72ndash83 2019

[6] L Allison T Okamoto S Amit K Takashima and BWatersldquoFully secure functional encryption attribute-based encryp-tion and (hierarchical) inner product encryptionrdquo in Pro-ceedings of the Annual International Conference on the Ceoryand Applications of Cryptographic Techniques pp 62ndash91Springer French Riviera Monaco 2010

[7] T Okamoto and K Takashima ldquoFully secure functionalencryption with general relations from the decisional linearassumptionrdquo in Proceedings of the Annual Cryptology Con-ference pp 191ndash208 Springer Barbara CA USA August2010

[8] X Boyen ldquoAttribute-based functional encryption on latticesrdquoin Ceory of Cryptography pp 122ndash142 Springer BerlinGermany 2013

[9] S Hohenberger and B Waters ldquoAttribute-based encryptionwith fast decryptionrdquo in Proceedings of the InternationalWorkshop on Public Key Cryptography pp 162ndash179 SpringerBeijing China April 2013

[10] L Allison and B Waters ldquoNew proof methods for attribute-based encryption achieving full security through selectivetechniquesrdquo in Annual Cryptology pp 180ndash198 SpringerBerlin Germany 2012

[11] B Waters ldquoFunctional encryption for regular languagesrdquo inAnnual Cryptology pp 218ndash235 Springer Berlin Germany2012

[12] Z Brakerski D Cash R Tsabary and H Wee ldquoTargetedhomomorphic attribute-based encryptionrdquo in Ceory ofCryptography pp 330ndash360 Springer Berlin Germany 2016

[13] D Boneh G Craig S Gorbunov et al ldquoFully key-homo-morphic encryption arithmetic circuit abe and compactgarbled circuitsrdquo in Proceedings of the Annual InternationalConference on the Ceory and Applications of CryptographicTechniques pp 533ndash556 Springer Copenhagen DenmarkMay 2014

[14] Z Brakerski and V Vaikuntanathan ldquoCircuit-abe from lweunbounded attributes and semi-adaptive securityrdquo in Pro-ceedings of the Annual International Cryptology Conferencepp 363ndash384 Springer Santa Barbara CA USA August 2016

[15] S Garg G Craig S Halevi S Amit and B Waters ldquoAttri-bute-based encryption for circuits from multilinear mapsrdquo inProceedings of the Annual Cryptology Conference pp 479ndash499 Springer Santa Barbara CA USA August 2013

[16] S Gorbunov V Vaikuntanathan and H Wee ldquoAttribute-based encryption for circuitsrdquo in Proceedings of the Forty-FifthAnnual ACM Symposium on Ceory of Computing pp 545ndash554 ACM Palo Alto CA USA June 2013

[17] A Boldyreva V Goyal and V Kumar ldquoIdentity-based en-cryption with efficient revocationrdquo in Proceedings of the 15th


ACM Conference on Computer and Communications Securitypp 417ndash426 ACM Alexandria VA USA October 2008

[18] D Naor M Naor and J Lotspiech ldquoRevocation and tracingschemes for stateless receiversrdquo in Proceedings of the AnnualInternational Cryptology Conference pp 41ndash62 SpringerSanta Barbara CA USA August 2001

[19] B Libert and D Vergnaud ldquoAdaptive-ID secure revocableidentity-based encryptionrdquo in Proceedings of the Cryptogra-phers Track at the RSA Conference pp 1ndash15 Springer SanFrancisco CA USA April 2009

[20] J H Seo and K Emura ldquoRevocable identity-based encryptionrevisited security model and constructionrdquo in Proceedings ofthe 16th International Conference on Practice and Ceory inPublic-Key Cryptography pp 216ndash234 Nara Japan February2013

[21] J H Seo and K Emura ldquoRevocable identity-based crypto-system revisited security models and constructionsrdquo IEEETransactions on Information Forensics and Security vol 9no 7 pp 1193ndash1205 2014

[22] Against Insiders ldquoRevocable hierarchical identity-based en-cryption history-free update security against insiders and shortciphertextsrdquo in Proceedings of the Topics in CryptologymdashCT-RSA2015Ce Cryptographerrsquos Track at the RSA Conference vol 9048p 106 Springer San Francisco CA USA April 2015

[23] J H Seo and K Emura ldquoRevocable hierarchical identity-based encryption via history-free approachrdquo CeoreticalComputer Science vol 615 pp 45ndash60 2016

[24] X Mao J Lai K Chen J Weng and Q Mei ldquoEfficientrevocable identity-based encryption from multilinear mapsrdquoSecurity and Communication Networks vol 8 no 18pp 3511ndash3522 2015

[25] S Park K Lee and D H Lee ldquoNew constructions of rev-ocable identity-based encryption from multilinear mapsrdquoIEEE Transactions on Information Forensics and Securityvol 10 no 8 pp 1564ndash1577 2015

[26] Y Ishida J Shikata and YWatanabe ldquoCCA-secure revocableidentity-based encryption schemes with decryption key ex-posure resistancerdquo International Journal of Applied Cryp-tography vol 3 no 3 pp 288ndash311 2017

[27] K Lee D H Lee and J H Park ldquoEfficient revocable identity-based encryption via subset difference methodsrdquo DesignsCodes and Cryptography vol 85 no 1 pp 39ndash76 2017

[28] Y Park K Emura and J H Seo ldquoNew revocable ibe in prime-order groups adaptively secure decryption key exposureresistant and with short public parametersrdquo in Proceedings ofthe Cryptographers Track at the RSA Conference pp 432ndash449Springer San Francisco CA USA March 2017

[29] B Qin R H Deng Y Li and S Liu ldquoServer-aided revocableidentity-based encryptionrdquo in Proceedings of the EuropeanSymposium on Research in Computer Security pp 286ndash304Springer Vienna Austria September 2015

[30] N Attrapadung and H Imai ldquoAttribute-based encryptionsupporting directindirect revocation modesrdquo in Proceedingsof the IMA International Conference on Cryptography andCoding pp 278ndash300 Springer Cirencester UK December2009

[31] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharing with attribute revocationrdquo in Proceedings of the 5thACM Symposium on Information Computer and Commu-nications Security pp 261ndash270 ACM Beijing China April2010

[32] S Amit H Seyalioglu and B Waters ldquoDynamic credentialsand ciphertext delegation for attribute-based encryptionrdquo in

Proceedings of the Annual Cryptology Conference pp 199ndash217Springer Santa Barbara CA USA 2012

[33] Y Yang X Ding H Lu Z Wan and J Zhou ldquoAchievingrevocable fine-grained cryptographic access control overcloud datardquo in Proceedings of the 16th International Con-ference on Information Security vol 7807 pp 293ndash308Springer-Verlag New York Inc Dallas TX USA 2013

[34] H Cui R H Deng Y Li and B Qin ldquoServer-aided revocableattribute-based encryptionrdquo in Proceedings of the EuropeanSymposium on Research in Computer Security pp 570ndash587Springer Heraklion Greece September 2016

[35] B Qin Q Zhao Z Dong and H Cui ldquoServer-aided revocableattribute-based encryption resilient to decryption key expo-surerdquo in Proceedings of the International Conference onCryptology and Network Security pp 504ndash514 SpringerHong Kong China November 2017

[36] J K Liu T H Yuen P Zhang and K Liang ldquoTime-baseddirect revocable ciphertext-policy attribute-based encryptionwith short revocation listrdquo in Proceedings of the InternationalConference on Applied Cryptography and Network Securitypp 516ndash534 Springer London UK 2018

[37] J Chen H W Lim S Ling H Wang and K NguyenldquoRevocable identity-based encryption from latticesrdquo in Pro-ceedings of the Australasian Conference on Information Se-curity and Privacy pp 390ndash403 Springer WollongongAustralia July 2012

[38] A Takayasu and Y Watanabe ldquoLattice-based revocableidentity-based encryption with bounded decryption key ex-posure resistancerdquo in Proceedings of the Australasian Con-ference on Information Security and Privacy pp 184ndash204Springer Auckland New Zealand July 2017

[39] S Katsumata T Matsuda and A Takayasu ldquoLattice-basedrevocable (hierarchical) ibe with decryption key exposureresistancerdquo in Proceedings of the IACR International Work-shop on Public Key Cryptography pp 441ndash471 SpringerBeijing China April 2019

[40] S Ling K Nguyen H Wang and J Zhang ldquoServer-aidedrevocable predicate encryption formalization and lattice-based instantiationrdquo 2018 httparxivorgabs180107844

[41] S Agrawal D M Freeman and V VaikuntanathanldquoFunctional encryption for inner product predicates fromlearning with errorsrdquo in Proceedings of the InternationalConference on the Ceory and Application of Cryptology andInformation Security pp 21ndash40 Springer Seoul South KoreaDecember 2011

[42] M Ajtai ldquoGenerating hard instances of lattice problemsrdquo inProceedings of the Twenty-Eighth Annual ACM Symposium onCeory of Computing pp 99ndash108 ACM Philadephia PAUSA 1996

[43] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo in Proceedings of the ACMSymposium on Ceory of Computing Baltimore MD USA2005

[44] S Agrawal D Boneh and X Boyen ldquoEfficient lattice (h) ibe inthe standard modelrdquo in Proceedings of the Annual Interna-tional Conference on the Ceory and Applications of Crypto-graphic Techniques pp 553ndash572 Springer Tallinn EstoniaMay 2010

[45] D Micciancio and C Peikert ldquoTrapdoors for lattices simplertighter faster smallerrdquo in Proceedings of the Annual Inter-national Conference on the Ceory and Applications ofCryptographic Techniques pp 700ndash718 Springer CambridgeUK April 2012


[46] G Craig C Peikert and V Vaikuntanathan ldquoTrapdoors forhard lattices and new cryptographic constructionsrdquo in Pro-ceedings of the Fortieth Annual ACM Symposium onCeory ofComputing pp 197ndash206 ACM Columbia Canada May2008

[47] M Ajtai ldquoGenerating hard instances of the short basisproblemrdquo in Proceedings of the International Colloquium onAutomata Languages and Programming pp 1ndash9 SpringerPrague Czech Republic July 1999

[48] S Agrawal D Boneh and X Boyen ldquoLattice basis delegationin fixed dimension and shorter-ciphertext hierarchical iberdquo inProceedings of the Annual Cryptology Conference pp 98ndash115Springer Barbara CA USA August 2010

[49] D Cash D Hofheinz E Kiltz and C Peikert ldquoBonsai treesor how to delegate a lattice basisrdquo Journal of Cryptologyvol 25 no 4 pp 601ndash639 2012


key exposure resistance (DKER) was proposed by Seo andEmura [20ndash23] Since then DKER has quickly become animportant security requirement for RIBE and many follow-up RIBE schemes with DKER [24ndash28] were proposed Inorder to improve the efficiency of revocation in 2015 Qinet al [29] proposed an interesting solution called server-aided revocable IBE (SR-IBE) In their scheme a publiclyaccessible server with powerful computational capabilitieswhich can be untrusted in the sense that it does not possessany secret information is used to outsource most of theusers workload

e revocable ABE scheme appears later In 2009Attrapadung and Imai [30] put forward two revocablemethods One is direct revocation which is that the sendershould specify the revocation list while encrypting and theother is indirect revocation In the indirect revocationscheme in order to achieve the key revocation mechanismeach userrsquos secret key cannot be allowed to decrypt ci-phertexts alone To complete the decryption the KGCbroadcasts key update through a public channel for everytime period e key update is useless for revoked users butnonrevoked users will be allowed to combine their secretkeys with the key update to derive a decryption key whichcan finally decrypt ciphertexts And they proposed the firsthybrid revocable ABE scheme

In 2010 Yu et al [31] proposed a indirect revocable ABEhowever policy function only supports logical AND In2012 Amit et al [32] provided a more generic way to achieveindirect revocation in ABE schemes In order to alleviate theworkload of users in 2013 Yang et al [33] proposed a directrevocable ABE scheme by delegating part of the users de-cryption capability to a semitrusted server however whichresults in an increase in traffic over the secret channel Tomitigate userrsquos workload and the traffic of the secret channelin 2016 Cui et al [34] proposed a scheme called server-aidedrevocable ABE (SR-ABE) based on the large universe CP-ABE scheme If the server in their scheme was colluded withan adversary however the SR-ABE may be not DKER Tosolve this problem based on [34] in 2017 Qin et al [35]proposed a SR-ABE with DKER About direct revocable in2018 Liu et al [36] proposed an efficient revocable CP-ABEscheme by embedding the revocation list into ciphertextAnd they have a shorter revocation list

ese RIBE and RABE schemes operate in the bilinearpairing setting however the system has narrowed in the raceto protect sensitive electronic information from the threat ofquantum computers which one day could render theseconstructions obsolete Up to now known quantum algo-rithms have no obvious advantages (beyond polynomialspeedup) over classical ones in solving problems in latticesuch as shortest vector problem (SVP) closest vectorproblem (CVP) short integer solution (SIS) and LWELattice-based cryptography is considered as an ideal can-didate for postquantum cryptography (PQC) and possessesseveral noticeable advantages over conventional number-theoretic cryptography (ie based on integer factoring ordiscrete logarithm problems) such as conjectured resistanceagainst quantum computers faster arithmetic operationsand provable security under the worst-case hardness

assumptions And among the PQC schemes submitted toNIST lattice-based schemes are the most

In 2012 Chen et al [37] proposed the first RIBE schemefrom lattices without DKER In 2017 Takayasu andWatanabe [38] proposed a variant of [37] and partiallysolved the problem of achieving RIBE with DKER In 2019Katsumata et al [39] completely solved the problem ofachieving RIBE with DKER by proposing the first lattice-based RIBE scheme with DKER secure under the LWEassumption

But the progress in constructing revocable ABE schemesfrom lattices is slow In 2018 Ling et al [40] proposed aserver-aided revocable Predicate Encryption (SR-PE) fromLWE is scheme employs the Predicate Encryption (PE)scheme of Agrawal et al [41] and the complete subtreemethod of Naor et al [18] as the two main ingredients andplus some additional techniques In the security proof of theSR-PE however since the LWE secret vector in the originalPE scheme is unknown an unreasonable challenge ci-phertext is constructed leading to an invalid proof

11 Our Contributions In order to solve the security ofrevocable ABE against quantum attack we propose the firstSR-ABE from LWE which is indirect revocable and satisfiesefficient and secure user revocation in lattices In order tomitigate the burden of users all the work caused by therevocation will be delegated to a powerful untrusted servere powerful server is similar to cloud computing with alarge number of computing resources and storage resourceswhich can ensure the correctness of the calculation butcannot guarantee the security of the data In order to achievethe key revocation mechanism in our scheme each userrsquossecret key cannot be allowed to decrypt ciphertexts alone Tocomplete the decryption KGC should bind the userrsquosidentity and corresponding circuit when generating thepublic key and bind the period time when generating updatekey When the userrsquos identity is not revoked and its circuitmatches the attribute subset of the ciphertext the server cangenerate a transformation key from KGC to convert theciphertext into a partially decrypted ciphertext bound onlywith the identity In this way only the secret key of theidentity can be used to decrypt e framework of our SR-ABE scheme is depicted in Figure 1

In the scheme there are four types of participants aKGC a powerful untrusted server data sender and datarecipient among which the KGC and the server are theservice of the system the data sender and the data recipientare the client of the system e server is opened to anyoneincluding the adversary In our scheme a userrsquos policyfunction is a boolean circuit Cid with its identity id

According to the system parameter the KGC generatesan msk and an mpk and broadcasts the mpk to all users Byusing its msk and a userrsquos identity id KGC can generate asecret key skid which is sent to the user When a data micro needsto be sent a data sender specifies an attribute subset att forthe data encrypts it over the att and a time period t by usingthe mpk and sends the ciphertext cttatt to the server And alldata users can see the ciphertext on the server If needing to











2 Preliminaries


KGC skididmpk

pkid

ctid ctid

Cid

idCid

Cid

cttatt

cttatt

cttatt

t + att

tktid

kut

skid

Recipient

Untrustedserver

Sender

micro micro






























12 (1)







q Λuq(A)











q


m log q




q avector u isin Zn


log 2m





q R isin Zmtimesm



1113968) it


q ([A |AR+G]])s










R R0

R11113890 1113891Ri isin Z

mtimesm i 0 1 (2)


tgt01 R



tgt01 R)


ψtgt RTψ0

ψ11113890 1113891 isin Zm

q (3)




q then






(4)


where



Output μprime
























u)iisin[ℓ]










n log q


n


q⟶ Zntimesnq






ib)1113966 1113967iisin[ℓ]bisin 01

Output

pk1 (AB)

sk1 TATB( 1113857


1113888 1113889

sk2 TB10 TB


TB11 TB


1113888 1113889

(6)









(2) Output skid Rid




c E(Encode(D u) μ)


ψ Encode(B u)


φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)





Cidi(xui




TBuibprime












and [B |Ct]Z2x Ux









Fid






ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891





φψid











(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References
































































2 Preliminaries


KGC skididmpk

pkid

ctid ctid

Cid

idCid

Cid

cttatt

cttatt

cttatt

t + att

tktid

kut

skid

Recipient

Untrustedserver

Sender

micro micro






























12 (1)







q Λuq(A)











q


m log q




q avector u isin Zn


log 2m





q R isin Zmtimesm



1113968) it


q ([A |AR+G]])s










R R0

R11113890 1113891Ri isin Z

mtimesm i 0 1 (2)


tgt01 R



tgt01 R)


ψtgt RTψ0

ψ11113890 1113891 isin Zm

q (3)




q then






(4)


where



Output μprime
























u)iisin[ℓ]










n log q


n


q⟶ Zntimesnq






ib)1113966 1113967iisin[ℓ]bisin 01

Output

pk1 (AB)

sk1 TATB( 1113857


1113888 1113889

sk2 TB10 TB


TB11 TB


1113888 1113889

(6)









(2) Output skid Rid




c E(Encode(D u) μ)


ψ Encode(B u)


φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)





Cidi(xui




TBuibprime












and [B |Ct]Z2x Ux









Fid






ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891





φψid











(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References


















































































12 (1)







q Λuq(A)











q


m log q




q avector u isin Zn


log 2m





q R isin Zmtimesm



1113968) it


q ([A |AR+G]])s










R R0

R11113890 1113891Ri isin Z

mtimesm i 0 1 (2)


tgt01 R



tgt01 R)


ψtgt RTψ0

ψ11113890 1113891 isin Zm

q (3)




q then






(4)


where



Output μprime
























u)iisin[ℓ]










n log q


n


q⟶ Zntimesnq






ib)1113966 1113967iisin[ℓ]bisin 01

Output

pk1 (AB)

sk1 TATB( 1113857


1113888 1113889

sk2 TB10 TB


TB11 TB


1113888 1113889

(6)









(2) Output skid Rid




c E(Encode(D u) μ)


ψ Encode(B u)


φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)





Cidi(xui




TBuibprime












and [B |Ct]Z2x Ux









Fid






ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891





φψid











(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References

























































12 (1)







q Λuq(A)











q


m log q




q avector u isin Zn


log 2m





q R isin Zmtimesm



1113968) it


q ([A |AR+G]])s










R R0

R11113890 1113891Ri isin Z

mtimesm i 0 1 (2)


tgt01 R



tgt01 R)


ψtgt RTψ0

ψ11113890 1113891 isin Zm

q (3)




q then






(4)


where



Output μprime
























u)iisin[ℓ]










n log q


n


q⟶ Zntimesnq






ib)1113966 1113967iisin[ℓ]bisin 01

Output

pk1 (AB)

sk1 TATB( 1113857


1113888 1113889

sk2 TB10 TB


TB11 TB


1113888 1113889

(6)









(2) Output skid Rid




c E(Encode(D u) μ)


ψ Encode(B u)


φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)





Cidi(xui




TBuibprime












and [B |Ct]Z2x Ux









Fid






ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891





φψid











(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References























































where



Output μprime
























u)iisin[ℓ]










n log q


n


q⟶ Zntimesnq






ib)1113966 1113967iisin[ℓ]bisin 01

Output

pk1 (AB)

sk1 TATB( 1113857


1113888 1113889

sk2 TB10 TB


TB11 TB


1113888 1113889

(6)









(2) Output skid Rid




c E(Encode(D u) μ)


ψ Encode(B u)


φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)





Cidi(xui




TBuibprime












and [B |Ct]Z2x Ux









Fid






ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891





φψid











(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References

























































(2) Output skid Rid




c E(Encode(D u) μ)


ψ Encode(B u)


φ Encode(A u)

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(7)





Cidi(xui




TBuibprime












and [B |Ct]Z2x Ux









Fid






ψψCid

1113890 1113891 + ZT2x

ψξ1113890 1113891





φψid











(2) Compute


ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References























































ψid ZT1x

ψ

ψCid

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

ψ

ξ⎡⎢⎣ ⎤⎥⎦

ZT1x

BTu + e2

BTidu + e1

⎡⎢⎢⎣ ⎤⎥⎥⎦ + ZT2x

BTu + e2

CTt u + e3

⎡⎢⎢⎣ ⎤⎥⎥⎦

ZT1x B Bid

11138681113868111386811138681113960 1113961Tu + ZT

1x B Ct

11138681113868111386811138681113960 1113961Tu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦

+ ZT2x

e2

e3⎡⎢⎣ ⎤⎥⎦

FTidu + ZT

1x

e2

e1⎡⎢⎣ ⎤⎥⎦ + ZT

2x

e2

e3⎡⎢⎣ ⎤⎥⎦

(8)


m


we have ZT1x

e2e1

1113890 1113891 + ZT2x

e2e3

1113890 1113891



1x

e2e1

1113890 1113891+

ZT2x

e2e3



c minus RTid

φψid

1113890 1113891 DTu + e5 + μq

21113878 1113881 minus RT


1113890 1113891

DTu + e5 + μq

21113878 1113881 minus RT

id A Fid11138681113868111386811138681113960 1113961

Tu minus RT

ide6e4

1113890 1113891

μq

21113878 1113881 + e5 minus RT

ide6e4

1113890 1113891

(9)

If e5 minus RTid

e6e4

1113890 1113891



φψid

1113890 1113891 c1113888 1113889 the recipient


42 Security











(10)

from S



q⟶ Zntimesnq





( Bib1113966 1113967iisin[l]bisin 01



iisin[l]bisin 01 )



GenSK(middot)








can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References


























































can return skid Rid




(xui xvi
















iisin[l]bisin 01 at



1113882 1113883










cprime c


ψprime φℓ+20

ξ RT1ψprime

φprime φℓ+10

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

(11)





12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (12)

then we have


12

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868 ε (13)




Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References























































Tabl

e1

Com

parisons

ofou

rSR

-ABE

with


CDLQ

[34]

QZZ

C[35]

CLL

+[37]

KMT[39]

Ours

Prob

lem

DBD

HDBD

HLW

ELW

ELW

EMod

elCP-ABE

CP-ABE

IBE

IBE

KP-ABE

PQC

No

No

Yes

Yes

Yes

Server

Yes

Yes

mdashmdash

Yes

DKER

No

Yes

No

Yes

No

Encryptio

ntim

emdash

mdash4(

Tm

+Tg)

7(Tm

+Tg)

(ℓ+

4)middot(

Tm

+Tg)

Userrsquos

decryptio

ntim

emdash

mdash4T

m6T

m2T

mGenSK

+GenPK

+KeyUpTime

mdashmdash

Tk

+(logN

+Rlog(

NR

))3T

k+

(logN

+Rlog(

NR

))2|C

id|T

k+

(logN

+1R

log(

NR

))

Server-key

size

O(

Rlog(

NR

))O

(Rlog(

NR

))mdash

mdashO

(Rlog(

NR

))

User-keysiz

eO

(1)

O(1)

O(logN

)+

O(

Rlog(

NR

))O

(logN

)+

O(

Rlog(

NR

))O

(1)




5 Conclusion


Data Availability




Acknowledgments


References

























































5 Conclusion


Data Availability




Acknowledgments


References
































































































Date post:	29-Sep-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

ResearchArticle Server-AidedRevocableAttribute...

Documents