Revocable attribute-based proxy re-encryption

1 Introduction

With the rapid spread of modern applications, such as cloud computing, the issues of data security and privacy attract increasing attention. Hence, various cryptographic primitives have been proposed to alleviate these problems. An important example of such potential primitives is proxy re-encryption (PRE), which was shown to be useful in many applications such as distributed file system [3], data storage [12] and publish/subscribe system [36]. PRE, initially introduced by Blaze et al. [6], is an attractive cryptographic primitive that allows a semi-trusted proxy with re-encryption key to efficiently convert a ciphertext encrypted for a delegator (e.g., Alice) into another ciphertext of the same message encrypted under a delegatee’s (e.g., Bob’s) key, without revealing the underlying plaintext and the private keys of the delegator and the delegatee. However, in the traditional PRE systems, the communication model is one-to-one (i.e., one delegator to one delegatee), which means that a message can be re-encrypted for only a single public key. This limits their utility in many applications, where the re-encryption may be used for arbitrary recipients. One such important application is data sharing in untrusted cloud storage. In a cloud storage system, data owners are often interested in sharing their encrypted data with users satisfying a specific access policy. To enable such granular data sharing requirement, Liang et al. [26] introduced the notion of attribute-based proxy re-encryption (ABPRE) that combines PRE with attribute-based encryption (ABE) and presented the first ABPRE scheme based on Augment Decisional Bilinear Diffie–Hellman problem.

Attribute-based proxy re-encryption. ABPRE is an extension of PRE with additional features that allow fine-grained and role-based access to encrypted data. Similar to the ABE system, there are two types of ABPRE: Key-Policy ABPRE (KP-ABPRE) and Ciphertext-Policy ABPRE (CP-ABPRE). In an ABPRE system, a semi-trusted proxy with access to a re-encryption key (generated by delegators) can transform ciphertexts for delegators satisfying an access policy (e.g., f ( x ) = 0 ^[1] for some policy function f and attribute x ) into ciphertexts for delegatees satisfying a new access policy (e.g., some policy function g which satisfies g ( x ) = 1 ). Since the introduction of ABPRE by Liang et al. [26], there have been many proposals for ABPRE schemes on different settings based on different hardness assumptions [17,18,25,26,43], but all of these schemes are based on classical number-theoretic assumptions, which are not quantum-resistant. The only exception is the CP-ABPRE scheme based on learning with errors (LWE) problem proposed by Li et al. [24], which is proven CPA secure in the selective security model. LWE problem was widely used to construct various quantum-resistant schemes due to its simple algebraic structure and the classical (quantum) reduction from some lattice problems (e.g., GapSVP), which were conjectured to be resistant against quantum attacks. However, to the best of our knowledge, the problem of constructing quantum-resistant KP-ABPRE schemes remains open.

2 Preliminaries

We use lower-case bold letter to denote vector x and upper-case bold letter to denote matrix A. The i th component of any set r is represented by r i . Throughout the paper, we consider truncated discrete Gaussian distribution D σ , Z m and we let [ n ] ≜ { 1 , … , n } . Let A T (resp. x T ) be the transpose of A (resp. x ). For any vector b ∈ Z m , we use ∥ b ∥ to denote its ℓ 2 length, i.e., ∥ b ∥ ≔ ∑ i = 1 m b i 2 . The norm of any matrix A ∈ Z m × k is represented by ∥ A ∥ which denotes the ℓ 2 length of its longest column vector, we use ∥ A ∥ GS to denote the norm of its Gram–Schmidt (GS) orthogonalization, and we define ∥ A ∥ 2 ≔ sup ∥ e ∥ = 1 ∥ Ae ∥ . Then, we have ∥ A ∥ GS ≤ ∥ A ∥ ≤ ∥ A ∥ 2 ≤ m ⋅ ∥ A ∥ and ∥ AB ∥ 2 ≤ ∥ A ∥ 2 ⋅ ∥ B ∥ 2 for any B ∈ Z k × k ′ .

3 Revocable key-policy ABPRE

We introduce the notion of revocable KP-ABPRE and its game-based definition of security. Let ℳ be a message space, X be an attribute space, and ℐ be an index space. A revocable KP-ABPRE scheme for a family of functions ℱ = { f : X → { 0 , 1 } } contains polynomial-time algorithms (Setup, KeyGen, Enc, Dec, ReKeyGen, ReEnc, and ReDec), which is defined as follows:

• Setup( 1 λ ). Take as input a security parameter λ , output a state information ST , a public key p k , and a master secret key m s k .

• KeyGen( m s k , f ). Take as input m s k and a function f ∈ ℱ , output a secret key s k f .

• Enc( m p k , μ , x , RL ). Take as input m p k , a message μ ∈ ℳ , an attribute x ∈ X , and a revocation list RL ⊆ ℐ , output a ciphertext c . We call it “fresh” ciphertext.

• Dec( s k f , c , x ). Take as input s k f , c , and x ∈ { 0 , 1 } ℓ , output a message μ ∈ ℳ if f ( x ) = 0 , and ⊥ otherwise.

• ReKeyGen ( s k f , ST , g , I ) . Take as input s k f , a state ST , a function g ∈ ℱ , and an index I ∈ ℐ , output a re-encryption key r k f → ( g , I ) , and an updated state ST .

• ReEnc ( r k f → ( g , I ) , c , x ) . Take as input a re-encryption key r k f → ( g , I ) , a ciphertext c , and x ∈ X , output a re-encrypted ciphertext c f → ( g , I ) if f ( x ) = 0 .^[3] Otherwise, output ⊥ . Note that the ciphertext c with respect to x is invalid for the re-encryption key r k f → ( g , I ) if f ( x ) = 1 .

• ReDec ( s k g , c f → ( g , I ) ) . Take s k g (which, like s k f , was generated by the KeyGen algorithm) and a re-encrypted ciphertext c f → ( g , I ) as input, output a message μ ′ ∈ ℳ or ⊥ otherwise.

Correctness. There are two cases for the correctness of the revocable KP-ABPRE scheme: one case for fresh ciphertext, and the other case for re-encrypted ciphertext. We say the correctness of the revocable KP-ABPRE scheme is guaranteed if the following holds:

• For all ( ST , p k , m s k ) ← Setup ( 1 λ ) , all s k f ← KeyGen ( m s k , f ) for f ∈ ℱ , all message μ ∈ ℳ , all RL ⊆ ℐ , and all attribute x ∈ X , we have

  Pr [ Dec ( s k f , Enc ( p k , μ , x , RL ) , x ) = μ ] = 1 − negl ( λ )

  if f ( x ) = 0 .

• For all ( ST , p k , m s k ) ← Setup ( 1 λ ) , all s k f ← KeyGen ( m s k , f ) , s k g ← KeyGen ( m s k , g ) for f , g ∈ ℱ , all message μ ∈ ℳ , all RL ⊆ ℐ , and all attribute x ∈ X , we have

  Pr [ ReDec ( s k g , ReEnc ( r k f → ( g , I ) , c , x ) ) = μ ] = 1 − negl ( λ )

  if f ( x ) = 0 and I ∉ RL , where c = Enc ( p k , μ , x , RL ) and r k f → ( g , I ) ← ReKeyGen ( s k f , ST , g , I ) . Otherwise, we have

  Pr [ ReDec ( s k g , ReEnc ( r k f → ( g , I ) , c , x ) ) = ⊥ ] = 1 − negl ( λ ) .

4 Revocable KP-ABPRE from LWE

In this section, we construct a revocable KP-ABPRE scheme based on the LWE problem, building upon the selectively secure LWE-based ABE [8]. To satisfy the correctness requirement that the decryption algorithm outputs ⊥ with all but negligible probability when I ∈ RL , like ref. [27], we define the encoding function encode : { 0 , 1 } → { 0 , 1 } k for k = ω ( log λ ) , such that for each μ ∈ { 0 , 1 } , we have encode ( μ ) = ( μ , 0 , … , 0 ) ∈ { 0 , 1 } k . Given a family of functions ℱ = { f : { 0 , 1 } ℓ → { 0 , 1 } } of depth ≤ d (represented as Boolean circuits), an attribute space X = { 0 , 1 } ℓ , a message space ℳ = { 0 , 1 } , and an index space ℐ = [ N ] , our revocable KP-ABPRE construction that works for any ℓ , d = poly ( λ ) is described as follows:

• Setup( 1 λ , ℓ , N , L ). Take as input the security parameter λ , the maximum length of the attributes ℓ , and the maximum expected number of users N , the setup algorithm proceeds as follows:

  1. Generate GenTrap ( 1 n , m , q ) → ( A , T A ) .

  2. Sample a uniformly random matrix D ∈ Z q n × k .

  3. Sample ℓ uniformly random matrices B 1 , … , B ℓ ∈ Z q n × m .

  4. Build a complete binary tree BT with N leaf nodes, and choose uniformly random matrix U γ ∈ Z q n × m as the “identifier” for each node γ ∈ BT .

  5. Initialize the state ST = ∅ , which records the assigned indices so far.

  Output a state ST , a public key p k ≔ ( A , D , B 1 , … , B ℓ , BT ) , and a master secret key m s k ≔ ( T A ) .

• KeyGen ( m s k , f ∈ ℱ ) . Take as input m s k and a function f ∈ ℱ , compute B f = Eval p k ( f , ( B 1 , … , B ℓ ) ) and generate an extended trapdoor T ( A ∣ B f ) ∈ Z 2 m × 2 m by running

  T ( A ∣ B f ) ← SampleBasisLeft ( A , B f , T A , s ) .

  Output a secret key s k f ≔ T ( A ∣ B f ) .

• Enc ( p k , μ , x , RL ) . Take as input p k , a message μ ∈ { 0 , 1 } , an attribute x ∈ { 0 , 1 } ℓ , and a revocation list RL ⊆ [ N ] , the encryption algorithm does:

  1. Choose uniformly at random a vector s ∈ Z q n , two error vectors e 0 ∈ χ m , e 1 ∈ χ k , and matrices S γ ˆ , S i ∈ { ± 1 } m × m for each γ ˆ ∈ KUNodes(BT,RL) and i ∈ [ ℓ ] .

  2. Set

     H = ( A ∣ B 1 + x 1 G ∣ ⋯ ∣ B ℓ + x ℓ G ) ∈ Z q n × ( ℓ + 1 ) m , e = ( I m ∣ S 1 ∣ ⋯ ∣ S ℓ ) T ⋅ e 0 ∈ Z q ( ℓ + 1 ) m ,

     and compute c 0 = H T s + e ∈ Z q ( ℓ + 1 ) m .

  3. For each node γ ˆ ∈ KUNodes(BT,RL) , compute c ˆ γ ˆ = U γ ˆ T s + S γ ˆ T e 0 ∈ Z q m . Set c 1 = { c ˆ γ ˆ } γ ˆ ∈ KUNodes(BT,RL) .

  4. Compute c 2 = D T s + e 1 + ⌊ q / 2 ⌋ ⋅ encode ( μ ) ∈ Z q k .

  Output a ciphertext c = ( c 0 , c 1 , c 2 ) .

• Dec( s k f , c , x ). Parse c = ( c 0 , c 1 , c 2 ) and c 0 = ( c i n , c 0 1 , … , c 0 ℓ ) . If f ( x ) = 1 , output ⊥ . Otherwise, the decryption algorithm does:

  1. Run SamplePre ( ( A ∣ B f ) , T ( A ∣ B f ) , D , σ 1 ) to generate a low-norm matrix R f ∈ Z 2 m × k such that ( A ∣ B f ) ⋅ R f = D .

  2. Compute c f = Eval c t ( f , { ( B i , x i , c 0 i ) } i ∈ [ ℓ ] ) ∈ Z q m .

  3. Compute w = c 2 − R f T ( c i n ∣ c f ) . Output μ ′ = 1 if ∣ ⌊ q / 2 ⌋ − w 1 ∣ < q / 4 . Otherwise, output μ ′ = 0 .

• ReKeyGen( s k f , ST , g , I ). Take as input a secret key s k f , a state ST , a function g ∈ ℱ , and an index I ∈ [ N ] , the re-encryption key generation algorithm does:

  1. If I ∈ ST , output ⊥ . Otherwise, update ST ← ST ∪ { I } .

  2. Compute B g = Eval p k ( g , ( B 1 , … , B ℓ ) ) and B f = Eval p k ( f , ( B 1 , … , B ℓ ) ) .

  3. For each node γ ∈ Path ( I ) , generate a low-norm matrix R γ ∈ Z 3 m × 2 m such that ( A ∣ B f ∣ U γ ) ⋅ R γ = ( A ∣ B g ) by running R γ ← SampleLeft ( ( A ∣ B f ) , U γ , T ( A ∣ B f ) , ( A ∣ B g ) , σ 2 ) .

  Output a re-encryption key r k f → ( g , I ) ≔ ( f , g , I , { R γ } γ ∈ Path ( I ) ) and an updated state ST .

• ReEnc( r k f → ( g , I ) , c , x ). Parse r k f → ( g , I ) = ( f , g , I , { R γ } γ ∈ Path ( I ) ) , c = ( c 0 , c 1 , c 2 ) , c 0 = ( c i n , c 0 1 , … , c 0 ℓ ) , and c 1 = { c ˆ γ ˆ } γ ˆ ∈ KUNodes(BT,RL) . The re-encryption algorithm proceeds as follows:

  1. Compute c f = Eval c t ( f , { ( B i , x i , c 0 i ) } i ∈ [ ℓ ] ) ∈ Z q m .

  2. For all γ ∈ Path ( I ) , γ ˆ ∈ KUNodes(BT,RL) , compute c γ , γ ˆ = R γ T ⋅ ( c i n ∣ c f ∣ c ˆ γ ˆ ) ∈ Z q 2 m .

  Output a re-encrypted ciphertext c f → ( g , I ) = ( c ˜ , c 2 ) , where c ˜ = { c γ , γ ˆ } γ ∈ Path ( I ) , γ ˆ ∈ KUNodes(BT,RL) .

• ReDec( s k g , c f → ( g , I ) ). Take as input s k g = T ( A ∣ B g ) and c f → ( g , I ) = ( c ˜ , c 2 ) , where c ˜ = { c γ , γ ˆ } γ ∈ Path ( I ) , γ ˆ ∈ KUNodes(BT,RL) . The re-decryption algorithm does:

  1. Compute B g = Eval p k ( g , ( B 1 , … , B ℓ ) ) and run SamplePre ( ( A ∣ B g ) , T ( A ∣ B g ) , D , σ 1 ) to generate a low-norm matrix R g ∈ Z 2 m × k such that ( A ∣ B g ) ⋅ R g = D .

  2. For all pairs ( γ , γ ˆ ) , compute w γ , γ ˆ = c 2 − R g T c γ , γ ˆ ∈ Z q k .

  3. If there exists a pair ( γ , γ ˆ ) such that 2 q ⋅ w γ , γ ˆ = encode ( μ ′ ) for some μ ′ ∈ { 0 , 1 } , output μ ′ . Otherwise, output ⊥ .