Revocable policy-based chameleon hash using lattices

Jean Belo Klamti; Mohammed Anwarul Hasan

doi:10.1515/jmc-2023-0012

Article Open Access

Revocable policy-based chameleon hash using lattices

Jean Belo Klamti and Mohammed Anwarul Hasan

Published/Copyright: November 28, 2024

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information

From the journal Journal of Mathematical Cryptology Volume 18 Issue 1

Abstract

A chameleon hash function is a type of hash function that involves a trapdoor to help find collisions, i.e., it allows the rewriting of a message without modifying the hash. For some applications, it is important to have the feature of revoking the rewriting privilege of the trapdoor holder. In this paper, using lattice-based hard problems that are considered quantum-safe, we first introduce a lattice-based chameleon hash with an ephemeral trapdoor ( CHET ) and then a revocable attribute-based encryption ( RABE ) scheme that is adaptively indistinguishable. We also give security analyses of our schemes and compare our RABE scheme to two relevant schemes proposed recently. Furthermore, we combine our CHET and RABE to design a new revocable policy-based chameleon hash.

Keywords: lattice-based cryptography; hash function; chameleon hash function; attribute-based encryption

MSC 2010: 94A60

1 Introduction

Chameleon hash ( CH ) function, introduced by Krawczyk and Rabin [1], is a collision-resistant hash function that involves a trapdoor, without which, it has all the properties of the standard cryptographic hash function. Specifically, CH schemes are parameterized by public keys such that a trapdoor holder can compute a second pre-image of a given hash. As an extended variant, a chameleon hash with an ephemeral trapdoor ( CHET ) is a CH scheme in which in addition to the main trapdoor, an ephemeral trapdoor is necessary to compute a second pre-image of the given hash [2]. The ephemeral trapdoor is usually chosen by the party computing the hash value. Therefore, a holder of the main trapdoor is not able to compute a second pre-image of the hash unless also provided with the ephemeral trapdoor. Since their introduction, CH and CHET schemes have received considerable attention and have now become a part of the construction of many cryptographic primitives. They are used, for instance, in the design of chameleon, sanitizable, and online/offline signature schemes [3–7].

One of the recent and important applications of CH is in the design of a mutable blockchain. It was the work of Ateniese et al. [8] who first proposed a way to allow blockchain rewriting. However, one issue of the Ateniese et al. scheme is that any trapdoor holder can rewrite a block of its choice. To address this issue, Derler et al. [9] recently introduced the concept of policy-based chameleon ( PCH ), which is a type of CH where for computing a second pre-image of a hash, only the trapdoor holders satisfying its access policy are authorized to do it. PCH schemes are designed by combining CH and attribute-based encryption ( ABE ) schemes^[1]. Although access policies allow the controlling of computation of the second pre-image in PCH schemes, a compromised trapdoor or malicious behaviour can constitute a serious security issue. To address this issue, Xu et al. have recently introduced the concept of revocable policy-based chameleon hash ( RPCH ) [10], which allows the revoking of the rewriting privilege of trapdoor holders. Similar to PCH , RPCH schemes are designed by combining revocable attribute-based encryption ( RABE ) and CHET schemes.

In this paper, we construct a lattice-based CHET by applying Derler et al.’s approach to a modified version of Cash et al.’s CH [11]. Furthermore and still using lattices, we introduce an RABE scheme that is adaptively indistinguishable. In addition, we combine our CHET and RABE schemes to design a new RPCH .

1.1 Related works

After being introduced in [1], several new variants of CH have been published. These include CH with ephemeral trapdoor [2] and identity-based [12–15], policy-based, tag-based [16], and RPCH functions.

RPCH is a combination of an RABE and CHET . Thus, designing an efficient RPCH using lattice requires designing an efficient lattice-based RABE and CHET . For the construction of CHET , two frameworks were introduced by Derler et al. [2]. The first one is based on zero-knowledge proof and a commitment scheme. The second technique consists of transforming a secure and unique CH into a CHET where the hash of a message m will be a pair h = ( h 1 , h 2 ) . h 1 and h 2 correspond to the hash of m computed using the public key and an ephemeral public key, respectively. The CHET designed in this paper is based on the second technique using Cash et al.’s CH [11]. In Cash et al.’s scheme, the public key is a pair of matrices ( A 1 ∣ ∣ A 2 ) , and the hash of a message m is given by h = A 1 m + A 2 r , where r is a random vector chosen from a Gaussian distribution. Using a CHET designed from Cash et al.’s CH to build a RPCH would require a slight modification. The ephemeral trapdoor has to be encrypted using an ABE scheme. Therefore, the ephemeral trapdoor needs to be a binary string instead of a matrix.

For the design of the proposed RPCH , an adaptive secure RABE scheme is required. However, most of the revocable attribute-based schemes using lattice in the literature are selectively secure. For this purpose, we introduce a new adaptive secure RABE scheme on top of Tsabary’s attribute-based encryption [17], which is one of the efficient and adaptive secure ABEs. The Tsabary scheme is a ciphertext-policy ABE scheme that uses as policies the conjunctive normal form policies.

1.2 Motivation

Our motivation is mainly two-fold. First, there exist lattice-based hard problems that are considered resistant to attacks using future quantum computers, but to our knowledge, there is no work in the literature on the design of adaptive indistinguishable RABE based on such hard problems. Although there is a recent article on adaptive indistinguishable RABE introduced by Xiong et al. [18], the security of their scheme relies on the decisional linear ( DLIN ) assumption, which is not quantum secure either. Second, and with regard to RPCH , it appears that Xu et al.’s work [10] is the only one published in the literature so far and the security of their scheme relies on the DLIN assumption, and hence, it is not quantum secure. With the continued progress in the development of quantum computers, it is therefore of interest to design RPCH with post-quantum security assumptions.

1.3 Our contributions

In this paper, we propose a slight modification of Micciancio and Peikert’s trapdoor generation algorithm [19, Algorithm 1] using a random oracle ( RO ) to reduce the size of trapdoors. We use the modified trapdoor generation algorithm to introduce a lattice-based CHET . Our scheme is designed using a modified version of Cash et al.’s CH [11] and Derler et al.’s framework [9]. We show that the security of the proposed lattice-based CHET relies on short integer solution ( SIS ) and inhomogeneous short integer solution ( ISIS ) problems. We design an adaptive indistinguishable RABE from lattice assumptions. We combine our proposed lattice-based RABE and CHET schemes to design a lattice-based RPCH scheme from Xu et al.’s construction [10]. Finally, we show that our schemes are secure and compare our RABE with relevant lattice-based schemes proposed recently.

1.4 Organization of this article

In this article, we recall the necessary prerequisites in Section 2. In Section 3, we introduce a modified version of Micciancio and Peikert’s trapdoor generator algorithm, construct a lattice-based CHET scheme, and give a security analysis of the proposed CHET . Section 4 contains the description of our RABE scheme and its security analysis. In Section 5, we describe our RPCH scheme using lattice and provide its security analysis. Finally, we conclude in Section 6.

2 Preliminaries

In this paper, we consider row vectors and denote vectors by bold lowercase and matrices by bold uppercase letters. In addition, we consider the following definition of norms: ‖ a ‖ = ∑ i = 1 m a i 2 , ‖ a ‖ 1 = ∑ i = 1 m ∣ a i ∣ , ‖ a ‖ ∞ = max i ∣ a i ∣ , ‖ A ‖ 1 = max j ∑ i = 1 m ∣ a i j ∣ and ‖ A ‖ ∞ = max i ∑ j = 1 m ∣ a i j ∣ .

2.1 Lattices

Let m be a nonzero positive integer { b 1 , … , b m } be a set of m linearly independent vectors of R m . A (full-rank) m -dimensional lattice generated by { b 1 , … , b m } is the set denoted by Λ ( b 1 , … , b m ) and defined by Λ ( b 1 , … , b m ) = { ∑ i = 1 m x i b i : x i ∈ Z } . Equivalently, if B is a matrix where its rows are vectors b 1 , … , b m , the lattice Λ ( b 1 , … , b m ) can be denoted by Λ ( ℬ ) and described by Λ ( ℬ ) = { x B : x ∈ Z m } .

For a prime number q , a lattice Λ is called a q -ary lattice if q Z m ⊆ Λ ⊆ Z m . With this condition, it is easy to verify that for all y ∈ Z m , y is an element of a q -ary lattice Λ if and only if y mod q ∈ Λ .

Let 0 < n ≤ m and A ∈ Z q n × m be a full rank matrix. We denote by Λ q ( A ) the set defined by

Λ q ( A ) = { y ∈ Z m : y mod q = x A mod q for some x ∈ Z n } .

Similarly, Λ q ⊥ ( A ) is defined by

Λ q ⊥ ( A ) = { y ∈ Z m : A y T = 0 mod q } .

Λ q ( A ) and Λ q ⊥ ( A ) are q -ary lattices. In addition, we can verify that Λ q ( A ) satisfies Λ q ( A ) = Z n A + q Z m . For all u ∈ Z q n , we denote by Λ q u ( A ) the set

Λ q u ( A ) = { y ∈ Z m : A y T = u mod q } .

2.2 Discrete Gaussian, bounded distributions, lattice trapdoors, and hard problems

2.2.1 Discrete Gaussian

For a positive real number σ > 0 , the Gaussian function with parameter σ and center c ∈ R n is defined by

ρ σ , c ( x ) = exp − ‖ x − c ‖ 2 σ 2 π , for all x ∈ R n .

When c is the origin, the corresponding Gaussian function is said to be centered. Later, in this article, we simply say the Gaussian function to refer to the centered Gaussian function and denote it by ρ σ . For an n -dimensional lattice Λ , the discrete Gaussian distribution on Λ is the function defined by

D Λ , σ ( x ) = ρ σ ( x ) ρ σ ( Λ ) , for all x ∈ Λ ,

where ρ σ ( Λ ) = ∑ x ∈ Λ ρ σ ( x ) . We denote the discrete Gaussian distribution supported over Z (resp. Z q ) with parameter σ by D σ (resp. D q , σ ). For a given lattice Λ , we denote this distribution by D Λ , σ . We now state the following lemma:

Lemma 1

[20] Let n, m, and q be the positive integers such that m ≥ 2 n log ( q ) , where q is a prime number. Let σ be any positive real number such that σ ≥ n + log ( m ) . Then, for A ← $ Z q n × m and e ← $ D σ m , the distribution of u = A e T mod q is 2 − Ω ( n ) -statistically close to uniform over Z q n . Furthermore, for a fixed u ∈ Z q n , the conditional distribution of e ← $ D σ m , given A e T = u mod q for a uniformly random A ∈ Z q n × m , is D Λ q u ( A ) , σ .

2.2.2 Bounded distribution [17]

Let χ be a distribution supported over Z . If there exists B ∈ R + and 0 < ε < 1 such that Pr x ← $ χ [ ∣ x ∣ > B ] < ε , χ is said to be ( B , ε ) -bounded. When ε is a negligible function, for brevity, χ is the said B -bounded distribution instead of ( B , ε ) -bounded. χ is said to be ( B , ε ) -swallowing if for all y ∈ [ − B , B ] ∩ Z , the statistical distance between χ and y + χ is equal to ε . A second distribution χ ˜ supported over Z is said to be ( χ , ε ) -swallowing if the statistical distance between χ and χ + χ ˜ is equal to ε .

2.2.3 Lattice trapdoor

Let n , q ∈ Z , g = ( 1 , 2 , 4 , … , 2 ⌈ log ( q ) ⌉ − 1 ) and m 0 = n ⌈ log ( q ) ⌉ . The gadget matrix G is defined as the diagonal matrix given by G = I n ⊗ g ∈ Z q n × m 0 , where ⊗ is the Kronecker product [17]. For all t ∈ Z , let G − 1 : Z q n × t ⟶ { 0 , 1 } m 0 × t be the function that converts each entry a i j ∈ Z q of a matrix in a binary column vector of size ⌈ log ( q ) ⌉ corresponding to the binary representation of a i j . It holds that for all A ∈ Z q n × m 0 , we have G G − 1 ( A ) = A [17].

Let A ∈ Z q n × m be a matrix. For all v ∈ Z q n (resp. V ∈ Z q n × m ), let A σ − 1 ( v ) (resp. A σ − 1 ( V ) ) be an output distribution of D σ m 0 (resp. of D σ m 0 × m ).

A σ -trapdoor for a matrix A ∈ Z q n × m 0 is a trapdoor that enables to sample from the distribution A σ − 1 ( v ) (resp. A σ − 1 ( V ) ) in time poly( n , m 0 , log ( q ) ) (resp. poly( n , m 0 , m , log ( q ) )) for all v ∈ Z q n (resp. V ∈ Z q n × m ). We denote a σ -trapdoor of matrix A by A σ − 1 . In the following proposition, we recall some properties of trapdoors [11,17,19,21–23].

Proposition 1

There exist an efficiently computable value m 0 = O ( n log ( q ) ) and an efficient procedure GenTrap such that for all m ≥ m 0 , GenTrap outputs ( A , A σ − 1 ) = GenTrap ( 1 n , m , q ) , where A ∈ Z q n × m is 2 − n -uniform and σ = O ( n log ( q ) log ( n ) ) .
Let A ∈ Z q n × m be a matrix with a trapdoor A τ − 1 . Then, it is efficient to generate a trapdoor [ A ‖ B ] τ ′ − 1 , for all B ∈ Z q n × m ′ , any m ′ ∈ N , and τ ′ ≥ τ .
Let A ∈ Z q n × m and R ∈ Z q m × m 0 with m 0 = n ⌈ log ( q ) ⌉ . Then, it is efficient to compute [ A ‖ A R + G ] τ − 1 for τ = O ( m 0 m ‖ R ‖ ∞ ) .

Note that if A is chosen uniformly and R uniformly in { − 1 , 0 , 1 } m × m 0 , then part 3 of Proposition 1 is a special case of the leftover hash lemma [17].

2.2.4 Hard lattice problems

Now, we briefly recall some hard lattice problems that we use as security assumptions in our schemes. For more details, the reader is referred to [21,24–29].

Short integer solution ( SIS q , n , m , γ ): Given a random matrix A ∈ Z q n × m , find a vector x ∈ Z m \ { 0 } such that A x T = 0 and ‖ x ‖ ≤ γ .
Inhomogeneous short integer solution ( ISIS q , n , m , γ ) : Given a random matrix A ∈ Z q n × m and a vector y ∈ Z q n , find a vector x ∈ Z m \ { 0 } such that A x T = y and ‖ x ‖ ≤ γ
Decisional learning with errors ( DLWE q , n , m , χ ) [28]: Let n , m , and q be positive integers such that q is prime. Let χ be a noise distribution over Z . Distinguish the following two distributions:
( A , s A + e ) and ( A , u ) ,
where A ← $ Z q n × m , s ← $ Z q n , u ← $ Z q m , and e ← $ χ m are independently sampled.

We are interested in the case where q < 2 n ; therefore, we have the following corollary:

Corollary 1

[19,28] For all ε > 0 , there exist functions q = q ( n ) ≤ 2 n , and χ = χ ( n ) such that χ is B-bounded for some B = B ( n ) , q ⁄ B ≥ 2 n ε , and DLWE q , n , m , χ is at least as hard as the classical hardness of the gap shortest vector problem ( GapSVP γ ) and the quantum hardness of the shortest independent vector problem ( SIVP γ ) for γ = 2 Ω ( n ε ) and all m = poly ( n ) .

2.3 Pseudo-random function (PRF) and conjunctive normal form policy

2.3.1 PRF

PRF defined over a key space K , a domain X , and a range Y , is a function F : K × X ⟶ Y that can be computed by a deterministic polynomial time algorithm. On input ( K , x ), the algorithm outputs F ( K , x ) = y ∈ Y . Moreover, for a given key K , the function F ( K , . ) is efficiently evaluated at all points x ∈ X . Thus, a PRF is defined by a set of two algorithms F = ( F . Setup , F . Eval ) such that [17,30]:

( PP , K ) ← F . Setup ( 1 λ ) is the setup algorithm that takes as input a security parameter λ and outputs a key K ∈ { 0 , 1 } λ and public parameters PP .
y ← F . Eval ( K , x ) is the evaluation algorithm that for a given secret key K , takes as input a binary string x ∈ { 0 , 1 } ℓ and outputs y ∈ { 0 , 1 } n , where n = n ( λ ) and ℓ = ℓ ( λ ) .

It is important to note that there are different types of PRFs, however, in this paper, we are interested in the constrained pseudo-random functions ( cPRF ) introduced by Boneh and Waters [31]. Indeed, for a given ℱ , a class of functions f defined from { 0 , 1 } ℓ onto { 0 , 1 } , cPRF with policies in ℱ , is a tuple of algorithms F = ( F . Setup , F . Eval , F . Constrain , F . ConstrainEval ) such that [32]:

( PP , msk ) ← F . Setup ( 1 λ ) takes as input the security parameter λ and outputs PP and a master secret key msk .
r x ← F . Eval ( msk , x ) is a deterministic algorithm that outputs a bit-string r x of length n = n ( λ ) by taking as input a master secret key msk and a bit-string x of length ℓ .
csk f ← F . Constrain ( msk , f ) takes as input a master secret key msk and a function f ∈ ℱ and returns a constrained key csk f .
r x ′ ← F . ConstrainEval ( csk f , x ) is a deterministic algorithm that takes as input a constrained key csk f and a bit-string of length ℓ . It returns a bit-string r x ′ of length n .

A cPRF is said to be correct when for all x ∈ { 0 , 1 } ℓ and f ∈ ℱ , if f ( x ) = 1 , we have F . Eval ( msk , x ) = F . ConstrainEval ( csk f , x ) where ( PP , msk ) = F . Setup ( 1 λ ) and csk f = F . Constrain ( msk , f ) . However, there are two notions of pseudo-randomness for cPRFs namely, adaptive pseudo-randomness and selective pseudo-randomness. A cPRF is said to be adaptive pseudo-random if the probability of a PPT adversary A , to win the adaptive pseudo-randomness game is negligible.

In this paper, for the design of our RABE , we are interested in a particular type of cPRF introduced by Tsabary called conforming cPRF . These functions, in addition to being pseudo-random, satisfy the following two properties [17]:

Gradual evaluation: for all f ∈ ℱ and x ∈ { 0 , 1 } ℓ , if f ( x ) = 1 , it holds that the circuit descriptions of the algorithms F . Eval ( ⋅ , x ) and F . ConstrainEval ( F . Constrain ( ⋅ , f ) , x ) are identical.
Key simulation: it means that there exists an additional public algorithm F . KeySim ( f ) ← σ f that allows a simulation of constrained keys. Moreover, simulated keys should be indistinguishable from real constrained keys to any distinguisher with no access to evaluations on points x , where f ( x ) = 1 .

The adaptive pseudo-random game for cPRFs [17,32]:

cPRF . PseudoRand Game ̲

( PP , F.msk ) ← Setup ( 1 λ ) ,
x * ← A O Eval , Constrain ( PP ) ,
r b * ← Eval ( F.msk , x * ) ,
b ˜ ← A O Eval , Constrain ( r b * ) .

An adversary A wins in the adaptive pseudo-random game when the guessed value b ˜ is equal to b . The advantage of an adversary A in the adaptive pseudo-random game is given by Adv A , cPRF PseudoRand = ∣ Pr [ b ˜ = b ] − 1 ⁄ 2 ∣ . Thus, a cPRF is adaptive pseudo-random if the advantage of any PPT adversary A in the adaptive pseudo-random game is negligible in λ , i.e.,

Adv A , cPRF PseudoRand ≤ ε ( λ ) .

2.3.2 Conjunctive normal form policy [17]

Let ℓ and t be nonzero positive integers such that t ≤ ℓ . A t -conjunctive normal form ( t - CNF ) policy f : { 0 , 1 } ℓ ⟶ { 0 , 1 } is a set of clauses f = { ( T i , f i ) } i such that for all x ∈ { 0 , 1 } ℓ , f ( x ) = ⋀ i f i ( x T i ) , and for all i , T i ⊆ { 1 , … , ℓ } , ∣ T i ∣ = t , f i : { 0 , 1 } t ⟶ { 0 , 1 } and x T i = ( x j ) j ∈ T i is a vector formed by components of x indexed by T i . A class of functions ℱ is said to be t - CNF when it consists of only t - CNF policies for some fixed ℓ ∈ N and t ≤ ℓ .

2.4 Revocable attribute-based encryption

ABE scheme is a generalization of cryptographic primitives such as identity-based encryption scheme that allows us to target the recipients of a message according to access policies. It was introduced by Sahai and Waters [33] and developed later by Goyal et al. [34]. There are two categories of ABE schemes: ciphertext policy ( CP - ABE ) and key policy ( KP - ABE ) ABE schemes. In CP - ABE schemes, the ciphertexts are associated with access policies, i.e., senders can decide who can decrypt the sent ciphertexts. On the other hand, in KP - ABE , secret keys are associated with access structures that specify which ciphertexts the user will be able to decrypt. In this article, we are interested in the ciphertext policy revocable ABE scheme ( CP - RABE ), which is a generalization of the ciphertext policy ABE scheme where, it is possible to revoke a malicious secret holder. For brevity, when the context is clear, we sometimes denote CP - RABE simply as RABE .

2.4.1 Definition

Let ℱ be a class of functions defined from { 0 , 1 } ℓ onto { 0 , 1 } . Let T be a time space, ℳ a message space, and ℐD an identity space. A CP - RABE scheme associated with T , ℳ for policies f ∈ ℱ is a tuple of algorithms ( Setup RABE , SKGen RABE , DKGen RABE , Enc RABE , Dec RABE , Rev RABE , KUpd RABE ) defined as follows:

( msk RABE , mpk RABE , st , RL ) ← Setup RABE ( 1 λ ) takes as input a security parameter λ . It returns a master secret key msk RABE , a master public key mpk RABE , a state st , and a revocation list RL . We assume that the master public key contains all information about the plaintext message space ℳ , time period space T ∈ { 1 , … , T max } , and identity space ℐD , where T max is polynomial in λ . We also assume that the revocation list RL is initialized to RL = ∅ .
sk id ← SKGen RABE ( msk RABE , st , id , x ) takes as input a master secret key msk RABE , a state st , an identity id with its corresponding attribute x ∈ { 0 , 1 } ℓ , and outputs a secret key sk id .
ku T ← KUpd RABE ( msk RABE , T , RL ) takes as input a master secret key msk RABE , a time period T , and a revocation list RL . It outputs an updated key material ku T .
dk T , id ← DKGen RABE ( sk id , ku T ) takes as input a secret key sk id and a key update material ku T corresponding to a time period T. It outputs a decryption key dk id , T .
ct ← Enc RABE ( mpk RABE , m , f , T ) outputs a ciphertext ct . It takes as input a master public key mpk RABE , a time period T ∈ T , a plaintext message m ∈ ℳ , and an access policy f ∈ ℱ .
m ← Dec RABE ( dk id , T , ct ) takes as input a decryption key dk id , T and a ciphertext ct and outputs a plaintext m ∈ ℳ .
RL ← Rev RABE ( id , RL , T ) outputs an updated revocation list RL . It takes as input an identity id , a time period T , and a revocation list RL .

2.4.2 Correctness

The correctness requires that the decryption of all ciphertext ct = Enc RABE ( mpk RABE , m , f , T ) by an honest user with non-revoked identity id always gives the message m with high probability if the user attribute x satisfies the ciphertext-policy f . Otherwise, an RABE is correct when the probability of a failed decryption of an honest computed ciphertext by an honest and non-revoked user satisfying the access policy is negligible. Indeed, for a chosen security parameter λ ∈ N and a fixed pair of master public/secret keys ( mpk RABE , msk RABE ) , the following inequality is satisfied:

Pr Dec RABE ( dk id , T , ct ) ≠ m ct = Enc RABE ( mpk RABE , m , f , T ) sk id = SKGen RABE ( msk RABE , st , id , x ) id ∉ RL and f ( x ) = 1 ku T = KUpd RABE ( msk RABE , T , RL ) dk id , T = DKGen RABE ( sk id , ku T ) ≤ ε ( λ ) ,

where ε is a negligible function in λ .

2.4.3 Security model

Note that, as in ABE schemes, there are two kinds of IND - CPA security notions in RABE : the selective and the adaptive IND - CPA security. The main difference between the two is that in the selective IND - CPA game, the adversary must declare to the challenger the access policy and a revocation list RL on a time period T before receiving the secret key and public parameters from the challenger. However, in the adaptive IND - CPA game, it should declare the policy after receiving the secret key and public parameters from the challenger. Hence, different phases in the adaptive IND - CPA game of RABE can be described as follows:

Setup:

During the setup phase of the RABE adaptive IND-CPA game, the challenger C computes ( msk RABE , mpk RABE , st , RL ) = Setup ( 1 λ ) and prepares a list SKList in which all tuples ( id , x , sk id ) generated during the game will be stored. Indeed, when a new secret key sk id is generated from a pair ( id , x ) of identity id and attribute x due to the execution of SKGen , the challenger C will store ( id , x , sk id ) in SKList . Then, the challenger computes the updated key material ku T c u = KUpd ( msk RABE , RL T c u , T c u = 1 ) for initial time period T c u = 1 , where T c u corresponds to current time period. Finally, the challenger C sends mpk RABE and ku T c u to the adversary A .

Queries:

During the query phases, the adversary A may adaptively (possibly many times) make the following queries:
- Secret key generation query: Until the challenge query, upon a query ( id , x ) from the adversary A , the challenger C first checks if ( id , * ) ∉ RL T c u and ( id , * , * ) ∉ SKList T c u . If the condition is not satisfied, the challenger returns ⊥ . Otherwise, it computes ( sk id , st ) = SKGen ( msk RABE , st , id , x ) and then stores ( id , x , sk id ) in SKList T c u . Finally, it returns sk id to the adversary A .
- Revoke and key update query: Until the challenge query, upon a query RL * from the adversary A , where RL * is a set of identities that are going to be revoked in the next time period, the challenger C checks if the following condition is satisfied:
  RL T c u ⊆ RL * .
  This is for ensuring that identities that have already been revoked will remain revoked in the next period. After the challenge query, C also checks if T c u = T * − 1 and all id ∈ ℐD such that ( id , * , * ) ∈ SKList T c u are revoked, i.e., ( id , * ) ∈ RL * . If the conditions are not satisfied, the challenger returns ⊥ to the adversary A . Otherwise, the challenger computes T c u = T c u + 1 and sets RL T c u = RL * . Then, it computes ku T c u = KUpd ( msk RABE , RL T c u , T c u ) . Finally, it returns ku T c u to the adversary A .
The adversary A is allowed to query only during increased time T > T c u .

Challenge:

For the challenge query, the adversary A is allowed to make the query only once. Upon a query ( m * , x * ∈ { 0 , 1 } ℓ , f * , T * ) , the challenger verifies that T * ≤ T c u and for all id ∈ ℐD such that ( id , * , * ) ∈ SKList * , ( id , * ) ∈ RL * . Then, the challenger picks b ∈ { 0 , 1 } . If b = 0 , the challenger computes ct b * = Enc ( mpk RABE , m * , f * , T * ) ; otherwise, it samples ct b * from the ciphertext space uniformly at random. Finally, it returns ct * to the adversary A .

Guess:

During this phase, the adversary guesses b ˜ ∈ { 0 , 1 } and terminates the game.

The aforementioned description of the RABE adaptive IND - CPA game can be summed up in four steps as follows.

RABE.IND - aCPAGame : ̲

( msk RABE , mpk RABE , st , RL ) ← $ Setup ( 1 λ ) ,
( m * , x * ∈ { 0 , 1 } ℓ , f * , T * ) ← $ A O ( mpk RABE ) ,
ct b * ← Enc ( mpk RABE , m * , f * , T * ) ,
b ˜ ← A O ( ct b * ) ,

where IND - aCPA denotes the adaptive IND - CPA . At the end of the IND - aCPA game, the adversary A is successful with the attack when b ˜ = b and ( f * ( x * ) = 0 or id ∈ RL T * ). Moreover, its advantage in RABE.IND - aCPAGame is given by Adv A RABE ( λ ) = ∣ Pr [ b ˜ = b ] − 1 ⁄ 2 ∣ . Therefore, an RABE is said to be adaptively indistinguishable if for all PPT adversary A , the following inequality holds:

∣ Pr [ b ˜ = b ] − 1 ⁄ 2 ∣ ≤ ε ( λ ) ,

where ε is a negligible function in λ .

2.5 CHET

In this section, we briefly recall the formal definition and security model of CHET and highlight some of the differences among CHET , PCH , and RPCH . For more details CH schemes, the reader is referred to [2,9,10,35,36].

2.5.1 Definition

A CH ( CHET ) is a set of five algorithms ( Setup CHET , KGen CHET , Hash CHET , Verif CHET , and Adapt CHET ) described as follows:

PP CHET ← Setup CHET ( 1 λ ) generates public parameters PP CH of the scheme; it takes as input the security parameter λ .
( sk CHET , pk CHET ) ← KGen CHET ( PP CHET ) takes as input the public parameters PP CHET and outputs a pair of secret and public keys ( sk CHET , pk CHET ) .
( h , r , etd ) ← Hash CHET ( pk CHET , m ) takes as input the message m to hash and the public key pk CHET ; it outputs a hash h , a random value r , and an ephemeral trapdoor etd .
b ∈ { 0 , 1 } ← Verif CHET ( pk CHET , h , r ) is a deterministic algorithm that outputs b ∈ { 0 , 1 } ; it takes as input the public key pk CHET , a message m , a hash h and a random value r .
r ′ ← Adapt CHET ( sk CHET , etd , m , m ′ , h , r ) takes as input the secret key sk CHET , an ephemeral trapdoor etd , the original message m , a hash h of m with its corresponding random value r , and a new message m ′ . It returns a new random value r ′ such that h remains a CH of m ′ .

The ephemeral trapdoor etd in CHET is chosen by the party that computes the hash value such that holders of the main trapdoor are unable to compute a collision of the hash unless they are provided with an ephemeral trapdoor. Note that CHET can be constructed from a CH using from However, PCH scheme is a combination of ABE and CH schemes. An editor or a trapdoor holder will be able to rewrite data if its attribute satisfies the access policy. Unlike PCH , RPCH allows a revocation of a malicious trapdoor holder. Compared to PCH , RPCH is designed by combining RABE and CH scheme.

2.5.2 Security model

In the following, we briefly recall the CHET security model. Note that the security requirements of CHET are indistinguishability, public collision-resistance, private collision-resistance, and uniqueness. For more information, the reader is referred to [2,9].

2.5.2.1. Indistinguishability

The indistinguishability in CHET requires that it should be intractable for an adversary to distinguish whether a given random value r is returned by Hash CHET or Adapt CHET . However, the level of indistinguishability, which is of our interest, is the full indistinguishability. We denote the corresponding game by CHET.FIndGame .

CHET.FIndGame : ̲

PP CHET ← $ Setup CHET ( 1 λ )
b ← $ { 0 , 1 }
b * ← A O CHashOrCAdapt CHET ( ⋅ , ⋅ , ⋅ , b ) ( PP CHET )
Return b = b *

O CHashOrCAdapt CHET ( ⋅ , ⋅ , ⋅ , b ) : ̲

Input : sk CHET , pk CHET , m and m ′ .

Output : ( h b , r b , etd b )

( h 0 , r 0 , etd 0 ) ← Hash CHET ( pk CHET , m ′ )
( h 1 , r 1 , etd 1 ) ← Hash CHET ( pk CHET , m )
r 1 ← Adapt ( sk CHET , etd 1 , m , m ′ , r 1 , h 1 )
Return ( h b , r b , etd b ) .

Let A be an adversary in the CHET full indistinguishability game. A wins the game when it guesses b ˜ such that b ˜ = b . Its advantage denoted by Adv A CH.FInd is given by

Adv A CHET.FInd = ∣ Pr [ CHET.FIndGame ( λ ) = 1 ] − 1 ⁄ 2 ∣ .

A CHET scheme is said to be fully indistinguishable if the advantage of any polynomial time adversary A in the CHET.FIndGame is negligible.

2.5.2.2. Public collision-resistance

In the public collision-resistance game of CHET , the adversary is authorized to have access to a collision oracle O Adapt CHET ′ . The public collision resistance requires that it should be infeasible to produce collisions, other than the ones produced by O Adapt CHET ′ .

CHET.PubColResGame : ̲

PP CHET ← $ Setup CHET ( 1 λ )
( sk CHET , pk CHET ) ← $ KeyGen CHET ( PP CHET )
Q ← ∅
( m ˜ , r ˜ , m ˜ ′ , r ˜ ′ , h ˜ ) ← A O Adapt CHET ′ ( sk CHET , ⋅ , ⋅ , ⋅ , ⋅ , ⋅ ) ( pk CHET )
If Verif CHET ( pk CHET , m ˜ , r ˜ , h ˜ ) = 1 ∧ Verif CHET ( pk CHET , m ˜ ′ , r ˜ ′ , h ˜ ) = 1 ∧ m ˜ ≠ m ˜ ′ ∧ m ˜ ′ ∉ Q :

Return 1

Return 0.

O Adapt CHET ′ ( sk CHET , ⋅ , ⋅ , ⋅ , ⋅ , ⋅ ) : ̲

Input : etd , m , r , m ′ , and h .

Output : r ′ .

If Verif CHET ( pk CHET , m , h , r ) :

Return ⊥

r ′ ← Adapt CHET ( sk CHET , etd , m , m ′ , h , r )
If r ′ = ⊥ :

Return ⊥

Q ← Q ∪ { m , m ′ }
Return r ′

The advantage of an adversary in the public collision-resistance game of CHET is the probability that the value 1 is returned. If we denote it by Adv A , CHET CHET.PubColRes , we have:

Adv A , CHET CHET.PubColRes = Pr [ CHET.PubColResGame ( λ ) = 1 ] .

Thus, a CHET scheme is public collision secure if the advantage of any probabilistic polynomial time (PPT) adversary A in CHET.PubColResGame is negligible. Note that since our security proof is based on [9, Theorem 4] RPCH , we are not concerned with the public collision-resistance property. For more detail on the public collision-resistance in CHET , see [2,9].

2.5.2.3. Private collision-resistance

The aim of the private collision-resistance in CHET is to ensure that even if the adversary holds one of the trapdoors, it should not be able to find collisions unless it holds both the secret key and the ephemeral trapdoor etd . For the formal definition of private collision-resistance in CHET , see [2]. However, in this paper we are interested in the strong private collision-resistance in CHET introduced in [9]. The strong private collision-resistance is similar to the private collision-resistance game but with a small difference. Indeed, a trapdoor holder adversary A should not be able to provide a collision of a hash without the knowledge of etd even if it is allowed to request arbitrarily many collisions. The strong private collision-resistance game CHET.SPrivColResGame in CHET is described as follows [9]:

CHET.SPrivColResGame : ̲

PP CHET ← $ Setup CHET ( 1 λ )
Q ← ∅
i ← 0
( pk ∼ CHET , m ˜ , r ˜ , m ˜ ′ , r ˜ ′ , h ˜ ) ← A O Hash CHET ′ ( ⋅ , ⋅ ) , O Adapt CHET ′ ( ⋅ , ⋅ , ⋅ , ⋅ , ⋅ ) ( PP CHET )
If Verif CHET ( pk ∼ CHET , m ˜ , r ˜ , h ˜ ) = 1 ∧ Verif CHET ( pk ˜ CHET , m ˜ ′ , r ˜ ′ , h ˜ ) = 1 ∧ m ˜ ≠ m ˜ ′ ∧ ( pk ˜ CHET , m ˜ , h ˜ , ⋅ , ⋅ )

∉ Q ∧ ( pk ˜ CHET , ⋅ , h ˜ , ⋅ , ⋅ ) ∉ Q :

Return 1
Return 0.

O Hash CHET ′ ( ⋅ , ⋅ ) : ̲

Input : pk , m .

Output : ( h , r ) .

( h , r , etd ) ← Hash CHET ( pk , m )
If r = ⊥ :

Return ⊥

i = i + 1
Q ← Q ∪ { ( pk , h , m , etd , i ) }
Return ( h , r ) .

O Adapt CHET ′ ( ⋅ , ⋅ , ⋅ , ⋅ , ⋅ ) : ̲

Input : sk , h , m , r , m ′ , i .

Output : r ′ .

If ( pk , h ′ , m ″ , etd , i ) ∉ Q for some pk h ′ , m ″ , etd :

Return ⊥ .

r ′ ← Adapt CHET ( sk , etd , m , m ′ , h , r )
If r ′ ≠ ⊥ :

Q ← Q ∪ { ( pk , h ′ , m , etd , i ) , ( pk , h ′ , m ′ , etd , i ) }

Return r ′ .

An adversary A wins in the strong private collision-resistance game CHET.SPrivColResGame when 1 is returned at the end of the game. Therefore, the advantage of an adversary in CHET.SPrivColResGame corresponds to the probability that the value 1 is returned as the of CHET.SPrivColResGame , i.e.,

Adv A , CHET CHET.SPrivColRes = Pr [ CHET.SPrivColResGame ( λ ) = 1 ] .

A CHET scheme is said to be strongly private collision-resistant when this advantage is negligible for any PPT adversary A .

2.5.2.4. Uniqueness

Uniqueness in CHET requires that for an adversarially given public key pk ˜ , it will be difficult for the adversary to find two different random values r ˜ and r ˜ ′ for the same message m ˜ such that the hashes are equal.

CHET.UniGame : ̲

PP CHET ← $ Setup CH ( 1 λ )
( pk ˜ , m ˜ , r ˜ , r ˜ ′ , h ˜ ) ← $ A ( PP CHET )
If Verif CH ( pk ˜ , m ˜ , r ˜ , h ˜ ) = 1 ∧ Verif CH ( pk ˜ , m ˜ ′ , r ˜ ′ , h ˜ ) = 1 ∧ r ˜ ≠ r ˜ ′ :

Return 1

Return 0.

The advantage of an adversary in the uniqueness game corresponds to the probability that 1 is returned at the end of CHET.UniGame . If we denote this advantage by Adv A , CHET CHET.Uni , we have:

Adv A , CHET CHET.Uni = Pr [ CHET.UniGame ( λ ) = 1 ] .

A CHET scheme is said to be unique when the advantage of any PPT adversary is negligible.

3 Lattice-based CHET scheme

In this section, based on the work of Derler et al. [9], we introduce a CH function with an ephemeral trapdoor. To this end, we first give a modified version of the trapdoor generation algorithm of Micciancio and Peikert [19, Algorithm 1] by including RO . Then, we describe our CHET and finally show that our CHET is secure under lattice problems, namely, the SIS and ISIS problems.

3.1 Trapdoor generator algorithm

In the Micciancio and Peikert trapdoor generator algorithm, the trapdoor is usually a matrix. However, for the purpose of our design, we need to generate a trapdoor that we would be able to transmit easily through a secure channel. To this end, we propose to generate the trapdoor matrix using an RO with a random seed as input. The seed is a random binary string of length λ . Therefore, in addition to the public matrix, the algorithm returns the seed as the trapdoor instead of a matrix. We denote the modified algorithm by GenTrap RO and describe it as follows:

GenTrap RO : ̲

Input : Integers n and q where q is a prime number.

Output : Public matrix A ∈ Z q n × m and the seed for the trapdoor A σ − 1 where m = n ( ⌈ log ( q ) ⌉ + 2 ) .

Choose randomly A ¯ ← $ Z q n × m ¯ with m ¯ = 2 n .
seed ← $ { 0 , 1 } λ .
Compute R ← RO ( seed ) , where R ∈ { − 1 , 0 , 1 } m ¯ × m 0 and m 0 = n ⌈ log ( q ) ⌉ .
Compute A = [ A ¯ ‖ G − A ¯ R ] , where G ∈ Z q n × m 0 .
Output seed and A .

Note that in the modified trapdoor generator algorithm GenTrap RO , the matrix G corresponds to the gadget matrix defined in Section 2.2. The trapdoor A σ − 1 is computed by using the RO and the secret seed A σ − 1 = RO ( seed ) . As the seed is a binary string, it can be encrypted and transmitted through a communication channel in a relatively efficient manner.

3.2 Construction

In this section, we discuss the design of a CHET based on our CH scheme. The public key and secret key in our lattice-based CHET scheme are computed using the Micciancio and Peikert trapdoor generator algorithm ( sk CHET , pk CHET ) = ( A σ 1 − 1 , A ) ← $ KeyGen CHET ( n 1 , q 1 , D σ 1 ) . The scheme is designed using a slightly modified version of Cash et al’s CH [11] and Derler et al.’s framework [2,9]. In fact, in Cash et al.’s CH two public matrices A 0 and A 1 ∈ Z q n × m are used. The CH of a message m is computed by h = A 0 m T + A 1 r T , where r is a random vector. However, we propose to use only one public matrix A ∈ Z q n × m instead of two matrices. The CH of a message m will be computed by h = A r 2 + ℋ q ( pk CHET , m , r 1 ) , where ℋ q is a cryptographic hash function defined from Z q * onto Z q m . The random value r is given by r = ( r 1 , r 2 ) , where r 1 and r 2 are randomly chosen for computing h .

For hashing a message m using a public matrix A ∈ Z q 1 n 1 × m 1 , we first generate an ephemeral key pair ( seed , A ˜ ) ← $ GenTrap RO ( n 2 , q 2 ) by executing the modified trapdoor generator algorithm. Then, we set m ˜ = ( pk CHET , pk CHET ′ , m ) and choose randomly r 1 = ( r 1 , 1 , r 1 , 2 ) ← $ D σ 1 m 1 × Z q 1 κ and r 2 = ( r 2 , 1 , r 2 , 2 ) ← $ D σ 2 m 2 × Z q 2 κ . We compute h 1 = A r 1 , 2 + ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ) and h 2 = A ˜ r 2 , 2 + ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ) , where ℋ q 1 and ℋ q 2 are two hash functions defined from Z q 1 * onto Z q 1 m 1 and Z q 2 * onto Z q 2 m 2 , respectively. Finally, we return ( h , r , etd ) , where h = ( h 1 , h 2 ) , r = ( r 1 , r 2 ) , and etd = seed .

KeyGen CHET : ̲

Input : Integers n 1 and q 1 where q 1 is a prime number. A Gaussian distribution D σ 1 .

Output : ( sk CHET , pk CHET ) = ( A σ 1 − 1 , A )

( A , A σ 1 − 1 ) ← $ KeyGen CH ( n 1 , q 1 , D σ 1 )
Set sk CHET = A σ 1 − 1 and pk CHET = A ∈ Z q 1 n 1 × m 1 where m 1 = n 1 ( ⌈ log ( q 1 ) ⌉ + 2 ) .
Return ( sk CHET , pk CHET ) .

Hash CHET : ̲

Input : Public parameters PP CHET , public key pk CHET = A , message to hash m .

Output : A hash h , a random value r and an ephemeral trapdoor etd .

Generate a pair ( sk CHET ′ , pk CHET ′ ) = ( etd , A ˜ ) ← $ GenTrap RO ( n 2 , q 2 ) of an ephemeral secret/public keys and set the ephemeral trapdoor sk CHET ′ = etd .
Set m ˜ = ( pk CHET , pk CHET ′ , m )
Choose randomly and uniformly ( r 1 , 1 , r 2 , 1 ) ← $ Z q 1 κ × Z q 2 κ
Compute y 1 = ℋ q ( pk CHET , m ˜ , r 1 , 1 ) and y 2 = ℋ q ( pk CHET ′ , m ˜ , r 2 , 1 )
Choose uniformly and randomly ( r 1 , 2 , r 2 , 2 ) ← $ D σ 1 m 1 × D σ 2 m 2
Compute h 1 = A r 1 , 2 T + y 1 and h 2 = A ˜ r 2 , 2 T + y 2
Set r 1 = ( r 1 , 1 , r 1 , 2 ) and r 2 = ( r 2 , 1 , r 2 , 2 )
Set h ′ = ( h 1 , h 2 ) and r = ( r 1 , r 2 )
Return h , r and etd where h = ( h ′ , pk CHET ′ ) .

Verif CHET : ̲

Input : pk CHET = A , message m , hash h and random value r .

Output : b ∈ { 0 , 1 }

Parse h as ( h ′ , pk CHET ′ ) , h ′ as ( h 1 , h 2 ) and r as ( r 1 , r 2 ) where pk CHET ′ = A ˜
Parse r 1 as ( r 1 , 1 , r 1 , 2 ) and r 1 as ( r 2 , 1 , r 2 , 2 ) .
Set m ˜ = ( pk CHET , pk CHET ′ , m )
Compute z 1 = A r 1 , 2 T + ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ) , and z 2 = A ˜ r 2 , 2 T + ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 )
If h 1 = z 1 and h 2 = z 2

Return 1.

Return 0.

For adaptiveness, we take as input a pair of secret/public keys ( sk CHET , pk CHET ) , an ephemeral trapdoor etd , where A ˜ σ − 1 = RO ( etd ) , an original message m , a hash h = ( h ′ , pk CHET ′ ) of m with the corresponding random value r = ( r 1 , r 2 ) , and a modified message m ′ . We set m ˜ = ( pk CHET , pk CHET ′ , m ) , m ˜ ′ = ( pk CHET , pk CHET ′ , m ′ ) and randomly choose ( r 1 , 1 ′ , r 2 , 1 ′ ) ← $ Z q 1 κ × Z q 2 κ . Then, we compute r 1 , 2 ′ = A σ − 1 ( h 1 − ℋ q 1 ( pk CHET , m ˜ ′ , r 1 , 1 ′ ) ) and r 2 , 2 ′ = A ˜ σ − 1 ( h 2 − ℋ q 2 ( pk CHET , m ˜ ′ , r 2 , 1 ′ ) ) . We output the random value r ′ = ( r 1 ′ , r 2 ′ ) where r 1 ′ = ( r 1 , 1 ′ , r 1 , 2 ′ ) and r 2 ′ = ( r 2 , 1 ′ , r 2 , 2 ′ ) .

Adapt CHET : ̲

Input : A secret key sk CHET = A σ − 1 , an ephemeral trapdoor etd , a message m ′ , a hash h with its corresponding random value r , the modified message m ′ .

Output : A new random value r ′ .

If Verif CH ( pk CHET , m , h , r ) = 0

Return ⊥ .

Compute A ˜ σ − 1 = RO ( etd ) .
Parse h as ( h ′ , pk CHET ′ ) , and h ′ as ( h 1 , h 2 ) .
Set m ˜ ′ = ( pk CHET , pk CHET ′ , m ′ ) .
Choose randomly ( r 1 , 1 ′ , r 2 , 1 ′ ) ← $ Z q 1 κ × Z q 2 κ .
Compute r 1 , 2 ′ = A σ 1 − 1 ( h 1 − ℋ q 1 ( pk CHET , m ˜ ′ , r 1 , 1 ′ ) ) and r 2 , 2 ′ = A ˜ σ 2 − 1 ( h 2 − ℋ q 2 ( pk CHET ′ , m ˜ ′ , r 2 , 1 ′ ) ) .
Set r ′ = ( r 1 ′ , r 2 ′ ) where r 1 ′ = ( r 1 , 1 ′ , r 1 , 2 ′ ) and r 2 ′ = ( r 2 , 1 ′ , r 2 , 2 ′ ) .
Return r ′ .

For the correctness of our proposed lattice-based CHET , we have the following proposition:

Proposition 2

The proposed lattice-based CHET is correct.

Proof

Let m be an original message and the pair ( h , r ) its CH with a random value where h = ( h ′ , pk CHET ′ ) and h ′ = ( h 1 , h 2 ) . Let m ′ be a modification of m . Suppose that the CH is computed honestly and we are in the presence of an honest trapdoor owner. For forging a hash, the trapdoor holder first chooses randomly and uniformly ( r 1 , 1 ′ , r 2 , 1 ′ ) ∈ Z q 1 κ × Z q 2 κ and computes u 1 = h 1 − ℋ q 1 ( pk CHET , m ˜ ′ , r 1 , 1 ′ ) and u 2 = h 2 − ℋ q 2 ( pk CHET ′ , m ˜ ′ , r 2 , 1 ′ ) . Then, it uses the trapdoor A σ 1 − 1 and A ˜ σ 2 − 1 = RO ( etd ) for sampling r 1 , 2 ′ and r 2 , 2 ′ , respectively, such that A r 1 , 2 ′ T = u 1 and A ˜ r 2 , 2 ′ T = u 2 . The probability that ‖ r 1 , 2 ′ ‖ > η 1 σ 1 m 1 or ‖ r 2 , 2 ′ ‖ > η 2 σ 2 m 2 is negligible [29], and moreover, we have

(1) A r 1 , 2 ′ T = h 1 − ℋ q 1 ( pk CHET , m ˜ ′ , r 1 , 1 ′ ) ⇒ A r 1 , 2 ′ T + ℋ q 1 ( pk CHET , m ˜ ′ , r 1 , 1 ′ ) = h 1 ,

(2) A r 2 , 2 ′ T = h 2 − ℋ q 2 ( pk CHET ′ , m ˜ ′ , r 2 , 1 ′ ) ⇒ A r 2 , 2 ′ T + ℋ q 2 ( pk CHET ′ , m ˜ ′ , r 2 , 1 ′ ) = h 2 .

Thus, we have

(3) A r 1 , 2 ′ T + ℋ q 1 ( pk CHET , m ˜ ′ , r 1 , 1 ′ ) = h 1 = A r 1 , 2 T + ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ) ,

(4) A r 2 , 2 ′ T + ℋ q 2 ( pk CHET ′ , m ˜ ′ , r 2 , 1 ′ ) = h 2 = A r 2 , 2 T + ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ) .

From (3) and (4), we have Verif CHET ( pk CHET , m ′ , h , r ′ ) = Verif CHET ( pk CHET , m , h , r ) = 1 .□

3.3 Security analysis

For the security analysis of our CHET scheme, it is important to note that in addition to the correctness, there are four required security properties for a CHET : indistinguishability, public collision-resistance, private collision-resistance, and uniqueness.

Proposition 3

The proposed lattice-based CHET is fully indistinguishable.

Proof

Let A be an adversary against our scheme in the full indistinguishability game. As mentioned in Section 2.5, in the full indistinguishability game, A is allowed to generate the secret and the public keys. Suppose that A is able to win the full indistinguishability game with a probability more than 1 2 , i.e., with a probability equal to 1 2 + ν , where ν is not negligible. That means that for h b and r b as given in Subsection 2.5, the adversary is able to distinguish at least from which message h b is computed or from which algorithm r b is computed with a probability equal to 1 2 + ν with ν non-negligible. We have:

For b ∈ { 0 , 1 } , we have r b = ( r b , 1 , r b , 2 ) , where r b , 1 = ( r b , 1 , 1 , r b , 1 , 2 ) ∈ Z q 1 κ × D σ 1 m 1 , and r b , 2 = ( r b , 2 , 1 , r b , 2 , 2 ) ∈ Z q 2 κ × D σ 2 m 2 . Hence, the distribution of the products A r b , 1 , 2 T and A ˜ r b , 2 , 2 T are is statistically close to uniform over Z q 1 n 1 and Z q 2 n 2 , respectively [20]; the distribution of h b , 1 = A r b , 1 , 2 T + ℋ q ( pk CHET , m b , r b , 1 , 1 ) and h b , 2 = A ˜ r b , 2 , 2 T + ℋ q ( pk CHET ′ , m b , r b , 2 , 1 ) are statistically close to uniform over Z q 1 n 1 and Z q 2 n 2 respectively. Therefore, the distribution of h ′ = ( h b , 1 , h b , 2 ) is statistically close to uniform over Z q 1 n 1 × Z q 2 n 2 . Moreover, p k CHET ′ is independent from the message m ; thus, A cannot distinguish h b = ( h ′ , pk CHET ′ ) with a probability 1 2 + ν with ν being non-negligible.
For b ∈ { 0 , 1 } , the distributions of h b , 1 and h b , 2 are statistically close to uniform over Z q 1 n 1 and Z q 2 n 2 respectively. Moreover, r b , 1 , 1 and r b , 2 , 1 are chosen randomly, uniformly, and independently from r b , 1 , 2 and r b , 2 , 2 , respectively. Thus, the distributions of u 1 = h b , 1 − ℋ q 1 ( pk CHET , m b , r b , 1 , 1 ) and u 2 = h b , 2 − ℋ q 2 ( pk CHET ′ , m b , r b , 2 , 1 ) are also statistically close to uniform over Z q 1 n 1 and Z q 2 n 2 , respectively. Thus, r b , 1 , 2 and r b , 2 , 2 are the sampled solutions from Gaussian distributions of random equations A x 2 T = u 1 and A ˜ x 2 T = u 2 , respectively. Hence, A cannot distinguish r b , 1 = ( r b , 1 , 1 , r b , 1 , 2 ) or r b , 1 = ( r b , 1 , 1 , r b , 1 , 2 ) with a probability 1 2 + ν ′ with ν ′ being non-negligible, and consequently, it will not be able to distinguish r b = ( r b , 1 , r b , 2 ) with a probability 1 2 + ν with ν being non-negligible.

From ( i ) and ( i i ), we conclude that our scheme is fully indistinguishable.□

Proposition 4

If the ISIS q , n , m , β and SIS q , n , m , δ assumptions hold, the proposed lattice-based CHET is unique.

Proof

Let A be an adversary against the proposed CHET in the uniqueness game. The goal of A is to find a random value a public key pk CHET , a message m , a hash h = ( h ′ , pk CHET ′ ) , and two random values r and r ′ such that r ≠ r ′ and Verif CHET ( pk CHET , m , h , r ) = Verif CHET ( pk CHET , m , h , r ′ ) = 1 . This means that the following holds:

(5) A r 1 , 2 T + ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ) = A r 1 , 2 ′ T + ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ′ ) = h 1 ,

(6) A ˜ r 2 , 2 T + ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ) = A ˜ r 2 , 2 ′ T + ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ′ ) = h 2 ,

where pk CHET ′ = A ˜ . The adversary A can proceed from different ways as follows:

A decides to keep ( r 1 , 2 ′ , r 2 , 2 ′ ) = ( r 1 , 2 , r 2 , 2 ) , and thus, it should find r 1 , 1 ′ and r 2 , 1 ′ such that ( r 1 , 1 ′ , r 2 , 1 ′ ) ≠ ( r 1 , 1 , r 2 , 1 ) . A will try to proceed by finding collisions r 1 , 1 ′ and r 2 , 1 ′ of r 1 , 1 and r 2 , 1 , respectively. In fact, it will try to find ( r 1 , 1 ′ , r 2 , 1 ′ ) ≠ ( r 1 , 1 , r 2 , 1 ) such that ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ′ ) = ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ) and ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ′ ) = ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ) . Finally, it will return r ′ = ( r 1 ′ , r 2 ′ ) with r 1 ′ = ( r 1 , 1 ′ , r 1 , 2 ) and r 2 ′ = ( r 2 , 1 ′ , r 2 , 2 ) . As the underlying hash functions ℋ q 1 and ℋ q 2 are collision-resistant, the probability that A succeeds is negligible and less than 2 q ℋ q q κ + q ℋ q q κ 2 , where q ℋ q is the maximum of number of queries that the adversary is authorized to make to the hash oracles and q = min ( q 1 , q 2 ) .
A decides to have ( r 1 , 1 ′ , r 2 , 1 ′ ) ≠ ( r 1 , 1 , r 2 , 1 ) and ( r 1 , 2 ′ , r 2 , 2 ′ ) ≠ ( r 1 , 2 , r 2 , 2 ) . This means that A is able to solve at least one of the equations A x 1 T = s 1 and A ˜ x 2 T = s 2 where s 1 = h − ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ′ ) and s 2 = h − ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ′ ) by choosing randomly ( r 1 , 1 ′ , r 2 , 1 ′ ) ∈ Z q 1 κ × Z q 2 κ . Thus, the probability that A will be able to produce the random value in this case is less than 2 ε ISIS q , n , m , β + ε ISIS q , n , m , β 2 , where ε ISIS q , n , m , β = max ( ε ISIS q 1 , n 1 , m 1 , β 1 , ε ISIS q 2 , n 2 , m 2 , β 2 ) . ε ISIS q 1 , n 1 , m 1 , β 1 and ε ISIS q 2 , n 2 , m 2 , β 2 are the advantage of an adversary to solve an instance of ISIS q 1 , n 1 , m 1 , β 1 and ISIS q 2 , n 2 , m 2 , β 2 , respectively, where β 1 = η 1 σ 1 m 1 and β 2 = η 2 σ 2 m 2 for a well-chosen value of η 1 and η 2 .
A decides to keep ( r 1 , 1 ′ , r 2 , 1 ′ ) = ( r 1 , 1 , r 2 , 1 ) . According to the fact that r ≠ r ′ , A should find ( r 1 , 2 ′ , r 2 , 2 ′ ) ≠ ( r 1 , 2 , r 2 , 2 ) such that A r 1 , 2 T = A r 1 , 2 ′ T and A ˜ r 2 , 2 T = A ˜ r 2 , 2 ′ T . This means that A is able to solve at least an instance of SIS q 1 , n 1 , m 1 , δ 1 or SIS q 2 , n 2 , m 2 , δ 2 with δ 1 = 2 β 1 and δ 2 = 2 β 2 , i.e., we have
(7) A r 1 , 2 T = A r 1 , 2 ′ T ⇒ A ( r 1 , 2 − r 1 , 2 ′ ) T = 0 ,

(8) A ˜ r 2 , 2 T = A ˜ r 2 , 2 ′ T ⇒ A ˜ ( r 2 , 2 − r 2 , 2 ′ ) T = 0 .
Thus, the probability that A will be able to produce the random value in this case is less than 2 ε SIS q , n , m , δ + ε SIS q , n , m , δ 2 , where ε SIS q , n , m , δ = max ( ε SIS q 1 , n 1 , m 1 , δ 1 , ε SIS q 2 , n 2 , m 2 , δ 2 ) . ε SIS q 1 , n 1 , m 1 , δ 1 and ε SIS q 2 , n 2 , m 2 , δ 2 are the advantage of an adversary to solve an instance of SIS q 1 , n 1 , m 1 , δ 1 and SIS q 2 , n 2 , m 2 , δ 2 , respectively.

To sum up, if Adv A CHET.Uni is the advantage of an adversary A in the uniqueness game, the following holds:

Adv A CHET.Uni ( λ ) ≤ 2 ε SIS q , n , m , δ ( λ ) + ε ISIS q , n , m , β ( λ ) + q ℋ q q κ + ε ISIS q , n , m , β 2 ( λ ) + ε SIS q , n , m , δ 2 ( λ ) + q ℋ q q κ 2 .

This concludes the proof.□

Proposition 5

If ISIS q , n , m , β assumption holds, the proposed lattice-based CHET scheme is strongly private collision-resistant.

Proof

Let ( m , r ) ≠ ( m ′ , r ′ ) be collision for the proposed CHET . It immediately yields to a solution of the system:

(9) A ( r 1 , 2 − r 1 , 2 ′ ) T = ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ′ ) − ℋ q 1 ( pk CHET , m ˜ , r 1 , 1 ) ,

(10) A ˜ ( r 2 , 2 − r 2 , 2 ′ ) T = ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ′ ) − ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ) .

As in the strong private collision-resistance game, the adversary A has access to the secret key sk CHET = A σ − 1 but not to the ephemeral trapdoor etd ; thus, winning means that it is able to solve A ˜ ( r 2 , 2 − r 2 , 2 ′ ) T = ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ′ ) − ℋ q 2 ( pk CHET ′ , m ˜ , r 2 , 1 ) . A ˜ ∈ Z q 2 n 2 × m 2 is an ephemeral public key, and r 2 , 1 ′ ∈ Z q 2 κ is a random vector. Consequently, A is able to solve an instance of ISIS q , n , m , β .□

4 New lattice-based RABE scheme

In this section, we introduce an adaptive secure lattice-based ciphertext policy RABE scheme. We design it using Tsabary’s lattice-based ABE [17] for which the secure assumption relies on decisional learning with errors. Unlike similar other lattice-based RABE , our scheme is based on a single attribute per user instead of a set of attributes. Attributes are represented by a binary string of length ℓ corresponding to the length of input points of t - CNF policies. For the purpose of managing the revocation, we use a binary tree where the leaves correspond to the user identities in the system. In the following, we first briefly recall the use of a binary tree in this context where we consider user identities id i to be binary strings of length k id . Then, we describe our scheme and show that it is correct. Near the end of this section, we give a security analysis of our scheme followed by a comparison of our scheme with two other lattice-based RABE schemes in terms of the size of the master secret key, the master public key, and the user secret key of our scheme.

4.1 Binary tree structure

For the design of our RABE , we consider user identities id as a binary string of length k id . We use a binary tree with 2 k id leaves labeled by a key j ∈ [ 2 k id , 2 k id + 1 − 1 ] and an identity id i , where k id corresponds to the binary size of identities id i . We denote a user leaf path from the root by Path ( id i ) , where id i is the user identity. When a user with identity id i is revoked at time T , we have Path ( id i ) ∩ Node T = ∅ , where Node T is an updated set of nodes obtained by executing the key updated nodes algorithm KUNode as described in the paper by Naor et al. [37]. Otherwise, there is an unique integer i ′ ∈ [ 1 , 2 k id + 1 − 1 ] such that Path ( id i ) ∩ Node T = { i ′ } .

For instance, in Figure 1, leaves 11, 14, and 15 are unassigned. Thus, if there is a new user in the system, it should be randomly assigned to one of these leaves. Moreover, each node contains a list of user identities that are under its control. The updated set of nodes will only contain the root when the revocation list is empty, i.e., Node T = { 1 } if RL = ∅ . When a user is revoked, none of the nodes from its identity path will be included in the updated set of nodes Node T . For instance, if the users with identity id 1 and id 5 are revoked, i.e, RL = { id 1 , id 5 } , the updated set of nodes Node T will become Node T = { 9 , 5 , 7 , 12 } . Thus, we have Node T ∩ Path ( id 1 ) = ∅ and Node T ∩ Path ( id 5 ) = ∅ . However, the user identity id 2 and id 3 are not revoked; thus, we have Node T ∩ { id 5 } = { 9 } and Node T ∩ { id 5 } = { 5 } . For all unassigned leaves or leaves with non-revoked identity, there is only one node from their path hat is included in Node T . We can summarize the key updated nodes algorithm as follows:

Figure 1

Binary tree.

KUNode ̲

Input : st , RL = { ( i , id , T i ) } , T

Output : Node T

Initialize S = ∅ and Node T = ∅
For all ( i , id , T i ) ∈ RL :
- If T i ≤ T :
  - Compute S = S ∪ Path ( id )
For all θ ∈ S :
- If θ l e f t ∉ S :
  - Node T = Node T ∪ { θ l e t f }
- If θ r i g h t ∉ S :
  - Node T = Node T ∪ { θ r i g h t }
Return Node T

4.2 Construction

The main tool used in the design of our adaptive secure RABE scheme is the conforming cPRF . Let F = ( F . Setup , F . Eval , F . Constrain , F . ConstrainEval ) be a conforming cPRF for a class of functions ℱ with input length ℓ and output length k . Let F.msk be a fixed master secret key of F and F.PP its public parameters. For all f ∈ ℱ and x ∈ { 0 , 1 } ℓ , let us consider the following circuits:

U σ ⟶ x : { 0 , 1 } λ ⟶ { 0 , 1 } k ,

F.msk ⟼ Eval ( F.msk , x )
U σ ⟶ f : { 0 , 1 } λ ⟶ { 0 , 1 } ℓ f ,

F.msk ⟼ Constrain ( F.msk , f )
U f ⟶ x : { 0 , 1 } ℓ f ⟶ { 0 , 1 } k

csk f ⟼ ConstrainEval ( csk f , x ) .

where ℓ f is the length of constrained key csk f of f . Note that F is a conforming cPRF , and hence, the gradual evaluation requirement is held by definition. However, for all f ∈ ℱ and for all x ∈ { 0 , 1 } ℓ , if f ( x ) = 1 , we have U σ ⟶ x ≡ U f ⟶ x ∘ U σ ⟶ f (see Section 2.3).

For the design of RABE , we need to consider the master secret key size λ of the conforming cPRF satisfying λ = k . However, instead of taking only the security parameter λ as input, our algorithm Setup takes as input the security parameter λ and the maximum number ∣ ℐD ∣ = 2 k id = N of users in the system. In our algorithm Setup , we first execute the algorithm P.Setup for generating the master secret key F.msk and public parameters F.PP for F . Then, we execute the trapdoor generator matrix algorithm GenTrap for sampling ( B , B τ 0 − 1 ) with B ∈ Z q n × m ′ , and then, we sample uniformly a matrix A ∈ Z q n × m 0 λ and a vector y ∈ Z q n . To finish, we set RL = ∅ , st = BT , mpk = ( A , B , y , F.PP ) and msk = ( B τ 0 − 1 , F.msk ) . We sum up the description of the algorithm Setup of our scheme as follows:

Setup : ̲

Input : Security parameter 1 λ , number N = 2 k id = ∣ ℐD ∣ of users in the system.

Output : Master public key mpk , master secret key msk , state st and revocation list RL with additional public parameter PP .

Generate the master key and public parameters ( F.msk , F.PP ) = P.Setup ( 1 λ ) of F and set σ = F.msk .
Choose randomly B ¯ ← $ Z q n × w with w = ⌈ log ( q ) ⌉ + 2 λ
Compute ( B , B τ 0 − 1 ) ← GenTrap D τ 0 ( B ¯ , H ) where B ∈ Z q n × m ′ , H ∈ Z q n × n is a random invertible matrix of size n × n and m ′ = ( n + 1 ) ⌈ log ( q ) ⌉ + 2 λ .
Choose two hash functions ℋ q and ℋ q ′ , where ℋ q takes as input a vector over Z q with arbitrary length and outputs a vector of Z q n and ℋ q ′ takes as input a vector over Z q with arbitrary length and outputs a binary vector of length m ′ .
Sample uniformly a matrix A ← $ Z q n × m 0 λ and sample randomly y ← $ Z q n .
Set st = BT and RL = ∅ .
Set mpk = ( A , B , y , F.PP , ℋ q , ℋ q ′ ) and msk = ( B τ 0 − 1 , σ ) .

Note that in our scheme, we consider that the users in the system are identified by an identity id ∈ { 0 , 1 } k id , where k id is a well-chosen positive integer while taking into account the scalability of the system. The secret key generation algorithm SKGen takes as input a master key msk , an identity id , a state st , and an attribute x . It outputs a secret key sk id for the user with identity id . Now, we recall the following theorem, which is necessary for the description of our secret key generation algorithm SKGen and encryption algorithm Enc .

Theorem 1

[17] There exist efficient deterministic algorithms EvalF and EvalFX such that for all n , q , ℓ ∈ N , and m 0 = n ⌈ log ( q ) ⌉ , for any depth d Boolean circuit f : { 0 , 1 } ℓ ⟶ { 0 , 1 } k , for every x ∈ { 0 , 1 } ℓ , and for any matrix A ∈ Z q n × m 0 ℓ , the outputs H ← EvalF ( f , A ) and H ^ ← EvalFX ( f , x , A ) are both in Z q m 0 ℓ × m 0 k , and it holds that ‖ H ‖ ∞ , ‖ H ^ ‖ ∞ ≤ ( 2 m 0 ) d and [ A − x ⊗ G ] H ^ = A H − f ( x ) ⊗ G ( mod q ) 2 , where ⊗ denotes the tensor product.

Moreover, for any f : { 0 , 1 } ℓ ⟶ { 0 , 1 } k , g : { 0 , 1 } k ⟶ { 0 , 1 } t , for any matrix A ∈ Z q n × m 0 ℓ , the outputs H f ← EvalF ( f , A ) , H g ← EvalF ( g , A H f ) and H f ∘ g ← EvalF ( g ∘ f , A ) satisfy H f H g = H g ∘ f .

We apply Theorem 1 to circuits U σ ⟶ f , U σ ⟶ x and U x ⟶ f for designing our secret key generation algorithm SKGen as follows:

SKGen : ̲

Input : Master secret key msk , state st , identity id and attribute x ∈ A

Output : A secret key sk id for the user with identity id and an updated state st .

Sample an unassigned leaf node in st and label it by the identity id .
Compute H σ → x = EvalF ( U σ → x , A )
Compute A x = A H σ → x
Compute r x = P.Eval σ ( x )
Compute H r x = EvalF ( I r x , A x ) where I r x : { 0 , 1 } k ⟶ { 0 , 1 } is a function such that I r x ( r ) = 1 if r x = r
Compute [ B ‖ A x , r x ] τ − 1 by using B τ 0 − 1 where A x , r x = A x H r x
Compute e id = ℋ q ′ ( A , B , q , id , z ) ∈ { 0 , 1 } m ′ and y 2 = y + y 1 , where z ← $ Z q λ 0 and y 1 = B e id with 2 λ = λ 0 ⌊ log ( q ) ⌋ .
Sample s id = [ B ‖ A x , r x ] τ − 1 ( y 2 )
Set sk id = ( x , r x , s id , e id ) ,

Note that, for a binary tree with 2 k id leaves, we have for each leaf k id + 1 nodes from the root. Therefore, as mentioned earlier if an assigned leaf is identified by ( j , id ) , where id ∈ { 1 , … , 2 k id } and j ∈ [ 2 k id , 2 k id + 1 − 1 ] , we can denote the path of each identity id in the tree by Path ( id ) , which is a subset of [ 1 , 2 k id + 1 − 1 ] of size k id + 1 containing 1 and j . In the algorithm KUpd , we first execute the update node algorithm KUNode ( st , RL , T ) to compute the updated node set Node T ; then, for all node θ ∈ Node T , we sample e θ , 1 ← $ { 0 , 1 } m ′ , and compute z = B e θ , 1 T , u θ , T = z ′ − z ∈ Z q n and e θ , 2 = B τ 0 − 1 ( u θ , T ) , where z ′ = ∑ i = 1 2 k id + 1 − 1 ℋ q ( A , B , q , i , T ) . Finally, we output the updated key material ku T = { ( θ , e θ , T , T ) : θ ∈ Node T } with e θ , T = ( e θ , 1 , e θ , 2 ) .

KUpd : ̲

Input : Master secret key msk , state st , time period T and revocation list RL .

Output : updated key material ku T for the time period T .

Compute Node T = KUNode ( st , RL , T )
For each θ ∈ Node T :
- (a) Sample e θ , 1 ← $ { 0 , 1 } m ′
- (b) Compute z = B e θ , 1 T , u θ , T = z ′ − z ∈ Z q n and e θ , 2 = B τ 0 − 1 ( u θ , T ) where z ′ = ∑ i = 1 2 k id + 1 − 1 ℋ q ( A , B , q , i , T )
Return ku T = { ( θ , e θ , T , T ) : θ ∈ Node T } with e θ , T = ( e θ , 1 , e θ , 2 )

Rev : ̲

Input : Identity id ∈ ℐD , revocation list RL and time period T ∈ T .

Output : Updated revocation list RL

Return RL = RL ∪ { ( i , id , T ) } , where i is the key of the leaf assigned to the identity id .

As a conforming cPRF F for access policies ℱ is used, a key simulation algorithm P.KeySim is required for generating the constrained key csk f of the access policy f ∈ ℱ (see [17, Definition 9]). Therefore, for encrypting a message m , we compute u 0 = s B + e 0 and u 1 = s [ A f − csk f ⊗ G ] + e 1 , where s is chosen uniformly and randomly in Z q n , e 0 and e 1 are chosen from the distributions χ m ′ and χ ˜ m 0 ℓ f , respectively. The matrix A f is defined by A f = A H σ → f , where H σ → f = EvalF ( U σ → f , A ) . Then, we compute u 2 = s y ′ T + s y T + e 2 + ⌊ q ⁄ 2 ⌉ m , where y ′ = ∑ i = 1 2 k id + 1 − 1 ℋ q ( A , B , q , i , T ) and e 2 ← $ χ . Finally, we output ct = ( csk f , u 0 , u 1 , u 2 ) as a ciphertext of m .

Enc : ̲

Input : Master public key mpk , message m ∈ { 0 , 1 } and access policy f and time period T .

Output : Ciphertext ct

Sample csk f ← $ P.KeySim ( F.PP , f )
Sample uniformly s ← $ Z q n , e 0 ← $ χ m ′ , e 1 ← $ χ ˜ m o ℓ f and e 2 ← $ χ
Compute u 0 = s B + e 0 and u 1 = s [ A f − csk f ⊗ G ] + e 1
Compute y ′ = ∑ i = 1 2 k id + 1 − 1 ℋ q ( A , B , q , i , T )
Compute and u 2 = s y ′ T + s y T + e 2 + ⌊ q ⁄ 2 ⌉ m
Set ct = ( csk f , u 0 , u 1 , u 2 ) .

Before presenting the decryption algorithm Dec , we describe the decoding-key generation algorithm DKGen . In our algorithm DKGen , if Path ( id ) ∩ Node T = ∅ , we return the fail symbol ⊥ . Otherwise, note that there is only one node θ ∈ Path ( id ) ∩ Node T and the output is decoding-key dk id , T = ( s θ , T , e T ) , where s θ , T = e θ , 2 and e T = e θ , 1 − e id with ( θ , e θ , T , T ) ∈ ku T and e θ , T = ( e θ , 1 , e θ , 2 ) .

For the decryption algorithm Dec , we first parse ct as ( csk f , u 0 , u 1 , u 2 ) . Then, we compute c = u 2 − [ u 0 ‖ u 1 H ^ csk f → r ′ H ^ r x , r ′ ] s id T − u 0 s θ , T T − u 0 e T T , where r ′ = U f → x ( csk f ) , H ^ csk f → r ′ = EvalFX ( U f → x , csk f , A f ) and H ^ r x , r ′ = EvalFX ( I x , r ′ , A x ) . Finally, if ∣ c ∣ > q ⁄ 4 , we output m = 1 as the plaintext; else, we output m = 0.

DKGen : ̲

Input : Secret key sk id and updated key material ku T

Output : Decryption key dk id , T or ⊥

Find node θ ∈ Path ( id ) ∩ Node T .
If Path ( id ) ∩ Node T = ∅ return ⊥ .
Otherwise, find ( θ , * , * ) in ku T and output dk id , T = ( s θ , T , e T ) with e T = e θ , 1 − e id and s θ , T = e θ , 2

Dec : ̲

Input : Decryption key dk id , T and ciphertext ct

Output : Plaintext m ∈ { 0 , 1 }

Parse dk id , T as ( x , r x , s id , s θ , T , e T ) and ct as ( csk f , u 0 , u 1 , u 2 ) .
Compute r ′ = U f → x ( csk f ) .
If r x = r ′ , then abort. Otherwise, compute A f and A x .
Compute H ^ csk f → r ′ = EvalFX ( U f → x , csk f , A f ) and H ^ r x , r ′ = EvalFX ( I x , r ′ , A x ) .
Compute c = u 2 − [ u 0 ‖ u 1 H ^ csk f → r ′ H ^ r x , r ′ ] s id T − u 0 s θ , T T − u 0 e T T
Output m = 0 if ∣ c ∣ ≤ q ⁄ 4 . Otherwise, output m = 1 .

Correctness ̲

As mentioned earlier, in our decryption algorithm, we compute r ′ = U f → x ( s f ) and then abort the decoding if r ′ = r x . Otherwise, we compute c = u 2 − [ u 0 ‖ u 1 H ^ csk f → r ′ H ^ r x , r ′ ] s id T − u 0 s θ , T T − u 0 e T T . Note that based on the random value of the conforming cPRF , it was shown in [17] that r ′ ≠ r x with all but negligible probability. It was shown also that if r ′ ≠ r x , we have:

u 1 H ^ csk f → r ′ H ^ r x , r ′ = s A x , r x + e 1 ′ ,

with e 1 ′ = e 1 H ^ csk f → r ′ H ^ r x , r ′ . Therefore, we have

c = u 2 − [ u 0 ‖ u 1 H ^ csk f → r ′ H ^ r x , r ′ ] s id T − u 0 s θ , T T − u 0 e T T = s y T + s y ′ T + e 2 + ⌊ q ⁄ 2 ⌉ m − [ u 0 ‖ u 1 H ^ csk f → r ′ H ^ r x , r ′ ] s id T − u 0 s θ , T T − u 0 e T T = e 2 + ⌊ q ⁄ 2 ⌉ m − [ e 0 ‖ e 1 ′ ] s id T − e 0 s θ , T T − e 0 e T T .

Based on the properties of the discrete Gaussian distribution, we have ‖ s id ‖ ∞ ≤ τ m ′ + m 0 (respectively, ‖ s θ , T ‖ ∞ ≤ τ 0 m ′ ) with all but 2 − ( m ′ + m 0 ) (respectively, 2 − m ′ ) probability. In addition, due to the fact that ‖ e 1 ′ ‖ ∞ ≤ m 0 2 ℓ f k B ˜ ( 2 m 0 ) d C o n E v + 1 (see [17]), if m ′ , k , ℓ f ∈ O ( n , ⌈ log ( q ) ⌉ ) , B ˜ ∈ O ( B , n ) , τ ∈ O ( k , λ , ( 2 m 0 ) d + 3 ) , and u = e 2 − [ e 0 ‖ e 1 ′ ] s id T − e 0 s θ , T T − e 0 e T T , we have with all but negligible probability that:

∣ u ∣ ≤ ∣ e 2 ∣ + ( m ′ ‖ e 0 ‖ ∞ + m 0 ‖ e 1 ′ ‖ ∞ ) ‖ s id ‖ ∞ + m ′ ‖ e 0 ‖ ∞ ‖ s θ , T ‖ ∞ + m ′ ‖ e 0 ‖ ∞ ‖ e T ‖ ∞ ≤ B + ( m ′ B + m 0 3 ℓ k B ˜ ( 2 m 0 ) d C o n E v + 1 ) τ m ′ + m 0 + m ′ B τ 0 m ′ + m ′ B ≤ B + ( 3 m ′ B + m 0 3 ℓ f k B ˜ ( 2 m 0 ) d C o n E v + 1 ) τ m ′ + m 0 ≤ B . p o l y ( n , ⌈ log ( q ) ⌉ ) ( 2 m 0 ) d C o n E v + d + 4 .

By denoting E ′ = 4 . p o l y ( n , ⌈ log ( q ) ⌉ ) ( 2 m 0 ) d C o n E v + d + 4 and E = B . p o l y ( n , ⌈ log ( q ) ⌉ ) ( 2 m 0 ) d C o n E v + d + 4 , if we choose E ′ to be bounded by q ⁄ B , then E is bounded by q ⁄ 4 . Therefore, if m = 0 , then ∣ c ∣ ≤ q ⁄ 4 ; otherwise, ∣ c ∣ > q ⁄ 4 . We now have the following proposition:

Proposition 6

The proposed lattice-based RABE is correct.

4.3 Security analysis and key size comparison

With regard to the security of the proposed RABE , we present the following theorem:

Theorem 2

Given a conforming cPRF for a function class ℱ , the RABE designed in Section 4.2 is IND - aCPA secure with respect to ℱ and under the hardness of DLWE q , n , m , χ .

Proof

The proof of Theorem 2 is similar to that of [17, Lemma 2]. It can be done by a sequence of hybrids; the only difference is that we need to take into account the way the challenger C should answer to updated key material queries from the adversary A . We will proceed by considering a sequence of hybrids:

Hybrid 0 : ̲ This game is the adaptive game described in Section 2.4.

Hybrid 1 : ̲ This hybrid is the same as Hybrid 0 except the way that C answers the challenger query f * . It computes csk f ← F . Constrain σ ( f * ) instead of csk f ← P.KeySim σ ( f * ) . Therefore, we have csk f = U σ ⟶ f ( σ ) . However, based on a reduction to the key simulation game of conforming cPRF , it was shown in [17, Proof of Lemma 2] that the advantage for distinguishing Hybrid 0 and Hybrid 1 corresponds to the advantage of an adversary A F in the key simulation game of conforming cPRF . That means that Hybrid 0 and Hybrid 1 are indistinguishable.

Hybrid 2 : ̲ The difference between Hybrid 1 and Hybrid 2 is the way that the challenger C generates the matrix A . It computes the matrix A as follows: A = B R + σ ⊗ G , where R ← $ { 0 , 1 } m ′ × m 0 λ . From Proposition 1, B is statistically close to uniform, and therefore, from the extended leftover lemma, Hybrid 1 and Hybrid 2 are indistinguishable.

Hybrid 3 : ̲ This hybrid is similar to Hybrid 2 but we change how the challenger computes u 1 during the challenge query f * . However, u 0 and u 2 are computed as described in the scheme. Indeed, the challenger computes u 1 as u 1 = u 0 R H ^ msk → r x + e 1 , where H ^ msk → r x ← EvalFX ( U σ → x , σ , A ) , A f − csk f ⊗ G = B R H ^ msk → r x and u 0 = s B + e 0 with s ← $ Z q n , e 0 ← $ χ m ′ , e 1 ← $ χ ˜ m ℓ . We then have

u 1 = u 0 R H ^ msk → r x + e 1 = s B R H ^ msk → r x + e 0 R H ^ msk → r x + e 1

and B ′ = ‖ R H ^ msk → r x ∣ ∞ ≤ ( m 0 + m ′ ) λ ‖ e 0 ‖ ∞ ‖ R ‖ ∞ ‖ H ^ msk → r x ‖ ∞ ≤ ( m 0 + m ′ ) λ B ( 2 m 0 ) d c o n , where d c o n is the depth of U σ → f . Since χ ˜ is B ′ -swallowing, the difference between Hybrid 2 and Hybrid 3 is statistically indistinguishable.

Hybrid 4 : ̲ The difference between this hybrid and Hybrid 3 is the way that the challenger answers to key queries. Indeed, if ( id , x ) is submitted, C fixes r x ← P.Eval σ ( x ) and H ^ msk → r x ← EvalFX ( U σ → x , σ , A ) . It also samples y id ← $ Z q n . Due to the fact that I r x = 1 , it was shown in [17] that

[ B ‖ A x , r x ] = [ B ‖ B R H ^ msk → r x H ^ r x , r x + G ] with H ^ r x , r x = EvalFX ( I r x , r x , A x ) .

We now have

‖ R H ^ msk → r x H ^ r x , r x ‖ ∞ ≤ m 0 2 k λ ‖ R ‖ ∞ ‖ H msk → r x ‖ ∞ ‖ H r x , r x ‖ ∞ ≤ m 0 2 k λ ( 2 m 0 ) d + 1

According to Proposition 1, given B and R H ^ msk → r x H ^ r x , r x the challenger can efficiently compute [ B ‖ A x , r x ] τ ′ − 1 for some τ ′ = O ( k , λ , ( 2 m 0 ) d + 3 ) . Thus, if τ ≥ τ ′ , the challenger can sample [ B ‖ A x , r x ] τ ′ − 1 ( y id − ( q − 1 ) y ′ ) without using the trapdoor B τ 0 − 1 , where y ′ = y − y id .

Hybrid 5 : ̲ This game is similar to the previous game with the only difference being in the computing of the updated key material ku T . Indeed, for all θ ∈ Node T , instead of computing e θ , T = B τ 0 − 1 ( ℋ ( A , B , q , θ , T ) ) , the challenger C first randomly chooses e ¯ θ , T ← $ χ m ′ , then computes y θ , T = B e ¯ θ , T , and finally set e θ , T = e ¯ θ , T . It stores ( θ , y θ , T , e θ , T , T ) and configures an RO such that when the adversary queries with input ( θ , T ) for ℋ ( A , B , q , θ , T ) , the challenger C returns u θ , T . Therefore, we can see that with a well-chosen set of parameters the change between Hybrid 4 and Hybrid 5 is statistically indistinguishable.

Hybrid 6 : ̲ This game is similar to the previous game with the only difference being in the way that the adversary chooses the matrix B . It chooses the matrix B randomly from Z q n × m ′ instead of using the trapdoor generation algorithm. According to Proposition 1, this change between Hybrid 5 and Hybrid 6 is statistically indistinguishable.

Hybrid 7 : ̲ The difference between Game 6 and Game 7 is in the way that the challenger computes ct * in the challenge query. Indeed, in the computation of ct * , the challenger chooses randomly u 0 ← $ Z q m ′ and u 2 ← $ Z q . We can see that this change is computationally indistinguishable under the DLWE q , n , m , χ assumption. Therefore, from this step, we can see that the challenger is able to hide completely b , and then, the adversary A has no advantage.□

In Table 1, we make a brief comparison of our scheme with that of the RABE schemes from previous studies [38,39], noting that the underlying hard problems that these three schemes rely on are considered quantum secure. Our comparison is based on the sizes of master secret key msk , master public key mpk , secret key sk , and the security model. In terms of access policy, similar to the proposed scheme, the scheme of Dong et al. and Luo et al. used boolean circuit as the access policy [39,40]. However, their schemes are key policy attribute-based schemes instead of ciphertext policy attribute-based schemes. In Dong et al.’s scheme [38], an arithmetic circuit is used as the access policy. In the scheme of Huang et al. and Yang et al. [41,42], linear secret sharing scheme (LSSS) access structures are used for access policy. We also note that the proposed scheme is adaptive secure compared to the other schemes in the table.

Table 1

Comparison of the proposed scheme with relevant schemes

Scheme	Model	mpk	msk	sk	Sec. Model	PQC
LAWWC23 [40]	KP - ABE	n ( m ℓ + m + ω log ( n ) ) log ( q )	m 2 log ( q )	2 m ω log ( n ) log ( q )	Selective	Yes
HGL23 [41]	CP - ABE	( 2 ℓ + 3 ) m n log ( q )	m n log ( q )	2 m n ( log ( N ) + ℓ + 2 ) log ( q )	Selective	Yes
YWDFLW20 [42]	CP - ABE	n ( 5 m + ℓ + 1 ) log ( q )	m 2 log ( q )	2 m log ( ℓ ) log ( q )	Selective	Yes
KMT [43]	IBE	6 n m log ( q )	2 n m log ( q )	2 m n log ( N ) log ( q ) + 4 m 2 log ( q )	Selective	Yes
CLLWN12 [44]	IBE	5 n m log ( q )	n m log ( q )	2 m log ( q )	Selective	Yes
DZWC20 [39]	KP - ABE	( 4 ℓ + 3 ) m n log ( q )	( 4 ℓ + 2 ) m n log ( q )	2 m n log ( q )	Selective	yes
DHWLG21 [38]	KP - ABE	( ℓ + 3 ) m n log ( q )	2 m n log ( q )	2 m 2 log ( q ) ( log ( N ) + 2 )	Selective	Yes
Our	CP - ABE	( λ + 4 ) m n log ( q )	λ + m n log ( q )	λ + ℓ + ( ℓ + 6 ) m 2 log ( q )	Adaptive	Yes

5 Lattice-based RPCH scheme

In this section, we describe our lattice-based RPCH . Its design follows Xu et al.’s [10] construction, and hence, it is a combination of our RABE and CHET schemes. Since we will use the modified version of the trapdoor generator algorithm, the message space in our underlying RABE will be { 0 , 1 } μ . Therefore, we will consider as a security assumption the version of the decisional learning with errors problem for which the secret key is a matrix of Z q m × μ instead of a vector of Z q m . We denote this version by DLWE q , n × μ , m , χ . Note that when μ = 1 , it just becomes the main decisional learning with error problem DLWE q , n , m , χ . It is also important to recall that Micciancio established in [45, Lemma 8] that there is a polynomial-time reduction from DLWE q , n , m , χ to DLWE q , n × μ , m , χ . Moreover, if there is a PPT adversary A that can distinguish DLWE q , n × μ , m , χ with an advantage ε , it can then distinguish DLWE q , n , m , χ with an advantage ε ⁄ μ (see [45, Proof of Lemma 8]). Therefore, it is important to choose parameters to have a security level close to that of DLWE q , n , m , χ .

In the design of our RPCH , μ is chosen to be equal to the security parameters λ . The key update KUpd and the revocation list Rev algorithms correspond to that of our RABE . However, the secret key generation and the setup algorithms are designed by taking into account our CH scheme.

Setup RPCH : ̲

Input : Security parameter λ and number N = 2 k id = ∣ ℐD ∣ of users in the system.

Output : mpk RPCH and msk RPCH

Compute ( msk RABE , mpk RABE ) ← Setup RABE ( 1 λ , N ) where N = 2 k id .
Compute PP CHET ← Setup CHET ( 1 λ )
Generate a pair ( sk CHET , pk CHET ) ← KeyGen CHET ( n 1 , q 1 , D σ 1 ) of public and secret keys of our chameleon hash sk CHET = A σ 1 − 1 and pk CHET = A 1 ∈ Z q 1 n 1 × m 1 .
Set mpk RPCH = ( mpk RABE , pk CHET ) and msk RPCH = ( msk RABE , sk CHET )

SKGen RPCH : ̲

Input : Master secret key msk RPCH , state st , user identity id with its attribute x

Output : Secret key sk id for a user with identity id and attribute x .

Parse msk RPCH as ( msk RABE , A σ 1 − 1 ) .
Compute sk RABE , id ← SKGen RABE ( msk RABE , st , id , x ) .
Set sk id ← ( sk RABE , id , A σ 1 − 1 ) .
Return sk id .

In the design of our hash algorithm Hash , we use the Fujisaki–Okamoto transformation to our underlying RABE . For that, we use a symmetric encryption scheme with security parameter λ . We choose λ as the length of plaintext in our RABE . Let us denote the symmetric encryption scheme by SymEnc . We also use a hash function ℋ 2 : { 0 , 1 } λ × { 0 , 1 } λ ⟶ { 0 , 1 } λ .

Hash RPCH : ̲

Input : Master public key mpk RPCH , message to hash m .

Output : A pair ( h , r ) of a hash h and a random value r .

Parse mpk RPCH as ( mpk RABE , pk CHET )
Compute ( h ′ , r , etd ) = Hash CHET ( pk CHET , m )
Generate seed Sym ← $ { 0 , 1 } λ
Generate the symmetric key k ← RO Sym ( seed Sym ) .
Compute ct s ← SymEnc ( k , etd ) and ct ← Enc RABE ( mpk RABE , seed Sym , f , T )
Set c = ( ct s , ct , ct h a s h ) , where ct h a s h = ℋ 2 ( seed Sym , etd )
Return h = ( h ′ , c ) and r , where h ′ = ( h 1 , h 2 , pk CHET ′ ) and r = ( r 1 , r 2 ) .

Verif RPCH : ̲

Input : Master public key mpk , message m , hash h and random value r .

Output : b ∈ { 0 , 1 }

Parse mpk as ( mpk RABE , pk CHET ) and h as ( h ′ , c )
If Verif CHET ( pk CHET , m , h ′ , r ) = 1

Return 1.
Return 0.

DKGen RPCH : ̲

Input : A secret key sk id , and the updated key material ku T .

Output : A decryption key dk id , T .

Parse sk id as ( sk RABE , id , sk CHET )
Compute dk RABE , id , T = DKGen RABE ( sk RABE , id , ku T )
Set dk id , T = ( dk RABE , id , T , sk CHET )

Adapt RPCH : ̲

Input : Decoding key dk id , T , master secret key msk , master public key mpk , original message m , new message m ′ , hash h , and random value r .

Output : A new random value r ˜

Parse mpk as ( mpk RABE , pk CHET ) and h as ( h ′ , c ) .
If Verif CHET ( pk CHET , m , h ′ , r ) = 0 :

Return ⊥ .
Parse c as ( ct s , ct , ct h a s h ) .
Parse dk id , T as ( dk RABE , id , T , sk CHET ) .
Compute seed Sym ← Dec RABE ( dk RABE , id , T , ct ) .
Compute k ← RO Sym ( seed Sym ) .
Compute etd ← Dec Sym ( k , ct s ) .
If ℋ 2 ( seed Sym , etd ) ≠ ct h a s h :

Return ⊥ .
Compute r ˜ ← Adapt CHET ( sk CHET , etd , m , m ′ , h ′ , r ) .
Return r ˜ .

Note that the RPCH designed in this paper is based on an IND - aCPA secure RABE and a CHET , which is fully indistinguishable, strongly private collision-resistant, unique, and correct. Therefore, according to [10, Theorem 2], we have the following:

Theorem 3

The proposed RPCH is fully indistinguishable, insider collision-resistant, unique, and correct.

6 Conclusion

To our knowledge, this article presents the first-ever lattice-based RPCH . For its design, we have designed a lattice-based CHET scheme. Due to the fact that our RPCH scheme is based on the generic construction of Derler et al., which requires a RABE scheme, we have presented a new lattice-based RABE scheme. We have proven that the proposed RABE scheme is adaptively secured and compared it to recent and relevant schemes.

Acknowledgements

The majority of the work was done when the corresponding author was affiliated with the University of Waterloo as a Post-doctoral researcher. The authors would like to thank the anonymous reviewers for their comments on an earlier version of this article.

Funding information: This work was supported by Ripple Impact Fund/Silicon Valley Community Foundation (Grant 2018-188473).
Author contributions: All authors have accepted responsibility for the entire content of this manuscript and consented to its submission and publication to the journal, reviewed all the results, and approved the final version of the manuscript. JBK designed, performed the security proof of the proposed schemes and drafted the manuscript. MAH provided technical review and editing of the manuscript.
Conflict of interest: The authors state that there is no conflict of interest.

References

[1] Krawczyk H, Rabin T. Chameleon hashing and signatures; 1998. https://ia.cr/1998/010. Cryptology ePrint Archive, Report 1998/010. Search in Google Scholar

[2] Camenisch J, Derler D, Krenn S, Pöhls HC, Samelin K, Slamanig D. Chameleon-Hashes with ephemeral trapdoors - and applications to invisible sanitizable signatures. In: Fehr S, editor. Public-Key Cryptography - PKC 2017 - 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28–31, 2017, Proceedings, Part II. vol. 10175 of Lecture Notes in Computer Science. Springer; 2017. p. 152–82. 10.1007/978-3-662-54388-7_6Search in Google Scholar

[3] Ateniese G, Chou DH, Medeiros Bd, Tsudik G. Sanitizable signatures. In: European Symposium on Research in Computer Security. Springer, Berlin, Heidelberg; 2005. p. 159–77. 10.1007/11555827_10Search in Google Scholar

[4] Even S, Goldreich O, Micali S. On-line/offline digital signatures. J Cryptol. 1996;9(1):35–67. 10.1007/BF02254791Search in Google Scholar

[5] Krawczyk H, Rabin T. Chameleon signatures. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2000, San Diego, California, USA. The Internet Society; 2000. p. 143–54. Search in Google Scholar

[6] Shamir A, Tauman Y. Improved online/offline signature schemes. In: Annual International Cryptology Conference. Springer; 2001. p. 355–67. 10.1007/3-540-44647-8_21Search in Google Scholar

[7] Chen X, Zhang F, Susilo W, Mu Y. Efficient generic on-line/offline signatures without key exposure. In: International Conference on Applied Cryptography and Network Security. Springer; 2007. p. 18–30. 10.1007/978-3-540-72738-5_2Search in Google Scholar

[8] Ateniese G, Magri B, Venturi D, Andrade E. Redactable blockchain or rewriting history in Bitcoin and friends. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE; 2017. p. 111–26. 10.1109/EuroSP.2017.37Search in Google Scholar

[9] Derler D, Samelin K, Slamanig D, Striecks C. Fine-grained and controlled rewriting in blockchains: Chameleon-Hashing gone attribute-based. In: 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24–27, 2019. The Internet Society; 2019. 10.14722/ndss.2019.23066Search in Google Scholar

[10] Xu S, Ning J, Ma J, Xu G, Yuan J, Deng RH. Revocable policy-based Chameleon Hash. In: European Symposium on Research in Computer Security. Springer International Publishing; 2021. p. 327–47. 10.1007/978-3-030-88418-5_16Search in Google Scholar

[11] Cash D, Hofheinz D, Kiltz E, Peikert C. Bonsai trees, or how to delegate a lattice basis. J Cryptol. 2012;25(4):601–39. 10.1007/s00145-011-9105-2Search in Google Scholar

[12] Ateniese G, de Medeiros B. Identity-based chameleon hash and applications. In: Financial Cryptography: 8th International Conference, FC 2004, Key West, FL, USA, February 9–12, 2004. Revised Papers 8. Springer; 2004.p. 164–80. 10.1007/978-3-540-27809-2_19Search in Google Scholar

[13] Bao F, Deng RH, Ding X, Lai J, Zhao Y. Hierarchical identity-based chameleon hash and its applications. In: Applied Cryptography and Network Security: 9th International Conference, ACNS 2011, Nerja, Spain, June 7–10, 2011. Proceedings 9. Springer; 2011. p. 201–19. 10.1007/978-3-642-21554-4_12Search in Google Scholar

[14] Chen X, Tian H, Zhang F, Ding Y. Comments and improvements on key-exposure free chameleon hashing based on factoring. In: International Conference on Information security and Cryptology. Springer; 2010. p. 415–26. 10.1007/978-3-642-21518-6_29Search in Google Scholar

[15] Zhang F, Safavi-Naini R, Susilo W. ID-based chameleon hashes from bilinear pairings. Cryptology ePrint Archive. 2003. Search in Google Scholar

[16] Brzuska C, Fischlin M, Freudenreich T, Lehmann A, Page M, Schelbert J, et al. Security of sanitizable signatures revisited. In: Public Key Cryptography-PKC 2009: 12th International Conference on Practice and Theory in Public Key Cryptography, Irvine, CA, USA, March 18–20, 2009. Proceedings 12. Springer; 2009. p. 317–36. 10.1007/978-3-642-00468-1_18Search in Google Scholar

[17] Tsabary R. Fully secure attribute-based encryption for t-CNF from LWE. In: Annual International Cryptology Conference. Springer; 2019. p. 62–85. 10.1007/978-3-030-26948-7_3Search in Google Scholar

[18] Xiong H, Huang X, Yang M, Wang L, Yu S. Unbounded and efficient revocable attribute-based encryption with adaptive security for cloud-assisted internet of things. IEEE Internet Things J. 2022;9(4):428–41.10.1109/JIOT.2021.3094323Search in Google Scholar

[19] Micciancio D, Peikert C. Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval D, Johansson T, editors. Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings. Vol. 7237 of Lecture Notes in Computer Science. Springer; 2012. p. 700–18. 10.1007/978-3-642-29011-4_41Search in Google Scholar

[20] Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the fortieth annual ACM symposium on Theory of computing; 2008. p. 197–206. 10.1145/1374376.1374407Search in Google Scholar

[21] Ajtai M. Generating hard instances of lattice problems. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing; 1996. p. 99–108. 10.1145/237814.237838Search in Google Scholar

[22] Alwen J, Peikert C. Generating shorter bases for hard random lattices. Theory Comput Syst. 2011;48(3):535–53. 10.1007/s00224-010-9278-3Search in Google Scholar

[23] Agrawal S, Boneh D, Boyen X. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Annual Cryptology Conference. Springer; 2010. p. 98–115. 10.1007/978-3-642-14623-7_6Search in Google Scholar

[24] Laarhoven T, van De Pol J, De Weger B. Solving hard lattice problems and the security of lattice-based cryptosystems. Cryptology ePrint Archive. 2012. Search in Google Scholar

[25] Albrecht MR, Deo A. Large modulus Ring-LWE ≥ module-LWE. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2017. p. 267–96. 10.1007/978-3-319-70694-8_10Search in Google Scholar

[26] Koo Z, Lee Y, Lee JW, No JS, Kim YS. Improved reduction between SIS problems over structured lattices. IEEE Access. 2021;9:157083–92. 10.1109/ACCESS.2021.3128139Search in Google Scholar

[27] Micciancio D, Peikert C. Hardness of SIS and LWE with small parameters. In: Annual Cryptology Conference. Springer; 2013. p. 21–39. 10.1007/978-3-642-40041-4_2Search in Google Scholar

[28] Regev O. On lattices, learning with errors, random linear codes, and cryptography. J ACM (JACM). 2009;56(6):1–40. 10.1145/1568318.1568324Search in Google Scholar

[29] Lyubashevsky V. Lattice signatures without trapdoors. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer; 2012. p. 738–55. 10.1007/978-3-642-29011-4_43Search in Google Scholar

[30] Goldreich O, Goldwasser S, Micali S. How to construct random functions. J ACM. 1986;33(4):792–807. 10.1145/6490.6503Search in Google Scholar

[31] Boneh D, Waters B. Constrained pseudorandom functions and their applications. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2013. p. 280–300. 10.1007/978-3-642-42045-0_15Search in Google Scholar

[32] Peter N, Tsabary R, Wee H. One-one constrained pseudorandom functions. In: 1st Conference on Information-theoretic Cryptography (ITC 2020). Schloss Dagstuhl-Leibniz-Zentrum für Informatik; 2020. Search in Google Scholar

[33] Sahai A, Waters B. Fuzzy identity-based encryption. In: Cramer R, editor. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings. vol. 3494 of Lecture Notes in Computer Science. Springer; 2005. p. 457–73. Search in Google Scholar

[34] Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security; 2006. p. 89–98. 10.1145/1180405.1180418Search in Google Scholar

[35] Derler D, Samelin K, Slamanig D. Bringing order to Chaos: the case of collision-resistant Chameleon-Hashes. In: Kiayias A, Kohlweiss M, Wallden P, Zikas V, editors. Public-Key Cryptography - PKC 2020 - 23rd IACR International Conference on Practice and Theory of Public-Key Cryptography, Edinburgh, UK, May 4–7, 2020, Proceedings, Part I. vol. 12110 of Lecture Notes in Computer Science. Springer; 2020. p. 462–92. 10.1007/978-3-030-45374-9_16Search in Google Scholar

[36] Derler D, Krenn S, Samelin K, Slamanig D. Fully collision-resistant Chameleon-Hashes from simpler and post-quantum assumptions. In: International Conference on Security and Cryptography for Networks. Springer; 2020. p. 427–47. 10.1007/978-3-030-57990-6_21Search in Google Scholar

[37] Naor D, Naor M, Lotspiech J. Revocation and tracing schemes for stateless receivers. In: Annual International Cryptology Conference. Springer; 2001. p. 41–62. 10.1007/3-540-44647-8_3Search in Google Scholar

[38] Dong X, Hu Y, Wang B, Liu M, Gao W. Lattice-based revocable attribute-based encryption with decryption key exposure resistance. IET inform security. 2021;15(6):428–41.10.1049/ise2.12033Search in Google Scholar

[39] Dong X, Zhang Y, Wang B, Chen J. Server-aided revocable attribute-based encryption from lattices. Security Commun Netw. 2020;2020:1460531. 10.1155/2020/1460531Search in Google Scholar

[40] Luo F, Al-Kuwari S, Wang H, Wang F, Chen K. Revocable attribute-based encryption from standard lattices. Comput Standards Interfaces. 2023;84:103698. 10.1016/j.csi.2022.103698Search in Google Scholar

[41] Huang B, Gao J, Li X. Efficient lattice-based revocable attribute-based encryption against decryption key exposure for cloud file sharing. J Cloud Comput. 2023;12(1):1–15. 10.1186/s13677-023-00414-wSearch in Google Scholar PubMed PubMed Central

[42] Yang K, Wu G, Dong C, Fu X, Li F, Wu T. Attribute based encryption with efficient revocation from lattices. Int J Netw Secur. 2020;22(1):161–70. Search in Google Scholar

[43] Katsumata S, Matsuda T, Takayasu A. Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance. Theoretic Comput Sci. 2020;809:103–36. 10.1016/j.tcs.2019.12.003Search in Google Scholar

[44] Chen J, Lim HW, Ling S, Wang H, Nguyen K. Revocable identity-based encryption from lattices. In: Information Security and Privacy: 17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, July 9–11, 2012. Proceedings 17. Springer; 2012. p. 390–403. 10.1007/978-3-642-31448-3_29Search in Google Scholar

[45] Micciancio D. On the hardness of learning with errors with binary secrets. Theory Comput. 2018;14(1):1–17. 10.4086/toc.2018.v014a013Search in Google Scholar

Received: 2023-05-15

Revised: 2024-03-05

Accepted: 2024-09-16

Published Online: 2024-11-28

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

https://doi.org/10.1515/jmc-2023-0012

Keywords for this article

lattice-based cryptography; hash function; chameleon hash function; attribute-based encryption

Creative Commons

BY 4.0