
mRLWE-CP-ABE: A revocable CP-ABE for post-quantum cryptography

  • Marco Cianfriglia, Elia Onofri and Marco Pedicini
Published/Copyright: February 14, 2024

Abstract

We address the problem of user fast revocation in the lattice-based Ciphertext Policy Attribute-Based Encryption (CP-ABE) by extending the scheme originally introduced by Zhang and Zhang [Zhang J, Zhang Z. A ciphertext policy attribute-based encryption scheme without pairings. In: International Conference on Information Security and Cryptology. Springer; 2011. p. 324–40. doi: https://doi.org/10.1007/978-3-642-34704-7_23.]. While a lot of work exists on the construction of revocable schemes for CP-ABE based on pairings, works based on lattices are not so common, and – to the best of our knowledge – we introduce the first server-aided revocation scheme in a lattice-based CP-ABE scheme, hence being embedded in a post-quantum secure environment. In particular, we rely on semi-trusted “mediators” to provide a multi-step decryption capable of handling mediation without re-encryption. We comment on the scheme and its application, and we provide performance experiments on a prototype implementation in the Attribute-Based Encryption spin-off library of Palisade to evaluate the overhead compared with the original scheme.

MSC 2010: 94A60; 68P25; 68Q25

1 Introduction

In this work, we tackle the problem of designing a fast key-revoking system in a Ciphertext Policy Attribute-Based Encryption (CP-ABE) constructed on some presumed post-quantum resistant algebraic setting. The presented approach involves a Dual-Regev CP-ABE scheme, which combines the advantages of attribute-based encryption with the security properties of the Regev encryption scheme [1] and provides a flexible and secure mechanism for access control and data encryption.

The Regev encryption scheme is a lattice-based scheme whose security rests on the hardness of the Learning with Errors (LWE) problem, which is believed to resist quantum attacks because its hardness follows from the worst-case complexity of the decision version of the shortest vector problem (GapSVP) and of the shortest independent vectors problem (SIVP) on lattices. It represents messages as vectors, and encryption is achieved by adding noise to those vectors; decryption can be performed efficiently only by the intended recipient, who possesses the secret key.

In a Dual-Regev CP-ABE scheme, ciphertexts are associated with access policies represented as pattern strings, where symbols can be 0, 1, or *. Users possess secret keys corresponding to their attributes (represented as bit strings). Decryption succeeds if the user’s attribute matches the policy pattern specified in the ciphertext. This allows for fine-grained access control, where access to encrypted data is granted based on attribute matching. In contrast to most of the CP-ABE schemes that are based on bilinear maps, these schemes do not rely on pairings. The absence of pairings in such schemes offers advantages in terms of simplicity and efficiency.

In this context, revocation implies the capability of making the user’s attributes/keys no longer valid, if needed; situations where revocation is required are typical in the business context, where, e.g., a product owner requires the ability to revoke privileges to users without needing to re-encrypt all the data. This is particularly true if the product owner has no direct control over the data, e.g., if they are hosted on third-party platforms or they actually belong to other users (like in the case of sharing platforms). Although this last example might seem unusual, it is common that cloud storage companies store data on servers that are, e.g., located in different countries and are hence subject to different laws concerning data regulation and privacy. In such a scenario, a company might want to retain complete control over data access without having to store them in first person.

To address the issue of user revocation, we propose mRLWE-CP-ABE, a novel solution that builds upon the Dual Regev CP-ABE scheme introduced in the study by Zhang and Zhang [2] by enforcing a security-mediated public key encryption (PKE). In particular, mRLWE-CP-ABE shares similarities with the ideas introduced in USENIX 2001 Boneh et al.’s article, [3].

The main idea presented in this article is the use of a (semi)trusted third party, called the security mediator (SM), to check the user whenever she wants to decrypt a ciphertext. The user requires assistance of the security mediator because the secret key is separated into two (or more) portions during key generation, with one portion given to the user while the remaining parts are given to (possibly multiple) SMs. The user requires the security mediator’s help in order to enable full user secret key recovery, and decrypt or sign messages.

We implement the proposed scheme in Palisade [4]. In particular, by building such practical tests on the implementation of the Palisade attribute-based encryption (ABE) project spin-off, we implicitly show its effectiveness.

1.1 Related works

ABE, first proposed by Sahai and Waters [5], is an asymmetric cryptographic primitive for one-to-many encryption that, as the many surveys of the last few years show [6–10], has attracted much interest over the years because it provides fine-grained access control over data. An ABE scheme allows a data owner to encrypt some data once and share them with many recipients along with a set of required attributes that define an access policy; the set of valid recipients does not need to be known in advance: all that is required is that an authorised user holds a set of valid attributes satisfying the access policy. Each user is identified by the set of attributes he or she owns. Two variants of ABE have been proposed in the literature: Ciphertext Policy ABE (CP-ABE) [11] and Key Policy ABE (KP-ABE) [12]. In CP-ABE the access policy is attached to the ciphertext, whereas in KP-ABE it is associated with the secret key, so CP-ABE is usually preferred as the more flexible of the two. Unlike classical public key schemes, where a user who wants to share encrypted data with many others must perform one encryption per valid recipient, in ABE schemes the encryption is performed only once for all users; for this reason, ABE schemes are a common choice in cloud environments. However, in this context the set of users usually changes frequently, so the ability to revoke users is a necessary requirement for any ABE scheme.

Revocation mechanisms have been categorised in the literature [13] into three classes: direct, indirect, and server-aided.

The direct revocation follows the approach of conventional public key management systems (PKMS) where a certificate revocation list (CRL) is distributed. Once a user needs to be revoked, the key authority in the PKMS adds the user identifier to the CRL and shares the updated list. Some examples of ABE schemes that implement direct revocation were given in the studies by Liu et al. [14] and Phuong et al. [15]. The major drawback of direct revocation is, of course, related to the distribution of the updated CRL. Any data owner must update his/her CRL before encrypting new data to exclude revoked users. Furthermore, as the revoked user set grows, so does the size of the CRL. Liu et al. [14] proposed a solution to overcome both issues by setting expiration dates on keys, by embedding the revocation list along with the ciphertext, and by removing revoked keys from the list once expired; however, in such schemes, data owner still needs to update his/her CRL to be sure not to miss any recently revoked user.

In indirect revocation, every time a user is revoked, the key authority generates new keys only for the remaining non-revoked users. The benefit of this approach is that the server only needs to work on the subset of still active users and does not need to periodically share a CRL. Examples of indirectly revocable CP-ABE schemes are given by Sahai et al. [16], Yu et al. [17] and Xie et al. [18]. For instance, both Sahai et al. [16] and Yu et al. [17] propose to update both the keys of the still active users and the older ciphertexts stored on the cloud, so that a revoked user can no longer decrypt them. The approach of Xie et al. [18] is slightly different: they update the keys, but each user holds two different keys, an individual key and a group key, both needed for decryption.

Server-aided revocation solutions try to avoid both key updates and the distribution of a CRL. They require, as does the system we propose in this article, the cooperation of a third party to decrypt. Here, following the approach first proposed by Boneh et al. [3] and later applied by Yang et al. [19] and Cul et al. [20], we rely on key splitting for revocation. Unlike the existing literature, and to the best of our knowledge, mRLWE-CP-ABE is the first application of this revocation technique to a lattice-based ABE scheme; we believe this is an important step because our system, uniquely with respect to all previous works, is embedded in a post-quantum secure environment.

1.2 Contributions

The main contributions of this work are the following:

  • Inspired by Boneh et al. [3], we propose mRLWE-CP-ABE, to the best of our knowledge the first CP-ABE revocation scheme based on lattices, a presumably post-quantum resistant algebraic setting. We start from the CP-ABE scheme of Zhang and Zhang [2] and extend and modify it to support key revocation. We rely on a (semi)trusted third party, the security mediator, to perform fast and efficient user key revocation.

  • We provide a formal description of the proposed scheme along with the analysis of its parameter and its security proof.

  • We implement mRLWE-CP-ABE scheme on Palisade, a well-known crypto library, and we experimentally evaluate the overhead introduced by the revocation mechanism in terms of performance.

  • We will release the implementation of our scheme to let the community independently test and evaluate it.

1.3 Organisation of the article

The rest of this article is organised as follows. Section 2 fixes the notation and the mathematical basics used in the rest of this article. Section 3 reviews the mathematical background used throughout (a confident reader can safely skip this section): in particular, the SIVP problem (Section 3.1), discrete Gaussians (Section 3.2), the learning with errors problem (Section 3.3), and some useful algorithms on lattices (Section 3.4). Section 4 introduces the system model of CP-ABE (Section 4.1) and analyses the scheme of Zhang and Zhang [2] by reworking its definition (Section 4.2) and analysing its parameters (Section 4.3), with a few small changes in notation to prepare the ground for the mediated scheme. Section 5 holds the main contribution of the article, defining the mediated CP-ABE system model (Section 5.1), introducing the novel scheme (Section 5.2), and analysing its parameters (Section 5.3). Section 6 analyses both the threat model (Section 6.1) and the classical security (Section 6.2) of the proposed scheme. Section 7 introduces the multi-bit variant of the original and mediated schemes, following the construction of Zhang and Zhang [2]. Section 8 presents benchmarks and results on the proposed scheme. Finally, Section 9 closes the article by summarising the contributions and giving some hints on future work.

2 Notation

Numeric sets of positive integers, integers, and real numbers are denoted with blackboard bold letters $\mathbb{N}$, $\mathbb{Z}$, and $\mathbb{R}$, respectively. The quotient ring modulo $q \in \mathbb{N}$ is denoted by $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z} = \{0, \ldots, q-1\}$. Probabilities are denoted by $P[\cdot]$, distributions are usually denoted by $\chi$, and we write $a \xleftarrow{\$} \chi$ to say that $a$ is sampled from $\chi$. In particular, the uniform distribution over a set $S$ is denoted by $U(S)$.

Matrices are usually denoted by upper-case letters ($A, B, \ldots$), while vectors are interpreted as single-column matrices and usually denoted by lower-case letters ($a, b, \ldots$). Matrices (and vectors) can be transposed ($A^T$), concatenated by columns ($[A \mid B]$), or concatenated by rows ($[A ; B]$). The scalar product is denoted by $\langle \cdot, \cdot \rangle$, while the Euclidean and the infinity norm of a vector are denoted by $\|a\|$ and $\|a\|_\infty$, respectively. By abuse of notation, we define the norm of a matrix as the infinity norm over the Euclidean norms of its columns, i.e. if $A = [a_1 \mid \cdots \mid a_n]$, then $\|A\| = \max_i \|a_i\|$. Finally, if the columns of a matrix $A = [a_1 \mid \cdots \mid a_n]$ are linearly independent, we denote by $\tilde{A} = [\tilde{a}_1 \mid \cdots \mid \tilde{a}_n]$ the Gram–Schmidt orthogonalisation of the vectors $a_1, \ldots, a_n$ taken in that order.

We refer to attributes with calligraphic capital letters; in particular, denotes the admissible attributes, S denotes the user attribute specifications, and W denotes the ciphertext access structures. If S is compatible with W , we say that it satisfies the access structure and we write S W ; otherwise, we write S W .

The security parameter throughout this article is $n$, and all other quantities are implicit functions of it. We use the standard notations big-$O$, big-$\tilde{O}$, and small-$\omega$ for asymptotic classes; we write $\mathrm{poly}(n)$ for functions $f(n) = O(n^c)$ for some constant $c$, and $\mathrm{negl}(n)$ for negligible functions $f(n)$, i.e. functions eventually upper bounded by $1/n^c$ for every constant $c$. Finally, we say that a probability is overwhelming if it is $1 - \mathrm{negl}(n)$.

3 Prerequisites on lattices

An $n$-dimensional lattice of rank $m \le n$ is a subset of $\mathbb{R}^n$ given by the integer span of $m$ linearly independent vectors $b_1, \ldots, b_m \in \mathbb{R}^n$. In formulas, we have

$$\Lambda = \{ Bc \mid c \in \mathbb{Z}^m \},$$

where $B = [b_1 \mid \cdots \mid b_m] \in \mathbb{R}^{n \times m}$ is called a basis of the lattice.

The set of linear functionals that take integer values on every point of $\Lambda$ is called the dual lattice, and it is denoted by

$$\Lambda^* = \{ x \in \mathbb{R}^n \mid \langle x, v \rangle \in \mathbb{Z} \text{ for all } v \in \Lambda \}.$$

Given a matrix $A \in \mathbb{Z}^{n \times m}$, the set of integer vectors annihilated by $A$ is a lattice in $\mathbb{Z}^m$, called the orthogonal lattice of $A$, and it is denoted by

$$\Lambda^{\perp}(A) = \{ e \in \mathbb{Z}^m \mid Ae = 0 \}.$$

Orthogonal lattices are particularly useful when working in modular arithmetic; given a matrix $A \in \mathbb{Z}_q^{n \times m}$, we analogously define

$$\Lambda_q^{\perp}(A) = \{ e \in \mathbb{Z}^m \mid Ae \equiv 0 \pmod q \}.$$

We further observe that, for any square matrix $B \in \mathbb{Z}_q^{n \times n}$, $Ax \equiv 0$ implies $BAx \equiv 0 \pmod q$; hence $\Lambda_q^{\perp}(A) \subseteq \Lambda_q^{\perp}(BA)$, with equality whenever $B$ is invertible over $\mathbb{Z}_q$.

3.1 Hard problems

Many cryptographic primitives have been constructed whose security is based on the (worst-case) hardness of SIVP or of closely related lattice problems. In particular, the (worst-case) hardness of SIVP for $\mathrm{poly}(n)$ approximation factors implies the existence of several fundamental cryptographic primitives. Blömer and Seifert [21] showed that SIVP is NP-hard to approximate within any constant approximation factor $\gamma$. Their result is stated for the Euclidean norm only; their proofs were extended to arbitrary norms by Aggarwal and Chung [22].

The $p$-norm of a vector $x$, denoted by $\|x\|_p$, is defined for an integer $p \ge 1$ as

$$\|x\|_p = \Big( \sum_{i=1}^{n} |x_i|^p \Big)^{1/p}.$$

We write $\mathrm{SIVP}_p$ for the problem stated with respect to $\|\cdot\|_p$; hence $\mathrm{SIVP}_2$ is the case considered by Blömer and Seifert [21].

Hereinafter, we fix $p = 2$ and omit it from the norm.

A basic parameter of a lattice $\Lambda$ is the length of its shortest non-zero vector, called the first successive minimum of $\Lambda$ and denoted by $\lambda_1(\Lambda)$. Lower and upper bounds for $\lambda_1$, which of course depend on $p$, are important to know; a lower bound is given by the length of the shortest vector of the Gram–Schmidt orthogonalisation of the basis: $\lambda_1 \ge \min_i \|\tilde{b}_i\|$. More generally, for $i = 1, \ldots, n$, the $i$-th successive minimum, denoted by $\lambda_i(\Lambda)$, is the smallest $l$ such that there are $i$ non-zero linearly independent lattice vectors of length at most $l$.

The SIVP consists in finding $n$ independent "short" lattice vectors: given a basis $B \in \mathbb{Z}^{n \times n}$, find linearly independent lattice vectors $u_1, \ldots, u_n$ such that $\|u_i\| \le \lambda_n(\Lambda)$ for $i = 1, \ldots, n$ [23].

Proposition 1

(Theorem 2 from [22]) Under the (randomised) Gap Exponential Time Hypothesis, for any $p \ge 1$ there exist $\gamma > 1$ and $\varepsilon > 0$ such that $\gamma$-$\mathrm{SIVP}_p$ in rank $n$ cannot be solved in $2^{\varepsilon n}$ time.

The Gap Exponential Time Hypothesis is a fine-grained complexity-theoretic strengthening of the Exponential Time Hypothesis of Impagliazzo and Paturi [24], and it is needed to rule out sub-exponential algorithms.

3.2 Discrete Gaussians

We recall that the Gaussian function centred at $c$ and scaled by a factor $s$ is

$$\rho_{s,c}(x) = \exp\Big( -\pi \frac{\|x - c\|^2}{s^2} \Big), \quad x \in \mathbb{R}^n.$$

A Gaussian function is typically used to build (continuous) probability distributions as

$$D_{s,c}(x) = \frac{\rho_{s,c}(x)}{s^n}, \quad x \in \mathbb{R}^n,$$

$s^n = \int_{\mathbb{R}^n} \rho_{s,c}(x)\,dx$ being the total measure associated with $\rho_{s,c}$.

Given a lattice $\Lambda \subseteq \mathbb{Z}^n$, we can discretise the distribution $D_{s,c}$ on it by sampling $x \in \mathbb{R}^n$ according to $D_{s,c}$ and conditioning on $x \in \Lambda$, thus obtaining

$$D_{\Lambda,s,c}(x) = \frac{D_{s,c}(x)}{D_{s,c}(\Lambda)} = \frac{\rho_{s,c}(x)}{\rho_{s,c}(\Lambda)},$$

with $\rho_{s,c}(\Lambda) = \sum_{y \in \Lambda} \rho_{s,c}(y)$ being the proper normalisation constant. We call this distribution the discrete Gaussian with centre $c$ and parameter $s$, and we omit the subscripts $s$ and $c$ when they equal $1$ and the origin $0$, respectively.

Given a parameter $\varepsilon \in \mathbb{R}^+$, we further recall from Micciancio and Regev [25] the definition of the smoothing parameter $\eta_\varepsilon$:

$$\eta_\varepsilon(\Lambda) = \min\{ s \in \mathbb{R}^+ \mid \rho_{1/s}(\Lambda^* \setminus \{0\}) \le \varepsilon \}.$$

In particular, if $s \ge \eta_\varepsilon$, the dispersion of the Gaussian can be bounded as follows.

Lemma 1

(Lemma 4.4 from [25]) For any $n$-dimensional lattice $\Lambda$, any centre $c \in \mathbb{R}^n$, and any $\varepsilon \in (0, 1)$, if $s \ge \eta_\varepsilon(\Lambda)$, then

$$P_{x \xleftarrow{\$} D_{\Lambda,s,c}}\big[ \|x - c\| > s\sqrt{n} \big] \le \frac{1 + \varepsilon}{1 - \varepsilon}\, 2^{-n}.$$

3.3 LWE

Originally presented by Regev [1] and later extended in [26], LWE is a hard lattice problem that also underlies fully homomorphic encryption. Its hardness was established by Regev [1] via a quantum reduction from worst-case SIVP and GapSVP, and by Peikert [27] via a classical reduction from a variant of GapSVP.

Let $q \in \mathbb{N}$ and let $\chi$ be a probability distribution on $\mathbb{Z}_q$. For any $s \in \mathbb{Z}_q^n$, LWE instances with secret $s$ are defined as samples from

$$A_{s,\chi} = \{ (a, y) \in \mathbb{Z}_q^n \times \mathbb{Z}_q \mid y = a^T s + x, \text{ with } a \xleftarrow{\$} U(\mathbb{Z}_q^n),\ x \xleftarrow{\$} \chi \}.$$

LWE can be formulated either as a search or as a decision problem: the former asks to recover $s$ given multiple samples from $A_{s,\chi}$, the latter to distinguish $A_{s,\chi}$ from $U(\mathbb{Z}_q^n) \times U(\mathbb{Z}_q)$. In particular, if $q = \mathrm{poly}(n)$, the two problems are polynomially equivalent [26]. In the following, we denote by $\mathrm{LWE}_{q,\chi}$ a generic instance of LWE with modulus $q \in \mathbb{N}$ and error distribution $\chi$.

Let $\Psi_\alpha$ denote the periodisation of the normal distribution with mean $0$ and variance $\alpha^2/(2\pi)$, and $\bar{\Psi}_\alpha$ its discretisation; then we have:

Proposition 2

(Theorem 1.1 from [26]) Let $\alpha = \alpha(n) \in (0, 1)$ and let $q \in \mathbb{N}$ be such that $\alpha q > 2\sqrt{n}$. Given access to an oracle that solves $\mathrm{LWE}_{q,\bar{\Psi}_\alpha}$ from a polynomial number of samples, there exists an efficient quantum algorithm solving the decision version of GapSVP and SIVP to within $\tilde{O}(n/\alpha)$ in the worst case.

More formally, for $r \in [0, 1)$, we have

$$\Psi_\alpha(r) = \sum_{k = -\infty}^{\infty} \frac{1}{\alpha} \exp\Big( -\pi \Big( \frac{r - k}{\alpha} \Big)^2 \Big),$$

and $\bar{\Psi}_\alpha$ is the distribution of

$$\lfloor q\, r \rceil \bmod q, \quad r \xleftarrow{\$} \Psi_\alpha.$$

In particular, we can characterise the distribution $\bar{\Psi}_\alpha^m$ as follows:

Lemma 2

(Lemma 12 from [28]) Let $e \in \mathbb{Z}^m$ and $y \xleftarrow{\$} \bar{\Psi}_\alpha^m$. Then, except with probability negligible in $m$, the following relation holds in $\mathbb{Z}_q$:

$$|e^T y| \le \|e\|\, q\alpha\, \omega(\sqrt{\log m}) + \frac{\|e\| \sqrt{m}}{2}.$$

In particular, for $x \xleftarrow{\$} \bar{\Psi}_\alpha$, except with probability negligible in $m$, it holds in $\mathbb{Z}_q$ that

$$|x| \le q\alpha\, \omega(\sqrt{\log m}) + \frac{1}{2}.$$

3.4 Literature algorithms on lattices

In the following, we recall four algorithms from the literature that are later used both in the original CP-ABE scheme and in mRLWE-CP-ABE.

Function 1

(SampleGaussian, Theorem 4.1 from [29]) Let $\Lambda \subseteq \mathbb{R}^m$ be an $m$-dimensional lattice with basis $B$. Given a Gaussian parameter $s \in \mathbb{R}^+$ such that $s \ge \|\tilde{B}\|\, \omega(\sqrt{\log m})$ and any centre $c \in \mathbb{R}^m$, there exists a probabilistic polynomial-time algorithm SampleGaussian$(B, s, c)$ that samples a vector $x \in \Lambda$ with a distribution statistically close to the discrete Gaussian $D_{\Lambda,s,c}$.

Function 2

(TrapGen, Algorithm 1 from [30]) Let $q \in \mathbb{N}$ be an odd prime associated with a security parameter $n$, and let $m \in \mathbb{N}$ be a dimension such that $m \ge (5 + 3\delta_0)\, n \log q$ for some $\delta_0 \in \mathbb{R}^+$. There exists a probabilistic polynomial-time algorithm TrapGen$(n, m, q)$ that generates a matrix $A \in \mathbb{Z}_q^{n \times m}$ statistically $(m\, q^{-\delta_0 n / 2})$-close to uniform, together with a basis $T_A$ of the orthogonal lattice $\Lambda_q^{\perp}(A)$ that is short with overwhelming probability, i.e. such that $\|T_A\| \le O(n \log q)$ and $\|\tilde{T}_A\| \le O(\sqrt{n \log q})$.

In the following, we choose $\delta_0 = 1/3$, so that we obtain $m \ge 6 n \log q$.

Function 3

(SamplePre, Section 5.2 from [29]) Let $q \in \mathbb{N}$ be an odd prime associated with a security parameter $n$, let $m \in \mathbb{N}$ be a dimension such that $m \ge 2 n \log q$, and let $s \in \mathbb{R}$ be a Gaussian parameter such that $s \ge \omega(\sqrt{\log m})$. For all but a $2q^{-n}$ fraction of the matrices $A \in \mathbb{Z}_q^{n \times m}$, the distribution of the syndrome $u = Ae \bmod q$ obtained from $e \xleftarrow{\$} D_{\mathbb{Z}^m, s}$ is statistically close to $U(\mathbb{Z}_q^n)$. For such matrices, there exists a probabilistic polynomial-time algorithm SamplePre$(A, T_A, s, u)$ that, given a short basis $T_A$ of the orthogonal lattice $\Lambda_q^{\perp}(A)$ and provided $s \ge \|\tilde{T}_A\|\, \omega(\sqrt{\log m})$, samples $e$ from $D_{\mathbb{Z}^m, s}$ conditioned on $Ae = u \bmod q$.

Function 4

(GenSamplePre, Theorem 3.4 from [31]) Let $q \in \mathbb{N}$ be an odd prime associated with a security parameter $n$ and let $m \in \mathbb{N}$ be a dimension such that $m \ge 2 n \log q$. Let $A = [A_1 \mid \cdots \mid A_k] \in \mathbb{Z}_q^{n \times mk}$ and let $J = \{j_1, \ldots, j_{|J|}\} \subseteq \{1, \ldots, k\}$ be a set of indices of the blocks $A_i$. Let $A_J = [A_{j_1} \mid \cdots \mid A_{j_{|J|}}]$ and let $T_{A_J}$ be a basis of the orthogonal lattice $\Lambda_q^{\perp}(A_J)$. There exists a probabilistic polynomial-time algorithm GenSamplePre$(A, T_{A_J}, J, s, u)$ that samples $e \xleftarrow{\$} D_{\mathbb{Z}^{mk}, s}$ conditioned on $Ae = u \bmod q$, provided $s \ge \|\tilde{T}_{A_J}\|\, \omega(\sqrt{\log(km)})$ (a condition independent of the choice and size of $J$).

In particular, such an algorithm is built as follows. Let $\bar{J} = \{1, \ldots, k\} \setminus J$. The blocks $e_i$ for $i \in \bar{J}$ are sampled directly as $e_{\bar{J}} \xleftarrow{\$} D_{\mathbb{Z}^{m(k - |J|)}, s}$, while the blocks $e_j$ for $j \in J$ are obtained as $e_J = \mathrm{SamplePre}(A_J, T_{A_J}, s, u - A_{\bar{J}} e_{\bar{J}})$; reassembling the blocks in their original order yields $e$ such that $Ae = u$.

4 CP-ABE scheme on lattices

We open this section by recalling the formal definition of a CP-ABE scheme and a possible security model for it. Then, we review the CP-ABE scheme of Zhang and Zhang [2], which we extend in Section 5, and we discuss its parameter requirements and security.

4.1 System model

A CP-ABE scheme is a framework for secure data sharing where recipients are not specific users, as in classic PKE schemes, but rather users holding specific attributes. A trusted central authority is needed for user key creation; however, data encryption and decryption are performed without its further collaboration, and in particular data owners outside the set of accredited users can encrypt data too.

More formally, we have

Scheme 1

(CP-ABE) A CP-ABE scheme consists of four algorithms:

  • $\mathrm{Setup}(\sigma, \mathcal{A}) \to (msk, pk)$ is the initialisation algorithm executed by the central authority to set up a public key $pk$ and a master secret key $msk$ starting from a set of security parameters $\sigma$ and a set of admissible attributes $\mathcal{A}$. $msk$ is used for the creation of users' keys, while $pk$ is used for message encryption.

  • $\mathrm{KGen}(msk, S) \to sk$ is the algorithm the authority runs to accredit a user with an attribute specification $S$, building a private key $sk$ capable of decrypting only ciphertexts whose access structure $W$ is satisfied by $S$.

  • $\mathrm{Enc}(pk, W, M) \to C$ is the encryption algorithm run by a data owner to encrypt the message $M$ into a ciphertext $C$ with access structure $W$. Only the public key $pk$ is needed for this operation.

  • $\mathrm{Dec}(sk, C) \to M'$ or $\bot$ is the decryption algorithm run by a user to retrieve the message $M$ associated with the ciphertext $C$. The equality $M' = M$ is required with overwhelming probability whenever the attribute specification $S$ of the private key $sk$ satisfies the access structure $W$ of the ciphertext $C$; if $S$ does not satisfy $W$, the output must be $\bot$.

Following the original article [2], we assess security against selective chosen plaintext attacks (sCPA). In sCPA, the attacker first commits to a challenge access structure $W$; then an interactive game is run in which the attacker submits two plaintexts, one of which is randomly chosen and encrypted by the challenger, and the attacker must determine which plaintext the given ciphertext corresponds to.

More formally, consider the following indistinguishability game (IND-sCPA) between a challenger $\mathcal{C}$, acting as the central authority, and an adversary $\mathcal{A}$, acting as the attacker:

Init. $\mathcal{A}$ chooses a challenge access structure $W$ and sends it to $\mathcal{C}$.

Setup. $\mathcal{C}$ performs all the setup tasks and eventually sends the public key $pk$ to $\mathcal{A}$.

Key generation queries. $\mathcal{A}$ is allowed to make a polynomial number of adaptive key generation queries on any attribute specification $S$ that does not satisfy $W$.

Challenge. $\mathcal{A}$ submits two messages of equal length $M_0$ and $M_1$ to $\mathcal{C}$, who picks $b \xleftarrow{\$} \{0, 1\}$ and returns to $\mathcal{A}$ the ciphertext associated with $M_b$, i.e. $\mathrm{Enc}(pk, W, M_b)$.

Guess. $\mathcal{A}$ is allowed one more round of key generation queries and eventually outputs a bit $b'$.

The advantage of an adversary $\mathcal{A}$ in the above game is defined as

$$\mathrm{Adv}_{\mathcal{A}}^{\text{IND-sCPA}}(\sigma) = \Big| P[b' = b] - \frac{1}{2} \Big|.$$

A CP-ABE scheme is secure against sCPA if, for any polynomial-time adversary $\mathcal{A}$, the advantage $\mathrm{Adv}_{\mathcal{A}}^{\text{IND-sCPA}}(\sigma)$ is a negligible function of the security parameters $\sigma$.

As the recent literature shows (see e.g. [32]), care should be taken when protocol security is obtained via classical proofs, since their translation to the post-quantum setting (in particular for interactive proofs, as in this case) is not guaranteed. In light of these results, in the present work we only discuss classical security. More work is needed in this direction: although the scheme presented here rests, under the LWE assumption, on a problem commonly believed to be hard also for quantum computers, its security is assessed, as in Zhang and Zhang [2], only against a classical attacker.

4.2 Scheme

The scheme we build on was introduced by Zhang and Zhang [2]; it is loosely inspired by Shamir's secret sharing [33], in that a randomly chosen secret $s \xleftarrow{\$} \mathbb{Z}_q^n$ is hidden in multiple LWE samples and is used, in the fashion of the LWE-based PKE of [29], to build the ciphertext.

The main idea is to give every user a fixed attribute (say $0$) and a set of $r - 1$ variable attributes $\{1, \ldots, r-1\}$, each of which can either be assigned (say $i^+$) or not (say $i^-$), for a total of $r$ attributes. Access structures $W$ can then either prescribe a given attribute (positively or negatively) or leave it unconstrained (by allowing both).

More formally, a user attribute specification is a 2-partition $S = (S^+, S^-)$ of $\{1, \ldots, r-1\}$ (i.e. $S^+ \cup S^- = \{1, \ldots, r-1\}$ and $S^+ \cap S^- = \emptyset$), while an access structure is a 2-covering $W = (W^+, W^-)$ of $\{1, \ldots, r-1\}$ (i.e. $W^+ \cup W^- = \{1, \ldots, r-1\}$, but $W^+ \cap W^- = \emptyset$ is not required), where $S^+$ and $W^+$ are the sets of positive attributes and $S^-$ and $W^-$ the sets of negative attributes. We say that the user attributes $S$ satisfy the access structure $W$ if $S^+ \subseteq W^+$ and $S^- \subseteq W^-$; otherwise, we say that $S$ does not satisfy $W$.

The advantage of giving user attribute specifications as 2-partitions is that every user has the same number of attributes, so the matrix $A \in \mathbb{Z}_q^{n \times mr}$ fed to GenSamplePre always has the same shape. At the same time, the fixed attribute $0$ is the natural place to hold the short basis GenSamplePre needs (hence $J = \{0\}$): it is shared by all user attribute specifications and can be generated once, efficiently, by TrapGen.

Formally, the scheme is parameterised by the modulus $q$, the dimension $m$, the security parameter $n$, the Gaussian parameter $s$, and the error distribution $\chi$ with parameter $\alpha$. The requirements on these parameters are analysed in the next section.

The four functions of Scheme 1 are defined in Algorithms 1 to 4.

Algorithm 1: Setup$(n, m, q, \{1, \ldots, r-1\}) \to (pk, msk)$
Input: the parameters $n, m, q \in \mathbb{N}$ and the set of variable attributes $\{1, \ldots, r-1\}$
Output: the public key $pk$ and the master secret key $msk$
1 $(B_0, T_{B_0}) \leftarrow \mathrm{TrapGen}(n, m, q)$;
2 for each $i \in \{1, \ldots, r-1\}$ do
3   $B_i^+, B_i^- \xleftarrow{\$} U(\mathbb{Z}_q^{n \times m})$;
4 $u \xleftarrow{\$} U(\mathbb{Z}_q^n)$;
5 $pk \leftarrow (B_0, \{B_i^+, B_i^-\}_{i}, u)$;
6 $msk \leftarrow (pk, T_{B_0})$
Algorithm 2: KGen$(msk, S) \to sk$
Input: the master secret key $msk$ and a user attribute specification $S = (S^+, S^-)$
Output: the user secret key $sk$, holding the attribute specification $S$ and the private secret $e \xleftarrow{\$} D_{\mathbb{Z}^{mr}, s}$ conditioned on $Ae = u$
1 for each $i \in \{1, \ldots, r-1\}$ do
2   $A_i \leftarrow B_i^+$ if $i \in S^+$, $B_i^-$ if $i \in S^-$;
3 $A \leftarrow [B_0 \mid A_1 \mid \cdots \mid A_{r-1}]$;
4 $e \leftarrow \mathrm{GenSamplePre}(A, T_{B_0}, \{0\}, s, u)$;
5 $sk \leftarrow (S, e)$;
Algorithm 3: Enc$(pk, W, M) \to C$
Input: the public key $pk$, an access structure $W = (W^+, W^-)$ and a message $M \in \{0, 1\}$
Output: the ciphertext structure $C$ holding the LWE-PKE-encrypted message $z \in \mathbb{Z}_q$ and the components $c_0, c_i^{\pm}$ that allow the recovery of the random secret (if the access structure is satisfied)
1 $s \xleftarrow{\$} U(\mathbb{Z}_q^n)$;
2 $x_z \xleftarrow{\$} \chi$;
3 $z \leftarrow u^T s + x_z + M \lfloor q/2 \rfloor$;
4 $x \xleftarrow{\$} \chi^m$;
5 $c_0 \leftarrow B_0^T s + x$;
6 for each $i \in W^+$ do
7   $x \xleftarrow{\$} \chi^m$;
8   $c_i^+ \leftarrow (B_i^+)^T s + x$;
9 for each $i \in W^-$ do
10  $x \xleftarrow{\$} \chi^m$;
11  $c_i^- \leftarrow (B_i^-)^T s + x$;
12 $C \leftarrow (W, z, c_0, \{c_i^+\}_{i \in W^+}, \{c_i^-\}_{i \in W^-})$;
Algorithm 4: Dec$(C, sk) \to M'$ or $\bot$
Input: a ciphertext structure $C$ and a secret key $sk$
Output: the message $M' \in \{0, 1\}$, which equals the original message $M$ whenever $|x_z - x'| < q/4$
1 if $S$ does not satisfy $W$ then
2   return $\bot$;
3 for each $i \in \{1, \ldots, r-1\}$ do
4   $y_i \leftarrow c_i^+$ if $i \in S^+$, $c_i^-$ if $i \in S^-$;
5 $y \leftarrow [c_0; y_1; \ldots; y_{r-1}]$;
6 $a \leftarrow e^T y$; // $e^T y = e^T A^T s + e^T x = u^T s + x'$, with $x' = e^T x$
7 $b \leftarrow z - a$; // $z - a = x_z - x' + M \lfloor q/2 \rfloor$
8 $M' \leftarrow 1$ if $q/4 \le b \le 3q/4$, $0$ otherwise;
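The following Python program, added here as a worked example and not part of the authors' Palisade implementation, runs Algorithms 1 to 4 end to end on toy parameters. Two things are assumptions of the example rather than of the article: the trapdoor is a Micciancio–Peikert style gadget trapdoor ($B_0 = [\bar{A} \mid G - \bar{A}R]$ with $R$ short, so that $[Re'; e']$ with $e' = G^{-1}(t)$ the bit decomposition of $t$ is a short preimage of any syndrome $t$), standing in for TrapGen and SamplePre of Functions 2 to 4 without any Gaussian sampling, and every error and secret coordinate is drawn from $\{-1, 0, 1\}$ in place of $\chi$ and $D_{\mathbb{Z}^m, s}$. The parameters ($n = 4$, $q = 2^{12}$, $m = 52$, $r - 1 = 3$ attributes) are far below any secure size and serve only to make the decryption identity $z - e^T y = x_z - e^T x + M \lfloor q/2 \rfloor$ visible; with these sizes $|x_z - e^T x| \le 397 < q/4 = 1024$, so decryption never fails.

```python
"""Toy, insecure instantiation of Algorithms 1-4 (Zhang-Zhang CP-ABE) in pure Python.

Added as a worked example; this is not the authors' Palisade code.  The lattice
trapdoor is a Micciancio-Peikert style gadget trapdoor (assumption: it stands in
for TrapGen/SamplePre; no Gaussian sampling, so it leaks R statistically) and all
small coordinates are drawn from {-1, 0, 1} (assumption: stands in for chi and
D_{Z^m,s}).  Parameters are far too small to be secure.
"""
import random

N, K = 4, 12            # security parameter n and k = log2(q)
Q = 1 << K              # modulus q = 2^k (a power of two keeps G^{-1} exact)
M = N + N * K           # width of every block B_0, B_i^+, B_i^- (here 52)
ATTRS = (1, 2, 3)       # variable attributes {1, ..., r-1}; attribute 0 is the fixed one
rng = random.Random(7)  # fixed seed so the run is reproducible

def small_vec(n):
    """Error/secret coordinates in {-1, 0, 1}: stand-in for chi and D_{Z^m,s}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def mat_vec(A, v):
    """A v mod q, with A given as a list of rows."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def mat_t_vec(A, s):
    """A^T s mod q: one LWE sample per column of A."""
    return [sum(A[i][j] * s[i] for i in range(len(A))) % Q for j in range(len(A[0]))]

def trapgen():
    """Stand-in for TrapGen: B_0 = [Abar | G - Abar R] with short secret R, so B_0 [R; I] = G."""
    abar = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    R = [small_vec(N * K) for _ in range(N)]
    G = [[(1 << (c % K)) if c // K == i else 0 for c in range(N * K)] for i in range(N)]
    AR = [[sum(abar[i][l] * R[l][c] for l in range(N)) for c in range(N * K)] for i in range(N)]
    B0 = [abar[i] + [(G[i][c] - AR[i][c]) % Q for c in range(N * K)] for i in range(N)]
    return B0, R

def sample_pre(R, t):
    """Stand-in for SamplePre: short e_0 with B_0 e_0 = t, via e' = G^{-1}(t) and e_0 = [R e'; e']."""
    e_prime = [(tj >> b) & 1 for tj in t for b in range(K)]          # bits of each coordinate of t
    top = [sum(R[l][c] * e_prime[c] for c in range(N * K)) for l in range(N)]
    return top + e_prime

def setup():
    """Algorithm 1: pk = (B_0, {B_i^+, B_i^-}, u), msk = trapdoor of B_0."""
    B0, R = trapgen()
    rand_block = lambda: [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    B = {i: {'+': rand_block(), '-': rand_block()} for i in ATTRS}
    u = [rng.randrange(Q) for _ in range(N)]
    return {'B0': B0, 'B': B, 'u': u}, {'R': R}

def keygen(pk, msk, S_plus):
    """Algorithm 2 with J = {0}: sample e_1..e_{r-1} first, then close the syndrome with the trapdoor."""
    S_plus = frozenset(S_plus)
    blocks = [pk['B'][i]['+' if i in S_plus else '-'] for i in ATTRS]
    e_rest = [small_vec(M) for _ in blocks]
    acc = [0] * N
    for A_i, e_i in zip(blocks, e_rest):
        acc = [(a + b) % Q for a, b in zip(acc, mat_vec(A_i, e_i))]
    e0 = sample_pre(msk['R'], [(uj - aj) % Q for uj, aj in zip(pk['u'], acc)])
    return {'S+': S_plus, 'e': [e0] + e_rest}

def key_is_consistent(pk, sk):
    """Check the GenSamplePre invariant A e = u mod q for the user's A = [B_0 | A_1 | ... | A_{r-1}]."""
    blocks = [pk['B0']] + [pk['B'][i]['+' if i in sk['S+'] else '-'] for i in ATTRS]
    total = [0] * N
    for A_i, e_i in zip(blocks, sk['e']):
        total = [(a + b) % Q for a, b in zip(total, mat_vec(A_i, e_i))]
    return total == pk['u']

def encrypt(pk, W_plus, W_minus, bit):
    """Algorithm 3: LWE samples under a fresh s for u, B_0 and every block the policy allows."""
    s = [rng.randrange(Q) for _ in range(N)]
    z = (sum(a * b for a, b in zip(pk['u'], s)) + small_vec(1)[0] + bit * (Q // 2)) % Q
    lwe = lambda A: [(a + x) % Q for a, x in zip(mat_t_vec(A, s), small_vec(M))]
    c = {(i, sign): lwe(pk['B'][i][sign]) for sign, W in (('+', W_plus), ('-', W_minus)) for i in W}
    return {'W+': frozenset(W_plus), 'W-': frozenset(W_minus), 'z': z, 'c0': lwe(pk['B0']), 'c': c}

def satisfies(S_plus, W_plus, W_minus):
    """S = (S+, S-) satisfies W = (W+, W-) iff S+ lies within W+ and S- within W-."""
    S_minus = set(ATTRS) - set(S_plus)
    return set(S_plus) <= set(W_plus) and S_minus <= set(W_minus)

def decrypt(sk, ct):
    """Algorithm 4: None stands for the paper's bottom symbol."""
    if not satisfies(sk['S+'], ct['W+'], ct['W-']):
        return None
    y = [ct['c0']] + [ct['c'][(i, '+' if i in sk['S+'] else '-')] for i in ATTRS]
    a = sum(ei * yi for e_blk, y_blk in zip(sk['e'], y) for ei, yi in zip(e_blk, y_blk)) % Q
    b = (ct['z'] - a) % Q                        # = x_z - e^T x + M floor(q/2)  (mod q)
    return 1 if Q // 4 <= b <= 3 * Q // 4 else 0

def demo():
    """Returns (key check, bits recovered by an authorised user, result for an unauthorised one)."""
    pk, msk = setup()
    alice = keygen(pk, msk, {1, 3})              # S+ = {1, 3}, S- = {2}
    bob = keygen(pk, msk, {1, 2})                # S+ = {1, 2}, S- = {3}
    W_plus, W_minus = {1, 3}, {2, 3}             # 1 must be set, 2 unset, 3 is a wildcard
    cts = [encrypt(pk, W_plus, W_minus, m) for m in (0, 1, 1, 0)]
    return (key_is_consistent(pk, alice), [decrypt(alice, ct) for ct in cts], decrypt(bob, cts[0]))

if __name__ == "__main__":
    print(demo())   # (True, [0, 1, 1, 0], None)
```

`demo` builds keys for two users, encrypts under a policy in which attribute 3 is a wildcard, and shows that the user whose specification does not satisfy the policy obtains $\bot$ (here `None`). Note that the ciphertext simply lacks the components $c_i^{\pm}$ for disallowed attribute values, so such a user has nothing to pair the corresponding block of $e$ with; this is what the access control of the scheme rests on, and it is also why the toy trapdoor, although it would let anyone holding $R$ forge keys, does not affect the arithmetic being illustrated.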

4.3 Parameter requirements and security

We analyse the scheme parameters considering the requisites (i) of having a correct decryption (cf. Algorithm 4), (ii) required by Proposition 2, and (iii) required by Functions 14. Then, we obtain:

  1. m 6 n log q as required by TrapGen (Function 2);

  2. s T ˜ B 0 ω ( log ( m r ) ) as required by GenSamplePre (Function 4) and by the security proof;

  3. x z x q , with > 4 , for correct decryption (Algorithm 4);

  4. α q 2 n for LWE hardness (Proposition 2).

( i ) suggests us to parameterise m over a value δ R being such that n δ > log q , thus obtaining

m = 6 n 1 + δ .

Furthermore, we know from Function 2 that T ˜ B 0 O ( n log q ) , or, in other terms, that T ˜ B 0 O ( m ) ; hence, from the second condition, we obtain

s = m ω ( log ( m r ) ) .

In order to tackle (iii), we recall from Lemma 2 that $|x_z| \le q\alpha\,\omega(\log m) + \tfrac{1}{2}$ and $|x'| = |e^{\mathsf{T}} x| \le \|e\|\, q\alpha\,\omega(\log m) + \|e\|\sqrt{m}/2$, and from Lemma 1 that $\|e\| \le s\sqrt{mr}$; hence, by the triangle inequality, we obtain

$$|x_z - x'| \le |x_z| + |x'| \le q\alpha\bigl(\omega(\log m) + \|e\|\,\omega(\log(mr))\bigr) + \tfrac{1}{2}\bigl(1 + \|e\|\sqrt{m}\bigr) \le q\alpha\, s\sqrt{mr}\,\omega(\log(mr)) + \tfrac{1}{2}\bigl(1 + s m r\bigr) \le s q\alpha\sqrt{mr}\,\omega(\log(mr)) + s m r.$$

Plugging the inequality into (iii) and letting $\hat{\omega} = \omega(\log(mr))$, we obtain

s q α m r ω ˆ + s m r q q ( s α m r ω ˆ 1 ) s m r ,

which suggests requiring

$$\alpha = \bigl(s\sqrt{mr}\,\omega(\log(mr))\bigr)^{-1},$$

hence obtaining from the previous inequality that

q ( ω ( 1 ) 1 ) s m r .

Furthermore, in order to satisfy (iv), we obtain

$$q > 2\sqrt{n}\,\alpha^{-1} = s\sqrt{4nmr}\,\hat{\omega}.$$

Recalling from (i) that $m > 4n$, a suitable solution is given by

$$q = s\,mr\,\omega(\log(mr)),$$

a solution that still satisfies the sequence of inequalities we built for (iii).

We can summarise the above conditions as follows:

$$(\dagger)\qquad m = 6n^{1+\delta},\ \text{with } \delta \in \mathbb{R},\ n^{\delta} > \log q;\qquad s = \sqrt{m}\,\omega(\log(mr));\qquad q = s\,mr\,\omega(\log(mr));\qquad \alpha = \bigl(s\sqrt{mr}\,\omega(\log(mr))\bigr)^{-1},$$

in order to provide the scheme security claim.

Proposition 3

(Theorem 1 from [2]) Let $\chi = \bar{\Psi}_\alpha$ and let $m$, $s$, $q$, and $\alpha$ be as in $(\dagger)$. Then, if $\mathrm{LWE}_{q,\chi}$ is hard, the CP-ABE scheme (Setup, KGen, Enc, Dec) defined by Algorithms 1–4 is secure against sCPA.

In particular, if there exists an adversary $\mathcal{A}$ that breaks its sCPA security with advantage $\varepsilon$, then there exists an algorithm solving $\mathrm{LWE}_{q,\chi}$ with probability $\varepsilon$.

5 mRLWE-CP-ABE

In this section, we describe the architecture of mRLWE-CP-ABE, our new lattice-based CP-ABE scheme able to efficiently revoke a target user; in particular, we propose a general scheme that extends Scheme 1 by adding SMs. Then, we give a full description of the mediated scheme built on top of Zhang and Zhang’s scheme from Section 4.2, and we discuss the changes in the requirements on the scheme parameters.

5.1 The system model

We rely on a new server-aided approach to provide a fast and reliable solution that avoids some of the inefficiencies intrinsic to direct and indirect revocation mechanisms. Our system is logically composed of four kinds of entities:

  • The key generation server (KGS): a trusted server able to generate a public key and, for each user, the corresponding secret key.

  • A set of $k$ SMs: each SM is a semi-trusted entity that has access to the mediator keys of a (sub)set of users.

  • The data owner: someone who wants to encrypt some data for a set of, possibly unknown, users.

  • A set of users belonging to the system: each user has an attribute specification that states his/her access rights. The attributes are associated with the user secret key generated by the KGS.

We define our scheme on top of the one introduced in Section 4.2; namely, for each user, the KGS generates a tuple of keys $(sk, mk_1, \ldots, mk_k)$: $sk$ is the user key and is given to the user, while the keys $mk_j$, with $1 \le j \le k$, are the mediator keys, distributed one to each SM involved. In order for a user to successfully decrypt a ciphertext, two conditions are required: first, as usual in CP-ABE, the user must have an attribute specification $S$ that satisfies the ciphertext policy; second, all the $k$ SMs must contribute to the decryption.

Scheme 2

(Revocable CP-ABE) Our revocable CP-ABE scheme consists of five algorithms:

  • $\mathrm{Setup}(\sigma, R) \to (msk, pk)$ is the initialisation algorithm executed by the KGS. It behaves as in regular CP-ABE.

  • $\mathrm{MKGen}(msk, S, k) \to (sk, \{mk_j\}_{j=1}^{k})$ is the algorithm the KGS runs to accredit a user with an attribute specification $S$. In contrast to regular CP-ABE, the key is segmented into $k+1$ parts, $k$ of which are provided to the $k$ SMs. The specified access structure $W$ is stored with the user private key $sk$ only, so mediators are unaware of users’ capabilities.

  • $\mathrm{Enc}(pk, W, M) \to C$ is the encryption algorithm the data owner runs to encrypt the message $M$. It behaves as in regular CP-ABE schemes; as a consequence, data owners are not affected in any way by this scheme.

  • $\mathrm{MDec}(C, sk) \to M'$ or $\bot$ is the decryption algorithm a user runs to retrieve the message $M$ associated with the ciphertext $C$. It requires the cooperation of all the $k$ SMs, which return the result of PDec so that the user can evaluate $M' = M$ with overwhelming probability (if $S \models W$). As in regular CP-ABE schemes, if $S \not\models W$, the output must be $\bot$ (regardless of possible collusion with SMs).

  • $\mathrm{PDec}(y, mk) \to a$ is the algorithm run by the SMs to produce partial decryption information $a$ from $y$ and the mediator key $mk$. Here, $y$ is derived from the ciphertext $C$ by the user requesting the partial decryption within MDec.

If a user is revoked, the KGS only needs to notify the SMs holding a mediator key for that user, and they will stop collaborating in the decryption process. In particular, it is sufficient that a single SM refuses to cooperate to defeat decryption. This guarantees that, if at least one SM follows the protocol, a revoked user can no longer decrypt.

Note that, unlike previous schemes in the literature, revoking a user requires neither updating keys nor re-encrypting ciphertexts: we only need to notify the SMs. Furthermore, ciphertexts produced before the revocation and not yet decrypted remain equally secure against the revoked user. This also differs from direct revocation and its CRL: our revocation process does not involve the encryption process at all. In order to support fast and secure revocation, our system of course incurs some overhead compared with the study by Zhang and Zhang [2]. For instance,

  • the KGS has to generate $k+1$ keys for each user;

  • the decryption of a ciphertext $C$ requires $k+1$ partial decryptions plus $k$ error generations, one added by each SM to protect its mediator key.

To experimentally evaluate the impact of revocation, we report some experiments in Section 8.

It is important to highlight that, although SMs need to be reachable at decryption time, which makes the protocol interactive, the approach preserves the advantages of CP-ABE over classical PKE schemes. In fact, data owners still produce encrypted data offline and without any overhead w.r.t. non-mediated CP-ABE schemes. Furthermore, access to the data remains confined to data owners and end users, since SMs only have blind access to it.

It is, however, important to note that the scheme proposed here is vulnerable to denial of service, since a single SM being unreachable or uncooperative causes the decryption procedure to fail. This outcome is common to any $(k, k)$ secret sharing scheme, where all $k$ participants are required to collaborate to retrieve the key. Analogously to secret sharing schemes, it is hence possible, depending on the use-case requirements, to mitigate this issue by building a $(t, k)$ threshold scheme where only $t$ out of $k$ SMs are required to carry out the partial decryption. Simpler solutions are also available, e.g., issuing SM keys with a certain amount of redundancy, thus creating a (possibly) non-homogeneous network of SMs. Such a solution also allows the decryption workload to be distributed amongst multiple parties. A further description of these approaches is, however, out of the scope of this article and will be the object of future analysis.

5.2 Scheme

mRLWE-CP-ABE shares the same parameter structure as the regular CP-ABE scheme presented in Section 4. Requirements on these parameters are very similar too and are discussed in the next section. For this reason, the Setup function is defined as in Algorithm 1 without any changes.

Likewise, as described in Section 5.1, the encryption procedure is not modified by the mediation process; hence, the Enc function is defined as in Algorithm 3.

The definitions of the three remaining functions of a revocable CP-ABE scheme follow in Algorithms 5 to 7.

Algorithm 5: $\mathrm{MKGen}(msk, S, k) \to (sk, \{mk_j\}_{j=1}^{k})$
Input: the master secret key $msk$, a user attribute specification $S = (S^+, S^-)$, and the number of mediators $k$
Output: the user secret key $sk$ holding the attribute specification $S$ and the private secret $e \leftarrow_{\$} D_{\mathbb{Z}^{mr}, s}$
Output: the mediator secret key $mk_j$ holding the private secret $mk_j \leftarrow_{\$} D_{\mathbb{Z}^{mr}, s}$, for each $0 < j \le k$
1 for each $i$ do
2   $A_i \leftarrow B_i^+$ if $i \in S^+$, $B_i^-$ if $i \in S^-$;
3 $A \leftarrow [B_0 \mid A_1 \mid \cdots]$;
4 for $j = 1, \ldots, k$ do
5   $u_j \leftarrow_{\$} U(\mathbb{Z}_q^n)$;
6   $mk_j \leftarrow \mathrm{GenSamplePre}(A, T_{B_0}, \{0\}, s, u_j)$;
7 $u_0 \leftarrow u - \sum_{j=1}^{k} u_j$;
8 $e \leftarrow \mathrm{GenSamplePre}(A, T_{B_0}, \{0\}, s, u_0)$;
9 $sk \leftarrow (S, e)$;
10 $mk_j \leftarrow (mk_j)$;
Algorithm 6: $\mathrm{PDec}(y, mk_j) \to a_j$
Input: a vector $y$ holding the information about the shared secret of a ciphertext and a mediator key $mk_j$
Output: the decryption information $a_j$
1 $x_j \leftarrow_{\$} \chi$;
2 $a_j \leftarrow mk_j^{\mathsf{T}} y + x_j$; // $mk_j^{\mathsf{T}} y + x_j = mk_j^{\mathsf{T}} A^{\mathsf{T}} s + mk_j^{\mathsf{T}} x + x_j = u_j^{\mathsf{T}} s + x'_j + x_j$
Algorithm 7: $\mathrm{MDec}(C, sk) \to M'$ or $\bot$
Input: a ciphertext structure $C$ and a user secret key $sk$
Output: the message $M' \in \{0,1\}$, which equals the original message $M$ if $\bigl|x_z - \sum_{j=0}^{k} x'_j - \sum_{j=1}^{k} x_j\bigr| < q/4$ (say, at most $q$ divided by a constant greater than 4)
1 if $S \not\models W$ then
2   return $\bot$;
3 for each $i$ do
4   $y_i \leftarrow c_i^+$ if $i \in S^+$, $c_i^-$ if $i \in S^-$;
5 $y \leftarrow [c_0;\, y_1;\, \ldots]$;
6 $a_0 \leftarrow e^{\mathsf{T}} y$; // $e^{\mathsf{T}} y = e^{\mathsf{T}} A^{\mathsf{T}} s + e^{\mathsf{T}} x = u_0^{\mathsf{T}} s + x'_0$
7 for $j = 1, \ldots, k$ do // queries to SMs can be performed asynchronously
8   request $a_j \leftarrow \mathrm{PDec}(y, \cdot)$ from the $j$-th mediator;
9 $a \leftarrow \sum_{j=0}^{k} a_j$; // $\sum_{j=0}^{k} a_j = \sum_{j=0}^{k} (u_j^{\mathsf{T}} s + x'_j) + \sum_{j=1}^{k} x_j = u^{\mathsf{T}} s + \sum_{j=0}^{k} x'_j + \sum_{j=1}^{k} x_j$
10 $b \leftarrow z - a$; // $z - a = x_z - \sum_{j=0}^{k} x'_j - \sum_{j=1}^{k} x_j + M \lfloor q/2 \rfloor$
11 $M' \leftarrow 1$ if $q/4 \le b \le 3q/4$, $0$ otherwise;

5.3 Parameter requirements

Requirements introduced in Section 4.3 still hold. However, the error in MDec is larger than in Dec of the non-mediated lattice-based CP-ABE scheme. In fact, the requirement for correct decryption is as follows:

x z j = 0 k x j j = 1 k x j q ˆ .

Note that $\{x_j\}_{j=1}^{k}$ are sampled from the same distribution as $x_z$ and that $\{x'_j\}_{j=1}^{k}$ are obtained as $x'$ was in the original algorithm; hence, Lemma 2 still applies. By the triangle inequality and following the same reductions as above, we obtain

$$\Bigl|x_z - \sum_{j=0}^{k} x'_j - \sum_{j=1}^{k} x_j\Bigr| \le |x_z| + \sum_{j=0}^{k} |x'_j| + \sum_{j=1}^{k} |x_j| \le (k+1)\, s q\alpha\sqrt{mr}\,\hat{\omega} + (k+1)\, s m r.$$

Plugging the inequality in the requirement for decryption, we obtain

( k + 1 ) ˆ s q α m r ω ˆ + ( k + 1 ) ˆ s m r q q ( ( k + 1 ) ˆ s α m r ω ˆ 1 ) ( k + 1 ) ˆ s m r ,

whose solution is comparable to that of the original scheme if the constant of the original requirement is taken to be $(k+1)$ times the one of the mediated requirement, since the only condition imposed on it is to be greater than 4, which still holds.

6 About threat and security to mRLWE-CP-ABE

In this section, we analyse the security of our proposed scheme by first defining a suitable threat model, including the possible collusion of one or more mediators with the attacker. Then, we discuss the security of our solution against the IND-sCPA game described in Section 4.1 suitably tackled in terms of the proposed threat model.

6.1 Threat model

We now describe the threat model of our system by means of five entities: the KGS, the set of SMs, the data owner, the set of users, and an external attacker. Recall that the KGS is a trusted entity, whereas the SMs are semi-trusted. The data owner is also trusted, whereas the users and, of course, the external attacker are untrusted. We identify the following possible threats to our system:

  • SMs collusion: multiple SMs involved in the decryption of the same ciphertext may collude to decrypt without the user’s aid;

  • Users collusion: multiple users may collude to decrypt a ciphertext they are not authorised to;

  • Ineffective revocation: a revoked user is still able to decrypt;

  • DOS-decryption: an attacker who compromises at least one SM can prevent legitimate users from decrypting.

We formally analyse the security against SM and user collusion and against ineffective revocation in Theorem 1.

The DOS-decryption attack, in turn, can be mitigated by providing redundant mediator keys to the SMs, as already described in Section 5.1.

6.2 Security analysis

The mediated scheme presented here is equivalent to the original scheme from the point of view of an external attacker. In fact, the encryption and decryption functions behave as in the original scheme, except for the addition of more noise (the more mediators, the higher the noise). We can further claim, analogously to Proposition 3, the security of the scheme under sCPA:

Theorem 1

(Security of mRLWE-CP-ABE (external)) Let $\chi = \bar{\Psi}_\alpha$ and let $m$, $s$, $q$, and $\alpha$ be as in $(\dagger)$. Then, if $\mathrm{LWE}_{q,\chi}$ is hard, the revocable CP-ABE scheme (Setup, MKGen, Enc, PDec, MDec) defined by Algorithms 1, 5, 3, 6, and 7 is secure against sCPA.

In particular, if there exists an adversary $\mathcal{A}$ that breaks its sCPA security, then there exists an adversary that solves the $\mathrm{LWE}_{q,\chi}$ decision problem.

The proof of the theorem is analogous to the one in the study by Zhang and Zhang [2]; we nonetheless report it for completeness.

Proof

Assume there exists a polynomial-time adversary $\mathcal{A}$ capable of breaking IND-sCPA for the mediated scheme with advantage $\varepsilon$ using at most $q$ key generation queries, obtaining both user and mediator keys.

Let $\mathcal{O}(\cdot)$ be an oracle that always samples either from $A_{s,\chi}$ or from the uniform distribution $U(\mathbb{Z}_q)$. Let a second party, which we call the challenger, cooperate with $\mathcal{A}$ and try to decide which of the two distributions $\mathcal{O}(\cdot)$ is sampling from.

The idea of the cooperation is to build a CP-ABE game, with $\mathcal{A}$ as the attacker and the second party as the challenger, that can be won with probability noticeably greater than $1/2$ if and only if $\mathcal{O}(\cdot)$ is sampling from $A_{s,\chi}$. If such a game exists, then the challenger can discriminate between the two distributions.

We recall that, in order to run the game, the challenger is only required to be able to (i) provide a public key to $\mathcal{A}$, (ii) encrypt a message, and (iii) perform $q$ generations of valid keys (with respect to the provided public key) on attribute specifications that do not satisfy the challenged access structure; decryption is hence not required, nor is the ability to generate secret keys for attribute specifications satisfying the challenged access structure.

Let us formally define the game:

Init. $\mathcal{A}$ chooses a challenge $W = (W^+, W^-)$ and sends it to the challenger.

Setup. The challenger samples pairs $(a, y) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ from $\mathcal{O}(\cdot)$ multiple times in order to build the matrices $B_0$ and $B_i^{\pm}$ needed by the chosen access structure (out of the vectors $a_i$) and to save (potentially) LWE-valid vectors $c_i$ for the ciphertext creation. The total number of samples required is $(|S^+| + |S^-| + 1)m + 1$, and they are used to build the following pairs:

  • $(B_0, v_0) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$;

  • $(u, v_u) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$;

  • $(B_i^+, v_i^+) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$ for each $i \in S^+$;

  • $(B_i^-, v_i^-) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$ for each $i \in S^-$.

Then, in order to create the missing matrices $B_i^+$ and $B_i^-$ (respectively, for $i \notin S^+$ and $i \notin S^-$) and to be able to run the MKGen algorithm on specifications $S$ such that $S \not\models W$, the challenger computes the following:
  • $(B_i^+, T_{B_i^+}) \leftarrow \mathrm{TrapGen}(n, m, q)$ for each $i \notin S^+$;

  • $(B_i^-, T_{B_i^-}) \leftarrow \mathrm{TrapGen}(n, m, q)$ for each $i \notin S^-$.

Finally, the challenger stores $(\{T_{B_i^+}\}_{i \notin S^+}, \{T_{B_i^-}\}_{i \notin S^-})$ for the key generation, stores $(v_0, v_u, \{v_i^+\}_{i \in S^+}, \{v_i^-\}_{i \in S^-})$ for the ciphertext creation, and outputs the public key $pk = (B_0, \{B_i^+, B_i^-\}_i, u)$ to the attacker $\mathcal{A}$.

Keygen query. Upon receiving a user attribute specification $S$ from $\mathcal{A}$, if $S \models W$, then the challenger outputs $\bot$. Otherwise, there exists at least one attribute $i \in S^+$ such that $i \notin W^+$, or $i \in S^-$ such that $i \notin W^-$; let $\hat{T}$ be the short basis generated by TrapGen during setup for such an attribute. The challenger finally runs $\mathrm{MKGen}((pk, \hat{T}), S)$ and outputs the result to $\mathcal{A}$. Note that the so-formed master secret key is valid for $S$ (and for all the user specifications containing $i$, as $S$ does) since, according to Function 4, GenSamplePre accepts any short basis generated from a subset of $m$ linearly independent vectors of $A$ (the matrix in $\mathbb{Z}_q^{n \times mk}$ defined in Algorithm 5).

Challenge. The attacker $\mathcal{A}$ submits $M_0, M_1 \in \{0,1\}$ to the challenger, who randomly chooses $b \in \{0,1\}$ and returns the (possibly valid) ciphertext associated with $M_b$. However, since the challenger wants to output a valid ciphertext only if $\mathcal{O}(\cdot)$ is sampling from $A_{s,\chi}$, the idea is to use the values stored during setup to emulate the LWE instances of the Enc function. Therefore, the challenger computes and outputs $C = (W, z, c_0, \{c_i^+\}_{i \in W^+}, \{c_i^-\}_{i \in W^-})$ with:

  • $z \leftarrow v_u + M_b \lfloor q/2 \rfloor$, where $v_u$ emulates $u^{\mathsf{T}} s + x_z$;

  • $c_0 \leftarrow v_0$ to emulate $B_0^{\mathsf{T}} s + x$;

  • $c_i^+ \leftarrow v_i^+$ to emulate $(B_i^+)^{\mathsf{T}} s + x$, for each $i \in W^+$;

  • $c_i^- \leftarrow v_i^-$ to emulate $(B_i^-)^{\mathsf{T}} s + x$, for each $i \in W^-$.

$\mathcal{A}$ is allowed to make more key generation queries after the challenge has been set. Eventually, it outputs a guess $b'$ for $b$ that is correct with probability $1/2 + \varepsilon$ if $\mathcal{O}(\cdot)$ is sampling from $A_{s,\chi}$ and with probability $1/2$ if it is sampling from $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. Hence, the challenger guesses $A_{s,\chi}$ if $b' = b$ (i.e. $\mathcal{A}$ is correct) and guesses $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$ if $b' \ne b$ (i.e. $\mathcal{A}$ is wrong).

Note that if $\mathcal{O}(\cdot)$ is sampling from $A_{s,\chi}$, then the challenger guesses right with the same non-negligible advantage as $\mathcal{A}$. So, if such an $\mathcal{A}$ exists, the challenger can solve LWE problems, which yields the claim.□

However, due to the revocation requirement, security must also be ensured when the attacker is one or more users, in the sense that

  (i-u) a user is not able to decrypt as long as at least one SM denies its cooperation;

  (ii-u) a user cannot evade a revocation in polynomial time, even after a polynomial number of correct decryptions (meaning that he can neither break nor forge an SM key);

  (iii-u) multiple users cannot collude to retrieve an SM key or to decrypt a message;

and when the attacker is one or more SMs, in the sense that:
  (i-m) one or more SMs cannot collude to decrypt a message, even after receiving many mediator keys from different users;

  (ii-m) one or more SMs cannot collude to retrieve a user secret $e$.

Note that mediator keys and user keys are complementary in the decryption phase and are all generated starting from vectors $u_i$ distributed uniformly at random: $u_0$ is the difference of vectors distributed uniformly at random, hence it is itself uniformly distributed. Since the $u_i$ are generated at random for each user, the secrets $e$ of different users are independent of one another; hence, combining information from different keys yields no further knowledge, ensuring (iii-u).

A similar outcome can be derived for SMs holding mediator keys related to different users. Moreover, since SMs and users receive no information about each other’s keys by design, and mediator keys, if equipped with $S$, are equivalent to user ones (i.e., SM keys are weaker than user ones), we have that (i-u) implies (i-m) (i.e., if a user is not able to decrypt without even a single SM, then decryption cannot occur without the collaboration of $k$ parties out of the $k+1$, no matter which one is missing).

We claim the following theorem to prove (i-u):

Theorem 2

(Security of PDec algorithm (break)) Let $\chi = \bar{\Psi}_\alpha$ and let $m$, $s$, $q$, and $\alpha$ be as in $(\dagger)$. Then, if $\mathrm{LWE}_{q,\chi}$ is hard, the CP-ABE scheme (Setup, MKGen, Enc, PDec, MDec) defined by Algorithms 1, 5, 3, 6, and 7 is secure against the sCPA carried out by a user if at least one mediator does not participate in the decryption.

In particular, if there exists an adversary $\mathcal{A}$ that breaks its sCPA security, then there exists an adversary that solves the $\mathrm{LWE}_{q,\chi}$ decision problem.

Proof

If at least one mediator (say $\hat{j}$) does not take part in the decryption procedure, from the client’s perspective the problem resembles solving the non-mediated version of the scheme with higher noise on $z$. In fact, he can compute $z' \leftarrow z - \sum_{j=0,\, j \ne \hat{j}}^{k} a_j$, and $C' = (W, z', c_0, \{c_i^+\}_{i \in W^+}, \{c_i^-\}_{i \in W^-})$ is a valid ciphertext (apart from the potentially higher noise) for the non-mediated scheme with public key $pk' = (B_0, \{B_i^+, B_i^-\}_i, u_{\hat{j}})$.

The only advantage the client has is the knowledge of its $e$ which, however, reveals no further information about the short basis $T_{B_0}$ or about other keys[2], since they are obtained from GenSamplePre applied to uniformly random $u$.

It follows that if there exists an adversary $\mathcal{A}$ that breaks sCPA for the mediated scheme under these assumptions, then there exists an adversary $\mathcal{A}'$ that breaks sCPA for the non-mediated scheme, and hence, by Proposition 3, there exists an adversary that solves the $\mathrm{LWE}_{q,\chi}$ decision problem.□

Furthermore, by design, SMs receive no information about the decryption procedure when a request is submitted by a user; hence, they can learn nothing about the user’s secret, neither from the query itself nor from other sources. Analogously, (ii-m) follows.

Also consider that mediators receive no information about the attribute specification $S$ either; however, if mediators have access to the database of ciphertexts and can guess which ciphertext was delivered by the user, they can guess the attribute specification by matching the vector $y$ with the allowed $c_i^{\pm}$. In particular, guessing the correct match between the delivered $y$ and the ciphertext is mainly a combinatorial matter that has not received much attention in the literature. However, we point out that, whenever it becomes important to preserve the privacy of which user requested which ciphertext (e.g., to prevent user profiling), a possible solution for the user would be to protect $y$ by adding noise $x \leftarrow_{\$} \chi^{mr}$. It is out of the scope of this article to show the complete proof of correctness; however, note that $y + x$ would still be a valid LWE sample (see also the proof of Theorem 3 below) with higher noise, and decryption would still be correct with some correction on the total noise size.

Finally, we claim the following theorem that tackles (ii-u):

Theorem 3

(Security of PDec algorithm) Let $\chi = \bar{\Psi}_\alpha$ and let $m$, $s$, $q$, and $\alpha$ be as in $(\dagger)$. Then, if $\mathrm{LWE}_{q,\chi}$ is hard, the function PDec defined by Algorithm 6 is hard to:

  • Break, in the sense that there exists no polynomial-time algorithm that retrieves $mk$ from a polynomially bounded number of pairs $(y, a)$, where $a \leftarrow \mathrm{PDec}(y, mk)$.

  • Forge, in the sense that there exists no polynomial-time algorithm that evaluates $a^*$ from an arbitrary $y^*$, where $a^* \leftarrow \mathrm{PDec}(y^*, mk)$, without knowing $mk$, from a previously obtained polynomially bounded number of pairs $(y_i, a_i)$, where $a_i \leftarrow \mathrm{PDec}(y_i, mk)$.

In particular, if there exists an adversary $\mathcal{A}$ that breaks (forges) PDec, then there exists an adversary that breaks the $\mathrm{LWE}_{q,\chi}$ search (decision) problem.

Proof

We recall that $y \leftarrow_{\$} A_{s,\chi}$, since $y = A^{\mathsf{T}} s + x$; hence, $y$ is indistinguishable from uniform by the $\mathrm{LWE}_{q,\chi}$ hardness.

It is easy to see that $a$ is distributed as $A_{mk,s}$; in fact, $a = mk^{\mathsf{T}} y + x$, where $y$ is statistically close to uniform and $x \leftarrow_{\$} \chi$. It follows that PDec is an actual instance of $\mathrm{LWE}_{q,\chi}$, hence proving the claim.□

7 Multiple-bit encryption

The original CP-ABE scheme introduced in Section 4 was also proposed as an $N$-bit encryption scheme (with $N \in \mathbb{N}$), where the same shared secret $s$ is used to encrypt a vector of message bits $M \in \{0,1\}^N$.

The authors introduced a public matrix $U \in \mathbb{Z}_q^{n \times N}$ and a user secret matrix $E$ of size $mr \times N$, where each of the $N$ columns is generated by applying GenSamplePre to a different column of $U$. Here, encryption works analogously, the only difference being the evaluation of $z$, which is now a vector:

$$z \leftarrow U^{\mathsf{T}} s + x_z + M \lfloor q/2 \rfloor, \quad \text{with } x_z \leftarrow_{\$} \chi^N.$$

Decryption, likewise, does not require any further care; in fact, once the suitable vector $y$ has been retrieved, we can compute

$$a \leftarrow E^{\mathsf{T}} y = E^{\mathsf{T}} A^{\mathsf{T}} s + E^{\mathsf{T}} x = U^{\mathsf{T}} s + x', \qquad b \leftarrow z - a = x_z - x' + M \lfloor q/2 \rfloor,$$

and, finally, writing $M' = (M'_1, \ldots, M'_N)$ and $b = (b_1, \ldots, b_N)$:

$$M'_i \leftarrow \begin{cases} 1, & \text{if } q/4 \le b_i \le 3q/4 \\ 0, & \text{otherwise} \end{cases} \qquad \text{for } i = 1, \ldots, N.$$

A notable advantage of this approach is the size of the ciphertext, since only a single copy of $c_0$, $c_i^+$ (for each $i \in W^+$) and $c_i^-$ (for each $i \in W^-$) is needed regardless of the number $N$ of encrypted bits. Therefore, $C$ is made of $N + m(|W^+| + |W^-|) \le N + 2mr$ values in $\mathbb{Z}_q$, compared with the $2Nmr$ generated by $N$ different single-bit encryptions.

Clearly, the mediated scheme introduced in this article can benefit from the same approach, where the mediators and the user receive matrices $MK_j$ and $E$ of size $mr \times N$, built upon random matrices $U_j \leftarrow_{\$} U(\mathbb{Z}_q^{n \times N})$ and upon $U_0 = U - \sum_{j=1}^{k} U_j$, respectively.

Furthermore, security is ensured with the same claims as in the original manuscript.

8 Experiments with mRLWE-CP-ABE

Here, we report the results of the performance experiments we carried out to evaluate the overhead introduced by the generation of the mediator keys and by their application in the decryption phase. To do so, we implement mRLWE-CP-ABE on top of the Palisade-ABE implementation[3] of the scheme by Zhang and Zhang [2], and we compare the execution time of KGen vs MKGen and of Dec vs (PDec + MDec) vs Enc. In particular, we compare the time for (PDec + MDec) also against the time needed by the Enc algorithm, as PDec spends most of its time generating the error $x_j$ (cf. Algorithm 6, l.1) to protect the mediator key (which corresponds to actually performing an LWE encryption). It is important to note that such error generation does not depend on the inputs of PDec and can also be performed offline to save computational time.

We carry out the performance experiments on an Nvidia DGX-1 equipped with 512 GB of memory; for each experiment, we report in Table 1 the average execution time over 20 repetitions for three security levels, namely HEStd_128_classic, HEStd_192_classic, and HEStd_256_classic, and for five values of the number of attributes, namely 6, 8, 16, 20, and 34. We conduct the experiments fixing the number of encrypted bits to 10,000 and setting $k = 1$.

Table 1

Average execution time (ms) of the KGen, MKGen, Dec, PDec, MDec, and Enc algorithms. We run the experiments by varying the security level and the number of attributes. We fix the number of SMs to $k = 1$ and the size of the plaintext to 10,000 bits.

Parameters Time (ms)
Security level #Attributes KGen MKGen Dec PDec + MDec Enc
HEStd_128_classic 6 179 354 1 54 47
HEStd_128_classic 8 223 451 2 75 73
HEStd_128_classic 16 386 769 3 141 129
HEStd_128_classic 20 465 938 4 185 174
HEStd_128_classic 32 725 1,463 7 309 276
HEStd_192_classic 6 108 212 0 23 21
HEStd_192_classic 8 125 248 1 32 31
HEStd_192_classic 16 195 387 1 59 56
HEStd_192_classic 20 227 454 2 80 73
HEStd_192_classic 32 336 657 3 117 112
HEStd_256_classic 6 341 681 3 103 99
HEStd_256_classic 8 435 864 4 149 147
HEStd_256_classic 16 771 1,550 8 282 272
HEStd_256_classic 20 929 1,869 9 381 363
HEStd_256_classic 32 1,470 2,947 16 687 574

As mentioned earlier, Table 1 shows that the decryption in our system (PDec + MDec) requires roughly the same time as the encryption. As for KGen vs MKGen, the latter requires twice the time of the former; this is the behaviour we expect, since MKGen generates both the user key and the mediator keys and, in the experimental setup, $k = 1$, so it actually generates two keys.

When $k$ is increased, we observe a linear growth of both the MKGen and the MDec execution time. However, it is worth noting that, although the total execution time of MDec clearly scales linearly with $k$, the time of a single PDec does not. As a consequence, if the queries to the SMs in MDec are implemented asynchronously (cf. Algorithm 7, ll.7–8), then the resulting computational time is the same regardless of the number of SMs.

9 Conclusions and further work

In this article, we have presented – to the best of our knowledge – the first scheme for revocable CP-ABE based on the LWE problem over lattices, hence embedded in a post-quantum secure environment. The scheme takes advantage of the lattice-based CP-ABE scheme first presented in the study by Zhang and Zhang [2] by building upon it a server-aided fine-grained revocation system (mRLWE-CP-ABE). The servers involved are considered semi-trusted; hence, the security proofs are given against different threat models. Security and applications are discussed both in the single-bit and in the multi-bit approach. For the sake of completeness, the scheme proposed here, mRLWE-CP-ABE, is implemented on the ABE spin-off of the well-established open-source library Palisade to experimentally validate it and provide an early performance estimate, with particular attention to the overhead with respect to the original scheme. The implementation will be released as open source to let the community independently test and evaluate it.

In future work, we plan to develop a similar approach on two schemes similar to the one presented in Section 4.2: the first, proposed by Zhang et al. [34], introduced support for multi-valued attributes, while the second, introduced by Chen et al. [35], extends [34] to support Ring-LWE. Furthermore, we also plan to provide support for other libraries, including, e.g., Microsoft SEAL [36] and Pyfhel, as well as to carry out a more in-depth performance analysis of the system. Future work might also focus on investigating threshold systems allowing more complex distributions of secrets amongst the SMs, hence providing more strength and robustness to the proposed system. Finally, and arguably most importantly, work is currently in progress to provide a formal proof of the post-quantum resistance of mRLWE-CP-ABE, in particular to tackle the problems highlighted by Lombardi et al. in the recent literature [32].

Acknowledgements

E. Onofri acknowledges the Gruppo Nazionale per il Calcolo Scientifico (GNCS) of Istituto Nazionale di Alta Matematica (INdAM). M. Pedicini acknowledges the Gruppo Nazionale per le Strutture Algebriche, Geometriche e le loro Applicazioni (GNSAGA) of Istituto Nazionale di Alta Matematica (INdAM). This work has been accepted for presentation at CIFRIS23, the Congress of the Italian association of cryptography “De Componendis Cifris.”

  1. Funding information: The authors state no funding involved.

  2. Conflict of interest: The authors state no conflict of interest.

References

[1] Regev O. On lattices, learning with errors, random linear codes, and cryptography. In: STOC’05: Proceedings of the 37th Annual ACM Symposium on Theory of Computing. New York: ACM; 2005. p. 84–93. https://doi.org/10.1145/1060590.1060603.

[2] Zhang J, Zhang Z. A ciphertext policy attribute-based encryption scheme without pairings. In: International Conference on Information Security and Cryptology. Springer; 2011. p. 324–40. https://doi.org/10.1007/978-3-642-34704-7_23.

[3] Boneh D, Ding X, Tsudik G, Wong C. A method for fast revocation of public key certificates and security capabilities. In: Wallach DS, editor. 10th USENIX Security Symposium, August 13–17, 2001, Washington, D.C., USA. USENIX; 2001. http://www.usenix.org/publications/library/proceedings/sec01/boneh.html.

[4] PALISADE Lattice Cryptography Library (release 1.11.2); 2021. https://palisade-crypto.org/.

[5] Sahai A, Waters B. Fuzzy identity-based encryption. In: Cramer R, editor. Advances in Cryptology - EUROCRYPT 2005. Berlin, Heidelberg: Springer; 2005. p. 457–73. https://doi.org/10.1007/11426639_27.

[6] Al-Dahhan RR, Shi Q, Lee GM, Kifayat K. Survey on revocation in Ciphertext-policy attribute-based encryption. Sensors (Basel). 2019 Apr;19(7):1695. https://doi.org/10.3390/s19071695.

[7] Mascia C, Sala M, Villa I. A survey on functional encryption. Adv Math Commun. 2023;17(5):1251–89. https://doi.org/10.3934/amc.2021049.

[8] Moffat S, Hammoudeh M, Hegarty R. A survey on ciphertext-policy attribute-based encryption (CP-ABE) approaches to data security on mobile devices and its application to IoT. In: Proceedings of the International Conference on Future Networks and Distributed Systems. ICFNDS ’17. New York, NY, USA: Association for Computing Machinery; 2017. https://doi.org/10.1145/3102304.3102338.

[9] Rasori M, Manna ML, Perazzo P, Dini G. A survey on attribute-based encryption schemes suitable for the Internet of things. IEEE Internet Things J. 2022 June;9(11):8269–90. https://doi.org/10.1109/JIOT.2022.3154039.

[10] Zhang Y, Deng RH, Xu S, Sun J, Li Q, Zheng D. Attribute-based encryption for cloud computing access control: a survey. ACM Comput Surv. 2020 Aug;53(4):1–41. https://doi.org/10.1145/3398036.

[11] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy (SP ’07); 2007. p. 321–34. https://doi.org/10.1109/SP.2007.11.

[12] Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security. CCS ’06. New York, NY, USA: Association for Computing Machinery; 2006. p. 89–98. https://doi.org/10.1145/1180405.1180418.

[13] Xu S, Yang G, Mu Y. Revocable attribute-based encryption with decryption key exposure resistance and ciphertext delegation. Inform Sci. 2019;479:116–34. https://doi.org/10.1016/j.ins.2018.11.031.

[14] Liu JK, Yuen TH, Zhang P, Liang K. Time-based direct revocable ciphertext-policy attribute-based encryption with short revocation list. In: Preneel B, Vercauteren F, editors. Applied Cryptography and Network Security. Cham: Springer International Publishing; 2018. p. 516–34. https://doi.org/10.1007/978-3-319-93387-0_27.

[15] Phuong TVX, Yang G, Susilo W, Chen X. Attribute based broadcast encryption with short ciphertext and decryption key. In: Pernul G, Y A Ryan P, Weippl E, editors. Computer Security - ESORICS 2015. Cham: Springer International Publishing; 2015. p. 252–69. https://doi.org/10.1007/978-3-319-24177-7_13.

[16] Sahai A, Seyalioglu H, Waters B. Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini R, Canetti R, editors. Advances in Cryptology - CRYPTO 2012. Berlin, Heidelberg: Springer; 2012. p. 199–217. https://doi.org/10.1007/978-3-642-32009-5.

[17] Yu S, Wang C, Ren K, Lou W. Attribute based data sharing with attribute revocation. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security. ASIACCS ’10. New York, NY, USA: Association for Computing Machinery; 2010. p. 261–70. https://doi.org/10.1145/1755688.1755720. Search in Google Scholar

[18] Xie X, Ma H, Li J, Chen X. An efficient ciphertext-policy attribute-based access control towards revocation in cloud computing. J Universal Comput Sci. 2013;19(16):2349–67. https://doi.org/10.3217/jucs-019-16-2349. Search in Google Scholar

[19] Yang Y, Ding X, Lu H, Wan Z, Zhou J. Achieving revocable fine-grained cryptographic access control over cloud data. In: Desmedt Y, editor. Information security. Cham: Springer International Publishing; 2015. p. 293–308. https://doi.org/10.1007/978-3-319-27659-5_21. Search in Google Scholar

[20] Cui H, Deng RH, Ding X, Li Y. Attribute-based encryption with granular revocation. In: Deng R, Weng J, Ren K, Yegneswaran V, editors. Security and Privacy in Communication Networks. Cham: Springer International Publishing; 2017. p. 165–81. https://doi.org/10.1007/978-3-319-59608-2_9. Search in Google Scholar

[21] Blömer J, Seifert JP. On the complexity of computing short linearly independent vectors and short bases in a lattice. In: Proceedings of the Thirty-First Annual ACM Symposium on Theory of Computing. STOC ’99. New York, NY, USA: Association for Computing Machinery; 1999. p. 711–20. https://doi.org/10.1145/301250.301441. Search in Google Scholar

[22] Aggarwal D, Chung E. A note on the concrete hardness of the shortest independent vector in lattices. Inform Process Lett. 2021;167:106065. https://doi.org/10.1016/j.ipl.2020.106065. Search in Google Scholar

[23] Bennett H, Golovnev A, Stephens-Davidowitz N. On the quantitative hardness of CVP. In: 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS); 2017. p. 13–24. https://doi.org/10.1109/FOCS.2017.11. Search in Google Scholar

[24] Impagliazzo R, Paturi R. On the Complexity of k-SAT. J Comput Syst Sci. 2001;62(2):367–75. https://doi.org/10.1006/jcss.2000.1727. Search in Google Scholar

[25] Micciancio D, Regev O. Worst-case to average-case reductions based on Gaussian measures. SIAM J Comput. 2007;37(1):267–302. https://doi.org/10.1137/S0097539705447360. Search in Google Scholar

[26] Regev O. On lattices, learning with errors, random linear codes, and cryptography. J ACM (JACM). 2009;56(6):1–40. https://doi.org/10.1145/1568318.1568324. Search in Google Scholar

[27] Peikert C. Some recent progress in lattice-based cryptography. In: Theory of Cryptography. Berlin Heidelberg: Springer; 2009. p. 72–2. https://doi.org/10.1007/978-3-642-00457-5_5. Search in Google Scholar

[28] Agrawal S, Boneh D, Boyen X. Efficient Lattice (H) IBE in the standard model. Eurocrypt’10 and PKC’10 joint work.2010. http://boneh.com/pubs/papers/latticebb.pdf. 10.1007/978-3-642-13190-5_28Search in Google Scholar

[29] Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the fortieth annual ACM symposium on Theory of computing; 2008. p. 197–206. https://doi.org/10.1145/1374376.1374407. Search in Google Scholar

[30] Alwen J, Peikert C. Generating shorter bases for hard random lattices. In: Albers S, Marion JY, editors. 26th International Symposium on Theoretical Aspects of Computer Science STACS 2009. Proceedings of the 26th Annual Symposium on the Theoretical Aspects of Computer Science. Freiburg, Germany: IBFI Schloss Dagstuhl; 2009. p. 75–86. https://hal.inria.fr/inria-00359718. Search in Google Scholar

[31] Cash D, Hofheinz D, Kiltz E. How to delegate a Lattice basis; 2009. Cryptology ePrint Archive, Paper 2009/351. https://eprint.iacr.org/2009/351. Search in Google Scholar

[32] Lombardi A, Mook E, Quach W, Wichs D. Post-quantum insecurity from LWE. In: Theory of Cryptography. Springer Nature Switzerland; 2022. p. 3–32. https://doi.org/10.1007/978-3-031-22318-1_1. Search in Google Scholar

[33] Shamir A. How to share a secret. Commun ACM. 1979 Nov;22(11):612–3. https://doi.org/10.1145/359168.359176. Search in Google Scholar

[34] Zhang J, Zhang Z, Ge A. Ciphertext policy attribute-based encryption from lattices. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security; 2012. p. 16–7. https://doi.org/10.1145/2414456.2414464. Search in Google Scholar

[35] Chen Z, Zhang P, Zhang F, Huang J. Ciphertext policy attribute-based encryption supporting unbounded attribute space from R-LWE. KSII Trans Internet Inform Syst (TIIS). 2017;11(4):2292–309. 10.3837/tiis.2017.04.025Search in Google Scholar

[36] Microsoft SEAL (release 4.0); 2022. Microsoft Research, Redmond, WA. https://github.com/Microsoft/SEAL. Search in Google Scholar

Received: 2023-09-04
Revised: 2023-10-30
Accepted: 2023-10-31
Published Online: 2024-02-14

© 2024 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Article URL: https://www.degruyterbrill.com/document/doi/10.1515/jmc-2023-0026/html