Abstract

The emergence of quantum computing threatens many classical cryptographic schemes, driving innovation in public-key cryptography toward postquantum primitives and protocols that resist quantum attacks. Lattice-based cryptography is considered one of the promising mathematical approaches to achieving security against quantum attacks; it can be built on the learning with errors (LWE) problem and its variants. The fundamental building blocks of the public-key encryption (PKE) and key encapsulation mechanism (KEM) protocols based on LWE and its variants submitted to the National Institute of Standards and Technology (NIST) are called key consensus (KC) and asymmetric key consensus (AKC) by Jin et al. They are powerful tools for constructing PKE schemes. In this work, we further demonstrate the power of KC/AKC by proposing two special types of PKE schemes, namely, revocable attribute-based encryption (RABE). To be specific, on the basis of AKC and the PKE/KEM protocols submitted to NIST based on LWE and its variants, combined with full-rank difference encoding, trapdoors on lattices, sampling algorithms, the leftover hash lemma, and a binary tree structure, we propose two directly revocable ciphertext-policy attribute-based encryption (DR-ABE) schemes from LWE, which support flexible threshold access policies on multivalued attributes and achieve user-level and attribute-level user revocation, respectively. Specifically, the construction of the ciphertext is derived from AKC, and the revocation list is defined and embedded into the ciphertext by the message sender, to revoke a user in the user-level revocable scheme or to revoke some attributes of a certain user in the attribute-level revocable scheme. We also discuss how to outsource decryption and reduce the workload of the end user. Our schemes are proven secure in the standard model, assuming the hardness of the LWE problem. The two schemes imply the versatility of KC/AKC.

1. Introduction

In the 1990s, Shor [1] proposed a quantum algorithm capable of solving the integer factorization problem (IFP) and the discrete logarithm problem (DLP) in polynomial time, which drew the attention of all parties to the development of quantum computers. Practical quantum computing, once available to cyber adversaries, will break the security of nearly all modern public-key cryptosystems (including RSA and ECC) [2, 3]. In response to the coming quantum computer, cryptography researchers have begun to devote themselves to replacing the classical public-key cryptosystems with cryptosystems that can resist quantum attacks, that is, postquantum cryptography [4]. Among all computational problems believed to be quantum-safe, lattice-based problems have emerged as more economical quantum-safe encryption providers due to their strong security proofs, simplicity, and efficient implementation. In particular, the learning with errors (LWE) problem [5] has turned out to be an amazingly versatile basis for cryptographic constructions due to its rigorous reduction from worst-case lattice problems. Recently, based on the hardness assumptions of the LWE problem and its variants, many postquantum cryptographic schemes [5–17] have been proposed, and they mainly focus on public-key encryption (PKE).

The National Institute of Standards and Technology (NIST) [18] announced a formal call for proposals for postquantum cryptography, which promoted the update of public-key cryptographic algorithms and the research of postquantum cryptographic algorithms. Thereafter, it published the first-round submissions of postquantum cryptographic standard protocols [19]. Among them, PKE and key encapsulation mechanism (KEM) schemes based on LWE and its variants constitute the dominating set of PKE/KEM proposals. The fundamental building tools of these proposals, i.e., the algorithms that show how to agree on an exact shared key from two close key exchange values, are referred to as key consensus (KC) or asymmetric key consensus (AKC) in [9–11, 16]. The inequation of parameters for any KC and AKC reveals the inherent constraints among security, bandwidth, correctness, and consensus range. KC/AKC and its inequation are the basis for many lattice-based public-key encryption schemes, and they are also powerful tools for constructing public-key encryption.

In this work, we further demonstrate the power of KC/AKC by proposing two special types of public-key encryption schemes, i.e., revocable attribute-based encryption (RABE). As an extension of attribute-based encryption (ABE) [20], RABE [21–26] provides both fine-grained access control on encrypted data and revocation mechanisms for when a user's attributes change, a key is exposed, and so on. The revocation mechanism in ABE can be roughly divided into two types: user-level user revocation [27–29] and attribute-level user revocation [30]. In user-level user revocation, when a user leaves the system, he/she is revoked and cannot decrypt any ciphertext. In attribute-level user revocation, when some attributes of a user are removed, he/she loses the authorities corresponding to these attributes. The methods for revocation can be divided into two types: indirect revocation [24, 31, 32] and direct revocation [33–35]. In indirect revocation schemes, the authority needs to maintain the revocation list and regularly issue key updates for nonrevoked users. In addition, all nonrevoked users need to communicate with the authority and update their decryption keys periodically as well. In direct revocation schemes, however, the revocation list is defined by the message sender, who “embeds” it into the ciphertext during encryption. Therefore, the authority does not need to generate and issue key updates. We find that KC and AKC are fundamental and powerful tools for constructing RABE schemes, combined with full-rank difference (FRD) encoding [36, 37], trapdoors for lattices [38–40], sampling algorithms [36, 41], the leftover hash lemma [36], and the binary tree structure [31, 42–45].

1.1. Motivation

The basic building blocks of the PKE/KEM protocols based on LWE and its variants submitted to NIST, namely, KC/AKC, are significant for constructing general or special PKE schemes. Revocable ABE is an advanced form of PKE. Note that the existing lattice-based revocable ABE schemes are limited: [46] cannot resist collusion attacks, while [47] cannot really use the binary tree structure; in addition, as shown in Table 1, their models are incomplete to capture the security requirements for revocable ABE. Therefore, we put forward LWE-based RABE schemes resistant to collusion attacks with a reasonable security model, inspired by the PKE/KEM protocols submitted to NIST [19], AKC [10–12, 16], and Zhang et al. [48].

1.2. Our Contributions

In this work, we further demonstrate the power of KC/AKC by proposing two special types of PKE schemes, namely, RABE. To be specific, on the basis of AKC and the PKE/KEM protocols submitted to NIST based on LWE and its variants, combined with full-rank difference encoding, trapdoors on lattices, sampling algorithms, the leftover hash lemma, and a binary tree structure, we propose two directly revocable ciphertext-policy attribute-based encryption (DR-ABE) schemes from LWE. One achieves user-level user revocation, while the other achieves attribute-level user revocation. Both schemes support flexible threshold access policies on multivalued attributes. The size of the public key of our schemes can be reduced in the random oracle model. The two schemes imply the versatility of KC/AKC. The main advantages of our DR-ABE schemes are as follows:
(i) Multibit encryption: the message sender is allowed to encrypt instead of .
(ii) Direct revocation: the revocation list is embedded into the ciphertext by the message sender; the authority does not have to generate and issue key updates; nonrevoked users do not need to communicate with the authority to update their decryption keys.
(iii) User-level and attribute-level user revocation: we provide two DR-ABE schemes with user-level and attribute-level user revocation, respectively. We use different techniques to construct these two schemes because the method of constructing the user-level scheme cannot be directly extended to the attribute-level scheme.
(iv) Fine-grained access control: our schemes support flexible threshold access policies on multivalued attributes.
(v) Collusion resistance: users in the system cannot combine their information to illegitimately gain unauthorized data through collaboration.
(vi) Resistance against quantum attacks: the security of our schemes is reduced to the learning with errors (LWE) problem.
(vii) Outsourced decryption: most of the computational overhead of the end user in our DR-ABE schemes can be outsourced to a third party (Appendix D).

In Table 1, we compare the features of our schemes with other lattice-based ABE and revocable ABE schemes.

Note that Zhang et al. [48] did not consider revocation. Wang et al. [46] and Kang et al. [47] achieved attribute-level user revocation. In the security model of Wang et al. [46], after submitting the challenge access structure and challenge revocation list , the adversary can only issue key generation queries under the restriction , while in [47], there is a stricter restriction, . However, these restrictions are unreasonable, because the private key for a key generation query should be given to the adversary as long as the nonrevoked attribute set does not satisfy , which is the case in our security model for DR-ABE with attribute-level user revocation. In other words, Wang et al. [46] and Kang et al. [47] did not take into account all the key queries that an adversary could issue, while both of our schemes consider all the situations of key generation queries from the adversary. In Appendix D, we discuss how to outsource most of the computational overhead of the end user to an honest-but-curious third party.

In Table 2, we compare the efficiency of our schemes with other lattice-based ABE and revocable ABE schemes. Here, and stand for the number of users and attributes in the system, respectively. means the number of revoked users in the -th attribute binary tree. represents the number of revoked attributes in the -th user binary tree. is a number such that .

Zhang et al.’s scheme [48] has relatively small sizes in every aspect because it does not take revocation into account. Wang et al.’s scheme [46] has a smaller public key size than our schemes since it is an indirect revocation mechanism, which gives rise to a large updated key size. Kang et al.’s scheme [47] is also an indirect revocation mechanism and has the smallest public key size; however, its security model is relatively unreasonable. It can be seen that the size of the public key and ciphertext in our schemes is larger than that of the other schemes. This is because we adopt the direct revocation method, which allows senders to define the revocation list and greatly reduces the workload of the authority. Specifically, the authority does not need to generate and issue updated keys periodically. In Appendix C, we describe how to reduce the size of the public key in our schemes in the random oracle model. Briefly speaking, the size of the public key in the “our 1” and “our 2” schemes can be reduced from and to and , respectively.

1.3. Related Works

The underlying consensus mechanism of most PKE/KEM protocols submitted to NIST based on LWE and its variants is based on KC/AKC and its variants [16, 49–60]. Specifically, [16, 51, 53] are based on the learning with rounding (LWR) problem [61] and its variant. [50] is based on both the LWE and the LWR problems. [16, 49, 52, 54, 56, 60] are based on the LWE, the ring learning with errors [62], or the module learning with errors [63] problems. To further reduce the error probability, the underlying consensus mechanism of some of the PKE/KEM protocols submitted to NIST based on LWE and its variants additionally employs error correction codes [16, 54, 64, 65], while others directly use lattice codes [16, 66].

Attribute-based encryption (ABE) [20] is a promising cryptographic primitive of public-key encryption that provides fine-grained access control on encrypted data. In 2006, Goyal et al. [67] extended the idea of ABE and classified ABE as key-policy ABE (KP-ABE) [68, 69] and ciphertext-policy ABE (CP-ABE) [70, 72]. In a KP-ABE scheme, the private key of a user is associated with an access policy, while the ciphertext is associated with a set of attributes. On the contrary, in a CP-ABE scheme, the private key of a user is associated with a set of attributes, and the ciphertext is associated with an access policy. Generally, CP-ABE is more flexible than KP-ABE since the former allows users to set their access policies when encrypting messages.

Many revocable attribute-based encryption schemes [21–26] based on classical assumptions (e.g., pairing-related assumptions) have been proposed. However, these schemes would not be secure against attacks from quantum computers. To mitigate this issue, Wang et al. [46] and Kang et al. [47] proposed indirectly revocable CP-ABE schemes from lattices. Both schemes achieve attribute-level user revocation. However, the scheme of Wang et al. [46] does not resist collusion attacks, that is, two users who do not satisfy the access structure can successfully decrypt the ciphertext through cooperation. In Kang et al. [47], user binary trees are built, where is the maximum number of users. Each binary tree has leaf nodes, and each attribute is assigned to a leaf node in the binary tree, where is the number of attributes in the system. To revoke attributes of a user, the authority actually needs to issue (rather than , as they claimed) associated key updates in the key updating phase, since each attribute is assigned a different secret-shared key. In other words, they did not actually take advantage of the binary-tree data structure to reduce the burden on the authority during the key updating phase, as [24, 31, 32] do.

2. Preliminaries

For notational convenience, we sometimes regard a matrix as simply a set of its column vectors. For a matrix , let denote the length of its longest column, i.e., ; let denote the largest singular value of , i.e., . Furthermore, if the columns of are linearly independent, let denote the Gram–Schmidt orthogonalization of vectors taken in that order. For two matrices and , let denote the concatenation of the columns of followed by the columns of . For two matrices and , let denote the concatenation of the rows of followed by the rows of .

For nonnegative integers , let denote the set . If is an attribute set and is an access structure, then means that satisfies . If is a finite set, then is the operation of choosing an element uniformly at random from . For a probability distribution , denotes the operation of choosing an element according to . If is either an algorithm or a set, then is a simple assignment statement.

The natural security parameter throughout this paper is . A function is negligible, denoted as , if for every , there exists such that for all . We say that a probability is overwhelming if it is . An algorithm is probabilistic polynomial-time (PPT) computable if it is modeled as a probabilistic Turing machine whose running time is bounded by some polynomial function.

2.1. Directly Revocable Attribute-Based Encryption

A directly revocable ciphertext-policy attribute-based encryption (DR-ABE) scheme with user-level (resp. attribute-level) user revocation consists of the following four algorithms :
(i) : this algorithm takes as input a security parameter , a system attribute set , and a maximal number of users in the system and returns a public key and a master secret key .
(ii) : this algorithm takes as input a public key , a master secret key , an identity , and an attribute set for the user with identity and returns a private key .
(iii) : this algorithm takes as input a public key , an access structure , a revocation list (resp. a family of attribute revocation lists , where consists of the identities whose -th attribute is revoked), and a message and returns a ciphertext .
(iv) : this algorithm takes as input a public key , a private key of identity with attribute set , and a ciphertext encrypted under access structure and ; it first checks whether and (resp. whether the set of nonrevoked attributes of the identity , ). If not, the algorithm returns a special symbol indicating decryption failure. Otherwise, it returns a message .

Note that, for the DR-ABE scheme with attribute-level user revocation, it is reasonable that the message sender only needs to consider attribute revocation lists associated with his/her access structure.

2.2. Security Model for DR-ABE

We now describe the selective security model for the DR-ABE scheme with user-level (resp. attribute-level) user revocation. The security model is described by the following game between a challenger and an adversary .
Init: the adversary chooses an access structure with and a revocation list (resp. a family of attribute revocation lists ) and submits them to the challenger .
Setup: runs the algorithm, gives the public key to , and keeps the master secret key private.
Phase 1: can adaptively make a number of key generation queries , where . The restriction is that if , then (resp. the nonrevoked attribute set does not satisfy ).
Challenge: submits two equal-length messages, . The challenger flips a random coin , computes , and gives to .
Phase 2: the same as in Phase 1.
Guess: outputs a guess for .

The advantage of adversary in the above game is defined as

Definition 1. A directly revocable ciphertext-policy attribute-based encryption scheme is secure if the advantage is negligible in for all polynomial-time adversaries .

2.3. Background on Lattices

Let consist of linearly independent vectors. The -dimensional full-rank lattice generated by the basis is the set . For any positive integers , and , a matrix , and a vector , we define and .

2.3.1. Discrete Gaussian

Let be an -dimensional lattice. For any vector and any parameter , define and . The discrete Gaussian distribution over with center and Gaussian parameter is for . If , we conveniently use and . In the following, we summarize some basic properties of the discrete Gaussian distribution.

Lemma 1 (see [73]). Let be positive integers with , be a matrix, be a vector, be a basis for , and . Then, .

Lemma 2 (see [73]). Let be positive integers with and being a prime. Let be any positive real number such that . Then, for and , the distribution of is statistically close to uniform over . Furthermore, for fixed , the conditional distribution of , given for uniformly random in , is with all but negligible probabilities.

2.4. The LWE Hardness Assumption

Security of our construction reduces to the learning with errors (LWE) problem defined by Regev [5].

Definition 2. Consider a prime , a positive integer , and a distribution over , all public. A -LWE problem instance consists of access to an unspecified challenge oracle , which is either a noisy pseudorandom sampler carrying some constant random secret key or a truly random sampler , whose behaviors are, respectively, as follows:
(i) : outputs samples in of the form , where is a uniformly distributed persistent value invariant across invocations, is a fresh sample from , and is uniform in .
(ii) : outputs truly uniform random samples from .
The -LWE problem allows repeated queries to the challenge oracle . We say that an algorithm decides the -LWE problem if is nonnegligible for random .
Regev [5] and Peikert [74] showed that, for certain noise distribution , denoted as , the LWE problem is hard.

Definition 3. Consider a real number and a prime . Let be the group of real numbers with addition modulo 1. Define by the distribution over of a normal variable with mean 0, standard deviation , and reduced modulo 1, i.e.,

We denote by the discrete distribution over of the random variable , where the random variable has distribution .

Lemma 3. Consider and a prime such that . If there exists an efficient (possibly quantum) algorithm which solves the -LWE problem, then there exists an efficient quantum algorithm for approximating SIVP in the norm, in the worst case, to within factors.

The following lemma about the distribution will be used to analyze the correctness of our constructions in Sections 4 and 5.

Lemma 4 (see [36]). Let be some vector in and . Then, the quantity , treated as an integer in , satisfies

with all but negligible probabilities in . In particular, if is treated as an integer in , then with all but negligible probabilities in .

3. Technical Tools

In this section, we introduce the notion of AKC given in [9, 11, 17] and some other related technical tools used in this paper.

3.1. Asymmetric Key Consensus

Definition 4. An asymmetric key consensus scheme is specified as follows:
(i) denotes the system parameters, where are positive integers and denotes some auxiliary values that are usually determined by and could be set to be empty.
(ii) On inputting , the probabilistic polynomial-time conciliation algorithm outputs the public hint signal .
(iii) On inputting , the deterministic polynomial-time algorithm outputs .
Correctness: an AKC scheme is correct if it holds for any such that .
Security: an AKC scheme is secure if is independent of whenever is uniformly distributed over . Specifically, for arbitrary and arbitrary , it holds that , where the probability is taken over and the random coins used by .

Theorem 1 (see [11]). Let be an asymmetric key consensus scheme with parameters . If is correct and secure, then .

Next, we review the construction and analysis of the instantiated AKC called asymmetric key consensus with noise (AKCN) in [11]. The illustration diagram is given in Algorithm 1. When the parameters and are powers of 2, AKCN can be simplified as AKCN power 2 [9].

(1), where .
(2)procedure
(3)
(4)return
(5)end procedure
(6)procedure
(7)
(8)return
(9)end procedure

Theorem 2 (see [11]). Suppose the parameters of AKCN satisfy . Then, the AKCN scheme described in Algorithm 1 is correct.

Theorem 3 (see [11]). The AKCN scheme is secure, i.e., is independent of when .
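As an added illustration of Definition 4 and of the two properties that Theorems 2 and 3 state for AKCN, here is a small asymmetric key consensus instance in Python together with exhaustive checks of both properties. This code was written for this page and is not the AKCN listing of Algorithm 1; the parameters (q, m, g, d) = (64, 4, 16, 5), the rounding formulas in con and rec, and the noise bound d = 5 are my own choices, and the checks assume g | q and m | g.

```python
import math
from collections import Counter
from fractions import Fraction

# Toy AKC instance for this page (assumption: not the AKCN of Algorithm 1).
# params = (q, m, g, d): sigma_1, sigma_2 in Z_q with |sigma_1 - sigma_2| <= d,
# key k_1 in Z_m, public hint v in Z_g.  We assume g | q and m | g.
Q, M, G, D = 64, 4, 16, 5


def round_nearest(x: Fraction) -> int:
    """Round a rational to the nearest integer (halves round up)."""
    return math.floor(x + Fraction(1, 2))


def con(sigma1: int, k1: int) -> int:
    """Sender: fold the chosen key k1 into the noisy value sigma1 and publish
    only a coarse hint v in Z_g, so that v/g ~ sigma1/q + k1/m up to 1/(2g)."""
    x = Fraction(G * sigma1, Q) + Fraction(G * k1, M)
    return round_nearest(x) % G


def rec(sigma2: int, v: int) -> int:
    """Receiver: subtract its own close value sigma2 and read off k1, since
    m*(v/g - sigma2/q) = k1 + m*(sigma1 - sigma2)/q + rounding noise (mod m)."""
    y = Fraction(M * v, G) - Fraction(M * sigma2, Q)
    return round_nearest(y) % M


def check_correctness(max_noise: int) -> bool:
    """Exhaustively verify Rec(sigma2, Con(sigma1, k1)) == k1 for all sigma1,
    all k1 and all |sigma1 - sigma2| <= max_noise (wrapping modulo q)."""
    for sigma1 in range(Q):
        for k1 in range(M):
            v = con(sigma1, k1)
            for delta in range(-max_noise, max_noise + 1):
                if rec((sigma1 + delta) % Q, v) != k1:
                    return False
    return True


def hint_distribution(k1: int) -> Counter:
    """Distribution of the hint v over uniformly random sigma1 in Z_q."""
    return Counter(con(sigma1, k1) for sigma1 in range(Q))


def check_security() -> bool:
    """Security in the sense of Definition 4: the hint's distribution must not
    depend on k1.  Here every k1 yields the uniform distribution on Z_g."""
    dists = [hint_distribution(k1) for k1 in range(M)]
    uniform = len(dists[0]) == G and all(c == Q // G for c in dists[0].values())
    return uniform and all(d == dists[0] for d in dists)


if __name__ == "__main__":
    print("correct for |noise| <= 5:", check_correctness(D))  # True
    print("correct for |noise| <= 6:", check_correctness(6))  # False
    print("hint independent of k1:", check_security())       # True
```

Raising the noise bound to 6 makes the correctness check fail, which shows the trade-off among bandwidth (g), key size (m) and tolerated noise (d) that the page's Theorem 1 inequality captures.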

3.2. Full-Rank Difference Encoding (FRD)

In our construction and proof of security, we need an encoding function to map attributes in to matrices in .

Definition 5 (see [36, 37]). Let be a prime and a positive integer. We say that a function is an encoding with full-rank difference (FRD) if
(1) for all distinct , the matrix is full rank;
(2) is computable in polynomial time.

3.3. Trapdoors for Lattices

We review two trapdoor generation algorithms in the following lemma. The first algorithm generates a matrix that is statistically close to uniform, together with a short trapdoor basis for the associated lattice . The second algorithm generates a basis for the lattice , where is what they call the primitive matrix.

Lemma 5 (see [38–40]). Let be positive integers with and being a prime. Then, we have
(i) [38–40]: a PPT algorithm that outputs a pair such that is full rank and statistically close to uniform, and is a basis for satisfying ;
(ii) [40]: a fixed full-rank matrix such that the lattice has a publicly known basis with .

3.4. Sampling Algorithms

The following [36, 41] and [36] algorithms will be used to sample short vectors in our construction and in the simulation, respectively.

Lemma 6. Let integers and . There is an efficient PPT algorithm which takes as input a full-rank matrix , a matrix , a vector , a basis of , and a Gaussian parameter , and outputs a vector distributed statistically close to .

Lemma 7. Let integers and . There is an efficient PPT algorithm which takes as input matrices , where is full rank, a uniform random matrix , a vector , a basis of , and a Gaussian parameter , and outputs a vector distributed statistically close to .

3.5. Leftover Hash Lemma

To prove correctness and security of our construction, we need more lemmas from [36] as follows.

Lemma 8. Let be an matrix chosen at random from ; then, there exists a universal constant such that .

Lemma 9 (leftover hash lemma). Suppose that is a prime and that . Let be matrices chosen uniformly in and be an matrix chosen uniformly in . Then, for all vectors in , the distribution is statistically close to the distribution .

3.6. The Binary-Tree Data Structure

Our construction makes use of the binary-tree data structure, as with [31, 4245]. This structure uses a node selection algorithm called KUNodes. In the algorithm, we use the following notations: denotes a binary tree. denotes the root node of . denotes a node in the binary tree, and emphasizes that the node is a leaf node. The set stands for the collection of nodes on the path from the leaf to the (including and the ). If is a nonleaf node, then and denote the left and right child of , respectively. The KUNodes algorithm takes as input a binary tree and a revocation list and outputs a set of nodes , which is the smallest subset of nodes that contains an ancestor of all the leaf nodes corresponding to nonrevoked indexes. The description of the KUNodes algorithm is as follows::; ; add to : if , then add to ; if , then add to If , then add to ; return

4. DR-ABE with User-Level User Revocation

KC/AKC is fundamental and powerful for constructing PKE schemes. To demonstrate the versatility of KC/AKC, we propose two DR-ABE schemes from lattices based on AKCN (Algorithm 1), supporting user-level user revocation and attribute-level user revocation in Sections 4 and 5, respectively.

4.1. Construction Details

The main ideas behind our construction can be described as follows. We assign identity to a leaf node in the binary tree . Then, we store the attribute set of in every node : for each , the random vector in the public key is secret-shared into vectors , where is associated with attribute . If and , then there exists a node , and can be recovered using .
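To make the mechanism just described concrete, the following Python (added example code, not the paper's scheme) models its combinatorial skeleton: KUNodes from Section 3.6 over a user binary tree, and the node-wise threshold secret sharing of the public vector u with Lagrange reconstruction at a node in Path(id) ∩ KUNodes(BT, RL). The modulus Q, the identities, the attribute indices and the function names are constructed for the example; the lattice parts (Gaussian preimage sampling, the AKC-derived ciphertext) are intentionally not modelled.

```python
import random

# Added toy of the combinatorial skeleton behind Section 4.1: users sit at the
# leaves of a binary tree, revocation uses KUNodes (Section 3.6), and at every
# node on a user's path the public vector u is Shamir-shared over Z_q among the
# user's attributes.  Not the lattice scheme itself: the real key components are
# short Gaussian preimages of these shares and the AKC ciphertext is omitted;
# only "who can reconstruct u" is modelled.
Q = 2_147_483_647  # prime modulus, a constructed choice for this toy


def path(depth, identity):
    """Path(eta): nodes from the leaf of `identity` up to the root.
    Heap layout: root is 0, children of node i are 2i+1 and 2i+2."""
    node = (2 ** depth - 1) + identity
    nodes = [node]
    while node != 0:
        node = (node - 1) // 2
        nodes.append(node)
    return nodes


def ku_nodes(depth, revoked):
    """KUNodes(BT, RL): smallest node set covering every nonrevoked leaf."""
    first_leaf = 2 ** depth - 1
    x = set()                                   # union of Path(eta), eta in RL
    for rid in revoked:
        x.update(path(depth, rid))
    y = set()                                   # children of X-nodes outside X
    for node in x:
        if node < first_leaf:                   # leaves have no children
            y.update(c for c in (2 * node + 1, 2 * node + 2) if c not in x)
    return y if y else {0}                      # nobody revoked: root covers all


def share_vector(u, attrs, t, rng):
    """Shamir-share u among attribute indices attrs (1-based), threshold t:
    one random degree-(t-1) polynomial per coordinate with constant term u_k."""
    coefs = [[rng.randrange(Q) for _ in u] for _ in range(t - 1)]
    return {i: [(u_k + sum(c[k] * pow(i, j + 1, Q) for j, c in enumerate(coefs))) % Q
                for k, u_k in enumerate(u)]
            for i in attrs}


def lagrange_at_zero(i, subset):
    """Lagrange coefficient L_i = prod_{j != i} j / (j - i) mod q."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, Q - 2, Q) % Q


def reconstruct(shares, subset):
    """sum_i L_i * share_i = u (coordinate-wise mod q) for any t shares."""
    lag = {i: lagrange_at_zero(i, subset) for i in subset}
    return [sum(lag[i] * shares[i][k] for i in subset) % Q
            for k in range(len(shares[subset[0]]))]


def keygen(depth, identity, attrs, u, t, rng):
    """Private key: an independent sharing of u at every node on Path(identity)
    (the page's u_{theta,i}: one share per attribute of the user)."""
    return {theta: share_vector(u, attrs, t, rng) for theta in path(depth, identity)}


def decrypt(depth, identity, attrs, key, policy_attrs, t, revoked):
    """Return u if `identity` is nonrevoked and holds >= t policy attributes,
    else None.  A revoked user has no node in Path(identity) ∩ KUNodes."""
    matching = sorted(set(attrs) & set(policy_attrs))
    if len(matching) < t:
        return None
    cover = ku_nodes(depth, revoked)
    theta = next((n for n in path(depth, identity) if n in cover), None)
    return None if theta is None else reconstruct(key[theta], matching[:t])


def demo():
    """8 users (depth 3), policy 'at least 2 of attributes {1,2,3}', user 2 revoked."""
    rng = random.Random(7)
    depth, t, policy, revoked = 3, 2, {1, 2, 3}, {2}
    u = [rng.randrange(Q) for _ in range(4)]
    alice = keygen(depth, 5, [1, 2, 4], u, t, rng)   # nonrevoked, 2 matches
    bob = keygen(depth, 2, [1, 2, 3], u, t, rng)     # revoked
    carol = keygen(depth, 6, [3, 4], u, t, rng)      # nonrevoked, 1 match
    return (decrypt(depth, 5, [1, 2, 4], alice, policy, t, revoked) == u,
            decrypt(depth, 2, [1, 2, 3], bob, policy, t, revoked) is None,
            decrypt(depth, 6, [3, 4], carol, policy, t, revoked) is None)
```

demo() returns (True, True, True): the nonrevoked user with two matching attributes recovers u, the revoked user finds no node of its path in the KUNodes cover, and the user with a single matching attribute cannot reach the threshold.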

For convenience, it is assumed that there are attributes in our system, and the -th attribute is associated with a value space . Let denote the attribute space. We also define default attributes . Let and , , and .

: on inputting a security parameter , a system attribute set , and a maximal number of users in the system, this algorithm sets the primitive matrix (with public trapdoor , see Lemma 5) and the parameters , , , , , , and as specified in Section 4.4. Then, it performs as follows:
(1) Run .
(2) Choose for .
(3) Choose .
(4) Choose a full-rank difference map .
(5) Build a binary tree with leaf nodes. For each node , choose an “identifier” .
(6) Return and .

: on inputting the public key , the master secret key , an identity , and the attribute set of , where and , it goes as follows:
(1) Pick an unassigned leaf node from and store in that node. For each , randomly choose degree polynomials such that . For each , let .
(2) For each , sample for , and sample for . Let for and for ; note that .
(3) Return as the private key.
Note that for any and any subset with , we have , where the Lagrange coefficient .

: on inputting a public key , an attribute set , an integer , a revocation list consisting of revoked identities, and a message , it works as follows:
(1) Choose and compute and , where and .
(2) For each , choose and compute .
(3) Let , and for each , choose and compute .
(4) For each , choose and compute .
(5) Return as the ciphertext.

: on inputting the public key , the private key of identity with attribute set , and a ciphertext encrypted under access structure and revocation list , it works as follows:
(1) If or , return .
(2) Else, parse the private key and . Since , there exists . Let . Since , there exists a set with size . For all , compute , and , where . Finally, compute

4.2. Correctness

For and , we have

For and , we have

Denote ; then, for both cases. Thus, we have , where . Hence, , where . Finally, we have

Now, we begin to bound . By Lemmas 1 and 6, we have . Note that , where . Since , by Lemma 4, we have . Applying Lemma 9 in [75], we have . By Lemma 8, we have and . Thus, . Therefore, we have by Lemma 4. According to Theorem 2, if , then our scheme is correct.

4.3. Security

In this section, we prove the security of our construction of the DR-ABE scheme with user-level user revocation in the selective model in Definition 1. The proof is given in Appendix A.

Theorem 4. For appropriate parameters , the above DR-ABE scheme with user-level user revocation is secure provided that the -LWE problem is hard.

4.4. Parameters

In this section, we instantiate the parameters so as to satisfy the correctness and security of DR-ABE with user-level user revocation. In particular, we need to set the parameters so that the following conditions hold with overwhelming probability:
(i) for the algorithm , we need (i.e., Lemma 5);
(ii) for the algorithm , we need (i.e., Lemmas 5 and 6);
(iii) for correctness, we need ;
(iv) for the security proof, we need for the algorithm (i.e., Lemmas 5, 7, and 8) and (i.e., Lemma 9);
(v) for the hardness of LWE, we need (i.e., Lemma 3).

Assume that is a real number such that , and are determined as follows:(i).(ii).(iii).(iv).

5. DR-ABE with Attribute-Level Revocation

In this section, based on AKCN (Algorithm 1), we propose a DR-ABE scheme from lattices, achieving attribute-level user revocation and flexible threshold access policies on multivalued attributes, which further illustrates the utility and versatility of KC/AKC.

5.1. Construction Details

The idea of constructing DR-ABE with user-level user revocation in Section 4 cannot be extended to constructing DR-ABE with attribute-level user revocation directly for the following reason. Suppose we associate every attribute with a binary tree of depth . For each , we link to a leaf node of . Then, for each , the random vector in the public key is secret-shared into vectors , where is associated with the node of depth in of . Now, if the nonrevoked attribute set of satisfies the access structure, then should be recovered if the extension works. Now, for each , there exists , and thus, can be recovered. However, we cannot recover since may not be at the same depth.

The main ideas behind our construction can be described as follows. The random vector in the public key is secret-shared into vectors , where is associated with the -th attribute of the identity . To revoke of , we further split each into two random vectors and , corresponding to and , respectively. If of is revoked, , therefore, cannot be recovered. In this way, can be recovered only if the set of nonrevoked attributes of satisfies the threshold access policy, thereby achieving the revocation of some attributes of .

For convenience, we use the notations from Section 4.

: on inputting a security parameter , a system attribute set , and a maximal number of users in the system, this algorithm sets the primitive matrix (with public trapdoor , see Lemma 5) and the parameters , , , , , , and as specified in Section 4.4. Then, it performs as follows:
(1) Run .
(2) Choose for .
(3) Choose .
(4) Choose a full-rank difference map .
(5) Build a family of binary trees , where each has leaf nodes. For each and each node , choose an “identifier” .
(6) Return and .

: on inputting the public key , the master secret key , an identity , and the attribute set of , where and , it goes as follows:
(1) For , randomly choose a degree polynomial such that . For each , let .
(2) For each , pick an unassigned leaf node from and store in that node. Choose and set . Sample a vector . Sample for . Let and ; note that and .
(3) For each , sample . Let ; note that .
(4) Return as the private key.

Note that, for any subset , , we have , where the Lagrange coefficient .

: on inputting a public key , an attribute set , an integer , a family of attribute revocation lists , where each consists of identities whose -th attribute is revoked, and a message , it works as follows:
(1) Choose and compute and , where and .
(2) For each , choose and compute .
(3) For each and each , choose and compute .
(4) Let , and for each , choose and compute .
(5) Return as the ciphertext.

: on inputting the public key , the private key , and a ciphertext , it works as follows. Let .
(1) If , then return .
(2) Else, parse and . Let . Since , there exists a set with size . For all , there exists , and compute . For all , compute . Then, compute , where . Finally, compute

5.2. Correctness

For and , we have

Thus, where and .

For , we have

Thus, , where .

Then, we have where .

Finally, we have

Now, we begin to bound . By Lemmas 1 and 6, we have and . For , , where . Since , by Lemma 4, we have . Similarly, for , we have . Applying Lemma 9 in [75], we have . By Lemma 8, we have . Thus, . Therefore, we have by Lemma 4. According to Theorem 2, if , then our scheme is correct.

5.3. Security

In this section, we prove the security of our DR-ABE scheme with attribute-level user revocation. The proof is given in Appendix B.

Theorem 5. For appropriate parameters , the above DR-ABE scheme with attribute-level user revocation is secure provided that the -LWE problem is hard.

5.4. Parameters

The parameters are the same as those of Section 4.4.

6. Conclusion

In this work, we demonstrate the power of KC/AKC by proposing two special types of PKE schemes. Specifically, on the basis of AKC, combined with PKE/KEM protocols submitted to the NIST, FRD, trapdoors for lattices, Gaussian sampling, the leftover hash lemma, and the binary tree structure, we propose two special kinds of PKE schemes, i.e., directly revocable ciphertext-policy attribute-based encryption schemes from LWE. One achieves user-level user revocation, while the other achieves attribute-level user revocation. Both schemes inherit the main advantages of the direct revocation mechanism: the revocation list is defined by the message sender, and the authority no longer needs to generate and issue key updates. In addition, both schemes support multibit encryption and flexible threshold access policies on multivalued attributes. The size of the public key of our schemes can be reduced in the random oracle model. Most of the decryption work can be outsourced to a third party as well. Our schemes are proved to be secure against quantum attacks in the standard model, assuming the hardness of the LWE problem. The two schemes imply the versatility of KC/AKC. Compared with other existing lattice-based revocable CP-ABE schemes, our schemes have a reasonable security guarantee.

Appendix

A. Proof of Theorem 4

Proof. Suppose there exists a PPT adversary which breaks the security of our DR-ABE scheme with user-level user revocation with nonnegligible probability. Then we can construct an algorithm that solves the LWE problem with the same advantage.

Note that has an oracle , and he wants to determine whether it is a noisy pseudo-random sampler for some or a truly random sampler . To this end, proceeds as follows:

Init: submits a challenge access structure and a challenge revocation list to , where and . Let and .

Setup: after receiving and , samples and from , chooses an FRD map , and builds a binary tree with leaf nodes.
(i) For each , chooses and computes
(ii) For each , chooses and computes
(iii) For each , chooses and computes
(iv) For each , chooses and computes
(v) For each , chooses and computes if , and , otherwise
Finally, sends the public key to and keeps secret.

Phases 1 and 2: when receives a key generation query from , where , he outputs if and . Otherwise, picks an unassigned leaf node from and stores in that node.
(i) For , note that, in this case, . For each node , first picks degree polynomials such that . Then, for each , sets . Note that for and for . Now, for each and each , first chooses , computes if and if , runs , where , and then sets .
(ii) For and , there exists . For each , picks degree polynomials such that . Then, it sets and generates for by using the Gaussian sampling and the algorithms according to the above process.
For , let ; then, . Thus, . chooses a set such that and . For each , chooses , and if , let ; else, let . Then, computes . Thus, we have -dimensional vectors . By the Lagrange interpolation formula, we can recover polynomials such that , and for each , . Now, for each , if , we have and ; else, we have and . For each , note that we have . Now, for , first chooses , computes and , then runs , and sets .
In the end, returns to .

Challenge: when submits two different messages , the adversary picks and computes , . Then, computes for each and for each . Finally, sends to the ciphertext .

Guess: outputs a guess for . If , outputs 1; else, outputs 0.

Note that, by Lemma 3, the pair is computationally indistinguishable from its distribution in the real attack. Applying Lemma 9, we know that and are statistically close to uniform even given more information about and , respectively. Hence, the distribution of the public key in the simulation is indistinguishable from that in the real attack, and gains negligible information about and from the public key. According to Lemmas 2, 6, and 7, the output distribution of the key generation simulation using the algorithm is statistically close to that in the real attack.

If for some , we claim that the challenge ciphertext is a valid ciphertext for , , and : note that, for each , . For each , . For each , . Therefore, the ciphertext is the same as the view of in the real attack. Hence, if guesses right with noticeable probability more than 1/2, then can succeed in its game with the same probability. Else, if , by Theorem 3, and are independent. Since is uniformly distributed, the probability that guesses right is exactly 1/2. In short, if breaks the security of our DR-ABE with user-level user revocation, then solves the underlying LWE problem.

B. Proof of Theorem 5

Proof. Suppose there exists a PPT adversary which breaks the security of our DR-ABE scheme with nonnegligible probability. Then we can construct an algorithm that solves the LWE problem with the same advantage.

Note that has an oracle , and he wants to determine whether it is a noisy pseudo-random sampler for some or a truly random sampler . To this end, proceeds as follows:

Init: submits a challenge access structure and a family of challenge attribute revocation lists to , where and . Let and .

Setup: after receiving and , samples and from , chooses an FRD map , and builds a family of binary trees , where each has leaf nodes.
(i) For each and each , randomly chooses and computes and if and if
(ii) For each and each , randomly chooses and computes and
(iii) For each , chooses and computes
(iv) For each , chooses and computes
Finally, sends the public key to and keeps secret.

Phases 1 and 2: when receives a key generation query from , where , he outputs if . Otherwise, for each , picks an unassigned leaf node from and stores in that node. Let , and we have ; thus, . Then, chooses a set such that and .
For each ,
(i) If , choose ; let ; then, compute .
(1) If and , there exists . Choose , let , and compute . For each , let , and then sample such that .
(2) Else, pick . For , let and sample such that .
Then, computes .
(ii) If , choose , let , and compute .
Let degree polynomials be such that and for each . Then, we can recover polynomials by the Lagrange interpolation formula. Compute for each .
For each ,
(i) If and , we have . Choose , let , and compute and . For each , let , and can sample by using the algorithm.
(ii) If , , and , there exists . Choose , let , and compute . For , let and sample such that . Then, compute and sample by using the algorithm, where .
(iii) Otherwise, choose and compute . For , sample for . Then, sample by using the algorithm, where if and if .
For each , let and sample .
Finally, sends to .

Challenge: when submits two different messages , flips a random coin and computes , . For each and each , computes and . For each , computes . Finally, sends the ciphertext to .

Guess: outputs a guess for . If , outputs 1; else, outputs 0.

Note that, by Lemma 3, the pair is computationally indistinguishable from its distribution in the real attack. Applying Lemma 9, we know that and are statistically close to uniform even given more information about and , respectively. Hence, the distribution of the public key in the simulation is indistinguishable from that in the real attack, and gains negligible information about and from the public key. According to Lemmas 2, 6, and 7, the output distribution of the key generation simulation using the algorithm is statistically close to that in the real attack.

If for some , we claim that the challenge ciphertext is a valid ciphertext for , , and : note that, for each and each , and . For each , . Therefore, the ciphertext is the same as the view of in the real attack. Hence, if guesses right with noticeable probability more than 1/2, then can succeed in its game with the same probability. Else, if , by Theorem 3, and are independent. Since is uniformly distributed, the probability that guesses right is exactly 1/2. In short, if breaks the security of our DR-ABE, then solves the underlying LWE problem.

C. Reducing the Size of the Public Key

Our DR-ABE scheme with user-level (resp. attribute-level) revocation has a relatively large public key, and its dependence on the number of users in the system is due to the fact that each node in (resp. each ) is associated with a uniform random matrix (resp.). In fact, the size of the public key can be reduced in the random oracle model in a way similar to [34]: let be a random oracle. For each node in (resp. each ), we obtain uniformly random matrix (resp.) as (resp.). In the security proof, we first simulate the generation of (resp.) as in the proof of Theorem 4 (resp. Theorem 5) and then program the random oracle such that (resp.).

D. Decryption Outsourcing

To make our schemes more applicable for the resource-limited end user, we modify our DR-ABE schemes to outsource most of the end user's computational overhead to an honest-but-curious third party in the following manner: we add an extra dummy attribute to the system. The algorithm chooses an extra matrix . To generate the private key for a user, the KGC splits the public vector into such that , samples , replaces with in the original algorithm to get , and finally returns along with as the private key of the user. Moreover, we add an extra ciphertext component corresponding to , , to the output of the original algorithm. In this case, the end user can give to the third party to help decrypt all of the ciphertext except for . The third party returns and to the user, who then only needs to process using to recover the message.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Authors’ Contributions

Leixiao Cheng, Fei Meng, Xianmeng Meng, and Qixin Zhang are the main authors of the current paper. Specifically, Leixiao Cheng first brought the idea of AKC into this paper to construct revocable ABE resistant to quantum attacks and provided the main construction of two DR-ABE schemes and the formal security proof. She also wrote the initial draft of this paper. Fei Meng contributed to the construction detail and parameter analysis of those two schemes. Xianmeng Meng and Qixin Zhang contributed to carrying out additional analyses and revised the final version of this paper. All authors contributed to writing and revision and approved the final manuscript.

Acknowledgments

The authors were supported by the National Cryptography Development Fund (Grant no. MMJJ20180210) and the National Natural Science Foundation of China (Grant nos. 61832012 and 61672019).