Attribute-Based Verifiable Conditional Proxy Re-Encryption Scheme

Abstract

There are mostly semi-honest agents in cloud computing, so agents may perform unreliable calculations during the actual execution process. In this paper, an attribute-based verifiable conditional proxy re-encryption (AB-VCPRE) scheme using a homomorphic signature is proposed to solve the problem that the current attribute-based conditional proxy re-encryption (AB-CPRE) algorithm cannot detect the illegal behavior of the agent. The scheme implements robustness, that is the re-encryption ciphertext, can be verified by the verification server, showing that the received ciphertext is correctly converted by the agent from the original ciphertext, thus, meaning that illegal activities of agents can be effectively detected. In addition, the article demonstrates the reliability of the constructed AB-VCPRE scheme validation in the standard model, and proves that the scheme satisfies CPA security in the selective security model based on the learning with errors (LWE) assumption.

1. Introduction

As a new resource sharing in the field of information, cloud computing is constantly changing people’s lives. As an important technology in cloud computing, cloud storage is used to organize a series of different types of network storage devices to facilitate data sharing. To ensure the confidentiality of data, before being uploaded to a cloud server, user data are encrypted, however, this poses difficulties in sharing data between different users. When dealing with a significant quantity of data recipients, general encryption algorithms can significantly increase the computational and communication expenses incurred by the data owner. Proxy re-encryption (PRE) effectively solves this problem.

In 1998, Blaze et al. [1] first introduced the concept of PRE at the Euromonitor Conference. PRE is a data cipher conversion in cloud computing, which ensures both user data security and flexible access and sharing of data. However, in the traditional PRE system, it is usually one delegator that corresponds to another delegator, that is, a one-to-one model; this implies that only one client’s message can be re-encrypted at a time, necessitating a large amount of communication overhead and computation expense, which is contrary to the initial aim of cloud computing customers wanting to save money. In 2007, GREEN et al. [2] simplified the public key certificate authentication process by proposing an encryption scheme based on user identity information instead of a public key. However, the encryption process is specific to particular users and requires explicit information about the recipient. In 2009, JIAN et al. [3] suggested a strategy for conditional PRE (CPRE) based on identity proxy re-encryption. By designing a conditional ciphertext conversion method, the ciphertext can only be converted when the ciphertext meets the set conditions, enabling the assignment of partial decryption rights, but it is still in the form of a one-to-one assignment between the authorizer and the authorized person, which not only severely restricts users’ ability to selectively share data with other users at a fine-grained level, but it also has the problems of high communication costs and high computational overhead when a large number of users need to access that shared data, as well as wasting a large amount of local memory space to hold a large number of decryption keys.

Being a novel cryptographic technique that differs from conventional public key cryptography, attribute-based encryption (ABE) [4] is ideally suited for resolving data confidentiality protection and access control of ciphertext problems in cloud storage applications [5]. ABE technology can provide an effective one-to-many, fine-grained ciphertext access control solution for cloud storage data security. AB-CPRE schemes have been presented that demonstrate the advantages and properties of ABE and CPRE. However, the existing AB-PRE schemes and AB-CPRE schemes are mostly based on constructs such as linear mappings or discrete logarithmic puzzles [6,7]. Due to the advent of quantum computers, the security of traditional number theory puzzles is threatened and these schemes will become insecure. To solve this problem, a lattice cipher is proposed. It is believed that lattice-based cryptography can resist quantum attacks and has high computational efficiency. Therefore, lattice-based public key cryptography schemes have attracted wide attention in recent years.

However, all the AB-CPRE schemes [8,9,10] that are currently in use are semi-trusted agents, so they may perform unreliable calculations, which bring security problems to data sharing. Most AB-CPRE efforts focus on data privacy and access control without considering re-encryption authentication, which can lead to incorrect results for users.

Therefore, it is of interest to ensure that the re-encryption ciphertext is converted correctly from the original ciphertext. In a homomorphic encryption algorithm, the user can perform some kind of secure proxy calculation with the untrusted remote server. In this process, the server cannot see any private information. The homomorphic signature algorithm supports the signature operation consistent with the message, and the generated signature does not disclose any information related to the data set, which can meet the security requirements in the cloud environment, and is very suitable for the sensor network, network coding, and other message operation scenarios to ensure information security. This paper introduces homomorphic signature techniques in AB-CPRE, provides a verification mechanism for re-encryption performed by a verification server, and proposes a verifiable PRE scheme.

Our main contributions in this article are as follows:

• An AB-VCPRE scheme based on LWE is proposed. The scheme ensures by verification that the re-encryption ciphertext is correctly converted from the encryption ciphertext;
• Fine-grained access control is implemented. In combination with fully homomorphic encryption, the delegation policy supports any polynomial-depth boolean circuit;
• Robustness is achieved. The scheme uses a validation algorithm to achieve robustness. Forged or incorrectly shared ciphertexts can be detected by validating the re-encryption ciphertext with a validation server;
• The scheme satisfies CPA security. The ciphertext in our scheme needs to be signed and verified using an unforgeable homomorphic signature. This paper demonstrates that the constructed AB-VCPRE scheme is CPA security based on a LWE problem.

The rest of the paper is organized into seven sections. In Section 2, the related studies are described. In Section 3, the relevant definitions are introduced. In Section 4 and Section 5, we state the details of the scheme and the security analysis. Section 6 presents the efficiency analysis. The last section is a summary of the paper.

2. Related Work

Liang et al. [7] present an AB-PRE cryptographic primitive based on the augmented decisional bilinear Diffie–Hellman (DBDH) problem combining ABE and PRE for the first time, which empowers users to authorize in an access control environment. Li et al. [11] propose a proxy re-encryption scheme for a re-splitable threshold multi-agent, which is different from the encryption scheme on the ciphertext input and output plane and the re-encryption surface, which means the noise boundary has a wider range of choices and can ensure the security of the re-encryption key. Nunez et al. [12] propose a typical threshold proxy re-encryption scheme, which is based on a DBDH assumption, vulnerable to quantum attacks. Luo et al. [13] construct a standard lattice multi-hop AB-PRE scheme, which supports circuit access, has a short key, the key size is dependent on the depth of the circuit policy, and satisfies CPA security requirements based on the LWE problem in the selection security model. However, these PRE schemes may not show sufficient flexibility and practicality when the data owner wishes to select some but not all of the data for dissemination to certain users. Weng et al. [3] proposed a CPRE scheme where only those that satisfy the conditions can be re-encrypted, but it can only be applied to simple keyword-based conditions and will be limited in practical applications. Then, Yang et al. [8] propose a ciphertext policy-based AB-CPRE scheme, which supports a fine-grained decryption delegation. The ciphertext in the scheme is related to the access policy while the re-encryption key is related to the attributes, and the ciphertext can be re-encrypted only when the access policy satisfies the attributes. Huang et al. [14] propose PRECISE, which combines AB-CPRE with IBBE to support fine-grained re-encryption conditions for IBBE ciphertexts. Yao et al. [15] combine ciphertext authorization, key update, and ciphertext evolution to propose an improved revocable, identity-based ciphertext evolution conditional proxy re-encryption scheme for secure and efficient cloud data sharing.

The universal CPRE algorithm cannot ensure the cloud server’s integrity during the re-encryption procedure, while the homomorphic signature algorithm has unforgettable security and privacy, which can effectively verify the honesty of the proxy during the re-encryption. Therefore, this paper uses a homomorphic signature algorithm to propose a PRE scheme with encryption validating on the lattice, which can effectively detect the illegal behavior of the proxy and provide a guarantee for the safe sharing of data.

3. Preliminaries

3.1. Lattice

Definition 1 (lattice).

The lattice is a linear combination of group $b_1,b_2,\dots ,b_n$’s linearly independent vectors’ $n\left(m\ge n\right)$ integer coefficients in m-dimensional Euclidean space $R^m$, which is defined as:

$$L\left(B\right)=\left\{{\displaystyle \sum _{i=1}^n{x}_i{b}_i:x_i\in \mathbb{Z},i=1,\dots ,n}\right\}.$$

(1)

Lemma 1

([16]). Take integer $q\ge 3$, $m\ge 6n\log q$, $\sigma \ge m^2\omega \left(\sqrt{\log m}\right)$, there exists a $PPT$ algorithm $TrapGen\left(1^n,1^m,q\right)$ that generates a matrix $A\in {\mathbb{Z}}_q^{n\times m}$ and a trapdoor $T_A\in {\mathbb{Z}}^{m\times m}$ for the lattice ${\wedge }_q^{\perp }\left(A\right)$, i.e., there is $A{T}_A=0\mathrm{mod}q$, such that the distribution statistics satisfied by the matrix $A$ are close to a uniform distribution on ${\mathbb{Z}}_q^{n\times m}$, and $\left|\right|{\tilde{T}}_A\left|\right|\le \mathcal{O}\left(\sqrt{n\log q}\right)$ holds by an absolute margin.

Lemma 2

([17]). Let $q>2$ and $m>\left(n+1\right)\log q+\omega \left(\log n\right)$. Select three uniform matrices $D\in {\left\{-1,1\right\}}^{m\times k}$, $E\in {\mathbb{Z}}_q^{n\times m}$, and $F\in {\mathbb{Z}}_q^{n\times k}$ at random for some polynomials with $k=k\left(n\right)$. Distribution $\left(E,ED,D^{T}r\right)$ and $\left(E,F,D^{T}r\right)$ are statistically indistinguishable for any vector $r\in {\mathbb{Z}}_q^m$.

LWE is a difficult problem under lattice. Regev [18] first proposed this in 2005 and proved that the average case is just as difficult to solve for several standard cells.

Definition 2 (LWE).

Given positive integer $n$, integer $m\ge n$ and $q\ge 2$, choosing uniform random matrix $A\in {\mathbb{Z}}_{\mathrm{q}}^{n\times m}$ and vector $s\in {\mathbb{Z}}_q^n$, vector $e\leftarrow {\chi }^m$ follows the error distribution. Given $\left(A,A^{T}s+e\right)$, the LWE problem is to find $s$ with non-negligible probability.

Definition 3 (Small integer solutions problem, SIS).

Let the defining parameters be $\beta$, $q$ is a prime number, given positive integers $m$ and $n$, select a matrix $A\in {\mathbb{Z}}_q^{n\times m}$ at random, solve for a non-zero vector of integers $z\in {\mathbb{Z}}^m\backslash \left\{0\right\}$ with $\left|\right|z\left|\right|\le \beta$. In 1996, Ajtai presented the SIS problem in the literature [16]. The homomorphic signature used for robustness in the paper is based on the SIS problem.

3.2. Related Functions and Tools

3.2.1. Functions of Bits and Power2

According to the article [19], decomposing the vector into the form of an inner product can effectively control the error range of the vector. The following describes how to decompose vectors into bit representations.

For any $x\in {\mathbb{Z}}^N$, let $x={\sum }_{i=0}^{g-1}{2}^i\cdot x^i\mathrm{mod}q$, $x_i\in {\left\{0,1\right\}}^N$. Output vector $Bit\left(x\right)=\left(x_0,x_1,\dots ,x_{g-1}\right)\in {\left\{0,1\right\}}^{1\times Ng}$, where $g=⌈\log q⌉$. For any $y=\left[y_1\left|y_2\right|\dots |y_{\ell }\right]\in {\mathbb{Z}}^{N\times \ell }$, where $y_i$ is a column vector, output matrix

$$Power2(y)=\left[\begin{array}{cccc}{y}_1& y_2& \cdots & y_{\ell }\\ 2y_1& 2y_2& \cdots & 2y_{\ell }\\ ⋮& ⋮& \ddots & ⋮\\ 2^{g-1}{y}_1& 2^{g-1}{y}_2& \cdots & 2^{g-1}{y}_{\ell }\end{array}\right]\in {\mathbb{Z}}_q^{Ng\times \ell }.$$

(2)

It can be verified that for any $q\in \mathbb{Z}$, there is $〈Bit\left(x\right),Power2\left(y\right)〉=〈x,y〉\in {\mathbb{Z}}_q^{1\times \ell }$.

3.2.2. Discrete Gaussian Distribution

For integer vectors $c\in {\mathbb{Z}}^m$, $\sigma >0$, the discrete Gaussian distribution on the m-dimensional lattice $\Lambda$ is:

$$D_{\wedge ,\sigma ,c}\left(x\right)=\frac{{\rho }_{\sigma ,c}\left(x\right)}{{\rho }_{\sigma ,c}\left(\wedge \right)}=\frac{{\rho }_{\sigma ,c}\left(x\right)}{{\sum }_{x\in \wedge }{\rho }_{\sigma ,c}\left(x\right)},\forall x\in {\mathbb{Z}}^m.$$

(3)

Lemma 3

([17]). Let $q\ge 2$, $B$ is a matrix over ${\mathbb{Z}}_q^{n\times m}$ and $m>n$. Let $T_B$ is the base of ${\wedge }_q^{\perp }\left(B\right)$, $\sigma \ge \left|\right|{\tilde{T}}_B\left|\right|\omega \left(\sqrt{{\log }_{2}m}\right)$. For $u\in {\mathbb{Z}}_q^n$, there are:

• Set the rank of $B\in {\mathbb{Z}}_q^{n\times m}$ is $n$, $E\in {\mathbb{Z}}_q^{n\times m}$, $R\in {\left\{-1,1\right\}}^{m\times m}$, $\sigma \ge \left|\right|{\tilde{T}}_B\left|\right|\omega \left(\sqrt{{\log }_{2}m}\right)$. Let $F=\left(B|BR+E\right)\in {\mathbb{Z}}_q^{n\times \left(2m\right)}$, PPT algorithms $SampleBasisLeft\left(B,BR+E,T_B,\sigma \right)$, where $T_B$ is the base of ${\wedge }_q^{\perp }\left(B\right)$, output a short base $T_F\in {\wedge }_q^{\perp }\left(F\right)$ statistical distribution to ${\psi }_{\sigma }^{\left(2m\right)\times \left(2m\right)}$ ;
• $Sample\mathrm{Pr}e\left(B,T_B,\sigma ,u\right)$: There is trapdoor $T_B$ of lattice ${\wedge }_q^{\perp }\left(B\right)$, the real number $\sigma \ge \left|\right|{\tilde{T}}_B\left|\right|\cdot \omega \left(\sqrt{\log n}\right)$, for any vector $u\in {\mathbb{Z}}_q^n$, a PPT algorithm $Sample\mathrm{Pr}e\left(B,T_B,\sigma ,u\right)$ capable of generating a vector $e$ from a distribution that is statistically close to $D_{{\mathbb{Z}}^m,\sigma }\left(x\right)$, satisfying $Be=u\left(\mathrm{mod}q\right)$;
• Let the rank of $G\in {\mathbb{Z}}_q^{n\times m}$ be $n$, $B\in {\mathbb{Z}}_q^{n\times m}$, a low-dimensional matrix $S\in {\left\{-1,1\right\}}^{m\times m}$, a trapdoor for the lattice ${\wedge }_q^{\perp }\left(G\right)$, and $\sigma \ge \left|\right|{\tilde{T}}_E\left|\right|\cdot \left|\right|R\left|\right|\omega \left(\sqrt{{\log }_{2}m}\right)$. PPT algorithm $SampleBasisRight\left(B,G,S,T_G,\sigma \right)$ output a short base $T_{\left(B|BS+G\right)}\in {\wedge }_q^{\perp }\left(B|BS+G\right)$ with a statistical distribution close to ${\mathsf{\Psi }}_{\sigma }^{\left(2m\right)\times \left(2m\right)}$.

3.3. Key Homomorphism

By embedding algorithmic circuits in LWE matrices, Boneh et al. suggested an ABE approach for algorithmic circuits in their paper [20], and the method was used in many LWE-based structures, for example, predicate encryption [21], constraint PRFs [22], watermarks for PRFs [23], etc.

Definition 4.

For any positive integer $k$, $d$, a $g$ of $depth\le d$ boolean circuit, defining families of functions ${\mathcal{F}}_{k,d}=\left\{g:{\left\{0,1\right\}}^k\to \left\{0,1\right\}\right\}$.

Lemma 4

(Fully homomorphic encryption [20,24]). Given parameters $t, h, k, d, q, \chi$, where $\chi$ is a B-bounded noise distribution, $h$ is a security parameter, $h\ge ⌈t\log q⌉$. For any matrices $B_1,B_2,\dots ,B_{\ell }\in {\mathbb{Z}}_q^{t\times h}$, any boolean circuit $g:{\left\{0,1\right\}}^k\to \left\{0,1\right\}$ for any depth$\le d$, $x\in {\left\{0,1\right\}}^k$, matrix $G\in Z_{\mathrm{q}}^{n\times m}$, vector $s\in {\mathbb{Z}}_q^t$, $e_i\leftarrow {\chi }^h$ for $i\in \left[k\right]$, if $p_i={\left(x_{i}G+B_i\right)}^{T}s+e_i,\forall i\in \left[k\right]$,

• $Eva{l}_{pk}\left(g,\left(B_1,\dots B_k\right)\right)$: Taking a circuit $g$, $k$ matrices ${\left\{B_i\right\}}_{i\in \left[k\right]}$ as input, outputs a matrix $B_g$;
• $Eva{l}_{ct}\left(g,{\left\{\left(x_i,p_i,B_i\right)\right\}}_{i\in \left[k\right]}\right)$: Given a circuit $g$, $k$ matrices ${\left\{B_i\right\}}_{i\in \left[k\right]}$, a vector $x\in {\left\{0,1\right\}}^k$ and $k$ vectors $\left\{p_1,\dots ,p_k\right\}$, outputs a vector $p_g$, satisfying $p_g={\left(B_g+g\left(x\right)G\right)}^{T}s+e_g$, where $B_g=Eva{l}_{pk}\left(g,\left\{B_1,\dots ,B_k\right\}\right)$, $\left|\right|e_g\left|\right|\le B\sqrt{h}{\left(1+h\right)}^d$ with all but negligible probability;
• $Eva{l}_{sim}\left(g,{\left\{S_i,x_i^{\ast }\right\}}_{i\in \left[k\right]},A\right)$: On input a circuit $g$, a vector $x^{\ast }\in {\left\{0,1\right\}}^k$, $k$ matrices ${\left\{S_i\right\}}_{i\in [k]}$, a matrix $A\in {\mathbb{Z}}_q^{t\times h}$, outputs a matrix $S_g$ satisfying $A{S}_g-g\left(x^{\ast }\right)=B_g$, where $\left|\right|S_g|{|}_2\le 20\sqrt{h}{\left(1+h\right)}^d<{\left(1+h\right)}^{d+1}$ with all but negligible probability.

3.4. Homomorphic Signature

A homomorphic signature is a valid signature that permits any entity to conduct a sequence of operations on the original message and its signature without the signing private key.

Definition 5 (Homomorphic signature).

The probabilistic polynomial-time algorithm $\left(KG,Sign,SignEval,Verify\right)$ is included in the following tuple is the homomorphic signature (HS) scheme:

• $HS.KG(\mathrm{p},d,N)$: Take a safety parameter $p$, a circuit depth $d$, and a message length $N$ as input, output a signature private key $hssk$ and a verification key $hsvk$;
• $HS.Sign\left(hssk,M\right)$: Accept as inputs the message $M$ requiring signature and $hssk$, output the signature $\sigma$;
• $HS.SEval(g,\sigma )$: Take an evaluation circuit $g:{\left\{0,1\right\}}^N\to \left\{0,1\right\}$ and signature $\sigma$ as input, output a homomorphic calculation signature ${\sigma }^{\ast }$;
• $HS.Verify(hsvk,y,g,{\sigma }^{*})$: Take $hsvk$, a message $y$, a circuit $g$ and a signature ${\sigma }^{\ast }$, the verification algorithm either accepts the signature (outputs 1) or rejects it (outputs 0).

Correctness. On input $p,d,N\in \mathbb{Z}$, $HS.KG(p,d,N)\to \left(hsvk, hssk\right)$, $M\in {\left\{0, 1\right\}}^N$, $HS.Sign(hssk,M)\to \sigma$, any circuit $g:{\left\{0, 1\right\}}^N\to \left\{0, 1\right\}$ with a depth $d$, $g\left(M\right)\to y$, the equation below holds:

$$\mathrm{Pr}\left[HS.Verify\left(hsvk,y,g,HS.SEval\left(g,\sigma \right)\right)=1\right]=1.$$

(4)

3.5. Robustness

A key component of the AB-VCPRE design is robustness. The fundamental tenet is that by re-encryption key sharing, an adversary cannot create ciphertext that is falsely obtained yet can be correctly authenticated. The following game $Exp{t}_{\mathcal{A}}^{Rb}$ describes the robustness of the AB-VCPRE scheme.

During the guessing phase, the adversary outputs the appropriate ciphertext $C{T}^{\ast }$ satisfies $Verfy\left(hsvk,C{T}^{\ast }\right)=1$ while $Setup$, $KeyGen query$, $\mathrm{Re}KeyGen query$, and $\mathrm{Re}Enc query$ interact as specified in Definition 6.

The adversary’s advantage is characterized as $Ad{v}_{\mathcal{A}}^{Rb}=\mathrm{Pr}\left[Exp{t}_{\mathcal{A}}^{Rb}\left(\lambda \right)=1 \right].$

4. The Model of AB-VCPRE with Re-Encryption Verification

4.1. Scheme Definition

An AB-VCPRE scheme consists of seven algorithms. The specific flow chart is shown in Figure 1. In comparison to the standard AB-VCPRE, a verification method called $\mathrm{Re}Enc-Ver$ is added to check for an honest transformation of the ciphertext. The $\mathrm{Re}Enc-Ver$ algorithm is publicly verifiable because all that is required are the original ciphertext and the corresponding re-encryption ciphertext.

• $Setup(n)$: Input security parameter $n$, output public parameters $pp$;
• $KeyGen(pp,\alpha )$: Given $pp$, output the public/private key pair $\left(p{k}_{\alpha },s{k}_{\alpha }\right)$ for user $\alpha$;
• $Enc\left(pp,p{k}_{\alpha },\mu ,x\right)$: Taking $pp$, $p{k}_{\alpha }$, plaintext $\mu$, and an attribute vector $x$ as input, output a related ciphertext $C{T}_{\alpha }$ with $x$;
• $Dec(pp,s{k}_{\alpha },C{T}_{\alpha })$: Taking $pp$, $s{k}_{\alpha }$, and $C{T}_{\alpha }$ as input, output a message $\mu$;
• $\mathrm{Re}KeyGen\left(pp,s{k}_{\alpha },p{k}_{\beta },f\right)$: Input $pp$, $s{k}_{\alpha }$ of user $\alpha$, $p{k}_{\beta }$ of user $\beta$, and a control policy/function $f$, returns the re-encryption key $R{K}_{\alpha ,f\to \beta }$ related to $f$ and the corresponding signature, outputs the re-encryption verification key $V{K}_{\alpha \to \beta }$ from user $\alpha$ to user $\beta$;
• $\mathrm{Re}Enc\left(pp,R{K}_{\alpha ,f\to \beta },C{T}_{\alpha }\right)$: With $pp$, $p{k}_{\alpha }$ of user $\alpha$, $C{T}_{\alpha }$ associated with $x$, and $R{K}_{\alpha ,f\to \beta }$ as input. When $f\left(x\right)=0$ remains constant, output the converted ciphertext $C{T}_{\beta }$, otherwise output $\perp$;
• $\mathrm{Re}Enc-Ver\left(V{K}_{\alpha \to \beta },C{T}_{\alpha },C{T}_{\beta }\right)$: If the original ciphertext’s conversion to the re-encryption ciphertext is performed correctly, the output of the authentication algorithm is valid, otherwise output $\perp$ (invalid ciphertext).

Correctness. In an AB-VCPRE scheme, correctness has the following two requirements:

• Decryption correctness.

For security parameter n, attribute vectors $x={\left\{x_i\right\}}_{i\in \left[l\right]}$, message $\mu \in {\left\{0,1\right\}}^m$, the equations below hold

$$Dec(\mathit{pp},s{k}_{\alpha },Enc\left(pp,p{k}_{\alpha },\mu ,x\right))=\mu ;$$

(5)

$$Dec\left(pp,s{k}_{\beta },\mathrm{Re}Enc\left(pp,R{K}_{\alpha ,f\to \beta },C{T}_{\alpha }\right)\right)=\mu ,$$

(6)

where the decryption error is negligible.

2.

Verification correctness.

Verification correctness is satisfied using an AB-VCPRE scheme. We have the probability $\mathrm{Pr}\left[\mathrm{Re}Enc-Ver(V{K}_{\alpha \to \beta },C{T}_{\alpha },C{T}_{\beta })=1\right]=1$ if all converted ciphertexts $C{T}_{\beta }$ are produced by the re-encryption keys $R{K}_{\alpha ,f\to \beta }$ and $\mathrm{Re}Enc(pp,R{K}_{\alpha ,f\to \beta },C{T}_{\alpha })$.

Figure 1. Flow chart of AB-VCPRE.

Figure 1. Flow chart of AB-VCPRE.

4.2. Security Model

Definition 6.

To demonstrate the CPA security of the AB-VCPRE scheme, the game between challenger $\mathcal{C}$ and adversary $\mathcal{A}$ is used.

Init. Before seeing the public parameter $pp$, adversary $\mathcal{A}$ declares a vector of attributes $x^{\ast }$.

Setup. Initialize the public parameters $pp$ in Challenger $\mathcal{C}$ and use the $KeyGen$ algorithm to obtain $\left(s{k}_{\theta },p{k}_{\theta }\right)$, and transmit $pp$ and $p{k}_{\theta }$ to $\mathcal{A}$.

Query phase 1. $\mathcal{A}$ chooses some queries as the following:

• $KeyGen query$${\mathcal{O}}_{KeyGen}$: $\mathcal{A}$ performs a key query. $\mathcal{C}$ runs $KeyGen\left(pp,\beta \right)$ to produce the $\left(p{k}_{\beta },s{k}_{\beta }\right)$;
• $\mathrm{Re}KeyGen query$${\mathcal{O}}_{\mathrm{Re}KeyGen}$: $\mathcal{C}$ runs $\mathrm{Re}KeyGen\left(pp,s{k}_{\alpha },p{k}_{\beta },f\right)$ to provide $r{k}_{\alpha ,f\to \beta }$ when $\mathcal{C}$ receives a re-encryption key query, where $f\left(x^{\ast }\right)=0$ and $p{k}_{\beta }=KeyGen\left(pp,\beta \right)$. And $\mathcal{C}$ responds with verification key by running algorithm $HS.KeyGen(n,d^{hs},N)$;
• $\mathrm{Re}Enc query$ ${\mathcal{O}}_{\mathrm{Re}Enc}$: $\mathcal{A}$ sends $\left(C{T}_{\alpha }, x, f\right)$ to $\mathcal{C}$ where $x\ne x^{\ast }$ and $f\left(x\right)=0$, $\mathcal{C}$ computes a re-encryption key $r{k}_{\alpha ,f\to \beta }$ as in ${\mathcal{O}}_{\mathrm{Re}KeyGen}$ and returns a re-encrypted ciphertext $C{T}_{\beta }$ by running $\mathrm{Re}Enc\left(pp,R{K}_{\alpha ,f\to \beta },C{T}_{\alpha }\right)$.

Challenge phase. $\mathcal{A}$ chooses two messages of the same length ${\mu }_0^{\ast }$ and ${\mu }_1^{\ast }$(${\mu }_0^{\ast }\ne {\mu }_1^{\ast }$), $\mathcal{C}$ executives $C{T}^{\ast }\leftarrow Enc\left(pp,p{k}_{\theta },x^{\ast },{\mu }_b^{\ast }\right)$, where $b\in \left\{0,1\right\}$, and gives back the original ciphertext from $C{T}^{\ast }$ to $\mathcal{A}$.

Query phase 2. Similar to phase 1, $\mathcal{A}$ keeps asking the query.

Guess. $b^{\prime }\in \left\{0,1\right\}$ is guessed by $\mathcal{A}$, and if $b=b^{\prime }$, the game winner is $\mathcal{A}$.

The benefits of $\mathcal{A}$ are described as $\mathrm{Pr}\left[b^{\prime }=b\right]=1/2+negl\left(n\right).$

5. Our Scheme

5.1. Our Scheme Composition

Using the LWE difficulty problem as a basis and the homomorphic signature algorithm, this paper proposes an AB-VCPRE scheme.

• $S\mathrm{et}up\left(n\right)$

Let security parameters $n\in Z$, where $m\ge ⌈6n\log \left(q\right)⌉$, $q/4\ge B\cdot {\left(m+1\right)}^{O\left(d\right)}$.

$①$

Central agency generates random security parameters prime $q$, an error sampling algorithm $\chi$ for B-bounded distributions, $B\ge \sqrt{\mathrm{n}}\cdot \omega \left(\log n\right)$. The boolean circuit’s maximum depth is $d$, the number of attributes is $\ell$, and the Gaussian parameter is $\sigma$, $\sigma =\omega \left({\left(\mathrm{m}+1\right)}^{d+1}\right)\cdot \omega \left(\sqrt{\log m}\right)$;

$②$

Create the corresponding trapdoor matrix $T_{A_{\alpha }}\in {\mathbb{Z}}_q^{m\times m}$ and the matrix $A_{\alpha }\in {\mathbb{Z}}_q^{n\times m}$ by running algorithm $TrapGen\left(1^n,1^m,q\right)$;

$③$

Select $\ell$ uniform matrices $B_1,\dots ,B_{\ell }\in {\mathbb{Z}}_q^{n\times m}$ with random.

$④$

Output public parameters $pp:=\left({\left\{B_i\right\}}_{i\in \left[\ell \right],\chi },\chi \right)$.

2.

$KeyGen\left(pp,\alpha \right)$

Randomly select a matrix $D_{\alpha }\in {\mathbb{Z}}_q^{n\times m}$, and run $R_{\alpha }\leftarrow Sample\mathrm{Pr}e\left(A_{\alpha },T_{\alpha },D_{\alpha },\sigma \right)$, such that $A_{\alpha }{R}_{\alpha }=-D_{\alpha }$.

Output $p{k}_{\alpha }=(A_{\alpha },D_{\alpha }),s{k}_{\alpha }=(R_{\alpha },T_{\alpha })$.

3.

$Enc(pp,p{k}_{\alpha },\mu ,x)$

$①$

Given the plaintext $\mu \in {\left\{0,1\right\}}^m$, attribute vectors $x\in {\left\{0,1\right\}}^{\ell }$, where $x={\left\{x_i\right\}}_{i\in \left[\ell \right]}$. Select random vectors $s\leftarrow {\mathbb{Z}}_q^n$, error vectors $e_1,e_2\leftarrow {\chi }^m$;

$②$

Compute $cc=(c_1,c_2)$:

$$c_1=A_{\alpha }^{T}s+e_1,c_2=D_{\alpha }^{T}s+e_2+⌊q/2⌋\mu .;$$

(7)

$③$

$\mathrm{ca}$ should be set to $\varnothing$ if $x$ is null or none. Or else randomly choose $\ell$ uniform matrices $S_i\leftarrow {\left\{-1,1\right\}}^{m\times m}$ at random, calculate

$$ca=\left({\left\{c_i={(x_{i}G+B_i)}^{T}s+S_i^T{e}_1\right\}}_{i\in \left[\ell \right]}\right)\in {\mathbb{Z}}_q^{\ell m}.$$

(8)

Output ciphertext $C{T}_{\alpha }:=(cc,ca)$;

4.

$Dec(pp,s{k}_{\alpha },C{T}_{\alpha })$

Input $s{k}_{\alpha }=(R_{\alpha },T_{\alpha })$, $C{T}_{\alpha }=(cc,ca)$.

$①$

Compute $\widehat{\mu }=c_2+R_{\alpha }^T{c}_1$. Set ${\mu }_i=1$ for $i\in \left[m\right]$ if $|q/2-{\widehat{\mu }}_i|<q/4$, or else set ${\mu }_i=0$.

Output $\mu \in {\left\{0,1\right\}}^m$;

5.

$\mathrm{Re}KeyGen(pp,s{k}_{\alpha },p{k}_{\beta },f)$

Input $p{k}_{\beta }=(A_{\beta },D_{\beta })$, $s{k}_{\alpha }=(T_{\alpha },R_{\alpha })$, $pp=\left({\left\{B_i\right\}}_{i\in \left[\ell \right],\chi },\chi \right)$, a policy $f\in {\mathcal{F}}_{\ell .d}$.

$①$

Randomly selected matrices $E_1\leftarrow {\chi }^{2km\times n}$, $E_2,E_3\leftarrow {\chi }^{2km\times m}$, $s$ is the Gaussian parameter, and $s=\omega ({\left(m+1\right)}^{\mathrm{d}+3/2})$.

$②$

Let $B_f=Eva{l}_{pk}(f,B_1,\dots ,B_{\ell })$, $F=(A_{\alpha }|B_f)\in {\mathbb{Z}}^{n\times 2m}$. Running $T_{\alpha ,f}\leftarrow SampleBasisLeft(A_{\alpha },B_f,T_{\alpha },\mathrm{s})$. Generate the basic $T_{\alpha ,f}$ for $F$.

$③$

Execute algorithm $Sample\mathrm{Pr}e(F,T_{\alpha ,f},-D_{\alpha },\sigma )$ to produce $R_{\alpha ,f}$, in order to obtain $F{R}_{\alpha ,f}=-D_{\alpha }$, of which $R_{\alpha ,f}\in {\mathbb{Z}}^{2m\times m}$. Compute the re-encryption key:

$$Q=\left[\begin{array}{cc}{E}_1{A}_{\beta }+E_2& E_1{D}_{\beta }+E_3+Power{2}_q(R_{\alpha ,f})\\ 0_{m\times m}& {\mathrm{I}}_{m\times m}\end{array}\right]\in {\mathbb{Z}}_q^{(2km+m)\times 2m};$$

(9)

$④$

Creating the verification key using algorithm $HS.KeyGen(n,d^{hs},N)$ and signature private key $(hsvk,hssk)$, parse each line of $Q$ as $w_i\in {\mathbb{Z}}_q^{2m}(1\le i\le 2mk+m)$, then use the signature algorithm to sign $w_i$ as ${\sigma }_i=HS.Sign(hssk,w_i)$;

$⑤$

To validate the signature, publish $hsvk$. Deliver $Q$ and the associated signature $\left\{R{K}_{\alpha ,f\to \beta }=Q,{\sigma }_i(1\le i\le 2mk+m)\right\}$ across a secure channel to the proxy server;

6.

$\mathrm{Re}Enc(pp,R{K}_{\alpha ,f\to \beta },C{T}_{\alpha })$

Input $pp=\left({\left\{B_i\right\}}_{i\in \left[\ell \right],\chi },\chi \right)$, $R{K}_{\alpha ,f\to \beta }=Q$, $C{T}_{\alpha }=(cc,ca)$.

$①$

Output $\perp$ if $f(x)\ne 0$ or $ca=\varnothing$, or else $c_3=Eva{l}_{ct}(f,{\left\{\left(x_i,B_i,p_i\right)\right\}}_{i\in \left[\ell \right]})$, ${\tilde{c}}_{1,3}=$$(\left[c_1;c_3\right])$. The proxy performs the ciphertext conversion $(c_1^{{}^{\prime }T}|c_2^{{}^{\prime }T})=\left[{\tilde{c}}_{1,3}^T|c_2^T\right]\cdot Q$;

$②$

The valuation circuit is $g_{C_{\alpha }}(Q)=\left[{\tilde{c}}_{1,3}^T|c_2^T\right]\cdot Q$, and the evaluation algorithm from HS creates a signature ${\sigma }_{\alpha \to \beta }=HS.SignEval(g_{C_{\alpha }},{\sigma }_i(1\le i\le 2mk+m))$.

Output $C{T}_{\beta }=\left(c{c}^{\prime }=(c^{\prime }{}_1,c^{\prime }{}_2),c{a}^{\prime }=\varnothing ,{\sigma }_{\alpha \to \beta }\right)$ as converted ciphertext;

7.

$\mathrm{Re}Enc-Ver(hsvk,C{T}_{\alpha },C{T}_{\beta })$

Input verification key $hsvk$, original ciphertext $C{T}_{\alpha }=(cc=(c_1,c_2),{\sigma }_{\ast \to \beta })$, converted ciphertext $C{T}_{\beta }=(c{c}^{\prime }=(c^{\prime }{}_1,c^{\prime }{}_2),{\sigma }_{\alpha \to \beta })$.

Verification algorithm output $HS.Verify(hsvk,g_{C_{\alpha }},c{c}^{\prime },{\sigma }_{\alpha \to \beta })$.

Figure 2 depicts the new AB-VCPRE scheme’s workflow. If Bob wants to share Alice’s content stored on the cloud server, first KGC generates a public key and private key for Alice and Bob and sends the keys to them. Then, Alice generates the re-encryption key and original ciphertext, which are sent to the cloud server and executes the re-encryption algorithm. The cloud server delivers both the original and the re-encryption ciphertext to the authentication server after the re-encryption operation is finished. The authentication server verifies the algorithm for re-encryption. If the verification algorithm outputs 1, the authentication server sends Bob the ciphertext, Bob recovers the message by decrypting the ciphertext matching to it, otherwise output $\perp$.

5.2. Correctness and Parameters

5.2.1. The Correctness of the Original Ciphertext

With the private key $R_{\alpha }$, the original ciphertext can be decrypted.

$$\begin{array}{cc}\hfill \widehat{\mu }& =c_2+R_{\alpha }^T{c}_1\hfill \\ & =D_{\alpha }^{T}s+e_2+⌊q/2⌋\mu +R_{\alpha }^T\left(A_{\alpha }^{T}s+e_1\right)\hfill \\ & =\underset{noise}{\underbrace{e_2+e_1{R}_{\alpha }}}+⌊q/2⌋\mu \hfill \end{array}.$$

(10)

Only if the error $e_2+e_1{R}_{\alpha }$ does not exceed $q/4$ the decryption algorithm is able to correctly recover the plaintext $\mu$. In fact, $\left|\right|e_2+e_1{R}_{\alpha }\left|\right|\le \sqrt{m}B+m\sqrt{m}\sigma B\le B\cdot {\left(1+\mathrm{m}\right)}^{O\left(d\right)}$$\le q/4$.

5.2.2. Correctness of Conversion Ciphertext

After passing one conversion, the corresponding conversion cipher is decrypted as follows:

$$\begin{array}{cc}(c_1^{{}^{\prime }T}\hfill & \left|c_2^{{}^{\prime }T}\right)=\left[{\tilde{c}}_{1,3}^T|c_2^T\right]·Q\hfill \\ \hfill & =\left[{\tilde{c}}_{1,3}^T|c_2^T\right]·\left[\begin{array}{cc}\hfill E_1{A}_{\beta }+E_2\hfill & E_1{D}_{\beta }+E_3+Power{2}_q\left(R_{\alpha ,f}\right)\\ \hfill 0_{m\times m}\hfill & \hfill {\mathrm{I}}_{m\times m}\hfill \end{array}\right]\hfill \\ & =\left[{\tilde{c}}_{1,3}^T·\left(E_1{A}_{\beta }+E_2\right)|{\tilde{c}}_{1,3}^T·\left(E_1{D}_{\beta }+E_3+Power{2}_q\left(R_{\alpha ,f}\right)\right)+c_2^T\right]\hfill \\ & =\left[{\tilde{c}}_{1,3}^T·\left(E_1{A}_{\beta }+E_2\right)|{\tilde{c}}_{1,3}^T·\left(E_1{D}_{\beta }+E_3\right)+{\tilde{c}}_{1,3}^T·Power{2}_q\left(R_{\alpha ,f}\right)+D_{\alpha }{s}^T+e_2^T+⌊q/2⌋{\mu }^T\right]\hfill \\ & =\left[{\tilde{c}}_{1,3}^T·\left(E_1{A}_{\beta }+E_2\right)|{\tilde{c}}_{1,3}^T·\left(E_1{D}_{\beta }+E_3\right)+\left[e_1^T|e_f^T\right]R_{\alpha ,f}+e_2^T+⌊q/2⌋{\mu }^T\right]\hfill \end{array}$$

(11)

Where $A_{\beta }$ and $D_{\beta }$ are the user $\beta$‘s public keys, $\left|\right|E_1\left|\right|\le \sqrt{2k}mB$, $\left|\right|E_2\left|\right|\le \sqrt{2k}mB$, $\left|\right|E_3\left|\right|\le \sqrt{2k}mB$ with overwhelming probability. By the theorem we have:

$$\begin{array}{cc}\hfill {\tilde{c}}_{1,3}^T\cdot Power{2}_q(R_{\alpha ,f})& ={\left[c_1;c_3\right]}^T\cdot R_{\alpha ,f}\hfill \\ & =\left[c_1^T|c_3^T\right]\cdot R_{\alpha ,f}\hfill \\ & =\left[\left(s^{T}A+e_1^T\right)|\left(s^T\left(f\left(x\right)G+B_f\right)+e_f^T\right)\right]\cdot R_{\alpha ,f}\hfill \\ & =\left[\left(s^{T}A+e_1^T\right)|\left(s^T{B}_f+e_f^T\right)\right]\cdot R_{\alpha ,f}\hfill \\ & =\left[s^T\left[A_{\alpha }|B_f\right]+\left[e_1^T|e_f^T\right]\right]\cdot R_{\alpha ,f}\hfill \\ & =-s^T{D}_{\alpha }+\left[e_1^T|e_f^T\right]\cdot R_{\alpha ,f}\hfill \end{array}$$

(12)

where $R_{\alpha ,f}\le \sqrt{2}m\sigma$, $\left|\right|e_f\left|\right|\le B\sqrt{m}{\left(m+1\right)}^d$ with overwhelming probability.

The conversion ciphertext is decrypted by the private key $R_{\beta }$.

$$\begin{array}{c}\left[c_1^{{}^{\prime }T}|c_2^{{}^{\prime }T}\right]\cdot \left[\begin{array}{l}{R}_{\beta }\\ I\end{array}\right]={\tilde{c}}_{1,3}^T\left(E_1{A}_{\beta }+E_2\right)\cdot R_{\beta }+{\tilde{c}}_{1,3}^T\left(E_1{D}_{\beta }+E_3\right)+\left[e_1^T|e_f^T\right]R_{\alpha ,f}+e_2^T+⌊q/2⌋{\mu }^T\\ =\underset{noise}{\underbrace{{\tilde{c}}_{1,3}^T{E}_2{R}_{\beta }+{\tilde{c}}_{1,3}^T{E}_3+\left[e_1^T|e_f^T\right]R_{\alpha ,f}+e_2^T}}+⌊q/2⌋{\mu }^T\end{array}$$

(13)

where:

$$\left|\right|{\tilde{c}}_{1,3}^T{E}_2{R}_{\beta }+{\tilde{c}}_{1,3}^T{E}_3+\left[e_1^T|e_f^T\right]R_{\alpha ,f}+e_2^T\left|\right|\le 2k{m}^2\sqrt{m}\sigma B+2km\sqrt{m}B+2m\sqrt{m}{\left(m+1\right)}^d\sigma B+\sqrt{m}B\le B{\left(m+1\right)}^{O\left(d\right)}\le q/4$$

(14)

with overwhelming probability. Therefore, the value of $\mu$ can be decrypted correctly, i.e., the transformed ciphertext can be decrypted correctly.

In fact, the algorithm can only obtain single-hop, because in $\mathrm{Re}Enc$, we set $c{a}^{\prime }=\varnothing$, which means that the re-encryption ciphertext cannot be encrypted again. This design is our first work and we will investigate this problem and extend it to multi-hop schemes in future work.

5.2.3. Correctness of Ciphertext Verification

In the HS scheme, the re-encryption verifiability is carried out using the algorithm $HS.Verify$. In $AB-VCPRE.\mathrm{Re}Enc\left(pp,R{K}_{\alpha ,f\to \beta },C{T}_{\alpha }\right)$, input the ciphertext $C{T}_{\alpha }$ and the re-encryption key $R{K}_{\alpha ,f\to \beta }$, using $g_{C_{\alpha }}(Q)=\left[Bit{s}_q{(\left[c_1;c_3\right])}^T|c_2^T\right]\cdot Q$ as a valuation circuit, re-encryption key as circuit input, $(c_1^{{}^{\prime }T}|c_2^{{}^{\prime }T})=\left[Bit{s}_q{(\left[c_1;c_3\right])}^T|c_2^T\right]\cdot Q$ can be seen as some computation at the message level and in ${\sigma }_{\alpha \to \beta }=HS.SignEval(g_{C_{\alpha }},{\sigma }_i(1\le i\le$$2mk+m))$, with signature ${\sigma }_i(1\le i\le 2mk+m)$ as input, and it can be interpreted as a computation of the signature level. If ${\sigma }_{\alpha \to \beta }$ is in fact the outcome of an honest computation based on $HS.SignEval(g_{C_{\alpha }},{\sigma }_i(1\le i\le 2mk+m))={\sigma }_{\alpha \to \beta }$, the concept of correctness for homomorphic signature schemes holds. Then $HS.Verify(hsvk,g_{C_{\alpha }},c{c}^{\prime },{\sigma }_{\alpha \to \beta })$ can pass the verification and the verification algorithm’s accuracy is demonstrated.

5.3. Security

Theorem 1 (Security).

The scheme we construct is CPA security under $LW{E}_{n,q,\chi }$ assumption.

Proof of Theorem 1.

A game-based approach is used in this proof. A challenger $\mathcal{C}$ can be built to resolve the LWE presumption if it is possible for an adversary $\mathcal{A}$ to breach the CPA’s security.

Game 0: In the original CPA attack paradigm described in Section 3, this is a true game between $\mathcal{A}$ and $\mathcal{C}$.

Game 1: Same as game 0, but with a change in the way the common matrix ${\left\{B_i\right\}}_{i\in \left[\ell \right]}$ is generated. On receipt of $x^{\ast }$, $\mathcal{C}$ generates $\ell$ uniformly random small parametric matrices $S_1^{\ast },\dots ,S_{\ell }^{\ast }\in {\left\{-1,1\right\}}^{m\times m}$, calculate $B_i=A^{\ast }{S}_i^{\ast }-x_i^{\ast }G$ where $i\in \left[\ell \right]$. □

Lemma 5.

Game 0 is statistically indistinguishable from game 1.

Proof of Lemma 5.

In game 0, ${\left\{B_i\right\}}_{i\in \left[\ell \right]}$ is a random uniform matrix on ${\mathbb{Z}}_q^{n\times m}$. In the challenge query, ${\left\{S_i^{\ast }\right\}}_{i\in \left[\ell \right]}$ is the construction of the generated challenge ciphertext $c^{\ast }$ random matrix. However, in game 1, $e\in {\chi }^m$ serves as the error vector and $S_i$ is used to generate $B_i$ and $c^{\ast }$. By Lemma 2, the distribution $\left(A^{\ast },{\left\{A^{\ast }{S}_i^{\ast }\right\}}_{i\in \left[\ell \right]},e\right)$ and $\left(A^{\ast },{\left\{A_i^{\ast }\right\}}_{i\in \left[\ell \right]},e\right)$ are statistically equivalent for any ${\left\{A_i^{\ast }\right\}}_{i\in \left[\ell \right]}\in {\mathbb{Z}}_q^{n\times m}$. Hence, no statistically significant difference exists between the common matrix ${\left\{B_i\right\}}_{i\in \left[\ell \right]}$ in games 0 and 1. This shows that there is no statistically significant difference between games 0 and 1. □

Game 2: Challenger $\mathcal{C}$ randomly selects $A_{\theta }$ on ${\mathbb{Z}}_q^{n\times m}$ with no trapdoor and utilizes the $TrapGen$ to produce $B$ and its trapdoor $T_B$.

KeyGen query ${\mathcal{O}}_{KeyGen}$. $\mathcal{A}$ performs a key query. $\mathcal{C}$ run $KeyGen\left(pp,\beta \right)$ to produce the $\left(p{k}_{\theta },s{k}_{\theta }\right)$, output $p{k}_{\beta }$ to $\mathcal{A}$.

ReKeyGen query ${\mathcal{O}}_{\mathrm{Re}KeyGen}$. When adversary $\mathcal{A}$ interrogates ${\mathcal{O}}_{\mathrm{Re}KeyGen}\left(p{k}_{\alpha },p{k}_{\beta },f\right)$ to make $f\left(x^{\ast }\right)\ne 0$, challenger $\mathcal{C}$ executes $Eva{l}_{sim}$ of Lemma 4 to create a re-encryption key.

• $pp=\left({\left\{B_i\right\}}_{i\in \left[\ell \right]},\chi \right)$, $p{k}_{\beta }=\left(A_{\beta },D_{\beta }\right)$, policy $f\in {\mathcal{F}}_{\ell ,d}$, set $B_f=Eva{l}_{pk}\left(f,\left(B_1,\dots ,B_{\ell }\right)\right)$, a policy $F=\left(A_{\theta }|B_f\right)\in {\mathbb{Z}}^{n\times 2m}$;
• Run $S_f^{\ast }\leftarrow Eva{l}_{sim}\left(f,{\left\{\left(S_i^{\ast },x_i^{\ast }\right)\right\}}_{i\in \left[\ell \right]},A\right)$ to make $A{S}_f^{\ast }-f\left(x^{\ast }\right)G=B_f$. It follows from the definition of $Eva{l}_{sim}$ that there is $\left|\right|S_f^{\ast }|{|}_2<{\left(1+m\right)}^{d+1}$;
• $\mathcal{C}$ executive $SampleBasisRight\left(A_{\theta },G,S_f^{\ast },T_G,s\right)$ to generate short basic $T_{\theta ,f}$ of $\left(A_{\theta }|B_f\right)$. Run $Sample\mathrm{Pr}e\left(F,T_{\theta ,f},-D_{\theta },\sigma \right)$ to produce $R_{\theta ,f}\in {\mathbb{Z}}^{2m\times m}$, hence, an equals $F{R}_{\theta ,f}=-D_{\theta }$;
• When $f\left(x^{\ast }\right)\ne 0$, let ${\overline{R}}_{\alpha ,f}=Power{2}_q\left(R_{\alpha ,f}\right)$, matrix $E_1\leftarrow {\chi }^{2km\times n}$, $E_2,E_3\leftarrow {\chi }^{2km\times m}$, create the matrix

$$Q=\left[\begin{array}{cc}{E}_1{A}_{\beta }+E_2& E_1{D}_{\beta }+E_3+Power{2}_q({\overline{R}}_{\theta ,f})\\ 0_{m\times m}& {\mathrm{I}}_{m\times m}\end{array}\right]\in {\mathbb{Z}}_q^{(2km+m)\times 2m};$$

(15)

5.

When $f\left(x^{\ast }\right)=0$, let ${\overline{R}}_{\alpha ,f}=Power{2}_q\left(R_{\alpha ,f}\right)$, matrix $E_1\leftarrow {\chi }^{2km\times n}$, $E_2,E_3\leftarrow {\chi }^{2km\times m}$, select a random uniform distribution matrix $M\in {\mathbb{Z}}_q^{2km\times m}$, create the matrix

$$Q=\left[\begin{array}{cc}{E}_1{A}_{\beta }+E_2& M+{\overline{R}}_{\theta ,f})\\ 0_{m\times m}& {\mathrm{I}}_{m\times m}\end{array}\right]\in {\mathbb{Z}}_q^{(2km+m)\times 2m}.$$

(16)

Then $\mathcal{A}$ send the challenger $\mathcal{C}$ some re-encryption verification questions, who will then carry out the operation honestly and report the results to the adversary $\mathcal{A}$.

ReEnc query ${\mathcal{O}}_{\mathrm{Re}Enc}$. $\mathcal{C}$ output $\mathrm{Re}Enc\left(pp,C{T}_{\alpha },R{K}_{\theta ,f\to \beta }\right)$.

Lemma 6.

Game 1 is computationally indistinguishable from game 2.

Proof of Lemma 6.

The technique employed to generate the re-encryption key differs between games 1 and 2. When $f\left(x^{\ast }\right)=0$ hold, here is the re-encryption key:

$$r{k}_{\theta ,f\to \beta }=\left\{\begin{array}{l}\left[\begin{array}{cc}{E}_1{A}_{\beta }+E_2& E_1{D}_{\beta }+E_3+{\overline{R}}_{\theta ,f}\\ 0_{m\times m}& {\mathrm{I}}_{m\times m}\end{array}\right]\hspace{1em}in Game 1\\ \left[\begin{array}{cc}{E}_1{A}_{\beta }+E_2& M+{\overline{R}}_{\theta ,f})\\ 0_{m\times m}& {\mathrm{I}}_{m\times m}\end{array}\right]\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}in Game 2\end{array}\right.$$

(17)

Corollary 1.

By applying the standard mixing parameters, the ensuing distributions cannot be distinguished computationally. Otherwise, there is a useful algorithm for resolving the $LW{E}_{n,q,\chi }$ problem.

 1.

$\left(D,DY+F\right)$ and $\left(D,V\right)$, where $D\leftarrow {\mathbb{Z}}_q^{n\times m}$, $Y\leftarrow {\chi }^{\mathrm{m}\times \ell }$, $F\leftarrow {\chi }^{n\times \ell }$, $V\leftarrow {\mathbb{Z}}_q^{n\times \ell }$;

 2.

$(D,K,DY+F,KY+F^{\prime })$ and $(D,K,DY+F,K{Y}^{\prime }+F^{\prime })$, where $D,K\leftarrow {\mathbb{Z}}_q^{n\times m}$, $Y,Y^{\prime },F,F^{\prime }\leftarrow {\chi }^{n\times m}$;

 3.

$(D,{\{D{Y}_i+F_i\}}_{i\in [t]})$ and $(D,{\left\{V_i\right\}}_{i\in [t]})$, where $D\leftarrow {\mathbb{Z}}_q^{n\times m}$, $Y_i\leftarrow {\chi }^{n\times m}$, $F_i\leftarrow {\chi }^{n\times \ell }$, $V_i\leftarrow {\mathbb{Z}}_q^{n\times \ell }$ for $i\in [t]$, $t=poly(n)$.

By Corollary 1, under the LWE assumption, it is evident that game 1 and game 2 are computationally indistinguishable.

Additionally, the private key creation mechanism is undetected from game 1 to game 2, and the produced private key continues to satisfy $A_{\alpha }{R}_{\alpha }=D_{\alpha }$, while the re-encryption key is selected from the uniform distribution, which is similar to the standard LWE distribution. Furthermore, because homomorphic signatures are non-negligible, the adversary in the CPA game cannot offer an invalid ciphertext to pass re-encryption verification, that is, re-encryption verification provides no auxiliary capacity to the adversary.

On the other side, to demonstrate it, if $\mathcal{A}$ succeeds in the re-encryption verifiability game, then by interacting with challenger $\mathcal{C}$, the simulator $\mathcal{S}$ can break the homomorphic signature’s unforgeability.

The verification key $hsvk$ is first acquired by the simulator $\mathcal{S}$ from $\mathcal{C}$. The re-encryption key $R{K}_{\theta ,f\to \beta }^{\ast }$ is then chosen by adversary $\mathcal{A}$ as the one it wants to assault, and the simulator s is provided $R{K}_{\theta ,f\to \beta }^{\ast }$ by $\mathcal{A}$. To create the signature, $\mathcal{S}$ asks the message $R{K}_{\theta ,f\to \beta }^{\ast }$ for a homomorphic signature to obtain ${\sigma }_i\left(1\le i\le 2mk+m\right)$ and then gives it back to $\mathcal{A}$. The challenger $\mathcal{C}$ then calculates $HS.Verify\left(hsvk,g_{C_{\alpha }},c{c}^{\ast },{\sigma }_{\theta \to \beta }^{\ast }\right)$ whenever $\mathcal{A}$ outputs a false re-encryption ciphertext $C{T}_{\beta }^{\ast }=\left(c{c}^{\ast }=\left(c_1^{\ast },c_2^{\ast }\right),c{a}^{\ast }=\varnothing ,{\sigma }_{\theta \to \beta }^{\ast }\right)$ after the simulator $\mathcal{S}$ has parsed it, where $g_{C_{\alpha }}$ is an evaluation circuit converted from the original ciphertext.

If $\mathcal{A}$ wins the verifiability of re-encryption, the forgery of $\mathcal{A}$‘s signature ${\sigma }_{\theta \to \beta }^{\ast }$ can pass $HS.Verify$, which also counts as a valid homomorphic signature. Therefore, breaking the unforgeability of the homomorphic signature provides the same advantage as breaking the re-encryption verifiability of the AB-VCPRE scheme. When all of the aforementioned factors are considered, game 1 and game 2 are similar from the standpoint of the adversary. □

Game 3: Similar to game 2, except that the challenge cipher $C{T}^{\ast }=(c_1^{\ast }, c_2^{\ast })\in {\mathbb{Z}}^{2m\times 1}$ given to the opponent is no longer honestly generated, but chosen evenly and randomly in ${\mathbb{Z}}^{2m\times 1}$. Due to the fact that the challenge cipher is a random factor in the cipher space, it is independent of ${\mu }_0^{\ast }$ and ${\mu }_1^{\ast }$, so there is zero advantage to the $\mathcal{A}$ in this game.

Lemma 7.

Game 2 is statistically indistinguishable from game 3.

Proof of Lemma 7.

If $\mathcal{A}$ distinguishes game 2 from game 3 with a non-negligible advantage, then there is a simulator $\mathcal{S}$ that can use the information acquired by $\mathcal{A}$ to resolve the $LW{E}_{n,q,\chi }$ problem. □

LWE instance. The simulator $\mathcal{S}$ requests the LWE prophesy device to acquire an LWE instance $\left(Y,b\right)\in {\mathbb{Z}}_q^{n\times 2m}\times {\mathbb{Z}}_q^{2m}$, possibly $\left(Y,b\right)$ is a truly random distribution or $b=Y^{T}s+e$ is a pseudo-random distribution of noise $e\in {\chi }^m$ from the LWE.

Public parameters. Let $\left[A_{\theta }|D_{\theta }\right]:=Y$, sample a uniform matrix $D_{\theta }\leftarrow {\mathbb{Z}}_q^{n\times m}$ to generate a randomly identified public key $A_{\theta }\leftarrow {\mathbb{Z}}_q^{n\times m}$, select $\ell$ random matrices $\left(S_1^{\ast },\dots ,S_{\ell }^{\ast }\right)\leftarrow {\left\{-1,1\right\}}^{m\times m}$, and let $B_i=A_{\theta }{S}_i^{\ast }-x_i^{\ast }G$ for $i\in \left[\ell \right]$. Then the common matrix $pp=({\{B_i=A_{\theta }{S}_i^{\ast }-x_i^{\ast }G\}}_{i\in [\ell ], \chi })$, public key $pk:=\left(A_{\theta },D_{\theta }\right)$.

Queries. As with game 2, $\mathcal{B}$ answers all of $\mathcal{A}$‘s queries.

Challenge ciphertext. Generate challenge cipher via LWE instance

$$\left[c_1;c_2\right]:=z;$$

(18)

$$\left[c_{11}^T|\dots |c_{\ell \ell }^T\right]=c_1^T\left[S_1^{\ast }|\dots |S_{\ell }^{\ast }\right].$$

(19)

The answer to $\mathcal{A}$ is then returned. In this case, the distribution of the challenge cipher is the same as that of game 2.

$$\begin{array}{cc}\hfill z& =\left[c_1;c_2\right]\hfill \\ & =Y^{T}s+e\hfill \\ & ={\left[A_{\theta }|D_{\theta }\right]}^{T}s+\left[e_1;e_2\right]\hfill \end{array}$$

(20)

where $Y\leftarrow {\mathbb{Z}}_q^{n\times 2m}$, $s\leftarrow {\mathbb{Z}}_q^n$, $e\leftarrow {\chi }^{2m}$.

Challenge ciphertext:

$$c_1=A_{\theta }^{T}s+e_1,c_2=D_{\theta }^{T}s+e_2+⌊q/2⌋\mu ;$$

(21)

$$ca={\left\{c_i={(x_i^{\ast }G+B_i)}^{T}s+{(S_i^{\ast })}^T{e}_1\right\}}_{i\in \left[\ell \right]}.$$

(22)

Then through $B_i=A_{\theta }{S}_i^{\ast }-x_i^{\ast }G$, there is

$$\begin{array}{cc}\hfill \left[c_{11}^T|\dots |c_{\ell \ell }^T\right]& =\left[s^T{A}_{\theta }{S}_1^{\ast }+e_1^T{S}_1^{\ast }|\dots \dots |s^T{A}_{\theta }{S}_{\ell }^{\ast }+e_1^T{S}_{\ell }^{\ast }\right]\hfill \\ & =\left(s^T{A}_{\theta }+e_1^T\right)\left[S_1^{\ast }|\dots \dots |S_{\ell }^{\ast }\right].\hfill \end{array}$$

(23)

Statistically, the challenge ciphertext is indistinguishable in the alternative scenario if $Y$ and $z$ are chosen consistently, according to the leftover hash lemma [25].

Output. The simulator $\mathcal{S}$ outputs $\mathcal{A}$‘s guess after $\mathcal{A}$ predicts whether it interacts with game 2 or game 3. $\mathcal{S}$ can solve the $LW{E}_{n,q,2m,\chi }$ problem with the same probability if $\mathcal{A}$ can distinguish between games 2 and 3. However, the $LW{E}_{n,q,2m,\chi }$ problem is mysterious, so game 3 cannot be won by $\mathcal{A}$.

The Proof of Theorem 1 is completed by considering game 0 to game 3.

Theorem 2 (Robustness).

The new AB-VCPRE scheme fulfills robustness if the homomorphic signature ${\Pi }_{HS}$ satisfies unforgeability.

Proof of Theorem 2.

Using a randomly selected evaluation circuit, a dishonest proxy server is able to obtain an invalid re-encryption ciphertext share and corresponding signature. However, the original ciphertext should describe the right evaluation circuit. When the correct evaluation circuit diverges from the forgery, verification fails, allowing the proxy server to convert the data truthfully.

Homomorphic signatures can be used to demonstrate the robustness of the new scheme. If $\mathcal{A}$ can defeat the game outlined in Definition 6, then by collaborating with $\mathcal{C}$ in the homomorphic signature security model, it is able to build a simulator $\mathcal{S}$ that compromises the homomorphic signatures’ unforgeability. Here is the procedure.

$\mathcal{A}$ picks the re-encryption key it wishes to attack once the simulator $\mathcal{S}$ receives the challenger $\mathcal{C}$‘s verification key $hsvk$. When $\mathcal{A}$ sends simulator $\mathcal{S}$ a forged re-encryption ciphertext share $C{T}_{\beta }^{\ast }=\left(c{c}^{\ast }=\left(c_1^{\ast },c_2^{\ast }\right),c{a}^{\ast }=\varnothing ,{\sigma }_{\theta \to \beta }^{\ast }\right)$, $\mathcal{S}$ processes it to obtain $\left(hsvk,c{c}^{\ast }=\left(c_1^{\ast },c_2^{\ast }\right),g_{C_{\alpha }},{\sigma }_{\theta \to \beta }^{\ast }\right)$ and submits it to an oracle as a forged homomorphic signature.

If $\mathcal{A}$ succeeds in the robustness game, then $C{T}_{\beta }^{\ast }\ne \mathrm{Re}Enc\left(pp,R{K}_{\theta ,f\to \beta },C{T}_{\theta }\right)$, but $HS.Verify\left(hsvk,c{c}^{\ast }\right)=1$, this also means that $HS.Verify\left(hsvk,g_{C_{\alpha }},c{c}^{\ast },{\sigma }_{\theta \to \beta }^{\ast }\right)$ was able to pass the verification, so the simulator $\mathcal{S}$ successfully forged an illegal signature, which will be submitted to oracle later. This indicates that the homomorphic signature algorithm’s unforgeability has been compromised.

Thus, if the homomorphic signature algorithm ${\Pi }_{HS}$ meets the requirement for unforgeability, the signature is considered unforgeable. The new AB-VCPRE is capable of achieving robustness. □

Theorem 3 (Weak collusion resistance).

The new AB-VCPRE scheme can realize weak collusion resistance, if the LWE problem is difficult.

Proof of Theorem 3.

Weak collusion resistance is that when an agent with a re-encryption key colludes with a trustee with a re-encryption key, the agent obtains only an approximate result, not an exact result.

The re-encryption key is $E_1{A}_{\beta }+E_2$ and $E_1{D}_{\beta }+E_3+Power{2}_q(R_{\alpha ,f})$, which can be further expressed as

$$\left[\begin{array}{l}{A}_{\beta }\\ D_{\beta }\end{array}\right],E_1\left[\begin{array}{l}{A}_{\beta }\\ D_{\beta }\end{array}\right]+\left[\begin{array}{l}{E}_2\\ E_3+Power{2}_q\left(R_{\alpha ,f}\right)\end{array}\right]$$

(24)

This is a standard LWE distribution that is not different from unified distribution, nor can anyone obtain any useful information about private keys. After collusion, Bob encrypted the above equation with his private key $R_{\beta }$ and got $E_2{R}_{\beta }+E_3+Power{2}_q\left(R_{\alpha ,f}\right)$. As the noise generated during re-encryption is very low, the encryption message can be well restored by $E_2{R}_{\beta }+E_3+Power{2}_q\left(R_{\alpha ,f}\right)$. Therefore, in the case of collusion, the private key seems to have all been compromised. However, this is not the case. We can restore an equivalent private key, but this equivalent private key is different from the original private key. We provide the following two explanations. On the one hand, any data that can initially be decrypted by $S{K}_{\alpha }$ can be easily re-encrypted and read by an enemy who possesses both $R{K}_{\alpha ,f\to \beta }$ and $S{K}_{\beta }$. On the other hand, they are unable to determine the delegator’s precise private key $S{K}_{\alpha }$ from the equation above. Although Power2 is an easy-to-reverse feature, because it contains some noise from $E_2{R}_{\beta }+E_3$, you cannot obtain an exact private key from the first n-line of $E_2{R}_{\beta }+E_3+Power{2}_q\left(R_{\alpha ,f}\right)$. Therefore, the method proposed in this project has weak collusion resistance. □

6. Efficiency Analysis

Paper [15] proposed a CPRE algorithm based on DBDH, which supports fine-grained authorization and collision resistance security, however, it cannot achieve robustness. Paper [11] and paper [12] are PRE schemes with verification, both of which are robust and the method for achieving robustness is zero-knowledge proof with a decisional discrete logarithm tool, but are not as low complexity as the schemes in this paper. In addition, paper [12] is based on discrete logarithmic constructions and is not resistant to quantum attacks. Although paper [11] is a scheme using lattice construction, which seems to be resistant to quantum attacks, the robustness verification tool is a decisional discrete logarithm, so in general the scheme is not resistant to quantum attacks.

Table 1. Comparison of related work.

	Construction Tool	Resisting Quantum Attack	Robustness	Method for Robustness	Tool for Robustness
Scheme [15]	DBDH	No	No	None	None
Scheme [12]	Discrete logarithm	No	Yes	zero-knowledge proof	Decisional discrete logarithm
Scheme [11]	Lattice	No	Yes	zero-knowledge proof	Decisional discrete logarithm
Our scheme	Lattice	Yes	Yes	Homomorphic signature	Lattice

demonstrates that the approach presented in this paper is not only robust to proxy re-encryption but also simple to implement and resistant to quantum attacks.

In

Table 2. Computational and communication complexity comparison.

	Message	Size of Ciphertext	Size of Re-Encryption Key	Encryption Complexity	Re-Encryption Complexity	Verification Complexity
Scheme [15]	$\{0,1\}$	8$\left|{\mathbb{Z}}_q\right|$	8$\left|{\mathbb{Z}}_q\right|$	$T_p+8T_e+T_s$	$2T_p+T_e+T_v$	None
Scheme [12]	${\{0,1\}}^m$	4$\left|{\mathbb{Z}}_q\right|$	6$\left|{\mathbb{Z}}_q\right|$	$3T_e+T_m$	$3T_e+T_m$	$2T_e+T_h$
Scheme [11]	$\{0,1\}$	$\left(n+1\right)\left|{\mathbb{Z}}_q\right|$	$\left(nm+1\right)\left(n+1\right)\left|{\mathbb{Z}}_q\right|$	$2T_m$	$2T_m$	$\left(nm+1\right)\left(\mathrm{n}+1\right)T_e$
Our scheme	${\{0,1\}}^m$	$\left(\ell +2\right)m\left|{\mathbb{Z}}_q\right|$	$\left(4k+2\right)m^2\left|{\mathbb{Z}}_q\right|$	$5T_m$	$3T_m+T_s$	$T_h+T_{GVP}$

, the efficiency of the scheme is analyzed through plaintext space, size of ciphertext, size of re-encryption key, encryption complexity, re-encryption complexity, and robustness verification complexity. $\left|{\mathbb{Z}}_q\right|$ represents an integer on modulo q. $T_p$, $T_e$, $T_s$, $T_v$, and $T_m$ denote the computation of pairing, modular exponentiation, signature, ciphertext verification, and multiplication operation, respectively. $T_h$, $T_{GVP}$, respectively, represent the time spent for the hash function and the GVP algorithm. Table 2 demonstrates that the computational complexity of the literature [15] is worse than that of the proposed scheme, and is not robust. In terms of robustness verification complexity, when a boolean circuit evaluates the original signature, homomorphic signature computation is a boolean operation that is more straightforward and effective. Here, we choose the linear homomorphic signature scheme based on the difficult problem of SIS on the lattice proposed in paper [26] for comparison. Compared with the scheme [12], the proposed scheme has better re-encryption complexity, encryption complexity, and robustness verification complexity. Compared with the scheme [11], the proposed scheme in this paper only needs to pay some extra cost to encrypt the message vector, and the robustness verification complexity is lower.

7. Conclusions

By using homomorphic signatures, this paper proposes an AB-VCPRE scheme, which solves the problem of being unable to detect illegal proxy behavior in traditional PRE schemes. The scheme is robust enough to allow proxy servers that have sent invalid transformed ciphertext shares to be detected. In terms of security, the scheme is CPA security based on a LWE problem and is resistant to quantum attacks. In terms of efficiency, the scheme has advantages in re-encryption and robustness verification computational efficiency. In addition, there is some room for improvement in the performance of our solutions, and constructing a multi-hopping PRE scheme will be the focus of our next work.