A Lattice-Based Homomorphic Proxy Re-Encryption Scheme with Strong Anti-Collusion for Cloud Computing

A homomorphic proxy re-encryption scheme combines the characteristics of a homomorphic encryption scheme and a proxy re-encryption scheme. The proxy can not only convert a ciphertext of the delegator into a ciphertext of the delegatee, but can also homomorphically evaluate original ciphertexts and re-encrypted ciphertexts belonging to the same user, so it is especially suitable for cloud computing. Yin et al. put forward the concept of a strong collusion attack on proxy re-encryption schemes and demonstrated such an attack on an existing scheme. The existing homomorphic proxy re-encryption schemes use key switching algorithms to generate re-encryption keys, so they cannot resist strong collusion attacks. In this paper, we construct the first lattice-based homomorphic proxy re-encryption scheme with strong anti-collusion (HPRE-SAC). First, the algorithm TrapGen is used to generate an encryption key and a trapdoor; then trapdoor sampling is used to generate the decryption key and the re-encryption key, respectively. Finally, in order to preserve the homomorphism of ciphertexts, a key switching algorithm is used only to generate the evaluation key. Compared with the existing homomorphic proxy re-encryption schemes, our HPRE-SAC scheme not only resists strong collusion attacks but also has smaller parameters.


Introduction
Lattice-based cryptography is a family of public-key cryptosystems widely believed to resist attacks by quantum computers. Lattice-based cryptosystems have attracted the attention of many researchers, on the one hand because they need only simple linear operations rather than the modular exponentiations of traditional number-theoretic cryptosystems (such as RSA), and on the other hand because their security can be based on worst-case hard problems (such as SIVP and GapSVP). Two basic average-case problems have been shown to enjoy such worst-case hardness guarantees: the learning with errors (LWE) problem [1,2] and the small integer solution (SIS) problem [3].
Public-key encryption (PKE) is one of the most fundamental primitives in cryptography. In recent years, several lattice-based PKE schemes have been constructed from LWE and SIS [4–6]. Fully homomorphic encryption (FHE) is a kind of PKE that allows one to compute arbitrary functions over encrypted data without the decryption key. In an FHE scheme, the data owner can produce ciphertexts $E(m_1), \dots, E(m_n)$ of data $m_1, \dots, m_n$ under the encryption key pk (with corresponding decryption key sk). Anyone can efficiently compute a compact ciphertext that encrypts $f(m_1, \dots, m_n)$ for any efficiently computable function $f$, but only the holder of sk can recover $f(m_1, \dots, m_n)$ by decrypting it [7,8]. This property makes FHE attractive in many scenarios, such as cloud computing [9,10].
With the emergence of cloud computing, the setting has shifted from a single user to multiple users at one or both communication ends. Most of the existing FHE

Related Work
Proxy re-encryption (PRE) was introduced by Bleumer et al. [11] and has many applications, such as encrypted e-mail forwarding, vehicular ad hoc networks, distributed file systems [12] and cloud sharing [13–17]. Many PRE schemes with special properties have been constructed to meet the increasingly complex requirements of cloud sharing, for example: conditional PRE [18,19], in which only ciphertexts satisfying a condition can be converted by the proxy; attribute-based PRE [20,21], which transforms a ciphertext under one access policy into a ciphertext under another; broadcast PRE [22,23], which converts a ciphertext into ciphertexts for a set of users at once; unidirectional PRE [24,25], in which the proxy can use the re-encryption key to convert the delegator's ciphertexts into the delegatee's but not the reverse (otherwise the scheme is bidirectional); multi-hop PRE [26,27], in which the proxy can convert a re-encrypted ciphertext again into a re-encrypted ciphertext for another user (otherwise the scheme is single-hop); homomorphic PRE (HPRE) [19,28]; and so on.
Security is an important measure of the practicality of a PRE scheme. At present, the security of a PRE scheme mainly involves post-quantum security, semantic security, key privacy, anti-collusion, and so on. PRE can be constructed from the Diffie-Hellman assumption, but that assumption is not post-quantum secure. It is therefore necessary to construct PRE from LWE, which is generally believed to resist quantum attacks. Xagawa [29] constructed the first LWE-based PRE, but the scheme lacks a complete security analysis, is bidirectional, and cannot resist collusion attacks. Compared with bidirectional PRE, unidirectional PRE better matches the security requirements of cloud sharing. A collusion attack means that the delegatee and the proxy conspire to compute the decryption key of the delegator.
Aono et al. [30] constructed a unidirectional re-encryption scheme based on LWE and proved that it has key privacy. Key privacy [31] means that even if an active proxy colludes with a set of malicious users, it cannot learn from the re-encryption key the identities of the participants involved or the content of their encrypted messages. Singh et al. [32] pointed out that the scheme of Aono et al. [30] cannot resist collusion attacks and constructed a collusion-resistant PRE scheme based on it. Kirshanova [33] constructed the first chosen-ciphertext attack (CCA) secure lattice-based PRE scheme. Nishimaki et al. [34] constructed two unidirectional single-hop key-private PRE schemes based on LWE and proved them chosen-plaintext attack (CPA) secure. Hou et al. [35] constructed an efficient identity-based PRE over lattices and proved it CPA secure in the standard model, but the scheme is bidirectional and cannot resist collusion attacks. Yin et al. [36] constructed a unidirectional identity-based PRE under LWE and proved it CPA secure in the standard model. Yin et al. [37] put forward the concept of a strong collusion attack (see Definition 7) relative to the traditional collusion attack, which they call a weak collusion attack. They showed by example that even if the colluding parties cannot compute the delegator's decryption key but can obtain an approximation of it, they can still mount a strong collusion attack on the scheme of Aono et al. [30] and correctly decrypt the delegator's ciphertexts.
Zhong et al. [38] constructed a many-to-one homomorphic encryption scheme based on the approximate GCD problem, which supports homomorphic addition and multiplication over multi-party ciphertexts, but it is not lattice-based. Since its introduction, FHE [7,8] has attracted much attention and several FHE schemes have been constructed from LWE. Because noise is added at encryption for security, the noise grows with every homomorphic operation in an LWE-based FHE scheme, and for correct decryption the final noise must stay below some bound, so controlling noise is a central issue. A number of techniques have been proposed for this purpose: Brakerski et al. [39] proposed re-linearization and dimension-modulus reduction; Brakerski et al. [40] proposed modulus switching; Brakerski [41] proposed the scale-invariant technique; Gentry et al. [42] proposed the approximate eigenvector method. These are also the main techniques for controlling noise growth in homomorphic proxy re-encryption schemes.
Jiang et al. [26], building on [43], constructed a multi-hop unidirectional lattice-based proxy re-encryption scheme, but it supports only one homomorphic multiplication. Ma et al. [19,28], building on [42], constructed a single-hop homomorphic proxy re-encryption scheme from lattices that lets a user homomorphically evaluate original and re-encrypted ciphertexts, which may come from different users. Li et al. [44,45] constructed a single-hop homomorphic proxy re-encryption scheme via key-homomorphic computation and obtained a multi-hop scheme using a branching program. Li et al. [46], building on [47], constructed a lattice-based homomorphic proxy re-encryption scheme that is more flexible than [19,28]. All of these HPRE schemes are CPA secure but cannot resist strong collusion attacks. Table 1 compares these PRE schemes with respect to the LWE assumption, semantic security, multi-hop, unidirectionality, homomorphic encryption (HE) and strong anti-collusion. In this paper, we construct a lattice-based homomorphic proxy re-encryption scheme with strong anti-collusion; Table 1 shows that our scheme has all of the above properties.

Our Contribution
At present, there are two main methods of constructing the re-encryption key in lattice-based proxy re-encryption schemes: the key switching algorithm (see Lemma 6) and trapdoor sampling (see Lemma 3). The key switching algorithm in effect encrypts the delegator's decryption key under the delegatee's encryption key, hiding it with noise. Therefore, when the delegatee colludes with the proxy, an approximate value of the delegator's decryption key can be recovered, namely the decryption key plus the noise. Thus a re-encryption key constructed by key switching can only resist a weak collusion attack, not a strong one. Trapdoor sampling, by contrast, cannot be inverted: given $x \leftarrow \mathrm{SamplePre}(A, T_A, u, \sigma, c)$, neither $T_A$ nor an approximation of $T_A$ can be recovered from $x, A, u, \sigma, c$, so it can resist a strong collusion attack.
Because an HPRE scheme has to be built on a basic homomorphic encryption scheme, and lattice-based homomorphic encryption schemes mostly rely on key switching, modulus switching and the approximate eigenvector method to control the noise growth of homomorphic multiplication, the current HPRE schemes [28,44–46] use a key switching algorithm to generate the re-encryption key. Key switching not only yields a re-encryption key but also preserves the homomorphism of the ciphertext. However, a re-encryption key generated by key switching only achieves weak anti-collusion, not strong anti-collusion, whereas a re-encryption key generated by trapdoor sampling achieves strong anti-collusion but does not by itself preserve the homomorphism of the ciphertext. This is the difficulty in constructing an HPRE scheme with strong anti-collusion: we need trapdoor sampling to generate a re-encryption key that nevertheless preserves the homomorphism of the ciphertext.
In this paper, the ciphertext is divided into two parts, one of which is used to encrypt the plaintext, while ensuring the homomorphism of the ciphertext. In the other part of ciphertext, trapdoor sampling technology can be used to generate the re-encryption key. Therefore, it is necessary to modify the existing homomorphic encryption scheme to make the ciphertext meet the above two requirements.
(1) Firstly, we use the trapdoor technology of [48] to modify the scheme of [1] and construct an L-homomorphic encryption scheme. (2) Then, based on the L-homomorphic encryption scheme proposed in this paper, we construct an HPRE-SAC scheme by using trapdoor sampling technology and a key switching algorithm. (3) Finally, a direct application of the HPRE-SAC scheme is given, that is, secure computing of personal health records (PHRs) in the cloud.
Compared with the existing HPRE schemes [28,44–46], our HPRE-SAC scheme not only resists the strong collusion attack but also has smaller parameters. It is therefore more suitable for cloud computing scenarios.

Paper Organization
The rest of this paper is organized as follows. Section 2 gives preliminaries. Section 3 describes the building blocks. Section 4 describes an L-homomorphic encryption scheme. Section 5 describes the HPRE-SAC scheme. Section 6 concludes.

Preliminaries
We employ the notation listed in Table 2 and let $\mathbb{Z}_q = [-q/2, q/2) \cap \mathbb{Z}$. When $A$ is a matrix, $\mathrm{P2}(A)$ denotes the matrix obtained by applying $\mathrm{P2}$ to each column of $A$.

Table 2. Notation.
- $x$: a scalar
- rounding: $x$ rounded to the nearest integer
- $(X; Y)$: the concatenation of the rows of $X$ and $Y$
- $x \leftarrow \chi$: $x$ is sampled according to the probability distribution $\chi$
- $x \leftarrow S$: $x$ is sampled uniformly from the set $S$
- $X \approx_c Y$: $X$ and $Y$ are computationally indistinguishable
- $X \approx_s Y$: $X$ and $Y$ are statistically indistinguishable

Lattice and Gaussian Distributions
In this section, we introduce lattices, Gaussian distributions and the properties needed to construct the scheme.

Definition 1. Let $q$ be a prime, $A \in \mathbb{Z}_q^{n \times m}$ and $u \in \mathbb{Z}_q^n$, and define:
For any positive parameter $\sigma > 0$, define the Gaussian function on $\mathbb{R}^m$ centred at $c$:
Let $\Lambda$ be a discrete subset of $\mathbb{Z}^m$. Define the discrete Gaussian distribution over $\Lambda$ as:

Then for any $c \in \mathbb{R}^m$ and $u \in \mathbb{Z}_q^n$, there is a PPT algorithm SamplePre(A,

Definition 2 ([1]). Let $k$ be the security parameter and $\chi = \chi(k)$ a distribution over $\mathbb{Z}_q$. The $\mathrm{LWE}_{n,m,q,\chi}$ assumption states that if $A \leftarrow \mathbb{Z}_q^{m \times n}$, $s \leftarrow \mathbb{Z}_q^n$, $e \leftarrow \chi^m$ and $u \leftarrow \mathbb{Z}_q^m$, then $(A, As + e) \approx_c (A, u)$. It is well known that if $\chi^m = D_{\mathbb{Z}^m, \alpha q}$ and $\alpha q \ge 2\sqrt{n}$, then this decision LWE problem is at least as hard as approximating several worst-case problems on $n$-dimensional lattices to within $\tilde{O}(n/\alpha)$ factors with a quantum computer.

HE: Definition and Security
In this section, we show the definition and security model of the homomorphic encryption (HE) scheme based on [41].

Definition 3. (Homomorphic encryption scheme) A homomorphic encryption scheme consists of the following five algorithms:
1. HE.Setup($1^k$) → pp: Input the security parameter $k$. Output the public parameters pp.
2. HE.KeyGen(pp) → (pk, sk, evk): Input the public parameters pp. Output the encryption key pk, the public evaluation key evk and the decryption key sk.
3. HE.Enc(pp, pk, µ) → ct: Input pp, pk and a message µ. Output a ciphertext ct.
4. HE.Eval(pp, evk, $f$, ct$_1$, …, ct$_l$) → ct$_f$: Input pp, evk, a function $f$ and ciphertexts ct$_1$, …, ct$_l$. Output a ciphertext ct$_f$.
5. HE.Dec(pp, sk, ct) → µ: Input pp, sk and a ciphertext ct under the secret key sk. Output the message µ.

Compared with a public-key encryption scheme, the adversary obtains not only pk but also evk. If the scheme remains semantically secure when the adversary is given both pk and evk, we say the HE scheme is secure. The formal security model of the HE scheme is omitted here.

Definition 4. (L-homomorphism) If for any arithmetic circuit $f$ over GF(2) of depth $L = L(k)$ and any inputs $\mu_1, \dots, \mu_l \in \{0,1\}$ it holds that HE.Dec(pp, sk, HE.Eval(pp, evk, $f$, ct$_1$, …, ct$_l$)) $= f(\mu_1, \dots, \mu_l)$ with overwhelming probability in $k$, where (pk, sk, evk) ← HE.KeyGen(pp) and ct$_i$ ← HE.Enc(pp, pk, $\mu_i$), then the HE scheme is L-homomorphic.

HPRE: Definition and Security Model
In this subsection, we recall the definition and the security model of the homomorphic proxy re-encryption (HPRE) scheme. There are four participants in a unidirectional HPRE scheme for cloud sharing, as shown in Figure 2.
(1) Trusted authority (TA). The TA is trusted by all participants and generates the public parameters pp.
(2) Proxy. The proxy is semi-trusted by all participants and is generally a cloud service provider, which users rely on to store and compute over data.
(3) Data owner (DO). The DO encrypts data, stores the encrypted data in the cloud, and generates proxy re-encryption keys for data users.
(4) Data user (DU). The DU downloads the result of the homomorphic computation from the cloud service provider.

Definition 5. (Unidirectional homomorphic proxy re-encryption scheme) A unidirectional HPRE scheme consists of the following seven algorithms:
1. HPRE.Setup($1^k$, $1^L$) → pp: For the security parameter $k$ and the upper bound $L = L(k)$ on the multiplicative depth the scheme can homomorphically evaluate, the TA outputs the public parameters pp.
2. HPRE.KeyGen(pp, $L$) → (pk$_i$, sk$_i$, evk$_i$): For pp and $L$, user $i$ (DO or DU) outputs an encryption/decryption key pair (pk$_i$, sk$_i$) and a public evaluation key evk$_i$.
3. HPRE.Enc(pp, pk$_i$, µ) → ct$_i$: For pp, the encryption key pk$_i$ of user $i$ and a message µ, output an original ciphertext ct$_i$ of user $i$.
4. HPRE.ReKey(pp, sk$_i$, pk$_i$, pk$_j$) → rk$_{i \to j}$: For pp, the key pair (pk$_i$, sk$_i$) of user $i$ and the encryption key pk$_j$ of user $j$, user $i$ outputs a re-encryption key rk$_{i \to j}$.
5. HPRE.ReEnc(pp, rk$_{i \to j}$, ct$_i$) → ct$_j$: For pp, a re-encryption key rk$_{i \to j}$ and an original ciphertext ct$_i$ of user $i$, the proxy outputs a re-encrypted ciphertext ct$_j$ for user $j$.
6. HPRE.Dec(pp, sk, ct) → µ: For pp, sk and a ciphertext ct under sk, the user outputs the message µ.
7. HPRE.Eval(pp, evk$_i$, $f$, ct$_1$, …, ct$_l$) → ct$_f$: For pp, the evaluation key evk$_i$ of user $i$, a function $f$ and ciphertexts ct$_1$, …, ct$_l$ (original or re-encrypted) under pk$_i$, the proxy outputs a ciphertext ct$_f$ of $f(\mu_1, \dots, \mu_l)$.
We now define the security model of the HPRE scheme.

Learning Phase 1: The adversary may query the following oracles polynomially many times, and the challenger answers them.
Encryption key generation oracle O$_{pk}$: Given a user index $i$, the challenger obtains (pk$_i$, sk$_i$, evk$_i$) by running HPRE.KeyGen(pp, $L$), records them in a table, and returns pk$_i$ to the adversary.
Evaluation key generation oracle O$_{evk}$: Given a user index $i$, the challenger returns evk$_i$ if it is already in the table. Otherwise, it obtains (pk$_i$, sk$_i$, evk$_i$) by running HPRE.KeyGen(pp, $L$), records them in the table, and returns evk$_i$.
Decryption key generation oracle O$_{sk}$: Given a user index $i$, if user $i$ is honest the challenger returns ⊥. If user $i$ is corrupted, the challenger returns sk$_i$ if it is already in the table; otherwise it obtains (pk$_i$, sk$_i$, evk$_i$) by running HPRE.KeyGen(pp, $L$), records them in the table, and returns sk$_i$.
Re-encryption key generation oracle O$_{rk}$: Given two user indices $(i, j)$ with $i \neq j$, if users $i$ and $j$ are both honest or both corrupted, the challenger obtains rk$_{i \to j}$ by running HPRE.ReKey(pp, sk$_i$, pk$_i$, pk$_j$) and returns it to the adversary. Otherwise, the challenger returns ⊥.
Re-encryption ciphertext generation oracle O$_{re}$: Given two user indices $(i, j)$ with $i \neq j$ and a ciphertext ct$_i$ of user $i$, if users $i$ and $j$ are both honest or both corrupted, the challenger computes rk$_{i \to j}$ ← HPRE.ReKey(pp, sk$_i$, pk$_i$, pk$_j$), obtains ct$_j$ by running HPRE.ReEnc(pp, rk$_{i \to j}$, ct$_i$), and returns ct$_j$ to the adversary. Otherwise, the challenger returns ⊥.

Challenge: After finishing its queries, the adversary outputs a target honest user $i^*$ and a message µ. The challenger chooses $b \leftarrow \{0, 1\}$, computes ct$_{i^*, 0}$ ← HPRE.Enc(pp, pk$_{i^*}$, µ), lets ct$_{i^*, 1}$ be a uniformly random ciphertext, and sends the challenge ciphertext ct$_{i^*, b}$ to the adversary.

Learning Phase 2: The adversary may issue further decryption key, re-encryption key and re-encryption queries on users $i \neq i^*$; the challenger responds as in Learning Phase 1.

Guess: The adversary outputs a bit $b'$. We say a unidirectional HPRE scheme is IND-CPA secure if for any PPT adversary the advantage $|\Pr[b' = b] - 1/2|$ is negligible in $k$.
Yin et al. [37] put forward the concept of a strong collusion attack, relative to the traditional collusion attack, which they call a weak collusion attack. They showed by example that even if the colluding parties cannot compute the delegator's decryption key but can obtain an approximation of it, they can still mount a strong collusion attack on the scheme of Aono et al. [30] and correctly decrypt the delegator's ciphertexts. In fact, the approximate value obtained by the strong collusion attack is $\mathrm{P2}(S) + X$, where $S$ is the delegator's decryption key and $X$ is drawn from an error distribution (generally a Gaussian), so an approximation of $S$ is obtained. Combining this observation with the definition of Yin et al. [37], we give a new definition of strong collusion attack.

Definition 7. In a unidirectional proxy re-encryption scheme, if the proxy (cloud service provider) and the delegatee (data user) cannot collude to obtain either the decryption key $S$ of the delegator (data owner) or an approximate value $\mathrm{P2}(S) + X$ of it, where $X$ is drawn from an error distribution, the scheme is called strong anti-collusion. If the decryption key $S$ cannot be computed by collusion but the approximate value $\mathrm{P2}(S) + X$ can be obtained, the scheme is called weak anti-collusion.

Building Blocks
In this section, we construct a new encryption scheme based on [1,48]. Based on this new basic encryption scheme, we can construct a homomorphic proxy re-encryption (HPRE) scheme against strong collusion attack, which is named HPRE-SAC .

The Basic Encryption Scheme
The basic encryption scheme consists of the following four algorithms.
• E.Setup($1^k$): Input the security parameter $k$, sample $u \leftarrow \mathbb{Z}_q^n$. Output the public parameters pp $= (1^k, 1^n, q, \chi, u)$.
• E.KeyGen(pp): Input pp. Run TrapGen($q, n, m$) to generate $A \in \mathbb{Z}_q^{n \times m}$ together with a trapdoor basis $T$, where $m \ge 6n \log q$. Then run SamplePre($A, T, u$) to sample a vector $s \in \mathbb{Z}_q^m$ with $A s = u$. Output the encryption key pk $= (u \,|\, -A)$ and the decryption key sk $= (s, T)$. (The trapdoor $T$ is redundant for decryption, so one could set sk $= s$; it is kept because the PRE construction below needs it.)
• E.Enc(pp, pk, µ): Input pp, pk $= (u \,|\, -A)$ and a message $\mu \in \{0, 1\}$. Sample $e \leftarrow \chi^{n}$ and $y \leftarrow \chi^{m+1}$ and output the ciphertext
$$ct^t = e^t (u \,|\, -A) + y^t + \lfloor q/2 \rfloor \mu^t \in \mathbb{Z}_q^{1 \times (m+1)}, \qquad \mu^t = (\mu, 0, \dots, 0).$$
• E.Dec(pp, sk, ct): Compute $v = ct^t (1; s) \bmod q$; since $A s = u$, $v = y^t (1; s) + \lfloor q/2 \rfloor \mu$. Output $\mu = 0$ if $|v| < q/4$ and $\mu = 1$ otherwise.

Because $\|T\| < O(n \log q)$ and $\|y\|, \|s\| \le \sigma \sqrt{m}$, we set the parameters as follows: $n = k$, $q$ the prime nearest to $2^{n^\delta}$, $m = 6n \log q$, $\sigma = m \cdot \omega(\log m)$, where $\delta$ is a constant between 0 and 1. We then have the following Lemma 5.

Security Analysis
We now outline the proof that the scheme is CPA secure under the LWE assumption. Since $u \leftarrow \mathbb{Z}_q^n$ and $A \leftarrow$ TrapGen($q, n, m$), $(u \,|\, A)$ is statistically close to uniform by Lemma 1. Under LWE (with $e$ playing the role of the secret and $y$ the role of the noise), $e^t (u \,|\, -A) + y^t$ is computationally indistinguishable from uniform, so ct hides $\lfloor q/2 \rfloor \mu^t$. Therefore, the basic encryption scheme is IND-CPA secure.

Key Switching
Based on the technique of [41] and the basic encryption scheme, we construct a key switching algorithm, which converts a ciphertext under the decryption key $s_1 \in \mathbb{Z}_q^{n_1}$ into a ciphertext under the decryption key $(1; s_2)$, $s_2 \in \mathbb{Z}_q^{n_2}$.
• SwitchKeyGen($s_1, s_2$): Input decryption keys $s_1 \in \mathbb{Z}_q^{n_1}$, $s_2 \in \mathbb{Z}_q^{n_2}$. Sample $A_{s_1:s_2} \leftarrow \mathbb{Z}_q^{n_1 \lceil \log q \rceil \times n_2}$ and $x_{s_1:s_2} \leftarrow \chi^{n_1 \lceil \log q \rceil}$, and compute $b_{s_1:s_2} = A_{s_1:s_2} s_2 + x_{s_1:s_2} + \mathrm{P2}(s_1)$. Output the matrix $P_{s_1:s_2} = (b_{s_1:s_2} \,|\, -A_{s_1:s_2}) \in \mathbb{Z}_q^{n_1 \lceil \log q \rceil \times (n_2 + 1)}$.
• SwitchKey($P_{s_1:s_2}$, ct$_{s_1}$): Input a ciphertext ct$_{s_1}$ under the decryption key $s_1$ and $P_{s_1:s_2}$. Output the ciphertext ct$_{s_2} = P_{s_1:s_2}^t \,\mathrm{BD}(\text{ct}_{s_1})$.
The switched ciphertext decrypts under $(1; s_2)$ because $\text{ct}_{s_2}^t (1; s_2) = \mathrm{BD}(\text{ct}_{s_1})^t (b_{s_1:s_2} - A_{s_1:s_2} s_2) = \langle \text{ct}_{s_1}, s_1 \rangle + \langle \mathrm{BD}(\text{ct}_{s_1}), x_{s_1:s_2} \rangle$, i.e. the original decryption value plus the small term $\langle \mathrm{BD}(\text{ct}_{s_1}), x_{s_1:s_2} \rangle$. Note that $P_{s_1:s_2}$ is an encryption of $\mathrm{P2}(s_1)$ under $s_2$: whoever holds both $P_{s_1:s_2}$ and $s_2$ can compute $b_{s_1:s_2} - A_{s_1:s_2} s_2 = \mathrm{P2}(s_1) + x_{s_1:s_2}$.

An L-Homomorphic Encryption Scheme
In this section, we construct an L-homomorphic encryption scheme based on the basic encryption scheme with the help of the technology of [41,47].

Construction
An L-homomorphic encryption scheme consists of the following five algorithms.
$P_{(l-1):l} \leftarrow$ SwitchKeyGen($s^*_{l-1}$, $s_l$) for $l = 1, 2, \dots, L$. Output the encryption key pk $= (u \,|\, -A)$, the decryption key sk $= (s_L, T)$ and evk $= \{P_{(l-1):l}\}_{l = 1, 2, \dots, L}$. (The trapdoor $T$ is redundant for decryption, so one could set sk $= s_L$; it is kept because the PRE construction below needs it.)
• HE.Enc(pp, pk, µ): Identical to the basic encryption scheme; output ct ← E.Enc(pp, pk, µ).
• HE.Eval(·): As in [41] and [47], we evaluate depth-$L$ arithmetic circuits over GF(2) gate by gate: the ciphertexts entering a gate at level $i$ of the circuit are under the decryption key $s_{i-1}$, and the ciphertext output by the gate is under $s_i$.
− Add(ct$_1$, ct$_2$): Input ciphertexts ct$_1$, ct$_2$ under the secret key $s_{i-1}$; compute ct$_{add}$ = ct$_1$ + ct$_2$ and output ct$_{add}$ ← SwitchKey($P_{(i-1):i}$, ct$_{add}$).

Analysis for Homomorphism
We next show the homomorphism of the above L-Homomorphic Encryption scheme.

Lemma 8. Let $q, k, m, n, s, L, \chi$ be parameters for the above homomorphic encryption scheme, $\chi$ be $B$-bounded, and (pk, sk, evk) ← HE.KeyGen(pp). Let ct$_1$, ct$_2$ be such that

Theorem 1. Let $q, k, m, n, L$ be parameters for the above HE scheme and $\chi$ be $B$-bounded.

Proof. Let $E_i$ be the bound on the noise after evaluating the $i$-th level of gates. By Lemma 5, $E_0 \le (m+1)B^2 = O(m)B^2$. According to Lemma 8, once $m \log^2 q \cdot B \le E$ holds at some level, then

Security Analysis
We now outline the proof that the HE scheme is CPA secure under the LWE assumption. We show that (pk, evk, ct) $= ((u \,|\, -A), \{P_{(l-1):l}\}_{l = 1, \dots, L}, \text{ct})$ is indistinguishable from uniform by a hybrid argument. Since $s_L$ is used only to generate $P_{(L-1):L}$, that matrix is indistinguishable from uniform by Lemma 7. We then replace each $P_{(l-1):l}$ with uniform in descending order of $l$. Finally, only $((u \,|\, -A), \text{ct})$ remains, which is indistinguishable from uniform by the security analysis of the basic encryption scheme.

The HPRE-SAC Scheme
In this section, we will use the above homomorphic encryption (HE) scheme to construct the HPRE-SAC scheme by using Trapdoor Sampling [27,48].

Construction
The HPRE-SAC scheme consists of the following seven algorithms.
• HPRE.Enc(pp, pk, µ): Identical to the HE scheme; output ct ← HE.Enc(pp, pk, µ).
• HPRE.ReKey(pp, sk$_i$, pk$_i$, pk$_j$): Input pp, the encryption key pk$_i = (u \,|\, -A_i)$ and the decryption key sk$_i = (s_{iL}, T_i)$ of user $i$, and the encryption key pk$_j = (u \,|\, -A_j)$ of user $j$. Sample $X_{i \to j} \leftarrow \chi^{n \times m}$ and run SamplePre($A_i, T_i, \cdot$) column by column on $A_j + X_{i \to j}$ to obtain $R_{i \to j} \in \mathbb{Z}^{m \times m}$ with $A_i R_{i \to j} = A_j + X_{i \to j}$. Output the re-encryption key rk$_{i \to j} = R_{i \to j}$. Only the trapdoor $T_i$ is used here; the decryption vector $s_{iL}$ does not enter the re-encryption key.

Correctness Analysis
We show correctness in this subsection. For an original ciphertext, decryption is correct by Lemma 5. For a re-encrypted ciphertext, the decryption noise is $\sigma^t (1; s_j)$ where
$$\sigma^t = y_i^t \begin{pmatrix} 1 & 0_{1 \times m} \\ 0_{m \times 1} & R_{i \to j} \end{pmatrix} + z_{i \to j}^t$$
by (5), (6). Thus we have the following Lemma 9.
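The decryption of a re-encrypted ciphertext, carried through as an added worked derivation (not taken from the paper). It assumes that the re-encryption step has the form implied by the noise term $\sigma$ stated above, namely $ct_j^t = ct_i^t \,\mathrm{diag}(1, R_{i \to j}) + z_{i \to j}^t$ with fresh $z_{i \to j} \leftarrow \chi^{m+1}$, and uses the SamplePre relation $A_i R_{i \to j} = A_j + X_{i \to j}$ together with $A_j s_j = u$, where $s_j = s_{jL}$ is the decryption vector of user $j$:

$$
ct_j^t \binom{1}{s_j}
 = \Big( e_i^t (u \,|\, -A_i) + y_i^t + \lfloor q/2 \rfloor \mu^t \Big)
   \begin{pmatrix} 1 & 0_{1 \times m} \\ 0_{m \times 1} & R_{i \to j} \end{pmatrix} \binom{1}{s_j}
   + z_{i \to j}^t \binom{1}{s_j}
$$
$$
 = e_i^t \big( u - A_i R_{i \to j}\, s_j \big) + \sigma^t \binom{1}{s_j} + \lfloor q/2 \rfloor \mu
 = -\, e_i^t X_{i \to j}\, s_j + \sigma^t \binom{1}{s_j} + \lfloor q/2 \rfloor \mu \pmod q .
$$

Hence the re-encrypted ciphertext decrypts correctly whenever $|e_i^t X_{i \to j} s_j| + |\sigma^t (1; s_j)| < q/4$. With $e_i$, $X_{i \to j}$, $y_i$, $z_{i \to j}$ and the entries of $R_{i \to j}$ and $s_j$ all $B$-bounded, $|e_i^t X_{i \to j} s_j| \le nmB^3$ and, since each entry of $\sigma$ is at most $(mB + 1)B$, $|\sigma^t (1; s_j)| \le (m+1)(mB+1)B^2$; their sum is exactly the bound $E_0$ used in the proof of Theorem 2. The extra term $e_i^t X_{i \to j} s_j$ is the price of hiding $A_j$ behind the noise $X_{i \to j}$ in the re-encryption key.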
Next, we consider homomorphic operations over ciphertexts (original and re-encrypted). By Lemma 9, the decryption of a re-encrypted ciphertext has the same form as that of an original ciphertext. Therefore, Lemma 8 shows that homomorphic evaluation is feasible over original ciphertexts, over a mix of original and re-encrypted ciphertexts, and over re-encrypted ciphertexts. Note that a re-encrypted ciphertext has a larger decryption noise. Hence, to prove that the HPRE scheme is L-homomorphic, it suffices to bound the decryption noise of homomorphic operations over re-encrypted ciphertexts. Analogously to Theorem 1, we obtain Theorem 2.
Theorem 2. Let $q, k, m, n, L$ be parameters for the above HPRE-SAC scheme and $\chi$ be $B$-bounded.

Proof. Let $E_i$ be the bound on the noise after evaluating the $i$-th level of gates. By Lemma 9, $E_0 \le (m+1)(mB+1)B^2 + nmB^3 = O(m^2)B^3$. According to Lemma 8, once $m \log^2 q \cdot B \le E$ holds at some level, then $E_{i+1} = O(m \log q) \cdot E_i$, and

Finally, we show that the HPRE-SAC scheme is multi-hop.

Theorem 3. Let $q, k, m, n, L$ be parameters for the above HPRE-SAC scheme and $\chi$ be $B$-bounded; then the HPRE-SAC scheme is multi-hop.

Similarly to the proofs of Lemma 9 and Theorem 2, if $O(m \log q)^{\,l + L + O(1)} < q / B^{\,l+1}$, where $l$ is the number of re-encryption hops, the HPRE-SAC scheme is multi-hop.

Security Analysis
We show the security in this subsection.
Theorem 4. Let q, k, m, n, L be parameters for the above HPRE-SAC scheme, χ be B-bounded.
Proof. We consider the following games.

Game $G_0^b$: This is the original game $\mathrm{Expt}^{CPA}_{HPRE, \mathcal{A}}(k)$ between the challenger and the adversary. Suppose the index of the target honest user is 0 and pk$_0 = (u \,|\, -A_0)$. The challenger computes the challenge ciphertext on query µ as follows:

Game $G_1^b$: We modify the encryption key generation oracle O$_{pk}$. This game is identical to $G_0^b$, except that the challenger replaces $A_i$ of user $i$ with $A_i^+$, where $(A_i^+, T_i^+) \leftarrow$ TrapGen($q, n, m$).

Game $G_3^b$: We modify the re-encryption key generation oracle O$_{rk}$: the challenger samples $R^+_{i \to j} \leftarrow \chi^{m \times m}$ and replaces $R_{i \to j}$ with $R^+_{i \to j}$. The rest is the same as $G_2^b$.

Because of

the adversary cannot use $R_{1 \to 2}, R_{2 \to 3}$ to verify the relationship between $A_1, A_2$ and $A_3$, so the $R_{i \to j}$ are independent of each other. Since $R_{i \to j} \leftarrow$ SamplePre($A_i, T_i, A_j + X_{i \to j}$), $R_{i \to j}$ is statistically close to $\chi^{m \times m}$ by Lemma 3, that is, $R_{i \to j} \approx_s R^+_{i \to j}$.

Game $G_4^b$: We modify the re-encryption ciphertext generation oracle O$_{re}$. The challenger replaces the re-encrypted ciphertext ct$_j$ with ct$_j^+$ ← HPRE.ReEnc(pp, $R^+_{i \to j}$, ct$_i$). The rest is the same as $G_3^b$. According to Lemma 3, $R_{i \to j} \approx_s R^+_{i \to j}$, so $G_3^b \approx_s G_4^b$ for any efficient adversary.

Finally, $G_4^1 \approx_c G_4^0$ by LWE. Combining the above indistinguishabilities, $G_0^1 \approx_c G_0^0$, which completes the proof.
It should be noted that our HPRE-SAC scheme uses the trapdoor to generate the re-encryption key and the decryption key separately, which preserves homomorphism and at the same time provides resistance to strong collusion attacks. By Lemma 4, the trapdoor sampling algorithm is one-way and collision-resistant, so the delegatee and the proxy cannot recover the delegator's decryption key. In addition, the decryption key does not participate in the generation of the re-encryption key and is used only for decryption. Therefore, the adversary obtains no information about the decryption key, and in particular cannot obtain an approximation of it.

Suppose instead that the adversary obtains the approximate value $\mathrm{P2}(s) + x$ of the decryption key $s$, where $x$ is drawn from an error distribution. Then the adversary can decrypt the delegator's ciphertexts: let ct $= (\text{ct}_1, \text{ct}_2) = \big( e^t u + y_1 + \lfloor q/2 \rfloor \mu,\; e^t(-A) + y'^t \big)$, where $y^t = (y_1, y'^t)$. Using $A s = u$, we have
$$\text{ct}_1 + \langle \mathrm{BD}(\text{ct}_2), \mathrm{P2}(s) + x \rangle = \text{ct}_1 + \langle \text{ct}_2, s \rangle + \langle \mathrm{BD}(\text{ct}_2), x \rangle = \lfloor q/2 \rfloor \mu + y_1 + \langle y', s \rangle + \langle \mathrm{BD}(\text{ct}_2), x \rangle \pmod q .$$
If the resulting noise is smaller than $(q/2)/2$, decryption is correct. Thus the IND-CPA security of the HPRE-SAC scheme would not hold, contradicting Theorem 4. Therefore, the adversary cannot obtain the approximate value $\mathrm{P2}(s) + x$ of the decryption key $s$.
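The following runnable example, added here and not part of the paper, puts the two halves of the argument side by side: the basic scheme of Section 3 (encrypt, decrypt, homomorphic addition), the key switching construction $P_{s_1:s_2} = (b \,|\, -A)$ from the Key Switching subsection, and the strong collusion attack just described, in which the proxy (holding $P$) and the delegatee (holding $s_2$) compute $b - A s_2 = \mathrm{P2}(s_1) + x$ and decrypt the delegator's ciphertexts with that approximate key. All parameters are toy values ($n = 4$, $m = 16$, $q = 4093$, noise in $\{-1, 0, 1\}$) chosen only so that the noise bounds are easy to check by hand; they are not secure. KeyGen here picks a small $s$ first and sets $u = A s$, which is an assumption made for the demo: it reproduces the relation $A s = u$ that decryption needs, but it is not TrapGen/SamplePre and provides no trapdoor, so the HPRE-SAC re-encryption key itself is out of scope for this snippet.

```python
"""Toy LWE encryption with key switching and the strong-collusion recovery
of an approximate key.  Added example, not the paper's code.  Parameters
are tiny and insecure (n=4, m=16, q=4093, noise in {-1,0,1}).  KeyGen
picks a small s and sets u = A s (an assumption for this demo): it gives
the relation A s = u the scheme needs, but not the TrapGen trapdoor."""
import random

Q = 4093                   # prime modulus (toy value)
L_BITS = Q.bit_length()    # ceil(log2 q) = 12, used by bd() and p2()
N, M = 4, 16               # LWE dimension n and matrix width m (toy)
rng = random.Random(7)     # fixed seed so the demo is reproducible

def small():               # B-bounded noise chi with B = 1
    return rng.choice((-1, 0, 1))

def centred(v):            # representative of v mod q in [-q/2, q/2)
    v %= Q
    return v - Q if v > Q // 2 else v

def keygen():
    """pk = (u | -A), sk = s with A s = u (mod q)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [small() for _ in range(M)]
    u = [sum(A[i][j] * s[j] for j in range(M)) % Q for i in range(N)]
    pk = [[u[i]] + [(-A[i][j]) % Q for j in range(M)] for i in range(N)]
    return pk, s

def encrypt(pk, mu):
    """ct^t = e^t (u | -A) + y^t + floor(q/2) * (mu, 0, ..., 0)."""
    e = [small() for _ in range(N)]
    y = [small() for _ in range(M + 1)]
    ct = [(sum(e[i] * pk[i][j] for i in range(N)) + y[j]) % Q
          for j in range(M + 1)]
    ct[0] = (ct[0] + (Q // 2) * mu) % Q
    return ct

def decode(v):             # floor(q/2)*mu + small noise  ->  mu
    return 1 if abs(centred(v)) > Q // 4 else 0

def decrypt(key, ct):
    """key = (1; s): <ct, key> = <y, key> + floor(q/2) mu because A s = u."""
    return decode(sum(c * k for c, k in zip(ct, key)))

def add(ct1, ct2):         # homomorphic addition = XOR of the plaintext bits
    return [(a + b) % Q for a, b in zip(ct1, ct2)]

def bd(v):                 # bit decomposition, length len(v) * L_BITS
    return [((x % Q) >> b) & 1 for x in v for b in range(L_BITS)]

def p2(v):                 # powers of two: <bd(c), p2(s)> = <c, s> (mod q)
    return [(x << b) % Q for x in v for b in range(L_BITS)]

def switch_key_gen(s1, s2):
    """P = (b | -A) with b = A s2 + x + P2(s1): P2(s1) encrypted under s2."""
    rows, n2 = len(s1) * L_BITS, len(s2)
    A = [[rng.randrange(Q) for _ in range(n2)] for _ in range(rows)]
    x = [small() for _ in range(rows)]
    ps1 = p2(s1)
    P = []
    for r in range(rows):
        b = (sum(A[r][j] * s2[j] for j in range(n2)) + x[r] + ps1[r]) % Q
        P.append([b] + [(-a) % Q for a in A[r]])
    return P

def switch_key(P, ct):
    """ct' = P^t BD(ct): a ciphertext under the key (1; s2)."""
    d = bd(ct)
    return [sum(d[r] * P[r][c] for r in range(len(P))) % Q
            for c in range(len(P[0]))]

def collude(P, s2):
    """Proxy (holds P) + delegatee (holds s2): b - A s2 = P2(s1) + x mod q."""
    return [(row[0] + sum(row[1 + j] * s2[j] for j in range(len(s2)))) % Q
            for row in P]

def decrypt_with_approx(approx, ct):
    """<BD(ct), P2(s1) + x> = <ct, s1> + <BD(ct), x>: the delegator's bit."""
    return decode(sum(d * a for d, a in zip(bd(ct), approx)))

def demo():
    pk1, s1 = keygen()             # delegator
    pk2, s2 = keygen()             # delegatee
    k1 = [1] + s1                  # full decryption key (1; s1)
    ct0, ct1 = encrypt(pk1, 0), encrypt(pk1, 1)
    P = switch_key_gen(k1, s2)     # re-encryption key built by key switching
    approx = collude(P, s2)        # P2(k1) + x: the approximate key
    return {
        "dec": (decrypt(k1, ct0), decrypt(k1, ct1)),
        "add": (decrypt(k1, add(ct0, ct1)), decrypt(k1, add(ct1, ct1))),
        "switched": decrypt([1] + s2, switch_key(P, ct1)),
        "collusion": (decrypt_with_approx(approx, ct0),
                      decrypt_with_approx(approx, ct1)),
    }

if __name__ == "__main__":
    print(demo())
```

With these parameters the worst-case noise is easy to verify: fresh ciphertexts carry at most $m + 1 = 17$, a switched ciphertext adds at most $(m+1)\lceil \log q \rceil = 204$ from $\langle \mathrm{BD}(\text{ct}), x \rangle$, and both stay well below the decoding threshold $q/4 \approx 1023$, which is exactly why `decrypt_with_approx` succeeds: the colluders never learn $s_1$ itself, only $\mathrm{P2}(s_1) + x$, and that is enough. In HPRE-SAC the re-encryption key is $R_{i \to j}$ produced by SamplePre from the trapdoor $T_i$, so there is no matrix of the form $(b \,|\, -A)$ for `collude` to strip.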
In addition, although our HPRE-SAC scheme encrypts a single bit, homomorphic ciphertext packing [51] and the trapdoor-based multi-bit proxy re-encryption scheme of [27] can be used to construct a multi-bit homomorphic proxy re-encryption scheme against strong collusion attacks.

Comparisons
We compare the related works in this subsection. At present, there are many PRE schemes. We only select some related works from the lattice-based PRE literature and compare them with our scheme. It can be seen from Table 1 that Ma et al. [28], Li et al. [44,45], Li et al. [46] and our scheme are homomorphic proxy re-encryption schemes. The following comparison is made in terms of the length of the encryption key, decryption key, re-encryption key and ciphertext (including original ciphertexts and re-encryption ciphertexts). The comparison results are shown in Table 3.
It can be seen from Table 3 that the public key length of Ma et al. [28] is $n\log q$, that of Li et al. [44] is $m(n+1)\log q$, that of Li et al. [45] is the same as that of Li et al. [44], and that of Li et al. [46] is the longest, namely $(n\log n + 2)\log q$. The public key length of our HPRE-SAC scheme is $nm$, which is smaller than that of Li et al. [44] and differs from that of Ma et al. [28] only by a constant factor. From the length of the re-encryption key, we can find that the complexity of Ma et al. [28] is $O(n^3 \log q)$, that of Li et al. [46] is only $O(n\log q)$, and the others are $O(n^2 \log q)$. However, by observing the length of the ciphertext (including original ciphertexts and re-encryption ciphertexts), we can find that the ciphertext length of Li et al. [46] is the largest, namely $O((n\log q)^2 \log q)$, while those of our scheme HPRE-SAC and of [44,45] are the smallest, with complexity only $O(n\log q)$.
In conclusion, the comparison shows that our scheme HPRE-SAC has better parameters.
In addition, it should be noted from Table 1 that only our HPRE-SAC scheme can resist strong collusion attacks.

An Application
In this section, we present an application of our scheme HPRE-SAC: secure computing of personal healthcare records (PHRs) in the cloud.
At present, there are many applications of PRE in the cloud [52-56], especially in cloud-based PHRs [57,58]. The overall system architecture of cloud-based PHR computing using the proposed HPRE-SAC scheme is shown in Figure 3. It includes four entities: the patient (data owner), the E-healthcare cloud service provider (CSP), the trusted authority (TA) and the doctor (data receiver). The following steps are required.
(1) Patients and the doctor use the algorithm HPRE.Setup to register with the TA and obtain the public parameters of the system.
(2) Patients and the doctor use the algorithm HPRE.KeyGen to generate their own encryption key, public evaluation key and decryption key.
(3) Patients use the algorithm HPRE.Enc to encrypt their PHRs and upload them to the E-healthcare CSP for storage. The PHRs here include not only diagnostic information from doctors, but also personal health information collected by smart wearable devices. We assume that the E-healthcare CSP is not trusted, so the patients need to encrypt the data.
(4) For a certain purpose (in addition to clinical purposes, it can also be for research purposes), the doctor asks patients for the right to decrypt their encrypted data.
(5) After the patient agrees to the doctor's request, the algorithm HPRE.ReKey is used to generate the re-encryption key, which is sent to the proxy.
(6) Suppose that the proxy residing in the cloud is semi-trusted, that is to say, it follows the protocol but may collect information to infer private data, or collude with the data user to attack the data owner. The proxy re-encrypts the patient's ciphertext into the doctor's ciphertext using the algorithm HPRE.ReEnc.
(7) The doctor needs to analyze and compute over the PHRs of multiple patients for a certain purpose (in addition to clinical purposes, it can also be for research). In order to reduce the burden of local computation and communication, the doctor sends the function to the proxy.
(8) The proxy uses the algorithm HPRE.Eval to evaluate the function homomorphically on the re-encrypted ciphertexts belonging to the doctor.
(9) The doctor downloads the result of the homomorphic evaluation and decrypts it locally using the algorithm HPRE.Dec to obtain the required data.
This system architecture not only ensures the security of the patients' data, but also meets the doctors' need for efficient statistical analysis of the PHRs of multiple patients.

Conclusions
In order to support efficient and secure cloud computing, this paper proposes a lattice-based homomorphic proxy re-encryption scheme, namely HPRE-SAC, which can resist strong collusion attacks. In particular, the HPRE-SAC scheme is unidirectional, multi-hop, and CPA secure under LWE. Compared with the existing HPRE schemes, the HPRE-SAC scheme has better parameters. However, the efficiency of the HPRE-SAC scheme is still low. Future work will be to construct a more efficient HPRE scheme based on the existing scheme, such as constructing an HPRE scheme over ring-LWE to meet more comprehensive application requirements.