Next Article in Journal
Weighted h-index for Identifying Influential Spreaders
Next Article in Special Issue
Security-Oriented Architecture for Managing IoT Deployments
Previous Article in Journal
Experimental Study on Plasma Flow Control of Symmetric Flying Wing Based on Two Kinds of Scaling Models
Previous Article in Special Issue
Conceptualizing Distrust Model with Balance Theory and Multi-Faceted Model for Mitigating False Reviews in Location-Based Services (LBS)
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

A Novel Lattice-Based CP-ABPRE Scheme for Cloud Sharing

1
College of Data Science and Technology, Heilongjiang University, Harbin 150080, China
2
College of Computer Science and Engineering, Shandong University of Science and Technology, Qingdao 266590, China
3
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
*
Author to whom correspondence should be addressed.
Symmetry 2019, 11(10), 1262; https://doi.org/10.3390/sym11101262
Submission received: 7 September 2019 / Revised: 30 September 2019 / Accepted: 3 October 2019 / Published: 9 October 2019

Abstract

:
The ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme supports access control and can transform a ciphertext under an access policy to a ciphertext under another access policy without decrypting the ciphertexts, which is flexible and efficient for cloud sharing. The existing CP-ABPRE schemes are constructed by bilinear pairing or multi-linear maps which are fragile when the post-quantum future comes. This paper presents an efficient unidirectional single-hop CP-ABPRE scheme with small public parameters from a lattice. For the transformation between two access structures, they are required to be disjoint. This paper uses the trapdoor sampling technique to generate the decryption key and the re-encryption key in constructing the scheme, and uses the decompose vectors technique to produce the re-encrypted ciphertexts in order to control their noise. Finally, we extended the scheme to a unidirectional single-hop CP-ABPRE scheme with keyword search for searching the encrypted data. Both schemes were proved secure under the learning with errors assumption, which is widely believed to be secure in quantum computer attacks. To the best of our knowledge, our scheme is the first CP-ABPRE scheme based on the learning with errors assumption.

Graphical Abstract

1. Introduction

The encryption of cloud data can protect the security of data effectively. There are two types of encryption system: symmetric and asymmetric. In a symmetric encryption system, the encryption key and decryption key are the same. In an asymmetric encryption system, the encryption key and the decryption key are different. Attribute-based encryption (ABE) is an asymmetric approach.
In an ABE system, ciphertexts are labeled with a public attribute x, and private keys are associated with some descriptive values y. A private key decrypts the ciphertext and recovers the message if and only if x satisfies y. By assigning common attributes of these decryptors, a user can use ABE to encrypt data and store the encrypted data in the cloud for sharing data, protecting privacy, and obtaining fine-grained access control. Hierarchical key assignment schemes (HKASs) [1,2] can be used to achieve fine-grained access control. There are two variants of ABE [3]: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In a CP-ABE (KP-ABE) system, the private key (ciphertext) is associated with an arbitrary number of attributes expressed as strings S, the ciphertext (private key) is associated with an access structure W over attributes, and the private key can decrypt the ciphertext if and only if S satisfies W.
Using CP-ABE, a user (e.g., Alice) can encrypt her data under access structure W, then any user with attribute S can decrypt the encrypted data, where S satisfies W. If Alice wants to share the encrypted data with Bob, but the attribute set of Bob does not satisfy W, then Bob can not get them from the cloud. Due to the resource-limited nature of the terminal device, it is impossible for users to backup all data with plain format. Thus, Alice needs to download and decrypt the ciphertext, and encrypt the data with another access structure W . The computational overhead of this strategy is too heavy for Alice.
For example, in an electronic health record (EHR) system [4], the set L of all attributes in the EHR system consists of all kinds of diseases, such as cold, lipomyoma, lung cancer, diabetes, and nephropathy. A patient encrypts their detailed personal information under access structure W, where W may be (cold and lipomyoma) or (diabetes and nephropathy). The physician’s attributes S consist of many kinds of diseases that the physician is professional in, where S could be {cold, lipomyoma}.
Proxy re-encryption (PRE) allows a proxy to transform a ciphertext of a delegator to a ciphertext of a delegatee specified by the delegator, and the proxy will not know the message in this process, which can be used for cloud sharing. The cloud sharing can become more efficient with ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE). In the CP-ABPRE scheme, Alice only needs to generate a re-encryption key and send it to a proxy, then the proxy can transform the ciphertext under W to another ciphertext under W [5,6,7]. Although CP-ABPRE can effectively achieve cloud sharing, the search on the encrypted data is powerless. It is interesting to combine the concept of CP-ABPRE and keyword search to construct CP-ABPRE with keyword search (CP-ABPRE-KS), which can not only achieve the data sharing effectively, but can also search the encrypted data.

1.1. Related Work

At present, many types of lattice-based PRE scheme have been constructed. One example is conditional proxy re-encryption (CPRE) [8], whereby only ciphertexts satisfying a condition set by a delegator can be transformed by the proxy. Homomorphic proxy re-encryption (HPRE) [9,10] can homomorphically evaluate original or re-encrypted ciphertexts. In identity-based proxy re-encryption (IBPRE) [11], ciphertexts are transformed from one identity to another. Proxy re-encryption with keyword search (PRE-KS) [12] simultaneously realizes the functionality of proxy re-encryption and keyword search. However, there is no lattice-based attribute-based proxy re-encryption (ABPRE) [13] whereby ciphertexts are transformed from one access policy to another.
Liang et al. [13] constructed the first CP-ABPRE scheme based on bilinear maps, supporting and-gates over positive and negative attributes. Luo et al. [14] extended [13] to a CP-ABPRE supporting and-gates on multi-valued and negative attributes, but the scheme is selective-policy chosen plaintext secure. Liang et al. [15] constructed the first adaptively CCA-secure CP-ABPRE. The existing CP-ABPRE schemes are constructed by bilinear pairing or multi-linear maps, which are fragile when the post-quantum future comes. Zhang et al. [16] presented a ciphertext policy attribute-based encryption (ABE) scheme based on learning with errors (LWE), which is widely believed to be secure in quantum computer attacks. Zeng et al. [17] presented an authorized searchable encryption with special keyword based on [16].
Boneh et al. [18] constructed a public key encryption with keyword search for searching encrypted data. Shao et al. [19] constructed the first PRE-KS, which simultaneously realizes the functionality of proxy re-encryption and keyword search. Wang et al. [20] extended [19] to a constrained single-hop unidirectional proxy re-encryption supporting conjunctive keywords search. Shi et al. [21] formalized the syntax and security definitions for ABPRE with keyword search (ABPRE-KS), and constructed two ABPRE-KS by multi-linear maps; that is, CP-ABPRE-KS and KP-ABPRE-KS. Hong et al. [22] also presented an ABPRE-KS by bilinear pairing for flexible and secure data sharing in the cloud. None of these schemes can resist quantum computation attacks. Yang et al. [12] proposed a novel lattice-based semantic keyword searchable proxy re-encryption scheme for secure cloud storage which is resistant to quantum attack.

1.2. Our Contributions

In this paper, (1) we constructed a lattice-based CP-ABE scheme by modifying the ABE scheme of Zeng et al. [17]. Compared with the ABE schemes of [16,17], our CP-ABE scheme has smaller public parameters. (2) We constructed a CP-ABPRE scheme based on the new CP-ABE scheme by using trapdoor sampling from LWE, which is widely believed to be secure in quantum computer attacks. The CP-ABPRE scheme is the first CP-ABPRE based on LWE. (3) We extended the CP-ABPRE scheme to a CP-ABPRE-KS scheme.
The rest of this paper is organized as follows: Section 2 presents preliminaries; Section 3 describes the constructed ABPRE scheme; Section 4 extends the ABPRE to the ABPRE-KS scheme; finally, our work is concluded in Section 5.

2. Preliminaries

We introduce some notations, Gaussian distribution, the LWE hardness assumption, and the definition of CP-ABPRE in this section.

2.1. Notation

We employed some initial notations, as listed in Table 1. For an integer q and a vector x Z q n , let l = log q , P 2 x = 1 x ; 2 x ; ; 2 l 1 x Z q n l , B D x = u 1 | | u l 0 , 1 n l , where x = k = 1 l 2 k 1 u k . When A is a matrix, let P 2 ( A ) ( B D ( A ) ) be the matrix formed by applying the operation to each row (column) of A.

2.2. Gaussian Distributions and the LWE Hardness Assumption

For any positive parameter σ > 0 , define the Gaussian function on R m , centered at c : x R m ,
ρ σ , c ( x ) = exp π x c 2 π x c 2 σ 2 σ 2 ) .
For any vector c R m and positive parameter σ > 0 , let Λ be a discrete subset of Z m , define the discrete Gaussian distribution over Λ as: x R m ,
D Λ , σ , c ( x ) = ρ s , c x ρ σ , c Λ ,
where ρ σ , c Λ = x Λ ρ σ , c x .
For constructing the CP-ABPRE scheme, we sample vectors from the discrete Gaussian distribution D. The algorithm S a m p l e P r e can sample vectors from a distribution statistically close to D Λ ( A ) , but it needs the basis of Λ A . Lemmas 1 and 2 can meet our needs. Lemma 1 can output a basis of Λ A , and Lemma 2 can sample vectors from a distribution statistically close to D Λ ( A ) .
Lemma 1
([23]). For any positive integers n, m 6 n log q , q 2 , the probabilistic polynomial-time algorithm TrapGen ( q , n , m ) can output a pair A , T Z q n × m × Z m × m , where
(1) 
A is statistically close to uniform in Z q n × m ;
(2) 
T is a basis for Λ q A = e Z m , s . t . A e = 0 mod q ;
(3) 
T O ( n log q ) and T ˜ O n log q .
Alwen and Peikert assert that the constant hidden in the first O ( · ) is no more than 20.
Lemma 2
([24]). For any positive integer q 2 , vector c Z m , u Z q n and matrix A Z q n × m , the probabilistic polynomial-time algorithm SamplePre( A , T A , u , c ) can output vector x Λ q u ( A ) = e Z m , s . t . A e = u mod q , which in a distribution statistically close to D Λ q u ( A ) , σ , c , where T A is a basis of Λ q A , σ T ˜ ω log m .
Let X be a normal random variable with mean 0 and deviation α 2 α 2 2 π 2π , where α∈(0,1) is a real number. For prime q, define the random variable in distribution Ψ ¯ α over Z q as ⎣ qX ⎤ mod q. For the correctness of our CP-ABPRE scheme, we need Lemmas 3 and 4, which show bounds for random variables.
Lemma 3
([25]). For any c Λ Z m , let x D Λ + c , σ , σ > η ϵ ( Λ ) for some ϵ ( 0 , 1 ) , then with overwhelming probability x < σ m . Moreover, if c = 0 then the bound holds for any σ > 0 , with ϵ = 0 .
Lemma 4
([24]). For any r Z m , let e Ψ ¯ α m , then with overwhelming probability in m
r T e r q α ω log m + r m m 2 2 .
In particular, if e Ψ ¯ α , then e q α ω log m + 1 / 2 with overwhelming probability in m.
The LWE (learning with errors) problem [26] is as hard as the worst-case SIVP and GapSVP with certain noise distributions D (e.g., Ψ ¯ α ), which is a classic hard problem on lattices. The decisional L W E n , q , χ problem is to distinguish ( a ¯ i ; b ¯ i ) Z q n + 1 and ( a i , b i ) Z q n + 1 , where a i Z q n , b i = a i T s + e i , s Z q n , e i D , q   2 , and D is a distribution over Z .

2.3. Attribute and Access Structure

We denote L = L as the set of all attributes in the system. For i [ L ] , the user either has the attribute i or does not have it. If a user does not have attribute i, we say the user has attribute i . Thus, i and i appear in pairs. We denote i and i as positive and negative attribute, respectively. In this paper, we study the CP-ABE scheme which supports and-gates on positive and negative attributes.
Definition 1.
Let L be the set of all attributes. If the access structure W is organized by and-gates on positive and negative attributes, then an attribute set S satisfies W if and only if
S + S , S L \ S
, where S + S is the positive (negative) attribute set in W.
For instance, let L = [ 4 ] , access structure W = ( 1 a n d 3 ) , if S W , then we only need 1 S , 3 S , and do not need to consider 2 , 4 . The attribute sets S 1 = { 1 } , S 2 = { 1 , 2 } , S 3 = { 1 , 4 } , S 4 = { 1 , 2 , 4 } all satisfy W.
For two access structures W and W 1 , let S + , S 1 , + ( S , S 1 , ) be the positive (negative) attribute set in W and W 1 . If S + S 1 , , S S 1 , + , then we say W and W 1 are disjoint.

2.4. Definition and Security Model of CP-ABPRE Scheme

There are four participants in the single-hop unidirectional CP-ABPRE scheme for cloud sharing, as shown in Figure 1.
(1) Trusted authority (TA). The TA is trusted by all participants. TA generates master secret key, public parameters and re-encryption key.
(2) Cloud services provider (CSP). The CSP is semi-trusted by all participants. The CSP stores data uploaded by the DO, and computes the re-encrypted ciphertext using the original ciphertext and re-encryption key.
(3) Data owner (DO). The DO encrypts their data and stores the encrypted data in the cloud.
(4) Data user (DU). The DU queries the CSP for re-encrypted data which belongs to them.
We give the following definition based on the definition and security model of Liang et al. [27].
Definition 2.
A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms:
1. 
Setup( κ , L ): For a set L of attribute and security parameter κ, the TA outputs public parameters p p and master secret key m s k .
2. 
KeyGen( p p , m s k , S ): For p p , m s k and an attribute set S of user (DO or DU), the TA outputs secret key s k S for S. Note that each secret key s k S is associated with an attribute set S.
3. 
Encrypt( p p , W , μ ): For p p , a message μ, and an access structure W over the attribute set L, the DO outputs ciphertext C W . Note that each ciphertext C W is associated with an access structure W.
4. 
Decrypt( p p , s k S , C W , S ): For p p , C W , S and its corresponding secret key s k S , the user (DO or DU) outputs plaintext μ if S W or a symbol ⊥ indicating either C W is invalid or S W .
5. 
ReKeyGen( p p , S , W , W 1 ): For p p , two access structures W , W 1 and an attribute set S, if S W , and W and W 1 are disjoint, the TA outputs the re-encryption key r k W W 1 , and otherwise outputs a symbol ⊥.
6. 
ReEnc( p p , C W , r k W W 1 ): For p p , C W , r k W W 1 , the CSP outputs the re-encrypted ciphertext C W 1 .
Correctness—There are two requirements for correctness:
1. 
Decrypt( p p , s k S , C W ) = μ, where C W = E n c r y p t ( p p , W , μ ) and S W .
2. 
Decrypt( p p , s k S 1 , C W 1 )= μ, where C W 1 = R e E n c ( p p , r k W W 1 , C W ) , C W = E n c r y p t ( p p , W , μ ) , r k W W 1 = R e K e y G e n ( p p , W , W 1 ) , S 1 W 1 .
Definition 3.
For a single-hop unidirectional CP-ABPRE scheme, let κ be a security parameter. Consider the following games, denoted by Expt CP ABPRE , A IND sAS CPA Or κ , between challenger and adversary.
Initialization. The adversary chooses a challenge access structure W * for the challenger.
Setup Phase: The challenger runs Setup( κ, L) and sends p p to the adversary.
Learning Phase: In this phase, the adversary can access the following oracles polynomially many times, and the challenger needs to answer these oracles.
(1) 
Secret key oracle O sk S : The adversary inputs an attribute set S. If S W * , then the challenger returns s k S KeyGen pp , msk , S , and otherwise returns ⊥.
(2) 
Re-encryption key oracle O rk S , W , W : The adversary inputs two access structures W , W and S. If S W , W and W are disjoint, and O sk S has been accessed for any S W , then the challenger returns r k W W ReKeyGen ( pp , S , W , W ) , and otherwise returns ⊥.
(3) 
Re-encryption oracle O re r k W W , W , C W : The adversary inputs W , C W , r k W W . If r k W W ReKeyGen ( pp , S , W , W ) , s k S KeyGen pp , msk , S , S W , then the challenger returns C W ReEnc ( pp , C W , r k W W ) , and otherwise returns ⊥.
Challenge: If the adversary finishes all of the oracles’ queries, then the adversary sends μ 0 , 1 to the challenger. For a coin b 0 , 1 , the challenger returns a random ciphertext C if b = 0 or the real ciphertext C W * Encrypt ( pp , W * , μ ) if b = 1 .
Gauss: Finally, the adversary outputs a guess b 0 , 1 . If b = b , the adversary wins.
We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext if for any PPT adversary, the advantage
Adv CP ABPRE , A IND sAS CPA Or κ = P r b = b 1 2
of the adversary is negligible.
Definition 4.
For a single-hop unidirectional CP-ABPRE scheme, let κ be a security parameter. We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at re-encrypted ciphertext if for any PPT adversary, the advantage
Adv CP ABPRE , A IND sAS CPA Re κ = P r b = b : W * , s t a t e 1 A 1 κ ; p p , m s k S e t u p ( 1 κ , L ) ; μ , W , s t a t e 2 A O 1 p p , s t a t e 1 ; b 0 , 1 ; C W * * R e E n c r k W W * , C W ; b A O 1 C W * * , s t a t e 2 1 2
of the adversary is negligible, where O 1 = O sk , O rk , O re and O sk (it is forbidden to S W * ), O rk , O re (it is forbidden to C W is an valid original ciphertext or a re-encrypted ciphertext) as in Definition 3, S t a t e 1 and S t a t e 2 are the state information, W * is challenge access structure, and W , W * are disjoint, C W is a random ciphertext C if b = 0 or the real ciphertext C W Encrypt ( pp , W , μ ) if b = 1 , μ 0 , 1 .

3. A CP-ABPRE Scheme

First, we propose a single-hop unidirectional CP-ABPRE scheme, then prove the correctness and security of the scheme, and finally compare the schemes.

3.1. Concrete Scheme

A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms.
  • Setup( n , m , q , L ): Given positive integers n , m , q , and a set of attributes L, the TA samples u Z q n , computes A i , b , T i , b T r a p G e n q , n for i L , where b { 0 , 1 } and returns public parameters p p = A i , b i L b 0 , 1 , u and master secret key m s k = T i , b i L b 0 , 1 .
  • KeyGen( p p , m s k , S ): Given p p , m s k and an attribute set S of the DU, where S L , the TA lets A i = A i , 0 , i L \ S A i , 1 , i S , computes s SamplePre A , T , u , and returns secret key s k S = s , where A = A 1 | | A L , T = T 1 T L , T i is the basis for Λ q A i , i L .
  • Encrypt( p p , W , μ ): Given p p , a message μ { 0 , 1 } , and an access structure W, the DO denotes S + S as the positive (negative) attribute set in W, computes
    c = u T f + x c + q 2 μ ,
    c i , 0 = z i , 0 , i S + A i , 0 T f + x i , 0 , i S _ ,
    c i , 1 = A i , 1 T f + x i , 1 , i S + z i , 1 , i S ,
    c j , 0 c j , 1 = A j , 0 T A j , 1 T f + x j , 0 x j , 1 ,
    j L \ S + S , and returns ciphertext
    C W = c ; c i , 0 , c i , 1 i L ,
    where x c χ , f χ n , z i , 0 , z i , 1 , x i , 0 , x i , 1 χ m .
  • Decrypt( p p , C W , s k S , S ): After receiving the cipthertext C W from the CSP, the DU computes y = y 1 ; ; y L by y i = c i , 1 , i S c i , 0 , e l s e , and then outputs 0 if s T | 1 y T ; c = c y T s is closer to 0 than to q 2 modulo q, and 1 otherwise.
  • ReKeyGen( p p , S , W , W 1 ): After receiving p p , S , two access structures W , W 1 from the DO, if W , W 1 are not disjoint or S W , then the TA outputs ⊥, and otherwise denotes the positive (negative) attribute set in W 1 as S 1 , + S 1 , , noting S 1 , + L , S 1 , L , then computes
    Q i , 0 X ¯ i , i S 1 , + P 2 R i , 1 0 T + X i , i S 1 , ,
    Q i , 1 P 2 R i , 0 1 T + X i , i S 1 , + X i ¯ , i S 1 , ,
    Q i , 0 P 2 R i , 1 0 T + X i , 0 , i L \ S 1 , + S 1 , ,
    Q i , 1 P 2 R i , 0 1 T + X i , 1 , i L \ S 1 , + S 1 , ,
    where R i , 1 0 SamplePre A i , 1 , T i , 1 , A i , 0 , R i , 0 1 SamplePre A i , 0 , T i , 0 , A i , 1 , X i , X i , 0 , X i , 1 D Z m × m log q , X i ¯ D Z q m × m log q and finally returns the re-encryption key r k W W 1 = Q i , 0 , Q i , 1 i L .
  • ReEnc( p p , C W , r k W W 1 ): Given p p , C W , r k W W 1 , the CSP computes
    c i , 0 1 = Q i , 0 B D c i , 1 + x i , 0 1 , i S 1 , z i , 0 1 , i S 1 , + ,
    c i , 1 1 = Q i , 1 B D c i , 0 + x i , 1 1 , i S 1 , + z i , 1 1 , i S 1 , ,
    c j , 0 1 = Q i , 0 B D c j , 1 + x j , 0 1 ,
    c j , 1 1 = Q i , 1 B D c j , 0 + x j , 1 1 ,
    j L \ S 1 , + S 1 , ,
    where x i , 0 1 , x j , 0 1 D Z m , z i , 0 1 , z i , 1 1 Z q m and outputs the re-encrypted ciphertext
    C W 1 = c ; c i , 0 1 , c i , 1 1 i L .

3.2. Correctness and Parameters

We show the correctness and parameters in this subsection.
Firstly, we prove that Decrypt ( p p , s k S , C W ) = μ , where C W = E n c r y p t ( p p , W , μ ) and S W .
For an attribute set S, let A i = A i , 0 , i L \ S A i , 1 , i S , A = A 1 | | A L . Since T i is the basis for Λ q A i , i L , A T = A 1 | | A L T 1 T L = 0 , and T = i L T i 0 , we have T = T 1 T L is a basis for Λ q A , then TA can compute s = s 1 ; , s L SamplePre A , T , u such that u = A s = i = 1 L A i s i . Since S W , we know that
y = y 1 ; ; y L = A T f + x ,
where x = x 1 ; ; x L , x i = x i , 0 , i L \ S x i , 1 , i S . Thus,
c s T y = u T f + x c + q 2 μ s T A T f + x = q 2 μ + x c s T x . .
If x c s T x < q 2 q 2 2 2, then we can get μ.
Then, we prove that Decrypt ( p p , s k S 1 , C W 1 )= μ , where C W 1 = R e E n c ( p p , r k W W 1 , C W ) , r k W W 1 = R e K e y G e n ( p p , W , W 1 ) , C W = E n c r y p t ( p p , W , μ ) , S 1 W 1 .
Let S 1 , + , S 1 , be the positive and negative attribute set in W 1 , C W = c ; c i , 0 , c i , 1 i L be a ciphertext under W, and r k W W 1 = Q i , 0 , Q i , 1 i L be a re-encryption key. Since the access structures W and W 1 are disjoint, we know that if i S 1 , , then
c i , 0 1 = Q i , 0 T B D c i , 1 + x i , 0 1 = P 2 R i , 1 0 T + X i B D c i , 1 + x i , 0 1 = R i , 1 0 T c i , 1 + X i B D c i , 1 + x i , 0 1 = R i , 1 0 T A i , 1 T f + R i , 1 0 T x i , 1 + X i B D c i , 1 + x i , 0 1 = A i , 0 T f + R i , 1 0 T x i , 1 + X i B D c i , 1 + x i , 0 1
that is
c i , 0 1 = A i , 0 T f + x i , 0 2 , i S z i , 0 1 , i S + ,
where x i , 0 2 = R i , 1 0 T x i , 1 + X i B D c i , 1 + x i , 0 1 . Similarly, we have
c i , 1 1 = A i , 1 T f + x i , 1 2 , i S + z i , 1 1 i S ,
where x i , 1 2 = R i , 0 1 T x i , 0 + X i B D c i , 0 + x i , 1 1 ,
c j , 0 1 = A j , 0 T f + x j , 0 2 ,
c j , 1 1 = A j , 1 T f + x j , 1 2 ,
where x i , 0 2 = R i , 1 0 T x i , 1 + X i , 0 B D c i , 1 + x i , 0 1 , x i , 1 2 = R i , 0 1 T x i , 0 + X i , 1 B D c i , 0 + x i , 1 1 , i L \ S 1 , + S 1 , .
For the attribute set S 1 , let A i = A i , 0 , i L \ S 1 A i , 1 , i S 1 , A 1 = A 1 | | A L . TA can compute s 1 SamplePre A 1 , T 1 , u such that A 1 s 1 = u , where T 1 = T 1 T L is the basis of Λ q A 1 . Since S 1 W 1 , we know that y 1 = y 1 1 ; ; y L 1 = A 1 T f + x 1 , where x 1 = x 1 1 ; ; x L 1 , x i 1 = x i , 0 2 , i L \ S 1 x i , 1 2 , i S 1 . Thus,
c s 1 T y 1 = q 2 μ + x c s 1 T x 1 .
If x c s 1 T x 1 < q 2 q 2 2 2, then we can get μ.
Finally, we set the parameters.
  • Algorithm TrapGen requires m 6 n log q .
  • Algorithm SamplePre requires σ T ˜ ω log m .
  • Decrypting the ciphertext requires x c s T x < q 2 q 2 2 2.
  • Decrypting the re-encrypted ciphertext requires x c s 1 T x 1 < q 2 q 2 2 2.
  • The hardness of LWE requires α q > 2 n .
Let χ = Ψ ¯ α , the parameters can be set as follows:
n = κ , q = the prime nearest to 2 n δ , m = 6 n log q , σ = m ω log m , α = 5 m 3 σ 2 L ω log m 1 , where δ is constant between 0 and 1.
We verify (4), the others can be easily computed. From the element of x 1 , we know
x 1 r T x + m log q x + x ,
where x , x χ m , x χ m × m log q , r is a column of R i , 1 0 , R i , 0 1 . By Lemmas 2 and 3, we have | | r | | σ m . By Lemma 4, we have
x 1 r T x + m log q x + x σ m q α ω log m + σ m m 2 2 + m log q q α ω log m + 1 / 2 + q α ω log m + 1 / 2 = q α ω log m σ m + m log q + 1 + σ m m 2 2 + m log q m log q 2 2 + 1 / 2 2 σ m q α ω log m + σ m .
Thus,
x c s 1 T x 1 x c + s 1 T x 1 x c + m L s 1 x 1 q α ω log m + 1 / 2 + m L σ L m 2 σ m q α ω log m + σ m = q α ω log m 1 + 2 m 2 σ 2 L + 1 / 2 + m 5 2 σ 2 L < q α ω log m m 3 σ 2 L q 5 .

3.3. Security

We show the CP-ABPRE scheme is IND-sAS-CPA secure under the LWE problem in this subsection. Theorem 1 shows that the CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext, Theorem 2 shows the CP-ABPRE scheme is IND-sAS-CPA secure at the re-encrypted ciphertext.
Theorem 1.
Let n , q , m , σ , α be as in the aforementioned. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext.
Proof. 
Consider the following games.
G a m e 0 b : This is the real game Expt CP ABPRE , A IND sAS CPA Or κ with b { 0 , 1 } . Suppose W * is the adversary’s access structure, the challenger denotes the positive (negative) attribute set in W * as S * , + S * , . The challenger answers the ciphertext of the adversary’s issue about μ { 0 , 1 } as follows:
If b = 0 , output c Z q 1 + 2 L m .
If b = 1 , output C W * Encrypt ( pp , W * , μ ) .
Finally, the adversary outputs a guess b { 0 , 1 } .
G a m e 1 b : We modify the secret key oracle O sk S . If the adversary inputs an attribute set S and S W * , then the challenger returns ⊥. If S W * , the challenger lets A i = A i , 0 , i L \ S A i , 1 , i S , samples s i + D Z m , σ , i [ | L | 1 ] , computes u = u i = 1 L 1 A i s i + , s L + SamplePre A L , T L , u and outputs the secret key s + = s 1 + , , s L + . The others are the same as G a m e 0 b .
From Lemma 2, we know the distribution of s + statistically closes to D Λ q u ( A ) , σ . The distribution of the real secret key s in the CP-ABPRE scheme also statistically closes to D Λ q u ( A ) , σ . Thus the distribution of s + is same as the real secret key s . In addition, because A s + = u , we have s + s s . Thus, Game 0 b s Game 1 b .
G a m e 2 b : We modify the re-encryption key oracle O rk W , W . We replace P 2 R i , 1 0 T + X i , i S 1 , , P 2 R i , 0 1 T + X i , i S 1 , + , and Q i , 0 , Q i , 1 , i L \ S 1 , + S 1 , with Q i , 1 0 * , Q i , 0 1 * , Q i , 0 * , Q i , 1 * D Z m × m log q , σ , respectively. The others are the same as G a m e 1 b .
Since R i , 1 0 SamplePre A i , 1 , T i , 1 , A i , 0 , R i , 0 1 SamplePre A i , 0 , T i , 0 , A i , 1 , X i , X i , 0 , X i , 1 D Z m × m log q in the CP-ABPRE scheme, we know the distribution of P 2 R i , 1 0 T + X i , i S 1 , , P 2 R i , 0 1 T + X i , i S 1 , + , Q i , 0 , Q i , 1 statistically close to D Z m × m log q , σ . Since the distribution of Q i , 0 * , Q i , 1 * D Z m × m log q , σ are the same as Q i , 0 , Q i , 1 , respectively, we have Q i , 0 * s Q i , 0 , Q i , 1 * s Q i , 1 . Thus, Game 0 b s Game 1 b .
G a m e 3 b : We modify the re-encryption oracle O re r k S W , W , C W . We replace c i , 0 1 , c i , 1 1 with c i , 0 1 , + , c i , 1 1 , + Z q m , respectively, i [ | L | ] . The others are the same as G a m e 2 b .
Since Q i , 0 * , Q i , 1 * D Z m × m log q , σ and x i , 0 1 , x i , 1 1 D Z m , σ , we cannot distinguish between the distribution of c i , 0 1 , c i , 1 1 and the uniform distribution on Z q m under the LWE problem. Since c i , 0 1 , + , c i , 1 1 , + Z q m , we have c i , 0 1 , + s c i , 0 1 , c i , 1 1 , + s c i , 1 1 . Furthermore, Game 3 b s Game 2 b .
G a m e 4 b : We replace C W * Encrypt ( pp , W * , μ ) with c + Z q 1 + 2 L m , where c + = c + ; c i , 0 + , c i , 1 + i L . The others are the same as G a m e 3 b .
We have c + c c , c i , 1 + c c i , 1 , i S + L \ S + S , c i , 0 + c c i , 0 , i S L \ S + S under the LWE assumption and c i , 1 + s c i , 1 , i S , c i , 0 + s c i , 0 , i S + . Thus C W * c c + . Furthermore, Game 3 b c Game 4 b .
Finally, we can get Game 0 0 c Game 0 1 by Game 4 0 c Game 4 1 . This completes the proof. □
Theorem 2.
Let n , q , m , σ , α be as in the aforementioned. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at the re-encrypted ciphertext.
Proof. 
For W * , s t a t e 1 A 1 κ , μ , W , s t a t e 2 A O 1 p p , s t a t e 1 which are chosen by the adversary, The challenger encrypts μ { 0 , 1 } under access structure W and gets a corresponding ciphertext C W which is a random ciphertext C if b = 0 or the real ciphertext C W Encrypt ( pp , W , μ ) if b = 1 . By the G a m e 4 b of Theorem 1, we know that the adversary cannot distinguish a random ciphertext C from the real ciphertext C W Encrypt ( pp , W , μ ) . For the re-encryption key r k W W * , the adversary cannot distinguish the real r k W W * from a random Gaussian distribution by G a m e 2 b of Theorem 1. Thus, the adversary cannot obtain any useful things for winning the game. At last, the challenger outputs the challenge re-encrypted ciphertext C W * * R e E n c r k S W * , C W . By the LWE, we have Q i , 0 B D c i , 1 + x i , 0 1 , i S 1 , L \ S 1 , + S 1 , and the random uniform distributions are computationally indistinguishable, Q i , 1 B D c i , 0 + x i , 1 1 , i S 1 , + L \ S 1 , + S 1 , and the random uniform distributions are computationally indistinguishable. Thus, the advantage Adv CP ABPRE , A IND sAS CPA Re κ of the adversary is negligible. □

3.4. Comparison

We compare the related works in this subsection.
(1) Our scheme was constructed based on the LWE problem, and supports and-gates on positive and negative attributes. There are only two lattice-based ABE schemes that support this operation. Compared with the ABE scheme of [16,17], our scheme not only supports proxy re-encryption but also has smaller public parameters. The comparison results are given in Table 2. S is a set of all attributes in the access structure.
(2) The existing CP-ABPRE schemes are constructed by bilinear pairing [15,27,29], which are fragile when the post-quantum future comes. Our CP-ABPRE was constructed based on LWE, which is widely believed to be secure in quantum computer attacks.
(3) Compared with the PRE based on LWE, our scheme is the first CP-ABPRE scheme based on LWE and has the same computational complexity O ( n 2 ) . The comparison results are in Table 3.

4. Extension

In this section, we extend our CP-ABPRE scheme to a CP-ABPRE-KS scheme based on [17].
Definition 5.
A single-hop unidirectional CP-ABPRE-KS scheme consists of the following eight algorithms:
1. Setup( n , m , q , L ): For positive integers n , m , q , and a set of attributes L, the TA outputs public parameters p p and master secret key m s k .
2. KeyGen( p p , m s k , S ): For p p , m s k and an attribute set S of user (DO or DU), the TA outputs secret key s k S for S.
3. Encrypt( p p , W , k w , μ ): For p p , a message μ, a keyword k w , and an access structure W over the attribute set L, the DO outputs ciphertext C W .
4. Decrypt( p p , C W , k w , s k S , S ): For p p , C W , k w , S and its corresponding secret key s k S , the user (DO or DU) outputs plaintext μ if S W or a symbol ⊥ indicating either C W is invalid or S W .
5. ReKeyGen( p p , S , W , W 1 ): For p p , two access structures W , W 1 and an attribute set S, if S W , and W and W 1 are disjoint, the TA outputs re-encryption key r k W W 1 , otherwise outputs a symbol ⊥.
6. ReEnc( p p , C W , k w , r k W W 1 ): For p p , C W , k w , r k W W 1 , the CSP outputs the re-encrypted ciphertext C W 1 , k w .
7. Trapdoor( p p , m s k , S , k w ): For p p , m s k , k w , and a DU’s attribute set S, the TA returns the trapdoor T k w .
8. Test ( p p , T k w , C W , k w , R ): For p p , T k w = e , C W , k w , the DU constructs a list R about the positive or negative information of attributes, and sends R to CSP. The CSP returns η, where η = 1 means k w = k w , η = 0 means k w k w .
The CP-ABPRE-KS scheme is shown below.
1. Setup( n , m , q , L ): Given positive integers n , m , q , and a set of attributes L, the TA chooses a hash function H : 0 , 1 * Z q n , samples u Z q n , computes A i , b , T i , b T r a p G e n q , n for i L , where b { 0 , 1 } and returns public parameters p p = A i , b i L b 0 , 1 , u , H and master secret key m s k = T i , b i L b 0 , 1 .
2. KeyGen( p p , m s k , S ): Given p p , m s k , and an attribute set S of the DU, where S L , the TA lets A i = A i , 0 , i L \ S A i , 1 , i S , computes s SamplePre A , T , u , and returns secret key s k S = s , where A = A 1 | | A L , T = T 1 T L , T i is the basis for Λ q A i , i L .
3. Encrypt( p p , W , k w , μ ): Given p p , a message μ { 0 , 1 } , a keyword k w , and an access structure W, the DO denotes S + S as the positive (negative) attribute set in W, computes
c = u T f + x c + q 2 μ ,
p = H ( k w ) T f + x p ,
c i , 0 = z i , 0 , i S + A i , 0 T f + x i , 0 , i S _ ,
c i , 1 = A i , 1 T f + x i , 1 , i S + z i , 1 , i S ,
c j , 0 c j , 1 = A j , 0 T A j , 1 T f + x j , 0 x j , 1 ,
j L \ S + S , and returns ciphertext
C W , k w = c ; p ; c i , 0 , c i , 1 i L ,
where x c , x p χ , f χ n , z i , 0 , z i , 1 , x i , 0 , x i , 1 χ m .
4. Decrypt( p p , C W , k w , s k S , S ): After receiving the cipthertext C W , k w from CSP, the DU computes y = y 1 ; ; y L by y i = c i , 1 , i S c i , 0 , e l s e , and then outputs 0 if s T | 1 y T ; c = c y T s is closer to 0 than to q 2 modulo q, and 1 otherwise.
5. ReKeyGen( p p , S , W , W 1 ): After receiving p p , S , two access structures W , W 1 from DO, if W , W 1 are not disjoint or S W , then the TA outputs ⊥, and otherwise denotes the positive (negative) attribute set in W 1 as S 1 , + S 1 , , noting S 1 , + L , S 1 , L , then computes
Q i , 0 X ¯ i , i S 1 , + P 2 R i , 1 0 T + X i , i S 1 , ,
Q i , 1 P 2 R i , 0 1 T + X i , i S 1 , + X i ¯ , i S 1 , ,
Q i , 0 P 2 R i , 1 0 T + X i , 0 , i L \ S 1 , + S 1 , ,
Q i , 1 P 2 R i , 0 1 T + X i , 1 , i L \ S 1 , + S 1 , ,
where R i , 1 0 SamplePre A i , 1 , T i , 1 , A i , 0 , R i , 0 1 SamplePre A i , 0 , T i , 0 , A i , 1 , X i , X i , 0 , X i , 1 χ m × m log q , X i ¯ Z q m × m log q and finally returns re-encryption key r k W W 1 = Q i , 0 , Q i , 1 i L .
6. ReEnc( p p , C W , k w , r k W W 1 ): Given p p , C W , k w , r k W W 1 , the CSP computes
c i , 0 1 = Q i , 0 B D c i , 1 + x i , 0 1 , i S 1 , z i , 0 1 , i S 1 , + ,
c i , 1 1 = Q i , 1 B D c i , 0 + x i , 1 1 , i S 1 , + z i , 1 1 , i S 1 , ,
c j , 0 1 = Q i , 0 B D c j , 1 + x j , 0 1 ,
c j , 1 1 = Q i , 1 B D c j , 0 + x j , 1 1 ,
j L \ S 1 , + S 1 , ,
where x i , 0 1 , x j , 0 1 χ m , z i , 0 1 , z i , 1 1 Z q m and outputs the re-encrypted ciphertext
C W 1 , k w = c ; p ; c i , 0 1 , c i , 1 1 i L .
7. Trapdoor( p p , m s k , S , k w ): Given p p , m s k , k w and a DU’s attribute set S, the TA computes H ( k w ) and a matrix A = A 1 | | A L , where A i = A i , 0 , i L \ S A i , 1 , i S , and computes e SamplePre A , T , H ( k w ) and returns the trapdoor T k w = e , where T = T 1 T n , T i is the basis for Λ q A i , i L .
8. Test ( p p , T k w , C W , k w , R ): Given p p , T k w = e , C W , k w , the DU constructs a list R about the positive or negative information of attributes, and sends R to CSP. The CSP computes y = y 1 ; ; y L by y i = c i , 1 , i i s p o s i t i v e a t t r i b u t e c i , 0 , e l s e , and returns η = 1 , p e T y < q 4 0 , e l s e , where η = 1 means k w = k w , η = 0 means k w k w .
Figure 2 shows the sequence diagram of the whole scheme. Since the c , p in the original ciphertext are same as the c in the re-encrypted ciphertext, and the construction of c = u T f + x c + q 2 μ and p = H ( k w ) T f + x p are similar. Therefore, the correctness of the CP-ABPRE-KS scheme can be proved by the correctness of the CP-ABPRE scheme.
Based on the security definition of [17,21], we can define the IND-sAS-CKA (chosen keyword attacks) secure at the original ciphertext for the CP-ABPRE-KS scheme by modifying Definition 3 as follows:
(1) Adding Trapdoor oracle O tr p p , S , k w to the Learning Phase.
O tr p p , S , k w : The adversary inputs an attribute set S and H ( k w ) . If S W * , then challenger returns e T r a p d o o r ( p p , m s k , S , k w ) , where A = A 1 | | A L , A i = A i , 0 , i L \ S A i , 1 , i S , T = T 1 T n , T i is the basis for Λ q A i , i L .
(2) Modifying the Challenge .
Challenge: If the adversary finishes all of the oracles’ queries, then the adversary sends k w 0 , k w 1 to the challenger. For a coin b 0 , 1 , the challenger returns a random ciphertext C if b = 0 or the real ciphertext C W * Encrypt ( pp , W * , k w ) if b = 1 .
The others are the same as Definition 3.
Note that H is a hash function (random oracle) and e D Z m , σ , the security of the CP-ABPRE-KS scheme in the random model can be proved by the security of the CP-ABPRE scheme.

5. Conclusions

Focusing on the safe and efficient issue of cloud sharing, we construct the first CP-ABPRE scheme based on LWE. The CP-ABPRE scheme consists of six algorithms, and has small public parameters. Then, we show the correctness and parameters of the scheme, and prove the security under LWE. Because the data owner encrypts the data using the ABE scheme and then uploads the ciphertexts to the cloud, the data owner can implement fine-grained access control on the data. When the data owner wants to share the data with the data user who cannot access the data, the data owner only needs to send the re-encryption key to the cloud. The cloud implements the tedious re-encrypted ciphertexts generation calculation, and converts the ciphertexts under one access structure into re-encrypted ciphertexts under another access structure without decrypting the ciphertexts. The CP-ABPRE-KS scheme can search data without compromising data confidentiality, and can also transfer heavy data search operations to the cloud which reduces the computing burden of the user. In addition, because the LWE assumption is generally considered to be able to resist quantum computing attacks, the two schemes in this paper can guarantee the security under quantum computing attacks. However, the two schemes can only transform the ciphertexts under disjoint access structures. We will further study the conversion under more general access structures and the hierarchical key assignment schemes (HKASs) to achieve fine-grained access control.

Author Contributions

All authors contributed to the paper. J.L. and K.Z. wrote the manuscript with supervision from C.M. and J.L. is responsible for the design of the cryptosystem.

Funding

This work was supported by the National Natural Science Foundation of China (61472097), the Natural Science Foundation of Heilongjiang Province of China (JJ2019LH1770), the Special Funds of Heilongjiang University of the Fundamental Research Funds for the Heilongjiang Province (RCCXYJ201812), and the Open Fund of the State Key Laboratory of Information Security (2019-ZD-05).

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Castiglione, A.; De Santis, A.; Masucci, B.; Palmieri, F.; Huang, X.; Castiglione, A. Supporting dynamic updates in storage clouds with the Akl-Taylor scheme. Inf. Sci. 2017, 387, 56–74. [Google Scholar] [CrossRef]
  2. Crampton, J.; Gagarin, A.; Gutin, G.; Jones, M.; Wahlström, M. On the workflow satisfiability problem with class-independent constraints for hierarchical organizations. ACM Trans. Priv. Secur. 2016, 19, 3. [Google Scholar] [CrossRef]
  3. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for finegrained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 89–98. [Google Scholar]
  4. Xhafa, F.; Li, J.; Zhao, G.; Li, J.; Chen, X.; Wong, D.S. Designing cloud-based electronic health record system with attribute-based encryption. Multimed. Tools Appl. 2015, 74, 3441–3458. [Google Scholar] [CrossRef]
  5. Wang, D.; Ma, C.; Shi, L.; Wang, Y. On the Security of an Improved Password Authentication Scheme Based on ECC. In Information Computing and Applications, ICICA 2012; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7473, pp. 181–188. [Google Scholar]
  6. He, D.; Wang, D.; Wu, S. Cryptanalysis and improvement of a password-based remote user authentication scheme without smart cards. Inf. Technol. Control. 2013, 42, 105–112. [Google Scholar] [CrossRef]
  7. Wang, D.; Ma, C.; Zhang, Q.; Zhao, S. Secure password-based remote user authentication scheme against smart card security breach. J. Netw. 2013, 8, 148–155. [Google Scholar] [CrossRef]
  8. Ma, C.; Li, J.; Ouyang, W. Lattice-Based Identity-Based Homomorphic Conditional Proxy Re-Encryption for Secure Big Data Computing in Cloud Environment. Int. J. Found. Comput. Sci. 2017, 28, 645–660. [Google Scholar] [CrossRef]
  9. Ma, C.; Li, J.; Ouyang, W. A Homomorphic Proxy Re-encryption from Lattices. In Provable Security. ProvSec 2016; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2016; Volume 10005, pp. 353–372. [Google Scholar]
  10. Li, J.; Ma, C.; Zhang, L.; Yuan, Q. Unidirectional FHPRE Scheme from Lattice for Cloud Computing. Int. J. Netw. Secur. 2019, 21, 592–600. [Google Scholar]
  11. Singh, K.; Rangan, C.P.; Banerjee, A.K. Lattice Based Identity Based Proxy Re-Encryption Scheme. J. Internet Serv. Inf. Secur. 2013, 3, 38–51. [Google Scholar]
  12. Yang, Y.; Zheng, X.; Chang, V.; Tang, C. Semantic keyword searchable proxy re-encryption for postquantum secure cloud storage. Concurr. Comput. Pract. Exp. 2017, 29, e4211. [Google Scholar] [CrossRef]
  13. Liang, X.; Cao, Z.; Lin, H.; Shao, J. Attribute based proxy re-encryption with delegating capabilities. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia, 10–12 March 2009; pp. 276–286. [Google Scholar]
  14. Luo, S.; Hu, J.; Chen, Z. Ciphertext Policy Attribute-Based Proxy Re-encryption. In Information and Communications Security, ICICS 2010; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6476, pp. 401–415. [Google Scholar]
  15. Liang, K.; Man, H.; Liu, J.; Susilo, W.; Wong, D.S.; Yang, G.; Yu, Y.; Yang, A. A secure and efficient Ciphertext-Policy Attribute-Based Proxy Re-Encryption for cloud data sharing. Future Gener. Comput. Syst. 2015, 52, 95–108. [Google Scholar] [CrossRef]
  16. Zhang, J.; Zhang, Z.; Ge, A. Ciphertext policy attribute-based encryption from lattices. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Korea, 2–4 May 2012; pp. 16–17. [Google Scholar]
  17. Zeng, F.; Xu, C. A novel model for lattice-based authorized searchable encryption with special keyword. Math. Probl. Eng. 2015, 314621. [Google Scholar] [CrossRef]
  18. Boneh, D.; Di Crescenzo, G.; Ostrovsky, R.; Persiano, G. Public key encryption with keyword search. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; pp. 506–522. [Google Scholar]
  19. Shao, J.; Cao, Z.; Liang, X.; Lin, H. Proxy re-encryption with keyword search. Inf. Sci. 2010, 180, 2576–2587. [Google Scholar] [CrossRef]
  20. Wang, X.; Huang, X.; Yang, X.; Liu, L.; Wu, X. Further observation on proxy re-encryption with keyword search. J. Syst. Softw. 2012, 85, 643–654. [Google Scholar] [CrossRef]
  21. Shi, Y.; Liu, J.; Han, Z.; Zheng, Q.; Zhang, R.; Qiu, S. Attribute-Based Proxy Re-Encryption with Keyword Search. PLoS ONE 2015, 9, e116325. [Google Scholar] [CrossRef] [PubMed]
  22. Hong, H.; Sun, Z. Towards secure data sharing in cloud computing using attribute based proxy re-encryption with keyword search. In Proceedings of the 2017 IEEE 2nd International Conference on Cloud Computing and Big Data Analysis, ICCCBDA2017, Chengdu, China, 28–30 April 2017; pp. 218–223. [Google Scholar]
  23. Alwen, J.; Peikert, C. Generating shorter bases for hard random lattices. Theory Comput. Syst. 2011, 48, 535–553. [Google Scholar] [CrossRef]
  24. Agrawal, S.; Boneh, D.; Boyen, X. Efficient Lattice (H)IBE in the Standard Model. In Advances in Cryptology-EUROCRYPT 2010, EUROCRYPT 2010; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6110, pp. 553–572. [Google Scholar]
  25. Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology-EUROCRYPT 2012, EUROCRYPT 2012; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 700–718. [Google Scholar]
  26. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM 2005, 56, 34. [Google Scholar]
  27. Liang, K.; Fang, L.; Susilo, W.; Wong, D.S. A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertext security. In Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems, INCoS2013, Xi’an, China, 9–11 September 2013; pp. 55–559. [Google Scholar]
  28. Zhang, J.; Zhang, Z. A Ciphertext Policy Attribute-Based Encryption Scheme without Pairings. In Information Security and Cryptology. Inscrypt 2011; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2011; Volume 7537, pp. 324–340. [Google Scholar]
  29. Zeng, P.; Choo, K. A New Kind of Conditional Proxy Re-Encryption for Secure Cloud Storage. IEEE Access 2018, 6, 70017–70024. [Google Scholar] [CrossRef]
  30. Xagawa, K. Cryptography with Lattices. Ph.D. Thesis, Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, Tokyo, Japan, 2010. [Google Scholar]
  31. Jiang, M.; Hu, Y.; Wang, B.; Wang, F.H.; Lai, Q.Q. Lattice-based multi-use unidirectional proxy re-encryption. Secur. Commun. Netw. 2016, 8, 3796–3803. [Google Scholar] [CrossRef]
  32. Hou, J.; Jiang, M.; Guo, Y.; Song, W. Identity-Based Multi-bit Proxy Re-encryption Over Lattice in the Standard Model. In Frontiers in Cyber Security, FCS 2018, Communications in Computer and Information Science; Springer: Singapore, 2018; Volume 879, pp. 110–118. [Google Scholar]
Figure 1. System model of the ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme. CSP: cloud services provider; DO: data owner; DU: data user; TA: trusted authority.
Figure 1. System model of the ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme. CSP: cloud services provider; DO: data owner; DU: data user; TA: trusted authority.
Symmetry 11 01262 g001
Figure 2. The sequence diagram of the CP-ABPRE with keyword search (CP-ABPRE-KS) scheme.
Figure 2. The sequence diagram of the CP-ABPRE with keyword search (CP-ABPRE-KS) scheme.
Symmetry 11 01262 g002
Table 1. Notation.
Table 1. Notation.
xscalar
x vector
Amatrix or set
| | x | | l norm of x
| | x | | l 2 norm of x
[ k ] set { 1 , 2 , , k }
| L | the order of set L
S ( ) W attribute set S satisfies (or does not satisfy) access structure W
X | Y Z q m × ( n 1 + n 2 ) the concatenation of the columns of X Z q m × n 1 , Y Z q m × n 2
X ; Y Z q ( n 1 + n 2 ) × m the concatenation of the rows of X Z q n 1 × m , Y Z q n 2 × m
x χ x is sampled according to a probability distribution χ
x S x is sampled uniformly from a set S
X c ( s ) Y X and Y are computationally (statistically) indistinguishable
Table 2. Comparison of ciphertext-policy attribute-based encryption (CP-ABE) schemes. LWE: learning with errors; pp: public parameters; sk: secret key.
Table 2. Comparison of ciphertext-policy attribute-based encryption (CP-ABE) schemes. LWE: learning with errors; pp: public parameters; sk: secret key.
CryptosystemThe Size of ppSizeof skSizeof CiphertextSupport and-Gateson Positive and Negative AttributesLWE Assumption
[28] 2 L + 1 n × 2 L + 1 m + n | L | m ( 2 | L | + 1 | S | ) m YESYES
[17] 2 L + 1 n × 2 L + 1 m + n | L | m 1+ ( 2 | L | + 1 ) m YESYES
Our scheme 2 L n × 2 L m + n | L | m 1+ 2 | L | m YESYES
Table 3. Comparison for proxy re-encryption (PRE) schemes.
Table 3. Comparison for proxy re-encryption (PRE) schemes.
CryptosystemInteractivityDirectionalitySecurityLWE AssumptionAccess Control
[8]NOUnidirectionalCPAYESNO
[9]NOUnidirectionalCPAYESNO
[10]NOUnidirectionalCPAYESNO
[30]YESBidirectionalCPAYESNO
[31]NOUnidirectionalCPAYESNO
[32]NOUnidirectionalCPAYESNO
Our schemeNOUnidirectionalCPAYESYES

Share and Cite

MDPI and ACS Style

Li, J.; Ma, C.; Zhang, K. A Novel Lattice-Based CP-ABPRE Scheme for Cloud Sharing. Symmetry 2019, 11, 1262. https://doi.org/10.3390/sym11101262

AMA Style

Li J, Ma C, Zhang K. A Novel Lattice-Based CP-ABPRE Scheme for Cloud Sharing. Symmetry. 2019; 11(10):1262. https://doi.org/10.3390/sym11101262

Chicago/Turabian Style

Li, Juyan, Chunguang Ma, and Kejia Zhang. 2019. "A Novel Lattice-Based CP-ABPRE Scheme for Cloud Sharing" Symmetry 11, no. 10: 1262. https://doi.org/10.3390/sym11101262

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop