A Novel Lattice-Based CP-ABPRE Scheme for Cloud Sharing

The ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme supports access control and can transform a ciphertext under an access policy to a ciphertext under another access policy without decrypting the ciphertexts, which is flexible and efficient for cloud sharing. The existing CP-ABPRE schemes are constructed by bilinear pairing or multi-linear maps which are fragile when the post-quantum future comes. This paper presents an efficient unidirectional single-hop CP-ABPRE scheme with small public parameters from a lattice. For the transformation between two access structures, they are required to be disjoint. This paper uses the trapdoor sampling technique to generate the decryption key and the re-encryption key in constructing the scheme, and uses the decompose vectors technique to produce the re-encrypted ciphertexts in order to control their noise. Finally, we extended the scheme to a unidirectional single-hop CP-ABPRE scheme with keyword search for searching the encrypted data. Both schemes were proved secure under the learning with errors assumption, which is widely believed to be secure in quantum computer attacks. To the best of our knowledge, our scheme is the first CP-ABPRE scheme based on the learning with errors assumption.


Introduction
The encryption of cloud data can protect the security of data effectively. There are two types of encryption system: symmetric and asymmetric. In a symmetric encryption system, the encryption key and decryption key are the same. In an asymmetric encryption system, the encryption key and the decryption key are different. Attribute-based encryption (ABE) is an asymmetric approach.
In an ABE system, ciphertexts are labeled with a public attribute x, and private keys are associated with some descriptive values y. A private key decrypts the ciphertext and recovers the message if and only if x satisfies y. By assigning common attributes of these decryptors, a user can use ABE to encrypt data and store the encrypted data in the cloud for sharing data, protecting privacy, and obtaining fine-grained access control. Hierarchical key assignment schemes (HKASs) [1,2] can be used to achieve fine-grained access control. There are two variants of ABE [3]: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In a CP-ABE (KP-ABE) system, the private key (ciphertext) is associated with an arbitrary number of attributes expressed as strings S, the ciphertext (private key) is associated with an access structure W over attributes, and the private key can decrypt the ciphertext if and only if S satisfies W.
Using CP-ABE, a user (e.g., Alice) can encrypt her data under access structure W, then any user with attribute S can decrypt the encrypted data, where S satisfies W. If Alice wants to share the encrypted data with Bob, but the attribute set of Bob does not satisfy W, then Bob cannot get them from the cloud. Due to the resource-limited nature of the terminal device, it is impossible for users to back up all data in plaintext form. Thus, Alice needs to download and decrypt the ciphertext, and encrypt the data with another access structure W . The computational overhead of this strategy is too heavy for Alice.
For example, in an electronic health record (EHR) system [4], the set L of all attributes in the EHR system consists of all kinds of diseases, such as cold, lipomyoma, lung cancer, diabetes, and nephropathy. A patient encrypts their detailed personal information under access structure W, where W may be (cold and lipomyoma) or (diabetes and nephropathy). The physician's attributes S consist of the kinds of diseases that the physician specializes in, where S could be {cold, lipomyoma}.
Proxy re-encryption (PRE) allows a proxy to transform a ciphertext of a delegator to a ciphertext of a delegatee specified by the delegator, and the proxy will not know the message in this process, which can be used for cloud sharing. The cloud sharing can become more efficient with ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE). In the CP-ABPRE scheme, Alice only needs to generate a re-encryption key and send it to a proxy, then the proxy can transform the ciphertext under W to another ciphertext under W [5–7]. Although CP-ABPRE can effectively achieve cloud sharing, it offers no way to search the encrypted data. It is interesting to combine the concept of CP-ABPRE and keyword search to construct CP-ABPRE with keyword search (CP-ABPRE-KS), which can not only achieve the data sharing effectively, but can also search the encrypted data.

Related Work
At present, many types of lattice-based PRE scheme have been constructed. One example is conditional proxy re-encryption (CPRE) [8], whereby only ciphertexts satisfying a condition set by a delegator can be transformed by the proxy. Homomorphic proxy re-encryption (HPRE) [9,10] can homomorphically evaluate original or re-encrypted ciphertexts. In identity-based proxy re-encryption (IBPRE) [11], ciphertexts are transformed from one identity to another. Proxy re-encryption with keyword search (PRE-KS) [12] simultaneously realizes the functionality of proxy re-encryption and keyword search. However, there is no lattice-based attribute-based proxy re-encryption (ABPRE) [13] whereby ciphertexts are transformed from one access policy to another.
Liang et al. [13] constructed the first CP-ABPRE scheme based on bilinear maps, supporting and-gates over positive and negative attributes. Luo et al. [14] extended [13] to a CP-ABPRE supporting and-gates on multi-valued and negative attributes, but the scheme is selective-policy chosen plaintext secure. Liang et al. [15] constructed the first adaptively CCA-secure CP-ABPRE. The existing CP-ABPRE schemes are constructed by bilinear pairing or multi-linear maps, which are fragile when the post-quantum future comes. Zhang et al. [16] presented a ciphertext policy attribute-based encryption (ABE) scheme based on learning with errors (LWE), which is widely believed to be secure in quantum computer attacks. Zeng et al. [17] presented an authorized searchable encryption with special keyword based on [16].
Boneh et al. [18] constructed a public key encryption with keyword search for searching encrypted data. Shao et al. [19] constructed the first PRE-KS, which simultaneously realizes the functionality of proxy re-encryption and keyword search. Wang et al. [20] extended [19] to a constrained single-hop unidirectional proxy re-encryption supporting conjunctive keywords search. Shi et al. [21] formalized the syntax and security definitions for ABPRE with keyword search (ABPRE-KS), and constructed two ABPRE-KS by multi-linear maps; that is, CP-ABPRE-KS and KP-ABPRE-KS. Hong et al. [22] also presented an ABPRE-KS by bilinear pairing for flexible and secure data sharing in the cloud. None of these schemes can resist quantum computation attacks. Yang et al. [12] proposed a novel lattice-based semantic keyword searchable proxy re-encryption scheme for secure cloud storage which is resistant to quantum attack.

Our Contributions
In this paper, (1) we constructed a lattice-based CP-ABE scheme by modifying the ABE scheme of Zeng et al. [17]. Compared with the ABE schemes of [16,17], our CP-ABE scheme has smaller public parameters. (2) We constructed a CP-ABPRE scheme based on the new CP-ABE scheme by using trapdoor sampling from LWE, which is widely believed to be secure in quantum computer attacks. The CP-ABPRE scheme is the first CP-ABPRE based on LWE. (3) We extended the CP-ABPRE scheme to a CP-ABPRE-KS scheme.
The rest of this paper is organized as follows: Section 2 presents preliminaries; Section 3 describes the constructed ABPRE scheme; Section 4 extends the ABPRE to the ABPRE-KS scheme; finally, our work is concluded in Section 5.

Preliminaries
We introduce some notations, Gaussian distribution, the LWE hardness assumption, and the definition of CP-ABPRE in this section.

Notation
We employed some initial notations, as listed in Table 1. For an integer q and a vector x ∈ Z q n , let When A is a matrix, let P2(A) (BD(A)) be the matrix formed by applying the operation to each row (column) of A.
x is sampled uniformly from a set S
X ≈ c (≈ s ) Y: X and Y are computationally (statistically) indistinguishable

Gaussian Distributions and the LWE Hardness Assumption
For any positive parameter σ > 0, define the Gaussian function on R m , centered at c: For any vector c ∈ R m and positive parameter σ > 0, let Λ be a discrete subset of Z m , define the discrete Gaussian distribution over Λ as: For constructing the CP-ABPRE scheme, we sample vectors from the discrete Gaussian distribution D. The algorithm SamplePre can sample vectors from a distribution statistically close to D Λ(A) , but it needs the basis of Λ ⊥ (A). Lemmas 1 and 2 can meet our needs. Lemma 1 can output a basis of Λ ⊥ (A), and Lemma 2 can sample vectors from a distribution statistically close to D Λ(A) .
Lemma 1 ([23]). For any positive integers n, m ≥ 6n log q, q ≥ 2, the probabilistic polynomial-time algorithm TrapGen(q, n, m) can output a pair (A, T) ∈ Z n×m q × Z m×m , where (1) A is statistically close to uniform in Z n×m q ; (2) T is a basis for Λ ⊥ q (A) = { e ∈ Z m , s.t. A e = 0 mod q}; (3) T ≤ O(n log q) and T ≤ O n log q .
Alwen and Peikert assert that the constant hidden in the first O(•) is no more than 20.

Lemma 2 ([24]). For any positive integer q ≥ 2, vector c ∈ Z m , u ∈ Z n q and matrix A ∈ Z n×m q , the probabilistic polynomial-time algorithm SamplePre(A, T A , u, c) can output vector x ∈ Λ u q (A) = { e ∈ Z m , s.t. A e = u mod q}, which follows a distribution statistically close to D Λ u q (A),σ, c , where T A is a basis of Let X be a normal random variable with mean 0 and deviation α 2 2π , where α ∈ (0, 1) is a real number. For prime q, define the random variable in distribution Ψ α over Z q as qX mod q. For the correctness of our CP-ABPRE scheme, we need Lemmas 3 and 4, which show bounds for random variables.
The LWE (learning with errors) problem [26] is as hard as the worst-case SIVP and GapSVP with certain noise distributions D (e.g., Ψ α ), which is a classic hard problem on lattices. The decisional LWE n,q,χ problem is to distinguish and D is a distribution over Z.

Attribute and Access Structure
We denote L = [|L|] as the set of all attributes in the system. For i ∈ [L], the user either has the attribute i or does not have it. If a user does not have attribute i, we say the user has attribute −i. Thus, i and −i appear in pairs. We denote i and −i as positive and negative attribute, respectively. In this paper, we study the CP-ABE scheme which supports and-gates on positive and negative attributes.
Definition 1. Let L be the set of all attributes. If the access structure W is organized by and-gates on positive and negative attributes, then an attribute set S satisfies W if and only if S + ⊆ S, S − ⊆ L\S, where S + (S − ) is the positive (negative) attribute set in W. For two access structures W and W 1 , let S + , S 1,+ (S − , S 1,− ) be the positive (negative) attribute set in W and W 1 . If S + ⊆ S 1,− , S − ⊆ S 1,+ , then we say W and W 1 are disjoint.
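Definition 1 written as executable checks over the EHR attributes from the Introduction. This is an added example, not code from the paper; the names AndGate, satisfies, disjoint, rekey_allowed and sets_satisfying_both are hypothetical. It shows two consequences of the definition as written: the disjointness relation is directional, and when W names at least one attribute no attribute set can satisfy both W and a W 1 that is disjoint from it.

```python
from itertools import combinations

# Attribute universe L, taken from the page's EHR example.
L = frozenset({"cold", "lipomyoma", "lung cancer", "diabetes", "nephropathy"})


class AndGate:
    """Access structure W: an AND over positive (S+) and negative (S-) attributes."""

    def __init__(self, positive=(), negative=()):
        self.pos, self.neg = frozenset(positive), frozenset(negative)
        if not (self.pos | self.neg) <= L:
            raise ValueError("attribute outside the universe L")
        if self.pos & self.neg:
            raise ValueError("attribute required both present and absent")


def satisfies(S, W):
    """Definition 1: S satisfies W iff S+ is inside S and S- is inside L minus S."""
    S = frozenset(S)
    return W.pos <= S and W.neg <= (L - S)


def disjoint(W, W1):
    """Definition 1: W and W1 are disjoint iff S+ is inside S1- and S- is inside S1+."""
    return W.pos <= W1.neg and W.neg <= W1.pos


def rekey_allowed(S, W, W1):
    """Precondition of ReKeyGen(pp, S, W, W1); False means the TA outputs the symbol ⊥."""
    return satisfies(S, W) and disjoint(W, W1)


def sets_satisfying_both(W, W1):
    """Brute force over all 2^|L| attribute sets (fine for a five-attribute universe)."""
    items = sorted(L)
    found = []
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            if satisfies(combo, W) and satisfies(combo, W1):
                found.append(frozenset(combo))
    return found


if __name__ == "__main__":
    physician = {"cold", "lipomyoma"}                       # S from the page
    W = AndGate(positive={"cold", "lipomyoma"})             # policy from the page
    # Constructed target policy: must negate every positive attribute of W.
    W1 = AndGate(positive={"diabetes"}, negative={"cold", "lipomyoma"})
    W2 = AndGate(positive={"diabetes", "nephropathy"})      # other policy from the page
    print(rekey_allowed(physician, W, W1))   # True
    print(disjoint(W1, W))                   # False: the relation is directional
    print(rekey_allowed(physician, W, W2))   # False: W and W2 are not disjoint
    print(sets_satisfying_both(W, W1))       # []
```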

Definition and Security Model of CP-ABPRE Scheme
There are four participants in the single-hop unidirectional CP-ABPRE scheme for cloud sharing, as shown in Figure 1.
(1) Trusted authority (TA). The TA is trusted by all participants. The TA generates the master secret key, public parameters and re-encryption key.
(2) Cloud services provider (CSP). The CSP is semi-trusted by all participants. The CSP stores data uploaded by the DO, and computes the re-encrypted ciphertext using the original ciphertext and re-encryption key.
(3) Data owner (DO). The DO encrypts their data and stores the encrypted data in the cloud.
(4) Data user (DU). The DU queries the CSP for re-encrypted data which belongs to them.
We give the following definition based on the definition and security model of Liang et al. [27].
Definition 2. A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms:
1. Setup(κ, L): For a set L of attributes and security parameter κ, the TA outputs public parameters pp and master secret key msk.
2. KeyGen(pp, msk, S): For pp, msk and an attribute set S of user (DO or DU), the TA outputs secret key sk S for S. Note that each secret key sk S is associated with an attribute set S.
3. Encrypt(pp, W, µ): For pp, a message µ, and an access structure W over the attribute set L, the DO outputs ciphertext C W . Note that each ciphertext C W is associated with an access structure W.
4. Decrypt(pp, sk S , C W , S): For pp, C W , S and its corresponding secret key sk S , the user (DO or DU) outputs plaintext µ if S W or a symbol ⊥ indicating either C W is invalid or S W.
5. ReKeyGen(pp, S, W, W 1 ): For pp, two access structures W, W 1 and an attribute set S, if S W, and W and W 1 are disjoint, the TA outputs the re-encryption key rk W→W 1 , and otherwise outputs a symbol ⊥.
6. ReEnc(pp, C W , rk W→W 1 ): For pp, C W , rk W→W 1 , the CSP outputs the re-encrypted ciphertext C W 1 .
Correctness. There are two requirements for correctness:
Definition 3. For a single-hop unidirectional CP-ABPRE scheme, let κ be a security parameter. Consider the following games, denoted by , between challenger and adversary.
Initialization. The adversary chooses a challenge access structure W * for the challenger.
Setup Phase: The challenger runs Setup(κ, L) and sends pp to the adversary.
Learning Phase: In this phase, the adversary can access the following oracles polynomially many times, and the challenger needs to answer these oracles.
(1) Secret key oracle O sk (S): The adversary inputs an attribute set S. If S W * , then the challenger returns sk S ← KeyGen (pp, msk, S), and otherwise returns ⊥.
(2) Re-encryption key oracle O rk (S, W, W ): The adversary inputs two access structures W, W and S. If S W, W and W are disjoint, and O sk (S ) has been accessed for any S W , then the challenger returns rk W→W ← ReKeyGen(pp, S, W, W ), and otherwise returns ⊥.
(3) Re-encryption oracle O re (rk W→W , W , C W ): The adversary inputs W , C W , rk W→W . If rk W→W ← ReKeyGen(pp, S, W, W ), sk S ← KeyGen (pp, msk, S), S W, then the challenger returns C W ← ReEnc(pp, C W , rk W→W ), and otherwise returns ⊥.
Challenge: If the adversary finishes all of the oracles' queries, then the adversary sends µ ∈ {0, 1} to the challenger. For a coin b ∈ {0, 1}, the challenger returns a random ciphertext C if b = 0 or the real ciphertext
Guess: Finally, the adversary outputs a guess b ∈ {0, 1}. If b = b, the adversary wins.
We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext if for any PPT adversary, the advantage of the adversary is negligible.
Definition 4. For a single-hop unidirectional CP-ABPRE scheme, let κ be a security parameter. We say a single-hop unidirectional CP-ABPRE scheme is IND-sAS-CPA secure at re-encrypted ciphertext if for any PPT adversary, the advantage

A CP-ABPRE Scheme
First, we propose a single-hop unidirectional CP-ABPRE scheme, then prove the correctness and security of the scheme, and finally compare the schemes.

Concrete Scheme
A single-hop unidirectional CP-ABPRE scheme consists of the following six algorithms.
1. Setup(n, m, q, L): Given positive integers n, m, q, and a set of attributes L, the TA samples u ← Z n q , computes (A i,b , T i,b ) ← TrapGen (q, n) for i ∈ L, where b ∈ {0, 1} and returns public parameters , u and master secret key msk = T i,b b∈{0,1} i∈L .
2. KeyGen(pp, msk, S): Given pp, msk and an attribute set S of the DU, where S ⊆ L, the TA lets , computes s ← SamplePre (A, T, u), and returns secret key sk S = s, where
3. Encrypt(pp, W, µ): Given pp, a message µ ∈ {0, 1}, and an access structure W, the DO denotes S + (S − ) as the positive (negative) attribute set in W, computes f + x j,0 x j,1 , j ∈ L\ (S + ∪ S − ), and returns ciphertext where x c ← χ, f ← χ n , z i,0 , z i,1 , x i,0 , x i,1 ← χ m .
4. Decrypt(pp, C W , sk S , S): After receiving the ciphertext C W from the CSP, the DU computes y = , else , and then outputs 0 if − s T |1 y T ; c = c − y T s is closer to 0 than to q 2 modulo q, and 1 otherwise.
5. ReKeyGen(pp, S, W, W 1 ): After receiving pp, S, two access structures W, W 1 from the DO, if W, W 1 are not disjoint or S W, then the TA outputs ⊥, and otherwise denotes the positive (negative) attribute set in W 1 as S 1,+ S 1,− , noting S 1,+ ⊆ L, S 1,− ⊆ L, then computes and finally returns the re-encryption key rk W→W 1 = {Q i,0 , Q i,1 } i∈L .
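A toy run of Encrypt and Decrypt that makes the rounding step concrete (an added example, not the paper's code; all function names are hypothetical). Assumptions: the key is planted by drawing a short s first and setting u = A s mod q instead of calling TrapGen and SamplePre; a component c i,b that the policy excludes is uniform, and every other component is A i,b T f + x i,b ; the parameters are far too small to be secure.

```python
import random

Q, N, M = 4093, 8, 16   # toy prime modulus q, LWE dimension n, columns per A_{i,b}
ATTRS = ["cold", "lipomyoma", "diabetes", "nephropathy"]   # attribute set L


def small(k, rng):
    """Stand-in for the noise distribution chi: entries in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(k)]


def uniform(k, rng):
    return [rng.randrange(Q) for _ in range(k)]


def bit_for(attr, user_attrs):
    """Matrix/component index used by a key for attribute set S: 1 if attr in S."""
    return 1 if attr in user_attrs else 0


def setup_keygen(user_attrs, rng):
    """Toy Setup + KeyGen for ONE user. Assumption: instead of TrapGen and
    SamplePre(A, T, u), draw a short key s first and define u = A s mod q."""
    A = {(i, b): [uniform(M, rng) for _ in range(N)] for i in ATTRS for b in (0, 1)}
    s = {i: small(M, rng) for i in ATTRS}
    for i in ATTRS:
        s[i][0] = 1                        # keep every key block non-zero
    u = [0] * N
    for i in ATTRS:
        Ai = A[(i, bit_for(i, user_attrs))]
        for r in range(N):
            u[r] = (u[r] + sum(a * x for a, x in zip(Ai[r], s[i]))) % Q
    return A, u, s


def encrypt(A, u, pos, neg, mu, rng):
    """c = u^T f + x_c + floor(q/2)*mu, plus one vector c_{i,b} per attribute and bit."""
    f = small(N, rng)
    c = (sum(a * b for a, b in zip(u, f)) + small(1, rng)[0] + (Q // 2) * mu) % Q
    comps = {}
    for i in ATTRS:
        for b in (0, 1):
            if (i in pos and b == 0) or (i in neg and b == 1):
                comps[(i, b)] = uniform(M, rng)        # excluded by W: uniform vector
            else:
                x = small(M, rng)
                comps[(i, b)] = [(sum(A[(i, b)][r][k] * f[r] for r in range(N)) + x[k]) % Q
                                 for k in range(M)]
    return c, comps


def decrypt(c, comps, s, user_attrs):
    """Compute c - y^T s mod q; output 0 if it is closer to 0 than to q/2, else 1."""
    d = c
    for i in ATTRS:
        y = comps[(i, bit_for(i, user_attrs))]
        d -= sum(a * b for a, b in zip(y, s[i]))
    d %= Q
    return 0 if min(d, Q - d) < abs(d - Q // 2) else 1


def success_rate(pos, neg, user_attrs, rounds=400, seed=1):
    """Fraction of random message bits recovered by the key for user_attrs."""
    rng = random.Random(seed)
    A, u, s = setup_keygen(user_attrs, rng)
    ok = 0
    for _ in range(rounds):
        mu = rng.randrange(2)
        c, comps = encrypt(A, u, pos, neg, mu, rng)
        ok += decrypt(c, comps, s, user_attrs) == mu
    return ok / rounds


if __name__ == "__main__":
    physician = {"cold", "lipomyoma"}
    # W = (cold AND lipomyoma): residual noise |x_c - x^T s| <= 1 + 4*16 = 65 < q/4.
    print(success_rate({"cold", "lipomyoma"}, set(), physician))
    # W = (diabetes AND nephropathy): the key selects uniform components.
    print(success_rate({"diabetes", "nephropathy"}, set(), physician))
```

When S satisfies W the residual c − y T s equals x c − x T s + ⌊q/2⌋µ and every bit is recovered; when it does not, the selected uniform component makes the residual uniform and the output is a coin flip.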

Correctness and Parameters
We show the correctness and parameters in this subsection. Firstly, we prove that Decrypt(pp, sk S , C W )= µ, where C W = Encrypt(pp, W, µ) and S W.
For an attribute set S, let , then we can get µ. Then, we prove that Decrypt(pp, sk S 1 , C W 1 )= µ, where Let S 1,+ , S 1,− be the positive and negative attribute set in W 1 , C W = c; { c i,0 , c i,1 } i∈L be a ciphertext under W, and rk W→W 1 = {Q i,0 , Q i,1 } i∈L be a re-encryption key. Since the access structures W and W 1 are disjoint, we know that if i ∈ S 1,− , then that is . Similarly, we have where For the attribute set S 1 , let , then we can get µ. Finally, we set the parameters.
Let χ = Ψ α , the parameters can be set as follows: , where δ is constant between 0 and 1.
We verify (4), the others can be easily computed. From the element of x 1 , we know . By Lemmas 2 and 3, we have || r|| ≤ σ √ m. By Lemma 4, we have

Security
We show the CP-ABPRE scheme is IND-sAS-CPA secure under the LWE problem in this subsection. Theorem 1 shows that the CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext, Theorem 2 shows the CP-ABPRE scheme is IND-sAS-CPA secure at the re-encrypted ciphertext.
Theorem 1. Let n, q, m, σ, α be as in the aforementioned. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at the original ciphertext.
(κ) with b ∈ {0, 1}. Suppose W * is the adversary's access structure, the challenger denotes the positive (negative) attribute set in W * as S * ,+ (S * ,− ). The challenger answers the ciphertext of the adversary's issue about µ ∈ {0, 1} as follows: - Finally, the adversary outputs a guess b ∈ {0, 1}.
Game b 1 : We modify the secret key oracle O sk (S). If the adversary inputs an attribute set S and S W * , then the challenger returns ⊥. If S W * , the challenger lets and outputs the secret key The others are the same as Game b 0 . From Lemma 2, we know the distribution of s + is statistically close to D . The distribution of the real secret key s in the CP-ABPRE scheme is also statistically close to D . Thus the distribution of s + is the same as that of the real secret key s. In addition, because A s + = u, we have s + ≈ s s. Thus, Game b 0 ≈ s Game b 1 .

Game b 2 : We modify the re-encryption key oracle O rk (W, W ). We replace P2 R T i,1→0 , respectively. The others are the same as Game b 1 . Since

Game b 3 : We modify the re-encryption oracle O re (rk S→W , W , C W ). We replace , we cannot distinguish between the distribution of c 1 i,0 , c 1 i,1 and the uniform distribution on Z m q under the LWE problem. Since , where c .
The others are the same as Game b 3 . We have Finally, we can get Game 0 0 ≈ c Game 1 0 by Game 0 4 ≈ c Game 1 4 . This completes the proof.
Theorem 2. Let n, q, m, σ, α be as in the aforementioned. Then if LWE is hard, our CP-ABPRE scheme is IND-sAS-CPA secure at the re-encrypted ciphertext.
Proof. For (W * , state 1 ) ← A (1 κ ), (µ, W, state 2 ) ← A O 1 (pp, state 1 ) which are chosen by the adversary, the challenger encrypts µ ∈ {0, 1} under access structure W and gets a corresponding ciphertext By the Game b 4 of Theorem 1, we know that the adversary cannot distinguish a random ciphertext C from the real ciphertext C W ← Encrypt(pp, W, µ). For the re-encryption key rk W→W * , the adversary cannot distinguish the real rk W→W * from a random Gaussian distribution by Game b 2 of Theorem 1. Thus, the adversary cannot obtain anything useful for winning the game. At last, the challenger outputs the challenge re-encrypted ciphertext C * W * ← ReEnc (rk S→W * , C W ). By the LWE, we have Q i,0 BD ( c i,1 ) + x 1 i,0 , i ∈ S 1,− ∪ L\ S 1,+ ∪ S 1,− and the random uniform distributions are computationally indistinguishable, Q i,1 BD ( c i,0 ) + x 1 i,1 , i ∈ S 1,+ ∪ L\ S 1,+ ∪ S 1,− and the random uniform distributions are computationally indistinguishable. Thus, the advantage Adv IND−sAS−CPA−Re CP−ABPRE,A (κ) of the adversary is negligible.

Comparison
We compare the related works in this subsection.
(1) Our scheme was constructed based on the LWE problem, and supports and-gates on positive and negative attributes. There are only two lattice-based ABE schemes that support this operation. Compared with the ABE scheme of [16,17], our scheme not only supports proxy re-encryption but also has smaller public parameters. The comparison results are given in Table 2. S is a set of all attributes in the access structure.
(2) The existing CP-ABPRE schemes are constructed by bilinear pairing [15,27,29], which are fragile when the post-quantum future comes. Our CP-ABPRE was constructed based on LWE, which is widely believed to be secure in quantum computer attacks.
(3) Compared with the PRE based on LWE, our scheme is the first CP-ABPRE scheme based on LWE and has the same computational complexity O(n 2 ). The comparison results are in Table 3.

Extension
In this section, we extend our CP-ABPRE scheme to a CP-ABPRE-KS scheme based on [17].
Definition 5. A single-hop unidirectional CP-ABPRE-KS scheme consists of the following eight algorithms:
1. Setup(n, m, q, L): For positive integers n, m, q, and a set of attributes L, the TA outputs public parameters pp and master secret key msk.
2. KeyGen(pp, msk, S): For pp, msk and an attribute set S of user (DO or DU), the TA outputs secret key sk S for S.
3. Encrypt(pp, W, kw, µ): For pp, a message µ, a keyword kw, and an access structure W over the attribute set L, the DO outputs ciphertext C W .
4. Decrypt(pp, C W,kw , sk S , S): For pp, C W,kw , S and its corresponding secret key sk S , the user (DO or DU) outputs plaintext µ if S W or a symbol ⊥ indicating either C W is invalid or S W.
5. ReKeyGen(pp, S, W, W 1 ): For pp, two access structures W, W 1 and an attribute set S, if S W, and W and W 1 are disjoint, the TA outputs re-encryption key rk W→W 1 , otherwise outputs a symbol ⊥.
The CP-ABPRE-KS scheme is shown below.
1. Setup(n, m, q, L): Given positive integers n, m, q, and a set of attributes L, the TA chooses a hash function
2. KeyGen(pp, msk, S): Given pp, msk, and an attribute set S of the DU, where S ⊆ L, the TA lets , computes s ← SamplePre (A, T, u), and returns secret key sk S = s, where
3. Encrypt(pp, W, kw, µ): Given pp, a message µ ∈ {0, 1}, a keyword kw, and an access structure W, the DO denotes S + (S − ) as the positive (negative) attribute set in W, computes
4. Decrypt(pp, C W,kw , sk S , S): After receiving the ciphertext C W,kw from CSP, the DU computes , else , and then outputs 0 if − s T |1 y T ; c = c − y T s is closer to 0 than to q 2 modulo q, and 1 otherwise.
5. ReKeyGen(pp, S, W, W 1 ): After receiving pp, S, two access structures W, W 1 from DO, if W, W 1 are not disjoint or S W, then the TA outputs ⊥, and otherwise denotes the positive (negative) attribute set in and finally returns re-encryption key rk W→W 1 = {Q i,0 , Q i,1 } i∈L .
6. ReEnc(pp, C W,kw , rk W→W 1 ): Given pp, C W,kw , rk W→W 1 , the CSP computes where x 1 i,0 , x 1 j,0 ← χ m , z 1 i,0 , z 1 i,1 ← Z m q and outputs the re-encrypted ciphertext
7. Trapdoor(pp, msk, S, kw): Given pp, msk, kw and a DU's attribute set S, the TA computes H(kw) and , and computes e ← SamplePre (A, T, H(kw)) and returns the trapdoor T kw = e, where T =
Figure 2 shows the sequence diagram of the whole scheme. Since the c, p in the original ciphertext are the same as the c in the re-encrypted ciphertext, and the constructions of c = u T f + x c + q 2 µ and p = H(kw) T f + x p are similar, the correctness of the CP-ABPRE-KS scheme can be proved by the correctness of the CP-ABPRE scheme. Based on the security definition of [17,21], we can define the IND-sAS-CKA (chosen keyword attacks) secure at the original ciphertext for the CP-ABPRE-KS scheme by modifying Definition 3 as follows:
(1) Adding Trapdoor oracle O tr (pp, S, kw) to the Learning Phase.
O tr (pp, S, kw): The adversary inputs an attribute set S and H(kw). If S W * , then challenger returns e ← Trapdoor(pp, msk, S, kw), where T i is the basis for Λ ⊥ q (A i ), i ∈ L.
Challenge: If the adversary finishes all of the oracles' queries, then the adversary sends kw 0 , kw 1 to the challenger. For a coin b ∈ {0, 1}, the challenger returns a random ciphertext C if b = 0 or the real ciphertext C W * ← Encrypt(pp, W * , kw) if b = 1.
The others are the same as Definition 3.
Note that H is a hash function (random oracle) and e ∈ D Z m ,σ , the security of the CP-ABPRE-KS scheme in the random model can be proved by the security of the CP-ABPRE scheme.

Conclusions
Focusing on the safe and efficient issue of cloud sharing, we construct the first CP-ABPRE scheme based on LWE. The CP-ABPRE scheme consists of six algorithms, and has small public parameters. Then, we show the correctness and parameters of the scheme, and prove the security under LWE. Because the data owner encrypts the data using the ABE scheme and then uploads the ciphertexts to the cloud, the data owner can implement fine-grained access control on the data. When the data owner wants to share the data with the data user who cannot access the data, the data owner only needs to send the re-encryption key to the cloud. The cloud implements the tedious re-encrypted ciphertexts generation calculation, and converts the ciphertexts under one access structure into re-encrypted ciphertexts under another access structure without decrypting the ciphertexts. The CP-ABPRE-KS scheme can search data without compromising data confidentiality, and can also transfer heavy data search operations to the cloud which reduces the computing burden of the user. In addition, because the LWE assumption is generally considered to be able to resist quantum computing attacks, the two schemes in this paper can guarantee the security under quantum computing attacks. However, the two schemes can only transform the ciphertexts under disjoint access structures. We will further study the conversion under more general access structures and the hierarchical key assignment schemes (HKASs) to achieve fine-grained access control.

Figure 1. System model of the ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) scheme. CSP: cloud services provider; DO: data owner; DU: data user; TA: trusted authority.

Proof. Consider the following games. Game b 0 : This is the real game Expt IND−sAS−CPA−Or CP−ABPRE,A

6. ReEnc(pp, C W,kw , rk W→W 1 ): For pp, C W,kw , rk W→W 1 , the CSP outputs the re-encrypted ciphertext C W 1 ,kw .
7. Trapdoor(pp, msk, S, kw): For pp, msk, kw, and a DU's attribute set S, the TA returns the trapdoor T kw .
8. Test (pp, T kw , C W,kw , R): For pp, T kw = e, C W,kw , the DU constructs a list R about the positive or negative information of attributes, and sends R to CSP. The CSP returns η, where η = 1 means kw = kw , η = 0 means kw = kw .
where b ∈ {0, 1} and returns public parameters pp = A i,b b∈{0,1} i∈L , u, H and master secret key msk =

8. Test (pp, T kw , C W,kw , R): Given pp, T kw = e, C W,kw , the DU constructs a list R about the positive or negative information of attributes, and sends R to CSP. The CSP computes y = y 1 ; • • • ; y |L| by y i = c i,1 if i is a positive attribute and y i = c i,0 otherwise, and returns η = 1 if p − e T y < q 4 and η = 0 otherwise, where η = 1 means kw = kw , η = 0 means kw = kw .
the adversary is negligible, where O 1 = {O sk , O rk , O re } and O sk (it is forbidden to S W * ), O rk , O re (it is forbidden to C W is a valid original ciphertext or a re-encrypted ciphertext) as in Definition 3, State 1 and State 2 are the state information, W * is the challenge access structure, and W, W * are disjoint, C W is a random ciphertext C if b