Efficient Outsourced Decryption System with Attribute-Based Encryption for Blockchain-Based Digital Asset Transactions

Abstract

The rapid expansion of blockchain-based digital asset trading raises new challenges in security, privacy, and efficiency. Although traditional attribute-based encryption (ABE) provides fine-grained access control, it imposes considerable computational overhead and introduces additional vulnerabilities when decryption is outsourced. To address these limitations, we present EBODS, an efficient outsourced decryption framework that combines an optimized ABE scheme with a decentralized blockchain layer. By applying policy matrix optimization and leveraging edge decryption servers, EBODS reduces the public key size by 8% and markedly accelerates computation. Security analysis confirms the strong resistance of EBODS to collusion attacks, making it suitable for resource-constrained digital asset platforms.

1. Introduction

The proliferation of digital assets—such as cryptocurrencies and non-fungible tokens (NFTs)—is reshaping the global financial landscape [1]. While blockchain networks have introduced edge-computing techniques to offload intensive tasks [2,3,4], they still suffer from efficiency bottlenecks when securely processing transaction data. However, most current ledgers still assume a single credential issuer, which becomes a trust and performance bottleneck once multiple regulators or service providers need to co-govern digital-asset flows.

Ciphertext Policy Attribute-Based Encryption (CP-ABE) provides fine-grained, attribute-oriented access control as to matters of digital asset transaction [5,6,7,8]. However, there are some challenges to implementing these existing CP-ABE schemes on digital asset trading platforms. For bilinear pairing-based classical versions, the cost increases with the size of the attribute set, while the keys to be generated and matrix operations of lattice-based post-quantum ones are extremely large and expensive, which are unsuitable for resource-constrained devices. Existing solutions for outsourced decryption either delegate full ciphertexts to untrusted proxies, compromising security, or undertake most of the computation at the client, limiting both scalability and responsiveness [9,10,11]. Together, the above limitations cause performance bottlenecks, which in turn prevent the extensive application of CP-ABE in practice.

Equally important, almost all of the above schemes rely on a single Attribute Authority (AA) that issues secret keys. In real trading ecosystems, attributes such as “KYC-level”, “jurisdiction”, and “credit-rating” are certified by different organizations; a single-AA design therefore reintroduces central point of failure risks and invites collusion between the AA and users.

Recent blockchain-assisted outsourcing methods [12] introduce verifiable computation and fair-payment mechanisms. Nevertheless, they typically leave the underlying cryptographic operations untouched and still rely on centralized verifiers, which reintroduce single points of failure. Furthermore, existing schemes lack effective strategies to balance computational efficiency with security guarantees, especially in high-throughput digital asset scenarios.

In light of these challenges, we advocate for a symmetric allocation of computation and security responsibilities between edge decryption servers (EDSs) and end users. Such symmetry minimizes resource contention, mitigates bottlenecks, and enhances scalability under high-throughput workloads.

Challenges. This work addresses three primary challenges:

Computational Efficiency in ABE Operations. The demands of real-time digital-asset trading necessitate cryptographic operations that are highly efficient. In high-frequency trading environments, where thousands of transactions can occur within a single second, even delays measured in milliseconds have the potential to significantly impact overall system performance.

Security Risks in Outsourced Computation. Offloading decryption to edge servers inevitably expands the attack surface: a malicious or compromised proxy may mount chosen ciphertext attacks, collude with other entities, or infer users’ attribute information. Consequently, an effective outsourcing strategy must conceal sensitive data from the proxy while still relieving the client of heavy cryptographic workloads.

Centralized Trust Dependencies. Current verification frameworks often depend on a single trusted authority to validate outsourced results, which stands in contrast to the decentralized principles underlying blockchain systems. This reliance on centralization not only introduces a single point of failure but also creates an appealing target for potential adversaries. Eliminating this dependency is thus essential for building a resilient and trust-minimized decryption service.

Contributions. To tackle these challenges, we introduce EBODS (Efficient Blockchain-Based Outsourced Decryption System), a solution that combines optimized attribute-based encryption with blockchain-enhanced outsourced decryption. The key contributions of this work are as follows:

• Optimized ABE: We construct an optimized ABE scheme using strategy matrices and an efficient polynomial operations [13], it greatly improves the computational efficiency as well as scalability.
• Secure Blockchain-Based Outsourced Architecture: We design a secure and verifiable outsourced decryption architecture that is built in a decentralized manner over blockchain, which allows fine-grained and computation-efficient offloading of decryption operations to edge servers.
• Comprehensive Security Scheme: We construct a comprehensive security scheme with strong collusion attacks resistant and non-repudiable through the auditability provided by the blockchain.
• Practical Validation: We experimentally validate EBODS using large-scale experiments by comparing it with state-of-the-art ABE systems, and show that EBODS outperforms them in terms of efficiency, scalability and security.

The remainder of this paper is organized as follows: Section 2 presents the preliminaries, including essential concepts and cryptographic foundations. Section 3 introduces our system model and security assumptions. Section 4 details the design and implementation of EBODS. Section 5 reports the experimental results and performance evaluation. Section 6 concludes the paper and discusses possible future research directions. concludes the paper and outlines directions for future work.

1.1. Related Work

We survey four inter-connected research streams: (1) classical improvements of attribute-based encryption, (2) post-quantum and lattice-based CP-ABE, (3) multi-authority and blockchain-assisted frameworks, and (4) outsourced decryption techniques.

Table 1. Representative outsourced/multi-authority ABE schemes (2021–2025).

Scheme	Crypto Basis	PQ Secure	Multi-Auth.	Blockchain	Dyn. Rev.	Verif. Outs.
Chen [14]	Pairing	No	No	No	No	No
Fu [8]	Lattice	Yes	No	No	No	No
Hong [12]	Pairing	No	No	Yes	No	Yes
Wu [15]	Pairing	No	Yes	No	No	Yes (partial)
Adeoye [16]	Kyber/Dilithium	Yes	No	Yes	Yes	No
Lin [17]	Pairing	No	Yes	No	No	No
EBODS (ours)	Lattice	Yes	Yes	Yes	Yes	Yes

summarizes representative schemes published between 2021 and 2025 and highlights where our EBODS framework advances the state-of-the-art.

1.1.1. From Classical Optimization to Multi-Authority Blockchain ABE

Early optimization efforts in attribute-based encryption (ABE) primarily focused on minimizing policy size or reducing the number of pairing operations. For instance, Chen et al. [14] introduced a small policy matrix (SPM) CP-ABE scheme, achieving a 32% improvement in encryption speed. However, this approach remains limited by its reliance on a single authority, its pairing-based construction, lack of post-quantum security, and the absence of both revocation mechanisms and result verification features.

In efforts to advance decentralization, Wu et al. [15] and Lin et al. [17] developed multi-authority CP-ABE schemes. Despite these advancements, their frameworks continue to rely on pairing operations and do not provide quantum resistance. Meanwhile, Konda et al. [18] integrated PPO-optimized key issuance within mHealth applications, yet their approach lacks ciphertext-verifiable outsourcing and dynamic revocation capabilities. Cherukupalle [19] innovatively combined Kyber with AI-driven key rotation, achieving a throughput of 4.8 ktps/s. However, this method does not support fine-grained access policies.

EBODS inherits the consortium-chain governance model, but uniquely integrates (i) lattice-based SPM encryption for post-quantum security, (ii) multi-authority key management, and (iii) verifiable outsourced decryption with dynamic attribute revocation, thereby filling the gaps left by the above schemes.

1.1.2. Post-Quantum/Lattice CP-ABE

To be resistant to Shor-style attacks, they looked to hardness against lattices. Ma et al. [20] achieved Boolean-circuit CP-ABE over ideal lattices, but it incurs a high encryption latency ($T_{\mathrm{enc}}=1.78$ s for 40 attributes), which is unacceptable for wearables. Adeoye [16] used Kyber/Dilithium together with blockchain EHR sharing; quantum-secure, but again single-authority and not result verified. Fu et al. [8] suggested offline/online lattice CP-ABE and could reduce cost at the user side to $0.23$ s, but they needed to store 240 KB of pre-computation data.

EBODS keeps lattice resistance via a polynomial-domain SPM encoder, whilst pushing heavy algebra to auditable blockchain nodes.

1.1.3. Outsourced Decryption

Since Green & Chase (2011) [9], three lines evolved:

(i) full-ciphertext outsourcing (Riad [21]) exposes the whole CT to proxies;

(ii) partial outsourcing (Tao [22]) reduces leakage but still demands >200 ms local pairing;

(iii) task-division and verification. Sethi [23] adds MAC-based checks; Hong [12] uses Ethereum to settle fair payment.

EBODS follows line (iii) yet is the first to (a) support lattice-based PQ ciphertext, (b) employ consortium-chain smart contracts for both integrity proof and load balancing across proxy set. Compared with the six most recent schemes (2025), EBODS uniquely realizes the triple-goal “PQ-secure + multi-authority + verifiable outsourcing”.

As Table 1 makes evident that only EBODS simultaneously satisfies post-quantum resilience, decentralized authority, blockchain auditability, dynamic revocation, and lightweight decryption, precisely addressing the gaps identified by recent surveys.

2. Preliminaries

2.1. Notion

The ring of integers modulo q is denoted ${\mathbb{Z}}_q$, while the field of real numbers is denoted $\mathbb{R}$. Standard lowercase letters represent scalars, bold lowercase letters (e.g., $\mathbf{v}$) denote column vectors, and bold uppercase letters (e.g., $\mathbf{M}$) denote matrices. For any positive integer q, we write $logq$ as shorthand for $\lceil {log}_{2}q\rceil$. The Euclidean norm is denoted by $\parallel ·\parallel$.

For a vector $\mathbf{v}\in {\mathbb{Z}}^n$ with entries $v_i\in \{-\lfloor q/2\rfloor ,\dots ,\lfloor q/2\rfloor \}$, the norm of a polynomial $a={\sum }_{i=0}^{n-1}{a}_i{X}^i$ is defined as $\parallel a\parallel =\parallel (a_0,\dots ,a_{n-1})\parallel$. The norm of a matrix $\mathbf{M}$ is defined as the maximum norm of its column vectors, that is, $\parallel \mathbf{M}\parallel ={max}_{1\le j\le n}\parallel {\mathbf{M}}_j\parallel$, where ${\mathbf{M}}_j$ denotes the j-th column of $\mathbf{M}$.

We write $x\leftarrow D$ to indicate that the random variable x is sampled from distribution D. Additionally, the uniform distribution over a finite set S is denoted by $U\left(S\right)$.

The distributions $D_0$ and $D_1$, both defined over the same countable domain $\Omega$, are considered statistically indistinguishable if their statistical distance, denoted by $\Delta (D_0,D_1)={\displaystyle \frac{1}{2}}{\sum }_{\omega \in \Omega }|D_0\left(\omega \right)-D_1\left(\omega \right)|$, is negligible. Alternatively, they are deemed computationally indistinguishable if no efficient probabilistic algorithm can distinguish between them with non-negligible advantage.

2.2. Outsourced Decryption in Digital Asset Systems

The outsourced decryption framework for digital assets with CP-ABE comprises four entities:

• Attribute Authority (AA)—is responsible for generating the attribute-bound secret keys that embed user-specific randomness to prevent collusion;
• EDSs (Edge Decryption Servers)—perform lightweight partial decryption;
• Blockchain network—serves as the immutable ledger which keeps track of the access request and checks the correctness of computations that have been outsourced;
• End users: Encrypt, decrypt and manage data based on attribute-based access controls.

During encryption, data owners post the access policy and the encrypted metadata to the blockchain. For decryption, an EDS first transforms a ciphertext into an intermediate value, which the user then decrypts locally with her private key. Both steps are publicly verifiable through consensus on the blockchain.

Three of these security notions can be achieved by our scheme.

• Collusion resistance: Decryption keys are bound cryptographically to the attribute sets and blockchain-verified identities.
• Forward secrecy: A smart contract-based key-rotation scheme allowing stale keys to be automatically revoked when the policy expires.
• Non-repudiation: All important events are on-chain eternally recorded, making decentralized verification of the outsourcing calculable and eliminating the single point of failure about any one EDS node.

2.3. Lattices and Lattice Algorithms

The security of the cryptosystem is based on the infeasibility of solving certain lattice problems. Before presenting the security and the correctness of our scheme, it is useful to first present some basic lattice background and algorithms. The goal of this section is to give an intuitive and coherent summary of lattice theory at large, in the context of cryptography, in order to set up the analysis of security in later sections.

Definition of Lattice. A lattice in ${\mathbb{R}}^n$ is a discrete additive subgroup generated by integer linear combinations of basis vectors. Formally, given a basis matrix $\mathbf{B}=[{\mathbf{b}}_1,\dots ,{\mathbf{b}}_n]\in {\mathbb{R}}^{n\times n}$, the lattice generated by $\mathbf{B}$ is defined as:

$$\mathbb{L}\left(\mathbf{B}\right)=\left\{\mathbf{B}\mathbf{x}:\mathbf{x}\in {\mathbb{Z}}^n\right\}.$$

(1)

The structure and properties of lattices form the foundation for many post-quantum cryptographic schemes.

q-ary Lattices. In lattice-based cryptography, q-ary lattices play a central role. These are lattices that satisfy $q{\mathbb{Z}}^n\subseteq \mathbb{L}\subseteq {\mathbb{Z}}^n$ for some modulus q. Given a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, two important q-ary lattices are defined as follows:

$${\mathrm{\Lambda }}_q\left(\mathbf{A}\right)=\left\{\mathbf{y}\in {\mathbb{Z}}^m:\exists \mathbf{s}\in {\mathbb{Z}}^n,\mathbf{y}={\mathbf{A}}^T\mathbf{s}modq\right\}.$$

(2)

$${\mathrm{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)=\left\{\mathbf{y}\in {\mathbb{Z}}^m:\mathbf{A}\mathbf{y}=\mathbf{0}modq\right\}.$$

(3)

These lattices are essential for constructing cryptographic primitives such as encryption schemes and digital signatures.

Module Lattices. For efficiency and additional structure, cryptographic schemes often use module lattices, which are defined over polynomial rings. Specifically, let ${\mathbb{R}}_q={\mathbb{Z}}_q\left[X\right]/\langle X^n+1\rangle$, where n is a power of 2 and q is a prime. Module lattices generalize q-ary lattices and enable more efficient implementations, especially in schemes based on the Ring-LWE or Module-LWE assumptions.

Discrete Gaussian Distribution. A crucial concept in lattice cryptography is the discrete Gaussian distribution over a lattice. For a lattice $\mathrm{\Lambda }\subset {\mathbb{R}}^n$, a center $\mathbf{c}\in {\mathbb{R}}^n$, and a positive-definite covariance matrix $\mathrm{\Sigma }$, the discrete Gaussian is defined as:

$${\rho }_{\mathbf{c},{\mathrm{\Sigma }}^{1/2}}\left(\mathbf{x}\right)=exp\left(-\pi {(\mathbf{x}-\mathbf{c})}^{\mathrm{T}}{\mathrm{\Sigma }}^{-1}(\mathbf{x}-\mathbf{c})\right).$$

(4)

Sampling from the discrete Gaussian is fundamental for generating lattice-based trapdoors and for ensuring the security of cryptographic schemes.

Lemma 1.

For a lattice Λ with basis $\mathbf{B}$ and Gram–Schmidt orthogonalization $\tilde{\mathbf{B}}$, the smoothing parameter ${\eta }_{\epsilon }\left(\mathrm{\Lambda }\right)$ satisfies

$${\eta }_{\epsilon }\left(\mathrm{\Lambda }\right)\le \parallel \tilde{\mathbf{B}}\parallel ·\sqrt{{\displaystyle \frac{ln\left(2n\right(1+1/\epsilon \left)\right)}{\pi }}}.$$

(5)

for any $\epsilon >0$.

Hardness Assumption: M-LWE. The security of our scheme is based on the Module Learning With Errors (M-LWE) problem, which generalizes the well-known LWE problem to module lattices.

Definition 1

(Decision M-LWE). Given a uniformly random matrix $\mathbf{A}\in {\mathbb{R}}_q^{d\times m}$ and a vector $b^T=s^T\mathbf{A}+e^{T}modq$, where s is sampled uniformly from ${\mathbb{R}}_q^d$ and e is sampled from a discrete Gaussian $D_{{\mathbb{R}}^m,\sigma }$, the goal is to distinguish $(\mathbf{A},b)$ from a uniformly random pair in ${\mathbb{R}}_q^{d\times m}\times {\mathbb{R}}_q^m$.

The presumed hardness of the M-LWE problem underpins the security of many lattice-based cryptographic constructions.

Lattice Sampling Algorithms. Efficient and secure sampling algorithms are essential for lattice-based cryptography. The following are commonly used:

• SampleZ: Denoted as $SampleZ\_t(c,{\sigma }_{max})$, this algorithm samples from a discrete Gaussian over $\mathbb{Z}$, centered at $c\in [0,1)$ with a truncated support of $\mathbb{Z}\cap [c-t·{\sigma }_{max},c+t·{\sigma }_{max}]$. It is fundamental for generating vectors with desired statistical properties.
• SampleD: Generates a sample z such that its distribution $\mathbf{Dz}$ is statistically close to $D_{\mathcal{L}\left(D\right),-c,\sigma }$, i.e., the discrete Gaussian centered at $-c$ over the lattice D.
• SamplePre: Used in preimage sampleable functions, this probabilistic polynomial-time algorithm samples from the preimage of a function given trapdoor information. Given a trapdoor T and a target y, it outputs x such that $SamplePre\left(x\right)=y$, and x is distributed according to the conditional distribution defined by the sampling algorithm.

Threat Model and Security Definition.

The security of our lattice-based CP-ABE scheme is defined in the indistinguishability under chosen-ciphertext attack (IND-CCA) model:

Definition 2

(IND-CCA Game).

• Setup: The challenger runs Setup and gives the public key $pk$ to the adversary A, keeping the master secret key.
• Oracle Queries: A may
  • obtain decryptions of any ciphertexts of its choice, and 
  • request encryptions of arbitrary messages,
  as long as no query decrypts the forthcoming challenge.
• Challenge: A submits $(M_0,M_1,W^{★})$ with $|M_0|=|M_1|$ and no key satisfying $W^{★}$. The challenger picks $b\leftarrow \{0,1\}$, returns $c^{★}\leftarrow {\mathsf{Enc}}_{pk}(M_b,W^{★})$.
• Post-challenge Queries: Same oracles, except A cannot decrypt $c^{★}$ (or its variants).
• Guess: A outputs $b^{\prime }$ and wins if $b^{\prime }=b$.

The advantage of A is

$${\mathrm{Adv}}_{\mathrm{IND}-\mathrm{CCA}}^{\mathrm{CP}-\mathrm{ABE}}\left(A\right)=\left|Pr[b^{\prime }=b]-\frac{1}{2}\right|.$$

(6)

The scheme is IND-CCA secure if this advantage is negligible for every probabilistic polynomial-time adversary that never asks for secret keys authorized for $W^{★}$.

2.4. LSSS and Small Policy Matrix

Linear secret-sharing schemes (LSSS) are an access policy represented by a matrix $\mathbf{W}$, whose rows are labeled by attribute predicates. In the EBODS system, one row of $\mathbf{W}$ is allocated for each leaf node of the policy tree. After we have fixed both $\mathbf{W}$ and the random secret-sharing polynomial, all ciphertext shares can be computed in a single offline step.

Definition 3

(Small policy matrix [14]). Let q be a positive integer. A matrix $\mathbf{W}\in {\mathbb{Z}}_q^{a\times \ell }$ is called a small policy matrix (SPM) if it satisfies the following conditions:

(i) every entry lies in $1,0,-1$;

(ii) there exists a submatrix ${\mathbf{W}}^{*}$ whose inverse ${\left({\mathbf{W}}^{*}\right)}^{-1}$ has determinant $\pm 1$ and whose first row is $(1,1,\dots ,1)$.

In practice, the policy matrix $\mathbf{W}$ is relatively small. The matrix is sparse—at most three non-zero entries per row—and so inner products can be computed fast. It is also low-width: the number of columns ℓ is equal to the dimension of the underlying LSSS and usually $\ell \le a+5$ that makes the size of the ciphertext small.

Moreover, SPMs are composable. We also propose a theoretical framework where multiple policies can be combined together for the same user just by adding new rows, and policies cannot be altered once they are added, which enables the reuse of a single decryption key over multiple ciphertexts. This slim and modular design limits the cost of matrix–vector multiplications and controls the increase of noise in decryption, which leads to enhancement of speed and decoding efficiency.

3. System Overview

3.1. System Model

The EBODS system architecture consists of four main modules that allow for secure encryption and outsourced decryption of digital contents cumulatively, as shown in Figure 1, to work closely for the purpose of achieving both security and efficiency.

Attribute Authorities (AAs). There are n independent AAs with one attribute universe $\mathcal{U}$. A distributed key generation (DKG) outputs public params $\mathsf{PK}$ and secret shares ${\mathsf{MSK}}_i$ of a global master key in, according to a ($\tau ,n$) linear secret–sharing scheme. There is no polynomial-time computable AA that can retrieve $\mathsf{MSK}$.

For a user having an attributeset $\mathcal{A}$, every $\mathsf{AA}i$ contacted by him, both in round and for each iteration, leaks a signed partial key $\mathsf{SK}i,\mathcal{A}$ and spends it on-chain. Upon the availability of any $\tau$ valid shares, the user executes $\mathsf{Combine}$ to recover the entire key ${\mathsf{SK}}_{\mathcal{A}}$. Smaller than-$\tau$ AA Actions Collusion provides no information on $\mathsf{MSK}$ or user keys.

Edge Decryption Server (EDS): The EDS decrypts partially, and the computational work is off the end-users. It transmits the ciphertext and the user’s decryption-key pieces (obtained from the blockchain), and it computes partial results back to the user. Since the EDS never has entire private keys or plaintexts, trust and security are enhanced.

Blockchain Network: A blockchain serves as a distributed ledger, which (i) inappellably records the events of key management and data access, (ii) proofs for outsourced computations are maintained, and (iii) applies access-policy logic to deliver, and K-supports or cancel supporters that are not authorized with the power to access the supported item for delegations due to non-repudiation and full auditability. The Key Aggregator smart contract, embedded in this ledger, keeps the collection of public parameters $\mathsf{PK}$ and the set of posted key shares. It automatically verifies that at least $\tau$ unique jint values out of the total are valid $\mathsf{A}$ signatures that appear when a party replies without releasing a combination of instruction vehicles in the form of re-encrypted ciphertext pieces. Secret material is never available to the KA; it is only metadata, managing the workflow, and is thus unable to decipher messages on its own.

End-User: The data is encrypted locally by each end user and uploaded, then decrypted again when it is accessed. The user looks at the blockchain to figure out who has access rights and combines the EDS’s partial result with the user’s own key material to complete the decryption.

By employing the CP-ABE and blockchain combination, this model is able to provide fine-grained access control with verifiability and decentralized security. The system architecture describes the duty and responsibilities of each component.

One interesting characteristic of EBODS is its symmetric structure, in which both the EDS and end user share the computational and security burden. This design pressure ensures that no single party is a performance bottleneck and that the system’s robustness and efficiency are mutually determined. The resultant load balance also enhances fault tolerance, scalability, and ease of automation, as each constituent is capable to run independently while preserving overall coordination.

Design Overview: As will be shown in the performance analysis that follows, such a design allows EBODS to maintain a constant throughput and low latency despite the high number of incoming transactions. As a result, the scheme is a logical choice for large-scale distributed digital asset management.

We now link the system design to the actual operation by describing the workflow that is used to illustrate how these parts communicate to enable secure and efficient data sharing.

3.2. System Workflow

EBODS proceeds through six sequential phases, as illustrated in Figure 2.

The process includes the Data Owner (DO) proposed a group of independent Attribute Authorities (AAs), an on-chain Key Aggregator (KA) smart contract, Edge Decryption Server (EDS), the blockchain, and the End User (EU).

(1)

Key-share request.

We assume that a user first sends a Partial-SK Share Request to the n independent AAs over the blockchain. All requests are logged on-chain immutably, making it fully auditable.

(2)

Threshold key-share distribution and on-chain aggregation.

All $A{A}_i$ s running a DKG protocol, output their signed key share $d_i$ and submit it to be deposited to the KA contract. The KA accepts the transaction as valid once obtaining at least $\tau$ legitimate signatures.

The user now downloads the $\tau$ shares from the chain and computes locally $sk=Combine\left(d_i\in S,\tau \right)$ and computes from the $\tau$ shares the entire secret key $sk$. The public parameters $pk=(A,B,u)$ are publicly released in system setup time.

(3)

Data encryption and storage.

Given a plaintext M, the data owner first encrypts it under with the public key together with an access policy $\mathrm{\Pi }$, that is: $C=E_{pk}\left(M,\mathrm{\Pi }\right)$ and then stores the pair $\left(C,\mathrm{meta}\right)$ into an external storage (e.g., cloud or IPFS). A hash of the encrypted message, a timestamp and a hash of $\mathrm{\Pi }$ are written to the blockchain at the same time.

(4)

Access request.

When a data holder EU wants the data, it sends an Access Request that includes an attribute proof to the KA/Policy contract. The trust contract verifies whether the set of a user’s attributes is satisfied or not by $\pi$ and sends back if the authorization is true.

(5)

Outsourced decryption.

An authorized EU provides C and its $sk$ to the EDS. If the on-chain authorization and the user’s signature is valid, the EDS evaluates $C_{\mathrm{partial}}=D_{\mathrm{EDS}}\left(C,sk\right)$ (assuming Alice used the key $sk$) and outputs the partially decrypted ciphertext. Since it never has the complete key material, the EDS does not recover the plaintext.

(6)

Final decryption.

The EU locally applies a Finalize operation to $C_{\mathrm{partial}}$ with its private key and retrieves the original message M.

3.3. Security Model

Trust assumptions. The trusted DO, and the n independent PDPs are considered to reflect our model assumption. Attribute Authorities (AAs) are considered to be semi trusted: any collusion of a subset lower than the threshold $\tau$ may cooperate without compromising system secrecy. The correctness of the on-chain Key-Aggregator (KA) contract is being considered valid, since its rules are written in stone through blockchain consensus. The EDS is honest-but-curious, i.e., it closely follows the protocol and escapes the protocol while attempting to learn extra information. End users collude or have keys in common. Finally, the inbuilt blockchain provides a Byzantine-fault-tolerant, pubs- and-subscribe, sorted, meta-service network, which is an unfailing record of the history of all important actions.

Security goals. (1) Data confidentiality: the scheme is IND-CCA secure under the M-LWE assumption, so neither unauthorized users nor the EDS can distinguish encrypted messages. (2) Outsourced-decryption privacy and verifiability: the EDS learns nothing about plaintext and its output is publicly checkable. (3) Access-policy privacy: attributes remain hidden from parties that do not satisfy the policy. (4) Collusion resistance: any coalition of fewer than $\tau$ AAs together with arbitrary users cannot decrypt additional data.

IND-CCA game (sketch). A challenger $\mathcal{C}$ runs Setup$\left(1^{\lambda }\right)$ to produce public parameters $\mathsf{PP}$ and master key $\mathsf{MK}$, giving only $\mathsf{PP}$ to the adversary $\mathcal{A}$. During Query I, $\mathcal{A}$ adaptively requests secret keys or partial decryptions. Next, $\mathcal{A}$ chooses two equal-length messages $(M_0,M_1)$ and an access structure ${\mathrm{\Pi }}^{★}$ that none of its obtained keys satisfies. $\mathcal{C}$ selects a random bit $b\in \{0,1\}$, returns the challenge ciphertext $C^{★}=\mathsf{Enc}(M_b,{\mathrm{\Pi }}^{★})$, and Query II continues under the same restriction. Finally, $\mathcal{A}$ outputs a guess $b^{\prime }$. The advantage ${Adv}_{\mathcal{A}}=|Pr[b^{\prime }=b]-\frac{1}{2}|$ must be negligible in $\lambda$. A similar game shows that forging an incorrect partial decryption that still passes verification is also negligible.

4. CP-ABE Scheme with Policy Matrix on Ring

The scheme is a four-stage cycle, i.e., Setup, Extract, Encrypt,, and Decrypt between the Attribute Authority, the data owners, and the users, respectively. Setup is performed in the wild by each of the ℓ attribute authorities, resulting in their public/master–secret key pairs $({\mathsf{pk}}_1,\dots ,{\mathsf{pk}}_{\ell })$ and $({\mathsf{msk}}_1,\dots ,{\mathsf{msk}}_{\ell })$. Then, all the authorities perform the $\mathsf{Extract}$ to generate the user’s attribute secret keys $({\mathsf{sk}}_1,\dots ,{\mathsf{sk}}_{\ell })$. Encrypt returns a ciphertext (C) that encapsulates an access structure along with the protected message, which is later restored using Decrypt if the holder’s attributes satisfy this structure and a sufficient number of attribute authorities participate. Figure 3 consolidates these stages, indicating the specific entries, exits, and data-flow between modules.

4.1. Cryptographic Algorithm and Workflow

This section describes the algorithms used in the system. Inspired by Chen’s matrix-optimization method, we further extend it from the integer domain to the polynomial domain and apply the Number-Theoretic Transform (NTT) to boost the multiplication.

The parameters in

Table 2. Global symbols and parameter values.

Symbol	Definition	Value
n	Security parameter (ring dimension)	256
d	Dimension parameter	30
q	Modulus (prime)	1,073,738,753
m	Lattice dimension	186
$\theta$	Discrete Gaussian width	6.15

are chosen to provide 112-bit security level. At the same time, they are compatible with previous methods being compared with, thus providing a good baseline for evaluation. The security of the parameter is justified based on a security analysis of M-LWE and is also supported by the LWE estimator, being a trade-off between security level and computational efficiency with key and ciphertext sizes pruned to be competitive in practice.

4.1.1. Setup

The system setup process comprises two consecutive steps: GlobalSetup: all $n_{\mathrm{AA}}$ attribute authorities collectively publish the common ring parameters $\langle n,d,q,m,\theta \rangle$ and the global parity-check matrix $\mathbf{H}$. GlobalSetup: The global setup phase is a single time execution, where the result is written to the blockchain in the form of Genesis transaction, so that it can be fetched by other parties later for the correct parameters.

LocalSetup_i : each authority $\mathrm{AA}i$$(1\le i\le n\mathrm{AA})$ generates its private trapdoor and public-key share $(p{k}_i,ms{k}_i)$ for the shared modulus q. The system is based on a $(\tau ,n\mathrm{AA})$ threshold design such that any $\tau$ or more key shares are enough to recover a user’s secret key, whilst fewer than $\tau$ key shares provide no information about the global master secret. The details are presented in Algorithm 1. Each ${\mathrm{AA}}_i$ publishes the tuple $(p{k}_i,{\mathsf{sig}}_i)$ on-chain, and the consensus layer ensures the persistence and tamper-evident, auditable factor.

Algorithm 1. Setupi$(\mathbf{H},d,k)$—executed by the i-th AA

Require: Security parameters $\langle n,d,q,m,\theta \rangle$, parity-check matrix $\mathbf{H}$

Ensure: Public parameters $p{k}_i=({\mathbf{A}}_i,{\mathbf{B}}_i,{\mathbf{E}}_i,{\mathbf{u}}_i)$ and master secret key share $ms{k}_i={\mathbf{T}}_i$ for this AA 1: $\widehat{\mathbf{A}}\leftarrow \mathcal{U}\left({\mathbb{R}}_q^{d\times d}\right)$                          ▹ Uniform random matrix 2: ${\mathbf{A}}^{\prime }\leftarrow [{\mathbf{I}}_d\mid \widehat{\mathbf{A}}]$ 3: $\mathbf{T}i\leftarrow D{\mathbb{R}}^{2d\times dk},\sigma$               ▹ Discrete Gaussian sampling for trapdoor 4: ${\mathbf{A}}_i\leftarrow [{\mathbf{A}}^{\prime }\mid \mathbf{H}\mathbf{G}-{\mathbf{A}}^{\prime }{\mathbf{T}}_i]$ 5: ${\mathbf{B}}_i,{\mathbf{E}}_i\leftarrow \mathcal{U}\left({\mathbb{R}}_q^{d\times m}\right)$ 6: ${\mathbf{u}}_i\leftarrow \mathcal{U}\left({\mathbb{R}}_q^d\right)$ 7: Generate signature $\mathsf{sig}i\leftarrow \mathsf{Sign}ss{k}_i\left(p{k}_i\right)$ 8: Publish $\langle p{k}_i,{\mathsf{sig}}_i\rangle$ on-chain (transaction type: PublishPK) for Key-Aggregator contract audit 9: return  $(p{k}_i,ms{k}_i)$

4.1.2. Extract

Each authority ${\mathrm{AA}}_i$, as referenced in Algorithm 2, runs the usual sampling routine with its own $(p{k}_i,ms{k}_i)$ to produce a share $s{k}_i=({\left\{{\mathbf{d}}_{i,att}\right\}}_{att\in S},S)$, where every ${\mathbf{d}}_{i,att}$ is obtained from ${\mathbf{A}}_{i,att}=({\mathbf{A}}_i\mid {\mathbf{E}}_i+H\left(att\right){\mathbf{B}}_i)$ via $\mathsf{SampleLeft}$, satisfying ${\mathbf{A}}_{i,att}{\mathbf{d}}_{i,att}={\mathbf{u}}_i(modq)$. The hash of $s{k}_i$ and the AA’s signature is written to the blockchain.

The user gathers at least $\tau$ valid shares, verifies their signatures, and linearly combines the vectors with Lagrange coefficients to reconstruct a single private key $sk=({\left\{{\mathbf{d}}_{att}\right\}}_{att\in S},S)$. With fewer than $\tau$ shares no information about the master secret leaks, so the threshold scheme preserves both privacy and robustness.

The SampleLeft algorithm, as referenced in Algorithm 3, is used to sample short vectors from a specific lattice. This sampling algorithm, as detailed in [13], is employed in practical applications to generate users’ private keys. Specifically, SampleLeft receives a full-rank matrix $\mathbf{A}\in {\mathbb{R}}_q^{n\times m}$, a matrix $\mathbf{B}\in {\mathbb{R}}_q^{n\times m}$, a short basis ${\mathbf{T}}_{\mathbf{A}}$ of ${\mathrm{\Lambda }}_a^{\mathbf{u}}\left(\mathbf{A}\right)$, a Gaussian parameter $\sigma$, and a vector $\mathbf{u}$ as inputs. It then outputs a vector $\mathbf{e}\in {\mathbb{R}}_q^{m+m_1}$, which is statistically close to the distribution ${\mathbb{D}}_{{\mathrm{\Lambda }}_q^{\mathbf{u}}\left(\mathbf{F}\right),\sigma }$. Here, $\mathbf{Fe}=\mathbf{u}$, where $\mathbf{F}=(\mathbf{A}\parallel \mathbf{B})$.

Algorithm 2. Extracti  $(p{k}_i,ms{k}_i,S)$

Require: Public key share $p{k}_i$, master secret key share $ms{k}_i={\mathbf{T}}_i$, attribute set S

Ensure: Share private key $s{k}_i=\left({\left\{{\mathbf{d}}_{i,\ell }\right\}}_{at{t}_{\ell }\in S},S\right)$ 1: for each $at{t}_{\ell }\in S$ do 2:       ${\mathbf{A}}_{i,\ell }:=\left({\mathbf{A}}_i\parallel {\mathbf{E}}_i+H\left(at{t}_{\ell }\right){\mathbf{B}}_i\right)$ 3:       ${\mathbf{d}}_{i,\ell }\leftarrow \mathsf{SampleLeft}\left({\mathbf{A}}_i,{\mathbf{E}}_i+H\left(at{t}_{\ell }\right){\mathbf{B}}_i,{\mathbf{T}}_i,{\mathbf{u}}_i,\sigma \right)$ 4: end for 5: Generate signature ${\mathsf{sig}}_i\leftarrow {\mathsf{Sign}}_{ss{k}_i}\left(\mathsf{hash}\left(s{k}_i\right)\right)$ 6: On-chain event ShareCreated$(i,\mathsf{hash}\left(s{k}_i\right),{\mathsf{sig}}_i)$ 7: return  $s{k}_i$

Algorithm 3. $\mathbf{SampleLeft}(\mathbf{A},\mathbf{B},\mathbf{T},\mathbf{u},\sigma )$

Require: The public key $\mathit{pk}$, the master secret key $\mathit{msk}$, and a vector $\mathbf{u}\in {\mathbb{R}}_q^d$

Ensure: A vector $\mathbf{e}\in {\mathbb{R}}_q^{2m}$ that satisfies $\mathbf{Fe}=\mathbf{u}$, where $\mathbf{F}=(\mathbf{A}\parallel \mathbf{B})$ 1: Sample $e_0\leftarrow D_{\sigma }$                         ▹ Sample Gaussian noise 2: Compute $y=\mathbf{B}\times e$ 3: Sample $x=\mathrm{SamplePre}(\mathbf{A},\mathbf{T},y)$ 4: Return $x+e$

In our setting, we need a short user secret key $\mathbf{e}$ for which the following holds: $\mathbf{F}\mathbf{e}=\mathbf{u}(modq)$ where $\mathbf{F}=(\mathbf{A}\mid \mathbf{B})$. This is because we have a trapdoor basis $\mathbf{T}$ for $\mathbf{A}$ and so we can sample much more efficiently with (5); the entire matrix $\mathbf{F}$ is also impractical. To alleviate this problem, we model the task in two steps: the first stage is SamplePre, which uses a trapdoor $\mathbf{T}$ to create a short vector for the single matrix $\mathbf{A}$ under a linear constraint; then, SampleLeft calls a single time to SamplePre to address the workload. The sampling problem for the concatenated matrix $\mathbf{F}$ hence obtains a small secret key (in the sense of the security proof).

4.1.3. Encryption

The encryption process is initiated by assigning an access-policy matrix $\mathbf{W}\in \mathbb{Z}{q}^{a\times l}$ using the attribute set $\mathbf{R}$. Each line of $\mathbf{W}$ represents a separate attribute. A secret vector $\mathbf{s}$ is sampled uniformly from $\mathbb{R}{q}^k$, and then a random vector $\mathbf{v}={(\mathbf{s},r_2,\dots ,rl)}^T$ is created, where $r_2,\dots ,rl$ are drawn from a centered binomial distribution. The encryption process is detailed in Algorithm 4. The scheme works over a polynomial ring and guarantees security and efficiency.

The encryption steps are as follows:

Algorithm 4. $\mathbf{Encryption}(\mathbf{pk},\mathbf{W},\mathbf{M})$

Require: Public key $\mathit{pk}=(\mathbf{A},\mathbf{B},\mathbf{E},\mathbf{u})$, policy matrix $\mathbf{W}$ for access policy $\mathrm{\Pi }$, message $M\in {\{0,1\}}^n$

Ensure: Ciphertext $C=(c,\mathbf{Z},\mathbf{W})$   1: Randomly select $\mathbf{s}\leftarrow {\mathbb{R}}_q^k$   2: for  $j=2$ to l do   3:     Randomly select $r_j$ from the centered binomial distribution   4: end for   5: Set $\mathbf{v}={(\mathbf{s},r_2,\dots ,r_l)}^T$   6: Generate $e\leftarrow \mathcal{U}\left(\mathbb{R}\right)$   7: Compute $c={\mathbf{u}}^{\mathrm{T}}\mathbf{s}+e+M⌊{\displaystyle \frac{q}{2}}⌋\in {\mathbb{R}}_q$   8: for  $i=1$ to k do   9:     Let ${\mathbf{W}}_i$ be the i-th row of $\mathbf{W}$ 10:     Compute ${\lambda }_i={\mathbf{W}}_i\mathbf{v}\in {\mathbb{R}}^d$ 11:     Sample ${\mathbf{e}}_i\leftarrow {\chi }^{2m}$ 12:     Compute ${\mathbf{z}}_i={\mathbf{A}}_i^{\mathrm{T}}{\lambda }_i+{\mathbf{e}}_i\in {\mathbb{R}}_q^{2m}$ 13: end for 14: Set $\mathbf{Z}=({\mathbf{z}}_1,{\mathbf{z}}_2,\dots ,{\mathbf{z}}_k)\in {\mathbb{R}}_q^{2m\times k}$ 15: The blockchain logs the encryption event for transparency. 16: return  $C=(c,\mathbf{Z},\mathbf{W})$

In conclusion, the ciphertext $C=(c,\mathbf{Z},\mathbf{W})$ is generated with $c:={\mathbf{u}}^{\top }\mathbf{s}+e+M\lfloor {\displaystyle \frac{q}{2}}\rfloor$ and each ${\mathbf{z}}_i={\mathbf{A}}_i^{\top }{\lambda }_i+{\mathbf{e}}_i$, i = 1,..., k. This construction simply guarantees that only users with an attribute which satisfies the access policy can correctly decrypt the message. The detailed view on the computations in this appendix are an immediate match with those referred to by the correctness proof, thus enabling to maintain coherence between the algorithm’s specification and its theoretical treatment.

Complexity Analysis. The encryption operation is dominated by random vector sampling and the matrix–vector multiplication, specifically the products ${\mathbf{z}}_i={\mathbf{A}}_i^T{\lambda }_i+{\mathbf{e}}_i$ for each policy row. When the policy matrix has k and the public matrices have size $2m$, the time and space complexity are both $O\left(km\right)$. This is to guarantee the efficiency of the encryption when the number of attributes provided in the access policy remains relatively moderate.

4.1.4. Decryption

Decryption takes the ciphertext $C=(c,\mathbf{Z},\mathbf{W})$ and the user’s private key $sk=\mathbf{d}ii\in S$, where S is the user’s attribute set as input. The user can first confirm whether the attributes they hold meet the access policy set by $\mathbf{W}$. If it does, the user reconstructs the secret using the LSSS structure and polynomial-ring operations, as detailed in Algorithm 5.

Algorithm 5. Decryption (C, $sk$)

Require: Ciphertext $C=(c,\mathbf{Z},\mathbf{W})$ and user’s private key $sk={\left\{{\mathbf{d}}_i\right\}}_{i\in S}$

Ensure: The original message M 1: Attribute Verification: Check whether the user’s attribute set S satisfies the access policy defined by $\mathbf{W}$. 2: Compute $w_i$: For each corresponding attribute i in S, compute $w_i={\mathbf{z}}_i^{\mathrm{T}}{\mathbf{d}}_i$. 3: Secret Reconstruction: Let $\mathbf{w}={(w_1,w_2,\dots ,w_t)}^{\mathrm{T}}$. Compute $c^{\prime }={\left({\mathbf{W}}^{*}\right)}_1^{-1}·\mathbf{w}$, where ${\left({\mathbf{W}}^{*}\right)}_1^{-1}$ is the first row of the inverse of the candidate submatrix ${\mathbf{W}}^{*}$. 4: Message Recovery: Recover the message by $M=\mathrm{Dec}(c,c^{\prime })$, where $\mathrm{Dec}(c,c^{\prime })=⌊{\displaystyle \frac{c-c^{\prime }}{\lfloor q/2\rfloor }}⌉mod2$. 5: Blockchain Logging: The blockchain logs the decryption event to ensure integrity and auditability. 6: return  M

Remarks:

• Attribute verification: Step 1 makes sure only these users with their attribute sets satisfy the access policy are possible to decrypt the ciphertext.
• Computation of $w_i$: In step 2, the user’s private key exchanges with the corresponding ciphertext component to derive intermediate values needed for secret recovery.Secret reconstruction: In Step 3, the value $c^{\prime }$ is then evaluated by linear combinations over $w_i$ combined with the reconstruction vector from the access policy matrix.
• Message recovery: We extract the original message during step 4 by undoing the encryption offset and decoding according to the chosen message encoding.
• Blockchain auditing: Step 5 records an on-chain decryption transaction to provide an increased transparency and traceability mechanism for data access.

This decryption process aligns with the computational steps outlined in the correctness proof, thereby ensuring both theoretical consistency and practical clarity.

Complexity Analysis. The decryption algorithm essentially consists of checking if the user-instance attribute set satisfies the access policy, and carrying out some matrix–vector multiplications and additions to recover the plaintext message. In the case of an access policy of k rows and ciphertext components of dimension $2m$, the leading operations have time and space complexities in $O\left(km\right)$. Hence, the decryption operation is efficient and linear scaling is maintained with the number of attributes present in the access policy.

4.1.5. Verification

The verification function is employed to determine whether a user is authorized to access specific data. Implemented as a smart contract on the blockchain, this function checks whether the user’s attributes satisfy the system-defined access policy (Algorithm 6).

Algorithm 6. $\mathbf{Verify}(\mathbf{pk},\mathbf{S},\mathbf{C})$

Require: the public key $\mathit{pk}$, the user’s attribute set S, and the ciphertext C

Ensure: Access verification result (True/False) 1: Verify that the user’s attributes in S satisfy the access policy defined in C 2: if User’s attributes match the policy then 3:     return True 4: else 5:     return False 6: end if 7: The blockchain logs the verification process to ensure transparency and provide an immutable audit trail.

4.2. Correctness

Theorem 1.

The proposed ABE scheme can decrypt correctly with overwhelming probability.

Proof. 

With the optimization introduced by the minimum policy matrix algorithm, both the encryption and decryption processes are streamlined.

For the encryption process, the ciphertext components are computed as follows:

$$\left\{\begin{array}{c}c={\mathbf{u}}^{\mathbf{T}}\mathbf{s}+e+M\lfloor {\displaystyle \frac{q}{2}}\rfloor \in {\mathbb{R}}_q,\hfill \\ {\mathbf{z}}_{\mathbf{i}}={\mathbf{A}}_{\mathbf{i}}^{\mathbf{T}}{\lambda }_i+{\mathbf{e}}_{\mathbf{i}}\in {\mathbb{R}}_q^{2m},i=1,\dots ,k\hfill \end{array}\right.$$

(7)

where $\mathbf{Z}=({\mathbf{z}}_{\mathbf{1}},{\mathbf{z}}_{\mathbf{2}},\dots ,{\mathbf{z}}_{\mathbf{k}})\in {\mathbb{R}}_q^{2m\times k}$ contains the attribute control information. The final ciphertext, denoted as C, is transmitted as:

$$C=(c,\mathbf{Z},\mathbf{W}).$$

For the decryption process, the components are:

$$\left\{\begin{array}{cc}c\hfill & ={\mathbf{u}}^{\mathbf{T}}\mathbf{s}+e+M\lfloor {\displaystyle \frac{q}{2}}\rfloor \in {\mathbb{R}}_q,\hfill \\ {\mathbf{z}}_{\mathbf{i}}\hfill & ={\mathbf{A}}_{\mathbf{i}}^{\mathbf{T}}{\lambda }_i+{\mathbf{e}}_{\mathbf{i}}+c_u\in {\mathbb{R}}_q^{2m},i=1,\dots ,k,\hfill \end{array}\right.$$

(8)

where $\mathbf{Z}=({\mathbf{z}}_{\mathbf{1}},{\mathbf{z}}_{\mathbf{2}},\dots ,{\mathbf{z}}_{\mathbf{k}})\in {\mathbb{R}}_q^{2m\times k}$, and the ciphertext is $C=(c,\mathbf{Z},\mathbf{W})$.

Next, the decrypted value $c^{\prime }$ is computed as:

$$c^{\prime }={\left({\mathbf{W}}^{*}\right)}_1^{-1}·\mathbf{w}=\sum _{i=1}^t{w}_i.$$

(9)

Using the SampleLeft algorithm, we obtain ${\mathbf{A}}_i{\mathbf{d}}_i-{\mathbf{e}}_i=\mathbf{u}$. Subsequently, each $w_i$ is computed as:

$$w_i={\mathbf{z}}_i^{\mathrm{T}}{\mathbf{d}}_i=({\lambda }_i^{\mathrm{T}}{\mathbf{A}}_i+{\mathbf{e}}_i^{\mathrm{T}}){\mathbf{d}}_i={\lambda }_i^{\mathrm{T}}(\mathbf{u}-{\mathbf{e}}_i)+{\mathbf{e}}_i^{\mathrm{T}}{\mathbf{d}}_i.$$

(10)

Note that nodes leaves may reference the same attribute and the size of the policy matrix does not grow linearly with the number of attributes. For lattice-based ABE, the size of the ciphertext grows linearly with the number of rows in the policy matrix, i.e., number of leaf-nodes in the policy tree.

In the optimized method, the ciphertext $\mathbf{Z}$ is a k-dimensional polynomial vector, and $\mathbf{W}$ is a $k\times l$ polynomial matrix. The policy tree for this setting has k leaves. A larger policy matrix leads to a ciphertext size explosion, but does not influence the private key size.

The correctness of the algorithm is ensured by the private key generation process, in which each private key is constructed based on the user’s attributes. In the left sampling function, it holds that ${\mathbf{A}}_i{\mathbf{d}}_i=\mathbf{u}$, thus leading to:

$$w_i={\mathbf{z}}_{\mathbf{i}}^{\mathbf{T}}{\mathbf{d}}_{\mathbf{i}}=({\lambda }_i^{\mathrm{T}}{\mathbf{A}}_i+{\mathbf{e}}_i^{\mathrm{T}}){\mathbf{d}}_i={\lambda }_i^{\mathrm{T}}\mathbf{u}+{\mathbf{e}}_i^{\mathrm{T}}{\mathbf{d}}_i.$$

(11)

During decryption, if the user’s attributes satisfy the access policy, the decryption vector is:

$$\begin{array}{cc}\hfill \mathbf{w}& ={(w_1,w_2,\dots ,w_t)}^T\hfill \\ \hfill & =({\lambda }_1^{\mathrm{T}}\mathbf{u}+{\mathbf{e}}_1^{\mathrm{T}}{\mathbf{d}}_1,\dots ,{\lambda }_t^{\mathrm{T}}\mathbf{u}+{\mathbf{e}}_t^{\mathrm{T}}{\mathbf{d}}_t)\hfill \\ \hfill & =({\lambda }_1^{\mathrm{T}},\dots ,{\lambda }_t^{\mathrm{T}})\mathbf{u}+({\mathbf{e}}_1^{\mathrm{T}}{\mathbf{d}}_1,\dots ,{\mathbf{e}}_t^{\mathrm{T}}{\mathbf{d}}_t).\hfill \end{array}$$

(12)

In the linear secret sharing scheme, $\mathbf{v}={\left({\mathbf{W}}^{*}\right)}^{-1}\lambda =(\mathbf{s},r_2,\dots ,r_t)$, so the secret value $\mathbf{s}$ is the first element of this vector:

$$\mathbf{s}={\left({\mathbf{W}}^{*}\right)}_1^{-1}\lambda .$$

(13)

Therefore, we compute:

$$c^{\prime }={\left({\mathbf{W}}^{*}\right)}_1^{-1}\mathbf{w}={\left({\mathbf{W}}^{*}\right)}_1^{-1}\lambda \mathbf{u}+{\left({\mathbf{W}}^{*}\right)}_1^{-1}({\mathbf{e}}_{\mathbf{1}}^{\mathrm{T}}{\mathbf{d}}_{\mathbf{1}},\dots ,{\mathbf{e}}_{\mathbf{t}}^{\mathrm{T}}{\mathbf{d}}_{\mathbf{t}}).$$

(14)

The final decryption result is:

$$c^{\prime }=(1,0,\dots ,0){(\mathbf{s},{\mathbf{r}}_{\mathbf{2}},\dots ,{\mathbf{r}}_{\mathbf{t}})}^{\mathbf{T}}\mathbf{u}+\sum _{i=1}^t{\left({\mathbf{W}}^{*}\right)}_{1i}^{-1}\left({\mathbf{e}}_{\mathbf{i}}^{\mathrm{T}}{\mathbf{d}}_{\mathbf{i}}\right)={\mathbf{s}}^{\mathrm{T}}\mathbf{u}+e^{\prime }.$$

(15)

Here, the decryption noise term is defined as $e^{\prime }={\sum }_{i=1}^t{\left({\mathbf{W}}^{*}\right)}_{1i}^{-1}\left({\mathbf{e}}_{\mathbf{i}}^{\mathrm{T}}{\mathbf{d}}_{\mathbf{i}}\right)$. Therefore, the difference between the computed value and the original ciphertext is:

$$r=c-c^{\prime }={\mathbf{u}}^{\mathrm{T}}\mathbf{s}+e+M\lfloor {\displaystyle \frac{q}{2}}\rfloor -{\mathbf{s}}^{\mathrm{T}}\mathbf{u}-e^{\prime }=M\lfloor {\displaystyle \frac{q}{2}}\rfloor +e-e^{\prime }.$$

(16)

When $|e-e^{\prime }|<\lfloor {\displaystyle \frac{q}{4}}\rfloor$, the algorithm can correctly decrypt the ciphertext and recover the original message M. To guarantee correctness, the overall noise term, including e and $e^{\prime }$, must remain sufficiently small to satisfy the required condition with overwhelming probability.

□

4.3. Threat Model and Security Proofs

The system features n independent attribute authorities ${\left\{{\mathsf{AA}}_i\right\}}_{i=1}^n$. A $(\tau ,n)$ linear secret-sharing protocol generates master-key shares $\left\{{\mathsf{MSK}}_i\right\}$ such that any $\tau$ shares reconstruct the global master key $\mathsf{MSK}:=\mathsf{ShareCombine}\left(\left\{{\mathsf{MSK}}_i\right\}\right)$, while fewer than $\tau$ shares reveal no information about it. A user collects $\tau$ signed local keys and executes $\mathsf{Combine}$ to obtain her complete secret key.

Theorem 2

(CCA Security). Let the ring dimension be $n=256$ and let the policy matrix contain $l=\mathrm{poly}\left(n\right)$ rows. Under the hardness of theM–LWEproblem, any PPT adversary $\mathcal{A}$ that corrupts at most $\tau -1$ authorities have an advantage

$${\mathrm{Adv}}_{\mathrm{CCA}}^{\mathrm{CP}-\mathrm{ABE}}\left(\mathcal{A}\right)\le l·{\mathrm{Adv}}_{M-\mathrm{LWE}}\left(\mathcal{B}\right)+\mathrm{negl}\left(\lambda \right),$$

(17)

where $\mathcal{B}$ is a reduction toM–LWE.

Proof of Game-Hopping. 

We follow the standard sequence-of-games technique and highlight only the modifications required by the threshold multi-authority setting.

Game 0 (Real World). This is the normal IND-CCA experiment for our scheme:

(i)

Setup. All n authorities jointly run the DKG protocol, publishing the common parameters $\mathsf{PP}$ and holding shares $\left\{{\mathsf{MSK}}_i\right\}$.

(ii)

Corruption. The adversary chooses a subset $\mathcal{C}\subset \left[n\right]$ of at most $\tau -1$ authorities and obtains their internal states, including ${\mathsf{MSK}}_i$.

(iii)

Queries/Challenge. $\mathcal{A}$ interacts with the key-generation and decryption oracles exactly as in the single-authority game, subject to the usual rule that it may not obtain a key that satisfies the challenge policy ${\mathrm{\Pi }}^{★}$.

Game 1 (Embedding an M–LWE instance). Relative to Game 0 we make two changes.

(1)

Simulation of honest authorities. The reduction $\mathcal{B}$ randomly selects one honest authority index $i^{★}\notin \mathcal{C}$, keeps its trapdoor $T_{i^{★}}$, and uses SampleLeft to answer all key-extraction and partial-decryption queries with a single genuine share ${\mathsf{SK}}_{i^{★}}$. For every other honest authority ${\mathsf{MSK}}_j$ ($j\ne i^{★}$) it returns a placeholder ⊥; because the public reconstruction vector $\left\{{\lambda }_j\right\}$ satisfies

$$\mathsf{SK}=\sum _{j\in \mathcal{T}}{\lambda }_j{\mathsf{SK}}_j={\lambda }_i{\mathsf{SK}}_i,$$

(18)

one correct share is sufficient, so the view of $\mathcal{A}$ is unchanged.

(2)

Challenge ciphertext. $\mathcal{B}$ receives an M–LWE sample $(A,b)$, where b is either $s^{\top }A+e^{\top }(modq)$ (real) or uniform. It embeds b into the challenge ciphertext component u exactly as in the single-authority proof. If b is uniform, the ciphertext is statistically independent of the challenge bit.

Since the only difference with Game 0 is the possible replacement of u,

$$\left|Pr\left[\mathcal{A}\mathrm{wins}\mathrm{in}{G}_0\right]-Pr\left[\mathcal{A}\mathrm{wins}\mathrm{in}{G}_1\right]\right|\le {\mathrm{Adv}}_{\mathsf{M}-\mathsf{LWE}}\left(\mathcal{B}\right).$$

(19)

Games 2 to $\mathit{l}+\mathbf{1}$ (Hybrid Games). Let $\mathit{W}$ have rows ${\mathit{W}}_{\mathbf{1}},\dots ,{\mathit{W}}_{\mathit{l}}$. Starting from Game 1, we gradually replace, for $\mathit{j}=\mathbf{1},\dots ,\mathit{l}$, the component derived from ${\mathit{W}}_{\mathit{j}}$ by a uniformly random vector of the same dimension. Each step changes the distribution by at most ${\mathbf{Adv}}_{\mathrm{M}-\mathrm{LWE}}\left(\mathcal{B}\right)$, so after $\mathbf{l}$ steps we obtain Game $\mathbf{l}+\mathbf{1}$ in which the challenge ciphertext is independent of the plaintext and the adversary’s advantage is 0.

Final bound. By a telescoping sum over the $\mathbf{l}+\mathbf{1}$ games,

$${\mathbf{Adv}}_{\mathrm{CCA}}^{\mathrm{CP}-\mathrm{ABE}}\left(\mathcal{A}\right)\le \mathit{l}·{\mathbf{Adv}}_{\mathrm{M}-\mathrm{LWE}}\left(\mathcal{B}\right)+\mathbf{negl}\left(\mathbf{\lambda }\right).$$

(20)

Correctness. The threshold mechanism modifies only the way private keys are assembled; the encryption, decryption and noise analysis remain unchanged, hence correctness follows as in the single-authority case.

□

5. Performance Analysis

In this section, we review the performance of our proposed scheme from the following three aspects: (i) the security and functionality features, (ii) the key-storage overhead, and (iii) the computational eciency of encryption and decryption. All demonstrations were performed on the ChainMaker blockchain network, and deployed as smart contracts the decrypting functions. The comparative evaluation was carried out jointly with some state-of-the-art ABE schemes [8,24,25,26,27,28,29,30], with special attention given to those proposals involving blockchain technology and capable of supporting multi-authority deployments. For fairness, all the templates compared are evaluated based on the NIST 112-bit security strength.

5.1. Experimental Setup

Our experimental platform consists of a blockchain network and a client host. There are four ChainMaker consensus nodes in the network, and each of them is a 32-core AMD processor-based system with 32 GB memory, running the TBFT protocol. Client-side tests were performed on a desktop computer equipped with an eight-core Intel i5 (2.40 GHz) processor and 16 GB of RAM. The average communication node time was 0.023 ms because all blockchain nodes were executing on a single server. The prototype is written in Python 3.11 for the client side, and its smart contracts are deployed to the native framework of ChainMaker. Both client-side processing time and the blockchain confirmation time were performance metrics, for which polynomial multiplications and consensus were recognized as the main computational bottlenecks. The source code is publicly available in our repository https://github.com/Ant539/ML-ABE, accessed on 8 July 2025.

5.2. Comparative Analysis of Security and Functionality Features

Comparison

Table 3. Comparison of security and functionality features.

Scheme	Assump.	Model	Security	OMRA	Multi- Auth.	Large Univ.
Wang [24]	BDHP	SDM	IND-CPA	×	×	✓
Xiao [25]	LWE	SDM	IND-CCA	✓	×	✓
Ruan [26]	BDHP	SDM	IND-CPA	×	✓	✓
Chen [27]	LWE	SDM	IND-sCPA	×	×	✓
Yang [28]	LWE	SDM	IND-CPA	×	✓	✓
Fu [8]	R-LWE	SDM	None	×	×	✓
Zhao [29]	R-LWE	SDM	IND-CCA	×	×	×
Sravya [30]	M-LWE	SDM	IND-sCPA	×	×	×
Ours	M-LWE	SDM	IND-CCA	✓	✓	✓

compares eight representative ABE schemes in terms of their security assumptions, security models, and functional features. Our construction is based on the M-LWE assumption, believed to be post-quantum secure, following recent progress in lattice-based cryptography [14]. Moreover, the scheme achieves the security within the standard model rather than the random-oracle model, which is of more practical relevance. It also achieves IND-CCA, contrary to IND-CPA or IND-sCPA guarantees of some existing works. With regards to functionality, the scheme is multi-authority based and uses a large-universe construction to support the unbounded set of attributes without having to increase the size of the public parameters.

5.3. Storage Complexity

We also compared with state-of-the-art schemes that achieve the same statistical security levels, and also the same efficient group parameters for pairings if they are used: a 256-bit group order in the case of pairing-based construction and a 32-bit modulus q for lattice-based schemes. We report on

Table 4. Comparison of storage complexity ($\ell =logq$).

Scheme	$\mathit{pk}$	$\mathit{sk}$	C
Sravya [30]	$\left(Smk+k\right)n$	$mn{S}_i$	$\left[\left(2k+1\right)m{S}_i+k^2+2k\right]n\ell$
Zhao [29]	$\left(mn+kn+m^2\right)\ell$	$\left(1+kn\right)S_i\ell$	$\left[kn+\right(1+m\left)a\right]\ell$
Yang [28]	$S\left(nm+m^2+4n\right)\ell$	$S{m}^2\ell$	$\left(S_{i}n+1\right)\ell$
Fu [8]	$\left(nm+m^2\right)+2n$	$\left(2m+a\right)\ell$	$\left(2S_i+3\right)n\ell$
Chen [27]	$\left(3nm+n\right)\ell$	$2mS\ell$	$\left[\right(2m+1\left)a+1\right]\ell$
Wang [24]	G1(4n + 1) + G2(4n + 1) + GT	G2(l + 1) + Zp	G1(2n + 6) + G2(2n + 6) + 3GT + 7Zp
Xiao [25]	$2nm\ell$	$2nm{S}_i\ell$	$2\left(k+m\right)\ell$
Ruan [26]	${\sum }_1^4{G}_{p_i}+G_T$	$G_1\left(2+n\right)$	$G_1\left(n+2\right)+G_T+M$
Ours	$\left(n{k}^2+2kmn\right)$	$2nk{S}_i{log}^2\eta$	$(n{k}^{2}du+nk·dv)a$

the theoretical storage cost for ten attributes, which is also a common case in digital-asset platforms.

For a more engineering-oriented viewpoint, we also calculated storage costs using concrete parameters generated for each scheme. In particular, ciphertext length was set to 43, 52 bits (or 544 bytes), i.e., divisible by 256, to correspond to what is common in practice for digital assets, and to ease comparison.

We summarize the public-key ($pk$), secret-key ($sk$), ciphertexts (C) and lattice dimension m of the candidates in

Table 5. Comparison of the actual cost.

	$\mathit{pk}$	$\mathit{sk}$	C
Sravya [30]	37.38 KB	32.65 KB	4.81 KB
Zhao [29]	174.10 KB	12.7 KB	359.85 KB
Yang [28]	140.92 KB	48.88 KB	10.43 KB
Fu [8]	805.94 KB	43.53 KB	3.29 KB
Chen [27]	1.01 MB	120.32 KB	180.65 KB
Wang [24]	22.6 KB	5.76 KB	19.84 KB
Xiao [25]	243 KB	442 KB	623 KB
Ruan [26]	18.8 KB	4.5 KB	13 KB
Ours	16.23 KB	6.25 KB	9.37 KB

. Pursuing the guidelines of NIST, all parameters aim at 112-bit security level with a single-gate access policy. The offered $pk$ size by the proposed EBODS construction is ranked minimal and $sk$ is the second minimal size among all the competitors [8,27,28,29,30]. In massive installations (e.g., digital-twin platforms), this acceleration implies reduced bandwidth and storage requirements. Although our ciphertexts do not reach the optimal compactness, they have a competitive size with respect to the added security properties and the ability to use them in a blockchain-based trading case. Bold values indicate the best-performing scheme in each category ($pk$, $sk$, C).

5.4. Computation Complexity

We evaluated the computational efficiency of a blockchain-based outsourced-decryption service with three experiments in encryption time, decryption time, and key generation overhead with various settings. For reasonable comparison, we removed the schemes of Chen et al. [27] and Zhao et al. [29] which suffered from high runtime, as well as Ruan et al. [26], for which we get a more flat performance.

The first set of experiments reveals our scheme in comparison to typical lattice-based and outsourcing solutions under a simple access policy (A ∧ B) on 256-bit messages. As it can be seen in the comparative analysis of Figure 4, our circuit achieves competitive encryption and key-generation times, while outperforming all the baselines in terms of decryption time. These improvements are due to (i) a small policy matrix (SPM) that reduces the size and complexity of the underlying matrix operations, and (ii) an outsourced-decryption scheme offloading most of the computations to the edge servers and lightening the client’s cost. With the overhead of blockchain logging, computation of the key generation is still efficient which demonstrates the viability of the scheme in actual deployments.

The second experiment demonstrates scalability by varying the dimensions of the attributes from 10 to 100. It has been demonstrated in Figure 5 that the time costs of all the operations increase with the number of attributes. But the encryption time grows almost linearly, which comes from the effective SPM and the moderately chosen parameters that result in a smaller size of the matrix. Decryption time is only moderately increased because the most computationally expensive operations are outsourced to edge servers. The generation time of key, representing the largest growth, is nevertheless acceptable since this operation is performed only once during the system initialization stage. These experiments demonstrate that our approach is applicable for big applications with evolving attribute sets.

The third shows the performance for more complicated access policies, with the combination of several AND, OR, and threshold gates. The

Table 6. Performance evaluation under different access control policies (in milliseconds).

	A or B		A and B		10 or
	Enc	Dec	Enc	Dec	Enc	Dec
Fu [8]	28.47	1.92	55.66	3.86	215.25	6.62
Zhao [29]	5256.85	216.19	10,278.81	435.55	39,751.50	746.83
Sravya [30]	82.98	37.35	162.25	75.25	627.48	129.02
Yang [28]	173.46	768.12	339.16	1547.54	1311.66	2653.52
Wang [24]	61.48	1.49	120.21	3.01	464.90	5.16
Ours	35.81	7.48	70.02	15.07	270.79	25.84
	10 and		5 and 5 or		2 out of 3
	Enc	Dec	Enc	Dec	Enc	Dec
Fu [8]	372.61	12.29	245.00	13.47	121.88	7.34
Zhao [29]	68,811.68	1385.28	45,244.69	1518.22	22,507.11	827.18
Sravya [30]	1086.19	239.32	714.19	262.29	355.27	142.90
Yang [28]	2270.54	4921.94	1492.91	5394.32	742.65	2939.00
Wang [24]	804.76	9.57	529.14	10.49	263.22	5.71
Ours	468.75	47.93	308.21	52.53	153.32	28.62

shows that our system provides efficient performance even though the rules are complex. Moreover, for more complex policies, up to the energy available at the client device can be saved. The overhead of encryption increases moderately with the complexity of policy, but is still acceptable because of the resulting much smaller matrix dimensions and the NTT (Number Theoretic Transform) operations, which facilitate the operation of polynomials.

Scalability of our approach: We study the performance of the proposed approach with an increasing number of attributes, ranging from 10 to 100. As can be seen from Figure 6, all schemes exhibit a growing time cost as the number of attributes increases, and our combined scheme always achieves better performance in encryption and decryption efficiency. Such an almost linear speed-up in encryption time is due to SPM (Small Policy Matrix), where the matrix dimension is minimized for efficient parameter utilization. Decryption: The outsourced decryption scheme just passes on the heavy computation centers to edge servers for the client in order to cut the workload of the client, and only the decryption time increases slightly. On the other hand, other schemes like Yang and Fu show much higher time cost increments, which clearly indicates their scalability bottleneck. These results demonstrate the viability of our method for large-scale applications with dynamic and extensive attribute sets.

5.5. Gas Consumption Evaluation

The smart contract was deployed on the Chang’an Chain, a consortium blockchain platform, for the experiment to analyze the gas consumption of the core operation. Gas for key generation, encryption, and decryption was calculated using the platform’s native gas calculation tool. In

Table 7. Gas consumption for core smart contract operations.

Scheme	Key Generation	Encryption	Decryption
Fu [8]	160,548	21,991	36,217
Zhao [29]	90,253	34,428	3456
Sravya [30]	8402	9561	22,601
Yang [28]	12,115	8302	12,775
Wang [24]	17,676	19,911	18,113
Ours	10,156	7487	15,072

, we report the gas consumption of each function in five representative schemes, as well as that of our approach. Our scheme demonstrates the best gas performance, as indicated by the bold values in the table.

Our scheme has the smallest gas cost in both encryption and decryption (Table 7) compared with all these methods. Our construction naturally achieves (quasi-) optimal efficiency in key generation and consumes less gas than the vast majority of previous works. This has evidently proved that our design is more applicable for executing large-scale blockchains, which makes the operational cost lower and more scalable.

6. Future Work and Conclusions

Future Work: Future directions will move along three lines. First, we will tighten the existing conservative parameter set by a more fine-grained concrete security analysis and implementation-level optimizations such as NTT and SIMD sampling, aiming at reducing the size of ciphertext and the latency of decryption by 30–50% with the same level of security. Second, we intend to develop an on-chain revocation and attribute evolution mechanism that amortizes gas costs on a per-batch basis, and devoid of a requirement to re-encrypt historical ciphertexts, via key-insulated methods. Finally, we will generalize the policy matrix to model richer logical operations (including, for example, NOT supports), that can be used to model more complex access structures over a larger number of attributes.

Conclusions: In this paper, we present an efficient outsourced decryption scheme for ABE using matrix optimization technique. The technique generalizes the idea of matrix optimization from the integer domain to the polynomial domain, and speeds up algorithm by using the Number Theoretic Transform (NTT). When instantiated under some concrete parameter values, this leads to better efficiency for decryption under the standard model at no expense to selective security. However, the proposed scheme is not strong enough for complex access policies. In the future, we will improve the efficiency of matrix decomposition algorithms, and more flexible access structures will be supported, and efficient revocation mechanisms will also be developed.