Lattices-Inspired CP-ABE from LWE Scheme for Data Access and Sharing Based on Blockchain

Abstract

To address the quantum attacks on number theory-based ciphertext policy attribute-based encryption (CP-ABE), and to avoid private key leakage problems by relying on a trustworthy central authority, we propose a lattice-inspired CP-ABE scheme for data access and sharing based on blockchain in this paper. Firstly, a CP-ABE-based algorithm using learning with errors (LWE) assumption is constructed, which is selective security under linear independence restriction in the random oracle model. Secondly, the blockchain nodes can act as a distributed key management server to offer control over master keys used to generate private keys for different data users that reflect their attributes through launching transactions on the blockchain system. Finally, we develop smart contracts for proving the correctness of proxy re-encryption (PRE) and provide auditability for the whole data-sharing process. Compared with the traditional CP-ABE algorithm, the post-quantum CP-ABE algorithm can significantly improve the computation speed according to the result of the functional and experimental analysis. Moreover, the proposed blockchain-based CP-ABE scheme provides not only multi-cryptography collaboration to enhance the security of data access and sharing but also reduces average transaction response time and throughput.

1. Introduction

With the increasing popularity of blockchain technology, blockchain has been widely used in data access and sharing in weak-trusted or no-trusted networks. However, privacy data protection on the blockchain has become a challenge due to the characteristics of “non-tampering” and “open and transparent”. In recent years, many scholars have put forward some new solutions for privacy protection and data sharing on the blockchain [1,2,3,4,5,6], among which attribute-based encryption algorithm has been widely used in various schemes on the blockchain, such as in data traceability [1], cloud storage [7], medical data sharing [8,9], power systems [10] and Internet of Things [11] due to its advantages of “one-to-many” encryption, fine-grained access control and so on.

The attribute-based encryption (ABE) originated from the fuzzy identity-based encryption [12] proposed by Sahai and Waters in 2005 and then developed into ABE. In key policy attribute-based encryption [13] (KP-ABE), the ciphertext is associated with the attribute and the key with the access policy. However, in ciphertext policy attribute-based encryption (CP-ABE), the key is associated with the attribute and the ciphertext with the access policy. The CP-ABE allows the data owner to freely formulate the access control policy and is more suitable for the distributed storage environment and uncertain deciphering [14]. In recent years, the main research on the ABE mainly focused on computation efficiency [15,16], access policy and attribute hiding [17], and identity management [18,19]. In 2007, Bethencourt et al. [20] proposed a system for the CP-ABE algorithm which allows policies to be expressed as any monotonic tree access structure and is resistant to collusion attacks in which an attacker might obtain multiple private keys. In addition, the “one-to-many” encryption and fine-grained access control could be achieved this way. However, it is proved secure under the generic group heuristic. In 2011, Waters [21] proved the security of the CP-ABE under the standard model and put forward a CP-ABE adopting the linear secret sharing scheme, which improved the efficiency significantly. In 2012, Okamoto [22] et al. proposed the first unbounded inner product ABE scheme, which lifted the restrictions on the predicate terms and size attributes of the previous ABE scheme. In 2013, Gorbunov [23] proposed an ABE scheme based on the polynomial logic circuit. This scheme was designed to resist collusion attacks effectively, and its public parameter and ciphertext size increased linearly with the circuit depth. This scheme made it possible to transform from Boolean formula-based to circuit-based, which had better security by nature. In 2014, Waters [24] proposed an Online-Offline ABE scheme to address the computational bottleneck of encryption and key generation. This scheme was inspired by the ABE scheme put forward by Rouselakis et al. [25], and developed new techniques for ABE that split the computation for encryption into two phases, thus reducing the computation consumption in the online stage.

Recently, the blockchain-enhanced CP-ABE scheme using elliptic curve cryptography (ECC) has become a popular research area due to its potential to provide secure data access and sharing without involving a third party. In 2020, Yuwen Pu [26] presented a privacy-preserving, recoverable, and revocable edge data-sharing scheme based on blockchain technology to achieve attribute revocation in ciphertext-policy attribute-based encryption (CP-ABE), which can protect user’s privacy and resist many attacks. Sheng Gao [27] proposed a new trustworthy, secure ciphertext policy and attribute hiding access control scheme based on blockchain to achieve trustworthy access while guaranteeing the privacy of policy and attribute. Meanwhile, Xuanmei Qin [28] proposed a scheme that manages each attribute across different domains, eliminates the single-point bottleneck of the existing multi-authority blockchain-based CP-ABE schemes, and reduces computation and communication overhead between the user and the multiple attribute authorities. In 2022, Guofeng Zhang [29] proposed a secure and trusted agricultural product traceability system (BCST-APTS) supported by blockchain and CP-ABE encryption technology, thereby ensuring the efficient sharing and supervision of data stored in the Permissioned Blockchain.

However, most of the aforementioned works based their security on cryptographic assumptions related to bilinear maps. It is very natural to seek for solutions to the known attacks on group-based constructions by quantum computers. To address the threat of quantum computing, lattice-based cryptography is a promising approach that provides a new set of assumptions based on finding short vectors in lattices and is believed to be hard for quantum computers. Additionally, new cryptographic protocols have been proposed which rely on the hardness of solving certain lattice problems, including Learning with Errors (LWE). These protocols are expected to provide strong protection against the attacks of quantum computers. At present, lattice-difficulty problems that are provably secure mainly consist of small integer solution problems (SIS) and learning with errors problems (LWE). These two difficult problems are as hard as approximate lattice problems from the worst case to the average case reduction. Recently, several lattice-based encryption schemes have been proposed consecutively, which mainly focus on identity-based encryption [30,31,32] digital signature [33], and zero-knowledge proof [34]. In May 2021, Datta et al. [35] constructed an ABE algorithm based on ciphertext policy according to the LWE-difficulty problem and realized a CP-ABE scheme that could resist quantum attacks.

In addition, for a comprehensive analysis of our security measures, we considered the potential impacts of active and passive side-channel attacks (SCA), fault attacks, and power analysis attacks [36]. We recognize the increasing importance of Post-Quantum Cryptography (PQC) in secure applications, such as smartphones and blockchain systems, as it replaces traditional ECC/RSA algorithms. Therefore, we studied relevant literature [37,38,39]. Furthermore, we acknowledged the significance of NIST lightweight standardization and considered fault attacks as a consideration for side-channel attacks, referring to the research work of Mozaffari-Kermani et al. [40,41,42] in this field.

The contributions of this scheme are as follows:

(a) Form the LWE-CPABE algorithm suitable for blockchain to resist the quantum attacks, improve the CP-ABE scheme proposed by Datta, design the CP-ABE algorithm supporting policy update, and realize the dynamic access control of the data;

(b) Use a threshold proxy re-encryption scheme following a key encapsulation mechanism (KEM) approach to implement distributed key management for the LWE-CPABE algorithm, design the transaction generation algorithm and transaction verification contract, and realize the correctness and integrity verification of the intra-transaction data and the outsourcing storage data;

(c) Carry out the security analysis and simulation experiment, and the results show that this scheme is secure and efficient and is suitable for distributed data sharing and access control.

2. Preliminaries

2.1. Notations

In this paper, we use the following notations and conventions. The security parameter is denoted by λ. A function $\mathit{negl}:\mathbb{N}\to ℝ$ is considered negligible if it decreases faster than any inverse-polynomial function. Formally, for every constant $c>0$, there exists an integer $N_c$ such that $\mathit{negl}(\lambda )\le {\lambda }^{-c}$ for all $\lambda >N_c$, where $\left[n\right]=\left\{1,\cdots ,n\right\}$ is the negligible function.

The abbreviation PPT represents probabilistic polynomial-time algorithms. When sampling from a distribution $\mathcal{X}$, we use $x\leftarrow \mathcal{X}$ to denote the random value sampled from the $\mathcal{X}$ distribution. For a set X, the notation x $\leftarrow$ X indicates that x is sampled uniformly from the elements of set X. Bold lowercase letters, such as $\mathit{v}$, represent vectors, while bold uppercase letters, such as $\mathit{M}$, represent matrices. By default, all vectors in this paper are assumed to be row vectors. In the context of matrices, the $j$-th row is denoted as ${\mathit{M}}_j$, and ${\mathit{M}}_J$ represents the submatrix of $\mathit{M}$ composed of all rows indexed by $j\in J$, where $J$ is a set of row indexes. For a vector $\mathit{v}$, we use $\Vert \mathit{v}\Vert$ to denote its ${\ell }_2$-norm, and $\Vert \mathit{v}{\Vert }_{\infty }$ represents the ${\ell }_{\infty }$-norm of the vector.

For an integer $q\ge 2$, we let ${\mathbb{Z}}_q$ denote the ring of integers modulo $q$. We use ${\mathbb{Z}}_q$ to represent integers in the range $\left(-q/2,q/2\right]$.

2.2. B-Bounded

For a family of distributions $\mathcal{D}={\left\{{\mathcal{D}}_{\lambda }\right\}}_{\lambda \in \mathbb{N}}$ over the integers and there is a boundary $B=B\left(\lambda \right)>0$. If we denote that $\mathcal{D}$ is $B$-bounded for every $\lambda \in \mathbb{N}$, it holds that:

$${\mathrm{Pr}}_{x\leftarrow {\mathcal{D}}_{\lambda }}\left[\left|x\right|\le B\left(\lambda \right)\right]=1$$

(1)

Lemma 1.

Let $B_1=B_1\left(\lambda \right)$ and $B_2=B_2\left(\lambda \right)$ be positive, and let $\mathcal{D}={\left\{{\mathcal{D}}_{\lambda }\right\}}_{\lambda }$ be a B-bounded distribution family of $B_1$. We let $\mathcal{U}={\left\{{\mathcal{U}}_{\lambda }\right\}}_{\lambda }$ denote the uniform distribution over $\left[-B_2\left(\lambda \right),B_2\left(\lambda \right)\right]$. If there is a negligible function $\mathit{negl}(\cdot )$ such that for all $\lambda \in \mathbb{N}$ it holds that:

$$B_1\left(\lambda \right)/B_2\left(\lambda \right)\le \mathit{negl}\left(\lambda \right)$$

(2)

and then the distribution family $\mathcal{D}+\mathcal{U}$ and $\mathcal{U}$ are statistically indistinguishable.

2.3. Leftover Hash Lemma

Lemma 2.

(leftover hash lemma) Let $n:\mathbb{N}\to \mathbb{N}$, $q:\mathbb{N}\to \mathbb{N}$, $m>\left(n+1\right)\log q+\omega \left(\log n\right)$, and we donte $k=k\left(n\right)$ as some polynomial. Then, the following two distributions are statistically indistinguishable:

$$\begin{array}{l}{\mathcal{D}}_1\equiv \left\{\left(\mathit{A},\mathit{A}\mathit{R}\right)|\mathit{A}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathit{R}\leftarrow {\left\{-1,1\right\}}^{m\times k}\right\},\\ {\mathcal{D}}_2\equiv \left\{\left(\mathit{A},\mathit{S}\right)|\mathit{A}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathit{S}\leftarrow {\mathbb{Z}}_q^{n\times k}\right\}.\end{array}$$

(3)

2.4. Lattice

Here, we briefly describe the necessary background on lattices. A lattice $ℒ$ is defined as the discrete addition subgroup with the dimension being $m$ in ${ℝ}^m$, assuming the positive integers $n$, $m$, $q$ and the matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$, and let ${\lambda }_q^{\perp }\left(\mathit{A}\right)$ represent the lattice $\left\{\mathit{x}\in {\mathbb{Z}}^m|\mathit{A}{\mathit{x}}^{\perp }={\mathbf{0}}^{\perp }\mathrm{mod}q\right\}$. For $\mathit{u}\in {\mathbb{Z}}_q^n$, we let ${\lambda }_q^{\mathit{u}}\left(\mathit{A}\right)$ denote as the coset $\left\{\mathit{x}\in {\mathbb{Z}}^m|\mathit{A}{\mathit{x}}^{\perp }={\mathit{u}}^{\perp }\mathrm{mod}q\right\}$.

2.4.1. Discrete Gaussians

Let $\sigma$ be any positive real number. Generating a Gaussian distribution ${\mathcal{D}}_{\sigma }$ is defined by the probability distribution function (PDF) ${\rho }_{\sigma }\left(\mathit{x}\right)=\exp \left(-\pi \Vert x{\Vert }^2/{\sigma }^2\right)$. For any discrete set $ℒ\in {ℝ}^m$, we define ${\rho }_{\sigma }(ℒ)={\sum }_{\mathit{x}\in ℒ}{\rho }_{\sigma }\left(\mathit{x}\right)$. The discrete Gaussian distribution ${\mathcal{D}}_{ℒ,\sigma }$ over the lattice $ℒ$ with the parameter $\sigma$ is defined by PDF ${\rho }_{ℒ,\sigma }\left(\mathit{x}\right)$:

$${\rho }_{ℒ,\sigma }\left(\mathit{x}\right)={\rho }_{\sigma }\left(\mathit{x}\right)/{\rho }_{\sigma }(ℒ)$$

(4)

Lemma 3. 

If the parameter $\sigma$ of discrete Gaussian distribution is small, then any vector extracted from this distribution will possibly be short.

Lemma 4. 

Let m,n,q denote as the positive integers that satisfy $m>n$ and $q>2$. We define a matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ with parameter $\sigma =\tilde{\Omega }\left(n\right)$ and $ℒ={\lambda }_q^{\perp }\left(\mathit{A}\right)$. Then, there is a negligible function $\mathit{negl}(\cdot )$ such that:

$$\underset{\mathit{x}\leftarrow {\mathcal{D}}_{ℒ,\sigma }}{\mathrm{Pr}}\left[\Vert \mathit{x}\Vert >\sqrt{m}\sigma \right]\le \mathit{negl}\left(n\right)$$

(5)

where $\Vert \mathit{x}\Vert$ is the ${\ell }_2$ norm of x.

2.4.2. Truncated Discrete Gaussians

The truncated discrete Gaussian distribution ${\tilde{\mathcal{D}}}_{{\mathbb{Z}}^m,\sigma }$ with the parameter $\sigma$ over ${\mathbb{Z}}^m$ is the same as the discrete Gaussian distribution ${\mathcal{D}}_{{\mathbb{Z}}^m,\sigma }$. Expect that it outputs 0 when the ${\ell }_{\infty }$ norm is larger than $\sqrt{m}\sigma$. In addition, according to Lemma 1, ${\tilde{\mathcal{D}}}_{{\mathbb{Z}}^m,\sigma }$ and ${\mathcal{D}}_{{\mathbb{Z}}^m,\sigma }$ are statistically indistinguishable.

2.4.3. Lattice Trapdoors

Lattices with trapdoors function have certain “trapdoors” that allow efficient solutions to hard lattice problems. A trapdoor lattice consists of the following two algorithms:

➀

$\mathbf{TrapGen}\left(1^n,1^m,q\right)\mapsto \left(\mathit{A},T_{\mathit{A}}\right)$: The lattice generation algorithm is a randomized algorithm. It takes as input the dimensions n,m and modulus $q$ of the matrix and output a matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ together with a lattice trapdoors function $T_{\mathit{A}}$.

➁

$\mathbf{SamplePre}\left(\mathit{A},T_{\mathit{A}},\sigma ,\mathit{u}\right)\mapsto \mathit{s}$: The pre-sampling algorithm takes a matrix $\mathit{A}$, the lattice trapdoors function $T_{\mathit{A}}$, a vector $\mathit{u}\in {\mathbb{Z}}_q^n$, and a parameter $\sigma \in ℝ$ as the inputs. And it outputs the vector $\mathit{s}\in {\mathbb{Z}}_q^m$, which the vector $\mathit{s}$ satisfies $\mathit{A}\cdot {\mathit{s}}^{\top }={\mathit{u}}^{\top }$ $\Vert \mathit{s}\Vert \le \sqrt{m}\cdot \sigma$.

2.5. Learning with Errors (LWE)

For a security parameter $\lambda \in \mathbb{N}$, assuming that $n:\mathbb{N}\to \mathbb{N}$, $q:\mathbb{N}\to \mathbb{N}$ and $\sigma :\mathbb{N}\to {ℝ}^{+}$ are the function of $\lambda$. We define ${\mathrm{LWE}}_{n,q,\sigma }$ as the hypothesis of the LWE-hardness problem by parametric $q=q\left(\lambda \right)$, $n=n\left(\lambda \right)$ and $\sigma =\sigma \left(\lambda \right)$. For any PPT adversary $\mathcal{A}$, there exists a negligible function $\mathit{negl}(\cdot )$ for any $\lambda \in \mathbb{N}$:

$${\mathrm{Adv}}_{\mathcal{A}}^{{\mathrm{LWE}}_{n,q,\sigma }}\left(\lambda \right)\triangleq \left|\begin{array}{c}\mathrm{Pr}\left[\begin{array}{c}1\leftarrow {\mathcal{A}}^{{\mathcal{O}}_1^s(\cdot )}\left(1^{\lambda }\right)|\\ \mathit{s}\leftarrow {\mathbb{Z}}_q^n\end{array}\right]\\ -\mathrm{Pr}\left[1\leftarrow {\mathcal{A}}^{{\mathcal{O}}_2(\cdot )}\left(1^{\lambda }\right)\right]\end{array}\right|\le \mathit{negl}\left(\lambda \right)$$

(6)

where the Oracles ${\mathcal{O}}_1^{\mathit{s}}(\cdot )$ and ${\mathcal{O}}_2(\cdot )$ are defined as follows:

${\mathcal{O}}_1^{\mathit{s}}(\cdot )$ is strongly connected with $\mathit{s}\in {\mathbb{Z}}_q^n$, and it chooses $\mathit{a}\leftarrow {\mathbb{Z}}_q^n$ and $e\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma }$, and outputs $\left(\mathit{a},\mathit{s}{\mathit{a}}^{\top }+e\mathrm{mod}q\right)$ in each query. ${\mathcal{O}}_2(\cdot )$ on each query it chooses $\mathit{a}\leftarrow {\mathbb{Z}}_q^n$ and $u\leftarrow {\mathbb{Z}}_q$, and outputs $\left(\mathit{a},u\right)$.

Definition 1.

If there is a hypothesis that a PPT adversary can break the LWE assumption, then there exists a PPT quantum algorithm that can solve some hard lattice problems in the worst case.

Given the current technical schemes on the hard lattice problems, the LWE assumption is believed to be true for any polynomial $n(\cdot )$ and function $q(\cdot )$ when all $\lambda \in \mathbb{N}$, $n=n\left(\lambda \right)$, $q=q\left(\lambda \right)$, and $\sigma =\sigma \left(\lambda \right)$ satisfy the following conditions:

$$2\sqrt{n}<\sigma <q<2^n, n\cdot q/\sigma <2^{n^{ϵ}}, 0<ϵ<1/2$$

(7)

3. LWE-CP-ABE Scheme

3.1. Algorithm Construction

In this section, we present the LWE-CP-ABE scheme for access structures with LSSS using blockchain technology, which is associated with Proxy Re-Encryption (PRE) protocol under a subset of on-chain node client by transforming encrypted data from one public key to another. As shown in Figure 1, our CP-ABE system under LWE assumption LWE – CP − ABE = (Setup, KeyGen, Enc, Dec, AccGen, AccUpdate) mainly consists of six procedures with the following syntax:

(1) $\mathbf{Setup}\left(1^{\lambda },s_{\max },\mathbb{U}\right)\to \left(\mathrm{PK},\mathrm{MSK}\right)$

The setup algorithm takes as input the security parameter $\lambda$, the maximum width $s_{\max }=s_{\max }\left(\lambda \right)$ supported by an LSSS matrix supported by the scheme, and the attribute universe $\mathbb{U}$.

For each attribute u in the system, it selects ${\mathit{A}}_u\in {\mathbb{Z}}_q^{n\times m}$ to generate the trapdoors function ${\mathit{T}}_{{\mathit{A}}_u}$, and selects the uniformly distributed random matrix ${\mathit{H}}_u\leftarrow {\mathbb{Z}}_q^{n\times m}$ and random vector $\mathit{y}\leftarrow {\mathbb{Z}}_q^n$. It outputs the system’s public parameters and the master secret key.

$$\mathrm{PK}=\left(\mathit{y},\left\{{\mathit{A}}_u\right\},\left\{{\mathit{H}}_u\right\}\right), \mathrm{MSK}=\left\{T_{{\mathit{A}}_u}\right\}$$

(8)

(2) $\mathbf{KeyGen}\left(\mathrm{MSK},\mathit{U}\right)\to \mathrm{SK}$

The key generation algorithm takes as input the user’s attribute set U and MSK. We let a vector $\widehat{\mathit{t}}\leftarrow {\mathrm{noise}}^{m-1}$ and set the vector $\mathit{t}=\left(1,\widehat{\mathit{t}}\right)\in {\mathbb{Z}}^m$, The vector $\mathit{t}$ is a part of the user attribute SK, and every user has a different $\mathit{t}$, which can prevent conspiracy attacks. For each attribute $u\in U$, a short vector ${\tilde{\mathit{k}}}_u$ is generated by the trapdoors ${\mathit{T}}_{{\mathit{A}}_u}$ and satisfies ${\mathit{A}}_u{\tilde{\mathit{k}}}_u^{\top }={\mathit{H}}_u{\mathit{t}}^{\top }$. Finally, it outputs:

$$\mathrm{SK}=\left(\begin{array}{c}\left\{{\tilde{\mathit{k}}}_u\right\},\mathit{t}\end{array}\right)$$

(9)

(3) $\mathbf{Enc}\left(\mathrm{PK},m,\left(\mathit{M},\rho \right)\right)\to \mathrm{CT}$

The encryption algorithm takes as input the public parameter PK, a message bit $\mathbf{m}\in \{\mathbf{0},\mathbf{1}\}$ and access policy $(\mathit{M},\rho )$ from LSSS. Let $\rho$ be the mapping function that maps the attribute to the row of the matrix M. that is, $\rho \left(i\right)$ is the attribute $M={(M_{i,j})}_{l\times s_{max}}\in {\{-1,0,1\}}^{l\times s_{max}}\subset {\mathbb{Z}}_q^{l\times s_{max}}$ associated with the $i$ row in the matrix $\mathit{M}$. The procedure Randomly samples vectors $s\leftarrow {\mathbb{Z}}_q^n$, ${\mathit{v}}_2,\cdots ,{\mathit{v}}_{s_{\max }}\leftarrow {\mathbb{Z}}_q^m$ and $\left\{x_i\right\}\leftarrow {\mathbb{Z}}_q^n$, and then it computes as follows:

$$\begin{array}{ll}{\mathit{c}}_i=& \mathit{s}{\mathit{A}}_{\rho \left(i\right)}+\mathrm{noise}\\ {\widehat{\mathit{c}}}_i=& M_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },\stackrel{m-1}{\stackrel{}{\overbrace{0,\cdots ,0}}}\right)+\left[{\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{i,j}{\mathit{v}}_j}\right]\\ & -\mathit{s}{\mathit{H}}_{\rho \left(i\right)}+\mathrm{noise}\end{array}$$

(10)

and it outputs:

$$\mathrm{CT}=\left({\left\{{\mathit{c}}_i\right\}}_{i\in \left[\ell \right]},{\left\{{\widehat{\mathit{c}}}_i\right\}}_{i\in \left[\ell \right]},C=\mathrm{MSB}\left(\mathit{s}{\mathit{y}}^{\top }\right)\oplus m\right)$$

(11)

$$\mathrm{S}{\mathrm{K}}_{GID,u}={\widehat{k}}_{GID,u}+{\widehat{k}}_{GID,u}$$

(12)

(4) $\mathbf{Dec}\left(\mathrm{PK},\mathrm{CT},\mathrm{SK}\right)\to m$

The decryption algorithm takes as inputs the PK, the ciphertext CT generated with respect to an LSSS, and the user secret key SK related to some subset of attributes U. Let the attribute owned by the user meet the access control policy. We denote $\mathit{I}$ as the row vector set corresponding to the attribute and ${\left\{{\omega }_i\right\}}_{i\in \mathit{I}}\in \left\{0,1\right\}\subset {\mathbb{Z}}_q$ the reconstruction coefficient. For any $i\in \mathit{I}$, let $\rho \left(i\right)$ be the row-relevant attribute. The algorithm computes:

$$K={\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\left({\mathit{c}}_i{\tilde{\mathit{k}}}_{\rho \left(i\right)}^{\top }+{\widehat{\mathit{c}}}_i{\mathit{t}}^{\top }\right)}$$

(13)

and outputs:

$$m=C\oplus \mathrm{MSB}\left(K\right)$$

(14)

(6) $\mathbf{AccGen}\left({\mathit{M}}^{\prime },{\rho }^{\prime }\right)\to \left({{\mathit{c}}_i}^{\prime },{{\widehat{\mathit{c}}}_i}^{\prime }\right)$.

The ciphertext policy generation algorithm takes as input the new access control policy and outputs the updated policy ciphertext.

(7) $\mathbf{AccUpdate}\left({{\mathit{c}}_i}^{\prime },{{\widehat{\mathit{c}}}_i}^{\prime },C\right)\to {\mathrm{C}\mathrm{T}}^{\prime }$.

The ciphertext policy update algorithm takes the policy ciphertext generated by the policy generation algorithm as the input and outputs the new ciphertext ${\mathrm{C}\mathrm{T}}^{\prime }$.

3.2. Security Model

The proposed CP-ABE scheme is selectively secure under linear independence restriction in the random oracle model if the LWE assumption holds. To prove this assumption, the hybrid security game contains a challenger and an adversary. The challenger simulates the system and answers the adversary’s inquiries. The hybrid game starts as follows.

(1) Setup phase. The reduction algorithm receives a security parameter $1^{\lambda }$ and an access control policy $\left(\mathit{M},\rho \right)$ from the challenger and invokes an adversary. The challenger runs the $\mathbf{Setup}$ algorithm to generate the system PK and send it to the adversary.

(2) Secret key queried by an adversary. For each key query, the adversary sends a set of attributes $\mathit{U}\in \mathbb{U}$, but these attributes do not satisfy the access control policy $\left(\mathit{M},\rho \right)$. The challenger runs the $\mathbf{KeyGen}$ algorithm and sends the generated user attribute SK to the adversary.

(3) Challenge phase. To generate the challenge ciphertext, the challenger selects a random bit $b\leftarrow \left\{0,1\right\}$ and runs the ENC algorithm to encrypt it using the access control policy. Consequently, the challenger provides that to the adversary.

(4) Repeat step (2).

(5) Guess phase. The hybrid game terminates with an adversary outputting its guess $b^{\prime }\leftarrow \left\{0,1\right\}$ for the bit b encrypted within the challenge ciphertext.

The advantage of the adversary $\mathcal{A}$ in this game is:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{LWE}-\mathrm{CPABE}, \mathrm{SEL}-\mathrm{CPA}}\left(\lambda \right)\triangleq \left|\mathrm{Pr}\left[b=b^{\prime }\right]-1/2\right|$$

(15)

Definition 2.

If there exists a negligible function $\mathit{negl}(\cdot )$ for any PPT adversary $\mathcal{A}$, for all $\lambda \in \mathbb{N}$, there is ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{LWE}-\mathrm{CPABE},\mathrm{SEL}-\mathrm{CPA}}\left(\lambda \right)\le \mathit{negl}\left(\lambda \right)$. The LWE-CP-ABE scheme proposed in this paper is selectively secure under linear independence restriction.

4. Blockchain-Based LWE-CP-ABE Data Sharing Scheme

4.1. Overview of Blockchain-Based LWE-CP-ABE

To ensure efficient data sharing and access policy updating on the blockchain, all activities of the ciphertext access control scheme, such as generating the public parameters, secret keys, and oracle functions, are written into the distributed ledger on blockchain. Users can access the authorized data through their user attribute secret key controlled over the blockchain, which matches their attributes, and complete the secure and traceable data sharing. The blockchain-based data-sharing framework of the LWE-CP-ABE is shown in Figure 2. Here, the blockchain system is built with pre-quantum cryptography for master key management and immutable storage of transactions, and CP-ABE is constructed with post-quantum cryptography for access and sharing of ciphertext. The system characters play particular roles described as follows:

(1) User (DO, DU). It includes the data owner (DO) and the data user (DU).

When a DO wants to share this information with DU, they can create a policy with the LSSS matrix to grant access to DU. Thus DO generates the global parameters, encrypts the corresponding message, and uploads the transactions to the blockchain.

At the same time, if different DUs want to access the data, they must request the secret keys from the nodes on the blockchain. The DUs use it to decrypt the ciphertext obtained from the third-party storage;

(2) Third-party storage (TPS). It provides API storage services for encrypted data, such as distributed file-sharing network IPFS, and its hash addresses are stored on the blockchain;

(3) Blockchain Network (BN). It comprises a participant node on the blockchain that stands ready to provide decentralized key management services and creates a symmetric key for the master secret key of CP-ABE for the data users. Additionally, the blockchain system provides traceability and auditability of transactions involved in the LWE-CP-ABE access control protocol;

(4) Key Management Network (KMN). A group of blockchain nodes that provides an application of the Proxy Re-Encryption (PRE) scheme ensuring the security of the master secret key distribution in the LWE-CPABE encryption algorithm.

4.2. Data Sharing Scheme in Key Management Network and Blockchain Network

In our LWE-CP-ABE approach based on blockchain for data access and sharing, it is essential that DU can securely acquire the master secret key MSK without needing to involve a central authority or trusted third party. Thus, we introduce the PRE algorithm with ECC applied in the blockchain network, which acts as a decentralized key management service to carry out the master key distribution for data users. To grant the MSK to DU, DO creates a random symmetric key, encrypts the MSK for DUs, and each node is responsible for securely storing and managing the re-encryption keys or the key shares. DU must collect the fragments until he obtains a threshold, t, number of fragments to re-constructed and decrypt the ciphertext at the DU side. The mathematical details of the LWE-CP-ABE protocol running in KMN and BN are described as follows.

In the LWE-CP-ABE scheme, the algorithms select the parameters $n,m,\sigma ,q$ and the noise distributions ${\mathcal{X}}_{lwe}$, ${\mathcal{X}}_1$, ${\mathcal{X}}_2$, ${\mathcal{X}}_{big}$. For any $B\in \mathbb{N}$, the notation ${\mathcal{U}}_B$ represents the uniform distribution $\mathbb{Z}\cap \left[-B,B\right]$.

$$\begin{array}{l}n=\mathrm{play}\left(\lambda \right),\sigma <q,n\cdot q/\sigma <2^{n^{\epsilon }},{\mathcal{X}}_{lwe}={\tilde{\mathcal{D}}}_{\mathbb{Z},\sigma }\left(for LWE security\right)\\ m>2s_{\max }n\log q+\omega \log n+2\lambda \left(for enhanced trapdoor sampling and LHL\right)\\ \sigma >\sqrt{s_{\max }n\log q\log m}+\lambda \left(for enhanced trapdoor sampling\right)\\ {\mathcal{X}}_1={\tilde{\mathcal{D}}}_{{\mathbb{Z}}^{n-1},\sigma },{\mathcal{X}}_2={\tilde{\mathcal{D}}}_{{\mathbb{Z}}^n,\sigma }\left(for enhanced trapdoor sampling\right)\\ {\mathcal{X}}_{big}={\mathcal{U}}_{\widehat{B}},\widehat{B}>(m^{3/2}\sigma +1)2^{\lambda }\left(for smudging/security\right)\\ \left|\mathbb{U}\right|\cdot 3m^{3/2}\sigma \widehat{B}<q/4\left(for correctness\right)\end{array}$$

(16)

(1) System setup. The DO selects the security parameter $\lambda$ encoded in unary, the maximum width $s_{\max }$ supported by the LSSS matrix, and the user attribute set $\mathbb{U}$ associated with the system. The $\mathbf{Setup}$ algorithm (Algorithm 1) generates the public key PK and the master secret key MSK.

Algorithm 1: Setup

Input: the security parameter $\lambda$, the maximum width $s_{\max }$ of an LSSS matrix, and the user attribute set supported by the system; Output: the PK and the MSK, $\mathit{Choose} \mathit{an} \mathit{LWE} \mathit{modulus} \mathit{q}, \mathit{dimensions} \mathit{n}, \mathit{m} \mathit{and} \mathit{distributions}{\mathcal{X}}_{\mathit{l}\mathit{w}\mathit{e}}$$, {\mathcal{X}}_1$$, {\mathcal{X}}_2$$, {\mathcal{X}}_{big}$; $\mathit{Choose}a\mathit{vector}\mathit{y}\leftarrow {\mathbb{Z}}_q^n$ and a matrices ${\left\{{\mathit{H}}_u\right\}}_{u\in \mathbb{U}}\leftarrow {\mathbb{Z}}_q^{n\times m}$; $\mathbf{EnTrapGen}\left(1^n,1^m,q\right)\to \left\{\left({\mathit{A}}_u,T_{{\mathit{A}}_u}\right)\right\}$ /* trapdoors computation */ $$\mathrm{PK}=\left(\begin{array}{c}n,m,q,{\mathcal{X}}_{lwe},{\mathcal{X}}_1,{\mathcal{X}}_2,{\mathcal{X}}_{big},\mathit{y},\\ {\left\{{\mathit{A}}_u\right\}}_{u\in \mathbb{U}},{\left\{{\mathit{H}}_u\right\}}_{u\in \mathbb{U}}\end{array}\right)$$ $$\mathrm{MSK}={\left\{T_{{\mathit{A}}_u}\right\}}_{u\in \mathbb{U}}$$

The DO sends the transaction and uploads the PK on the blockchain BN. Specifically, all the public information is recorded in the block through the transaction Tx_UploadPK = {DO, BN, A, P, Timestamp, PK, Sig_DO, $Coin}, where A is the LSSS matrix of access control policy, and P represents the operation of a publishing contract, Timestamp is the time stamp of the transaction, Sig_DO is the signature of DO, and $Coin is the payment for transaction fee.

In addition, DO has the MSK they want to share with the DUs. DO can create a PRE protocol running on the nodes of KMN to grant access to DUs. Therefore, the KMN system still uses pre-quantum cryptography with a cyclic group $\mathbb{G}$ of prime order q. Let $g\in \mathbb{G}$ be the generator. Then, DO generates a pair of public and secret keys in the blockchain system. That is, sample $a\in {\mathbb{Z}}_q$ uniformly at random, computes $g^a$ and outputs the key pair (pk, sk) = ($g^a,a$). The re-encryption key generation algorithm takes as input the DO’s secret key a, the DU’s public key, ${pk}_{DU}=g^b$, several fragments N, and a threshold t, DO computes N fragments of the re-encryption key ${rk}_{DO\to DU}$ between DO and DU, each of them named kFrag. In this step, an ephemeral symmetric key generated by DO is used to encrypt the MSK, and the symmetric key is encrypted using DO’s asymmetric encryption key. The encrypted MSK and the encrypted symmetric key (the KEM portion, called a capsule) are stored together in TPS. Next, as shown in Figure 3, to gain the MSK, DU requests the capsule-associated key fragments kFrag to give to the KMN for re-encryption operation. Those n designated nodes in KMN perform a partial operation to produce a corresponding ciphertext fragment named cFrag. Meanwhile, a correctness proof $\pi$ for the resulting fragment is constructed using a non-interactive zero-knowledge proof of discrete logarithm equality to verify the correctness. These fragments are returned to DU, which collects cFrags until it obtains an m-of-n threshold. Finally, DU can decrypt the capsule to obtain the symmetric key K to decrypt the encrypted MSK.

Thus, to keep this paper compact, all above mentioned PRE protocol that we introduced uses the UMBERAL scheme [43] and is served as a decentralized key management system to distribute and manage the MSK that is applied to key generation and decryption for DU of LWE-CP-ABE. Meanwhile, the activities of DO/DU, including authorization, request, and policy making, are written into blockchain by a smart contract.

(2) Data encryption. The DO formulates the access control policy $\left(\mathit{M},\rho \right)$. $\left(\mathit{M},\rho \right)$ is the LSSS access control policy, in which $\mathit{M}={\left(M_{i,j}\right)}_{\ell \times s_{\max }}\in {\left\{-1,0,1\right\}}^{\ell \times s_{\max }}\subset {\mathbb{Z}}_q^{\ell \times s_{\max }}$, $\rho$ represents the mapping (monomorphism) function $\rho :\left[\ell \right]\to \mathbb{U}$, and it maps the access control matrix ${\mathit{M}}_i$ to the attribute set $\mathbb{U}$. After that, the DO runs the $\mathbf{Enc}$ algorithm, inputs the PK, the plaintext m, and the access control policy $\left(\mathit{M},\rho \right)$, and gets the CT.

The specific algorithm is shown in Algorithm 2.

Algorithm 2: Data Encryption Algorithm

Input: the PK, the plaintext m, and the access control policy $\left(\mathit{M},\rho \right)$; Output: the CT. Generate Access Policy $\left(\mathit{M},\rho \right)$; Select a random vector $\mathit{s}\leftarrow {\mathbb{Z}}_q^n$; /* the secret sharing key */ Sample a vector ${\left\{{\mathit{v}}_j\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^m$; for each $i\in \left[\ell \right]$    Select random noise ${\left\{{\mathit{e}}_i\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathcal{X}}_{lwe}^m$ $\mathrm{and} {\left\{{\widehat{\mathit{e}}}_i\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathcal{X}}_{big}^m$;   $\mathrm{Compute} {\mathit{c}}_i,{\widehat{\mathit{c}}}_i\in {\mathbb{Z}}_q^m$ We have; $$\begin{array}{ll}{\mathit{c}}_i=& \mathit{s}{\mathit{A}}_{\rho \left(i\right)}+{\mathit{e}}_i\\ {\widehat{\mathit{c}}}_i=& M_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },\stackrel{m-1}{\stackrel{}{\overbrace{0,\cdots ,0}}}\right)+\left[{\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{i,j}{\mathit{v}}_j}\right]\\ & -\mathit{s}{\mathit{H}}_{\rho \left(i\right)}+{\widehat{\mathit{e}}}_i\end{array}$$ 5. $\mathrm{CT}=\left(\left(\mathit{M},\rho \right),{\left\{{\mathit{c}}_i\right\}}_{i\in \left[\ell \right]},{\left\{{\widehat{\mathit{c}}}_i\right\}}_{i\in \left[\ell \right]},C=\mathrm{MSB}\left(\mathit{s}{\mathit{y}}^{\top }\right)\oplus m\right)$.

The DO uploads the CT to the TPS, which generates the contract transaction Tx_CTAddress = {TPS, BN, A, D, Timestamp, CT_Address, Sig_TPS, $Coin} to upload the hash address of CT on the blockchain. In this transaction, the parameter D denotes the operation type is a data message.

(3) User attribute secret key generation. Each DU firstly requires m of these interactions with m different nodes to obtain a fully re-encrypted capsule. Secondly, DU combines the fragments to decrypt the re-encrypted capsule using his private key. Finally, DU obtains the symmetric key to decrypt encrypted MSK.

DU inputs the attribute information $U$ and the MSK and runs the $\mathbf{KeyGen}$ algorithm to output the user attribute SK_GID corresponding to the attribute. The specific algorithm is shown in Algorithm 3.

Algorithm 3: User Attribute Secret Key Generation Algorithm

Input: the MSK and own attribute information $U$; Output: the user attribute SK, Select a random vector $\widehat{\mathit{t}}\leftarrow {\mathcal{X}}_1$; $\mathit{t}=\left(1,\widehat{\mathit{t}}\right)\in {\mathbb{Z}}^m$; for each $u\in \mathit{U}$        Select ${\widehat{\mathit{k}}}_u\leftarrow {\mathcal{X}}_{big}^m$;        Compute $\begin{array}{l}{\tilde{\mathit{k}}}_u\leftarrow \mathbf{EnSamplePre}\\ \left({\mathit{A}}_u,T_{{\mathit{A}}_u},\sigma ,\mathit{t}{\mathit{H}}_u^{\top }-{\widehat{\mathit{k}}}_u{\mathit{A}}_u^{\top }\right)\end{array}$   then Compute ${\mathit{k}}_u={\widehat{\mathit{k}}}_u+{\tilde{\mathit{k}}}_u$;    Output the user attribute SKGID: SK = ({ku}u∈U, t)

(4) Ciphertext decryption. When DU wants to access the data, he retrieves the ciphertext address from the blockchain BN, searches the corresponding CT from the TPS through the ciphertext address CT_Address and downloads it to the local through the transaction Tx_DownloadCT = {TPS, DU, D, P, Timestamp, CT, Sig_TPS, $Coin}, where P denotes the trading type as publishing contract. The DU uses the SK to decrypt the CT and obtain the plaintext.

During the process of ciphertext decryption, the SK corresponds to a certain subset $\mathit{U}\in \mathbb{U}$ of the attribute set $\mathbb{U}$. If $\left(1,0,\cdots ,0\right)$ is not in the row space of the matrix $\mathit{M}$ associated with $\mathit{U}$, then the decryption fails. Otherwise, let $\mathit{I}$ be a set of row indexes of the matrix $\mathit{M}$ and satisfy $\forall i\in \mathit{I}:\rho \left(i\right)\in \mathit{U}$. Let ${\left\{{\omega }_i\right\}}_{i\in \mathit{I}}\in \left\{0,1\right\}\subset {\mathbb{Z}}_q$ and ${\sum }_{i\in \mathit{I}}{\omega }_i{\mathit{M}}_i=\left(1,0,\cdots ,0\right)$ be scalar, where ${\mathit{M}}_i$ is the row $i$ of the matrix $\mathit{M}$. The specific algorithm is shown in Algorithm 4.

Algorithm 4: Decryption Algorithm

Input: the CT and the user attribute SKGID; Output: the plaintext m. Compute $K={\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\left({\mathit{c}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }+{\widehat{\mathit{c}}}_i{\mathit{t}}^{\top }\right)}$ Compute $m=C\oplus \mathrm{MSB}\left(K\right)$;

(5) Ciphertext policy generation. When the attribute set or access control policy needs to be changed, the DU can update the access control policy of the original ciphertext retention. To update the policy, the DO generates a new access control policy $(M^{\prime },{\rho }^{\prime })$, and runs the $\mathbf{AccGen}$ algorithm to get the updated policy ciphertext ${\mathit{Update}}_{CT}=\left({{\mathit{c}}_i}^{\prime },{{\widehat{\mathit{c}}}_i}^{\prime }\right)$:

$$\begin{array}{ll}{{\mathit{c}}_i}^{\prime }=& \mathit{s}{\mathit{A}}_{{\rho }^{\prime }\left(i\right)}+{\mathit{e}}_i\\ {{\widehat{\mathit{c}}}_i}^{\prime }=& {M^{\prime }}_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },\stackrel{m-1}{\stackrel{}{\overbrace{0,\cdots ,0}}}\right)+\left[{\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M^{\prime }}_{i,j}{\mathit{v}}_j}\right]\\ & -\mathit{s}{\mathit{H}}_{\rho \left(i\right)}+{\widehat{\mathit{e}}}_i\end{array}$$

(17)

At the same time, the DO sends transaction Tx_AccGen = {DO, TPS, A, N, Timestamp, Update_CT, Sig_DO, $Coin} to record the updating operation representing N on the blockchain. The DO store the ciphertext of the access policy on TPS, and its hash value is written in the transaction.

(6) Ciphertext policy update. When DO obtains the ciphertext C derived from the original CT, the updated access control policy ciphertext $\left({{\mathit{c}}_i}^{\prime },{{\widehat{\mathit{c}}}_i}^{\prime }\right)$ is used to run the $\mathbf{AccUpdate}$ algorithm to generate the new ciphertext ${\mathrm{CT}}^{\prime }$, which is still uploaded to the original ciphertext address to facilitate the decryption procedures for data users.

$${\mathrm{C}\mathrm{T}}^{\prime }=\left(\begin{array}{c}\left({\mathit{M}}^{\prime },{\rho }^{\prime }\right),{\left\{{{\mathit{c}}_i}^{\prime }\right\}}_{i\in \left[\ell \right]},{\left\{{{\widehat{\mathit{c}}}_i}^{\prime }\right\}}_{i\in \left[\ell \right]},\\ C=\mathrm{MSB}\left(\mathit{s}{\mathit{y}}^{\top }\right)\oplus m\end{array}\right)$$

(18)

To an extent, the users can quickly and efficiently retrieve the required information using the formatted transaction structure in the blockchain encryption protocol based on the LWE-CP-ABE. Meanwhile, the whole log of each node’s process event is recorded into the ledger on blockchain BN, which can offer better auditability and accountability in the dynamic access control system.

5. Analysis of the Scheme

5.1. Analysis of Correctness

Assuming that a data user has the attributes $\mathit{u}\in \mathbb{U}$ and the LSSS access control policy $\left(\mathit{M},\rho \right)$ for which U constitute an authorized set. By construction,

$$K={\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\left({\mathit{c}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }+{\widehat{\mathit{c}}}_i{\mathit{t}}^{\top }\right)}$$

(19)

Expanding ${\left\{{\mathit{c}}_i\right\}}_{i\in \mathit{I}}$ and ${\left\{{\widehat{\mathit{c}}}_i\right\}}_{i\in \mathit{I}}$, we get

$$\begin{array}{ll}K& ={\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\mathit{s}{\mathit{A}}_{\rho \left(i\right)}{\mathit{k}}_{\rho \left(i\right)}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{M}_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },0,\cdots ,0\right){\mathit{t}}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I},j\in \left\{2,\cdots ,s_{\max }\right\}}{\omega }_i{M}_{i,j}{\mathit{v}}_j{\mathit{t}}^{\top }}-{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\mathit{s}{\mathit{H}}_{\rho \left(i\right)}{\mathit{t}}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }}\end{array}$$

(20)

For each $u\in \mathit{U}$, we run $\mathbf{EnSamplePre}$ algorithm, and then ${\mathit{A}}_u{\tilde{\mathit{k}}}_u^{\top }={\mathit{H}}_u{\mathit{t}}^{\top }-{\mathit{A}}_u{\widehat{\mathit{k}}}_u^{\top }$ Therefore, for each $i\in \mathit{I}$, it holds that ${\mathit{A}}_{\rho \left(i\right)}{\mathit{k}}_{\rho \left(i\right)}^{\top }={\mathit{A}}_{\rho \left(i\right)}{\widehat{\mathit{k}}}_{\rho \left(i\right)}^{\top }+{\mathit{A}}_{\rho \left(i\right)}{\tilde{\mathit{k}}}_{\rho \left(i\right)}^{\top }={\mathit{H}}_{\rho \left(i\right)}{\mathit{t}}^{\top }$, Hence,

$$\begin{array}{ll}K& ={\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\mathit{s}{\mathit{H}}_{\rho \left(i\right)}{\mathit{t}}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{M}_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },0,\cdots ,0\right){\mathit{t}}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I},j\in \left\{2,\cdots ,s_{\max }\right\}}{\omega }_i{M}_{i,j}{\mathit{v}}_j{\mathit{t}}^{\top }}-{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i\mathit{s}{\mathit{H}}_{\rho \left(i\right)}{\mathit{t}}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\mathit{e}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }}\\ & ={\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{M}_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },0,\cdots ,0\right){\mathit{t}}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I},j\in \left\{2,\cdots ,s_{\max }\right\}}{\omega }_i{M}_{i,j}{\mathit{v}}_j{\mathit{t}}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\mathit{e}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }}\\ & =\left({\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{M}_{i,1}}\right)\left(\mathit{s}{\mathit{y}}^{\top },0,\cdots ,0\right){\mathit{t}}^{\top }\\ & +{\displaystyle \sum _{i\in \mathit{I},j\in \left\{2,\cdots ,s_{\max }\right\}}{\omega }_i{M}_{i,j}{\mathit{v}}_j{\mathit{t}}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\mathit{e}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }}\\ & +{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }}\end{array}$$

(21)

When ${\sum }_{i\in \mathit{I}}{\omega }_i{M}_{i,j}=1$ for $1<j\le s_{\max }$, it holds that ${\sum }_{i\in \mathit{I}}{\omega }_i{M}_{i,j}=0$. Also, $\mathit{t}=\left(1,\widehat{\mathit{t}}\right)$ is constructed using $\mathbf{KeyGen}$ in Section 3.1, and hence $\left(\mathit{s}{\mathit{y}}^{\top },0,\cdots ,0\right){\mathit{t}}^{\top }=\mathit{s}{\mathit{y}}^{\top }$. Thus,

$$K=\mathit{s}{\mathit{y}}^{\top }+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\mathit{e}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }}$$

(22)

As for the noise part ${\sum }_{i\in \mathit{I}}{\omega }_i{\mathit{e}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }+{\sum }_{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }$, the following inequalities hold except with negligible probability.

(1) According to Lemma 2, the positive integer $m$ coordinates in ${\mathit{e}}_i$ are from truncated discrete Gaussians distribution ${\tilde{\mathcal{D}}}_{\mathbb{Z},\sigma }$, so there is $\Vert {\mathit{e}}_i\Vert \le \sqrt{m}\sigma$.

(2) the positive integer $m$ coordinates in ${\widehat{\mathit{e}}}_i$ are from the uniform distribution $\mathbb{Z}\cap \left[-\widehat{B},\widehat{B}\right]$, so there is $\Vert {\widehat{\mathit{e}}}_i\Vert \le \sqrt{m}\widehat{B}$.

(3) $m$ coordinates in ${\widehat{\mathit{k}}}_{\rho \left(i\right)}$ are from the uniform distribution $\mathbb{Z}\cap \left[-\widehat{B},\widehat{B}\right]$, so there is $\Vert {\widehat{\mathit{k}}}_{\rho \left(i\right)}\Vert \le \sqrt{m}\widehat{B}$. And $m$ coordinates in ${\tilde{\mathit{k}}}_{\rho \left(i\right)}$ are statistically close to the truncated discrete Gaussians distribution ${\tilde{\mathcal{D}}}_{{\mathbb{Z}}^m,\sigma }$, so there is $\Vert {\tilde{\mathit{k}}}_{\rho \left(i\right)}\Vert \le \mathrm{m\sigma }$. To sum up, for $\Vert {\mathit{k}}_{\rho \left(i\right)}\Vert$, ${\mathit{k}}_{\rho \left(i\right)}={\widehat{\mathit{k}}}_{\rho \left(i\right)}+{\tilde{\mathit{k}}}_{\rho \left(i\right)}$, so the boundary on $\Vert {\mathit{k}}_{\rho \left(i\right)}\Vert$ is $\Vert {\mathit{k}}_{\rho \left(i\right)}\Vert \le \mathrm{m\sigma }+\sqrt{m}\widehat{B}$.

(4) if $\mathit{t}=\left(1,\widehat{\mathit{t}}\right)$, where $\widehat{\mathit{t}}$ comes from a truncated discrete Gaussians distribution ${\tilde{\mathcal{D}}}_{{\mathbb{Z}}^{m-1},\sigma }$, then it holds $\Vert \mathit{t}\Vert <m\sigma$.

Therefore, given the above conditions, we have that:

$$\begin{array}{l}\Vert {\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\mathit{e}}_i{\mathit{k}}_{\rho \left(i\right)}^{\top }}+{\displaystyle \sum _{i\in \mathit{I}}{\omega }_i{\widehat{\mathit{e}}}_i{\mathit{t}}^{\top }}\Vert \\ <\left|\mathbb{U}\right|\left(m^{3/2}{\sigma }^2+m\sigma \widehat{B}+m^{3/2}\sigma \widehat{B}\right)\\ <\left|\mathbb{U}\right|\cdot 3m^{3/2}\sigma \widehat{B}\\ <q/4\end{array}$$

(23)

Therefore, with almost negligible probability in $\lambda$, the MSB of sy^T is not affected by the noise mentioned above, which is bounded by q/4, and it does not affect the MSB. That is $\mathrm{MSB}\left(K\right)=\mathrm{MSB}\left(\mathit{s}{\mathit{y}}^{\top }\right)$ is the proof of correctness.

5.2. Security Analysis of Algorithm

Definition 3.

If the advantage of any PPT adversary $\mathcal{A}$ in the above game is negligible, then the LWE-CP-ABE encryption scheme based on the LSSS access control structure is selectively secure under the linear independent restriction.

Definition 4.

If the LWE assumption holds, the proposed LWE-CP-ABE scheme for all access structures is selectively secure.

To prove Definition 3, the hybrid games start with the adversary sending an access policy to the challenger and the challenger sending back the public parameters to the adversary. Then, $\mathcal{A}$ requests to the challenger a polynomial number of secret keys. For each key query, the attacker sends a series of attributes $U\in \mathbb{U}$ that do not satisfy the access control policy $\left(\mathit{M},\rho \right)$. In addition, the row of the access control in the matrix $\mathit{M}$ is marked by attribute in $U$; that is, the index of $\mathit{M}$ in ${\rho }^{-1}\left(U\right)$ must be linearly independent. After that, the challenger replies to the corresponding user attribute secret key $\mathrm{SK}\leftarrow \mathbf{KeyGen}\left(\mathrm{MSK},U\right)$. Finally, $\mathcal{A}$ outputs its guess for the bit b encrypted within the challenge ciphertext.

The advantage of the adversary $\mathcal{A}$ in this game is defined as

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{LWE}-\mathrm{CPABE},\mathrm{SEL}-\mathrm{LI}-\mathrm{CPA}}\left(\lambda \right)\triangleq \left|\mathrm{Pr}\right[b=b^{\prime }]-1/2|$$

(24)

Thus, how to generate the public parameters, secret keys, and challenge ciphertext in each hybrid game are described below.

Hyb₀: This hybrid game corresponds to the true weak security selective game of the ABE scheme.

Setup phase	5. $\forall u\in U:{\mathit{k}}_u={\widehat{\mathit{k}}}_u+{\tilde{\mathit{k}}}_u$
1. $\mathit{y}\leftarrow {\mathbb{Z}}_q^n$.	6. $\mathrm{SK}=\left({\left\{{\mathit{k}}_u\right\}}_{u\in \mathbb{U}},\mathit{t}\right)$
2. ${\left\{\left({\mathit{A}}_u,T_{{\mathit{A}}_u}\right)\right\}}_{u\in \mathbb{U}}\leftarrow \mathbf{EnTrapGen}\left(1^n,1^m,q\right)$.	Challenge phase
3. ${\left\{{\mathit{H}}_u\right\}}_{u\in \mathbb{U}}\leftarrow {\mathbb{Z}}_q^{n\times m}$.	1. $\mathit{s}\leftarrow {\mathbb{Z}}_q^n$
4. $\mathrm{PK}=\left(\begin{array}{c}\begin{array}{c}n,m,q,{\mathcal{X}}_{lwe},\end{array}{\mathcal{X}}_1,{\mathcal{X}}_2,{\mathcal{X}}_{big},\\ \mathit{y},{\left\{{\mathit{A}}_u\right\}}_{u\in \mathbb{U}},{\left\{{\mathit{H}}_u\right\}}_{u\in \mathbb{U}}\end{array}\right)$.	2. ${\left\{{\mathit{v}}_j\right\}}_{j\in \left\{2,\cdots ,{\mathit{s}}_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^m$
	3. ${\left\{{\mathit{e}}_i\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathcal{X}}_{lwe}^m$
Key query phase	4. ${\left\{{\mathit{e}}_i\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathcal{X}}_{big}^m$
1. ${\left\{{\widehat{\mathit{k}}}_u\right\}}_{u\in \mathbb{U}}\leftarrow {\mathcal{X}}_{big}^m$.	5. $\forall \mathit{i}\in \left[\ell \right]:{\mathit{c}}_{\mathit{i}}=\mathit{s}{\mathit{A}}_{\rho \left(i\right)}+{\mathit{e}}_{\mathit{i}}$
2. $\widehat{\mathit{t}}\leftarrow {\mathcal{X}}_1$.	6. $\begin{array}{l}\forall \mathit{i}\in \left[\ell \right]:{\widehat{\mathit{c}}}_{\mathit{i}}=M_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },\stackrel{m-1}{\stackrel{}{\overbrace{0,\cdots ,0}}}\right)+\\ \left[{\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{i,j}{\mathit{v}}_j}\right]-\mathit{s}{\mathit{H}}_{\rho \left(i\right)}+{\widehat{\mathit{e}}}_{\mathit{i}}\end{array}$ 7. $\mathrm{CT}=\left({\left\{{\mathit{c}}_{\mathit{i}}\right\}}_{i\in \left[\ell \right]},{\left\{{\widehat{\mathit{c}}}_{\mathit{i}}\right\}}_{i\in \left[\ell \right]},\mathrm{MSB}\left(\mathit{s}{\mathit{y}}^{\top }\right)\oplus b\right)$
3. $\mathit{t}=\left(1,\widehat{\mathit{t}}\right)$. 4. $\begin{array}{l}\forall u\in U:{\widehat{\mathit{k}}}_u\leftarrow \\ \mathbf{EnSamplePre}\left({\mathit{A}}_u,T_{{\mathit{A}}_u},\sigma ,\mathit{t}{\mathit{H}}_u^{\top }-{\widehat{\mathit{k}}}_u{\mathit{A}}_u^{\top }\right)\end{array}$

Hyb₁: This game is similar to Hyb₀. The changes between Hyb₀ and Hyb₁ are merely syntactic and indistinguishable. The main difference is described as follows:

1. In the Setup Phase, the generation of an additional matrix ${\left\{\mathit{B}\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^{n\times m}$ is added between Steps 2 and 3;

2. In the Challenge Phase, let the original $\left\{{\mathit{v}}_j\right\}$ to ${\left\{{\widehat{\mathit{v}}}_j\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^n$. The vectors $\left\{{\widehat{\mathit{c}}}_i\right\}$ are generated below using matrices while preparing the challenge ciphertext.

$$\begin{array}{l}\forall \mathit{i}\in \left[\ell \right]:{\widehat{\mathit{c}}}_{\mathit{i}}=M_{i,1}\left(\mathit{s}{\mathit{y}}^{\top },\stackrel{m-1}{\stackrel{}{\overbrace{0,\cdots ,0}}}\right)+\\ \left[{\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{i,j}{\widehat{\mathit{v}}}_j{\mathit{B}}_j}\right]-\mathit{s}{\mathit{H}}_{\rho \left(i\right)}+{\widehat{\mathit{e}}}_{\mathit{i}}\end{array}$$

Hyb₂: This game is the same as Hyb₁, except for the change of the generation of the matrix $\left\{{\mathit{H}}_u\right\}$ in the Setup Phase.

$$\begin{array}{l}1.{\left\{{\mathit{H}}_u^{\prime }\right\}}_{u\in \rho \left(\left[\ell \right]\right)}\leftarrow {\mathbb{Z}}_q^{n\times m}\\ \begin{array}{ll}2.\forall u\in \rho \left(\left[\ell \right]\right):{\mathit{H}}_u& =M_{{\rho }^{-1}\left(u\right),1}\left[{\mathit{y}}^{\top }\stackrel{m-1}{\stackrel{}{\overbrace{\left|0^{\top }\right|\cdots \left|0^{\top }\right|}}}\right]+\\ & {\sum }_{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{{\rho }^{-1}\left(u\right),j}{\mathit{B}}_j+{\mathit{H}}_u^{\prime }\end{array}\end{array}$$

The change between Hyb₂ and Hyb₁ is also only in syntax, so the two mixed games are indistinguishable.

Hyb₃: This game is identical to Hyb₂, except for the change of the generation of the matrix $\left\{{\mathit{H}}_u^{\prime }\right\}$ in the Setup phase:

$$\begin{array}{l}1.{\left\{{\mathit{R}}_u\right\}}_{u\in \rho \left(\left[\ell \right]\right)}\leftarrow {\left\{-1,1\right\}}^{m\times m}\\ 2. {\mathit{H}}_u^{\prime }={\mathit{A}}_u{\mathit{R}}_u\end{array}$$

According to Lemma 1, Hyb₃ and Hyb₂ are selectively indistinguishable.

Hyb₄: This game is the same as Hyb₃, except for the change of the matrix in the Setup Phase:

$$\begin{array}{cc}& {\mathit{B}}^{\prime }=[{\mathit{B}}_2^{\prime \top }|\cdots |{{\mathit{B}}_{s_{\max }}^{\prime }}^{\top },T_{{\mathit{B}}^{\prime }}]\leftarrow \hfill \\ \hfill 1.& \mathbf{EnTrapGen}\left(1^{n\left(s_{\max }-1\right)},1^{m-1},q\right):\hfill \\ & {\left\{{\mathit{B}}_j^{\prime }\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\in {\mathbb{Z}}_q^{n\times \left(m-1\right)}\hfill \\ \hfill 2.& {\left\{{\mathit{b}}_j^{\prime }\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^n\hfill \\ \hfill 3.& \forall j\in \left\{2,\cdots ,s_{\max }\right\}:{\mathit{B}}_j=[{\mathit{b}}_j^{\prime \top }\left|{\mathit{B}}_j^{\prime }\right]\hfill \end{array}$$

The indistinguishableness between Hyb₄ and Hyb₃ originates from the enhanced trapdoors lattice sampler function $\mathbf{EnLT}=\left(\mathbf{EnTrapGen},\mathbf{EnSamplePre}\right)$.

Hyb₅: This game is analogous to Hyb₄, except for the change of vector ${\left\{{\mathit{k}}_u\right\}}_{u\in U\cap \rho \left(\left[\ell \right]\right)}$ when answering the key query of the adversary $\mathcal{A}$:

$$\begin{array}{cc}& {\tilde{\mathit{k}}}_u\leftarrow \mathbf{EnSamplePre}\hfill \\ \hfill 1.& \left(\begin{array}{c}{\mathit{A}}_u,T_{{\mathit{A}}_u},\sigma ,\\ \mathit{t}{\left(M_{{\rho }^{-1}\left(u\right),1}\left[{\mathit{y}}^{\top }\stackrel{m-1}{\stackrel{}{\overbrace{\left|0^{\top }\right|\cdots |0^{\top }}}}|\right]\right)}^{\top }+\\ {\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}\begin{array}{c}\mathit{t}{\left(M_{{\rho }^{-1}\left(u\right),j}{\mathit{B}}_j\right)}^{\top }-{\widehat{\mathit{k}}}_u{\mathit{A}}_u^{\top }\end{array}}\end{array}\right).\hfill \\ \hfill 2.& {\mathit{k}}_u={\widehat{\mathit{k}}}_u+{\tilde{\mathit{k}}}_u+\mathit{t}{\mathit{R}}_u^{\top }\hfill \end{array}$$

The indistinguishableness between Hyb₅ and Hyb₄ follows from Lemma 1.

Hyb₆: This game is the same as Hyb₅ except for the generation of vector $\widehat{\mathit{t}}$ while answering the key query of the opponent $\mathcal{A}$. Let $\mathit{d}=\left(d_1,\cdots ,d_{s_{\max }}\right)\in {\mathbb{Z}}_q^{s_{\max }}$ be a vector such that $d_1=1$ and for all $u\in U$, there is ${\displaystyle \sum _{j\in \left[s_{\max }\right]}{M}_{{\rho }^{-1}\left(u\right),j}{d}_j=0}$. It is worth noting that due to the game restrictions, the set of the index of $\mathit{M}$ row in ${\rho }^{-1}\left(U\right)$ must be unauthorized to the access control policy $\left(\mathit{M},\rho \right)$, thus ensuring the existence of the vector $\mathit{d}$.

$$\begin{array}{l}1.\mathrm{In} \mathrm{the} \mathrm{Key} \mathrm{query} \mathrm{phase}, \mathrm{let}\widehat{\mathit{t}}\leftarrow {\mathcal{X}}_1 \mathrm{change} \mathrm{to} {\left\{{\mathit{f}}_j\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^n\\ 2.\mathrm{The} \mathrm{vectors} \mathrm{is} \widehat{\mathit{t}}\leftarrow \mathbf{EnSamplePre}\left(\begin{array}{c}{\mathit{B}}^{\prime },T_{{\mathit{B}}^{\prime }},\sigma ,\\ \left(\begin{array}{l}{d}_2\mathit{y}+{\mathit{f}}_2-{\mathit{b}}_2^{\prime },\cdots ,\\ d_{s_{\max }}\mathit{y}+{\mathit{f}}_{s_{\max }}-{\mathit{b}}_{s_{\max }}^{\prime }\end{array}\right)\end{array}\right)\end{array}$$

The indistinguishableness between Hyb₆ and Hyb₅ originates from the enhanced trapdoors function $\mathbf{EnLT}=\left(\mathbf{EnTrapGen},\mathbf{EnSamplePre}\right)$.

Hyb₇: This game is the same as Hyb₆, except for the change of key module while answering the key query of the adversary $\mathcal{A}$:

$$\begin{array}{l}1. {\left\{{\mathit{z}}_u\right\}}_{u\in U\cap \rho \left(\left[\ell \right]\right)}\leftarrow {\mathbb{Z}}_q^n\\ 2. {\left\{{\mathit{f}}_j\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^n \mathrm{exploits} \mathrm{the} \mathrm{constraint}\begin{array}{l}\forall u\in U\cap \rho \left(\left[\ell \right]\right):\\ {\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{{\rho }^{-1}\left(u\right),j}{\mathit{f}}_j}={\mathit{z}}_u+{\widehat{\mathit{k}}}_u{\mathit{A}}_u^{\top }\end{array}\\ 3.\begin{array}{l}\forall u\in U\cap \rho \left(\left[\ell \right]\right):\\ {\tilde{\mathit{k}}}_u\leftarrow \mathbf{EnSamplePre}\left({\mathit{A}}_u,T_{{\mathit{A}}_u},\rho ,{\mathit{z}}_u\right)\end{array}\end{array}$$

The change between Hyb₇ and Hyb₆ is only in syntax, so the hybrid games are indistinguishable.

Hyb₈: This game is analogous to Hyb₇, except for the generation of vector ${\left\{{\mathit{k}}_u\right\}}_{u\in U\cap \rho \left(\left[\ell \right]\right)}$ while answering the key query of the adversary $\mathcal{A}$. The changes are described as follows:

$$\begin{array}{l}1.{\left\{{\tilde{\mathit{k}}}_u\right\}}_{u\in U\cap \rho \left(\left[\ell \right]\right)}\leftarrow {\mathcal{X}}_2\\ 2.\begin{array}{l}\forall u\in U\cap \rho \left(\left[\ell \right]\right):\\ {\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}{M}_{{\rho }^{-1}\left(u\right),j}{\mathit{f}}_i}={\tilde{\mathit{k}}}_u{\mathit{A}}_u^{\top }+{\widehat{\mathit{k}}}_u{\mathit{A}}_u^{\top }\end{array}\end{array}$$

The indistinguishableness between Hyb₈ and Hyb₇ originates from the trapdoors function $\mathbf{EnLT}=\left(\mathbf{EnTrapGen},\mathbf{EnSamplePre}\right)$.

Hyb₉: This game is similar to Hyb₈, except for the matrix generation ${\left\{{\mathit{A}}_u\right\}}_{u\in U\cap \rho \left(\left[\ell \right]\right)}\leftarrow {\mathbb{Z}}_q^{n\times m}$ during the Setup phase. The indistinguishableness between Hyb₉ and Hyb₈ originates from the enhanced trapdoors function $\mathbf{EnLT}=\left(\mathbf{EnTrapGen},\mathbf{EnSamplePre}\right)$.

Hyb₁₀: This game is the same as Hyb₉ except for the generation of the vector $\left\{{\widehat{\mathit{c}}}_i\right\}$ in challenging ciphertext during the Challenge phase, i.e.,

$$\begin{array}{l}1.{\left\{{\mathit{e}}_i^{\prime }\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathcal{X}}_{big}^m\\ 2.\forall i\in \left[\ell \right]:{\widehat{\mathit{e}}}_i=-{\mathit{e}}_i{\mathit{R}}_{\rho \left(i\right)}+{\mathit{e}}_i^{\prime }\end{array}$$

According to Lemma 1, Hyb₁₀ and Hyb₉ are selectively indistinguishable.

Hyb₁₁: This game is the same as Hyb₁₀, except for the change in challenging ciphertext during the stage of Challenge:

In the Challenge Phase, we have:

$$\begin{array}{l}1.\tau \leftarrow {\mathbb{Z}}_q\\ 2.{\left\{{\widehat{\mathit{v}}}_j^{\prime }\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}\leftarrow {\mathbb{Z}}_q^n\\ 3.{\left\{{\mathit{e}}_i^{\prime }\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathcal{X}}_{big}^m\\ 4.{\left\{{\mathit{c}}_i\right\}}_{i\in \left[\ell \right]}\leftarrow {\mathbb{Z}}_q^m\\ 5.\begin{array}{l}\forall i\in \left[\ell \right]:\\ {\widehat{\mathit{c}}}_i=[{\displaystyle \sum _{j\in \left\{2,\cdots ,s_{\max }\right\}}}{M}_{i,j}{\widehat{\mathit{v}}}_j^{\prime }{\mathit{B}}_j]-{\mathit{c}}_i{\mathit{R}}_{\rho \left(i\right)}+{\mathit{e}}_i^{\prime }\end{array}\\ 6.\mathrm{CT}=\left({\left\{c_i\right\}}_{i\in \left[\ell \right]},{\left\{{\widehat{\mathit{c}}}_i\right\}}_{i\in \left[\ell \right]},\mathrm{MSB}\left(\tau \right)\right)\end{array}$$

According to the hypothesis of the LWE difficulty problem, Hyb₁₀ and Hyb₉ are selectively indistinguishable.

For any adversary $\mathcal{A}$ and any $x\in \left\{0,\cdots ,11\right\}$, let $p_{\mathcal{A},x}:\mathbb{N}\to \left[0,1\right]$ be a function. For all $\lambda \in \mathbb{N}$, we define the probability of the adversary winning the mixed game as $p_{\mathcal{A},x}\left(\lambda \right)$.

According to the definition of Hyb₀, for all $\lambda \in \mathbb{N}$:$\left|p_{\mathcal{A},0}\left(\lambda \right)-1/2\right|={\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{LWE}-\mathrm{CPABE},\mathrm{SEL}-\mathrm{CPA}}\left(\lambda \right)$. In addition, for all $\lambda \in \mathbb{N}$, there is $p_{\mathcal{A},11}=1/2$, there is no challenger’s information about selecting the challenge bit in the challenge ciphertext in Hyb₁₁. Therefore, for all $\lambda \in \mathbb{N}$, there is: ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{LWE}-\mathrm{CPABE}}\left(\lambda \right)\le {\displaystyle \sum _{x\in \left[11\right]}\left|p_{\mathcal{A},x-1}\left(\lambda \right)-p_{\mathcal{A},x}\left(\lambda \right)\right|}$.

In Hyb₀ and Hyb₁, the vector ${\left\{{\widehat{\mathit{v}}}_j\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}$ is uniformly and independently distributed on ${\mathbb{Z}}_q^n$, and the matrix ${\left\{{\mathit{B}}_{\begin{array}{c}j\end{array}}\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}$ is uniformly and independently distributed on ${\mathbb{Z}}_q^{m\times n}$, so ${\left\{{\widehat{\mathit{v}}}_j{\mathit{B}}_j\right\}}_{j\in \left\{2,\cdots ,s_{\max }\right\}}$ is also uniformly and independently distributed on ${\mathbb{Z}}_q^m$. It is concluded that for any opponent $\mathcal{A}$, there is $p_{\mathcal{A},0}\left(\lambda \right)=p_{\mathcal{A},1}\left(\lambda \right)$.

According to the analysis, in Hyb1 and Hyb2, $p_{\mathcal{A},1}\left(\lambda \right)=p_{\mathcal{A},2}\left(\lambda \right)$.

$\mathbf{EnLT}=\left(\mathbf{EnTrapGen},\mathbf{EnSamplePre}\right)$ satisfies the leftover hash theorem, so there is a negligible function ${\mathit{negl}}_i(\cdot )$ for any opponent $\mathcal{A}$ in Hyb₃ to Hyb₁₀. For all $\lambda \in \mathbb{N}$, there is $|p_{\mathcal{A},i-1}\left(\lambda \right)-p_{\mathcal{A},i}\left(\lambda \right)|\le {\mathit{negl}}_i(\cdot )$.

Because the hypothesis of the LWE-hardness problem is true, there is a negligible function ${\mathit{negl}}_{11}(\cdot )$ for any PPT opponent $\mathcal{A}$, which satisfies $|p_{\mathcal{A},10}\left(\lambda \right)-p_{\mathcal{A},11}\left(\lambda \right)|\le {\mathit{negl}}_{11}(\cdot )$ Therefore, the advantage of the opponent $\mathcal{A}$ in the mixed game is 0.

5.3. Analysis of Security on the Blockchain

This section will introduce the common blockchain attack models and how this scheme can resist these typical attacks.

Conspiracy attacks: In the distributed key management system, the attacker collusion attack would require M nodes to collect the shares of the master key. This means the attacker must pay a high cost for collecting all the pieces together. Furthermore, each user attribute secret key will generate a uniformly and independently distributed random vector $\widehat{\mathit{t}}\leftarrow {\mathcal{X}}_1$ when generating in our scheme, and the random vector of any user secret key is different; therefore, the user attribute secret key is hidden by information theory from anyone, so that the conspiracy attack cannot be realized.

Middleman attacks: middleman attack means that the attacker sets up independent exercises at both ends of the correspondence, exchanges the received data, and monitors or tampers the information. In this scheme, all the correspondences among the nodes are conducted in the form of transactions. The transaction is signed by the initiator using the blockchain secret key, and the returned secret data is encrypted by the other party’s public key, so the middleman cannot pass the verification by tampering with the address or forging the signature. Therefore, this scheme can greatly prevent middleman attacks.

Link attacks: link attacks mean the adversary searches for the user’s private data by linking multiple transactions with the same address. In our scheme, the related authorization process of user attributes can be determined by the user, and the user can choose to disclose his identity attributes or hide the identity information to protect privacy. In addition, the relevant data is the ciphertext on the blockchain, and the security is guaranteed by the algorithm security, so the attacker cannot get the relevant information of the user, thus resisting the link attacks.

5.4. Comparative Analysis of Performance

In this section, a comparative study of the proposed approach with other classical CP-ABE schemes is presented in

Table 1. Comparison with related schemes.

Scheme	[7]	[9]	[35,44]	Ours
Blockchain	√	√	×	√
Privacy Preservation	√	√	√	√
Anti-Quantum Attack	×	×	√	√
Provable Security	Not always provable	Provably secure	Provably secure	Provably secure
Hardness Problem	q-PBDHE	d-DDH problem	LWE, R-LWE	LWE
Multi-Authority	×	√	√	√
Access Structure	LSSS	LSSS	LSSS, Hierarchical LSSS	LSSS

Note: √ means the solution satisfies this characteristic, × means it does not.

. It is observed that all the works employ LSSS-based access structures, with [44] utilizing a hierarchical access structure. FAN [7] uses q-PBDHE as its hardness problem without adopting multi-authority mechanisms, which means that the secret key cannot be cracked and the one-way function cannot be inverted within polynomial time. However, there is a negligible probability of cracking it. Sammy [9] utilizes d-DDH hardness problems as security assumptions, providing an ECC scheme instead of a bilinear pairing in terms of computational complexity overhead. Additionally, it employs a multi-authority CP-ABE scheme with a hierarchical LSSS access structure. Datta [35] and Mohammad [45], on the other hand, separately employ LWE and R-LWE CP-ABE to enhance their security through a multi-authority scheme, achieving resistance against quantum attacks, although they are not based on blockchain and introduce a significant increase in computational complexity.

Our scheme extends the previous works by utilizing a lattice-based CP-ABE scheme in conjunction with blockchain-based PRE threshold networks to manage the master secret key. It provides automated verification and consensus of transactions through smart contracts, ensuring confidentiality, accountability, and traceability of transactions. Moreover, it is a security type based on the worst-case problem, where the cryptographic algorithm needs to be solved in the worst-case scenario if it is cracked. Lastly, other CP-ABE schemes described in the references require more expensive operations such as multiplication, modulus exponentiation, and bilinear mapping, while our scheme only requires addition operations with lower expense, thereby significantly improving operational efficiency.

5.5. Analysis of Experimental Simulation

To conduct a thorough evaluation of the proposed scheme’s practical effectiveness, a series of experiments were performed in this paper. All experiments were conducted on a computer running the Win10 operating system with the following hardware configuration: Intel Core i7-8750H CPU, 2.20 GHz clock frequency, and 8.0 GB RAM. The paper utilized the PBC [46] library based on pairings and the PALISADE API. A simulation framework was built using the C++ programming language. Additionally, a blockchain virtual network based on Ganache [47] was set up, and the Remix platform provided by Ethereum was used for compiling and deploying smart contract code online. When selecting the performance index, the scheme in this paper does not change the transaction process of the blockchain network but only encrypts the data in the network by LWE-CP-ABE, which will not affect the operation efficiency of the blockchain network. Therefore, this paper only evaluates the performance index of the LWE-CP-ABE scheme.

In this experiment, the plaintext data is set to 308B. The scheme in this paper does not need complex operations such as modulus exponentiation and bilinear mapping. Still, only the addition operation, so the time cost in each stage is better than that of the scheme in reference [7].

As shown in Figure 4 and Figure 5, with the continuous increase of attributes in the system, the time spent by the data owner in the setup and encryption under the blockchain in this scheme is shorter than that in the scheme of reference [7], which greatly improves the overall efficiency of the system.

As shown in Figure 6, in the key generation stage, with the continuous increase of attributes, this scheme is superior to that in reference [7], and it will be more practical in key generation with multi-user and multi-attribute sets.

As shown in Figure 7, in the decryption stage, the scheme in this paper takes about 0~2 ms, which is far lower than the scheme in reference [7]. Therefore, it is more suitable for blockchain data sharing.

In addition, considering the pre-quantum blockchain system, the transaction cost for executing the smart contract related to signature verification on KMS is around 1,091,035 gas, with an execution cost of 965,801 gas. The transaction cost for executing the smart contract related to the correctness of the re-encrypted results is 3,597,371 gas, with an execution cost of 3,300,467 gas. That means that we can create a multi-lateral market to provide incentive mechanisms to enhance the security of access control based on the blockchain system.

6. Conclusions

Privacy protection technology on the blockchain has always been a significant factor in data access and sharing. With the rapid development of quantum computation, the traditional public key cryptosystem based on number theory cannot resist quantum attacks. Therefore, this paper effectively integrates blockchain technology with the lattice attribute-based encryption algorithm and proposes a data-sharing scheme based on LWE-CP-ABE using blockchain technology. This paper improves the CPABE scheme put forward by Datta, designs the ABE algorithm against quantum attacks with the renewable strategy, and fulfills the dynamic protection of data. The lattice-based fine-grained access control of CP-ABE is constructed through the decentralized KMS and formatted transaction structure over a pre-quantum cryptographic blockchain system, which not only ensures the characteristics of the post-quantum CP-ABE algorithm against quantum attacks but also provides the traceable on-chain transactions of the participant’s activities. The simulation experiment shows that the performances (as can be seen in Figure 4, Figure 5, Figure 6 and Figure 7) is superior to the traditional CP-ABE scheme. Meanwhile, decentralized KMS powered by blockchain technology enables the distribution of the key management process between Data Owners and Data Users by applying a threshold proxy re-encryption scheme to eliminate any risk of centralization and collusion.

As a future research direction, we plan to extend our protocol to achieve IND-CCA security in the post-quantum setting. Specifically, we aim to develop a decentralized multi-authority CP-ABE scheme based on blockchain resistant to chosen-ciphertext attacks and can support any non-monotone access structure. Furthermore, we aim to explore comprehensive countermeasures against combined attacks, such as Differential Power Analysis (DPA) and Differential Fault Analysis (DFA). We will investigate and implement countermeasures based on techniques such as Time Insertion (TI) and error detection schemes to enhance the security of our system. These efforts will contribute to strengthening the resilience of our protocol against various differential analysis attacks, ensuring the reliability and security of the system.