OO-IB-MPRE: A Post-Quantum Secure Online/Offline Identity-Based Matchmaking Proxy Re-Encryption Scheme for Exercise Physiology Data

Abstract

As smart education evolves, there is an increasing need for the cloud-centric management and sharing of student exercise physiological data gathered through wearable devices in the physical education domain. However, challenges arise in achieving authentication for data sources, ensuring the security of sensitive data, and implementing efficient dynamic access control. Traditional cryptographic schemes face limitations in resisting quantum attacks, authenticating data sources, protecting identity privacy, handling dynamic permission changes, and computational efficiency. To tackle these challenges, we put forward a lattice-based Online/Offline Identity-Based Matchmaking Proxy Re-Encryption (OO-IB-MPRE) scheme. The scheme offers post-quantum security assurances grounded in lattice cryptography (under the LWE/ISIS assumptions); incorporates Identity-Based matchmaking encryption (IB-ME) to realize bidirectional identity matching, which not only enables identity authentication for data sources but also safeguards the sender’s identity privacy from exposure to other entities; leverages Proxy Re-Encryption (PRE) to support dynamic management of access control; and combines online/offline encryption to adapt to resource constrained sensors. The security of the OO-IB-MPRE scheme is verified under standard lattice assumptions to meet the security requirements of semi-selective privacy and authenticity. Performance analysis and experimental validation demonstrate that in comparison to existing lattice-based PRE schemes, the devised scheme shows notable advantages in both space and computational overhead. Therefore, the proposed OO-IB-MPRE offers a secure, efficient, and scalable solution for the sensitive health data in smart physical education.

1. Introduction

In the era of the rapidly developing field of smart education, the application of various sensor devices in educational settings is becoming increasingly widespread; among these applications, the security of sensitive health data is particularly critical in sports-related scenarios.

Taking athletic training and physical fitness testing as examples, two categories of key data regarding students must be collected in real-time via smart sensing devices (e.g., smart wristbands, electromyography sensors, wearable heart rate monitors, etc.). The first type: Physiological signal data—including heart rate, blood oxygen levels, and lactate concentration—is gathered during training and testing. This reflects whether exercise intensity is appropriate, assesses aerobic capacity, and determines fatigue levels. The second type: Performance data like speed, strength, and gait collected during training, which reflects technical proficiency and physical capabilities, aiding in movement correction or injury prevention. However, the computational and storage limitations of smart sensors severely hinder the data sharing. Leveraging the robust computing and storage power of cloud services, smart sensors can offload their collected physiological data to cloud servers for storage, eliminating the need for local data maintenance.

However, as sensitive student personal information, the security of physiological data during cloud storage and sharing faces significant challenges. First, such data may be maliciously accessed by cloud servers or unauthorized devices, leading to privacy breaches. For the secure transmission of motion physiological data from computationally constrained smart sensors, the Identity-Based Encryption scheme offers a distinct advantage. Its core innovation lies in using an identity directly as a public key, thereby eliminating the complex certificate management and verification processes inherent in traditional public key infrastructure. This not only significantly reduces the computational and storage burden on the endpoint devices but also simplifies system deployment and key management. Consequently, IBE is particularly suited for securing data in resource-limited IoT environments, providing efficient and robust security for sensitive health information.

Identity-Based Encryption (IBE) can ensure that unauthorized entities are unable to decrypt a message, but it cannot verify the sender’s identity. Consequently, if an attacker forges a “sensor device identity” to send fraudulent data, the recipient (such as a physical education teacher or cloud platform) cannot identify it. In other words, IBE lacks data-source authentication. To overcome this limitation, Matchmaking Encryption (ME) was proposed, formally defining two crucial security properties: privacy and authenticity. The privacy ensures that the sender’s attributes, the encrypted message, and the specified target receiver’s policy remain hidden from other users. Authenticity ensures that enc keys cannot be forged by malicious adversaries. By integrating Identity-Based Encryption (IBE) and Matchmaking Encryption (ME), Identity-Based Matchmaking Encryption (IB-ME) is a cryptographic technique that employs a user’s identity as both attributes and policies for matching. The receiver can only decrypt the ciphertext successfully if the attribute identity and policy identity embedded in the private key are respectively consistent with the policy identity and attribute identity defined in the ciphertext. Via a bidirectional matching mechanism, IB-ME ensures that only the intended recipient can decrypt the message while also allowing the recipient to verify whether the data comes from a legitimate sender (e.g., a designated wearable device or biometric system). This approach blocks the risk of “false data injection” at its source, making it particularly well-suited for the requirement that “authenticity and privacy are equally important” in the collected measurements.

However, the conventional cryptographic schemes display notable limitations in dynamic access control management. For instance, Identity-Based Matchmaking Encryption (IB-ME), though supporting identity-based attribute matching, necessitates re-encrypting all existing data during dynamic access right changes. For example, when providing access privileges to a newly onboarded nurse in the system, it is essential to reconstruct all ciphertexts. Proxy Re-Encryption (PRE) was originally proposed, and the technique has been widely noticed and researched in the academic community ever since; it optimizes the efficiency of data access, enabling a third-party proxy to convert a ciphertext encrypted under an original public key into a ciphertext encrypted under a new public key, without ever knowing the underlying plaintext. It offers a solution for dynamic access control management of cloud-based data. By using Identity-Based Matchmaking Proxy Re-Encryption (IB-MPRE), which integrates IB-ME and PRE, we can realize identity-based bidirectional identity matching and dynamic access control, thus achieving high levels of security and flexibility.

Quantum computing’s advancement means traditional cryptographic algorithms could be compromised by quantum computing systems. The development of quantum computing has spurred research and analysis into cryptographic algorithms resistant to quantum attacks. Lattice-based cryptosystems, with their simple structure and reliance on worst-case computational difficulty assumptions, possess inherent advantages against quantum attacks and represent the most promising category of post-quantum cryptographic technologies. However, lattice cryptography still suffers from significant computational inefficiencies, which severely impacts the overall efficiency of lattice-based cryptographic algorithms. To address this, lattice-based online/offline cryptography techniques can offload computationally intensive operations to the offline phase, requiring only lightweight computations during the online phase. This characteristic aligns perfectly with the data upload requirements of sensor systems.

To sum up, although Identity-based Matchmaking Encryption (IB-ME) already exists, it is difficult to meet the data sharing requirements of Exercise Physiology. We extend the functionality of Identity-based Matchmaking Encryption to construct Identity-Based Matchmaking Proxy Re-Encryption (IB-MPRE). In addition, to improve the enc speed, we introduce online/offline encryption. By incorporating lattice cryptography, Online/Offline computation, Identity-Based Matchmaking Encryption and Proxy Re-Encryption encryption, we put forward a lattice-based Online/Offline Identity-Based Matchmaking Proxy Re-Encryption (OO-IB-MPRE) scheme for exercise physiological data. The key contributions of the this research are outlined below:

1.

In our scheme, we develop a lattice-based Identity-Based Matchmaking Proxy Re-Encryption (IB-MPRE) scheme for exercise physiological data. The scheme not only effectively safeguards identity privacy and exercise physiological data security but also enables secure ciphertext transformation based on user identity attributes;

2.

By introducing online/offline technology, complex computations in the proposed scheme are pre-processed offline, significantly enhancing system performance to meet the requirement for sensor data upload. Experiment findings indicate that the suggested scheme is superior in efficiency to other existing approaches;

3.

We demonstrate the security of the OO-IB-MPRE scheme by proving its semi-selective privacy under the Learning With Errors (LWE) assumption and its authenticity under the Inhomogeneous Small Integer Solution (ISIS) problem.

2. Related Work

Identity-Based Encryption (IBE), first introduced by Shamir [1] in 1984, presents a notable cryptographic paradigm by employing user identity directly as a public key, thus removing the need for complex certificate management. This inherent simplicity makes it particularly suitable for resource-constrained devices. However, conventional IBE schemes that make them susceptible to quantum computing attacks, indicating they lack post-quantum security. To address this quantum threat, lattice-based cryptography has come to the fore as a primary solution. The theoretical groundwork for this transition was laid by Gentry et al. [2], who constructed foundational lattice-based IBE schemes. Building on this, Gao et al. [3] has further advanced the field by proposing concrete post-quantum IBE schemes that integrate the Learning With Errors (LWE) problem with quantum circuits. In summary, IBE technology is actively developing from its classical form towards anti-quantum versions based on hard lattice problems and other quantum-resistant mathematical foundations, ensuring its long-term security in the future quantum computing era.

Identity-based Matchmaking Encryption (IB-ME) has inherent application potential as an cryptographic paradigm that protects both parties’ identities and content privacy. Matchmaking Encryption (ME) was first proposed by Ateniese et al. [4]. It acts as the foundational prototype for Identity-Based Matchmaking Encryption (IB-ME). This scheme improves traditional identity-based encryption by integrating a bidirectional identity matching mechanism. Specifically, the encryptor must define the recipient’s identity (rcv) when generating the ciphertext, while the decryptor must specify the sender’s identity (snd) when attempting decryption. The condition for accurate plaintext retrieval is twofold: the sender’s true identity must correspond to the snd provided by the receiver, and the receiver’s true identity must correspond to the rcv established during enc. If the matching condition is not satisfied, the decryption fails and the user’ identity information remains uncompromised. In 2021, Francati et al. [5] presented an Identity-Based Matchmaking Encryption scheme that is secure in the Standard Model (SM) without depending on the Random Oracle Model, based on the non-standard q-Augmented Bilinear Diffie-Hellman Exponent (q-ABDHE) assumption. In 2023, Wu et al. [6] extended conventional IB-ME to fuzzy identity-based matchmaking encryption, which enables users to achieve non-interactive matching based on attribute set similarity (where the intersection size exceeds a threshold d). They also employed splitting techniques and global identifier binding to defend against identity leakage attacks. In an effort to resist quantum computing attacks, Wang et al. [7] extended identity-based matching encryption (IB-ME) to achieve post-quantum security. They pioneered a non-black-box construction based on the standard lattice assumptions (LWE/ISIS), replacing traditional cryptographic components with a primal sample function (PSF) and a non-interactive zero-knowledge proof system (NIZK). This approach ensures post-quantum security while optimizing performance. In 2022, Chen et al. [8] developed the first IB-ME scheme in the Standard Model. The security of this scheme is based on the Symmetric External Diffie-Hellman (SXDH) assumption over bilinear pairing groups, and it combines a two-level anonymous Hierarchical Identity-Based Encryption (HIBE) with an Identity-Based Signature (IBS) scheme. Inspired by his work, Wang et al. [9] conducted further enhancements on a lattice-based IBS to shorten its signature length, thus reducing the size of the final ciphertext and improving the efficiency of lattice-based IB-ME.

However, in practical applications, cloud data requires flexible access control to accommodate different scenarios. Traditional cryptographic schemes have limitations in dynamic permission management. For instance, while IBE supports identity-based access, it necessitates re-encrypting all data whenever permissions change—such as when granting access to a new hospital nurse, which requires reconstructing all ciphertext, resulting in additional overhead. Proxy Re-Encryption (PRE) can improve data access efficiency while maintaining security guarantees.

Blaze et al. [10] introduced the PRE scheme to realize secure and efficient data sharing. It empowers a semi-trusted proxy server to execute authorized ciphertext transformation for diverse users, without revealing either plaintext information or users’ private keys. Subsequently, Green [11] pioneered the proposal of Identity-Based Proxy Re-Encryption (IB-PRE) to streamline the Public Key Infrastructure (PKI). Within the IB-PRE, a user’s identity can directly act as a replacement for their public key. To enhance the security of IB-PRE, Wu et al. [12] developed an IND-ID-CPA-secure lattice-based IB-PRE by integrating the re-encryption algorithm into the IBE scheme put forward by Agrawal et al. [13], introducing a new feature termed “re-encryption verifiability.” Moreover, by expanding the basic IB-PRE scheme, they put forth a new primitive, “IB-VPRE” (Identity-Based Verifiable Proxy Re-Encryption), devised to fend off insider attacks. To combat collusion attacks, Dutta et al. [14] presented a construction for a collusion-resistant IB-PRE scheme within the standard model, tackling both selective identity and adaptive identity attacks. Dutta et al. [15] were the pioneers in constructing a concrete unidirectional Identity-Based Proxy Re-Encryption (IB-PRE) scheme grounded in the LWE problem, and they validated its security within the standard model. In the same year, Li et al. [16] integrated lattice cryptography with Auxiliary-Input to develop a lattice-based multi-use unidirectional deterministic public key proxy re-encryption scheme, resolving the applicability challenge of traditional PRE in scenarios featuring randomized enc defects. In contrast to traditional certificateless public key encryption (CL-PKE) schemes which rely on the difficulty of integer factorization and the discrete logarithm problem, Li et al. [17] constructed a lattice-based CL-PKE scheme against quantum computing attacks, thus enabling more secure big data sharing in the cloud.

IB-PRE can also be extended to Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Correspondingly, Li et al. [18] developed a Ciphertext-Policy Attribute-Based Proxy Re-Encryption (CP-ABPRE) scheme grounded in Ring Learning with Errors (RLWE). Ge et al. [19] presented a verifiable and fair Attribute-Based Proxy Re-Encryption scheme in 2021, which boosts the security and reliability of encrypted data sharing in cloud environments. Afterwards, in 2024, Zhao et al. [20] addressed the security issues of electronic health record sharing in cloud storage by proposing Lavida, an Attribute-Based Proxy Re-Encryption scheme. It integrates Non-Interactive Zero-Knowledge Proofs (NIZK) with a partially hidden policy to achieve verifiable and dynamic fine-grained access control. In the same year, Zhang et al. [21] also introduced a non-interactive IBE-ABE PRE scheme that cuts down the computational overhead for the data owner. This scheme not only offers fine-grained access control over ciphertext data but also allows the conversion of ciphertexts encrypted under IBE into those encrypted under ABE.

Although the IB-PRE scheme allows flexible authorization of user access, its data processing efficiency still needs enhancement. To further address this shortcoming, Guo et al. [22] first proposed the Identity-Based Online/Offline Encryption (IBOOE) scheme in 2008. Its main idea is to enable high-performance devices to finish resource-intensive computations in the offline phase, thus allowing for the rapid assembly of the encryption ciphertext or key in the online phase. The low efficiency of certain lattice-based IB-PRE schemes mainly arises from their strong reliance on Gaussian sampling. Since the current implementations of Gaussian sampling often depend on extensive simulation to approximate the target distribution, this dependence significantly restricts the overall computational efficiency. Furthermore, building on the scheme of Guo et al., Hohenberger et al. [23] extended the Identity-Based Online/Offline Encryption scheme to Attribute-Based Encryption (ABE). Building on the work of Guo et al., Lai et al. [24] presented a semi-generic transformation method to construct an Identity-Based Online/Offline cryptographic scheme. This method optimizes the identity computation splitting to cut down both offline storage and online computational overhead. To enhance the efficiency of existing lattice-based IBE schemes, Zuo et al. [25] employed an online/offline computation mechanism. This approach transfers most Gaussian sampling and computation tasks that do not depend on identity or message authentication to high-performance devices for offline processing. This optimization saves time and resources, allowing constrained devices, such as smart cards and sensors, to process the computation-intensive tasks in advance, with the real-time enc phase requiring only microsecond-level operations.

Due to security considerations for online/offline encryption schemes, Langrehr et al. [26] developed two tightly secure Hierarchical Identity-Based Encryption (HIBE) schemes based on the matrix Diffie–Hellman assumption. Zhang et al. [27] built an Identity-Based Online/Offline Encryption (IBOOE) scheme with a leakage-resilient property by using a private key extension technique. Meanwhile, Yu et al. [28] put forward a Leakage-Resilient Hierarchical Identity-Based Online/Offline Encryption (LR-HIOOE) scheme. By utilizing the binary extractor technique, this scheme can resist the leakage of the symmetric key used during enc.

3. Preliminaries

Lattice An m-dimensional lattice $\mathcal{L}$ is a discrete subgroup of ${\mathbb{R}}^m$. Let ${\mathcal{L}}_q^{\perp }\left(A\right)$ represent a q-ary lattice, defined as $\{x\in {\mathbb{Z}}^m\mid Ax=0modq\}$, where $n, m$ and q are positive integers, and A is a matrix in ${\mathbb{Z}}_q^{n\times m}$. For each $u\in {\mathbb{Z}}_q^n$, we define ${\mathcal{L}}_q^u\left(A\right)$ as the coset $\left\{x\in {\mathbb{Z}}^m\mid Ax=umodq\right\}$.

Discrete Gaussians For any $\sigma >0$, the discrete Gaussian distribution is given by ${\rho }_{\mathcal{L}, \sigma }\left(x\right)={\displaystyle \frac{{\rho }_{\sigma }\left(x\right)}{{\rho }_{\sigma }\left(\mathcal{L}\right)}}$, where ${\rho }_{\sigma }\left(x\right)$ is defined as $exp\left(-\pi {\displaystyle \frac{{\Vert x\Vert }^2}{{\sigma }^2}}\right)$ and ${\rho }_{\sigma }\left(\mathcal{L}\right)={\sum }_{x\in \mathcal{L}} {\rho }_{\sigma }\left(x\right)$ serves as the normalization factor. The following lemmas describe key properties of discrete Gaussians [2].

If $S=(s_1, s_2, \dots , s_m)\in {\mathbb{R}}^{n\times m}$, denote $\parallel S\parallel =max\{\parallel s_i{{\parallel }_2\}}_{i=1, 2, \dots , m}$.

Lemma 1

([13]). The following bounds hold for the matrix norm defined previously.

• Let $R\in {\{-1, 1\}}^{m\times m}$ be chosen at random, then $Pr[\parallel R\parallel >12\sqrt{2m}]<e^{-2m}$.
• Let R be sampled from ${\mathcal{D}}_{{\mathbb{Z}}^{m\times m}, \sigma }$, then we have $Pr[\parallel R\parallel >\sigma \sqrt{m}]<e^{-2m}$.

Lemma 2

([13]). Suppose that $m>\left(n+1\right)logq+w\left(logn\right)$. Let $R\in {\{-1, 1\}}^{m\times k}$ be chosen uniformly at random for some polynomial $k=k\left(n\right)$. Let $AandB$ be randomly chosen matrices from ${\mathbb{Z}}_q^{n\times m}and{\mathbb{Z}}_q^{n\times k}$ respectively. Then, for any vector $w\in {\mathbb{Z}}^m$, the following two distributions are statistically indistinguishable:

$$\left(A, AR, R^{\mathsf{T}}w\right)\approx \left(A, B, R^{\mathsf{T}}w\right)$$

Sampling Algorithms. We recall several sampling algorithms from [29,30,31].

Lemma 3.

For integers $n\ge 1, m\ge 2n⌈logq⌉, q\ge 2$, the following polynomial time algorithms are available:

• SamplePre$\left(A, T_A, \sigma , u\right)\to s$: Takes as input a matrix $A\in {\mathbb{Z}}_q^{n\times m}$, its trapdoor $T_A$, a vector $u\in {\mathbb{Z}}_q^n$, and a parameter $\sigma \ge \parallel \widetilde{T_A}\parallel ·\omega \left(\sqrt{logm}\right)$, output a vector $s\in {\mathbb{Z}}_q^m$, satisfying $A·s^{\top }=u^{\top }$ and $\left|\left|s\right|\right|\le \sqrt{m}\sigma$.
• SampleLeft$\left.{(A, M, T}_A, M, T_A, \sigma , u\right)\to s$: Takes as input a matrix $A\in {\mathbb{Z}}_q^{n\times m}$ and its trapdoor $T_A$, a matrix $M\in {\mathbb{Z}}_q^{n\times m_0}$, a vector $u\in {\mathbb{Z}}_q^n$, and a parameter $\sigma \ge \parallel \widetilde{T_A}\parallel ·\omega \left(\sqrt{log(m+m_0)}\right)$, output a vector $s\in {\mathbb{Z}}_q^{m+m_0}$ whose distribution is statistically close to ${\mathcal{D}}_{{\mathcal{L}}_q^u\left(\left[A\mid M\right]\right), \sigma }$.
• SampleRight$\left(A, G, R, T_G, \sigma , u\right)\to s$: Takes as input a matrix $A\in {\mathbb{Z}}_q^{n\times m}$, the gadget matrix G and its trapdoor $T_G$, a uniform random matrix $R\leftarrow {\{-1, 1\}}^{m\times m}$, a vector $u\in {\mathbb{Z}}_q^n$, and a parameter $\sigma \ge \parallel \widetilde{T_G}\parallel ·\sqrt{m}·\omega \left(\sqrt{logm}\right)$, output a vector $s\in {\mathbb{Z}}_q^{2m}$ whose distribution is statistically close to ${\mathcal{D}}_{{\mathcal{L}}_q^u\left(\left[A|AR+G\right]\right), \sigma }$.

Lemma 4.

Let $n, m, q$ be positive integers with $m>2nlogq$. For $A\leftarrow {\mathbb{Z}}_q^{n\times m}$ and $e\leftarrow {\mathcal{D}}_{{\mathbb{Z}}^m, \sigma }$, the distribution of $u=Aemodq$ is statistically indistinguishable from the uniform distribution over ${\mathbb{Z}}_q^n$.

Lemma 5

([2,32,33]). Let $n, m, q$ be integers with $n\ge 1, q\ge 2$, and $m=\lceil 2nlogq\rceil$. There exists a probabilistic polynomial-time (PPT) algorithm $TrapGen(q, n)$, that outputs $(A\in {\mathbb{Z}}_q^{n\times m}, T_A\in {\mathbb{Z}}_q^{m\times m})$, where A is statistically close to a matrix in ${\mathbb{Z}}_q^{n\times m}$ and $T_A$ is a basis of ${\Lambda }_q^{\perp }\left(A\right)$ in ${\mathbb{Z}}_q^{m\times m}$. $T_A$ satisfies $\parallel \widetilde{T_A}\parallel \le O\left(\sqrt{nlogq}\right)$, $\parallel T_A\parallel \le O\left(\sqrt{nlogq}\right)$ with almost negligible probability in n.

Definition 1

(Learning with Errors [33]). Let $n, q$ be positive integers and $\sigma \in \mathbb{R}$ be a parameter, for any PPT adversary $\mathcal{A}$, there exists a negligible function $negl\left(·\right)$ that satisfies

$$\left|Pr\left[\mathcal{A}(\alpha , s^{\top }\alpha +e)=1\right]-Pr\left[\mathcal{A}(\alpha , \gamma )=1\right]\right|\le \mathrm{negl}\left(\lambda \right)$$

where $\alpha \leftarrow {\mathbb{Z}}_q^n, s\leftarrow {\mathbb{Z}}_q^n, \gamma \leftarrow {\mathbb{Z}}_q, e\leftarrow {\mathcal{D}}_{\mathbb{Z}, \sigma }$.

Definition 2.

A function H: ${\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$ is called a full-rank different map if for any two distinct inputs $u, v\in {\mathbb{Z}}_q^n$, the difference $H\left(u\right)-H\left(v\right)$ is full rank matrix over ${\mathbb{Z}}_q^{n\times n}$, and H can be is computed in $𝒪\left(nlogq\right)$ time.

The Inhomogeneous Small Integer Solution (ISIS) problem was introduced by Gentry et al. in [2]. It involves finding a solution for specified parameters $(n, m, q, \beta )$, a random matrix $A\in {\mathbb{Z}}_q^{m\times n}$ and a target vector $y\in {\mathbb{Z}}^n$. Specifically, the problem requires determining an x that satisfies the equation: $xA\equiv y(modq)$ (1), where the norm of x is bounded by $\beta$. Gentry et al. further demonstrated that the ISIS problem is at least as challenging as approximating the ${\mathrm{SIVP}}_{\gamma }$ problem, with $\gamma =\beta ·\tilde{O}\left(\sqrt{n}\right)$ when $\beta =\mathrm{poly}\left(n\right)$ and $q\ge \beta ·\omega (nlogn)$. Solving Equation (1) can be viewed as a variant of the ISIS problem, albeit with a relaxed bound on the norm of x. In the following section, we employ an intersection-based approach to streamline the solution process.

4. Formal Definition and Security Model

4.1. System Model

As depicted in Figure 1, our scheme involves the following four participants: Trusted Authority (TA), Sender, Proxy, and Receiver.

• Trusted Authority (TA): Generates the system’s master public key and master private key. It generates the sender’s enc key based on the sender’s identity and the receiver’s decryption key based on the receiver’s identity, and can also generate the re-enc key based on the receiver’s identity.
• Sender: (a) Offline Phase: Pre-executes a large number of complex calculations to generate the intermediate ciphertext. (b) Online Phase: When real-time data needs to be encrypted, it combines the intermediate ciphertext, the target identity specified by the sender, and the plaintext to generate the final original ciphertext.
• Proxy (typically a cloud service provider): Decrypts the ciphertext stored in the cloud to generate the re-encrypted ciphertext.
• Receiver: Decrypts the data using their own decryption key and the ciphertext encrypted by the sender (including the original ciphertext and the re-encrypted ciphertext) and finally obtains the original plaintext.

4.2. Formal Definition

Definition: An OO-IB-MPRE scheme consists of the following eight algorithms:

• $Setup\left(1^{\lambda }\right)\to \left(mpk, msk\right)$: Inputs security parameter $\lambda$, TA outputs master public key and master private key pair $(mpk, msk)$.
• $EkGen\left(mpk, msk, \sigma \right)\to {ek}_{\sigma }$: Inputs $mpk, msk$, and sender’s identity $\sigma$, TA outputs enc key ${ek}_{\sigma }$.
• $DkGen\left(mpk, msk, \rho \right)\to {dk}_{\rho }$: Inputs mpk, msk, and receiver’s identity $\rho$, TA outputs decryption key ${dk}_{\rho }$.
• $RkGen(mpk, msk, rcv, rc{v}^{\prime })\to {rk}_{rcv\to rc{v}^{\prime }}$: Inputs $mpk, msk$, and sender-specified target identities $rcv$ and ${rcv}^{\prime }$, TA outputs re-enc key ${rk}_{rcv\to rc{v}^{\prime }}$ from $rcv$ to ${rcv}^{\prime }$.
• ${Enc}^{off}(mpk, {ek}_{\sigma })\to \overline{ct}$: Inputs $mpk$ and ${ek}_{\sigma }$, the algorithm outputs intermediate ciphertext $\overline{ct}$.
• ${Enc}^{on}\left(mpk, \overline{ct}, rcv, m\right)\to ct$: Inputs $mpk, \overline{ct}, rcv$ and plaintext m, the algorithm outputs complete original ciphertext $ct$.
• $ReEnc\left(mpk, ct, {rk}_{rcv\to rc{v}^{\prime }}\right)\to {ct}^{\prime }$: Inputs $mpk, ct$ and ${rk}_{rcv\to rc{v}^{\prime }}$, if ct is the ciphertext corresponding to rcv, the algorithm outputs the re-encrypted ciphertext ${ct}^{\prime }$ corresponding to ${rcv}^{\prime }$; otherwise, it outputs ⊥.
• $Dec(mpk, {dk}_{\rho }, snd, ct)\to m$: Inputs $mpk, {dk}_{\rho }$, receiver-specified target identity $snd$ and $ct$ (including original ciphertext and re-encrypted ciphertext), outputs m.

Correctness: The correctness of the OO-IB-MPRE scheme requires that the decryption works correctly for both original ciphertext $ct$ and re-encrypted ciphertext ${ct}^{\prime }$. If $snd$ and $rcv$ match $\sigma$ and $\rho$ respectively, then with a non-negligible probability, for original ciphertext, $Dec\left(mpk, snd, ct\right)\to m$, and for re-encrypted ciphertext, $Dec(mpk, {dk}_{\rho }, snd, c{t}^{\prime })\to m$, where $mpk, {dk}_{\rho }, snd, ct, {ct}^{\prime }$ are correctly generated according to the formal definitions above.

4.3. Security Model

In the security model of [7], Wang et al. pointed out that if the adversary sends two sender identities in addition to two receiver identities, a trivial attack exists here. They also indicated that [7] can only protect the sender’s identity against honest receivers. This section, similar to [7], defines the semi-selective security model for OO-IB-MPRE through a game ${Game}_{\pi , t}^{sspriv}$ between the adversary $\mathcal{A}$ and the challenger $\mathcal{C}$. In the security model, the adversary first submits two receiver identities before the master public key (mpk) is generated. After the mpk is generated, the adversary then submits a challenge tuple $\left(m_0^{*}, m_1^{*}, {\sigma }_0^{*}, {\sigma }_1^{*}\right)$ that contains two sets of messages and corresponding sender identities. The security strength of the semi-selective security model lies between that of the selective security model and the fully adaptive security model.

Initialization: The adversary $\mathcal{A}$ sends two challenge identities $({rcv}_0^{*}, {rcv}_1^{*})$ to the challenger $\mathcal{C}$.

Setup phase: $\mathcal{C}$ runs $Setup\left(1^{\lambda }\right)$ to generate $\left(mpk, msk\right)$. $\mathcal{C}$ keeps $msk$ secret and sends $mpk$ to $\mathcal{A}$.

Learning phase 1: In this phase, $\mathcal{A}$ can adaptively access the following oracles for any polynomial number of times.

➀

Enc Key Oracle ${\mathcal{O}}_{ek}\left(\sigma \right)$: $\mathcal{A}$ inputs sender’s identity $\sigma$, $\mathcal{C}$ returns enc key $e{k}_{\sigma }$.

➁

Decryption Key Oracle ${\mathcal{O}}_{dk}\left(\rho \right)$: $\mathcal{A}$ inputs receiver’s identity $\rho$, $\mathcal{C}$ returns decryption key $d{k}_{\rho }$.

➂

Re-Enc Key Oracle ${\mathcal{O}}_{rk}(rcv, rc{v}^{\prime })$: $\mathcal{A}$ inputs sender-specified target identities $rcv$ and $rc{v}^{\prime }$, $\mathcal{C}$ returns re-enc key $r{k}_{rcv\to rc{v}^{\prime }}$.

➃

Re-enc oracle ${\mathcal{O}}_{re}(ct, rcv, rc{v}^{\prime })$: $\mathcal{A}$ inputs $ct$, $rcv$ and $rc{v}^{\prime }$, if $ct$ is a valid ciphertext under $rcv$, $\mathcal{C}$ returns re-encrypted ciphertext $c{t}^{\prime }$.

Challenge: $\mathcal{A}$ sends the randomly selected message-identity pairs $\left(m_0^{*}, m_1^{*}, {\sigma }_0^{*}, {\sigma }_1^{*}\right)$ to $\mathcal{C}$. $\mathcal{C}$ randomly selects a bit $b\leftarrow \left\{0, 1\right\}$ and computes the challenge ciphertext ${c\overline{t}}^{*}\leftarrow {Enc}^{off}\left(mpk, {ek}_{{\sigma }_b^{*}}\right)$, $c{t}^{*}\leftarrow {\mathrm{Enc}}^{on}(mpk, rc{v}_b^{*}, \overline{c{t}^{*}}, m_b^{*})$. Finally, $\mathcal{C}$ sends ${ct}^{*}$ to $\mathcal{A}$.

Learning phase 2: In this phase, $\mathcal{A}$ can continue to query the oracles as in Learning phase 1, but it is not allowed to query the following oracles:

➀

${\mathcal{O}}_{dk}\left(\rho \right)$ for any $\rho \in \{rc{v}_0^{*}, rc{v}_1^{*}\}$.

➁

${\mathcal{O}}_{rk}(rcv, rc{v}^{\prime })$ for any $\rho \in \{rc{v}_0^{*}, rc{v}_1^{*}\}$, and ${\rho }^{\prime }=rc{v}^{\prime }$, ${\mathcal{O}}_{dk}\left(\rho \right)$ has been inquired.

➂

${\mathcal{O}}_{re}(ct, rcv, rc{v}^{\prime })$ for any $\rho \in \{rc{v}_0^{*}, rc{v}_1^{*}\}$, and $\rho =rc{v}^{\prime }$, ${\mathcal{O}}_{dk}\left(\rho \right)$ has been inquired.

• Guess: $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0, 1\}$

• Output: If $b=b^{\prime }$, output 1, otherwise output 0.

Definition 3

(semi-selective privacy). An OO-IB-MPRE scheme is semi-selectively private if for any PPT adversary $\mathcal{A}$, the advantage of winning the above game is negligible.

$$\left|Pr\left[{Game}_{\pi , t}^{\mathit{sspriv}}\left(\lambda \right)=1-{\displaystyle \frac{1}{2}}\right]\right|\le \epsilon$$

where ε is a negligible quantity.

Next, we define the authenticity security model of the OO-IB-MPRE scheme. Similar to the semi-selective privacy security model, we also characterize it through a game ${Game}_{\pi , t}^{Auth}$ between the adversary $\mathcal{A}$ and the challenger $\mathcal{C}$.

Setup phase: $\mathcal{C}$ runs $Setup\left(\lambda \right)$ to generate $\left(mpk, msk\right)$. $\mathcal{C}$ keeps $msk$ secret and sends $mpk$ to $\mathcal{A}$.

Learning phase 1: Identical to ${\mathrm{Game}}_{\pi , t}^{\mathrm{sspriv}}$, $\mathcal{A}$ can query the oracles ${\mathcal{O}}_{dk}\left(\rho \right)$, ${\mathcal{O}}_{ek}\left(\sigma \right)$, ${\mathcal{O}}_{rk}(rcv, rc{v}^{\prime })$ and ${\mathcal{O}}_{re}(ct, rcv, rc{v}^{\prime })$.

Forgery phase: $\mathcal{A}$ outputs a forgery tuple $(c{t}^{*}, {\rho }^{*}, {\mathrm{snd}}^{*})$ and sends it to $\mathcal{C}$.

Output: $\mathcal{C}$ generates $m\leftarrow \mathrm{Dec}(mpk, d{k}_{{\rho }^{*}}, {\mathrm{snd}}^{*}, c{t}^{*})$. If ${\mathcal{O}}_{ek}\left({\mathrm{send}}^{*}\right)$ has not been inquired and $m\ne \perp$, then $\mathcal{C}$ outputs 1, otherwise outputs 0.

Definition 4

(Authenticity). An OO-IB-MPRE scheme is authentic if for any PPT adversary $\mathcal{A}$:

$$\left|Pr\left[{Game}_{\pi , \mathcal{A}}^{\mathit{Auth}}\left(\lambda \right)=1\right]\right|\le \epsilon$$

where ε is a negligible quantity.

Definition 5.

If an OO-IB-MPRE scheme is secure in terms of privacy and authenticity, then it is said to be secure.

Remark: While the fully adaptive security model provides enhanced security guarantees, achieving full adaptivity in lattice-based cryptographic systems requires sophisticated techniques such as dual system encryption or admissible hash functions. This often leads to excessive parameter expansion, thereby increasing storage and computational overhead. Furthermore, generic transformation methods for achieving full adaptivity can compromise the efficiency of online/offline operations.

The core objective of the proposed scheme is to enable secure sharing of motion physiological data while maintaining lightweight performance for resource-constrained wearable sensors. Thus, the semi-adaptive security model represents a reasonable trade-off between security rigor and practical deployability, consistent with the established practices of lattice-based cryptography in resource-constrained scenarios.

5. OO-IB-MPRE from Lattices

5.1. Construction

• $\mathrm{Setup}\left(1^{\lambda }\right)\to (mpk, msk)$. Input security parameter $\lambda$. TA performs the following operations.

  (1)

  Generate $(A_0, T_{A_0}), (A, T_A)\leftarrow \mathrm{TrapGen}(q, n, m)$.

  (2)

  Randomly select $u_0\leftarrow {\mathbb{Z}}_q^n$, $A_1, B\leftarrow {\mathbb{Z}}_q^{n\times m}$.

  (3)

  Randomly select two hash functions $H_1:{\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^n, H_2:{\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$, where $H_2$ is a full-rank difference hash function [13].

  (4)

  Output the master public key $mpk=(A_0, A_1, A, B, H_1, H_2, u_0)$ and the master private key $msk=(T_{A_0}, T_A)$.

• $\mathrm{EkGen}(mpk, msk, \sigma )\to e{k}_{\sigma }$. Input $mpk$, $msk$ and sender’s identity $\sigma$. TA performs the following operations.

  (1)

  Generate $e_{\sigma }\leftarrow \mathrm{SamplePre}(A, T_A, H_1\left(\sigma \right))$, where $A{e}_{\sigma }=H_1\left(\sigma \right)$.

  (2)

  Output the enc key $e{k}_{\sigma }=e_{\sigma }\in {\mathbb{Z}}_q^m$.

• $\mathrm{DkGen}(mpk, msk, \rho )\to d{k}_{\rho }$. Input $mpk$, $msk$ and receiver’s identity $\rho$. TA performs the following operations.

  (1)

  Let $F_{\rho }=[A_0\mid A_1+H_2\left(\rho \right)B]\in {\mathbb{Z}}_q^{n\times 2m}$.

  (2)

  Generate $e_{\rho }\leftarrow \mathrm{SampleLeft}(A_0, T_{A_0}, F_{\rho })$, such that $F_{\rho }{e}_{\rho }=u_0$.

  (3)

  Output the decryption key $d{k}_{\rho }=e_{\rho }\in {\mathbb{Z}}_q^{2m}$.

• ReKeyGen$(mpk, msk, rcv, rc{v}^{\prime })$. Input $mpk, msk$, the identity of the original target receiver identity $rcv$ and the identity of the converted target receiver identity $rc{v}^{\prime }$. TA performs the following operations.

  (1)

  Let $F_{rcv}=\left[A_0|A_1+H_2\left(rcv\right)B\right]$ and $F_{rc{v}^{\prime }}=\left[{A_0|A}_1+H_2\left(rc{v}^{\prime }\right)B\right]$ be the two matrices corresponding to the original target receiver identity $rcv$ and the converted target receiver identity $rc{v}^{\prime }$ respectively.

  (2)

  Generate the re-enc key from $rcv$ to $rc{v}^{\prime }$ using the SampleLeft algorithm, i.e., compute $e_{rk}\leftarrow SampleLeft\left[F_{rcv}, T_{A_0}, A_1+H_2\left(rc{v}^{\prime }\right)B\right]$, such that

  $F_{rcv}{e}_{rk}=A_1+H_2\left(rc{v}^{\prime }\right)B$. It should be noted that for the subsequent security proof, there is no requirement for $F_{rcv}{e}_{rk}=F_{rc{v}^{\prime }}$.

  (3)

  Output the re-enc key $r{k}_{rcv\to rc{v}^{\prime }}=e_{rk}\in {\mathbb{Z}}_q^{2m\times m}$ from $rcv$ to $rc{v}^{\prime }$. Let $I_m$ be an m-order identity matrix, $e_{rk}=\left[\begin{array}{c}{e}_{rk}^1\\ e_{rk}^2\end{array}\right]\in {\mathbb{Z}}_q^{2m\times m}$, then we have

  $$F_{rcv}\left[\begin{array}{cc}{I}_m& e_{rk}^1\\ 0& e_{rk}^2\end{array}\right]=[A_0\mid A_1+H_2\left(rc{v}^{\prime }\right)B]=F_{rc{v}^{\prime }}.$$

• ${\mathrm{Enc}}^{off}\left(mpk, {ek}_{\sigma }\right)\to \overline{ct}$. Input $mpk$ and ${ek}_{\sigma }$. Sender performs the following operations.

  (1)

  Compute

  $${\overline{c}}_0=u_0^{T}s+x+\parallel Ae{k}_{\sigma }\parallel modq;{\overline{c}}_{11}=A_0^{T}s+y;{\overline{c}}_{12}=R^{T}y$$

  where $s\leftarrow {\mathbb{Z}}_q^n, x\leftarrow \chi , R\leftarrow {\{-1, 1\}}^{m\times m}, y\leftarrow {\chi }^m$, $\parallel Ae{k}_{\sigma }\parallel =\parallel Ae{k}_{\sigma }\parallel modq$, the following norm operations are analogous, meaning they implicitly involve a modulo q operation.

  (2)

  Output the intermediate ciphertext $\overline{ct}=({\overline{c}}_0, {\overline{c}}_{11}, {\overline{c}}_{12}, s)$.

• ${\mathrm{Enc}}^{on}(mpk, rcv, \overline{ct}, m)\to ct$. Input $mpk$, $\overline{ct}=({\overline{c}}_0, {\overline{c}}_{11}, {\overline{c}}_{12}, s)$, target receiver identity $rcv$, and plaintext m. Sender performs the following operations.

  (1)

  Compute

  $$\begin{array}{cc}\hfill c_0& ={\overline{c}}_0+⌊{\displaystyle \frac{q}{2}}⌋m, \hfill \\ \hfill c_1& =\left[\begin{array}{c}{\overline{c}}_{11}\\ {(A_1+H_2\left(rcv\right)B)}^{T}s\end{array}\right]+\left[\begin{array}{c}0\\ {\overline{c}}_{12}\end{array}\right]\hfill \\ \hfill & =\left[\begin{array}{c}{A}_0^{T}s+y\\ {(A_1+H_2\left(rcv\right)B)}^{T}s+R^{T}y\end{array}\right]\hfill \\ \hfill & =\left[\begin{array}{c}{A}_0^T\\ {(A_1+H_2\left(rcv\right)B)}^T\end{array}\right]s+\left[\begin{array}{c}y\\ R^{T}y\end{array}\right]\hfill \\ \hfill & =F_{rcv}^{T}s+\left[\begin{array}{c}y\\ R^{T}y\end{array}\right].\hfill \end{array}$$

  (2)

  Output the original ciphertext $ct=(c_0, c_1)$.

• $\mathrm{ReEnc}(mpk, ct, r{k}_{rcv\to rc{v}^{\prime }})\to c{t}^{\prime }$. Input $mpk$, $ct=(c_0, c_1)$ and $r{k}_{rcv\to rc{v}^{\prime }}$. Proxy computes and outputs the re-encrypted ciphertext $c{t}^{\prime }=(c_0^{\prime }, c_1^{\prime })=(c_0, r{k}_{rcv\to rc{v}^{\prime }}^T{c}_1)$, where $r{k}_{rcv\to rc{v}^{\prime }}^T{c}_1$ represents the multiplication of $r{k}_{rcv\to rc{v}^{\prime }}^T$ and $c_1$. It should be noted that

  $$\begin{array}{cc}\hfill & r{k}_{rcv\to rc{v}^{\prime }}^T{c}_1=e_{rk}^T{c}_1=e_{rk}^T(F_{rcv}^{T}s+\left[\begin{array}{c}y\\ R^{T}y\end{array}\right])\hfill \\ \hfill & =e_{rk}^T{F}_{rcv}^{T}s+e_{rk}^T\left[\begin{array}{c}y\\ R^{T}y\end{array}\right]={\left(F_{rcv}{e}_{rk}\right)}^{T}s+e_{rk}^T\left[\begin{array}{c}y\\ R^{T}y\end{array}\right]\hfill \\ \hfill & ={\left(F_{rc{v}^{\prime }}\right)}^{T}s+e_{rk}^T\left[\begin{array}{c}y\\ R^{T}y\end{array}\right].\hfill \end{array}$$
• $\mathrm{Dec}(mpk, d{k}_{\rho }, snd, ct)\to m$. Input $mpk$, $d{k}_{\rho }$, target sender identity $snd$ and $ct=(c_0, c_1)$. Receiver performs the following operations.

  (1)

  Compute $z=c_0-e_{\rho }^T{c}_1-\parallel H_1\left(snd\right)\parallel$.

  (2)

  Compared to 0, if z is closed to $⌊{\displaystyle \frac{q}{2}}⌋$, output 1; otherwise output 0.

5.2. Correctness

When $snd$ and $rcv$ match $\sigma$ and $\rho$ respectively, then $\parallel H_1\left(\mathrm{snd}\right)\parallel =\parallel H_1\left(\sigma \right)\parallel$, $F_{rcv}{e}_{\rho }=u_0$. For the original ciphertext $ct=\left(c_0, c_1\right)$, we have:

$$\begin{array}{cc}\hfill c_0-e_{\rho }^T{c}_1-\parallel H_1\left(\mathrm{snd}\right)\parallel & =\hfill \\ \hfill & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x+\parallel Ae{k}_{\sigma }\parallel -e_{\rho }^T\left(F_{rcv}^{T}s+\left[\begin{array}{c}y\\ Ry\end{array}\right]\right)-\parallel H_1\left(\mathrm{snd}\right)\parallel \hfill \\ \hfill & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x+\parallel Ae{k}_{\sigma }\parallel -{\left(F_{rcv}{e}_{\rho }\right)}^{T}s-e_{\rho }^T\left[\begin{array}{c}y\\ Ry\end{array}\right]-\parallel H_1\left(\sigma \right)\parallel \hfill \\ \hfill & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x-F_{rcv}{e}_{\rho }^{T}s-e_{\rho }^T\left[\begin{array}{c}y\\ Ry\end{array}\right]\hfill \\ \hfill & =⌊{\displaystyle \frac{q}{2}}⌋m+\underset{{\displaystyle \Delta }}{\underbrace{x-e_{\rho }^T\left[\begin{array}{c}y\\ Ry\end{array}\right]}}\hfill \\ \hfill & =⌊{\displaystyle \frac{q}{2}}⌋m+\Delta \hfill \end{array}$$

When $\parallel \Delta \parallel <⌊{\displaystyle \frac{q}{4}}⌋$ the decryption is correct.

For the re-encrypted ciphertext, $c{t}^{\prime }=(c_0^{\prime }, c_1^{\prime })$, if $snd$ and ${rcv}^{\prime }$ match $\sigma$ and ${\rho }^{\prime }$ respectively, we have:

$$\begin{array}{cc}& c_0^{\prime }-e_{{\rho }^{\prime }}^T{c}_1^{\prime }-\parallel H_1\left(\mathrm{snd}\right)\parallel \hfill \\ & =c_0-e_{{\rho }^{\prime }}^{T}r{k}_{rcv\to rc{v}^{\prime }}^T{c}_1-\parallel H_1\left(\mathrm{snd}\right)\parallel \hfill \\ & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x+\parallel Ae{k}_{\sigma }\parallel -e_{{\rho }^{\prime }}^T\left({\left(F_{rc{v}^{\prime }}\right)}^{T}s+e_{rk}^T\left[\begin{array}{c}y\\ R^{T}y\end{array}\right]\right)-\parallel H_1\left(\mathrm{snd}\right)\parallel \hfill \\ & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x+\parallel Ae{k}_{\sigma }\parallel -e_{{\rho }^{\prime }}^T\left({\left(F_{rc{v}^{\prime }}\right)}^{T}s+e_{rk}^T\left[\begin{array}{c}y\\ R^{T}y\end{array}\right]\right)-\parallel H_1\left(\mathrm{snd}\right)\parallel \hfill \\ & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x-e_{{\rho }^{\prime }}^T\left({\left(F_{rc{v}^{\prime }}\right)}^{T}s+e_{rk}^T\left[\begin{array}{c}y\\ R^{T}y\end{array}\right]\right)\hfill \\ & =⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x-{\left(F_{rc{v}^{\prime }}{e}_{{\rho }^{\prime }}\right)}^{T}s-e_{{\rho }^{\prime }}^T{e}_{rk}^T\left[\begin{array}{c}y\\ Ry\end{array}\right]\hfill \\ & =⌊{\displaystyle \frac{q}{2}}⌋m+\underset{{\displaystyle {\Delta }^{\prime }}}{\underbrace{x-e_{{\rho }^{\prime }}^T{e}_{rk}^T\left[\begin{array}{c}y\\ Ry\end{array}\right]}}\hfill \\ & =⌊{\displaystyle \frac{q}{2}}⌋m+{\Delta }^{\prime }\hfill \end{array}$$

When $\parallel {\Delta }^{\prime }\parallel <⌊{\displaystyle \frac{q}{4}}⌋$, the decryption is correct.

In addition, the OO-IB-MPRE scheme needs to meet the following conditions:

➀

Setup requires $m\ge 2n\lceil logq\rceil$;

➁

EkGen requires $\sigma \ge \parallel {\tilde{T}}_A\parallel \omega \sqrt{logm}$;

➂

DkGen requires $\sigma \ge \parallel {\tilde{T}}_A\parallel \omega \sqrt{log(m+m)}$;

➃

RekeyGen requires $\sigma \ge \parallel {\tilde{T}}_A\parallel \omega \sqrt{log(m+m)}$;

➄

LWE requires $\alpha q>2\sqrt{n}$.

Therefore, we can set $n=\lambda$, $m=2n\lceil logq\rceil$, $\chi =D_{\mathbb{Z}, \alpha q}$, $\sigma =\alpha q=m\omega \lceil logm\rceil$, ${\alpha }^3<{\displaystyle \frac{1}{20q^2{m}^2}}$. Let $e_{\rho }^T=[e_{\rho }^1, e_{\rho }^2]$.

According to Lemma 1, $\parallel x\parallel \le \sigma$,$\parallel e_{\rho }^1-e_{\rho }^{2}R\parallel \le \parallel e_{\rho }^1\parallel +\parallel e_{\rho }^{2}R\parallel \le \sigma \sqrt{m}+\sigma \sqrt{m}\sqrt{2m}$. We have:

$$\begin{array}{cc}\hfill \parallel \Delta \parallel & =∥x-e_{\rho }^T\left[\begin{array}{c}y\\ Ry\end{array}\right]∥=∥x-[e_{\rho }^1, e_{\rho }^2]\left[\begin{array}{c}y\\ Ry\end{array}\right]∥=∥x-[e_{\rho }^1-e_{\rho }^{2}R]y∥\hfill \\ \hfill & \le \parallel x\parallel +\parallel (e_{\rho }^1-e_{\rho }^{2}R)y\parallel \le \parallel x\parallel +\parallel e_{\rho }^1-e_{\rho }^{2}R\parallel \parallel y\parallel \hfill \\ \hfill & \le \sigma +\sigma \sqrt{m}\left(\sigma \sqrt{m}+\sigma \sqrt{m}\sqrt{2m}\right)\hfill \\ \hfill & \le 2{\sigma }^2{m}^{\frac{3}{2}}=2{\alpha }^2{q}^2{m}^{\frac{3}{2}}<{\displaystyle \frac{2q^2{m}^{\frac{3}{2}}}{{20}^{\frac{2}{3}}{q}^{\frac{4}{3}}{m}^{\frac{4}{3}}}}<{\displaystyle \frac{q}{5}}\hfill \end{array}$$

$\mathrm{Let}{e}_{{\rho }^{\prime }}^T=[e_{{\rho }^{\prime }}^1, e_{{\rho }^{\prime }}^2], e_{rk}^T=\left[\begin{array}{cc}I& e_{rk}^1\\ 0& e_{rk}^2\end{array}\right], \mathrm{we}\mathrm{have}\text{:}$

$$\begin{array}{cc}\hfill \parallel {\Delta }^{\prime }\parallel & =∥x-e_{{\rho }^{\prime }}^{T}r{k}_{rcv\to rc{v}^{\prime }}^T\left[\begin{array}{c}y\\ Ry\end{array}\right]∥\hfill \\ \hfill & =∥x+\left[e_{{\rho }^{\prime }}^1, e_{{\rho }^{\prime }}^1{e}_{rk}^1+e_{{\rho }^{\prime }}^2{e}_{rk}^2\right]\left[\begin{array}{c}y\\ Ry\end{array}\right]∥\hfill \\ \hfill & \le \parallel x\parallel +∥\left[e_{{\rho }^{\prime }}^1+(e_{{\rho }^{\prime }}^1{e}_{rk}^1+e_{{\rho }^{\prime }}^2{e}_{rk}^2)R\right]y∥\hfill \\ \hfill & \le \parallel x\parallel +\left(\parallel e_{{\rho }^{\prime }}^1\parallel +\parallel e_{{\rho }^{\prime }}^1{e}_{rk}^1+e_{{\rho }^{\prime }}^2{e}_{rk}^2\parallel +\parallel R\parallel \right)\parallel y\parallel \hfill \\ \hfill & \le \sigma +\left(\sigma \sqrt{m}+\left(2\sigma \sqrt{m}·\sigma \sqrt{m}\right)\sqrt{2m}\right)\sigma \sqrt{m}\hfill \\ \hfill & =\sigma +\left({\sigma }^{2}m+2\sqrt{2}{\sigma }^3{m}^2\right)\hfill \\ \hfill & \le 4{\sigma }^3{m}^2\hfill \end{array}$$

It can be inferred from the parameter settings that $\sigma =\alpha q$; so, $4{\sigma }^3{m}^2\le 4{\alpha }^3{q}^3{m}^2$. Since ${\alpha }^3<{\displaystyle \frac{1}{20q^2{m}^2}}$, we have $4{\alpha }^3{q}^3{m}^2\le {\displaystyle \frac{4q^3{m}^2}{20q^2{m}^2}}={\displaystyle \frac{q}{5}}$. That is $\left|\left|{\Delta }^{\prime }\right|\right|<⌊{\displaystyle \frac{q}{4}}⌋$.

5.3. Security

Theorem 1.

If the LWE problem is hard, then the above OO-IB-MPRE scheme satisfies semi-selective privacy.

Proof. 

The proof of the theorem is carried out through a series of games.

• $G_0$: Identical to the semi-selective privacy security game.
• $G_1$: Identical to $G_0$, except for the generation of $A_1$. In $G_1$, the challenger $\mathcal{C}$ randomly selects $R^{*}\leftarrow {\{1, -1\}}^{m\times m}$, $b\leftarrow \{0, 1\}$, and sets $A_1=A_0{R}^{*}-H_2\left(rc{v}_b^{*}\right)B$.

Here, $R^{*}$ is used solely for generating the subsequent ciphertext component ${\left(R^{*}\right)}^{T}y$. Since $A_0$ and $A_1$ is uniformly distributed over ${\mathbb{Z}}_q^{n\times m}$, by Lemma 2, the tuples $(A_0, A_0{R}^{*}, {\left(R^{*}\right)}^{T}y)$ and $(A_0, A_1, {\left(R^{*}\right)}^{T}y)$ are statistically indistinguishable. Hence, $G_0$ and $G_1$ are statistically indistinguishable.

• $G_2$: Identical to $G_1$, except for the generation of $A_0$ and B. In $G_2$, the challenger $\mathcal{C}$ randomly selects $A_0\leftarrow {\mathbb{Z}}_q^{n\times m}$ and generates $(B, T_B)\leftarrow \mathrm{TrapGen}(q, n, m)$.

In $G_1$, $T_{A_0}$ is used to generate the decryption key $e_{\sigma }\leftarrow \mathrm{SamplePre}(A, T_A, H_1\left(\sigma \right))$ and re-encryption key $e_{rk}\leftarrow SampleLeft\left[F_{rcv}, T_{A_0}, A_1+H_2\left(rc{v}^{\prime }\right)B\right]$, whereas in $G_2$, the challenger $\mathcal{C}$ utilizes $T_B$ for the same purpose. We next prove that the decryption keys and re-encryption keys generated in $G_1$ and $G_2$ are indistinguishable, thereby demonstrating the indistinguishability of $G_1$ and $G_2$.

For the decryption key $e_{\rho }$ of the receiver identity $\rho$, we have: $F_{\rho }=[A_0\mid A_1+H_2\left(\rho \right)B]=\left[A_0\mid (A_0{R}^{*}-H_2\left(rc{v}_b^{*}\right)B)+H_2\left(\rho \right)B\right]=\left[A_0\mid A_0{R}^{*}+\left(H_2\left(\rho \right)-H_2\left(rc{v}_b^{*}\right)\right)B\right]$. Since $\rho \notin \{rc{v}_0^{*}, rc{v}_1^{*}\}$, $H_2\left(\rho \right)-H_2\left(rc{v}_b^{*}\right)$ is a full-rank matrix. Thus, $T_B$ can be used to generate $e_{\rho }\leftarrow \mathrm{SampleRight}(A_0, \left(H_2\left(\rho \right)-H_2\left(rc{v}_b^{*}\right)\right)B, R^{*}, T_B, u_0)$ such that $F_{\rho }{e}_{\rho }=u_0$. By Lemma 3, the statistical distributions of $e_{\rho }$ in $G_2$ and $G_1$ are indistinguishable.

For the re-enc key $r{k}_{rcv\to rc{v}^{\prime }}$, the challenger selects $Q_{rcv\to rc{v}^{\prime }}\leftarrow D_{{\mathbb{Z}}^{2m\times m}, s}$, and computes $H_2\left(rc{v}^{\prime }\right)$ as the hash value of $rc{v}^{\prime }$ according to the equation $F_{rcv}{Q}_{rcv\to rc{v}^{\prime }}=A_1+H_2\left(rc{v}^{\prime }\right)B$, and stores $(rc{v}_1^{\prime }, F_{rc{v}^{\prime }}, Q_{rcv\to rc{v}^{\prime }}, H_2\left(rc{v}^{\prime }\right))$ in the table $\mathcal{T}$. By Lemma 3, $Q_{rcv\to rc{v}^{\prime }}$ is statistically indistinguishable from the re-enc key in $G_1$. Thus, $Q_{rcv\to rc{v}^{\prime }}$ serves as the re-enc key from $rcv\to rc{v}^{\prime }$.

Consequently, $G_2$ is statistically indistinguishable from $G_1$ by Lemma 3.

• $G_3$: Identical to $G_2$, except for the generation of the ciphertext $c_0^{*}$. The challenger randomly selects $Z^{*}\leftarrow {\mathbb{Z}}_q^n$. Let $Ae{k}_0=Z^{*}$, i.e., $c_0^{*}=⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x+\parallel Z^{*}\parallel$.

Since $e_{\rho }\leftarrow \mathrm{SampleRight}(A_0, \left(H_2\left(\rho \right)-H_2\left(rc{v}_b^{*}\right)\right)B, R^{*}, T_B, u_0)$, by Lemma 4, $Ae{k}_0$ and $Z^{*}$ are statistically indistinguishable. Therefore, $G_3$ is statistically indistinguishable from $G_2$.

• $G_4$: Identical to $G_3$ except for the generation of the challenge ciphertext $c{t}^{*}=(c_0^{*}, c_1^{*})$. The challenger randomly selects $c_0^{{*}^{\prime }}\leftarrow {\mathbb{Z}}_q, c_1^{{*}^{\prime }}\leftarrow {\mathbb{Z}}_q^{2m}$, setting $c_0^{*}=c_0^{{*}^{\prime }}$, $c_1^{*}=c_1^{{*}^{\prime }}$.

Based on the LWE assumption, $c_0^{*}$ and $c_0^{{*}^{\prime }}$, $c_1^{*}$ and $c_1^{{*}^{\prime }}$ are computationally indistinguishable. Therefore, $G_4$ and $G_3$ are computationally indistinguishable. At this point, the advantage of adversary $𝒜$ in $G_4$ is negligible.

From the indistinguishability of the above four games, $G_4$ and $G_0$ are computationally indistinguishable. Furthermore, the adversary’s advantage in winning $G_4$ is negligible. Therefore, Theorem 1 holds, i.e., the OO-IB-MPRE scheme satisfies semi-selective privacy. □

Theorem 2.

If the ISIS problem is hard, then the above OO-IB-MPRE scheme satisfies authenticity.

Proof. 

Suppose there exists an adversary $\mathcal{A}$ who can break the authenticity of the above OO-IB-MPRE scheme with a non-negligible advantage. Then we can construct an algorithm $\mathcal{B}$ that solves the ISIS problem with a non-negligible advantage.

• $G_0$: Identical to the semi-selective authenticity security game.
• $G_1$: Identical to $G_0$, except for the generation of $A_1$. In $G_1$, algorithm $\mathcal{B}$ randomly selects $R^{*}\leftarrow {\{1, -1\}}^{m\times m}$, $b\leftarrow \{0, 1\}$, and sets $A_1=A_0{R}^{*}-H_2\left(rc{v}_b^{*}\right)B$.
• $G_2$: Identical to $G_1$, except for the generation of $A_0$ and B. In $G_2$, algorithm $\mathcal{B}$ randomly selects $A_0\leftarrow {\mathbb{Z}}_q^{n\times m}$ and generates $(B, T_B)\leftarrow \mathrm{TrapGen}(q, n, m)$.

From the proof of Theorem 1, $G_0$ and Game $G_1$ are statistically indistinguishable, $G_1$ and $G_2$ are statistically indistinguishable. Consequently, $G_0$ and $G_2$ are statistically indistinguishable.

• $G_3$: Identical to $G_2$, except for the generation of the matrix A. In $G_3$, the algorithm $\mathcal{B}$ randomly selects $A\leftarrow {\mathbb{Z}}_q^{n\times m}$. When an adversary $\mathcal{A}$ initiates a query for the hash value $H_1\left(\sigma \right)$ of user $\sigma$, algorithm $\mathcal{B}$ first searches its local storage. If $(\sigma , {\rho }_0, A{e}_{\sigma })$ exists, it returns the corresponding hash value $A{e}_{\sigma }$. If not found, it selects $e_{\sigma }\leftarrow X^m$, then sets $H_1\left(\sigma \right)=A{e}_{\sigma }$, stores $(\sigma , A{e}_{\sigma }, e_{\sigma })$ locally, and returns the corresponding $H_1\left(\sigma \right)=A\sigma$.

From Lemma 3, A is identically distributed in $G_2$ and $G_3$, and $e_{\sigma }$ is also identically distributed in these two games. Consequently, $G_2$ and $G_3$ are statistically indistinguishable.

• $G_4$: Identical to $G_3$, except for the generation of the ciphertext $c_0^{*}$. The algorithm $\mathcal{B}$ randomly selects $Z^{*}\leftarrow {\mathbb{Z}}_q^n$. Let $Ae{k}_{\sigma }=Z^{*}$, i.e., $c_0^{*}=⌊{\displaystyle \frac{q}{2}}⌋m+u_0^{T}s+x+\parallel Z^{*}\parallel$.
• $G_5$: Identical to $G_4$ except for the generation of the challenge ciphertext $c{t}^{*}=(c_0^{*}, c_1^{*})$. The algorithm $\mathcal{B}$ randomly selects $c_0^{{*}^{\prime }}\leftarrow {\mathbb{Z}}_q, c_1^{{*}^{\prime }}\leftarrow {\mathbb{Z}}_q^{2m}$, setting $c_0^{*}=c_0^{{*}^{\prime }}$, $c_1^{*}=c_1^{{*}^{\prime }}$. At this point, the advantage of adversary $𝒜$ in $G_4$ is negligible.

From the proof of Theorem 1, $G_3$ and Game $G_4$ are statistically indistinguishable, $G_4$ and $G_5$ are computationally indistinguishable. Consequently, $G_0$ and $G_5$ are computationally indistinguishable. Furthermore, the adversary’s advantage in winning $G_5$ is negligible.

When $\mathcal{A}$ initiates an enc key query for $\sigma$, algorithm $\mathcal{B}$ first searches its local storage. If $(\sigma , e_{\sigma }, A{e}_{\sigma })$ exists, it returns $e{k}_{\sigma }=e_{\sigma }$. Otherwise, it selects $e_{\sigma }\leftarrow X^m$ and computes $H_1\left(\sigma \right)=A{e}_{\sigma }$. Then stores $(\sigma , e_{\sigma }, A{e}_{\sigma })$ locally, and finally returns $e{k}_{\sigma }=e_{\sigma }$.

If adversary $\mathcal{A}$ forges $(c{t}^{*}, {\rho }^{*}, sn{d}^{*})$ with a non-negligible advantage, and $c{t}^{*}$ can be correctly decrypted, i.e., $m\leftarrow \mathrm{Dec}(mpk, d{k}_{{\rho }^{*}}, sn{d}^{*}, c{t}^{*})$. Adversary $\mathcal{A}$ has successfully forged the public key $e{k}_{\sigma }$ of $sen{d}^{*}$, and adversary $\mathcal{A}$ has queried the hash value $H\left(sen{d}^{*}\right)$ of $sen{d}^{*}$, but $O_{ek}\left(sen{d}^{*}\right)$ has not been queried. Therefore, except with a probability of $2^{-\omega (logn)}$, we have $e{k}_{\sigma }\ne e{k}_{sen{d}^{*}}$, meaning a bounded solution $e{k}_{\sigma }$ to $Ax=H_1\left(sen{d}^{*}\right)$ has been found, thereby solving the ISIS problem.

□

Theorem 3.

The above OO-IB-MPRE scheme is secure.

Proof. 

By Theorem 1 and Theorem 2, we can conclude that Theorem 3 is correct. □

6. Performance

6.1. Space Overhead

In comparing space overhead, we primarily examined the overhead of the following terms: public key size, private key size, ciphertext size, and re-encryption key size. Specifically, the plaintext size for Wang et al.’s IB-ME scheme [7], Wu et al.’s IB-VPRE scheme [12], Dutta et al.’s IB-PRE scheme [15], Li et al.’s CL-PRE scheme [17] and our proposed OO-IB-MPRE scheme is 1. Setting $\lambda =n$, $q=2^{\sqrt{n}}$, $m=6n⌈logq⌉=6n^{1.5}$, $N=2n⌈logq⌉=2n^{1.5}$, $M=(n+1)⌈logq⌉+2n=n^{1.5}+2n+\sqrt{n}, k=⌈logq⌉$. Wang’s scheme [7] does not involve proxy re-encryption; so, we cannot compare its re-encryption key size. Wu’s scheme [12] and Dutta’s scheme [15] both use identity as the public key; so, we cannot compare their public key sizes. For ease of comparison, we set the length l of the identity code in Wu’s scheme [12] to 1. Subsequently, we can compute the size of the space overhead, as shown in

Table 1. The comparison of space overhead.

	Wang et al. [7]	Wu et al. [12]	Dutta et al. [15]	Li et al. [17]	Proposed Scheme
plaintext size	1	1	1	1	1
public key size	$6n^2$	—	—	$6n^3$	$6n^2$
private key size	$12n^2$	$12n^2$	$12n^{3.5}$	$72n^{3.5}$	$12n^2$
ciphertext size	$12n^2$	$12n^2$	$8n^2$	$72n^{3.5}$	$12n^2$
Re-encryption key size	—	$144n^4+12n^{2.5}+12n^2+\sqrt{n}$	$64n^{3.5}$	$108n^{3.5}+72n^4$	$72n^{3.5}$

. The symbol “—” indicates that this item is not included in the scheme.

When re-encrypting 1-bit plaintext, the proposed scheme has a public key size of $6n^2$, a private key size and ciphertext size of $12n^2$, and a re-encryption key size of $72n^{3.5}$. In comparison, the Wang’s scheme [7] has a public key size of $6n^2$, a private key size and ciphertext size of $12n^2$; the Wu’s scheme [12] has a private key size and ciphertext size of $12n^2$, and a re-encryption key size of $144n^4+12n^{2.5}+12n^2+\sqrt{n}$; the Dutta’s scheme [15] has a private key size of $12n^{3.5}$, a ciphertext size of $8n^2$, and a re-encryption key size of $64n^{3.5}$; the Li’s scheme [17] has a public key size of $6n^3$, a private key size and ciphertext size of $72n^{3.5}$, and a re-encryption key size of $108n^{3.5}+72n^4$. Thus, the proposed scheme demonstrates superior space efficiency over the Wu’s scheme and the Li’s scheme.

For the same security parameter n, the public key size, private key size, ciphertext size and re-encryption key size required by Wang’s scheme [7], Wu’s scheme [12], Dutta’s scheme [15], Li’s scheme [17] and our proposed scheme for encrypting 1-bit plaintext are shown in

Table 2. Comparison of Scheme size.

Scheme	n	Public Key Size (KB)	Private Key Size (KB)	Ciphertext Size (KB)	Re-Encryption Key Size (KB)
Wang et al. [7]	$n=32$	0.75	1.5	1.5	—
	$n=64$	3	6.0	6.0	—
	$n=128$	12	24.0	24.0	—
	$n=256$	48	96.0	96.0	—
	$n=512$	192	384.0	384.0	—
	$n=1024$	768	1536.0	1536.0	—
Wu et al. [12]	$n=32$	—	1.5	1.5	18,442.6107
	$n=64$	—	6.0	6.0	295,002.6611
	$n=128$	—	24.0	24.0	4,718,898.2084
	$n=256$	—	96.0	96.0	75,500,317
	$n=512$	—	384.0	384.0	1,208,823,118.5
	$n=1024$	—	1536.0	1536.0	19,327,408,403
Dutta et al. [15]	$n=32$	—	271.5302	1	1448.1547
	$n=64$	—	3072	4	16,384
	$n=128$	—	34,770	16	185,442
	$n=256$	—	393,216	64	2,097,152
	$n=512$	—	4,446,603.6	256	23,715,219.2
	$n=1024$	—	50,331,648	1024	268,435,456
Li et al. [17]	$n=32$	24	1629.1758	1629.1758	11,659.7637
	$n=64$	192	18,432	18,432	175,104
	$n=128$	1536	208,534.2715	208,534.2715	2,672,097.407
	$n=256$	12,288	2,359,296	2,359,296	41,287,680
	$n=512$	98,304	26,692,387.21	26,692,387.21	644,018,356.8
	$n=1024$	786,432	301,989,888	301,989,888	10,116,661,248
Proposed scheme	$n=32$	0.75	1.5	1.5	1629.1758
	$n=64$	3	6	6	18,432
	$n=128$	12	24	24	208,534.2715
	$n=256$	48	96	96	2,359,296
	$n=512$	192	384	384	26,692,387.21
	$n=1024$	768	1536	1536	301,989,888

. Figure 2, Figure 3, Figure 4 and Figure 5 further illustrate the experimental results under different security parameters n, demonstrating that our scheme exhibits significant advantages in terms of space overhead.

To facilitate size comparison with other schemes [7,12,15,17], Table 1 and Table 2 only account for online ciphertext size without considering offline ciphertext size. We now present a direct comparison between online and offline ciphertext sizes in our proposed scheme, with the results for security parameter n shown in

Table 3. The comparison of space overhead between online and offline ciphertext.

	Proposed Scheme
online ciphertext size	$12n^2$
offline ciphertext size	$12n^2+n^{1.5}$

and

Table 4. The size comparison of online and offline ciphertext.

Scheme	n	Online Ciphertext Size (KB)	Offline Ciphertext Size (KB)
Proposed scheme	$n=32$	1.5	1.5221
	$n=64$	6	6.0625
	$n=128$	24	24.1768
	$n=256$	96	96.5
	$n=512$	384	385.4142
	$n=1024$	1536	1540

. It can be seen that as the security parameter n increases, the difference in the size of online and offline ciphertexts becomes negligible.

6.2. Computational Overhead

This section makes a comparison of the computational overhead of the devised scheme with that of Wang’s scheme [7], Wu’s scheme [12], Dutta’s scheme [15] and Li’s scheme [17]. Let $T_{tg}, T_{sp}, T_{sd}, T_{sl}, T_{dt}, T_{iv}$ represent the time overhead of the TrapGen algorithm, the SamplePre algorithm, the SampleD algorithm, the SampleLeft algorithm, the DelTrap algorithm, the Invert algorithm, respectively. Let $T_{\alpha \beta \gamma }^{\mathrm{mul}}$ represent the time overhead of multiplying an $\beta \times \gamma$ matrix by an $\alpha \times \beta$ matrix, where $\alpha , \beta , \gamma \in \mathbb{Z}$. $T_{\left(m\sqrt{n}\right)}^{\mathrm{mul}}$ represents the time it takes to multiply a $1\times m$ vector by a number. $T_{mm}^{\mathrm{mul}}$ represents the time it takes to multiply a $m\times m$ matrix by a number. $T_{nm}^{\mathrm{mul}}$ represents the time it takes to multiply a $n\times m$ matrix by a number. $T_p^{\mathrm{zk}}$ represents the time overhead of the proof process for zero-knowledge proofs. $T_v^{\mathrm{zk}}$ represents the time overhead of the verification process for zero-knowledge proofs. The DelTrap algorithm in Dutta’s scheme [15] employs the trapdoor of $A_i$ for presampling. However, differing implementations of trapdoor result in variations in the algorithm’s design. For consistency, the SamplePre algorithm replaces the DelTrap algorithm for time simulation. Since the Invert algorithm can be executed offline, its computational overhead is negligible. For comparison purposes, the computational overheads of calculating $T_p^{\mathrm{zk}}$ and $T_v^{\mathrm{zk}}$ in Wang’s scheme [7] are also ignored. Furthermore, as Wang’s scheme [7] does not involve proxy re-encryption, we cannot compare its computational overhead for RekeyGen and ReEnc algorithms.

Table 5. The running time of every algorithm.

Basic Operation	When $\mathit{n}=32$ Execution Time (s)	When $\mathit{n}=64$ Execution Time (s)
$T_{tg}$	0.063	0.064
$T_{sp}$	2.080	2.076
$T_{sl}$	2.290	2.298
$T_{mm}^{\mathrm{mul}}$	0.004896	0.055118
$T_{mmm}^{\mathrm{mul}}$	3.2885	43.9306
$T_{mn\left(m\sqrt{n}\right)}^{\mathrm{mul}}$	0.6685625	8.40894
$T_{\left(2m\right)mm}^{\mathrm{mul}}$	5.61975	72.3685
$T_{nmn}^{\mathrm{mul}}$	0.053	0.376
$T_{mnm}^{\mathrm{mul}}$	0.111	1.09175
$T_{nnm}^{\mathrm{mul}}$	0.05625	0.34225
$T_{mn1}^{\mathrm{mul}}$	0.0000851	0.000352
$T_{m\left(2m\right)1}^{\mathrm{mul}}$	0.0001148	0.0004114
$T_{1\left(2m\right)1}^{\mathrm{mul}}$	0.0001127	0.0002909
$T_{2m(m\sqrt{n}+m)m}^{\mathrm{mul}}$	33.1398	661.1135
$(\sqrt{n}-1)T_{\left(m\sqrt{n}\right)}^{\mathrm{mul}}$	0.05656	1.519259
$T_{1n1}^{\mathrm{mul}}$	0.0000204025	0.0000143242
$T_{\left(2m\right)n1}^{\mathrm{mul}}$	0.000241805	0.00100945
$T_{1mm}^{\mathrm{mul}}$	0.000124472	0.000528142
$T_{1n\left(2m\right)}^{\mathrm{mul}}$	0.0000130828	0.0000200966
$T_{\left(2m\sqrt{n}\right)n\left(2m\right)}^{\mathrm{mul}}$	2.28288	41.8259
$T_{\left(2m\sqrt{n}\right)n1}^{\mathrm{mul}}$	0.002	0.012
$T_{1(2m\sqrt{n}+1)(2m+1)}^{\mathrm{mul}}$	1.6515	16.1692
$T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}$	0.017125	0.164375
$T_{1n(m+2n^{1.5})}^{\mathrm{mul}}$	0.003	0.02025
$T_{1(m-n^{1.5})\left(n^{1.5}\right)}^{\mathrm{mul}}$	0.011	0.11775
$T_{1\left(n^{1.5}\right)\left(n^{1.5}\right)}^{\mathrm{mul}}$	0.007625	0.023625
$T_{1(m+2n^{1.5})\left(2n^{1.5}\right)}^{\mathrm{mul}}$	0.0405	0.34625
$T_{nnn}^{\mathrm{mul}}$	0.002	0.019
$T_{nm}^{\mathrm{mul}}$	0.00220187	0.0133956

shows the specific comparison of computational overhead and presents the average time for these algorithms after ten executions.

The devised OO-IB-MPRE solution operates on a server outfitted with a 32-vCPU Intel^® Xeon^® Platinum 8352V processor @2.10GHz and 60GB of RAM, running under Ubuntu. To achieve better portability, we utilize the NTL library and C++ language to implement the program.

Considering that hash functions run in negligible time and matrix inversion can be carried out offline by users, the computational overhead of these operations is negligible. The specific computational overhead for the five algorithms—Public Key and Private Key Generation, Encryption, Rekey Generation, Re-Encryption, and Decryption are contrasted in

Table 6. Computational overhead comparison.

Scheme	Wang et al. [7]	Wu et al. [12]	Dutta et al. [15]	Li et al. [17]	Proposed Scheme
Public/Private key Gen	$T_{sp}+T_{sl}$	$T_{sp}+T_{nm}^{\mathrm{mul}}$	$3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}+2T_{dt}$	$T_{sp}+T_{tg}$	$T_{sp}+T_{sl}$
Enc	$T_{1n1}^{\mathrm{mul}}+T_{nnm}^{\mathrm{mul}}+T_{\left(2m\right)n1}^{\mathrm{mul}}+T_p^{\mathrm{zk}}$	$T_{nm}^{\mathrm{mul}}+T_{mm}^{\mathrm{mul}}+T_{1mm}^{\mathrm{mul}}+T_{1n\left(2m\right)}^{\mathrm{mul}}+T_{1n1}^{\mathrm{mul}}$	$T_{1n(m+2n^{1.5})}^{\mathrm{mul}}+3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}$	$2T_{mnm}^{\mathrm{mul}}+T_{nmn}^{\mathrm{mul}}$	$T_{nnm}^{\mathrm{mul}}+T_{mn1}^{\mathrm{mul}}$
RekeyGen	—	$T_{\left(2m\sqrt{n}\right)n\left(2m\right)}^{\mathrm{mul}}+T_{\left(2m\sqrt{n}\right)n1}^{\mathrm{mul}}$	$3T_{sp}+6T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+4T_{nnn}^{\mathrm{mul}}$	$T_{sp}+2T_{mn\left(m\sqrt{n}\right)}^{\mathrm{mul}}+(\sqrt{n}-1)T_{\left(m\sqrt{n}\right)}^{\mathrm{mul}}$	$T_{sl}+T_{nnm}^{\mathrm{mul}}$
ReEnc	—	$T_{1(2m\sqrt{n}+1)(2m+1)}^{\mathrm{mul}}$	$T_{1n(m+2n^{1.5})}^{\mathrm{mul}}+3T_{1(m-n^{1.5})\left(n^{1.5}\right)}^{\mathrm{mul}}+6T_{1\left(n^{1.5}\right)\left(n^{1.5}\right)}^{\mathrm{mul}}$	$T_{\left(2m\right)(m\sqrt{n}+m)m}^{\mathrm{mul}}+T_{\left(2m\right)mm}^{\mathrm{mul}}$	$T_{m\left(2m\right)1}^{\mathrm{mul}}$
Dec	$T_{1\left(2m\right)1}^{\mathrm{mul}}+T_v^{\mathrm{zk}}$	$T_{1\left(2m\right)1}^{\mathrm{mul}}$	$3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}+T_{1(m+2n^{1.5})\left(2n^{1.5}\right)}^{\mathrm{mul}}+T_{iv}$	$4T_{mmm}^{\mathrm{mul}}+T_{mm}^{\mathrm{mul}}$	$T_{1\left(2m\right)1}^{\mathrm{mul}}$

. For ease of comparison, the setup and private key generation algorithms have been integrated into a single category: Public Key and Private Key Generation.

For ease of comparison, set $t=n$, $q=2^{\sqrt{n}}$, $m=6n\lceil logq\rceil =6n^{1.5}$, $N=2n\lceil logq\rceil =2n^{1.5}$, $M=(n+1)\lceil logq\rceil +2n=n^{1.5}+2n+\sqrt{n}$, $k=\lceil logq\rceil$. When security parameter $n=32$, in Wang et al.’s scheme [7], the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{sl}\approx 4.37\mathrm{s}$, the Encryption algorithm is approximately $T_{1n1}^{\mathrm{mul}}+T_{nnm}^{\mathrm{mul}}+T_{\left(2m\right)n1}^{\mathrm{mul}}\approx 0.0565\mathrm{s}$, and the Decryption algorithm is approximately $T_{1\left(2m\right)1}^{\mathrm{mul}}\approx 0.0001\mathrm{s}$; in Wu et al.’s scheme [12], the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{nm}^{\mathrm{mul}}\approx 2.0822\mathrm{s}$, the Encryption algorithm is approximately $T_{nm}^{\mathrm{mul}}+T_{mm}^{\mathrm{mul}}+T_{1mm}^{\mathrm{mul}}+T_{1n\left(2m\right)}^{\mathrm{mul}}+T_{1n1}^{\mathrm{mul}}\approx 0.0073\mathrm{s}$, the Rekey Generation algorithm is approximately $T_{\left(2m\sqrt{n}\right)}^{\mathrm{mul}}+T_{\left(2m\sqrt{n}\right)n1}^{\mathrm{mul}}\approx 2.2849\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{1\left(2m\sqrt{n}\right)(2m+1)}^{\mathrm{mul}}\approx 1.6515\mathrm{s}$, and the Decryption algorithm is approximately $T_{1\left(2m\right)1}^{\mathrm{mul}}\approx 0.0001\mathrm{s}$; in Dutta et al.’s scheme [15], the time overhead of the Public Key and Private Key Generation algorithm is approximately $3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}+2T_{sp}\approx 4.2154\mathrm{s}$, the Encryption algorithm is approximately $T_{1n(m+2n^{1.5})}^{\mathrm{mul}}+3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}\approx 0.0584\mathrm{s}$, the Rekey Generation algorithm is approximately $3T_{sp}+6T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+4T_{nnn}^{\mathrm{mul}}\approx 6.3508\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{1n(m+2n^{1.5})}^{\mathrm{mul}}+3T_{1(m-n^{1.5})\left(n^{1.5}\right)}^{\mathrm{mul}}+6T_{1\left(n^{1.5}\right)\left(n^{1.5}\right)}^{\mathrm{mul}}\approx 0.0818\mathrm{s}$, and the Decryption algorithm is approximately $3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}+T_{1(m+2n^{1.5})\left(2n^{1.5}\right)}^{\mathrm{mul}}\approx 0.0959\mathrm{s}$; in Li et al.’s scheme [17], the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{tg}\approx 2.143\mathrm{s}$, the Encryption algorithm is approximately $2T_{mnm}^{\mathrm{mul}}+T_{nmn}^{\mathrm{mul}}\approx 0.275\mathrm{s}$, the Rekey Generation algorithm is approximately $T_{sp}+2T_{mn\left(m\sqrt{n}\right)}^{\mathrm{mul}}+\left(\sqrt{n}\right)T_{\left(m\sqrt{n}\right)}^{\mathrm{mul}}\approx 3.474\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{2m\left(m\sqrt{n}\right)m}^{\mathrm{mul}}+T_{\left(2m\right)mm}^{\mathrm{mul}}\approx 38.760\mathrm{s}$, and the Decryption algorithm is approximately $4T_{mmm}^{\mathrm{mul}}+T_{mm}^{\mathrm{mul}}\approx 13.159\mathrm{s}$.

In our scheme, the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{sl}\approx 4.37\mathrm{s}$, the Encryption algorithm is approximately $T_{nnm}^{\mathrm{mul}}+T_{mn1}^{\mathrm{mul}}\approx 0.056\mathrm{s}$, the Rekey Generation algorithm is approximately $T_{sl}+T_{nnm}^{\mathrm{mul}}\approx 2.3463\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{m\left(2m\right)1}^{\mathrm{mul}}\approx 0.0001\mathrm{s}$, and the Decryption algorithm is approximately $T_{1\left(2m\right)1}^{\mathrm{mul}}\approx 0.0001\mathrm{s}$.

When security parameter $n=64$, in Wang et al.’s scheme [7], the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{sl}\approx 4.374\mathrm{s}$, the Encryption algorithm is approximately $T_{1n1}^{\mathrm{mul}}+T_{nnm}^{\mathrm{mul}}+T_{\left(2m\right)n1}^{\mathrm{mul}}\approx 0.3433\mathrm{s}$, and the Decryption algorithm is approximately $T_{1\left(2m\right)1}^{\mathrm{mul}}\approx 0.0003\mathrm{s}$; in Wu et al.’s scheme [12], the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{nm}^{\mathrm{mul}}\approx 2.0894\mathrm{s}$, the Encryption algorithm is approximately $T_{nm}^{\mathrm{mul}}+T_{mm}^{\mathrm{mul}}+T_{1mm}^{\mathrm{mul}}+T_{1n\left(2m\right)}^{\mathrm{mul}}+T_{1n1}^{\mathrm{mul}}\approx 0.0691\mathrm{s}$, the Rekey Generation algorithm is approximately $T_{\left(2m\sqrt{n}\right)}^{\mathrm{mul}}+T_{\left(2m\sqrt{n}\right)n1}^{\mathrm{mul}}\approx 41.8379\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{1\left(2m\sqrt{n}\right)(2m+1)}^{\mathrm{mul}}\approx 16.1692\mathrm{s}$, and the Decryption algorithm is approximately $T_{1\left(2m\right)1}^{\mathrm{mul}}\approx 0.0003\mathrm{s}$; in Dutta et al.’s scheme [15], the time overhead of the Public Key and Private Key Generation algorithm is approximately $3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}+2T_{sp}\approx 4.6831\mathrm{s}$, the Encryption algorithm is approximately $T_{1n(m+2n^{1.5})}^{\mathrm{mul}}+3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}\approx 0.5512\mathrm{s}$, the Rekey Generation algorithm is approximately $3T_{sp}+6T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+4T_{nnn}^{\mathrm{mul}}\approx 7.2903\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{1n(m+2n^{1.5})}^{\mathrm{mul}}+3T_{1(m-n^{1.5})\left(n^{1.5}\right)}^{\mathrm{mul}}+6T_{1\left(n^{1.5}\right)\left(n^{1.5}\right)}^{\mathrm{mul}}\approx 0.5153\mathrm{s}$, and the Decryption algorithm is approximately $3T_{nn\left(n^{1.5}\right)}^{\mathrm{mul}}+2T_{nnn}^{\mathrm{mul}}+T_{1(m+2n^{1.5})\left(2n^{1.5}\right)}^{\mathrm{mul}}\approx 0.8778\mathrm{s}$; in Li et al.’s scheme [17], the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{tg}\approx 2.14\mathrm{s}$, the Encryption algorithm is approximately $2T_{mnm}^{\mathrm{mul}}+T_{nmn}^{\mathrm{mul}}\approx 2.5595\mathrm{s}$, the Rekey Generation algorithm is approximately $T_{sp}+2T_{mn\left(m\sqrt{n}\right)}^{\mathrm{mul}}+\left(\sqrt{n}\right)T_{\left(m\sqrt{n}\right)}^{\mathrm{mul}}\approx 20.4131\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{2m\left(m\sqrt{n}\right)m}^{\mathrm{mul}}+T_{\left(2m\right)mm}^{\mathrm{mul}}\approx 733.482\mathrm{s}$, and the Decryption algorithm is approximately $4T_{\mathrm{mmm}}^{\mathrm{mul}}+T_{\mathrm{mm}}^{\mathrm{mul}}\approx 175.7775\mathrm{s}$.

In our scheme, the time overhead of the Public Key and Private Key Generation algorithm is approximately $T_{sp}+T_{sl}\approx 4.374\mathrm{s}$, the Encryption algorithm is approximately $T_{nnm}^{\mathrm{mul}}+T_{mn1}^{\mathrm{mul}}\approx 0.3426\mathrm{s}$, the Rekey Generation algorithm is approximately $T_{sl}+T_{nnm}^{\mathrm{mul}}\approx 2.6403\mathrm{s}$, the Re-Encryption algorithm is approximately $T_{m\left(2m\right)1}^{\mathrm{mul}}\approx 0.0004\mathrm{s}$, and the Decryption algorithm is approximately $T_{1\left(2m\right)1}^{\mathrm{mul}}\approx 0.0003\mathrm{s}$.

As shown in Figure 6 and Figure 7, although our scheme requires more time than Wu et al.’s scheme [12] and Li et al.’s scheme [17] in the Public Key and Private Key Generation algorithms, the key generation algorithm only needs to be executed once when encrypting data. In terms of encryption algorithm and re-encryption key generation algorithm, our scheme exhibits lower computational overhead than Dutta et al.’s scheme [15] and Li et al.’s scheme [17]. For re-encryption algorithm specifically, our scheme demonstrates significant advantages, with computational overhead substantially lower than Wu et al.’s scheme [12], Dutta et al.’s scheme [15], and Li et al.’s scheme [17]. For the decryption algorithm, our scheme incurs lower computational overhead than Wu et al.’s scheme [12] and Li et al.’s scheme [17]. In terms of overall computational overhead, our scheme also incurs lower computational overhead than the schemes Wu et al.’s scheme [12] and Li et al.’s scheme [17].

6.3. Limitations and Discussion

While the OO-IB-MPRE scheme proposed herein achieves post-quantum security and optimizes online efficiency for resource-constrained sensors, we must explicitly acknowledge several limitations inherent to the scheme:

• Storage and Bandwidth Overhead: As detailed in Table 2, the dimensionality of the underlying matrices leads to relatively large key sizes. In particular, the re-encryption key $r{k}_{\mathrm{rcv}\to {\mathrm{rcv}}^{\prime }}$ generated by the SampleLeft algorithm is a matrix belonging to the space ${\mathbb{Z}}_q^{2m\times m}$. At elevated security parameter settings (e.g., $n=512$), the size of this key can reach the gigabyte (GB) scale.
• Computational Cost of Key Generation: Both the key generation and re-encryption key generation phases entail complex Gaussian sampling (as shown in Table 5). This computational overhead surpasses that of conventional bilinear pairing-based cryptographic schemes-a necessary trade-off to achieve resistance against quantum attacks. While such overhead is negligible in small-scale user deployment scenarios, it may create performance bottlenecks during the bulk registration of large user cohorts. This limitation can be alleviated through optimization strategies such as multi-authority hierarchical key generation.
• Trust Assumptions: The proposed system relies on a single Trusted Authority (TA) to generate all user private keys, which inherently introduces the key escrow problem prevalent in Identity-Based Encryption (IBE) systems. If the TA is compromised, the security of all system users will be irreparably jeopardized. Future research can address this vulnerability by decentralizing the trust architecture via multi-authority or threshold IBE techniques.

7. Real World Applications

In the context of smart physical education, the demand for the sharing and collaboration of exercise physiological data is growing increasingly. Specifically in the field of college physical education, there are three core data application scenarios:

• Management of College Physical Fitness Test Data. Students collect exercise physiological data (such as heart rate during endurance running and blood oxygen data related to lung capacity) during physical fitness tests via wearable sensors and upload the data to the cloud. The core requirements here are to protect data privacy (preventing the leakage of students’ physiological data) and ensure identity security (guaranteeing that data is accurately associated with the corresponding student), so as to support the authenticity and security of the physical fitness test results.
• Personalized Physical Education Instruction. Relying on the exercise physiological data stored in the cloud (such as a student’s running gait and lactic acid accumulation rate during strength training), teachers can develop differentiated training plans—for example, adjusting running postures for students with abnormal gaits or optimizing endurance training intensity for students with excessively fast lactic acid accumulation—thereby achieving targeted physical education teaching.
• Prevention of Sports Injuries and Rehabilitation Tracking. Injury Prevention: Real-time sports data (such as impact force when landing from a jump and joint movement angles) is monitored via sensors. When the data exceeds safety thresholds (e.g., excessive impact force), timely warnings are issued to avoid issues such as ankle sprains and knee joint injuries. Rehabilitation Tracking: It is necessary to synchronize the exercise data of students in the rehabilitation period (such as the range of motion of joints during rehabilitation training and the recovery status of muscle strength) to rehabilitation hospitals. Doctors adjust rehabilitation plans based on this data. Meanwhile, it is necessary to ensure the legitimate access of hospitals to data and prevent unrelated personnel from obtaining data.

For instance, in scenarios involving personalized physical education instruction and collaborative sports injury rehabilitation, a student’s data may require access by physical education teachers, fitness coaches, and even rehabilitation physicians. Access control must dynamically adjust based on the teaching or rehabilitation phase. The proposed lattice-based Online/Offline Identity-Based Matching Proxy Re-encryption (OO-IB-MPRE) scheme addresses these scenarios by establishing a secure, efficient data sharing framework. As illustrated in Figure 8, the system entities comprise the Sports Center, athletes (senders), coaches/proctors (receivers), and the proxy (cloud). The TA, as the system’s trusted entity, generates the master public key and master private key pair.

Initialization Phase:

• Students wear sensors to confirm proper functioning and bind personal information.
• TA executes the SetUp algorithm to generate a master public key and master private key pair.

Key Generation Phase:

3.

The sender (student) uploads their identity to TA, which then runs the EkGen algorithm to generate the enc key for the athlete.

4.

The TA runs the DkGen algorithm based on the recipient’s identity to generate the corresponding decryption key.

Physical Testing Phase:

5.

Coaches access data to analyze student status and develop personalized physical education instruction. Proctors access data to record physical test data.

6.

Offline Enc: During idle periods, sensors worn by students (e.g., wristbands) run offline enc algorithms to generate intermediate ciphertext.

7.

Online Enc: When uploading real-time data such as heart rate, step frequency, and blood oxygen saturation, the wristband executes an online enc algorithm. Combining the intermediate ciphertext, the designated target recipient, and the plaintext m (i.e., the data), it rapidly generates the final ciphertext.

8.

Upload and store the generated ciphertext to the cloud server.

Dynamic Access Control and Data Sharing:

9.

When it is necessary to expand the scope of data sharing (e.g., requiring physician involvement), the data owner runs the $RkGen$ algorithm to generate the re-enc key ${rk}_{rev\to {rev}^{\prime }}$ based on the original identity $rev$ and new identity ${rev}^{\prime }$, and sends it to the cloud server.

10.

Upon authorization, the cloud server runs the $ReEnc$ algorithm to the stored original ciphertext $ct$, generating re-encrypted ciphertext ${ct}^{\prime }$.

Data Decryption and Usage:

11.

When a data user (e.g., a doctor) needs to access data, they download the ciphertext (possibly $ct$ or ${ct}^{\prime }$) from the cloud server.

12.

The doctor runs the $Dec$ algorithm using their own decryption key ${dk}_{\rho }$, their desired sender (student) identity, and the ciphertext. Decryption succeeds and yields the plaintext data m.

8. Conclusions

To address the issues of missing data source authentication, weak security mechanisms, inefficient access control, and insufficient quantum-resistant capabilities in cloud-based management of exercise physiological data within smart sports education scenarios, this paper proposes a lattice-based online/offline identity-based matching proxy re-encryption scheme (OO-IB-MPRE). This scheme integrates lattice cryptography, identity-based matching encryption (IB-ME), proxy re-encryption (PRE), and online/offline technology. It achieves post-quantum security and protects the privacy of data source identities while effectively reducing computational overhead. This makes it suitable for the resource constraints of wearable devices and meets data upload requirements. Under the standard lattice assumption, formal security proofs demonstrate that the scheme satisfies privacy and authenticity requirements in the semi-selective attack model, providing theoretical security guarantees for practical applications. Thus, the OO-IB-MPRE scheme provides a comprehensive solution for securing exercise physiological data. Subsequent research will prioritize the improvement in computational efficiency, expanding applicable scenarios, and exploring deployment strategies under multi-proxy and multi-trusted-entity environments to further enhance the scheme’s practicality and adaptability.