Next Article in Journal
On a Linear Differential Game in the Hilbert Space 2
Next Article in Special Issue
AIOL: An Improved Orthogonal Lattice Algorithm for the General Approximate Common Divisor Problem
Previous Article in Journal
Prediction of the Health Status of Older Adults Using Oversampling and Neural Network
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Revocable-Attribute-Based Encryption with En-DKER from Lattices

1
College of Data Science and Technology, Heilongjiang University, Harbin 150080, China
2
School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
3
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China
*
Author to whom correspondence should be addressed.
Mathematics 2023, 11(24), 4986; https://doi.org/10.3390/math11244986
Submission received: 20 November 2023 / Revised: 14 December 2023 / Accepted: 15 December 2023 / Published: 17 December 2023
(This article belongs to the Special Issue New Advances in Cryptographic Theory and Application)

Abstract

:
Cloud computing offers abundant computing resources and scalable storage, but data leakage in the cloud storage environment is a common and critical concern due to inadequate protection measures. Revocable-attribute-based encryption (RABE) is introduced as an advanced form of identity-based encryption (IBE), which encrypts sensitive data while providing fine-grained access control and an effective user revocation mechanism. However, most existing RABE schemes are not resistant to quantum attacks and are limited in their application scenarios due to the revocation model. In this paper, we propose a RABE scheme constructed from lattices. Our scheme has several advantages, including a near-zero periodic workload for the key generation center (KGC), ensuring scalability as the number of users increases. Additionally, the encryptor is relieved from managing a revocation list. Moreover, our scheme guarantees the confidentiality and privacy of other ciphertexts even if the decryption key for a specific period is compromised. We validated the correctness of our scheme and demonstrated its security under the assumption of learning with errors (LWE), which is widely believed to be resistant to quantum attacks. Finally, we provide an application example of our RABE scheme in the electronic healthcare scenario.

1. Introduction

Attribute-based encryption (ABE), introduced by Sahai and Waters [1], is regarded as an advanced variant of identity-based encryption (IBE). Its decryption process only becomes viable when the attributes meet the specified policy, thereby providing a cryptographic primitive for encryption with fine-grained access control. ABE manifests in two distinct forms: ciphertext-policy and key-policy. In ciphertext-policy ABE (CP-ABE) [2,3], ciphertexts are associated with access policies and keys are associated with attributes. Conversely, in key-policy ABE (KP-ABE) [4,5], ciphertexts are associated with attributes and keys are associated with access policies. In this paper, we focus our discussion on KP-ABE.
Over the years, ABE has evolved into a foundational cryptographic primitive, displaying vast potential applications. Researchers have proposed numerous enhanced and extended ABE schemes [4,5,6,7,8] to address essential facets such as expressiveness, efficiency, and security. Notably, ABE schemes resistant to quantum computers, especially those based on lattice cryptography, have received significant attention. The development of these quantum-resistant schemes addresses vital aspects while also presenting new challenges.
In many practical applications of ABE, an efficient revocation mechanism is crucial when users become malicious or their secret keys are compromised. Boneh and Franklin [9] proposed a solution where the key generation center (KGC) periodically generates keys for all non-revoked users. However, this approach results in a periodic workload of O ( N r ) for the KGC, potentially becoming a bottleneck as the number of users grows, where N and r represent the maximum number of users and revoked users, respectively. Boldyreva et al. [10] introduced an indirect revocation model employing a binary tree structure and subset-cover framework, effectively reducing the periodic workload of the KGC to O ( r log ( N / r ) ) , a more scalable approach.
Following the work of Boldyreva et al. [10], Chen et al. [11] presented the first lattice-based indirect revocation IBE (RIBE) scheme. However, when extending this scheme to ABE, conflicts arise between fine-grained access control and the coarse-grained binary tree employed for user revocation, presenting challenges for security proofs. So is there a revocable-attribute-based encryption (RABE) from lattices that the encryptor does not need to manage the revocation list?
There have been a few exciting attempts towards addressing this problem [12,13,14]. However, these schemes adopt a direct revocation model proposed by Attrapadung and Imai [15] that eliminates the need for periodic key updates by both the KGC and users. Nevertheless, the encryptor must manage the revocation list and generate ciphertext that can only be decrypted by non-revoked users in specific scenarios.
In practical scenarios, the leakage of decryption keys from external attacks or user errors is frequently observed. Addressing this concern, Seo and Emura [16] introduced a significant security concept known as decryption key exposure resistance (DKER). DKER mandates that the exposure of decryption keys for any time period should not compromise the confidentiality of ciphertexts encrypted for distinct time periods within the context of RIBE schemes. By re-randomizing decryption keys, it is conceivable that the scheme can fulfill the DKER property. Several RABE schemes, relying on number theoretical assumptions, have been proposed to achieve DKER [17,18,19].
Nevertheless, the algebraic structure of lattices makes the re-randomization of a specific key challenging. This difficulty arises because, if a user generates a new decryption key that ensures correctness without possessing knowledge of the trapdoor, they would also have the capability to solve the Small Integer Solution (SIS) problem. So is there a RABE with DKER from lattices?
Katsumata et al. [20] proposed an approach to achieve the partial key re-randomization property from lattices and constructed the first lattice-based RIBE scheme with DKER. Their scheme adopts a two-level structure, where the first level incorporates [11] for revocation, while the second level relies on any lattice-based HIBE scheme [21,22] to fulfill the DKER property. However, this two-level structure cannot be extended to ABE. In ABE, multiple users may correspond to the same policy. Consequently, a revoked user can combine the decryption keys leaked by non-revoked users with the same policy to generate new decryption keys for other time periods.

1.1. Related Work

Qin et al. [23] proposed a server-aided revocation model, utilizing an untrusted server for periodic key updates instead of relying on the user. This innovative approach enables users to achieve arbitrary period decryption while maintaining only a constant-level secret key, thus significantly reducing the user’s workload. Recently, Wang et al. [24] proposed a novel revocation model with a nearly negligible periodic workload for the KGC. Unlike direct revocation, this model eliminates the need for the encryptor to manage a revocation list. Additionally, they introduced a lattice basis delegation approach, enabling the delegation of sampling operations to an untrusted server. This approach significantly reduces the periodic workload associated with user decryption key generation.
Takayasu and Watanabe [25,26] integrated anonymity and DKER for the first time, constructing a RIBE scheme with bounded DKER (B-DKER) and anonymity. Anonymity, as defined by Boyen [27], guarantees that encrypted ciphertext must not reveal the recipient’s identity. Simultaneously, B-DKER ensures the security of RIBE schemes under a priori bounded exposure of decryption keys, representing a weak version of DKER. In a subsequent development, Wang et al. [24] introduced an enhanced form of DKER, named enhanced DKER (En-DKER). En-DKER extends the requirement by ensuring that the exposure of decryption keys in any time period cannot compromise the confidentiality and anonymity of ciphertexts in other time periods.
Wang et al. [28] and Yang et al. [29] proposed two revocable CP-ABE schemes under the learning with errors (LWE) assumption. Furthermore, Yang et al. [30] presented a revocable and multi-authority CP-ABE from the ring learning with errors (RLWE) assumption. Dong et al. [31] proposed a lattice-based RABE scheme with DKER. Huang et al. [32] proposed a multiple authorities CP-ABE scheme with DKER from lattices.

1.2. Technical Overview

Here, we provide a detailed analysis of the difficulties associated with the two open problems mentioned earlier in the introduction. Subsequently, we present the construction approach for our lattice-based RABE with the En-DKER scheme.
First, we define the symbols that may be used in the following discussions. A , B , and W are matrices in Z q n × m , T A is the trapdoor of the matrix A , and u and s are random vectors in Z q n . B I D and W t are random matrices of identity I D and time period t in Z q n × m based on B and W , respectively. In addition, the KGC manages a binary tree B T and randomly selects a particular leaf node η I D for each identity I D . Path ( η I D ) and KUNodes ( RL t ) are two node sets, where the former represents all nodes on the path from the leaf node η I D to the root, and the latter represents the smallest nodes subset of non-revoked users in time period t. The detailed introduction of algorithm KUNodes is in Lemma 8. Assuming that an identity I D has not been revoked at time period t, there must be a node θ * = Path ( η I D ) KUNodes ( RL t ) . For each node θ BT , select a uniformly random vector u θ in Z q n .
We recall Chen et al.’s [11] RIBE scheme from lattices. As shown in Figure 1, the scheme consists of six algorithms: Setup , GenSK , KeyUp , GenDK , Enc , and Dec . The algorithm GenSK is run by the KGC to generate the secret key { sk I D , θ } θ Path ( η I D ) for the identity I D . The KGC periodically runs the algorithm KeyUp , inputs the revocation list RL t , and outputs and broadcasts the key update { ku t , θ } θ KUNodes ( RL t ) . If the user I D has not been revoked at time period t, he can generate the decryption key dk I D , t by adding sk I D , θ * and ku t , θ * in a component-wise fashion. Conversely, if the user I D is revoked, there is no intersection node between the two node sets, u θ cannot be eliminated, and thus the decryption key dk I D , t cannot be calculated.
However, when extending Chen et al.’s [11] RIBE to RABE, conflicts arise between fine-grained access control and the coarse-grained binary tree employed for user revocation, presenting challenges for security proofs.
Specifically, in the security proof of [11], if the challenge identity I D * is revoked, the adversary can still make secret key queries for I D * . It should be noted that, in this case, the challenger cannot utilize SampleRight for generation. Instead, for each θ Path ( η I D * ) , a random vector is chosen as the secret key sk I D * , θ , and u θ is assigned the value sk I D * , θ multiplied by [ A | B I D * ] . However, in ABE schemes, there may be multiple policies that satisfy the challenge attribute set x * , and a policy may correspond to multiple users as well. This means that there could be multiple revoked users who satisfy x * . When responding to the adversary’s secret key queries using the same method, there will be overlapping node sets in Path ( η I D ) , leading to conflicts in u θ . Furthermore, if we set u I D , θ for each I D , the update key will be directly related to the I D , which will bring us back to the original scheme [9], where the KGC’s period workload is O ( N r ) .
Chen et al.’s RIBE scheme from lattices [11] does not satisfy DKER. Specifically, if the decryption key d k I D , t in time period t is exposed, the adversary can use the key update ku t , θ * to recover the secret key sk I D , θ * . As a result, the adversary can do whatever the user with the identity I D can do. Katsumata et al. [20] constructed the first RIBE scheme with DKER from lattices. As shown in Figure 2, A ¯ is a matrix in Z q n × m , and T A ¯ is the trapdoor of the matrix A ¯ . s ¯ is a random vector in Z q n . They divided the ciphertext and decryption key into two levels, where the first level incorporates [11] for revocation, while the second level relies on any lattice-based HIBE scheme [21,22] to fulfill the DKER property.
However, this two-level structure cannot be extended to ABE. In ABE, multiple users may correspond to the same policy. Consequently, a revoked user can use his own partial secret key T [ A ¯ | B I D ] and combine the decryption keys leaked by non-revoked users with the same policy to generate new decryption keys for other time periods. Interestingly, this issue also leads to the inability of [20] to guarantee anonymity in the event of decryption key leakage.
As shown in Figure 3, Wang et al. [24] constructed the first RIBE scheme with En-DKER from lattices. Luckily, their scheme provided a good solution approach. First, it associates the ciphertext with KUNodes ( RL t ) so that, when the challenger replies to the secret key query, it can be separated according to the access structure as well as whether the node belongs to the challenge nodes set KUNodes ( RL t ) * . This effectively solves the problem encountered when [11] is extended to ABE. Furthermore, unlike partial secret key re-randomization using a two-level structure in [20], Wang et al.’s scheme [24] achieved full secret key re-randomization. In this way, we can cleverly avoid the collusion problem encountered when extending [20] to ABE. By combining Wang et al.’s revocation model [24] with the BGG+14 [33], we propose the first RABE with En-DKER from lattices.

1.3. Our Contributions

This paper makes the following contributions:
We extend the En-DKER property proposed by Wang et al. [24] in RIBE to RABE. Specifically, the leakage of any time period decryption keys should not compromise the confidentiality of ciphertexts from other time periods. At the same time, adversaries are unable to determine whether the attribute set of the ciphertext for the challenge time period satisfies a specific policy using keys from any other time periods or policies.
By combining Wang et al.’s revocation model [24] with the BGG+14 [33], we propose the first RABE with En-DKER from lattices. Our scheme cleverly avoids the security proof challenges faced when extending Chen et al.’s RIBE scheme [11] to RABE and the collusion issues encountered when extending Katsumata et al.’s RIBE with the DKER scheme [20] to ABE. It is noteworthy that our scheme retains the advantages of near-zero periodic workload for the KGC, and the encryptor does not need to manage a revocation list.
Finally, we validate the correctness and prove the security of our scheme under the LWE assumption.

2. Preliminaries

2.1. Notations

In this paper, we denote the underlying security parameter as λ . We use PPT to represent probabilistic polynomial time. We represent vectors with bold lowercase letters, e.g., v , and matrices with uppercase letters, e.g., A . By default, all vectors are considered column vectors. If n is a positive integer, [ n ] = { 1 , , n } . For a column vector x Z n , | | x | | denotes the standard Euclidean norm. For a matrix A R n × m , A ˜ is the Gram–Schmidt orthogonalization of A , and | | A | | is the Euclidean norm of the longest column in A .
The statistical distance between two distributions D and D is denoted as SD ( D , D ) . Two families of distributions D = { D λ } λ N and D = { D λ } λ N are considered statistically indistinguishable if there exists a negligible function negl ( · ) such that SD ( D λ , D λ ) negl ( λ ) for all λ N . Here, negl ( · ) is a function satisfying negl ( λ ) λ c for every constant c > 0 and an integer N c , where λ > N c .

2.2. Useful Facts

  • Smudging. The given lemma, originally established in [34], asserts that adding large noise often “smudges out” any small values.
Lemma 1 (Smudging Lemma).
Let  B 1 and B 2  be two polynomials over the integers, and let  D = { D λ } λ  be any  B 1 -bounded distribution family. Define  U = { U λ } λ  as the uniform distribution over  [ B 2 ( λ ) , B 2 ( λ ) ] . The families of distributions  D + U  and  U  are statistically indistinguishable if there exists a negligible function  negl ( · )  such that for all  λ N , B 1 ( λ ) / B 2 ( λ ) negl ( λ ) .
The definition of B -Bounded is as follows.
Definition 1 ( B -Bounded).
For a family of distributions  D = { D λ } λ N  over the integers and a bound  B = B ( λ ) > 0 , if for every  λ N  it holds that  P r x D λ [ | x | B ( λ ) ] = 1 , we say that  D  is  B -bounded.
  • Leftover Hash Lemma. Here, we recall the leftover hash lemma from [21].
Lemma 2.
Suppose  m > ( n + 1 ) log q + ω ( log n ) . Then, the distribution  ( A , AR )  is statistically indistinguishable from the distribution  ( A , B ) , where  A  and  B  are uniformly chosen matrices in  Z q n × m , and  R  is a uniformly chosen matrix in  { 1 , 1 } m × m . Simultaneously,  Pr [ | | R | | > 20 m ] negl ( m ) .
  • Full-Rank Different Map. We need this tool to encode identities and time periods as matrices in Z q n × n .
Definition 2.
A function  H : Z q n Z q n × n  is a full-rank different map if the matrix  H ( u ) H ( v ) Z q n × n  is full rank, for all distinct  u , v Z q n , and  H  is computable in  O ( n log q ) .

2.3. Background on Lattices

  • Lattice. Let n, m, and q be positive integers. An m-dimensional lattice, denoted as L , is a discrete subgroup within R m . Consider L q ( A ) , the q-ary lattice defined as { x Z m : A x = 0 in Z q } , where A is a matrix in Z q n × m . For any u in Z q n , let L q u ( A ) denote the coset { x Z m : A x = u in Z q } .
  • Discrete Gaussians. For any parameter σ > 0 , the discrete Gaussian distribution is defined ρ L , σ ( x ) = ρ σ ( x ) / ρ σ ( L ) , where ρ σ ( x ) = exp π x 2 / σ 2 and ρ σ ( L ) = x L ρ σ ( x ) .
  • The following lemmas represent crucial properties of the discrete Gaussian distribution [35].
Lemma 3.
For positive integers n, m, q with  m > n , q > 2 , and a matrix  A Z q n × m , there exists a negligible function  negl ( · )  such that  Pr [ | | x | | > σ m : x D L q ( A ) , σ ] negl ( n )  when  σ = Ω ˜ ( n ) .
Lemma 4.
For positive integers n, m, q with  m > 2 n log q , and given  A Z q n × m and e D Z m , σ , the distribution of  u = Ae  mod q is statistically close to the uniform distribution over  Z q n .
  • Trapdoor Generators. The ensuing lemma outlines properties of algorithms designed for generating short bases of lattices.
Lemma 5.
[36,37,38] For integers n, m,  q > 0 . There exist  PPT  algorithms with the following properties:
  • TrapGen ( 1 n , 1 m , q ) ( A , T A ) : On inputting n, m, q, output a matrix  A Z q n × m  and its trapdoor  T A Z m × m , satisfying  | | T A | | O ( n log q ) .
  • There exists a gadget matrix  G , which is a full-rank matrix in  Z q n × m  and has a publicly known trapdoor  T G  with  | | T G ˜ | | 5 .
  • Sampling Algorithms. We review some sampling algorithms from [36,37,38].
Lemma 6.
Let n, m, and q be positive integers. We have the following  PPT  algorithms:
  • SamplePre ( A , T A , σ , u ) s : Given a matrix  A Z q n × m  with trapdoor  T A , a vector u Z q n , and a parameter  σ | | T A ˜ | | · ω ( log m ) , output a vector  s Z q m  satisfying  A · s = u  and  | | s | | m σ .
  • SampleLeft ( A , M , T A , σ , u ) s : Given a matrix  A Z q n × m  with trapdoor  T A , a matrix  M Z q n × m 0 , a vector  u Z q n , and a parameter  σ | | T A ˜ | | · ω ( log ( m + m 0 ) ) , output a vector  s Z q m + m 0  distributed statistically close to  D L q u ( [ A | M ] ) , σ .
  • SampleRight ( A , G , R , T G , σ , u ) s : Given a matrix  A Z q n × m , the gadget matrix  G  with trapdoor  T G , a uniform random matrix  R { 1 , 1 } m × m , a vector  u Z q n , and a parameter  σ | | T G ˜ | | · m · ω ( log m ) , output a vector  s Z q 2 m  distributed statistically close to  D L q u ( [ A | AR + G ] ) , σ .
  • Hardness Assumption. The security of our revocable ABE scheme is reduced to the learning with errors (LWE) assumption.
Assumption 1
(Learning with Errors [39]). Let n, m, q be positive integers, and a parameter  σ R ; for any PPT adversary  A , there exists a negligible function  negl ( · )  that satisfies
| Pr [ A ( A , s A + e ) = 1 ] Pr [ A ( A , b ) = 1 ] | negl ( λ ) ,
where  A Z q n × m ,  s Z q n ,  b Z q n , and  e χ LWE m .
Here, we set χ LWE is a B LWE -bounded distribution. Moreover, Peikert [40] proved that, if B LWE ω ( log n ) · n , the hardness of the LWE assumption is equivalent to the worst-case GapSVP γ with parameter γ = 2 Ω ( n ε ) .
  • Lattice Evaluation. Here, we review some algorithms that implement the key-homomorphic features from [33,41].
Lemma 7.
Let n, m, and q be positive integers. For any matrices  B 1 , , B Z q n × m , any attribute sets  x { 0 , 1 } , and any Boolean circuit  f : x { 0 , 1 }  of depth  d , set c i = s ( B i + x i G ) + e i , where  i [ ] , s Z q n , and  e i χ LWE m , there exist algorithms ( Eval pk , Eval ct , Eval sim )  with the following properties:
  • Eval pk ( f , ( B 1 , , B ) ) B f : Given a Boolean circuit f and ℓ matrices  ( B 1 , , B ) , output the matrix  B f .
  • Eval ct ( f , { ( B i , x i , c i ) } i [ ] ) c f : For a Boolean circuit f, ℓ matrices  ( B 1 , , B ) , an attribute set  x , and ℓ vectors  ( c 1 , , c ) , output  c f . Here,  c f = s ( B f + f ( x ) G ) + e f , where  B f = Eval pk ( f , ( B 1 , , B ) ) , and  e f B m · ( m + 1 ) d  with almost negligible probability.
  • Eval sim ( f , { ( S i , x i * ) } i [ ] , A ) S f : Given a Boolean circuit f, ℓ matrices  S 1 , , S Z q m × m , a matrix  A Z q n × m , and an attribute set  x * , output  S f . Ensure  A S f f ( x * ) G = B f , where  B f = Eval pk ( f , ( A S 1 x 1 * G , , A S x * G ) ) . If  S 1 , , S { 1 , 1 } m × m , then  S f 20 m · ( m + 1 ) d  with almost negligible probability.

2.4. The Complete Subtree Method

The Complete Subtree (CS) method, introduced by Naor et al. [42], is utilized in indirect revocation schemes to alleviate the periodic workload of the KGC. In this approach, the system constructs a complete binary tree BT . For a non-leaf node θ BT , θ l and θ r denote the left and right child nodes of θ , and η denotes the leaf node in BT . Path ( η ) represents the set of nodes on the path from η to the root .
Lemma 8
( KUNodes ). On inputting the revocation list  RL t  for time period t, the  KUNodes  algorithm follows these steps: initializes two empty sets X and Y; adds  Path ( η )  to X for each  η RL t ; for each  θ X , adds  θ l  to Y if  θ l X , and adds  θ r  to Y if  θ r X ; if Y remains empty, adds  root  to Y; finally, outputs Y, which is the smallest subset of nodes representing non-revoked users during time period t.
In Figure 4a, there are no revoked users and KUNodes = { root } . However, in Figure 4b, User 2 has been revoked and KUNodes = { 2 , 3 } . For a non-revoked user, the node set Path ( User ) must have an intersection with the node set KUNodes . For example, in Figure 4b, we have Path ( User 1 ) = { root , 1 , 3 } and KUNodes Path ( User 1 ) = 3 .

3. The Notion of Revocable ABE with En-DKER

3.1. Syntax and Correctness

Let ID be an identity space, M be a message space, X be an attribute space, T be a time period space, and F be a sequence of sets of functions, namely F = { f : X { 0 , 1 } } . Our revocable ABE scheme consists of six algorithms ( Setup , GenSK , NodesUp , GenDK , Enc , Dec ) , defined as follows:
  • Setup ( 1 λ ) ( PP , MSK ) : Executed by the KGC, this algorithm takes as input a security parameter λ . It produces public parameters PP and a master secret key MSK .
  • GenSK ( PP , MSK , I D , f ) SK I D , f : Executed by the KGC, this algorithm takes as input the public parameters PP , the master secret key MSK , an identity I D ID , and a policy function f F . It produces a secret key SK I D , f .
  • NodesUp ( BT , t , RL t ) KUNodes ( RL t ) : Executed by the KGC, this algorithm takes as input the binary tree BT , a time period t T , and the revocation list RL t for the time period t. It produces and broadcasts a node set KUNodes ( RL t ) .
  • GenDK ( PP , SK I D , f , KUNodes ( RL t ) ) DK I D , f , t : Executed by the receiver, this algorithm takes as input the public parameters PP , the secret key SK I D , f , and the node set KUNodes ( RL t ) . It produces a decryption key DK I D , f , t .
  • Enc ( PP , x , KUNodes ( RL t ) , μ ) CT x , t : Executed by the sender, this algorithm takes as input the public parameters PP , an attribute set x X l , the node set KUNodes ( RL t ) , and a message μ M . It produces a ciphertext CT x , t .
  • Dec ( CT x , t , DK I D , f , t ) μ : Executed by the receiver, this algorithm takes as input the ciphertext CT x , t and the decryption key DK I D , f , t . It produces a message μ M .
  • Correctness. A revocable ABE scheme is correct if, for all λ N , I D ID , t T , μ M , x X , and f F that satisfy f ( x ) = 0 , it holds that
P r μ = μ | ( PP , MSK ) Setup ( 1 λ ) SK I D , f GenSK ( PP , MSK , I D , f ) KUNodes ( RL t ) NodesUp ( BT , t , RL t ) DK I D , f , t GenDK ( PP , SK I D , f , KUNodes ( RL t ) ) CT x , t Enc ( PP , x , t , KUNodes ( RL t ) , μ ) μ Dec ( CT x , t , DK I D , f , t ) = 1 negl ( λ ) .

3.2. Security Model of Revocable ABE with En-DKER

We first extend the En-DKER property proposed by Wang et al. [24] in RIBE to RABE. Specifically, the En-DKER property of the RABE scheme, in addition to possessing the features of DKER, also satisfies that adversaries are unable to determine whether the attribute set of the ciphertext for the challenge time period satisfies a specific policy using keys from any other time periods or policies, which is analogous to the anonymity property of the IBE scheme.
Then, we provide the formal definition of selective security via a game between an adversary A and the challenger C . Set a global variable t c u T with an initial value of 1 to facilitate the generation of the decryption key DK I D , f , t of any time period queried by A . This is particularly useful as the revocation list RL is dynamically updated following the time period t.
  • Initialize: C establishes a binary tree BT . A sets the challenge attribute sets x ( 0 ) and x ( 1 ) , the challenge time period t * , and the challenge node set KUNodes ( RL t * ) * .
  • Setup Phase: C executes the Setup algorithm, providing the public parameters PP to A .
  • Query Phase: A adaptively makes the following queries to C :
    • A sets Q 0 = { I D } for user registration queries. C randomly selects an unassigned leaf node η I D for I D . (At the conclusion of the query, C acquires RL t * * based on KUNodes ( RL t * ) * and BT ).
    • A sets Q 1 = { I D , f } for the secret key queries; C replies with the corresponding secret key SK I D , f GenSK ( PP , MSK , I D , f ) . This is subject to the constraint I D Q 0 ; if f ( x ( 0 ) ) = 0 or f ( x ( 1 ) ) = 0 , I D RL t * * .
    • Let t c u = 1 , and loop through the following steps:
      (a)
      A sets Q 2 = { ( I D , f , t c u ) } for the decryption key queries; C replies with the decryption key DK I D , f , t c u GenDK ( PP , SK I D , f , KUNodes ( RL t c u ) ) . This is subject to the constraint I D Q 0 ; I D RL t c u ; if t c u = t * , f ( x ( 0 ) ) 0 and f ( x ( 1 ) ) 0 .
      (b)
      A sets Q 3 = { ( I D , t c u ) } for revocation queries, C adds I D to the revocation list RL and updates RL t c u + 1 = RL . Then, C sent KUNodes ( RL t c u + 1 ) to A . This is subject to the constraint I D Q 0 ; RL t * = RL t * * .
      (c)
      t c u = t c u + 1 .
  • Challenge Phase: A sets challenge plaintexts μ ( 0 ) and μ ( 1 ) . C randomly chooses a bit b { 0 , 1 } and replies with the ciphertext CT x ( b ) , t * Enc ( PP , x ( b ) , t * , KUNodes ( RL t * ) * , μ ( b ) ) .
  • Guess: A outputs a guess b of b and succeeds if b = b . The advantage of A is defined as
    Adv RABE , A SEL En CPA ( λ ) = | Pr [ b = b ] 1 / 2 | .
Definition 3.
A revocable ABE with En-DKER scheme is selectively secure if, for any PPT adversaries  A , Adv RABE , A SEL En CPA ( λ )  is at most negligible.

4. Revocable ABE with En-DKER from Lattices

4.1. Our Construction

In our scheme, we set the message space M = { 0 , 1 } , the identity space ID Z q n { 0 n } , the attribute space X = { 0 , 1 } , a sequence of sets of functions F = f : { 0 , 1 } l { 0 , 1 } , and the time period space T Z q n . For any B N , let U B denote the uniform distribution on Z [ B , B ] . H ( · ) is a full-rank different map defined in Definition 2 and G is a gadget matrix defined in Lemma 5.
To ensure the decryption algorithm outputs ⊥ with almost negligible probability when f ( x ) = 1 , we follow the approach of [12,13] and set an encoding function encode : { 0 , 1 } { 0 , 1 } k with k = ω ( log λ ) . For each μ { 0 , 1 } , we define encode ( μ ) = ( μ , 0 , , 0 ) { 0 , 1 } k . In addition, our system parameters satisfy the following constraints:
  • For sampling: m > 2 n log q and σ > m · ω ( m ) .
  • For correctness: k = ω ( log λ ) , O ( ( m + 1 ) d ( m 5 / 2 σ + m 3 / 2 B big ) ) < q / 4 B LWE .
  • For security: n = O ( λ ) , χ LWE = U B LWE , where B LWE ω ( log n ) · n .
  • For smudging: χ big = U B big , where B big > ( m σ 2 + 1 ) 2 λ + 1 .
Now, we describe our revocable ABE with En-DKER from lattices construction.
  • Setup ( 1 λ ) ( PP , MSK ) : On inputting a security parameter λ , the detailed process is as follows:
    • Run the algorithm TrapGen ( 1 n , 1 m , q ) to generate ( A , T A ) , where A Z q n × m .
    • Choose random matrices { B i } i [ ] , W in Z q n × m , and a random matrix U in Z q n × k .
    • Build a binary tree BT with at least N leaf nodes. For each node θ BT , select a random matrix D θ in Z q n × m .
    • Output PP = { A , { B i } i [ ] , W , U , { D θ } θ BT } , MSK = { T A , BT } .
  • GenSK ( PP , MSK , I D , f ) SK I D , f : On inputting the public parameters PP , the master secret key MSK , an identity I D ID , and a policy function f F , the detailed process is as follows:
    • If I D belongs to a newly registered user in the system, then randomly pick an unassigned leaf node η I D from BT and store I D in it.
    • Compute B f = Eval pk ( f , ( B 1 , , B ) ) .
    • For each θ Path ( η I D ) , generate K I D , f , θ Z q 3 m × m , satisfying [ A | B f | D θ ] K I D , f , θ = G .
      (a)
      Choose a random matrix K I D , f in D Z , σ 2 m × m and set Z I D , f = [ A | B f ] K I D , f Z q m × m .
      (b)
      Sample K I D , f , θ SampleLeft ( A , D θ , T A , σ , G Z I D , f ) .
      (c)
      Divide K I D , f and K I D , f , θ into two parts, K 1 , I D , f , K 2 , I D , f and K 1 , I D , f , θ , K 2 , I D , f , θ with m rows per part. Then, generate
      K I D , f , θ = K 1 , I D , f + K 1 , I D , f , θ | K 2 , I D , f | K 2 , I D , f , θ .
    • Output SK I D , f = { K I D , f , θ } θ Path ( η I D ) .
  • NodesUp ( BT , t , RL t ) KUNodes ( RL t ) : On inputting the binary tree BT , a time period t T , and the revocation list RL t for the time period t, the KGC generates and broadcasts a set KUNodes ( RL t ) for the time period t.
  • GenDK ( PP , SK I D , f , KUNodes ( RL t ) ) DK I D , f , t : On inputting the public parameters PP , the secret key SK I D , f , and the node set KUNodes ( RL t ) , the detailed process is as follows:
    • Set θ * = Path ( η I D ) KUNodes ( RL t ) . If θ * = Ø , outputs ⊥. Otherwise, continue the following steps.
    • Compute W t = W + H ( t ) G .
    • Generate DK I D , f , t Z q 4 m × k , satisfying [ A | B f | D θ * | W t ] DK I D , f , t = U .
      (a)
      Choose a random matrix K ˜ I D , f , t χ big 4 m × k . Set H I D , f , t = [ A | B f | D θ * | W t ] K ˜ I D , f , t and send to the server.
      (b)
      The server samples K ˜ I D , f , t SamplePre ( G , T G , σ , U H I D , f , t ) and sends to the user.
      (c)
      Compute K ˜ I D , f , t = K f , θ * K ˜ I D , f , t , satisfying [ A | B f | D θ * ] K ˜ I D , f , t = U H I D , f , t , where K ˜ I D , f , t Z q 3 m × k .
      (d)
      Divide K ˜ I D , f , t into four parts: K ˜ 1 , I D , f , t , K ˜ 2 , I D , f , t , K ˜ 3 , I D , f , t , K ˜ 4 , I D , f , t , and K ˜ I D , f , t into three parts: K ˜ 1 , I D , f , t , K ˜ 2 , I D , f , t , K ˜ 3 , I D , f , t , with m rows per part. Then, generate
      DK I D , f , t = K ˜ 1 , I D , f , t + K ˜ 1 , I D , f , t K ˜ 2 , I D , f , t + K ˜ 2 , I D , f , t | K ˜ 3 , I D , f , t + K ˜ 3 , I D , f , t K ˜ 4 , I D , f , t .
    • Output DK I D , f , t = DK I D , f , t .
  • Enc ( PP , x , KUNodes ( RL t ) , μ ) CT x , t : On inputting the public parameters PP , an attribute set x = { x 1 , , x } X , the node set KUNodes ( RL t ) , and a message μ M , the detailed process is as follows:
    • Choose a random vector s in Z q n .
    • Choose random matrices R i , S θ , and V in { 1 , 1 } m × m , where i [ ] , θ KUNodes ( RL t ) .
    • Choose noise e χ LWE k and a noise vector e χ LWE m .
    • Generate CT x , t = { c i n , { c i } i [ ] , { c θ } θ KUNodes ( RL t ) , c t , c o u t } , where
      c o u t = s U + q 2 · encode ( μ ) + e Z q k , c i n = s A + e Z q m , c t = s W t + e V Z q m , i [ ] : c i = s ( B i + x i G ) + e R i Z q m , θ KUNodes ( RL t ) : c θ = s D θ + e S θ Z q m .
    • Output CT x , t .
  • Dec ( CT x , t , DK I D , f , t ) μ : On inputting the ciphertext CT x , t and the decryption key DK I D , f , t , the detailed process is as follows:
    • If f ( x ) = 1 , outputs ⊥. Otherwise, continue the following steps.
    • Compute c f = Eval ct ( f , { ( x i , B i , c i ) } i = 1 ) Z q m .
    • Compute c = c o u t [ c i n | c f | c θ * | c t ] DK I D , f , t Z q k .
    • Output μ by computing encode ( μ ) = q 2 · c .
  • Correctness. We analyze the correctness of the scheme.
    • When f ( x ) = 1 , the probability of the last k 1 coordinates being 0 is 2 ( k 1 ) = 2 ω ( log λ ) , which is negligible in λ . Consequently, the decryption algorithm outputs ⊥ with all but negligible probability.
    • When f ( x ) = 0 , according to the correctness of the Eval ct algorithm, we have c f = s B f + e R f . Therefore,
c = c o u t [ c i n | c f | c θ * | c t ] DK I D , f , t = s U + q 2 · encode ( μ ) s [ A | B f | D θ * | W t ] DK I D , f , t + noise = q 2 · encode ( μ ) + noise ,
where
noise = e e [ I m | R f | S θ * | V ] DK I D , f , t = e e [ I m | R f | S θ * | V ] K ˜ 1 , I D , f , t + K 1 , I D , f K ˜ I D , f , t + K 1 , I D , f , θ * K ˜ I D , f , t K ˜ 2 , I D , f , t + K 2 , I D , f K ˜ I D , f , t K ˜ 3 , I D , f , t + K 2 , I D , f , θ * K ˜ I D , f , t K ˜ 4 , I D , f , t .
Correctness now follows since noise is small and should not affect q 2 · encode ( μ ) . Moreover, the following inequalities hold except with negligible probability:
  • From Lemma 2, we have | | S | | and | | V θ * | | 20 m .
  • From Lemma 7, we have | | R f | | 20 m · ( m + 1 ) d .
  • Because e χ LWE k and e χ LWE m , we have | | e | | B LWE k and | | e | | B LWE m .
| | noise | | = | | e e [ I m | R | S θ * | V ] DK I D , f , t | | | | e | | + | | e | | · | | [ I m | R | S θ * | V ] DK I D , f , t | | O ( B LWE ( m + 1 ) d ( m 5 / 2 σ + m 3 / 2 B big ) ) < q / 4 ,
and we can obtain μ by computing encode ( μ ) = q 2 · c .

4.2. Security Proof

We show that our RABE construction is secure in the following theorem:
Theorem 1.
Our proposed RABE scheme with En-DKER is  IND - CPA  secure under the assumption that the  LWE  problem is hard.
Proof. 
We consider a sequence of games, and the change between each successive game is only by a negligible amount negl x ( λ ) . Let P A , x ( λ ) be the function that represents the probability of the adversary A correctly guessing the challenge bit b in Game x ( b ) . The first game is the original IND - CPA secure game for our RABE scheme, so the advantage of A is Adv RABE , A SEL En CPA ( λ ) = | P A , 0 ( λ ) 1 / 2 | . The final hybrid is one where the ciphertext is independent with the bit b, and the advantage of the adversary A is zero, so the advantage of A is P A , 4 ( λ ) = 1 / 2 . So, for all λ N , we have Adv RABE , A SEL En CPA ( λ ) x [ 4 ] | P A , x 1 ( λ ) P A , x ( λ ) | x [ 4 ] negl x ( λ ) .
  • The Series of Games. Let A be the adversary in the security definition of the RABE with En-DKER and adhere to the security model defined in Section 3.2. We consider the following series of games.
  • Game 0 ( b ) : This is the original IND - CPA secure game for our RABE scheme, and B chooses a random bit b { 0 , 1 } .
  • Game 1 ( b ) : In this game, we change the generation way of matrices { B i } i [ ] , { D θ } θ BT , and W .
    • Choose random matrices R i * , S θ * , and V * in { 1 , 1 } m × m , where i [ ] and θ BT .
    • For each i [ ] , θ BT , we set B i = AR i * x i ( b ) G , W = AV * H ( t * ) G ,
      D θ = A S θ * , i f θ KUNodes ( RL t * ) * A S θ * + G , o t h e r w i s e .
We show that Game 0 ( b ) is statistically indistinguishable from Game 1 ( b ) . By Lemma 2, ( A , AR i * , AS θ * , AV * ) is statistically close to ( A , B i , D θ , W ) , where B i , D θ , W are the independently random matrices in Z q n × m , i [ ] and θ BT . Moreover, the difference between ( AR i * , AS θ * , AV * ) and ( AR i * x i ( b ) G , AS θ * + G , AV * H ( t * ) G ) is merely syntactic. So, there exists a negligible function negl 1 ( · ) satisfying | P A , 0 ( λ ) P A , 1 ( λ ) | negl 1 ( λ ) for any adversary A .
  • Game 2 ( b ) : In this game, we change the generation way of the secret key SK I D , f for secret key query of ( I D , f ) , mainly divided into the following three cases:
    • Case 1: f ( x ( b ) ) = 0 . In this case, the user I D must have been revoked before the challenge time period t * , i.e., Path ( η I D ) KUNodes ( RL t * ) * = , as per the secret key query restriction in the security model. So, for each θ Path ( η I D ) , D θ = A S θ * + G .
      • Perform operation 3.(a) in algorithm GenSK .
      • Sample K I D , f , θ SampleRight ( A , S θ * , G , T G , σ , G Z I D , f ) .
    • Case 2: f ( x ( b ) ) 0 and I D RL t * . In this case, D θ * = A S θ * * , where θ * = Path ( η I D ) KUNodes ( RL t * ) . So, the challenger cannot use G and algorithm SampleRight to sample K I D , f , θ * . Furthermore, Z I D , f can only be randomly selected once, so we need to use the SampleRight algorithm to sample K I D , f .
      • Sample K I D , f , θ * D Z , σ 2 m × m and set Z I D , f = [ A | D θ * ] K I D , f , θ * .
      • For other nodes θ Path ( η I D ) and θ θ * , the challenger computes K I D , f , θ SampleRight ( A , S θ * , G , T G , σ , Z I D , f ) .
      • Compute R f * = Eval sim f , { ( x i ( b ) , R i * ) } i = 1 , A and obtain a low-norm matrix R f * Z q m × m such that A R f * f ( x ( b ) ) G = B f . By the definition, we have R f * 20 m · ( m + 1 ) d . Moreover, σ = 5 · ( 1 + | | R f * | | ) · ϖ ( log m ) as needed for algorithm SampleRight .
      • Sample K I D , f SampleRight ( A , R f * , f ( x ( b ) ) G , T G , σ , G Z I D , f ) .
    • Case 3: f ( x ( b ) ) 0 and I D RL t * . In this case, Path ( η I D ) KUNodes ( RL t * ) = , and D θ = A S θ * + G , for each θ Path ( η I D ) .
      • Perform the operation 3.(a) in algorithm GenSK .
      • Sample K I D , f , θ SampleRight ( A , S θ * , G , T G , σ , G Z I D , f ) .
We show that Game 1 ( b ) is statistically indistinguishable from Game 2 ( b ) . By Lemma 6, K I D , f and K I D , f , θ sampled via algorithm SampleLeft and algorithm SampleRight are statistically close to randomly chosen in D Z , σ 2 m × m . Moreover, Z I D , f = [ A | B f ] K I D , f and Z I D , f = [ A | D θ * ] K I D , f , θ * are statistically indistinguishable from a random matrix selected in Z q n × 2 m . So, there exists a negligible function negl 2 ( · ) satisfying | P A , 1 ( λ ) P A , 2 ( λ ) | negl 2 ( λ ) for any adversary A .
  • Game 3 ( b ) : In this game, we change the generation way of the decryption key DK I D , f , t for decryption key query of ( I D , f , t ) , when f ( x ( b ) ) = 0 , I D RL t * and t t * .
    • Sample K ^ t SampleRight ( A , V * , ( H ( t ) H ( t * ) ) G , T G , σ , G ) .
    • Perform the operation 2.(a) and 2.(b) in algorithm GenDK to generate K ˜ I D , f , t and K ˜ I D , f , t .
    • Compute K ^ I D , f , t = K ^ t K ˜ I D , f , t , satisfying [ A | W t ] K ^ I D , f , t = U H I D , f , t .
    • Divide K ^ I D , f , t into two parts: K ^ 1 , I D , f , t and K ^ 2 , I D , f , t , with m rows per part. Set
      DK ^ I D , f , t = K ˜ 1 , I D , f , t + K ^ 1 , I D , f , t K ˜ 2 , I D , f , t | K ˜ 3 , I D , f , t K ˜ 4 , I D , f , t + K ^ 2 , I D , f , t Z q 4 m × k .
We show that Game 2 ( b ) is statistically indistinguishable from Game 3 ( b ) . Recall in Game 2 ( b )
DK I D , f , t = K ˜ 1 , I D , f , t + K ˜ 1 , I D , f , t K ˜ 2 , I D , f , t + K ˜ 2 , I D , f , t | K ˜ 3 , I D , f , t + K ˜ 3 , I D , f , t K ˜ 4 , I D , f , t .
By the triangle inequality for statistical distance and Lemma 1, when B big > ( m σ 2 + 1 ) 2 λ + 1 , there exists a negligible function negl s m u d g e ( · ) for all λ N ,
SD ( K ˜ 1 , I D , f , t + K ˜ 1 , I D , f , t , K ˜ 1 , I D , f , t + K ^ 1 , I D , f , t ) SD ( K ˜ 1 , I D , f , t + K ˜ 1 , I D , f , t , K ˜ 1 , I D , f , t ) + SD ( K ˜ 1 , I D , f , t , K ˜ 1 , I D , f , t + K ^ 1 , I D , f , t ) m k · negl s m u d g e ( · ) + m k · negl s m u d g e ( · ) = 2 m k · negl s m u d g e ( · ) .
In the remaining 3m rows, each m row’s statistical distance is equal to m k · negl s m u d g e ( · ) . So, in the adversary’s view,
| P A , 2 ( λ ) P A , 3 ( λ ) | 5 m k · negl s m u d g e ( · ) .
  • Game 4 ( b ) : In this game, we change the generation way of the matrix A and the ciphertexts.
    • Choose a random matrix A in Z q n × m .
    • Choose c o u t * Z q k and c i n * , c i * , c θ * , c t * * Z q m , where θ KUNodes ( RL t * ) * and i [ ] .
It remains to be shown that Game 3 ( b ) and Game 4 ( b ) are computationally indistinguishable under the hardness of the LWE problem. If there exists a non-negligible function δ ( · ) such that | P A , 3 ( λ ) P A , 4 ( λ ) | δ ( · ) , we can also construct an LWE algorithm B under A such that Adv B LWE ( λ ) δ ( λ ) for all λ N .
  • LWE Instance: B begins by obtaining an LWE n , q , σ challenger of two random matrices A Z q n × m , U Z q n × k and two vectors c Z q k , c Z q m , where c Z q k and c Z q m are either random or c = s A + e and c = s U + e for some random vector s Z q n and e χ LWE k , e χ LWE m .
  • Public Parameters: A sets the challenge attributes x ( 0 ) and x ( 1 ) , time period t * , and node set KUNodes ( RL t * ) * . Then, B sets the public parameters PP as in Game 3 ( b ) : Uniformly random matrices R i * , S θ * , and V * in { 1 , 1 } m × m , B i = AR i * + x i ( b ) G , W = AV * H ( t * ) G ,
    D θ = A S θ * , i f θ KUNodes ( RL t * ) * A S θ * + G , o t h e r w i s e ,
    where i [ ] and θ BT .
  • Query Phase: B answers A ’s user registration, secret key, decryption key, and revocation queries as in Game 3 ( b ) .
  • Challenge Phase: A sets two messages μ ( 0 ) , μ ( 1 ) { 0 , 1 } . B computes c i n * = c , c i * = c R i * , c θ * = c S θ * , and c t * * = c V * , c o u t * = c + encode ( μ ( b ) ) · q 2 , where i [ ] and θ KUNodes ( RL t * ) * .
When the LWE challenge is pseudorandom,
c o u t * = c + encode ( μ ( b ) ) · q 2 = s U + encode ( μ ( b ) ) · q 2 + e , c i n * = c = s A + e , c t * * = s ( A V * H ( t * ) G + H ( t * ) G ) + e V * = s W t + e V * , i [ ] : c i * = s ( A R i * x i ( b ) G + x i ( b ) G ) + e R i * = s ( B i + x i ( b ) G ) + e R i * , θ KUNodes ( RL t * ) * : c θ * = ( s A + e ) S θ * = s D θ + e S θ * ,
the ciphertexts are distributed exactly as in Game 3 ( b ) . When the LWE challenge is random, the ciphertexts are distributed exactly as in Game 4 ( b ) .
  • Guess: A outputs a guess b of b. Then, B outputs A ’s guess as the answer to the LWE n , q , σ challenge it is trying to solve.
Note that, when the LWE challenge is pseudorandom, A ’s view is as in Game 3 ( b ) ; when the LWE challenge is random, A ’s view is as in Game 4 ( b ) . So, if the LWE assumption holds, there exists a negligible function negl 4 ( · ) , satisfying | P A , 3 ( λ ) P A , 4 ( λ ) | negl 4 ( λ ) .

5. Application in Practice

In this section, we provide an application example of our RABE scheme with En-DKER in the electronic healthcare scenario.
As shown in Figure 5, the system primarily consists of three entities: KGC, patient, and doctor. The KGC is responsible for generating secret keys for system users and periodically publishing a set of nodes representing the non-revoked users. As the data owner, the patient encrypts their electronic medical record (EMR) and shares with attending physicians. Additionally, doctors can periodically generate their decryption keys, and only doctors who satisfy the access policy and have not been revoked can decrypt and access the EMR information of the patient.
Our scheme also satisfies the En-DKER property, ensuring that the leakage of decryption keys from any time period should not compromise the confidentiality of ciphertexts from other time periods. Additionally, adversaries cannot determine whether the attribute set of ciphertext for the challenge time period satisfies a specific policy using keys from any other time periods or policies.

6. Conclusions

To enhance the practicality of the lattice-based RABE scheme, we extend the En-DKER property from RIBE to RABE. This extension ensures that the leakage of any time period decryption keys should not compromise the confidentiality of ciphertexts from other time periods. Additionally, adversaries are unable to determine whether the attribute set of the ciphertext for the challenge time period satisfies a specific policy using keys from any other time periods or policies. Building upon the BGG+14 scheme, we then construct the first RABE with En-DKER from lattices. Our scheme retains advantages such as near-zero periodic workload for the KGC, and the encryptor is relieved from managing a revocation list. Finally, we validate the correctness and prove the security of our scheme under the LWE assumption.
However, this scheme is based on the LWE assumption, which requires complex inverse algorithms and matrix multiplication for trapdoor generation, making it unsuitable for practical applications. In the future, we plan to extend the approach to the ring LWE assumption, aiming to develop a more advantageous scheme that addresses the computational complexity and storage requirements.

Author Contributions

Methodology, Q.W.; validation, J.L. and Z.W.; formal analysis, Y.Z.; writing—original draft preparation, Q.W.; writing—review and editing, Z.W. and Y.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data are contained within the article.

Acknowledgments

The authors are thankful to the anonymous referees for their helpful comments.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Proceedings of the Advances in Cryptology–EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Proceedings 24. Springer: Berlin/Heidelberg, Germany, 2005; pp. 457–473. [Google Scholar]
  2. Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP’07), Oakland, CA, USA, 20–23 May 2007; IEEE: Piscataway Township, NJ, USA, 2007; pp. 321–334. [Google Scholar]
  3. Waters, B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In Proceedings of the International Workshop on Public Key Cryptography, Taormina, Italy, 6–9 March 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 53–70. [Google Scholar]
  4. Attrapadung, N.; Libert, B.; De Panafieu, E. Expressive key-policy attribute-based encryption with constant-size ciphertexts. In Proceedings of the Public Key Cryptography–PKC 2011: 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, 6–9 March 2011; Proceedings 14. Springer: Berlin/Heidelberg, Germany, 2011; pp. 90–108. [Google Scholar]
  5. Hohenberger, S.; Waters, B. Attribute-based encryption with fast decryption. In Proceedings of the Public-Key Cryptography–PKC 2013: 16th International Conference on Practice and Theory in Public-Key Cryptography, Nara, Japan, 26 February–1 March 2013; Proceedings 16. Springer: Berlin/Heidelberg, Germany, 2013; pp. 162–179. [Google Scholar]
  6. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Taormina, Italy, 6–9 March 2006; pp. 89–98. [Google Scholar]
  7. Lewko, A.; Waters, B. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In Proceedings of the Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 180–198. [Google Scholar]
  8. Itkis, G.; Shen, E.; Varia, M.; Wilson, D.; Yerukhimovich, A. Bounded-collusion attribute-based encryption from minimal assumptions. In Proceedings of the Public-Key Cryptography–PKC 2017: 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, 28–31 March 2017; Proceedings, Part II 20. Springer: Berlin/Heidelberg, Germany, 2017; pp. 67–87. [Google Scholar]
  9. Boneh, D.; Franklin, M. Identity-based encryption from the Weil pairing. SIAM J. Comput. 2003, 32, 586–615. [Google Scholar] [CrossRef]
  10. Boldyreva, A.; Goyal, V.; Kumar, V. Identity-based encryption with efficient revocation. In Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 27–31 October 2008; pp. 417–426. [Google Scholar]
  11. Chen, J.; Lim, H.W.; Ling, S.; Wang, H.; Nguyen, K. Revocable identity-based encryption from lattices. In Proceedings of the Information Security and Privacy: 17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, 9–11 July 2012; Proceedings 17. Springer: Berlin/Heidelberg, Germany, 2012; pp. 390–403. [Google Scholar]
  12. Luo, F.; Al-Kuwari, S.; Wang, H.; Wang, F.; Chen, K. Revocable attribute-based encryption from standard lattices. Comput. Stand. Interfaces 2023, 84, 103698. [Google Scholar] [CrossRef]
  13. Ling, S.; Nguyen, K.; Wang, H.; Zhang, J. Revocable predicate encryption from lattices. In Proceedings of the Provable Security: 11th International Conference, ProvSec 2017, Xi’an, China, 23–25 October 2017; Proceedings 11. Springer: Berlin/Heidelberg, Germany, 2017; pp. 305–326. [Google Scholar]
  14. Meng, F. Directly Revocable Ciphertext-Policy Attribute-Based Encryption from Lattices. Cryptology ePrint Archive, Paper 2020/940. 2020. Available online: https://eprint.iacr.org/2020/940 (accessed on 31 July 2020).
  15. Attrapadung, N.; Imai, H. Attribute-based encryption supporting direct/indirect revocation modes. In Proceedings of the Cryptography and Coding: 12th IMA International Conference, Cryptography and Coding 2009, Cirencester, UK, 15–17 December 2009; Proceedings 12. Springer: Berlin/Heidelberg, Germany, 2009; pp. 278–300. [Google Scholar]
  16. Seo, J.H.; Emura, K. Revocable identity-based encryption revisited: Security model and construction. In Proceedings of the Public-Key Cryptography–PKC 2013: 16th International Conference on Practice and Theory in Public-Key Cryptography, Nara, Japan, 26 February–1 March 2013; Proceedings 16. Springer: Berlin/Heidelberg, Germany, 2013; pp. 216–234. [Google Scholar]
  17. Qin, B.; Zhao, Q.; Zheng, D.; Cui, H. (Dual) server-aided revocable attribute-based encryption with decryption key exposure resistance. Inf. Sci. 2019, 490, 74–92. [Google Scholar] [CrossRef]
  18. Cheng, L.; Meng, F. Server-aided revocable attribute-based encryption revised: Multi-user setting and fully secure. In Proceedings of the Computer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, 4–8 October 2021; Proceedings, Part II 26. Springer: Berlin/Heidelberg, Germany, 2021; pp. 192–212. [Google Scholar]
  19. Xu, S.; Yang, G.; Mu, Y. Revocable attribute-based encryption with decryption key exposure resistance and ciphertext delegation. Inf. Sci. 2019, 479, 116–134. [Google Scholar] [CrossRef]
  20. Katsumata, S.; Matsuda, T.; Takayasu, A. Lattice-Based Revocable (Hierarchical) IBE with Decryption Key Exposure Resistance. In Proceedings of the Public-Key Cryptography–PKC 2019: 22nd IACR International Conference on Practice and Theory of Public-Key Cryptography, Beijing, China, 14–17 April 2019; Proceedings, Part II 22. Springer: Berlin/Heidelberg, Germany, 2019; pp. 441–471. [Google Scholar]
  21. Agrawal, S.; Boneh, D.; Boyen, X. Efficient lattice (h) ibe in the standard model. In Proceedings of the Eurocrypt, Nice, Frence, 30 May–3 June 2010; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6110, pp. 553–572. [Google Scholar]
  22. Cash, D.; Hofheinz, D.; Kiltz, E.; Peikert, C. Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 2012, 25, 601–639. [Google Scholar] [CrossRef]
  23. Qin, B.; Deng, R.H.; Li, Y.; Liu, S. Server-aided revocable identity-based encryption. In Proceedings of the Computer Security–ESORICS 2015: 20th European Symposium on Research in Computer Security, Vienna, Austria, 21–25 September 2015; Proceedings, Part I 20. Springer: Berlin/Heidelberg, Germany, 2015; pp. 286–304. [Google Scholar]
  24. Wang, Q.; Huang, H.; Li, J.; Yuan, Q. Revocable IBE with En-DKER from Lattices: A Novel Approach for Lattice Basis Delegation. Cryptology ePrint Archive, Paper 2023/1028. 2023. Available online: https://eprint.iacr.org/2023/1028 (accessed on 3 July 2023).
  25. Takayasu, A.; Watanabe, Y. Lattice-based revocable identity-based encryption with bounded decryption key exposure resistance. In Proceedings of the Information Security and Privacy: 22nd Australasian Conference, ACISP 2017, Auckland, New Zealand, 3–5 July 2017; Proceedings, Part I 22. Springer: Berlin/Heidelberg, Germany, 2017; pp. 184–204. [Google Scholar]
  26. Takayasu, A.; Watanabe, Y. Revocable identity-based encryption with bounded decryption key exposure resistance: Lattice-based construction and more. Theor. Comput. Sci. 2021, 849, 64–98. [Google Scholar] [CrossRef]
  27. Boyen, X.; Waters, B. Anonymous hierarchical identity-based encryption (without random oracles). In Proceedings of the Advances in Cryptology-CRYPTO 2006: 26th Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 2006; Proceedings 26. Springer: Berlin/Heidelberg, Germany, 2006; pp. 290–307. [Google Scholar]
  28. Wang, S.; Zhang, X.; Zhang, Y. Efficient revocable and grantable attribute-based encryption from lattices with fine-grained access control. IET Inf. Secur. 2018, 12, 141–149. [Google Scholar] [CrossRef]
  29. Yang, K.; Wu, G.; Dong, C.; Fu, X.; Li, F.; Wu, T. Attribute Based Encryption with Efficient Revocation from Lattices. Int. J. Netw. Secur. 2020, 22, 161–170. [Google Scholar]
  30. Yang, Y.; Sun, J.; Liu, Z.; Qiao, Y. Practical revocable and multi-authority CP-ABE scheme from RLWE for Cloud Computing. J. Inf. Secur. Appl. 2022, 65, 103108. [Google Scholar] [CrossRef]
  31. Dong, X.; Hu, Y.; Wang, B.; Liu, M.; Gao, W. Lattice-based revocable attribute-based encryption with decryption key exposure resistance. IET Inf. Secur. 2021, 15, 428–441. [Google Scholar] [CrossRef]
  32. Huang, B.; Gao, J.; Li, X. Efficient lattice-based revocable attribute-based encryption against decryption key exposure for cloud file sharing. J. Cloud Comput. 2023, 12, 1–15. [Google Scholar] [CrossRef] [PubMed]
  33. Boneh, D.; Gentry, C.; Gorbunov, S.; Halevi, S.; Nikolaenko, V.; Segev, G.; Vaikuntanathan, V.; Vinayagamurthy, D. Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In Proceedings of the Advances in Cryptology–EUROCRYPT 2014: 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 11–15 May 2014; Proceedings 33. Springer: Berlin/Heidelberg, Germany, 2014; pp. 533–556. [Google Scholar]
  34. Asharov, G.; Jain, A.; López-Alt, A.; Tromer, E.; Vaikuntanathan, V.; Wichs, D. Multiparty computation with low communication, computation and interaction via threshold FHE. In Proceedings of the Advances in Cryptology–EUROCRYPT 2012: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Proceedings 31. Springer: Berlin/Heidelberg, Germany, 2012; pp. 483–501. [Google Scholar]
  35. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206. [Google Scholar]
  36. Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Proceedings of the Eurocrypt, Cambridge, UK, 15–19 April 2012; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 700–718. [Google Scholar]
  37. Ajtai, M. Generating hard instances of the short basis problem. In Proceedings of the Automata, Languages and Programming: 26th International Colloquium, ICALP’99, Prague, Czech Republic, 11–15 July 1999; Proceedings 26. Springer: Berlin/Heidelberg, Germany, 1999; pp. 1–9. [Google Scholar]
  38. Alwen, J.; Peikert, C. Generating shorter bases for hard random lattices. Theory Comput. Syst. 2011, 48, 535–553. [Google Scholar] [CrossRef]
  39. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 2009, 56, 1–40. [Google Scholar] [CrossRef]
  40. Peikert, C. Public-key cryptosystems from the worst-case shortest vector problem. In Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, Bethesda, MD, USA, 31 May–2 June 2009; pp. 333–342. [Google Scholar]
  41. Gorbunov, S.; Vaikuntanathan, V.; Wee, H. Predicate encryption for circuits from LWE. In Proceedings of the Annual Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 503–523. [Google Scholar]
  42. Naor, D.; Naor, M.; Lotspiech, J. Revocation and tracing schemes for stateless receivers. In Proceedings of the Advances in Cryptology—CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001; Proceedings 21. Springer: Berlin/Heidelberg, Germany, 2001; pp. 41–62. [Google Scholar]
Figure 1. Chen et al.’s [11] RIBE scheme.
Figure 1. Chen et al.’s [11] RIBE scheme.
Mathematics 11 04986 g001
Figure 2. Katsumata et al.’s [20] RIBE scheme with DKER.
Figure 2. Katsumata et al.’s [20] RIBE scheme with DKER.
Mathematics 11 04986 g002
Figure 3. Wang et al.’s [24] RIBE scheme with En-DKER.
Figure 3. Wang et al.’s [24] RIBE scheme with En-DKER.
Mathematics 11 04986 g003
Figure 4. A graphical description of the KUNodes algorithm.
Figure 4. A graphical description of the KUNodes algorithm.
Mathematics 11 04986 g004
Figure 5. Electronic medical application.
Figure 5. Electronic medical application.
Mathematics 11 04986 g005
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Wang, Q.; Li, J.; Wang, Z.; Zhu, Y. Revocable-Attribute-Based Encryption with En-DKER from Lattices. Mathematics 2023, 11, 4986. https://doi.org/10.3390/math11244986

AMA Style

Wang Q, Li J, Wang Z, Zhu Y. Revocable-Attribute-Based Encryption with En-DKER from Lattices. Mathematics. 2023; 11(24):4986. https://doi.org/10.3390/math11244986

Chicago/Turabian Style

Wang, Qi, Juyan Li, Zhedong Wang, and Yanfeng Zhu. 2023. "Revocable-Attribute-Based Encryption with En-DKER from Lattices" Mathematics 11, no. 24: 4986. https://doi.org/10.3390/math11244986

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop