Abstract

Attribute-based encryption (ABE) is a good choice for one-to-many communication and fine-grained access control of encrypted data in a cloud environment. Fully homomorphic encryption (FHE) allows cloud servers to perform valid operations on encrypted data without decrypting it. Attribute-based fully homomorphic encryption (ABFHE) from lattices not only combines the advantages of ABE and FHE but can also resist quantum attacks. However, in most previous ABFHE schemes, the growth of the ciphertext size depends on the total number of the system’s attributes, which leads to high communication overhead and long running times for encryption and decryption. In this paper, based on the LWE problem on lattices, we propose an attribute-based fully homomorphic scheme with short ciphertext. More specifically, by classifying the system’s attributes and using the special structure matrix in MP12, we remove the dependency of the ciphertext size on the system’s attributes, so that the ciphertext size no longer increases with the total number of system attributes. In addition, by introducing the function in the homomorphic operations, we completely rerandomize the error term in the new ciphertext and obtain a very tight and simple error analysis using sub-Gaussianity. Besides, performance analysis shows that when and according to the parameter suggestion given by Micciancio and Dai et al., the size of ciphertext in our scheme is reduced by at least 73.3%, not to mention . The larger the , the more pronounced the advantage of our scheme becomes. The short ciphertext in our construction not only reduces the communication overhead but also reduces the running time of encryption and decryption. Finally, our scheme is proved to be secure in the standard model.

1. Introduction

Attribute-based encryption (ABE) [1], proposed by Sahai and Waters in 2005, associates a user’s identity with a set of attributes. Depending on where the access policy is attached, it can be divided into key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE) [2]. In KP-ABE, a user’s secret key is generated from an access policy and the ciphertext is generated from an attribute set. Conversely, in CP-ABE, a user’s secret key is generated from an attribute set and the ciphertext is generated from an access policy. Both support one-to-many communication and fine-grained access control. ABE is therefore a good choice for protecting users’ data privacy and realizing secure data sharing in the cloud environment.

In recent years, with the development of quantum computers, pairing-based ABE constructions face a potential threat. Lattice-based cryptography has been a focus of research because it is flexible in construction and resistant to quantum attacks.

1.1. Related Works

In 2011, based on the learning with error (LWE) [3] problem, Zhang et al. [4] proposed a CP-ABE scheme which uses negative and positive attributes to denote the system’s attributes and supports the AND operation among these attributes. In 2012, Zhang et al. [5] proposed another CP-ABE scheme with multivalued attributes and a THRESHOLD access policy. In the same year, Agrawal et al. [6] proposed a fuzzy identity-based encryption scheme and extended it to a large-universe ABE scheme. In 2013, Boyen [7] constructed a lattice-based KP-ABE scheme which uses a linear secret sharing scheme (LSSS) to express the access policy, and Liu et al. [8] proposed a lattice-based ABE scheme which supports a THRESHOLD access policy and attribute hierarchy. In the same year, Gorbunov et al. [9] introduced a two-to-one recoding technique to construct a lattice-based ABE scheme. In 2014, Wang [10] proposed two lattice-based CP-ABE schemes; both support the AND operation among multivalued attributes. In addition, by using a Boolean circuit to represent the access policy, Zhao et al. [11] proposed a lattice-based KP-ABE scheme. In 2016, Brakerski and Vaikuntanathan [12] proposed a circuit-ABE from LWE which supports unbounded attributes and semiadaptive security. The lattice-based ABE schemes in [13–15] support multiple attribute authorities that manage all attributes in the system. A multiauthority ABE scheme can reduce the pressure on a single attribute authority and improve system efficiency. In 2019, Gur et al. [16] gave an implementation of Zhangjiang’s construction [4]. Based on [9], Wang et al. [17] constructed a three-to-one recoding technique and proposed another lattice-based CP-ABE scheme. In 2020, inspired by [9], Dong et al. [18] proposed a lattice-based ABE scheme which supports indirect revocation and achieves efficient and secure user revocation in lattices.
Brakerski and Vaikuntanathan [19] proposed another CP-ABE scheme with a circuit access policy, but they did not give a security reduction and left the security as an open problem. Consider the following situation, where a large amount of a user’s messages are encrypted and stored in the cloud server. To reduce the communication and computing overhead, the user wants the encrypted data to be processed by the cloud server using the function without privacy leakage, and the ciphertext which is processed by can be decrypted to . The above lattice-based ABE schemes [4–19] are not suitable for this scenario; that is, they do not support homomorphic operations on the ciphertext.

The first fully homomorphic encryption (FHE) scheme was proposed by Gentry [20] in 2009. In this scheme, he introduced a “bootstrapping” technique to control the growth of noise so as to ensure the correctness of decryption, and thereby realized homomorphic addition and homomorphic multiplication of ciphertexts. However, “bootstrapping” needs to encrypt the private key and publish it as a public parameter. In 2013, based on the LWE problem, Gentry, Sahai, and Waters [21] (GSW13) employed the approximate eigenvector method to construct a fully homomorphic encryption (FHE) scheme, and then, by making some relatively minor modifications to an LWE-based ABE scheme for circuits [9], they proposed the first fully homomorphic KP-ABE scheme. In the fully homomorphic KP-ABE scheme of GSW13, the system’s attributes can be expressed by and the access policy is expressed by a Boolean circuit. In 2014, Boneh et al. [22] proposed a fully key homomorphic KP-ABE scheme which is used as the gadget matrix. However, this scheme only achieves full homomorphism of the users’ private keys, not of the ciphertext, and the size of the ciphertext increases linearly with the total number of system attributes, which leads to a high storage overhead. In 2016, based on the construction of Boneh et al. [22], Clear and McGoldrick [23] proposed a fully homomorphic KP-ABE scheme from lattices. However, this scheme can evaluate circuits of unbounded depth only with a bounded input; that is, the number of ciphertexts is bounded. In the same year, Brakerski et al. [24] proposed another lattice-based fully homomorphic KP-ABE scheme by using the gadget matrix and a function which are adopted from [22]. In 2017, based on the ring-LWE problem over ideal lattices, Tan and Samsudin [25] also proposed a lattice-based CP-ABE scheme based on homomorphic encryption.
In the same year, Hiromasa and Kawai modified the scheme in [24] and proposed a dynamic homomorphic KP-ABE scheme [26]. However, in [24, 26], the size of the ciphertext also increases linearly with the number of system attributes, which leads to a high storage overhead. The above lattice-based fully homomorphic encryption schemes are mostly KP-ABE. The number of the system’s attributes is fixed in the Setup phase, and in order to match an access circuit, a ciphertext component is generated for each attribute, which leads to high storage and communication costs. Additionally, each ciphertext component is usually a vector, and the computation on ciphertext vectors directly increases the encryption and decryption time. Therefore, it is meaningful to construct an attribute-based fully homomorphic encryption scheme with short ciphertext.

1.2. Our Contribution

In this paper, we propose a lattice-based ABE scheme which supports homomorphic addition and homomorphic multiplication of ciphertexts. This scheme is based on a basic CP-ABE, and by introducing the function, it can support homomorphic operations. In our scheme, the ciphertext size is reduced by removing the ciphertext’s dependence on the total number of the system’s attributes. The main contributions are as follows:
(1) In this scheme, we classify the system’s attributes into attribute categories. Each attribute category has some attribute values. In the Setup phase, the system does not need to generate matrices as public parameters for all attributes, just matrices for the attribute categories. The size of the public parameters is reduced because the number of attribute categories is much smaller than the total number of the system’s attributes.
(2) In addition, we introduce the special structure matrix with tag from [27]. By embedding the attribute values of the access structure into the tag, the size of the ciphertext is reduced by at least 73.3%. Performance analysis shows that the size of the ciphertext no longer increases linearly with the total number of the system’s attributes, and both the ciphertext size and the running time are reduced.
(3) In order to support the homomorphic operations, we introduce a function which is adopted from [28]. By using , we obtain a very tight and simple error analysis using sub-Gaussianity (see Corollary 2), and in the homomorphic multiplication, can completely rerandomize the error term in a ciphertext.

1.3. Organization

The rest of this paper is organized as follows. In Section 2, we give the definition of related symbols, lattices, related algorithms, and decision learning with error (DLWE) problem. The definition of attribute-based fully homomorphic encryption scheme and security model are given in Section 3. In Section 4, we give our attribute-based fully homomorphic encryption scheme from lattices with short ciphertext, homomorphic operations, error analysis, correctness, and the security proof. In Section 5, we give a detailed comparison between our scheme and other related works. In Section 6, we summarize this paper.

2. Preliminaries

As shown in Table 1, we give the detailed description of the symbols.

2.1. Integer Lattice

Definition 1. Given n linearly independent vectors and the lattice generated by the following formula,where is a basis of , m is the dimension, and n is the rank.

Definition 2. For prime , and , define

2.2. Discrete Gaussians and Sub-Gaussian

Definition 3. For a vector and a positive integer , we define a Gaussian distribution with centre and variance as follows:where is a parameter, and .

Definition 4. (see [28, 29]). Let be a sub-Gaussian parameter. We say that is a sub-Gaussian distribution if, for a random variable and all , its moment generating function satisfies

Lemma 1 (see [29]). Let be an independent matrix that is sub-Gaussian with parameter . Then, for a constant , it has

2.3. The Gadget Matrix

Lemma 2 (see [28]). Let where . Define the gadget matrix . There exists a function , and for any matrix , it has where and has sub-Gaussian parameter .

2.4. Algorithms

Next, we give the related algorithms which are proposed in MP12 [27].

Let , , , , and , and there are two probabilistic polynomial-time (PPT) algorithms such that
(1) TrapGen : given a uniformly random matrix and an invertible matrix , outputs a uniformly random matrix and a trapdoor , where the trapdoor size is .
(2) SamplePre : given , a trapdoor , , and a Gaussian parameter , where is the largest singular value of and or , outputs a vector such that

Note that is a gadget matrix and denotes its dimension. also has a deterministic function as mentioned in Lemma 2. However, an -dimensional gadget matrix is only used in the TrapGen algorithm; thus, we denote it as .

Lemma 3. (see [27]). The vector which is generated by the SamplePre algorithm is not statistically distinguishable from where

2.5. Hardness Assumption

In 2005, Regev proposed the learning with error (LWE) problem [3], i.e., given a positive integer , a prime integer , and a probability distribution over , output where and is an error term from .

Definition 5. Decision learning with error (DLWE) problem [3]: for a security parameter , let , , and a distribution over . The DLWE problem is to distinguish between the following two distributions:where , , and is a noise from distribution .

Definition 6. -bounded distribution [21]: for , a distribution ensemble , supported over the integers, is called -bounded if

Corollary 1 (see [3, 27]). For any and , there is a -bounded distribution such that is at least as hard as the quantum hardness and for .

3. Definitions of the Scheme and Security Model

3.1. Definition of the System Algorithm

Before we give the definition, we firstly give the definition of fully homomorphic encryption.

Definition 7. Fully homomorphic encryption [21]: a fully homomorphic encryption scheme consists of four algorithms (KeyGen, Encrypt, Decrypt, and Eval):
(1) KeyGen : on input the security parameter , this algorithm outputs the public key and secret key .
(2) Encrypt : on input the public key and a message , the algorithm outputs a ciphertext .
(3) Decrypt : on input the secret key and a ciphertext , it outputs the message .
(4) Eval : on input the public key , a ciphertext list , and a function , it outputs a new ciphertext where Decrypt .

An attribute-based fully homomorphic encryption scheme consists of the following five algorithms:
(1) Setup : on input the security parameter , this algorithm outputs the public parameters and master secret key .
(2) Extract : on input the public parameters , master key , and a user’s attribute list , it outputs the user’s private key .
(3) Encrypt : on input the public parameters , access policy , and a message , the algorithm outputs a ciphertext C.
(4) Decrypt : on input the public parameters , private key , and ciphertext C, if does not satisfy , it outputs ; otherwise it outputs the message .
(5) Eval : on input the public parameters , ciphertexts under the same access policy, and a function , it outputs a new ciphertext where Decrypt .

Correctness: for a user’s attribute list , all messages , Encrypt , and Eval , we have if and match each other.

3.2. Security Model

Here, we give the definition of the security model. The security notion is adopted from [4, 5], in which the adversary specifies the challenge access structure before the Setup phase. Consider a game between a challenger and an adversary which is described as follows:
Init: the adversary chooses the challenge access structure and sends it to the simulator .
Setup: the challenger runs the Setup algorithm and sends the public parameters to the adversary.
Queries: in this step, can adaptively make key queries for a sequence of attribute lists . However, he cannot query an attribute list which satisfies . answers the queries.
Challenge: the adversary sends a message to . The simulator randomly chooses . If , sends to . If , it sends a random ciphertext to .
Continuation: the Queries phase is repeated.
Guess: outputs his guess .

The advantage of the adversary is .

Definition 8. Our attribute-based fully homomorphic scheme from lattices with short ciphertext is secure if the advantage of any PPT adversary is a negligible function.

4. Attribute-Based Fully Homomorphic Encryption Scheme from Lattices with Short Ciphertext

In the existing homomorphic ABE schemes from lattices, the size of the ciphertext is usually related to the total number of the system’s attributes, which leads to a high communication cost. In this section, we propose an attribute-based fully homomorphic encryption scheme from lattices with short ciphertext. In our construction, we first assume that all the system attributes can be classified into attribute categories, and each attribute category has attribute values, i.e., where . A user’s attribute list is , and the access structure is an “AND” gate between attributes such that . Thanks to the special matrix structure of , we can embed a user’s attribute list in it such that . Here, we need an encoding with full-rank difference (FRD) function.

Definition 9. (see [30]). Let be a prime and a positive integer. We say a function is an encoding with full-rank difference (FRD) function if
(i) for any , the matrix is full rank, and
(ii) is computable in polynomial time (in ).

4.1. Our Construction

The attribute-based fully homomorphic encryption scheme from lattices with short ciphertext consists of the following five algorithms.

Let , , and :
(1) Setup : on input the security parameter , do as follows:
(i) Run the algorithm TrapGen H to generate a matrix pair , where is a uniformly random matrix and is a trapdoor for with associated tag matrix , where is an identity matrix.
(ii) Select uniformly random matrices as the public parameters, one for each attribute category.
(iii) Select a uniformly random vector .
(iv) Output the public parameters and the master key .
(2) Extract : on input the public parameters , master key , and a user’s attribute list , do as follows:
(i) For each attribute value in , compute the tag .
(ii) Compute where .
(iii) Sample as . .
(iv) Output the user’s secret key .
(3) Encrypt : on input the public parameters , access policy , and message , do as follows:
(i) For each attribute value in the access policy , compute . Then construct where .
(ii) Choose a uniformly random matrix .
(iii) Choose a noise term and a noise matrix .
(iv) For a message , compute
where is a gadget matrix as defined in Lemma 2.
(v) Output the ciphertext .
(4) Decrypt : on input the public parameters , private key , and ciphertext , if does not satisfy , output ; otherwise do as follows:
(i) Given a private key associated with a user’s attribute list, let .
(ii) Consider the first columns of . Let be the ’th column of . Then, we have where . Let denote the first element of .
(iii) Let denote the ’th column of , and let be the ’th element of . Compute
(iv) Output .
(5) Eval : on input the public parameters , ciphertexts under the same access policy, and a function , output a new ciphertext where Decrypt .

Homomorphic addition: .

Homomorphic multiplication: .

Note that homomorphic multiplication of ciphertexts is defined as

4.2. Homomorphic Operations and Correctness

As mentioned above, the ciphertext . Let and . Then, . For a decryption key , we have since .

Homomorphic operations: let and be two ciphertexts which are, respectively, encrypted under and . Then, and :

Referring to equations (12) and (13), our scheme satisfies homomorphic addition and homomorphic multiplication. Note that, referring to (13), the growth of the error term depends on the old error terms , , , and . The dependence on and seems unavoidable. is a matrix in . However, the growth that depends on is a concern. Thus, following the suggestion in [21], we restrict the message space to small messages.

Corollary 2. Referring to equations (12) and (13), it is clear that has error and has error , where satisfies . Thus, after a single homomorphic addition, the error is amplified by a factor of 2, and after a single homomorphic multiplication, the error is amplified by a factor of . According to Lemmas 1 and 2, . Since , the latter error is amplified by a factor of . Let denote the maximum number of homomorphic operations. Referring to equations (14) and (15), the error .

Note that the increase of the error term mainly depends on the homomorphic multiplication. To ensure the correctness of decryption, we next give an analysis of the homomorphic multiplication of ciphertexts:
where

Let be the ’th column of and be the ’th column of . To decrypt the ciphertext , referring to Corollary 2 and equation (14), we have

Let , and according to the decryption algorithm, we have

Since and is a rounding function, to ensure the correctness of decryption we need ; that is, the error term should be less than . The error term is

To ensure the correctness of decryption, the error term should be less than with overwhelming probability (w.h.p.), i.e., . Then, we have where .

4.3. Security Analysis

Before we start the security proof, we give a simple lemma based on problem.

Lemma 4. Let . is a distribution over . Define a distribution whose samples are where , and is a noise from distribution . If holds, then the two distributions are statistically indistinguishable.

Proof of Lemma 4. It is sufficient to prove Lemma 4 in the case of . Suppose there is a PPT algorithm that can distinguish the two distributions and with a nonnegligible advantage . Then, we use to construct a PPT algorithm to solve the problem. Let be ’s sample, which is sampled from either or . Then, randomly chooses . When , chooses and an error term , computes , and appends it to the original sample such that . When , chooses a uniformly random vector and sets the sample as . Finally, outputs the new sample as ’s input. If decides that the sample is from , will decide that the sample is from . If decides that the sample is from , will decide that the sample is from . Since has probability of getting a sample, can solve the problem with advantage .

Theorem 1. If the assumption holds, based on Lemma 4, our attribute-based fully homomorphic encryption scheme from lattices is secure against selective chosen plaintext attack.

Proof of Theorem 1. We prove the security by using a sequence of games. As defined in Section 3.2, we use to denote the event that the adversary correctly guesses in , and then the advantage of an adversary is .
: this is the real game as defined in Section 3.2 between an adversary and the challenger . So, we have
: in , the challenger generates the public parameters and the master key where . In this game, let be the challenge access structure, and we change the way is generated. first selects uniformly random matrices as the public parameters, one for each attribute category, and then computes . Finally, constructs . The matrix in and is statistically indistinguishable.
The adversary makes a key query for an attribute list , and does not satisfy . answers the key query. He computes and samples for as . Then, sends to . Note that if , it has , and . can no longer answer the key query. Since answers, the key queries are statistically indistinguishable in and . The advantage of the adversary in is at most negligibly different from that in , i.e.,
: in this game, we change the way that is generated. Unlike in , is chosen uniformly from . Since the challenge ciphertext is always a random matrix in this game, the adversary’s advantage is 0; that is,
Reduction from LWE: suppose has a nonnegligible advantage in distinguishing and . Based on Lemma 4, we use to construct an LWE algorithm denoted .
receives samples such that
which are sampled from either or .
Init: the adversary chooses the challenge access structure and sends it to the simulator .
Setup: the challenger constructs as follows:
(1) Let and . Construct the other public parameters, namely, and , as .
(2) Send to .
Queries: in this step, can make key queries for a sequence of attribute lists . However, he cannot query an attribute list which satisfies . answers the queries as .
Challenge: the adversary sends a message to . The simulator generates the challenge ciphertext as follows:
(1) Let and
(2) Compute and let where .
(3) Compute the challenge ciphertext
If the samples are drawn from , we have
The same as in , we have
where . Thus, referring to equation (26), we have
where is the same as in . Referring to equations (25) and (27), the challenge ciphertext in equation (24) is valid as it is in .
If the samples are drawn from a uniformly random distribution, and are uniformly random. Therefore, the challenge ciphertext is uniformly random as it is in .
Continuation: the Queries phase is repeated.
Guess: guesses whether it is interacting with a or challenger. outputs ’s guess as the answer to the challenge it is trying to solve. Thus, the advantage of in solving the problem is equal to the adversary’s advantage in distinguishing and . So, we have .

5. Performance Analysis

In this section, we make a comparison between our scheme and related lattice-based ABE schemes.

As shown in Table 2, the public parameters in [4] consist of matrices and an -dimensional vector, the public parameters in [17] consist of matrices, the public parameters in [19] consist of matrices, the public parameters in [21] consist of matrices and an -dimensional vector, the public parameters in [24] consist of matrices, an matrix, and an -dimensional vector, and the public parameters in our construction consist of matrices, an matrix, and an -dimensional vector. Observe that the total number of the system’s attributes contributes the most to the growth of the size in [4, 17, 19, 21, 24], while the total number of attribute categories contributes the most to the growth of the size in our scheme. Due to the fact that (see Section 4), the size in our scheme is much smaller than that in [4, 21, 24]. The size in [17, 21] is also related to , so it is larger than in [4, 19, 24] and ours. The user’s private keys in [4] are related to the number of the system’s attributes ; therefore, their size is the largest among all the related schemes. Taken together, the size in both our scheme and [24] is smaller than in the others. The ciphertext sizes in [4, 17, 19] are relatively small, but those schemes cannot support fully homomorphic operations. The ciphertext size in our scheme is the smallest among all schemes that support full homomorphism, because the ciphertext is a matrix which is not related to the number of the system’s attributes. In contrast, the ciphertext is a matrix in [21], and in [24], the ciphertext consists of matrices and a matrix. It is obvious that the ciphertext sizes in [21, 24] depend on the total number of the system’s attributes . In our scheme, we remove this dependency on by classifying the system’s attributes. Besides, although [19] is a lattice-based ABE scheme constructed under the LWE problem, it does not give a security reduction and leaves the security reduction as an open problem.
Under the DLWE assumption, the lattice-based ABE schemes [4, 17, 21, 24] and our scheme are secure against selective chosen plaintext attack (sCPA) in the standard model. Since [4, 17, 19] cannot support homomorphic operations on ciphertexts, we only compare the ciphertext size between our scheme and [21, 24], which support homomorphic operations on ciphertexts. In our scheme, we classify the system’s attributes into attribute categories. Each attribute is denoted by two parts: an attribute category and an attribute value. Each attribute category has several different attribute values. In a user’s attribute set and in an access policy, at most one attribute value can be set under each attribute category. It is obvious that the size depends on the number of attribute categories . As shown in Figure 1, according to the suggestions in [16, 27, 31], we set the parameters , , and , respectively. The comparison shows that the ciphertext sizes of [21, 24] grow with the total number of the system’s attributes, while the ciphertext size in our scheme is fixed regardless of the total number of the system’s attributes, and when , the size of the ciphertext in our scheme is reduced by at least 73.3%, not to mention .

The comparison of time complexity is shown in Table 3. The encryption time in our scheme is smaller than in [21, 24], since the encryption time in [21, 24] is related to the total number of the system’s attributes . According to the suggestion given in [27, 31], let and . The encryption time in [21, 24] is approximately equal to , while it is approximately equal to in our construction. As for the decryption time, our scheme and [21] both use one column of the ciphertext for decryption, but in [24], a ciphertext matrix is used for decryption. Therefore, the decryption time in [24] is the longest. In addition, the decryption time in [21] grows with the total number of the system’s attributes , so it is also longer than in our scheme.

6. Conclusion

In this paper, based on the LWE problem, we propose an attribute-based fully homomorphic encryption scheme with short ciphertext which is suitable for the cloud computing environment. A short ciphertext not only reduces the communication overhead but also reduces the running time of encryption, decryption, and homomorphic operations. In our scheme, by classifying the system’s attributes and using the special structure matrix, the size of the ciphertext no longer increases with the total number of the system’s attributes. Moreover, by using the function , we obtain a very tight and simple error analysis using sub-Gaussianity, and in the homomorphic multiplication, can completely rerandomize the error term in a ciphertext. Unfortunately, in order to improve the space and time efficiency, we only support an “AND” access policy. In future work, we will continue to study attribute-based fully homomorphic encryption schemes from lattices that support more flexible access policies.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the National Key Research and Development Program of China (2017YFB0803001), the Shandong Provincial Key Research and Development Program of China (2018CXGC0701), the National Natural Science Foundation of China (NSFC) (no. 61972050), the BUPT Excellent Ph.D. Students Foundation (no. CX2019119), the Beijing Natural Science Foundation (no. L191012), the Team Project of Collaborative Innovation in Universities of Gansu Province (no. 2017-16), and the Major Project of Gansu University of Political Science and Law (no. 2016XZD12).