Research Article | Open Access

# Server-Aided Revocable Attribute-Based Encryption from Lattices

**Academic Editor:**Bruce M. Kapron

#### Abstract

Attribute-based encryption (ABE) can support a fine-grained access control to encrypted data. When the user’s secret-key is compromised, the ABE system has to revoke its decryption privileges to prevent the leakage of encrypted data. Although there are many constructions about revocable ABE from bilinear maps, the situation with lattice-based constructions is less satisfactory, and a few efforts were made to close this gap. In this work, we propose the first lattice-based server-aided revocable attribute-based encryption (SR-ABE) scheme and thus the first such construction that is believed to be quantum resistant. In the standard model, our scheme is proved to be secure based on the hardness of the Learning With Errors (LWE) problem.

#### 1. Introduction

Attribute-based encryption (ABE) [1, 2], which was first introduced in 2006 as a generalization of identity-based encryption (IBE) [3, 4] and fuzzy identity-based encryption (FIBE) [1, 5], is such a notion for public-key encryption which is used to implement fine-grained access control. ABE system includes two types: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, the key generation center (KGC) generates a master secret key and a master public key , and each user has a policy function *f*. The KGC computes and sends to the user a secret key corresponding to its policy function *f*. To encrypt a message *μ*, a sender selects some required attributes from the attribute set to form a subset and generates the ciphertext labeled with . The recipient owning the policy function *f* can decrypt by applying the secret key if and only if . The different between CP-ABE and KP-ABE is that in CP-ABE, each user has its own attribute subset and a ciphertext is corresponding to a policy function *f*.

Several important results are proposed to realize ABE in the last few years. These schemes have several types. One of these can be implemented to predicates computable by Boolean formulas [2, 6–11] (which are limited to log-depth computations). Another of these has made some important progress [12–16], which can apply to sophisticated circuits. In 2013, based on Learning With Errors (LWE) problem, Gorbunov et al. proposed a KP-ABE scheme [16], which is called GVW13, where its predicate can be arbitrary polynomial-size circuits. It is one of the important candidates for Boolean circuit ABE.

When the users in ABE system changed, for example some users leave the system or their secret keys are leaked, these users’ secret keys should be revoked from the system. In other words, although these users have legal secret keys , they cannot decrypt ciphertext after leaving the system. So for an ABE system with a large number of users, an efficient revocable mechanism is very necessary and important.

In the beginning, revocation mechanism is introduced into IBE. To address the user revocation mechanism, in 2008, Boldyreva et al. [17] proposed the first revocation scheme by combining the complete subtree method [18] with FIBE. After the work of Boldyreva et al. [17], a lot of studies [19, 20] have been put forward. In 2013, in response to many realistic threats and attack scenarios, a new security notion unique to the revocation scheme called decryption key exposure resistance (DKER) was proposed by Seo and Emura [20–23]. Since then, DKER has quickly become an important security requirement for RIBE and many follow-up RIBE schemes with DKER [24–28] were proposed. In order to improve the efficiency of revocation, in 2015, Qin et al. [29] proposed an interesting solution, called server-aided revocable IBE (SR-IBE). In their scheme, a publicly accessible server with powerful computational capabilities, which can be untrusted in the sense that it does not possess any secret information, is used to outsource most of the users workload.

The revocable ABE scheme appears later. In 2009, Attrapadung and Imai [30] put forward two revocable methods. One is direct revocation which is that the sender should specify the revocation list while encrypting, and the other is indirect revocation. In the indirect revocation scheme, in order to achieve the key revocation mechanism, each user’s secret key cannot be allowed to decrypt ciphertexts alone. To complete the decryption, the KGC broadcasts key update through a public channel for every time period. The key update is useless for revoked users, but nonrevoked users will be allowed to combine their secret keys with the key update to derive a decryption key, which can finally decrypt ciphertexts. And they proposed the first hybrid revocable ABE scheme.

In 2010, Yu et al. [31] proposed a indirect revocable ABE; however, policy function only supports logical AND. In 2012, Amit et al. [32] provided a more generic way to achieve indirect revocation in ABE schemes. In order to alleviate the workload of users, in 2013, Yang et al. [33] proposed a direct revocable ABE scheme by delegating part of the users decryption capability to a semitrusted server, however, which results in an increase in traffic over the secret channel. To mitigate user’s workload and the traffic of the secret channel, in 2016, Cui et al. [34] proposed a scheme called server-aided revocable ABE (SR-ABE) based on the large universe CP-ABE scheme. If the server in their scheme was colluded with an adversary, however, the SR-ABE may be not DKER. To solve this problem, based on [34], in 2017, Qin et al. [35] proposed a SR-ABE with DKER. About direct revocable, in 2018, Liu et al. [36] proposed an efficient revocable CP-ABE scheme by embedding the revocation list into ciphertext. And they have a shorter revocation list.

These RIBE and RABE schemes operate in the bilinear pairing setting; however, the system has narrowed in the race to protect sensitive electronic information from the threat of quantum computers, which one day could render these constructions obsolete. Up to now, known quantum algorithms have no obvious advantages (beyond polynomial speedup) over classical ones in solving problems in lattice such as shortest vector problem (SVP), closest vector problem (CVP), short integer solution (SIS), and LWE. Lattice-based cryptography is considered as an ideal candidate for postquantum cryptography (PQC), and possesses several noticeable advantages over conventional number-theoretic cryptography (i.e., based on integer factoring or discrete logarithm problems), such as conjectured resistance against quantum computers, faster arithmetic operations, and provable security under the worst-case hardness assumptions. And among the PQC schemes submitted to NIST, lattice-based schemes are the most.

In 2012, Chen et al. [37] proposed the first RIBE scheme from lattices without DKER. In 2017, Takayasu and Watanabe [38] proposed a variant of [37] and partially solved the problem of achieving RIBE with DKER. In 2019, Katsumata et al. [39] completely solved the problem of achieving RIBE with DKER by proposing the first lattice-based RIBE scheme with DKER secure under the LWE assumption.

But the progress in constructing revocable ABE schemes from lattices is slow. In 2018, Ling et al. [40] proposed a server-aided revocable Predicate Encryption (SR-PE) from LWE. This scheme employs the Predicate Encryption (PE) scheme of Agrawal et al. [41] and the complete subtree method of Naor et al. [18] as the two main ingredients, and plus some additional techniques. In the security proof of the SR-PE, however, since the LWE secret vector in the original PE scheme is unknown, an unreasonable challenge ciphertext is constructed, leading to an invalid proof.

##### 1.1. Our Contributions

In order to solve the security of revocable ABE against quantum attack, we propose the first SR-ABE from LWE which is indirect revocable and satisfies efficient and secure user revocation in lattices. In order to mitigate the burden of users, all the work caused by the revocation will be delegated to a powerful untrusted server. The powerful server is similar to cloud computing, with a large number of computing resources and storage resources, which can ensure the correctness of the calculation, but cannot guarantee the security of the data. In order to achieve the key revocation mechanism, in our scheme each user’s secret key cannot be allowed to decrypt ciphertexts alone. To complete the decryption, KGC should bind the user’s identity and corresponding circuit when generating the public key, and bind the period time when generating update key. When the user’s identity is not revoked and its circuit matches the attribute subset of the ciphertext, the server can generate a transformation key from KGC to convert the ciphertext into a partially decrypted ciphertext bound only with the identity. In this way, only the secret key of the identity can be used to decrypt. The framework of our SR-ABE scheme is depicted in Figure 1.

In the scheme, there are four types of participants: a KGC, a powerful untrusted server, data sender and data recipient, among which the KGC and the server are the service of the system, the data sender and the data recipient are the client of the system. The server is opened to anyone, including the adversary. In our scheme, a user’s policy function is a boolean circuit with its identity .

According to the system parameter, the KGC generates an and an and broadcasts the to all users. By using its and a user’s identity , KGC can generate a secret key which is sent to the user. When a data *µ* needs to be sent, a data sender specifies an attribute subset for the data, encrypts it over the and a time period *t* by using the , and sends the ciphertext to the server. And all data users can see the ciphertext on the server. If needing to decrypt a ciphertext , a data recipient with identity forwards its identity and corresponding circuit to the server and points out the ciphertext that it wants the server to decrypt. And the server sends and to the KGC. If corresponds to the attribute subset of the ciphertext, KGC can generate a public key binding identity for this user and send to server. And also the KGC can generate a key update for nonrevoked user in a time period *t* and send it to server. If the recipient’s identity is not in revocation list , then the server is able to generate a transformation key by using the key update and public key . With the key , the server can get partially decrypted ciphertext of binding identity and send it to the data recipient. Finally the recipient can decrypt completely by using its secret key.

The public key is bound to an identity and corresponding circuit , which results in the transformation key binding the identity and circuit as well. If the , then the server can use to separate the attribute subset and time *t* from the ciphertext and bind the identity to generate the partial decrypted ciphertext . The partial decrypted ciphertext can only be decrypted by the secret key corresponding the identity which the recipient sends to the server.

According to the security model of GVW13 ABE [16], we define selective security model for our SR-ABE from LWE which takes into account the possible realistic threats in selective security model and formalizes all attack strategies of an adversary against the SR-ABE scheme. The selective security model is that the adversary needs to give the challenge attributes and challenge time period before seeing the master public key . There are two attack strategies, one is that when the adversary can access the secret key of a user with identity whose circuit matches within , the identity should be in revocation list before , and the other is that if this identity has not been revoked in , the adversary can not query the secret key corresponding to this with .

In short, our contributions in this paper can be summed up in the following three points:(i)We formally define the SR-ABE model from lattices that support Boolean circuit of any arbitrary polynominal size. We give the definition of the correctness and security of SR-ABE from LWE.(ii)We propose a concrete SR-ABE construction from lattice for this model based on the KP-ABE constructed by Gorbunov et al. [16].(iii)We give a strict proof of security for our scheme, based on the hardness of Learning With Errors problem and prove that our SR-ABE scheme is selective security if the GVW13 is selective security.

##### 1.2. Organization

In the forthcoming sections, we first introduce the nations and definitions relevant to this paper in Section 2. We construct the first lattice-based SR-ABE scheme in Section 3 and analyze the correctness and security and compare our scheme with previous revocable schemes in Section 4. We conclude the paper in Section 5.

#### 2. Preliminaries

##### 2.1. Notation

Bold capital letters (e.g., ) denote matrices, bold lowercase letters (e.g., ) denote vectors. The probabilistic polynomial time algorithm is denoted by PPT. denotes the set of where . For a vector , denotes its Euclidean norm. A nonnegative function is if, for every polynomial , it holds that for all sufficiently large .

##### 2.2. Server-Aided Revocable Attribute-Based Encryption

In order to support a class of boolean circuits we add several parameters to conventional SR-ABE where denotes the length of attributes and denotes the depth of a boolean circuit .

###### 2.2.1. Syntax of SR-ABE

A SR-ABE scheme consists of ten following polynomial-time algorithms:(1) the KGC takes a security parameter *λ*, an attribute length , and a circuit depth as input and outputs the system parameter .(2) the KGC takes the parameter as input, and outputs a master public key , a master secret key , a revocation list , and a state .(3) the KGC takes , identity as input; outputs the user secret key ; and sends it to the user with the identity .(4) the sender takes , a time , a message and an attribute subset as input; outputs the ciphertext ; and sends it to the server.(5) the KGC takes , an identity , a circuit corresponding to , and a state as input; outputs the public key with identity and updates the state to ; and sends to the server.(6) the KGC takes , a time , a revocation list , and a state as input; outputs a key update and updates the state to ; and sends to the server.(7) the server takes the public key with identity and a key update as input, and if , and outputs a transform key for a user with identity , else outputs .(8) the server takes the ciphertext and a transform key as input and, if the circuit corresponding to in satisfies , outputs a partially decrypted ciphertext with identity and sends it to the recipient, else outputs .(9) the recipient with identity takes the partially decrypted ciphertext and its secret key as input and outputs the message .(10) the KGC takes an identity set , time *t*, the revocation list , and the current state , and outputs a new and updates the state to .

*Definition 1 (correctness of SR-ABE). *The correctness of SR-ABE requires that for all security parameter *λ*, the circuit depth , the attribute length , all message , all , and , if the user with identity by time *t* and and all parties follow the scheme’s algorithms, then for all ciphertexts , there exists , for and , such that it has where , and .

Chen et al. [37] formalized and defined the selective-revocable-identity security revocable IBE from lattices. Qin et al. [35] defined the IND-CPA security model for SR-ABE from bilinear pairings. In this subsection, we give the definition of selective attribute security server-aided revocable attribute-based encryption from lattices.

###### 2.2.2. Selective Security Game

An adversary and a challenger play the following game. *Initial * first gives the challenge attributes and time , and some information state it wants to preserve. *Setup * runs the , generates the , , and and sends , and to . *Query * can adaptively make a polynomial number of following queries to . on input identity and circuit corresponding to , return a secret key . on input identity , circuit corresponding to and a state , return . on input time *t*, revocation list and state , return . on input and with identity , if return , and else return . on input the ciphertext and circuit with identity and , if outputs partially decrypted ciphertext , else outputs . on input identity , time *t* and state , return updated revocation list . The following restrictions must always hold: If with has been queried to at , the must be queried on for any . If with is not revoked at , should not be queried to the . Challenge outputs two equal length message and sends them to . randomly chooses a bit and sends to . Guess can continue to make a polynomial numbers of queries as in Query phase and outputs a bit . will win if .

*Definition 2 (selective security). *The advantage of is defined as the quantity:The scheme SR-ABE is called to be selective security, if the advantage of adversary is negligible in for an efficient .

##### 2.3. Background on Lattices

*Definition 3 (lattices). *Let be positive integers; for a matrix , denotes an certain family of integer lattices which was introduced by Ajtai [42]. More generally, for , denotes the coset .

*Definition 4 (discrete Gaussians). *For a vector , a parameter and an integer lattice , define and . The discrete Gaussians distribution over lattice with center vector and a parameter *s* is . We will simplify to use notations when .

*Definition 5 (learning with errors (LWE)). *LWE was introduced by Regev [43]. For positive integers *n*, *m*, a prime integer *q*, and a discrete Gaussians distribution . The decisional LWE problem is to distinguish the following two distributions: a uniform distribution pair where , and the other distribution pair where and .

Some efficient sampling algorithms which find some short vectors from specific lattice were introduced by Agrawal et al. [44] and Micciancio and Peikert [45]. We recall these sampling algorithms.

Lemma 1. *For positive integers and efficiently large , There are polynomial time algorithms with the properties below:*(1)* an efficient randomized algorithm [45–47], outputs a matrix and a basis of such that the distribute of is close to uniform and , where denotes Gram–Schmidt orthogonalization of .*(2)*: inputting , a trapdoor of , a matrix , a vector , and a sufficiently large Gaussian parameter , it outputs a vector with a distribute statistically close to .*(3)*: inputting , a trapdoor of , a matrix , , a vector , and a sufficiently large Gaussian parameter , it outputs a vector with a distribute statistically close to .*

##### 2.4. Two-To-One Recoding Scheme

In this subsection, we will introduce the Two-to-One Recoding (TOR) scheme simply presented by Gorbunov et al. based on LWE in [16]. And its idea is introduced in [44, 46, 48, 49].

Lemma 2. *Assuming the Decisional , there is a TOR.*(1)*: on input parameter λ and , output .*(2)

*: on input parameter , run and get a matrix and a trapdoor of . And output .*(3)

*: output the encoding , where . ψ is called an encoding of , and is called error vector.*(4)

*: let for . Compute*

*where , and , where . Output .*(5)

*: let , , and sample a matrix . Define and output the pair .*(6)

*: let and compute*

*where for same . It is clear that for same as long as the error-tolerance is large enough. Output .*

The ABE scheme needs a one-time symmetric encryption scheme which is in the following.

Lemma 3. *Let denote the plaintext, γ denote corresponding ciphertext, ψ and , then*(i)

*: compute the ciphertext . And output*(ii)

*γ*.*: let and a ciphertext , compute*

*where*

*Output .*

##### 2.5. Full-Rank Different Map

*Definition 6 (full-rank different map [37]). *Let *q* be a prime and *n* a positive integer. A function is a full-rank different map, if for all different vectors , the matrix is full rank and H is computable in polynomial time in .

##### 2.6. Complete Subtree Method

Like previous revocable schemes, our scheme also needs to use the complete subtree method which was proposed by Naor et al. [18]. In the method, there is a complete binary with at least *N* leaf nodes, where *N* is the maximum number of users in the system and each leaf node of is corresponding to a user. With this binary tree , a KUNode algorithm is used to compute the minimal set of nodes for which key update needs to be published so that only the nonrevoked users in this tree at a time period *t* are able to decrypt the ciphertexts.

takes the binary tree , a revocation list , and a time period *t* as input and does the following:(1);(2), if , then add to *X*;(3), if , then add to *Y*, if , then add to *Y*, where is left child of *y* and is right child of *y*;(4)if , then add root to *Y*;(5)Return *Y*.

The set *Y* is the smallest subset of nodes that contains ancestors of all the leaf nodes corresponding to nonrevoked users. In [18], it proves that the set *Y* generated by has a size at most , where *R* is the number of users in .

#### 3. SR-ABE from Lattices

##### 3.1. GVW’13 ABE Scheme

In this subsection, we will briefly describe GVW13 ABE scheme [16], which will be used as the building block for our SR-ABE.

There are three key parameters in GVW13 ABE Scheme, which are security parameter λ, attribute length , and circuit depth , respectively. The master public key is and master secret key is , where for . The generation of the secret key for a user with a circuit is complex. First of all, the KGC assigns the to every output of the *i*-th gate of the circuit for . When , the last gate is assigned only when the output of the gate is 1. Then, according to every gate of the circuit , the conversation keys are generated by where and . Finally, these conversation keys are combined as user’s secret key, and distributed to the user. If a message *µ* needs to be sent, according to the , a sender selects to encrypt it and gets the ciphertext where . When a recipient with the circuit wants to decrypt the ciphertext, if , then it can use secret key to get the code of according to the code of and can easily get the message μ; else, it can do nothing.

In the selective security model, the adversary announces a challenge attribute set before the challenger gives it public master key. According to [16], the GVW13 scheme is selectively secure.

##### 3.2. Our SR-ABE Scheme

In this subsection, we give a concrete construction of our scheme.

###### 3.2.1.

On input the , and , the KGC does the following:(1)Set , , the modulus , and Gaussian parameter . Error distribution is . is the maximal number of users the system can support. An efficient full-rank different map .(2)Let the identify space be , the time space be , the message space be , and the attribute space be .(3)Output .

###### 3.2.2.

On input , the KGC does the following:(1)For , run , and output , , and . Output(2)Choose randomly and let and .(3)Initialize the revocation list . Obtain a binary tree with at least *N* leaf nodes and set the state .(4)Output .

###### 3.2.3.

On input , an identity , the KGC does the following:(1)If the corresponding to is undefined, set , sample and note that .(2)Output .

###### 3.2.4.

On input , a time , and a message , the sender selects an attribute subset and does the following:(1)Set and sample .(2)Output , where

###### 3.2.5.

On input , an identity , a circuit , and state , the KGC does the following:(1)For every leaf node *θ* from , store the corresponding identity in this node. If the corresponding to is undefined, set .(2)After getting the circuit from server with identity , for or , run and get . Set . For the gate , there is Let .(3)For each node , if its is undefined, choose and store it on *x.* If the corresponding to is undefined, set . Sample , and such that where . And update the state to (4)Output and the updated .

###### 3.2.6.

On input , a time , a revocation list , and the state , the KGC dose the following:(1)Set .(2)For all , fetch from node *x*, and sample . Note that and (the corresponding is predefined in and always exists). And update the state to .(3)Output and the updated .

###### 3.2.7.

On input and , the server generates a transformation key for every not lying the revocation list as the following:(1)Parse and for some set of nodes *I*, *J*.(2)If , output .(3)Else choose and output . Note that .

###### 3.2.8.

Receiving , the server does the following:(1)If , use the key to obtain , else output .(2)Compute .(3)Output

The server sends to the recipient with identify .

###### 3.2.9.

On input and secret key , the recipient can obtain by using the secret key .

###### 3.2.10.

Taking an identity set where *U* is a set of revoked users, time , the revocation list , and the current state as input, the KGC adds to , updates the state to , and outputs .

#### 4. Correctness and Security Analysis

##### 4.1. Correctness

When a recipient with sends the circuit with to server and wants to decrypt the ciphertext , the server and recipient perform as following.(1)After accepting the circuit from the recipient, the server can send the to KGC and get . And using the , the server can get . By using the secret key in and in , the server computes , i.e., where .(2)Computewhere .

Because of for , then we have and then where . The server hands to recipient.

Receiving , the recipient uses the secret key and computes

If , then running decryption algorithm , the recipient will obtain the message *µ*.

##### 4.2. Security

Theorem 1. *Our SR-ABE scheme with attribute length is selective security defined in Definition 2 if the GVW13 scheme with attribute length is selective security.*

*Proof. *If there exists a PPT adversary against selective security of the SR-ABE scheme with attribute length , then we can construct a PPT adversary against selective security of the GVW13 scheme with attribute length . The security of GVW13 scheme is based on LWE, so is our scheme.

Before proving this theorem, let us summarize our ideas of proof. In the GVW13 scheme with attribute length +2, we set , . And then our scheme’s challenge ciphertext with can be regarded as a transformation of the challenge ciphertext of GVW13 scheme under attribute . Let us start with our proof.

In the GVW13 selective security model, after generating the system parameters *λ*, , and , the challenger runs the , gets , and gives the to . hands it over to . Then chooses a challenge attribute , a challenge time , and a revocation list and gives them to . Then gives to . Now, we consider two type of adversaries as follows: Type I: it is assumed that every identity whose circuit satisfies that must be included in . In this case, is allowed to issue a query to oracle on . Type II: it is assumed that there is an whose circuit satisfies that . In this case, is not revoked at and never issues a query to oracle on .The following steps are taken after receiving the public key:from .(1)Generate , and set , .(2)Sample . Choose an efficient full-rank different map . Choose an identity with and set , , and .(3′)*Type I adversary*: can set revocation list and then sample . Set , and then let and send to the adversary .(3″)*Type II adversary*: can set revocation list , , and let , and send to the adversary .The answers ’s query to the as follows: : *Type I adversary*: when queried from , can return . When queried from , can set , and then run sample algorithm . Finally, can return . *Type II adversary*: when queried from , can set , and then sample . Finally, can return . : when queries for and , can set and . And then does the following:(1)When queries for such that , store in leaf node *θ* from and set as above. If , pick and set . And then for the gate , . And can output . When queries for and , can return . If , , and set .(2)When queries for such that , for , Sample . Note that . can ask for a matrix to run by using and get