Server-Aided Revocable Attribute-Based Encryption from Lattices

Dong, Xingting; Zhang, Yanhua; Wang, Baocang; Chen, Jiangshan

doi:https://doi.org/10.1155/2020/1460531

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 1460531 | https://doi.org/10.1155/2020/1460531

Server-Aided Revocable Attribute-Based Encryption from Lattices

Xingting Dong,¹Yanhua Zhang,²Baocang Wang,¹and Jiangshan Chen³

Academic Editor: Bruce M. Kapron

Received16 Oct 2019

Accepted18 Dec 2019

Published12 Feb 2020

Abstract

Attribute-based encryption (ABE) can support a fine-grained access control to encrypted data. When the user’s secret-key is compromised, the ABE system has to revoke its decryption privileges to prevent the leakage of encrypted data. Although there are many constructions about revocable ABE from bilinear maps, the situation with lattice-based constructions is less satisfactory, and a few efforts were made to close this gap. In this work, we propose the first lattice-based server-aided revocable attribute-based encryption (SR-ABE) scheme and thus the first such construction that is believed to be quantum resistant. In the standard model, our scheme is proved to be secure based on the hardness of the Learning With Errors (LWE) problem.

1. Introduction

Attribute-based encryption (ABE) [1, 2], which was first introduced in 2006 as a generalization of identity-based encryption (IBE) [3, 4] and fuzzy identity-based encryption (FIBE) [1, 5], is such a notion for public-key encryption which is used to implement fine-grained access control. ABE system includes two types: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, the key generation center (KGC) generates a master secret key and a master public key , and each user has a policy function f. The KGC computes and sends to the user a secret key corresponding to its policy function f. To encrypt a message μ, a sender selects some required attributes from the attribute set to form a subset and generates the ciphertext labeled with . The recipient owning the policy function f can decrypt by applying the secret key if and only if . The different between CP-ABE and KP-ABE is that in CP-ABE, each user has its own attribute subset and a ciphertext is corresponding to a policy function f.

Several important results are proposed to realize ABE in the last few years. These schemes have several types. One of these can be implemented to predicates computable by Boolean formulas [2, 6–11] (which are limited to log-depth computations). Another of these has made some important progress [12–16], which can apply to sophisticated circuits. In 2013, based on Learning With Errors (LWE) problem, Gorbunov et al. proposed a KP-ABE scheme [16], which is called GVW13, where its predicate can be arbitrary polynomial-size circuits. It is one of the important candidates for Boolean circuit ABE.

When the users in ABE system changed, for example some users leave the system or their secret keys are leaked, these users’ secret keys should be revoked from the system. In other words, although these users have legal secret keys , they cannot decrypt ciphertext after leaving the system. So for an ABE system with a large number of users, an efficient revocable mechanism is very necessary and important.

In the beginning, revocation mechanism is introduced into IBE. To address the user revocation mechanism, in 2008, Boldyreva et al. [17] proposed the first revocation scheme by combining the complete subtree method [18] with FIBE. After the work of Boldyreva et al. [17], a lot of studies [19, 20] have been put forward. In 2013, in response to many realistic threats and attack scenarios, a new security notion unique to the revocation scheme called decryption key exposure resistance (DKER) was proposed by Seo and Emura [20–23]. Since then, DKER has quickly become an important security requirement for RIBE and many follow-up RIBE schemes with DKER [24–28] were proposed. In order to improve the efficiency of revocation, in 2015, Qin et al. [29] proposed an interesting solution, called server-aided revocable IBE (SR-IBE). In their scheme, a publicly accessible server with powerful computational capabilities, which can be untrusted in the sense that it does not possess any secret information, is used to outsource most of the users workload.

The revocable ABE scheme appears later. In 2009, Attrapadung and Imai [30] put forward two revocable methods. One is direct revocation which is that the sender should specify the revocation list while encrypting, and the other is indirect revocation. In the indirect revocation scheme, in order to achieve the key revocation mechanism, each user’s secret key cannot be allowed to decrypt ciphertexts alone. To complete the decryption, the KGC broadcasts key update through a public channel for every time period. The key update is useless for revoked users, but nonrevoked users will be allowed to combine their secret keys with the key update to derive a decryption key, which can finally decrypt ciphertexts. And they proposed the first hybrid revocable ABE scheme.

In 2010, Yu et al. [31] proposed a indirect revocable ABE; however, policy function only supports logical AND. In 2012, Amit et al. [32] provided a more generic way to achieve indirect revocation in ABE schemes. In order to alleviate the workload of users, in 2013, Yang et al. [33] proposed a direct revocable ABE scheme by delegating part of the users decryption capability to a semitrusted server, however, which results in an increase in traffic over the secret channel. To mitigate user’s workload and the traffic of the secret channel, in 2016, Cui et al. [34] proposed a scheme called server-aided revocable ABE (SR-ABE) based on the large universe CP-ABE scheme. If the server in their scheme was colluded with an adversary, however, the SR-ABE may be not DKER. To solve this problem, based on [34], in 2017, Qin et al. [35] proposed a SR-ABE with DKER. About direct revocable, in 2018, Liu et al. [36] proposed an efficient revocable CP-ABE scheme by embedding the revocation list into ciphertext. And they have a shorter revocation list.

These RIBE and RABE schemes operate in the bilinear pairing setting; however, the system has narrowed in the race to protect sensitive electronic information from the threat of quantum computers, which one day could render these constructions obsolete. Up to now, known quantum algorithms have no obvious advantages (beyond polynomial speedup) over classical ones in solving problems in lattice such as shortest vector problem (SVP), closest vector problem (CVP), short integer solution (SIS), and LWE. Lattice-based cryptography is considered as an ideal candidate for postquantum cryptography (PQC), and possesses several noticeable advantages over conventional number-theoretic cryptography (i.e., based on integer factoring or discrete logarithm problems), such as conjectured resistance against quantum computers, faster arithmetic operations, and provable security under the worst-case hardness assumptions. And among the PQC schemes submitted to NIST, lattice-based schemes are the most.

In 2012, Chen et al. [37] proposed the first RIBE scheme from lattices without DKER. In 2017, Takayasu and Watanabe [38] proposed a variant of [37] and partially solved the problem of achieving RIBE with DKER. In 2019, Katsumata et al. [39] completely solved the problem of achieving RIBE with DKER by proposing the first lattice-based RIBE scheme with DKER secure under the LWE assumption.

But the progress in constructing revocable ABE schemes from lattices is slow. In 2018, Ling et al. [40] proposed a server-aided revocable Predicate Encryption (SR-PE) from LWE. This scheme employs the Predicate Encryption (PE) scheme of Agrawal et al. [41] and the complete subtree method of Naor et al. [18] as the two main ingredients, and plus some additional techniques. In the security proof of the SR-PE, however, since the LWE secret vector in the original PE scheme is unknown, an unreasonable challenge ciphertext is constructed, leading to an invalid proof.

1.1. Our Contributions

In order to solve the security of revocable ABE against quantum attack, we propose the first SR-ABE from LWE which is indirect revocable and satisfies efficient and secure user revocation in lattices. In order to mitigate the burden of users, all the work caused by the revocation will be delegated to a powerful untrusted server. The powerful server is similar to cloud computing, with a large number of computing resources and storage resources, which can ensure the correctness of the calculation, but cannot guarantee the security of the data. In order to achieve the key revocation mechanism, in our scheme each user’s secret key cannot be allowed to decrypt ciphertexts alone. To complete the decryption, KGC should bind the user’s identity and corresponding circuit when generating the public key, and bind the period time when generating update key. When the user’s identity is not revoked and its circuit matches the attribute subset of the ciphertext, the server can generate a transformation key from KGC to convert the ciphertext into a partially decrypted ciphertext bound only with the identity. In this way, only the secret key of the identity can be used to decrypt. The framework of our SR-ABE scheme is depicted in Figure 1.

In the scheme, there are four types of participants: a KGC, a powerful untrusted server, data sender and data recipient, among which the KGC and the server are the service of the system, the data sender and the data recipient are the client of the system. The server is opened to anyone, including the adversary. In our scheme, a user’s policy function is a boolean circuit with its identity .

According to the system parameter, the KGC generates an and an and broadcasts the to all users. By using its and a user’s identity , KGC can generate a secret key which is sent to the user. When a data µ needs to be sent, a data sender specifies an attribute subset for the data, encrypts it over the and a time period t by using the , and sends the ciphertext to the server. And all data users can see the ciphertext on the server. If needing to decrypt a ciphertext , a data recipient with identity forwards its identity and corresponding circuit to the server and points out the ciphertext that it wants the server to decrypt. And the server sends and to the KGC. If corresponds to the attribute subset of the ciphertext, KGC can generate a public key binding identity for this user and send to server. And also the KGC can generate a key update for nonrevoked user in a time period t and send it to server. If the recipient’s identity is not in revocation list , then the server is able to generate a transformation key by using the key update and public key . With the key , the server can get partially decrypted ciphertext of binding identity and send it to the data recipient. Finally the recipient can decrypt completely by using its secret key.

The public key is bound to an identity and corresponding circuit , which results in the transformation key binding the identity and circuit as well. If the , then the server can use to separate the attribute subset and time t from the ciphertext and bind the identity to generate the partial decrypted ciphertext . The partial decrypted ciphertext can only be decrypted by the secret key corresponding the identity which the recipient sends to the server.

According to the security model of GVW13 ABE [16], we define selective security model for our SR-ABE from LWE which takes into account the possible realistic threats in selective security model and formalizes all attack strategies of an adversary against the SR-ABE scheme. The selective security model is that the adversary needs to give the challenge attributes and challenge time period before seeing the master public key . There are two attack strategies, one is that when the adversary can access the secret key of a user with identity whose circuit matches within , the identity should be in revocation list before , and the other is that if this identity has not been revoked in , the adversary can not query the secret key corresponding to this with .

In short, our contributions in this paper can be summed up in the following three points:(i)We formally define the SR-ABE model from lattices that support Boolean circuit of any arbitrary polynominal size. We give the definition of the correctness and security of SR-ABE from LWE.(ii)We propose a concrete SR-ABE construction from lattice for this model based on the KP-ABE constructed by Gorbunov et al. [16].(iii)We give a strict proof of security for our scheme, based on the hardness of Learning With Errors problem and prove that our SR-ABE scheme is selective security if the GVW13 is selective security.

1.2. Organization

In the forthcoming sections, we first introduce the nations and definitions relevant to this paper in Section 2. We construct the first lattice-based SR-ABE scheme in Section 3 and analyze the correctness and security and compare our scheme with previous revocable schemes in Section 4. We conclude the paper in Section 5.

2. Preliminaries

2.1. Notation

Bold capital letters (e.g., ) denote matrices, bold lowercase letters (e.g., ) denote vectors. The probabilistic polynomial time algorithm is denoted by PPT. denotes the set of where . For a vector , denotes its Euclidean norm. A nonnegative function is if, for every polynomial , it holds that for all sufficiently large .

2.2. Server-Aided Revocable Attribute-Based Encryption

In order to support a class of boolean circuits we add several parameters to conventional SR-ABE where denotes the length of attributes and denotes the depth of a boolean circuit .

2.2.1. Syntax of SR-ABE

A SR-ABE scheme consists of ten following polynomial-time algorithms:(1) the KGC takes a security parameter λ, an attribute length , and a circuit depth as input and outputs the system parameter .(2) the KGC takes the parameter as input, and outputs a master public key , a master secret key , a revocation list , and a state .(3) the KGC takes , identity as input; outputs the user secret key ; and sends it to the user with the identity .(4) the sender takes , a time , a message and an attribute subset as input; outputs the ciphertext ; and sends it to the server.(5) the KGC takes , an identity , a circuit corresponding to , and a state as input; outputs the public key with identity and updates the state to ; and sends to the server.(6) the KGC takes , a time , a revocation list , and a state as input; outputs a key update and updates the state to ; and sends to the server.(7) the server takes the public key with identity and a key update as input, and if , and outputs a transform key for a user with identity , else outputs .(8) the server takes the ciphertext and a transform key as input and, if the circuit corresponding to in satisfies , outputs a partially decrypted ciphertext with identity and sends it to the recipient, else outputs .(9) the recipient with identity takes the partially decrypted ciphertext and its secret key as input and outputs the message .(10) the KGC takes an identity set , time t, the revocation list , and the current state , and outputs a new and updates the state to .

Definition 1 (correctness of SR-ABE). The correctness of SR-ABE requires that for all security parameter λ, the circuit depth , the attribute length , all message , all , and , if the user with identity by time t and and all parties follow the scheme’s algorithms, then for all ciphertexts , there exists , for and , such that it has where , and .
Chen et al. [37] formalized and defined the selective-revocable-identity security revocable IBE from lattices. Qin et al. [35] defined the IND-CPA security model for SR-ABE from bilinear pairings. In this subsection, we give the definition of selective attribute security server-aided revocable attribute-based encryption from lattices.

2.2.2. Selective Security Game

An adversary and a challenger play the following game. Initial first gives the challenge attributes and time , and some information state it wants to preserve. Setup runs the , generates the , , and and sends , and to . Query can adaptively make a polynomial number of following queries to . on input identity and circuit corresponding to , return a secret key . on input identity , circuit corresponding to and a state , return . on input time t, revocation list and state , return . on input and with identity , if return , and else return . on input the ciphertext and circuit with identity and , if outputs partially decrypted ciphertext , else outputs . on input identity , time t and state , return updated revocation list . The following restrictions must always hold: If with has been queried to at , the must be queried on for any . If with is not revoked at , should not be queried to the . Challenge outputs two equal length message and sends them to . randomly chooses a bit and sends to . Guess can continue to make a polynomial numbers of queries as in Query phase and outputs a bit . will win if .

Definition 2 (selective security). The advantage of is defined as the quantity:The scheme SR-ABE is called to be selective security, if the advantage of adversary is negligible in for an efficient .

2.3. Background on Lattices

Definition 3 (lattices). Let be positive integers; for a matrix , denotes an certain family of integer lattices which was introduced by Ajtai [42]. More generally, for , denotes the coset .

Definition 4 (discrete Gaussians). For a vector , a parameter and an integer lattice , define and . The discrete Gaussians distribution over lattice with center vector and a parameter s is . We will simplify to use notations when .

Definition 5 (learning with errors (LWE)). LWE was introduced by Regev [43]. For positive integers n, m, a prime integer q, and a discrete Gaussians distribution . The decisional LWE problem is to distinguish the following two distributions: a uniform distribution pair where , and the other distribution pair where and .
Some efficient sampling algorithms which find some short vectors from specific lattice were introduced by Agrawal et al. [44] and Micciancio and Peikert [45]. We recall these sampling algorithms.

Lemma 1. For positive integers and efficiently large , There are polynomial time algorithms with the properties below:(1) an efficient randomized algorithm [45–47], outputs a matrix and a basis of such that the distribute of is close to uniform and , where denotes Gram–Schmidt orthogonalization of .(2): inputting , a trapdoor of , a matrix , a vector , and a sufficiently large Gaussian parameter , it outputs a vector with a distribute statistically close to .(3): inputting , a trapdoor of , a matrix , , a vector , and a sufficiently large Gaussian parameter , it outputs a vector with a distribute statistically close to .

2.4. Two-To-One Recoding Scheme

In this subsection, we will introduce the Two-to-One Recoding (TOR) scheme simply presented by Gorbunov et al. based on LWE in [16]. And its idea is introduced in [44, 46, 48, 49].

Lemma 2. Assuming the Decisional , there is a TOR.(1): on input parameter λ and , output .(2): on input parameter , run and get a matrix and a trapdoor of . And output .(3): output the encoding , where . ψ is called an encoding of , and is called error vector.(4): let for . Compute where , and , where . Output .(5): let , , and sample a matrix . Define and output the pair .(6): let and compute where for same . It is clear that for same as long as the error-tolerance is large enough. Output .

The ABE scheme needs a one-time symmetric encryption scheme which is in the following.

Lemma 3. Let denote the plaintext, γ denote corresponding ciphertext, ψ and , then(i): compute the ciphertext . And output γ.(ii): let and a ciphertext , computewhereOutput .

2.5. Full-Rank Different Map

Definition 6 (full-rank different map [37]). Let q be a prime and n a positive integer. A function is a full-rank different map, if for all different vectors , the matrix is full rank and H is computable in polynomial time in .

2.6. Complete Subtree Method

Like previous revocable schemes, our scheme also needs to use the complete subtree method which was proposed by Naor et al. [18]. In the method, there is a complete binary with at least N leaf nodes, where N is the maximum number of users in the system and each leaf node of is corresponding to a user. With this binary tree , a KUNode algorithm is used to compute the minimal set of nodes for which key update needs to be published so that only the nonrevoked users in this tree at a time period t are able to decrypt the ciphertexts.

takes the binary tree , a revocation list , and a time period t as input and does the following:(1);(2), if , then add to X;(3), if , then add to Y, if , then add to Y, where is left child of y and is right child of y;(4)if , then add root to Y;(5)Return Y.

The set Y is the smallest subset of nodes that contains ancestors of all the leaf nodes corresponding to nonrevoked users. In [18], it proves that the set Y generated by has a size at most , where R is the number of users in .

3. SR-ABE from Lattices

3.1. GVW’13 ABE Scheme

In this subsection, we will briefly describe GVW13 ABE scheme [16], which will be used as the building block for our SR-ABE.

There are three key parameters in GVW13 ABE Scheme, which are security parameter λ, attribute length , and circuit depth , respectively. The master public key is and master secret key is , where for . The generation of the secret key for a user with a circuit is complex. First of all, the KGC assigns the to every output of the i-th gate of the circuit for . When , the last gate is assigned only when the output of the gate is 1. Then, according to every gate of the circuit , the conversation keys are generated by where and . Finally, these conversation keys are combined as user’s secret key, and distributed to the user. If a message µ needs to be sent, according to the , a sender selects to encrypt it and gets the ciphertext where . When a recipient with the circuit wants to decrypt the ciphertext, if , then it can use secret key to get the code of according to the code of and can easily get the message μ; else, it can do nothing.

In the selective security model, the adversary announces a challenge attribute set before the challenger gives it public master key. According to [16], the GVW13 scheme is selectively secure.

3.2. Our SR-ABE Scheme

In this subsection, we give a concrete construction of our scheme.

3.2.1.

On input the , and , the KGC does the following:(1)Set , , the modulus , and Gaussian parameter . Error distribution is . is the maximal number of users the system can support. An efficient full-rank different map .(2)Let the identify space be , the time space be , the message space be , and the attribute space be .(3)Output .

3.2.2.

On input , the KGC does the following:(1)For , run , and output , , and . Output(2)Choose randomly and let and .(3)Initialize the revocation list . Obtain a binary tree with at least N leaf nodes and set the state .(4)Output .

3.2.3.

On input , an identity , the KGC does the following:(1)If the corresponding to is undefined, set , sample and note that .(2)Output .

3.2.4.

On input , a time , and a message , the sender selects an attribute subset and does the following:(1)Set and sample .(2)Output , where

3.2.5.

On input , an identity , a circuit , and state , the KGC does the following:(1)For every leaf node θ from , store the corresponding identity in this node. If the corresponding to is undefined, set .(2)After getting the circuit from server with identity , for or , run and get . Set . For the gate , there is Let .(3)For each node , if its is undefined, choose and store it on x. If the corresponding to is undefined, set . Sample , and such that where . And update the state to (4)Output and the updated .

3.2.6.

On input , a time , a revocation list , and the state , the KGC dose the following:(1)Set .(2)For all , fetch from node x, and sample . Note that and (the corresponding is predefined in and always exists). And update the state to .(3)Output and the updated .

3.2.7.

On input and , the server generates a transformation key for every not lying the revocation list as the following:(1)Parse and for some set of nodes I, J.(2)If , output .(3)Else choose and output . Note that .

3.2.8.

Receiving , the server does the following:(1)If , use the key to obtain , else output .(2)Compute .(3)Output

The server sends to the recipient with identify .

3.2.9.

On input and secret key , the recipient can obtain by using the secret key .

3.2.10.

Taking an identity set where U is a set of revoked users, time , the revocation list , and the current state as input, the KGC adds to , updates the state to , and outputs .

4. Correctness and Security Analysis

4.1. Correctness

When a recipient with sends the circuit with to server and wants to decrypt the ciphertext , the server and recipient perform as following.(1)After accepting the circuit from the recipient, the server can send the to KGC and get . And using the , the server can get . By using the secret key in and in , the server computes , i.e., where .(2)Computewhere .

Because of for , then we have and then where . The server hands to recipient.

Receiving , the recipient uses the secret key and computes

If , then running decryption algorithm , the recipient will obtain the message µ.

4.2. Security

Theorem 1. Our SR-ABE scheme with attribute length is selective security defined in Definition 2 if the GVW13 scheme with attribute length is selective security.

Proof. If there exists a PPT adversary against selective security of the SR-ABE scheme with attribute length , then we can construct a PPT adversary against selective security of the GVW13 scheme with attribute length . The security of GVW13 scheme is based on LWE, so is our scheme.
Before proving this theorem, let us summarize our ideas of proof. In the GVW13 scheme with attribute length +2, we set , . And then our scheme’s challenge ciphertext with can be regarded as a transformation of the challenge ciphertext of GVW13 scheme under attribute . Let us start with our proof.
In the GVW13 selective security model, after generating the system parameters λ, , and , the challenger runs the , gets , and gives the to . hands it over to . Then chooses a challenge attribute , a challenge time , and a revocation list and gives them to . Then gives to . Now, we consider two type of adversaries as follows: Type I: it is assumed that every identity whose circuit satisfies that must be included in . In this case, is allowed to issue a query to oracle on . Type II: it is assumed that there is an whose circuit satisfies that . In this case, is not revoked at and never issues a query to oracle on .The following steps are taken after receiving the public key:from .(1)Generate , and set , .(2)Sample . Choose an efficient full-rank different map . Choose an identity with and set , , and .(3′)Type I adversary: can set revocation list and then sample . Set , and then let and send to the adversary .(3″)Type II adversary: can set revocation list , , and let , and send to the adversary .The answers ’s query to the as follows: : Type I adversary: when queried from , can return . When queried from , can set , and then run sample algorithm . Finally, can return . Type II adversary: when queried from , can set , and then sample . Finally, can return . : when queries for and , can set and . And then does the following:(1)When queries for such that , store in leaf node θ from and set as above. If , pick and set . And then for the gate , . And can output . When queries for and , can return . If , , and set .(2)When queries for such that , for , Sample . Note that . can ask for a matrix to run by using and get such that can only get a code of from by using . That is, sets . Other than that, did not get any secret information. This will not endanger the security of GVW13. Then outputs . : for key update of time and all , set . can compute as where has been defined in and return . and : by using a key update and a public key with identity , can execute these two algorithms. : after accepting the query about updating the revocation list on an identity , a revocation list and a state , the adds to , outputs a new , and gives it to .Then gives two message to who prepares the challenge ciphertext as follows:(1)Send which are seen as two challenge messages. The chooses and returns a ciphertext as a GVW13’s encryption of under attribute .(2)Output as an SR-ABE ciphertext of under whereAfter being allowed to make additional queries, outputs . Then the adversary returns it to as the guess of the bit ℬ.
Because of assuming that can break the selective security of with probability ε, which meansthen, we have

4.3. Comparison

In the past few years, a large body of work on revocable ABE [34, 35] and revocable IBE [37, 39] has been proposed. In these revocable ABE schemes [34, 35], there is a powerful but untrustworthy server. And most of data users’ workloads are delegated to the powerful untrusted server such that the KGC indirectly revokes users in revocation list by stopping updating the keys without any operation by the user. In [34], a revocable CP-ABE is proposed where a user can generate its local secret key and public key and decrypt a ciphertext by using the local secret key. And in [35], a key-randomization was introduced such that a user’s local decryption keys can be exposed if the user is not revoked. In these revocable IBE schemes [37, 39], the KGC can revoke the users in the revocation list by stopping posting key update for these users, thereby forcing revoked users to be unable to generate their decryption keys. In [37], a revocable IBE from LWE is proposed where users can transform a long-term secret key and a key update from KGC into decryption keys. And in [39], a generic construction of an RIBE scheme with DKER was proposed which consists of any two-level standard HIBE scheme and RIBE scheme without DKER.

Table 1 compares our SR-ABE scheme with revocable ABE/IBE schemes [34, 35, 37, 39]. In Table 1, N denotes the number of all users in system, R denotes the number of users in revocation list, “-” denotes not-applicable or not-comparable. denotes the time taken for matrix multiplication, denotes the time running the Gaussian sample, denotes the time running , and denotes the time running . The schemes [34, 35] are based on decisional Bilinear Diffie–Hellman (DBDH) assumption from discrete logarithm problem and insecure when faced with the adversaries using quantum computers. Compared with them, our scheme is based on LWE and secure against the quantum computers. Compared with the schemes [37, 39], in our scheme, KGC needs more computation cost due to the complexity of current strategy function in ABE, but users need less computation cost in decryption. In the schemes [34, 35], storage overhead is , which is related to the number of users in system and users in revocation list. Our scheme mitigates user’s storage overheads by delegating the most of users’ workload to a powerful untrusted server. Our goal in this paper is to achieve user revocation in a KP-ABE system from LWE such that most of the user’s workload is delegated to a powerful untrusted server and our scheme can be secure against quantum computers.

5. Conclusion

In this paper, we propose a new model called server-aided revocable attribute based encryption (SR-ABE) from lattice to achieve efficient user revocation and security against quantum computers in attribute-based encryption (ABE). We formally define an SR-ABE model and give the definitions of the correctness and security of SR-ABE from LWE. Based on a standard (nonrevocable) ABE [16], we propose the first concrete construction of SR-ABE from lattices. And, we provide a more rigorous proof of security, based on the hardness of LWE.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Key R&D Program of China under grants no. 2017YFB0802000, National Natural Science Foundations of China (Nos. 61672412 and 61972457), National Cryptography Development Fund under grant no. MMJJ20170104, National Natural Science Foundation of China under Grant nos. U19B2021 and U1736111, National Cryptography Development Fund under Grant no. MMJJ20180111, and Key Foundation of Science and Technology Development of Henan Province (no.202102210356).

References

S. Amit and B. Waters, “Fuzzy identity-based encryption,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473, Springer, Aarhus, Denmark, 2005.
View at: Google Scholar
V. Goyal, O. Pandey, S. Amit, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98, ACM, Chicago, IL, USA, 2006.
View at: Publisher Site | Google Scholar
Adi Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, pp. 47–53, Springer, Paris, France, April 1984.
View at: Google Scholar
D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.
View at: Publisher Site | Google Scholar
Y. Li, Y. Yu, G. Min, W. Susilo, J. Ni, and K.-K. R. Choo, “Fuzzy identity-based data integrity auditing for reliable cloud storage systems,” IEEE Transactions on Dependable and Secure Computing, vol. 16, no. 1, pp. 72–83, 2019.
View at: Publisher Site | Google Scholar
L. Allison, T. Okamoto, S. Amit, K. Takashima, and B. Waters, “Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 62–91, Springer, French Riviera, Monaco, 2010.
View at: Google Scholar
T. Okamoto and K. Takashima, “Fully secure functional encryption with general relations from the decisional linear assumption,” in Proceedings of the Annual Cryptology Conference, pp. 191–208, Springer, Barbara, CA, USA, August 2010.
View at: Google Scholar
X. Boyen, “Attribute-based functional encryption on lattices,” in Theory of Cryptography, pp. 122–142, Springer, Berlin, Germany, 2013.
View at: Google Scholar
S. Hohenberger and B. Waters, “Attribute-based encryption with fast decryption,” in Proceedings of the International Workshop on Public Key Cryptography, pp. 162–179, Springer, Beijing, China, April 2013.
View at: Google Scholar
L. Allison and B. Waters, “New proof methods for attribute-based encryption: achieving full security through selective techniques,” in Annual Cryptology, pp. 180–198, Springer, Berlin, Germany, 2012.
View at: Google Scholar
B. Waters, “Functional encryption for regular languages,” in Annual Cryptology, pp. 218–235, Springer, Berlin, Germany, 2012.
View at: Google Scholar
Z. Brakerski, D. Cash, R. Tsabary, and H. Wee, “Targeted homomorphic attribute-based encryption,” in Theory of Cryptography, pp. 330–360, Springer, Berlin, Germany, 2016.
View at: Google Scholar
D. Boneh, G. Craig, S. Gorbunov et al., “Fully key-homomorphic encryption, arithmetic circuit abe and compact garbled circuits,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 533–556, Springer, Copenhagen, Denmark, May 2014.
View at: Google Scholar
Z. Brakerski and V. Vaikuntanathan, “Circuit-abe from lwe: unbounded attributes and semi-adaptive security,” in Proceedings of the Annual International Cryptology Conference, pp. 363–384, Springer, Santa Barbara, CA, USA, August 2016.
View at: Google Scholar
S. Garg, G. Craig, S. Halevi, S. Amit, and B. Waters, “Attribute-based encryption for circuits from multilinear maps,” in Proceedings of the Annual Cryptology Conference, pp. 479–499, Springer, Santa Barbara, CA, USA, August 2013.
View at: Google Scholar
S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Attribute-based encryption for circuits,” in Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 545–554, ACM, Palo Alto, CA, USA, June 2013.
View at: Google Scholar
A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 417–426, ACM, Alexandria, VA, USA, October 2008.
View at: Google Scholar
D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Proceedings of the Annual International Cryptology Conference, pp. 41–62, Springer, Santa Barbara, CA, USA, August 2001.
View at: Google Scholar
B. Libert and D. Vergnaud, “Adaptive-ID secure revocable identity-based encryption,” in Proceedings of the Cryptographers Track at the RSA Conference, pp. 1–15, Springer, San Francisco, CA, USA, April 2009.
View at: Google Scholar
J. H. Seo and K. Emura, “Revocable identity-based encryption revisited: security model and construction,” in Proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography, pp. 216–234, Nara, Japan, February 2013.
View at: Google Scholar
J. H. Seo and K. Emura, “Revocable identity-based cryptosystem revisited: security models and constructions,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 7, pp. 1193–1205, 2014.
View at: Publisher Site | Google Scholar
Against Insiders, “Revocable hierarchical identity-based encryption: history-free update, security against insiders, and short ciphertexts,” in Proceedings of the Topics in Cryptology—CT-RSA 2015: The Cryptographer’s Track at the RSA Conference, vol. 9048, p. 106, Springer, San Francisco, CA, USA, April 2015.
View at: Google Scholar
J. H. Seo and K. Emura, “Revocable hierarchical identity-based encryption via history-free approach,” Theoretical Computer Science, vol. 615, pp. 45–60, 2016.
View at: Publisher Site | Google Scholar
X. Mao, J. Lai, K. Chen, J. Weng, and Q. Mei, “Efficient revocable identity-based encryption from multilinear maps,” Security and Communication Networks, vol. 8, no. 18, pp. 3511–3522, 2015.
View at: Publisher Site | Google Scholar
S. Park, K. Lee, and D. H. Lee, “New constructions of revocable identity-based encryption from multilinear maps,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1564–1577, 2015.
View at: Publisher Site | Google Scholar
Y. Ishida, J. Shikata, and Y. Watanabe, “CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance,” International Journal of Applied Cryptography, vol. 3, no. 3, pp. 288–311, 2017.
View at: Publisher Site | Google Scholar
K. Lee, D. H. Lee, and J. H. Park, “Efficient revocable identity-based encryption via subset difference methods,” Designs, Codes and Cryptography, vol. 85, no. 1, pp. 39–76, 2017.
View at: Publisher Site | Google Scholar
Y. Park, K. Emura, and J. H. Seo, “New revocable ibe in prime-order groups: adaptively secure, decryption key exposure resistant, and with short public parameters,” in Proceedings of the Cryptographers Track at the RSA Conference, pp. 432–449, Springer, San Francisco, CA, USA, March 2017.
View at: Google Scholar
B. Qin, R. H. Deng, Y. Li, and S. Liu, “Server-aided revocable identity-based encryption,” in Proceedings of the European Symposium on Research in Computer Security, pp. 286–304, Springer, Vienna, Austria, September 2015.
View at: Google Scholar
N. Attrapadung and H. Imai, “Attribute-based encryption supporting direct/indirect revocation modes,” in Proceedings of the IMA International Conference on Cryptography and Coding, pp. 278–300, Springer, Cirencester, UK, December 2009.
View at: Google Scholar
S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 261–270, ACM, Beijing, China, April 2010.
View at: Publisher Site | Google Scholar
S. Amit, H. Seyalioglu, and B. Waters, “Dynamic credentials and ciphertext delegation for attribute-based encryption,” in Proceedings of the Annual Cryptology Conference, pp. 199–217, Springer, Santa Barbara, CA, USA, 2012.
View at: Google Scholar
Y. Yang, X. Ding, H. Lu, Z. Wan, and J. Zhou, “Achieving revocable fine-grained cryptographic access control over cloud data,” in Proceedings of the 16th International Conference on Information Security, vol. 7807, pp. 293–308, Springer-Verlag New York, Inc., Dallas, TX, USA, 2013.
View at: Google Scholar
H. Cui, R. H. Deng, Y. Li, and B. Qin, “Server-aided revocable attribute-based encryption,” in Proceedings of the European Symposium on Research in Computer Security, pp. 570–587, Springer, Heraklion, Greece, September 2016.
View at: Google Scholar
B. Qin, Q. Zhao, Z. Dong, and H. Cui, “Server-aided revocable attribute-based encryption resilient to decryption key exposure,” in Proceedings of the International Conference on Cryptology and Network Security, pp. 504–514, Springer, Hong Kong, China, November 2017.
View at: Google Scholar
J. K. Liu, T. H. Yuen, P. Zhang, and K. Liang, “Time-based direct revocable ciphertext-policy attribute-based encryption with short revocation list,” in Proceedings of the International Conference on Applied Cryptography and Network Security, pp. 516–534, Springer, London, UK, 2018.
View at: Google Scholar
J. Chen, H. W. Lim, S. Ling, H. Wang, and K. Nguyen, “Revocable identity-based encryption from lattices,” in Proceedings of the Australasian Conference on Information Security and Privacy, pp. 390–403, Springer, Wollongong, Australia, July 2012.
View at: Google Scholar
A. Takayasu and Y. Watanabe, “Lattice-based revocable identity-based encryption with bounded decryption key exposure resistance,” in Proceedings of the Australasian Conference on Information Security and Privacy, pp. 184–204, Springer, Auckland, New Zealand, July 2017.
View at: Google Scholar
S. Katsumata, T. Matsuda, and A. Takayasu, “Lattice-based revocable (hierarchical) ibe with decryption key exposure resistance,” in Proceedings of the IACR International Workshop on Public Key Cryptography, pp. 441–471, Springer, Beijing, China, April 2019.
View at: Google Scholar
S. Ling, K. Nguyen, H. Wang, and J. Zhang, “Server-aided revocable predicate encryption: formalization and lattice-based instantiation,” 2018, http://arxiv.org/abs/1801.07844.
View at: Google Scholar
S. Agrawal, D. M. Freeman, and V. Vaikuntanathan, “Functional encryption for inner product predicates from learning with errors,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 21–40, Springer, Seoul, South Korea, December 2011.
View at: Google Scholar
M. Ajtai, “Generating hard instances of lattice problems,” in Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 99–108, ACM, Philadephia, PA, USA, 1996.
View at: Google Scholar
O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the ACM Symposium on Theory of Computing, Baltimore, MD, USA, 2005.
View at: Google Scholar
S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (h) ibe in the standard model,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 553–572, Springer, Tallinn, Estonia, May 2010.
View at: Google Scholar
D. Micciancio and C. Peikert, “Trapdoors for lattices: simpler, tighter, faster, smaller,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 700–718, Springer, Cambridge, UK, April 2012.
View at: Google Scholar
G. Craig, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206, ACM, Columbia, Canada, May 2008.
View at: Google Scholar
M. Ajtai, “Generating hard instances of the short basis problem,” in Proceedings of the International Colloquium on Automata, Languages, and Programming, pp. 1–9, Springer, Prague, Czech Republic, July 1999.
View at: Google Scholar
S. Agrawal, D. Boneh, and X. Boyen, “Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical ibe,” in Proceedings of the Annual Cryptology Conference, pp. 98–115, Springer, Barbara, CA, USA, August 2010.
View at: Google Scholar
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” Journal of Cryptology, vol. 25, no. 4, pp. 601–639, 2012.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Xingting Dong et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

782

Downloads

1038

Citations