Research Article | Open Access

Yuan Liu, Licheng Wang, Xiaoying Shen, Lixiang Li, Dezhi An, "Space-Efficient Key-Policy Attribute-Based Encryption from Lattices and Two-Dimensional Attributes", *Security and Communication Networks*, vol. 2020, Article ID 2345369, 11 pages, 2020. https://doi.org/10.1155/2020/2345369

# Space-Efficient Key-Policy Attribute-Based Encryption from Lattices and Two-Dimensional Attributes

**Academic Editor:**Fulvio Valenza

#### Abstract

Linear secret-sharing scheme (LSSS) is a useful tool for supporting flexible access policy in building attribute-based encryption (ABE) schemes. But in lattice-based ABE constructions, there is a subtle security problem in the sense that careless usage of LSSS-based secret sharing over vectors would lead to the leakage of the master secret key. In this paper, we propose a new method that employs LSSS to build lattice-based key-policy attribute-based encryption (KP-ABE) that resolves this security issue. More specifically, no adversary can reconstruct the master secret key since we introduce a new trapdoor generation algorithm to generate a strong trapdoor (instead of a lattice basis), that is, the master secret key, and remove the dependency of the master secret key on the total number of system attributes. Meanwhile, with the purpose of reducing the storage cost and support dynamic updating on attributes, we extended the traditional 1-dimensional attribute structure to 2-dimensional one. This makes our construction remarkably efficient in space cost, with acceptable time cost. Finally, our scheme is proved to be secure in the standard model.

#### 1. Introduction

In 2005, Sahai and Waters [1] proposed a new public key encryption mechanism: attribute-based encryption (ABE). It associates the user’s identity with a set of attributes. The user’s private key and the ciphertext are defined based on the attribute set and access policy, respectively, and a user can decrypt only if the attribute set and the access policy match each other. If the user’s privacy key is correlated to the access policy and the ciphertext is correlated to the attribute set, it is a key-policy ABE (KP-ABE). On the contrary, it is a ciphertext-policy ABE (CP-ABE) [2]. With the development of the cloud computing, more and more people tend to store and share their data through the cloud. To protect the users’ privacy information, ABE is a good choice which can achieve fine-grained access control and one-to-many communication of users’ data in public cloud storage [3].

The constructions of ABE are usually based on two different mathematical platforms: bilinear pairings and lattices. On the one hand, the quick progress in pairing-based ABE constructions [4–7] fosters the so-called expressive cryptography. On the other hand, with the breakthrough of quantum computing technology in recent years, most researchers believe that bilinear pairing-based constructions suffer from the potential threat of quantum computers. Therefore, the study of lattice-based ABE schemes attracts more attention.

In 2011, Zhang and Zhang [8] proposed a CP-ABE scheme that is based on learning with errors (LWE) problem [9] and supports AND operation among attributes. One year after, they [10] again proposed another lattice-based CP-ABE scheme that supports threshold access policies. In 2013, Liu et al. [11] proposed a threshold ABE scheme with attribute hierarchy based on lattice intractability assumptions. The constructions in [8, 10, 11] gave us a good inspiration to study lattice-based ABE. But a single AND operation or THRESHOLD operation is still not enough for describing even flexible access policies in practical application. To support an even flexible access policy, the technique of linear secret-sharing scheme (LSSS) which is known to support AND, OR, and THRESHOLD operations is useful. For instance, LSSS was used in building pairing-based ABE schemes [12–14]. However, as mentioned by Agrawal et al. [15], in building a lattice-based KP-ABE scheme, if the usage of LSSS is improper (such as work in [15]), the shares of a vector are correlated, and this would enable an adversary to reconstruct the master secret key by making some correlated key queries. For example, the adversary can make key queries for , , , and so on. Their preimages (i.e., secret key) can be combined to form a short vector in the null space. And after several key queries, the adversary can construct a full basis that can be used to break the challenge ciphertext for a target attribute vector such as . To deal with this subtle problem, Boyen [16] in their lattice-based KP-ABE construction utilized the LSSS technique but bypassed the vector-based secret sharing. Instead, they constructed a virtual encryption matrix which cascaded the sharing matrix. In 2014, Boneh et al. [17] proposed another lattice-based KP-ABE scheme that uses the arithmetic circuits to describe the access policy which can support AND and OR operations on the attributes.

Another issue of designing ABE schemes is the dimension of structure of attributes. The typical setting is to use 1-dimensional structure. That is, a set is used to denote the system attributes and all attributes of the system are initialized in Setup phase (such as in [16–18]). However, in [16–18], this kind of setting has two problems in practice. First, the number of system attributes is fixed. Or equivalently, the attributes space is bounded after the execution of the Setup algorithm. Second, the size of parameters would be linearly increased with the number of system attributes. This situation becomes ever worse in lattice-based ABE constructions. The total size of parameters would be over 300 M bytes, even 1 G byte. In particular, the space cost for attribute parameters occupied over 95% of the space cost of the total public parameters. But in practical application, it is more desirable to support dynamic updating and space-efficient settings on system attributes. Therefore, the main motivation of this paper is to construct a lattice-based KP-ABE scheme that supports flexible access policies and dynamic updating and space-efficient attribute settings.

##### 1.1. Our Contribution

In this paper, we propose a secure LSSS-based KP-ABE scheme from lattices which can support a flexible access policy but has solved the master secret key leakage problem. In addition, we give a flexible attribute description which can add new attributes dynamically and we also reduce the sizes of public parameter, master key, user’s secret key, and ciphertext. The main contributions are as follows:(1)New method of LSSS-enabled flexible access policy without the security issue mentioned by Agrawal. In our construction, we use the LSSS technique to support a flexible access policy and resolve the insecure problem by avoiding the adversary to reconstruct the master secret key. In the previous LSSS-based KP-ABE scheme, the master secret key often consisted of some bases which correlated to the total number of system attributes. An adversary can reconstruct a full basis (i.e., master secret key) by making some correlated key queries [15]. But in our scheme, we use a new trapdoor generation algorithm of MP12 [19] to generate a strong trapdoor, not a basis (i.e., the master secret key), and the master secret key is no longer correlated to the number of system attributes. Thus, no adversary can obtain the correlated information of the master key. Since the master key is a new strong trapdoor (instead of a lattice basis), we also make an improvement of the SampleLeft algorithm which takes a lattice basis as input (see Section 4.1).(2)Two-dimensional attribute structures that support attribute dynamic updating and reduce size of parameters. In our scheme, we extended the traditional 1-dimensional *(value-specified)* attribute structures to 2-dimensional *(label- and value-specified)* ones. Multiple values can be set under an attribute label. It can add new attribute values at any time without reconstructing the system. The attribute space is no longer bounded. In addition, the attribute value usually often contains more privacy information than attribute label. By doing that, the attribute labels are used to set the access policy, while the actual values are hidden. So even if the adversary makes some key queries for correlated access policy, it cannot get any privacy information of the master secret key. Particularly, the most observable advantage of using this kind of 2-dimensional attribute structure is that the storage cost is reduced. The storage cost of the trapdoor, not a basis, is at least four times smaller than other constructions. And by removing the reliance on the total number of system attributes, the sizes of public parameter, master secret key, user’s secret key, and ciphertext are remarkably reduced. The detailed performance analysis is given in Section 5. In fact, this kind of 2-dimensional settings on attributes is now new to us. In 2015, Ying et al. [13] used a tag-based setting on attributes in pairing-based constructions. Our contribution is to introduce Ying et al.’s idea into lattice-based constructions.

##### 1.2. Related Work

In 2012, Agrawal et al. proposed a fuzzy identity-based encryption scheme from lattices [15] which can support a single THRESHOLD operation. In 2014, a lattice-based KP-ABE scheme [20] and a lattice-based CP-ABE scheme [21] were proposed. These two schemes just only supported AND gate. In 2015, Zhang et al. [22] designed a multiauthority attribute-based encryption (MA-ABE) scheme on lattice which can support “THRESHOLD” operation on the attributes. There exist multiple attribute authorities in this scheme which has resolved the problem of delayed response in the single attribute authority. In 2017, Zhao and Gao proposed an LSSS matrix-based KP-ABE on lattices [23] with a flexible access policy, but the attribute space is bounded. Liu et al. proposed a multiauthority key-policy attribute-based encryption (MA-KP-ABE) scheme from lattices [24] with the same advantage of Zhang’s construction in [22]. In 2018, Liu et al. [25] proposed an MA-ABE with ciphertext policy. In the scheme, the size of ciphertext is reduced because they introduced the basis delegation without dimension increase algorithm in [26]. The lattice-based ABE schemes in [27, 28] were based on the ring-LWE problem. The authors of [27, 28] make an engineering implement of their schemes.

##### 1.3. Organization

The rest of this paper is organized as follows. In Section 2, we give the basic definition of lattice, sampling algorithms, and FRD function. The definition of the KP-ABE scheme and security model are given in Section 3. In Section 4, an improved SampleLeft algorithm and a space-efficient KP-ABE scheme with 2-dimensional attributes are proposed. The parameters setting and security proof are also given in Section 4. In Section 5, we give a detailed comparison between our scheme and relevant works from the space cost and time cost. Finally, we conclude this paper in Section 6.

#### 2. Preliminaries

*Notation*. denotes an integer set of mod residue class. is a *n*-dimension column vector. An matrix is denoted by , where = . denotes the -norm length of the longest column of . denotes the Gram-Schmidt orthogonalization of the vectors . We refer to as the Gram-Schmidt norm of . In our scheme, and denote user’s attribute set and ciphertext attributes set, respectively, and and denote the number of attributes in and , respectively.

##### 2.1. Integer Lattice

*Definition 1. * are *n* linearly independent vectors, and the lattice is generated by the following formula:Note that is a basis of , *n* is the rank, and *m* is the dimension.

*Definition 2. *For prime , and , define

##### 2.2. Discrete Gaussians

*Definition 3. *For a positive integer and a vector , we defined a Gaussian distribution with center and variance as follows:where is a parameter and .

##### 2.3. Sampling Algorithms and FRD Function

The following two algorithms are introduced from MP12 [19]. *TrapGen* is used to generate the public parameters and master key in the KP-ABE scheme.

*Definition 4. *A -trapdoor for is a matrix such that , where , , and . is a tag of the trapdoor. , the largest singular value of , is the quality of the trapdoor.

For any integer and sufficiently large , let be a invertible matrix, denotes a primitive and public matrix, is chosen at random, is a uniformly random vector, and is the Gaussian parameter, where is the largest singular value of and is the maximum length of ’s Gram-Schmidt orthogonalized vectors ( or [19]); it has the following:(1)Algorithm *TrapGen* that outputs a uniformly random matrix and a trapdoor matrix , where the trapdoor size is () and .(2)Algorithm *SamplePre* that outputs a vector , where .

Lemma 1. *The vector in (2) is not statistically distinguishable from , where [19]*

The following *SampleRight* algorithm is used in our scheme for the security proof. There also exists a *SampleLeft* algorithm. But in the traditional *SampleLeft* algorithm in [29], is a basis of . But since in our scheme the trapdoor is a trapdoor, not a basis, we make a small improvement to this algorithm (see Section 4.1). We call the improved SampleLeft algorithm *IMSampleLeft*.

For , and , algorithm *SampleRight* ( ) outputs a vector , where , , , and is a basis of and . The vector is not statistically distinguishable from , where and . Note that the matrix often is a random matrix in , is the maximum length of ’s Gram-Schmidt orthogonalized vectors, and .

The following algorithm is the encoding with full-rank differences (FRD) function. For a prime and a positive integer , a FRD function is as follows:(1)FRD: for an input , define the polynomial . Define as(2)Let be some polynomial of degree that is irreducible and denote the *n* vector of coefficients of .

##### 2.4. Two Lemmas to Bound Norms

The following three lemmas will be used to prove that the decryption is correct.

Lemma 2. *Let be some vector in and let [30]. Then the quality treated as an integer in satisfieswith all but negligible probability in m.*

As a special case, Lemma 2 shows that if is treated as an integer in , it satisfieswith all but negligible probability in *m*.

Lemma 3. *For a vector and a random matrix [29], it has*

##### 2.5. Linear Secret-Sharing Scheme (LSSS)

A secret-sharing scheme over a collection is linear if one has the following:(1)The shares for each party form a vector over .(2)There exists a matrix of size such that, for all , the *i*’th row is labeled with a function . Randomly choose and a vector , where is the secret to be shared. The share belongs to party , where is the i’th row of .

Linear reconstruction property: suppose a scheme’s access structure is LSSS. Let be an authorized set and . There exists a set of constants that can be used to compute the secret : .

##### 2.6. Hardness Assumption

*Definition 5. *Give a prime , a positive integer , and a distribution over . A -LWE problem instance consists of access to an unspecified challenge oracle , being either a noisy pseudorandom sampler carrying some constant random secret key or a truly random sampler , whose behaviors are as follows, respectively: outputs samples of the form , where is uniform in , is a uniformly distributed secret key, and is a noise component from . outputs truly uniform random samples from .The -LWE problem allows a number of queries to the challenge oracle . We say an algorithm decides a -LWE problem if is nonnegligible for a random .

Theorem 1. *If there exists an efficient, possibly quantum, algorithm for deciding the -LWE problem for , then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems to within factors in the norm, in the worst case [9].*

#### 3. Definitions of KP-ABE and Security Model

In KP-ABE, the message is encrypted by using the attributes as public keys, and a user’s private key is related to the access policy which is defined by a set of attributes. A KP-ABE scheme consists of the following four algorithms.

*Setup* ()(). Taking a security parameter as input, the algorithm outputs the public parameter and the master secret key .

*KeyGen* (*pp*, , , ()) . On input of the public parameter *pp*, the master key *msk*, a user’s attribute set, and access policy () of which the rows are associated with the attribute labels, the algorithm *KeyGen* outputs the secret keys .

*Encrypt* (*pp*, , *b*)*c*. Taking the public parameter *pp*, the encrypted attribute set , and a plaintext bit as input, this algorithm outputs the ciphertext *c*.

*Decrypt* (*pp*, *c*, )*b*. On input of the public parameter *pp*, the ciphertext *c*, and a decryptor’s secret key , this algorithm outputs a message .

*Correctness*. For a user’s attributes set , all message *b*, and the ciphertext *c*Encrypt (), we have if and match each other.

Here, we give the definition of the security model which is adapted from [16]. A KP-ABE scheme is secure under the selective attribute and chooses plaintext attack. It can be described by a game between a challenger and an adversary as follows:

*Target*. The adversary announces to the challenge attribute set.

*Setup*. runs the *Setup* algorithm and sends the public parameter to .

*Queries*. In this step, makes queries for the privacy keys adaptively for the access policy () that the target attribute set does not satisfy. answers the queries.

*Challenge*. gives a signal that it is ready to accept the challenge. Then it selects a message and sends the message to . The simulator responds with a ciphertext which is encrypted under the target attribute set.

*Continuation*. After having obtained the challenge ciphertext, is allowed to make repeat for the privacy key queries.

*Decision*. The adversary outputs its guess and the advantage of the adversary in attacking KP-ABE scheme as .

#### 4. Secure and Efficient KP-ABE Scheme Form Lattices

##### 4.1. Improved SampleLeft Algorithm

In the traditional SampleLeft algorithm [29], is a basis of . But in the our KP-ABE scheme, is a trapdoor, not a basis. So we make a small improvement to this SampleLeft algorithm. We call the improved SampleLeft algorithm *IMSampleLeft*.

For , and , where is the largest singular value of and or , algorithm *IMSampleLeft* () outputs a vector , where , , , is a trapdoor of , and . The vector is not statistically distinguishable from , where and .

For completeness, we describe the algorithm in detail.(1)Sample a random vector distributed statistically close to .(2)Let do the following: Choose a Gaussian perturbation . Recall to Definition 4; let , then we have . Let . Sample a Gaussian from and produce . Note that . Construct , where .(3)Output .

##### 4.2. Space-Efficient KP-ABE from Lattices and Two-Dimensional Attributes

In our scheme, all the universe attribute can be expressed by *l* attribute labels ; each attribute label has different attribute values. In the system, denotes the user attribute set. denotes the attribute label and is the attribute value with some privacy information.

*Setup* ()(). Taking a security parameter as input, the algorithm outputs the public parameter and the master secret key .(1)The system firstly executes the *TrapGen* algorithm in MP12 to generate a uniformly random matrix and a trapdoor matrix , where .(2)For *l* attribute labels in *U*, it chooses *l* uniformly random matrices *A*_{1}, *A*_{2}, ..., *A _{l}*.(3)Then it chooses a uniformly random vector and a uniformly random matrix .

*pp* = {}, *msk* = .

*KeyGen* (*pp*, , ()) . On input of the public parameter *pp*, the master key *msk*, and the access structure ()), where is an share matrix and is a function which maps each row to the attribute labels based on the attribute value in , do the following:(1)Construct *n* vectors , ,..., and , where are the corresponding components of .(2)Compute ,..., and .(3)For each attribute value , let . Then compute .(4)Let . Then execute the algorithm *IMSampleLeft* ( ) to generate the user’s secret key ; note that it has .

The secret key is .

*Encrypt* (*pp*, , *b*)*c*. Taking the public parameter *pp*, the encrypted attribute set , and a plaintext bit as input, do the following:(1)Let . Choose a uniformly random vector and noise terms and .(2)Choose a uniformly random matrix ; let .(3)Compute

The ciphertext is .

*Decrypt* (*pp*, *c*, )*b*. On input of the public parameter *pp*, the ciphertext *c*, and a decryptor’s secret key , do the following:(1)Let *I* denote the subset of matched attribute. The decryptor can find a vector such that that is, (2)Set the Gaussian parameter . Compute(3)If , output 1. Otherwise, output 0.

##### 4.3. Correctness

In order to ensure the correctness of decryption, we need to ensure that the error term is less than with overwhelming probability (w.h.p.). As we know,

Let , and . The error term is as follows:

From Section 4.2, we know that and .

By Lemma 1, we have .

By Lemma 3, .

Finally, by Lemma 2, is bounded w.h.p. by

Hence, the error term

To make the system work correctly, we need the following:(1)For the *TrapGen* algorithm which can operate, it needs .(2)For the IMSampleLeft and SampleRight algorithms which can operate, it needs , where .(3)For the error term which is less than w.h.p., it sets(4)For Regev’s LWE reduction applied, it needs

##### 4.4. Security

Theorem 2. *Suppose there exists a probabilistic polynomial-time (PPT) adversary with advantage in a selective security attack against our space-efficient KP-ABE scheme from lattices; then there exists a PPT simulator that decides -LWE problem with advantage .*

*Proof. * In Definition 5, the -LWE problem gives access to a sampler , which is either a truly random sampler or a noisy pseudorandom sampler . The decisional algorithm needs to distinguish which the sampler it is given. It proceeds as follows:*Instance*. requests from to obtain LWE samples that we denote as*Target*. The adversary announces to the challenge attribute set. Let denote the challenge attribute set.*Setup*. constructs the public parameter as follows:(1)Construct and from the LWE instance; let and . Then the simulator executes the *TrapGen* algorithm to generate the matrix with the trapdoor .(2)For each attribute such that , choose and compute .(3)For each attribute such that , the simulator executes the TrapGen algorithm to generate the matrices with the trapdoor .(4) sends the public parameter to .*Queries*. In this step, makes queries for the privacy keys adaptively for the policy that the target attribute set does not satisfy. answers the queries as follows:(1)As in the real scheme, construct a low-norm linear sharing matrix .(2)Let denote the set of attribute on choice policy . Note that .(3)For each attribute such that , construct vectors from like the real scheme. Let .(4)Compute and let .(5)Compute , , ..., by using the SampleRight (, (, , , ) algorithm; satisfy .(6)Finally sends the privacy key to .*Challenge*. gives a signal that it is ready to accept the challenge. Then it selects a message bit and sends the message bit to . The simulator responds with a ciphertext which is encrypted under the target attribute set . It executes as follows:(1)Compute .(2)Let .(3)The challenge ciphertext is as follows:Note that when the LWE oracle is a pseudorandom sampler , the ciphertext is valid.

As we know and = = . Thus, the ciphertext is as follows:The ciphertext is encrypted under the target attribute set ; as we know that = and , then

When , the ciphertext is uniformly random in .*Continuation*. After having obtained the challenge ciphertext, is allowed to make repeat for the privacy key queries.*Decision*. eventually emits a guess , whether was actually a valid encryption of as requested. uses the guess to determine an answer on the LWE oracle . If , answers that the LWE sampler is ; otherwise (i.e., ) it is the truly random sampler .

If the adversary succeeds in guessing the message bit (i.e., ) with probability at least , then the simulator would correctly guess the nature of the LWE oracle with probability at least .

#### 5. Performance Analysis

Here, we give the comparison between our KP-ABE scheme and the related lattice-based ABE scheme in different aspects.

As shown in Table 1, the lattice-based ABE schemes in [8, 15] just support a single AND gate or a single THRESHOLD gate in the attribute matching phase. But our scheme and [16] use the LSSS technique to support three operations of attribute, that is, AND, OR, and THRESHOLD. In addition, the lattice dimension in [8, 15] mostly is . It will lead to a large trapdoor size. But the lattice dimension in our construction and [16] is approximately equal to . Meanwhile, [8, 15, 16] introduce the trapdoor generation algorithm of GPV08 to generate a lattice basis as the trapdoor. But in our construction, we introduce the new trapdoor generation algorithm of MP12 [19]. The trapdoor is no longer a lattice basis as [8, 15, 16]. The storage cost of a single trapdoor grows only linearly in the lattice dimension in our construction, rather than quadratically as a basis does in [8, 15, 16]. The trapdoor size is at least four times smaller than the others, even 36 times.

As shown in Table 2, we compare our KP-ABE schemes from lattices with the related lattice-based KP-ABE schemes in storage cost. To make the comparison more clearly, here we let denote the maximum number of system attribute labels rather than in our scheme. Note that in our scheme denotes attribute labels, and , where is the maximum number of system attributes in [16, 17]. Particularly, due to the fact that we extended the traditional 1-dimensional (value-specified) attribute structures to 2-dimensional (label- and value-specified) ones, the number of system attribute labels is far less than the number of system attributes (i.e., ); the size and the size are particularly less than the others. Moreover, the size and the ciphertext size are only correlated to the number of and ; they actually are lower than others on account of the fact that the size of and ciphertext in [16, 17] are related to the total number of the system attributes. Besides, in [16, 17], they use a set to denote the system attributes and the number of system attributes is fixed in the Setup phase. But in our scheme, the 2-dimensional (label- and value-specified) attribute structure can ensure an unbounded attribute space; that is, it can add new attributes dynamically without reconstructing the system. Attribute values often contain more privacy information than attribute labels. By doing that, attribute label is used to set the access structure, and attribute value is hidden; it can resolve the privacy-preserving problem to some extent. The detailed storage overhead comparison is shown in Figure 1. According to the suggestion given by Micciancio and Peikert in [19], we set the parameter and . For the number of the system attributes, according to the suggestion given in [27, 28], we, respectively, let , , and . Since in our scheme, we classify the attributes and assign a label to each attribute. Multiple attribute values may have the same attribute label. Thus, we, respectively, let , , and . It is obvious that the space cost is remarkably reduced due to the 2-dimensional attribute structure and removing the reliance on the total number of system attributes.

**(a)**

**(b)**

**(c)**

**(d)**

As shown in Table 3, we compare our scheme with related lattice-based KP-ABE scheme on time complexity. According to the suggestion given in [19, 27], we let and . The encryption time complexity in our construction is equal to [16, 17], that is, . But the actual encryption time in our construction would be 4 times of [16, 17]. As for the decryption time, in [16] the user’s secret key is a matrix, while it is a matrix in [17]; thus, the decryption time is longer than our construction due to the fact that the user’s secret key in our construction is some independent vectors which are related to the number of a user’s attributes.

In summary, by introducing a new trapdoor generation algorithm and removing the reliance on the total number of system attributes, our lattice-based KP-ABE scheme solves the master secret key leakage problem. In addition, the 2-dimensional attribute structure enables our scheme to support unbounded attribute space and privacy preserving. The storage cost is remarkably reduced with an acceptable time cost. The flexible access policy makes the scheme in this paper more applicable to the distributed cloud storage environment.

#### 6. Conclusion

In this paper, based on LSSS technique, we propose a secure KP-ABE scheme from lattice which has solved the divulging problem of the master secret key. In the scheme, we introduced a new trapdoor generation algorithm to generate a strong trapdoor. The size and size are all reduced. Moreover, removing the reliance on the total number of system attributes, the size and the ciphertext size also achieved optimization. Moreover, the description of the attribute is very flexible. Attribute label and attribute value together form an attribute. Thus, it can add new attribute value at any time without rebuilding the system. The attribute space is unbounded. In addition, it also can be extended to a lattice-based large universe multiauthority KP-ABE scheme. Each attribute authority can manage an attribute label and all the values under the attribute label. And how to construct a lattice-based ABE scheme with multiple attribute authorities is our next research direction.

#### Data Availability

The data used to support the findings of this study are included within the paper.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported by the National Key R&D Program of China (2017YFB0803001), the Shandong Provincial Key Research and Development Program of China (2018CXGC0701), the National Natural Science Foundation of China (NSFC) (no. 61972050), the BUPT Excellent Ph.D. Students Foundation (nos. CX2019119 and CX2019233), the Team Project of Collaborative Innovation in Universities of Gansu Province (no. 2017‐16), and the Major Project of Gansu University of Political Science and Law (no. 2016XZD12).

#### References

- A. Sahai and B. Waters, “Fuzzy identity-based encrypton,” in
*Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’05)*, pp. 457–473, Aarhus, Denmark, May 2005. View at: Google Scholar - V. Goyal, O. Pandey, A. Sahai et al., “Attribute-based encryption for fine-grained access control of encrypted data,” in
*Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS’06)*, pp. 89–98, Alexandria, VA, USA, 2006. View at: Google Scholar - J. Li, W. Yao, Y. Zhang, H. Qian, and J. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,”
*IEEE Transactions on Services Computing*, vol. 10, no. 5, pp. 785–796, 2017. View at: Publisher Site | Google Scholar - A. Lewko and B. Waters, “Decentralizing attribute-based encryption,” in
*Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’11)*, pp. 568–588, Tallinn, Estonia, May 2011. View at: Google Scholar - Z. Guan, J. Li, L. Zhu, Z. Zhang, X. Du, and M. Guizani, “Toward delay-tolerant flexible data access control for smart grid with renewable energy resources,”
*IEEE Transactions on Industrial Informatics*, vol. 13, no. 6, pp. 3216–3225, 2017. View at: Publisher Site | Google Scholar - J. Li, W. Yao, J. Han, Y. Zhang, and J. Shen, “User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage,”
*IEEE Systems Journal*, vol. 12, no. 2, pp. 1767–1777, 2018. View at: Publisher Site | Google Scholar - J. Li, Q. Yu, Y. Zhang, and J. Shen, “Key-policy attribute-based encryption against continual auxiliary input leakage,”
*Information Sciences*, vol. 470, pp. 175–188, 2019. View at: Publisher Site | Google Scholar - J. Zhang and Z. F. Zhang, “A ciphertext policy attribute-based encryption scheme without pairing,” in
*Proceedings of the 7th international conference on information security and cryptology (Inscrypt’11)*, vol. 7537, pp. 324–340, Beijing, China, December 2011. View at: Google Scholar - O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in
*Proceedings of the 37th Annual Acm Symposium on Theory of Computing (STOC’05)*, pp. 84–93, Baltimore, MD, USA, May 2005. View at: Google Scholar - J. Zhang, Z. F. Zhang, and A. J. Ge, “Ciphertext policy attribute-based encryption from lattices,” in
*Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS’12)*, pp. 16-17, Seoul, Korea, May 2012. View at: Google Scholar - X. Liu, H. Zhu, Q. Li, T. Zhang, J. Ma, and J. Xiong, “Threshold attribute-based encryption with attribute hierarchy for lattices in the standard model,”
*IET Information Security*, vol. 8, no. 4, pp. 217–223, 2014. View at: Publisher Site | Google Scholar - J. G. Han, W. Susilo, Y. Mu et al., “Improving privacy and security in decentralized ciphertext-policy attribute-based encryption,”
*IEEE Transactions on Information Forensics and Security*, vol. 10, no. 3, pp. 665–678, 2015. View at: Google Scholar - Z. B. Ying, J. F. Ma, and J. T. Cui, “Partially policy hidden CP-ABE supporting dynamic policy updating,”
*Journal on Communications*, vol. 36, no. 12, pp. 178–189, 2015. View at: Google Scholar - Z. B. Ying, H. Li, J. F. Ma et al., “Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating,”
*Science China Information Sciences*, vol. 59, no. 4, pp. 1–16, 2016. View at: Publisher Site | Google Scholar - S. Agrawal, X. Boyen, V. Vaikuntanathan et al., “Functional encryption for threshold functions (or Fuzzy IBE) from lattices,” in
*Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography (PKC’12)*, pp. 280–197, Darmstadt, Germany, May 2012. View at: Google Scholar - X. Boyen, “Attribute-based functional encryption on lattices,” in
*Proceedings of the 10th Theory of Cryptography Conference on Theory of Cryptography (TCC’13)*, pp. 122–142, Tokyo, Japan, March 2013. View at: Google Scholar - D. Boneh, C. Gentry, S. Gorbunov et al., “Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits,”
*Advances in Cryptology-EUROCRYPT 2014*, Springer, Berlin, Germany, 2014. View at: Publisher Site | Google Scholar - S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Attribute-based encryption for circuits,” in
*Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC’13)*, pp. 545–554, Palo Alto, CA, USA, June 2013. View at: Google Scholar - D. Micciancio and C. Peikert, “Trapdoors for lattices: simpler, tighter, faster, smaller,” in
*Proceedings of 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’12)*, vol. 7237, pp. 700–718, Cambridge, UK, April 2012. View at: Google Scholar - J. Zhao, H. Y. Gao, and J. Q. Zhang, “Attribute-based encryption for circuits on lattices,”
*Tsinghua Science and Technology*, vol. 19, no. 5, pp. 463–469, 2014. View at: Publisher Site | Google Scholar - Y. T. Wang, “Lattice ciphertext policy attribute-based encryption in the standard model,”
*International Journal of Network Security*, vol. 16, no. 6, pp. 444–451, 2014. View at: Google Scholar - G. Y. Zhang, J. Qin, and S. Qazi, “Multi-authority attribute-based encryption scheme from lattices,”
*Journal of Universal Computer Science*, vol. 21, no. 3, pp. 483–501, 2015. View at: Google Scholar - J. Zhao and H. Y. Gao, “LSSS matrix-based attribute-based encryption on lattices,” in
*Proceedings of the 2017 13th International Conference on Computational Intelligence and Security*, pp. 253–257, Hong Kong, China, December 2017. View at: Google Scholar - L. H. Liu, S. P. Wang, and Q. Yan, “A multi-authority key-policy ABE scheme from lattices in mobile Ad Hoc Network,”
*Ad-Hoc and Sensor Wireless Networks*, vol. 37, pp. 117–143, 2017. View at: Google Scholar - Y. Liu, L. C. Wang, L. X. Li et al., “Secure and efficient multi-authority attribute-based encryption scheme from lattices,”
*IEEE Access*, vol. 7, pp. 3665–3674, 2018. View at: Google Scholar - S. Agrawal, D. Boneh, and X. Boyen, “Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE,” in
*Proceedings of the 30th Annual Conference on Advances in Cryptology (CRYPTO’10)*, pp. 98–115, Santa Barbara, CA, USA, August 2010. View at: Google Scholar - W. Dai, Y. Doröz, Y. Polyakov et al., “Implementation and evaluation of a lattice-based key-policy ABE scheme,”
*IEEE Transactions on Information Forensics and Security*, vol. 13, no. 5, pp. 1169–1184, 2018. View at: Publisher Site | Google Scholar - K. D. Gür, Y. Polyakov, K. Rohloff, G. W. Ryan, H. Sajjadpour, and E. Savas, “Practical applications of improved Gaussian sampling for trapdoor lattices,”
*IEEE Transactions on Computers*, vol. 68, no. 4, pp. 570–584, 2019. View at: Publisher Site | Google Scholar - S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (H)IBE in the standard model,” in
*Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’10)*, vol. 6110, pp. 553–572, Springer, Heidelberg, Germany, May 2010. View at: Google Scholar - C. Gentry, V. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in
*Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC’08)*, pp. 197–206, Victoria, Canada, May 2008. View at: Google Scholar

#### Copyright

Copyright © 2020 Yuan Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.