Attribute-Based Conditional Proxy Re-encryption in the Standard Model Under LWE

Abstract

Attribute-based conditional proxy re-encryption (AB-CPRE) allows delegators to carry out attribute-based control on the delegation of decryption by setting policies and attribute vectors. The fine-grained control of AB-CPRE makes it suitable for a variety of applications, such as cloud storage and distributed file systems. However, all existing AB-CPRE schemes are constructed under classical number-theoretic assumptions, which are vulnerable to quantum cryptoanalysis. Therefore, we propose the first AB-CPRE scheme based on the learning with errors (LWE) assumption. Constructed from fully key-homomorphic encryption (FKHE) and key-switching techniques, our scheme is unidirectional, single-hop, and enables a polynomial-depth boolean circuit as its policy. Furthermore, we split the ciphertext into two independent parts to avoid two-level or multi-level encryption/decryption mechanisms. Taking advantage of it, we then extend our single-hop AB-CPRE into an efficient and concise multi-hop one. No matter how many transformations are performed, the re-encrypted ciphertext is in constant size, and only one encryption/decryption algorithm is needed. Both of our schemes are proved to be selective secure against chosen-plaintext attacks (CPA) in the standard model.

Appendices

A Proof for Single-hop AB-CPRE

All details of proof can be found in full version [20]. Due to space limitations, we only present the simulator algorithms used in our proof.

• \(\mathbf { Setup }_{SIM}(n , \mathbf{x}^* )\): Let \(\mathbf{x}^* = \lbrace x_i^* \rbrace _{i \in [\ell ]}\) to be the attribute vector selected by adversary \(\mathcal {A}\). Sample a uniform matrix \(\mathbf{D}_{\theta } \leftarrow \mathbb {Z}_q^{n \times m} \) and generate a random identity’s public key \(\mathbf{A}_{\theta } \leftarrow \mathbb {Z}_q^{n \times m}\) , then choose \(\ell \) random matrices \(\mathbf{S}_1^* , ... , \mathbf{S}_\ell ^* \leftarrow \lbrace -1 , 1 \rbrace ^{m \times m}\). Set \(\mathbf{B}_i = \mathbf{A}_{\theta } \mathbf{S}_i^* - x_i^* \mathbf{G}\) for all \(i \in [\ell ]\). Select an error sampling algorithm \(\chi \), which is a \(B-\)bounded distribution. Keep matrices \(\lbrace \mathbf{S}_i^* \rbrace _{ i \in [\ell ] }\) as secret and output public parameters \(pp := ( \lbrace \mathbf{B}_i \rbrace _{i \in [\ell ]}, \chi )\) and specific public key \(pk_{\theta } := ( \mathbf{A}_{\theta } , \mathbf{D}_{\theta } )\).

• \(\mathbf { Enc }_{SIM}(pp , pk_\theta ,\boldsymbol{\mu }_b , \mathbf{x}^* )\): Let \(pp = ( \lbrace \mathbf{B}_i \rbrace _{i \in [\ell ]}, \chi )\), \(pk_\theta = \mathbf ( \mathbf{A}_{\theta } , \mathbf{D}_{\theta } )\), a challenge message \(\boldsymbol{\mu }_b \in \lbrace 0 , 1 \rbrace ^{m}\), and a selected attribute vector \(\mathbf{x}^* = ( \lbrace x_i^* \rbrace _{ i \in [\ell ] } )\). Choose a random vector \(\mathbf{s} \leftarrow \mathbb {Z}_q^n\) and two error vectors \(\mathbf{e}_{in} , \mathbf{e}_{out} \leftarrow \chi ^{m}\). Compute \(ct = ( \mathbf{c}_{in} , \mathbf{c}_{out} )\) as

  $$\mathbf{c}_{in} = ( \mathbf { A_{\theta } } )^T \mathbf{s} + \mathbf{e}_{in} , \mathbf{c}_{out} = ( \mathbf { D_{\theta } } )^T \mathbf{s} + \mathbf{e}_{out} + \lfloor q/2 \rfloor \boldsymbol{\mu }_b.$$

  Use \(\lbrace \mathbf{S}_i^* \rbrace _{ i \in [\ell ] }\) chosen in \(Setup_{SIM}\) instead of uniform matrices in \(\lbrace -1 , 1 \rbrace ^{m \times m}\) and then assemble \(cc^* = ( \lbrace \mathbf{c}_i = (x_i^* \mathbf{G} + \mathbf{B}_i )^T \mathbf{s} + (\mathbf{S}_i^*)^T \mathbf{e}_{in} \rbrace _{ i \in [ \ell ] } ) \in \mathbb {Z}_q^{ \ell m }\). Output a challenge ciphertext \(CT^* = (ct^* , cc^* )\).

• \(\mathbf { ReKeyGen }_{SIM}( pp , pk_{\beta } , f )\): Parse \(pp = (\lbrace \mathbf{B}_i \rbrace _{i \in [\ell ]}, \chi )\) , \(pk_{\beta } = ( \mathbf{A}_{\beta } , \mathbf{D}_{\beta } )\), and a policy \(f \in \mathcal {F}_{\ell , d}\). Let \(\mathbf{S}_f^* = \mathbf {Eval}_{ \mathrm {sim} }( f , (x_i^* , \mathbf{S}_i^*)_{i \in [\ell ] } , \mathbf{A}_{\theta })\).

  1. 1)

     In the case that \(f( \mathbf{x}^* ) \ne 0\), let \(\mathbf{B}_f = \mathbf{A}_{\theta } \mathbf{S}_f^* - f( \mathbf{x}^* ) \mathbf{G}\) and set \(\mathbf{F} = [ \mathbf{A}_{\theta } | \mathbf{B}_f - f( \mathbf{x}^* ) \mathbf{G} ] \in \mathbb {Z}^{n \times 2m}\). Compute the basis \(\mathbf{T}_{ \theta , f}\) for \(\mathbf{F}\) as \(\mathbf{T}_{ \theta , f} \leftarrow \mathbf {ExtendLeft}( \mathbf{A}_{\theta } , \mathbf{G} , \mathbf{T}_{\mathbf{G}}, \mathbf{S}_f )\). Then generate a matrix \(\mathbf{R}_{ \theta , f } \in \mathbb {Z}^{2m \times m}\) such that \(\mathbf{F} \mathbf{R}_{ \theta , f } = - \mathbf{D}_{\theta }\) by executing \(\mathbf {SamplePre}( \mathbf{F} , \mathbf{T}_{ \theta , f} , - \mathbf{D}_{\theta } , \sigma )\), set \(\overline{\mathbf{R}}_{\alpha ,f } = \mathbf {Power2}_q( \mathbf{R}_{ \alpha , f } )\), sample \(\mathbf{E}_1 \leftarrow \chi ^{2km \times n} , \mathbf{E}_2 , \mathbf{E}_3 \leftarrow \chi ^{2 km \times m}\) and compute

     $$\mathbf{Q} = \begin{bmatrix} \mathbf{E}_1 \mathbf{A}_{\beta } + \mathbf{E}_2 &{} \mathbf{E}_1 \mathbf{D}_{\beta } + \mathbf{E}_3 + \overline{ \mathbf{R} }_{ \theta , f } \\ \mathbf{0}_{m \times m} &{} \mathbf{I}_{m \times m} \end{bmatrix} \in \mathbb {Z}_q^{ (2km + m ) \times 2m}.$$
  2. 2)

     In the case that \(f( \mathbf{x}^* ) = 0\), sample two matrices \(\mathbf{E}_1 \leftarrow \chi ^{2km \times n} , \mathbf{E}_2 \leftarrow \chi ^{2 km \times m}\), choose a matrices \(\mathbf{M}' \leftarrow \mathbb {Z}^{ 2km \times m }\) uniformly at random, and compute

     $$\mathbf{Q} = \begin{bmatrix} \mathbf{E}_1 \mathbf{A}_{\beta } + \mathbf{E}_2 &{} \mathbf{M}' \\ \mathbf{0}_{m \times m} &{} \mathbf{I}_{m \times m} \end{bmatrix} \in \mathbb {Z}_q^{ (2km + m ) \times 2m}.$$

  Output \(rk_{ \theta , f \rightarrow \beta } = \mathbf{Q}\) as re-encryption key.

B Correctness for Multi-hop AB-CPRE

The correctness of original ciphertext is the same as the correctness in Sect. 4. Then the correctness of transformed ciphertext is presented as follows.

Transformed Ciphertext. \((ct^{(t-1)} = (\mathbf{c}_{in}^{(t-1)} , \mathbf{c}_{out}^{(t-1)} ) , cc^{(t-1)} = \lbrace \mathbf{c}_i^{(t-1)} \rbrace _{i \in [\ell ] } )\) is the ciphertext which has been transformed \(t-1\) times and associated with attribute vector \(\mathbf{x}\) under \(pk_\alpha \). For convenience, \(rk_{\alpha , f \rightarrow \beta , \mathbf{y}} = (\mathbf{Q} , \mathbf{P})\) is the re-encryption key, where \(f( \mathbf{x} ) = 0\). Set \( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} = \mathbf {Bits}_q( [\mathbf{c}_{in}^{(t-1)} ; \mathbf{c}_f^{(t-1)} ] )\) and \(\overline{ \mathbf{R} }_{\alpha ,f } =\mathbf {Power2}_q( \mathbf{R}_{\alpha , f } )\). Then the t times transformed ciphertext \(( ct^{(t)} , cc^{(t)} )\) is showed as following;

$$\begin{aligned} \mathbf{c}_{in}^{(t)}&= (\mathbf {s}^{(t)})^T \mathbf{A}_\beta + \mathbf{e}_{in}^{(t)} = ( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} )^T \mathbf{E}_1 \mathbf{A}_\beta + ( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} )^T \mathbf{E}_2, \\ \mathbf{c}_{out}^{(t)}&= ( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} )^T \mathbf{E}_1 \mathbf{D}_\beta + ( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} )^T \mathbf{E}_3 + [ \mathbf {e}_{in}^{(t-1)} ; \mathbf {e}_{f}^{(t-1)} ]^T \mathbf{R}_{\alpha , f } + ( \mathbf{e}_{out}^{(t-1)} )^T + \lfloor q/2 \rfloor \boldsymbol{\mu }, \\ \lbrace \mathbf{c}_{i}^{(t)}&= ( \mathbf {s}^{(t)} )^T( y_i \mathbf{G} + \mathbf{B}_i ) + ( \mathbf{e}_i^{(t)} )^T = ( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} )^T \mathbf{E}_1 ( y_i \mathbf{G} + \mathbf{B}_i ) + ( \widetilde{ \mathbf{c} }_{in,f}^{(t-1)} )^T \mathbf{E}_{B_i} \rbrace _{ i \in [\ell ] }. \end{aligned}$$

For any \(t > 0\), we can learn that, \(\Vert \mathbf {e}_{in}^{(t)} \Vert \le 2 k m \sqrt{m} B\) and \(\Vert \mathbf {e}_i^{(t)} \Vert \le 2 k m \sqrt{m} B\). Because \(\Vert \mathbf{e}_{out}^{(0)} \Vert \le \sqrt{m}B\) and \(\Vert \mathbf{e}_f^{(t)} \Vert \le \sqrt{2} m k B (m+1)^d\), we have,

$$\Vert \mathbf {e}_{out}^{(t)} \Vert \le \sqrt{m}B + 2 k m \sqrt{m} B t + 2 \sqrt{2}km^2(m + 1)^d \sigma Bt.$$

Therefore, for the t times transformed ciphertext \(( ct^{(t)} , cc^{(t)} )\),

$$\begin{bmatrix} ( \mathbf {c}_{in}^{(t)} )^T \quad ( \mathbf {c}_{out}^{(t)} )^T \end{bmatrix} \cdot \begin{bmatrix} \mathbf{R}_{\alpha } \\ \mathbf{I}_{m \times m} \end{bmatrix} = ( \mathbf {e}_{in}^{(t)} )^T \mathbf{R}_{\alpha } + ( \mathbf {e}_{out}^{(t)} )^T + \lfloor q/2 \rfloor \boldsymbol{\mu }^T. $$

where \(\Vert ( \mathbf {e}_{in}^{(t)} )^T \mathbf{R}_{\alpha } + ( \mathbf {e}_{out}^{(t)} )^T \Vert \le \Vert ( \mathbf {e}_{in}^{(t)} )^T \Vert \cdot \Vert \mathbf{R}_{\alpha } \Vert + \Vert ( \mathbf {e}_{out}^{(t)} )^T \Vert \le 2 k m^2 \sqrt{m} \sigma B + \sqrt{m} B + 2 k m \sqrt{m} B t + 2 \sqrt{2} k m^2(m + 1)^d \sigma B t \le B \cdot (m+1)^{O(d)} \le q/4\) with overwhelming probability, which ensures the correctness.

C Simulator Algorithms for Multi-hop AB-CPRE

We only present \(\mathbf { ReKeyGen }_{SIM}\) for multi-hop scheme and the other simulator algorithms can be found in the full version [20].

• \(\mathbf { ReKeyGen }_{SIM}( pp , pk_{\beta } , f ,\mathbf{y} )\): Parse \(pp = (\lbrace \mathbf{B}_i \rbrace _{i \in [\ell ]}, \chi )\), \(pk_{\beta } = ( \mathbf{A}_{\beta } , \mathbf{D}_{\beta } )\), a policy \(f \in \mathcal {F}_{\ell , d}\) and an attribute vector \(\mathbf{y} = \lbrace y_i \rbrace _{i \in [\ell ]}\). Compute \(\mathbf{S}_f^*\) by executing \(\mathbf {Eval}_{ \mathrm {sim} }( f , (x_i^* , \mathbf{S}_i^*)_{i \in [\ell ] } , \mathbf{A}_{\theta })\), sample matrices \(\mathbf{E}_1 \leftarrow \chi ^{2km \times n}\), \(\mathbf{E}_2 , \mathbf{E}_3 \leftarrow \chi ^{2 km \times m}\).

  1. 1)

     In the case that \(f( \mathbf{x}^* ) \ne 0\), let \(\mathbf{B}_f = \mathbf{A}_{\theta } \mathbf{S}_f^* - f( \mathbf{x}^* ) \mathbf{G}\) and set \(\mathbf{F} = [ \mathbf{A}_{\theta } | \mathbf{B}_f - f( \mathbf{x}^* ) \mathbf{G} ] \in \mathbb {Z}^{n \times 2m}\). Compute the basis \(\mathbf{T}_{ \theta , f}\) for \(\mathbf{F}\) as \(\mathbf{T}_{ \theta , f} \leftarrow \mathbf {ExtendLeft}( \mathbf{A}_{\theta } , \mathbf{G} , \mathbf{T}_{\mathbf{G}}, \mathbf{S}_f )\). Then generate a matrix \(\mathbf{R}_{ \theta , f } \in \mathbb {Z}^{2m \times m}\) such that \(\mathbf{F} \mathbf{R}_{ \theta , f } = - \mathbf{D}_{\theta }\) by executing \(\mathbf {SamplePre}( \mathbf{F} , \mathbf{T}_{ \theta , f} , - \mathbf{D}_{\theta } , \sigma )\), set \(\overline{\mathbf{R}}_{\alpha ,f } = \mathbf {Power2}_q( \mathbf{R}_{ \alpha , f } )\), and compute

     $$\mathbf{Q} = \begin{bmatrix} \mathbf{E}_1 \mathbf{A}_{\beta } + \mathbf{E}_2 &{} \mathbf{E}_1 \mathbf{D}_{\beta } + \mathbf{E}_3 + \overline{ \mathbf{R} }_{ \theta , f } \\ \mathbf{0}_{m \times m} &{} \mathbf{I}_{m \times m} \end{bmatrix} \in \mathbb {Z}_q^{ (2km + m ) \times 2m}.$$
  2. 2)

     In the case that \(f( \mathbf{x}^* ) = 0\), choose a matrices \(\mathbf{M} \leftarrow \mathbb {Z}^{ 2km \times m }\) uniformly at random, and compute

     $$\mathbf{Q} = \begin{bmatrix} \mathbf{E}_1 \mathbf{A}_{\beta } + \mathbf{E}_2 &{} \mathbf{M} \\ \mathbf{0}_{m \times m} &{} \mathbf{I}_{m \times m} \end{bmatrix} \in \mathbb {Z}_q^{ (2km + m ) \times 2m}.$$

  If \(\mathbf{y}\) is none or null, then set \(\mathbf{P}\) as a null matrix. Otherwise, samples \(\ell \) matrices \(\mathbf{E}_{B_i}\) from error distribution \(\chi ^{2km \times m}\) and compute,

  

  Output \(rk_{ \theta ,f \rightarrow \beta , \mathbf{y} } = ( \mathbf{Q} , \mathbf{P} )\) as re-encryption key.