HRA-Secure Proxy Re-encryption with Re-encryption Simulatability under Lwe in Standard Model

1. Introduction

Proxy re-encryption (PRE) was first proposed at the EUROCRYPT’98 [1]. It can transform ciphertexts between keys without decrypting, enableing powerful cryptographic workflows while maintaining confidentiality. PRE has numerous applications, such as electronic medical systems [2], data sharing [3], email systems [4], and has drawn increasing attention in applications of more fields, e.g., cloud computing [5,6,7], Internet of Things [8], and blockchain [9,10]. In these industrial scenarios, the data involved is usually sensitive business secrets, such as customer data and financial data. The leakage or tampering of these data can cause severe economic and reputational losses to enterprises or individuals, and even lead to legal disputes. Therefore, in the above industrial scenarios, the security requirements for PRE are higher, and more stringent security standards must be met to ensure the confidentiality of data.

It is challenging to design a PRE scheme with security under chosen-ciphertext attacks (CCA), while PRE schemes with security under chosen-plaintext attacks (CPA) fail to consider that there may exist the re-encryption from honest user to corrupted user in real-world scenarios. Therefore, Cohen $etal.$ [11] proposed security under honest re-encryption attacks (HRA), which better captures the inadequacy of CPA-secure PRE for various applications. Generally speaking, HRA is more robust than CPA. Cohen $etal.$ [11] also proposed an exciting property called re-encryption simulatability to enhance PRE schemes from CPA security to HRA security.

Re-encryption simulatability refers to the ciphertext generated by the re-encryption algorithm can be simulated without knowing the private key of the delegator. Although the re-encryption simulatability property is not necessary for HRA security, it can not only boost the security of PRE from CPA to HRA but also significantly reduce the difficulty of proof of HRA-secure PRE schemes. Taking advantage of re-encryption simulatability, the oracle can effortlessly answer the adversary’s re-encryption queries, transforming a ciphertext under an honest user to a ciphertext under a corrupted user. This greatly motivates us to explore PRE schemes with this property.

Until now, only a few schemes have this desirable property. However, these schemes either lack resistance against quantum attacks or suffer from inefficiency. Cohen $etal.$ [11] presented two schemes with this property. One is a pairing-based PRE scheme that is not resistant to quantum computer attacks [12]. The other is a quantum-safe PRE constructed from fully homomorphic encryption (FHE) based bootsrapping but is inefficient [13]. One is based on pairings that is vulnerable to attacks by quantum computers [12]. The other is a quantum-safe PRE from fully homomorphic encryption (FHE) based bootsrapping [13], which is inefficient. Although, in recent years, there has been a proliferation of PRE schemes based on key switching technique under the learning with errors (LWE) assumption, which are efficient and resistant to quantum computer’s attacks. To the best of our knowledge, none of them possesses re-encryption simulatability property.

1.1. Our Contributions

To address these aforementioned challenges, we primarily develop a succinct lattice-based PRE scheme, which is both quantum resistant and has the property of re-encryption simulatability. The design idea can also be applied to other types of PRE schemes. We show a comparison between existing PRE schemes and ours, as shown in Table 1. Contributions are as follows:

• PRE with Re-encryption Simulatability. We construct a concise lattice-based PRE scheme directly, scheme I,using key switching technique. Compared with other schemes, the main attraction of our proposed scheme is its re-encryption simulatability property. This property has been easily proven to be HRA-secure in the standard model under the LWE assumption. Most importantly, the methods for constructing re-encryption key generation and re-encryption algorithms can be extended to other schemes related to PRE to make them have re-encryption simulatability.
• AB-CPRE with Re-encryption Simulatability. We apply the methods above to AB-CPRE scheme presented at ESORICS’21 [14]. We first formalize the HRA security model for AB-CPRE in this work and obtain a modified AB-CPRE scheme, scheme III. Besides, we also prove that scheme III has re-encryption simulatability and boost the security of AB-CPRE from selective CPA to selective HRA.
• AB-PRE with Re-encryption Simulatability. We apply the methods above to AB-PRE presented at ESORICS’21 [16]. We obtain an improved AB-PRE scheme, scheme III, which has the re-encryption simulatability property.

1.2. Organization

In Section 2, we present the preliminaries, which encompass some algorithms of lattice, as well as relevant functions. Section 3 introduces some definitions about PRE, including the definition of re-encryption simulatability. The PRE scheme we proposed, along with its re-encryption simulatability property and security proof of HRA-secure, is presented in Section 4. Section 5 provides the selective HRA security model for AB-CPRE and a modified AB-CPRE scheme. We also boost the security of AB-CPRE from selective CPA to selective HRA in Section 5. Additionally, Section 6 discusses the re-encryption simulatability property of AB-PRE. In the end, the conclusion of this work is provided in Section 7.

2. Preliminaries

First, we give a description of notations mainly involved in this study, as shown in Table 2. Moreover, this section contains the Decisional Learning with Errors (DLWE) assumption, a few functions and algorithms. For instance, the vector decomposition function, preimage sampling (SamplePre) algorithm, and trapdoor generation (TranGen) algorithm.

Definition 1.

The Decisional Learning with Errors (DLWE) problem refers to $(\mathit{A},{\mathit{A}}^T\mathit{s}+\mathit{e})$ and $(\mathit{A},\mathit{u})$ are computationally indistinguishable, where $\mathit{A}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{n\times m}$, $\mathit{s}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$ or $\mathit{s}\stackrel{\$}{\leftarrow }{\chi }^n$, $\mathit{e}\stackrel{\$}{\leftarrow }{\chi }^m$, $\mathit{u}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^m$, and $m=poly\left(n\right)$.

Definition 2

(B-bounded Noise Distribution).If $\underset{x\leftarrow \chi }{Pr}\left[\right|x|\ge B]\le 2^{-\tilde{\Omega }\left(n\right)}$, then χ over $\mathbb{Z}$ is B-bounded.

Definition 3.

The TrapGen algorithm [17,18] takes as input $1^n$, m, q where n, m, q be integers and $q\ge 3$ be odd and $m=\lceil 6nlogq\rceil$. It generates $(\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$, ${\mathit{T}}_{\mathit{A}}\in {\mathbb{Z}}^{m\times m})$. It is ensured that $\parallel \widetilde{{\mathit{T}}_{\mathit{A}}}\parallel \le O\left(\sqrt{nlogq}\right)$ with overwhelmingly high probability in n.

Definition 4.

The SamplePre algorithm [19] algorithm takes as input $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$, a basis ${\mathit{T}}_{\mathit{A}}$ for lattice ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$, $\mathit{u}\in {\mathbb{Z}}_q^n$, and a Gaussian parameter $\tau \ge \parallel \widetilde{{\mathit{T}}_{\mathit{A}}}\parallel \omega \left(\sqrt{logm}\right)$. It outputs a vector $\mathit{e}\in {\mathbb{Z}}^m$ sampled from a distribution that is $2^{-\Omega \left(n\right)}$-close to ${\mathcal{D}}_{{\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right),\tau }$.

In the subsequent construction of the scheme in this paper, we use the following two functions of key switching techinique [20].

Definition 5.

There are two deterministic functions that map vectors to a higher dimension, $\mathit{BD}\left(\mathit{v}\right)$ and $\mathit{P}\mathbf{2}\left(\mathit{x}\right)$, respectively.

First, let us review the $\mathit{BD}\left(\mathit{v}\right)$ function. For a vector $\mathit{v}\in {\mathbb{Z}}_q^n$, let ${\mathit{v}}_i\in {\{0,1\}}^n$ be $\mathit{v}={\sum }_{i=0}^{\lceil logq\rceil -1}{2}^i{\mathit{v}}_i$, $\mathit{BD}\left(\mathit{v}\right)$ inputs a vector $\mathit{v}$ and outputs a vector $\tilde{\mathit{v}}=({\mathit{v}}_0;\cdots ;{\mathit{v}}_{\lceil logq\rceil -1})\in {\{0,1\}}^{n·\lceil logq\rceil }.$

The second function $\mathit{P}\mathbf{2}\left(\mathit{x}\right)$ inputs vector $\mathit{x}\in {\mathbb{Z}}_q^n$ and outputs $\overline{\mathit{x}}=(\mathit{x};2\mathit{x};\cdots ;2^{\lceil logq\rceil -1}\mathit{x})\in {\mathbb{Z}}_q^{n\lceil logq\rceil }$.

These two functions hold that ${\mathit{v}}^T\mathit{x}={\mathit{BD}\left(\mathit{v}\right)}^T·\mathit{P}\mathbf{2}\left(\mathit{x}\right)={\tilde{\mathit{v}}}^T\overline{\mathit{x}}$.

A very important lemma, named Leftover Hash Lemma, needs to be used in the proof of schemes.

Definition 6.

Leftover Hash Lemma [21] refers to two distributions $(\mathit{A},\mathit{AR},{\mathit{R}}^T\mathit{e})$ and $(\mathit{A},\mathit{B},{\mathit{R}}^T\mathit{e})$, which are statistically close for all $\mathit{e}\in {\mathbb{Z}}_q^m$ if $m>(n+1){log}_{2}q+\omega (logn)$, $q>2$, and $\mathit{R}\in {\{1,-1\}}^{m\times k}$ where $k=k\left(n\right)$. Matrices $\mathit{A}$ and $\mathit{B}$ are chosen uniformly from ${\mathbb{Z}}^{n\times m}$ and ${\mathbb{Z}}^{n\times k}$, respectively.

3. Re-encryption Simulatability of PRE

In this part, we define Proxy Re-Encryption (PRE) and elucidate the concept of re-encryption simulatability. Six algorithms make up a PRE scheme, as listed below:

$\mathit{Setup}\left(1^{\lambda }\right)\to pp$, $\mathit{KeyGen}(pp,i)\to (p{k}_i,s{k}_i)$, $\mathit{Enc}(p{k}_i,\mu )\to c_i$, $\mathit{Dec}(s{k}_i,c_i)\to \mu$,

$\mathit{ReKeyGen}(s{k}_i,p{k}_j)\to r{k}_{i\to j}$, $\mathit{ReEnc}(r{k}_{i\to j},c_i)\to c_j$.

In the above algorithms, $1^{\lambda }$ and $pp$ represent security parameter and public parameters; i, $p{k}_i$ and $s{k}_i$ stand for a user’s identity, public key and secret key of user i; $\mu$ represents a message; $c_i$ represents a ciphertext under $p{k}_i$ and $r{k}_{i\to j}$ represents the re-encryption key.

Correctness. The correctness includes the following two validations

• Original Ciphertext. It satisfies the equation $\mathit{Dec}(s{k}_i,\mathit{Enc}(s{k}_i,\mu ))=\mu .$
• Re-encryption Ciphertext. It satisfies $\mathit{Dec}=(s{k}_j,\mathit{ReEnc}(r{k}_{i\to j},c_i))=\mu .$

A detailed description of the widely used CPA security model of proxy re-encryption can be found in reference [22]. This paper directly describe the HRA security model [11] for PRE, which implies the CPA security model. Re-encryption simulatability plays an essential role in proving the PRE scheme’s HRA security, which was first proposed by Cohen et al. [11] at PKC’19. In a nutshell, re-encryption simulatability is the ability to simulate ciphertexts produced by computing $\mathit{ReEnc}(r{k}_{i\to j},c_i)$ without knowing the secret key $s{k}_i$ of the sender (but knowing the plaintext message $\mu$ and the secret key $s{k}_j$ of the recipient). Furthermore, Cohen et al. also put forth the following crucial theorem regarding the re-encryption simulatability. Let’s take a detailed look below.

Definition 7.

A PRE scheme possesses the re-encryption simulatability property[11] if there is a PPT algorithm $\mathit{Sim}.\mathit{ReEnc}$ that satisfies the condition $(\mathit{Sim}.\mathit{ReEnc}(aux),aux)$ is statistically indistinguishable from $(\mathit{ReEnc}(r{k}_{i\to j},c_i),aux)$. $c_i$ and $aux$ are sampled according to

$$\mathit{Setup}\left(1^{\lambda }\right)\to pp;$$

$$\mathit{KeyGen}(pp,i)\to (p{k}_i,s{k}_i);$$

$$\mathit{KeyGen}(pp,j)\to (p{k}_j,s{k}_j);$$

$$\mathit{ReKeyGen}(pp,s{k}_i,p{k}_j)\to r{k}_{i\to j};$$

$$\mathit{Enc}(pp,p{k}_i,\mu )\to c_i;$$

$$aux=(pp,p{k}_i,p{k}_j,s{k}_j,c_i,\mu ).$$

It should be noted that a special case arises when $\mathit{Sim}.\mathit{ReEnc}\left(aux\right)=\mathit{Enc}(p{k}_j,\mu )$. This indicates that the distribution of the ciphertext after re-encryption is the same as that of the original ciphertext, then the scheme possesses re-encryption simulatability property.

Lemma 1

([11]). If a PRE scheme with security under CPA possesses re-encryption simulatability property, this PRE scheme is HRA-secure.

4. Construction of PRE with Re-encryption Simulatability

Now, we introduce our innovative lattice-based Proxy Re-Encryption (PRE) scheme, designed to uphold re-encryption simulatability without bootstrapping. We integrate the concept of key switching to develop a novel re-encryption key generation algorithm and re-encryption algorithm. The resulting ciphertexts after re-encryption, maintain a distribution nearly identical to that of the original ciphertexts. Consequently, in conjunction with the Chosen-Plaintext Attack (CPA) security of the foundational dual-Regev encryption, our novel PRE scheme achieves security against Honest Re-Encryption Attacks (HRA). The detailed construction and the corresponding security analysis are provided below. Our innovation focuses on the $\mathit{ReKeyGen}$ and $\mathit{ReEnc}$ algorithms.

4.1. Construction (Scheme I)

Prior to presenting our PRE scheme, we provide a list of the parameters employed in the scheme.

–

$1^{\lambda }$-security parameter.

–

$\tau$-discrete Gaussian distribution ${\mathcal{D}}_{{\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right),\tau }$ parameter, where $\tau$ is equal to $\omega \left({(m+1)}^{d+1}\right)·\omega \left(\sqrt{logm}\right)$, larger than $\omega \left(\sqrt{logm}\right)$.

–

$(n,m,q,\chi )$-lattice parameter, where $m\ge \lceil 6nlgq\rceil$, $\frac{q}{4}\ge B·{(m+1)}^{O\left(d\right)}$, and $\chi$ is a B-bounded distribution.

The following describes lattice-based PRE scheme with re-encryption simulatability property:

–

$\mathit{Setup}\left(1^{\lambda }\right)\to pp$: This algorithm inputs $1^{\lambda }$ and outputs $pp=(n,m,q,\chi ,{\chi }^m)$.

–

$\mathit{KeyGen}(pp,i)\to (p{k}_i,s{k}_i)$: This algorithm selects a random vector ${\mathit{U}}_i\leftarrow {\mathbb{Z}}_q^{n\times m}$ and generates $({\mathit{A}}_i,{\mathit{T}}_{{\mathit{A}}_i})$ by executing $\mathit{TrapGen}(1^n,m,q)$ for every user i where ${\mathit{A}}_i\in {\mathbb{Z}}_q^{n\times m}$, and ${\mathit{T}}_{{\mathit{A}}_i}\in {\mathbb{Z}}_q^{m\times m}$, a basis of ${\mathsf{\Lambda }}_q^{\perp }\left({\mathit{A}}_i\right)$. Then, it computes ${\mathit{E}}_i\in {\chi }^{m\times m}$ by running ${\mathit{E}}_i\leftarrow \mathit{SamplePre}({\mathit{A}}_i,{\mathit{T}}_{{\mathit{A}}_i},{\mathit{U}}_i,\tau )$, where ${\mathit{U}}_i={\mathit{A}}_i{\mathit{E}}_i\in {\mathbb{Z}}_q^{n\times m}$. This algorithm outputs $p{k}_i=\{{\mathit{U}}_i,{\mathit{A}}_i\}$ and $s{k}_i={\mathit{E}}_i$.

–

$\mathit{Enc}(p{k}_i,\mu )\to c_i$: This algorithm selects $\mathit{s}\leftarrow {\mathbb{Z}}_q^n$ to encrypt $\mu \in {\{0,1\}}^m$. Let $p{k}_i=\{{\mathit{U}}_i,{\mathit{A}}_i\}$, and set ${\mathit{c}}_{i_0}={\mathit{s}}^T{\mathit{A}}_i+{\mathit{x}}_0^T\in {\mathbb{Z}}_q^{1\times m}$, ${\mathit{c}}_{i_1}={\mathit{s}}^T{\mathit{U}}_i+{\mathit{x}}_1^T+\mu \lfloor \frac{q}{2}\rfloor \in {\mathbb{Z}}_q^{1\times m}$, where Gaussian noise vectors ${\mathit{x}}_0\stackrel{\$}{\leftarrow }{\chi }^m$ and ${\mathit{x}}_1\stackrel{\$}{\leftarrow }{\chi }^m$. Finally, this algorithm outputs $c_i=({\mathit{c}}_{i_0},{\mathit{c}}_{i_1})$.

–

$\mathit{Dec}(s{k}_i,c_i)\to \mu /\perp$: Given $c_i=({\mathit{c}}_{i_0},{\mathit{c}}_{i_1})$ and $s{k}_i={\mathit{E}}_i$. This algorithm computes ${\mu }^{\prime }={\mathit{c}}_{i_1}-{\mathit{c}}_{i_0}{\mathit{E}}_i$. For $j\in \left[m\right]$, the algorithm sets ${\mu }_j=0$ if ${\mu }_j^{\prime }$ is closer to 0 than to $\frac{q}{2}$ modulo q; otherwise outputs ${\mu }_j=1$. Finally, this algorithm outputs $\mu \in {\{0,1\}}^m$.

–

$\mathit{ReKeyGen}(s{k}_i,p{k}_j)\to r{k}_{i\to j}$: On input $s{k}_i={\mathit{E}}_i$ and $p{k}_j=({\mathit{U}}_j,{\mathit{A}}_j)$. The algorithm chooses matrices ${\mathit{R}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{m\lceil logq\rceil \times n}$, ${\mathit{R}}_2\stackrel{\$}{\leftarrow }{\chi }^{m\lceil logq\rceil \times m}$, vectors ${\mathit{R}}_3\stackrel{\$}{\leftarrow }{\chi }^{m\lceil logq\rceil \times m}$. Then, it computes

$$\mathit{Z}=\left(\begin{array}{cc}{\mathit{R}}_1{\mathit{A}}_j+{\mathit{R}}_2& {\mathit{R}}_1{\mathit{U}}_j+{\mathit{R}}_3-\mathit{P}\mathbf{2}\left({\mathit{E}}_i\right)\\ {\mathbf{0}}_{1\times m}& 1\end{array}\right)\in {\mathbb{Z}}_q^{(m\lceil logq\rceil +1)\times 2m}.$$

The general key generation algorithm of PRE is only composed of $\mathit{Z}$, but in this study, we innovatively introduce ${\mathit{g}}^T$. The purpose of introducing is to make the scheme have the re-encryption simulatability. We define ${\mathit{g}}^T$ as

$${\mathit{g}}^T={\mathit{r}}_1^T({\mathit{A}}_j\parallel {\mathit{U}}_j)+({\tilde{\mathit{e}}}_0^T\parallel {\tilde{\mathit{e}}}_1^T)\in {\mathbb{Z}}_q^{1\times 2m},$$

where ${\mathit{r}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\tilde{\mathit{e}}}_0\stackrel{\$}{\leftarrow }{\chi }^m$, and ${\tilde{\mathit{e}}}_1\stackrel{\$}{\leftarrow }{\chi }^m$. Finally, it outputs $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Z}\}$.

–

$\mathit{ReEnc}(r{k}_{i\to j},c_i)\to c_j$: Given $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Z}\}$ and $c_i=({\mathit{c}}_{i_0},{\mathit{c}}_{i_1})$. This algorithm consists of three steps.

First, sample a small random number $a\in \chi$ and compute

$$({\overline{\mathit{c}}}_{j_0},{\overline{\mathit{c}}}_{j_1})=a{\mathit{g}}^T=a({\mathit{r}}_1^T({\mathit{A}}_j\parallel {\mathit{U}}_j)+({\tilde{\mathit{e}}}_0^T\parallel {\tilde{\mathit{e}}}_1^T)).$$

Since a is random, ${\overline{\mathit{c}}}_{j_0}$ and ${\overline{\mathit{c}}}_{j_1}$ are also random.

Second, calculate

$$\begin{array}{cc}\hfill ({\mathit{c}}_{j_0}^{\prime },{\mathit{c}}_{j_1}^{\prime })& =(\mathit{BD}\left({\mathit{c}}_{i_0}\right)\parallel {\mathit{c}}_{i_1})·\mathit{Z}\hfill \\ \hfill & =(\mathit{BD}\left({\mathit{c}}_{i_0}\right)\parallel {\mathit{c}}_{i_1})\left(\begin{array}{cc}{\mathit{R}}_1{\mathit{A}}_j+{\mathit{R}}_2& {\mathit{R}}_1{\mathit{U}}_j+{\mathit{R}}_3-\mathit{P}\mathbf{2}\left({\mathit{E}}_i\right)\\ {\mathbf{0}}_{1\times m}& 1\end{array}\right).\hfill \end{array}$$

The ${\mathit{c}}_{j_0}^{\prime }$ and $c_{j_1}^{\prime }$ are determined for a specific ciphertext $c_i$ and for a specific $r{k}_{i\to j}$.

Third, obtain the random re-encryption ciphertext as follows:

$${\mathit{c}}_{j_0}={\overline{\mathit{c}}}_{j_0}+{\mathit{c}}_{j_0}^{\prime },$$

and

$${\mathit{c}}_{j_1}={\overline{\mathit{c}}}_{j_1}+{\mathit{c}}_{j_1}^{\prime }.$$

Let can simplify the above steps as follows

$$c_j=a{\mathit{g}}^T+(\mathit{BD}\left({\mathit{c}}_{i_0}\right)\parallel {\mathit{c}}_{i_1})·\mathit{Z}.$$

Finally, this algorithm outputs $c_j=({\mathit{c}}_{j_0},{\mathit{c}}_{j_1})$ as re-encryption ciphertext.

Correctness. Based on the provided parameters, the correctness of the above PRE summarized as follows.

• Original Ciphertext.$c_i=({\mathit{c}}_{i_0},{\mathit{c}}_{i_1})$ is the ciphertext of $\mu$ under $p{k}_i$. ${\mathit{c}}_{i_0}={\mathit{s}}^T{\mathit{A}}_i+{\mathit{x}}_0^T\in {\mathbb{Z}}_q^{1\times m}$, ${\mathit{c}}_{i_1}={\mathit{s}}^T{\mathit{U}}_i+{\mathit{x}}_1^T+\mu \lfloor \frac{q}{2}\rfloor \in {\mathit{Z}}_q^{1m}$. Therefore, we have the decryption as below.

  $$\begin{array}{cc}\hfill {\mathit{c}}_{i_1}-{\mathit{c}}_{i_0}{\mathit{E}}_i& ={\mathit{s}}^T{\mathit{U}}_i+{\mathit{x}}_1^T+\mu \lfloor \frac{q}{2}\rfloor -({\mathit{s}}^T{\mathit{A}}_i+{\mathit{x}}_0^T){\mathit{E}}_i\hfill \\ \hfill & ={\mathit{s}}^T{\mathit{U}}_i+{\mathit{x}}_1^T+\mu \lfloor \frac{q}{2}\rfloor -{\mathit{s}}^T{\mathit{A}}_i{\mathit{E}}_i-{\mathit{x}}_0^T{\mathit{E}}_i\hfill \\ \hfill & =\mu \lfloor \frac{q}{2}\rfloor +\underset{\mathrm{error}\mathrm{term}}{\underbrace{{\mathit{x}}_1^T-{\mathit{x}}_0^T{\mathit{E}}_i}}.\hfill \end{array}$$
  In order to obtain an accurate decryption, the error term norm needs to be smaller than $q/4$, i.e., $\parallel {\mathit{x}}_1^T-{\mathit{x}}_0^T{\mathit{E}}_i\parallel \le q/4$. Because of ${\mathit{x}}_0\stackrel{\$}{\leftarrow }{\chi }^m$ and ${\mathit{x}}_1\stackrel{\$}{\leftarrow }{\chi }^m$, ${\mathit{E}}_i\in {\chi }^{m\times m}$ and ${\mathit{A}}_i{\mathit{E}}_i={\mathit{U}}_i$, we have $\parallel {\mathit{x}}_0^T\parallel \le \sqrt{m}B$, $\parallel {\mathit{x}}_1^T\parallel \le \sqrt{m}B$, and $\parallel {\mathit{E}}_i\parallel \le m\tau$. Then, we can compute $\parallel {\mathit{x}}_1^T-{\mathit{x}}_0^T{\mathit{E}}_i\parallel \le \parallel {\mathit{x}}_1^T+{\mathit{x}}_0^T{\mathit{E}}_i\parallel \le \parallel {\mathit{x}}_1^T\parallel +\parallel {\mathit{x}}_0^T{\mathit{E}}_i\parallel \le \parallel {\mathit{x}}_1^T\parallel +\parallel {\mathit{x}}_0^T\parallel \parallel {\mathit{E}}_i\parallel \le \sqrt{m}B+\sqrt{m}B·m\tau \le \sqrt{m}B+m\sqrt{m}\tau B\le B·{(m+1)}^{O\left(d\right)}\le q/4$. Therefore, the initial ciphertext can be decrypted correctly.
• Re-encryption Ciphertext. The re-encrypted ciphertext represented as $c_j=({\mathit{c}}_{j_0},{\mathit{c}}_{j_1})$ can be computed as follows.

  $$\begin{array}{cc}\hfill c_j& =a{\mathit{g}}^T+(\mathit{BD}\left({\mathit{c}}_{i_0}\right)\parallel {\mathit{c}}_{i_1})·\mathit{Z}\hfill \\ \hfill & =a{\mathit{r}}_1^T({\mathit{A}}_j\parallel {\mathit{U}}_j)+a({\tilde{\mathit{e}}}_0^T\parallel {\tilde{\mathit{e}}}_1^T)+(\mathit{BD}\left({\mathit{c}}_{i_0}\right)\parallel {\mathit{c}}_{i_1})\left(\begin{array}{cc}{\mathit{R}}_1{\mathit{A}}_j+{\mathit{R}}_2& {\mathit{R}}_1{\mathit{U}}_j+{\mathit{R}}_3-\mathit{P}\mathbf{2}\left({\mathit{E}}_i\right)\\ {\mathbf{0}}_{1\times m}& 1\end{array}\right).\hfill \end{array}$$
  Therefore, we have

  $$\left\{\begin{array}{c}{\mathit{c}}_{j_0}=(a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_1){\mathit{A}}_j+a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_2,\hfill \\ {\mathit{c}}_{j_1}=(a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_1){\mathit{U}}_j+a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_3-{\mathit{x}}_0^T{\mathit{E}}_i+{\mathit{x}}_1^T+\mu \lfloor \frac{q}{2}\rfloor .\hfill \end{array}\right.$$

  (1)
  Let

  $${\overline{\mathit{s}}}^{\mathit{T}}=a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_1\in {\mathbb{Z}}_q^{1\times n},$$

  $${\overline{\mathit{x}}}_0^T=a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_2\in {\chi }^{1\times m},$$

  $${\overline{\mathit{x}}}_1^T=a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_3-{\mathit{x}}_0^T{\mathit{E}}_i+{\mathit{x}}_1^T\in {\chi }^{1\times m}.$$
  Equation (1) can be simplified to Equation (2) as follows:

  $$\left\{\begin{array}{c}{\mathit{c}}_{j_0}={\overline{\mathit{s}}}^T{\mathit{A}}_j+{\overline{\mathit{x}}}_0^T,\hfill \\ {\mathit{c}}_{j_1}={\overline{\mathit{s}}}^T{\mathit{U}}_j+{\overline{\mathit{x}}}_1^T+\mu \lfloor \frac{q}{2}\rfloor .\hfill \end{array}\right.$$

  (2)
  Therefore, we have the decryption as below.

  $$\begin{array}{cc}\hfill {\mathit{c}}_{j_1}-{\mathit{c}}_{j_0}{\mathit{E}}_j& ={\overline{\mathit{s}}}^T{\mathit{U}}_j+{\overline{\mathit{x}}}_1^T+\mu \lfloor \frac{q}{2}\rfloor -({\overline{\mathit{s}}}^T{\mathit{A}}_j+{\overline{\mathit{x}}}_0^T){\mathit{E}}_j\hfill \\ \hfill & =\mu \lfloor \frac{q}{2}\rfloor +\underset{\mathrm{error}\mathrm{term}}{\underbrace{{\overline{\mathit{x}}}_1^T-{\overline{\mathit{x}}}_0^T{\mathit{E}}_j.}}\hfill \end{array}$$
  In order to obtain an accurate decryption, the error term norm needs to be smaller than $q/4$, i.e., $\parallel {\overline{\mathit{x}}}_1^T-{\overline{\mathit{x}}}_0^T{\mathit{E}}_j\parallel \le q/4$. Because of ${\overline{\mathit{x}}}_0^T\in {\chi }^{1\times m}$, ${\overline{\mathit{x}}}_1^T\in {\chi }^{1\times m}$, ${\mathit{E}}_j\in {\chi }^{m\times m}$ and ${\mathit{A}}_j{\mathit{E}}_j={\mathit{U}}_j$, we have $\parallel {\mathit{x}}_0^T\parallel \le \sqrt{m}B$, $\parallel {\mathit{x}}_1^T\parallel \le \sqrt{m}B$, and $\parallel {\mathit{E}}_j\parallel \le m\tau$. Similar to the first case, it is not difficult to compute $\parallel {\overline{\mathit{x}}}_1^T-{\overline{\mathit{x}}}_0^T{\mathit{E}}_j\parallel \le q/4$. As a result, the re-encryption ciphertext can be correctly decrypt.

4.2. Security Proof of Scheme I

According to Lemma 1, we now show that the above scheme satisfies CPA security and re-encryption simulatability respectively.

Theorem 1.

The scheme I has re-encryption simulatability property.

Proof of Theorem 1.

Referring to Equation 1 and Equation 2, when $\mu$ is known and $\overline{\mathit{s}}$, ${\overline{\mathit{x}}}_0$, and ${\overline{\mathit{x}}}_1$ are randomized, we can directly sample to get $({\overline{\mathit{s}}}^T{\mathit{A}}_j+{\overline{\mathit{x}}}_0^T,{\overline{\mathit{s}}}^T{\mathit{U}}_j+{\overline{\mathit{x}}}_1^T+\mu \lfloor \frac{q}{2}\rfloor )$. It is observed that the distributions of ciphertexts ${\mathit{c}}_j$ and ${\mathit{c}}_i$ are identical. Assuming that we know $pp$, $p{k}_j=\left\{{\mathit{U}}_j,{\mathit{A}}_j\right\}$ and plaintext $\mu$, we can easily sample these ciphertexts as follows.

–

$\mathit{Sim}.\mathit{ReEnc}(pp,p{k}_j,s{k}_j,c_i,\mu )\to c_j$: On input $pp=(n,m,q,\chi ,{\chi }^m)$, $p{k}_j=\{{\mathit{U}}_j,{\mathit{A}}_j\}$, $s{k}_j={\mathit{E}}_j$, $c_i=({\mathit{c}}_{i_0},{\mathit{c}}_{i_1})$. Sample ${\mathit{s}}^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\mathit{x}}_0^{\prime }\stackrel{\$}{\leftarrow }{\chi }^m$ and ${\mathit{x}}_1^{\prime }\stackrel{\$}{\leftarrow }{\chi }^m$. This algorithm outputs

$${\mathit{c}}_{j_{0}sim}^{\prime }={{\mathit{s}}^{\prime }}^T{\mathit{A}}_j+{{\mathit{x}}_0^{\prime }}^T,$$

and

$${\mathit{c}}_{j_{1}sim}^{\prime }={{\mathit{s}}^{\prime }}^T{\mathit{U}}_j+{{\mathit{x}}_1^{\prime }}^T+\mu \lfloor \frac{q}{2}\rfloor .$$

Because the re-encryption ciphertexts obtained by re-encryption algorithm are

$${\mathit{c}}_{j_0}=(a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_1){\mathit{A}}_j+a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_2={\overline{\mathit{s}}}^T{\mathit{A}}_j+{\overline{\mathit{x}}}_0^T,$$

and

$${\mathit{c}}_{j_1}=(a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_1){\mathit{U}}_j+a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_{i_0}\right){\mathit{R}}_3-{\mathit{x}}_0^T{\mathit{E}}_i+{\overline{\mathit{x}}}_1^T+\mu \lfloor \frac{q}{2}\rfloor ={\overline{\mathit{s}}}^T{\mathit{U}}_j+{\overline{\mathit{x}}}_1^T+\mu \lfloor \frac{q}{2}\rfloor .$$

From the above, we can see that ${\mathit{s}}^{\prime }$, ${\mathit{x}}_0^{\prime }$ and ${\mathit{x}}_1^{\prime }$ have the same distribution as $\overline{\mathit{s}}$, ${\overline{\mathit{x}}}_0$and ${\overline{\mathit{x}}}_1$, respectively. Therefore, it is not difficult for us to find that ${\mathit{c}}_{j_{0}sim}^{\prime }$ and ${\mathit{c}}_{j_{1}sim}^{\prime }$ are indistinguishable from ${\mathit{c}}_{j_0}$ and ${\mathit{c}}_{j_1}$, respectively. Meanwhile, the ciphertext $c_j=({\mathit{c}}_{j_{0}sim}^{\prime },{\mathit{c}}_{j_{1}sim}^{\prime })$ can be decrypted by $s{k}_j$.

Hence, the PRE scheme above has the property of re-encryption simulatability. □

Theorem 2.

The scheme I we proposed is selective HRA-secure under the hardness of LWE.

Proof of Theorem 2

The selective CPA security of this scheme is easy to prove. Due to space constraints, we do not provide detailed proof of the CPA in this study.

According to Lemma 1, the PRE scheme we proposed above can be proved to be HRA-secure under the hardness of LWE. □

5. Construction of AB-CPRE with Re-Encryption Simulatability

AB-CPRE was initially introduced by Liang et al. in [14] at ESORICS’21. They provided a comprehensive definition of AB-CPRE, elaborated on its CPA model, meticulously constructed the corresponding scheme utilizing LWE, and presented rigorous proof of its selective CPA security. In this section, we use the construction idea in scheme I to improve the $\mathit{ReKeyGen}$ and $\mathit{ReEnc}$ of [14], enabling the modified scheme to have the property of re-encryption simulatability. The modified AB-CPRE scheme enhances the security from selective CPA to selective HRA. Our focuses are on the modified scheme with re-encryption simulatability and the implementation of the selective HRA security proof. The other four algorithms remain the same as those in [14].

5.1. HRA Security Model of AB-CPRE

We directly formalize the selective HRA security model of AB-CPRE for the first time, which is demonstrated below. Unlike Scheme I, in the following scheme, we use $\alpha$ and $\beta$ to represent users’s identities. (Since letters such as f and g represent strategies, it would be confusing to use letters i and j to represent identities again.) Note: The condition $f\left(\mathit{x}\right)=0$ indicates that the attributes encoded in the $\mathit{Enc}$ algorithm satisfy the policy embedded in the $\mathit{ReKeyGen}$ algorithm.

Definition 8

(Security Model for Selective HRA of AB-CPRE). Honest Key Generation${\mathcal{O}}_{Honest}$,Corrupted Key Generation${\mathcal{O}}_{Corrupted}$ andRe-encryption Key Generation${\mathcal{O}}_{ReKeyGen}$ are the same as the security game for selective CPA [14]. Besides, ${\mathcal{O}}_{Enc}$ has been added. Additionally, the ${\mathcal{O}}_{ReEnc}$ and thechallenge phasealso differ from the CPA security model.

Init: $\mathcal{A}$ announces challenge user ${\theta }^{*}$ and the challenge attributes vector ${\mathit{x}}^{*}$.

Setup: The challenger $\mathcal{C}$ runs $\mathit{Setup}\left(1^{\lambda }\right)$ to generate $pp$ and gives it to $\mathcal{A}$. Two sets, ${\Gamma }_H$ (representing honest) and ${\Gamma }_C$ (representing corrupted), are initially empty by $\mathcal{C}$. These operation above performs the same as the challenger $\mathcal{C}$ in the CPA security model of AB-CPRE. Besides, $\mathcal{C}$ initializes a counter $\mathit{numCt}$ to 0, an empty key-value store $\mathit{Ct}$, and an empty set $\mathit{Derive}$. Besides, the set ${\Gamma }_{rk}$ (representing re-encryption key) is initially empty.

Query Phase 1: In this Phase, $\mathcal{A}$ mainly makes four types of queries:

–

Honest Key Generation${\mathcal{O}}_{Honest}$: First, $\mathcal{C}$ obtains a key pair by running $(p{k}_{\alpha },s{k}_{\alpha })\leftarrow \mathit{KeyGen}(pp,\alpha )$ after $\mathcal{A}$ sends the identity of a user α. Then, $\mathcal{C}$ give $p{k}_{\alpha }$ to $\mathcal{A}$. Finally, $\mathcal{C}$ inserts the identity α into the set ${\Gamma }_H$.

–

Corrupted Key Generation${\mathcal{O}}_{Corrupted}$: First, $\mathcal{C}$ obtains a key pair by running $(p{k}_{\alpha },s{k}_{\alpha })\leftarrow \mathit{KeyGen}(pp,\alpha )$ after $\mathcal{A}$ sends the identity of a user α. Then, $\mathcal{C}$ give ($p{k}_{\alpha }$, $s{k}_{\alpha }$) to $\mathcal{A}$. Finally, $\mathcal{C}$ inserts the identity α into the set ${\Gamma }_C$.

–

Re-encryption Key Generation${\mathcal{O}}_{ReKeyGen}$: Given α, β and f by $\mathcal{A}$, $\mathcal{C}$ inputs ⊥ if $\alpha ={\theta }^{*}$, $\beta \in {\Gamma }_C$, and satisfying $f\left({\mathit{x}}^{*}\right)=0$. Otherwise, $\mathcal{C}$ returns the $r{k}_{\alpha ,f\to \beta }$ by running the algorithm $\mathit{ReKeyGen}(s{k}_{\alpha },p{k}_{\beta },f)\to r{k}_{\alpha ,f\to \beta }$, inserts $r{k}_{\alpha ,f\to \beta }$ into ${\Gamma }_{rk}$ with the key-value (α, β, f, $r{k}_{\alpha ,f\to \beta }$), and outputs $r{k}_{\alpha ,f\to \beta }$.

–

Encryption${\mathcal{O}}_{Enc}$: Given $p{k}_{\alpha }$, $\mu \in {\{0,1\}}^m$, $\mathit{x}={\left\{x_i\right\}}_{i\in \left[l\right]}$ by $\mathcal{A}$, $\mathcal{C}$ obtains the ciphertext $c_{\alpha ,\mathit{x}}$ by running algorithm $\mathit{Enc}(p{k}_{\alpha },\mu ,\mathit{x})\to c_{\alpha ,\mathit{x}}$ and increases $\mathit{numCt}$. Then, $\mathcal{C}$ stores the value $c_{\alpha ,\mathit{x}}$ in $\mathit{Ct}$ with key $(\alpha ,\mathit{numCt})$ and returns $(\mathit{numCt},c_{\alpha ,\mathit{x}})$.

–

Re-encryption${\mathcal{O}}_{ReEnc}$: Given $c_{\alpha ,\mathit{x}}$, α, β, f and k by $\mathcal{A}$, where $k\le \mathit{numCt}$, $\mathcal{C}$ returns ⊥ if there is no value in $\mathit{Ct}$ with key $(\alpha ,k)$ or when $f\left(\mathit{x}\right)\ne 0$ holds or when $\alpha ={\theta }^{*}$, $\beta \in {\Gamma }_C$, $f\left({\mathit{x}}^{*}\right)=0$, $k\in \mathit{Derive}$. Otherwise, $\mathcal{C}$ gets $r{k}_{\alpha ,f\to \beta }$ by searching ${\Gamma }_{rk}$ set or queries ${\mathcal{O}}_{RekeyGen}$. Then, $\mathcal{C}$ runs $\mathit{ReEnc}(r{k}_{\alpha ,f\to \beta },c_{\alpha ,\mathit{x}})\to c_{\beta }$, increases $\mathit{numCt}$, and stores the value $c_{\beta }$ in $\mathit{Ct}$ with key $(\beta ,\mathit{numCt})$. Finally, $\mathcal{C}$ returns $(\mathit{numCt},c_{\beta })$.

Challenge Phase: After receiving $({\theta }^{*},{\mu }_0,{\mu }_1,{\mathit{x}}^{*})$ from $\mathcal{A}$, $\mathcal{C}$ selects $b\stackrel{\$}{\leftarrow }\{0,1\}$ and obtains the challenge ciphertext $c_{{\theta }^{*},{\mathit{x}}^{*}}$ by running the algorithm $\mathit{Enc}(pp,p{k}_{{\theta }^{*}},{\mu }_b,{\mathit{x}}^{*})$. Additionally, $\mathcal{C}$ increments $\mathit{numCt}$ and adds it to the set $\mathit{Deriv}$. The value $c_{{\theta }^{*},{\mathit{x}}^{*}}$ is stored in $\mathit{Ct}$ with key $({\theta }^{*},\mathit{numCt})$, and finally $(\mathit{numCt},c_{{\theta }^{*},{\mathit{x}}^{*}})$ is returned.

Query Phase 2: This phase is identical toQuery Phase 1, with the exception of the ${\mathcal{O}}_{ReEnc}$ oracle. $\mathcal{C}$ outputs ⊥ if $\beta \in {\Gamma }_C$ and $k\in \mathit{Derive}$.

Decision Phase: $\mathcal{A}$ produces a decision $b^{\prime }\in \{0,1\}$. Eventually, $\mathcal{A}$ is declared the winner of the game if and only if $b^{\prime }=b$.

5.2. Succinct Construction (Scheme II)

To facilitate our proofs, we elaborate on the entire scheme in this section. Notably, our primary innovations manifest in the last two algorithms. The initial four algorithms closely mirror those delineated in [14]. To avoid redundancy, we abstain from revisiting specific elements of previous knowledge integral to the scheme, such as the Gadget matrix $\mathit{G}$, $\mathit{ExtendLeft}$, $\mathit{ExtendRight}$, ${\mathit{Eval}}_{ct}$, ${\mathit{Eval}}_{pk}$, ${\mathit{Eval}}_{sim}$, as these have been extensively covered in reference reference [14].

–

$\mathit{Setup}\left(n\right)\to pp$: ${\mathit{B}}_1,\cdots ,{\mathit{B}}_l\leftarrow {\mathbb{Z}}_q^{n\times m}$. Output $pp=({\mathit{B}}_1,\cdots ,{\mathit{B}}_l,\chi )$, where $\chi$ is an error sampling algorithm.

–

$\mathit{KeyGen}(pp,\alpha )\to (p{k}_{\alpha },s{k}_{\alpha })$: The following algorithms $({\mathit{A}}_{\alpha },{\mathit{T}}_{{\mathit{A}}_{\alpha }})\leftarrow \mathit{TrapGen}(n,1^m,q),$ and ${\mathit{R}}_{\alpha }\leftarrow \mathit{SamplePre}({\mathit{A}}_{\alpha },{\mathit{T}}_{{\mathit{A}}_{\alpha }},-{\mathit{D}}_{\alpha },\sigma ).$ are executed. Then, this algorithm outputs $p{k}_{\alpha }=({\mathit{A}}_{\alpha },{\mathit{D}}_{\alpha })$ and $s{k}_{\alpha }=({\mathit{T}}_{{\mathit{A}}_{\alpha }},{\mathit{R}}_{\alpha })$, where ${\mathit{D}}_{\alpha }\leftarrow {\mathbb{Z}}_q^{n\times m}$.

–

$\mathit{Enc}(pp,p{k}_{\alpha },\mu \in {\left\{0,1\right\}}^m,\mathit{x}={\left\{x_i\right\}}_{i\in \left[l\right]})\to c_{\alpha ,\mathit{x}}$: Let $\mathit{s}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\mathit{e}}_{in},{\mathit{e}}_{out}\in {\chi }^m$. Then $c{t}_{\alpha ,\mathit{x}}=({\mathit{c}}_{in},{\mathit{c}}_{out})=({\mathit{A}}_{\alpha }^T\mathit{s}+{\mathit{e}}_{in},{\mathit{D}}_{\alpha }^T\mathit{s}+{\mathit{e}}_{out}+\mu \lfloor \frac{q}{2}\rfloor ).$ If $\mathit{x}$ is null, then set $cc=\varnothing$. Otherwise, $c{c}_{\alpha ,\mathit{x}}=\left({\left\{{\mathit{c}}_i={(x_i\mathit{G}+{\mathit{B}}_i)}^T\mathit{s}+{\mathit{S}}_i^T{\mathit{e}}_{in}\right\}}_{i\in \left[l\right]}\right)\in {\mathbb{Z}}_q^{lm},$ where ${\mathit{S}}_i\leftarrow {\left\{-1,1\right\}}^{m\times m}$. Output $c_{\alpha ,\mathit{x}}=(c{t}_{\alpha ,\mathit{x}},c{c}_{\alpha ,\mathit{x}})$.

–

$\mathit{Dec}(pp,s{k}_{\alpha },c_{\alpha ,\mathit{x}})\to {\mu }^{\prime }$: Compute

$${\mu }^{\prime }=\left({\mathit{c}}_{in}^T{\mathit{c}}_{out}^T\right)\left(\begin{array}{c}{\mathit{R}}_{\alpha }\\ {\mathit{I}}_{m\times m}\end{array}\right).$$

For $j\in \left[m\right]$, set ${\mu }_j=1$ if ${\mu }_j^{\prime }-\lfloor \frac{q}{2}\rfloor <q/4$, otherwise set ${\mu }_j=0$. Finally, output $\mu \in {\left\{0,1\right\}}^m$.

–

$\mathit{ReKeyGen}(pp,s{k}_{\alpha },p{k}_{\beta },f)\to r{k}_{\alpha ,f\to \beta }$: The inputs of this algorithm are $pp=({\mathit{B}}_1,\cdots ,{\mathit{B}}_l,\chi )$, $s{k}_{\alpha }=({\mathit{T}}_{{\mathit{A}}_{\alpha }},{\mathit{R}}_{\alpha })$, $p{k}_{\beta }=({\mathit{A}}_{\beta },{\mathit{D}}_{\beta })$ and a policy f. Then this algorithm executes the following steps one by one.

$${\mathit{B}}_f={\mathit{Eval}}_{pk}(f,{\left\{{\mathit{B}}_i\right\}}_{i\in \left[l\right]}),$$

$${\mathit{T}}_{\left({\mathit{A}}_{\alpha }\right|{\mathit{B}}_f)}\leftarrow \mathit{ExtendRight}({\mathit{A}}_{\alpha },{\mathit{T}}_{{\mathit{A}}_{\alpha }},{\mathit{B}}_f),$$

$${\mathit{R}}_{\alpha ,f}\leftarrow \mathit{SamplePre}(\left({\mathit{A}}_{\alpha }\right|{\mathit{B}}_f),{\mathit{T}}_{\left({\mathit{A}}_{\alpha }\right|{\mathit{B}}_f)},-{\mathit{D}}_{\alpha },\sigma ).$$

Let

$${\mathit{g}}^T={\mathit{r}}_1^T\left({\mathit{A}}_{\beta }\right|{\mathit{D}}_{\beta })+\left({\tilde{\mathit{e}}}_0^T\right|{\tilde{\mathit{e}}}_1^T)\in {\mathbb{Z}}_q^{1\times 2m},$$

and

$$\mathit{Q}=\left(\begin{array}{cc}{\mathit{E}}_1{\mathit{A}}_{\beta }+{\mathit{E}}_2& {\mathit{E}}_1{\mathit{D}}_{\beta }+{\mathit{E}}_3+\mathit{P}\mathbf{2}\left({\mathit{R}}_{\alpha ,f}\right)\\ {\mathbf{0}}_{m\times m}& {\mathit{I}}_{m\times m}\end{array}\right)\in {\mathbb{Z}}_q^{(2k+1)m\times 2m},$$

where ${\mathit{E}}_1\stackrel{\$}{\leftarrow }{\chi }^{2km\times n}$, ${\mathit{E}}_2,{\mathit{E}}_3\stackrel{\$}{\leftarrow }{\chi }^{2km\times m}$, vectors ${\mathit{r}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\tilde{\mathit{e}}}_0\stackrel{\$}{\leftarrow }{\chi }^m$, ${\tilde{\mathit{e}}}_1\stackrel{\$}{\leftarrow }{\chi }^m$.

Finally, this algorithm outputs $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Q}\}$.

–

$\mathit{ReEnc}(pp,r{k}_{\alpha ,f\to \beta },c_{\alpha })\to c_{\beta }$: The inputs of this algorithm are $pp=({\mathit{B}}_1,\cdots ,{\mathit{B}}_l,\chi )$, $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Q}\}$ and $c_{\alpha }=(c{t}_{\alpha },c{c}_{\alpha })$. If $f\left(\mathit{x}\right)\ne 0$ (represents that the attributes embedded in the $\mathit{Enc}$ algorithm do not satisfy the policy embedded in the $\mathit{ReKeyGen}$ algorithm) or $c{c}_{\alpha }=\varnothing$, output ⊥. Otherwise, let $c{t}_{\alpha }=({\mathit{c}}_{in},{\mathit{c}}_{out})$, $c{c}_{\alpha }=\left({\left\{{\mathit{c}}_i\right\}}_{i\in \left[l\right]}\right)\in {\mathbb{Z}}_q^{lm}$. This algorithm performs the following steps in sequence:

$${\mathit{c}}_f\leftarrow {\mathit{Eval}}_{ct}(f,{\left\{(x_i,{\mathit{B}}_i,{\mathit{c}}_i)\right\}}_{i\in \left[l\right]}),$$

$$c{t}_{\beta }^T=a{\mathit{g}}^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right)\left|{\mathit{c}}_{out}^T\right)·\mathit{Q}$$

where ${\mathit{c}}_f^{\prime }=\left[{\mathit{c}}_{in}\right|{\mathit{c}}_f]$. Finally, this algorithm outputs $c_{\beta }=(c{t}_{\beta },c{c}_{\beta }=\varnothing )$.

5.3. Security Proof

It is not difficult to see that such two minor modifications do not affect the selective CPA security in [14]. Since the original scheme is selective CPA secure, the revised one still satisfies selective CPA secure. Below we will mainly focus on its re-encryption simulatability and HRA security proof.

Theorem 3.

The Scheme II is re-encryption simulatable.

Proof of Theorem 3

We have

$$\begin{array}{cc}\hfill c{t}_{\beta }^T& =a{\mathit{g}}^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right)\left|{\mathit{c}}_{out}^T\right)·\mathit{Q}\hfill \\ \hfill & =a({\mathit{r}}_1^T\left({\mathit{A}}_{\beta }\right|{\mathit{D}}_{\beta })+\left({\tilde{\mathit{e}}}_0^T\right|{\tilde{\mathit{e}}}_1^T))+\left(\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right)\right|{\mathit{c}}_{out}^T)\left(\begin{array}{cc}{\mathit{E}}_1{\mathit{A}}_{\beta }+{\mathit{E}}_2& {\mathit{E}}_1{\mathit{D}}_{\beta }+{\mathit{E}}_3+\mathit{P}\mathbf{2}\left({\mathit{R}}_{\alpha ,f}\right)\\ {\mathbf{0}}_{m\times m}& {\mathit{I}}_{m\times m}\end{array}\right).\hfill \end{array}$$

Let $c{t}_{\beta }^T=({\mathit{c}}_{in}^T,{\mathit{c}}_{out}^T)$. Through a series of calculations, we get

$$\left\{\begin{array}{c}{\mathit{c}}_{in}^T=(a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{E}}_1){\mathit{A}}_{\beta }+a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{E}}_2,\hfill \end{array}{\mathit{c}}_{out}^T=(a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{E}}_1){\mathit{D}}_{\beta }+a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{E}}_3+{\mathit{e}}_{out}^T-{\left[{\mathit{e}}_{in}\right|{\mathit{e}}_f]}^T{\mathit{R}}_{\alpha ,f}+\mu \lfloor \frac{q}{2}\rfloor .\right.$$

(3)

Let

$${\overline{\mathit{s}}}^T=a{\mathit{r}}_1^T+\mathit{BD}({\mathit{c}}_f^{\prime T)}{\mathit{E}}_1\in {\mathbb{Z}}_q^{1\times n},$$

$${\overline{\mathit{e}}}_{in}^T=a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{E}}_2\in {\chi }^{1\times m},$$

$${\overline{\mathit{e}}}_{out}^T=a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{E}}_3+{\mathit{e}}_{out}^T-{\left[{\mathit{e}}_{in}\right|{\mathit{e}}_f]}^T{\mathit{R}}_{\alpha ,f}\in {\chi }^{1\times m}.$$

Equation (3) can be simplified to Equation (4) as follows:

$$\left\{\begin{array}{c}{\mathit{c}}_{in}^T={\overline{\mathit{s}}}^T{\mathit{A}}_{\beta }+{\overline{\mathit{e}}}_{in}^T,\hfill \\ {\mathit{c}}_{out}^T={\overline{\mathit{s}}}^T{\mathit{D}}_{\beta }+{\overline{\mathit{e}}}_{out}^T+\mu \lfloor \frac{q}{2}\rfloor .\hfill \end{array}\right.$$

(4)

According to the Definition 7, our $\mathit{Sim}.\mathit{ReEnc}$ algorithm is as follows.

–

$\mathit{Sim}.\mathit{ReEnc}(pp,p{k}_{\beta },s{k}_{\beta },c_{\alpha ,\mathit{x}},\beta ,f,\mathit{x})$: On input $pp=({\mathit{B}}_1,\cdots ,{\mathit{B}}_l,\chi )$, $p{k}_{\beta }=({\mathit{A}}_{\beta },{\mathit{D}}_{\beta })$, $s{k}_{\beta }=({\mathit{T}}_{{\mathit{A}}_{\beta }},{\mathit{R}}_{\beta })$, $c_{\alpha ,\mathit{x}}=(c{t}_{\alpha ,\mathit{x}},c{c}_{\alpha ,\mathit{x}})$ where

$$c{t}_{\alpha ,\mathit{x}}=({\mathit{A}}_{\alpha }^T\mathit{s}+{\mathit{e}}_{in},{\mathit{D}}_{\alpha }^T\mathit{s}+{\mathit{e}}_{out}+\mu \lfloor \frac{q}{2}\rfloor )$$

and

$$c{c}_{\alpha ,\mathit{x}}=\left({\left\{{\mathit{c}}_i={(x_i\mathit{G}+{\mathit{B}}_i)}^T\mathit{s}+{\mathit{S}}_i^T{\mathit{e}}_{in}\right\}}_{i\in \left[l\right]}\right)\in {\mathbb{Z}}_q^{lm}.$$

Sample ${\mathit{s}}^{\prime T}$ from ${\mathbb{Z}}_q^{1\times n}$ uniformly at random. Choose ${\mathit{e}}_{in}^{\prime T}\stackrel{\$}{\leftarrow }{\chi }^{1\times m}$ and ${\mathit{e}}_{out}^{\prime T}\stackrel{\$}{\leftarrow }{\chi }^{1\times m}$ uniformly at random. Then, this algorithm outputs ciphertext $c{t}_{\beta }=({\mathit{c}}_{in}^{sim},{\mathit{c}}_{out}^{sim})$ which can be decrypted by $s{k}_{\beta }$, where

$${\mathit{c}}_{in}^{sim}={\mathit{s}}^{\prime T}{\mathit{A}}_{\beta }+{\mathit{e}}_{in}^{\prime T},$$

$${\mathit{c}}_{out}^{sim}={\mathit{s}}^{\prime T}{\mathit{D}}_{\beta }+{\mathit{e}}_{out}^{\prime T}+\mu \lfloor \frac{q}{2}\rfloor .$$

Therefore, this scheme has the property of re-encryption simulatability. □

Then, the concrete selective HRA security proof of AB-CPRE scheme is shown below.

Theorem 4.

The Scheme II is selective HRA-secure under the hardness of LWE.

Proof of Theorem 4

First, we define three simulation algorithms, which are $\mathit{Sim}.{\mathit{ReKeyGen}}_1$, $\mathit{Sim}.{\mathit{ReKeyGen}}_2$ and $\mathit{Sim}.\mathit{ReEnc}$. The algorithm $\mathit{Sim}.\mathit{ReEnc}$ is presented in Theorem 3, and below we present two simulation algorithms, $\mathit{Sim}.{\mathit{ReKeyGen}}_1$ and $\mathit{Sim}.{\mathit{ReKeyGen}}_2$, respectively.

–

$\mathit{Sim}.{\mathit{ReKeyGen}}_1(pp,\alpha ,\beta ,f)\to r{k}_{\alpha ,f\to \beta }$: If $\alpha \in {\Gamma }_H$, $\beta \in {\Gamma }_H$, let

$$\mathit{Q}=\left(\begin{array}{cc}{\mathit{X}}_1& {\mathit{X}}_2\\ {\mathbf{0}}_{m\times (l+1)m}& {\mathit{I}}_{m\times m}\end{array}\right),$$

$${\mathit{g}}^T={\mathit{r}}_1^T\left({\mathit{A}}_{\beta }\right|{\mathit{D}}_{\beta })+\left({\tilde{\mathit{e}}}_0^T\right|{\tilde{\mathit{e}}}_1^T),$$

where ${\mathit{X}}_1\stackrel{\$}{\leftarrow }{\chi }^{2mk\times m}$, ${\mathit{X}}_2\stackrel{\$}{\leftarrow }{\chi }^{2mk\times m}$, ${\mathit{r}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\tilde{\mathit{e}}}_0\stackrel{\$}{\leftarrow }{\chi }^m$, ${\tilde{\mathit{e}}}_1\stackrel{\$}{\leftarrow }{\chi }^m$ are randomly chosen matrices or vectors. Outputs $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Q}\}$.

–

$\mathit{Sim}.{\mathit{ReKeyGen}}_2(pp,\alpha ,\beta ,f)\to r{k}_{\alpha ,f\to \beta }$: If the adversary inputs $\alpha$, $\beta$, f, where $\alpha ={\theta }^{*}$, $\beta \in {\Gamma }_C$ and $f\left({\mathit{x}}^{*}\right)\ne 0$, the algorithm does the following:

Firstly, sample ${\mathit{S}}_i\leftarrow {\left\{-1,1\right\}}^{m\times m}$ and run ${\mathit{S}}_f^{*}\leftarrow {\mathit{Eval}}_{sim}(f,{\left\{x_i^{*},{\mathit{S}}_i^{*}\right\}}_{i\in \left[l\right]},{\mathit{A}}_{{\theta }^{*}}),$ satisfying ${\mathit{A}}_{{\theta }^{*}}{\mathit{S}}_f^{*}-f\left(x_i^{*}\right)\mathit{G}={\mathit{B}}_f.$

Secondly, obtain a trapdoor ${\mathit{T}}_{\left({\mathit{A}}_{{\theta }^{*}}\right|{\mathit{B}}_f)}$ by running $\mathit{ExtendLeft}({\mathit{A}}_{{\theta }^{*}},f\left(x^{*}\right)\mathit{G},{\mathit{T}}_{\mathit{G}},{\mathit{S}}_f^{*})$ algorithm.

Thirdly, sample ${\mathit{R}}_{{\theta }^{*},f}\leftarrow \mathit{SamplePre}(\left[{\mathit{A}}_{{\theta }^{*}}\right|{\mathit{B}}_f],T_{\left({\mathit{A}}_{{\theta }^{*}}\right|{\mathit{B}}_f)},-{\mathit{D}}_{{\theta }^{*}},\sigma ).$ Let

$${\mathit{g}}^T={\mathit{r}}_1^T\left({\mathit{A}}_{\beta }\right|{\mathit{D}}_{\beta })+\left({\tilde{\mathit{e}}}_0^T\right|{\tilde{\mathit{e}}}_1^T),$$

$$\mathit{Q}=\left(\begin{array}{cc}{\mathit{E}}_1{\mathit{A}}_{\beta }+{\mathit{E}}_2& {\mathit{E}}_1{\mathit{D}}_{\beta }+{\mathit{E}}_3+\mathit{P}\mathbf{2}\left({\mathit{R}}_{{\theta }^{*},f}\right)\\ {\mathbf{0}}_{m\times m}& {\mathit{I}}_{m\times m}\end{array}\right),$$

where ${\mathit{E}}_1\stackrel{\$}{\leftarrow }{\chi }^{2km\times n}$, ${\mathit{E}}_2,{\mathit{E}}_3\stackrel{\$}{\leftarrow }{\chi }^{2km\times m}$, ${\mathit{r}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\tilde{\mathit{e}}}_0\stackrel{\$}{\leftarrow }{\chi }^m$, ${\tilde{\mathit{e}}}_1\stackrel{\$}{\leftarrow }{\chi }^m$. Outputs $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Q}\}$.

It should be noted that $\mathcal{A}$ announces both the challenge user ${\theta }^{*}$ and the challenge attribute vector ${\mathit{x}}^{*}$ in the Init phase. The security proof for selective HRA can be presented as a sequence of games, as shown below.

Game 0. This game is identical to Definition 8.

Game 1. Based on Game 0, this game is mainly modified ${\mathcal{O}}_{RekeyGen}$ and ${\mathcal{O}}_{ReEnc}$.

–

Re-encryption Key Generation${\mathcal{O}}_{ReKeyGen}$: If $\mathcal{A}$ inputs $\alpha$, $\beta$, f and the key pairs for $\alpha$ and $\beta$ were generated in ${\mathcal{O}}_{Honest}$ or ${\mathcal{O}}_{Corrupted}$. The oracle does the following:

When $\alpha \in {\Gamma }_H$, $\beta \in {\Gamma }_H$, $\mathcal{C}$ returns $r{k}_{\alpha ,f\to \beta }$ by running $\mathit{Sim}.{\mathit{ReKeyGen}}_1$ algorithm, and inserts $r{k}_{\alpha ,f\to \beta }$ into ${\Gamma }_{rk}$ with the key-value ($\alpha$, $\beta$, f, $r{k}_{\alpha ,f\to \beta }$);

When $\beta \in {\Gamma }_H$, $\beta \in {\Gamma }_C$,

1) $\alpha ={\theta }^{*}$, $f\left({\mathit{x}}^{*}\right)=0$, $\mathcal{C}$ outputs ⊥;

2) $\alpha ={\theta }^{*}$, $f\left({\mathit{x}}^{*}\right)\ne 0$, $\mathcal{C}$ returns $r{k}_{\alpha ,f\to \beta }$ by running $\mathit{Sim}.{\mathit{ReKeyGen}}_2$ algorithm. Then, $\mathcal{C}$ inserts $r{k}_{\alpha ,f\to \beta }$ into ${\Gamma }_{rk}$ with the key-value ($\alpha$, $\beta$, f, $r{k}_{\alpha ,f\to \beta }$);

3) $\alpha \ne {\theta }^{*}$, $\mathcal{C}$ returns $r{k}_{\alpha ,f\to \beta }$ by running $\mathit{ReKeyGen}$ algorithm. Then, $\mathcal{C}$ inserts $r{k}_{\alpha ,f\to \beta }$ into ${\Gamma }_{rk}$ with the key-value ($\alpha$, $\beta$, f, $r{k}_{\alpha ,f\to \beta }$).

when $\alpha \in {\Gamma }_C$ and $\beta \in {\Gamma }_H$, $\alpha \in {\Gamma }_C$ and $\beta \in {\Gamma }_C$, $\mathcal{C}$ returns $r{k}_{\alpha ,f\to \beta }$ by running $\mathit{ReKeyGen}$, and inserts $r{k}_{\alpha ,f\to \beta }$ into ${\Gamma }_{rk}$ with the key-value ($\alpha$, $\beta$, f, $r{k}_{\alpha ,f\to \beta }$).

Finally, the challenger $\mathcal{C}$ outputs $r{k}_{\alpha ,f\to \beta }=\{{\mathit{g}}^T,\mathit{Q}\}$ to the adversary $\mathcal{A}$.

–

Re-encryption${\mathcal{O}}_{ReEnc}$: Given $c_{\alpha ,\mathit{x}}$, $\alpha$, $\beta$, f and k, where $k\le \mathit{numCt}$. If there is no value in $\mathit{Ct}$ with key $(\alpha ,k)$ or when $f\left(\mathit{x}\right)\ne 0$ holds, return ⊥. Otherwise, $\mathcal{C}$ gets $r{k}_{\alpha ,f\to \beta }$ by searching ${\Gamma }_{rk}$ set or queries ${\mathcal{O}}_{RekeyGen}$. Then, when $\beta \in {\Gamma }_H$, $\beta \in {\Gamma }_C$,

1) $\alpha ={\theta }^{*}$, $f\left({\mathit{x}}^{*}\right)=0$, and $k\in \mathit{Derive}$, outputs ⊥. If $f\left({\mathit{x}}^{*}\right)=0$, $\beta \in {\Gamma }_C$ and $k\notin \mathit{Derive}$, return the $c{t}_{\beta }$ by running $\mathit{Sim}.\mathit{ReEnc}$ algorithm.$\mathcal{C}$ outputs ⊥;

2) $\alpha ={\theta }^{*}$, $f\left({\mathit{x}}^{*}\right)\ne 0$, $\mathcal{C}$ returns $c{t}_{\beta }$ by running $\mathit{ReEnc}$ algorithm.

3) $\alpha \ne {\theta }^{*}$, $\mathcal{C}$ returns $c{t}_{\beta }$ by running $\mathit{ReEnc}$ algorithm.

when $\alpha \in {\Gamma }_H$ and $\beta \in {\Gamma }_H$, $\alpha \in {\Gamma }_C$ and $\beta \in {\Gamma }_H$, $\alpha \in {\Gamma }_C$ and $\beta \in {\Gamma }_C$, $\mathcal{C}$ returns $c{t}_{\beta }$ by running $\mathit{ReEnc}$ where $r{k}_{\alpha ,f\to \beta }=\{{\mathit{g}}^T,\mathit{Q}\}$ were obtained by $\mathcal{C}$. Then $\mathcal{C}$ inserts $r{k}_{\alpha ,f\to \beta }$ into ${\Gamma }_{rk}$ with the key-value ($\alpha$, $\beta$, f, $r{k}_{\alpha ,f\to \beta }$).

Game 2. The game being described here is the same as Game 1, with the only difference being the method used to generate ${\mathit{B}}_1,\cdots ,{\mathit{B}}_l$. Let ${\mathit{B}}_i={\mathit{A}}_{{\theta }^{*}}{\mathit{S}}_i^{*}-x_i^{*}\mathit{G}$ where the random matrices ${\mathit{S}}_1^{*},\cdots ,{\mathit{S}}_l^{*}\in {\left\{+1,-1\right\}}^{m\times m}$ be chosen randomly at Setup phase. The matrices ${\left\{{\mathit{S}}_i^{*}\right\}}_{i\in \left[l\right]}$ should be kept secret, while $pp$ can be disclosed and consists of $pp=({\mathit{B}}_1,\cdots ,{\mathit{B}}_l,\chi )$.

By using Definition 6, we can demonstrate that Game 2 is statistically identical to Game 1. Consequently, from the perspective of the adversary, all the matrices ${\mathit{A}}_{{\theta }^{*}}{\mathit{S}}_i^{*}$ are statistically close to a uniform distribution, which implies that the ${\mathit{B}}_i$ (defined as ${\mathit{B}}_i={\mathit{A}}_{{\theta }^{*}}{\mathit{S}}_i^{*}-x_1^{*}\mathit{G}$ are also close to a uniform distribution. Consequently, it can be concluded that Game 2 and Game 1 are statistically indistinguishable.

Game 3. Compared to Game 2, we change how ${\mathit{A}}_{{\theta }^{*}}$ is produced where a uniformly random matrix ${\mathit{A}}_{{\theta }^{*}}\in {\mathbb{Z}}_q^{n\times m}$. The construction of ${\mathit{B}}_1,\cdots ,{\mathit{B}}_l$ remains as the same as in Game 2, where ${\mathit{B}}_i={\mathit{A}}_{{\theta }^{*}}{\mathit{S}}_i^{*}-x_i^{*}\mathit{G}$.

By using Definition 3, we can demonstrate that Game 3 is statistically identical to Game Game 2.

Game 4. The game being described here is the same as Game 3, with the only difference being the method used to generate ${\mathit{c}}^{*}=({\mathit{c}}_{in},{\mathit{c}}_{out})$.

Reduction from DLWE: Assume that $\mathcal{A}$ confers a non-negligible advantage in differentiating between Game 4 and Game 3. We build $\mathcal{B}$, a DLWE solver, using $\mathcal{A}$.

–

DLWE instance: $\mathcal{B}$ begins by obtaining a DLWE challenge consisting of two random matrices ${\mathit{A}}_{{\theta }^{*}},{\mathit{D}}_{{\theta }^{*}}\in {\mathbb{Z}}_q^{n\times m}$, and two vectors ${\mathit{c}}_{in},{\mathit{c}}_{out}\in {\mathbb{Z}}_q^m$. Here, ${\mathit{c}}_{in}$, ${\mathit{c}}_{out}$ are either random or

$${\mathit{c}}_{in}={\mathit{A}}_{{\theta }^{*}}^T\mathit{s}+{\mathit{e}}_{in},$$

$${\mathit{c}}_{out}={\mathit{D}}_{{\theta }^{*}}^T\mathit{s}+{\mathit{e}}_{out},$$

where $\mathit{s}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\mathit{e}}_{in},{\mathit{e}}_{out}\stackrel{\$}{\leftarrow }{\chi }^m$.

Init: $\mathcal{A}$ announces challenge user ${\theta }^{*}$ and the challenge attributes vector ${\mathit{x}}^{*}$.

Setup: The same as the Game 3.

Query Phase 1: The same as the Game 3 and $({\mathit{A}}_{{\theta }^{*}},{\mathit{D}}_{{\theta }^{*}})$ be the public key for user ${\theta }^{*}$.

Challenge Phase: After $\mathcal{A}$ sends two messages ${\mu }_0,{\mu }_1\in {\{0,1\}}^m$ to $\mathcal{B}$, $\mathcal{B}$ first randomly selects a bit b from $\{0,1\}$, then computes ${\mathit{c}}_{in}^{*}={\mathit{c}}_{in}$ and ${\mathit{c}}_{out}^{*}=c_{out}+{\mu }_b\lfloor \frac{q}{2}\rfloor$. $\mathcal{B}$ sends $c{t}^{*}=({\mathit{c}}_{in}^{*},{\mathit{c}}_{out}^{*})$ to $\mathcal{A}$. Additionally, $\mathcal{B}$ increments and add $\mathit{numCt}$ to the set $\mathit{Derive}$. Finally, $\mathcal{B}$ stores $c{t}^{*}$ to the set $\mathit{Ct}$ with key $(x^{*},\mathit{numCt})$.

Query Phase 2: The same as the Query Phase 1 of the Game 3.

Decision Phase: $\mathcal{A}$ guesses if it interacts with a Game 4 or Game 3 challenger. Then $\mathcal{B}$ will output $\mathcal{A}$’s guess as an answer to the DLWE challenge.

As mentioned earlier, if $\mathcal{A}$ exhibits a non-negligible advantage in distinguishing Game 4 from Game 3, then $\mathcal{B}$ similarly possesses a non-negligible advantage in solving the DLWE problem. We establish the security of our AB-CPRE scheme with re-encryption simulatability against selective HRA in the standard model under the LWE assumption. □

6. Construction of AB-PRE with Re-Encryption Simulatability

In this section, we use the construction idea in scheme I to obtain the first lattice-based AB-PRE scheme with the property of re-encryption simulatability by modifying the $\mathit{ReKeyGen}$ and $\mathit{ReEnc}$ algorithms of the AB-PRE scheme proposed in [16]. Let’s primarily focus on how the modified scheme achieves re-encryption simulatability and how the selective HRA security proof is established. It’s worth noting that the definition of AB-PRE, along with its selective CPA and selective HRA security models, can be found in [16].

6.1. Succinct Construction (Scheme III)

In this section, we only provide the two algorithms that have been modified, while the other four algorithms remain the same as those in [16].

–

$\mathit{ReKeyGen}(pp,s{k}_f,f,g)\to r{k}_{f\to g}$: Given $pp=\left\{{\mathit{A}}_0,{\mathit{A}}_1,\cdots ,{\mathit{A}}_l,\mathit{U},\mathit{G}\right\}$ and $s{k}_f={\mathit{R}}_f\in {\mathbb{Z}}_q^{2m\times m}$. Select an attribute set $\mathit{y}=(y_1,\cdots ,y_l)$ such that $g\left(\mathit{y}\right)=0$. ${\mathit{R}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{2mk\times n},$${\mathit{R}}_2\stackrel{\$}{\leftarrow }{\chi }^{2mk\times (l+1)m}$ and ${\mathit{R}}_3\stackrel{\$}{\leftarrow }{\chi }^{2mk\times m}$. Vectors ${\mathit{r}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, ${\tilde{\mathit{e}}}_0\stackrel{\$}{\leftarrow }{\chi }^{(l+1)m}$, ${\tilde{\mathit{e}}}_1\stackrel{\$}{\leftarrow }{\chi }^m$. Then, matrices ${\mathit{H}}_{\mathit{y}}$, $\mathit{Z}$, and ${\mathit{g}}^T$ are defined as

$${\mathit{H}}_{\mathit{y}}=[{\mathit{A}}_0|y_1\mathit{G}+{\mathit{A}}_1|\cdots |y_l\mathit{G}+{\mathit{A}}_l]\in {\mathbb{Z}}_q^{n\times (l+1)m},$$

$$\mathit{Z}=\left(\begin{array}{cc}{\mathit{R}}_1{\mathit{H}}_{\mathit{y}}+{\mathit{R}}_2& {\mathit{R}}_{\mathbf{1}}\mathit{U}+{\mathit{R}}_3-\mathit{P}\mathbf{2}\left({\mathit{R}}_f\right)\\ {\mathbf{0}}_{m\times (l+1)m}& {\mathit{I}}_{m\times m}\end{array}\right)\in {\mathbb{Z}}_q^{(2k+1)m\times (l+2)m},$$

$${\mathit{g}}^T={\mathit{r}}_1^T\left({\mathit{H}}_{\mathit{y}}\right|\mathit{U})+\left({\tilde{\mathit{e}}}_0^T\right|{\tilde{\mathit{e}}}_1^T)\in {\mathbb{Z}}_q^{1\times (l+2)m},$$

respectively. Output $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Z}\}$ along with the attribute vector $\mathit{y}$.

–

$\mathit{ReEnc}(pp,r{k}_{f\to g},c_{\mathit{x}},\mathit{x})\to c_{\mathit{y}}$: Given $pp=\left\{{\mathit{A}}_0,{\mathit{A}}_1,\cdots ,{\mathit{A}}_l,\mathit{U},\mathit{G}\right\}$, $r{k}_{i\to j}=\{{\mathit{g}}^T,\mathit{Z}\}$, $c_{\mathit{x}}=({\mathit{c}}_{in},{\mathit{c}}_1,\cdots ,{\mathit{c}}_l,{\mathit{c}}_{out})$, and $\mathit{x}=(x_1,\cdots ,x_l)$. If $f\left(\mathit{x}\right)\ne 0$, output ⊥. Otherwise, this algorithm computes

$${\mathit{c}}_f\leftarrow {\mathit{Eval}}_{ct}({\left\{x_i,{\mathit{A}}_i,{\mathit{c}}_i\right\}}_{i=1}^l,f).$$

Let ${\mathit{c}}_f^{\prime }=\left[{\mathit{c}}_{in}\right|{\mathit{c}}_f]\in {\mathbb{Z}}_q^{2m}$. Sample a small random number $a\in \chi$. Compute

$$c_{\mathit{y}}^T=a{\mathit{g}}^T+\left(\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right)\right|{\mathit{c}}_{out}^T)·\mathit{Z}.$$

Output $c_{\mathit{y}}$ along with the attribute vector $\mathit{y}$.

6.2. Security Proof

It is not difficult to see that such two minor modifications do not affect the selective CPA security in [16]. Since the original scheme is selective HRA secure, the revised one still satisfies selective HRA secure. Below we will mainly focus on its re-encryption simulatability.The proof of its HRA security using re-encryption simulatability is similar to the proof of Scheme III, which we will not expand in detail in this paper.

Theorem 5.

The Scheme III is re-encryption simulatable.

Proof of Theorem 5

First, let’s review the $\mathit{ReEnc}$ algorithm in the modified scheme.

$$c_{\mathit{y}}^T=a{\mathit{g}}^T+\left(\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right)\right|{\mathit{c}}_{out}^T)·\mathit{Z}.$$

Let $c_{\mathit{y}}^T=(c_{\mathit{y}0}^T,c_{\mathit{y}1}^T)$. Through a series of calculations, we get

$$\left\{\begin{array}{c}{c}_{\mathit{y}0}^T=a{\mathit{r}}_1^T{\mathit{H}}_{\mathit{y}}+a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_1{\mathit{H}}_{\mathit{y}}+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_2,\hfill \end{array}{c}_{\mathit{y}1}^T=a{\mathit{r}}_1^T\mathit{U}+a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_1\mathit{U}+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_3-{\mathit{c}}_f^{\prime T}{\mathit{R}}_f+{\mathit{c}}_{out}^T.\right.$$

(5)

Let

$${\overline{\mathit{s}}}^T=a{\mathit{r}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_1\in {\mathbb{Z}}_q^{1\times n},$$

$${\overline{\mathit{e}}}^T=a{\tilde{\mathit{e}}}_0^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_2\in {\chi }^{1\times (l+1)m},$$

$${\overline{\mathit{e}}}_{out}^T=a{\tilde{\mathit{e}}}_1^T+\mathit{BD}\left({\mathit{c}}_f^{\prime T}\right){\mathit{R}}_3+{\mathit{e}}_{out}^T-{\left[{\mathit{e}}_{in}\right|{\mathit{e}}_f]}^T{\mathit{R}}_f\in {\chi }^{1\times m}.$$

Equation (5) can be simplified to Equation (6) as follows:

$$\left\{\begin{array}{c}{c}_{\mathit{y}0}^T={\overline{\mathit{s}}}^T{\mathit{H}}_{\mathit{y}}+{\overline{\mathit{e}}}^T,\hfill \\ c_{\mathit{y}1}^T={\overline{\mathit{s}}}^T\mathit{U}+{\overline{\mathit{e}}}_{out}^T+\mu \lfloor \frac{q}{2}\rfloor .\hfill \end{array}\right.$$

(6)

According to Definition 7, we can propose the $\mathit{Sim}.\mathit{ReEnc}$ algorithm as follows.

–

$\mathit{Sim}.\mathit{ReEnc}(pp,c_{\mathit{x}},f,g,\mathit{x},{\mathit{R}}_g,\mu )$: Uniformly sample ${\mathit{s}}^{\prime }$ from ${\mathbb{Z}}_q^n$ uniformly at random. Choose ${\mathit{e}}^{\prime }$ and ${\mathit{e}}_{out}^{\prime }$ uniformly at random from ${\chi }^{(l+1)m}$ and ${\chi }^m$, respectively. Then, this algorithm outputs

$$c_{\mathit{y}0}={\mathit{H}}_{\mathit{y}}^T{\mathit{s}}^{\prime }+{\mathit{e}}^{\prime },$$

$$c_{\mathit{y}1}={\mathit{U}}^T{\mathit{s}}^{\prime }+{\mathit{e}}_{out}^{\prime }+\mu \lfloor \frac{q}{2}\rfloor .$$

Output $c_{\mathit{y}}=(c_{\mathit{y}0},c_{\mathit{y}1})$ along with the attribute vector $\mathit{y}$ and note that ${\mathit{R}}_g$ can correctly decrypt this ciphertext.

From above, we know that the scheme III has re-encryption simulatability property. □

The security proof of the selective HRA given in [16] is unusually complex. That method relies heavily on the construction of the scheme itself and is not scalable. In this study, we ensure that the scheme III is HRA-secure under the hardness of LWE by primarily utilizing re-encryption simulatability property. The detailed process of the proof is similar to the proof of the scheme II, so I will not go into detail in this work.

7. Conclusions

In this work, we first proposed a generic method to elevate the security of PRE schemes based on key switching technique from CPA security to HRA security and simplify the HRA proof. A concise lattice-based PRE scheme was constructed to better illustrate our generic method, which has the re-encryption simulatability property. Utilizing this method, we made some improvements to AB-PRE and AB-CPRE of ESORICS’21 to make them have the re-encryption simulatability property. Simultaneously, we show how to improve the AB-CPRE scheme [14] by enhancing its security from selective CPA to selective HRA and the AB-PRE scheme [16] by simplifying the security proof. Moreover, our method can be extended to other PRE schemes or its variants schemes based on key switching technique, and is not limited to the above two examples.