HRA-Secure Proxy Re-encryption with Re-encryption Simulatability under Lwe in Standard Model

Proxy re-encryption (PRE) is a momentous and widely used cryptographic technique. It enables a proxy to forward ciphertext without the need of decryption. PRE has received significant interest in applications like cloud computing, blockchain, and the Internet of Things. Despite its wide range of uses, PRE has also been subject to new security and privacy regulations. In PKC’19, Cohen $et~al.$~first drew attention to the weakness in PRE's security against chosen-plaintext attacks (CPA) and put up a more stringent security concept known as security against honest re-encryption attacks (HRA). Notably, Cohen provides a beneficial conclusion as well. It is proveded that PRE schemes with re-encryption simulatability property can be elevated from CPA to HRA security. It is also proved that CPA-secure PRE schemes with re-encryption simulatability property can be directly elevated to those satisfying HRA security. However, those PRE schemes with re-encryption simulatability are almost always based on pairings. In this study, to the best of our knowledge, we directly construct HRA-secure PRE with re-encryption simulatability for the first time based on the learning with errors (LWE) assumption, which was widely believed to be quantum-resistant. Based on the re-encryption key generation algorithm and the re-encryption algorithm construction method of the above scheme, we can modify attribute-based conditional proxy re-encryption (AB-CPRE) as well as the corresponding attribute-based proxy re-encryption (AB-PRE) algorithm to make them have re-encryption simulatability properties. Finally, by using this property, We boost the security of AB-CPRE scheme of ESORICS'21 from CPA to HRA and simplify the HRA-security proof for the AB-PRE of ESORICS'21.

Keywords:

Subject: Computer Science and Mathematics - Mathematics

1. Introduction

Proxy re-encryption (PRE) was first proposed at the EUROCRYPT’98 [1]. It can transform ciphertexts between keys without decrypting, enableing powerful cryptographic workflows while maintaining confidentiality. PRE has numerous applications, such as electronic medical systems [2], data sharing [3], email systems [4], and has drawn increasing attention in applications of more fields, e.g., cloud computing [5,6,7], Internet of Things [8], and blockchain [9,10]. In these industrial scenarios, the data involved is usually sensitive business secrets, such as customer data and financial data. The leakage or tampering of these data can cause severe economic and reputational losses to enterprises or individuals, and even lead to legal disputes. Therefore, in the above industrial scenarios, the security requirements for PRE are higher, and more stringent security standards must be met to ensure the confidentiality of data.

It is challenging to design a PRE scheme with security under chosen-ciphertext attacks (CCA), while PRE schemes with security under chosen-plaintext attacks (CPA) fail to consider that there may exist the re-encryption from honest user to corrupted user in real-world scenarios. Therefore, Cohen

e t a l .

[11] proposed security under honest re-encryption attacks (HRA), which better captures the inadequacy of CPA-secure PRE for various applications. Generally speaking, HRA is more robust than CPA. Cohen

e t a l .

[11] also proposed an exciting property called re-encryption simulatability to enhance PRE schemes from CPA security to HRA security.

Re-encryption simulatability refers to the ciphertext generated by the re-encryption algorithm can be simulated without knowing the private key of the delegator. Although the re-encryption simulatability property is not necessary for HRA security, it can not only boost the security of PRE from CPA to HRA but also significantly reduce the difficulty of proof of HRA-secure PRE schemes. Taking advantage of re-encryption simulatability, the oracle can effortlessly answer the adversary’s re-encryption queries, transforming a ciphertext under an honest user to a ciphertext under a corrupted user. This greatly motivates us to explore PRE schemes with this property.

Until now, only a few schemes have this desirable property. However, these schemes either lack resistance against quantum attacks or suffer from inefficiency. Cohen

e t a l .

[11] presented two schemes with this property. One is a pairing-based PRE scheme that is not resistant to quantum computer attacks [12]. The other is a quantum-safe PRE constructed from fully homomorphic encryption (FHE) based bootsrapping but is inefficient [13]. One is based on pairings that is vulnerable to attacks by quantum computers [12]. The other is a quantum-safe PRE from fully homomorphic encryption (FHE) based bootsrapping [13], which is inefficient. Although, in recent years, there has been a proliferation of PRE schemes based on key switching technique under the learning with errors (LWE) assumption, which are efficient and resistant to quantum computer’s attacks. To the best of our knowledge, none of them possesses re-encryption simulatability property.

1.1. Our Contributions

To address these aforementioned challenges, we primarily develop a succinct lattice-based PRE scheme, which is both quantum resistant and has the property of re-encryption simulatability. The design idea can also be applied to other types of PRE schemes. We show a comparison between existing PRE schemes and ours, as shown in Table 1. Contributions are as follows:

PRE with Re-encryption Simulatability. We construct a concise lattice-based PRE scheme directly, scheme I,using key switching technique. Compared with other schemes, the main attraction of our proposed scheme is its re-encryption simulatability property. This property has been easily proven to be HRA-secure in the standard model under the LWE assumption. Most importantly, the methods for constructing re-encryption key generation and re-encryption algorithms can be extended to other schemes related to PRE to make them have re-encryption simulatability.
AB-CPRE with Re-encryption Simulatability. We apply the methods above to AB-CPRE scheme presented at ESORICS’21 [14]. We first formalize the HRA security model for AB-CPRE in this work and obtain a modified AB-CPRE scheme, scheme III. Besides, we also prove that scheme III has re-encryption simulatability and boost the security of AB-CPRE from selective CPA to selective HRA.
AB-PRE with Re-encryption Simulatability. We apply the methods above to AB-PRE presented at ESORICS’21 [16]. We obtain an improved AB-PRE scheme, scheme III, which has the re-encryption simulatability property.

1.2. Organization

In Section 2, we present the preliminaries, which encompass some algorithms of lattice, as well as relevant functions. Section 3 introduces some definitions about PRE, including the definition of re-encryption simulatability. The PRE scheme we proposed, along with its re-encryption simulatability property and security proof of HRA-secure, is presented in Section 4. Section 5 provides the selective HRA security model for AB-CPRE and a modified AB-CPRE scheme. We also boost the security of AB-CPRE from selective CPA to selective HRA in Section 5. Additionally, Section 6 discusses the re-encryption simulatability property of AB-PRE. In the end, the conclusion of this work is provided in Section 7.

2. Preliminaries

First, we give a description of notations mainly involved in this study, as shown in Table 2. Moreover, this section contains the Decisional Learning with Errors (DLWE) assumption, a few functions and algorithms. For instance, the vector decomposition function, preimage sampling (SamplePre) algorithm, and trapdoor generation (TranGen) algorithm.

Definition 1.

The Decisional Learning with Errors (DLWE) problem refers to

(A, A^{T} s + e)

and

(A, u)

are computationally indistinguishable, where

A \overset{$}{\leftarrow} Z_{q}^{n \times m}

s \overset{$}{\leftarrow} Z_{q}^{n}

s \overset{$}{\leftarrow} χ^{n}

e \overset{$}{\leftarrow} χ^{m}

u \overset{$}{\leftarrow} Z_{q}^{m}

, and

m = p o l y (n)

Definition 2

(B-bounded Noise Distribution).If

\underset{x \leftarrow χ}{Pr} [| x | \geq B] \leq 2^{- \tilde{Ω} (n)}

, then χ over

Z

is B-bounded.

Definition 3.

The TrapGen algorithm [17,18] takes as input

1^{n}

, m, q where n, m, q be integers and

q \geq 3

be odd and

m = ⌈ 6 n log q ⌉

. It generates

(A \in Z_{q}^{n \times m}

T_{A} \in Z^{m \times m})

. It is ensured that

∥ \tilde{T_{A}} ∥ \leq O (\sqrt{n log q})

with overwhelmingly high probability in n.

Definition 4.

The SamplePre algorithm [19] algorithm takes as input

A \in Z_{q}^{n \times m}

, a basis

T_{A}

for lattice

Λ_{q}^{⊥} (A)

u \in Z_{q}^{n}

, and a Gaussian parameter

τ \geq ∥ \tilde{T_{A}} ∥ ω (\sqrt{log m})

. It outputs a vector

e \in Z^{m}

sampled from a distribution that is

2^{- Ω (n)}

-close to

D_{Λ_{q}^{u} (A), τ}

In the subsequent construction of the scheme in this paper, we use the following two functions of key switching techinique [20].

Definition 5.

There are two deterministic functions that map vectors to a higher dimension,

BD (v)

and

P 2 (x)

, respectively.

First, let us review the

BD (v)

function. For a vector

v \in Z_{q}^{n}

, let

v_{i} \in {0, 1}^{n}

v = \sum_{i = 0}^{⌈ log q ⌉ - 1} 2^{i} v_{i}

BD (v)

inputs a vector

v

and outputs a vector

\tilde{v} = (v_{0}; \dots; v_{⌈ log q ⌉ - 1}) \in {0, 1}^{n \cdot ⌈ log q ⌉} .

The second function

P 2 (x)

inputs vector

x \in Z_{q}^{n}

and outputs

\bar{x} = (x; 2 x; \dots; 2^{⌈ log q ⌉ - 1} x) \in Z_{q}^{n ⌈ log q ⌉}

These two functions hold that

v^{T} x = {BD (v)}^{T} \cdot P 2 (x) = {\tilde{v}}^{T} \bar{x}

A very important lemma, named Leftover Hash Lemma, needs to be used in the proof of schemes.

Definition 6.

Leftover Hash Lemma [21] refers to two distributions

(A, AR, R^{T} e)

and

(A, B, R^{T} e)

, which are statistically close for all

e \in Z_{q}^{m}

m > (n + 1) {log}_{2} q + ω (log n)

q > 2

, and

R \in {1, - 1}^{m \times k}

where

k = k (n)

. Matrices

A

and

B

are chosen uniformly from

Z^{n \times m}

and

Z^{n \times k}

, respectively.

3. Re-encryption Simulatability of PRE

In this part, we define Proxy Re-Encryption (PRE) and elucidate the concept of re-encryption simulatability. Six algorithms make up a PRE scheme, as listed below:

Setup (1^{λ}) \to p p

KeyGen (p p, i) \to (p k_{i}, s k_{i})

Enc (p k_{i}, μ) \to c_{i}

Dec (s k_{i}, c_{i}) \to μ

ReKeyGen (s k_{i}, p k_{j}) \to r k_{i \to j}

ReEnc (r k_{i \to j}, c_{i}) \to c_{j}

In the above algorithms,

1^{λ}

and

p p

represent security parameter and public parameters; i,

p k_{i}

and

s k_{i}

stand for a user’s identity, public key and secret key of user i;

μ

represents a message;

c_{i}

represents a ciphertext under

p k_{i}

and

r k_{i \to j}

represents the re-encryption key.

Correctness. The correctness includes the following two validations

Original Ciphertext. It satisfies the equation $Dec (s k_{i}, Enc (s k_{i}, μ)) = μ .$
Re-encryption Ciphertext. It satisfies $Dec = (s k_{j}, ReEnc (r k_{i \to j}, c_{i})) = μ .$

A detailed description of the widely used CPA security model of proxy re-encryption can be found in reference [22]. This paper directly describe the HRA security model [11] for PRE, which implies the CPA security model. Re-encryption simulatability plays an essential role in proving the PRE scheme’s HRA security, which was first proposed by Cohen et al. [11] at PKC’19. In a nutshell, re-encryption simulatability is the ability to simulate ciphertexts produced by computing

ReEnc (r k_{i \to j}, c_{i})

without knowing the secret key

s k_{i}

of the sender (but knowing the plaintext message

μ

and the secret key

s k_{j}

of the recipient). Furthermore, Cohen et al. also put forth the following crucial theorem regarding the re-encryption simulatability. Let’s take a detailed look below.

Definition 7.

A PRE scheme possesses the re-encryption simulatability property[11] if there is a PPT algorithm

Sim . ReEnc

that satisfies the condition

(Sim . ReEnc (a u x), a u x)

is statistically indistinguishable from

(ReEnc (r k_{i \to j}, c_{i}), a u x)

c_{i}

and

a u x

are sampled according to

Setup (1^{λ}) \to p p;

KeyGen (p p, i) \to (p k_{i}, s k_{i});

KeyGen (p p, j) \to (p k_{j}, s k_{j});

ReKeyGen (p p, s k_{i}, p k_{j}) \to r k_{i \to j};

Enc (p p, p k_{i}, μ) \to c_{i};

a u x = (p p, p k_{i}, p k_{j}, s k_{j}, c_{i}, μ) .

It should be noted that a special case arises when

Sim . ReEnc (a u x) = Enc (p k_{j}, μ)

. This indicates that the distribution of the ciphertext after re-encryption is the same as that of the original ciphertext, then the scheme possesses re-encryption simulatability property.

Lemma 1

([11]). If a PRE scheme with security under CPA possesses re-encryption simulatability property, this PRE scheme is HRA-secure.

4. Construction of PRE with Re-encryption Simulatability

Now, we introduce our innovative lattice-based Proxy Re-Encryption (PRE) scheme, designed to uphold re-encryption simulatability without bootstrapping. We integrate the concept of key switching to develop a novel re-encryption key generation algorithm and re-encryption algorithm. The resulting ciphertexts after re-encryption, maintain a distribution nearly identical to that of the original ciphertexts. Consequently, in conjunction with the Chosen-Plaintext Attack (CPA) security of the foundational dual-Regev encryption, our novel PRE scheme achieves security against Honest Re-Encryption Attacks (HRA). The detailed construction and the corresponding security analysis are provided below. Our innovation focuses on the

ReKeyGen

and

ReEnc

algorithms.

4.1. Construction (Scheme I)

Prior to presenting our PRE scheme, we provide a list of the parameters employed in the scheme.

–: $1^{λ}$ -security parameter.
–: $τ$ -discrete Gaussian distribution $D_{Λ_{q}^{u} (A), τ}$ parameter, where $τ$ is equal to $ω ({(m + 1)}^{d + 1}) \cdot ω (\sqrt{log m})$ , larger than $ω (\sqrt{log m})$ .
–: $(n, m, q, χ)$ -lattice parameter, where $m \geq ⌈ 6 n lg q ⌉$ , $\frac{q}{4} \geq B \cdot {(m + 1)}^{O (d)}$ , and $χ$ is a B-bounded distribution.

The following describes lattice-based PRE scheme with re-encryption simulatability property:

–: $Setup (1^{λ}) \to p p$ : This algorithm inputs $1^{λ}$ and outputs $p p = (n, m, q, χ, χ^{m})$ .

–: $KeyGen (p p, i) \to (p k_{i}, s k_{i})$ : This algorithm selects a random vector $U_{i} \leftarrow Z_{q}^{n \times m}$ and generates $(A_{i}, T_{A_{i}})$ by executing $TrapGen (1^{n}, m, q)$ for every user i where $A_{i} \in Z_{q}^{n \times m}$ , and $T_{A_{i}} \in Z_{q}^{m \times m}$ , a basis of $Λ_{q}^{⊥} (A_{i})$ . Then, it computes $E_{i} \in χ^{m \times m}$ by running $E_{i} \leftarrow SamplePre (A_{i}, T_{A_{i}}, U_{i}, τ)$ , where $U_{i} = A_{i} E_{i} \in Z_{q}^{n \times m}$ . This algorithm outputs $p k_{i} = {U_{i}, A_{i}}$ and $s k_{i} = E_{i}$ .

–: $Enc (p k_{i}, μ) \to c_{i}$ : This algorithm selects $s \leftarrow Z_{q}^{n}$ to encrypt $μ \in {0, 1}^{m}$ . Let $p k_{i} = {U_{i}, A_{i}}$ , and set $c_{i_{0}} = s^{T} A_{i} + x_{0}^{T} \in Z_{q}^{1 \times m}$ , $c_{i_{1}} = s^{T} U_{i} + x_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ \in Z_{q}^{1 \times m}$ , where Gaussian noise vectors $x_{0} \overset{$}{\leftarrow} χ^{m}$ and $x_{1} \overset{$}{\leftarrow} χ^{m}$ . Finally, this algorithm outputs $c_{i} = (c_{i_{0}}, c_{i_{1}})$ .

–: $Dec (s k_{i}, c_{i}) \to μ / ⊥$ : Given $c_{i} = (c_{i_{0}}, c_{i_{1}})$ and $s k_{i} = E_{i}$ . This algorithm computes $μ^{'} = c_{i_{1}} - c_{i_{0}} E_{i}$ . For $j \in [m]$ , the algorithm sets $μ_{j} = 0$ if $μ_{j}^{'}$ is closer to 0 than to $\frac{q}{2}$ modulo q; otherwise outputs $μ_{j} = 1$ . Finally, this algorithm outputs $μ \in {0, 1}^{m}$ .

–: $ReKeyGen (s k_{i}, p k_{j}) \to r k_{i \to j}$ : On input $s k_{i} = E_{i}$ and $p k_{j} = (U_{j}, A_{j})$ . The algorithm chooses matrices $R_{1} \overset{$}{\leftarrow} Z_{q}^{m ⌈ log q ⌉ \times n}$ , $R_{2} \overset{$}{\leftarrow} χ^{m ⌈ log q ⌉ \times m}$ , vectors $R_{3} \overset{$}{\leftarrow} χ^{m ⌈ log q ⌉ \times m}$ . Then, it computes

$Z = (\begin{matrix} R_{1} A_{j} + R_{2} & R_{1} U_{j} + R_{3} - P 2 (E_{i}) \\ 0_{1 \times m} & 1 \end{matrix}) \in Z_{q}^{(m ⌈ log q ⌉ + 1) \times 2 m} .$

The general key generation algorithm of PRE is only composed of $Z$ , but in this study, we innovatively introduce $g^{T}$ . The purpose of introducing is to make the scheme have the re-encryption simulatability. We define $g^{T}$ as

$g^{T} = r_{1}^{T} (A_{j} ∥ U_{j}) + ({\tilde{e}}_{0}^{T} ∥ {\tilde{e}}_{1}^{T}) \in Z_{q}^{1 \times 2 m},$

where $r_{1} \overset{$}{\leftarrow} Z_{q}^{n}$ , ${\tilde{e}}_{0} \overset{$}{\leftarrow} χ^{m}$ , and ${\tilde{e}}_{1} \overset{$}{\leftarrow} χ^{m}$ . Finally, it outputs $r k_{i \to j} = {g^{T}, Z}$ .

–: $ReEnc (r k_{i \to j}, c_{i}) \to c_{j}$ : Given $r k_{i \to j} = {g^{T}, Z}$ and $c_{i} = (c_{i_{0}}, c_{i_{1}})$ . This algorithm consists of three steps.

First, sample a small random number $a \in χ$ and compute

$({\bar{c}}_{j_{0}}, {\bar{c}}_{j_{1}}) = a g^{T} = a (r_{1}^{T} (A_{j} ∥ U_{j}) + ({\tilde{e}}_{0}^{T} ∥ {\tilde{e}}_{1}^{T})) .$

Since a is random, ${\bar{c}}_{j_{0}}$ and ${\bar{c}}_{j_{1}}$ are also random.

Second, calculate

$\begin{matrix} (c_{j_{0}}^{'}, c_{j_{1}}^{'}) & = (BD (c_{i_{0}}) ∥ c_{i_{1}}) \cdot Z \\ = (BD (c_{i_{0}}) ∥ c_{i_{1}}) (\begin{matrix} R_{1} A_{j} + R_{2} & R_{1} U_{j} + R_{3} - P 2 (E_{i}) \\ 0_{1 \times m} & 1 \end{matrix}) . \end{matrix}$

The $c_{j_{0}}^{'}$ and $c_{j_{1}}^{'}$ are determined for a specific ciphertext $c_{i}$ and for a specific $r k_{i \to j}$ .

Third, obtain the random re-encryption ciphertext as follows:

$c_{j_{0}} = {\bar{c}}_{j_{0}} + c_{j_{0}}^{'},$

and

$c_{j_{1}} = {\bar{c}}_{j_{1}} + c_{j_{1}}^{'} .$

Let can simplify the above steps as follows

$c_{j} = a g^{T} + (BD (c_{i_{0}}) ∥ c_{i_{1}}) \cdot Z .$

Finally, this algorithm outputs $c_{j} = (c_{j_{0}}, c_{j_{1}})$ as re-encryption ciphertext.

Correctness. Based on the provided parameters, the correctness of the above PRE summarized as follows.

Original Ciphertext. $c_{i} = (c_{i_{0}}, c_{i_{1}})$ is the ciphertext of $μ$ under $p k_{i}$ . $c_{i_{0}} = s^{T} A_{i} + x_{0}^{T} \in Z_{q}^{1 \times m}$ , $c_{i_{1}} = s^{T} U_{i} + x_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ \in Z_{q}^{1 m}$ . Therefore, we have the decryption as below.

$\begin{matrix} c_{i_{1}} - c_{i_{0}} E_{i} & = s^{T} U_{i} + x_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ - (s^{T} A_{i} + x_{0}^{T}) E_{i} \\ = s^{T} U_{i} + x_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ - s^{T} A_{i} E_{i} - x_{0}^{T} E_{i} \\ = μ ⌊ \frac{q}{2} ⌋ + \underset{error term}{\underset{︸}{x_{1}^{T} - x_{0}^{T} E_{i}}} . \end{matrix}$

In order to obtain an accurate decryption, the error term norm needs to be smaller than $q / 4$ , i.e., $∥ x_{1}^{T} - x_{0}^{T} E_{i} ∥ \leq q / 4$ . Because of $x_{0} \overset{$}{\leftarrow} χ^{m}$ and $x_{1} \overset{$}{\leftarrow} χ^{m}$ , $E_{i} \in χ^{m \times m}$ and $A_{i} E_{i} = U_{i}$ , we have $∥ x_{0}^{T} ∥ \leq \sqrt{m} B$ , $∥ x_{1}^{T} ∥ \leq \sqrt{m} B$ , and $∥ E_{i} ∥ \leq m τ$ . Then, we can compute $∥ x_{1}^{T} - x_{0}^{T} E_{i} ∥ \leq ∥ x_{1}^{T} + x_{0}^{T} E_{i} ∥ \leq ∥ x_{1}^{T} ∥ + ∥ x_{0}^{T} E_{i} ∥ \leq ∥ x_{1}^{T} ∥ + ∥ x_{0}^{T} ∥ ∥ E_{i} ∥ \leq \sqrt{m} B + \sqrt{m} B \cdot m τ \leq \sqrt{m} B + m \sqrt{m} τ B \leq B \cdot {(m + 1)}^{O (d)} \leq q / 4$ . Therefore, the initial ciphertext can be decrypted correctly.
Re-encryption Ciphertext. The re-encrypted ciphertext represented as $c_{j} = (c_{j_{0}}, c_{j_{1}})$ can be computed as follows.

$\begin{matrix} c_{j} & = a g^{T} + (BD (c_{i_{0}}) ∥ c_{i_{1}}) \cdot Z \\ = a r_{1}^{T} (A_{j} ∥ U_{j}) + a ({\tilde{e}}_{0}^{T} ∥ {\tilde{e}}_{1}^{T}) + (BD (c_{i_{0}}) ∥ c_{i_{1}}) (\begin{matrix} R_{1} A_{j} + R_{2} & R_{1} U_{j} + R_{3} - P 2 (E_{i}) \\ 0_{1 \times m} & 1 \end{matrix}) . \end{matrix}$

Therefore, we have

$\{\begin{matrix} c_{j_{0}} = (a r_{1}^{T} + BD (c_{i_{0}}) R_{1}) A_{j} + a {\tilde{e}}_{0}^{T} + BD (c_{i_{0}}) R_{2}, \\ c_{j_{1}} = (a r_{1}^{T} + BD (c_{i_{0}}) R_{1}) U_{j} + a {\tilde{e}}_{1}^{T} + BD (c_{i_{0}}) R_{3} - x_{0}^{T} E_{i} + x_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ . \end{matrix}$

(1)

Let

${\bar{s}}^{T} = a r_{1}^{T} + BD (c_{i_{0}}) R_{1} \in Z_{q}^{1 \times n},$

${\bar{x}}_{0}^{T} = a {\tilde{e}}_{0}^{T} + BD (c_{i_{0}}) R_{2} \in χ^{1 \times m},$

${\bar{x}}_{1}^{T} = a {\tilde{e}}_{1}^{T} + BD (c_{i_{0}}) R_{3} - x_{0}^{T} E_{i} + x_{1}^{T} \in χ^{1 \times m} .$

Equation (1) can be simplified to Equation (2) as follows:

$\{\begin{matrix} c_{j_{0}} = {\bar{s}}^{T} A_{j} + {\bar{x}}_{0}^{T}, \\ c_{j_{1}} = {\bar{s}}^{T} U_{j} + {\bar{x}}_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ . \end{matrix}$

(2)

Therefore, we have the decryption as below.

$\begin{matrix} c_{j_{1}} - c_{j_{0}} E_{j} & = {\bar{s}}^{T} U_{j} + {\bar{x}}_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ - ({\bar{s}}^{T} A_{j} + {\bar{x}}_{0}^{T}) E_{j} \\ = μ ⌊ \frac{q}{2} ⌋ + \underset{error term}{\underset{︸}{{\bar{x}}_{1}^{T} - {\bar{x}}_{0}^{T} E_{j} .}} \end{matrix}$

In order to obtain an accurate decryption, the error term norm needs to be smaller than $q / 4$ , i.e., $∥ {\bar{x}}_{1}^{T} - {\bar{x}}_{0}^{T} E_{j} ∥ \leq q / 4$ . Because of ${\bar{x}}_{0}^{T} \in χ^{1 \times m}$ , ${\bar{x}}_{1}^{T} \in χ^{1 \times m}$ , $E_{j} \in χ^{m \times m}$ and $A_{j} E_{j} = U_{j}$ , we have $∥ x_{0}^{T} ∥ \leq \sqrt{m} B$ , $∥ x_{1}^{T} ∥ \leq \sqrt{m} B$ , and $∥ E_{j} ∥ \leq m τ$ . Similar to the first case, it is not difficult to compute $∥ {\bar{x}}_{1}^{T} - {\bar{x}}_{0}^{T} E_{j} ∥ \leq q / 4$ . As a result, the re-encryption ciphertext can be correctly decrypt.

4.2. Security Proof of Scheme I

According to Lemma 1, we now show that the above scheme satisfies CPA security and re-encryption simulatability respectively.

Theorem 1.

The scheme I has re-encryption simulatability property.

Proof of Theorem 1.

Referring to Equation 1 and Equation 2, when

μ

is known and

\bar{s}

{\bar{x}}_{0}

, and

{\bar{x}}_{1}

are randomized, we can directly sample to get

({\bar{s}}^{T} A_{j} + {\bar{x}}_{0}^{T}, {\bar{s}}^{T} U_{j} + {\bar{x}}_{1}^{T} + μ ⌊ \frac{q}{2} ⌋)

. It is observed that the distributions of ciphertexts

c_{j}

and

c_{i}

are identical. Assuming that we know

p p

p k_{j} = \{U_{j}, A_{j}\}

and plaintext

μ

, we can easily sample these ciphertexts as follows.

–: $Sim . ReEnc (p p, p k_{j}, s k_{j}, c_{i}, μ) \to c_{j}$ : On input $p p = (n, m, q, χ, χ^{m})$ , $p k_{j} = {U_{j}, A_{j}}$ , $s k_{j} = E_{j}$ , $c_{i} = (c_{i_{0}}, c_{i_{1}})$ . Sample $s^{'} \overset{$}{\leftarrow} Z_{q}^{n}$ , $x_{0}^{'} \overset{$}{\leftarrow} χ^{m}$ and $x_{1}^{'} \overset{$}{\leftarrow} χ^{m}$ . This algorithm outputs

$c_{j_{0} s i m}^{'} = {s^{'}}^{T} A_{j} + {x_{0}^{'}}^{T},$

and

$c_{j_{1} s i m}^{'} = {s^{'}}^{T} U_{j} + {x_{1}^{'}}^{T} + μ ⌊ \frac{q}{2} ⌋ .$

Because the re-encryption ciphertexts obtained by re-encryption algorithm are

c_{j_{0}} = (a r_{1}^{T} + BD (c_{i_{0}}) R_{1}) A_{j} + a {\tilde{e}}_{0}^{T} + BD (c_{i_{0}}) R_{2} = {\bar{s}}^{T} A_{j} + {\bar{x}}_{0}^{T},

and

c_{j_{1}} = (a r_{1}^{T} + BD (c_{i_{0}}) R_{1}) U_{j} + a {\tilde{e}}_{1}^{T} + BD (c_{i_{0}}) R_{3} - x_{0}^{T} E_{i} + {\bar{x}}_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ = {\bar{s}}^{T} U_{j} + {\bar{x}}_{1}^{T} + μ ⌊ \frac{q}{2} ⌋ .

From the above, we can see that

s^{'}

x_{0}^{'}

and

x_{1}^{'}

have the same distribution as

\bar{s}

{\bar{x}}_{0}

and

{\bar{x}}_{1}

, respectively. Therefore, it is not difficult for us to find that

c_{j_{0} s i m}^{'}

and

c_{j_{1} s i m}^{'}

are indistinguishable from

c_{j_{0}}

and

c_{j_{1}}

, respectively. Meanwhile, the ciphertext

c_{j} = (c_{j_{0} s i m}^{'}, c_{j_{1} s i m}^{'})

can be decrypted by

s k_{j}

Hence, the PRE scheme above has the property of re-encryption simulatability. □

Theorem 2.

The scheme I we proposed is selective HRA-secure under the hardness of LWE.

Proof of Theorem 2

The selective CPA security of this scheme is easy to prove. Due to space constraints, we do not provide detailed proof of the CPA in this study.

According to Lemma 1, the PRE scheme we proposed above can be proved to be HRA-secure under the hardness of LWE. □

5. Construction of AB-CPRE with Re-Encryption Simulatability

AB-CPRE was initially introduced by Liang et al. in [14] at ESORICS’21. They provided a comprehensive definition of AB-CPRE, elaborated on its CPA model, meticulously constructed the corresponding scheme utilizing LWE, and presented rigorous proof of its selective CPA security. In this section, we use the construction idea in scheme I to improve the

ReKeyGen

and

ReEnc

of [14], enabling the modified scheme to have the property of re-encryption simulatability. The modified AB-CPRE scheme enhances the security from selective CPA to selective HRA. Our focuses are on the modified scheme with re-encryption simulatability and the implementation of the selective HRA security proof. The other four algorithms remain the same as those in [14].

5.1. HRA Security Model of AB-CPRE

We directly formalize the selective HRA security model of AB-CPRE for the first time, which is demonstrated below. Unlike Scheme I, in the following scheme, we use

α

and

β

to represent users’s identities. (Since letters such as f and g represent strategies, it would be confusing to use letters i and j to represent identities again.) Note: The condition

f (x) = 0

indicates that the attributes encoded in the

Enc

algorithm satisfy the policy embedded in the

ReKeyGen

algorithm.

Definition 8

(Security Model for Selective HRA of AB-CPRE). Honest Key Generation

O_{H o n e s t}

,Corrupted Key Generation

O_{C o r r u p t e d}

andRe-encryption Key Generation

O_{R e K e y G e n}

are the same as the security game for selective CPA [14]. Besides,

O_{E n c}

has been added. Additionally, the

O_{R e E n c}

and thechallenge phasealso differ from the CPA security model.

Init:

A

announces challenge user

θ^{*}

and the challenge attributes vector

x^{*}

Setup: The challenger

C

runs

Setup (1^{λ})

to generate

p p

and gives it to

A

. Two sets,

Γ_{H}

(representing honest) and

Γ_{C}

(representing corrupted), are initially empty by

C

. These operation above performs the same as the challenger

C

in the CPA security model of AB-CPRE. Besides,

C

initializes a counter

numCt

to 0, an empty key-value store

Ct

, and an empty set

Derive

. Besides, the set

Γ_{r k}

(representing re-encryption key) is initially empty.

Query Phase 1: In this Phase,

A

mainly makes four types of queries:

–: Honest Key Generation $O_{H o n e s t}$ : First, $C$ obtains a key pair by running $(p k_{α}, s k_{α}) \leftarrow KeyGen (p p, α)$ after $A$ sends the identity of a user α. Then, $C$ give $p k_{α}$ to $A$ . Finally, $C$ inserts the identity α into the set $Γ_{H}$ .
–: Corrupted Key Generation $O_{C o r r u p t e d}$ : First, $C$ obtains a key pair by running $(p k_{α}, s k_{α}) \leftarrow KeyGen (p p, α)$ after $A$ sends the identity of a user α. Then, $C$ give ( $p k_{α}$ , $s k_{α}$ ) to $A$ . Finally, $C$ inserts the identity α into the set $Γ_{C}$ .
–: Re-encryption Key Generation $O_{R e K e y G e n}$ : Given α, β and f by $A$ , $C$ inputs ⊥ if $α = θ^{*}$ , $β \in Γ_{C}$ , and satisfying $f (x^{*}) = 0$ . Otherwise, $C$ returns the $r k_{α, f \to β}$ by running the algorithm $ReKeyGen (s k_{α}, p k_{β}, f) \to r k_{α, f \to β}$ , inserts $r k_{α, f \to β}$ into $Γ_{r k}$ with the key-value (α, β, f, $r k_{α, f \to β}$ ), and outputs $r k_{α, f \to β}$ .
–: Encryption $O_{E n c}$ : Given $p k_{α}$ , $μ \in {0, 1}^{m}$ , $x = {\{x_{i}\}}_{i \in [l]}$ by $A$ , $C$ obtains the ciphertext $c_{α, x}$ by running algorithm $Enc (p k_{α}, μ, x) \to c_{α, x}$ and increases $numCt$ . Then, $C$ stores the value $c_{α, x}$ in $Ct$ with key $(α, numCt)$ and returns $(numCt, c_{α, x})$ .
–: Re-encryption $O_{R e E n c}$ : Given $c_{α, x}$ , α, β, f and k by $A$ , where $k \leq numCt$ , $C$ returns ⊥ if there is no value in $Ct$ with key $(α, k)$ or when $f (x) \neq 0$ holds or when $α = θ^{*}$ , $β \in Γ_{C}$ , $f (x^{*}) = 0$ , $k \in Derive$ . Otherwise, $C$ gets $r k_{α, f \to β}$ by searching $Γ_{r k}$ set or queries $O_{R e k e y G e n}$ . Then, $C$ runs $ReEnc (r k_{α, f \to β}, c_{α, x}) \to c_{β}$ , increases $numCt$ , and stores the value $c_{β}$ in $Ct$ with key $(β, numCt)$ . Finally, $C$ returns $(numCt, c_{β})$ .

Challenge Phase: After receiving

(θ^{*}, μ_{0}, μ_{1}, x^{*})

from

A

C

selects

b \overset{$}{\leftarrow} {0, 1}

and obtains the challenge ciphertext

c_{θ^{*}, x^{*}}

by running the algorithm

Enc (p p, p k_{θ^{*}}, μ_{b}, x^{*})

. Additionally,

C

increments

numCt

and adds it to the set

Deriv

. The value

c_{θ^{*}, x^{*}}

is stored in

Ct

with key

(θ^{*}, numCt)

, and finally

(numCt, c_{θ^{*}, x^{*}})

is returned.

Query Phase 2: This phase is identical toQuery Phase 1, with the exception of the

O_{R e E n c}

oracle.

C

outputs ⊥ if

β \in Γ_{C}

and

k \in Derive

Decision Phase:

A

produces a decision

b^{'} \in {0, 1}

. Eventually,

A

is declared the winner of the game if and only if

b^{'} = b

5.2. Succinct Construction (Scheme II)

To facilitate our proofs, we elaborate on the entire scheme in this section. Notably, our primary innovations manifest in the last two algorithms. The initial four algorithms closely mirror those delineated in [14]. To avoid redundancy, we abstain from revisiting specific elements of previous knowledge integral to the scheme, such as the Gadget matrix

G

ExtendLeft

ExtendRight

{Eval}_{c t}

{Eval}_{p k}

{Eval}_{s i m}

, as these have been extensively covered in reference reference [14].

–: $Setup (n) \to p p$ : $B_{1}, \dots, B_{l} \leftarrow Z_{q}^{n \times m}$ . Output $p p = (B_{1}, \dots, B_{l}, χ)$ , where $χ$ is an error sampling algorithm.
–: $KeyGen (p p, α) \to (p k_{α}, s k_{α})$ : The following algorithms $(A_{α}, T_{A_{α}}) \leftarrow TrapGen (n, 1^{m}, q),$ and $R_{α} \leftarrow SamplePre (A_{α}, T_{A_{α}}, - D_{α}, σ) .$ are executed. Then, this algorithm outputs $p k_{α} = (A_{α}, D_{α})$ and $s k_{α} = (T_{A_{α}}, R_{α})$ , where $D_{α} \leftarrow Z_{q}^{n \times m}$ .
–: $Enc (p p, p k_{α}, μ \in {\{0, 1\}}^{m}, x = {\{x_{i}\}}_{i \in [l]}) \to c_{α, x}$ : Let $s \overset{$}{\leftarrow} Z_{q}^{n}$ , $e_{i n}, e_{o u t} \in χ^{m}$ . Then $c t_{α, x} = (c_{i n}, c_{o u t}) = (A_{α}^{T} s + e_{i n}, D_{α}^{T} s + e_{o u t} + μ ⌊ \frac{q}{2} ⌋) .$ If $x$ is null, then set $c c = \emptyset$ . Otherwise, $c c_{α, x} = ({\{c_{i} = {(x_{i} G + B_{i})}^{T} s + S_{i}^{T} e_{i n}\}}_{i \in [l]}) \in Z_{q}^{l m},$ where $S_{i} \leftarrow {\{- 1, 1\}}^{m \times m}$ . Output $c_{α, x} = (c t_{α, x}, c c_{α, x})$ .
–: $Dec (p p, s k_{α}, c_{α, x}) \to μ^{'}$ : Compute

$μ^{'} = (c_{i n}^{T} c_{o u t}^{T}) (\begin{matrix} R_{α} \\ I_{m \times m} \end{matrix}) .$

For $j \in [m]$ , set $μ_{j} = 1$ if $μ_{j}^{'} - ⌊ \frac{q}{2} ⌋ < q / 4$ , otherwise set $μ_{j} = 0$ . Finally, output $μ \in {\{0, 1\}}^{m}$ .
–: $ReKeyGen (p p, s k_{α}, p k_{β}, f) \to r k_{α, f \to β}$ : The inputs of this algorithm are $p p = (B_{1}, \dots, B_{l}, χ)$ , $s k_{α} = (T_{A_{α}}, R_{α})$ , $p k_{β} = (A_{β}, D_{β})$ and a policy f. Then this algorithm executes the following steps one by one.

$B_{f} = {Eval}_{p k} (f, {\{B_{i}\}}_{i \in [l]}),$

$T_{(A_{α} | B_{f})} \leftarrow ExtendRight (A_{α}, T_{A_{α}}, B_{f}),$

$R_{α, f} \leftarrow SamplePre ((A_{α} | B_{f}), T_{(A_{α} | B_{f})}, - D_{α}, σ) .$

Let

$g^{T} = r_{1}^{T} (A_{β} | D_{β}) + ({\tilde{e}}_{0}^{T} | {\tilde{e}}_{1}^{T}) \in Z_{q}^{1 \times 2 m},$

and

$Q = (\begin{matrix} E_{1} A_{β} + E_{2} & E_{1} D_{β} + E_{3} + P 2 (R_{α, f}) \\ 0_{m \times m} & I_{m \times m} \end{matrix}) \in Z_{q}^{(2 k + 1) m \times 2 m},$

where $E_{1} \overset{$}{\leftarrow} χ^{2 k m \times n}$ , $E_{2}, E_{3} \overset{$}{\leftarrow} χ^{2 k m \times m}$ , vectors $r_{1} \overset{$}{\leftarrow} Z_{q}^{n}$ , ${\tilde{e}}_{0} \overset{$}{\leftarrow} χ^{m}$ , ${\tilde{e}}_{1} \overset{$}{\leftarrow} χ^{m}$ .

Finally, this algorithm outputs $r k_{i \to j} = {g^{T}, Q}$ .
–: $ReEnc (p p, r k_{α, f \to β}, c_{α}) \to c_{β}$ : The inputs of this algorithm are $p p = (B_{1}, \dots, B_{l}, χ)$ , $r k_{i \to j} = {g^{T}, Q}$ and $c_{α} = (c t_{α}, c c_{α})$ . If $f (x) \neq 0$ (represents that the attributes embedded in the $Enc$ algorithm do not satisfy the policy embedded in the $ReKeyGen$ algorithm) or $c c_{α} = \emptyset$ , output ⊥. Otherwise, let $c t_{α} = (c_{i n}, c_{o u t})$ , $c c_{α} = ({\{c_{i}\}}_{i \in [l]}) \in Z_{q}^{l m}$ . This algorithm performs the following steps in sequence:

$c_{f} \leftarrow {Eval}_{c t} (f, {\{(x_{i}, B_{i}, c_{i})\}}_{i \in [l]}),$

$c t_{β}^{T} = a g^{T} + BD (c_{f}^{' T}) | c_{o u t}^{T}) \cdot Q$

where $c_{f}^{'} = [c_{i n} | c_{f}]$ . Finally, this algorithm outputs $c_{β} = (c t_{β}, c c_{β} = \emptyset)$ .

5.3. Security Proof

It is not difficult to see that such two minor modifications do not affect the selective CPA security in [14]. Since the original scheme is selective CPA secure, the revised one still satisfies selective CPA secure. Below we will mainly focus on its re-encryption simulatability and HRA security proof.

Theorem 3.

The Scheme II is re-encryption simulatable.

Proof of Theorem 3

We have

\begin{matrix} c t_{β}^{T} & = a g^{T} + BD (c_{f}^{' T}) | c_{o u t}^{T}) \cdot Q \\ = a (r_{1}^{T} (A_{β} | D_{β}) + ({\tilde{e}}_{0}^{T} | {\tilde{e}}_{1}^{T})) + (BD (c_{f}^{' T}) | c_{o u t}^{T}) (\begin{matrix} E_{1} A_{β} + E_{2} & E_{1} D_{β} + E_{3} + P 2 (R_{α, f}) \\ 0_{m \times m} & I_{m \times m} \end{matrix}) . \end{matrix}

Let

c t_{β}^{T} = (c_{i n}^{T}, c_{o u t}^{T})

. Through a series of calculations, we get

\{\begin{matrix} c_{i n}^{T} = (a r_{1}^{T} + BD (c_{f}^{' T}) E_{1}) A_{β} + a {\tilde{e}}_{0}^{T} + BD (c_{f}^{' T}) E_{2}, \end{matrix} c_{o u t}^{T} = (a r_{1}^{T} + BD (c_{f}^{' T}) E_{1}) D_{β} + a {\tilde{e}}_{1}^{T} + BD (c_{f}^{' T}) E_{3} + e_{o u t}^{T} - {[e_{i n} | e_{f}]}^{T} R_{α, f} + μ ⌊ \frac{q}{2} ⌋ .

(3)

Let

{\bar{s}}^{T} = a r_{1}^{T} + BD (c_{f}^{' T)} E_{1} \in Z_{q}^{1 \times n},

{\bar{e}}_{i n}^{T} = a {\tilde{e}}_{0}^{T} + BD (c_{f}^{' T}) E_{2} \in χ^{1 \times m},

{\bar{e}}_{o u t}^{T} = a {\tilde{e}}_{1}^{T} + BD (c_{f}^{' T}) E_{3} + e_{o u t}^{T} - {[e_{i n} | e_{f}]}^{T} R_{α, f} \in χ^{1 \times m} .

Equation (3) can be simplified to Equation (4) as follows:

\{\begin{matrix} c_{i n}^{T} = {\bar{s}}^{T} A_{β} + {\bar{e}}_{i n}^{T}, \\ c_{o u t}^{T} = {\bar{s}}^{T} D_{β} + {\bar{e}}_{o u t}^{T} + μ ⌊ \frac{q}{2} ⌋ . \end{matrix}

(4)

According to the Definition 7, our

Sim . ReEnc

algorithm is as follows.

–: $Sim . ReEnc (p p, p k_{β}, s k_{β}, c_{α, x}, β, f, x)$ : On input $p p = (B_{1}, \dots, B_{l}, χ)$ , $p k_{β} = (A_{β}, D_{β})$ , $s k_{β} = (T_{A_{β}}, R_{β})$ , $c_{α, x} = (c t_{α, x}, c c_{α, x})$ where

$c t_{α, x} = (A_{α}^{T} s + e_{i n}, D_{α}^{T} s + e_{o u t} + μ ⌊ \frac{q}{2} ⌋)$

and

$c c_{α, x} = ({\{c_{i} = {(x_{i} G + B_{i})}^{T} s + S_{i}^{T} e_{i n}\}}_{i \in [l]}) \in Z_{q}^{l m} .$

Sample $s^{' T}$ from $Z_{q}^{1 \times n}$ uniformly at random. Choose $e_{i n}^{' T} \overset{$}{\leftarrow} χ^{1 \times m}$ and $e_{o u t}^{' T} \overset{$}{\leftarrow} χ^{1 \times m}$ uniformly at random. Then, this algorithm outputs ciphertext $c t_{β} = (c_{i n}^{s i m}, c_{o u t}^{s i m})$ which can be decrypted by $s k_{β}$ , where

$c_{i n}^{s i m} = s^{' T} A_{β} + e_{i n}^{' T},$

$c_{o u t}^{s i m} = s^{' T} D_{β} + e_{o u t}^{' T} + μ ⌊ \frac{q}{2} ⌋ .$

Therefore, this scheme has the property of re-encryption simulatability. □

Then, the concrete selective HRA security proof of AB-CPRE scheme is shown below.

Theorem 4.

The Scheme II is selective HRA-secure under the hardness of LWE.

Proof of Theorem 4

First, we define three simulation algorithms, which are

Sim . {ReKeyGen}_{1}

Sim . {ReKeyGen}_{2}

and

Sim . ReEnc

. The algorithm

Sim . ReEnc

is presented in Theorem 3, and below we present two simulation algorithms,

Sim . {ReKeyGen}_{1}

and

Sim . {ReKeyGen}_{2}

, respectively.

–: $Sim . {ReKeyGen}_{1} (p p, α, β, f) \to r k_{α, f \to β}$ : If $α \in Γ_{H}$ , $β \in Γ_{H}$ , let

$Q = (\begin{matrix} X_{1} & X_{2} \\ 0_{m \times (l + 1) m} & I_{m \times m} \end{matrix}),$

$g^{T} = r_{1}^{T} (A_{β} | D_{β}) + ({\tilde{e}}_{0}^{T} | {\tilde{e}}_{1}^{T}),$

where $X_{1} \overset{$}{\leftarrow} χ^{2 m k \times m}$ , $X_{2} \overset{$}{\leftarrow} χ^{2 m k \times m}$ , $r_{1} \overset{$}{\leftarrow} Z_{q}^{n}$ , ${\tilde{e}}_{0} \overset{$}{\leftarrow} χ^{m}$ , ${\tilde{e}}_{1} \overset{$}{\leftarrow} χ^{m}$ are randomly chosen matrices or vectors. Outputs $r k_{i \to j} = {g^{T}, Q}$ .
–: $Sim . {ReKeyGen}_{2} (p p, α, β, f) \to r k_{α, f \to β}$ : If the adversary inputs $α$ , $β$ , f, where $α = θ^{*}$ , $β \in Γ_{C}$ and $f (x^{*}) \neq 0$ , the algorithm does the following:

Firstly, sample $S_{i} \leftarrow {\{- 1, 1\}}^{m \times m}$ and run $S_{f}^{*} \leftarrow {Eval}_{s i m} (f, {\{x_{i}^{*}, S_{i}^{*}\}}_{i \in [l]}, A_{θ^{*}}),$ satisfying $A_{θ^{*}} S_{f}^{*} - f (x_{i}^{*}) G = B_{f} .$

Secondly, obtain a trapdoor $T_{(A_{θ^{*}} | B_{f})}$ by running $ExtendLeft (A_{θ^{*}}, f (x^{*}) G, T_{G}, S_{f}^{*})$ algorithm.

Thirdly, sample $R_{θ^{*}, f} \leftarrow SamplePre ([A_{θ^{*}} | B_{f}], T_{(A_{θ^{*}} | B_{f})}, - D_{θ^{*}}, σ) .$ Let

$g^{T} = r_{1}^{T} (A_{β} | D_{β}) + ({\tilde{e}}_{0}^{T} | {\tilde{e}}_{1}^{T}),$

$Q = (\begin{matrix} E_{1} A_{β} + E_{2} & E_{1} D_{β} + E_{3} + P 2 (R_{θ^{*}, f}) \\ 0_{m \times m} & I_{m \times m} \end{matrix}),$

where $E_{1} \overset{$}{\leftarrow} χ^{2 k m \times n}$ , $E_{2}, E_{3} \overset{$}{\leftarrow} χ^{2 k m \times m}$ , $r_{1} \overset{$}{\leftarrow} Z_{q}^{n}$ , ${\tilde{e}}_{0} \overset{$}{\leftarrow} χ^{m}$ , ${\tilde{e}}_{1} \overset{$}{\leftarrow} χ^{m}$ . Outputs $r k_{i \to j} = {g^{T}, Q}$ .

It should be noted that

A

announces both the challenge user

θ^{*}

and the challenge attribute vector

x^{*}

in the Init phase. The security proof for selective HRA can be presented as a sequence of games, as shown below.

Game 0. This game is identical to Definition 8.

Game 1. Based on Game 0, this game is mainly modified

O_{R e k e y G e n}

and

O_{R e E n c}

–: Re-encryption Key Generation $O_{R e K e y G e n}$ : If $A$ inputs $α$ , $β$ , f and the key pairs for $α$ and $β$ were generated in $O_{H o n e s t}$ or $O_{C o r r u p t e d}$ . The oracle does the following:

When $α \in Γ_{H}$ , $β \in Γ_{H}$ , $C$ returns $r k_{α, f \to β}$ by running $Sim . {ReKeyGen}_{1}$ algorithm, and inserts $r k_{α, f \to β}$ into $Γ_{r k}$ with the key-value ( $α$ , $β$ , f, $r k_{α, f \to β}$ );

When $β \in Γ_{H}$ , $β \in Γ_{C}$ ,

1) $α = θ^{*}$ , $f (x^{*}) = 0$ , $C$ outputs ⊥;

2) $α = θ^{*}$ , $f (x^{*}) \neq 0$ , $C$ returns $r k_{α, f \to β}$ by running $Sim . {ReKeyGen}_{2}$ algorithm. Then, $C$ inserts $r k_{α, f \to β}$ into $Γ_{r k}$ with the key-value ( $α$ , $β$ , f, $r k_{α, f \to β}$ );

3) $α \neq θ^{*}$ , $C$ returns $r k_{α, f \to β}$ by running $ReKeyGen$ algorithm. Then, $C$ inserts $r k_{α, f \to β}$ into $Γ_{r k}$ with the key-value ( $α$ , $β$ , f, $r k_{α, f \to β}$ ).

when $α \in Γ_{C}$ and $β \in Γ_{H}$ , $α \in Γ_{C}$ and $β \in Γ_{C}$ , $C$ returns $r k_{α, f \to β}$ by running $ReKeyGen$ , and inserts $r k_{α, f \to β}$ into $Γ_{r k}$ with the key-value ( $α$ , $β$ , f, $r k_{α, f \to β}$ ).

Finally, the challenger $C$ outputs $r k_{α, f \to β} = {g^{T}, Q}$ to the adversary $A$ .
–: Re-encryption $O_{R e E n c}$ : Given $c_{α, x}$ , $α$ , $β$ , f and k, where $k \leq numCt$ . If there is no value in $Ct$ with key $(α, k)$ or when $f (x) \neq 0$ holds, return ⊥. Otherwise, $C$ gets $r k_{α, f \to β}$ by searching $Γ_{r k}$ set or queries $O_{R e k e y G e n}$ . Then, when $β \in Γ_{H}$ , $β \in Γ_{C}$ ,

1) $α = θ^{*}$ , $f (x^{*}) = 0$ , and $k \in Derive$ , outputs ⊥. If $f (x^{*}) = 0$ , $β \in Γ_{C}$ and $k \notin Derive$ , return the $c t_{β}$ by running $Sim . ReEnc$ algorithm. $C$ outputs ⊥;

2) $α = θ^{*}$ , $f (x^{*}) \neq 0$ , $C$ returns $c t_{β}$ by running $ReEnc$ algorithm.

3) $α \neq θ^{*}$ , $C$ returns $c t_{β}$ by running $ReEnc$ algorithm.

when $α \in Γ_{H}$ and $β \in Γ_{H}$ , $α \in Γ_{C}$ and $β \in Γ_{H}$ , $α \in Γ_{C}$ and $β \in Γ_{C}$ , $C$ returns $c t_{β}$ by running $ReEnc$ where $r k_{α, f \to β} = {g^{T}, Q}$ were obtained by $C$ . Then $C$ inserts $r k_{α, f \to β}$ into $Γ_{r k}$ with the key-value ( $α$ , $β$ , f, $r k_{α, f \to β}$ ).

Game 2. The game being described here is the same as Game 1, with the only difference being the method used to generate

B_{1}, \dots, B_{l}

. Let

B_{i} = A_{θ^{*}} S_{i}^{*} - x_{i}^{*} G

where the random matrices

S_{1}^{*}, \dots, S_{l}^{*} \in {\{+ 1, - 1\}}^{m \times m}

be chosen randomly at Setup phase. The matrices

{\{S_{i}^{*}\}}_{i \in [l]}

should be kept secret, while

p p

can be disclosed and consists of

p p = (B_{1}, \dots, B_{l}, χ)

By using Definition 6, we can demonstrate that Game 2 is statistically identical to Game 1. Consequently, from the perspective of the adversary, all the matrices

A_{θ^{*}} S_{i}^{*}

are statistically close to a uniform distribution, which implies that the

B_{i}

(defined as

B_{i} = A_{θ^{*}} S_{i}^{*} - x_{1}^{*} G

are also close to a uniform distribution. Consequently, it can be concluded that Game 2 and Game 1 are statistically indistinguishable.

Game 3. Compared to Game 2, we change how

A_{θ^{*}}

is produced where a uniformly random matrix

A_{θ^{*}} \in Z_{q}^{n \times m}

. The construction of

B_{1}, \dots, B_{l}

remains as the same as in Game 2, where

B_{i} = A_{θ^{*}} S_{i}^{*} - x_{i}^{*} G

By using Definition 3, we can demonstrate that Game 3 is statistically identical to Game Game 2.

Game 4. The game being described here is the same as Game 3, with the only difference being the method used to generate

c^{*} = (c_{i n}, c_{o u t})

Reduction from DLWE: Assume that

A

confers a non-negligible advantage in differentiating between Game 4 and Game 3. We build

B

, a DLWE solver, using

A

–: DLWE instance: $B$ begins by obtaining a DLWE challenge consisting of two random matrices $A_{θ^{*}}, D_{θ^{*}} \in Z_{q}^{n \times m}$ , and two vectors $c_{i n}, c_{o u t} \in Z_{q}^{m}$ . Here, $c_{i n}$ , $c_{o u t}$ are either random or

$c_{i n} = A_{θ^{*}}^{T} s + e_{i n},$

$c_{o u t} = D_{θ^{*}}^{T} s + e_{o u t},$

where $s \overset{$}{\leftarrow} Z_{q}^{n}$ , $e_{i n}, e_{o u t} \overset{$}{\leftarrow} χ^{m}$ .

Init:

A

announces challenge user

θ^{*}

and the challenge attributes vector

x^{*}

Setup: The same as the Game 3.

Query Phase 1: The same as the Game 3 and

(A_{θ^{*}}, D_{θ^{*}})

be the public key for user

θ^{*}

Challenge Phase: After

A

sends two messages

μ_{0}, μ_{1} \in {0, 1}^{m}

B

B

first randomly selects a bit b from

{0, 1}

, then computes

c_{i n}^{*} = c_{i n}

and

c_{o u t}^{*} = c_{o u t} + μ_{b} ⌊ \frac{q}{2} ⌋

B

sends

c t^{*} = (c_{i n}^{*}, c_{o u t}^{*})

A

. Additionally,

B

increments and add

numCt

to the set

Derive

. Finally,

B

stores

c t^{*}

to the set

Ct

with key

(x^{*}, numCt)

Query Phase 2: The same as the Query Phase 1 of the Game 3.

Decision Phase:

A

guesses if it interacts with a Game 4 or Game 3 challenger. Then

B

will output

A

’s guess as an answer to the DLWE challenge.

As mentioned earlier, if

A

exhibits a non-negligible advantage in distinguishing Game 4 from Game 3, then

B

similarly possesses a non-negligible advantage in solving the DLWE problem. We establish the security of our AB-CPRE scheme with re-encryption simulatability against selective HRA in the standard model under the LWE assumption. □

6. Construction of AB-PRE with Re-Encryption Simulatability

In this section, we use the construction idea in scheme I to obtain the first lattice-based AB-PRE scheme with the property of re-encryption simulatability by modifying the

ReKeyGen

and

ReEnc

algorithms of the AB-PRE scheme proposed in [16]. Let’s primarily focus on how the modified scheme achieves re-encryption simulatability and how the selective HRA security proof is established. It’s worth noting that the definition of AB-PRE, along with its selective CPA and selective HRA security models, can be found in [16].

6.1. Succinct Construction (Scheme III)

In this section, we only provide the two algorithms that have been modified, while the other four algorithms remain the same as those in [16].

–: $ReKeyGen (p p, s k_{f}, f, g) \to r k_{f \to g}$ : Given $p p = \{A_{0}, A_{1}, \dots, A_{l}, U, G\}$ and $s k_{f} = R_{f} \in Z_{q}^{2 m \times m}$ . Select an attribute set $y = (y_{1}, \dots, y_{l})$ such that $g (y) = 0$ . $R_{1} \overset{$}{\leftarrow} Z_{q}^{2 m k \times n},$ $R_{2} \overset{$}{\leftarrow} χ^{2 m k \times (l + 1) m}$ and $R_{3} \overset{$}{\leftarrow} χ^{2 m k \times m}$ . Vectors $r_{1} \overset{$}{\leftarrow} Z_{q}^{n}$ , ${\tilde{e}}_{0} \overset{$}{\leftarrow} χ^{(l + 1) m}$ , ${\tilde{e}}_{1} \overset{$}{\leftarrow} χ^{m}$ . Then, matrices $H_{y}$ , $Z$ , and $g^{T}$ are defined as

$H_{y} = [A_{0} | y_{1} G + A_{1} | \dots | y_{l} G + A_{l}] \in Z_{q}^{n \times (l + 1) m},$

$Z = (\begin{matrix} R_{1} H_{y} + R_{2} & R_{1} U + R_{3} - P 2 (R_{f}) \\ 0_{m \times (l + 1) m} & I_{m \times m} \end{matrix}) \in Z_{q}^{(2 k + 1) m \times (l + 2) m},$

$g^{T} = r_{1}^{T} (H_{y} | U) + ({\tilde{e}}_{0}^{T} | {\tilde{e}}_{1}^{T}) \in Z_{q}^{1 \times (l + 2) m},$

respectively. Output $r k_{i \to j} = {g^{T}, Z}$ along with the attribute vector $y$ .
–: $ReEnc (p p, r k_{f \to g}, c_{x}, x) \to c_{y}$ : Given $p p = \{A_{0}, A_{1}, \dots, A_{l}, U, G\}$ , $r k_{i \to j} = {g^{T}, Z}$ , $c_{x} = (c_{i n}, c_{1}, \dots, c_{l}, c_{o u t})$ , and $x = (x_{1}, \dots, x_{l})$ . If $f (x) \neq 0$ , output ⊥. Otherwise, this algorithm computes

$c_{f} \leftarrow {Eval}_{c t} ({\{x_{i}, A_{i}, c_{i}\}}_{i = 1}^{l}, f) .$

Let $c_{f}^{'} = [c_{i n} | c_{f}] \in Z_{q}^{2 m}$ . Sample a small random number $a \in χ$ . Compute

$c_{y}^{T} = a g^{T} + (BD (c_{f}^{' T}) | c_{o u t}^{T}) \cdot Z .$

Output $c_{y}$ along with the attribute vector $y$ .

6.2. Security Proof

It is not difficult to see that such two minor modifications do not affect the selective CPA security in [16]. Since the original scheme is selective HRA secure, the revised one still satisfies selective HRA secure. Below we will mainly focus on its re-encryption simulatability.The proof of its HRA security using re-encryption simulatability is similar to the proof of Scheme III, which we will not expand in detail in this paper.

Theorem 5.

The Scheme III is re-encryption simulatable.

Proof of Theorem 5

First, let’s review the

ReEnc

algorithm in the modified scheme.

c_{y}^{T} = a g^{T} + (BD (c_{f}^{' T}) | c_{o u t}^{T}) \cdot Z .

Let

c_{y}^{T} = (c_{y 0}^{T}, c_{y 1}^{T})

. Through a series of calculations, we get

\{\begin{matrix} c_{y 0}^{T} = a r_{1}^{T} H_{y} + a {\tilde{e}}_{0}^{T} + BD (c_{f}^{' T}) R_{1} H_{y} + BD (c_{f}^{' T}) R_{2}, \end{matrix} c_{y 1}^{T} = a r_{1}^{T} U + a {\tilde{e}}_{1}^{T} + BD (c_{f}^{' T}) R_{1} U + BD (c_{f}^{' T}) R_{3} - c_{f}^{' T} R_{f} + c_{o u t}^{T} .

(5)

Let

{\bar{s}}^{T} = a r_{1}^{T} + BD (c_{f}^{' T}) R_{1} \in Z_{q}^{1 \times n},

{\bar{e}}^{T} = a {\tilde{e}}_{0}^{T} + BD (c_{f}^{' T}) R_{2} \in χ^{1 \times (l + 1) m},

{\bar{e}}_{o u t}^{T} = a {\tilde{e}}_{1}^{T} + BD (c_{f}^{' T}) R_{3} + e_{o u t}^{T} - {[e_{i n} | e_{f}]}^{T} R_{f} \in χ^{1 \times m} .

Equation (5) can be simplified to Equation (6) as follows:

\{\begin{matrix} c_{y 0}^{T} = {\bar{s}}^{T} H_{y} + {\bar{e}}^{T}, \\ c_{y 1}^{T} = {\bar{s}}^{T} U + {\bar{e}}_{o u t}^{T} + μ ⌊ \frac{q}{2} ⌋ . \end{matrix}

(6)

According to Definition 7, we can propose the

Sim . ReEnc

algorithm as follows.

–: $Sim . ReEnc (p p, c_{x}, f, g, x, R_{g}, μ)$ : Uniformly sample $s^{'}$ from $Z_{q}^{n}$ uniformly at random. Choose $e^{'}$ and $e_{o u t}^{'}$ uniformly at random from $χ^{(l + 1) m}$ and $χ^{m}$ , respectively. Then, this algorithm outputs

$c_{y 0} = H_{y}^{T} s^{'} + e^{'},$

$c_{y 1} = U^{T} s^{'} + e_{o u t}^{'} + μ ⌊ \frac{q}{2} ⌋ .$

Output $c_{y} = (c_{y 0}, c_{y 1})$ along with the attribute vector $y$ and note that $R_{g}$ can correctly decrypt this ciphertext.

From above, we know that the scheme III has re-encryption simulatability property. □

The security proof of the selective HRA given in [16] is unusually complex. That method relies heavily on the construction of the scheme itself and is not scalable. In this study, we ensure that the scheme III is HRA-secure under the hardness of LWE by primarily utilizing re-encryption simulatability property. The detailed process of the proof is similar to the proof of the scheme II, so I will not go into detail in this work.

7. Conclusions

In this work, we first proposed a generic method to elevate the security of PRE schemes based on key switching technique from CPA security to HRA security and simplify the HRA proof. A concise lattice-based PRE scheme was constructed to better illustrate our generic method, which has the re-encryption simulatability property. Utilizing this method, we made some improvements to AB-PRE and AB-CPRE of ESORICS’21 to make them have the re-encryption simulatability property. Simultaneously, we show how to improve the AB-CPRE scheme [14] by enhancing its security from selective CPA to selective HRA and the AB-PRE scheme [16] by simplifying the security proof. Moreover, our method can be extended to other PRE schemes or its variants schemes based on key switching technique, and is not limited to the above two examples.

Author Contributions

Conceptualization, all authors; methodology, B.W., L.H., L.Y.; validation, all authors; formal analysis, L.H., F.X., J.W.; writing—original draft preparation, B.W., L.H. L.Y.; supervision, J.W.; funding acquisition, J.W. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the National Key Research and Development Plan of China (Grant No. 2020YFB1005600), Major Program of Guangdong Basic and Applied Research Project (Grant No. 2019B030302008), National Natural Science Foundation of China (Grant No. 61825203), Guangdong Provincial Science and Technology Project (Grant Nos. 2017B010111005, 2021A0505030033), National Joint Engineering Research Center of Network Security Detection and Protection Technology and Guangdong Key Laboratory of Data Security and Privacy Preserving. This work is also supported by Special Funds for the Cultivation of Guangdong College Students’ Scientific and Technological Innovation (“Climbing Program” Special Funds) (Grant No. pdjh2021a0050). We all thank the reviewers for their valuable comments and suggestions which improve the content and presentation of this work a lot.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:

PRE	Proxy Re-encryption
CPA	Chosen-Plaintext Attacks
HRA	Honest Re-encryption Attacks
FHE	Fully Homomorphic Encryption
AB-PRE	Attribute-based Proxy Re-encryption
AB-CPRE	Attribute-based Conditional Proxy Re-encryption
LWE	Learning With Errors
DLWE	Decisional Learning With Errors
DBDH	Decisional Bilinear Diffie-Hellman assumption

References

Blaze, M.; Bleumer, G.; Strauss, M. Divertible Protocols and Atomic Proxy Cryptography. In Proceedings of the EUROCRYPT 1998; Nyberg, K., Ed. Springer, 1998, Vol. 1403, LNCS, pp. 127–144.
Ge, C.; Susilo, W.; Wang, J.; Fang, L. Identity-based Conditional Proxy Re-encryption with Fine Grain Policy. Comput. Stand. Interfaces 2017, 52, 1–9. [Google Scholar] [CrossRef]
Deng, H.; Qin, Z.; Wu, Q.; Guan, Z.; Zhou, Y. Flexible Attribute-based Proxy Re-encryption for Efficient Data Sharing. Inf. Sci. 2020, 511, 94–113. [Google Scholar] [CrossRef]
Shao, J.; Cao, Z. Multi-use Unidirectional Identity-based Proxy Re-encryption from Hierarchical Identity-based Encryption. Inf. Sci. 2012, 206, 83–95. [Google Scholar] [CrossRef]
Qin, Z.; Xiong, H.; Wu, S.; Batamuliza, J. A Survey of Proxy Re-encryption for Secure Data Sharing in Cloud Computing. IEEE Transactions on Services Computing 2016. [Google Scholar] [CrossRef]
Su, M.; Zhou, B.; Fu, A.; Yu, Y.; Zhang, G. PRTA: A Proxy Re-encryption based Trusted Authorization scheme for Nodes on CloudIoT. Inf. Sci. 2020, 527, 533–547. [Google Scholar] [CrossRef]
Zhuang, E.S.; Fan, C.I. Multi-Keyword Searchable Identity-Based Proxy Re-Encryption from Lattices. Mathematics 2023, 11, 3830. [Google Scholar] [CrossRef]
Agyekum, K.O.O.; Xia, Q.; Sifah, E.B.; Cobblah, C.N.A.; Xia, H.; Gao, J. A Proxy Re-Encryption Approach to Secure Data Sharing in the Internet of Things Based on Blockchain. IEEE Syst. J. 2022, 16, 1685–1696. [Google Scholar] [CrossRef]
Manzoor, A.; Braeken, A.; Kanhere, S.S.; Ylianttila, M.; Liyanage, M. Proxy Re-encryption Enabled Secure and Anonymous IoT Data Sharing Platform based on Blockchain. J. Netw. Comput. Appl. 2021, 176, 102917. [Google Scholar] [CrossRef]
Xiao, Y.; Xu, L.; Chen, Z.; Zhang, C.; Zhu, L. A Blockchain-Based Data Sharing System with Enhanced Auditability. Mathematics 2022, 10, 4494. [Google Scholar] [CrossRef]
Cohen, A. What About Bob? The Inadequacy of CPA Security for Proxy Reencryption. In Proceedings of the PKC 2019; Lin, D.; Sako, K., Eds. Springer, 2019, Vol. 11443, LNCS, pp. 287–316.
Ateniese, G.; Fu, K.; Green, M.; Hohenberger, S. Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage. ACM Trans. Inf. Syst. Secur. 2006, 9, 1–30. [Google Scholar] [CrossRef]
Gentry, C. A fully homomorphic encryption scheme. PhD thesis, Stanford University, USA, 2009.
Liang, X.; Weng, J.; Yang, A.; Yao, L.; Jiang, Z.; Wu, Z. Attribute-Based Conditional Proxy Re-encryption in the Standard Model Under LWE. In Proceedings of the ESORICS 2021; Bertino, E.; Shulman, H.; Waidner, M., Eds. Springer, 2021, Vol. 12973, LNCS, pp. 147–168.
Luo, F.; Al-Kuwari, S.M.; Wang, F.; Chen, K. Attribute-based Proxy Re-encryption from Standard Lattices. Theor. Comput. Sci. 2021, 865, 52–62. [Google Scholar] [CrossRef]
Susilo, W.; Dutta, P.; Duong, D.H.; Roy, P.S. Lattice-Based HRA-secure Attribute-Based Proxy Re-Encryption in Standard Model. In Proceedings of the ESORICS 2021; Bertino, E.; Shulman, H.; Waidner, M., Eds. Springer, 2021, Vol. 12973, LNCS, pp. 169–191.
Agrawal, S.; Boneh, D.; Boyen, X. Efficient Lattice (H)IBE in the Standard Model. In Proceedings of the EUROCRYPT 2010; Gilbert, H., Ed. Springer, 2010, Vol. 6110, LNCS, pp. 553–572.
Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Proceedings of the EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds. Springer, 2012, Vol. 7237, LNCS, pp. 700–718.
Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for Hard Lattices and New Cryptographic Constructions. In Proceedings of the Proceedings of the 40th Annual ACM Symposium on Theory of Computing, 2008; Dwork, C., Ed. ACM, 2008, pp. 197–206.
Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. In Proceedings of the Innovations in Theoretical Computer Science 2012, Cambridge, MA, USA, January 8-10, 2012; Goldwasser, S., Ed. ACM, 2012, pp. 309–325.
Agrawal, S.; Boneh, D.; Boyen, X. Efficient Lattice (H)IBE in the Standard Model. In Proceedings of the EUROCRYPT 2010; Gilbert, H., Ed. Springer, 2010, Vol. 6110, LNCS, pp. 553–572.
Ateniese, G.; Benson, K.; Hohenberger, S. Key-Private Proxy Re-encryption. In Proceedings of the CT-RSA 2009; Fischlin, M., Ed. Springer, 2009, Vol. 5473, LNCS, pp. 279–294.

Table 1. Evaluating our three schemes in comparison to existing methods.

Scheme	Type	Assumptions	Security	Quantum-resistant	Standard Model	Re-encryption Simulatability
[12]	PRE	DBDH	CPA	✕	✓	✕
[11]¹	PRE	DBDH	HRA	✕	✓	✓
[13]	$P R E^{★}$	−	CPA	✓	✓	✕
[11]²	$P R E^{★}$	−	HRA	✓	✓	✓
Scheme I(Ours)	PRE	LWE	HRA	✓	✓	✓
[14]	AB-CPRE	LWE	CPA	✓	✓	✕
Scheme II(Ours)	AB-CPRE	LWE	HRA	✓	✓	✓
[15]	AB-PRE	LWE	CPA	✓	✓	✕
[16]	AB-PRE	LWE	HRA	✓	✓	✕
Scheme III(Ours)	AB-PRE	LWE	HRA	✓	✓	✓

14.1cm 1 PRE scheme based on [12]; ² PRE scheme based on [13];

P R E^{★}

is a sufficiently somewhat homomorphic encryption scheme that incorporates bootstrapping and implies CPA secure PRE

Table 2. Main notations in this work.

Notation	Description
$A$	A matrix.
$s$	A vector.
$(\cdot ∥ \cdot)$	Horizontal concatenation.
$\overset{$}{\leftarrow}$	Sample a matrix or vector randomly.
$[m]$	$1, 2, \dots, m$ .
$Λ (A)$	A lattice.
$Λ_{q}^{⊥} (A)$	A q-ary integer lattice.
$D_{Λ_{q}^{u} (A), τ}$	A discrete Gaussian distribution.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

MDPI Initiatives

Important Links

Choose an area of interest and we will send you notifications of new preprints at your preferred frequency.

Disclaimer

HRA-Secure Proxy Re-encryption with Re-encryption Simulatability under Lwe in Standard Model

Abstract

1. Introduction

1.1. Our Contributions

1.2. Organization

2. Preliminaries

3. Re-encryption Simulatability of PRE

4. Construction of PRE with Re-encryption Simulatability

4.1. Construction (Scheme I)

4.2. Security Proof of Scheme I

5. Construction of AB-CPRE with Re-Encryption Simulatability

5.1. HRA Security Model of AB-CPRE

5.2. Succinct Construction (Scheme II)

5.3. Security Proof

6. Construction of AB-PRE with Re-Encryption Simulatability

6.1. Succinct Construction (Scheme III)

6.2. Security Proof

7. Conclusions

Author Contributions

Funding

Institutional Review Board Statement

Informed Consent Statement

Data Availability Statement

Conflicts of Interest

Abbreviations

References

MDPI Initiatives

Important Links

Subscribe