Attribute-Based Fully Homomorphic Encryption Scheme from Lattices with Short Ciphertext

Attribute-based encryption (ABE) is a good choice for one-to-many communication and fine-grained access control of encrypted data in a cloud environment. Fully homomorphic encryption (FHE) allows cloud servers to perform valid operations on encrypted data without decrypting it. Attribute-based fully homomorphic encryption (ABFHE) from lattices not only combines the advantages of ABE and FHE but can also resist quantum attacks. However, in most previous ABFHE schemes, the growth of the ciphertext size usually depends on the total number of system attributes, which leads to high communication overhead and long running times for encryption and decryption. In this paper, based on the LWE problem on lattices, we propose an attribute-based fully homomorphic scheme with short ciphertext. More specifically, by classifying the system's attributes and using the special structure matrix in MP12, we remove the dependency of the ciphertext size on the number of system attributes ℓ, so the ciphertext size no longer increases with the total number of system attributes. In addition, by introducing the function $G^{-1}$ in the homomorphic operations, we completely rerandomize the error term in the new ciphertext and obtain a very tight and simple error analysis using sub-Gaussianity. Besides, performance analysis shows that when ℓ = 2 and n = 284, according to the parameter suggestion given by Micciancio and Dai et al., the size of the ciphertext in our scheme is reduced by at least 73.3%, not to mention ℓ > 2. The larger ℓ is, the more pronounced the advantage of our scheme. The short ciphertext in our construction reduces not only the communication overhead but also the running time of encryption and decryption. Finally, our scheme is proved to be secure in the


Introduction
Attribute-based encryption (ABE) [1], proposed by Sahai and Waters in 2005, associates a user's identity with a set of attributes. Depending on how the access policy is used, it can be divided into key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE) [2]. In KP-ABE, a user's secret key is generated from an access policy and the ciphertext is generated from an attribute set. Conversely, in CP-ABE, a user's secret key is generated from an attribute set and the ciphertext is generated from an access policy. They all support one-to-many communication and fine-grained access control. ABE is therefore a good choice for protecting users' data privacy and realizing secure data sharing in the cloud environment.
In recent years, with the development of quantum computers, pairing-based ABE constructions face the potential threat of quantum computers. Lattice-based cryptography has been the focus of research in recent years because it is flexible in construction and resistant to quantum attacks.

Related Works.
In 2011, based on the learning with error (LWE) [3] problem, Zhang et al. [4] proposed a CP-ABE scheme which uses negative attributes and positive attributes to denote the system's attributes and supports the AND operation among these attributes. In 2012, Zhang et al. [5] proposed another CP-ABE scheme with multivalued attributes and a THRESHOLD access policy. In the same year, Agrawal et al. [6] proposed a fuzzy identity-based encryption scheme and extended it to a large universe ABE scheme. In 2013, Boyen [7] constructed a lattice-based KP-ABE scheme which uses the linear secret sharing scheme (LSSS) to express the access policy, and Liu et al. [8] proposed a lattice-based ABE scheme which supports a THRESHOLD access policy and attribute hierarchy. In the same year, Gorbunov et al. [9] also introduced a two-to-one recoding technique to construct a lattice-based ABE scheme. In 2014, Wang [10] proposed two lattice-based CP-ABE schemes. These two schemes support the AND operation among multivalued attributes. In addition, by using a Boolean circuit to represent the access policy, Zhao et al. [11] proposed a lattice-based KP-ABE scheme. In 2016, Brakerski and Vaikuntanathan [12] also proposed a circuit-ABE from LWE which supports unbounded attributes and semiadaptive security. The lattice-based ABE schemes in [13–15] support multiple attribute authorities to manage all attributes in the system. A multiauthority ABE scheme can reduce the pressure on a single attribute authority and improve system efficiency. In 2019, Gur et al. [16] implemented Zhangjiang's construction [4]. Based on [9], Wang et al. [17] constructed a three-to-one recoding technique and proposed another lattice-based CP-ABE scheme. In 2020, inspired by [9], Dong et al. [18] proposed a lattice-based ABE scheme which is indirectly revocable and achieves efficient and secure user revocation in lattices.
Brakerski and Vaikuntanathan [19] proposed another CP-ABE scheme with a circuit access policy, but they did not give a security reduction for this scheme and left its security as an open problem.
Consider the following situation, where a large number of a user's messages $\mu_1, \mu_2, \ldots$ are encrypted and stored in the cloud server. To reduce the communication and computing overhead, the user wants the encrypted data to be processed by the cloud server using the function f without privacy leakage, such that the ciphertext processed by f can be decrypted to $f(\mu_1, \mu_2, \ldots)$. The above lattice-based ABE schemes [4–19] are not suitable for this scenario; that is, they do not support homomorphic operations on the ciphertext.
The first fully homomorphic encryption (FHE) scheme was proposed by Gentry [20] in 2009. In this scheme, he introduced a "bootstrapping" technique to control the increase of noise so as to ensure the correctness of decryption and thereby realized homomorphic addition and homomorphic multiplication of ciphertexts. However, "bootstrapping" needs to encrypt the private key and set it as a public parameter. In 2013, based on the LWE problem, Gentry, Sahai, and Waters [21] (GSW13) employed the approximate eigenvector method to construct a fully homomorphic encryption (FHE) scheme, and then, by making some relatively minor modifications to an LWE-based ABE scheme for circuits [9], they proposed the first fully homomorphic KP-ABE scheme. In the fully homomorphic KP-ABE scheme of GSW13, the system's attributes are expressed by {1, 2, ..., ℓ} and the access policy is expressed by a Boolean circuit. In 2014, Boneh et al. [22] proposed a fully key homomorphic KP-ABE scheme which uses the gadget matrix.
However, this scheme achieves only full homomorphism over the users' private keys, not over the ciphertext, and the size of the ciphertext increases linearly with the total number of system attributes, which leads to a high storage overhead. In 2016, based on the construction of Boneh et al. [22], Clear and McGoldrick [23] proposed a fully homomorphic KP-ABE scheme from lattices. However, this scheme can evaluate circuits of unbounded depth but with a bounded input; that is, the number of ciphertexts is bounded. In the same year, Brakerski et al. [24] proposed another lattice-based fully homomorphic KP-ABE scheme by using the gadget matrix G and a function $G^{-1}$, which are adopted from [22]. In 2017, based on the ring-LWE problem over ideal lattices, Tan and Samsudin [25] also proposed a lattice-based CP-ABE scheme based on homomorphic encryption. In the same year, Hiromasa and Kawai modified the scheme in [24] and proposed a dynamic homomorphic KP-ABE scheme [26]. However, in [24,26], the size of the ciphertext also increases linearly with the number of system attributes, which leads to a high storage overhead.
The above lattice-based fully homomorphic encryption schemes are mostly KP-ABE. The number of system attributes is fixed in the Setup phase, and in order to match an access circuit, a ciphertext component is generated for each attribute, which leads to high storage and communication costs. Additionally, each ciphertext component is usually a vector, and the computation of ℓ ciphertext vectors directly increases the encryption and decryption time. Therefore, it is meaningful to construct an attribute-based fully homomorphic encryption scheme with short ciphertext.

Our Contribution.
In this paper, we propose a lattice-based ABE scheme which supports homomorphic addition and homomorphic multiplication of ciphertexts. This scheme is based on a basic CP-ABE, and by introducing the $G^{-1}$ function, it can support homomorphic operations. In our scheme, the ciphertext size is reduced by removing the ciphertext's dependence on the total number of system attributes. The main contributions are as follows:
(1) In this scheme, we classify the system's attributes U = {1, 2, ..., ℓ} into k attribute categories. Each attribute category has some attribute values. In the Setup phase, the system does not need to generate ℓ matrices as the public parameters for all attributes, just k matrices for the attribute categories. The size of the public parameters is reduced because the number of attribute categories is much smaller than the total number of system attributes.
(2) In addition, we introduce the special structure matrix with tag in [27]. By embedding the attribute values in the access structure into the tag, the size of the ciphertext is remarkably reduced by at least 73.3%. Performance analysis shows that the size of the ciphertext no longer increases linearly with the total number of system attributes, and the size of the ciphertext and the running time are both reduced.
(3) In order to support the homomorphic operations, we introduce a function $G^{-1}$ which is adopted from [28]. By using $G^{-1}$, we have a very tight and simple error analysis using sub-Gaussianity (see Corollary 2), and in the homomorphic multiplication, $G^{-1}$ can completely rerandomize the error term in a ciphertext.

Organization.
The rest of this paper is organized as follows. In Section 2, we give the definition of related symbols, lattices, related algorithms, and the decision learning with error (DLWE) problem. The definition of the attribute-based fully homomorphic encryption scheme and the security model are given in Section 3. In Section 4, we give our attribute-based fully homomorphic encryption scheme from lattices with short ciphertext, the homomorphic operations, error analysis, correctness, and the security proof. In Section 5, we give a detailed comparison between our scheme and other related works. In Section 6, we summarize this paper.

Preliminaries
As shown in Table 1, we give the detailed description of the symbols.

Integer Lattice
Definition 1. Given n linearly independent vectors $b_1, b_2, \ldots, b_n \in \mathbb{R}^m$ and the lattice Λ generated by the following formula, where $B = [b_1, b_2, \ldots, b_n]$ is a basis of Λ, m is the dimension, and n is the rank.
Definition 2. For prime q, $A \in \mathbb{Z}_q^{n \times m}$, and $u \in \mathbb{Z}_q^n$, define
$\Lambda_q(A) = \{ y \in \mathbb{Z}^m \ \text{s.t.}\ \exists s \in \mathbb{Z}_q^n,\ A^\top s = y \pmod q \}$, (2)

Discrete Gaussians and Sub-Gaussian
Definition 3. For a vector $c \in \mathbb{R}^m$ and a positive integer $s \in \mathbb{R}$, we define a Gaussian distribution with centre c and variance s as follows: where σ > 0 is a parameter, and $\rho_{\sigma,c}(x) = \exp(-\pi \|x - c\|^2 / \sigma^2)$.
Definition 4 (see [28,29]). Let s > 0 be a sub-Gaussian parameter. We say that X is a sub-Gaussian distribution if, for a random variable x ∼ X and all $t \in \mathbb{R}$, its generating function satisfies
Lemma 1 (see [29]). Let $X \in \mathbb{R}^{n \times m}$ be an independent matrix that is sub-Gaussian with parameter s. Then, for a constant c > 0, it has

Algorithms.
Next, we give the related algorithms which are proposed in MP12 [27].
Let q ≥ 2, n ≥ 1, n = nt, t = log q, and m = O(log q), and there are two probabilistic polynomial-time (PPT) algorithms such that , outputs a vector $e \in \mathbb{Z}_q^{m+n}$ such that Ae = u.
Note that $G_n = g^\top \otimes I_n \in \mathbb{Z}_q^{n \times n}$ is a gadget matrix and n denotes its dimension. $G_n$ also has a deterministic function $G_n^{-1}$ as mentioned in Lemma 2. However, an n-dimensional gadget matrix $G_n$ is only introduced in the TrapGen algorithm; thus, we denote it as $G_n$.

Table 1: Symbols and definitions. $\mathbb{Z}_q$: an integer set of mod q residue class.
Lemma 3 (see [27]). The vector e which is generated by the SamplePre algorithm is not statistically distinguishable from

Hardness Assumption.
In 2005, Regev proposed the learning with error (LWE) problem [3], i.e., given a positive integer n, a prime integer q, and a probability distribution χ over $\mathbb{Z}$, output $(a, a^\top s + e)$ where $a, s \in \mathbb{Z}_q^n$ and e is an error term from χ.
Definition 5. Decision learning with error (DLWE) problem [3]: for a security parameter λ, let n = n(λ), q = q(λ), and a distribution χ = χ(λ) over $\mathbb{Z}$. The DLWE problem is to distinguish between the following two distributions: where
Corollary 1 (see [3,27]). For any B = B(n) and q = q(n), there is a B-bounded distribution χ = χ(n) such that $\mathrm{DLWE}_{n,q,\chi}$ is at least as hard as the quantum hardness $\mathrm{GapSVP}_c$ and $\mathrm{SIVP}_c$ for c = O(nq/B).
(1) KeyGen ($1^n$): on input the security parameter $1^n$, this algorithm outputs the public key pk and secret key sk.

Definitions of the Scheme and Security Model
(2) Encrypt (pk, μ): on input public key pk and a message μ, the algorithm outputs a ciphertext c.
An attribute-based fully homomorphic encryption scheme consists of the following five algorithms:
(1) Setup ($1^n$) ⟶ (PP, MK): on input the security parameter $1^n$, this algorithm outputs the public parameters PP and master secret key MK.
Correctness: for a user's attributes list L, all messages

Security Model.
Here, we give the definition of the security model. The security notion is adopted from [4,5], in which the adversary specifies the challenge access structure before the Setup phase. Consider a game between a challenger B and an adversary A, described as follows:
Init: the adversary A chooses the challenge access structure $W^*$ and sends it to the simulator B.
Setup: the challenger runs the Setup algorithm and sends the public parameters PP to the adversary.
Queries: in this step, A can adaptively make key queries for a sequence of attribute lists L. However, he cannot query an attribute list which satisfies $W^*$. B answers the queries.
Challenge: the adversary A sends a message $\mu^* \in \mathbb{Z}_q$ to B. The simulator B randomly chooses b ∈ 0, 1

Attribute-Based Fully Homomorphic Encryption Scheme from Lattices with Short Ciphertext
In the existing homomorphic ABE schemes from lattices, the size of the ciphertext is usually related to the total number of system attributes, which leads to a high communication cost.
In this section, we propose an attribute-based fully homomorphic encryption scheme from lattices with short ciphertext. In our construction, we first assume that all the system attributes U = {1, 2, ..., ℓ} can be classified into k attribute categories, and each attribute category has $n_i$ attribute values, i.e., A user's attribute list is $L = \{l_i\}_{l_i \in S_i}$, and the access structure is an "AND" gate between attributes such that W = ( Thanks to the special matrix structure of A, we can embed a user's attribute list in it such that Here, we need an encoding with full-rank difference (FRD) function.
Definition 9 (see [30]). Let q be a prime and n be a positive integer. We say a function $H: \mathbb{Z}_q^n \to \mathbb{Z}_q^{n \times n}$ is an encoding with full-rank difference (FRD) function if (i) for any x ≠ y, the matrix H(x) − H(y) is full rank, and (ii) H is computable in polynomial time (in n log q).

Our Construction.
The attribute-based fully homomorphic encryption scheme from lattices with short ciphertext consists of the following five algorithms.
Let n = nt, t = log q, m = m − n, and M = (m + 1) log q: is a uniformly random matrix and $T_A \in \mathbb{Z}^{m \times n}$ is a trapdoor for A with associated tag matrix H = I, where I is an identity matrix.
(ii) Select k uniformly random matrices $B_i \in \mathbb{Z}_q^{n \times n}$ as the public parameters for each attribute category.
(iii) Select a uniformly random vector $u \in \mathbb{Z}_q^n$.
(iv) Output the public parameters PP = {A, $(B_i)_{1 \le i \le k}$, u} and the master key MK = ($T_A$).
(2) Extract (PP, MK, L) ⟶ $SK_L$: on input public parameters PP, master key MK, and a user's attribute list $L = \{l_i\}_{l_i \in S_i}$, do as follows:
(i) For each attribute value in L, compute the tag
(iii) Sample $r_L \in \mathbb{Z}_q^m$ as $r_L \leftarrow$ SamplePre(A, $H_L$, $G_n$, $T_A$, u, σ).
(iv) Output the user's secret key $SK_L = r_L$.
(3) Encrypt (PP, W, μ) ⟶ C: on input public parameters PP, access policy W, and message μ ∈ {0, 1}, do as follows:
(i) For each attribute value in the access policy W, where $G = g^\top \otimes I_{1+m}$ is a gadget matrix as defined in Lemma 2.
(v) Output the ciphertext C.
(4) Decrypt (PP, C, $SK_L$) ⟶ μ: on input public parameters PP, private key $SK_L$, and ciphertext C, if L does not satisfy W, output ⊥; otherwise do as follows:
(i) Given a private key $SK_L = r_L$ associated with a user's attribute list, let $v = (1; -r_L) \in \mathbb{Z}_q^{1+m}$.
(ii) Consider the first t columns of G. Let $g_i$ be the i'th column of G. Then, we have $g_{t-1} = (2^{t-2}, 0, \ldots, 0)^\top$ where $2^{t-2} \in [q/4, q/2)$. Let $g_{t-1,1} = 2^{t-2}$ denote the first element of $g_{t-1}$.
(iii) Let $C_i$ denote the i'th column of C, and let $e_{0,i}$ be the i'th element of $e_0$. Compute
(iv) Output $\mu = x_{t-1}/g_{t-1,1}$.
Homomorphic addition: . Note that homomorphic multiplication of k ciphertexts is defined as

Homomorphic Operations and Correctness.
As men- en,

Mathematical Problems in Engineering
Homomorphic operations: let $C_1$ and $C_2$ be two ciphertexts which encrypt $\mu_1$ and $\mu_2$, respectively.
Referring to equations (12) and (13), our scheme satisfies homomorphic addition and homomorphic multiplication. Note that, referring to (13), the growth of the error term depends on the old error terms $E_1$, $E_2$, $\mu_1$, and $G^{-1}$. The dependence on $E_1$ and $E_2$ seems unavoidable. $G^{-1}$ is a matrix in $\{0, 1\}^{M \times M}$. However, the dependence of the growth on $\mu_1$ presents a concern.
Thus, according to the suggestion in [21], we restrict the message space to small messages.
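The two homomorphic operations above, as an added example that is not code from the paper: a secret-key toy in Python that keeps only the ciphertext shape $v^\top C = \mu\, v^\top G + e \pmod q$ with v = (1; −r), omits attributes, tags and the trapdoor, and uses deterministic bit decomposition for $G^{-1}$. The parameters (q = 2^16, m = 4), the column layout of G and all function names are assumptions of this example; it checks that addition and $C_1 \cdot G^{-1}(C_2)$ decrypt correctly and that the product's error equals $\mu_1 E_2 + E_1 X$ with $X = G^{-1}(C_2)$.

```python
import random

# Toy parameters, constructed for this example and far too small to be secure.
# q = 2^T, so 2^(T-2) = q/4 lies in [q/4, q/2) as the Decrypt step requires.
T, Q, M_DIM = 16, 1 << 16, 4
N = 1 + M_DIM          # ciphertext rows, the page's 1 + m
M = N * T              # ciphertext columns, the page's (1 + m) t

# Gadget matrix G: row i holds 1, 2, ..., 2^(T-1) in columns i*T .. i*T+T-1,
# so the first t columns are powers of two times e_1, as Decrypt assumes.
G = [[(1 << (c % T)) if c // T == i else 0 for c in range(M)] for i in range(N)]


def g_inv(C):
    """Deterministic bit decomposition: X in {0,1}^(M x cols) with G X = C."""
    cols = len(C[0])
    return [[(C[i][c] >> j) & 1 for c in range(cols)]
            for i in range(N) for j in range(T)]


def matmul(A, B):
    Bt = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in Bt] for row in A]


def hom_add(C1, C2):
    return [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)]


def hom_mult(C1, C2):
    return matmul(C1, g_inv(C2))          # C1 * G^{-1}(C2)


def keygen(rng):
    """Hypothetical stand-in for SK_L: returns v = (1; -r) with r uniform."""
    return [1] + [(-rng.randrange(Q)) % Q for _ in range(M_DIM)]


def encrypt(v, mu, rng):
    """Secret-key toy encryption giving v^T C = mu * v^T G + e (mod q)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(M_DIM)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    # First row b = r^T A + e, hence v^T [b; A] = e.
    b = [(e[c] - sum(v[i + 1] * A[i][c] for i in range(M_DIM))) % Q
         for c in range(M)]
    C0 = [b] + A
    return [[(C0[i][c] + mu * G[i][c]) % Q for c in range(M)] for i in range(N)]


def v_times(v, C):
    return [sum(v[i] * C[i][c] for i in range(N)) % Q for c in range(len(C[0]))]


def noise(v, C, mu):
    """Error row e = v^T C - mu * v^T G, lifted to [-q/2, q/2)."""
    diff = [(x - mu * g) % Q for x, g in zip(v_times(v, C), v_times(v, G))]
    return [d - Q if d >= Q // 2 else d for d in diff]


def predicted_mult_noise(v, C1, mu1, C2, mu2):
    """mu1 * e2 + e1 * X with X = G^{-1}(C2), the relation quoted in Corollary 2."""
    e1, e2, X = noise(v, C1, mu1), noise(v, C2, mu2), g_inv(C2)
    return [mu1 * e2[c] + sum(e1[k] * X[k][c] for k in range(M)) for c in range(M)]


def decrypt(v, C):
    """Use the page's column t-1 (index T-2 here), whose gadget entry is 2^(t-2)."""
    x, g = v_times(v, C)[T - 2], 1 << (T - 2)
    # Round x / g to the nearest integer; mod 4 folds a value just below q to 0.
    return ((x + g // 2) // g) % 4


if __name__ == "__main__":
    rng = random.Random(2024)             # fixed seed: reproducible, not secure
    v = keygen(rng)
    C1, C2 = encrypt(v, 1, rng), encrypt(v, 1, rng)
    prod = hom_mult(C1, C2)
    print("add ->", decrypt(v, hom_add(C1, C2)), " mult ->", decrypt(v, prod))
    print("max |noise| fresh / after mult:",
          max(map(abs, noise(v, C1, 1))), max(map(abs, noise(v, prod, 1))))
    print("q/8 bound:", Q // 8)
```

Decryption stays correct as long as the error entry in the decryption column remains below q/8; with bit decomposition each multiplication can add up to M times the largest entry of the left operand's error.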

Corollary 2.
Referring to equations (12) and (13), it is obvious that $C_1 + C_2$ has error $E_1 + E_2$ and $C_1 \cdot G^{-1}(C_2)$ has error $\mu_1 E_2 + E_1 \cdot X$, where $X = G^{-1}(C_2)$ satisfies $GX = C_2$. Thus, after a single homomorphic addition, the error is amplified by a factor of 2, and after a single homomorphic multiplication, the error is amplified by a factor of $O(1) \cdot \sqrt{M} + 1$. According to Lemmas 1 and 2,  (14) and (15), and the error
Note that the increase of the error term mainly depends on the homomorphic multiplication. To ensure the correctness of decryption, next we will give an analysis of the homomorphic multiplication of k ciphertexts: where Let $E_{f,i}$ be the i'th column of $E_f$ and $E_i = (e_{0,i}; e_i)$ be the i'th column of E. To decrypt the ciphertext $C_f$, refer to Corollary 2 and equation (14), and we have Let $\mu_f = \mu_1 \mu_2 \cdots \mu_k$, and according to the decryption algorithm, we have Since $g_{t-1,1} = 2^{t-2} \in [q/4, q/2)$ and ⌊·⌉ is a rounding function, to ensure the correctness of decryption, $v^\top E_{f,t-1}/g_{t-1,1} < 1/2$; that is, the error term $v^\top E_{f,t-1}$ should be less than q/8. The error term is To ensure the correctness of decryption, the error term should be less than q/8 with overwhelming probability (w.h.p.), i.e.,

Security Analysis.
Before we start the security proof, we give a simple lemma based on the $\mathrm{DLWE}_{n,q,\chi}$ problem.
Proof of Lemma 4. It is sufficient to prove Lemma 4 in the case of M = 2. Suppose there is a PPT algorithm $F_1$ that can distinguish the two distributions $(A, A^\top s_1 + e_1, A^\top s_2 + e_2)$ and $(A, \mathbb{Z}_q^m, \mathbb{Z}_q^m)$ with a nonnegligible advantage ε. Then, we use $F_1$ to construct a PPT algorithm $F_2$ to solve the $\mathrm{DLWE}_{n,q,\chi}$ problem. Let $(A, b_1)$ be $A_2$'s sample, which is sampled from either $(A, A^\top s_1 + e_1)$ or $(A, \mathbb{Z}_q^m)$. Then, $A_2$ randomly chooses r ∈ {0, 1}. When r = 1, $F_2$ chooses $s_2 \in \mathbb{Z}_q^n$ and an error term $e_2 \leftarrow \chi^m$, computes $A^\top s_2 + e_2$, and joins it to the original sample such that $(A, A^\top s_1 + e_1, A^\top s_2 + e_2)$. When r = 0, $F_2$ chooses a uniformly random vector $b_2 \in \mathbb{Z}_q^m$ and sets the sample as $(A, b_1, b_2)$. Finally, $A_2$ outputs the new sample as $F_1$'s input. If $F_1$ decides that the sample is from $(A, \mathbb{Z}_q^m, \mathbb{Z}_q^m)$, $F_2$ will decide that the sample is from $(A, \mathbb{Z}_q^m)$. If $F_1$ decides that the sample is from $(A, A^\top s_1 + e_1, A^\top s_2 + e_2)$, $F_2$ will decide that the sample is from $(A, A^\top s_1 + e_1)$. Since $F_1$ has 1/2 probability of getting a sample, $F_2$ can solve the $\mathrm{DLWE}_{n,q,\chi}$ problem with advantage ε/2. □
Theorem 1. If the $\mathrm{DLWE}_{n,q,\chi}$ assumption holds, based on Lemma 4, our attribute-based fully homomorphic encryption scheme from lattices is secure against selective chosen plaintext attack.
Proof of Theorem 1. We prove the security by using a sequence of games. As defined in Section 3.2, we use $W_i$ to denote the event that the adversary correctly guesses b′ = b in Game i, and then the advantage of an adversary A is
Game 0: this is the real game as defined in Section 3.2 between an adversary A and the challenger B. So, we have
Game 1: in Game 0, the challenger B generates the public parameters PP = A, In this game, let $W^*$ be the challenge access structure, and we change the way A is generated. B first selects k uniformly random matrices $B_i \in \mathbb{Z}_q^{n \times n}$ as the public parameters for each attribute category and then com- . The matrix A in Game 0 and Game 1 is statistically indistinguishable. The adversary makes a key query for attribute list L, and L does not satisfy $W^*$. B answers the key query. He and samples $r_L \in \mathbb{Z}_q^m$ for A as $r_L \leftarrow$ SamplePre(A, $H_L$, $G_n$, $T_A$, u, σ). Then, B sends $r_L$ to A. Note that if L = $W^*$, it has $H_L - H_{W^*} = 0$, and can no longer answer the key query. Since B answers, the key queries are statistically indistinguishable in Game 0 and Game 1. The advantage of the adversary in Game 0 is at most negligibly different from that in Game 1, i.e.,
Game 2: in this scheme, we change the way that $C^*$ is generated. Different from Game 1, $C^*$ is chosen uniformly from $\mathbb{Z}_q^{(1+m) \times M}$. Since the challenge ciphertext $C^*$ is always a random matrix in this scheme, the adversary's advantage is 0; that is,
Reduction from LWE: suppose A has a nonnegligible advantage in distinguishing Game 1 and Game 2. Based on Lemma 4, we use A to construct an LWE algorithm denoted B.
Init: the adversary A chooses the challenge access structure $W^*$ and sends it to the simulator B.
Setup: the challenger B constructs PP as follows: (1) Let $A' = (a_1, a_2, \ldots, a_m) \in \mathbb{Z}_q^{n \times m}$ and $u = a_0$. Construct the other public parameters, namely, $B_i$ and A, as in Game 1.
Queries: in this step, A can make key queries for a sequence of attribute lists L. However, he cannot query an attribute list which satisfies $W^*$. B answers the queries as in Game 1.
Challenge: the adversary A sends a message $\mu^* \in \{0, 1\}$ to B. The simulator B generates the challenge ciphertext as follows: If the samples are drawn from (A, The same to $b_0$, we have where $E' = (e_1, e_2, \ldots, e_m)^\top$. Thus, referring to equation (26), we have where $A_{W^*}$ is the same as it is in Game 1. Referring to equations (25) and (27), the challenge ciphertext $C^*$ in equation (24) is valid as it is in Game 1.
If the samples are drawn from a uniformly random distribution, $b_0$ and B are uniformly random. Therefore, the challenge ciphertext $C^*$ is uniformly random as it is in Game 2.
Continuation: the Queries phase is repeated.
Guess: A guesses whether it is interacting with a Game 1 or Game 2 challenger. B outputs A's guess as the answer to the $\mathrm{DLWE}_{n,q,\chi}$ challenge it is trying to solve. Thus, the advantage of B in solving the $\mathrm{DLWE}_{n,q,\chi}$ problem is equal to the adversary's advantage in distinguishing Game 1 from Game 2. So, we have $|\mathrm{Adv}_{W_2}(A) - \mathrm{Adv}_{W_1}(A)| \le \text{DLWE-Adv}(B)$.

Performance Analysis
In this section, we compare our scheme with related lattice-based ABE schemes. As shown in Table 2, the public parameters in [4] consist of (2ℓ + 1) n × m matrices and an n-dimensional vector, the public parameters in [17] consist of (2ℓ + 9) n × m matrices, the public parameters in [19] consist of 2ℓ n × m matrices, the public parameters in [21] consist of 2ℓ n × m matrices and an n-dimensional vector, the public parameters in [24] consist of ℓ + 1 n × nt matrices, an n × m matrix, and an n-dimensional vector, and the public parameters in our construction consist of k n × n matrices, an n × m matrix, and an n-dimensional vector. Observe that the total number of system attributes ℓ contributes the most to the growth of the PP size in [4,17,19,21,24], while the total number of attribute categories k contributes the most to the growth of the PP size in our scheme. Because $\ell = \sum_{i=1}^{k} S_k$ (see Section 4), the PP size in our scheme is much smaller than that in [4,21,24]. The MK size in [17,21] is also related to ℓ, so it is larger than in [4,19,24] and ours. The user's private keys in [4] are related to the number of system attributes ℓ; therefore, the $SK_L$ size is the largest among all the related schemes. Taken together, the $SK_L$ size in both our scheme and [24] is smaller than in the others. The ciphertext sizes in [4,17,19] are relatively small, but these schemes cannot support fully homomorphic operations. The ciphertext size in our scheme is the smallest among all the schemes which support full homomorphism because the ciphertext is a (1 + m) × (1 + m)t matrix which is not related to the number of system attributes. However, the ciphertext is a (ℓm + 1)t × (ℓm + 1)t matrix in [21], and in [24], the ciphertext consists of ℓ nt × (nt + m + 1)t matrices and a (nt + m + 1) × (nt + m + 1)t matrix. It is obvious that the ciphertext sizes in [21,24] depend on the total number of system attributes ℓ.
In our scheme, we remove this dependency on ℓ by classifying the system's attributes. Besides, although [19] is a lattice-based ABE scheme constructed under the LWE problem, it does not give a security reduction and leaves the security reduction as an open problem. Under the DLWE assumption, the lattice-based ABE schemes [4,17,21,24] and our scheme are secure against selective chosen plaintext attack (sCPA) in the standard model. Since [4,17,19] cannot support homomorphic operations on the ciphertext, we only compare the ciphertext size of our scheme with that of [21,24], which support homomorphic operations on the ciphertext. In our scheme, we classify the ℓ system attributes into k attribute categories. Each attribute can be denoted by two parts: attribute category and attribute value. Each attribute category has some different attribute values. In the user's attribute set and access policy, at most one attribute value can be set under each attribute category. It is obvious that the size depends on the number of attribute categories k. As shown in Figure 1, according to the suggestion in [16,27,31], we set the parameters n = 284, $q = 2^{24}$, and ℓ = 1, 2, 4, 8, 32, 128, respectively. The comparison shows that the ciphertext sizes of [21,24] grow with the total number of system attributes ℓ, while the ciphertext size is fixed in our scheme no matter what the total number of system attributes ℓ is, and when ℓ = 2, the size of the ciphertext in our scheme is reduced by at least 73.3%, not to mention ℓ > 2.

Table 2.

| Scheme | PP size | MK size | $SK_L$ size | Ciphertext size | Security | Fully homomorphic |
|---|---|---|---|---|---|---|
| [4] | $(2\ell m + m + 1)n \log q$ | $m^2$ | $\ell m \log q$ | $(2\ell - \lvert A_c \rvert)m \log q + \log q$ | SM sCPA | No |
| [17] | $(2\ell m + 9)n \log q$ | $(2\ell + 9)m^2$ | $3m^2 \log q$ | $(\ell m + \lvert g_w \rvert + 1)\log q$ | SM sCPA | No |
| [19] | $2\ell mn \log q$ | $m^2$ | $m \log q$ | $(\ell + 1)mnt \log q$ | No security reduction | No |
| [21] | $(2\ell m + 1)n \log q$ | $2\ell m^2$ | $2m^2 \log q$ | $[(\ell m + 1)t]^2 \log q$ | SM sCPA | Yes |
| [24] | $(\ell nt + nt + m + 1)n \log q$ | $m^2$ | $(m + nt)\log q$ | $(\ell nt + nt + m + 1)(nt + m + 1)t \log q$ | SM sCPA | Yes |
| Ours | $(kn + m + 1)n \log q$ | $m \times n$ | $m \log q$ | $(m + 1)^2 t \log q$ | SM sCPA | Yes |

The comparison of time complexity is shown in Table 3. The encryption time in our scheme is smaller than in [21,24] since the encryption time in [21,24] is related to the total number of system attributes ℓ. According to the suggestion given in [27,31], let ℓ = n/4 and m ≈ 2n log q. The encryption time in [21,24] is approximately equal to $O(n^4 t^3)$, while it is approximately equal to $O(n^3 t^2)$ in our construction. As for the decryption time, our scheme and [21] both use one column of the ciphertext for decryption, but in [24], a (nt + m + 1) × (nt + m + 1)t ciphertext matrix is used for decryption. Therefore, the decryption time in [24] is the longest. In addition, the growth of the decryption time in [21] is based on the total number of system attributes ℓ, so the decryption time is also longer than in our scheme.

Conclusion
In this paper, based on the LWE problem, we propose an attribute-based fully homomorphic encryption scheme with short ciphertext which is suitable for the cloud computing environment. A short ciphertext reduces not only the communication overhead but also the running time of encryption, decryption, and homomorphic operations. In our scheme, by classifying the system's attributes and using the special structure matrix, the size of the ciphertext no longer increases with the total number of system attributes. Moreover, by using the function $G^{-1}$, we have a very tight and simple error analysis using sub-Gaussianity, and in the homomorphic multiplication, $G^{-1}$ can completely rerandomize the error term in a ciphertext. Unfortunately, in order to improve the efficiency of space and time, we only set an "AND" access policy. Next, we will continue to study attribute-based fully homomorphic encryption schemes from lattices that support more flexible access policies.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.