Server-Aided Revocable Attribute-Based Encryption from Lattices

. Attribute-based encryption (ABE) can support a ﬁne-grained access control to encrypted data. When the user’s secret-key is compromised, the ABE system has to revoke its decryption privileges to prevent the leakage of encrypted data. Although there are many constructions about revocable ABE from bilinear maps, the situation with lattice-based constructions is less satisfactory, and a few eﬀorts were made to close this gap. In this work, we propose the ﬁrst lattice-based server-aided revocable attribute-based encryption (SR-ABE) scheme and thus the ﬁrst such construction that is believed to be quantum resistant. In the standard model, our scheme is proved to be secure based on the hardness of the Learning With Errors (LWE) problem.


Introduction
Attribute-based encryption (ABE) [1,2], which was first introduced in 2006 as a generalization of identity-based encryption (IBE) [3,4] and fuzzy identity-based encryption (FIBE) [1,5], is such a notion for public-key encryption which is used to implement fine-grained access control. ABE system includes two types: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, the key generation center (KGC) generates a master secret key (msk) and a master public key (mpk), and each user has a policy function f. e KGC computes and sends to the user a secret key sk f corresponding to its policy function f. To encrypt a message μ, a sender selects some required attributes from the attribute set to form a subset att and generates the ciphertext ct att labeled with att. e recipient owning the policy function f can decrypt ct att by applying the secret key sk f if and only if f(att) � 1. e different between CP-ABE and KP-ABE is that in CP-ABE, each user has its own attribute subset att and a ciphertext is corresponding to a policy function f.
Several important results are proposed to realize ABE in the last few years. ese schemes have several types. One of these can be implemented to predicates computable by Boolean formulas [2,[6][7][8][9][10][11] (which are limited to log-depth computations). Another of these has made some important progress [12][13][14][15][16], which can apply to sophisticated circuits. In 2013, based on Learning With Errors (LWE) problem, Gorbunov et al. proposed a KP-ABE scheme [16], which is called GVW13, where its predicate can be arbitrary polynomial-size circuits. It is one of the important candidates for Boolean circuit ABE.
When the users in ABE system changed, for example some users leave the system or their secret keys are leaked, these users' secret keys should be revoked from the system. In other words, although these users have legal secret keys sk f , they cannot decrypt ciphertext after leaving the system. So for an ABE system with a large number of users, an efficient revocable mechanism is very necessary and important.
In the beginning, revocation mechanism is introduced into IBE. To address the user revocation mechanism, in 2008, Boldyreva et al. [17] proposed the first revocation scheme by combining the complete subtree method [18] with FIBE. After the work of Boldyreva et al. [17], a lot of studies [19,20] have been put forward. In 2013, in response to many realistic threats and attack scenarios, a new security notion unique to the revocation scheme called decryption key exposure resistance (DKER) was proposed by Seo and Emura [20][21][22][23]. Since then, DKER has quickly become an important security requirement for RIBE and many followup RIBE schemes with DKER [24][25][26][27][28] were proposed. In order to improve the efficiency of revocation, in 2015, Qin et al. [29] proposed an interesting solution, called serveraided revocable IBE (SR-IBE). In their scheme, a publicly accessible server with powerful computational capabilities, which can be untrusted in the sense that it does not possess any secret information, is used to outsource most of the users workload. e revocable ABE scheme appears later. In 2009, Attrapadung and Imai [30] put forward two revocable methods. One is direct revocation which is that the sender should specify the revocation list while encrypting, and the other is indirect revocation. In the indirect revocation scheme, in order to achieve the key revocation mechanism, each user's secret key cannot be allowed to decrypt ciphertexts alone. To complete the decryption, the KGC broadcasts key update through a public channel for every time period. e key update is useless for revoked users, but nonrevoked users will be allowed to combine their secret keys with the key update to derive a decryption key, which can finally decrypt ciphertexts. And they proposed the first hybrid revocable ABE scheme.
In 2010, Yu et al. [31] proposed a indirect revocable ABE; however, policy function only supports logical AND. In 2012, Amit et al. [32] provided a more generic way to achieve indirect revocation in ABE schemes. In order to alleviate the workload of users, in 2013, Yang et al. [33] proposed a direct revocable ABE scheme by delegating part of the users decryption capability to a semitrusted server, however, which results in an increase in traffic over the secret channel. To mitigate user's workload and the traffic of the secret channel, in 2016, Cui et al. [34] proposed a scheme called server-aided revocable ABE (SR-ABE) based on the large universe CP-ABE scheme. If the server in their scheme was colluded with an adversary, however, the SR-ABE may be not DKER. To solve this problem, based on [34], in 2017, Qin et al. [35] proposed a SR-ABE with DKER. About direct revocable, in 2018, Liu et al. [36] proposed an efficient revocable CP-ABE scheme by embedding the revocation list into ciphertext. And they have a shorter revocation list. ese RIBE and RABE schemes operate in the bilinear pairing setting; however, the system has narrowed in the race to protect sensitive electronic information from the threat of quantum computers, which one day could render these constructions obsolete. Up to now, known quantum algorithms have no obvious advantages (beyond polynomial speedup) over classical ones in solving problems in lattice such as shortest vector problem (SVP), closest vector problem (CVP), short integer solution (SIS), and LWE. Lattice-based cryptography is considered as an ideal candidate for postquantum cryptography (PQC), and possesses several noticeable advantages over conventional numbertheoretic cryptography (i.e., based on integer factoring or discrete logarithm problems), such as conjectured resistance against quantum computers, faster arithmetic operations, and provable security under the worst-case hardness assumptions. And among the PQC schemes submitted to NIST, lattice-based schemes are the most.
In 2012, Chen et al. [37] proposed the first RIBE scheme from lattices without DKER. In 2017, Takayasu and Watanabe [38] proposed a variant of [37] and partially solved the problem of achieving RIBE with DKER. In 2019, Katsumata et al. [39] completely solved the problem of achieving RIBE with DKER by proposing the first latticebased RIBE scheme with DKER secure under the LWE assumption.
But the progress in constructing revocable ABE schemes from lattices is slow. In 2018, Ling et al. [40] proposed a server-aided revocable Predicate Encryption (SR-PE) from LWE. is scheme employs the Predicate Encryption (PE) scheme of Agrawal et al. [41] and the complete subtree method of Naor et al. [18] as the two main ingredients, and plus some additional techniques. In the security proof of the SR-PE, however, since the LWE secret vector in the original PE scheme is unknown, an unreasonable challenge ciphertext is constructed, leading to an invalid proof.

Our Contributions.
In order to solve the security of revocable ABE against quantum attack, we propose the first SR-ABE from LWE which is indirect revocable and satisfies efficient and secure user revocation in lattices. In order to mitigate the burden of users, all the work caused by the revocation will be delegated to a powerful untrusted server. e powerful server is similar to cloud computing, with a large number of computing resources and storage resources, which can ensure the correctness of the calculation, but cannot guarantee the security of the data. In order to achieve the key revocation mechanism, in our scheme each user's secret key cannot be allowed to decrypt ciphertexts alone. To complete the decryption, KGC should bind the user's identity and corresponding circuit when generating the public key, and bind the period time when generating update key. When the user's identity is not revoked and its circuit matches the attribute subset of the ciphertext, the server can generate a transformation key from KGC to convert the ciphertext into a partially decrypted ciphertext bound only with the identity. In this way, only the secret key of the identity can be used to decrypt. e framework of our SR-ABE scheme is depicted in Figure 1.
In the scheme, there are four types of participants: a KGC, a powerful untrusted server, data sender and data recipient, among which the KGC and the server are the service of the system, the data sender and the data recipient are the client of the system. e server is opened to anyone, including the adversary. In our scheme, a user's policy function is a boolean circuit C id with its identity id. According to the system parameter, the KGC generates an msk and an mpk and broadcasts the mpk to all users. By using its msk and a user's identity id, KGC can generate a secret key sk id which is sent to the user. When a data µ needs to be sent, a data sender specifies an attribute subset att for the data, encrypts it over the att and a time period t by using the mpk, and sends the ciphertext ct t,att to the server. And all data users can see the ciphertext on the server. If needing to decrypt a ciphertext ct t,att , a data recipient with identity id forwards its identity i d and corresponding circuit C id to the server and points out the ciphertext that it wants the server to decrypt. And the server sends C id and id to the KGC. If C id corresponds to the attribute subset of the ciphertext, KGC can generate a public key pk id binding identity id for this user and send pk id to server. And also the KGC can generate a key update ku t for nonrevoked user in a time period t and send it to server. If the recipient's identity id is not in revocation list RL, then the server is able to generate a transformation key tk t,id by using the key update ku t and public key pk id . With the key tk t,id , the server can get partially decrypted ciphertext ct id of binding identity id and send it to the data recipient. Finally the recipient can decrypt ct id completely by using its secret key. e public key pk id is bound to an identity id and corresponding circuit C id , which results in the transformation key tk t,id binding the identity and circuit as well. If the C id (att) � 1, then the server can use tk t,id to separate the attribute subset att and time t from the ciphertext and bind the identity id to generate the partial decrypted ciphertext ct id . e partial decrypted ciphertext can only be decrypted by the secret key sk id corresponding the identity which the recipient sends to the server.
According to the security model of GVW13 ABE [16], we define selective security model for our SR-ABE from LWE which takes into account the possible realistic threats in selective security model and formalizes all attack strategies of an adversary against the SR-ABE scheme. e selective security model is that the adversary needs to give the challenge attributes att * and challenge time period t * before seeing the master public key mpk.
ere are two attack strategies, one is that when the adversary can access the secret key sk id * of a user with identity id * whose circuit C id * matches att * within t * , the identity id * should be in revocation list before t * , and the other is that if this identity id * has not been revoked in t * , the adversary can not query the secret key sk id * corresponding to this id * with C id * (att * ) � 1.
In short, our contributions in this paper can be summed up in the following three points: (i) We formally define the SR-ABE model from lattices that support Boolean circuit of any arbitrary polynominal size. We give the definition of the correctness and security of SR-ABE from LWE. (ii) We propose a concrete SR-ABE construction from lattice for this model based on the KP-ABE constructed by Gorbunov et al. [16]. (iii) We give a strict proof of security for our scheme, based on the hardness of Learning With Errors problem and prove that our SR-ABE scheme is selective security if the GVW13 is selective security.

Organization.
In the forthcoming sections, we first introduce the nations and definitions relevant to this paper in Section 2. We construct the first lattice-based SR-ABE scheme in Section 3 and analyze the correctness and security and compare our scheme with previous revocable schemes in Section 4. We conclude the paper in Section 5.

Notation.
Bold capital letters (e.g., A) denote matrices, bold lowercase letters (e.g., a) denote vectors. e probabilistic polynomial time algorithm is denoted by PPT. Security and Communication Networks denotes its Euclidean norm. A nonnegative function negl(n) is negligible if, for every polynomial p(n), it holds that negl(n) ≤ 1/p(n) for all sufficiently large n > 0.

Server-Aided Revocable Attribute-Based Encryption.
In order to support a class of boolean circuits C we add several parameters to conventional SR-ABE where ℓ denotes the length of attributes and d max denotes the depth of a boolean circuit C.

Syntax of SR-ABE.
A SR-ABE scheme consists of ten following polynomial-time algorithms: : the KGC takes a security parameter λ, an attribute length ℓ, and a circuit depth d max as input and outputs the system parameter pp. (2) Setup(pp) ⟶ (mpk, msk, RL, st): the KGC takes the parameter pp as input, and outputs a master public key mpk, a master secret key msk, a revocation list RL, and a state st.
identity id as input; outputs the user secret key sk id ; and sends it to the user with the identity id. (4) Encrypt(mpk, t, μ, att) ⟶ (ct t,att ): the sender takes mpk, a time t ∈ T, a message μ ∈ M and an attribute subset att as input; outputs the ciphertext ct t,att ; and sends it to the server. (5) GenPK(msk, id, C id , st) ⟶ (pk id , st ′ ): the KGC takes msk, an identity id, a circuit C id corresponding to id, and a state st as input; outputs the public key pk id with identity id and updates the state to st ′ ; and sends pk id to the server. (6) KeyUp(msk, t, RL, st) ⟶ (ku t , st ′ ): the KGC takes msk, a time t ∈ T, a revocation list RL, and a state st as input; outputs a key update ku t and updates the state to st ′ ; and sends ku t to the server. (7) TranKG(pk id , ku t ) ⟶ (tk t,id /⊥): the server takes the public key pk id with identity id and a key update ku t as input, and if id ∉ RL, and outputs a transform key tk t,id for a user with identity id, else outputs ⊥. (8) Transform(ct t,att , tk t,id ) ⟶ (ct id /⊥): the server takes the ciphertext ct t,att and a transform key tk t,id as input and, if the circuit C id corresponding to pk id in tk t,id satisfies C id (att) � 1, outputs a partially decrypted ciphertext ct id with identity id and sends it to the recipient, else outputs ⊥.  e correctness of SR-ABE requires that for all security parameter λ, the circuit depth d max , the attribute length ℓ, all message μ ∈ M, all t ∈ T, and (msk, mpk, RL, st) ⟵ Setup(pp), if the user with identity id ∉ RL by time t and C id (att) � 1 and all parties follow the scheme's algorithms, then for all ciphertexts ct t,att ⟵ Encrypt(mpk, t, μ, att), there exists sk id ⟵ GenSK (msk, id), for tk t,id ⟵ TranKG(pk id , ku t ) and ct id ⟵ Transform(ct t,att , tk t,id ), such that it has Dec (ct id , sk id ) � μ where pk id ⟵ GenPK(msk, id, C id , st), and ku t ⟵ KeyUp(msk, t, RL, st).
Chen et al. [37] formalized and defined the selectiverevocable-identity security revocable IBE from lattices. Qin et al. [35] defined the IND-CPA security model for SR-ABE from bilinear pairings. In this subsection, we give the definition of selective attribute security serveraided revocable attribute-based encryption from lattices.

Selective Security
Game. An adversary A and a challenger S play the following game.
Initial A first gives the challenge attributes att * and time t * , and some information state it wants to preserve.
Setup S runs the Setup(·), generates the msk, mpk, RL and st and sends mpk, RL and st to A. Query A can adaptively make a polynomial number of following queries to S.
GenSK(·): on input identity id and circuit C id corresponding to id, return a secret key sk id . GenPK(·): on input identity id, circuit C id corresponding to id and a state st, return pk id . KeyUp(·): on input time t, revocation list RL and state st, return ku t . TranKG(·): on input ku t and pk id with identity id, if id ∉ RL return tk t,id , and else return ⊥. Transform(·): on input the ciphertext ct t,att and circuit C id with identity id and tk t,id , if C id (att) � 1 outputs partially decrypted ciphertext ct att , else outputs ⊥. Revoke(·): on input identity id, time t and state st, return updated revocation list RL. e following restrictions must always hold: If id * with C id * (att * ) � 1 has been queried to GenSK(·) at t * , the Revoke(·) must be queried on (id * , t) for any t ≤ t * . If id * with C id * (att * ) � 1 is not revoked at t * , (id * , C id ) should not be queried to the GenSK(·).
Challenge A outputs two equal length message μ 0 , μ 1 ∈ M and sends them to S. S randomly chooses a bit β ∈ 0, 1 { } and sends Encrypt(mpk, t * , μ β , att * ) to A. Guess A can continue to make a polynomial numbers of queries as in Query phase and outputs a bit β ′ . A will win if β ′ � β.

Security and Communication Networks
Definition 2 (selective security).
e advantage of A is defined as the quantity: (1) e scheme SR-ABE is called to be selective security, if the advantage of adversary Adv SR− ABE A (1 λ , 1 ℓ , d max ) is negligible in λ, ℓ, d max for an efficient A.

Background on Lattices
Definition 3 (lattices). Let q, n, m be positive integers; for a matrix A ∈ Z n×m q , Λ ⊥ q (A) � x ∈ Z m q : Ax � 0 mod q denotes an certain family of integer lattices which was introduced by Ajtai [42]. More generally, for u ∈ Z n q , Λ u q (A) denotes the coset x ∈ Z m q : Ax � u mod q .
Definition 5 (learning with errors (LWE)). LWE was introduced by Regev [43]. For positive integers n, m, a prime integer q, and a discrete Gaussians distribution χ � D Z,s . e decisional LWE n,q,χ problem is to distinguish the following two distributions: a uniform distribution pair (A, b) where (A, b) ⟵ Z n×m q × Z m q , and the other distribution pair (A, b � A T s + e) where (A, s) ⟵ Z n×m q × Z n q and e ⟵ χ m . Some efficient sampling algorithms which find some short vectors from specific lattice were introduced by Agrawal et al. [44] and Micciancio and Peikert [45]. We recall these sampling algorithms. (1) TrapGen(n, m, q) ⟶ A, T A : an efficient randomized algorithm [45][46][47], outputs a matrix A ∈ Z n×m q and a basis T A ∈ Z m×m of Λ ⊥ q (A) such that the distribute of A is close to uniform and , a matrix M ∈ Z n×m q , a vector u ∈ Z n q , and a sufficiently large Gaussian parameter s ≥ ‖T A ‖ · ω( ����� � log 2m ), it outputs a vector z ∈ Z 2m with a distribute statistically close to SampleRight(A, R, G, T G , u, s): inputting G ∈ Z n×m q , a trapdoor T G of Λ ⊥ q (G), a matrix A ∈ Z n×m q , R ∈ Z m×m q , a vector u ∈ Z n q , and a sufficiently large (1) Params(1 λ , d max ): on input parameter λ and d max , output (m, n, q). (4) ReKeygen(pk 0 , pk 1 , sk b , pk tgt ): where SimReKeyGen(pk 0 , pk 1 ): let pk 0 � A 0 , pk 1 � A 1 , and sample a matrix R ⟵ (D Z 2m×m ,s ). Define and output the pair (pk tgt � A tgt , rk tgt 0,1 � R).
where ψ 0 � Encode(A 0 , s), ψ 1 � Encode(A 1 , s) for same s ∈ Z n . It is clear that ψ tgt � Encode(A tgt , s) for same s ∈ Z n as long as the error-tolerance is large enough. Output ψ tgt .
e ABE scheme needs a one-time symmetric encryption scheme (E, D) which is in the following.

Security and Communication Networks
where Output μ ′ .

Full-Rank Different Map
Definition 6 (full-rank different map [37]). Let q be a prime and n a positive integer. A function H: Z n q ⟶ Z n×n q is a fullrank different map, if for all different vectors u, v ∈ Z n q , the matrix H(u) − H(v) ∈ Z n×n q is full rank and H is computable in polynomial time in nlogq.

Complete Subtree Method.
Like previous revocable schemes, our scheme also needs to use the complete subtree method which was proposed by Naor et al. [18]. In the method, there is a complete binary BT with at least N leaf nodes, where N is the maximum number of users in the system and each leaf node of BT is corresponding to a user. With this binary tree BT, a KUNode algorithm is used to compute the minimal set of nodes for which key update needs to be published so that only the nonrevoked users in this tree at a time period t are able to decrypt the ciphertexts.
KUNode(BT, RL, t) takes the binary tree BT, a revocation list RL, and a time period t as input and does the following: (3) ∀y ∈ X, if y l ∉ X, then add y l to Y, if y r ∉ X, then add y r to Y, where y l is left child of y and y r is right child of y; (4) if Y � ∅, then add root to Y; e set Y is the smallest subset of nodes that contains ancestors of all the leaf nodes corresponding to nonrevoked users. In [18], it proves that the set Y generated by KUNodes(BT, RL, t) has a size at most O(R log N/R), where R is the number of users in RL.

GVW'13 ABE Scheme.
In this subsection, we will briefly describe GVW13 ABE scheme [16], which will be used as the building block for our SR-ABE.
ere are three key parameters in GVW13 ABE Scheme, which are security parameter λ, attribute length ℓ, and circuit depth d max , respectively. e master public key is , A out and master secret key is { }. e generation of the secret key for a user with a circuit C is complex. First of all, the KGC assigns the (A i,b , T i,b ) ⟵ Kengen(·) to every output b ∈ 0, 1 { } of the ith gate of the circuit C for i ∈ ℓ + 1, . . . , |C| − 1 { }. When i � |C|, the last gate is assigned A out only when the output of the gate is 1.
en, according to every gate C i of the circuit C, the conversation keys are generated by c) and b, c ∈ 0, 1 { }. Finally, these conversation keys are combined as user's secret key, and distributed to the user. If a message µ needs to be sent, according to the att � a 1 , a 2 , . . . , a ℓ } ∈ 0, 1 { } ℓ , a sender selects A i,a i i∈ [ℓ] to encrypt it and gets the ciphertext att, Encode (Encode(A out , u), μ)} where u ⟵ Z n q . When a recipient with the circuit C wants to decrypt the ciphertext, if C(att) � 1, then it can use secret key to get the code of A out according to the code of A i,a i i∈ [ℓ] and can easily get the message μ; else, it can do nothing.
In the selective security model, the adversary announces a challenge attribute set att * before the challenger gives it public master key. According to [16], the GVW13 scheme is selectively secure.

Our SR-ABE Scheme.
In this subsection, we give a concrete construction of our scheme. (1 λ , 1 ℓ , d max ). On input the λ, ℓ, and d max , the KGC does the following:

GenSK(msk, id).
On input msk, an identity id ∈ I, the KGC does the following: (1) If the F id corresponding to id is undefined, set Encrypt(mpk, t, μ, att). On input mpk, a time t ∈ T, and a message μ ∈ M, the sender selects an attribute subset att � (a 1 , a 2 , . . . , a ℓ ) ∈ A and does the following: (Encode(D, u), μ),

3.2.4.
3.2.5. GenPK(msk, id, C id , st). On input msk, an identity id, a circuit C id , and state st, the KGC does the following: (1) For every leaf node θ from BT, store the corresponding identity id in this node. If the B id corresponding to id is undefined, set B id � B 1 + H(id)G. (2) After getting the circuit C id from server with identity id, for i < |C id | − ℓ or b � 0, run Keygen(pp) and get ,s . And update the state to st ′ (4) Output pk id � (s id , (x, Z 1,x ) x∈Path(id) ) and the updated st ′ . (msk, t, RL, st). On input msk, a time t ∈ T, a revocation list RL, and the state st, the KGC dose the following:
(the corresponding U x is predefined in GenPK and always exists). And update the state to st ′ . (3) Output ku t � (x, Z 2,x ) x∈KUNodes(BT,RL,t) and the updated st ′ .
3.2.7. TranKG(pk id , ku t ). On input pk id and ku t , the server generates a transformation key tk t,id for every i d not lying the revocation list RL as the following: (1) Parse pk id � (s id , (x, Z 1,x ) x∈I ) and ku t � (x, Z 2,x ) x∈J for some set of nodes I, J.

Transform(ct t,att , tk t,id ).
Receiving tk t,id � (s id , Z 1,x , Z 2,x ), the server does the following: (1) If C id (att) � 1, use the key s id to obtain ψ C id � Encode(B id , u), else output ⊥.
e server sends ct att to the recipient with identify id.
3.2.9. Dec(ct id , sk id ). On input ct id and secret key sk id , the recipient can obtain μ ′ ⟵ D R T id φ ψ id , c by using the secret key sk id .

Revoke( id
{ } id∈U , t, RL, st). Taking an identity set id { } id∈U where U is a set of revoked users, time t, the revocation list RL, and the current state st as input, the KGC adds id ∈ U to RL, updates the state to st ′ , and outputs RL.

Correctness.
When a recipient with id ∉ RL sends the circuit C id with C id (att) � 1 to server and wants to decrypt the ciphertext ct t,att � (att, c, ψ i i∈ [ℓ] , ψ, ξ, φ), the server and recipient perform as following.
(1) After accepting the circuit C id from the recipient, the server can send the C id to KGC and get pk id � (s id , (x, Z 1,x ) x∈Path(id) ). And using the ku t � (x, Z 2,x ) x∈KUNodes(BT,RL,t) , the server can get tk t,id � (s id , Z 1,x , Z 2,x ). By using the secret key s id in tk t,id and ψ i i∈ [ℓ] in ct t,att , the server computes ψ C id � Encode(B id , u), i.e., ψ C id � B T id u + e 1 where ‖e 1 ‖ ≤ 2(n 3 log 2 q) d max .
(2) Compute Security and Communication Networks where . e server hands ct id � (id, c, φ, ψ id ) to recipient.

Security
Theorem 1. Our SR-ABE scheme with attribute length ℓ is selective security defined in Definition 2 if the GVW13 scheme with attribute length ℓ + 2 is selective security.
Proof. If there exists a PPT adversary A against selective security of the SR-ABE scheme with attribute length ℓ, then we can construct a PPT adversary B against selective security of the GVW13 scheme with attribute length ℓ + 2. e security of GVW13 scheme is based on LWE, so is our scheme. Before proving this theorem, let us summarize our ideas of proof. In the GVW13 scheme with attribute length +2, we set A � B l+1,0 , B � B l+2,0 . And then our scheme's challenge ciphertext with att * � a * 1 , a * 2 , . . . , a * ℓ can be regarded as a transformation of the challenge ciphertext of GVW13 scheme under attribute att * ′ � a * 1 , a * 2 , . . . , a * ℓ , 0, 0 . Let us start with our proof.
In the GVW13 selective security model, after generating the system parameters λ, ℓ, and d max , the challenger S runs the System, gets pp, and gives the pp to B. B hands it over to A.
en A chooses a challenge attribute att * ∈ A, a challenge time t * ∈ T, and a revocation list RL * and gives them to B. en B gives att * , 0, 0 { } to S. Now, we consider two type of adversaries as follows: Type I: it is assumed that every identity id * whose circuit C id * satisfies that C id * (att * ) � 1 must be included in RL * . In this case, A is allowed to issue a query to oracle GenSK(·) on id * . Type II: it is assumed that there is an id * ∉ RL * whose circuit C id * satisfies that C id * (att * ) � 1. In this case, id * is not revoked at t * and A never issues a query to oracle GenSK(·) on (id * , C id * ). e following steps are taken after B receiving the public key: from S.
(1) Generate (G, T G ) ⟵ TrapGen(n, q, m), and set Choose an efficient full-rank different map H : Z n q ⟶ Z n×n q . Choose an identity id * with C id * (att * ) � 1 and set (3′) Type I adversary: B can set revocation list RL * and Type I adversary: when queried id * from A, B can return sk id * � R * id . When queried id ≠ id * from A, B can set F id � A 1 + H(id)G � AR 1 + (H(id) − (id * ))G, and then run sample algorithm Type II adversary: when queried id ≠ id * from A, B can set F id � A 1 + H(id)G � AR 1 + (H(id)− (id * ))G, and then sample R id ⟵ SampleRight (A, R 1 , (H(id) − H(id * ))G, T G , D, s). Finally, B can return sk id � R id . GenPK(·): when A queries GenPK for id and C id , B can set And then B does the following: (1) When A queries GenPK for id * such that C id * (att * ) � 1, store id * in leaf node θ from BT and set F id as above. If x ∈ Path(id * ), pick And then for the gate When A queries GenPK for id * and C id * , (2) When A queries GenPK for i d such that B can ask A for a matrix B id to run KeyGen by using . at is, A sets pk tgt � B id . Other than that, B did not get any secret information.
is will not endanger the security of GVW13. en B outputs pk id � s id , x, Z 1,x x∈path(id) .
KeyUp(·): for key update of time t ≠ t * and all x ∈ KUNodes(BT, RL, t), where U x has been defined in GenPK(·) and return ku t � (x, Z 2,x ) x∈KUNodes(BT,RL * ,t) . TranKG(·) and Transform(·): by using a key update ku t and a public key pk id with identity id, B can execute these two algorithms. Revoke(·): after accepting the query about updating the revocation list on an identity id, a revocation list RL and a state st, the B adds id to RL, outputs a new RL, and gives it to A.
Because of assuming that A can break the selective security of SR − ABE with probability ε, which means then, we have

Comparison.
In the past few years, a large body of work on revocable ABE [34,35] and revocable IBE [37,39] has been proposed. In these revocable ABE schemes [34,35], there is a powerful but untrustworthy server. And most of data users' workloads are delegated to the powerful untrusted server such that the KGC indirectly revokes users in revocation list by stopping updating the keys without any operation by the user. In [34], a revocable CP-ABE is proposed where a user can generate its local secret key and public key and decrypt a ciphertext by using the local secret key. And in [35], a key-randomization was introduced such that a user's local decryption keys can be exposed if the user is not revoked. In these revocable IBE schemes [37,39], the KGC can revoke the users in the revocation list by stopping posting key update for these users, thereby forcing revoked users to be unable to generate their decryption keys. In [37], a revocable IBE from LWE is proposed where users can transform a long-term secret key and a key update from KGC into decryption keys. And in [39], a generic construction of an RIBE scheme with DKER was proposed which consists of any two-level standard HIBE scheme and RIBE scheme without DKER. Table 1 compares our SR-ABE scheme with revocable ABE/IBE schemes [34,35,37,39]. In Table 1, N denotes the number of all users in system, R denotes the number of users in revocation list, "-" denotes not-applicable or not-comparable. T m denotes the time taken for matrix multiplication, T g denotes the time running the Gaussian sample, T k denotes the time running Keygen(·), and T s denotes the time Table  1: Comparisons of our SR-ABE with other revocable schemes.
CDLQ [34] QZZC [35] CLL+ [37] KMT [39] Ours O (1) running SampleLeft(·). e schemes [34,35] are based on decisional Bilinear Diffie-Hellman (DBDH) assumption from discrete logarithm problem and insecure when faced with the adversaries using quantum computers. Compared with them, our scheme is based on LWE and secure against the quantum computers. Compared with the schemes [37,39], in our scheme, KGC needs more computation cost due to the complexity of current strategy function in ABE, but users need less computation cost in decryption. In the schemes [34,35], storage overhead is O(log N)+ O(R log(N/R)), which is related to the number of users in system and users in revocation list. Our scheme mitigates user's storage overheads by delegating the most of users' workload to a powerful untrusted server. Our goal in this paper is to achieve user revocation in a KP-ABE system from LWE such that most of the user's workload is delegated to a powerful untrusted server and our scheme can be secure against quantum computers.

Conclusion
In this paper, we propose a new model called server-aided revocable attribute based encryption (SR-ABE) from lattice to achieve efficient user revocation and security against quantum computers in attribute-based encryption (ABE). We formally define an SR-ABE model and give the definitions of the correctness and security of SR-ABE from LWE. Based on a standard (nonrevocable) ABE [16], we propose the first concrete construction of SR-ABE from lattices. And, we provide a more rigorous proof of security, based on the hardness of LWE.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that they have no conflicts of interest.