Space-Efficient Key-Policy Attribute-Based Encryption from Lattices and Two-Dimensional Attributes

Linear secret-sharing scheme (LSSS) is a useful tool for supporting flexible access policies in building attribute-based encryption (ABE) schemes. But in lattice-based ABE constructions, there is a subtle security problem: careless usage of LSSS-based secret sharing over vectors would lead to the leakage of the master secret key. In this paper, we propose a new method that employs LSSS to build lattice-based key-policy attribute-based encryption (KP-ABE) and resolves this security issue. More specifically, no adversary can reconstruct the master secret key since we introduce a new trapdoor generation algorithm to generate a strong trapdoor (instead of a lattice basis), that is, the master secret key, and remove the dependency of the master secret key on the total number of system attributes. Meanwhile, with the purpose of reducing the storage cost and supporting dynamic updating of attributes, we extend the traditional 1-dimensional attribute structure to a 2-dimensional one. This makes our construction remarkably efficient in space cost, with acceptable time cost. Finally, our scheme is proved to be secure in the standard model.


Introduction
In 2005, Sahai and Waters [1] proposed a new public key encryption mechanism: attribute-based encryption (ABE). It associates the user's identity with a set of attributes. The user's private key and the ciphertext are defined based on the attribute set and access policy, respectively, and a user can decrypt only if the attribute set and the access policy match each other. If the user's private key is correlated to the access policy and the ciphertext is correlated to the attribute set, it is a key-policy ABE (KP-ABE). In the reverse case, it is a ciphertext-policy ABE (CP-ABE) [2]. With the development of cloud computing, more and more people tend to store and share their data through the cloud. To protect users' private information, ABE is a good choice, since it can achieve fine-grained access control and one-to-many communication of users' data in public cloud storage [3]. The constructions of ABE are usually based on two different mathematical platforms: bilinear pairings and lattices. On the one hand, the quick progress in pairing-based ABE constructions [4][5][6][7] fosters the so-called expressive cryptography. On the other hand, with the breakthrough of quantum computing technology in recent years, most researchers believe that bilinear pairing-based constructions suffer from the potential threat of quantum computers. Therefore, the study of lattice-based ABE schemes attracts more attention.
In 2011, Zhang and Zhang [8] proposed a CP-ABE scheme that is based on the learning with errors (LWE) problem [9] and supports the AND operation among attributes. One year later, they [10] proposed another lattice-based CP-ABE scheme that supports threshold access policies. In 2013, Liu et al. [11] proposed a threshold ABE scheme with attribute hierarchy based on lattice intractability assumptions. The constructions in [8,10,11] gave us a good inspiration to study lattice-based ABE. But a single AND operation or THRESHOLD operation is still not enough for describing more flexible access policies in practical applications. To support a more flexible access policy, the technique of linear secret-sharing scheme (LSSS), which is known to support AND, OR, and THRESHOLD operations, is useful. For instance, LSSS was used in building pairing-based ABE schemes [12][13][14]. However, as mentioned by Agrawal et al. [15], in building a lattice-based KP-ABE scheme, if the usage of LSSS is improper (such as the work in [15]), the shares of a vector are correlated, and this would enable an adversary to reconstruct the master secret key by making some correlated key queries. For example, the adversary can make key queries for $(a_1 \wedge a_2) \vee a_3$, $(a_1 \wedge a_2) \vee a_4$, $(a_1 \wedge a_2) \vee a_5$, and so on. Their preimages (i.e., secret keys) can be combined to form a short vector in the null space. And after several key queries, the adversary can construct a full basis that can be used to break the challenge ciphertext for a target attribute vector such as 110...00. To deal with this subtle problem, Boyen [16], in the lattice-based KP-ABE construction, utilized the LSSS technique but bypassed the vector-based secret sharing. Instead, the construction uses a virtual encryption matrix which cascades the sharing matrix. In 2014, Boneh et al. [17] proposed another lattice-based KP-ABE scheme that uses arithmetic circuits to describe the access policy, which can support AND and OR operations on the attributes.
Another issue in designing ABE schemes is the dimension of the attribute structure. The typical setting is to use a 1-dimensional structure. That is, a set $\{1, \ldots, \ell\}$ is used to denote the system attributes and all attributes of the system are initialized in the Setup phase (such as in [16][17][18]). However, in [16][17][18], this kind of setting has two problems in practice. First, the number of system attributes is fixed. Or equivalently, the attribute space is bounded after the execution of the Setup algorithm. Second, the size of parameters increases linearly with the number of system attributes. This situation becomes even worse in lattice-based ABE constructions. The total size of parameters would be over 300 Mbytes, even 1 Gbyte. In particular, the space cost for attribute parameters occupies over 95% of the space cost of the total public parameters. But in practical applications, it is more desirable to support dynamic updating and space-efficient settings on system attributes. Therefore, the main motivation of this paper is to construct a lattice-based KP-ABE scheme that supports flexible access policies, dynamic updating, and space-efficient attribute settings.

Our Contribution.
In this paper, we propose a secure LSSS-based KP-ABE scheme from lattices which can support a flexible access policy and solves the master secret key leakage problem. In addition, we give a flexible attribute description which can add new attributes dynamically, and we also reduce the sizes of the public parameter, master key, user's secret key, and ciphertext. The main contributions are as follows:

(1) New method of LSSS-enabled flexible access policy without the security issue mentioned by Agrawal. In our construction, we use the LSSS technique to support a flexible access policy and resolve the security problem by preventing the adversary from reconstructing the master secret key. In the previous LSSS-based KP-ABE scheme, the master secret key often consisted of some bases which correlated to the total number of system attributes. An adversary can reconstruct a full basis (i.e., master secret key) by making some correlated key queries [15]. But in our scheme, we use a new trapdoor generation algorithm of MP12 [19] to generate a strong trapdoor (i.e., the master secret key), not a basis, and the master secret key is no longer correlated to the number of system attributes. Thus, no adversary can obtain the correlated information of the master key. Since the master key is a new strong trapdoor (instead of a lattice basis), we also make an improvement of the SampleLeft algorithm which takes a lattice basis as input (see Section 4.1).

(2) Two-dimensional attribute structures that support attribute dynamic updating and reduce the size of parameters. In our scheme, we extend the traditional 1-dimensional (value-specified) attribute structures to 2-dimensional (label- and value-specified) ones. Multiple values can be set under an attribute label. New attribute values can be added at any time without reconstructing the system. The attribute space is no longer bounded. In addition, the attribute value usually contains more private information than the attribute label. By doing that, the attribute labels are used to set the access policy, while the actual values are hidden. So even if the adversary makes some key queries for correlated access policies, it cannot get any private information of the master secret key. In particular, the most observable advantage of using this kind of 2-dimensional attribute structure is that the storage cost is reduced. The storage cost of the trapdoor, not a basis, is at least four times smaller than in other constructions. And by removing the reliance on the total number of system attributes, the sizes of the public parameter, master secret key, user's secret key, and ciphertext are remarkably reduced. The detailed performance analysis is given in Section 5. In fact, this kind of 2-dimensional setting on attributes is not new to us. In 2015, Ying et al. [13] used a tag-based setting on attributes in pairing-based constructions. Our contribution is to introduce Ying et al.'s idea into lattice-based constructions.

Related Work.
In 2012, Agrawal et al. proposed a fuzzy identity-based encryption scheme from lattices [15] which can support a single THRESHOLD operation. In 2014, a lattice-based KP-ABE scheme [20] and a lattice-based CP-ABE scheme [21] were proposed. These two schemes only supported the AND gate. In 2015, Zhang et al. [22] designed a multiauthority attribute-based encryption (MA-ABE) scheme on lattices which can support the THRESHOLD operation on the attributes. There exist multiple attribute authorities in this scheme, which resolves the problem of delayed response with a single attribute authority. In 2017, Zhao and Gao proposed an LSSS matrix-based KP-ABE on lattices [23] with a flexible access policy, but the attribute space is bounded. Liu et al. proposed a multiauthority key-policy attribute-based encryption (MA-KP-ABE) scheme from lattices [24] with the same advantage as Zhang's construction in [22]. In 2018, Liu et al. [25] proposed an MA-ABE with ciphertext policy. In the scheme, the size of the ciphertext is reduced because they introduced the basis delegation without dimension increase algorithm in [26]. The lattice-based ABE schemes in [27,28] were based on the ring-LWE problem. The authors of [27,28] provide an engineering implementation of their schemes.

Organization.
The rest of this paper is organized as follows. In Section 2, we give the basic definition of lattice, sampling algorithms, and FRD function. The definition of the KP-ABE scheme and security model are given in Section 3. In Section 4, an improved SampleLeft algorithm and a space-efficient KP-ABE scheme with 2-dimensional attributes are proposed. The parameter settings and security proof are also given in Section 4. In Section 5, we give a detailed comparison between our scheme and relevant works in terms of space cost and time cost. Finally, we conclude this paper in Section 6.

Preliminaries
Notation. $\mathbb{Z}_q$ denotes the set of residue classes of integers mod $q$. $u \in \mathbb{Z}_q^n$ is an $n$-dimensional column vector. An $n \times m$ matrix is denoted by $A \in \mathbb{Z}_q^{n \times m}$, where $A = (a_1, \ldots, a_m)$. $\|A\|$ denotes the $\ell_2$-norm length of the longest column of $A$. $\widetilde{A}$ denotes the Gram-Schmidt orthogonalization of the vectors $a_1, \ldots, a_m$. We refer to $\|\widetilde{A}\|$ as the Gram-Schmidt norm of $A$. In our scheme, $A_u$ and $A_c$ denote the user's attribute set and the ciphertext attribute set, respectively, and $|A_u|$ and $|A_c|$ denote the number of attributes in $A_u$ and $A_c$, respectively.

Integer Lattice
are n linearly independent vectors, and the lattice Λ is generated by the following formula: (1) is a basis of Λ, n is the rank, and m is the dimension. (2)

Discrete Gaussians
Definition 3. For a positive integer $s \in \mathbb{R}$ and a vector $c \in \mathbb{R}^m$, we define a Gaussian distribution with center $c$ and variance $s$ as follows: where $\sigma > 0$ is a parameter and $\rho_{\sigma,c}(x) = \exp(-\pi \|x - c\|^2 / \sigma^2)$.

Sampling Algorithms and FRD Function.
The following two algorithms are introduced from MP12 [19]. TrapGen is used to generate the public parameters and master key in the KP-ABE scheme.
$H$ is a tag of the trapdoor. $s_1(T_A)$, the largest singular value of $T_A$, is the quality of the trapdoor.
For any integer $q \ge 2$, $n \ge 1$, $n = nt$, $t = \log q$ and sufficiently large $m = O(n \log q)$, let $H \in \mathbb{Z}_q^{n \times n}$ be an invertible matrix, let $G \in \mathbb{Z}_q^{n \times n}$ denote a primitive and public matrix, let $A \in \mathbb{Z}_q^{n \times m}$ be chosen at random, let $u \in \mathbb{Z}_q^n$ be a uniformly random vector, and let $\sigma \ge s_1(T_A)\|G\|$ be the Gaussian parameter ([19]); it has the following:
(1) Algorithm TrapGen($A$, $H$) that outputs a uniformly random matrix $A = [A \mid HG - A T_A] \in \mathbb{Z}_q^{n \times m}$ and a trapdoor matrix $T_A \in \mathbb{Z}^{m \times n}$, where the trapdoor size is
(2) is not statistically distin-
The following SampleRight algorithm is used in our scheme for the security proof. There also exists a SampleLeft algorithm. But in the traditional SampleLeft algorithm in [29], $T_A$ is a basis of $\Lambda_q^{\perp}(A)$. Since in our scheme $T_A$ is a trapdoor, not a basis, we make a small improvement to this algorithm (see Section 4.1). We call the improved SampleLeft algorithm IMSampleLeft.
For $q > 2$, $m > n$, and and $T_B$ is a basis of $\Lambda_q^{\perp}(B)$ and $u \in \mathbb{Z}^n$. The vector $e$ is not statistically distinguishable from
Security and Communication Networks
The following algorithm is the encoding with full-rank differences (FRD) function. For a prime $q$ and a positive integer $n$, an FRD function $H: \mathbb{Z}_q^n \to \mathbb{Z}_q^{n \times n}$ is as follows: (2) Let $f$ be some polynomial of degree $n$ that is irreducible and coeff($g$) denote the $n$-vector of coefficients of $g$.

Two Lemmas to Bound Norms.
The following three lemmas will be used to prove that the decryption is correct.

Lemma 2.
Let $e$ be some vector in $\mathbb{Z}^m$ and let $y \stackrel{R}{\leftarrow} \Psi_\alpha^m$ [30]. Then the quantity $|e^{\top} y|$ treated as an integer in with all but negligible probability in $m$.
As a special case, Lemma 2 shows that if $x \stackrel{R}{\leftarrow} \Psi_\alpha$ is treated with all but negligible probability in $m$. [29], it has

Linear Secret-Sharing Scheme (LSSS).
A secret-sharing scheme over a collection $P$ is linear if one has the following:
(1) The shares for each party form a vector over $\mathbb{Z}_q$.
(2) There exists a matrix $M$ of size $l \times n$ such that, for all $i = 1, \ldots, l$, the $i$-th row is labeled with a function $\rho(i)$.
Randomly choose $s \in \mathbb{Z}_q$ and a vector $g = (s, g_2, \ldots, g_n)^{\top} \in \mathbb{Z}_q^n$, where $s$ is the secret to be shared. The share $\lambda_i = M_i g$ belongs to party $\rho(i)$, where $M_i$ is the $i$-th row of $M$.
Linear reconstruction property: suppose a scheme's access structure is LSSS. Let $S$ be an authorized set and $I = \{i \mid \rho(i) \in S\}$. There exists a set of constants $\{k_i \in \mathbb{Z}_q\}_{i \in I}$ that can be used to compute the secret $s$: $\sum_{i \in I} k_i \lambda_i = s$.
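The share generation and linear reconstruction property above, as an added worked example (not code from the paper). The modulus Q = 7681, the policy (1 AND 2) OR 3 with its matrix M, and all function names are constructed for illustration; share_vector shares a vector one component at a time, each with its own random g, which is the form of sharing the scheme's KeyGen step (1) sets up for u.

```python
import secrets

Q = 7681  # constructed small prime modulus (illustration only)

# Constructed LSSS for the policy (1 AND 2) OR 3 over attribute labels.
# Row i of M belongs to party rho(i) = RHO[i]; -1 is written as Q - 1.
M = [[1, 1], [0, Q - 1], [1, 0]]
RHO = [1, 2, 3]


def share(s, M=M, q=Q):
    """Return the shares lambda_i = M_i . g for g = (s, g_2, ..., g_n)."""
    g = [s % q] + [secrets.randbelow(q) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, g)) % q for row in M]


def share_vector(u, M=M, q=Q):
    """Share every component u_j with its own random g_j; one share vector per row."""
    per_component = [share(u_j, M, q) for u_j in u]
    return [list(column) for column in zip(*per_component)]


def solve_mod(A, b, q):
    """One solution x of A x = b (mod prime q) by Gauss-Jordan, or None."""
    rows, cols = len(A), len(A[0])
    aug = [[v % q for v in row] + [bi % q] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        p = next((i for i in range(r, rows) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [v * inv % q for v in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % q for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(aug[i][cols] for i in range(r, rows)):
        return None  # inconsistent: (1, 0, ..., 0) is not in the span of the rows
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def recon_coeffs(S, M=M, rho=RHO, q=Q):
    """Constants {k_i} for I = {i | rho(i) in S}, or None if S is not authorized."""
    I = [i for i, label in enumerate(rho) if label in S]
    if not I:
        return None
    n = len(M[0])
    A = [[M[i][j] for i in I] for j in range(n)]  # solve sum_i k_i M_i = (1, 0, ..., 0)
    k = solve_mod(A, [1] + [0] * (n - 1), q)
    return None if k is None else dict(zip(I, k))


def reconstruct(shares, k, q=Q):
    """Compute sum_{i in I} k_i * lambda_i mod q."""
    return sum(k_i * shares[i] for i, k_i in k.items()) % q


def reconstruct_vector(shares, k, q=Q):
    """Component-wise reconstruction for shares produced by share_vector."""
    return [sum(k_i * shares[i][j] for i, k_i in k.items()) % q
            for j in range(len(shares[0]))]


if __name__ == "__main__":
    lam = share(1234)
    for S in ({1, 2}, {3}, {1}, {2}):
        k = recon_coeffs(S)
        print(sorted(S), k, None if k is None else reconstruct(lam, k))
```

For the unauthorized sets {1} and {2} no constants exist, because the target vector (1, 0) is not in the span of the corresponding rows of M.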

Hardness Assumption
Definition 5. Given a prime $q$, a positive integer $n$, and a distribution $\Psi_\alpha$ over $\mathbb{Z}_q$, a $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem instance consists of access to an unspecified challenge oracle $O$, being either a noisy pseudorandom sampler $O_s$ carrying some constant random secret key $s \in \mathbb{Z}_q$ or a truly random sampler $O_{s'}$, whose behaviors are as follows, respectively: The $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem allows a number of queries to the challenge oracle $O$. We say an algorithm $A$ decides a ($\mathbb{Z}_q$, $n$,

Theorem 1.
If there exists an efficient, possibly quantum, algorithm for deciding the $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem for $q > 2\sqrt{n}/\alpha$, then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems to within $O(n/\alpha)$ factors in the $\ell_2$ norm, in the worst case [9].

Definitions of KP-ABE and Security Model
In KP-ABE, the message is encrypted by using the attributes as public keys, and a user's private key is related to the access policy which is defined by a set of attributes. A KP-ABE scheme consists of the following four algorithms.
Setup ($1^n$) ⟶ (pp, msk). Taking a security parameter $1^n$ as input, the algorithm outputs the public parameter pp and the master secret key msk.
KeyGen (pp, msk, $A_u$, $(M, \rho)$) ⟶ $sk_u$. On input of the public parameter pp, the master key msk, a user's attribute set, and an access policy $(M, \rho)$ of which the rows are associated with the attribute labels, the algorithm KeyGen outputs the secret keys $sk_u$.
Encrypt
Here, we give the definition of the security model, which is adapted from [16]. A KP-ABE scheme is secure under the selective-attribute chosen-plaintext attack. It can be described by a game between a challenger B and an adversary A as follows:
Target. The adversary A announces to B the challenge attribute set.
Setup. B runs the Setup algorithm and sends the public parameter to A.
Queries. In this step, A adaptively makes queries for the private keys for access policies $(M, \rho)$ that the target attribute set does not satisfy. B answers the queries.

Challenge. A gives a signal that it is ready to accept the challenge. Then it selects a message $b \in \{0, 1\}$ and sends the message to B. The simulator B responds with a ciphertext which is encrypted under the target attribute set.
Continuation. After having obtained the challenge ciphertext, A is allowed to repeat the private key queries.

Improved SampleLeft Algorithm.
In the traditional SampleLeft algorithm [29], $T_A$ is a basis of $\Lambda_q^{\perp}(A)$. But in our KP-ABE scheme, $T_A$ is a trapdoor, not a basis. So we make a small improvement to this SampleLeft algorithm. We call the improved SampleLeft algorithm IMSampleLeft.
For $q > 2$, $m > n$, and σ ≥ s is a trapdoor of $A$, and $u \in \mathbb{Z}^n$. The vector $e$ is not statistically distinguishable from $D_{\Lambda_q^{u}(F_1), \sigma}$, where $F_1 = (A \mid M_1)$ and $F_1 \cdot e = u \pmod{q}$.
For completeness, we describe the algorithm in detail.

Space-Efficient KP-ABE from Lattices and Two-Dimensional Attributes.
In our scheme, the whole attribute universe can be expressed by $l$ attribute labels $U = \{1, 2, \ldots, l\}$; each attribute label has different attribute values. In the system, $A_u = \{i : a_i\}$ denotes the user attribute set. $i$ denotes the attribute label and $a_i \in \mathbb{Z}_q^n$ is the attribute value with some private information.
Setup ($1^n$) ⟶ (pp, msk). Taking a security parameter $1^n$ as input, the algorithm outputs the public parameter pp and the master secret key msk.
(1) The system first executes the TrapGen($A$, $H$) algorithm in MP12 to generate a uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$ and a trapdoor matrix $T_A \in \mathbb{Z}^{m \times n}$, where m = m + n.
(2) For the $l$ attribute labels in $U$, it chooses $l$ uniformly random matrices $A_1, A_2, \ldots, A_l$.
(3) Then it chooses a uniformly random vector $u = (u_1, u_2, \ldots, u_n)^{\top} \in \mathbb{Z}_q^n$ and a uniformly random
KeyGen (pp, $T_A$, $(M, \rho)$) ⟶ $sk_u$. On input of the public parameter pp, the master key msk, and the access structure $(M, \rho)$, where $M$ is an $l \times n$ share matrix and $\rho$ is a function which maps each row $M_i$ to the attribute labels based on the attribute value $a_i$ in $A_u$, do the following:
(1) Construct $n$ vectors $g_1 = (u_1, g_{12}, g_{13}, \ldots, g_{1n})^{\top}$, $g_2 = (u_2, g_{22}, g_{23}, \ldots, g_{2n})^{\top}$, ..., and $g_n = (u_n, g_{n2}, g_{n3}, \ldots, g_{nn})^{\top}$, where $u_1, u_2, \ldots, u_n$ are the corresponding components of $u$.

Correctness.
In order to ensure the correctness of decryption, we need to ensure that the error term is less than $q/5$ with overwhelming probability (w.h.p.). As we know, Let $e_i = (e_{1,i}, e_{2,i})$, and $e_{1,i}, e_{2,i} \in \mathbb{Z}^m$. The error term is as follows: From Section 4.2, we know that $\max k_i = l$ and $(l!)^2 \le (l)^{2l}$. By Hence, the error term To make the system work correctly, we need the following: (1) For the TrapGen algorithm to operate, it needs $m \approx 2n \log q$.

Security
Theorem 2. Suppose there exists a probabilistic polynomial-time (PPT) adversary A with advantage $\varepsilon > 0$ in a selective security attack against our space-efficient KP-ABE scheme from lattices; then there exists a PPT simulator B that decides the $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem with advantage $\varepsilon/2$.
Proof. In Definition 5, the $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem gives access to a sampler $O$, which is either a truly random sampler $O_{s'}$ or a noisy pseudorandom sampler $O_s$. The decisional algorithm needs to distinguish which sampler it is given. It proceeds as follows:
Instance. B requests from $O$ to obtain $(m + 1)$ LWE samples that we denote as
Target. The adversary A announces to B the challenge attribute set. Let $A^* = \{1 : a_1^*, 2 : a_2^*, \ldots, l : a_l^*\}$ denote the challenge attribute set.
Setup. B constructs the public parameter as follows:
(1) Construct $A$ and $u$ from the LWE instance; let $A = (w_1, w_2, \ldots, w_m)$ and $u = w_0$. Then the simulator B executes the TrapGen algorithm to generate the matrix $B$ with the trapdoor $T_B$.
(2) For each attribute $j \in U$ such that $j \in A^*$, choose
For each attribute $j \in U$ such that $j \notin A^*$, the simulator B executes the TrapGen algorithm to generate the matrices $A_j$ with the trapdoor $T_{A_j}$.
(4) B sends the public parameter to A.
Queries. In this step, A adaptively makes queries for the private keys for policies $(M, \rho)$ that the target attribute set $A^*$ does not satisfy. B answers the queries as follows: (1) As in the real scheme, B constructs a low-norm linear sharing matrix $M \in \mathbb{Z}^{l \times n}$.

Challenge. A gives a signal that it is ready to accept the challenge. Then it selects a message bit $b^* \in \{0, 1\}$ and sends the message bit to B. The simulator B responds with a ciphertext $c^* = (c_0^*, (c_j^*)_{j \in A^*})$ which is encrypted under the target attribute set $A^*$. It executes as follows: (3) The challenge ciphertext is as follows: Note that when the LWE oracle is a pseudorandom Thus, the ciphertext is as follows: The ciphertext is encrypted under the target attribute set $A^*$; as we know that
Continuation. After having obtained the challenge ciphertext, A is allowed to repeat the private key queries.

Decision. A eventually emits a guess $b'$, whether $c^*$ was actually a valid encryption of $b^*$ as requested. B uses the guess to determine an answer on the LWE oracle $O$.
If the adversary A succeeds in guessing the message bit (i.e., $b' = b^*$) with probability at least $1/2 + \varepsilon$, then the simulator B would correctly guess the nature of the LWE oracle with probability at least $1/2 + \varepsilon/2$.

Performance Analysis
Here, we give the comparison between our KP-ABE scheme and the related lattice-based ABE scheme in different aspects.
As shown in Table 1, the lattice-based ABE schemes in [8,15] just support a single AND gate or a single THRESHOLD gate in the attribute matching phase. But our scheme and [16] use the LSSS technique to support three operations on attributes, that is, AND, OR, and THRESHOLD. In addition, the lattice dimension in [8,15] mostly is $m > 5n \log q$. It will lead to a large trapdoor size. But the lattice dimension in our construction and [16] is approximately equal to $2n \log q$. Meanwhile, [8,15,16] introduce the trapdoor generation algorithm of GPV08 to generate a lattice basis as the trapdoor. But in our construction, we introduce the new trapdoor generation algorithm of MP12 [19]. The trapdoor is no longer a lattice basis as in [8,15,16]. The storage cost of a single trapdoor grows only linearly in the lattice dimension $m$ in our construction, rather than quadratically as a basis does in [8,15,16]. The trapdoor size is at least four times smaller than the others, even 36 times.
As shown in Table 2, we compare our KP-ABE scheme from lattices with the related lattice-based KP-ABE schemes in storage cost. To make the comparison clearer, here we let $s$ denote the maximum number of system attribute labels rather than $l$ in our scheme. Note that $l$ in our scheme denotes attribute labels, and $s = \max|l| < \ell$, where $\ell$ is the maximum number of system attributes in [16,17]. In particular, because we extended the traditional 1-dimensional (value-specified) attribute structures to 2-dimensional (label- and value-specified) ones, the number of system attribute labels is far less than the number of system attributes (i.e., $s < \ell$); the pp size and the msk size are particularly smaller than the others. Moreover, the $sk_u$ size and the ciphertext size are only correlated to the number of attributes in $A_u$ and $A_c$; they are actually lower than the others because the sizes of $sk_u$ and the ciphertext in [16,17] are related to the total number of system attributes. Besides, in [16,17], a set $\{1, \ldots, \ell\}$ is used to denote the system attributes and the number of system attributes is fixed in the Setup phase. But in our scheme, the 2-dimensional (label- and value-specified) attribute structure can ensure an unbounded attribute space; that is, new attributes can be added dynamically without reconstructing the system. Attribute values often contain more private information than attribute labels. By doing that, the attribute label is used to set the access structure, and the attribute value is hidden; it can resolve the privacy-preserving problem to some extent.
The detailed storage overhead comparison is shown in Figure 1. According to the suggestion given by Micciancio and Peikert in [19], we set the parameters $n = 284$ and $q = 2^{24}$. For the number of system attributes, according to the suggestion given in [27,28], we, respectively, let $\ell = 64$, $\ell = 128$, and $\ell = 256$. In our scheme, we classify the attributes and assign a label to each attribute. Multiple attribute values may have the same attribute label. Thus, we, respectively, let $s = 8$, $s = 16$, and $s = 32$. It is obvious that the space cost is remarkably reduced due to the 2-dimensional attribute structure and removing the reliance on the total number of system attributes.
As shown in Table 3, we compare our scheme with related lattice-based KP-ABE schemes on time complexity. According to the suggestion given in [19,27], we let $\ell = n/4$ and $\max|A_c| = l/2$. The encryption time complexity in our construction is equal to that of [16,17], that is, $O(n^3 m)$. But the actual encryption time in our construction would be 4 times that of [16,17]. As for the decryption time, in [16] the user's secret key is a $(\ell + 1)m \times (\ell + 1)m$ matrix, while it is a $2m \times m$ matrix in [17]; thus, the decryption time is longer than in our construction, because the user's secret key in our construction consists of some independent vectors which are related to the number of a user's attributes.
In summary, by introducing a new trapdoor generation algorithm and removing the reliance on the total number of system attributes, our lattice-based KP-ABE scheme solves the master secret key leakage problem. In addition, the 2-dimensional attribute structure enables our scheme to support unbounded attribute space and privacy preserving. The storage cost is remarkably reduced with an acceptable time cost. The flexible access policy makes the scheme in this paper more applicable to the distributed cloud storage environment.

Conclusion
In this paper, based on the LSSS technique, we propose a secure KP-ABE scheme from lattices which solves the leakage problem of the master secret key. In the scheme, we introduced a new trapdoor generation algorithm to generate a strong trapdoor. The pp size and msk size are both reduced. Moreover, by removing the reliance on the total number of system attributes, the $sk_u$ size and the ciphertext size are also optimized. The description of the attribute is also very flexible. Attribute label and attribute value together form an attribute. Thus, a new attribute value can be added at any time without rebuilding the system. The attribute space is unbounded. In addition, the scheme can also be extended to a lattice-based large universe multiauthority KP-ABE scheme. Each attribute authority can manage an attribute label and all the values under the attribute label. How to construct a lattice-based ABE scheme with multiple attribute authorities is our next research direction.

Data Availability
The data used to support the findings of this study are included within the paper.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.