The linear secret-sharing scheme (LSSS) is a useful tool for supporting flexible access policies in attribute-based encryption (ABE) schemes. In lattice-based ABE constructions, however, there is a subtle security problem: careless use of LSSS-based secret sharing over vectors can leak the master secret key. In this paper, we propose a new method that employs LSSS to build lattice-based key-policy attribute-based encryption (KP-ABE) and resolves this security issue. More specifically, no adversary can reconstruct the master secret key, since we introduce a new trapdoor generation algorithm that generates a strong trapdoor (instead of a lattice basis) as the master secret key and remove the dependency of the master secret key on the total number of system attributes. Meanwhile, to reduce the storage cost and support dynamic updating of attributes, we extend the traditional 1-dimensional attribute structure to a 2-dimensional one. This makes our construction remarkably efficient in space cost, with acceptable time cost. Finally, our scheme is proved to be secure in the standard model.

In 2005, Sahai and Waters [

The constructions of ABE are usually based on two different mathematical platforms: bilinear pairings and lattices. On the one hand, the quick progress in pairing-based ABE constructions [

In 2011, Zhang and Zhang [

Another issue in designing ABE schemes is the dimension of the attribute structure. The typical setting is to use a 1-dimensional structure. That is, a set

In this paper, we propose a secure LSSS-based KP-ABE scheme from lattices which can support a flexible access policy but has solved the master secret key leakage problem. In addition, we give a flexible attribute description which can add new attributes dynamically and we also reduce the sizes of public parameter, master key, user’s secret key, and ciphertext. The main contributions are as follows:

New method of LSSS-enabled flexible access policy without the security issue mentioned by Agrawal. In our construction, we use the LSSS technique to support a flexible access policy and resolve the security problem by preventing the adversary from reconstructing the master secret key. In previous LSSS-based KP-ABE schemes, the master secret key often consisted of several bases whose number was tied to the total number of system attributes. An adversary can reconstruct a full basis (i.e., master secret key) by making some correlated key queries [

Two-dimensional attribute structures that support dynamic attribute updating and reduce the size of parameters. In our scheme, we extended the traditional 1-dimensional

In 2012, Agrawal et al. proposed a fuzzy identity-based encryption scheme from lattices [

The rest of this paper is organized as follows. In Section

Note that

For prime

For a positive integer

The following two algorithms are introduced from MP12 [

A

For any integer

Algorithm

Algorithm

The vector

The following

For

The following algorithm is the encoding with full-rank differences (FRD) function. For a prime

FRD: for an input

Let

The following three lemmas will be used to prove that the decryption is correct.

Let

As a special case, Lemma

For a vector

A secret-sharing scheme over a collection

The shares for each party form a vector over

There exists a matrix

Linear reconstruction property: suppose a scheme’s access structure is LSSS. Let
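The linear reconstruction property, as an added example that is not code from the paper: it shares a vector secret coordinate-wise with a share-generating matrix and recovers it only from an authorized attribute set. The policy A AND (B OR C), the matrix `M`, the labels and the toy modulus `Q` are assumptions constructed for illustration.

```python
import random
Q = 257  # toy prime modulus (assumption for this example)
# Share-generating matrix for the constructed policy A AND (B OR C).
M = [[1, 1], [0, -1], [0, -1]]
ROWS = ["A", "B", "C"]  # attribute labelling each row of M

def share(secret_vec, rng):
    """Share each coordinate s: v = (s, r...), share_i = <M_i, v> mod Q."""
    shares = {name: [] for name in ROWS}
    for s in secret_vec:
        v = [s] + [rng.randrange(Q) for _ in range(len(M[0]) - 1)]
        for name, row in zip(ROWS, M):
            shares[name].append(sum(a * b for a, b in zip(row, v)) % Q)
    return shares

def recon_coeffs(attrs):
    """Solve sum_i w_i * M_i = (1, 0, ..., 0) mod Q; None if unauthorized."""
    idx = [i for i, name in enumerate(ROWS) if name in attrs]
    cols = len(M[0])
    # Augmented system: one equation per column of M, one unknown per held row.
    aug = [[M[i][c] % Q for i in idx] + [1 if c == 0 else 0] for c in range(cols)]
    pivots, r = [], 0
    for c in range(len(idx)):  # Gauss-Jordan elimination over Z_Q
        p = next((k for k in range(r, cols) if aug[k][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, Q)
        aug[r] = [x * inv % Q for x in aug[r]]
        for k in range(cols):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % Q for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] and not any(row[:-1]) for row in aug):
        return None  # (1, 0, ..., 0) is outside the span of the held rows
    w = [0] * len(idx)
    for k, c in enumerate(pivots):
        w[c] = aug[k][-1]
    return {ROWS[i]: w[j] for j, i in enumerate(idx)}

def reconstruct(shares, attrs):
    """Recombine the held shares with the coefficients; None if unauthorized."""
    w = recon_coeffs(attrs)
    if w is None:
        return None
    n = len(next(iter(shares.values())))
    return [sum(w[a] * shares[a][j] for a in w) % Q for j in range(n)]
```
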

Give a prime

The

If there exists an efficient, possibly quantum, algorithm for deciding the

In KP-ABE, the message is encrypted by using the attributes as public keys, and a user’s private key is related to the access policy which is defined by a set of attributes. A KP-ABE scheme consists of the following four algorithms.

Here, we give the definition of the security model which is adapted from [

In the traditional SampleLeft algorithm [

For

For completeness, we describe the algorithm in detail.

Sample a random vector

Let

Choose a Gaussian perturbation

Recall to Definition

Let

Construct

Output

In our scheme, all the universe attributes can be expressed by

The system first executes the

For _{1}, _{2}, ..., _{l}

Then it chooses a uniformly random vector

Construct

Compute

For each attribute value

Let

The secret key is

Let

Choose a uniformly random matrix

Compute

The ciphertext is

Let

Set the Gaussian parameter

If

In order to ensure the correctness of decryption, we need to ensure that the error term is less than

Let

From Section

By Lemma

By Lemma

Finally, by Lemma

Hence, the error term

To make the system work correctly, we need the following:

For the

For the IMSampleLeft and SampleRight algorithms to operate, it needs

For the error term to be less than

For Regev’s LWE reduction to apply, it needs

Suppose there exists a probabilistic polynomial-time (PPT) adversary

In Definition

Construct

For each attribute

For each attribute

As in the real scheme,

Let

For each attribute

Compute

Compute

Finally

Compute

Let

The challenge ciphertext is as follows:

Note that when the LWE oracle is a pseudorandom sampler

As we know

The ciphertext is encrypted under the target attribute set

When

If the adversary

Here, we give the comparison between our KP-ABE scheme and the related lattice-based ABE scheme in different aspects.

As shown in Table

Comparison of related schemes.

| Scheme | Access policy | Dimension | Trapdoor size |
|---|---|---|---|
| Reference [ | AND | | |
| Reference [ | THRESHOLD | | |
| Reference [ | AND, OR, and THRESHOLD | | |
| Ours | AND, OR, and THRESHOLD | | |

As shown in Table

The comparison between our scheme and related KP-ABE schemes.

| | Reference [ | Reference [ | Ours |
|---|---|---|---|
| Ciphertext size | | | |
| Privacy preserving | No | No | Yes |
| Attribute space | Bounded | Bounded | Unbounded |

Comparison of the storage overhead between our scheme and related lattice-based KP-ABE schemes. (a) _{u} size. (d) Ciphertext size.

As shown in Table

The comparison of time complexity.

| | Reference [ | Reference [ | Ours |
|---|---|---|---|
| Encryption | | | |
| Decryption | | | |

In summary, by introducing a new trapdoor generation algorithm and removing the reliance on the total number of system attributes, our lattice-based KP-ABE scheme solves the master secret key leakage problem. In addition, the 2-dimensional attribute structure enables our scheme to support unbounded attribute space and privacy preserving. The storage cost is remarkably reduced with an acceptable time cost. The flexible access policy makes the scheme in this paper more applicable to the distributed cloud storage environment.

In this paper, based on the LSSS technique, we propose a secure KP-ABE scheme from lattices that solves the master secret key leakage problem. In the scheme, we introduced a new trapdoor generation algorithm to generate a strong trapdoor. The

The data used to support the findings of this study are included within the paper.

The authors declare that there are no conflicts of interest regarding the publication of this paper.

This work was supported by the National Key R&D Program of China (2017YFB0803001), the Shandong Provincial Key Research and Development Program of China (2018CXGC0701), the National Natural Science Foundation of China (NSFC) (no. 61972050), the BUPT Excellent Ph.D. Students Foundation (nos. CX2019119 and CX2019233), the Team Project of Collaborative Innovation in Universities of Gansu Province (no. 2017‐16), and the Major Project of Gansu University of Political Science and Law (no. 2016XZD12).