AKC-Based Revocable ABE Schemes from LWE Assumption

School of Mathematical Sciences, Fudan University, Shanghai 200433, China; School of Mathematics, Shandong University, Jinan, Shandong 250100, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Jinan, Shandong 250100, China; School of Mathematics, Shandong University of Finance and Economics, Jinan, Shandong 250014, China; Tandon School of Engineering, New York University, New York City, USA


Introduction
In the 1990s, Shor [1] proposed a quantum algorithm capable of solving the integer factorization problem (IFP) and the discrete logarithm problem (DLP) in polynomial time, which drew wide attention to the development of quantum computers. Practical quantum computing, when available to cyber adversaries, will break the security of nearly all modern public-key cryptographic systems (including RSA and ECC) [2,3]. In response, cryptography researchers have begun working to replace classical public-key cryptosystems with systems that can resist quantum attacks, that is, postquantum cryptography [4]. Among all computational problems that are believed to be quantum-safe, lattice-based problems have emerged as an economical basis for quantum-safe encryption because of their strong security proofs, simplicity, and efficient implementation. In particular, the learning with errors (LWE) problem [5] has turned out to be an amazingly versatile basis for cryptographic constructions because of its rigorous reduction from the worst case of lattice problems. Recently, based on the hardness assumptions of the LWE problem and its variants, many postquantum cryptographic schemes [5][6][7][8][9][10][11][12][13][14][15][16][17] have been proposed, and they mainly focus on public-key encryption (PKE). The National Institute of Standards and Technology (NIST) [18] announced a formal call for proposals for postquantum cryptography, which promoted the update of public-key cryptographic algorithms and research on postquantum cryptographic algorithms. Thereafter, it provided the first-round submissions of postquantum cryptographic standard protocols [19]. Among them, PKE and key encapsulation mechanisms (KEM) based on LWE and its variants constitute the dominating set of PKE/KEM proposals.
The fundamental building tools of these proposals, i.e., the algorithms that show how to agree on an exact shared key from two close key exchange values, are referred to as key consensus (KC) or asymmetric key consensus (AKC) in [9][10][11][16]. The inequation of parameters for any KC and AKC reveals the inherent constraints among security, bandwidth, correctness, and consensus range. KC/AKC and its inequation are the basis for many lattice-based public-key encryption schemes, and they are also powerful tools for constructing public-key encryption.
In this work, we further demonstrate the power of KC/AKC by proposing two special types of public-key encryption schemes, i.e., revocable attribute-based encryption (RABE). As an extension of attribute-based encryption (ABE) [20], RABE [21][22][23][24][25][26] provides both fine-grained access control on encrypted data and revocation mechanisms for cases such as a change in a user's attributes or key exposure. The revocation mechanism in ABE can be roughly divided into two types: user-level user revocation [27][28][29] and attribute-level user revocation [30]. In user-level user revocation, when a user leaves the system, he/she should be revoked and cannot decrypt any ciphertext. In attribute-level user revocation, when some attributes of a user are removed, he/she will lose the authorities corresponding to these attributes. The methods for revocation can be divided into two types: indirect revocation [24,31,32] and direct revocation [33][34][35]. In indirect revocation schemes, the authority needs to hold the revocation list and issue key updates for nonrevoked users regularly. In addition, all nonrevoked users need to communicate with the authority and update their decryption keys periodically as well. However, in direct revocation schemes, the revocation list is defined by the message sender, who "embeds" it into the ciphertext during encryption. Therefore, the authority does not need to generate and issue key updates. We find that KC and AKC are fundamental and powerful tools for constructing RABE schemes, combined with full-rank difference (FRD) [36,37], trapdoor for lattices [38][39][40], sampling algorithms [36,41], leftover hash lemma [36], and binary tree structure [31][42][43][44][45].

Motivation.
The basic building blocks of the PKE/KEM protocols based on LWE and its variants submitted to the NIST, namely, KC/AKC, are significant for constructing general or special PKE schemes. Revocable ABE is an advanced form of PKE. Note that the existing lattice-based revocable ABE schemes are limited: [46] cannot resist collusion attacks, while [47] cannot really use the binary tree structure; in addition, as shown in Table 1, their models do not fully capture the security requirements for revocable ABE. Therefore, we put forward an LWE-based RABE scheme resistant to collusion attacks with a reasonable security model, inspired by the PKE/KEM protocols submitted to NIST [19], AKC [10][11][12][16], and Zhang et al. [48].

Our Contributions.
In this work, we further demonstrate the power of KC/AKC by proposing two special types of PKE schemes, namely, RABE. To be specific, on the basis of AKC and PKE/KEM protocols submitted to the NIST based on LWE and its variants, combined with full-rank difference, trapdoor on lattices, sampling algorithms, leftover hash lemma, and binary tree structure, we propose two directly revocable ciphertext-policy attribute-based encryption (DR-ABE) schemes from LWE. One achieves user-level user revocation, while the other achieves attribute-level user revocation. Both schemes support flexible threshold access policies on multivalued attributes. The size of the public key of our schemes can be reduced in the random oracle model. The two schemes imply the versatility of KC/AKC. The main advantages of our DR-ABE schemes are as follows:
Multibit encryption: the message sender is allowed to encrypt $M \in \mathbb{Z}_k$ instead of $M \in \{0, 1\}$.
Direct revocation: the revocation list is embedded into the ciphertext by the message sender; the authority does not have to generate and issue key updates; nonrevoked users do not need to communicate with the authority to update their decryption keys.
User-level and attribute-level user revocation: we provide two DR-ABE schemes with user-level and attribute-level user revocation, respectively. We use different techniques to construct these two schemes because the method of constructing the user-level scheme cannot be directly extended to the attribute-level scheme.
Fine-grained access control: our schemes support flexible threshold access policies on multivalued attributes.
Collusion resistance: users in the system cannot combine their information to illegitimately gain unauthorized data through collaboration.
Resistant against quantum attacks: the security of our schemes is reduced to the learning with errors (LWE) problem.
Decryption outsourced: most computational overhead of the end user in our DR-ABE schemes can be outsourced to a third party (Appendix D).
In Table 1, we compare the features of our schemes with other lattice-based ABE and revocable ABE schemes.
Note that Zhang et al. [48] did not consider revocation. Wang et al. [46] and Kang et al. [47] achieved attribute-level user revocation. In the security model of Wang et al. [46], after submitting the challenge access structure $\mathbb{A}^*$ and challenge revocation list $RL^* = \{RL_i^*\}$, the adversary can only issue key generation queries $(id, S = \{att_i\}_{i \in I})$ under the restriction $S \nvDash \mathbb{A}^*$, while in [47], there is a stricter restriction, $att_i \notin \mathbb{A}^*$. However, these restrictions are unreasonable, because the private key of the key generation query $(id, S)$ should be given to the adversary as long as the nonrevoked attribute set $S_{id,RL^*} = \{att_i \in S \mid id \notin RL_i^*, i \in I\}$ does not satisfy $\mathbb{A}^*$, which is the case in our security model for DR-ABE with attribute-level user revocation. In other words, Wang et al. [46] and Kang et al. [47] did not take into account all the key queries that an adversary could issue, while both of our schemes have considered all the situations of the key generation queries from the adversary. In Appendix D, we discuss how to outsource most computational overhead of the end user to an honest-but-curious third party.
In Table 2, we compare the efficiency of our schemes with other lattice-based ABE and revocable ABE schemes. Here, $N$ and $M$ stand for the number of users and attributes in the system, respectively. $r_i$ means the number of revoked users in the $i$-th attribute binary tree. $r_i'$ represents the number of revoked attributes in the $i$-th user binary tree. $\delta$ is a number such that $n^{1+\delta} > (n+1)\log q + \omega(\log n)$.
Zhang et al.'s scheme [48] has a relatively small size in every aspect because it does not take revocation into account. Wang et al.'s scheme [46] has a smaller public key size than our schemes since it is an indirect revocation mechanism, which gives rise to a large updated key size. Kang et al.'s scheme [47] is also an indirect revocation mechanism and has the smallest public key size; however, its security model is relatively unreasonable. It can be seen that the size of the public key and ciphertext in our schemes is larger than that of other schemes. This is because we adopt the direct revocation method, which allows senders to define the revocation list and greatly reduces the workload of the authority. Specifically, the authority does not need to generate and issue updated keys periodically. In Appendix C, we describe how to reduce the size of the public key in our schemes in the random oracle model. Briefly speaking, the size of the public key in the "our 1" and "our 2" schemes can be reduced from $(2N + M) \cdot o(n^{2+\delta})$ and $2NM \cdot o(n^{2+\delta})$ to $M \cdot o(n^{2+\delta})$ and $M \cdot o(n^{2+\delta})$, respectively.
Attribute-based encryption (ABE) [20] is a promising cryptographic primitive of public-key encryption that provides fine-grained access control on encrypted data. In 2006, Goyal et al. [67] extended the idea of ABE and classified ABE as key-policy ABE (KP-ABE) [68,69] and ciphertext-policy ABE (CP-ABE) [70,72]. In a KP-ABE scheme, the private key of a user is associated with an access policy, while the ciphertext is associated with a set of attributes. On the contrary, in a CP-ABE scheme, the private key of a user is associated with a set of attributes, and the ciphertext is associated with an access policy. Generally, CP-ABE is more flexible than KP-ABE since the former allows users to set their access policies when encrypting messages.
Many revocable attribute-based encryption schemes [21][22][23][24][25][26] based on classic assumptions (e.g., pairing-related assumptions) have been proposed. However, these schemes would not be secure against attacks from quantum computers. To mitigate this issue, Wang et al. [46] and Kang et al. [47] proposed indirectly revocable CP-ABE schemes from lattices. Both of their schemes achieve attribute-level user revocation. However, the scheme of Wang et al. [46] does not resist collusion attacks, that is, two users who do not satisfy the access structure can successfully decrypt the ciphertext through cooperation. Kang et al. [47] built $N$ user binary trees $\{BT_i\}_{i \in [1,N]}$, where $N$ is the maximum number of users. Each binary tree has $M$ leaf nodes, and each attribute is assigned to a leaf node in the binary tree, where $M$ is the number of attributes in the system. To revoke $r'$ attributes of a user, the authority actually needs to issue $M - r'$ (rather than $r'\log(M/r')$ as they claimed) associated key updates in the key updating phase since each attribute is assigned a different secret-shared key. In other words, they did not actually take advantage of the binary-tree data structure to reduce the burden of the authority during the key updating phase as [24,31,32] do.

Preliminaries
For notational convenience, we sometimes regard a matrix as simply a set of its column vectors. For a matrix $T$, let $\|T\|$ denote the $L_2$ length of its longest column, i.e., $\|T\| := \max_i \|t_i\|$; let $s_1(T)$ denote the largest singular value of $T$, i.e., $s_1(T) := \sup_{\|u\|=1} \|Tu\|$. Furthermore, if the columns of $T = \{t_1, \dots, t_k\}$ are linearly independent, let $\widetilde{T} := \{\widetilde{t}_1, \dots, \widetilde{t}_k\}$ denote the Gram-Schmidt orthogonalization of the vectors $t_1, \dots, t_k$ taken in that order. For two matrices $X \in \mathbb{R}^{n \times m_1}$ and $Y \in \mathbb{R}^{n \times m_2}$, let $(X\|Y) \in \mathbb{R}^{n \times (m_1+m_2)}$ denote the concatenation of the columns of $X$ followed by the columns of $Y$.
For two matrices $X \in \mathbb{R}^{n_1 \times m}$ and $Y \in \mathbb{R}^{n_2 \times m}$, let $(X; Y) \in \mathbb{R}^{(n_1+n_2) \times m}$ denote the concatenation of the rows of $X$ followed by the rows of $Y$.
For nonnegative integers $i < j$, let $[i, j]$ denote the set $\{i, i+1, \dots, j\}$. If $S$ is an attribute set and $\mathbb{A}$ is an access structure, then $S \vDash \mathbb{A}$ means that $S$ satisfies $\mathbb{A}$. If $S$ is a finite set, then $x \leftarrow S$ is the operation of choosing an element uniformly at random from $S$. For a probability distribution $D$, $x \leftarrow D$ denotes the operation of choosing an element according to $D$. If $c$ is either an algorithm or a set, then $x \leftarrow c$ is a simple assignment statement. The natural security parameter throughout this paper is $n$. A function $f(n)$ is negligible, denoted as $\mathrm{negl}(n)$, if for every $c > 0$, there exists $n_c$ such that $f(n) < 1/n^c$ for all $n > n_c$. We say that a probability is overwhelming if it is $1 - \mathrm{negl}(n)$. An algorithm is probabilistic polynomial-time (PPT) computable if it is modeled as a probabilistic Turing machine whose running time is bounded by some polynomial function.

Directly Revocable Attribute-Based Encryption.
A directly revocable ciphertext-policy attribute-based encryption (DR-ABE) scheme with user-level (resp. attribute-level) user revocation consists of the following four algorithms (Setup, Keygen, Enc, Dec):
Setup($n$, $R$, $N$): this algorithm takes as input a security parameter $n$, a system attribute set $R$, and a maximal number of users $N$ in the system and returns a public key PK and a master secret key MSK.
Keygen(PK, MSK, $id$, $S$): this algorithm takes as input a public key PK, a master secret key MSK, an identity $id$, and an attribute set $S = \{att_i\} \subseteq R$ for the user with identity $id$ and returns a private key $sk_{S,id}$.
Enc(PK, $\mathbb{A}$, RL, $M$): this algorithm takes as input a public key PK, an access structure $\mathbb{A} = (W = \{att_j\}_{j \in J}, t)$, a revocation list RL (resp. a family of attribute revocation lists $RL = \{RL_j\}_{j \in J}$, where $RL_j$ consists of identities whose $j$-th attribute is revoked), and a message $M$ and returns a ciphertext $C$.
Dec(PK, $sk_{S,id}$, $C$): this algorithm takes as input a public key PK, a private key $sk_{S,id}$ of identity $id$ with attribute set $S = \{att_i\}$, and a ciphertext $C$ encrypted under access structure $\mathbb{A}$ and RL; it first checks whether $S \vDash \mathbb{A}$ and $id \notin RL$ (resp. whether the set of nonrevoked attributes of the identity $id$, $S_{id,RL} = \{att_i \in S \mid id \notin RL_i\} \vDash \mathbb{A}$). If not, the algorithm returns a special symbol $\perp$ indicating decryption failure. Otherwise, it returns a message $M$.
Note that, for the DR-ABE scheme with attribute-level user revocation, it is reasonable that the message sender only needs to consider attribute revocation lists associated with his/her access structure.

Security Model for DR-ABE.
We now describe the selective security model for the DR-ABE scheme with user-level (resp. attribute-level) user revocation. The security model is described by the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.
Init: the adversary $\mathcal{A}$ chooses an access structure $\mathbb{A}^* = (W^*, t^*)$ with $W^* = \{att_j^*\}_{j \in J^*}$ and a revocation list $RL^*$ (resp. a family of attribute revocation lists $RL^* = \{RL_j^*\}_{j \in J^*}$) and submits them to the challenger $\mathcal{C}$.
Setup: $\mathcal{C}$ runs the Setup algorithm, gives the public key PK to $\mathcal{A}$, and keeps the master secret key MSK private.
Phase 1: $\mathcal{A}$ can adaptively make a number of key generation queries $(id, S)$, where $S = \{att_i\}_{i \in I}$. The restriction is that if $S \vDash W^*$, then $id \in RL^*$ (resp. the nonrevoked attribute set $S_{id,RL^*} = \{att_i \in S \mid id \notin RL_i^*, i \in I\}$ does not satisfy $\mathbb{A}^*$).
Challenge: $\mathcal{A}$ submits two equal-length messages, , and gives $C^*$ to $\mathcal{A}$.
Phase 2: it is the same as in Phase 1.
The advantage of adversary $\mathcal{A}$ in the above game is defined as
Definition 1. A directly revocable ciphertext-policy attribute-based encryption scheme is secure if the advantage $\mathrm{Adv}_{\mathcal{A}}(\lambda)$ is negligible in $\lambda$ for all polynomial-time adversaries $\mathcal{A}$.

Background on Lattices.
Let consist of $m$ linearly independent vectors. The $m$-dimensional full-rank lattice $\Lambda$ generated by the basis $B$ is the set For any positive integers $n$, $m$, and $q \ge 2$, a matrix $A \in \mathbb{Z}_q^{n \times m}$, and a vector $u \in \mathbb{Z}_q^n$, we For any vector $c \in \mathbb{R}^m$ and any parameter $\sigma \in \mathbb{R}_{>0}$, define The discrete Gaussian distribution over $\Lambda$ with center $c$ and Gaussian parameter $\sigma$ is $D_{\Lambda,\sigma,c}(y) = \rho_{\sigma,c}(y)/\rho_{\sigma,c}(\Lambda)$ for $\forall y \in \Lambda$. If $c = 0$, we conveniently use $\rho_\sigma$ and $D_{\Lambda,\sigma}$. In the following, we summarize some basic properties of the discrete Gaussian distribution.
[Table 2: pk size, sk size, updated key size, and ciphertext size of the compared schemes, starting with Zhang et al. [48]; table body not recovered.]
Lemma 1 (see [73]). Let $n$, $m$, and $q$ be positive integers with
Lemma 2 (see [73]). Let $n, m, q > 0$ be positive integers with $m \ge 2n \log q$ and $q$ being a prime. Let $\sigma$ be any positive real number such that $\sigma \ge \omega(\sqrt{\log m})$. Then, for $A \leftarrow \mathbb{Z}_q^{n \times m}$ and $e \leftarrow D_{\mathbb{Z}^m,\sigma}$, the distribution of $u = Ae \bmod q$ is statistically close to uniform over $\mathbb{Z}_q^n$. Furthermore, for fixed $u \in \mathbb{Z}_q^n$, the conditional distribution of $e \leftarrow D_{\mathbb{Z}^m,\sigma}$, given $Ae = u \bmod q$ for

The LWE Hardness Assumption.
Security of our construction reduces to the learning with errors (LWE) problem defined by Regev [5].
Definition 2. Consider a prime $q$, a positive integer $n$, and a distribution $\chi$ over $\mathbb{Z}_q$, all public. A $(\mathbb{Z}_q, n, \chi)$-LWE problem instance consists of access to an unspecified challenge oracle $O$, being either a noisy pseudo-random sampler $O_s$ carrying some constant random secret key $s \in \mathbb{Z}_q^n$ or a truly random sampler $O_\$$, whose behaviors are, respectively, as follows: where $s \in \mathbb{Z}_q^n$ is a uniformly distributed persistent value invariant across invocations, $x_i \in \mathbb{Z}_q$ is a fresh sample from $\chi$, and $u_i$ is uniform in $\mathbb{Z}_q^n$
$O_\$$: outputs truly uniform random samples from $\mathbb{Z}_q^n \times \mathbb{Z}_q$
The $(\mathbb{Z}_q, n, \chi)$-LWE problem allows repeated queries to the challenge $O$. We say that an algorithm $\mathcal{A}$ decides the [5] and Peikert [74] showed that, for certain noise distribution $\chi$, denoted as $\Psi_\alpha$, the LWE problem is hard.
Definition 3. Consider a real number $\alpha = \alpha(n) \in (0, 1)$ and a prime $q$. Let $\mathbb{T} := \mathbb{R}/\mathbb{Z}$ be the group of real numbers $[0, 1)$ with addition modulo 1. Define by $\Psi_\alpha$ the distribution over $\mathbb{T}$ of a normal variable with mean 0, standard deviation $\alpha/\sqrt{2\pi}$, and reduced modulo 1, i.e., We denote by $\Psi_\alpha$ the discrete distribution over $\mathbb{Z}_q$ of the random variable $\lfloor q \cdot X_{\Psi_\alpha} \rfloor \bmod q$, where the random variable $X_{\Psi_\alpha} \in \mathbb{T}$ has distribution $\Psi_\alpha$.
. If there exists an efficient (possibly quantum) algorithm which solves the $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem, then there exists an efficient quantum algorithm for approximating SIVP in the $\ell_2$ norm, in the worst case, to within $O(n/\alpha)$ factors.
The following lemma about the distribution $\Psi_\alpha$ will be used to analyze the correctness of our constructions in Sections 4 and 5.
Lemma 4 (see [36]). Let $e$ be some vector in $\mathbb{Z}^m$ and $x \leftarrow \Psi_\alpha^m$. Then, the quantity $|e^\top x|$, treated as an integer in with all but negligible probabilities in $m$. In particular, if $x \leftarrow \Psi_\alpha$ is treated as an integer in $[0, q-1]$, then $|x| \le q\alpha\,\omega(\sqrt{\log m}) + 1/2$ with all but negligible probabilities in $m$.

Technical Tools
In this section, we introduce the notion of AKC given in [9,11,17] and some other related technical tools in this paper.

Asymmetric Key Consensus
Definition 4. An asymmetric key consensus scheme AKC = (params, Con, Rec) is specified as follows: are positive integers and aux denotes some auxiliary values that are usually determined by $(q, k, g, d)$ and could be set to be empty.
(ii) $v \leftarrow \mathrm{Con}(\sigma_1, k_1, \mathrm{params})$: on inputting $(\sigma_1 \in \mathbb{Z}_q, k_1 \in \mathbb{Z}_k, \mathrm{params})$, the probabilistic polynomial-time conciliation algorithm Con outputs the public hint params), the deterministic polynomial-time algorithm Rec outputs $k_2 \in \mathbb{Z}_k$.
Correctness: an AKC scheme is correct if it holds $k_1 = k_2$ for any $\sigma_1, \sigma_2 \in \mathbb{Z}_q$ such that $|\sigma_1 - \sigma_2|_q \le d$.
Security: an AKC scheme is secure if $v$ is independent of $k_1$ whenever $\sigma_1$ is uniformly distributed over $\mathbb{Z}_q$. Specifically, for arbitrary $v \in \mathbb{Z}_g$ and
Security and Communication Networks
where the probability is taken over $\sigma_1 \leftarrow \mathbb{Z}_q$ and the random coins used by Con.
Next, we review the construction and analysis of the instantiated AKC called asymmetric key consensus with noise (AKCN) in [11]. The illustration diagram is given in Algorithm 1. When the parameters $q = 2^{\bar{q}}$ and $k = 2^{\bar{k}}$ are powers of 2, AKCN can be simplified as AKCN power 2 [9].
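Added example, not code from the paper: a rounding-based Con/Rec pair of the AKCN form, checked exhaustively against the correctness and security conditions of Definition 4. The Con and Rec formulas and the parameter inequality $(2d+1)k < q(1 - k/g)$ are taken from the AKCN literature and are an assumption here because Algorithm 1 is not reproduced in this text; Con is deterministic in this sketch, and the toy parameters q = 257, k = 4, g = 16 and all function names are chosen for illustration.

```python
from collections import Counter

# Toy parameters (assumed for illustration, not the paper's parameter set).
Q, K, G, D = 257, 4, 16, 23


def round_div(num, den):
    """Nearest integer to num/den (den > 0), ties rounded up, exact arithmetic."""
    return (2 * num + den) // (2 * den)


def cyclic_dist(a, b, q=Q):
    """|a - b|_q: distance between a and b on the cycle Z_q."""
    diff = (a - b) % q
    return min(diff, q - diff)


def con(sigma1, k1, q=Q, k=K, g=G):
    """Sender side: hint v = round(g/q * (sigma1 + round(k1*q/k))) mod g."""
    encoded = sigma1 + round_div(k1 * q, k)
    return round_div(g * encoded, q) % g


def rec(sigma2, v, q=Q, k=K, g=G):
    """Receiver side: k2 = round(k * (v/g - sigma2/q)) mod k."""
    return round_div(k * (v * q - sigma2 * g), g * q) % k


def params_ok(q=Q, k=K, g=G, d=D):
    """Parameter inequality (2d+1)k < q(1 - k/g), cleared of fractions."""
    return (2 * d + 1) * k * g < q * (g - k)


def max_tolerated_d(q=Q, k=K, g=G):
    """Largest d satisfying the inequality, or -1 if even d = 0 violates it."""
    bound = (q * (g - k) - 1) // (k * g)  # largest integer allowed for 2d+1
    return (bound - 1) // 2


def correctness_failures(d, q=Q, k=K, g=G):
    """Count (sigma1, sigma2, k1) with |sigma1 - sigma2|_q <= d and k2 != k1."""
    failures = 0
    for sigma1 in range(q):
        for delta in range(-d, d + 1):
            sigma2 = (sigma1 + delta) % q
            for k1 in range(k):
                if rec(sigma2, con(sigma1, k1, q, k, g), q, k, g) != k1:
                    failures += 1
    return failures


def hint_distribution(k1, q=Q, k=K, g=G):
    """Distribution of the hint v over uniform sigma1, for a fixed key k1."""
    return Counter(con(sigma1, k1, q, k, g) for sigma1 in range(q))


if __name__ == "__main__":
    print("largest d allowed by the inequality:", max_tolerated_d())
    print("failures at d = 23:", correctness_failures(23))
    print("failures at d = 24:", correctness_failures(24))
    same = all(hint_distribution(k1) == hint_distribution(0) for k1 in range(K))
    print("hint distribution independent of k1:", same)
```

With these parameters the inequality holds up to d = 23; at d = 24 the pair (σ1, σ2) = (120, 96) with k1 = 2 already reconciles to the wrong key, which is the correctness/range trade-off the parameter inequation expresses.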

Full-Rank Difference Encoding (FRD).
In our construction and proof of security, we need an encoding function $H: \mathbb{Z}_q^n \to \mathbb{Z}_q^{n \times n}$ to map attributes in $\mathbb{Z}_q^n$ to matrices in $\mathbb{Z}_q^{n \times n}$.
Definition 5 (see [36,37]). Let q be a prime and n a positive integer. We say that a function H:

Trapdoors for Lattices.
We review two trapdoor generation algorithms in the following lemma. The first algorithm generates a matrix $A \in \mathbb{Z}_q^{n \times m}$ that is statistically close to uniform, together with a short trapdoor basis for the associated lattice $\Lambda_q^\perp(A)$. The second algorithm generates a basis for the lattice $\Lambda_q^\perp(G)$, where $G$ is what they call the primitive matrix.
Lemma 5 (see [38][39][40]). Let $n, m, q > 0$ be positive integers with $m \ge 2n \log q$ and $q$ being a prime. Then, we have
(i) [38][39][40], a PPT algorithm TrapGen that outputs a pair $(A, T_A) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}^{m \times m}$ such that $A$ is full rank and statistically close to uniform and $T_A$ is a basis for [40], a fixed full rank matrix $G \in \mathbb{Z}_q^{n \times m}$ such that the lattice $\Lambda_q^\perp(G)$ has a publicly known basis $T_G \in \mathbb{Z}^{m \times m}$ with $\|T_G\| \le \sqrt{5}$

Sampling Algorithms.
The following SampleLeft [36,41] and SampleRight [36] algorithms will be used to sample short vectors in our construction and in the simulation, respectively.
Lemma 6. Let integers $q > 2$ and $m > n$. There is an efficient PPT algorithm SampleLeft$(A, B, u, T_A, \sigma)$ which takes as input a full-rank matrix $A \in \mathbb{Z}_q^{n \times m}$, a matrix $B \in \mathbb{Z}_q^{n \times m}$, a vector $u \in \mathbb{Z}_q^n$, a basis $T_A \in \mathbb{Z}^{m \times m}$ of $\Lambda_q^\perp(A)$, and a Gaussian parameter $\sigma > \|T_A\| \cdot \omega(\sqrt{\log(m + m)})$ and outputs a vector $e \in \mathbb{Z}^{m+m}$ distributed statistically close to $D_{\Lambda_q^u([A\|B]),\sigma}$.

Lemma 7.
Let integers $q > 2$ and $m > n$. There is an efficient PPT algorithm SampleRight (A, B, Ru,
3.6. The Binary-Tree Data Structure.
Our construction makes use of the binary-tree data structure, as with [31][42][43][44][45]. This structure uses a node selection algorithm called KUNodes. In the algorithm, we use the following notations: BT denotes a binary tree. root denotes the root node of BT. $\theta$ denotes a node in the binary tree, and $\nu$ emphasizes that the node $\theta$ is a leaf node. The set Path(BT, $\nu$) stands for the collection of nodes on the path from the leaf $\nu$ to the root (including $\nu$ and the root). If $\theta$ is a nonleaf node, then $\theta_\ell$ and $\theta_r$ denote the left and right child of $\theta$, respectively. The KUNodes algorithm takes as input a binary tree BT and a revocation list RL and outputs a set of nodes $Y$, which is the smallest subset of nodes that contains an ancestor of all the leaf nodes corresponding to nonrevoked indexes. The description of the KUNodes algorithm is as follows:
KUNodes(BT, RL):
$X, Y \leftarrow \emptyset$;
$\forall \nu \in RL$: add Path(BT, $\nu$) to $X$
$\forall \theta \in X$: if $\theta_\ell \notin X$, then add $\theta_\ell$ to $Y$; if $\theta_r \notin X$, then add

DR-ABE with User-Level User Revocation
KC/AKC is fundamental and powerful for constructing PKE schemes. To demonstrate the versatility of KC/AKC, we propose two DR-ABE schemes from lattices based on AKCN (Algorithm 1), which support user-level user revocation and attribute-level user revocation in Sections 4 and 5, respectively.

Construction Details.
The main ideas behind our construction can be described as follows. We assign identity $id$ to a leaf node $\nu_{id}$ in the binary tree BT. Then, we store the attribute set $S$ of $id$ in every node $\theta \in \mathrm{path}(BT, \nu_{id})$: for each $\theta$, the random vector $u$ in the public key is secret-shared into vectors $u_{\theta,i}$, where $u_{\theta,i}$ is associated with attribute $att_i$. If $id \notin RL$ and $S \vDash \mathbb{A}$, then there exists a node $\theta^* \in \mathrm{path}(BT, \nu_{id}) \cap \mathrm{KUNodes}(BT, RL)$, and $u$ can be recovered using $u_{\theta^*,i}$.
For convenience, it is assumed that there are $\ell$ attributes in our system, and the $i$-th attribute is associated with a value space $R_i \subseteq \mathbb{Z}_q^n \setminus \{0\}$. Let $R = R_1 \times \cdots \times R_\ell$ denote the attribute space. We also define $d$ default attributes
Setup($n$, $R$, $N$): on inputting a security parameter $n$, a system attribute set $R = R_1 \times \cdots \times R_\ell$, and a maximal number of users $N$ in the system, this algorithm sets the primitive matrix $G$ (with public trapdoor $T_G$, see Lemma 5) and the parameters $q$, $m$, $\alpha$, $\sigma$, $k$, $g$, and $d$ as specified in Section 4.4. Then, it performs as follows:
(1) Run $(A, T_A) \leftarrow \mathrm{TrapGen}(n, m, q)$.
(2) Choose $B_i \leftarrow \mathbb{Z}_q^{n \times m}$ for $i \in I$.
Keygen(PK, MSK, $id$, $S$): on inputting the public key PK, the master secret key MSK, an identity $id$, and the attribute set $S = \{att_i\}_{i \in I}$ of $id$, where $I \subseteq I_1$ and $att_i \in R_i$, it goes as follows:
(1) Pick an unassigned leaf node $\nu_{id}$ from BT and store $id$ in that node. For each $\theta \in \mathrm{path}(BT, \nu_{id})$, randomly choose $n$ degree $d$ polynomials $p_{\theta,1}(x), \dots,$ for $i \in I$, and sample $e_{\theta,i} \leftarrow$ SampleLeft($A$, ) as the private key.
Note that for any $\theta \in \mathrm{path}(BT, \nu_{id})$ and any subset $K \subseteq I \cup I_2$ with $|K| = d + 1$, we have $u = \sum_{i \in K} L_i \cdot u_{\theta,i}$, where the Lagrange coefficient $L_i = \prod_{j \in K, j \ne i} (-j) / \prod_{j \in K, j \ne i} (i - j)$.
Enc(PK, $(W, t)$, RL, $M$): on inputting a public key PK, an attribute set $W = \{att_j\}_{j \in J_1}$, an integer $1 \le t \le \min(|W|, d)$, a revocation list RL consisting of revoked identities, and a message $M \in \mathbb{Z}_k$, it works as follows:
(1) Choose $s \leftarrow \mathbb{Z}_q^n$ and compute and , $\{c_\theta\}_{\theta \in \mathrm{KUNodes}(BT, RL)}$ ) as the ciphertext.

Dec(PK, $sk_{S,id}$, $C$): on inputting the public key PK, the private key $sk_{S,id}$ of identity $id$ with attribute set $S = \{att_i\}_{i \in I}$, and a ciphertext $C$ encrypted under access structure $(W = \{att_j\}_{j \in J_1}, t)$ and revocation list RL,
(1) If $|S \cap W| < t$ or $id \in RL$, return $\perp$.

Security.
In this section, we prove the security of our construction of the DR-ABE scheme with user-level user revocation in the selective model in Definition 1. The proof is given in Appendix A.

Theorem 4.
For appropriate parameters $n$, $m$, $q$, $\sigma$, and $\alpha$, the above DR-ABE scheme with user-level user revocation is secure provided that the $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem is hard.

DR-ABE with Attribute-Level Revocation
In this section, based on AKCN (Algorithm 1), we propose a DR-ABE scheme from lattices, achieving attribute-level user revocation and flexible threshold access policies on multivalued attributes, which further illustrates the utility and versatility of KC/AKC.

Construction Details.
The idea of constructing DR-ABE with user-level user revocation in Section 4 cannot be extended to constructing DR-ABE with attribute-level user revocation directly for the following reason. Suppose we associate every attribute $att_i$ with a binary tree $BT_i$ of depth $L$. For each $id$, we link $id$ to a leaf node $\nu_{id,i}$ of $BT_i$. Then, for each $l \in [L]$, the random vector $u$ in the public key is secret-shared into vectors $u_{l,i}$, where $u_{l,i}$ is associated with the node of depth $l$ in $\mathrm{path}(BT, \nu_{id,i})$ of $BT_i$. Now, if the nonrevoked attribute set $S_{id,RL=\{RL_i\}} = \{att_i \mid id \notin RL_i\}$ of $id$ satisfies the access structure, then $u$ should be recovered if the extension works. Now, for each $att_i \in S_{id,RL}$, there exists $\theta_i \in \mathrm{path}(BT, \nu_{id,i}) \cap \mathrm{KUNodes}(BT_i, RL_i)$, and thus, $u_{\theta_i,i}$ can be recovered. However, we cannot recover $u$ since the nodes $\theta_i$ may not be at the same depth.
The main ideas behind our construction can be described as follows. The random vector $u$ in the public key is secret-shared into vectors $u_i$, where $u_i$ is associated with the $i$-th attribute $att_i$ of the identity $id$. To revoke $att_i$ of $id$, we further split each $u_i$ into two random vectors $u_i'$ and $u_i''$, corresponding to $att_i$ and $id$, respectively. If $att_i$ of $id$ is revoked, $u_i''$ and, therefore, $u_i$ cannot be recovered. In this way, $u$ can be recovered only if the set of nonrevoked attributes of $id$ satisfies the threshold access policy, thereby achieving the revocation of part of the attributes of $id$.
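Added example, not code from the paper: KUNodes from Section 3.6 on a heap-numbered complete tree, the path/cover intersection that Section 4 uses to locate $\theta^*$, and the depth mismatch described above for per-attribute trees. The heap numbering, function names and sample revocation lists are assumptions; the final steps of KUNodes, which are cut off in the text, follow the standard algorithm except that the root is added only when nothing is revoked.

```python
from itertools import combinations


def path_to_root(leaf):
    """Path(BT, leaf): the leaf, its ancestors and the root (heap numbering, root = 1)."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes


def depth(node):
    """Depth of a node in heap numbering; the root has depth 0."""
    return node.bit_length() - 1


def kunodes(num_leaves, revoked_leaves):
    """Minimal node set covering every nonrevoked leaf and no revoked leaf.

    The tree is complete; its leaves are numbered num_leaves .. 2*num_leaves - 1.
    """
    if num_leaves < 1 or num_leaves & (num_leaves - 1):
        raise ValueError("num_leaves must be a power of two")
    x = set()
    for leaf in revoked_leaves:
        if not num_leaves <= leaf < 2 * num_leaves:
            raise ValueError(f"{leaf} is not a leaf of this tree")
        x.update(path_to_root(leaf))
    y = set()
    for theta in x:
        if theta >= num_leaves:  # leaves have no children
            continue
        for child in (2 * theta, 2 * theta + 1):
            if child not in x:
                y.add(child)
    # Textbook KUNodes adds the root whenever Y is empty. Here the root is added
    # only for an empty revocation list, so revoking every leaf gives an empty cover.
    if not x:
        y.add(1)
    return y


def cover_node(num_leaves, revoked_leaves, leaf):
    """The node in Path(BT, leaf) ∩ KUNodes(BT, RL), or None for a revoked leaf."""
    hits = set(path_to_root(leaf)) & kunodes(num_leaves, revoked_leaves)
    assert len(hits) <= 1  # subtrees of cover nodes are disjoint
    return next(iter(hits), None)


def check_all_revocation_lists(num_leaves):
    """Exhaustively confirm: a leaf has a cover node iff it is not revoked."""
    leaves = range(num_leaves, 2 * num_leaves)
    for size in range(num_leaves + 1):
        for rl in combinations(leaves, size):
            for leaf in leaves:
                if (leaf in rl) != (cover_node(num_leaves, rl, leaf) is None):
                    return False
    return True


def per_attribute_depths(num_leaves, leaf_of_id, revocation_lists):
    """Depth of the user's cover node in each attribute tree BT_i (None if revoked)."""
    result = {}
    for att, rl in revocation_lists.items():
        node = cover_node(num_leaves, rl, leaf_of_id[att])
        result[att] = None if node is None else depth(node)
    return result


if __name__ == "__main__":
    # Constructed sample: 8 users at leaves 8..15, users at leaves 10 and 13 revoked.
    print("cover:", sorted(kunodes(8, [10, 13])))
    print("theta* for leaf 8:", cover_node(8, [10, 13], 8))
    print("theta* for revoked leaf 10:", cover_node(8, [10, 13], 10))
    # Per-attribute trees: same user, different revocation lists per attribute.
    print(per_attribute_depths(8, {"att1": 8, "att2": 8}, {"att1": [9], "att2": [15]}))
```

In the last call the user's cover nodes sit at depths 3 and 1, so shares tied to a fixed depth $l$ cannot be combined across the two attribute trees.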
For convenience, we use the notations from Section 4.
Setup($n$, $R$, $N$): on inputting a security parameter $n$, a system attribute set $R = R_1 \times \cdots \times R_\ell$, and a maximal number of users $N$ in the system, this algorithm sets the primitive matrix $G$ (with public trapdoor $T_G$, see Lemma 5) and the parameters $q$, $m$, $\alpha$, $\sigma$, $k$, $g$, and $d$ as specified in Section 4.4. Then, it performs as follows:
(1) Run $(A, T_A) \leftarrow \mathrm{TrapGen}(n, m, q)$.
(2) Choose $B_i \leftarrow \mathbb{Z}_q^{n \times m}$ for $i \in I$.
(3) Choose $u \leftarrow \mathbb{Z}_q^n$.
(4) Choose a full-rank difference map $H: \mathbb{Z}_q^n \to \mathbb{Z}_q^{n \times n}$.
(5) Build a family of binary trees $BT = \{BT_i\}_{i \in I_1}$, where each $BT_i$ has $N$ leaf nodes. For each $i \in I_1$ and each node $\theta \in BT_i$, choose "identifier" $D_{i,\theta} \leftarrow \mathbb{Z}_q^{n \times m}$.
(6) Return $PK = (A, \{B_i\}_{i \in I}, u, H, BT)$ and $MSK = T_A$.
Keygen(PK, MSK, $id$, $S$): on inputting the public key PK, the master secret key MSK, an identity $id$, and the attribute set $S = \{att_i\}_{i \in I}$ of $id$, where $I \subseteq I_1$ and $att_i \in R_i$, it goes as follows: such that $u = (p_1(0), \dots, p_n(0))^\top$. For each $i \in I \cup I_2$, let $u_i = (p_1(i), \dots, p_n(i))^\top$.
(2) For each $i \in I$, pick an unassigned leaf node $\nu_{id,i}$ from $BT_i$ and store $id$ in that node. Choose $u_i' \leftarrow \mathbb{Z}_q^n$ and set $u_i$ , $\{e_i\}_{i \in I_2}$ ) as the private key.
Note that, for any subset $K \subseteq I \cup I_2$,
Enc(PK, $(W, t)$, RL, $M$): on inputting a public key PK, an attribute set $W = \{att_j\}_{j \in J_1}$, an integer $1 \le t \le \min(|W|, d)$, a family of attribute revocation lists $RL = \{RL_j\}_{j \in J_1}$, where each $RL_j$ consists of identities whose $j$-th attribute is revoked, and a message $M \in \mathbb{Z}_k$, it works as follows:
(1) Choose $s \leftarrow \mathbb{Z}_q^n$ and compute and ) as the ciphertext.
Dec(PK, $sk_{S,id}$, $C$): on inputting the public key PK, the private key $sk_{S,id}$, and a ciphertext $C$, it works as follows.

Security.
In this section, we prove the security of our DR-ABE scheme with attribute-level user revocation. The proof is given in Appendix B.
Theorem 5. For appropriate parameters $n$, $m$, $q$, $\sigma$, and $\alpha$, the above DR-ABE scheme with attribute-level user revocation is secure provided that the $(\mathbb{Z}_q, n, \Psi_\alpha)$-LWE problem is hard.

Parameters.
The parameters are the same as those of Section 4.4.

Conclusion
In this work, we demonstrate the power of KC/AKC by proposing two special types of PKE schemes. Specifically, on the basis of AKC, combined with PKE/KEM protocols submitted to the NIST, FRD, trapdoor for lattices, Gaussian sampling, leftover hash lemma, and the binary tree structure, we propose two special kinds of PKE schemes, i.e., directly revocable ciphertext-policy attribute-based encryption schemes from LWE. One achieves user-level user revocation, while the other achieves attribute-level user revocation. Both schemes inherit the main advantages of the direct revocation mechanism: the revocation list is defined by the message sender, and the authority no longer needs to generate and issue key updates. In addition, both schemes support multibit encryption and flexible threshold access policies on multivalued attributes. The size of the public key of our schemes can be reduced in the random oracle model. Most parts of the decryption work can be outsourced to a third party as well. Our schemes are proved to be secure against quantum attacks in the standard model, assuming the hardness of the LWE problem. The two schemes imply the versatility of KC/AKC. Compared with other existing lattice-based revocable CP-ABE schemes, our schemes have a reasonable security guarantee.
Note that, by Lemma 3, the pair $(A, u)$ is computationally indistinguishable from its distribution in the real attack. Applying Lemma 9, we know that $\{B_i\}_{i \in I}$ and $\{D_\theta\}_{\theta \in BT}$ are statistically close to uniform even given more information about $(R_i^*)^\top x$ and $(R_\theta^*)^\top x$, respectively. Hence, the distribution of the public key in the simulation is indistinguishable from that in the real attack, and $\mathcal{A}$ gains negligible information about $\{R_i^*\}_{i \in I}$ and $\{R_\theta^*\}_{\theta \in BT}$ from the public key. According to Lemmas 2, 6, and 7, the output distribution of the key generation simulation using the SampleRight algorithm is statistically close to that in the real attack.
If $O(\cdot) = O_{s^*}$ for some $s^*$, we claim that the challenge ciphertext $C^*$ is a valid ciphertext for $s = Ds^*$, R * Therefore, the ciphertext is the same as the view of $\mathcal{A}$ in the real attack. Hence, if $\mathcal{A}$ guesses $b$ correctly with probability noticeably greater than 1/2, then $\mathcal{B}$ succeeds in its game with the same probability. Otherwise, if $O(\cdot) = O_\$$, by Theorem 3, $c_0$ and $M_b$ are independent. Since $M_b$ is uniformly distributed, the probability that $\mathcal{A}$ guesses $b$ correctly is exactly 1/2. In short, if $\mathcal{A}$ breaks the security of our DR-ABE with user-level user revocation, then $\mathcal{B}$ solves the underlying LWE problem.

B. Proof of Theorem 5
Proof. Suppose there exists a PPT adversary $\mathcal{A}$ that breaks the security of our DR-ABE scheme with nonnegligible probability. Then we can construct an algorithm $\mathcal{B}$ that solves the LWE problem with the same advantage.
Note that $\mathcal{B}$ has an oracle $O(\cdot)$ and wants to determine whether it is a noisy pseudo-random sampler $O_{s^*}$ for some $s^* \in \mathbb{Z}_q^n$ or a truly random sampler $O_\$$. To this end, $\mathcal{B}$ proceeds as follows:

Init: $\mathcal{A}$ submits a challenge access structure $\mathbb{A}^* = (W^* = \{att_j^*\}_{j \in J_1^*}, t^*)$ and a family of challenge attribute revocation lists RL * = RL * , chooses an FRD map $H: \mathbb{Z}_q^n \to \mathbb{Z}_q^{n \times n}$, and builds a family of binary trees $BT = \{BT_i\}_{i \in I_1}$, where each $BT_i$ has $N$ leaf nodes.
(i) For each $j \in J_1^*$ and each $\theta \in BT_j$, $\mathcal{B}$ randomly

Finally, $\mathcal{B}$ sends the public key $PK = \{A, \{B_i\}_{i \in I}, u, H, BT\}$ to $\mathcal{A}$ and keeps $(\{R_j^*\}_{j \in I}, \{R_{j,\theta}^*\}_{j \in I_1, \theta \in BT_j}, v_u, v)$ secret.

Phases 1 and 2: when $\mathcal{B}$ receives a key generation query

Otherwise, for each $i \in I$, $\mathcal{B}$ picks an unassigned leaf node $\nu_{id,i}$ from $BT_i$ and stores id in that node. Let $S_{id,RL^*} \cap W^* = \{att_j\}_{j \in K}$, and we have $|K| < t^*$; thus, $|K \cup J_2^*| \le d$. Then, $\mathcal{B}$ chooses a set $K'$ such that $K \cup J_2^* \subseteq K' \subseteq I \cup I_2$ and $|K'| = d$.

and sample $e_j \leftarrow \mathrm{SampleRight}(A, G, R_j^*, u_j, T_G, \sigma)$. Note that, by Lemma 3, the pair $(A, u)$ is computationally indistinguishable from its distribution in the real attack. Applying Lemma 9, we know that $\{B_i\}_{i \in I}$ and $\{D_{i,\theta}\}_{i \in I_1, \theta \in BT_i}$ are statistically close to uniform even given more information about $(R_i^*)^\top x$ and $(R_{i,\theta}^*)^\top x$, respectively. Hence, the distribution of the public key in the simulation is indistinguishable from that in the real attack, and $\mathcal{A}$ gains negligible information about $\{R_i^*\}_{i \in I}$ and $\{R_{i,\theta}^*\}_{i \in I_1, \theta \in BT_i}$ from the public key. According to Lemmas 2, 6, and 7, the output distribution of the key generation simulation using the SampleRight algorithm is statistically close to that in the real attack.
If $O(\cdot) = O_{s^*}$ for some $s^*$, we claim that the challenge ciphertext $C^*$ is a valid ciphertext for $s = Ds^*$, $\{R_i^*\}_{i \in J_1^* \cup J_2^*}$, and $\{R_{i,\theta}^*\}_{i \in J_1^*, \theta \in \mathrm{KUNodes}(BT_i, RL_i^*)}$: note that, for each $j \in J_1^*$ and each $\theta \in$ KUNodes($BT_j$, Therefore, the ciphertext is the same as the view of $\mathcal{A}$ in the real attack. Hence, if $\mathcal{A}$ guesses $b$ correctly with probability noticeably greater than 1/2, then $\mathcal{B}$ succeeds in its game with the same probability. Otherwise, if $O(\cdot) = O_\$$, by Theorem 3, $c_0$ and $M_b$ are independent. Since $M_b$ is uniformly distributed, the probability that $\mathcal{A}$ guesses $b$ correctly is exactly 1/2. In short, if $\mathcal{A}$ breaks the security of our DR-ABE, then $\mathcal{B}$ solves the underlying LWE problem.

C. Reducing the Size of the Public Key
Our DR-ABE scheme with user-level (resp. attribute-level) revocation has a relatively large public key, and its dependence on the number of users $N$ in the system is due to the fact that each node $\theta$ in $BT$ (resp. each $BT_i$) is associated with a uniformly random matrix $D_\theta \in \mathbb{Z}_q^{n \times m}$ (resp. $D_{i,\theta} \in \mathbb{Z}_q^{n \times m}$). In fact, the size of the public key can be reduced in the random oracle model in a way similar to [34]: let $H: \{0,1\}^* \to \mathbb{Z}_q^{n \times m}$ be a random oracle. For each node $\theta$ in $BT$ (resp. each $BT_i$), we obtain the uniformly random matrix $D_\theta$ (resp. $D_{i,\theta}$) as $D_\theta := H(A, \{B_j\}_{j \in I}, u, \theta)$ (resp. $D_{i,\theta} := H(A, \{B_j\}_{j \in I}, u, i, \theta)$). In the security proof, we first simulate the generation of $D_\theta$ (resp. $D_{i,\theta}$) as in the proof of Theorem 4 (resp. Theorem 5) and then program the random oracle $H$ such that $H(A, \{B_j\}_{j \in I}, u, \theta) = D_\theta$ (resp. $H(A, \{B_j\}_{j \in I}, u, i, \theta) = D_{i,\theta}$).
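An added sketch of this derivation (not code from the paper): it instantiates the random oracle H with SHAKE-256, which is an assumption, and expands H(A, {B_j}, u, θ) or H(A, {B_j}, u, i, θ) into a matrix over Z_q by rejection sampling. The function names, the domain tag, the byte encoding, and the use of integer node labels are all hypothetical.

```python
import hashlib
import struct

def absorb_public_params(A, B_list, u):
    """Return a SHAKE-256 state that has absorbed (A, {B_j}, u), length-prefixed."""
    xof = hashlib.shake_256(b"DR-ABE/D-matrix/v1")   # constructed domain tag
    for mat in [A, *B_list, [u]]:                    # u is hashed as a 1-row matrix
        xof.update(struct.pack(">II", len(mat), len(mat[0])))
        for row in mat:
            xof.update(struct.pack(f">{len(row)}I", *row))  # assumes q < 2**32
    return xof

def node_label(theta, attr=None):
    """theta alone for user-level revocation, (i, theta) for attribute-level."""
    if attr is None:
        return b"\x00" + struct.pack(">Q", theta)
    return b"\x01" + struct.pack(">QQ", attr, theta)

def derive_D(params_state, label, n, m, q):
    """Expand H(A, {B_j}, u, label) into a matrix uniform over Z_q^{n x m}."""
    xof = params_state.copy()
    xof.update(label)
    bits = (q - 1).bit_length()
    width, mask = (bits + 7) // 8, (1 << bits) - 1
    need, length = n * m, 2 * n * m * ((bits + 7) // 8)
    while True:
        stream = xof.digest(length)        # longer outputs extend shorter ones
        vals = []
        for k in range(0, length, width):
            v = int.from_bytes(stream[k:k + width], "big") & mask
            if v < q:                      # rejection sampling: no modulo bias
                vals.append(v)
                if len(vals) == need:
                    return [vals[r * m:(r + 1) * m] for r in range(n)]
        length *= 2                        # unlucky run: ask the XOF for more

def explicit_pk_entries(N, n, m, attr_trees=1):
    """Z_q entries the D matrices cost when stored: (2N - 1) nodes per tree."""
    return attr_trees * (2 * N - 1) * n * m

# Constructed toy parameters (far too small to be secure).
n, m, q = 2, 4, 12289
A = [[1, 2, 3, 4], [5, 6, 7, 8]]
B_list = [[[9, 10, 11, 12], [13, 14, 15, 16]]]
u = [17, 18]
STATE = absorb_public_params(A, B_list, u)
D_5 = derive_D(STATE, node_label(5), n, m, q)
```

Because the rest of the public key is bound into every hash input, a matrix derived under one public key cannot be reused under another, and the leading label byte keeps the user-level and attribute-level derivations from colliding.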

D. Decryption Outsourcing
To make our schemes more applicable to resource-limited end users, we modify our DR-ABE schemes to outsource most of the end user's computational overhead to an honest-but-curious third party in the following manner: we add an extra dummy attribute dummy to the system. The Setup algorithm chooses an extra matrix $B \leftarrow \mathbb{Z}_q^{n \times m}$. To generate the private key for a user, the KGC splits the public vector u into u, u such that u = u + u, samples e ⟵ SampleLeft(A, B + H(dummy), G, u, $T_A$, $\sigma$), replaces u with u in the original Keygen algorithm to get $sk_{S,id}$, and finally returns $sk_{S,id}$ along with e as the private key of the user. Moreover, we add an extra ciphertext corresponding to dummy, c = (B + H(dummy)G)$^\top$ s + DR$^\top$ x, to the output of the original Enc algorithm. In this case, the end user can give $sk_{S,id}$ to an untrusted third party to help decrypt the ciphertext except for c. The third party will return us + e and c to the user, and the latter only needs to deal with c using e to recover the message.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.

Authors' Contributions
Leixiao Cheng, Fei Meng, Xianmeng Meng, and Qixin Zhang are the main authors of the current paper. Specifically, Leixiao Cheng first brought the idea of AKC into this paper to construct revocable ABE resistant to quantum attacks and provided the main construction of two DR-ABE schemes and the formal security proof. She also wrote the initial draft of this paper. Fei Meng contributed to the construction detail and parameter analysis of those two schemes. Xianmeng Meng and Qixin Zhang contributed to carrying out additional analyses and revised the final version of this paper. All authors contributed to writing and revision and approved the final manuscript.