Cloud-based services have powerful storage functions and can provide accurate computation. However, how to guarantee access control for cloud-based services and achieve secure data sharing has always been a research highlight. Although attribute-based proxy re-encryption (ABPRE) schemes based on number theory can solve this problem, they still struggle to resist quantum attacks and have limited expression capabilities. To address these issues, we present a novel linear secret sharing scheme (LSSS) matrix-based ABPRE scheme with fine-grained policy on lattices in this research. Additionally, to detect the activities of illegal proxies, homomorphic signature (HS) technology is introduced to realize the verifiability of re-encryption. Moreover, our system has the advantageous characteristics of non-interactivity, unidirectionality, proxy transparency, multi-use, and resistance to quantum attacks. Besides, it can efficiently prevent the loss of processing power brought on by repetitive authorisation and can enable precise and safe data sharing in the cloud. Furthermore, under the standard model, the proposed learning with errors (LWE)-based scheme is proven to be IND-sCPA secure.
It is worth noting that sensitive data is increasingly being shared and held by third parties, such as AWS, AliCloud, iCloud, etc. In the current era of cloud computing and data protection, fine-grained access management of encrypted data is a crucial requirement. While sharing data in an open, complicated network environment, there is a chance that personal information will be compromised. For example, in a telemedicine system, patients have to store their medical data on the hospital's cloud server, so that medical service personnel can better analyze the health status of patients after downloading it from the cloud. While sharing medical data brings much convenience to patients and medical service personnel in the system, it also causes new privacy and security issues. Medical data usually contains patients' sensitive information and is therefore extremely important to them. In addition, patients would like their medical data to be obtained only by authorized medical service personnel. In an ideal situation, people hope to encrypt data before handing it to a semi-trusted cloud service provider for privacy protection purposes. At the same time, the encrypted data should still support access control and selective computation over ciphertexts. In other words, a cryptographic mechanism is needed to make sure "who" can access the encrypted data, and "what" they can get from it.
Proxy re-encryption (PRE) [
In 2011, Boneh et al. [
Lattice cryptography is a kind of PKC which is widely considered not to be threatened by quantum computing. What's more, the security of lattice cryptography is based on the difficulty of solving lattice problems in the average case. Based on this superior feature, scholars began to focus on the design of FE schemes on lattices. Boyen [
With the rapid development of cloud storage technology, the problems of data security and sharing have received extensive attention from industry and academia. PRE is an encryption method that can safely convert ciphertexts. It allows a not fully trusted third party to directly convert the user Alice's ciphertext into other users' ciphertexts without decryption, which guarantees the privacy and security of the data left with the third party.
A good PRE scheme should meet the following desired characteristics:
Proxy transparency: In a transparent PRE scheme, neither the delegator nor the delegatee knows of the existence of the proxy, meaning that the re-encrypted ciphertext sent to the delegatee is indistinguishable from a ciphertext originally sent to the delegatee;
Non-interactivity: The delegator does not require the assistance of the delegatee or any other third party to generate the proxy re-encryption key;
Unidirectionality: The non-reliable proxy can only change the delegator's ciphertext into the delegatee's ciphertext; conversely, it cannot change the delegatee's ciphertext into the delegator's;
Multi-use: In a unidirectional PRE, the non-reliable proxy can also repeatedly re-encrypt a ciphertext that has already been re-encrypted, as shown in
The initial proposal for a lattice-based multi-bit encryption, unidirectional, and multi-use PRE scheme was made by Jiang et al. [
ABPRE combines ABE with PRE. This not only ensures that the new encryption scheme has the special conversion property of PRE, but also, by setting up a corresponding access structure, enables users who satisfy the access structure to access the encrypted data. The owner of the data has total authority over the data, while its confidentiality is preserved. Nowadays, ABPRE is widely used in distributed file systems, electronic medical systems, cloud storage services and other scenarios. Li et al. [
| Cryptosystem | Assumptions | Post quantum | Proxy transparency | Non-interactivity | Unidirectionality |
|---|---|---|---|---|---|
| DQW20 [ | CDH | | | | |
| GSB22 [ | BDHE | | | | |
| XWZ22 [ | DBDH | | | | |
| HJG19 [ | LWE | | | | |
| Our scheme | LWE | | | | |
From the
The majority of the assumptions underlying current ABPRE scheme research come from traditional number theory. However, these traditional encryption schemes cannot resist quantum attacks;
The feasibility of the existing PRE schemes is somewhat hampered by the fact that they only meet two or three of these characteristics. Besides, the proxy is regarded as a semi-trusted party, but there are few restrictive measures to check the legitimacy of a malicious proxy's activities;
At present, the policy expressiveness of most ABPRE schemes is limited, which seriously hinders the feasibility of ABPRE schemes in practical applications.
In summary, it is crucial to create a powerful ABPRE scheme that withstands quantum attacks. Fortunately, lattice-based cryptosystems can effectively resist quantum attacks. Consequently, constructing lattice-based ABPRE schemes with multiple properties has important theoretical significance and broad application prospects.
Designing a post-quantum secure ABPRE scheme with a variety of properties under the standard model is a very meaningful research project. Therefore, in this research we construct a key-policy ABPRE scheme with re-encryption verifiability (named KPABVPRE):
An LSSS matrix is adopted to obtain a KPABPRE scheme that supports any monotonic policy. The delegator can formulate the corresponding attribute sets and encrypt the message under these attribute sets. Only when the attribute sets on the ciphertext satisfy the delegatee's access policy can the ciphertext be decrypted. Our KPABPRE scheme uses the access structure constructed from the attribute sets to control the delegatee, which realizes flexible PRE. The delegatee can be one person, one organization or multiple organizations;
Taking the activities of a corrupt proxy into consideration, the scheme is combined with homomorphic signature technology to realize the verifiability of re-encryption. In other words, during the re-encryption process, our KPABPRE with re-encryption verifiability (KPABVPRE) scheme can verify whether the proxy performed an honest re-encryption operation. This property greatly enhances the security of the PRE;
In general, few ABPRE schemes satisfy three or more properties. In contrast, we design a multi-feature KPABVPRE scheme with proxy transparency, non-interactivity, unidirectionality, multi-use and resistance to quantum attacks, which greatly enhances the practicability of the scheme. What's more, under the standard model, our KPABVPRE scheme is proven to be selectively IND-CPA secure.
To better understand this article, we introduce the relevant notation in the next
In this paper, we use the following symbols, as shown in the
| Symbols | Definitions |
|---|---|
| | Random numbers modulo an integer |
| | Lattice |
| | Gaussian noise distribution |
| | Gram-Schmidt orthogonalization result of a matrix |
| | Asymptotic upper bound |
| | Set |
| | Attribute set |
We give the following useful definitions and lemmas according to literature [
Here
There exists a PPT algorithm
There is a PPT algorithm
Given three matrices
The above lemmas are used in the security proof of our scheme to show that the simulated system is indistinguishable from the real system.
The attacker
Each participant’s shares compose a vector over
The share generating matrix
In addition, an LSSS has the linear reconstruction property.
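As an added worked example (not code from the paper), the following Python builds an LSSS share-generating matrix for a monotone AND/OR policy with the Lewko-Waters construction, shares a secret, and reconstructs it only from an attribute set that satisfies the policy; the toy modulus Q and the sample policies are constructed for illustration.

```python
import secrets
Q = 7919  # toy prime modulus (constructed); the paper's scheme uses a large LWE modulus q

def lsss_matrix(policy):
    """Lewko-Waters conversion of a monotone AND/OR formula (nested tuples over
    attribute strings) into (rows, rho): rows[i] is row M_i over Z_Q, rho[i] its attribute."""
    rows, rho, counter = [], [], [1]
    def walk(node, vec):
        if isinstance(node, str):              # leaf: one row per attribute
            rows.append(vec); rho.append(node); return
        op, left, right = node
        if op == 'OR':                         # both children inherit vec
            walk(left, vec); walk(right, vec)
        elif op == 'AND':                      # left: (vec|1), right: (0..0|-1)
            c = counter[0]; counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [Q - 1])
        else:
            raise ValueError(op)
    walk(policy, [1])                          # root vector (1): column 0 carries the secret
    width = counter[0]
    return [r + [0] * (width - len(r)) for r in rows], rho

def share(rows, secret):
    """Shares lambda_i = <M_i, v> with v = (secret, r_2, ..., r_n), r_j random."""
    v = [secret % Q] + [secrets.randbelow(Q) for _ in range(len(rows[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % Q for row in rows]

def recon_coeffs(policy, attrs):
    """Constants omega (row index -> 1) for a minimal authorized subset, or None."""
    idx = [0]
    def walk(node):
        if isinstance(node, str):
            i = idx[0]; idx[0] += 1            # same row order as lsss_matrix
            return {i: 1} if node in attrs else None
        op, left, right = node
        a, b = walk(left), walk(right)         # walk both so indices stay aligned
        if op == 'AND':
            return None if a is None or b is None else {**a, **b}
        return a if a is not None else b
    return walk(policy)

def reconstruct(policy, rows, shares, attrs):
    """Linear reconstruction sum omega_i*lambda_i, after checking sum omega_i*M_i == (1,0,...,0)."""
    omega = recon_coeffs(policy, attrs)
    if omega is None:
        return None                            # unauthorized set: shares reveal nothing about s
    n = len(rows[0])
    assert [sum(omega[i] * rows[i][k] for i in omega) % Q for k in range(n)] == [1] + [0] * (n - 1)
    return sum(omega[i] * shares[i] for i in omega) % Q
```

The check inside reconstruct is exactly the LSSS reconstruction condition: the chosen rows combine to the unit vector, so the same combination of shares yields the secret.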
For the original ciphertext
For the converted ciphertext
In this part, we mainly describe the security model of KPABVPRE, which is based on indistinguishability under chosen-plaintext attack in the selective security model (IND-sCPA). We illustrate the model through an interactive game between the adversary
Secret Key Query
Re-Encryption Key Query
Re-Encryption Verification Query
For any PPT
For each attribute
Chooses a uniform random variable
Finally, returns the public parameters
Converts the user’s access policy
Lets
Finally, outputs
Chooses uniformly at random a matrix
Sets
Computes
Outputs the ciphertext
For each attribute
Creates a lownorm matrix
Runs the algorithm
Finally, delivers
Finds the vector
Sets two vectors
Computes a signature
Finally, outputs the reencryption ciphertext
Construct two new vectors
where
where
Lets
Given a Gaussian parameter
Calculates
Outputs the result:
Decryption correctness of unconverted ciphertext. When
Decryption correctness of converted ciphertext. When
Correctness of re-encryption ciphertext verification. The effectiveness of re-encryption ciphertext verification depends on the output of the verification algorithm
According to the assumption of the LWE problem, for the Gaussian noise distribution
According to the algorithm
According to the algorithm
In order to make the error term
Since
Thus, we decided on the following scheme parameters:
where
The challenger
Finally, the attacker
If
The matrix
For the private key,
From Lemma 4.1, we can see that the
The central authority selects the appropriate system parameters
If the attribute
The remaining parameters are the same as
The attacker
According to the parameters in
The challenger
After
Finally,
Constructing ciphertext
The challenger
If
Due to the setting of public parameters, the ciphertext obtained is
The above
In the attacker
In a pseudorandom sampler, an attacker
In a true random predictor, an attacker
Therefore, assuming that an attacker
As a result,
In conclusion, the security of our designed KPABVPRE scheme is compactly reduced to the decision
Set
In this part, we compare our KPABVPRE with other relevant schemes [
| Cryptosystem | Size of ciphertext | Access policy | Multi-use | Standard model | Re-encryption verifiability |
|---|---|---|---|---|---|
| DSD21 [ | | | | | |
| LQZ21 [ | | | | | |
| SRA20 [ | | | | | |
| LMZ19 [ | | AND-gate | | | |
| WYZ21 [ | | | | | |
| Our scheme | | Any monotonic | | | |
Note:
As can be seen from
We present a multi-functional LSSS matrix-based KPABVPRE scheme from lattices that is proven to be IND-sCPA secure under the standard model. Being lattice-based, the scheme is implemented by matrix operations, which facilitates parallel algorithm design and gives superior efficiency compared with classic ABPRE schemes based on bilinear maps. The scheme is built on the LWE hard problem over lattices. From the worst-case complexity of hard lattice problems, we can see that under appropriate parameter selection there is no effective algorithm, not even a quantum one, that solves these problems in polynomial time. Therefore, this scheme can resist quantum attacks. In addition, the data owner can encrypt messages under any attribute set. The ciphertext cannot be decrypted until the attributes placed on it comply with the user's access policy. Furthermore, the verification of re-encryption is realized by introducing homomorphic signature technology, thereby detecting the activities of corrupt proxies, which gives higher security and enforceability in practical scenarios. However, in our KPABVPRE scheme, the size of the ciphertext is not fixed; it grows linearly as the number of attributes increases. Therefore, our next study will focus on creating a multi-functional ABPRE system with fixed ciphertext length.
The authors wish to express their appreciation to the reviewers for their constructive comments, which significantly enhanced the presentation of the study.
This project was funded by the Natural Science Foundation of China (Nos. 62272124, 2022YFB2701400), the Science and Technology Program of Guizhou Province (No. [2020]5017), the Research Project of Guizhou University for Talent Introduction (No. [2020]61), the Cultivation Project of Guizhou University (No. [2019]56), the Open Fund of Key Laboratory of Advanced Manufacturing Technology, Ministry of Education, GZUAMT2021KF[01] and the Postgraduate Innovation Program in Guizhou Province (No. YJSKYJJ[2021]028).
The authors confirm contribution to the paper as follows: study conception and design: Jinqiu Hou; data collection: Weijie Tan; analysis and interpretation of results: Changgen Peng, Hongfa Ding; draft manuscript preparation: Jinqiu Hou. All authors reviewed the results and approved the final version of the manuscript.
All data generated or analysed during this study are included in this published article.
The authors declare that they have no conflicts of interest to report regarding the present study.