1. Introduction

With the continuous development of quantum computing technology, traditional encryption algorithms face unprecedented challenges. In this context, lattice-based cryptography has emerged as a promising choice to combat quantum attacks. Lattice-based cryptography was first proposed by Ajtai [1], who constructed an unbreakable cryptographic system using computationally hard lattice problems. This innovative solution not only lays the foundation for the development of post-quantum cryptography but also attracts widespread attention for its unique contributions to the field of cryptography. Therefore, lattice-based cryptography is regarded as an important milestone in the development of post-quantum cryptography.

In the field of cryptography, ciphertext policy attribute-based encryption (CP-ABE) and identity authentication technologies play a crucial role in information security and user identity verification. Considering the security threats during the process of data exchange in Internet of Thing (IoT), such as adversaries impersonating users to access data stored on servers or devices, receiving incomplete or tampered data, etc., research on post-quantum-based identity authentication and access control has become particularly urgent. In this context, the verification key protocol [2] based on the Ring Learning With Errors (RLWEs) assumption emerges as an important security service. Its main objective is to establish a session key after mutual authentication between users and accessed servers, which can ensure secure communication between users and servers. It provides a forward-looking solution for identity authentication and data access control issues in IoT environments, and it lays the foundation for more secure and reliable IoT communication.

CP-ABE technology has the dual advantages of fine-grained access control and data protection; thus, it attracts widespread attention. In recent years, the lattice-based [3] attribute encryption approach has become an important research direction in CP-ABE. Moreover, with in-depth research on the RLWEs problem, significant progress has been made in this direction, and lattice-based CP-ABE schemes have been successfully introduced into both centralized and decentralized systems. Continuous optimizations of the RLWEs problem have further enhanced the performance in implementing flexible access policies. For instance, in [4], the private keys are distributed by the decentralized multi-authority to improve efficiency, which is more suitable for distributed storage environments. This development gives the lattice-based CP-ABE schemes a unique advantage in the diverse and complex access control requirements of modern network environments.

In this paper, we made improvements based on reference [5], in which different third-party authorities and flexibility during communication are considered. Specifically, our improvements are mainly described in the following aspects:

• In the Gaussian sampling algorithm, two parameters are set for the standard deviation of the Gaussian distribution, which can concentrate the generated random values around the mean and ensures a wider Gaussian curve within a certain range of fluctuations. This results in a broader distribution of random values and improves overall performance.

• The RTrapGen algorithm handles shared and non-shared attributes differently. To enhance the efficiency of key generation, we first identify and categorize the hierarchical relationships of identities during initialization. Subsequently, in the AASetup phase, different sets of attributes are formed based on relationships, thereby reducing the computational overhead of the authorization authority. These optimization measures contribute to improving the performance of the algorithm.

• In the decryption phase, traditional Gaussian elimination is replaced to solve a set of scalar problems to verify the decryption result. A basis transformation is applied to the shared matrices in the Linear Secret Sharing Scheme (LSSS), and the shared matrices are rapidly converted into a collection of shortest vectors, thereby reducing the computational cost of linear space checks.

2. Related Work

So far, researchers have been continuously exploring and enhancing the security of CP-ABE schemes. These efforts aim to ensure that encryption systems effectively protect data from unauthorized access and disclosure. Zhang et al. [6] proposed an improved scheme for cloud computing CP-ABE, which closely associates access control policies with data to achieve fine-grained access control. The scheme also considers potential attacks through system information leakage rather than directly attacking the encryption algorithm, so it effectively maintains data security. Traditional cryptography is quite mature in resisting attacks, but further research on lattice-based cryptography is considered against quantum computers. Huang et al. [7] proposed a lattice-based group authentication scheme to resist various attacks. The scheme can implement group authentication where administrators can select any user to create the authentication process after confirming the total number of users. It indicates promising applications in the IoT domain. Sedat Akleylek et al. [8] proposed a new lattice-based IoT authentication scheme based on the ISIS problem, which can ensure system reliability against quantum attacks and meets zero-knowledge properties to protect privacy during authentication. It also defends against various attacks such as man-in-the-middle, simulation, and replay, while optimizing efficiency; therefore, it is suitable for RFID systems in the IoT. Through continuous security optimization, system protection can be effectively maintained while computational overhead is reduced. Fu et al. [9] proposed an offline/online lattice-based CP-ABE scheme, which can reduce the computational burden of mobile devices in two phases. With the RLWEs assumption, it enhances security against quantum computing attacks. And it is suitable for resource-constrained devices and has long-term security.

A gradual improvement has been achieved in lattice-based attribute strategies. However, challenges remain in lightweight and flexible encryption. Zhao et al. [10] proposed a revocable lattice attribute-based encryption scheme based on the RLWEs problem that can support attribute revocation and flexibly update user permissions to adapt to changing demands. Security proof is crucial for encryption schemes. In this scheme, security threats are discussed, such as collusion attacks [11,12,13], and corresponding solutions are proposed. This security analysis ensure that the schemes are not compromised by potential threats in practical applications. Further, researchers use the authentication scheme based on lattice in different application scenarios. Ali Shahidinejad et al. [14] presented a decentralized authentication and key exchange protocol for device-to-device communication in IoT, in which lattice-based encryption is used to resist quantum attacks and edge computing is introduced to reduce device computational overhead as well as improve system efficiency. This authentication scheme is applicable in smart homes [15], smart agriculture [16], and healthcare [17], which provides inter-domain authentication support.

Pithwi et al. [5] addressed a lattice-based quantum-resistant distributed identity authentication and policy attribute encryption scheme that can ensure the balance between security and lightweight encryption. This scheme uses ring variant trapdoors for lattice-based cryptography, which is suitable for distributed environments due to supporting the distributed settings. In the key generation and decryption phases, Shamir threshold secret sharing and Lagrange interpolation are employed for private key partitioning and recovery. Furthermore, Gaussian preimage sampling on lattice $L$ is utilized for efficiency improvement. We find that a further improvement can be achieved based on [5]; for example, more stable parameters are found by the standard deviation of the distribution in Gaussian sampling algorithms to obtain a wider distribution of random values. Additionally, in the RTrapGen algorithm, the shared and the non-shared attribute sets are distinguished to facilitate computation. In the AASetup phase, different attribute sets are formed based on the shared and the non-shared attributes, which reduces the computational overhead of authorization authorities and indirectly enhances the efficiency of the key generation phase (KenGen). These optimization measures contribute to improving the performance of the algorithm. In the decryption phase, classical Gaussian elimination is replaced to address a set of scalar problems, which can determine the success of decryption. To achieve this improvement, a basis transformation is applied to the shared matrix $F$ in the LSSS, which can be rapidly converted into a set of shortest vectors. Thereby, it can reduce the computational cost of linear space checks.

3. Preliminaries

In post-quantum cryptography, the mathematical structure of lattices has significant advantages in resisting quantum computing attacks based on lattice structures; the difficulty of the RLWEs problem is discussed in this paper. The RLWEs problem is established on a ring, and its security relies on the relationship between indistinct polynomials and random errors. Lattice-based RLWE algorithms provide an effective means against quantum attacks by leveraging the characteristics of rings and errors. This approach is widely applied in practical scenarios such as distributed identity authentication and attribute-based encryption schemes to ensure secure communication and data protection. In this section, we discuss the mathematical foundation and structure of lattice-based RLWE problems in the quantum domain, as well as the techniques adopted in distributed identity authentication and attribute-based encryption schemes.

3.1. Lattices

3.2. RLWEs

3.3. Gaussian Sampling

Discrete Gaussian sampling and Gaussian inversion sampling are widely applied in the fields of computer science and cryptography. The former refers to the process of generating random samples from a discrete Gaussian distribution, while the latter refers to the process of generating random samples from a standard normal distribution (Gaussian distribution with mean 0 and variance 1). We briefly introduce these two sampling methods.

3.4. Trapdoor

3.5. Security Assumptions

In the field of cryptography, we assume that the security model consists of a series of games between a Probabilistic Polynomial Time (PPT) adversary $A$ and a challenger $C$. As the adversary, its attacks include launching traditional number-theoretic attacks and quantum attacks against RLWE-based systems simultaneously. These attacks include replay attacks, man-in-the-middle attacks, temporary secret leakage attacks, signal leakage attacks, and so on. The security model described in this paper is considered secure against selectively ciphertext attacks (sCPA).

During the initialization phase, adversary $A$ will attempt to attack and disrupt the access structure or permissions and declare two internal challenges: access structure challenge and a set of compromised permissions $J_c$. These challenges are then sent to $C$. Challenger $C$ executes Setup and AASetup algorithms to generate public parameters and the public–private key pairs corresponding to each compromised institution in the $J_c$ list. $C$ forwards the generated parameters to adversary $A$.

Phase 1: Adversary $A$ attempts to obtain private key information for compromised permissions. Adversary $A$ generates $\left(uid,S_{uid}\right)$ and sends it to $C$. Meanwhile, $A$ frequently sends queries for private key generation to $C$. Here, $S_{uid}$ represents the attribute set of user $uid$. $T$ represents the attribute set associated with the compromised permissions. Since $\left|S_{uid}\cap T\right|$ does not satisfy the challenge access structure $W^{\prime }$, the key generation algorithm keyGen is executed by $C$, and $C$ forwards the generated private key to adversary $A$.

Challenge: Adversary $A$ randomly selects two messages, ${\varphi }_1$ and ${\varphi }_2$, which can be seen as choices of plaintext to be encrypted. These two messages are sent to $C$, which simulates a step of requesting encryption for $C$. $C$ selects a value $\alpha$ from $\left\{0,1\right\}$ that represents the message encrypted by challenger $C$. According to the challenge access structure $W^{\prime }$, challenger $C$ encrypts message ${\varphi }_{\alpha }$ using the selected $\alpha$. $C$ sends the generated ciphertext $ct$ to adversary $A$.

Phase 2: In this stage, adversary $A$ frequently requests key queries.

Conjecture: Adversary $A$ engages in a game where $A$ guesses ${\alpha }^{\prime }\in \left\{0,1\right\}$ about variable $\alpha$. If ${\alpha }^{\prime }=\alpha$, adversary $A$ wins the game. The probability of winning is defined as the advantage of $A$, namely $Adv\left(A\right)$, where $\mathfrak{A}=\mathrm{Pr}\left[a^{\prime }=a\right]-{\displaystyle \frac{1}{2}}$. If $a^{\prime }=a$ is true, it denotes that the guess ${\alpha }^{\prime }=0$ is correct. On the contrary, the guess ${\alpha }^{\prime }=1$ is true. In summary, it is defined as Equation (1).

(1)$\begin{array}{ll}Adv\left(A\right)=\left|\mathrm{Pr}\left[{\alpha }^{\prime }=\alpha \right]-{\displaystyle \frac{1}{2}}\right|& =\left|\begin{array}{l}\mathrm{Pr}\left[{\alpha }^{\prime }=\alpha |\alpha =0\right]\mathrm{Pr}\left[\alpha =0\right]\\ +\mathrm{Pr}\left[{\alpha }^{\prime }=\alpha |\alpha =1\right]\mathrm{Pr}\left[\alpha =1\right]-{\displaystyle \frac{1}{2}}\end{array}\right|\\ & =\left|\left(\mathfrak{A}+{\displaystyle \frac{1}{2}}\right){\displaystyle \frac{1}{2}}+{\displaystyle \frac{1}{2}}\times {\displaystyle \frac{1}{2}}-{\displaystyle \frac{1}{2}}\right|\\ & ={\displaystyle \frac{\mathfrak{A}}{2}}\end{array}$

Therefore, this assumption is not feasible, but it has an undeniable advantage in solving the above conjecture. Our proposed lattice-based CP-ABE scheme with multiple authorities is secure in the sCPA model. Specifically, if there exists an adversary $A$ who can successfully break IND-sCPA security (i.e., with a non-negligible success probability $\mathfrak{A}\left(\mathfrak{A}>0\right)$), we can deduce that another adversary $B$ can solve the RLWEs problem with a corresponding advantage (at least ${\displaystyle \frac{\mathfrak{A}}{2}}$). It demonstrates that the security of the CP-ABE scheme is closely related to the difficulty of the RLWEs problem.

3.6. Formal Definition for CP-ABE

Setup. The implicit security parameter is given to the setup algorithm as the input. It outputs public parameters $paras=\left\{q,f,k,\sigma ,{\sigma }_s,u\right\}$.

AASetup $\left(paras,{{\chi }^{\prime }}_{\theta },P_{\theta }\right)$. Each authorization authority $A{A}_{\theta }$ runs RTrapGen by $paras$, outputs a key pair $\left(A_{\theta },T_{A_{\theta }}^{\prime }\right)$, selects an attribute set ${{\chi }^{\prime }}_{\theta }$, chooses a polynomial $P_{\theta }$, and finally generates a public key $AP{K^{\prime }}_{\theta }$ and private key $AS{K^{\prime }}_{\theta }$.

KenGen $\left({{\chi }^{\prime }}_{\theta },A_{\theta },T_{A_{\theta }}^{\prime },{\mathsf{\Delta }}_{\theta },\sigma ,{\sigma }_s,S{K}_{uid}\right)$. The KenGen algorithm takes the attribute set ${{\chi }^{\prime }}_{\theta }$ and the public parameters $\left(A_{\theta },T_{A_{\theta }}^{\prime },{\mathsf{\Delta }}_{\theta },\sigma ,{\sigma }_s\right)$ from the Gaussian image sampling algorithm as inputs and outputs the private key $S{K}_{uid}$.

Encryption $\left(AP{K^{\prime }}_{\theta },W,M_{ess},F,\mathsf{\Sigma },E_n\left(M\right)\right)$. The public key $AP{K^{\prime }}_{\theta }$, access structure $W$, plain text $M_{ess}$, matrix $F$, and attribute vector $\mathsf{\Sigma }$ are all inputted to the KenGen algorithm. The algorithm will encrypt $M_{ess}$ and produce a ciphertext $E_n\left(M\right)$ so that only a user that possesses a set of attributes that satisfy the access structure can decrypt the message.

Decryption $\left(F,E_n\left(M\right),S{K}_{uid}\right)$. The matrix $F$, ciphertext $E_n\left(M\right)$, and the private key $S{K}_{uid}$, which is regarded as a private key for a set ${{\chi }^{\prime }}_{\theta }$ of attributes, are described as the inputs of the decryption algorithm. The decrypted ciphertext $M_{ess}$ is obtained in the condition of satisfying different access structures.

4. Lattice-Based Multi-Authority CP-ABE

In this section, security assumption is discussed, and the multi-authority CP-ABE proposal based on lattice is implemented. The meanings of the symbols in the scheme are shown in Table 1.

4.1. System Model

The description of the system model is as follows: Firstly, the trusted key generation center KGC generates public parameters, permissions, and unique identities corresponding to legitimate users by executing the Setup and AASetup stages. The access policy is set based on the general attributes of the data owner. Secondly, during the encryption phase, the ciphertext is uploaded to the cloud server. Data users download ciphertext from cloud servers. For this purpose, data users must send requests to various institutions to publish their private keys. Data users can decrypt the ciphertext only when their private keys meet the access policy.

4.2. Scheme Design

The overall scheme, as depicted in Figure 1, comprises five stages: initialization setup (Setup), attribute authority setup (AASetup), key generation (KenGen), encryption, and decryption. Then, a detailed description of each stage is provided as follows.

4.2.1. Setup

A trusted key generation center (KGC) inputs security parameter $\lambda$ during the initialization phase. A polynomial $u{\in }_R{R}_q$ is selected, and the public parameter $paras=\left\{q,f,k,\sigma ,{\sigma }_s,u\right\}$ is outputted. Assuming that the number of authorization agencies is represented as $N$, the set of authorization agencies is described as $\left\{A{A}_1,A{A}_2,\dots ,A{A}_N\right\}$, where $I\in \left\{1,2,\dots ,N-1\right\}$. KGC uniformly selects the polynomial $K\left(x\right)$ of degree N − 1, where $K\left(x\right)=u+{\displaystyle \sum _{I=1}^{N-1}\widetilde{g_I}{x}^I}$, $\widetilde{g_I}\in R_q$. During the process of selecting polynomial $K\left(x\right)$, KGC signs $K\left(x\right)$ named as $sig{n}_{k\left(x\right)}$ and obtains $K{\left(x\right)}_{all}=u+{\displaystyle \sum _{I=1}^{N-1}\widetilde{g_I}{x}^I}\parallel sig{n}_{KGC}$. KGC obtains temporary private key $r_{KGC}$ through a random number generator and then calculates temporary public key $KG{C}_{pk}=r_{KGC}·P\mathrm{mod}p$. And the signature of KGC is generated as $sig{n}_{KGC}=hash\left(KG{C}_{ID}\parallel KG{C}_{pk}\parallel P_{\theta }\right)$. Users obtain the temporary private key $r_{use{r}_i}$ through a random number generator and then calculate temporary public key $use{r}_{p{k}_i}=r_{use{r}_i}·P\mathrm{mod}p$. When users choose $P_{\theta }={\left(P_{{\theta }_1},P_{{\theta }_2},\dots ,P_{{\theta }_m}\right)}^T$, where $\theta$ is a weight of permission, they digitally sign the relevant information $P_{{\theta }_{all}}={\left(P_{{\theta }_1},P_{{\theta }_2},\dots ,P_{{\theta }_m}\right)}^T\parallel sig{n}_{use{r}_i}$, where $sig{n}_{use{r}_i}=hash\left(use{r}_{I{D}_i}\parallel use{r}_{p{k}_i}\parallel K\left(x\right)\right)$. Before transmitting $K\left(x\right)$ and $P_{\theta }$ to the corresponding authority $A{A}_{\theta }$, the temporary public key $KG{C}_{pk}$ and $use{r}_{p{k}_i}$ are transformed through a secure channel.

4.2.2. AASetup

$A{A}_{\theta }$ first runs the RTrapGen algorithm that can output a pair of parameters $\left(A_{\theta },T_{A_{\theta }}\right)$, where $A_{\theta }\in R_q^{1\times m}$, $T_{A_{\theta }}=\left(r_{\theta },e_{\theta }\right)$ and $r_{\theta }$, $e_{\theta }\in R_q^k$. If ${{\chi }^{\prime }}_{\theta }=\left\{x_1,x_2,\dots ,x_{h_{\theta }}\right\}$ represents the attribute set managed by $A{A}_{\theta }$, for each attribute $x_i\in {{\chi }^{\prime }}_{\theta }$, $\left(b_{\theta ,i}^{+},b_{\theta ,i}^{-}\right)$ is uniformly selected from $R_q^{1\times m}\times R_q^{1\times m}$ at random. The affiliation relationship of the attribute (shared attribute or non-shared attribute set) is determined, i.e., $x_i\in {{\chi }^{\prime }}_{\theta }$. The determination formula is the following Equation (2).

(2)$n_{\theta ,i}=\{\begin{array}{l}\left(b_{\theta ,i}^{+}\right)·y_{\theta ,i}{,\mathrm{if}\mathrm{x}}_i\in {\mathrm{S}}_{uid,\theta }\\ \left(b_{\theta ,i}^{-}\right)·y_{\theta ,i},{\mathrm{if}\mathrm{x}}_i\in {\displaystyle \raisebox{1ex}{${{\chi }^{\prime }}_{\theta }$}\!\left/ \!\raisebox{-1ex}{$S_{uid,\theta }$}\right.}\end{array}$

The three cases are obtained as follows: (a) the elements ${{\chi }^{\prime }}_{\theta }$ in the attribute set $x_i$ belong to the access structure $W_{\theta }^{+}$, i.e., $x_i\in W_{\theta }^{+}$. (b) The elements ${{\chi }^{\prime }}_{\theta }$ in the attribute set $x_i$ do not belong to the access structure $W_{\theta }^{+}$, i.e., $x_i\in W_{\theta }^{-}$. (c) The elements ${{\chi }^{\prime }}_{\theta }$ in the attribute set $x_i$ are not allowed to access structure ${W^{\prime }}_{\theta }$. Then, $A{A}_{\theta }$ selects $P_{\theta }={\left(P_{\theta ,1},P_{\theta ,2},\dots ,P_{\theta ,m}\right)}^T$. For each $\mathsf{\Pi }\in \left[m\right]$, there is $P_{\theta ,\mathsf{\Pi }}={\displaystyle \sum _{U=0}^{f-1}{P}_{\theta ,\mathsf{\Pi },U}}\left(z_{1,i},z_{2,i},\dots ,z_{V,i}\right)x^U$, where $\left(z_{1,i},z_{2,i},\dots ,z_{V,i}\right)\in {\left(Z_q\right)}^V$. It is worth noting that for all $\theta \in \left[N\right]$, $\mathsf{\Pi }\in \left[m\right]$, $U\in \left\{0,\dots ,f-1\right\}$, and $P_{\theta ,\mathsf{\Pi },U}$, they are linearly distributed on $\left(z_{1,i},z_{2,i},\dots ,z_{V,i}\right)$. Thus, the public key $AP{K^{\prime }}_{\theta }$ and private key $AS{K^{\prime }}_{\theta }$ for $A{A}_{\theta }$ are derived, respectively, as $\left\{A_{\theta },{\left(b_{\theta ,i}^{+},b_{\theta ,i}^{-}\right)}_{i\in \left[h_{\theta }\right]}\right\}$ and $\left\{T_{A_{\theta }},P_{\theta }\right\}$.

4.2.3. KenGen

For each attribute $x_i\in {{\chi }^{\prime }}_{\theta }$ of authority $A{A}_{\theta }$, where $i\in \left[h_{\theta }\right]$, the authority randomly selects vectors $\left(z_{1,i},z_{2,i},\dots ,z_{V,i}\right)$ from ${\left(Z_q\right)}^V$. Then, by computing polynomial $P_{\theta }$, it obtains vector $y_{\theta ,i}={\left(P_{\theta }\right)}_{\left(z_{1,i},z_{2,i},\dots ,z_{V,i}\right)}$. This process is aimed at generating polynomial values associated with the attributes of authority $A{A}_{\theta }$. For $y_{\theta ,i}\in R_q^m$, $\forall \theta \in \left[N\right]$, $i\in \left[h_{\theta }\right]$, the authority $A{A}_{\theta }$ calculates the difference vector ${\mathsf{\Delta }}_{\theta }=K\left(\theta \right)-{\displaystyle \sum _{i=1}^{h_{\theta }}{n}_{\theta ,i}}$ based on the judgments in AASetup and runs the RSamplePre algorithm to obtain $\left(y_{\theta },A_{\theta }\right)$. This step is intended to generate encrypted vectors of user attribute values based on the specified distribution to enhance the security of the keys. As a result, the authority $A{A}_{\theta }$ includes the output vector $\left(y_{\theta },A_{\theta }\right)$ as part of the private key, i.e., $S{K}_{uid}=\left\{y_{uid};\theta \in \left[N\right]\right\}$, where $y_{uid,\theta }=\left\{y_{\theta ,A_{\theta }},y_{\theta ,1},\dots ,y_{\theta ,h_{\theta }}\right\}$.

4.2.4. Encryption

The user receives public keys $AP{K}_{\theta }$ provided by the authority $A{A}_{\theta }$, where θ($\theta \in \left[N\right]$) includes the access structure denoted as ${W^{\prime }}_{\theta }$. And attribute assignments relate to each authority. The user constructs the overall access structure $W^{\prime }={\cup }_{\theta \in \left[N\right]}{W^{\prime }}_{\theta }$. These attributes are merged when constructing the access structure, denoted as $W^{\prime }=\left(W_{\theta }^{+}\cup W_{\theta }^{-}\right)$. The plaintext message is represented as $M_{ess}=\left(M_{es{s}_0},M_{es{s}_1},\dots ,M_{es{s}_{f-1}}\right)\in {\left\{0,1\right\}}^f$, in which it is expressed as a polynomial $M_{ess}\left(x\right)=M_{es{s}_0}{x}^0+M_{es{s}_1}{x}^1+M_{es{s}_2}{x}^2+\dots +M_{es{s}_{f-1}}{x}^{f-1}$. The user selects an attribute vector $F\in R_q^{h_{\theta }\times m}$ and $\mathsf{\Sigma }=\left(d,r_2,\dots ,r_m\right)$, where $d\in R_q$ is a shared secret and $\left(r_2,\dots ,r_m\right)\in R_q$. Then, random error term $\tilde{e}$ is selected from the same Gaussian distribution $D_{R,\sigma }$. The ciphertext $c_0=u^T·d+\tilde{e}+M_{ess}\lfloor {\displaystyle \frac{q}{2}}\rfloor$ is computed, where $u$ is a constant, $d$ is the shared secret, $M_{ess}\lfloor {\displaystyle \frac{q}{2}}\rfloor$ quantifies the plaintext, and $q$ is a large prime. Random samples $\left(e_{\theta },A_{\theta }\right)\in R_q^{1\times m}$ from $D_{R,\sigma }$ are then encrypted to obtain $c_{\theta ,A_{\theta }}=A_{\theta }^T·d+e_{\theta ,A_{\theta }}$ by $c_0$. There are three kinds of correspondence between the user and the authority’s attributes. Accordingly, three different encryption schemes are accomplished.

• (1). The two samples $e_{\theta ,i,1}\in R_q^{1\times m}$ and $e_{\theta ,i,2}\in R_q^m$ constitute confusion factors $c_{\theta ,i,1}$ and $c_{\theta ,i,2}$ accordingly, where $c_{\theta ,i,1}=\left(b_{\theta ,i}^{+}\right)·d+e_{\theta ,i,1}$ and $c_{\theta ,i,2}=\left(F_{i,1}\right)·u^T·d+{\displaystyle \sum _{j=2}^m{F}_{i,j}}·r_j+e_{\theta ,i,2}$.

• (2). The two samples $e_{\theta ,i,1}\in R_q^{1\times m}$ and $e_{\theta ,i,2}=\left(F_{i,1}\right)·u^T·d+{\displaystyle \sum _{j=2}^m{F}_{i,j}}·r_j+e_{\theta ,i,2}$ constitute confusion factors $c_{\theta ,i,1}=\left(b_{\theta ,i}^{-}\right)·d+e_{\theta ,i,1}$ and $c_{\theta ,i,2}=\left(F_{i,1}\right)·u^T·d+{\displaystyle \sum _{j=2}^m{F}_{i,j}·r_j+e_{\theta ,i,2}}$ accordingly.

• (3). Sample $e_{\theta ,i,1}^{+},e_{\theta ,i,1}^{-}\in D_{\theta ,\sigma }$ and sample $e_{\theta ,i,2}\in R_q^m$. For attribute $x_i\in W_{\theta }^{+}$, there is $c_{\theta ,i,1}^{+}=\left(b_{\theta ,i}^{+}\right)·d+e_{\theta ,i,1}^{+}$, and attribute $x_i\in W_{\theta }^{-}$, there is $c_{\theta ,i,1}^{-}=\left(b_{\theta ,i}^{-}\right)·d+e_{\theta ,i,1}^{-}$, as well as the standard item $c_{\theta ,i,2}=\left(F_{i,1}\right)·u^T·d+{\displaystyle \sum _{j=2}^m{F}_{i,j}}·r_j+e_{\theta ,i,2}$; the form of the ciphertext is denoted as $E_n\left(M\right)=\left\{c_0,{\left\{c_{\theta ,i,1},c_{\theta ,i,2}\right\}}_{x_i\in {W^{\prime }}_{\theta }},{\left\{c_{\theta ,i,1}^{+},c_{\theta ,i,1}^{-},c_{\theta ,i,2}\right\}}_{x_i\in {\displaystyle \raisebox{1ex}{${{\chi }^{\prime }}_{\theta }$}\!\left/ \!\raisebox{-1ex}{${W^{\prime }}_{\theta }$}\right.}},{\left\{c_{\theta },A_{\theta }\right\}}_{\theta \in \left[N\right]},W^{\prime }\right\}$.

4.2.5. Decryption

Taking a set of scalars $\widetilde{g_i}\in \left\{0,1\right\},i\in \left[h_{\theta }\right]$, there is ${\displaystyle \sum _{i=1}^{h_{\theta }}\widetilde{g_i}}·F_i=\left(1,0,\dots ,0\right)$, where $F_i$ represents the $i$-th row of matrix $F$. LLL is performed on the shared matrix $F$ that replaced the LSSS of [5], where $F$ is transformed into the set of shortest vectors (SVP) through basis transformation. If vector $\left(1,0,\dots ,0\right)\in Span⟨F_i,i\in \left[h_{\theta }\right]⟩$ is true, where $\theta \in \left[N\right]$, it indicates that there exists a shortest vector after the LLL operation. And decryption will be successful. That is, each authority $A{A}_{\theta }$ calculates ${\omega }_{\theta ,0}={\left(c_{\theta },A_{\theta }\right)}^T·y_{\theta ,A_{\theta }}$. According to the correspondence between user attributes and the attributes authorized by the authority,${\omega }_{\theta ,i,1}$ and ${\omega }_{\theta ,i,2}\in R_q$ are computed as below:

• (1). When $x_i\in {W^{\prime }}_{\theta }$ is true, compute ${\omega }_{\theta ,i,1}={\left(c_{\theta ,i,1}\right)}^T{y}_{\theta ,i}$, ${\omega }_{\theta ,i,2}=\widetilde{g_i}·\left(c_{\theta ,i,2}\right)$.

• (2). For other $x_i\in S_{uid,\theta }$, compute ${\omega }_{\theta ,i,1}={\left({c^{+}}_{\theta ,i,1}\right)}^T{y}_{\theta ,i}$, ${\omega }_{\theta ,i,2}=\widetilde{g_i}·\left(c_{\theta ,i,2}\right)$.

• (3). When $x_i\in {\displaystyle \raisebox{1ex}{${{\chi }^{\prime }}_{\theta }$}\!\left/ \!\raisebox{-1ex}{${W^{\prime }}_{\theta }\cup S_{uid,\theta }$}\right.}$ is true, compute ${\omega }_{\theta ,i,1}={\left({c^{-}}_{\theta ,i,1}\right)}^T{y}_{\theta ,i}$, ${\omega }_{\theta ,i,2}=\widetilde{g_i}·\left(c_{\theta ,i,2}\right)$, ${\omega }_{\theta }={\omega }_{\theta ,0}+{\displaystyle \sum _{i=1}^{h_{\theta }}\left[{\omega }_{\theta ,i,1}+{\omega }_{\theta ,i,2}\right]}\in R_q$.

Finally, the ciphertext parts are combined to obtain the final plaintext message ${M^{\prime }}_{ess}=\left({M^{\prime }}_{es{s}_0},\dots ,{M^{\prime }}_{es{s}_{f-1}}\right)=M_{es{s}_0}{x}^0+M_{es{s}_1}{x}^1+M_{es{s}_2}{x}^2+\dots +M_{es{s}_{f-1}}{x}^{f-1}=c_0-{\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}{A}_{\theta }$, where ${\xi }_{\theta }={\displaystyle \frac{{\mathsf{\Pi }}_{\theta \in \left[N\right],\theta \ne j}-\theta }{{\mathsf{\Pi }}_{\theta \in \left[N\right],\theta \ne j}j-\theta }}$ is a Lagrange polynomial. At this point, for each $i\in \left\{0,\dots ,f-1\right\}$, it is necessary to determine whether the Lagrange interpolation polynomial $\left|{M^{\prime }}_{es{s}_i}\right|\stackrel{?}{<}{\displaystyle \frac{q}{4}}$ holds. If true, $M_{es{s}_i}=0$ is outputted; otherwise, $M_{es{s}_i}=1$ is outputted. This process converts the real value ${M^{\prime }}_{es{s}_i}$ obtained from interpolation into binary values. The basic idea of this method is as follows. A threshold ${\displaystyle \frac{q}{4}}$ is chosen. By comparing the threshold with the magnitude of $\left|{M^{\prime }}_{es{s}_i}\right|$, the binary information of $M_{es{s}_i}$ is determined that can effectively extract useful plaintext information from noise.

5. Secure Analysis and Performance Verification

In this section, the correctness is defined firstly from the view of probability of correctly recovered plaintext. Meanwhile, parameters are selected to ensure the correctness. Then, the secure proposed scheme is analyzed and the performance is verified.

5.1. Correctness and Parameter Selection

For all $A{A}_{\theta }$, the receiving party who held the attributes $S{K}_{uid}$ is considered secure if it satisfies the following two conditions: $\{\begin{array}{l}S{K}_{uid,\theta }\cap W_{\theta }^{-}=\varnothing \\ S{K}_{uid,\theta }\cap W_{\theta }^{+}=W_{\theta }^{+}\end{array}$. That is, the receiving party has sufficient attributes to meet the access policy of $A{A}_{\theta }$. Meanwhile, no excess attributes intersect with $W_{\theta }^{-}$. For ensuring the generation of a vector satisfying a specific distribution to enhance security, we perform the following calculation described as Equation (3).

(3)$\begin{array}{l}{\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}{\omega }_{\theta }\\ ={\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}\left({\omega }_{\theta ,0}+{\displaystyle \sum _{i=1}^{h_{\theta }}\left[{\omega }_{\theta ,i,1}+{\omega }_{\theta ,i,2}\right]}\right)\\ ={\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}\left({\left(c_{\theta ,A_{\theta }}\right)}^T{y}_{\theta ,A_{\theta }}+{\displaystyle \sum _{i=1}^{h_{\theta }}\left[{\left(c_{\theta ,i,1}\right)}^T{y}_{\theta ,i}+\widetilde{g_i}\left(c_{\theta ,i,2}\right)\right]}\right)\\ ={\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}\left({\left(A_{\theta }^{T}d+e_{\theta ,A_{\theta }}\right)}^T{y}_{\theta ,A_{\theta }}+{\displaystyle \sum _{i=1}^{h_{\theta }}\left[{\left(c_{\theta ,i,1}\right)}^T{y}_{\theta ,i}+\widetilde{g_i}\left(c_{\theta ,i,2}\right)\right]}\right)\\ ={\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}\left(y_{\theta ,A_{\theta }}\left(A_{\theta }^{T}d\right)+y_{\theta ,A_{\theta }}{e}_{\theta ,A_{\theta }}+{\displaystyle \sum _{i\in \left[h_{\theta }\right]}⟨n_{\theta ,i},d⟩}+{\displaystyle \sum _{j\in \left[h_{\theta }\right]}{e}_{\theta ,j}}\right)\\ ={\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}\left(u_{\theta }d+y_{\theta ,A_{\theta }}{e}_{\theta ,A_{\theta }}+{\displaystyle \sum _{j\in \left[h_{\theta }\right]}{y}_{\theta ,j}{e}_{\theta ,j}}\right)\end{array}$

In summary, the plaintext is computed as Equation (4), which can ensure the precision of the scheme.

(4)$\begin{array}{ll}{M^{\prime }}_{ess}& =c_0-{\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }\left(u_{\theta }d+y_{\theta ,A_{\theta }}{e}_{\theta ,A_{\theta }}+{\displaystyle \sum _{j\in \left[h_{\theta }\right]}{y}_{\theta ,j}{e}_{\theta ,j}}\right)}\\ & \approx M_{\mathrm{ess}}\lfloor {\displaystyle \frac{q}{2}}\rfloor \end{array}$

The error term $\left|\tilde{e}-{\displaystyle \sum _{\theta \in \left[N\right]}{\xi }_{\theta }}\left(u_{\theta }d+y_{\theta ,A_{\theta }}{e}_{\theta ,A_{\theta }}+y_{\theta ,1}{e}_{\theta ,1}+\dots +y_{\theta ,h_{\theta }}{e}_{\theta ,h_{\theta }}\right)\right|<{\displaystyle \frac{q}{4}}$ must be constrained that can ensure the correct decryption. According to security constraints and parameter selection, the probability of the correct decryption depends on the norm of the private key generated by the Gaussian preimage sampling algorithm and the error term introduced during encryption. As stated in Section 4.1, they are set to 2 and 3, respectively.

Let the upper limit of $\left|e_{\theta ,A_{\theta }},e_{\theta ,1},\dots ,e_{\theta ,h_{\theta }}\right|$ and $\left|y_{\theta ,A_{\theta }},y_{\theta ,1},\dots ,y_{\theta ,h_{\theta }}\right|$ be ${\mathsf{\Delta }}_e$ and ${\mathsf{\Delta }}_y$, respectively. The central limit theorem estimates the noise factor $\left|y_{\theta ,A_{\theta }}{e}_{\theta ,A_{\theta }}+y_{\theta ,1}{e}_{\theta ,1}+\dots +y_{\theta ,h_{\theta }}{e}_{\theta ,h_{\theta }}\right|$ as $\mathsf{\Delta }={\mathsf{\Delta }}_e{\mathsf{\Delta }}_y\sqrt{Nnm\left(h_{\theta }+1\right)}$, and parameters ${\mathsf{\Delta }}_e=8\sigma$, ${\mathsf{\Delta }}_y=8{\sigma }_s$ are set based on the literature [19]. Therefore, the correctness constraint is $q\ge 256\sigma {\sigma }_s\sqrt{Nnm\left(h_{\theta }+1\right)}$.

5.2. Security Analysis

The proposed scheme relies on assumptions made in the security model to analyze the mainstream attacks that may be faced in modern networks, traditional number theory cryptography, and quantum cryptography.

• Replay Attack: In the setup stage, KGC selects a polynomial $K\left(x\right)$ when using random $\widetilde{g_I}$ and conducts a random selection for both $\left({b^{+}}_{\theta ,i},{b^{-}}_{\theta ,i}\right)$ and $P_{\theta }$ at each authority $A{A}_{\theta }$. Even if the same user or organization performs the same operation again, it will obtain a different value. Therefore, the proposed scheme effectively prevents replay attacks.

• Man-in-the-Middle Attack: In the setup stage, KGC introduces a digital signature during the uniform random selection process of polynomial $K\left(x\right)$. KGC signs each authority $A{A}_{\theta }$ with a hash function and sends the signature and $K\left(x\right)$ together. Users also need to generate their digital signatures to prove their identity. During the user’s selection of $P_{\theta }$, they combine a temporary public key with their ID as their identity, sign identity, and integrate the signature with $P_{\theta }$ before sending it. Upon receiving the integrated data, the recipient performs corresponding verification calculations, such as the $has{h}^{\prime }$ function, to verify authenticity. If both identity authenticity and data integrity pass verification, this indicates no man-in-the-middle attack.

• Temporary Secret Leakage Attack: In defining the n-dimensional Gaussian function on lattice $L\left(D\right)$, noise is introduced at each point. For example, when selecting parameter $\sigma$, a more significant parameter $\sigma$ results in a smoother Gaussian function. A smooth Gaussian function helps improve the quality of noise. In the exponential function, the multiple different values involved in the calculation of ${\Vert x-c\Vert }^2$ result in noise. This noise interferes with adversaries when they attempt to analyze the trapdoor, meaning that the difficulty of temporary secret leakage is increased. Additionally, since the generation of ciphertext $E_n\left(M\right)$ use multiple parameters and multi-party computation, such as $c_0$, $c_{\theta }$, ${c^{+}}_{\theta ,i,1}$, ${c^{-}}_{\theta ,i,1}$, $c_{\theta ,i,1}$, and $c_{\theta ,i,2}$, in which each calculation is independent, temporary secret leakage of one user will not affect others. In other words, even if the ciphertext of one user is leaked, the ciphertext of other users should still be secure.

• Side-Channel Attack: In the RTrapGen algorithm, parameter $\sigma$ is introduced and generated through a Gaussian distribution, so the generated threshold is random that can increase the difficulty for adversaries in analyzing the trapdoor. Adversaries cannot know the exact value of the trapdoor in advance. Furthermore, since the security of the algorithm relies on the assumption of RLWEs, it is difficult for adversaries to infer partial ciphertext from the encrypted trapdoor. The difficulty of the RLWEs problem is based on a theoretical mathematical problem that adversaries solve hardly within a finite time. Overall, the proposed scheme effectively prevents side-channel attacks.

The performance of the scheme is compared with those of other CP-ABE schemes. Through analysis of the number of authorities, system architecture, security, efficiency, and privacy protection, it is found that the proposed scheme outperforms the compared schemes in these aspects, as shown in Table 2.

The resistance to attacks is compared with references [5,8,10,13,20] in Table 3, which demonstrates their capabilities of addressing mainstream attacks in today’s network, traditional number theory cryptography, and quantum cryptography fields.

5.3. Performance Analysis

We rely on the Ubuntu 20.04.6 LTS platform 12th Gen Intel^® Core™ i7-12700H × 12 64 bit version using Python 3.10 to simulate the proposed scheme. The experiment consists of five stages: (a) setup; (b) AASetup; (c) KeyGen; (d) encryption; (e) decryption. As shown in Figure 2, different user attributes are set to reflect the time expenditure of each stage.

As shown in Figure 3 and Table 4, compared with Prithwi et al. [5], the time gap between the two parties becomes more prominent as the number of user attributes increases, especially during the encryption and decryption processes. This further highlights the robustness of the proposed scheme in this paper. In Table 4, the computational costs of the various literature are compared, which leads to the conclusion that our protocol has more advantages. All experimental results represent the average time that the scheme run 20 times.

6. Summary

In this paper, an enhanced lattice-based post-quantum multi-authority CP-ABE and identity authentication scheme is presented based on the RLWEs problem. The deterministic standard deviation parameters in Gaussian sampling are adopted to improve algorithm efficiency compared with the original scheme. The scheme performance is optimized by judging different attribute sets, and the LLL algorithm resolves a set of scalar problems in linear algebra to reduce the computational cost of linear space checks. Due to the scheme support for multi-authority authorization, multi-authority authorization can be considered a distributed decentralized system. Compared with existing lattice-based CP-ABE algorithms, our improved scheme demonstrates higher efficiency.

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Enlarge this image.

Figure 1. The system model of this scheme.

Enlarge this image.

Figure 2. Time expenditure of each stage in the article.

Enlarge this image.

Figure 3. Time expenditure between different schemes in each stage.