 Research
 Open Access
 Published:
Efficient latticebased revocable attributebased encryption against decryption key exposure for cloud file sharing
Journal of Cloud Computing volume 12, Article number: 37 (2023)
Abstract
Cloud file sharing (CFS) has become one of the important tools for enterprises to reduce technology operating costs and improve their competitiveness. Due to the untrustworthy cloud service provider, access control and security issues for sensitive data have been key problems to be addressed. Current solutions to these issues are largely related to the traditional public key cryptography, access control encryption or attributebased encryption based on the bilinear mapping. The rapid technological advances in quantum algorithms and quantum computers make us consider the transition from the tradtional cryptographic primitives to the postquantum counterparts. In response to these problems, we propose a latticebased CiphertextPolicy AttributeBased Encryption(CPABE) scheme, which is designed based on the ring learing with error problem, so it is more efficient than that designed based on the learing with error problem. In our scheme, the indirect revocation and binary treebased data structure are introduced to achieve efficient user revocation and dynamic management of user groups. At the same time, in order to further improve the efficiency of the scheme and realize file sharing across enterprises, the scheme also allows multiple authorities to jointly set up system parameters and manage distribute keys. Furthermore, by rerandomizing the user’s private key and update key, we achieve decryption key exposure resistance(DKER) in the scheme. We provide a formal security model and a series of security experiments, which show that our scheme is secure under chosenplaintext attacks. Experimental simulations and evaluation analyses demonstrate the high efficiency and practicality of our scheme.
Introduction
Cloud file sharing (CFS) has been widely used in current cloud services. According to Gallup’s report, 81% of employees of 60 million fulltime employees are choosing to work from home remotely work or mixed work (parttime working from home) by reason of the COVID19 epidemic. The CFS has the advantages of flexible use and low cost. Employees can access cloud data from any location through any internet device (e.g. mobile phone, tablet, laptop, etc.) to meet flexible remote work needs. At the same time, cloud storage servers can meet the high storage requirements of users and enterprises, and provide lowcost and diversified cloud services. It greatly saves the company’s data storage cost and improves the competitiveness of the enterprise. As a result, CFS services (such as Amazon WorkDocs, iCloud, Dropbox, Google Drive, OneDrive, Mega, etc.) have become the first choice for increasingly competitive individuals and businesses.
As a leading cloud storage platform, MEGA has more than 250 million users, and aims to provide users with endtoend encryption and information security assurance controlled by users. However, in a recent study [1], Backendal et al. found a significant shortcomings in the platform’s cryptographic architecture. They have carried out five attacks against the RSA encryption algorithm in MEGA, such as RSA key recovery attack, framing attack, integrity attack, etc., to destroy the user data integrity to some extent. Through the RSA key recovery attack, the attacker can recover the RSA private key after 1023 client login attempts, while using quantum cryptanalysis can reduce it to 512 attempts, so that the private key can be recovered more quickly.
Hence, how to protect the user’s data in the cloud from being tampered with, stolen, or illegally accessed by other users has always been a hot research issue. In order to provide finegrained access control, AttributeBased Encryption(ABE) has been widely used in various CFS systems [2,3,4,5,6]. In the ciphertextpolicy ABE(CPABE), the access policy is associated with the ciphertext, and the attribute is associated with the key, which makes CPABE more focused on the rolebased access control than the keypolicy ABE(KPABE), Hence CPABE is more suitable for CFS systems.
Currently, there are several security and access control issues on the CPABE scheme proposed for the CFS system.
\(\mathbf {Resistant\ to\ quantum\ attacks:}\) With the further study of quantum computers and quantum attack algorithms, the security of traditional ABE based on bilinear mapping has been seriously challenged. In [7], the author also pointed out that cryptographic algorithms and cryptographyrelated devices should immediately start to transition to the postquantum cryptography suite of algorithms. Otherwise, some sensitive documents, such as business secrets, medical records, national security documents and other documents that have a long shelf life can be leaked out since the transition process could take multidecade, by which time the quantum computer may have been mastered by the adversary. Currently, cryptographic algorithms based on the Learning With Error (LWE) problem in lattice are generally considered to be effective against quantum attacks. However, the large parameter size and low efficiency of LWEbased ABE schemes make the cryptographic researcher consider alternative ABE schemes designed based on the Ring Learning With Error (RLWE) problem with smaller parameter size and higer efficiency. Current RLWEbased ABE schemes are deficient in dynamic management of user groups, distributed management and the decryption key exposure resistance. Therefore, the design and security analysis of RLWEbased CPABE schemes with multiple properties for CFS system become a challenging issue.
\(\mathbf {Dynamic\ management\ of\ user\ groups:}\) In practical applications, the CFS system usually changes users’ data access policy when users’ position or role change, such as revoking the user’s access privileges to specific files and private data. Users’ privileges revocation can be divided into the direct revocation and indirect revocation. In the direct revocation, the data owner can directly revoke the user’s permissions. However, the direct revocation is not applicable in CFS because the data owner must always be online and maintain an uptodate revocation list at all times. Indirect revocation is suitable for CFS system, in which the attribute authority can periodically broadcasts the keyupdating material to users in the CFS system, and users who have not been revoked can update their credentials. However, indirect revocation also faces a problem, that is, the attribute authority needs to generate key update materials for each user in the revocation process. Although Yang et al. [8] and Wang et al. [9] used the binary tree structure to reduce the size of the key update material for each user, this is still a heavy burden for the authorization authority in the CFS system with a large number of users. Therefore, how to implement user revocation securely and efficiently is still an urgent problem.
\(\mathbf {Decryption\ key\ exposure\ attacks:}\) In the ABE scheme proposed for CFS system, the user’s decryption key is often used for the decryption of private data. Once the decryption key is exposed, the private data will be opened for the adversary. Hence the key exposure attack is a main secure threat to the CFS system. In the indirect revocation cryptosystems, decryption key exposure attack is a common attack method. The attacker can obtain the user’s longterm private key by calculating the old and leaked decryption key and the update key transmitted from the public channel. This means that the attacker can derive all subsequent decryption keys. In ABE schemes based on the bilinear mapping [10, 11], the author proposed the method of key rerandomization to achieve decryption key exposure resistance. In contrast, the latticebased CPABE scheme has a more complex algebraic structure, and it is more difficult to rerandomize its key. Therefore, how to rerandomize the key of RLWEbased CPABE to resist decryption key exposure attack remains challenged.
In addition, the latticebased multiauthority attributebased encryption(MAABE) scheme could be more suitable for a largescale CFS system than an ABE scheme with only one authority, because a shared file often has access policies that span multiple trust domains. For example, multiple companies may publish attributes as part of a joint project. If a single authority is employed, one company must be required to cede control to another, which has great limitations in practical applications. Current MAABE schemes [12, 13] are designed based on the LWE problems. What we concerns is how to design the RLWEbased MAABE schemes with the above desired properties.
Related work
Some CFS systems with access control encryption or CPABE have been proposed. Zhu et al. [14] proposed an efficient temporary access control encryption scheme for cloud services based on a proxy encryption mechanism and cryptographic integer comparison, while extending the power of attribute expression using a dual comparative expression of integer ranges. Zhu et al. [15] proposed an ABE scheme without pairings for CFS systems, and proved the chosen plaintext security in selective ID model. Zhu et al. [16] proposed a new fuzzy authorization scheme based on CPABE scheme and OAuth for cloud data access, and realized automatic revocation by updating the TimeSlot attribute when data owner modifies the data. Finally, the security of the scheme is proven under the dBDHE assumption. Wang et al. [6] proposed an efficient cloud computing encryption scheme based on filelevel attributes. Layered files are encrypted with an integrated access structure. However, the above ABE schemes are all based on bilinear pairing and do not have the ability to resist quantum attacks.
Considering the hardness of lattice problems in postquantum cryptography, researchers begin to construct latticebased ABE schemes. Zhang et al. [17] first constructs a CPABE scheme based on the LWE assumption. However, due to the introduction of default properties, the parameter size of the overall scheme increases dramatically and the efficiency is low. In order to solve this problem, chen et al. [2] uses a small policy matrix to reduce the cumulative error and improve the efficiency of the scheme. At the same time, they also proposed a new resource sharing framework combined with the ABE scheme. Chen et al. [18] improved on the basis of [17], and implemented a large universe CPABE scheme using the fullrank differences function, which can obtain greater efficiency. To further improve efficiency, Gür et al. [19] constructs and implements the CPABE scheme from lattices under the RLWE assumption. They employ Gaussian sampling for bigger bases of the gadget matrix, which reduces execution times and storage requirements.
In order to solve the user dynamic management problem in the CFS system, Ibraimi et al. [20] proposed a revocable CPABE scheme, but this scheme requires a trusted cloud service provider and requires it to be online for a long time. This does not meet actual needs. Sahai et al. [21] proposed a CPABE scheme with revocable storage, which allows a cloud Server to update the ciphertext, but this scheme adds many additional time attributes, resulting in bigger public key and ciphertext. Li et al. [3] proposed an efficient CPABE scheme with policy update and file update functions based the CFS system, which effectively reduces the communication and storage cost of the client.
In order to prevent decryption key exposure attacks in CFS systems, Xu et al. [10] proposes a CPABE scheme with decryption key exposure resistance. Xu et al. [22] proposed a CPABE scheme with decryption key exposure resistance based on cloud storage system, which can effectively deal with both secret key revocation for corrupted users and accidental decryption key exposure for honest users. However, the above revocable CPABEs are all designed based on bilinear pairing, and they cannot effectively resist quantum attacks. Wang et al. [9] and yang et al. [23] proposed two LWEbased revocable CPABE schemes. However, the public key size of scheme [9] is large, and the revocation workload of scheme [23] increases linearly with the increase of the number of system users, which makes the efficiency and scalability of the two schemes low. Takayasu et al. [24] and Dong et al. [25] proposed latticebased IBE scheme and KPABE scheme for decryption key exposure resistance, respectively. But in the latticebased CPABE scheme, which is more suitable for CFS system, there is no formal solution.
In order to further improve the efficiency of the CFS system, reduce the workload of a single AA on the enterprise side, and realize access policies across multiple trust domains at the same time, Chase et al. [26] proposed the multiattribute authority ABE scheme for the first time. The scheme includes a central authority and multiple attribute authorities, and the attributes in the system are jointly managed by multiple attribute authorities. Subsequently, Rouselakis et al. [27] proposed an MAABE scheme based on prime order bilinear groups to further improve the efficiency. To deal with quantum attacks, Zhang et al. [13] proposed latticebased MAABE for the first time. However, since this scheme is based on the assumption of learning with errors, the efficiency of this scheme is low.
Technical challenge
Current latticebased CPABE schemes for CFS system, especialy for LWEbased CPABE scheme, suffer from large parameter size, low efficiency or various cryptographic attacks, such as decryption key exposure attack, collusion attack etc.. When we design an RLWEbased CPABE with multiple properties, such as, multiple authorities, decryption key exposure resistance, collusion resistance, user group’s dynamic management, attribute revocation etc., several technical chanllenges loom over us. Specifically, when designing an RLWEbased CPABE with multiple authorities and decryption key exposure resistance, we have to consider a new type of adversary who masters more information on the private keys of some attributes. The adversary could corrupt some AAs to get some information on the private keys of some attributes. Simultaneously, the adversary can get some addtional infomation leaked out from the uncorrupted AAs due to the decryption key exposure. As the adversary gains more information, the security model becomes more complex. Hence the security proof in our scheme is more difficult than that in the scheme with one single authority, or the scheme with only decryption key exposure resistance. Furthermore, in the traditional ABE schemes based on bilinear pairing, the resistance to decryption key exposure attack is simply implemented by introducing a random number in the decryption key update. However, the latticebased CPABE scheme is usually designed based on a more complex algebraic structure, which makes the original method(by only introducing a random number in the rerandomization process) for decryption key update invalid. Therefore, in order to get the new RLWEbased MAABE suitable for the secure CFS system, we need to define new security model, specify the limits of the new adversary and develop new technique to resist the decryption key exposure attack.
Our contribution
In this paper, we designed an RLWEbased Revocable and Multiauthority CPABE scheme (RMCPABE) with decryption key exposure resistance for quantum secure CFS system, whose features includes protection of sensitive data from privacy leakage and quantum attacks, dynamic management of user groups, distributed architecture, decryption key exposure resistance, etc. Our work is summarized as follows:

Many existing CFS systems only provide rolebased access control and are not resistant to quantum attacks. We design a CPABE scheme based on RLWE to achieve more finegrained access control and CFS privacy data security under quantum attacks. In order to resist the decryption key attack, we propose a new method applicable to lattice algebraic structure for rerandomizing the key to ensure that the information of the user’s private key will not be leaked after the decryption key is exposed. To implement user revocation, we apply a binary treebased data structure to reduce the cost of key update from linear to logarithmic.

In order to further improve the system efficiency and realize crossenterprise file sharing, we implement a multiauthority CPABE scheme with a distributed architecture by applying the shamir threshold secret sharing technique. At the same time, in order to ensure the security of private data under collusion attacks by malicious users and corrupt authorities, we provide a specific security model and prove that our scheme is selectively secure under the assumption of error learning.

Finally, we implement our scheme and evaluate its key generation, user revocation, encryption, and decryption algorithm time overhead and storage overhead in comparison with related schemes. The simulation show that our scheme has high efficiency.
Preliminaries
Notations
In this paper, we denote a cyclotomic ring \(\mathcal {R}=\mathbb {Z}\left[ x \right] /\left\langle x^{n}+1 \right\rangle\), where each element is a polynomial with integer coefficients and degree at most \(n1\). For an integer \(q\ge 2\), we let \(\mathcal {R}_{q}=\mathcal {R}/q\mathcal {R}\) be a ring in which arithmetic operations on polynomial coefficients are performed modulo q, and the coefficients are integers in the interval \(\left( \left\lfloor q/2 \right\rfloor ,\left\lfloor q/2 \right\rfloor \right)\). \(\mathcal {R}_{q}^{1\times m}\), \(\mathcal {R}_{q}^{m}\), and \(\mathcal {R}_{q}^{m\times m}\) represent row vectors, column vectors, and matrices consisting of elements in \(\mathcal {R}_{q}\). We define \(Tran_{V\rightarrow M}\) as a function that maps from vector \(\textbf{a}\in \mathcal {R}_{q}^{m}\) to matrix \(\textbf{A}\in \mathbb {Z}_{q}^{m\times n}\). In detail, we expand the coefficients of each polynomial element in vector \(\textbf{a}\) to an ndimensional row vector in \(\mathbb {Z}_{q}\). Similarly, we define \(Tran_{M\rightarrow V}\) as a function that maps from matrix \(\textbf{A}\in \mathbb {Z}_{q}^{m\times n}\) to vector \(\textbf{a}\in \mathcal {R}_{q}^{m}\), which can be regarded as the inverse process of \(Tran_{V\rightarrow M}\). In this paper, we utilize a fullrank difference (FRD) function \(\textrm{H}\) that maps a random element in \(\mathcal {R}_{q}\) associated with an attribute or time to a matrix in \(\textbf{Z}_{q}^{n \times n}\).
Lemma 1
[28] For positive integers q, n with \(q>2\), the FRD function has the following properties:

For any \(a,b \in \mathcal {R}_{q}\) and \(a\ne b\), the matrix \(\left( \textrm{H}\left( \textrm{a} \right) \textrm{H}\left( \textrm{b} \right) \right)\) is full rank.

H is computable in polynomial time \(n\,\log \,q\).
Lemma 2
\((Leftover\ Hash\ Lemma)\) Let q be a positive integer, \(m=O(\log _{2}q)\) and let \(\textbf{S}\leftarrow \left\{ 1,1 \right\} ^{m\times m}\), \(\left\{ \textbf{A,B} \right\} \leftarrow \mathcal {R}_{q}^{1\times m}\). Then for all \(e \in \mathcal {R}_{q}^{m}\), we have \(\left( \textbf{A,AS,e}^{\varvec{\top }}\textbf{S} \right)\) is statistically close to \(\left( \textbf{A,B,e}^{\varvec{\top }}\textbf{S} \right)\).
Lattice
A full rank lattice \(\Lambda\) is a discrete additive subgroup of \(\mathbb {R}^{n}\). Given a positive intger n and a basis \(\textbf{B}= \left\{ b_{1},...,b_{n} \right\} \subseteq \mathbb {R}^{n}\), the lattice \(\Lambda\) can be represented as
For an uniformly randomly matrix \(\textbf{A}\in \mathbb {Z}_{q}^{n\times m}\) and a vector \(\textbf{u}\in \mathbb {Z}_{q}^{n}\), the qary lattice \(\Lambda _{q}^{\perp }(\textbf{A})\) and its coset \(\Lambda _{q}^{\textbf{u}}(\textbf{A})\) is denoted by
\(\mathbf {Discrete\ Gaussian\ Distribution}\): Given a lattice \(\Lambda\) with a parameter \(\sigma \in \mathbb {R}\) and a center vector \(\varvec{c}\in \mathbb {R}^{n}\), we denote the nth dimensional discrete Gaussian distribution by
where \(\varvec{x}\in \Lambda\) and \(\rho _{\varvec{c}, \sigma } = \text {exp}\left( \pi \left\ \varvec{xc} \right\ ^2/2\sigma ^{2} \right)\).
Definition 1
\((\mathbf {Ring\ Learning\ With\ Errors})\) The Ring Learning With Errors (RLWE) hardness assumption holds if for any PPT adversary \(\mathcal {A}\) we have
where \(\left\{ s,a_{i} \right\} \leftarrow \mathcal {R}_{q}\), \(e_{i}\leftarrow D_{\mathcal {R},\sigma }\), \(i=0,...,n\) and the probability is taken over the choice of the random coins by the PPT adversary \(\mathcal {A}\).
Lattice trapdoors
Lattices with trapdoors are described in [8, 19, 29], and they are statistically indistinguishable from randomly chosen lattices. But trapdoors have some extra information that can be used for efficient solution to the hard problem on lattices. In this paper, we utilize the trapdoor sampler from [19, 29]. The trapdoor sampler contains \(\text {TrapGen}\) algorithm, \(\text {SamplePre}\) algorithm and two expansion algorithms: \(\text {SampleLeft}\) algorithm and \(\text {SampleRight}\) algorithm, which are given as follows.

\(\textbf{TrapGen}\left( \lambda \right) \rightarrow \left( \textbf{A},\textbf{T}_{\textbf{A}} \right)\): The lattice generation algorithm takes the security parameters \(\lambda\) and \(\sigma\), modulus q, and a polynomial degree n as input. Then it outputs a vector \(\textbf{A} \in \mathcal {R}^{1 \times m}_q\) together with a trapdoor \(\textbf{T}_{\textbf{A}}\).

\(\textbf{SamplePre}\left( \textbf{A},\textbf{T}_{\textbf{A}},u,\sigma ,\sigma _{s} \right) \rightarrow \textbf{s}\): The presampling algorithm takes a vector \(\textbf{A}\in \mathcal {R}_{q}^{1 \times m}\), a trapdoor \(\textbf{T}_{\textbf{A}}\), a target \(u \in \mathcal {R}\), and a pair of parameters \(\left( \sigma , \sigma _{s} \right)\) as input. It outputs a vector \(\textbf{s} \leftarrow D_{\mathcal {R}_{q}^{m}}\) such that \(\textbf{A}\cdot \textbf{s}=u\).

\(\textbf{SampleRight}\left( \textbf{A},\textbf{B},\textbf{T}_{\textbf{A}},u \right) \rightarrow \textbf{s}\): The algorithm takes as input a pair of vectors \(\left( \textbf{A},\textbf{B} \right) \in \mathcal {R}_{q}^{1 \times m}\times \mathcal {R}_{q}^{1 \times m}\), a trapdoor \(\textbf{T}_{\textbf{A}}\) and target \(u \in \mathcal {R}\), and outputs a vector \(\textbf{s} \leftarrow D_{\mathcal {R}_{q}^{2m}}\) such that \(\left( \textbf{A}\mid \textbf{B} \right) \cdot \textbf{s}=u\).

\(\textbf{SampleLeft}\left( \textbf{A},\textbf{B},\textbf{T}_{\textbf{B}},\textbf{S},u \right) \rightarrow \textbf{s}\): The algorithm takes as input a pair of vectors \(\left( \textbf{A},\textbf{B} \right) \in \mathcal {R}_{q}^{1 \times m}\times \mathcal {R}_{q}^{1 \times m}\), a trapdoor \(\textbf{T}_{\textbf{B}}\), a matrix \(\textbf{S}\leftarrow \left( \pm 1 \right) ^{m\times m}\) and target \(u \in \mathcal {R}\), and outputs a vector \(\textbf{s} \leftarrow D_{\mathcal {R}_{q}^{2m}}\) such that \(\left( \textbf{A}\mid \textbf{A}\textbf{S}+\textbf{B} \right) \cdot \textbf{s}=u\).
Definition 2
\((\mathbf {WellSampledness\ of\ Vector})\)[12] The lattice generation algorithm is said to satisfy the wellsampledness of vector property if for any \(\lambda \in \mathbb {N}\), there exists a negligible function \(negl\left( \lambda \right)\) such that the vector \(\textbf{A}\) is \(negl\left( \lambda \right)\)close to uniform, where \(\textbf{A}\) is generated by \(\textbf{TrapGen}\left( \lambda \right)\).
Definition 3
\((\mathbf {WellSampledness\ of\ Preimage})\) [12] The presampling algorithms and two expansion algorithms are said to satisfy the wellsampledness of preimage property if for any \(\lambda \in \mathbb {N}\), there exists a negligible function \(negl\left( \lambda \right)\) such that the distribution of the vector \(\textbf{s}_{\varvec{1}}\) and \(\textbf{s}_{\varvec{2}}\) are \(negl\left( \lambda \right)\)close to \(D_{\mathcal {R}_{q}^{m}}\) and \(D_{\mathcal {R}_{q}^{2m}}\) respectively, where \(\textbf{s}_{\varvec{1}}\) is sampled by \(\textbf{SamplePre}\left( \textbf{A},\textbf{T}_{\textbf{A}},u,\sigma ,\sigma _{s} \right)\) algorithm and \(\textbf{s}_{\varvec{2}}\) is sampled by one of the two expansion algorithms with the same parameters.
The binarytree data structure
The binary treebased data structure is mainly used to reduce the calculation cost of generating keyupdating material from linear to logarithmic. In the binary tree structure, each user is associated with the leaf node. Except for leaf nodes, each node has two children nodes. Let Path(v) be the node set on the path from the root node of the tree to node v, and \((v_{l},v_{r})\) be the left child node and the right child node of node v respectively if v is a nonleaf node. When a user \(v_{i}\) is revoked at time \(t_{i}\), add the user to the revocation list rl, and then the subset covering algorithm \(\text {KUNodes}(st,rl,t)\) [30] is run to fatch the minimum set of keyupdating materials related to nonrevoked users. The \(\text {KUNodes}(st,rl,t)\) algorithm is shown as Algorithm 1.
System framework
In this section, we present the system model and threat model of CFS with our new RMCPABE scheme. We then provide a formal security model to simulate the adversary’s attacks in the model.
RMCPABE scheme
Definition 4
There are eight algorithms in our RMCPABE scheme: GlobalSetup, AuthSetup, KeyGen, KeyUpdate, DKGen, Enc, Dec, and Rev, with associated attribute space \(\mathcal {U}\), user space \(\mathcal {I}\), time space \(\mathcal {T}\), and message space \(\mathcal {M}\). The algorithms are defined as follows:
\(\text {GlobalSetup}(\lambda , N)\rightarrow pp\): The global setup algorithm takes as input the security parameter \(\lambda\) and the number of authorities N, and outputs the public parameters pp.
\(\text {AuthSetup}(pp,\theta )\rightarrow (pk_{\theta }, msk_{\theta })\): The authority setup algorithm takes as input the public parameters pp, and a number \(\theta\) to represent the \(\theta\)th authority \(AA_{\theta }\), and outputs a pair of \(\left( pk_{\theta }, msk_{\theta } \right)\) as the public key and master secret key.
\(\text {KeyGen}(pk_{\theta }, msk_{\theta },st,S)\rightarrow sk_{\theta }\): The key generation algorithm takes as input the public key \(pk_{\theta }\), master secret key \(msk_{\theta }\), a state st and a set of attributes S, and outputs the secret key \(sk_{\theta }\) associated with \(AA_{\theta }\).
\(\text {KeyUpdate}(pk_{\theta }, msk_{\theta },rl,st,t)\rightarrow ku_{t}\): The key update algorithm inputs the public key \(pk_{\theta }\), the master secret key \(msk_{\theta }\), a revocation list rl, and a state st, and a time t and outputs an update key \(ku_{t}\).
\(\text {DKGen} \left( \{sk_{\theta }, ku_{\theta }\}_{\theta \in N} \right) \rightarrow dk\): The decryption key generation algorithm takes the secret key \(\{sk_{\theta }\}_{\theta \in N}\) and the key update \(\{ku_{\theta }\}_{\theta \in N}\) as input. If the user is not revoked, the algorithm outputs the decryption key. Otherwise, it outputs \(\perp\).
\(\text {Enc} \left( pp, \{pk_{\theta }\}_{\theta \in N}, \mu ,\mathbb {W} \right) \rightarrow CT\): The encryption algorithm takes as input the public parameters pp, the public key \(\{pk_{\theta }\}_{\theta \in N}\), a message \(\mu\), and an access policy \(\mathbb {W}\) and outputs a ciphertext CT.
\(\text {Dec} \left( CT, dk \right) \rightarrow \mu\): The decryption algorithm takes as input the ciphertext CT and the decryption key dk. If the attribute set S corresponding to the decryption key dk satisfies the access policy \(\mathbb {W}\), the algorithm outputs a message \(\mu\). Otherwise it outputs \(\perp\).
\(\text {Rev} \left( rl, id, t \right) \rightarrow rl\): The revocation algorithm takes as input the revocation list rl, an user’s global identity id to be revoked and a time t, and outputs the updated revocation list rl.
Definition 5
\((\textbf{Correctness})\) The correctness of RMCPABE requires that for every security parameter \(\lambda \in \mathbb {N}\), every message \(\mu\), every access policy \(\mathbb {W}\), and every set of attribute S which satisfy the access policy \(\mathbb {W}\) it holds that
System model
We propose a secure CFS system framework based on the RMCPABE scheme, which mainly includes four typical parties described as follows:
\(\mathbf {Attribute\ Authorities(AAs)}\): AAs are authorization management entities set up by the enterprise side independently of the cloud server, responsible for initializing the system and broadcasting system parameters to other entities, and maintaining the access credentials of users in the system. In addition, every update cycle, the enterprise will revoke users who have lost access by publicly broadcasting keyupdating materials. AAs consists of a central authority(CA) and several attribute authorities. This distributed architecture not only reduces the workload of a single attribute authority, but also enhances the scalability of the system and realizes CFS across enterprises.
\(\mathbf {Data\ Owners(DOs)}\): DOs are the initiators and owners of shared files. It encrypts files through the client, sets corresponding access policies, and finally uploads the encrypted files to the cloud.
\(\mathbf {Data\ Users(DU)}\): DUs are users of shared files. Users with access rights can decrypt the file through the client to read the file content.
\(\mathbf {Cloud\ Service\ Provider(CSP)}\): CSP provides cloudbased file storage and file sharing services for CFS systems.
As shown in Fig. 1, the workflow of the CFS system based on the RMCPABE scheme can be divided into the following four steps:
System initialization: Fig. 2 shows the CFS system initialization phase. CA runs \(\text {GlobalSetup}(\lambda , N)\rightarrow pp\) and each AA runs \(\text {AuthSetup}(pp,\theta )\rightarrow (pk_{\theta }, msk_{\theta })\) to generate system parameters, then broadcast the \((pp,pk_{\theta })\) to DOs and CSP(see Fig. 1 ①). AAs runs \(\text {KeyGen}(pk_{\theta }, msk_{\theta },st,S)\rightarrow sk_{\theta }\) to generate and send private key to the corresponding user (see Fig. 1 ②).
File sharing: As shown in Fig. 2, DOs runs \(\text {Enc} \left( pp, \{pk_{\theta }\}_{\theta \in N}, \mu ,\mathbb {W} \right) \rightarrow CT\) to encrypt the files and upload them to CSP in the file sharing phase(see Fig. 1 ⑤).
User management: As shown in Fig. 3, in the user management phase, the AAs runs \(\text {Rev} \left( rl, id, t \right) \rightarrow rl\) to add users who have lost access rights to the revoked list (see Fig. 1 ③), and runs algorithm \(\text {KeyUpdate}(pk_{\theta }, msk_{\theta },rl,st,t)\rightarrow ku_{t}\) to generate and broadcast the updated key during the key update period (see Fig. 1 ④).
Files Decrytion: As shown in Fig. 3, in the files decrytion phase, the DUs with access rights first receives the update key of the current period and runs \(\text {DKGen} \left( \{sk_{\theta }, ku_{\theta }\}_{\theta \in N} \right) \rightarrow dk\) to generate a temporary decryption key(see Fig. 1 ⑥). Then DUs runs \(\text {Dec} \left( CT, dk \right) \rightarrow \mu\) to decrypt and read the files contents(see Fig. 1 ⑦).
Threat model
In our system, the CSP is honest and curious, that is, it follows the protocol, but tries to get as much sensitive information in the files as possible through observations. In addition, data stored in the cloud is more vulnerable to some adversary, such as hackers. In order to prevent the semitrusted CSP and various adversaries (including quantum adversaries, see Fig. 1⑧) from getting the sensitive information, we introduce RMCPABE based on RLWE to ensure the security of CFS systems in the postquantum era. Furthermore, in the threat model, we allow collusion attacks between revoked users and unauthorized users to attempt to obtain useful information in encrypted files. At the same time, the attacker can also launch some attacks by means of the corrupted AAs. Hence, collusion attacks between the corrupted AA and the revoked users pose a serious threat to the system’s security. This forces our RMCPABE scheme to have the ability to resist collusion attacks. Furthermore, as shown in Fig. 3, for the practical decryption key exposure attack in indirectly revocable cryptosystems, our scheme is also required to have the ability to resist decryption key exposure. For the various types of attacks that may be encountered in the real world, we present the following security model.
Security model
Definition 6
We define the selective INDCPA security with Decryption Key Exposure Resistance(DKER) for RMCPABE scheme by the following game between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\).
\(\mathbf {Init.}\) The adversary \(\mathcal {A}\) chooses a challenge access structure \(\mathbb {W}^{*}\) and a time \(t^{*}\), and give them to \(\mathcal {C}\). The challenge access policy contains two subsets, the positive attribute set \(\mathbb {W}^{+}\) and the negative attribute set \(\mathbb {W}^{}\), where \(\mathbb {W}^{+}\cap \mathbb {W}^{}=\emptyset\). Then, \(\mathcal {A}\) chooses a set of corrupted AAs \(\textbf{Cor}\) and publishes the set.
\(\mathbf {Setup.}\) \(\mathcal {C}\) calls \(\text {GlobalSetup}\) algorithm to acquire and send pp to \(\mathcal {A}\). Then, \(\mathcal {C}\) performs the \(\text {AuthSetup}\) algorithm to obtain and send their corresponding public and private key pairs \(\left\{ pk_{\theta }, msk_{\theta } \right\} _{\theta \in N}\). For the set of uncorrupted authorities, \(\mathcal {C}\) sends the corresponding public key \(\left\{ pk_{\theta } \right\} _{\theta \notin \textbf{Cor}}\). Otherwise, \(\mathcal {C}\) sends the corresponding publicprivate key pair \(\left\{ pk_{\theta }, msk_{\theta } \right\} _{\theta \in \textbf{Cor}}\).
\(\mathbf {Key\ Query.}\) \(\mathcal {A}\) is allowed to adaptively make the following query to \(\mathcal {C}\) on the attribute set \(\textbf{S}\):

\(sk_{\theta } \leftarrow \mathcal {A}^{\mathcal {O}^{KeyGen\left( \cdot \right) }}\left( \textbf{S} \right)\) for all \(\theta \notin \textbf{Cor}\).

\(ku_{\theta ,t} \leftarrow \mathcal {A}^{\mathcal {O}^{KeyUpdate\left( \cdot \right) }}\left( t,rl,st \right)\) for all \(\theta \notin \textbf{Cor}\).

\(dk\leftarrow \mathcal {A}^{\mathcal {O}^{DKGen\left( \cdot \right) }}\left( sk_{\theta },ku_{\theta ,t } \right)\).

\(\left( rl,st \right) \leftarrow \mathcal {A}^{\mathcal {O}^{Rev\left( \cdot \right) }}\left( rl,id,t \right)\).
When the adversary has access to the oracle, there are some restrictions as follows, and these restrictions are divided into two cases:
\(\mathbf {Case\ I.}\) \(\mathcal {O}^{KeyGen\left( \cdot \right) }\) can not be queried with the attribute set \(\textbf{S}\) satisfying \(\mathbb {W}^{*}\).
\(\mathbf {Case\ II.}\) If \(\mathcal {O}^{KeyGen\left( \cdot \right) }\) was queried with the attribute set \(\textbf{S}\) satisfying \(\mathbb {W}^{*}\), then \(\mathcal {O}^{Rev\left( \cdot \right) }\) must be queried on this user id before time \(t^{*}\).
In addition, both cases are held to the following restrictions:

\(\mathcal {O}^{KeyUpdate\left( \cdot \right) }\) and \(\mathcal {O}^{Rev\left( \cdot \right) }\) are only allowed to query in nondecreasing time sequence.

If \(\mathcal {O}^{KeyUpdate\left( \cdot \right) }\) was queried at the time t, \(\mathcal {O}^{Rev\left( \cdot \right) }\) can not be queried at the time t.

\(\mathcal {O}^{DKGen\left( \cdot \right) }\) cannot be queried for the decryption key dk corresponding to the user whose attribute set \(\textbf{S}\) satisfies \(\mathbb {W}^{*}\) or the user that has been revoked.
\(\mathbf {Challenge.}\) \(\mathcal {A}\) chooses two equallength message \(\mu _{1},\mu _{2} \in \mathcal {M}\) and sends them to \(\mathcal {C}\). Then \(\mathcal {C}\) randomly flips a coin \(b\leftarrow \left\{ 0,1 \right\}\) and replies \(CT \leftarrow \text {Enc} \left( pp, \{pk_{\theta }\}_{\theta \in N}, \mu _{b} ,\mathbb {W} \right)\) to \(\mathcal {A}\).
\(\mathbf {Guess.}\) The adversary \(\mathcal {A}\) outputs the guessed \(b'\) for b.
Adversary \(\mathcal {A}\)’s advantage in this game is defined as follows:
Definition 7
\((\mathbf {sINDCPA\ in\ RMCPABE})\) An RMCPABE scheme is the selective INDCPA security with DKER, if for any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\text {negl}(\cdot )\) such that the advantage of adversary \(Adv_{\mathcal {A}}^{INDCPA}\left( \lambda \right) \le \text {negl}(\cdot )\).
Construction
In this section, we provide the detailed construction of our RMCPABE scheme for access structure represented by an AND gate over positive and negative attributes. The positive attribute in the access policy requires that the user must have this attribute to decrypt the corresponding ciphertext. On the other hand, the negative attribute in the access policy requires that the attribute set of the decrypting user cannot contain this attribute. The scheme supports N attribute authorities in the system, and efficient user revocation. The details are given below.
\(\text {GlobalSetup}(\lambda , N)\rightarrow (pp,st,rl)\): The algorithm inputs a security parameter \(\lambda\) and the number of attribute authorities \(N\in \mathbb {N}\). It first chooses a set of positive integers q, n, m. Next, it samples a vector \(\textbf{y}\in \mathcal {R}_{q}^{1\times m}\) and an element \(\beta \in \mathcal {R}_{q}\). Furthermore, it specifies an FRD function H. Finally, it outputs the public parameters
\(\text {AuthSetup}(pp,\theta )\rightarrow (pk_{\theta }, msk_{\theta })\): The algorithm takes the public parameters and the number of the attribute authority as input. Each attribute authority \(AA_{\theta }\) runs the algorithm and generates a vectortrapdoor pair \(\left( \textbf{A}_{\theta }, \textbf{T}_{\textbf{A}_{\varvec{\theta }}}\right) \leftarrow \text {TrapGen}(\lambda )\), and a pair of vectors \(\left( \textbf{B}_{\theta , i}^{+}, \textbf{B}_{\theta , i}^{}\right) \leftarrow \mathcal {R}_{q}^{1 \times m}\). Next, it samples vectors \(\left\{ \textbf{D}_{\theta },\textbf{E}_{\theta } \right\} \leftarrow \mathcal {R}_{q}^{1 \times m}\) and outputs the public key and master secret key for the authority \(\theta\)
\(\text {KeyGen}(pk_{\theta }, msk_{\theta },st,\textbf{S})\rightarrow sk\): The algorithm takes the public key \(pk_{\theta }\), the master secret key \(msk_{\theta }\) of \(AA_{\theta }\), the state st and a user’s attribute set \(\textbf{S}\subseteq l_{\theta }\) as input, where \(l_{\theta }\) is the set of attributes managed by the \(AA_{\theta }\). It then proceeds as follows.

1
CA takes a polynomial \(P(x)=\beta +\sum _{i=1}^{N1} a_{i} x^{i}\) of degree \(N1\) for \(a_{i}\leftarrow \mathcal {R}_{q}\), computes \(\beta _{\theta }=P\left( \theta \right)\) and assigns \(\beta _{\theta }\) to \(AA_{\theta }\).

2
For each \(i\in l_{\theta }\), \(AA_{\theta }\) chooses a vector \(\textbf{k}_{\theta , i} \leftarrow D_{\mathcal {R}_{q}^{m}, \sigma _{s}}\). If \(i\in \textbf{S}\), it computes \(u_{\theta , i} \leftarrow \textbf{B}_{\theta ,i}^{+} \textbf{k}_{\theta , i}\), else, it computes \(u_{\theta , i} \leftarrow \textbf{B}_{\theta ,i}^{} \textbf{k}_{\theta , i}\).

3
For each node \(\alpha \in Path(id)\setminus Path(id')\), if the node is empty, \(AA_{\theta }\) randomly chooses \(u_{A_{\theta }, \alpha , 2} \leftarrow R_{q}\) and store it in the node, where id denotes the user’s identity who generated the secret key and \(id'\) denotes the user’s identity who has been revoked. It implies that the nodes \(\alpha \in Path(id')\) corresponding to the revoked user identity \(id'\) have been invalidated, and the \(AA_{\theta }\) does not need to generate secret keys corresponding to these potentially shared nodes for subsequent users.

4
\(AA_{\theta }\) calculates \(u_{A_{\theta }, \alpha , 1}=\beta _{\theta }u_{A_{\theta , \alpha , 2}}\sum _{i \in l_{\theta }} u_{\theta , i}\) and samples
$$\begin{aligned} \textbf{k}_{\textbf{A}_{\theta }, \alpha , 1} \leftarrow \text{ SamplePre }\left( \textbf{A}_{\theta }, \textbf{T}_{\textbf{A}_{\varvec{\theta }}}, u_{A_{\theta }, \alpha , 1}, \sigma , \sigma _{s}\right) .\end{aligned}$$ 
5
\(AA_{\theta }\) samples \(\textbf{k}_{\textbf{A}_{\theta },3}\leftarrow D_{\mathcal {R}_{q}^{2m},\sigma _{s}}\) and calculates \(u_{A_{\theta }, 3}\leftarrow \left( \textbf{A}_{\theta }\mid \textbf{E}_{\theta } \right) \textbf{k}_{\textbf{A}_{\theta },3}\).

6
\(AA_{\theta }\) chooses \(u_{A_{\theta }, 4}\leftarrow \mathcal {R}_{q}\) and stores it.

7
Then \(AA_{\theta }\) samples
$$\begin{aligned} \textbf{k}_{\textbf{A}_{\theta },4} \leftarrow \text{ SamplePre }\left( \textbf{A}_{\theta }, \textbf{T}_{\textbf{A}_{\varvec{\theta }}}, u_{A_{\theta },4}u_{A_{\theta },3}, \sigma , \sigma _{s}\right) \end{aligned}$$.

8
Finally, it outputs the secret key
$$\begin{aligned} sk_{\theta }=\left( \left\{ \textbf{k}_{\textbf{A}_{\theta }, \alpha , 1} \right\} _{\alpha \in Path(id)\setminus Path(id')}, \left\{ \textbf{k}_{\theta , i} \right\} _{i\in S},\textbf{k}_{\textbf{A}_{\theta },3},\textbf{k}_{\textbf{A}_{\theta },4} \right) \end{aligned}$$
\(\text {KeyUpdate}(pk_{\theta }, msk_{\theta },rl,st,t)\rightarrow ku\): Given the public key \(pk_{\theta }\), the master secret key \(msk_{\theta }\) of \(AA_{\theta }\), the revocation list rl, the state st and a revocation time t, the algorithm proceeds as follows.

1
It samples \(r_{t}\leftarrow D_{\mathcal {R}_{q},\sigma _{s}}\) and samples \(\textbf{k}_{\textbf{A}_{\theta },5}\leftarrow D_{\mathcal {R}_{q}^{2m},\sigma _{s}}\).

2
It calculates \(u_{A_{\theta }, 5}=\left( \textbf{A}_{\theta }\mid \textbf{E}_{\theta } \right) \textbf{k}_{\textbf{A}_{\theta },5}\).

3
Next, it fetches \(u_{A_{\theta }, \alpha , 2}\) and \(u_{A_{\theta }, 4}\), and samples
$$\begin{aligned} \textbf{k}_{\textbf{A}_{\theta }, \alpha , 2} \leftarrow \text{ SampleLeft }\left( \textbf{A}_{\theta }, \textbf{D}_{\theta }+\textbf{H}_{t}, \textbf{T}_{\textbf{A}_{\mathbf {\theta }}}, u'_{A_{\theta },\alpha , 2} \right) \end{aligned}$$where \(\alpha \in \text {KUNodes}(st,rl,t)\), \(u'_{A_{\theta },\alpha , 2}=u_{A_{\theta },\alpha , 2}u_{A_{\theta }, 4}r_{t}+u_{A_{\theta }, 5}\) and \(\textbf{H}_{t} = Tran_{M\rightarrow V}\left( Tran_{V\rightarrow M} \left( \textbf{y}^{\top } \right) \textrm{H} \left( t \right) \right)\).

4
Finally, it outputs the key update
$$\begin{aligned} ku_{\theta ,t}=\left( \left\{ \textbf{k}_{\textbf{A}_{\theta }, \alpha , 2} \right\} _{\alpha \in \text {KUNodes}(st,rl,t)},\textbf{k}_{\textbf{A}_{\theta }, 5},r_{t} \right) . \end{aligned}$$
\(\text {DKGen} \left( \{sk_{\theta }, ku_{\theta }\}_{\theta \in N} \right) \rightarrow dk\): The algorithm takes the secret key \(\{sk_{\theta }\}_{\theta \in N}\) and the key update \(\{ku_{\theta }\}_{\theta \in N}\) as input. If \(Path(id)\cap \text {KUNodes}(st,rl,t)=\emptyset\), it returns a failure symbol \(\perp\). Otherwise, it can find a unique node \(\alpha \in Path(id) \cap \text {KUNodes}(st,rl,t)\) and store \(\left( \textbf{k}_{\textbf{A}_{\theta },\alpha , 1}, \textbf{k}_{\textbf{A}_{\theta }, \alpha , 2}, \textbf{k}_{\theta , i} \right)\) in \(dk_{\theta }\) for ench \(\theta \in N\). For simplicity, we can omit the subscript \(\alpha\). Then, let \(\textbf{dk}_{\textbf{A}_{\theta }, 1}= \textbf{k}_{\textbf{A}_{\theta },1}+\textbf{k}_{\textbf{A}_{\theta },4}r_{t}\), \(\textbf{dk}_{\textbf{A}_{\theta },2}= \textbf{k}_{\textbf{A}_{\theta },2}\), and \(\textbf{dk}_{\textbf{A}_{\theta },3}= \textbf{k}_{\textbf{A}_{\theta },3}r_{t}\textbf{k}_{\textbf{A}_{\theta },5}\), Finally, it outputs the decryption key
\(\text {Enc} \left( pp, \{pk_{\theta }\}_{\theta \in N}, \mu ,\mathbb {W} \right) \rightarrow CT\): Given the public parameters pp, the public key \(\{pk_{\theta }\}_{\theta \in N}\), a message \(\mu\), and an access structure \(\mathbb {W}=\left( \mathbb {W}^{+}\cap \mathbb {W}^{} \right)\), which determines the set of positive and negative attributes, the algorithm samples \(s\leftarrow \mathcal {R}_{q}\) and \(e_{0}\leftarrow D_{\mathcal {R}_{q}, \sigma _{s}}\), and computes \(\textbf{C}_{0} \leftarrow s \beta +e_{0}+\mu [q / 2]\). Then it samples vectors \(\left\{ \textbf{e}_{\textbf{A}_{\theta }} \right\} _{\theta \in N}\leftarrow D_{\mathcal {R}_{q}^{m}, \sigma _{s}}\), and computes \(\textbf{C}_{\textbf{A}_{\theta }} \leftarrow \textbf{A}_{\theta }^{T}s+\textbf{e}_{\textbf{A}_{\theta }}\). For each \(\theta \in N\) and \(i \in l_{\theta }\), if \(i \in \mathbb {W}^{+}\), it samples vectors \(\textbf{e}_{\theta ,i}\leftarrow D_{\mathcal {R}_{q}^{m}, \sigma _{s}}\) and computes \(\textbf{C}_{\theta , i} \leftarrow \left( \textbf{B}_{\theta ,i}^{+}\right) ^{T}s+\textbf{e}_{\theta , i}\), else if \(i \in \mathbb {W}^{}\), it samples vectors \(\textbf{e}_{\theta ,i}\leftarrow D_{\mathcal {R}_{q}^{m}, \sigma _{s}}\) and computes \(\textbf{C}_{\theta , i} \leftarrow \left( \textbf{B}_{\theta ,i}^{}\right) ^{T}s+\textbf{e}_{\theta , i}\). Otherwise, it samples vectors \(\left\{ \textbf{e}_{\theta ,i}^{+},\textbf{e}_{\theta ,i}^{} \right\} \leftarrow D_{\mathcal {R}_{q}^{m}, \sigma _{s}}\), and computes \(\textbf{C}_{\theta , i}^{+} \leftarrow \left( \textbf{B}_{\theta ,i}^{+}\right) ^{T}s+\textbf{e}_{\theta , i}^{+}\) and \(\textbf{C}_{\theta , i}^{} \leftarrow \left( \textbf{B}_{\theta ,i}^{}\right) ^{T}s+\textbf{e}_{\theta , i}^{}\). Next, it samples matrices \(\left\{ \mathbf {R_{\theta ,1}},\mathbf {R_{\theta ,2}} \right\} \leftarrow \left\{ \pm 1 \right\} ^{m\times m}\), and computes \(\textbf{C}_{\theta , t,1}=\left( \textbf{D}_{\theta }+\textbf{H}_{t}\right) ^{T} s+\textbf{R}_{\theta ,1} \textbf{e}_{\textbf{A}_{\theta }}\) and \(\textbf{C}_{\theta ,t,2}=\left( \textbf{E}_{\theta }\right) ^{T} s+\textbf{R}_{\theta ,2} \textbf{e}_{\textbf{A}_{\theta }}\). Finally, it outputs the ciphertext
\(\text {Dec} \left( CT, dk \right) \rightarrow \mu\): The algorithm takes the ciphertext CT and the decryption key dk as input. Let \(\textbf{S}\) be the attribute set associated to dk. If \(\textbf{S}\cap \mathbb {W}^{+}=\mathbb {W}^{+}\) and \(\textbf{S}\cap \mathbb {W}^{}=\emptyset\), it proceeds as follows:

1
Calculate \(a_{\theta ,1}=\left( \textbf{C}_{\textbf{A}_{\theta }} \right) ^{\top }\textbf{dk}_{\textbf{A}_{\theta },1}\).

2
For each \(\theta \in N\) and \(i \in l_{\theta }\), if \(i \in \mathbb {W}\), calculate \(a_{\theta , 2, i}=\left( \textbf{C}_{\theta , i} \right) ^{\top }\textbf{k}_{\theta , i}\), else if \(i \in S\), calculate \(a_{\theta , 2, i}=\left( \textbf{C}_{\theta , i}^{+} \right) ^{\top }\textbf{k}_{\theta , i}\), otherwise, calculate \(a_{\theta , 2, i}=\left( \textbf{C}_{\theta , i}^{} \right) ^{\top }\textbf{k}_{\theta , i}\).

3
Let \(\textbf{C}_{\textbf{A}_{\theta },t,1}=\left( \textbf{A}_{\theta }\mid \textbf{D}_{\theta }+\textbf{H}_{t}\right) ^{T} s+\left( \textbf{e}_{\textbf{A}_{\theta }}\mid \textbf{R}_{\theta ,1 } \textbf{e}_{\textbf{A}_{\theta }} \right)\), and calculate \(a_{\theta ,3}=\textbf{C}_{\textbf{A}_{\theta }, t}\textbf{dk}_{\textbf{A}_{\theta },2}\).

4
Let \(\textbf{C}_{\textbf{A}_{\theta },t,2}=\left( \textbf{A}_{\theta }\mid \textbf{E}_{\theta }\right) ^{T} s+\left( \textbf{e}_{\textbf{A}_{\theta }}\mid \textbf{R}_{\theta ,2 } \textbf{e}_{\textbf{A}_{\theta }} \right)\), and calculate \(a_{\theta ,4}=\textbf{C}_{\textbf{A}_{\theta }, t}\textbf{dk}_{\textbf{A}_{\theta },3}\).

5
Calculate
$$\begin{aligned} t=\textbf{C}_{0}\sum _{\theta \in N}\mathcal {L}_{\theta }\left( a_{\theta ,1}+a_{\theta ,2}+a_{\theta ,3}+a_{\theta ,4} \right) \end{aligned}$$where \(a_{\theta ,2}=\sum _{i \in l_{\theta }}a_{\theta ,2,i}\), and \(\mathcal {L}_{\theta }=\frac{\Pi _{\theta \in N,\theta \ne \delta }\left( \theta \right) }{\Pi _{\theta \in N,\theta \ne \delta }\left( \delta \theta \right) }\) is the Lagrangian coefficient.

6
If \(\left t_{i} \right < \frac{q}{4}\), output \(\mu _{i}=0\), otherwise output \(\mu _{i}=1\).
Otherwise, it outputs a failure symbol \(\perp\).
\(\text {Rev} \left( rl, id, t \right) \rightarrow rl\): The algorithm takes as input the revocation list rl, an user’s global identity id to be revoked and a time t. It updates revocation list rl
Correctness
We assume that an attribute set \(\textbf{S}\) satisfies the access policy(\(\textbf{S}\cap \mathbb {W}^{+}=\mathbb {W}^{+}\) and \(\textbf{S}\cap \mathbb {W}^{}=\emptyset\)), then we have
where, if \(i\in \mathbb {W}\), \(\textbf{C}_{\theta ,i}^{*} = \textbf{C}_{\theta ,i}\), else if \(i\in S\), \(\textbf{C}_{\theta ,i}^{*} = \textbf{C}^{+}_{\theta ,i}\), otherwise, \(\textbf{C}_{\theta ,i}^{*} = \textbf{C}^{}_{\theta ,i}\), and the choice of \(\textbf{B}^{*}_{\theta ,i}\) corresponds to that of \(\textbf{C}_{\theta ,i}^{*}\). Furthermore, the total noise term is denoted by \(\mathbf {\widetilde{e}}_{\theta } = \textbf{e}_{\textbf{A}_{\theta }}^{\top }\textbf{k}_{\textbf{A}_{\theta },1}+\textbf{e}_{\textbf{A}_{\theta }}^{\top }\textbf{k}_{\textbf{A}_{\theta },4}r_{t} + \textbf{e}_{\theta ,i}^{\top }\textbf{k}_{\theta ,i} + \left( \textbf{e}_{\textbf{A}_{\theta }}\mid \textbf{R}_{\theta ,1} \textbf{e}_{\textbf{A}_{\theta }}\right) ^{\top }\textbf{k}_{\textbf{A}_{\theta },2}+\left( \textbf{e}_{\textbf{A}_{\theta }}\mid \textbf{R}_{\theta ,2} \textbf{e}_{\textbf{A}_{\theta }}\right) ^{\top }\left( \textbf{k}_{\textbf{A}_{\theta },3}r_{t}+\textbf{k}_{\textbf{A}_{\theta },5} \right)\). Next, for \(\forall \theta \in N\), we compute
When the noise is small enough, it will not affect the plaintext information in the ciphertext. We let the upper bound on the combination of all noise factors be \(\eta\), the upper bounds of key components \(\left\{ \textbf{k}_{\textbf{A}_{\theta },1}, \textbf{k}_{\textbf{A}_{\theta },2},\textbf{k}_{\textbf{A}_{\theta },3},\textbf{k}_{\textbf{A}_{\theta },4},\textbf{k}_{\textbf{A}_{\theta },5}, \textbf{k}_{\theta ,i} \right\}\) are \(\eta _{s}\), and the upper bounds of ciphertext noise factors \(\textbf{e}_{\textbf{A}_{\theta }}\), \(\textbf{e}_{\theta ,i}\) are \(\eta _{e}\). According to [19], we let \(\eta _{e} =8\sigma\), and \(\eta _{s} =8\sigma _{s}\). In order to ensure the correctness of decryption, the following inequality holds with nonnegligible probability, i.e.,
where l is the sum of the number of attributes in all attribute authorities. Finally, we have that
Security proof
Theorem 1
If the RLWE assumption holds, then our scheme is secure against the selective INDCPA described in Security model section.
In the security proof, we divided the adversary into two types, one is the adversary who has not obtained legal authorization, and the user’s private key they have does not satisfies the challenge access policy \(\mathbb {W}^{*}\). The other category is revoked users who indicate malicious intent. Adversary can query the user’s private key that satisfies the challenge access policy and the updated key and decryption key before the revoked time t \((t<t^{*})\). To prove the above theorem, we will describe several security games that differ from each other in the formation of public parameters, the key queried by adversary \(\mathcal {A}\) and the challenge ciphertext. The first game is the same as the ABE game we defined in the security model, and the adversary’s advantage is zero in the last game of the sequence. And we argue that the adversary \(\mathcal {A}\)’s advantage varies negligibly between each successive security game. This will prove that the adversary has a negligible advantage in winning the original ABE security game.
\(\textbf{Game}_{\varvec{0}}\): This is the real selective security game form Security model section between an adversary \(\mathcal {A}\) against our scheme and a RMCPABE challenger \(\mathcal {B}\).
\(\textbf{Game}_{\varvec{1}}\): This game is the same as the previous game except the way the public key vectors \(\left\{ \textbf{A}_{\theta }, \textbf{B}_{\theta ,i}^{\pm },\textbf{D}_{\theta },\right\}\) are generated for all \(\theta \in N\) and \(i\in l_{\theta }\) during the setup phase. In this game, the public key vectors \(\left\{ \textbf{A}_{\theta } \right\} _{\theta \in N}\) is uniformly randomly chosen over \(\mathcal {R}_{q}^{1 \times m}\) instead of by the \(\text {TrapGen}\) algorithm. For all \(\theta \in N\) and \(i \in l_{\theta }\setminus \mathbb {W}^{*}\), \(\mathcal {B}\) samples \(\left\{ \textbf{B}^{+}_{\theta ,i},\textbf{B}^{}_{\theta ,i} \right\} \leftarrow \mathcal {R}_{q}^{1\times m}\). For each \(i \in \mathbb {W}^{+}\), \(\mathcal {B}\) samples \(\textbf{B}^{+}_{\theta ,i}\leftarrow \mathcal {R}_{q}^{1\times m}\) and computes \(\left\{ \textbf{B}^{}_{\theta ,i},\textbf{T}_{\textbf{B}_{\theta ,i}}^{} \right\} \leftarrow \text {TrapGen}(\lambda )\). Correspondingly, \(\mathcal {B}\) samples \(\textbf{B}^{}_{\theta ,i}\leftarrow \mathcal {R}_{q}^{1\times m}\) and computes \(\left\{ \textbf{B}^{+}_{\theta ,i},\textbf{T}_{\textbf{B}_{\theta ,i}}^{+} \right\} \leftarrow \text {TrapGen}(\lambda )\) for each \(i \in \mathbb {W}^{}\). Then, \(\mathcal {B}\) samples \(\left\{ \textbf{R}_{\theta ,1},\textbf{R}_{\theta ,2} \right\} \leftarrow \left\{ 1,1 \right\} ^{m\times m}\) for each \(\theta \in N\). Next, it computes \(\textbf{D}_{\theta }\leftarrow \textbf{A}_{\theta }\textbf{R}_{\theta ,1}\textbf{H}_{t^{*}}\) and \(\textbf{E}_{\theta }\leftarrow \textbf{A}_{\theta }\textbf{R}_{\theta ,2}\). According to the properties of the \(\text {TrapGen}\) algorithm and the leftover hash lemma, we conclude that \(\textbf{Game}_{\varvec{0}}\) and \(\textbf{Game}_{\varvec{1}}\) are statistically indistinguishable from the adversary’s view.
\(\textbf{Game}_{\varvec{2}}\): This game is analogous to the previous game except the generationed of the public parameter \(\textbf{y}\) during the setup phase. In this game, the vector \(\textbf{y}\) is generated by \(\text {TrapGen}(\lambda )\) instead of being randomly sampled. The indistinguishably between \(\textbf{Game}_{\varvec{1}}\) and \(\textbf{Game}_{\varvec{2}}\) follows from the good properties of the \(\text {TrapGen}\left( \cdot \right)\) algorithm.
\(\textbf{Game}_{\varvec{3}}\): In this game, we change the way the secret keys \(\left\{ sk_{\theta } \right\} _{\theta \in N}\) and update keys \(\left\{ ku_{\theta ,t} \right\} _{\theta \in N}\) are generated during the global setup phase. According to the key query restrictions on the two cases in the security model, we make the following changes:
\({Case\ I}\): If the adversary \(\mathcal {A}\) query an identity id whose attribute set \(\textbf{S}\) does not satisfy the access policy \(\mathbb {W^{*}}\), for all \(\theta \in N\) and \(t = t^{*}\), \(\mathcal {B}\) chooses \(\left\{ \textbf{k}_{\textbf{A}_{\theta }, \alpha , 2},\textbf{k}_{\textbf{A}_{\theta },4} \right\} \leftarrow \mathcal {R}_{q}^{ m}\) and computes \(u_{A_{\theta }, 4}=\textbf{A}_{\theta }\textbf{k}_{\textbf{A}_{\theta }, 4}+u_{A_{\theta }, 3}\). Then it computes \(u_{A_{\theta }, \alpha , 2}= \left( \textbf{A}_{\theta }\mid \textbf{A}_{\theta }\textbf{R}_{\theta ,1}\right) \textbf{k}_{\textbf{A}_{\theta }, \alpha , 2}+u_{A_{\theta }, 4}r_{t^{*}}u_{A_{\theta }, 5}\) and store them in node. Next, for any \(t \ne t^{*}\), \(\mathcal {B}\) samples \(\textbf{k}_{\textbf{A}_{\theta }, \alpha , 2} \leftarrow \text{ SampleRight } (\textbf{A}_{\theta }, \textbf{A}_{\theta }\textbf{R}_{\theta ,1}  \textbf{H}_{t^{*}} + \textbf{H}_{t}, \textbf{T}_{\textbf{A}_{\varvec{\theta }}}, u_{A_{\theta },\alpha , 2}u_{A_{\theta }, 4}\left( r_{t}r_{t^{*}}\right) +u_{A_{\theta }, 5})\). For secret key query, \(\mathcal {B}\) chooses \(\textbf{k}_{\textbf{A}_{\theta }, \alpha , 1}\leftarrow \mathcal {R}_{q}^{1\times m}\) and computes \(u_{A_{\theta }, \alpha , 1}=\textbf{A}_{\theta }\textbf{k}_{\textbf{A}_{\theta }, \alpha , 1}\) for all \(\theta \in N\). Since \(\textbf{S}\) does not satisfy \(\mathbb {W^{*}}\), \(\mathcal {B}\) must knows at least one \(\textbf{T}_{\textbf{B}_{\theta ,j}}^{+}\) or \(\textbf{T}_{\textbf{B}_{\theta ,j}}^{}\). Then, \(\mathcal {B}\) calculates \(u_{\theta , i} \leftarrow \textbf{B}_{\theta ,i}^{} \textbf{k}_{\theta , i}\) for each \(i \in \textbf{S},\,i \ne j\) and samples \(\textbf{k}_{\theta , j} \leftarrow \text{ SamplePre }\left( \textbf{B}_{\theta ,j}^{*}, \textbf{T}_{\textbf{B}_{\theta ,\textbf{j}}}^{*}, u_{\theta , j}, \sigma , \sigma _{s}\right)\), where \(u_{\theta , j}=\beta _{\theta }u_{A_{\theta }, \alpha , 1}u_{A_{\theta , \alpha , 2}}\sum _{i \in l_{\theta },i \ne j} u_{\theta , i}\).
\({Case\ II}\): If the adversary \(\mathcal {A}\) query an identity id whose attribute set \(\textbf{S}\) does satisfy the access policy \(\mathbb {W^{*}}\), then the identity id have been revoked before a time \(t^{*}\). For each \(\theta \in N\) and \(\alpha \in Path(id) \cap \text {KUNodes}(st,rl,t)\), \(\mathcal {B}\) chooses \(\textbf{k}_{\textbf{A}_{\theta }, \alpha , 1}\leftarrow \mathcal {R}_{q}^{m}\) and computes \(u_{A_{\theta }, \alpha , 1}=\textbf{A}_{\theta }\textbf{k}_{\textbf{A}_{\theta }, \alpha , 1}\). Then, \(\mathcal {B}\) computes \(u_{A_{\theta , \alpha , 2}}=\beta _{\theta }u_{A_{\theta }, \alpha , 1}\sum _{i \in l_{\theta }} u_{\theta , i}\) and store them in the node.
The indistinguishably between \(\textbf{Game}_{\varvec{2}}\) and \(\textbf{Game}_{\varvec{3}}\) follows from the good sampling property of \(\text {SamplePre}\left( \cdot \right)\) algorithm.
\(\textbf{Game}_{\varvec{4}}\): This game is identical to \(\textbf{Game}_{\varvec{3}}\), except that the challenge ciphertext is generated. In this game, for all \(\theta \in N,\,i \in l_{\theta }\setminus \mathbb {W}^{*}\), the challenger \(\mathcal {B}\) sets \(\left\{ \textbf{C}_{\textbf{A}_{\theta }},\textbf{C}_{\theta ,i},\textbf{C}_{\theta ,i}^{\pm } \right\} \leftarrow \mathcal {R}_{q}^{m}\), \(\textbf{C}_{\theta ,t,1}=\textbf{R}_{\theta ,1}\textbf{C}_{\textbf{A}_{\theta }}\), and \(\textbf{C}_{\theta ,t,2}=\textbf{R}_{\theta ,2}\textbf{C}_{\textbf{A}_{\theta }}\). The indistinguishably between \(\textbf{Game}_{\varvec{3}}\) and \(\textbf{Game}_{\varvec{4}}\) follows from the RLWE problem. Since the challenge ciphertext is a random element in the ciphertext space, the advantage of adversary \(\mathcal {A}\) in this game is negligible.
Efficiency analysis
In this section, we carry out theoretical analysis and simulation implementation of our scheme. In terms of theoretical analysis, we compare our scheme and related work in terms of scheme characteristics, storage cost, and computational cost. In the experimental simulation, we focus on analyzing the time cost of each algorithm when the number of attributes is different.
Theoretical analysis
In this subsection, we gave a theoretical analysis in functions of schemes, storage cost, and computational cost by comparing related schemes in [8, 9, 12, 13, 17, 18, 25] with our scheme.
Table 1 shows the comparison of related schemes and our scheme in terms of security assumptions and the scheme’s functions. Observe that schemes in [9, 17, 18, 25] only support single attribute authority. While schemes in [8, 12, 13] and our scheme support multiattribute authority, which can effectively reduce the computational burden of each attribute authority. In addition, the schemes in [8, 9, 25] and our scheme also support user revocation, allowing the system to manage users dynamically, improving the practicability of the scheme. On this basis, the scheme in [25] and our scheme also considers more possible security issues with decryption key exposure resistance.
Table 2 shows the storage cost of related schemes and our scheme in terms of public parameter size, private key size, and ciphertext size. For the convenience of description, we let N denote the number of attribute authorities in the system, \(\left l_{s} \right\) denote the total number of attributes in the system, \(\left l_{a} \right\) denote the number of attributes in the access policy, and \(\left l_{u} \right\) denote the number of attributes owned by users. It is worth mentioning that schemes in [9, 12, 13, 17, 25] are constructed based on the LWE assumption, where the public parameter \(m=\Omega \left( n\log q \right)\), while the scheme in [8, 18] and our scheme are constructed based on the RLWE assumption. It is wellknown that the scheme based on RLWE is usually superior to the schemes based on LWE in the parameter size and efficiency. Therefore, the scheme in [8, 18] and our scheme have smaller parameters than schemes [9, 12, 13, 17, 25], and are more efficient.
Experimental simulation
Test environment
We have implemented our construction on an Ubuntu 18.04 operating system with Intel Core i510400F, 2.90GHz processor and 4GB of memory with the Palisade library.
Storage cost
In our implementation, we use the Gaussian sampling algorithm for rings in scheme [19]. Specifically, we set the base \(b=64\), the ring size \(n=1024\) and the number of attribute authority \(N=3\). Table 3 shows the storage overhead of our scheme under the above parameter settings and different number of attributes. Note that the ciphertext size of our scheme will change according to \(\left l_{a} \right\). When \(\left l_{a} \right =1\), the ciphertext size reaches the maximum value, the formula for ciphertext size (in number of bits) can be given as \(\left( 2\left l_{s} \right +2N \right) \cdot m\cdot n\cdot \left\lceil \log q \right\rceil\). When \(\left l_{a} \right =\left l_{s} \right\), the ciphertext size reaches the minimum value, the formula can be given as \(\left( \left l_{s} \right +2N+1 \right) \cdot m\cdot n\cdot \left\lceil \log q \right\rceil\). Compared with the schemes based on the LWE assumption, our scheme has a relatively small cost in terms of storage. Moreover, as the number of attributes in the system increases, the public key size, decryption key size and ciphertext size of our scheme increase slowly. Therefore, our scheme is completely feasible in practical scenarios.
Situation results
Figure 4 shows the time cost comparison between recent work [8] (refer to YSL) and our scheme in initialization phase, private key generation phase, update key generation phase and encryption phase. We set the number of attributes vary from 6 to 18 in an increment of 2, hence there are 7 different situations. For each case, the experiment was repeated 20 times and each experiment was completely independent, and finally the average value was taken as the experimental result. In Fig. 4a, since YSL and our scheme both support multiple attribute authorities to work together, the time cost in the system initialization phase is both small. And both increase linearly with the increase of the number of attributes, and the growth rate is about 1.42 (ms/item). Therefore, even in a system with a large number of attributes, the setup phase time cost is acceptable. Figure 4b shows the time cost of YSL and our scheme in terms of user private key generation. Since our scheme has smaller user key size and number of key components than YSL, it takes less time. And as the number of attributes increases, the time cost of our scheme grows more slowly. In Fig. 4c, YSL has a slightly smaller time cost in updating key generation than our scheme. However, the efficiency of update key generation is related to the number of users in the system and not to the number of attributes. In YSL, the time cost of generating updated keys is linear with the number of users in the system, while the time cost of our scheme grows logarithmically with the number of users in the system. Therefore, in the case of a large number of attributes and users in the system, our update key generation algorithm can still maintain a high efficiency. Figure 4d shows the time cost comparison between YSL and our scheme in terms of encryption. During the encryption process, our scheme operates more compactly, and the number of ciphertext components associated with each attribute is also less than YSL. Therefore, the time cost of our scheme in the encryption phase is less than that of YSL, and as the number of attributes increases, the time cost of our scheme increases more slowly.
Figure 5 shows the relationship between the number of users in the system and the generation time of the update key. We denote the number of users by \(N_{u}\). When no user in the system has been revoked, all users share a set of update keys. At this time, the attribute authority only needs to generate a set of update keys. When a user is revoked, the attribute authority needs to generate \(\left\lceil \log N_{u} \right\rceil\) update key components. Observe that the time cost of updating the key generation algorithm grows linearly and slowly when the number of users in the system grows exponentially. Therefore, our scheme is also suitable for large systems with a large number of users.
Conclusion
We propose an RMCPABE scheme suitable for CFS systems. It implements efficient dynamic management of users and supports distributed frameworks. In addition, it is also resistant to decryption key exposure attack. By using the game sequence, we prove the security against CPA attacks and collusion attacks under the random oracle model. We also conducted an implementation to demonstrate the practicability of our RLWEbased RMCPABE scheme. The future works will focus on the construction of secure and efficient CPABE scheme under the standard model. At the same time, we can also consider constructing a CPABE scheme with more flexible access policies.
Availability of data and materials
The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.
References
Backendal M, Haller M, Paterson KG (2023) Mega: malleable encryption goes awry. 44th IEEE Symposium on Security and Privacy (SP 2023). San Francisco
Chen E, Zhu Y, Liang K, Yin H (2023) Secure remote cloud file sharing with attributebased access control and performance optimization. In: IEEE Transactions on Cloud Computing, vol. 11, no. 1, pp 579–594. https://doi.org/10.1109/TCC.2021.3104323
Li J, Wang S, Li Y, Wang H, Wang H, Wang H, Chen J, You Z (2019) An efficient attributebased encryption scheme with policy update and file update in cloud computing. IEEE Trans Ind Inf 15(12):6500–6509
Deng H, Qin Z, Wu Q, Guan Z, Yin H (2022) Revocable attributebased data storage in mobile clouds. In: IEEE Transactions on Services Computing, vol. 15, no. 2, pp 1130–1142. https://doi.org/10.1109/TSC.2020.2984757
Xue K, Chen W, Li W, Hong J, Hong P (2018) Combining data ownerside and cloudside access control for encrypted cloud storage. IEEE Trans Inf Forensic Secur 13(8):2062–2074
Wang S, Zhou J, Liu JK, Yu J, Chen J, Xie W (2016) An efficient file hierarchy attributebased encryption scheme in cloud computing. IEEE Trans Inf Forensic Secur 11(6):1265–1277
Joseph D, Misoczki R, Manzano M, Tricot J, Pinuaga FD, Lacombe O, Leichenauer S, Hidary J, Venables P, Hansen R (2022) Transitioning organizations to postquantum cryptography. Nature 605(7909):237–243
Yang Y, Sun J, Liu Z, Qiao Y (2022) Practical revocable and multiauthority cpabe scheme from rlwe for cloud computing. J Inf Secur Appl 65:103108
Wang S, Zhang X, Zhang Y (2018) Efficient revocable and grantable attributebased encryption from lattices with finegrained access control. IET Inf Secur 12(2):141–149
Xu S, Yang G, Mu Y (2019) Revocable attributebased encryption with decryption key exposure resistance and ciphertext delegation. Inf Sci 479:116–134
Xu S et al (2023) A secure EMR sharing system with tamper resistance and expressive access control. In: IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 1, pp 53–67. https://doi.org/10.1109/TDSC.2021.3126532
Datta P, Komargodski I, Waters B (2021) Decentralized multiauthority ABE for DNFs from LWE. In: Canteaut A, Standaert FX (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol 12696. Springer, Cham. https://doi.org/10.1007/9783030778705_7
Zhang G, Qin J, Qazi S (2015) Multiauthority attributebased encryption scheme from lattices[J]. J Univers Comput Sci 21(3):483–501. https://doi.org/10.3217/jucs021030483
Zhu Y, Hu H, Ahn GJ, Huang D, Wang S (2012) Towards temporal access control in cloud computing. Proceedings IEEE INFOCOM, Orlando, pp 2576–2580. https://doi.org/10.1109/INFCOM.2012.6195656
Zhu S, Yang X, Wu X (2013) Secure cloud file system with attribute based encryption. 2013 5th International Conference on Intelligent Networking and Collaborative Systems, Xi'an, pp 99–102. https://doi.org/10.1109/INCoS.2013.22
Zhu S, Gong G (2014) Fuzzy authorization for cloud storage. IEEE Trans Cloud Comput 2(4):422–435
Zhang J, Zhang Z, Ge A (2012) Ciphertext policy attributebased encryption from lattices. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security. ASIACCS ’12. Association for Computing Machinery, New York, pp 16–17. https://doi.org/10.1145/2414456.2414464
Chen Z, Zhang P, Zhang F, Huang J (2017) Ciphertext policy attributebased encryption supporting unbounded attribute space from rlwe. KSII Trans Internet Inf Syst (TIIS) 11(4):2292–2309
Gür KD, Polyakov Y, Rohloff K, Ryan GW, Sajjadpour H, Savaş E (2018) Practical applications of improved gaussian sampling for trapdoor lattices. IEEE Trans Comput 68(4):570–584
Ibraimi L, Petkovic M, Nikova S, Hartel P, Jonker W (2009) Mediated ciphertextpolicy attributebased encryption and its application. In: Youm HY, Yung M (eds) Information Security Applications. WISA 2009. Lecture Notes in Computer Science, vol 5932. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642108389_23
Sahai A, Seyalioglu H, Waters B (2012) Dynamic credentials and ciphertext delegation for attributebased encryption. In: SafaviNaini R, Canetti R (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642320095_13
Xu S, Yang G, Mu Y, Liu X (2019) A secure iot cloud storage system with finegrained access control and decryption key exposure resistance. Futur Gener Comput Syst 97:284–294
Yang K, Wu G, Dong C, Fu X, Li F, Wu T (2020) Attribute based encryption with efficient revocation from lattices. Int J Netw Secur 22(1):161–170
Takayasu A, Watanabe Y (2017) Latticebased revocable identitybased encryption with bounded decryption key exposure resistance. In: Pieprzyk J, Suriadi S (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10342. Springer, Cham. https://doi.org/10.1007/9783319600550_10
Dong X, Hu Y, Wang B, Liu M, Gao W (2021) Latticebased revocable attributebased encryption with decryption key exposure resistance. IET Inf Secur 15(6):428–441
Chase M (2007) Multiauthority attribute based encryption. In: Vadhan SP (ed) Theory of cryptography conference. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 515–534
Rouselakis Y, Waters B (2015) Efficient staticallysecure largeuniverse multiauthority attributebased encryption. International Conference on Financial Cryptography and Data Security. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 315–332
Agrawal S, Boneh D, Boyen X (2010) Efficient lattice (H)IBE in the standard model. In: Gilbert H (ed) Advances in Cryptology – EUROCRYPT 2010. EUROCRYPT 2010. Lecture Notes in Computer Science, vol 6110. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642131905_28
Dai W, Doröz Y, Polyakov Y, Rohloff K, Sajjadpour H, Savaş E, Sunar B (2017) Implementation and evaluation of a latticebased keypolicy abe scheme. IEEE Trans Inf Forensic Secur 13(5):1169–1184
Naor D, Naor M, Lotspiech J (2001) Revocation and tracing schemes for stateless receivers. In: Kilian J (ed) Annual International Cryptology Conference, vol 2139. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 41–62
Funding
This work is supported in part by the Key Research and Development Program of Shaanxi (No. 2021ZDLGY0604), Guangxi Key Laboratory of Cryptography and Information Security (No. GCIS201802).
Author information
Authors and Affiliations
Contributions
Boxue Huang: Methodology, Software, Writing  original draft. Juntao Gao: Conceptualization, Supervision, Writing  review & editing. XueLian Li: Formal analysis, Funding acquisition. The author(s) read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Huang, B., Gao, J. & Li, X. Efficient latticebased revocable attributebased encryption against decryption key exposure for cloud file sharing. J Cloud Comp 12, 37 (2023). https://doi.org/10.1186/s1367702300414w
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s1367702300414w
Keywords
 Cloud file sharing
 Attributebased encryption
 Dynamic management
 Multiauthority
 Decryption key exposure