Attribute-Based Verifiable Conditional Proxy Re-Encryption Scheme

There are mostly semi-honest agents in cloud computing, so agents may perform unreliable calculations during the actual execution process. In this paper, an attribute-based verifiable conditional proxy re-encryption (AB-VCPRE) scheme using a homomorphic signature is proposed to solve the problem that the current attribute-based conditional proxy re-encryption (AB-CPRE) algorithm cannot detect the illegal behavior of the agent. The scheme achieves robustness: the re-encryption ciphertext can be verified by the verification server, which shows that the received ciphertext was correctly converted by the agent from the original ciphertext, so illegal activities of agents can be effectively detected. In addition, the article demonstrates the reliability of the constructed AB-VCPRE scheme validation in the standard model, and proves that the scheme satisfies CPA security in the selective security model based on the learning with errors (LWE) assumption.


Introduction
As a new form of resource sharing in the field of information, cloud computing is constantly changing people's lives. As an important technology in cloud computing, cloud storage is used to organize a series of different types of network storage devices to facilitate data sharing. To ensure the confidentiality of data, user data are encrypted before being uploaded to a cloud server; however, this poses difficulties in sharing data between different users. When dealing with a significant quantity of data recipients, general encryption algorithms can significantly increase the computational and communication expenses incurred by the data owner. Proxy re-encryption (PRE) effectively solves this problem.
In 1998, Blaze et al. [1] first introduced the concept of PRE at the Euromonitor Conference. PRE is a data cipher conversion in cloud computing, which ensures both user data security and flexible access and sharing of data. However, in the traditional PRE system, it is usually one delegator that corresponds to another delegator, that is, a one-to-one model; this implies that only one client's message can be re-encrypted at a time, necessitating a large amount of communication overhead and computation expense, which is contrary to the initial aim of cloud computing customers wanting to save money. In 2007, Green et al. [2] simplified the public key certificate authentication process by proposing an encryption scheme based on user identity information instead of a public key. However, the encryption process is specific to particular users and requires explicit information about the recipient. In 2009, Jian et al. [3] suggested a strategy for conditional PRE (CPRE) based on identity proxy re-encryption. By designing a conditional ciphertext conversion method, the ciphertext can only be converted when the ciphertext meets the set conditions, enabling the assignment of partial decryption rights. However, it is still a one-to-one assignment between the authorizer and the authorized person. This severely restricts users' ability to selectively share data with other users at a fine-grained level, incurs high communication costs and high computational overhead when a large number of users need to access the shared data, and wastes a large amount of local memory space to hold a large number of decryption keys.

• An AB-VCPRE scheme based on LWE is proposed. The scheme ensures by verification that the re-encryption ciphertext is correctly converted from the encryption ciphertext;
• Fine-grained access control is implemented. In combination with fully homomorphic encryption, the delegation policy supports any polynomial-depth boolean circuit;
• Robustness is achieved. The scheme uses a validation algorithm to achieve robustness. Forged or incorrectly shared ciphertexts can be detected by validating the re-encryption ciphertext with a validation server;
• The scheme satisfies CPA security. The ciphertext in our scheme needs to be signed and verified using an unforgeable homomorphic signature. This paper demonstrates that the constructed AB-VCPRE scheme is CPA secure based on the LWE problem.
The rest of the paper is organized into seven sections. In Section 2, the related studies are described. In Section 3, the relevant definitions are introduced. In Sections 4 and 5, we state the details of the scheme and the security analysis. Section 6 presents the efficiency analysis. The last section is a summary of the paper.

Related Work
Liang et al. [7] present an AB-PRE cryptographic primitive based on the augmented decisional bilinear Diffie-Hellman (DBDH) problem combining ABE and PRE for the first time, which empowers users to authorize in an access control environment. Li et al. [11] propose a proxy re-encryption scheme for a re-splitable threshold multi-agent, which is different from the encryption scheme on the ciphertext input and output plane and the re-encryption surface, which means the noise boundary has a wider range of choices and can ensure the security of the re-encryption key. Nunez et al. [12] propose a typical threshold proxy re-encryption scheme, which is based on a DBDH assumption and is vulnerable to quantum attacks. Luo et al. [13] construct a standard lattice multi-hop AB-PRE scheme, which supports circuit access, has a short key whose size depends on the depth of the circuit policy, and satisfies CPA security requirements based on the LWE problem in the selection security model. However, these PRE schemes may not show sufficient flexibility and practicality when the data owner wishes to select some but not all of the data for dissemination to certain users. Weng et al. [3] proposed a CPRE scheme where only those that satisfy the conditions can be re-encrypted, but it can only be applied to simple keyword-based conditions and will be limited in practical applications. Then, Yang et al. [8] propose a ciphertext policy-based AB-CPRE scheme, which supports a fine-grained decryption delegation. The ciphertext in the scheme is related to the access policy while the re-encryption key is related to the attributes, and the ciphertext can be re-encrypted only when the access policy satisfies the attributes. Huang et al. [14] propose PRECISE, which combines AB-CPRE with IBBE to support fine-grained re-encryption conditions for IBBE ciphertexts. Yao et al. [15] combine ciphertext authorization, key update, and ciphertext evolution to propose an improved revocable, identity-based ciphertext evolution conditional proxy re-encryption scheme for secure and efficient cloud data sharing.
The universal CPRE algorithm cannot ensure the cloud server's integrity during the re-encryption procedure, while the homomorphic signature algorithm provides unforgeability and privacy, which can effectively verify the honesty of the proxy during the re-encryption. Therefore, this paper uses a homomorphic signature algorithm to propose a PRE scheme with encryption validating on the lattice, which can effectively detect the illegal behavior of the proxy and provide a guarantee for the safe sharing of data.

Lattice
Definition 1 (lattice). A lattice is the set of integer-coefficient linear combinations of $n$ linearly independent vectors $b_1, b_2, \ldots, b_n$ ($m \ge n$) in the $m$-dimensional Euclidean space $\mathbb{R}^m$, which is defined as: (1)

Lemma 1 ([16]). Take integer $q \ge 3$, $m \ge 6n \log q$, σ ≥ m 2 ω log m , there exists a PPT algorithm TrapGen($1^n, 1^m, q$) that generates a matrix $A \in \mathbb{Z}_q^{n \times m}$ and a trapdoor $T_A \in \mathbb{Z}^{m \times m}$ for the lattice $\Lambda_q^{\perp}(A)$, i.e., $A T_A = 0 \bmod q$, such that the distribution of the matrix $A$ is statistically close to the uniform distribution on $\mathbb{Z}_q^{n \times m}$, and T A ≤ O n log q holds by an absolute margin.

Lemma 2 ([17]). Let $q > 2$ and $m > (n + 1) \log q + \omega(\log n)$. Select three uniform matrices $D \in \{-1, 1\}^{m \times k}$, $E \in \mathbb{Z}_q^{n \times m}$, and $F \in \mathbb{Z}_q^{n \times k}$ at random for some polynomial $k = k(n)$. The distributions $(E, ED, D^{T} r)$ and $(E, F, D^{T} r)$ are statistically indistinguishable for any vector $r \in \mathbb{Z}_q^{m}$.

LWE is a difficult problem under lattice. Regev [18] first proposed this in 2005 and proved that the average case is just as difficult to solve for several standard cells.
Definition 2 (LWE). Given a positive integer $n$ and integers $m \ge n$ and $q \ge 2$, choose a uniform random matrix $A \in \mathbb{Z}_q^{n \times m}$ and a vector $s \in \mathbb{Z}_q^{n}$; the vector $e \leftarrow \chi^{m}$ follows the error distribution. Given $(A, A^{T} s + e)$, the LWE problem is to find $s$ with non-negligible probability.
Definition 3 (Small integer solutions problem, SIS). Let $\beta$ be the defining parameter and $q$ a prime number. Given positive integers $m$ and $n$, select a matrix $A \in \mathbb{Z}_q^{n \times m}$ at random, and solve for a non-zero vector of integers $z \in \mathbb{Z}^{m} \setminus \{0\}$ with $\|z\| \le \beta$. In 1996, Ajtai presented the SIS problem in the literature [16]. The homomorphic signature used for robustness in the paper is based on the SIS problem.

Functions of Bits and Power2
According to the article [19], decomposing the vector into the form of an inner product can effectively control the error range of the vector. The following describes how to decompose vectors into bit representations.
For any x ∈ Z N , let where y i is a column vector, output matrix It can be verified that for any q ∈ Z, there is Bit(x), Power2(y) = x, y ∈ Z 1× q .
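The decomposition described in this section, as an added example that is not code from the paper. It assumes the standard definitions from [19] (Bit expands each entry into its binary digits, Power2 multiplies each entry by successive powers of two), a toy modulus `Q`, and a hypothetical helper `switch_error` that shows why the inner product against a noisy copy of Power2(y) leaves only a small error.

```python
import random

Q = 4093                      # toy modulus, constructed for this example
K = (Q - 1).bit_length()      # bits per entry: ceil(log2 Q) = 12


def bits(x):
    """Bit(x): every entry of x (mod Q) as K bits, least significant first."""
    return [((xi % Q) >> j) & 1 for xi in x for j in range(K)]


def power2(y):
    """Power2(y): every entry y_i as (y_i, 2*y_i, ..., 2^(K-1)*y_i) mod Q."""
    return [(yi * (1 << j)) % Q for yi in y for j in range(K)]


def inner(u, v):
    """Inner product modulo Q."""
    return sum(a * b for a, b in zip(u, v)) % Q


def centered(v):
    """Representative of v mod Q in the interval [-Q/2, Q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def switch_error(x, y, noise):
    """Error left when <x, y> is computed as <Bit(x), Power2(y) + noise>.

    The result equals <Bit(x), noise>: Bit(x) has 0/1 entries, so the error
    is at most len(noise) * max|noise| and does not scale with the size of x.
    """
    noisy = [(p + e) % Q for p, e in zip(power2(y), noise)]
    return centered(inner(bits(x), noisy) - inner(x, y))


def demo(seed=7, n=6, bound=3):
    """Random instance: returns (identity holds, observed error, worst case)."""
    rng = random.Random(seed)
    x = [rng.randrange(Q) for _ in range(n)]          # arbitrary vector mod Q
    y = [rng.choice((-1, 1)) for _ in range(n)]       # a {-1, 1} key column
    noise = [rng.randint(-bound, bound) for _ in range(n * K)]
    identity_ok = inner(bits(x), power2(y)) == inner(x, y)
    return identity_ok, switch_error(x, y, noise), n * K * bound


if __name__ == "__main__":
    print(demo())
```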

Discrete Gaussian Distribution
For integer vectors $c \in \mathbb{Z}^{m}$ and $\sigma > 0$, the discrete Gaussian distribution on the m-dimensional lattice Λ is:

Lemma 3 ([17]). Let $q \ge 2$, let $B$ be a matrix over $\mathbb{Z}_q^{n \times m}$ with $m > n$, and let $T_B$ be a basis of $\Lambda_q^{\perp}(B)$, σ ≥ T B ω log 2 m . For $u \in \mathbb{Z}_q^{n}$, there are:

1. Set the rank of $B \in \mathbb{Z}_q^{n \times m}$ is n, $E \in \mathbb{Z}_q^{n \times m}$, $R \in \{-1, 1\}^{m \times m}$, σ ≥ T B ω log 2 m .
2. SamplePre($B, T_B, \sigma, u$): There is a trapdoor $T_B$ of the lattice $\Lambda_q^{\perp}(B)$, the real number σ ≥ T B ·ω log n , for any vector $u \in \mathbb{Z}_q^{n}$, a PPT algorithm SamplePre($B, T_B, \sigma, u$) capable of generating a vector $e$ from a distribution that is statistically close to $D_{\mathbb{Z}^{m},\sigma}(x)$, satisfying $Be = u \pmod{q}$;
3. Let the rank of $G \in \mathbb{Z}_q^{n \times m}$ be n, $B \in \mathbb{Z}_q^{n \times m}$, a low-dimensional matrix $S \in \{-1, 1\}^{m \times m}$, a trapdoor for the lattice $\Lambda_q^{\perp}(G)$, and σ ≥ T E · R ω log 2 m . The PPT algorithm SampleBasisRight($B, G, S, T_G, \sigma$) outputs a short basis $T_{(B|BS+G)} \in \Lambda_q^{\perp}(B|BS + G)$ with a statistical distribution close to Ψ

Key Homomorphism
By embedding algorithmic circuits in LWE matrices, Boneh et al. suggested an ABE approach for algorithmic circuits in their paper [20], and the method was used in many LWE-based structures, for example, predicate encryption [21], constraint PRFs [22], watermarks for PRFs [23], etc.  [20,24]). Given parameters t, h, k, d, q, χ, where χ is a B-bounded noise distribution, h is a security parameter, h ≥ t log q . For any matrices B 1 , B 2 , . . . , B ∈ Z t×h q , any boolean circuit g :

2.
Eval ct g, , a vector x ∈ {0, 1} k and k vectors {p 1 , . . . , p k }, outputs a vector p g , satisfying p g = B g + g(x)G T s + e g , where with all but negligible probability.

Homomorphic Signature
A homomorphic signature is a valid signature that permits any entity to conduct a sequence of operations on the original message and its signature without the signing private key.
Definition 5 (Homomorphic signature). A homomorphic signature (HS) scheme is a tuple of probabilistic polynomial-time algorithms (KG, Sign, SignEval, Verify):

1. HS.KG(p, d, N): Take a security parameter p, a circuit depth d, and a message length N as input, output a signature private key hssk and a verification key hsvk;
2. HS.Sign(hssk, M): Accept as inputs the message M requiring signature and hssk, output the signature σ;
3.

Robustness
A key component of the AB-VCPRE design is robustness. The fundamental tenet is that by re-encryption key sharing, an adversary cannot create ciphertext that is falsely obtained yet can be correctly authenticated. The following game Expt Rb A describes the robustness of the AB-VCPRE scheme.
During the guessing phase, the adversary outputs a ciphertext CT* that satisfies Verify(hsvk, CT*) = 1, while the Setup, KeyGen query, ReKeyGen query, and ReEnc query phases interact as specified in Definition 6.
The adversary's advantage is characterized as Adv Rb

Scheme Definition
An AB-VCPRE scheme consists of seven algorithms. The specific flow chart is shown in Figure 1. In comparison to the standard AB-VCPRE, a verification method called ReEnc-Ver is added to check for an honest transformation of the ciphertext. The ReEnc-Ver algorithm is publicly verifiable because all that is required are the original ciphertext and the corresponding re-encryption ciphertext.
ReKeyGen($pp, sk_\alpha, pk_\beta, f$): Input $pp$, $sk_\alpha$ of user α, $pk_\beta$ of user β, and a control policy/function $f$; returns the re-encryption key $RK_{\alpha, f \to \beta}$ related to $f$ and the corresponding signature, and outputs the re-encryption verification key $VK_{\alpha \to \beta}$ from user α to user β;
ReEnc-Ver($VK_{\alpha \to \beta}, CT_\alpha, CT_\beta$): If the original ciphertext's conversion to the re-encryption ciphertext is performed correctly, the output of the authentication algorithm is valid; otherwise output ⊥ (invalid ciphertext).
Correctness. In an AB-VCPRE scheme, correctness has the following two requirements: 1.
For security parameter n, attribute vectors where the decryption error is negligible.

Security Model
Definition 6. To demonstrate the CPA security of the AB-VCPRE scheme, the game between challenger C and adversary A is used.
Init. Before seeing the public parameter $pp$, adversary A declares a vector of attributes $x^*$.
Setup. Challenger C initializes the public parameters $pp$, uses the KeyGen algorithm to obtain $(sk_\theta, pk_\theta)$, and transmits $pp$ and $pk_\theta$ to A.
Query phase 2. Similar to phase 1, A keeps asking the query.
Guess. A outputs a guess $b' \in \{0, 1\}$, and if $b' = b$, A wins the game.

Our Scheme Composition
Using the LWE difficulty problem as a basis and the homomorphic signature algorithm, this paper proposes an AB-VCPRE scheme.

Setup(n)
Let security parameters n ∈ Z, where m ≥ 6n log(q) , q/4 ≥ B · (m + 1) O(d) . 1 Central agency generates random security parameters prime q, an error sampling algorithm χ for B-bounded distributions, B ≥ √ n · ω(log n). The boolean circuit's maximum depth is d, the number of attributes is , and the Gaussian parameter is σ, Create the corresponding trapdoor matrix T A α ∈ Z m×m q and the matrix A α ∈ Z n×m q by running algorithm TrapGen(1 n , 1 m , q); 3 Select uniform matrices B 1 , . . . , B ∈ Z n×m q with random. 4 Output public parameters pp := {B i } i∈[ ],χ , χ .
Compute the re-encryption key: 4 Creating the verification key using algorithm HS.KeyGen(n, d hs , N) and signature private key (hsvk, hssk), parse each line of Q as w i ∈ Z 2m q (1 ≤ i ≤ 2mk + m), then use the signature algorithm to sign w i as σ i = HS.Sign(hssk, w i ); 5 To validate the signature, publish hsvk. Deliver Q and the associated signature across a secure channel to the proxy server;
Verification algorithm output HS.Verify(hsvk, g C α , cc , σ α→β ).
Figure 2 depicts the new AB-VCPRE scheme's workflow. If Bob wants to share Alice's content stored on the cloud server, first KGC generates a public key and private key for Alice and Bob and sends the keys to them. Then, Alice generates the re-encryption key and original ciphertext, which are sent to the cloud server, and the cloud server executes the re-encryption algorithm. The cloud server delivers both the original and the re-encryption ciphertext to the authentication server after the re-encryption operation is finished. The authentication server runs the verification algorithm for re-encryption. If the verification algorithm outputs 1, the authentication server sends Bob the ciphertext, and Bob recovers the message by decrypting the corresponding ciphertext; otherwise the output is ⊥.

The Correctness of the Original Ciphertext
With the private key R α , the original ciphertext can be decrypted.
The decryption algorithm is able to correctly recover the plaintext µ only if the error $e_2 + e_1 R_\alpha$ does not exceed $q/4$. In fact,

Correctness of Conversion Ciphertext
After passing one conversion, the corresponding conversion cipher is decrypted as follows: where A β and D β are the user β's public keys, with overwhelming probability. By the theorem we have: where R α, f ≤ √ 2mσ, e f ≤ B √ m(m + 1) d with overwhelming probability. The conversion ciphertext is decrypted by the private key R β . where: with overwhelming probability. Therefore, the value of µ can be decrypted correctly, i.e., the transformed ciphertext can be decrypted correctly.
In fact, the scheme is only single-hop, because in ReEnc we set ca = ∅, which means that the re-encryption ciphertext cannot be re-encrypted again. This design is our first work and we will investigate this problem and extend it to multi-hop schemes in future work.
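The q/4 noise condition used in the correctness arguments above, as an added example that is not code from the paper. It assumes a simplified dual-Regev-style ciphertext in row-vector form, c1 = sA + e1 and c2 = sD + e2 + ⌊q/2⌋µ with D = A·R (the relation A_α R_α = D_α stated in the security proof), toy parameters, and a sign convention e2 − e1·R for the error; all function names are hypothetical.

```python
import random

Q = 4093               # toy modulus, constructed; not a secure parameter
N, M, K = 8, 16, 8     # LWE dimension, number of samples, message bits


def matmul(X, Y):
    """Matrix product modulo Q (lists of rows)."""
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*Y)]
            for row in X]


def keygen(rng):
    """Public key (A, D = A*R) and private key R with entries in {-1, 1}."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    R = [[rng.choice((-1, 1)) for _ in range(K)] for _ in range(M)]
    return A, matmul(A, R), R


def encrypt(A, D, mu, s, e1, e2):
    """c1 = s*A + e1, c2 = s*D + e2 + floor(Q/2)*mu, all modulo Q."""
    sA, sD = matmul([s], A)[0], matmul([s], D)[0]
    c1 = [(x + e) % Q for x, e in zip(sA, e1)]
    c2 = [(x + e + (Q // 2) * b) % Q for x, e, b in zip(sD, e2, mu)]
    return c1, c2


def decrypt(R, c1, c2):
    """c2 - c1*R = e2 - e1*R + floor(Q/2)*mu; round each entry to 0 or Q/2."""
    c1R = matmul([c1], R)[0]
    return [1 if Q / 4 <= (x - y) % Q < 3 * Q / 4 else 0
            for x, y in zip(c2, c1R)]


def max_safe_bound():
    """Largest noise bound B with B*(M+1) < Q/4, the worst case of |e2 - e1*R|."""
    return (Q // 4) // (M + 1)


def trial(B, seed=1):
    """Encrypt random bits with worst-case B-bounded noise and decrypt them.

    e1 is aligned against column 0 of R, so the error in message position 0
    is exactly B*(M+1); every other position has error at most B*(M+1).
    """
    rng = random.Random(seed)
    A, D, R = keygen(rng)
    s = [rng.randrange(Q) for _ in range(N)]
    mu = [rng.randrange(2) for _ in range(K)]
    e1 = [-B * R[i][0] for i in range(M)]
    e2 = [B] * K
    c1, c2 = encrypt(A, D, mu, s, e1, e2)
    return mu, decrypt(R, c1, c2)


if __name__ == "__main__":
    B = max_safe_bound()
    for bound in (B, B + 1):
        mu, out = trial(bound)
        print(bound, "recovered" if out == mu else "bit errors", mu, out)
```

With these toy parameters the largest safe bound is 60: one step above it, the aligned noise crosses q/4 and the first message bit decodes wrongly.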

Correctness of Ciphertext Verification
In the HS scheme, the re-encryption verifiability is carried out using the algorithm HS.Verify. In AB-VCPRE.ReEnc pp, RK α, f →β , CT α , input the ciphertext CT α and the re-encryption key RK α, f →β , using g C α (Q) = Bits q ([c 1 ; c 3 ]) T c T 2 · Q as a valuation circuit, re-encryption key as circuit input, (c T 1 |c T 2 ) = Bits q ([c 1 ; c 3 ]) T |c T 2 · Q can be seen as some computation at the message level and in σ α→β = HS.SignEval(g C α , σ i (1 ≤ i ≤ 2mk + m)), with signature σ i (1 ≤ i ≤ 2mk + m) as input, and it can be interpreted as a computation of the signature level. If σ α→β is in fact the outcome of an honest computation based on HS.SignEval(g C α , σ i (1 ≤ i ≤ 2mk + m)) = σ α→β , the concept of correctness for homomorphic signature schemes holds. Then HS.Verify(hsvk, g C α , cc , σ α→β ) can pass the verification and the verification algorithm's accuracy is demonstrated.

Security
Theorem 1 (Security). The scheme we construct is CPA secure under the $\mathrm{LWE}_{n,q,\chi}$ assumption.
Proof of Theorem 1. A game-based approach is used in this proof. A challenger C can be built to solve the LWE problem if it is possible for an adversary A to break the CPA security of the scheme.
Game 0: In the original CPA attack paradigm described in Section 3, this is a true game between A and C.
Game 1: Same as game 0, but with a change in the way the common matrix {B i } i∈[ ] is generated. On receipt of x * , C generates uniformly random small parametric matrices S * 1 , . . . , 4. 5.
select a random uniform distribution matrix M ∈ Z 2km×m q , create the matrix Then A send the challenger C some re-encryption verification questions, who will then carry out the operation honestly and report the results to the adversary A.

Lemma 6. Game 1 is computationally indistinguishable from game 2.
Proof of Lemma 6. The technique employed to generate the re-encryption key differs between games 1 and 2. When f (x * ) = 0 hold, here is the re-encryption key: Corollary 1. By applying the standard mixing parameters, the ensuing distributions cannot be distinguished computationally. Otherwise, there is a useful algorithm for resolving the LWE n,q,χ problem. (D, K, DY + F, KY + F ) and (D, By Corollary 1, under the LWE assumption, it is evident that game 1 and game 2 are computationally indistinguishable.
Additionally, the private key creation mechanism is undetected from game 1 to game 2, and the produced private key continues to satisfy A α R α = D α , while the re-encryption key is selected from the uniform distribution, which is similar to the standard LWE distribution. Furthermore, because homomorphic signatures are non-negligible, the adversary in the CPA game cannot offer an invalid ciphertext to pass re-encryption verification, that is, re-encryption verification provides no auxiliary capacity to the adversary.
On the other side, to demonstrate it, if A succeeds in the re-encryption verifiability game, then by interacting with challenger C, the simulator S can break the homomorphic signature's unforgeability.
The verification key hsvk is first acquired by the simulator S from C. The re-encryption key RK * θ, f →β is then chosen by adversary A as the one it wants to attack, and the simulator S is provided RK * θ, f →β by A. To create the signature, S asks the message RK * θ, f →β for a homomorphic signature to obtain σ i (1 ≤ i ≤ 2mk + m) and then gives it back to A. The challenger C then calculates HS.Verify hsvk, g C α , cc * , σ * θ→β whenever A outputs a false re-encryption ciphertext CT * β = cc * = c * 1 , c * 2 , ca * = ∅, σ * θ→β after the simulator S has parsed it, where g C α is an evaluation circuit converted from the original ciphertext.
If A wins the verifiability of re-encryption, the forgery of A's signature σ * θ→β can pass HS.Verify, which also counts as a valid homomorphic signature. Therefore, breaking the unforgeability of the homomorphic signature provides the same advantage as breaking the re-encryption verifiability of the AB-VCPRE scheme. When all of the aforementioned factors are considered, game 1 and game 2 are similar from the standpoint of the adversary.
Game 3: Similar to game 2, except that the challenge ciphertext CT * = (c * 1 , c * 2 ) ∈ Z 2m×1 given to the adversary is no longer honestly generated, but chosen uniformly at random in Z 2m×1 . Because the challenge ciphertext is a random element of the ciphertext space, it is independent of µ * 0 and µ * 1 , so A has zero advantage in this game.

Lemma 7. Game 2 is statistically indistinguishable from game 3.
Proof of Lemma 7. If A distinguishes game 2 from game 3 with a non-negligible advantage, then there is a simulator S that can use the information acquired by A to solve the $\mathrm{LWE}_{n,q,\chi}$ problem.

LWE instance.
The simulator S queries the LWE oracle to acquire an LWE instance $(Y, b) \in \mathbb{Z}_q^{n \times 2m} \times \mathbb{Z}_q^{2m}$; either $(Y, b)$ is truly random, or $b = Y^{T} s + e$ is pseudo-random with noise $e \in \chi^{m}$ from the LWE distribution.

Challenge ciphertext. Generate challenge cipher via LWE instance
[c 1 ; c 2 ] := z; (18) The answer to A is then returned. In this case, the distribution of the challenge cipher is the same as that of game 2.
where Y ← Z n×2m q , s ← Z n q , e ← χ 2m . Challenge ciphertext: Statistically, the challenge ciphertext is indistinguishable in the alternative scenario if Y and z are chosen consistently, according to the leftover hash lemma [25].
Output. The simulator S outputs A's guess after A predicts whether it interacts with game 2 or game 3. S can solve the $\mathrm{LWE}_{n,q,2m,\chi}$ problem with the same probability if A can distinguish between games 2 and 3. However, the $\mathrm{LWE}_{n,q,2m,\chi}$ problem is hard, so game 3 cannot be won by A.
The proof of Theorem 1 is completed by considering game 0 to game 3.
Proof of Theorem 2. Using a randomly selected evaluation circuit, a dishonest proxy server is able to obtain an invalid re-encryption ciphertext share and corresponding signature. However, the original ciphertext should describe the right evaluation circuit. When the correct evaluation circuit diverges from the forgery, verification fails, allowing the proxy server to convert the data truthfully. Homomorphic signatures can be used to demonstrate the robustness of the new scheme. If A can defeat the game outlined in Definition 6, then by collaborating with C in the homomorphic signature security model, it is able to build a simulator S that compromises the homomorphic signatures' unforgeability. Here is the procedure.
If A succeeds in the robustness game, then CT * β = ReEnc pp, RK θ, f →β , CT θ , but HS.Verify(hsvk, cc * ) = 1, this also means that HS.Verify hsvk, g C α , cc * , σ * θ→β was able to pass the verification, so the simulator S successfully forged an illegal signature, which will be submitted to oracle later. This indicates that the homomorphic signature algorithm's unforgeability has been compromised.
Thus, if the homomorphic signature algorithm Π HS meets the requirement for unforgeability, the signature is considered unforgeable. The new AB-VCPRE is capable of achieving robustness.
Theorem 3 (Weak collusion resistance). The new AB-VCPRE scheme can realize weak collusion resistance, if the LWE problem is difficult.
Proof of Theorem 3. Weak collusion resistance is that when an agent with a re-encryption key colludes with a trustee with a re-encryption key, the agent obtains only an approximate result, not an exact result.
The re-encryption key is E 1 A β + E 2 and E 1 D β + E 3 + Power2 q (R α, f ), which can be further expressed as This is a standard LWE distribution that is indistinguishable from the uniform distribution, so no one can obtain any useful information about private keys. After collusion, Bob encrypted the above equation with his private key R β and got E 2 R β + E 3 + Power2 q R α, f . As the noise generated during re-encryption is very low, the encryption message can be well restored by E 2 R β + E 3 + Power2 q R α, f . Therefore, in the case of collusion, the private key seems to have all been compromised. However, this is not the case. We can restore an equivalent private key, but this equivalent private key is different from the original private key. We provide the following two explanations. On the one hand, any data that can initially be decrypted by SK α can be easily re-encrypted and read by an adversary who possesses both RK α, f →β and SK β . On the other hand, they are unable to determine the delegator's precise private key SK α from the equation above. Although Power2 is an easy-to-reverse function, because it contains some noise from E 2 R β + E 3 , you cannot obtain an exact private key from the first n-line of E 2 R β + E 3 + Power2 q R α, f . Therefore, the method proposed in this project has weak collusion resistance.

Efficiency Analysis
Paper [15] proposed a CPRE algorithm based on DBDH, which supports fine-grained authorization and collision resistance security, however, it cannot achieve robustness. Paper [11] and paper [12] are PRE schemes with verification, both of which are robust and the method for achieving robustness is zero-knowledge proof with a decisional discrete logarithm tool, but are not as low complexity as the schemes in this paper. In addition, paper [12] is based on discrete logarithmic constructions and is not resistant to quantum attacks. Although paper [11] is a scheme using lattice construction, which seems to be resistant to quantum attacks, the robustness verification tool is a decisional discrete logarithm, so in general the scheme is not resistant to quantum attacks. Table 1 demonstrates that the approach presented in this paper is not only robust to proxy re-encryption but also simple to implement and resistant to quantum attacks. In Table 2, the efficiency of the scheme is analyzed through plaintext space, size of ciphertext, size of re-encryption key, encryption complexity, re-encryption complexity, and robustness verification complexity. Z q represents an integer on modulo q. T p , T e , T s , T v , and T m denote the computation of pairing, modular exponentiation, signature, ciphertext verification, and multiplication operation, respectively. T h , T GVP , respectively, represent the time spent for the hash function and the GVP algorithm. Table 2 demonstrates that the computational complexity of the literature [15] is worse than that of the proposed scheme, and is not robust. In terms of robustness verification complexity, when a boolean circuit evaluates the original signature, homomorphic signature computation is a boolean operation that is more straightforward and effective. Here, we choose the linear homomorphic signature scheme based on the difficult problem of SIS on the lattice proposed in paper [26] for comparison. 
Compared with the scheme [12], the proposed scheme has better re-encryption complexity, encryption complexity, and robustness verification complexity. Compared with the scheme [11], the proposed scheme in this paper only needs to pay some extra cost to encrypt the message vector, and the robustness verification complexity is lower.


Conclusions
By using homomorphic signatures, this paper proposes an AB-VCPRE scheme, which solves the problem of being unable to detect illegal proxy behavior in traditional PRE schemes. The scheme is robust enough to allow proxy servers that have sent invalid transformed ciphertext shares to be detected. In terms of security, the scheme is CPA secure based on the LWE problem and is resistant to quantum attacks. In terms of efficiency, the scheme has advantages in re-encryption and robustness verification computational efficiency. In addition, there is some room for improvement in the performance of our solutions, and constructing a multi-hop PRE scheme will be the focus of our next work.

Conflicts of Interest:
The authors declare no conflict of interest.