Multi-Authority Attribute-Based Encryption with Dynamic Membership from Lattices

Attribute-based encryption is useful for one-to-many encrypted message sending. However, most attribute-based encryption schemes authorize and issue attributes to users by a single authority. Such a scenario conflicts with practical requirements and may cause the key-escrow problem. Hence, decentralization of authority is a critical issue in attribute-based encryption. Besides, dynamic membership management is another important issue in attribute-based encryption. With dynamic membership management, a system may update the user’s attributes without affecting other users, making the system more flexible and practical. On the other hand, with the rapid development of quantum computers nowadays, encryption schemes based on traditional mathematical problems are at the risk of quantum attacks. Among the existing quantum-resistant mathematical architectures, lattice-based cryptography is the most widely studied. Thus, we propose a multi-authority attribute-based encryption scheme with dynamic membership from lattices to solve the above problems. Moreover, we also formally prove the security of the proposed scheme under the decisional learning with errors assumption.


I. INTRODUCTION
To protect the personal privacy of messages sent over the network, public key encryption (PKE) schemes have been widely researched and used to protect the confidentiality of the data. In a PKE scheme, each user owns a key pair called a public key and a private key. The sender encrypts the plaintext with the public key, and the receiver decrypts the ciphertext with the private key. Moreover, there are many different aspects of research on PKE, such as identity-based encryption (IBE) [1], attribute-based encryption (ABE) [2], dynamic encryption [3], re-encryption [4], searchable encryption [5], and so on. However, to prevent man-in-the-middle attacks, a certificate authority (CA) is needed to issue and manage a certificate for each user's public key.
ABE is a kind of PKE suitable for one-to-many message sending. To reduce the requirements for certificates in PKE schemes, IBE is proposed where the user's public key is related to its identity. However, the IBE scheme is only appropriate to the one-to-one message sending scenarios. When a sender wants to send the same message to a group of receivers, he/she must first know the identity of each receiver and then individually encrypt the message with each identity. To improve efficiency for one-to-many encrypted message sending, in 2005, Sahai and Waters [6] proposed the first fuzzy identity-based encryption (Fuzzy IBE) scheme. In their scheme, each user is recognized by a specific set of attributes. A sender designates a policy for encrypting the plaintext, and receivers can decrypt the ciphertext only when their attribute set matches the policy. Thus, Fuzzy IBE is considered a pioneer of ABE.
ABE can be split into two categories according to the different strategies of access structures, namely key-policy ABE (KP-ABE) [7] and ciphertext-policy ABE (CP-ABE) [8]. In KP-ABE, the key generation center (KGC) is responsible for embedding an access structure into the user's private key. Then the sender can determine the attribute set of the ciphertext during the encryption process. By contrast, in CP-ABE, KGC is responsible for embedding an attribute set into the user's private key. Then the sender can determine the access structure of the ciphertext during the encryption process. For example, in Figure 1, assume that a Hospital-A only provides its disease reports of the COVID-19 to doctors or those who suffer from COVID-19. In KP-ABE, each user is able to recover the plaintext only when the attribute set of the ciphertext matches his/her access structure. On the contrary, a user is able to recover the plaintext only if his/her attribute set matches the access structure of the ciphertext in CP-ABE.
CP-ABE is more suitable for one-to-many encryption than KP-ABE. Since a sender can choose a distinct access structure for every ciphertext in CP-ABE, it is more elastic and feasible than KP-ABE. Furthermore, in CP-ABE, KGC may update the user's private key independently when a user's attributes change. However, in KP-ABE, revoking or updating a user's private key may affect other users' private keys.
Decentralization of authority is another important issue in ABE. In general ABE, a single KGC distributes and manages all users' keys, which may cause the key escrow problem where the system may face severe impacts if KGC is under the attacker's control. To solve the above problem, Chase [9] proposed the first multi-authority ABE (MA-ABE) scheme in 2007 which permits a set of attribute authorities to manage and issue users' keys independently. After that, Lin et al. [10] proposed an MA-ABE scheme that eliminates the demand for a central authority in 2008, and Lewko and Waters [11] proposed an MA-ABE scheme with a novel key-binding technique in 2011. The concept of MA-ABE removes the risk of malicious KGC and makes ABE more practical. In addition, the multi-authority structure can also disperse the computation and make the key distribution process more efficient.
Apart from the multi-authority architecture, dynamic membership management is also important in ABE. Fan et al. [12] proposed the first ABE supporting dynamic membership management (ABE-DM). According to their definition, there are four features to reach DM, which are Expandability, Revocability, Renewability, and Independence. With those features, any user can join the system whenever needed, and the system can update a user's attributes without affecting other users. However, there is a flaw in the above scheme. Therefore, Fan et al. [13] proposed a new scheme to fix the flaw in 2015, but the security of their scheme is proved in the random oracle model. Finally, Fan et al. [14] proposed an ABE-DM scheme in 2021, and its security is proved in the standard model. Besides, Chang [15] applied the concept of DM to a multi-authority ABE (MA-ABE-DM) scheme in 2019.
Lattice-based encryption is one of the most popular approaches to quantum-resistant encryption. In 1994, Shor [16] proposed the quantum algorithm which may solve traditional hard problems such as the discrete logarithm, elliptic curve discrete logarithm, and large integer factorization problems. Therefore, all the above schemes may be insecure, and various quantum-resistant encryption methods have been proposed in recent years. Among them, lattice-based encryption has received attention for its ability to incorporate functional encryption. The security of lattice-based encryption is based on the shortest vector problem (SVP) and its derived problems. Moreover, no known algorithm can solve SVP in polynomial time, and only approximate-SVP can be solved in polynomial time [17].
Lattice-based ABE has been studied in recent years. In 2012, Agrawal et al. [18] proposed a lattice-based Fuzzy IBE scheme, and Zhang et al. [19] improved it to a lattice-based CP-ABE scheme in the same year. Then, Boyen [20] proposed the first lattice-based KP-ABE scheme in 2013. After that, the first lattice-based MA-ABE scheme was proposed by Zhang et al. [21] in 2015, and a variant was proposed by Liu et al. [22]. Datta et al. [23] proposed the first lattice-based MA-ABE scheme that is CP-ABE. Although some works on MA-ABE from lattices have been proposed, to the best of our knowledge, there has been no lattice-based MA-ABE scheme that supports dynamic membership management.

A. PROBLEM STATEMENTS
In summary, to meet the needs of the practical environment, a one-to-many encryption scheme should satisfy the following requirements:
• The sender may choose the access structure of the ciphertext. Therefore, the sender can easily decide who can decrypt the ciphertext.
• Private keys of users may be updated independently. Other users' private keys will not be influenced during the key-update phase.
• Decentralization of authority should be provided to reduce the damage of the key escrow problem of a single authority.
• The encryption scheme should resist quantum attacks.
Therefore, we propose an MA-ABE-DM scheme on lattices to satisfy the above requirements.

B. CONTRIBUTIONS
The proposed MA-ABE-DM scheme on lattices provides the following features:
• The proposed scheme is a CP-ABE scheme. Therefore, the sender can choose the access structure of the ciphertext.
• Since the proposed scheme allows dynamic membership management, all private keys can be updated independently.
• It supports multi-authority scenarios, which resolves the key escrow problem of a single authority.
• The proposed structure is based on lattices, which can resist quantum attacks.

C. ORGANIZATION
In section 2, we introduce some cryptographic primitives on lattices and the hard problem applied in the proposed scheme.
In section 3, we show some MA-ABE schemes on lattices and a traditional MA-ABE scheme that supports dynamic membership management. Then, we present the details of the proposed scheme and its security proof in section 4 and section 5, respectively. Finally, we show some comparisons between the proposed scheme and the related works in section 6 and make a conclusion for this work in section 7.

II. PRELIMINARIES
In this section, we first introduce some background knowledge of lattices. We adopt the trapdoor generation and sample techniques proposed by Micciancio and Peikert [24] in 2012 and prove the security of the proposed scheme under the assumption of the D-LWE problem introduced by Regev [25] in 2005. Furthermore, we present the concept of dynamic membership (DM) and show the composition of MA-ABE-DM schemes.

A. NOTATIONS
In the rest of this work, lowercase bold letters are used to represent column vectors, and uppercase bold letters are used to represent matrices, such as vector v and matrix V. Also, the transpose of v and V will be v ⊤ and V ⊤ , respectively. Moreover, a horizontal concatenation matrix of two matrices is denoted as . Besides, we denote scalars with lowercase regular letters and denote sets with uppercase regular letters, such as scalar r and set U . The size of the set U will be represented as |U |.

B. LATTICE
Given a set of m-dimensional linearly independent vectors A lattice Λ with V can be defined as follows:
Definition II.1. The m-dimensional lattice is defined as
For integer lattices, there are three common mathematical architectures as follows.
Definition II.2. Given a prime $q$, a vector $\mathbf{t} \in \mathbb{Z}_q^n$, and a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, define:

C. SHORT INTEGER SOLUTION (SIS)
According to the research done by Ajtai [26] in 1998, the following problems have been proved to be NP-Hard in the worst case.
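Definition II.3. The Short Integer Solution (SIS): Input an arbitrary matrix $\mathbf{A} \in \mathbb{Z}^{n \times m}$, a prime $q$ and a factor $\gamma$, find a nonzero vector $\mathbf{x} \in \mathbb{Z}_q^m$, where $\mathbf{A}\mathbf{x} = \mathbf{0} \pmod{q}$ and $\|\mathbf{x}\| \le \gamma$.
Definition II.4. The Inhomogeneous Short Integer Solution (ISIS): Input an arbitrary matrix $\mathbf{A} \in \mathbb{Z}^{n \times m}$, a prime $q$, a target vector $\mathbf{t} \in \mathbb{Z}_q^n$ and a factor $\gamma$, find a nonzero vector $\mathbf{x} \in \mathbb{Z}_q^m$, where $\mathbf{A}\mathbf{x} = \mathbf{t} \pmod{q}$ and $\|\mathbf{x}\| \le \gamma$.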

D. LEARNING WITH ERRORS (LWE)
In 2005, Regev [25] first defined the learning with errors (LWE) problem and demonstrated that for a specific noise distribution χ, the LWE problem is as difficult as the worst case of the gap shortest vector problem or shortest independent vectors problem under the quantum reduction shown by Peikert in [27]. The security of the proposed scheme is based on the hardness assumption of the D-LWE problem as shown in Figure 2 and Definition II.7.
Definition II.5. Oracle $O_\chi$ and Oracle $O_\Psi$: Given a positive integer $n$, a prime $q$, and a specific discrete Gaussian distribution $\chi$ over $\mathbb{Z}_q$. Let $O_\chi$ be a pseudo-random noise sampler with some random secret-vector $\mathbf{s} \in \mathbb{Z}_q^n$, and let $O_\Psi$ be a truly-random sampler. The outputs of $O_\chi$ and $O_\Psi$ are defined as follows:
q is a uniformly random vector, $\mathbf{s} \in \mathbb{Z}_q^n$ is a fixed secret-vector, $x_i \in \mathbb{Z}_q$ is an ephemeral noise value sampled from $\chi$.
• $O_\Psi$: Output a set of truly random samples $(\mathbf{u}_i, v_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, which are independently and uniformly sampled from the whole domain $\mathbb{Z}_q^n \times \mathbb{Z}_q$.
Definition II.6. The Search Learning With Errors (S-LWE) problem: Given an arbitrary polynomial number of $(\mathbb{Z}_q^n \times \mathbb{Z}_q)$ samples from $O_\chi$, find the fixed secret-vector $\mathbf{s}$.
, where $\epsilon$ is non-negligible, $\mathcal{A}^{O_\chi} = 1$ denotes the case that $\mathcal{A}$ guesses correctly when the D-LWE problem generates samples from oracle $O_\chi$, and $\mathcal{A}^{O_\Psi} = 1$ denotes the case that $\mathcal{A}$ guesses correctly when the D-LWE problem generates samples from oracle $O_\Psi$.
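The two oracles of Definition II.5, as an added example that is not part of the paper: it draws samples from either oracle and shows that a party holding s tells them apart by checking whether v − ⟨u, s⟩ mod q is small. The sample form v = ⟨u, s⟩ + x mod q is the standard LWE sample of Regev [25]; the rounded-Gaussian noise, the toy parameters and all function names are assumptions of this illustration.

```python
import random

Q = 12289      # constructed example modulus (prime); far too small for real security
N = 16         # dimension of the secret vector s
SIGMA = 3.0    # noise width of the stand-in Gaussian


def centered(v, q=Q):
    """Representative of v mod q in the interval (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def inner(u, s, q=Q):
    """Inner product <u, s> mod q."""
    return sum(a * b for a, b in zip(u, s)) % q


def sample_noise(rng, sigma=SIGMA):
    # Assumption: a rounded continuous Gaussian stands in for the
    # discrete Gaussian distribution chi of the definition.
    return round(rng.gauss(0.0, sigma))


def oracle_chi(rng, s, count, q=Q):
    """O_chi: samples (u_i, <u_i, s> + x_i mod q) for one fixed secret s."""
    samples = []
    for _ in range(count):
        u = [rng.randrange(q) for _ in s]
        samples.append((u, (inner(u, s, q) + sample_noise(rng)) % q))
    return samples


def oracle_psi(rng, n, count, q=Q):
    """O_psi: samples drawn uniformly from Z_q^n x Z_q."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q))
            for _ in range(count)]


def residuals(samples, s, q=Q):
    """v_i - <u_i, s> mod q, centered around zero."""
    return [centered(v - inner(u, s, q), q) for u, v in samples]


def guess_with_secret(samples, s, q=Q, bound=6 * SIGMA):
    """Return 1 (O_chi) if every residual is small, else 0 (O_psi).

    Only someone who knows s can run this check; deciding without s is
    the D-LWE problem that the scheme assumes to be hard.
    """
    return 1 if all(abs(r) <= bound for r in residuals(samples, s, q)) else 0


def d_lwe_challenge(seed, count=64):
    """Flip a coin, then answer with O_chi (coin = 1) or O_psi (coin = 0)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    coin = rng.randrange(2)
    samples = oracle_chi(rng, s, count) if coin else oracle_psi(rng, N, count)
    return coin, s, samples


if __name__ == "__main__":
    for seed in range(5):
        coin, s, samples = d_lwe_challenge(seed)
        print(seed, coin, guess_with_secret(samples, s))
```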

E. LATTICE TRAPDOOR
The proposed scheme applies the trapdoor generation function proposed by Micciancio and Peikert [24] since it is more efficient. The algorithms of the trapdoor functions are introduced as follows:
Let a gadget vector $\mathbf{g} = [\,1 \;\; 2 \;\; 4 \;\; \cdots \;\; 2^{k-1}\,] \in \mathbb{Z}_q^{1 \times k}$, where $k = \log_2 q$ and $q = 2^k$. There exists a matrix $\mathbf{T}_g$ such that
Then, a gadget matrix $\mathbf{G}$ can be defined as
And there also exists a matrix $\mathbf{T}_G$ corresponding to $\mathbf{G}$, such that
With the matrix $\mathbf{T}_G$, any SIS problem constructed with $\mathbf{G}$ can be solved easily.
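With the special matrix $\mathbf{G}$, anyone may generate a trapdoor $\mathbf{R}$ and compute the corresponding matrix $\mathbf{A}$. Then he/she may solve the ISIS problem for matrix $\mathbf{A}$. The trapdoor generation function GenTrap and the function SampleD used to solve the ISIS problem are described as follows:
Given a matrix $\bar{\mathbf{A}} \in \mathbb{Z}_q^{n \times m}$, an invertible matrix $\mathbf{H} \in \mathbb{Z}_q^{n \times n}$, and a distribution $\chi$ over $\mathbb{Z}_q^{\bar{m} \times w}$. If $\bar{\mathbf{A}}$ and $\mathbf{H}$ are not given, then uniformly choose $\bar{\mathbf{A}} \in \mathbb{Z}_q^{n \times m}$ at random and set $\mathbf{H}$ as an identity matrix $\mathbf{I} \in \mathbb{Z}^{n \times n}$
where the $s_1(\cdot)$ function extracts the Euclidean length of the input matrix or vector.
Given a matrix $\bar{\mathbf{A}} \in \mathbb{Z}_q^{n \times m}$, a trapdoor matrix $\mathbf{R} \in \mathbb{Z}^{\bar{m} \times w}$, an invertible matrix $\mathbf{H} \in \mathbb{Z}_q^{n \times n}$ and a target vector $\mathbf{t} \in \mathbb{Z}_q^n$. Then, output a vector $\mathbf{x} \in \mathbb{Z}_q^m$ with the Gaussian parameter $\sigma$, such that $\mathbf{A}\mathbf{x} = \mathbf{t} \in \mathbb{Z}_q^n$, where $\mathbf{A} = [\,\bar{\mathbf{A}} \mid \mathbf{H}\mathbf{G} - \bar{\mathbf{A}}\mathbf{R}\,]$. The details of generating the vector $\mathbf{x}$ are described as follows: First, the algorithm randomly chooses a perturbation vector $\mathbf{p} \in \mathbb{Z}_q^m$ with $\sigma$. The vector $\mathbf{p}$ can be divided into
Further, the algorithm constructs an ISIS problem with $\mathbf{G}$ by computing
Finally, the algorithm outputs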
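How the gadget and the trapdoor R make ISIS easy for A = [Ā | HG − ĀR], as an added example that is not the paper's code: it builds G from g, solves Gz = t by bit decomposition, and lifts z to x = [Rz ; z] so that Ax = t. It assumes H = I, a toy q = 2^8, entries of R drawn from {−1, 0, 1}, and hypothetical names (m_bar for the width of Ā, gen_trap, invert_with_trapdoor); the Gaussian perturbation step of SampleD is deliberately left out.

```python
import random


def mat_vec(M, x, q):
    """Matrix-vector product M x mod q (M is a list of rows)."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]


def mat_mul(X, Y, q):
    """Matrix product X Y mod q."""
    cols = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) % q for col in cols]
            for row in X]


def gadget_matrix(n, k):
    """G = I_n (x) g with g = (1, 2, 4, ..., 2^(k-1)); shape n x nk."""
    G = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = 1 << j
    return G


def gadget_invert(t, k):
    """Short z in {0,1}^(nk) with G z = t mod 2^k: the bits of each t_i."""
    return [(ti >> j) & 1 for ti in t for j in range(k)]


def gen_trap(rng, n, m_bar, k):
    """Return (A, R) with A = [A_bar | G - A_bar R] mod q, taking H = I."""
    q, w = 1 << k, n * k
    A_bar = [[rng.randrange(q) for _ in range(m_bar)] for _ in range(n)]
    # Assumption: a small ternary R stands in for the distribution chi.
    R = [[rng.choice((-1, 0, 1)) for _ in range(w)] for _ in range(m_bar)]
    G = gadget_matrix(n, k)
    AR = mat_mul(A_bar, R, q)
    A = [A_bar[i] + [(G[i][j] - AR[i][j]) % q for j in range(w)]
         for i in range(n)]
    return A, R


def invert_with_trapdoor(R, t, k):
    """x = [R z ; z] where G z = t.

    A x = A_bar R z + (G - A_bar R) z = G z = t (mod q), and x is short
    because R and z are short. This deterministic x depends on R, which is
    why SampleD adds a perturbation vector p before releasing any output.
    """
    z = gadget_invert(t, k)
    Rz = [sum(r * zj for r, zj in zip(row, z)) for row in R]
    return Rz + z


def demo(seed=1, n=3, m_bar=6, k=8):
    """Constructed instance: returns (A, R, t, x, q) with A x = t mod q."""
    rng = random.Random(seed)
    q = 1 << k
    A, R = gen_trap(rng, n, m_bar, k)
    t = [rng.randrange(q) for _ in range(n)]
    x = invert_with_trapdoor(R, t, k)
    return A, R, t, x, q


if __name__ == "__main__":
    A, R, t, x, q = demo()
    print("target t      :", t)
    print("A x mod q     :", mat_vec(A, x, q))
    print("max |x_i|     :", max(abs(v) for v in x))
```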

F. DISCRETE GAUSSIANS
Definition II.8. For any real number $\sigma > 0$, the Gaussian function with $\sigma$ as the parameter and $\mathbf{z}$ as the center on $\mathbb{R}^n$ can be defined as follows:
And the corresponding discrete Gaussian distribution will be:
The discrete Gaussian distribution over L can be defined as:
Note that we usually omit the subscript if $\mathbf{z}$ is the origin or $\sigma = 1$ and denote $\chi = D_{\sigma,\mathbf{z}}(\mathbf{y})$.

G. ACCESS STRUCTURE
In ABE, a certain rule of attributes designed by a sender is called an access structure. The receivers can decrypt the ciphertext if and only if their attributes satisfy the access structure of the ciphertext. Let U be the set of all attributes in the system, and U ID ⊆ U be the attribute set of the user with identity ID. Then, a sender chooses an access structure τ that defines a rule of the attribute set U C ⊆ U to encrypt the message. If we illustrate τ with a tree structure, the leaf nodes of τ will be the attributes in U C , and each parent node may be one of the two types of operation gates, namely AND and OR. The user with the identity ID can get the message only if U ID satisfies the access structure τ .

H. DYNAMIC MEMBERSHIP (DM)
The aims of dynamic membership management (DM) were proposed by Fan et al. [12] in 2013, which contains the following features:
• Expandability: Any user may enroll into the system whenever needed.
• Renewability: The system may update users' attributes and get the corresponding private key.
• Revocability: The system may remove any attribute of a user, and make sure that the ciphertext encrypted by the new public parameters is unable to be decrypted by a revoked private key.
• Independence: Any user's revocation and the updating process may be performed without affecting other users.
There are two ways to achieve revocability, namely indirect revocation and direct revocation. In an indirect revocation mechanism, the system needs to maintain a revocation list for each attribute. After each revocation, all unrevoked users have to update their private keys to ensure its effectiveness, which is complicated work. On the other hand, a direct revocation mechanism simplifies the revocation process. In a direct revocation mechanism, none of the unrevoked users will be affected after any revocation; this feature is also called Independence. However, to carry out a direct revocation process, such a mechanism usually asks the sender to embed the revocation list into the ciphertext during encryption. The disclosure of the revocation list may cause some privacy issues.

I. MA-ABE-DM SCHEME
The proposed MA-ABE-DM scheme is composed of the following seven algorithms:
takes the user's identity ID, the user's attribute set U ID , the public key P K d , and the master private key M K d as input and outputs the partial private key SK ID d for the user ID.
• Revoke(GP, P K d , ID, t): This algorithm takes a public key P K d , a user's identity ID, and a target attribute t as input and outputs the updated public key P K ′ d .
This algorithm takes a public key P K d , a master private key M K d , a user's identity ID, a target attribute t, and the user's partial private key SK ID d as input and outputs the updated partial private key
This algorithm takes a single-bit message b, an access tree τ , and the public keys {P K d } d∈D C as input and outputs the ciphertext C, where D C is the set of attribute authorities monitoring attributes in τ .
• Init: A declares a target access tree τ and the target user's identity ID * and sends them to S, where τ is formed with some operation gates and a set of attributes U C . Besides, A also provides a list of corrupted attribute authorities D corrupt . Note that D C is the set of attribute authorities monitoring attributes in U C , which is restricted not to be a subset of D corrupt .
• Setup: S runs Setup to generate the global public parameters GP and sends it to A.
• AuthoritySetup: S runs AuthoritySetup to generate public key P K d and master private key M K d of each attribute authority AA d . Then, S sends public keys {P K d } d∈D to A. For those corrupted attribute authorities, S provides the corresponding master private keys {M K d } d∈Dcorrupt to A as well.
• Phase 1: A may issue the following queries.
--Enroll: A submits (ID, U ID ) to S, where ID is a user's identity and U ID is an attribute set for ID. If ID = ID * , for each attribute in U ID * C , S provides only the public parameter B ID * d,i to A. Otherwise, S runs Enroll to create the user's private key SK ID and adds the public parameters {B ID d,i } i∈U ID into the corresponding public key P K d , and then returns
and t is an element in U C , abort the query. Otherwise, S runs Revoke to revoke the attribute t for ID and update the public key P K d .
--Extend: A submits (ID, t) to S, where t is an attribute monitored by AA d but not an element in U ID . If ID = ID * and t is an element in U C , S provides only the public parameter B ID * d,t to A. Otherwise, S runs Extend to create the private key e ID d,t and adds the public parameter B ID d,t into the corresponding public key P K d , and then returns e ID d,t to A.
A delivers two distinct single-bit messages (m 0 , m 1 ) to S. Then, S randomly selects b ∈ {0, 1} and generates the ciphertext C b corresponding to b and the access tree τ . Then, S sends C b to A as the challenge.
• Phase 2: A may issue more queries as defined in Phase 1.

III. RELATED WORKS
In this section, we introduce some traditional MA-ABE schemes and some ABE schemes based on lattices. Moreover, we show the properties comparison between the proposed scheme and related works.

A. PROPERTIES COMPARISON
The proposed scheme achieves the dynamic membership management property with the security guaranteed, which is more functional than others. The details of the properties comparison are shown in TABLE 1.

In 2019, Chang [15] proposed an MA-ABE-DM scheme. In Chang's scheme, any authority can be the "Initializer" who may set up and aggregate public parameters from all attribute authorities without a central authority. This scheme grasped the advantages of both direct and indirect revocation mechanisms to design a new approach that holds privacy and independence simultaneously. The trick of Chang's scheme is to generate a unique key for each attribute value of every user, which implies that even if there are two users having the same attribute value, their attribute keys are distinct. After a user enrolled, there will be a correlated public parameter for each attribute key so that anyone can encrypt the message by adding the corresponding public parameters of the chosen attributes. This scheme was proved to be secure under the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. However, the DBDH problem is unable to resist the quantum attacks proposed by Shor [16].

Ming et al. [28] proposed a pairing-free MA-ABE scheme with revocability. Without pairing operations, their scheme has a lower computational cost. However, unrevoked users need to update their private keys in the revocation mechanism. Moreover, this scheme was proved to be IND-CPA secure under the decisional Diffie-Hellman (DDH) assumption, which is also unable to resist the quantum attacks.

C. LATTICE-BASED REVOCABLE CP-ABE SCHEMES
We introduce some CP-ABE schemes on lattices with revocation or updating mechanisms here. Wang et al. [29] added the attribute modification mechanism into the CP-ABE and proved their scheme was secure under the random oracle model. After that, Meng [30] proposed a directly revocable CP-ABE scheme in 2020, which is more intuitive than the previous works. However, both schemes were constructed under a single authority, which is not suitable for reality.

1) Wang et al.'s Revocable and Grantable CP-ABE Scheme on Lattices
In Wang et al.'s [29] scheme, they presented an efficient revocable and grantable CP-ABE scheme. They built a binary tree for each attribute and constructed the key-update process with the KUNodes algorithm. Also, they proved that their scheme was secure under the selective and random oracle model. However, the revocation mechanism in Wang et al.'s scheme is indirect, which means that the other users will be affected after the revocation process. Moreover, the scheme is based on a single authority scenario, which does not match the practical condition.

2) Meng's Revocable CP-ABE Scheme on Lattices
In Meng's [30] work, there are two directly revocable CP-ABE schemes on lattices. One can achieve user-level revocation, and another can achieve attribute-level revocation. To directly revoke a user or an attribute, the sender embeds the revocation list into the ciphertext during encryption. As mentioned above, the benefit of a direct revocation mechanism is that no other user will be affected. Besides, the attribute authority is able to perform revocation without issuing any updated key, which reduces lots of work. However, the revocation list in Meng's scheme reveals the identities of revoked users, which invades the privacy of the revoked users. Furthermore, their scheme is based on a single authority scenario, which conflicts with the practical condition.

D. LATTICE-BASED MA-ABE SCHEMES
We show some MA-ABE schemes on lattices here.

1) Zhang et al.'s MA-ABE Scheme on Lattices
Zhang et al. [21] first proposed a lattice-based MA-ABE scheme in 2015. Although the scheme requires a central authority (CA) to authenticate identities and handle attributes of users, they avoid the key escrow problem by depriving the central authority of the key generating ability. However, there are some shortcomings in Zhang et al.'s scheme. First, there are neither revocation nor updating mechanisms in the scheme, which is inconvenient for member management. Second, their scheme is KP-ABE. Third, the probability of two distinct users having the same attribute private key is non-negligible in their scheme, which may cause a collusion attack.

2) Liu et al.'s MA-ABE Scheme on Lattices
Liu et al. [22] proposed an efficient MA-ABE scheme on lattices in 2018. Taking advantage of the theory in Micciancio and Peikert's [24] work, they constructed an optimized sampling function to create stronger trapdoors in the key generation process. Besides, they also proved their scheme to be IND-CPA secure, but there is still a lack of a modification mechanism for attributes. Precisely, there are neither revocation nor updating mechanisms in the scheme as well, which is inconvenient for member management. Moreover, their scheme is KP-ABE, too.

3) Datta et al.'s MA-ABE Scheme on Lattices
In 2021, Datta et al. [23] proposed an MA-ABE scheme on lattices, which is CP-ABE. Moreover, their scheme supports access policies described in disjunctive normal form. However, neither revocation nor updating mechanisms are provided in their scheme.

IV. CONSTRUCTION
In the proposed lattice-based MA-ABE-DM scheme, as shown in Figure 3, an initializer first runs Setup to generate the global public parameters, and each attribute authority runs AuthoritySetup to create its own public key and private key. After that, each attribute authority runs Enroll to generate the partial private key of each user. Once a user's attribute changes, the attribute authority runs the Revoke or Extend algorithm to update the public key and the user's partial private key. When sending a message, the sender runs Encrypt to generate the ciphertext and sends it to the receivers. Then, receivers run Decrypt to recover the message. The notations are shown in TABLE 2.

A. THE PROPOSED SCHEME
We show the details of the proposed scheme, which consists of seven algorithms: Setup, AuthoritySetup, Enroll, Revoke, Extend, Encrypt and Decrypt.

C. AUTHORITYSETUP
After the Initializer publishes GP , each AA d runs the following steps to create its own public key and private key: , and the following formula holds:

E. REVOKE
A revoking request for AA d includes the target attribute t and the user's identity ID. After receiving the revoking request, AA d revokes the target attribute for ID through the following steps.

F. EXTEND
An extending request for AA d includes the target attribute t and the user's identity ID. After receiving the extending request, AA d generates the private key of the target attribute for ID through the following steps. Finally, ID updates his/her private key (SK

G. ENCRYPT
A sender encrypts a single-bit message b with a chosen access tree τ by the following steps:
1) Randomly choose a noise value x ∈ χ.
2) Choose an access tree τ which is formed with some operation gates and a set of attributes U C = {U C d } d∈D C , where D C is the set of attribute authorities monitoring attributes in U C .
3) For each attribute j ∈ U C d , randomly choose a noise vector $\mathbf{x}_{d,j} \in \chi^m$.
4) For each ID ∈ L, choose a random value $r^{ID} \in \mathbb{Z}_q$ and a vector $\mathbf{s}^{ID} \in \mathbb{Z}_q^n$ and set
5) Set the root node value of τ as $r^{ID}$. Then, starting from the root node, assign a value to each leaf node according to the operation gates in τ :
• At an AND gate, let M be the set of all its child nodes. Divide the value of the parent node into |M | parts, where $r^{ID} = \sum_{j \in M} r^{ID}_j \pmod{q}$. Set each child node value as one of the parts $r^{ID}_j$.
• At an OR gate, let M be the set of all its child nodes. Set each child node value to the value of its parent node such that $\forall j \in M,\ r^{ID}_j = r^{ID}$.
6) For each attribute j ∈ {U C d } d∈D C , generate the partial ciphertext for each ID as follows:
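Step 5 above, as an added example that is not the paper's code: the root value r for one identity is pushed down the access tree (additive split mod q at AND, copy at OR) and recovered bottom-up from the leaves an attribute set covers. The tuple encoding of τ, the hospital policy, the modulus and all function names are constructed for the illustration; in the scheme the leaf values are hidden inside ciphertext components rather than handed out, so only the arithmetic on r is shown.

```python
import random

Q = (1 << 61) - 1  # constructed example modulus


def assign_shares(node, value, rng, q=Q):
    """Push `value` from a node down to the leaves of the access tree.

    A node is an attribute name (leaf) or a pair (gate, children) with
    gate "AND" or "OR". Returns the same tree with a value on every leaf.
    """
    if isinstance(node, str):
        return ("LEAF", node, value % q)
    gate, children = node
    if gate == "AND":
        # Additive split: the child values sum to the parent value mod q.
        parts = [rng.randrange(q) for _ in children[:-1]]
        parts.append((value - sum(parts)) % q)
    elif gate == "OR":
        # Every child carries the parent value unchanged.
        parts = [value % q] * len(children)
    else:
        raise ValueError("unknown gate: %r" % (gate,))
    return (gate, [assign_shares(c, p, rng, q) for c, p in zip(children, parts)])


def leaf_values(shared):
    """Flatten a shared tree to {attribute: value} (attributes assumed unique)."""
    if shared[0] == "LEAF":
        return {shared[1]: shared[2]}
    out = {}
    for child in shared[1]:
        out.update(leaf_values(child))
    return out


def recover(shared, attrs, q=Q):
    """Value at this node for an attribute set, or None if not satisfied."""
    kind = shared[0]
    if kind == "LEAF":
        return shared[2] if shared[1] in attrs else None
    vals = [recover(child, attrs, q) for child in shared[1]]
    if kind == "AND":
        return None if any(v is None for v in vals) else sum(vals) % q
    return next((v for v in vals if v is not None), None)  # OR gate


# Constructed policy: Hospital-A AND (Doctor OR COVID-19 patient).
POLICY = ("AND", ["Hospital-A", ("OR", ["Doctor", "COVID-19 patient"])])


def shares_per_identity(policy, identities, seed=7, q=Q):
    """Fresh root value and leaf values for every identity (step 4 and 5)."""
    rng = random.Random(seed)
    out = {}
    for ident in identities:
        r = rng.randrange(q)
        out[ident] = (r, assign_shares(policy, r, rng, q))
    return out


def mixed_leaves(per_id, q=Q):
    """Sum alice's Hospital-A leaf with bob's Doctor leaf.

    Each identity has its own root value, so this sum matches neither
    root except with probability about 2/q.
    """
    a = leaf_values(per_id["alice"][1])["Hospital-A"]
    b = leaf_values(per_id["bob"][1])["Doctor"]
    return (a + b) % q


if __name__ == "__main__":
    per_id = shares_per_identity(POLICY, ["alice", "bob"])
    r_alice, tree_alice = per_id["alice"]
    print(recover(tree_alice, {"Hospital-A", "Doctor"}) == r_alice)   # satisfied
    print(recover(tree_alice, {"Doctor", "COVID-19 patient"}))        # None
    print(mixed_leaves(per_id) in (r_alice, per_id["bob"][0]))        # False
```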

H. DECRYPT
After receiving the ciphertext C, any user whose attribute set satisfies τ inputs his/her private key SK ID = {e ID d,j } j∈U ID ,d∈D and runs the following steps:
1) Compute b ′ according to the operation gates in τ . For the convenience of explanation, we show the case where all operation gates are AND and the case where all operation gates are OR as follows:
• When τ is composed with only AND gates:

I. CORRECTNESS
We show the correctness of the formulas in decryption as follows.
For the convenience of explanation, assume that τ is composed only of AND gates:
By properly choosing the noise value and noise vectors, the following formula holds:
Thus, compute $b' - \lfloor \frac{q}{2} \rfloor$. If b ′ = 1, the result will be less than $\lfloor \frac{q}{4} \rfloor$. Otherwise, if b ′ = 0, the result will be larger than or equal to $\lfloor \frac{q}{4} \rfloor$.

V. SECURITY PROOF
In this section, we prove the proposed scheme to be se-
1) A determines a set of corrupted attribute authorities Dcorrupt. Without loss of generality, we consider the most extreme condition that only one attribute authority AA d * is uncorrupted, so that Dcorrupt = D − AA d * .
2) A determines the target access tree τ , where τ is formed with some operation gates and a set of attributes UC = {U C d } d∈D C . Besides, A also determines the target user's identity ID * . Note that UC must contain at least one attribute monitored by AA d * . In other words, DC cannot be a subset of Dcorrupt.
• Phase 1: A may issue the following queries.
Then, S updates the public key P K d with B ID * d,i . Otherwise, S follows the Enroll algorithm defined in Section IV-D to generate the matrix B ID d,i and the vector e ID d,i for each attribute in U ID . Then, S returns the private key SK ID = {e ID d,i } i∈U ID to A and updates the public key P K d with {B ID d,i } i∈U ID .
--Revoke: Take (ID, t) as input, where t is an attribute monitored by AA d in U ID . If ID = ID * and t is an element in U C , abort the query. Otherwise, S follows the Revoke algorithm defined in Section IV-E to remove t from U ID by updating the public key P K d .
--Extend: Take (ID, t) as input. If ID = ID * and t is an element in U C , S sets the matrix B ID * , which also means that
Then, S updates the public key P K d with B ID * d,t . Otherwise, S follows the Extend algorithm defined in Section IV-F to generate the matrix B ID d,t and the vector e ID d,t . Then, S returns the private key e ID d,t to A and updates the public key P K d with B ID d,t .
• Challenge: A delivers two distinct single-bit messages (m 0 , m 1 ) to S. Then, S randomly chooses a message b ∈ (m 0 , m 1 ) and performs the following steps to encrypt b with τ .

4) Then get
d , d∈D C , U C }. 5) S sends the ciphertext C b to A as the challenge.
• Phase 2: A may issue more queries as defined in Phase 1.
If the samples are chosen from $O_\chi$, we will have that . The ciphertext will be
Since A is able to win the IND-CPA MA-ABE-DM game with advantage $\epsilon$, the probability that A wins the IND-CPA MA-ABE-DM game is $\frac{1}{2} + \epsilon$. Therefore, in this case, the probability that S correctly guesses the D-LWE oracle is $\frac{1}{2} + \epsilon$. Otherwise, if the samples from the D-LWE oracle are uniformly random chosen from $O_\Psi$, the ciphertext C b is uniformly random. In this case, the probability that S correctly guesses the D-LWE oracle is $\frac{1}{2}$. Thus, the advantage for S to solve the D-LWE problem will be:
Therefore, if A can win the IND-CPA MA-ABE-DM game with non-negligible advantage $\epsilon$, it implies that S can solve the D-LWE problem in polynomial time with non-negligible advantage $\epsilon$.

VI. COMPARISON
In this section, we present the comparison between the proposed scheme, Zhang  As shown in TABLE 5, the computation cost of the encryption in the proposed scheme is g times of the related works, which is the cost of achieving independence property. Nevertheless, the encryption cost of the proposed scheme with g = 100 is 3.2093 (s), which is still within an acceptable range. Moreover, we provide more flexible access structures than the related works with the much lower decryption cost, which makes the proposed scheme more efficient and functional.

B. TRANSMISSION COST
The estimation is performed under the set of practical parameters given in TABLE 3. Let U C with size h be the set of attributes associated with the ciphertext, and U ′ C with size h ′ be the smallest set of attributes that satisfies U C . Assume that g is the total number of the users and k is the total number of the attribute authorities.
As shown in TABLE 6, the ciphertext length of the proposed scheme has to be multiplied by the total number of users g, which is the cost of achieving the independence property. Besides, because the form of the ciphertext in Zhang et al.'s work and Liu et al.'s work is nearly the same, the transmission cost and the computation cost are almost the same as well.

VII. CONCLUSION
In this research, a lattice-based multi-authority ABE with dynamic membership management has been proposed. First, the sender can design the access structure, since the proposed scheme is a CP-ABE scheme. Second, with dynamic membership management, all private keys may be updated independently. Third, it supports multi-authority to resolve the key escrow problem. Fourth, based on lattice hard problems, the proposed scheme resists quantum attacks. Fifth, it can effectively prevent collusion attacks by users. Finally, the proposed scheme is provably IND-CPA secure under the D-LWE assumption, which ensures the confidentiality of the ciphertext.
Although the transmission cost and the computation cost in the encryption process of the proposed scheme are higher than in the previous works, these costs are worth sacrificing for adding more practical features. Besides, the computation cost of the decryption of the proposed scheme is much lower than the previous works, which is more beneficial to the receivers. In the future, we will try to enhance the performance of the proposed scheme. Specifically, how to

The computation time of a multiplication $\mathbb{Z}^{1 \times n}$
The computation time of a multiplication $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^{n \times 1}$: 3.080 (ms)
$T_{mul3}$: The computation time of a multiplication $\mathbb{Z} \times \mathbb{Z}_q^{m \times 1}$: 0.084 (ms)
$T_{mul4}$: The computation time of a multiplication $\mathbb{Z} \times \mathbb{Z}_q^{n \times 1}$: 0.002 (ms)
$T_{mul5}$: The computation time of a multiplication $\mathbb{Z}^{n \times m}$
The computation time of a multiplication $\mathbb{Z}^{1 \times m}$
The computation time of an addition $\mathbb{Z}_q^{m \times 1} + \mathbb{Z}_q^{m \times 1}$: 0.045 (ms)
$h' \cdot (T_{mul4} + T_{mul5}) + h' \cdot T_{mul4} + k \cdot T_{mul4} + h' \cdot T_{mul6} \approx 2.681h' + 0.002h' + 0.002k + 0.013h'$ (ms) $\approx 2.696h' + 0.002k \approx 13.49$ (ms)
Datta et al.
h ′ represents the size of the smallest attribute set that can satisfy the ciphertext.
g represents the total number of users.