Search

US-12627464-B2 - Bootstrappable fully homomorphic attribute-based encryption method with unbounded circuit depth

US12627464B2US 12627464 B2US12627464 B2US 12627464B2US-12627464-B2

Abstract

Homomorphic attribute-based encryption (HABE) is a useful cryptographic primitive that supports both fine-grained access control and computation over ciphertexts. However, existing HABE schemes are limited to the homomorphic evaluation of circuits with either bounded depth or a restricted number of inputs. To address this problem, the present disclosure introduce a bootstrappable, fully homomorphic attribute-based encryption (FHABE) scheme that supports computations of circuits with unbounded depth over cross-attribute ciphertexts. Compared to state-of-the-art schemes, the proposed scheme also has a more lightweight ciphertext and eliminates the reliance on the random oracle model. Additionally, the present disclosure extend the FHABE to a proxy re-encryption setting, proposing an attribute-based homomorphic proxy re-encryption scheme that facilitates efficient sharing of encrypted data. This scheme is the first lattice-based multi-hop attribute-based proxy re-encryption scheme with unbounded hops of re-encryptions.

Inventors

  • Jian Weng
  • Shixin Chen
  • FeiXiang Zhao
  • Man Ho Allen AU
  • Huaxiong WANG
  • Jian Guo
  • Chengxin SHU

Assignees

  • JINAN UNIVERSITY
  • THE HONG KONG POLYTECHNIC UNIVERSITY
  • NANYANG TECHNOLOGICAL UNIVERSITY

Dates

Publication Date
20260512
Application Date
20251215

Claims (18)

  1. 1 . A computer-implemented system for fully homomorphic attribute-based encryption (FHABE) with unbounded circuit depth, comprising: a processor configured to execute instructions; and a memory coupled to the processor and storing instructions configured to cause the processor to perform operations comprising: generating public parameters including matrices A, B 1 , . . . , B l , U and Gadget matrix G=I n ⊗g T , and a master secret key msk; generating a secret key sk ƒ for an access policy ƒ and an associated public key pk ƒ , wherein the associated public key pk ƒ includes an auxiliary recovery key ark ƒ ; encrypting an attribute vector x ∈ ℤ q l and a message μ∈(0,1) m associated with the access policy ƒ into a ciphertext ct x ; homomorphically evaluating an operation on one or more of the ciphertexts to produce an evaluated ciphertext, wherein the homomorphic evaluation comprises: performing a homomorphic arithmetic or logical operation on ciphertext components to achieve a resulting ciphertext component; performing a bootstrapping process on the resulting ciphertext component, wherein the bootstrapping process is configured to refresh noise associated with the resulting ciphertext component; and applying the auxiliary recovery key ark ƒ to a noise-refreshed ciphertext component to recover the evaluated ciphertext to a standard form compatible with subsequent homomorphic evaluation or decryption; and decrypting a recovered ciphertext ct using the secret key sk ƒ to retrieve the message μ, wherein correctness of the decryption is maintained for ciphertexts evaluated over an unbounded number of operations.
  2. 2 . The system of claim 1 , wherein the bootstrapping process utilizes FHEW bootstrapping techniques.
  3. 3 . The system of claim 2 , wherein the FHEW bootstrapping techniques comprise: key switching, configured to convert an LWE encryption under a first secret key to an LWE encryption under a second secret key; modulus switching, configured to convert an LWE encryption under a first modulus to an LWE encryption under a second modulus; and a homomorphic accumulator, configured to process GSW ciphertexts.
  4. 4 . The system of claim 3 , wherein the bootstrapping process performs a logical NAND operation, and further comprises: performing a homomorphic addition on first and second LWE ciphertext components (a (1) , b (1) ) and (a (2) , b (2) ), under a secret key s and a plaintext modulus t=4, to generate a summed LWE ciphertext component (a, b) that encrypts a sum of plaintext messages μ (1) +μ (2) , wherein the homomorphic addition increases an associated error bound to q/8; and applying a mapping function ƒ to a value x=b− a, s of the summed LWE ciphertext component (a, b) via a homomorphic accumulator using a bootstrapping key btk and a key switching key ksk, wherein the mapping function ƒ is configured to transform: x ⁢ to ⁢ q / 8 , if ⁢ x ∈ [ - q / 8 , 3 ⁢ q / 8 ) ; and x ⁢ to - q / 8 , if ⁢ x ∈ [ 3 ⁢ q / 8 , 7 ⁢ q / 8 ) ; whereby the mapped value reflects a result of the NAND operation μ (1) NANDμ (2) with an associated error bound reduced to q/16, wherein q is the ciphertext modulus.
  5. 5 . The system of claim 1 , wherein the auxiliary recovery key ark ƒ is configured to recover a bootstrapped ciphertext from an expanded key form to a functional ciphertext form compatible with a decryption or homomorphic evaluation algorithm, and wherein: the auxiliary recovery key arks comprises a matrix structured as: ark f = [ M 1 0 2 ⁢ m × m M 2 I m × m ] ∈ ℤ q 3 ⁢ m × ( 2 ⁢ mmd + m ) where, M 1 =[A|B ƒ ] T E 1 +E 2 , M 2 =U T E 1 +E 3 −P2({circumflex over (R)} ƒ ) T , E 1 is a randomly chosen matrix uniformly sampled from , E 2 and E 3 are error matrices sampled from an error distribution χ with bound B χ , A, B ƒ , U are public parameter matrices defined in the system, with A ∈ ℤ q n × m , B f ∈ ℤ q n × m ⁢ and ⁢ U ∈ ℤ q n × m , R ƒ is an expanded key matrix after bootstrapping, and recovering the bootstrapped ciphertext involves computing the functional ciphertext form f ( g ) via the matrix multiplication: f ( g ) = ark f · [ G - 1 ( c ¯ f ) c ¯ out ] where c ƒ and c out are components of the bootstrapped ciphertext in the expanded key form, with c ¯ f ∈ ℤ q 2 ⁢ mm , c ¯ out ∈ ℤ q m , G −1 is the inverse algorithm of the gadget matrix G, which decomposes a vector into a binary representation; the functional ciphertext form f ( g ) after recovery has an associated error term with a bound less than q/16, where q is the ciphertext modulus, thereby enabling correct decryption and further homomorphic evaluation for unbounded-depth circuits without exceeding the error tolerance; and the auxiliary recovery key ark ƒ is utilized within an Eval.NAND algorithm to restore ciphertexts after homomorphic evaluation of a NAND gate, enabling their use in subsequent unbounded-depth circuit evaluations.
  6. 6 . The system of claim 5 , wherein the homomorphic evaluation comprises the Eval.NAND algorithm, and the bootstrapping process is performed on each component of a message vector, wherein: the Eval.NAND algorithm operates on functioned ciphertexts c ^ ⁢ t f ( i ) = ( c ˆ f ( i ) , c out ( i ) ) ∈ ℤ q 3 ⁢ m for j∈{1,2}, each encrypting a message vector μ ( j ) = ( μ 1 ( j ) , … , μ m ( j ) ) ∈ { 0 , 1 } m for j∈{1,2}, and comprises: computing a homomorphic addition a = c ˆ f ( 1 ) + c ˆ f ( 2 ) ∈ ℤ q 2 ⁢ m , b = ( b 1 , … , b m ) = c out ( 1 ) + c out ( 2 ) ∈ ℤ q m ; for each component i∈[m], performing a bootstrapping process c ¯ i = ( a ¯ i , b ¯ i ) ← Bootstrap ( NAND ) ( btk r i , ksk r i , ( a , b i ) ) ∈ LWE r i 4 / q ( μ i ( 1 ) ⋀ _ μ i ( 2 ) , δ ) , where btk r i is a bootstrapping key and ksk r i is a key-switching key associated with a secret key component r i ; the bootstrapping process is performed independently for each component i∈[m], resulting in a bootstrapped ciphertext c t=( c ƒ , c out ) with c ¯ f = [ a ¯ 1 ⁢ ❘ "\[LeftBracketingBar]" … ❘ "\[RightBracketingBar]" ⁢ a ¯ m ] ∈ ℤ q 2 ⁢ mm ⁢ and ⁢ c ¯ out = ( b ¯ 1 , … , b ¯ m ) ∈ ℤ q m , wherein the error bound for each component satisfies δ≤q/16; and the component-wise bootstrapping enables parallel processing and maintains an overall error bound below q/16, supporting correct decryption and further homomorphic evaluation for unbounded-depth circuits.
  7. 7 . The system of claim 1 , wherein the system is configured to, during the generation of the public parameters in the Setup algorithm and during the homomorphic evaluation process in the Eval algorithm, select parameters that satisfy predefined error bounds to maintain correctness of the encryption scheme, wherein the error bound for fresh ciphertexts is given by B χ + 2 ⁢ m ⁢ σ ⁡ ( α ℱ + 1 ) ⁢ B χ < q 8 , where B χ is the bound of the error distribution χ, σ is the key sampling parameter used in the SampleD algorithm for generating secret keys, =(m+ is a policy depth factor with being the maximum depth of supported policy circuits, m is the dimension parameter such that m=Θ(n log q), and q is the ciphertext modulus, the chosen parameters, with overwhelming probability, satisfies  e out ( i ) - R f T [ e in ( i ) | e f ( i ) ]  < B χ + 2 ⁢ m ⁢ σ ⁡ ( α ℱ + 1 ) ⁢ B χ < q 16 for any fresh ciphertext; and the error bound for evaluated ciphertexts is given by 2 ⁢ m 2 ⁢ d · B X + δ + 2 ⁢ m ⁢ σ · 2 ⁢ m 2 ⁢ d g · α ℱ ⁢ B X < q 16 , where d g =┌log B g q┐ is the gadget base decomposition dimension with B g being a gadget base, σ represents an error bound introduced during the bootstrapping process; satisfying these error bounds allows the system to maintain correctness for homomorphic evaluations of circuits with unbounded depth, without requiring circuit-depth-dependent parameter scaling.
  8. 8 . The system of claim 1 , wherein the ciphertext ct x for a message μ∈{0,1} m associated with an attribute vector x = ( x 1 , … , x l ) ∈ ℤ q l comprises components ct x =(c in , c 1 , . . . , c l , c out ) and wherein: parameters and matrices are defined with dimensions: A ∈ ℤ q n × m , B i ∈ ℤ q n × m ⁢ for ⁢ i ∈ [ l ] , U ∈ ℤ q n × m , and ⁢ G ∈ ℤ q n × m is a gadget matrix, wherein the ciphertext vector overall belongs to ℤ q ( l + 2 ) ⁢ m , and m=Θ(n┌log q┐) as per the Setup algorithm; the mathematical forms and dimensions of the ciphertext components are: c in = A T ⁢ S + e in ∈ ℤ q m , where ⁢ s ∈ ℤ q n is a random vector; for each i∈[l], c i = ( B i + x i ⁢ G ) T ⁢ s + e i T ∈ ℤ q m ; c out = U T ⁢ s + e out + ⌊ q / 4 ⌋ · μ ∈ ℤ q m , where μ is encoded coordinate-wise; error distributions and bounds: the vectors e in , e i for i∈[l] and e out are independently sampled from an error distribution χ with a constant bound B χ such that ∥e in ∥ ∞ <B χ , ∥e i ∥ ∞ ≤B χ , and ∥e out ∥ ∞ ≤B χ , wherein parameter selection during Setup and Eval ensures this bound for correctness; attribute association: for each i∈[l], the component c i embeds the attribute x i directly, enabling subsequent key-homomorphic evaluation algorithms KeyEval ct or KeyEval D to process access-controlled information based on x; KeyEval ct result and error bound: for a policy ƒ and attribute x, KeyEval ct ( f , x , { B i , c i } i = 1 l ) → c f = D f , x T · [ c 1 ⁢  …  ⁢ c l ] ∈ ℤ q m , and c ƒ =[B ƒ +ƒ(x) G] T ·s+e ƒ , where ∥e ƒ ∥ ∞ ≤(m+ ·B with being the depth of the policy circuit ƒ, ensuring that the functioned ciphertext construction supports correct Eval and decryption.
  9. 9 . A computer-implemented system for unbounded multi-hop attribute-based fully homomorphic proxy re-encryption (AB-FHPRE), comprising: a processor configured to execute instructions; and a memory coupled to the processor and storing instructions configured to cause the processor to perform operations comprising: generating public parameters including matrices A, B 1 , . . . , B l , U, and Gadget matrix G, and a master secret key msk; generating a secret key sk ƒ for a first access policy ƒ 1 and an associated public key pk ƒ , wherein the associated public key pk ƒ includes an auxiliary recovery key ark ƒ for the first access policy ƒ 1 ; encrypting an attribute vector x ∈ ℤ q l and a message μ∈(0,1) m associated with the first access policy ƒ 1 into a ciphertext ct; generating a re-encryption key rek ƒ 1 →ƒ 2 for transforming the ciphertext ct from the first access policy ƒ 1 to a second access policy ƒ 2 , wherein the re-encryption key rek ƒ 1 →ƒ 2 is a matrix that combines policy-associated matrices and error matrices, enabling a proxy computing device to convert ciphertexts associated with the first access policy ƒ 1 to those associated with the second access policy ƒ 2 without accessing plaintext; and re-encrypting, by the proxy computing device, the ciphertext from the first access policy ƒ 1 to the second access policy ƒ 2 using the re-encryption key rek ƒ 1 →ƒ 2 and a public key of the second policy, wherein the re-encryption comprises: transforming the ciphertext under the first access policy ƒ 1 into an intermediate re-encrypted ciphertext; and performing a homomorphic AND computation on the intermediate re-encrypted ciphertext, wherein the homomorphic AND computation includes a bootstrapping process to refresh noise and produce a re-encrypted ciphertext for the second access policy ƒ 2 , and wherein the re-encryption supports an unbounded number of re-encryption hops.
  10. 10 . The system of claim 9 , wherein the re-encryption key is generated by the ReKeyGen algorithm and used by the ReEnc algorithm to re-encrypt a ciphertext under policy ƒ 1 to a ciphertext under policy ƒ 2 , and wherein: the re-encryption key rek ƒ 1 →ƒ 2 is a block matrix structured as: rek f 1 → f 2 = [ M 1 ( r ) 0 2 ⁢ m × m M 2 ( r ) I m × m ] ∈ ℤ q 3 ⁢ m × ( 2 ⁢ m · d + m ) where d=┌log B g q┐ is the decomposition length determined by a gadget base B g , and m=Θ(n log q) is the dimension parameter; the components M 1 ( r ) ⁢ and ⁢ M 2 ( r ) are constructed as follows: select an attribute vector y = ( y 1 , … , y l ) ∈ ℤ q l such that ƒ 2 (y)=0; construct an intermediate matrix M ¯ 1 ( r ) = [ A ❘ B 1 + y 1 ⁢ G ❘ … ❘ B l + y l ⁢ G ] T ⁢ E 1 ( r ) + E ¯ 1 ( r ) , where ⁢ E 1 ( r ) ← $ ℤ q n × 2 ⁢ m ⁢ d is a random matrix, E ¯ 2 ( r ) ← χ ( l + 1 ) ⁢ m × 2 ⁢ m ⁢ d is an error matrix sampled from distribution χ with bound B χ ; evaluate D ƒ 2 ,y ←KeyEval D (ƒ 2 , y, (B 1 , . . . , B l )), and compute: M 1 ( r ) = [ I m × m 0 m × m 0 l ⁢ m × m D f 2 , y ] T · M ¯ 1 ( r ) = [ A | B f 2 ] T ⁢ E 1 ( r ) + E 2 ( r ) where ⁢ E 2 ( r ) is an error matrix satisfying ∥E 2 ∥ ∞ < ·B χ , α F =(m+ is a policy depth factor with being the maximum depth of supported policies; compute M 2 ( r ) = U T ⁢ E 1 ( r ) + E 3 ( r ) - P ⁢ 2 ⁢ ( R f 1 ) T , where ⁢ E 3 ( r ) ← χ m × 2 ⁢ m ⁢ d is an error matrix, R f 1 ∈ ℤ q 2 ⁢ m × m is the secret key tor policy ƒ 1 , P2 is a public algorithm such that P2(X)=G T X for any matrix X; the ReEnc algorithm uses rek ƒ 1 →ƒ 2 and the gadget inverse to compute a 1-hop re-encrypted ciphertext c ⁢ t ¯ f 2 ( r ) = r ⁢ e ⁢ k f 1 → f 2 · [ G - 1 ( c ˆ f 1 ) c out ] where ⁢ c ˆ f 1 ∈ ℤ q 2 ⁢ m ⁢ and ⁢ c out ∈ ℤ q m are components of the input functioned ciphertext under ƒ 1 , and G −1 is the gadget inverse algorithm satisfying G·G −1 (x)=x; the matrices and error terms are sampled with respect to public parameters pp including modulus q, gadget matrix G, error distribution χ, and bound B χ such that the accumulated error after re-encryption satisfies ∥error∥ ∞ <q/16, enabling correct decryption; subsequently, a homomorphic refresh operation reduces the error to a level suitable for further re-encryption or homomorphic evaluation, thereby supporting multi-hop re-encryption with unbounded hops; the re-encryption key rek ƒ 1 →ƒ 2 is generated by ReKeyGen using the master secret key sk ƒ 1 and public parameters pp, and consumed by ReEnc in conjunction with the public key pk ƒ 2 to map ciphertexts from policy ƒ 1 to policy ƒ 2 .
  11. 11 . A computer-implemented method for unbounded depth fully homomorphic attribute-based encryption (FHABE), the method comprising: generating, by a computing device, public parameters including matrices A, B 1 , . . . , B l , U, and Gadget matrix G, and a master secret key msk=T A ; generating, by the computing device, a secret key sk ƒ for an access policy ƒ and an associated public key pk ƒ , wherein the associated public key pk ƒ includes an auxiliary recovery key ark ƒ ; encrypting, by the computing device, an attribute vector x ∈ ℤ q l and a message μ∈(0,1) m associated with the access policy ƒ into a ciphertext ct; homomorphically evaluating, by the computing device, an operation on one or more of the attribute-based ciphertexts to produce an evaluated ciphertext, wherein the homomorphic evaluation comprises: performing a homomorphic arithmetic or logical operation on ciphertext components to achieve a resulting ciphertext component; performing a bootstrapping process on the resulting ciphertext component, wherein the bootstrapping process is configured to refresh noise associated with the resulting ciphertext component; and applying the auxiliary recovery key ark ƒ to a noise-refreshed ciphertext component to recover the evaluated ciphertext to a standard form compatible with subsequent homomorphic evaluation or decryption; and decrypting the ciphertext ct using the secret key sk ƒ to retrieve the message μ, wherein correctness of the decryption is maintained for ciphertexts evaluated over an unbounded number of operations.
  12. 12 . The method of claim 11 , wherein the bootstrapping process utilizes FHEW bootstrapping techniques.
  13. 13 . The method of claim 12 , wherein the FHEW bootstrapping techniques comprise: key switching, configured to convert an LWE encryption under a first secret key to an LWE encryption under a second secret key; modulus switching, configured to convert an LWE encryption under a first modulus to an LWE encryption under a second modulus; and a homomorphic accumulator, configured to process GSW ciphertexts.
  14. 14 . The method of claim 13 , wherein the bootstrapping process performs a logical NAND operation, and further comprises: performing a homomorphic addition on first and second LWE ciphertext components (a (1) , b (1) ) and (a (2) , b (2) ), under a secret key s and a plaintext modulus t=4, to generate a summed LWE ciphertext component (a, b) that encrypts a sum of plaintext messages μ (1) +μ (2) , wherein the homomorphic addition increases an associated error bound to q/8; and applying a mapping function ƒ to a value x=b− a, s of the summed LWE ciphertext component (a, b) via a homomorphic accumulator using a bootstrapping key btk and a key switching key ksk, wherein the mapping function ƒ is configured to transform: x ⁢ to ⁢ q / 8 , if ⁢ x ∈ [ - q / 8 , 3 ⁢ q / 8 ) ; and x ⁢ to - q / 8 , if ⁢ x ∈ [ 3 ⁢ q / 8 , 7 ⁢ q / 8 ) ; whereby the mapped value reflects a result of the NAND operation μ (1) NANDμ (2) with an associated error bound reduced to q/16, wherein q is the ciphertext modulus.
  15. 15 . The method of claim 11 , wherein the auxiliary recovery key ark ƒ is configured to recover a bootstrapped ciphertext from an expanded key form to a functional ciphertext form compatible with a decryption or homomorphic evaluation algorithm, and wherein: the auxiliary recovery key ark comprises a matrix structured as: a ⁢ r ⁢ k f = [ M 1 0 2 ⁢ m × m M 2 I m × m ] ∈ ℤ q 3 ⁢ m × ( 2 ⁢ m ⁢ m ⁢ d + m ) where, M 1 =[A|B ƒ ] T E 1 +E 2 , M 2 =U T E 1 +E 3 −P2( R ƒ ) T , E 1 is a randomly chosen matrix uniformly sampled from , E 2 and E 3 are error matrices sampled from an error distribution χ with bound B χ , A, B ƒ , U are public parameter matrices defined in the system, with A ∈ ℤ q n × m , B f ∈ ℤ q n × m ⁢ and ⁢ U ∈ ℤ q n × m , R ƒ is an expanded key matrix after bootstrapping, and recovering the bootstrapped ciphertext involves computing the functional ciphertext form f ( g ) via the matrix multiplication: f ( g ) = ark f · [ G - 1 ( c ¯ f ) c _ out ] where c ƒ and c out are components of the bootstrapped ciphertext in the expanded key form, with c ¯ f ∈ ℤ q 2 ⁢ m ⁢ m , c ¯ out ∈ ℤ q m , G −1 is the inverse algorithm of the gadget matrix G, which decomposes a vector into a binary representation; the functional ciphertext form f ( g ) after recovery has an associated error term with a bound less than q/16, where q is the ciphertext modulus, thereby enabling correct decryption and further homomorphic evaluation for unbounded-depth circuits without exceeding the error tolerance; and the auxiliary recovery key ark ƒ is utilized within an Eval.NAND algorithm to restore ciphertexts after homomorphic evaluation of a NAND gate, enabling their use in subsequent unbounded-depth circuit evaluations.
  16. 16 . The method of claim 15 , wherein the homomorphic evaluation comprises the Eval.NAND algorithm, and the bootstrapping process is performed on each component of a message vector, wherein: the Eval.NAND algorithm operates on functioned ciphertexts c ˆ ⁢ t f ( i ) = ( c ˆ f ( i ) , c out ( i ) ) ∈ ℤ q 3 ⁢ m for i∈{1,2}, each encrypting a message vector μ ( j ) = ( μ 1 ( j ) , … , μ m ( j ) ) ∈ { 0 , 1 } m for j∈{1,2}, and comprises: computing a homomorphic addition a = c ˆ f ( 1 ) + c ˆ f ( 2 ) ∈ ℤ q 2 ⁢ m , b = ( b 1 , … , b m ) = c out ( 1 ) + c out ( 2 ) ∈ ℤ q m ; for each component i∈[m], performing a bootstrapping process c i =(ā i , b i )←Bootstrap (NAND) (btk r i , ksk r i , (a, b i ))∈ L ⁢ W ⁢ E r i 4 / q ( μ i ( 1 ) ⋀ _ μ i ( 2 ) , δ ) , where btk r i is a bootstrapping key and ksk r i is a key-switching key associated with a secret key component r i ; the bootstrapping process is performed independently for each component i∈[m], resulting in a bootstrapped ciphertext c t=( c ƒ , c out ) with c ¯ f = [ a ¯ 1 ⁢ ❘ "\[LeftBracketingBar]" … ❘ "\[RightBracketingBar]" ⁢ a ¯ m ] ∈ ℤ q 2 ⁢ m ⁢ m ⁢ and ⁢ c ¯ o ⁢ u ⁢ t = ( b ¯ 1 , … , b ¯ m ) ∈ ℤ q m , wherein the error bound for each component satisfies δ≤q/16; and the component-wise bootstrapping enables parallel processing and maintains an overall error bound below q/16, supporting correct decryption and further homomorphic evaluation for unbounded-depth circuits.
  17. 17 . The method of claim 11 , wherein the system is configured to, during the generation of the public parameters in the Setup algorithm and during the homomorphic evaluation process in the Eval algorithm, select parameters that satisfy predefined error bounds to maintain correctness of the encryption scheme, wherein the error bound for fresh ciphertexts is given by B χ + 2 ⁢ m ⁢ σ ⁡ ( α ℱ + 1 ) ⁢ B χ < q 8 , where B χ is the bound of the error distribution χ, σ is the key sampling parameter used in the SampleD algorithm for generating secret keys, =(m+ is a policy depth factor with being the maximum depth of supported policy circuits, m is the dimension parameter such that m=Θ(n log q), and q is the ciphertext modulus, the chosen parameters, with overwhelming probability, satisfies  e out ( i ) - R f T [ e i ⁢ n ( i ) | e f ( i ) ]  < B χ + 2 ⁢ m ⁢ σ ⁡ ( α ℱ + 1 ) ⁢ B χ < q 16 for any fresh ciphertext; and the error bound for evaluated ciphertexts is given by 2 ⁢ m 2 ⁢ d · B X + δ + 2 ⁢ m ⁢ σ · 2 ⁢ m 2 ⁢ d g · α ℱ ⁢ B X < q 16 , where d g =┌log B g q┐ is the gadget base decomposition dimension with B g being a gadget base, σ represents an error bound introduced during the bootstrapping process; satisfying these error bounds allows the system to maintain correctness for homomorphic evaluations of circuits with unbounded depth, without requiring circuit-depth-dependent parameter scaling.
  18. 18 . The method of claim 11 , wherein the ciphertext ct x for a message μ∈{0,1} m associated with an attribute vector x = ( x 1 , … , x l ) ∈ ℤ q l comprises components ct x =(c in , c 1 , . . . , c l , c out ) and wherein: parameters and matrices are defined with dimensions: A ∈ ℤ q n × m , B i ∈ ℤ q n × m ⁢ for ⁢ i ∈ [ l ] , U ∈ ℤ q n × m , and ⁢ G ∈ ℤ q n × m is a gadget matrix, wherein the ciphertext vector overall belongs to ℤ q ( l + 2 ) ⁢ m , and m=Θ(n┌log q┐) as per the Setup algorithm; the mathematical forms and dimensions of the ciphertext components are: c i ⁢ n = A T ⁢ s + e i ⁢ n ∈ ℤ q m , where ⁢ s ∈ ℤ q n is a random vector; for each i∈[l], c i = ( B i + x i ⁢ G ) T ⁢ s + e i T ∈ ℤ q m ; c out = U T ⁢ s + e out + ⌊ q / 4 ⌋ · μ ∈ ℤ q m , where μ is encoded coordinate-wise; error distributions and bounds: the vectors e in , e i for i∈[l] and e out are independently sampled from an error distribution χ with a constant bound B χ such that ∥e in ∥ ∞ ≤B χ , ∥e i ∥ ∞ ≤B χ , and ∥e out ∥ ∞ ≤B χ , wherein parameter selection during Setup and Eval ensures this bound for correctness; attribute association: for each i∈[l], the component c i embeds the attribute x i directly, enabling subsequent key-homomorphic evaluation algorithms KeyEval ct or KeyEval D to process access-controlled information based on x; KeyEval ct result and error bound: for a policy ƒ and attribute x, K ⁢ eyEval ct ( f , x , { B i , c i } i = 1 l ) → c f = D f , x T · [ c 1 ⁢  …  ⁢ c l ] ∈ ℤ q m , and c ƒ =[B ƒ +ƒ(x) G] T ·s+e ƒ , where ∥e ƒ ∥ ∞ ≤(m+ ·B with being the depth of the policy circuit ƒ, ensuring that the functioned ciphertext construction supports correct Eval and decryption.

Description

TECHNICAL FIELD The present invention relates generally to cryptography, and more particularly, to computer-implemented systems and methods for secure data processing in multi-user and untrusted environments. Specifically, the invention pertains to fully homomorphic attribute-based encryption (FHABE) schemes and attribute-based fully homomorphic proxy re-encryption (AB-FHPRE) schemes that enable fine-grained access control and arbitrary computations on encrypted data. BACKGROUND The increasing demand for secure data processing in distributed and multi-user environments, such as cloud computing and outsourced data storage, necessitates advanced cryptographic primitives capable of both granular access control and computations over encrypted information. Two foundational technologies address these needs: Attribute-Based Encryption (ABE) and Homomorphic Encryption (HE). Attribute-Based Encryption (ABE) allows for fine-grained access control, where data can be encrypted such that only users possessing a specific set of attributes or a secret key derived from an access policy can decrypt the ciphertext. This enables flexible sharing and management of encrypted data across various users. However, conventional ABE schemes are limited to controlling access and do not intrinsically support computations on the encrypted data itself. Homomorphic Encryption (HE) is a cryptographic primitive that enables computations directly on encrypted data without prior decryption, thereby preserving data confidentiality throughout the computation process. Fully Homomorphic Encryption (FHE) schemes, pioneered by Gentry, support arbitrary computations by utilizing a bootstrapping mechanism to refresh ciphertexts, thereby controlling the accumulation of noise that otherwise limits the number of operations. Advances like FHEW (Ducas and Micciancio) and GINX/TFHE (Chillotti et al.) have significantly improved bootstrapping efficiency. Despite these advancements, traditional FHE schemes primarily operate in a one-to-one model, where encryptions are typically tied to a single user and computations are confined to ciphertexts under the same user's key. This model often lacks the ability to enforce fine-grained access control in multi-user scenarios, such as large organizations requiring data accessibility and manipulability by designated staff members based on their roles or attributes. To address the combined requirements of computation and fine-grained access, Homomorphic Attribute-Based Encryption (HABE) schemes have been proposed, integrating functionalities from both HE and ABE. Early HABE constructions, such as those based on GSW-FHE, enabled computations only over ciphertexts encrypted under the same attribute set. Subsequent developments introduced Target HABE (T-HABE), which supports computations over cross-attribute ciphertexts. T-HABE is generally categorized into Single-Target HABE (ST-HABE) and Multi-Target HABE (MT-HABE) based on the number of policies supported during computations. Below is a detailed analysis of the current technical limitations: Despite these advancements, existing HABE schemes face significant technical limitations that hinder their practical applicability, particularly in complex computational environments: A paramount limitation of prior art ST-HABE and MT-HABE schemes is their restriction to processing circuits with a predetermined or prior bounded depth. Practical applications often require computations involving complex circuits with unpredictable or effectively unbounded depths. The inability to support such unbounded circuit depth operations severely constrains the computational capacity of these schemes. Specifically, in schemes like BCTW-HABE, the correctness of decryption of homomorphically evaluated ciphertexts is contingent upon the accumulated noise remaining below a certain threshold. The error in an evaluated ciphertext typically grows multiplicatively with each operation, as demonstrated by the formula dG≤log⁢M(q4⁢(τ⁢m⁢m+N+1)⁢B), where dG is the maximum supported circuit depth, τ, m, N, B are lattice and error parameters. This rapid error growth inherently imposes a significant constraint on the maximum permissible circuit depth. The parameter sizes in conventional HABE schemes tend to increase substantially with the required circuit depth. This dependency on circuit depth for parameter scaling leads to significant scalability limitations, making these schemes impractical for real-world applications demanding complex or deep computations. Some proposed HABE constructions, while aiming for unbounded depth, have remained incomplete solutions. For instance, certain schemes may restrict the number of inputs for homomorphic computations or support only “1-hop” computations, meaning evaluated ciphertexts cannot be further processed or re-encrypted. This limitation prevents the construction of complex, multi-stage evaluation processes. Another technical drawback of some existing HABE schemes is th