Adaptively Secure Efficient (H)IBE over Ideal Lattice with Short Parameters

Abstract

Identity-based encryption (IBE), and its hierarchical extension (HIBE), are interesting cryptographic primitives that aim at the implicit authentication on the users’ public keys by using users’ identities directly. During the past several decades, numerous elegant pairing-based (H)IBE schemes were proposed. However, most pairing-related security assumptions suffer from known quantum algorithmic attacks. Therefore, the construction of lattice-based (H)IBE became one of the hot directions in recent years. In the setting of most existing lattice-based (H)IBE schemes, each bit of a user’s identity is always associated with a parameter matrix. This always leads to drastic but unfavorable increases in the sizes of the system public parameters. To overcome this issue, we propose a flexible trade-off mechanism between the size of the public parameters and the involved computational cost using the blocking technique. More specifically, we divide an identity into $l^{\prime }$ segments and associate each segment with a matrix, while increasing the lattice modulo slightly for maintaining the same security level. As a result, for the setting of 160-bit identities, we show that the size of the public parameters can be reduced by almost 89.7% (resp. 93.8%) while increasing the computational cost by merely 5.2% (resp. 12.25%) when $l^{\prime }$ is a set of 16 (resp. 8). Finally, our IBE scheme is extended to an HIBE scheme, and both of them are proved to achieve the indistinguishability of ciphertexts against adaptively chosen identity and chosen plaintext attack (IND-ID-CPA) in the standard model, assuming that the well-known ring learning with error (RLWE) problem over the involved ideal lattices is intractable, even in the post-quantum era.

1. Introduction

Identity-based encryption (IBE), first introduced by Shamir [1], is an interesting public-key encryption mechanism. It reduces the complexity of system and the cost of establishing public-key infrastructure. The public keys are users’ identities directly, and the corresponding private keys can only be generated by the private-key generator (PKG). Moreover, IBEs can be used for confidential communication, network protocols, digital signatures, etc. In 2001, Boneh and Franklin [2] constructed the first practical IBE scheme under the bilinear Diffe–Hellman (BDH) assumption. Then, Canetti et al. [3] constructed an IBE scheme in the standard model, and they gave the security proof in the selective-ID model. In this model, the adversary must announce the target identity at the beginning. Boneh and Boyen [4] proposed a fully (adaptively) secure IBE scheme. Their scheme is too inefficient to be practical since it requires numerous exponentiation operations and group operations. In the adaptive-ID model, the adversary can announce the target identity after private key queries. In 2005, Waters [5] constructed the first efficient fully secure IBE scheme and showed that a selectively secure scheme can be improved to adaptive security. Furthermore, there are many IBE constructions [6,7,8,9,10,11,12,13] based on pairing or quadratic residues which cannot resist quantum computing.

Lattice-based cryptography has become the focus of research in recent years because it is flexible in construction and resistant to quantum computing. Regev [14] defined the learning with error (LWE) problem and gave a reduction from the worst-case lattice problems. Stehlé [15] and Lyubashevsky [16] defined the ring learning with error (RLWE) problem, which led to new cryptographic applications.

In 2008, Gentry et al. [17] proposed the first LWE-based IBE scheme in the random oracle model. Their scheme relied on the Dual-Regev encryption scheme and became an example of an LWE-based IBE scheme. Agrawal et al. [18] then construct an efficient selectively secure IBE scheme based on LWE problem in the standard model. They also give an adaptively secure IBE scheme, but each bit of a user’s identity is associated with a parameter matrix. This always leads to drastic but unfavorable increases in the sizes of the system public parameters. To solve this drawback, Singh et al. [19] constructed efficient adaptively secure (hierarchical) IBE schemes with short parameters using the blocking technique [20,21]. In 2016, Yamada [22] constructed an adaptively secure IBE scheme with short parameters using injective map and homomorphic computation. Zhang et al. [23] proposed an adaptively secure IBE scheme which achieved shorter public parameters, but their scheme only achieved Q-bounded security. In 2017, Yamada [24] constructed new adaptively secure IBE schemes via new partitioning functions, but the public parameters in their scheme are larger than [23]. Moreover, there are many other IBE constructions [25,26,27,28,29,30,31,32] based on the LWE problem.

Compared with the LWE problem, the RLWE problem is more practical in construction because of smaller storage and faster calculation. In particular, we can use fast Fourier transform (FFT) or number theoretic transform (NTT) to accelerate polynomial multiplications. In 2013, Yang et al. [33] construct a selectively secure IBE scheme over ideal lattice in the standard model. Their construction is a ring variant of Agrawal’s selective-ID scheme [18]. In 2014, Ducas et al. [34] propose an efficient IBE scheme over Number Theory Research Unit (NTRU) lattice. (NTRU is a ring-based public key cryptosystem, which was proposed by Hoffstein [35] in 1998. The lattice specified in their scheme is often called the NTRU lattice.) Their construction is a NTRU variant of the scheme by [17]. In order to achieve shorter public parameters, Katsumata [36] constructs an adaptively secure IBE scheme over ideal lattice using Yamada’s method [22]. In 2018, Bert et al. [37] construct an efficient IBE scheme and give an efficient implementation. Their construction uses the ring-version trapdoor of Micciancio [38] which is efficient and easy to implement. However, their scheme only achieves selective security. Therefore, it is meaningful to construct adaptively secure efficient (H)IBE schemes over ideal lattice with shorter parameters.

Our contribution. In this paper, we first construct an adaptively secure IBE scheme over ideal lattice with short parameters. In the setting of the most existing lattice-based (H)IBE schemes, the public parameters are generally composed of $l+2$ matrices, where l is the bit length of user’s identity. Using the blocking technique, we can reduce the number of elements in public parameters from $l+2$ to $l/\beta +2$ where $\beta$ is a flexible constant. However, this leads to a reduction in the security. We need to increase the lattice modulo q to achieve the same security level as [18], but it causes an increase in computational cost. Therefore, we make a trade-off between storage space and computational cost. For $l=160$, the size of public parameters can be reduced by almost 89.7% while increasing the computational cost by only 5.2%. When $\beta$ is set of 20 (resp. 10), the public parameters only contain 10 (resp. 18) vectors. According to our performance analysis, our scheme can achieve shorter public parameters and better computational efficiency. In addition, we use the gadget-based trapdoor as [37,38] which is simple, efficient and smaller in storage than a basis. Finally, we extend our IBE scheme to a hierarchical IBE scheme, and both of them are proved achieving the indistinguishability of ciphertexts against adaptively chosen identity and chosen plaintext attack (IND-ID-CPA) in the standard model.

The rest of this paper is organized as follows. Section 2 is preliminaries. Section 3 and Section 4 describe our adaptively secure IBE and HIBE schemes. In Section 5, we analyse the trade-off and compare with other constructions. In Section 6, we summarize this paper.

2. Preliminaries

Notation. In this paper, we use uppercase letters to represent matrix (i.e., A), and lowercase letters to represent constant or polynomial (i.e., l or u). We use uppercase bold letters to represent polynomial matrices (i.e., R), and lowercase bold letters to represent polynomial vectors (i.e., a). We use negligible function to represent the function $ϵ\left(n\right)$ which is less than all polynomial fractions for sufficiently large n. We use overwhelming probability to indicate that the event happens with probability $1-ϵ\left(n\right)$.

2.1. IBE and Hierarchical IBE

HIBE system contains four algorithms [7,8]. For identity $id=(i{d}_1,\cdots ,i{d}_l)$, we describe the HIBE system as follows.

Setup$(d,\lambda )$: On input a security parameter $\lambda$ and a maximum depth d, the algorithm outputs the public parameters $PP$ and master key $MK$.

Derive$(PP,id|i{d}_l,S{K}_{id|i{d}_{l-1}},MK)$: On input public parameters $PP$, master key $MK$, identity $id|i{d}_l$ at depth l, and private key $S{K}_{id|i{d}_{l-1}}$ at depth $l-1$, it outputs the private key $S{K}_{id|i{d}_l}$ at depth l.

Encrypt$(PP,\mu ,id|i{d}_l)$: On input public parameters $PP$, an identity $id|i{d}_l$ at depth l and a message $\mu$, the algorithm outputs a ciphertext $CT$.

Decrypt$(PP,CT,S{K}_{id|i{d}_l})$: On input public parameters $PP$, a ciphertext $CT$ and a private key $S{K}_{id|i{d}_l}$, the algorithm outputs the message $\mu$.

IBE system is the same as above HIBE system when $d=1$. Compared with HIBE, there is an algorithm $Extract$ instead of algorithm $Derive$. The algorithm $Extract$ inputs public parameters $PP$, identity $id$, master key $MK$, and it outputs the corresponding private key $S{K}_{id}$.

Security Game. We use an indistinguishable from random game to define the adaptive security of (H)IBE, which means that adversary can not distinguish between challenge ciphertext and random ciphertext. Let ${\mathcal{M}}_{\lambda }$ and ${\mathcal{C}}_{\lambda }$ be the message space and ciphertext space where $\lambda$ is a security parameter. For a maximum depth d, the following defines the game.

Setup: The challenger runs algorithm Setup$(d,\lambda )$ and sends the public parameters $PP$ to the adversary.

Phase 1: The adversary performs private key queries $q_1,\cdots ,q_m,$ and the event $q_i$ corresponds to the identity $i{d}_i$. The challenger runs algorithm Extract to generate the private key $s{k}_i$ corresponding to $i{d}_i$ and sends it to the adversary.

Challenge: The adversary submits a plaintext $M\in {\mathcal{M}}_{\lambda }$ and a target identity $i{d}^{\ast }$ which can not appear in Phase 1. Then the challenger chooses a random bit $r\in \{0,1\}$ and a random ciphertext $C\in {\mathcal{C}}_{\lambda }$. If $r=0$, the challenger sets the challenge ciphertext $C^{\ast }:=$ Encrypt $\left(PP,M,i{d}^{\ast }\right)$. Otherwise, it sets the challenge ciphertext $C^{\ast }=C$. The challenger sends $C^{\ast }$ to the adversary.

Phase 2: The adversary performs adaptive queries $q_{m+1},\cdots ,q_n$. The event $q_i$ corresponds to the identity $i{d}_i$ which can not be $i{d}^{\ast }$. The challenger responds as in Phase 1.

Guess: The adversary outputs a guess $r^{\prime }\in \{0,1\},$ and wins if $r^{\prime }=r$.

The adversary $\mathcal{A}$ described above is a IND-ID-CPA attacker. We define the advantage of $\mathcal{A}$ as

$$Ad{v}_{d,\epsilon ,\mathcal{A}}\left(\lambda \right)=|Pr\left[r^{\prime }=r\right]-\frac{1}{2}|$$

Definition 1.

If for all IND-ID-CPA attackers $\mathcal{A}$, the advantage $Ad{v}_{d,\epsilon ,\mathcal{A}}\left(\lambda \right)$ is a negligible function, then the HIBE scheme ε is IND-ID-CPA security. The security model of IBE is the same as above model with $d=1$.

The following Definition 2 defines the abort-resistant hash functions [18,19], which is used in our security proof.

Definition 2

([18,19]). Let $\mathcal{H}:=\{H:X\to Y\}$ be a family of hash functions and Y contains element 0. For a set $\overline{x}=\{x_0,x_1,\cdots ,x_Q\}\in X^{Q+1}$ with $x_0\notin \{x_1,\cdots ,x_Q\}$, we define the non-abort probability of $\overline{x}$

$$\alpha \left(\overline{x}\right):=Pr[H\left(x_0\right)=0\wedge H\left(x_1\right)\ne 0\wedge \cdots \wedge H\left(x_Q\right)\ne 0]$$

where the probability is over the random choice of H in $\mathcal{H}$. For $\alpha \left(\overline{x}\right)\in [{\alpha }_{min},{\alpha }_{max}]$, the hash family $\mathcal{H}$ is $(Q,{\alpha }_{min},{\alpha }_{max})$ abort-resistant.

We use the abort-resistant hash family similar to [5,18]. Let q be a prime and ${(Z_q^{l^{\prime }})}^{\ast }:=Z_q^{l^{\prime }}\backslash \{0^{l^{\prime }}\}$; we define the hash family ${\mathcal{H}}_{\mathrm{Wat}}:\left\{H_h:{(Z_q^{l^{\prime }})}^{\ast }\to Z_q\right\}$ as $H_h\left(id\right):=1+{\sum }_{i=1}^{l^{\prime }}{h}_i{b}_i\in Z_q$ where $id=(b_1,\dots ,b_{l^{\prime }})\in {(Z_q^{l^{\prime }})}^{\ast }$ and $h=(h_1,\dots ,h_{l^{\prime }})\in Z_q^{l^{\prime }}$.

2.2. Integer Lattice and Ideal Lattice

Definition 3.

Let q be a prime, $A\in Z_q^{n\times m}$ and $u\in Z_q^n$; we define integer lattice as:

$$\begin{array}{c}{\Lambda }_q\left(A\right):=\{e\in Z^{m}s.t.\exists s\in Z_q^{n}where{A}^{\top }s=emodq\}\hfill \\ {\Lambda }_q^{\perp }\left(A\right):=\{e\in Z^{m}s.t.Ae=0modq\}\hfill \\ {\Lambda }_q^u\left(A\right):=\{e\in Z^{m}s.t.Ae=umodq\}\hfill \end{array}$$

Ideal Lattice. Let n be a power of 2; we define the modular polynomial $f\left(x\right)=x^n+1$. Then, we define the ring polynomial R as $R=Z\left[x\right]/f\left(x\right)$. For a modulus q, we define the ring polynomial $R_q$ as $R_q=Z_q\left[x\right]/f\left(x\right)$. Therefore, elements in $R_q$ are polynomials with coefficients less than q. The following definition from [16,37] defines the Decision RLWE problem.

Definition 4

(Decision RLWE). Given a vector of m uniformly random polynomials $\mathit{a}={(a_1,\cdots ,a_m)}^{\top }\in R_q^m$, and $\mathit{b}=\mathit{a}s+e$ where $s\in R_q$ and $e\in D_{R^m,\sigma }$. Then, distinguish $(\mathit{a},\mathit{b}=\mathit{a}s+e)$ from uniform $(\mathit{a},\mathit{b})$.

Similar to [18], we use $\parallel \tilde{S}\parallel$ to denote the Gram–Schmidt norm of S where $S=\{s_1,\cdots ,s_k\}$ in ${\mathbb{R}}^m$. We use $D_{L,\sigma ,c}$ to denote the discrete Gaussian distribution with center c and parameter $\sigma$ over a set L. Moreover, the following theorem from [18,39] defines an algorithm $ExtendBasis$ which is used in our HIBE construction.

Theorem 1

([18,39]). Let $A_i\in Z_q^{n\times m_i}$ where $i=1,2,3$, and $A:=\left(A_1\right|A_2\left|A_3\right)$. We define the algorithm $ExtendBasis(A_1,A_2,A_3,T_2)$ which outputs a basis $T_A$ of ${\Lambda }_q^{\perp }\left(A\right)$ where $T_2$ is a basis of ${\Lambda }_q^{\perp }\left(A_2\right)$.

2.3. Trapdoors on Lattice

Our constructions require the notion of trapdoor which is first introduced by Ajtai [40]. For a short basis $T_A$ of ${\Lambda }_q^{\perp }\left(A\right)$, we can get short vectors in ${\Lambda }_q^{\perp }\left(A\right)$ from a Gaussian distribution. We use the g-trapdoor introduced by Micciancio [38] and the following definition from [37] defines the ring variant of the g-trapdoor.

Definition 5

(g-trapdoor). For $k=\lceil {log}_{2}q\rceil$, $m>k$, let $\mathit{a}$ be a vector in $R_q^m$ and $\mathit{g}$ be a vector in $R_q^k$. The g-trapdoor for $\mathit{a}$ is a polynomial matrix ${\mathit{T}}_{\mathit{a}}$ in $R^{(m-k)\times k}$ following a discrete Gaussian distribution of parameter σ, and satisfying ${\mathit{a}}^{\top }(\begin{array}{c}\hfill \begin{array}{c}{\mathit{T}}_{\mathit{a}}\hfill \\ I_k\hfill \end{array}\end{array})=h{\mathit{g}}^{\top }$ for some invertible element $h\in R_q$. The polynomial h is the tag associated to trapdoor ${\mathit{T}}_{\mathit{a}}$.

In our construction, we need a trapdoor generation algorithm ($TrapGen$) and preimage sampling algorithm ($SamplePre$) from [37], and both of them are described as follows.

Algorithm $TrapGen$ inputs a modulus q, a Gaussian parameter $\sigma$, a polynomial vector ${\mathit{a}}^{\prime }\in R_q^{m-k}$ and a polynomial $h\in R_q$. It returns a polynomial vector $\mathit{a}\in R_q^m$, a trapdoor ${\mathit{T}}_{\mathit{a}}\in R^{(m-k)\times k}$ with tag h. We use vector ${\mathit{a}}^{\prime }$, gadget vector $\mathit{g}$ and trapdoor ${\mathit{T}}_{\mathit{a}}$ to construct the target vector $\mathit{a}$. The trapdoor ${\mathit{T}}_{\mathit{a}}$ is choosing from a gaussian distribution with parameter $\sigma$. In our construction, the target vector $\mathit{a}$ is part of public parameter and the trapdoor ${\mathit{T}}_{\mathit{a}}$ is the master key.

Algorithm $SamplePre$ inputs a vector $\mathit{a}\in R_q^m$, a trapdoor ${\mathit{T}}_{\mathit{a}}\in R^{(m-k)\times k}$ with tag $h\in R_q$, a polynomial $u\in R_q$ and a Gaussian parameter $\sigma$. It returns a vector $\mathit{x}\in R_q^m$ following a discrete Gaussian distribution of parameter $\xi$, and satisfying ${\mathit{a}}^{\top }\mathit{x}=u$. To find a vector $\mathit{x}$ satisfing ${\mathit{a}}^{\top }\mathit{x}=u$, we need to find a vector $\mathit{z}$ that satisfies ${\mathit{g}}^{\top }\mathit{z}=h^{-1}·(u-{\mathit{a}}^{\top }\mathit{p})$ where $\mathit{p}$ is a perturbation vector. Then, we get $\mathit{x}=\mathit{p}+(\begin{array}{c}\hfill \begin{array}{c}{\mathit{T}}_a\hfill \\ I_k\hfill \end{array}\end{array})\mathit{z}$ such that ${\mathit{a}}^{\top }\mathit{x}={\mathit{a}}^{\top }\mathit{p}+{\mathit{a}}^{\top }(\begin{array}{c}\hfill \begin{array}{c}{\mathit{T}}_a\hfill \\ I_k\hfill \end{array}\end{array})\mathit{z}={\mathit{a}}^{\top }\mathit{p}+h{\mathit{g}}^{\top }\mathit{z}={\mathit{a}}^{\top }\mathit{p}+h·h^{-1}(u-{\mathit{a}}^{\top }\mathit{p})=u$. In our construction, the target vector $\mathit{x}$ is used to construct the private keys.

2.4. Sampling Algorithms

Our constructions require a vector of form $\mathit{f}=(\begin{array}{c}\hfill \begin{array}{c}\mathit{a}\\ {\mathit{R}}^{\top }\mathit{a}+\mathit{b}\end{array}\end{array})\in R_q^{2m}$ where $\mathit{a}$ and $\mathit{b}$ are vectors in $R_q^m$. Matrix $\mathit{R}\in R^{m\times m}$ consists of polynomials with coefficients $\left\{1,-1\right\}$. We can get the private key by sampling short vectors in ${\Lambda }_q^u\left(\mathit{f}\right)$ for some $u\in R_q$. Algorithm $SampleLeft$ is used in our construction and algorithm $SampleRight$ is used in our security proof.

Algorithm $SampleLeft$ needs a vector of form ${\mathit{f}}_1:=(\begin{array}{c}\hfill \begin{array}{c}\mathit{a}\\ {\mathit{m}}_1\end{array}\end{array})$. It inputs a trapdoor ${\mathit{T}}_{\mathit{a}}$ of ${\Lambda }_q^{\perp }\left(\mathit{a}\right)$ and returns a short vector $\mathit{s}\in {\Lambda }_q^u\left({\mathit{f}}_1\right)$. The description of SampleLeft is shown in Algorithm 1. By algorithm $SamplePre$ and 1, we have ${\mathit{a}}^{\top }{\mathit{s}}_1=u-{\mathit{m}}_1^{\top }{\mathit{s}}_2$. Then, ${\mathit{f}}_1^{\top }\mathit{s}={\mathit{a}}^{\top }{\mathit{s}}_1+{\mathit{m}}_1^{\top }{\mathit{s}}_2=u-{\mathit{m}}_1^{\top }{\mathit{s}}_2+{\mathit{m}}_1^{\top }{\mathit{s}}_2=u$. Therefore, we get a short vector $\mathit{s}\in R^{m+m_1}$ distributed statistical close to $D_{{\Lambda }_q^u\left({\mathit{f}}_1\right),\sigma }$.

Algorithm 1 SampleLeft$(\mathit{a},{\mathit{m}}_1,{\mathit{T}}_{\mathit{a}},u,\sigma )$.

Input:  Polynomial vectors $\mathit{a}\in R_q^m$ and ${\mathit{m}}_1\in R_q^{m_1}$, a trapdoor ${\mathit{T}}_{\mathit{a}}$ of ${\Lambda }_q^{\perp }\left(\mathit{a}\right)$, a polynomial $u\in R_q$ and a Gaussian parameter $\sigma$; Output:  A short vector $\mathit{s}\in R_q^{m+m_1}$ following the Gaussian distribution $D_{{\Lambda }_q^u({\mathit{f}}_1),\sigma }$ with ${\mathit{f}}_1:=(\begin{array}{c}\hfill \begin{array}{c}\mathit{a}\\ {\mathit{m}}_1\end{array}\end{array})$. 1: Sample a random vector ${\mathit{s}}_2\leftarrow D_{R^{m_1},\sigma }$; 2: Sample ${\mathit{s}}_1\leftarrow SamplePre(\mathit{a},{\mathit{T}}_{\mathit{a}},y,\sigma )$, where $y=u-{\mathit{m}}_1^{\top }{\mathit{s}}_2\in R_q$; 3: return$\mathit{s}\leftarrow ({\mathit{s}}_1,{\mathit{s}}_2)\in R^{m+m_1}$.

Algorithm $SampleRight$ needs a vector of form ${\mathit{f}}_2:=(\begin{array}{c}\hfill \begin{array}{c}\mathit{a}\\ {\mathit{R}}^{\top }\mathit{a}+\mathit{b}\end{array}\end{array})$. It inputs a trapdoor ${\mathit{T}}_{\mathit{b}}$ of ${\Lambda }_q^{\perp }\left(\mathit{b}\right)$ and returns a short vector $\mathit{s}\in {\Lambda }_q^{\perp }\left({\mathit{f}}_2\right)$. The description of SampleRight is shown in Algorithm 2. In HIBE, we also need an algorithm $ExtendBasis$ which is similar to Theorem 1. By algorithm $SamplePre$ and 2, we have ${\mathit{f}}_2\mathit{s}=u$ and then we get a short vector $\mathit{s}\in R_q^{m+k}$ distributed statistically close to $D_{{\Lambda }_q^u\left({\mathit{f}}_2\right),\sigma }$.

Algorithm 2 SampleRight$(\mathit{a},\mathit{b},{\mathit{T}}_{\mathit{b}},u,\sigma )$.

Input:  Polynomial vectors $\mathit{a}\in R_q^k$ and $\mathit{b}\in R_q^m$, a matrix of polynomial $\mathit{R}\in R_q^{k\times m}$, a trapdoor ${\mathit{T}}_{\mathit{b}}$ of ${\Lambda }_q^{\perp }\left(\mathit{b}\right)$, a polynomial $u\in R_q$ and a Gaussian parameter $\sigma$; Output:  A short vector $\mathit{s}\in R_q^{m+k}$ following the Gaussian distribution $D_{{\Lambda }_q^u({\mathit{f}}_2),\sigma }$ with ${\mathit{f}}_2:=(\begin{array}{c}\mathit{a}\\ {\mathit{R}}^{\top }\mathit{a}+\mathit{b}\end{array})$. 1: Select $m+k$ linearly indepndent vectors in ${\Lambda }_q^{\perp }\left({\mathit{f}}_2\right)$ and construct ${\mathit{T}}_{{\mathit{f}}_2}$; 2: Convert ${\mathit{T}}_{{\mathit{f}}_2}$ into a basis ${\mathit{T}}_{{\mathit{f}}_2}^{\prime }$ of ${\Lambda }_q^{\perp }\left({\mathit{f}}_2\right)$ where $\parallel \tilde{{\mathit{T}}_{{\mathit{f}}_2}}\parallel =\parallel \tilde{{\mathit{T}}_{{\mathit{f}}_2}^{\prime }}\parallel$; 3: Sample $\mathit{s}\leftarrow SamplePre({\mathit{f}}_2,{\mathit{T}}_{{\mathit{f}}_2}^{\prime },u,\sigma )$; 4: return$\mathit{s}\in {\Lambda }_q^u\left({\mathit{f}}_2\right)$.

3. Adaptively Secure IBE

Agrawal [18] converted their selectively secure IBE to an adaptively secure IBE using the technique of Waters [5]. Though the private key size and ciphertext size are the same, the size of the public parameters is too large. In this section, we construct an adaptively security IBE over ideal lattice and reduce the size of the public parameters using the blocking technique.

3.1. The IBE Construction

The identity $id$ is an l bits string in ${\{0,1\}}^l$. We divide $id$ into $l^{\prime }$ segments $(b_1,b_2,\cdots ,b_{l^{\prime }})$, where $b_i$ is a $l/l^{\prime }=\beta$ bits string. Then, we describe our IBE construction as follows.

Setup$\left(\lambda \right)$: On input a security parameter $\lambda$ and other parameters $q,n,m,\sigma ,\alpha$, do:

• Run $({\mathit{a}}_0$, ${\mathit{T}}_{{\mathit{a}}_0})$$\leftarrow TrapGen(q,n)$, where ${\mathit{a}}_0$ is a vector in $R_q^m$ with a trapdoor ${\mathit{T}}_{{\mathit{a}}_0}\in R_q^{(m-k)\times k}$;
• Select $l^{\prime }+1$ uniformly random vectors ${\mathit{a}}_1,{\mathit{a}}_2,\cdots ,{\mathit{a}}_{l^{\prime }},\mathit{b}\in R_q^m$, and these vectors are used to form the public parameters;
• Select a uniformly random polynomial $u\in R_q$;
• Output the public parameters $PP=({\mathit{a}}_0,{\mathit{a}}_1,{\mathit{a}}_2,\cdots ,{\mathit{a}}_{l^{\prime }},\mathit{b},u)$ and master key $MK=\left({\mathit{T}}_{{\mathit{a}}_0}\right)$.

Extract$(PP,MK,id)$: On input public parameters $PP$, master key $MK$ and identity $id=(b_1,b_2,\cdots ,b_{l^{\prime }})$, do:

• Set ${\mathit{a}}_{id}=\mathit{b}+{\sum }_{i=1}^{l^{\prime }}{b}_i·{\mathit{a}}_i\in R_q^m$ and $\mathit{f}=(\begin{array}{c}\hfill \begin{array}{c}{\mathit{a}}_0\hfill \\ {\mathit{a}}_{id}\hfill \end{array}\end{array})\in R_q^{2m}$. They are used to generate the private key;
• Run $\mathit{s}\leftarrow SampleLeft({\mathit{a}}_0,{\mathit{a}}_{id},{\mathit{T}}_{{\mathit{a}}_0},u,\sigma )$, where $\mathit{s}$ is a vector in $R_q^{2m}$;
• Output the private key $SK=\mathit{s}\in R_q^{2m}$.

Encrypt$(PP,id,m)$: On input public parameters $PP$, an identity $id=(b_1,b_2,\cdots ,b_{l^{\prime }})$, and a message $\mu \in {\{0,1\}}^n$, do:

• Set ${\mathit{a}}_{id}=\mathit{b}+{\sum }_{i=1}^{l^{\prime }}{b}_i·{\mathit{a}}_i\in R_q^m$ and $\mathit{f}=(\begin{array}{c}\hfill \begin{array}{c}{\mathit{a}}_0\hfill \\ {\mathit{a}}_{id}\hfill \end{array}\end{array})\in R_q^{2m}$. They are used to generate the ciphertext;
• Select a uniformly random polynomial $t\in R_q$;
• Select $l^{\prime }$ matrices ${\mathit{R}}_1,{\mathit{R}}_2,\cdots ,{\mathit{R}}_{l^{\prime }}$ in $R^{m\times m}$ which consist of uniformly random polynomials with coefficient $\{1,-1\}$. Define ${\mathit{R}}_{id}={\sum }_{i=1}^{l^{\prime }}{b}_i{\mathit{R}}_i$ and its coefficients are in $\{-l^{\prime }(2^{\beta }-1),l^{\prime }(2^{\beta }-1)\}$;
• Select noise polynomial $x\leftarrow D_{R_q,\sigma }$, noise vector $\mathit{y}\leftarrow D_{R_q^m,\sigma }$ and set $\mathit{z}\leftarrow {\mathit{R}}_{id}^{\top }·\mathit{y}\in R_q^m$;
• Set $c_0=u·t+x+\mu ·\lfloor q/2\rfloor \in R_q$, and ${\mathit{c}}_1=\mathit{f}·t+[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}]\in R_q^{2m}$;
• Output the ciphertext $CT=(c_0,{\mathit{c}}_1)\in R_q\times R_q^{2m}$.

Decrypt$(PP,SK,CT)$: On input public parameters $PP$, a private key $SK=\mathit{s}$, and a ciphertext $CT=(c_0,{\mathit{c}}_1)$, do:

• Compute $w=c_0-{\mathit{s}}^{\top }·{\mathit{c}}_1\in R_q$, and $w_i$ denotes the coefficient of w;
• Compare $w_i$ and $\lfloor q/2\rfloor$ treating them as integer in Z, if $|w-\lfloor q/2\rfloor |<\lfloor q/4\rfloor$, output 1, otherwise output 0.

3.2. Parameters and Correctness

In this section, we prove the correctness of the above IBE scheme. During decryption, we have

$$\begin{array}{cc}\hfill w& =c_0-{\mathit{s}}^{\top }·{\mathit{c}}_1\hfill \\ \hfill & =u·t+x+\mu ·\lfloor q/2\rfloor -{\mathit{s}}^{\top }(\mathit{f}·t+\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right])\hfill \\ \hfill & =\mu ·\lfloor q/2\rfloor +\underset{errorterm}{\underbrace{x-{\mathit{s}}^{\top }\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right]}}\hfill \end{array}$$

(1)

In order to decrypt correctly, the error term $x-{\mathit{s}}^{\top }[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}]$ should be bounded by $\lfloor q/4\rfloor$. Then, we need the following two lemmas to analyze the error rate of decryption.

Lemma 1

([41]). Let $c\ge 1$, $C=c·exp(\frac{1-c^2}{2})<1$ and $x\leftarrow D_{Z^n,s}$; then, for any real $s>0$ and any integer $n\ge 1$, we have

$$Pr\left[\parallel x\parallel \ge cs\sqrt{n/2\pi }\right]\le C^n$$

(2)

Lemma 2

([42]). For any real $s>0$, $T>0$, and any $x\in R^n$, we have

$$Pr\left[|<x,D_{Z^n,s}>|\ge Ts\parallel x\parallel \right]<2exp(-\pi T^2)$$

(3)

Theorem 2.

Let $q\le 4[l^{\prime }(2^{\beta }-1)\sqrt{mn}+1]\delta c\sigma \sqrt{mn/2\pi }$, $c\ge 1$, $t>15$, the above IBE scheme decrypts correctly with overwhelming probability.

Proof of Theorem 2.

Letting $\mathit{s}=(\begin{array}{c}\hfill \begin{array}{c}{\mathit{s}}_1\hfill \\ {\mathit{s}}_2\hfill \end{array}\end{array})$ with ${\mathit{s}}_1,{\mathit{s}}_2\in R^m$, we have ${\mathit{s}}^{\top }[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}]={\mathit{s}}_1^{\top }·\mathit{y}+{\mathit{s}}_2^{\top }·\mathit{z}$. Since $\mathit{z}={\mathit{R}}_{id}^{\top }·\mathit{y}$, we have $\parallel \mathit{z}\parallel =\parallel {\mathit{R}}_{id}·\mathit{y}\parallel \le \parallel {\mathit{R}}_{id}\parallel ·\parallel \mathit{y}\parallel =l^{\prime }(2^{\beta }-1)\sqrt{mn}\parallel \mathit{y}\parallel$.

Similar to [33], we compute the decryption error rate with Lemma 2 as

$$\begin{array}{cc}\hfill & Pr\left[(l^{\prime }(2^{\beta }-1)\sqrt{mn}+1)\sqrt{m}|<x,y>|\ge q/4\right]\hfill \\ \hfill & =Pr\left[|<x,y>|\ge q/\left(4(l^{\prime }(2^{\beta }-1)\sqrt{mn}+1)\sqrt{m}\right)\right]\hfill \\ \hfill & =Pr\left[|<x,y>|\ge T\delta \parallel x\parallel \right]\hfill \\ \hfill & <2exp(-\pi T^2)\hfill \end{array}$$

(4)

For $c\ge 1$, we have $\parallel x\parallel \le c\sigma \sqrt{n/2\pi }$ with Lemma 1. Then,

$$T=\frac{q}{4[l^{\prime }(2^{\beta }-1)\sqrt{mn}+1]\sqrt{m}\delta \parallel x\parallel }\ge \frac{q}{4[l^{\prime }(2^{\beta }-1)\sqrt{mn}+1]\delta c\sigma \sqrt{mn/2\pi }}$$

(5)

When T is sufficiently large, the decryption error rate $2exp(-\pi T^2)$ is a negligible function, and we can decrypt correctly with overwhelming probability. □

Similar to [18,19,37], we need to set the parameters as follows:

• the error term is less than $q/4$$(i.e.q\le 4[l^{\prime }(2^{\beta }-1)\sqrt{mn}+1]\delta c\sigma \sqrt{mn/2\pi })$,
• that algorithm TrapGen can operate $(i.e.m=O(nlogq\left)\right)$,
• that $\sigma$ is sufficiently large for sampling algorithm
  (i.e., $\sigma >\parallel \widetilde{T_B}\parallel 2^{\beta }{l}^{\prime }\sqrt{m}\omega \sqrt{logm}=2^{\beta }{l}^{\prime }\sqrt{m}\omega \sqrt{logm}$),
• that reduction applies (i.e., the number of private key queries $Q\le \frac{q}{2}$).

3.3. Security Proof

In this section, we give the security proof of our IBE scheme. We describe the definition of abort-resistant hash functions in Definition 2.

Lemma 3.

Let q be a prime, the hash family ${\mathcal{H}}_{Wat}$ is $(Q,\frac{1}{q}(1-\frac{Q}{q}),\frac{1}{q})$ abort-resistant where $0<Q<q$.

Proof of Lemma 3.

Let $\overline{id}$ be a set of $(i{d}_0,i{d}_1,\cdots ,i{d}_Q)$ where $i{d}_0\notin \{i{d}_1,\cdots ,i{d}_Q\}$. For $i=0,\cdots ,Q+1$, $S_i$ denotes the set of functions $H\left(i{d}_i\right)=0$ in ${\mathcal{H}}_{Wat}$. We have $|S_i|=q^{l^{\prime }-1}$ and $|S_0\cap S_j|\le q^{l^{\prime }-2}$ with $j>0$. For $i=1,\cdots ,Q$, the set of $H\left(i{d}_0\right)=0$ and $H\left(i{d}_i\right)\ne 0$ is defined as $S:=S_0\backslash (S_1\cup \cdots \cup S_Q)$. Then, we have

$$\left|S\right|=|S_0\backslash (S_1\cup \cdots \cup S_Q)|\ge |S_0|-{\sum }_{i=1}^Q|S_0\cap S_i|\ge q^{l^{\prime }-1}-Q{q}^{l^{\prime }-2}$$

The non-abort probability of $\overline{id}$ is $\left|S\right|/q^{l^{\prime }}\ge \frac{1}{q}(1-\frac{Q}{q})$. Since $\left|S\right|\le |S_0|$, the no-abort probability is $\left|S\right|/q^{l^{\prime }}\le \left|S_0\right|/q^{l^{\prime }}\le \frac{1}{q}$ at most. □

Theorem 3.

The IBE system with parameters $(n,m,q,\sigma )$ is IND-ID-CPA secure in the standard model under the hardness of RLWE.

Proof of Theorem 3.

The proof proceeds in a sequence of games, and the first game is the same as the security game in Definition 1. In game i, we use $W_i$ to denote that the adversary guesses the challenge message correctly. Then, the advantage of adversary in game i is $|Pr\left[W_i\right]-\frac{1}{2}|$.

Game 0. The original IND-ID-CPA game between an adversary $\mathcal{A}$ and a challenger.

Game 1. The challenger builds the public parameters $PP=({\mathit{a}}_0,{\mathit{a}}_1,{\mathit{a}}_2,\cdots ,{\mathit{a}}_{l^{\prime }},\mathit{b},u)$ in the original game. These vectors ${\mathit{a}}_1,{\mathit{a}}_2,\cdots ,{\mathit{a}}_{l^{\prime }},\mathit{b}$ are chosen uniformly from $R_q^m$. The Game 1 challenger chooses $l^{\prime }$ random matrices ${\mathit{R}}_i^{\ast }\in R^{m\times m}$ and random polynomials $h_i\in Z_q$ at the setup phase. Matrix ${\mathit{R}}_i^{\ast }$ consists of uniformly random polynomials with coefficient $\{-1.1\}$. Then the challenger generates vectors ${\mathit{a}}_0$ and $\mathit{b}$ as in original game, and constructs vector ${\mathit{a}}_i$ as

$${\mathit{a}}_i\leftarrow {\left({\mathit{R}}_i^{\ast }\right)}^{\top }·{\mathit{a}}_0-h_i·\mathit{b}\in R_q^m,i\in [1,l^{\prime }]$$

The matrix ${\mathit{R}}_i^{\ast }$ is used to build vector ${\mathit{a}}_i$ and challenge ciphertext $C{T}^{\ast }$ (i.e. $\mathit{z}\leftarrow {\left({\mathit{R}}_{id}^{\ast }\right)}^{\top }y\in R_q^m$ where ${\mathit{R}}_{id}^{\ast }={\mathsf{\Sigma }}_{i=1}^{l^{\prime }}{b}_i^{\ast }·{\mathit{R}}_i^{\ast }\in R^{m\times m}$). Set ${\mathit{R}}^{\ast }:=({\mathit{R}}_1^{\ast },{\mathit{R}}_2^{\ast },\cdots ,{\mathit{R}}_{l^{\prime }}^{\ast })$, the distributions

$$({\mathit{a}}_0,{\mathit{a}}_0^{\top }·{\mathit{R}}^{\ast },{({\mathit{R}}^{\ast })}^{\top }\mathit{y})\mathrm{and}({\mathit{a}}_0,({({\mathit{a}}_1^{\prime })}^{\top }|\cdots |{({\mathit{a}}_{l^{\prime }}^{\prime })}^{\top }),{({\mathit{R}}^{\ast })}^{\top }\mathit{y})$$

are statistically close. The vectors ${\mathit{a}}_i^{\prime }$ are uniformly random elements in $R_q^m$. For $\mathit{z}\leftarrow {({\mathit{R}}_{id}^{\ast })}^{\top }·\mathit{y}$, the distributions

$$({\mathit{a}}_0,{\mathit{a}}_0^{\top }·{\mathit{R}}_{\mathbf{1}}^{\ast },\cdots ,{\mathit{a}}_0^{\top }·{\mathit{R}}_{{\mathit{l}}^{\prime }}^{\ast },\mathit{z})\mathrm{and}({\mathit{a}}_0,{({\mathit{a}}_1^{\prime })}^{\top },\cdots ,{({\mathit{a}}_{l^{\prime }}^{\prime })}^{\top },\mathit{z})$$

are statistically close. In adversary’s view, the vectors ${\mathit{a}}_0^{\top }·{\mathit{R}}_{\mathit{i}}^{\ast }$ are statistically close to uniformly random elements ${\left({\mathit{a}}_i^{\prime }\right)}^{\top }$ and independent of vector $\mathit{z}$. Therefore, in adversary’s view, the vector ${\mathit{a}}_i$ are uniformly random vectors as in Game 0. This shows that

$$Pr\left[W_0\right]=Pr\left[W_1\right]$$

(6)

Game 2. In Game 2, we add an abort event and the rest is the same as Game 1. We use the abort-resistant ${\mathcal{H}}_{Wat}$ introduced in Lemma 3. In the Setup phase, the challenger chooses a function $H\in {\mathcal{H}}_{Wat}$ and reserves it to itself. Then, the challenger answers key queries and sends challenge ciphertext to adversary as in Game 1. We use $i{d}_1,\cdots ,i{d}_Q$ to denote the identities that the adversary queries. We use $i{d}^{\ast }$ to denote the challenge identity which is not in $\{i{d}_1,\cdots ,i{d}_Q\}$. In the Guess phase, the adversary returns a guess $r^{\prime }\in \{0,1\}$. Then, the challenger performs as follows:

• Abort check [18]: For $i=1,\cdots ,Q$, the game proceeds normally if $H\left(i{d}^{\ast }\right)=0$ and $H\left(i{d}_i\right)\ne 0$. Otherwise, it resets $r^{\prime }$ and aborts the game. However, the game proceeds normally in the adversary’s view.
• Artificial abort [5,18]: The challenger chooses a bit $\mathsf{\Gamma }\in \{0,1\}$ such that $Pr[\mathsf{\Gamma }=1]=\gamma \left(I\right)$. If there is no abort $\gamma \left(I\right)=0$, otherwise, $\gamma \left(I\right)=1$. If $\mathsf{\Gamma }=1$ or $\gamma \left(I\right)=1$, the challenger resets $r^{\prime }$ and aborts the game.

For identities $I=(i{d}^{\ast },i{d}_1,\cdots ,i{d}_Q)$, we use $ϵ\left(I\right)$ to denote the probability of non-abort when the adversary performs these private key queries. Moreover, we use ${ϵ}_{max}$ and ${ϵ}_{min}$ to denote the maximum and minimum of $ϵ\left(I\right)$.

Lemma 4

([18]). For $i=1,2$, let $W_i$ be the event that the adversary wins the Game i. Then,

$$\left|Pr\left[W_2\right]-\frac{1}{2}\right|\ge {ϵ}_{min}\left|Pr\left[W_1\right]-\frac{1}{2}\right|-\frac{1}{2}\left({ϵ}_{max}-{ϵ}_{min}\right)$$

According to [18], they show that ${ϵ}_{max}-{ϵ}_{min}$ is less than ${ϵ}_{min}\left|Pr\left[W_1\right]-\frac{1}{2}\right|$. Since $q\ge 2Q$, we have ${ϵ}_{min}=\frac{1}{q}(1-\frac{Q}{q})\ge \frac{1}{2q}$. Then,

$$\left|Pr\left[W_2\right]-\frac{1}{2}\right|\ge \frac{1}{2}{ϵ}_{min}\left|Pr\left[W_1\right]-\frac{1}{2}\right|\ge \frac{1}{4q}\left|Pr\left[W_1\right]-\frac{1}{2}\right|$$

(7)

Game 3. In Game 3, we change the method of generating ${\mathit{a}}_0$ and $\mathit{b}$ in $PP$. Vector ${\mathit{a}}_0$ is generated as a random element in $R_q^m$ and vector $\mathit{b}$ is generated by algorithm TrapGen. The challenger also gets a trapdoor $T_{\mathit{b}}$ of ${\Lambda }_q^{\perp }\left(\mathit{b}\right)$. The construction ${\mathit{a}}_i\leftarrow {\left({\mathit{R}}_i^{\ast }\right)}^{\top }·{\mathit{a}}_0-h_i·\mathit{b}\in R_q^m$ is the same as in Game 2. To answer the private key query of $id=(b_1,b_2,\cdots ,b_{l^{\prime }})$, the challenger generates the corresponding private key $S{K}_{id}=\mathit{s}$ from ${\Lambda }_q^u\left({\mathit{f}}_{id}\right)$. Let

$${\mathit{f}}_{id}:=\left(\begin{array}{c}{\mathit{a}}_0\\ \mathit{b}+{\mathsf{\Sigma }}_{i=1}^{l^{\prime }}{b}_i·{\mathit{a}}_i\end{array}\right)=\left(\begin{array}{c}{\mathit{a}}_0\\ {\left({\mathit{R}}_{id}\right)}^{\top }·{\mathit{a}}_0-h_{id}·\mathit{b}\end{array}\right)$$

(8)

where ${\mathit{R}}_{id}={\mathsf{\Sigma }}_{i=1}^{l^{\prime }}{b}_i·{\mathit{R}}_i^{\ast }\in R_q^{m\times m}$ and $h_{id}=1+{\mathsf{\Sigma }}_{i=1}^{l^{\prime }}{b}_i·h_i\in Z_q$. If $h_{id}=0$, the challenger abort the game as in Game 2. Otherwise, the challenger gets $\mathit{s}\leftarrow SampleRight({\mathit{a}}_0,h_{id}·\mathit{b},{\mathit{R}}_{id},T_{\mathit{b}},u,\sigma )\in R_q^{2m}$. Then, it sends $S{K}_{id}=\mathit{s}$ to adversary $\mathcal{A}$.

In adversary’s view, Game 2 and Game 3 are indistinguishable. Therefore,

$$Pr\left[W_2\right]=Pr\left[W_3\right]$$

(9)

Game 4. The challenge ciphertext $(c_0^{\ast },{\mathit{c}}_1^{\ast })$ is randomly selected in $R_q\times R_q^{2m}$ and the rest is the same as in Game 3, so the advantage of $\mathcal{A}$ is 0 in Game 4. Then, we need to prove that Game 3 and Game 4 are computationally indistinguishable.

Suppose there is an adversary $\mathcal{A}$ who has non-negligible probability in distinguishing Game 3 and Game 4. Then, we constructs an RLWE algorithm $\mathcal{B}$.

An instance of RLWE problem is provided as a sample oracle $\mathcal{O}$. We use ${\mathcal{O}}_{\$}$ to denote a truly random oracle. For a random $s\in R_q$, we use ${\mathcal{O}}_s$ to denote a noisy pseudo-random oracle.

Instance. For $i=0,\cdots ,m$, $\mathcal{B}$ requests from $\mathcal{O}$ and gets RLWE samples $(u_i,v_i)\in R_q\times R_q$ .

Setup. $\mathcal{B}$ generates the public parameters:

• Construct random vector ${\mathit{a}}_0\in R_q^m$ with RLWE samples. For $i=1,\cdots ,m$, the i-th column of ${\mathit{a}}_0$ is $u_i$.
• Let the random polynomial $u_0\in R_q$ be the 0-th RLWE sample.
• Construct vectors ${\mathit{a}}_i$ and $\mathit{b}$ as in Game 3.
• Send public parameters $PP=({\mathit{a}}_0,{\mathit{a}}_1,\cdots ,{\mathit{a}}_{l^{\prime }},\mathit{b},u_0)$ to adversary $\mathcal{A}$.

Phase 1 and Phase 2. $\mathcal{B}$ answers private key queries as in Game 3.

Challenge. $\mathcal{A}$ submits a target identity $i{d}^{\ast }=(b_1,\cdots ,b_{l^{\prime }})$ and a message ${\mu }^{\ast }\in {\{0,1\}}^n$. $\mathcal{B}$ prepares a challenge ciphertext for the target identity as follows:

• Set $v_{\ast }=\left[\begin{array}{c}\hfill \begin{array}{c}{v}_1\\ ⋮\\ v_m\end{array}\end{array}\right]\in R_q^m$ with the RLWE instance.
• Let $c_0^{\ast }=v_0+{\mu }^{\ast }·\lfloor q/2\rceil \in R_q$ to blind the message bit.
• Set ${\mathit{R}}_{id}^{\ast }={\mathsf{\Sigma }}_{i=1}^{l^{\prime }}{b}_i·{\mathit{R}}_i^{\ast }\in R_q^{m\times m}$ and ${\mathit{c}}_1^{\ast }=\left[\begin{array}{c}{v}^{\ast }\\ {\left({\mathit{R}}_{i{d}^{\ast }}\right)}^{\top }·v^{\ast }\end{array}\right]\in R_q^{2m}$.
• Choose a random bit $r\in \{0,1\}$. If $r=0$, set $C{T}^{\ast }=(c_0^{\ast },{\mathit{c}}_1^{\ast })$. Otherwise, select a random element $C{T}^{\ast }=(c_0,{\mathit{c}}_1)$ in $R_q\times R_q^{2m}$. Then, send challenge ciphertext $C{T}^{\ast }$ to adversary.

Guess. Finally, the adversary $\mathcal{A}$ returns a guess $r^{\prime }$. The simulator $\mathcal{B}$ outputs 1 if $r^{\prime }=r$, otherwise 0.

Analysis. According to [18], the challenge ciphertext is the same as valid ciphertext in game 3 if sampling oracle $\mathcal{O}$ is pseudo-random ${\mathcal{O}}_s$, and the challenge ciphertext is the same as random ciphertext in game 4 if oracle $\mathcal{O}$ is truly random ${\mathcal{O}}_{\$}$. The simulator’s advantage in solving RLWE problem is equal to $\mathcal{A}$’s advantage in distinguishing valid ciphertext and random ciphertext. For $Pr\left[W_4\right]=\frac{1}{2}$, we get

$$|Pr\left[W_3\right]-\frac{1}{2}|=|Pr\left[W_3\right]-Pr\left[W_4\right]|\le Ad{v}_{\mathcal{B}}^{RLWE}$$

(10)

Then, we have

$$|Pr\left[W_0\right]-\frac{1}{2}|\le 4q·Ad{v}_{\mathcal{B}}^{RLWE}$$

(11)

□

4. Adaptively Secure HIBE

We extend our IBE scheme to a hierarchical IBE scheme. Similar to our IBE scheme above, we also use the blocking technique to reduce the size of public parameters.

4.1. The HIBE Construction

The identity $id|i{d}_l$ is composed of l identities $i{d}_i$ at different depth, and it is represented as $id|i{d}_l=(i{d}_1,\cdots ,i{d}_l)$ where $i{d}_i$ is a $l^{\prime }$ bit string. We divide the identity $i{d}_i$ at depth i into $l^{″}$ segments $(b_{i,1},\cdots ,b_{i,l^{″}})$ where $b_{i,j}$ is a $\beta =l^{\prime }/l^{″}$ bits string.

Then, we describe our HIBE construction as follows.

Setup$(d,\lambda )$: On input a security parameter $\lambda$, a maximum depth d and other parameters $q,n,m,\sigma ,\alpha$, do:

• Run $({\mathit{a}}_0$, ${\mathit{T}}_{{\mathit{a}}_0})$$\leftarrow TrapGen(q,n)$, where ${\mathit{a}}_0$ is a vector in $R_q^m$ with a trapdoor ${\mathit{T}}_{{\mathit{a}}_0}\in R_q^{(m-k)\times k}$;
• Choose $l^{″}d+1$ random vectors ${\mathit{a}}_{1,1},\cdots ,{\mathit{a}}_{1,l^{″}},\cdots ,{\mathit{a}}_{d,1},\cdots ,{\mathit{a}}_{d,l^{″}},\mathit{b}\in R_q^m$, and these vectors are used to form the public parameters;
• Choose a uniformly random polynomial $u\in R_q$;
• Output the public parameters $PP=({\mathit{a}}_0,{\mathit{a}}_{1,1},\cdots ,{\mathit{a}}_{1,l^{″}},\cdots ,{\mathit{a}}_{d,1},\cdots ,{\mathit{a}}_{d,l^{″}},\mathit{b},u)$ and master key $MK=\left({\mathit{T}}_{{\mathit{a}}_0}\right)$.

Derive$(PP,id|i{d}_l,S{K}_{id|i{d}_{l-1}})$: On input public parameters $PP$, an identity $id|i{d}_l$ and a private key $S{K}_{id|i{d}_{l-1}}$ at depth $l-1$, do:

• Set ${\mathit{f}}_{id|i{d}_l}=\left(\begin{array}{c}{\mathit{f}}_{id|i{d}_{l-1}}\\ {\sum }_{i=1}^{l^{″}}{\mathit{a}}_{l,i}{\mathit{b}}_{l,i}+\mathit{b}\end{array}\right)\in R_q^{(l+1)m}$, and it is used to generate the private key;
• Run $\mathit{s}\leftarrow SampleLeft({\mathit{f}}_{id|i{d}_{l-1}},{\sum }_{i=1}^{l^{″}}{\mathit{a}}_{l,i}{\mathit{b}}_{l,i}+\mathit{b},S{K}_{id|i{d}_{l-1}},{\sigma }_l)$, where $\mathit{s}$ is a vector in $R_q^{2m}$;
• Output the private key $S{K}_{id|i{d}_l}=\mathit{s}\in R_q^{2m}$.

Encrypt$(PP,id,m)$: On input public parameters $PP$, an identity $id|i{d}_l$ at depth l and a message $\mu \in {\{0,1\}}^n$, do:

• Set ${\mathit{f}}_{id|i{d}_l}=\left(\begin{array}{c}{\mathit{f}}_{id|i{d}_{l-1}}\\ {\sum }_{i=1}^{l^{″}}{\mathit{a}}_{l,i}{\mathit{b}}_{l,i}+\mathit{b}\end{array}\right)\in R_q^{(l+1)m}$, and it is used to generate the ciphertext;
• Choose a uniformly random polynomial $t\in R_q$;
• Choose $l{l}^{″}$ matrices ${\mathit{R}}_{i,j}\in R^{m\times m}$ for $i=1,\cdots ,l$ and $j=1,\cdots ,l^{″}$, which consist of random polynomials with coefficient $\{1,-1\}$. Define ${\mathit{R}}_{id}={\sum }_{i=1}^{l^{″}}{b}_{1,i}{\mathit{R}}_{1,i}\left|\right|\cdots \left|\right|{\sum }_{i=1}^{l^{″}}{b}_{l,i}{\mathit{R}}_{l,i}\in R^{m\times lm}$;
• Choose noise polynomial $x\leftarrow D_{R_q,\sigma }$, noise vector $\mathit{y}\leftarrow D_{R_q^m,\sigma }$, and set $\mathit{z}\leftarrow {\mathit{R}}_{id}^{\top }·\mathit{y}\in R_q^{lm}$;
• Set $c_0=u·t+x+\mu ·\lfloor q/2\rfloor \in R_q$, and ${\mathit{c}}_1=\mathit{f}·t+\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right]\in R_q^{(l+1)m}$;
• Output the ciphertext $CT=(c_0,{\mathit{c}}_1)\in R_q\times R_q^{(l+1)m}$.

Decrypt$(PP,S{K}_{id|i{d}_l},CT)$: On input public parameters $PP$, a private key $S{K}_{id|i{d}_l}$ at depth l and a ciphertext $CT=(c_0,{\mathit{c}}_1)$, do:

• Set ${\tau }_l:={\sigma }_l\sqrt{m(l+1)}w\sqrt{log\left(lm\right)}$;
• Sample ${\mathit{s}}_{id}\leftarrow SamplePre({\mathit{f}}_{id|i{d}_l},S{K}_{id|i{d}_l},u,{\tau }_l)$ such that ${\mathit{f}}_{id}·{\mathit{s}}_{id}=u$;
• Compute $w=c_0-{\mathit{s}}_{id}^{\top }·{\mathit{c}}_1\in R_q$, $w_i$ denotes the coefficient of w;
• Compare $w_i$ and $\lfloor q/2\rfloor$ treating them as integer in Z, if $|w_i-\lfloor q/2\rfloor |<\lfloor q/4\rfloor$, output 1, otherwise output 0.

4.2. Parameters and Correctness

In this section, we prove the correctness of the above HIBE scheme. During decryption, we have

$$\begin{array}{cc}\hfill w& =c_0-{\mathit{s}}_{id}^{\top }·{\mathit{c}}_1\hfill \\ \hfill & =u·t+x+\mu ·\lfloor q/2\rfloor -{\mathit{s}}_{id}^{\top }(\mathit{f}·t+\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right])\hfill \\ \hfill & =\mu ·\lfloor q/2\rfloor +\underset{errorterm}{\underbrace{x-{\mathit{s}}_{id}^{\top }\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right]}}\hfill \end{array}$$

(12)

In order to decrypt correctly, the error term $x-{\mathit{s}}_{id}^{\top }\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right]$ should be bounded by $\lfloor q/4\rfloor$. Similar to our IBE scheme, the following proof also needs Lemmas 1 and 2 to analyze the error rate of decryption.

Theorem 4.

Let $q\le 4[l^{″}(2^{\beta }-1)\sqrt{lmn}+1]\delta c\sigma \sqrt{mn/2\pi },c\ge 1,t>15$, the above HIBE scheme decrypts correctly with overwhelming probability.

Proof of Theorem 4.

Letting ${\mathit{s}}_{id}=(\begin{array}{c}\hfill \begin{array}{c}{\mathit{s}}_1\hfill \\ {\mathit{s}}_2\hfill \end{array}\end{array})$ with ${\mathit{s}}_1,{\mathit{s}}_2\in R^m$ we have ${\mathit{s}}_{id}^{\top }\left[\begin{array}{c}\hfill \begin{array}{c}\mathit{y}\hfill \\ \mathit{z}\hfill \end{array}\end{array}\right]={\mathit{s}}_1^{\top }·\mathit{y}+{\mathit{s}}_2^{\top }·\mathit{z}$. Since $\mathit{z}={\mathit{R}}_{id}^{\top }·\mathit{y}$, we have $\parallel \mathit{z}\parallel =\parallel {\mathit{R}}_{id}·\mathit{y}\parallel \le \parallel {\mathit{R}}_{id}\parallel ·\parallel \mathit{y}\parallel =l^{″}(2^{\beta }-1)\sqrt{lmn}\parallel \mathit{y}\parallel$.

Then, we compute the decryption error rate with Lemma 2 as

$$\begin{array}{cc}\hfill & Pr\left[(l^{″}(2^{\beta }-1)\sqrt{lmn}+1)\sqrt{m}|<x,y>|\ge q/4\right]\hfill \\ \hfill & =Pr\left[|<x,y>|\ge q/\left(4(l^{″}(2^{\beta }-1)\sqrt{lmn}+1)\sqrt{m}\right)\right]\hfill \\ \hfill & =Pr\left[|<x,y>|\ge T\delta \parallel x\parallel \right]\hfill \\ \hfill & <2exp(-\pi T^2)\hfill \end{array}$$

(13)

For $c\ge 1$, we have $\parallel x\parallel \le c\sigma \sqrt{n/2\pi }$ with Lemma 1. Then

$$T=\frac{q}{4[l^{″}(2^{\beta }-1)\sqrt{lmn}+1]\sqrt{m}\delta \parallel x\parallel }\ge \frac{q}{4[l^{″}(2^{\beta }-1)\sqrt{lmn}+1]\delta c\sigma \sqrt{mn/2\pi }}$$

(14)

When T gets large enough, the decryption error rate $2exp(-\pi T^2)$ is negligible, and we can decrypt correctly with overwhelming probability.  □

Similar to [18,19,37], we need to set the parameters as follows:

• the error term is less than $q/4$$(i.e.,q\le 4[l^{″}(2^{\beta }-1)\sqrt{lmn}+1]\delta c\sigma \sqrt{mn/2\pi })$,
• that algorithm TrapGen can operate $(i.e.,m=O(nlogq\left)\right)$,
• that $\sigma$ is sufficiently large for sampling algorithm
  (i.e., $\sigma >\parallel \widetilde{T_B}\parallel 2^{\beta }{l}^{″}\sqrt{l}m\omega \sqrt{logm}=2^{\beta }{l}^{″}\sqrt{l}m\omega \sqrt{logm})$,
• that reduction applies (i.e., the number of private key queries $Q\le q^l/2$).

4.3. Security Proof

In this section, we give the security proof of our HIBE scheme. We describe the definition of abort-resistant hash functions in Definition 2.

Lemma 5.

Let q be a prime and $0<Q<q$; the hash family ${\mathcal{H}}_{Wat}$ is $(Q,\frac{1}{q^l}(1-\frac{Q}{q^l}),\frac{1}{q^l})$ abort-resistant.

Proof of Lemma 5.

Let $\overline{id}$ be a set of $(i{d}_0,i{d}_1,\cdots ,i{d}_Q)$ where $i{d}_0\notin \{i{d}_1,\cdots ,i{d}_Q\}$. For $i=0,\cdots ,Q+1$, we have $|S_i|=q^{l(l^{″}-1)}$ and $|S_0\cap S_j|\le q^{l(l^{″}-2)}$ for $j>0$. Then,

$$\left|S\right|=|S_0\backslash (S_1\cup \cdots \cup S_Q)|\ge |S_0|-\sum _{i=1}^Q|S_0\cap S_i|\ge q^{l(l^{″}-1)}-Q{q}^{l(l^{″}-2)}$$

(15)

The non-abort probability of $\overline{id}$ is $\left|S\right|/q^{l{l}^{″}}\ge \frac{1}{q^l}(1-\frac{Q}{q^l})$. Since $\left|S\right|\le |S_0|$, the non-abort probability is $\left|S\right|/q^{l{l}^{″}}\le \left|S_0\right|/q^{l{l}^{″}}\le \frac{1}{q^l}$ at most. □

Theorem 5.

The HIBE system with parameters $(n,m,q,\sigma )$ is IND-ID-CPA secure for depth d in the standard model under the hardness of RLWE.

Proof of Theorem 5.

The proof proceeds in a sequence of games, and the first game is the same as the security game in Definition 1. In game i, we use $W_i$ to denote that adversary guess the challenge message correctly. The advantage of adversary in game i is $|Pr\left[W_i\right]-\frac{1}{2}|$.

Game 0. The original IND-ID-CPA game between an adversary $\mathcal{A}$ and a challenger.

Game 1. The challenger builds the public parameters $PP=({\mathit{a}}_0,{\mathit{a}}_{1,1},\cdots ,{\mathit{a}}_{1,l^{″}},\cdots ,{\mathit{a}}_{d,l^{″}},\mathit{b},u)$ in the original game. These vectors ${\mathit{a}}_{1,1},\cdots ,{\mathit{a}}_{1,l^{″}},\cdots ,{\mathit{a}}_{d,l^{″}},\mathit{b}$ are chosen uniformly random from $R_q^m$.

The Game 1 challenger chooses $l{l}^{″}$ random matrices ${\mathit{R}}_{k,i}^{\ast }\in R^{m\times m}$ and polynomials $h_{k,i}\in R_q$ for $k\in [1,l],i\in [1,l^{″}]$. Matrix ${\mathit{R}}_{k,i}^{\ast }$ consists of uniformly random polynomials with coefficients $\{-1.1\}$. Then, the challenger generates vectors ${\mathit{a}}_0$ and $\mathit{b}$ as in original game, and constructs vector ${\mathit{a}}_{k,i}$ as

$${\mathit{a}}_{k,i}\leftarrow {\left({\mathit{R}}_{k,i}\right)}^{\top }·{\mathit{a}}_0-h_{k,i}·\mathit{b}\in R_q^m,k\in [1,l],i\in [1,l^{″}]$$

(16)

In the adversary’s view, the distribution ${\mathit{a}}_0^{\top }·{\mathit{R}}_{\mathit{k},\mathit{i}}^{\ast }$ is statistically close to uniform ${({\mathit{a}}_{k,i}^{\prime })}^{\top }$ and independent of vector $\mathit{z}$. Therefore, in adversary’s view, vecors ${\mathit{a}}_{k,i}$ are uniformly random elements as in Game 0. This shows that

$$Pr\left[W_0\right]=Pr\left[W_1\right]$$

(17)

Game 2. In Game 2, we add an abort event which is similar to the abort event in Section 3.3. The rest is the same as Game 1. We use the abort-resistant ${\mathcal{H}}_{Wat}$ introduced in Lemma 5.

According to [18], they show that ${ϵ}_{max}-{ϵ}_{min}$ is less than ${ϵ}_{min}\left|Pr\left[W_1\right]-\frac{1}{2}\right|$. Since $q^l\ge 2Q$, we have ${ϵ}_{min}=\frac{1}{q^l}(1-\frac{Q}{q^l})\ge \frac{1}{2q^l}$. By Lemma 4, we have

$$\left|Pr\left[W_2\right]-\frac{1}{2}\right|\ge \frac{1}{2}{ϵ}_{min}\left|Pr\left[W_1\right]-\frac{1}{2}\right|\ge \frac{1}{4q^l}\left|Pr\left[W_1\right]-\frac{1}{2}\right|$$

(18)

Game 3. In Game 3, we change the method of generating ${\mathit{a}}_0$ and $\mathit{b}$ in $PP$. Vector ${\mathit{a}}_0$ is generated as a random vector in $R_q^m$ and vector $\mathit{b}$ is generated by algorithm TrapGen. The challenger also gets a trapdoor $T_{\mathit{b}}$ of ${\Lambda }_q^{\perp }\left(\mathit{b}\right)$. The construction ${\mathit{a}}_{k,i}\leftarrow {\left({\mathit{R}}_{k,i}^{\ast }\right)}^{\top }·{\mathit{a}}_0-h_{k,i}·\mathit{b}\in R_q^m$ is the same as in Game 2. To answer the private key query of $id=(i{d}_1,i{d}_2,\cdots ,i{d}_l)$, the challenger generates the corresponding private key $S{K}_{id}=\mathit{s}$ from ${\Lambda }_q^u\left({\mathit{f}}_{id}\right)$. Let

$${\mathit{f}}_{id|i{d}_l}:=\left(\begin{array}{c}{\mathit{a}}_0\\ \sum _{i=1}^{l^{″}}{\mathit{a}}_{1,i}{b}_{1,i}+\mathit{b}\\ ⋮\\ \sum _{i=1}^{l^{″}}{\mathit{a}}_{l,i}{b}_{l,i}+\mathit{b}\end{array}\right)or{\mathit{f}}_{id}=\left(\begin{array}{c}{\mathit{a}}_0\\ {\left({\mathit{R}}_{id}\right)}^{\top }·{\mathit{a}}_0-h_{id}·\mathit{b}\end{array}\right)$$

(19)

where

$${\mathit{R}}_{id}:=\sum _{i=1}^{l^{″}}{b}_{1,i}{\mathit{R}}_{1,i}^{\ast }\left|\right|\cdots \left|\right|\sum _{i=1}^{l^{″}}{b}_{l,i}{\mathit{R}}_{l,i}^{\ast }\in R^{m\times lm}$$

(20)

and

$$h_{id}=(1+\sum _{i=2}^{l^{″}}{b}_{1,i}·h_{1,i})\left|\right|\cdots \left|\right|(1+\sum _{i=1}^{l^{″}}{b}_{l,i}·h_{l,i})$$

(21)

If $h_{id}=0$, the challenger aborts the game as in Game 2. Otherwise, the challenger gets private key $\mathit{s}\leftarrow SampleRight({\mathit{a}}_0,h_{id}·\mathit{b},{\mathit{R}}_{id},T_{\mathit{b}},u,\sigma )\in R_q^{2m}$. Then, it sends $S{K}_{id}=\mathit{s}$ to the adversary $\mathcal{A}$. In the adversary’s view, Game 2 and Game 3 are indistinguishable. Therefore,

$$Pr\left[W_2\right]=Pr\left[W_3\right]$$

(22)

Game 4. The challenge ciphertext $(c_0^{\ast },{\mathit{c}}_1^{\ast })$ is randomly selected in $R_q\times R_q^{2m}$ and the rest is the same as in Game 3, so the advantage of $\mathcal{A}$ is 0 in Game 4. Similar to Section 3.3, we need to prove that Game 3 and Game 4 are computationally indistinguishable.

Instance. For $i=0,\cdots ,m$, $\mathcal{B}$ receives RLWE samples $(u_i,v_i)\in R_q\times R_q$.

Setup. $\mathcal{B}$ generates the public parameters:

• Construct random vector ${\mathit{a}}_0\in R_q^m$ with RLWE samples. For $i=1,\cdots ,m$, the i-th column of ${\mathit{a}}_0$ is $u_i$.
• Let a random polynomial $u_0\in R_q$ be the 0-th RLWE sample.
• Construct ${\mathit{a}}_{k,i}$ and $\mathit{b}$ as in Game 3.
• Send public parameters $PP=({\mathit{a}}_0,{\mathit{a}}_{1,1},\cdots ,{\mathit{a}}_{1,l^{″}},\cdots ,{\mathit{a}}_{d,l^{″}},\mathit{b},u)$ to adversary $\mathcal{A}$.

Phase 1 and Phase 2. $\mathcal{B}$ answers private key queries as in Game 3.

Challenge. $\mathcal{A}$ submits a target identity $i{d}^{\ast }=(i{d}_1^{\ast },\cdots ,i{d}_l^{\ast })$ and a message ${\mu }^{\ast }\in {\{0,1\}}^n$. $\mathcal{B}$ returns a challenge ciphertext as follows:

• Set ${\mathit{v}}^{\ast }=\left[\begin{array}{c}\hfill \begin{array}{c}{v}_1\\ ⋮\\ v_m\end{array}\end{array}\right]\in R_q^m$ with the RLWE instance.
• Set $c_0^{\ast }=v_0+{\mu }^{\ast }·\lfloor q/2\rceil \in R_q$ to blind the message bit.
• Set ${\mathit{R}}_{i{d}^{\ast }}:={\sum }_{i=1}^{l^{″}}{b}_{1,i}{\mathit{R}}_{1,i}^{\ast }\left|\right|\cdots \left|\right|{\sum }_{i=1}^{l^{″}}{b}_{l,i}{\mathit{R}}_{l,i}^{\ast }$ and ${\mathit{c}}_1^{\ast }=\left[\begin{array}{c}{\mathit{v}}^{\ast }\\ {\left({\mathit{R}}_{i{d}^{\ast }}^{\ast }\right)}^{\top }·{\mathit{v}}^{\ast }\end{array}\right]$.
• Choose a random bit $r\in \{0,1\}$. If $r=0$ set $C{T}^{\ast }=(c_0^{\ast },{\mathit{c}}_1^{\ast })$, otherwise, select a random $C{T}^{\ast }=(c_0,{\mathit{c}}_1)$ in $R_q\times R_q^{2m}$. Then, send the challenge ciphertext $C{T}^{\ast }$ to adversary.

Guess. Finally, the adversary $\mathcal{A}$ returns a guess $r^{\prime }$. The simulator $\mathcal{B}$ outputs 1 if $r^{\prime }=r$ otherwise 0.

Analysis. According to [18], the challenge ciphertext is the same as valid ciphertext in game 3 if sampling oracle $\mathcal{O}$ is pseudo-random ${\mathcal{O}}_s$, and the challenge ciphertext is the same as random ciphertext in game 4 if oracle $\mathcal{O}$ is truly random ${\mathcal{O}}_{\$}$. The simulator’s advantage in solving RLWE problem is equal to $\mathcal{A}$’s advantage in distinguishing valid ciphertext and random ciphertext. For $Pr\left[W_4\right]=\frac{1}{2}$, we get

$$|Pr\left[W_3\right]-\frac{1}{2}|=|Pr\left[W_3\right]-Pr\left[W_4\right]|\le Ad{v}_{\mathcal{B}}^{RLWE}$$

(23)

Then

$$|Pr\left[W_0\right]-\frac{1}{2}|\le 4q^l·Ad{v}_{\mathcal{B}}^{RLWE}$$

(24)

□

5. Efficiency

Trade-off. We make a trade-off between the decrease in the size of public parameters and the increase in the computation cost. Using the blocking technique, we divide an identity into $l^{\prime }$ segments, and the number of elements in public parameters is reduced from $l+2$ to $l/\beta +2$ where $\beta$ is a flexible constant. Therefore, the percentage of decrease in public parameter space is $\frac{l-l^{\prime }}{l+2}$ and it is shown as the thin blue line in Figure 1 with $l=160$. According to the analysis of Singh [19], there is no effect of $l^{\prime }$ on cost of key generation, encryption and decription. However, we need to increase the value of lattice modulo q for maintaining the same security level, and it will increase the computation cost. According to Chatterjee ’s work [20], the number of bits in q is increased by $\Delta =\beta -{log}_2\beta$. We use $\left|q\right|$ to denote the bit length of q and then $|q^{\prime }|=|q|+2\Delta =|q|+2(\beta -{log}_2\beta )$. The percentage of increase in computation cost is $\frac{|q^{\prime }|-|q|}{\left|q\right|}=\frac{2(\beta -{log}_2\beta )}{\left|q\right|}$ and it is shown as the thick red line in Figure 1 with $\left|q\right|=256$. In Figure 1, the x-axis represents the value of $\beta$, and the y-axis represents the percentage of increase or decrease. For $l=160$ and $\left|q\right|=256$, the size of public parameters is reduced by 89.7% while the cost of computation is merely increased by 5.2% when $l^{\prime }=16$ or $\beta =10$. If we set $l^{\prime }=8$ or $\beta =20$, the size of public parameters is reduced by 93.8% while the computational cost is merely increased by 12.25%.

Comparisons. We propose an adaptively secure IBE scheme in Section 3.

Table 1. Comparison of storage space.

Schemes	$\mathit{PP}$ Size	$\mathit{SK}$ Size	Ciphertext Size	Security	Assumption
[18]	$(l+2)mnlogq$	$2mlogq$	$(2m+1)logq$	Adaptive-CPA	LWE
[23]	$(logl+2)mnlogq$	$mnlogq$	$(m+n)logq$	Adaptive-CPA	LWE
[22] *	$(d\lceil l^{1/d}\rceil +2)mnlogq$	$2mlogq$	$(2m+1)logq$	Adaptive-CPA	LWE
[36] *	$(d\lceil l^{1/d}\rceil +2)mnlogq$	$2mnlogq$	$(2m+1)nlogq$	Adaptive-CPA	RLWE †
[24]	$({log}^{2}l+2)mnlogq$	$2mlogq$	$(2m+1)logq$	Adaptive-CPA	LWE
Ours **	$(l/\beta +2)mnlogq$	$2mnlogq$	$(2m+1)nlogq$	Adaptive-CPA	RLWE †

* In [22] and [36], they use an injective map which maps an identity $id\in {\{0,1\}}^l$ to a subset of ${[1,\lceil l^{1/d}\rceil ]}^d$, where the element d is a flexible constant. The choice of d will affect the reduction cost; ** In our construction, the element $\beta$ is a flexible constant. The choice of $\beta$ will affect the size of modulus q and we make a trade-off in the previous part; † Our scheme and [36] only work over the rings $R_q$; thus, the basic elements in the public parameters are polynomial vectors rather than matrices.

shows the comparison of storage space between different IBE schemes in the standard model. In this table, $PP$, $SK$, l denote the public parameters, private keys and length of user’s identity.

Since the public parameters are composed of multiple matrices, its size will directly affect the communication overhead in actual applications. As shown in this table, the public parameter in Agrawal’s construction [18] contains $l+2$ matrices. Zhang’s construction [23] achieves shorter public parameter at the cost of weaker security guarantees. In Yamada’s construction [22], the public parameter consists of $d\lceil l^{1/d}\rceil +2$ matrices, where d is a constant. In Katsumata’s scheme [36], the public parameter consists of $d\lceil l^{1/d}\rceil +2$ vectors because of ring setting. The relationship between the size of public parameters and constant d is shown in Figure 2. For $l=160$, the minimum size of public parameters is 17 vectors when we set $d=5$. Moreover, we need to set d very small (e.g., $d=2$ or 3) because of the reduction cost. If we set $d=2$ (resp. 3), the public parameters have 28 (resp. 20) vectors. In [24], the public parameter consists of ${log}^{2}l+2$ matrices via new partitioning functions. In our construction, the public parameters only contain $l^{\prime }+2$ vectors, where $l^{\prime }=l/\beta$. We have analyzed the choice of $\beta$ or $l^{\prime }$ in the previous part. For $l=160$, the public parameter only contains 10 (resp. 18) vectors if we choose $\beta =20$ (resp. 10).

The comparison of public parameter size is shown in the Figure 3. It involves four IBE schemes with short public parameters, including Yam17 [24], KY16 [36] ($d=3$), ZCZ16 [23] and ours ($\beta =20$). The x-axis represents the length of user’s identity, and the y-axis represents the number of basic matrices (or vectors) in the public parameters of each scheme. Obviously, the public parameters in our scheme are shorter than [24] and [36]. Moreover, it can be shorter than [23] if the identity length l is small (e.g., less than 140).

Compared with the LWE-based scheme, the RLWE-based scheme contains a lot of polynomial operations instead of matrix operations. To compare more fair, we only compare the computational efficiency between the schemes under RLWE assumption. Since the scheme by [36] also has short public parameters and ring setting, we only compare the calculation efficiency between [36] and our scheme.

Table 2. Comparison of computational efficiency.

Schemes	$\mathit{KeyGen}$	$\mathit{Enc}$	$\mathit{Dec}$
[36]	$d{m}^2{n}^2$	$d{m}^2{n}^2+n^2+2mn$	$2m{n}^2$
Ours	$l^{\prime }mn$	$l^{\prime }mn+n^2+2mn$	$2m{n}^2$

shows the comparison of computational efficiency. In this table, $KeyGen$, $Enc$, $Dec$ denote the key generation, encryption and decryption.

The difference between these two schemes is the calculation of $H\left(id\right)$ and ${\mathit{a}}_{id}$. In Katsumata’s construction [36], $H\left(id\right)=\mathit{b}+{\mathsf{\Sigma }}_{j_1,\cdots ,j_d}PubEva{l}_d({\mathit{b}}_{1,j_1},{\mathit{b}}_{2,j_2},\cdots ,{\mathit{b}}_{d,j_d})$ and it is used to generate private keys. They use the homomorphic function $PubEva{l}_d:{\left(R_q^m\right)}^d\to R_q^m$ as in [22], which maps vectors ${\mathit{b}}_1,\cdots ,{\mathit{b}}_d$ to a vector in $R_q^m$. The function $PubEval$ needs $d{m}^2{n}^2$ multiplications and $d-1$ inversions. In our construction, ${\mathit{a}}_{id}=\mathit{b}+{\mathsf{\Sigma }}_{i=1}^{l^{\prime }}{b}_i·{\mathit{a}}_i$ and it is also used as the input of the sampling algorithm to generate private keys. However, it only needs $l^{\prime }mn$ multiplication operations which is obviously less than [36].

In Section 4, we also extend our IBE scheme to an adaptively secure HIBE scheme. Using Waters’ technology, we can convert the selectively secure HIBE scheme to adaptive security. Howerve, the size of the public parameter increases from $d+2$ matrices to $d{l}^{\prime }+2$ matrices. In our HIBE construction, the public parameter is reduced from $d{l}^{\prime }+2$ matrices to $d{l}^{″}+2$ vectors where $l^{″}=l^{\prime }/\beta$. In particular, it can be further reduced to $l^{″}+2$ thanks to the method of Chatterjee [11,43]. Finally, both of our constructions support multi-bit encryption because of ring setting.

6. Conclusions

In this paper, we propose an identity-based encryption scheme and a hierarchical identity-based encryption scheme over ideal lattice. The new schemes have short public parameters, and achieve IND-ID-CPA security in the standard model. In addition, we use the trapdoor of Micciancio to further improve the efficiency of our scheme. However, there are still many problems to be solved, such as how to reduce the size of ciphertext and how to implement these schemes.