Adaptively Secure Efficient (H)IBE over Ideal Lattice with Short Parameters

Identity-based encryption (IBE), and its hierarchical extension (HIBE), are interesting cryptographic primitives that aim at the implicit authentication on the users’ public keys by using users’ identities directly. During the past several decades, numerous elegant pairing-based (H)IBE schemes were proposed. However, most pairing-related security assumptions suffer from known quantum algorithmic attacks. Therefore, the construction of lattice-based (H)IBE became one of the hot directions in recent years. In the setting of most existing lattice-based (H)IBE schemes, each bit of a user’s identity is always associated with a parameter matrix. This always leads to drastic but unfavorable increases in the sizes of the system public parameters. To overcome this issue, we propose a flexible trade-off mechanism between the size of the public parameters and the involved computational cost using the blocking technique. More specifically, we divide an identity into l′ segments and associate each segment with a matrix, while increasing the lattice modulo slightly for maintaining the same security level. As a result, for the setting of 160-bit identities, we show that the size of the public parameters can be reduced by almost 89.7% (resp. 93.8%) while increasing the computational cost by merely 5.2% (resp. 12.25%) when l′ is a set of 16 (resp. 8). Finally, our IBE scheme is extended to an HIBE scheme, and both of them are proved to achieve the indistinguishability of ciphertexts against adaptively chosen identity and chosen plaintext attack (IND-ID-CPA) in the standard model, assuming that the well-known ring learning with error (RLWE) problem over the involved ideal lattices is intractable, even in the post-quantum era.


Introduction
Identity-based encryption (IBE), first introduced by Shamir [1], is an interesting public-key encryption mechanism. It reduces the complexity of system and the cost of establishing public-key infrastructure. The public keys are users' identities directly, and the corresponding private keys can only be generated by the private-key generator (PKG). Moreover, IBEs can be used for confidential communication, network protocols, digital signatures, etc. In 2001, Boneh and Franklin [2] constructed the first practical IBE scheme under the bilinear Diffe-Hellman (BDH) assumption. Then, Canetti et al. [3] constructed an IBE scheme in the standard model, and they gave the security proof in the selective-ID model. In this model, the adversary must announce the target identity at the beginning. Boneh and Boyen [4] proposed a fully (adaptively) secure IBE scheme. Their scheme is too inefficient to be practical since it requires numerous exponentiation operations and group operations. In the adaptive-ID model, the adversary can announce the target identity after private key queries. In 2005, Waters [5] constructed the first efficient fully secure IBE scheme and showed that a selectively secure scheme can be improved to adaptive security. Furthermore, there are many IBE constructions [6][7][8][9][10][11][12][13] based on pairing or quadratic residues which cannot resist quantum computing.
Lattice-based cryptography has become the focus of research in recent years because it is flexible in construction and resistant to quantum computing. Regev [14] defined the learning with error (LWE) problem and gave a reduction from the worst-case lattice problems. Stehlé [15] and Lyubashevsky [16] defined the ring learning with error (RLWE) problem, which led to new cryptographic applications.
In 2008, Gentry et al. [17] proposed the first LWE-based IBE scheme in the random oracle model. Their scheme relied on the Dual-Regev encryption scheme and became an example of an LWE-based IBE scheme. Agrawal et al. [18] then construct an efficient selectively secure IBE scheme based on LWE problem in the standard model. They also give an adaptively secure IBE scheme, but each bit of a user's identity is associated with a parameter matrix. This always leads to drastic but unfavorable increases in the sizes of the system public parameters. To solve this drawback, Singh et al. [19] constructed efficient adaptively secure (hierarchical) IBE schemes with short parameters using the blocking technique [20,21]. In 2016, Yamada [22] constructed an adaptively secure IBE scheme with short parameters using injective map and homomorphic computation. Zhang et al. [23] proposed an adaptively secure IBE scheme which achieved shorter public parameters, but their scheme only achieved Q-bounded security. In 2017, Yamada [24] constructed new adaptively secure IBE schemes via new partitioning functions, but the public parameters in their scheme are larger than [23]. Moreover, there are many other IBE constructions [25][26][27][28][29][30][31][32] based on the LWE problem.
Compared with the LWE problem, the RLWE problem is more practical in construction because of smaller storage and faster calculation. In particular, we can use fast Fourier transform (FFT) or number theoretic transform (NTT) to accelerate polynomial multiplications. In 2013, Yang et al. [33] construct a selectively secure IBE scheme over ideal lattice in the standard model. Their construction is a ring variant of Agrawal's selective-ID scheme [18]. In 2014, Ducas et al. [34] propose an efficient IBE scheme over Number Theory Research Unit (NTRU) lattice. (NTRU is a ring-based public key cryptosystem, which was proposed by Hoffstein [35] in 1998. The lattice specified in their scheme is often called the NTRU lattice.) Their construction is a NTRU variant of the scheme by [17]. In order to achieve shorter public parameters, Katsumata [36] constructs an adaptively secure IBE scheme over ideal lattice using Yamada's method [22]. In 2018, Bert et al. [37] construct an efficient IBE scheme and give an efficient implementation. Their construction uses the ring-version trapdoor of Micciancio [38] which is efficient and easy to implement. However, their scheme only achieves selective security. Therefore, it is meaningful to construct adaptively secure efficient (H)IBE schemes over ideal lattice with shorter parameters.
Our contribution. In this paper, we first construct an adaptively secure IBE scheme over ideal lattice with short parameters. In the setting of the most existing lattice-based (H)IBE schemes, the public parameters are generally composed of l + 2 matrices, where l is the bit length of user's identity. Using the blocking technique, we can reduce the number of elements in public parameters from l + 2 to l/β + 2 where β is a flexible constant. However, this leads to a reduction in the security. We need to increase the lattice modulo q to achieve the same security level as [18], but it causes an increase in computational cost. Therefore, we make a trade-off between storage space and computational cost. For l = 160, the size of public parameters can be reduced by almost 89.7% while increasing the computational cost by only 5.2%. When β is set of 20 (resp. 10), the public parameters only contain 10 (resp. 18) vectors. According to our performance analysis, our scheme can achieve shorter public parameters and better computational efficiency. In addition, we use the gadget-based trapdoor as [37,38] which is simple, efficient and smaller in storage than a basis. Finally, we extend our IBE scheme to a hierarchical IBE scheme, and both of them are proved achieving the indistinguishability of ciphertexts against adaptively chosen identity and chosen plaintext attack (IND-ID-CPA) in the standard model.
The rest of this paper is organized as follows. Section 2 is preliminaries. Sections 3 and 4 describe our adaptively secure IBE and HIBE schemes. In Section 5, we analyse the trade-off and compare with other constructions. In Section 6, we summarize this paper.

Preliminaries
Notation. In this paper, we use uppercase letters to represent matrix (i.e., A), and lowercase letters to represent constant or polynomial (i.e., l or u). We use uppercase bold letters to represent polynomial matrices (i.e., R), and lowercase bold letters to represent polynomial vectors (i.e., a). We use negligible function to represent the function (n) which is less than all polynomial fractions for sufficiently large n. We use overwhelming probability to indicate that the event happens with probability 1 − (n).
Setup(d, λ): On input a security parameter λ and a maximum depth d, the algorithm outputs the public parameters PP and master key MK.
Derive(PP, id|id l , SK id|id l−1 , MK): On input public parameters PP, master key MK, identity id|id l at depth l, and private key SK id|id l−1 at depth l − 1, it outputs the private key SK id|id l at depth l.
Encrypt(PP, µ, id|id l ): On input public parameters PP, an identity id|id l at depth l and a message µ, the algorithm outputs a ciphertext CT.
Decrypt(PP, CT, SK id|id l ): On input public parameters PP, a ciphertext CT and a private key SK id|id l , the algorithm outputs the message µ.
IBE system is the same as above HIBE system when d = 1. Compared with HIBE, there is an algorithm Extract instead of algorithm Derive. The algorithm Extract inputs public parameters PP, identity id, master key MK, and it outputs the corresponding private key SK id . Security Game. We use an indistinguishable from random game to define the adaptive security of (H)IBE, which means that adversary can not distinguish between challenge ciphertext and random ciphertext. Let M λ and C λ be the message space and ciphertext space where λ is a security parameter. For a maximum depth d, the following defines the game.
Setup: The challenger runs algorithm Setup(d, λ) and sends the public parameters PP to the adversary.
Phase 1: The adversary performs private key queries q 1 , · · · , q m , and the event q i corresponds to the identity id i . The challenger runs algorithm Extract to generate the private key sk i corresponding to id i and sends it to the adversary.
Challenge: The adversary submits a plaintext M ∈ M λ and a target identity id * which can not appear in Phase 1. Then the challenger chooses a random bit r ∈ {0, 1} and a random ciphertext C ∈ C λ . If r = 0, the challenger sets the challenge ciphertext C * := Encrypt (PP, M, id * ). Otherwise, it sets the challenge ciphertext C * = C. The challenger sends C * to the adversary.
Phase 2: The adversary performs adaptive queries q m+1 , · · · , q n . The event q i corresponds to the identity id i which can not be id * . The challenger responds as in Phase 1.
Guess: The adversary outputs a guess r ∈ {0, 1}, and wins if r = r.
The adversary A described above is a IND-ID-CPA attacker. We define the advantage of A as If for all IND-ID-CPA attackers A, the advantage Adv d,ε,A (λ) is a negligible function, then the HIBE scheme ε is IND-ID-CPA security. The security model of IBE is the same as above model with d = 1.
We use the abort-resistant hash family similar to [5,18]. Let q be a prime and (Z l q ) * := Z l q \{0 l }; we define the hash family H Wat :

Integer Lattice and Ideal Lattice
Definition 3. Let q be a prime, A ∈ Z n×m q and u ∈ Z n q ; we define integer lattice as: Ideal Lattice. Let n be a power of 2; we define the modular polynomial f (x) = x n + 1. Then, we define the ring polynomial R as R = Z[x]/ f (x). For a modulus q, we define the ring polynomial R q as R q = Z q [x]/ f (x). Therefore, elements in R q are polynomials with coefficients less than q. The following definition from [16,37] defines the Decision RLWE problem.

Definition 4 (Decision RLWE).
Given a vector of m uniformly random polynomials a = (a 1 , · · · , a m ) ∈ R m q , and b = as + e where s ∈ R q and e ∈ D R m ,σ . Then, distinguish (a, b = as + e) from uniform (a, b).
Similar to [18], we use S to denote the Gram-Schmidt norm of S where S = {s 1 , · · · , s k } in R m . We use D L,σ,c to denote the discrete Gaussian distribution with center c and parameter σ over a set L. Moreover, the following theorem from [18,39] defines an algorithm ExtendBasis which is used in our HIBE construction. Theorem 1 ([18,39]). Let A i ∈ Z n×m i q where i = 1, 2, 3, and A := (A 1 |A 2 |A 3 ). We define the algorithm

Trapdoors on Lattice
Our constructions require the notion of trapdoor which is first introduced by Ajtai [40]. For a short basis T A of Λ ⊥ q (A), we can get short vectors in Λ ⊥ q (A) from a Gaussian distribution. We use the g-trapdoor introduced by Micciancio [38] and the following definition from [37] defines the ring variant of the g-trapdoor.
Definition 5 (g-trapdoor). For k = log 2 q , m > k, let a be a vector in R m q and g be a vector in R k q . The g-trapdoor for a is a polynomial matrix T a in R (m−k)×k following a discrete Gaussian distribution of parameter σ, and satisfying a ( T a I k ) = hg for some invertible element h ∈ R q . The polynomial h is the tag associated to trapdoor T a .
In our construction, we need a trapdoor generation algorithm (TrapGen) and preimage sampling algorithm (SamplePre) from [37], and both of them are described as follows.
Algorithm TrapGen inputs a modulus q, a Gaussian parameter σ, a polynomial vector a ∈ R m−k q and a polynomial h ∈ R q . It returns a polynomial vector a ∈ R m q , a trapdoor T a ∈ R (m−k)×k with tag h. We use vector a , gadget vector g and trapdoor T a to construct the target vector a. The trapdoor T a is choosing from a gaussian distribution with parameter σ. In our construction, the target vector a is part of public parameter and the trapdoor T a is the master key.
Algorithm SamplePre inputs a vector a ∈ R m q , a trapdoor T a ∈ R (m−k)×k with tag h ∈ R q , a polynomial u ∈ R q and a Gaussian parameter σ. It returns a vector x ∈ R m q following a discrete Gaussian distribution of parameter ξ, and satisfying a x = u. To find a vector x satisfing a x = u, we need to find a vector z that satisfies g z = h −1 · (u − a p) where p is a perturbation vector. Then, we In our construction, the target vector x is used to construct the private keys.

Sampling Algorithms
Our constructions require a vector of form f = ( q where a and b are vectors in R m q . Matrix R ∈ R m×m consists of polynomials with coefficients {1, −1}. We can get the private key by sampling short vectors in Λ u q ( f ) for some u ∈ R q . Algorithm SampleLe f t is used in our construction and algorithm SampleRight is used in our security proof.
Algorithm SampleLe f t needs a vector of form ). It inputs a trapdoor T a of Λ ⊥ q (a) and returns a short vector s ∈ Λ u q ( f 1 ). The description of SampleLeft is shown in Algorithm 1. By algorithm SamplePre and 1, we have a s 1 Input: Polynomial vectors a ∈ R m q and m 1 ∈ R m 1 q , a trapdoor T a of Λ ⊥ q (a), a polynomial u ∈ R q and a Gaussian parameter σ; Algorithm SampleRight needs a vector of form f 2 := ( a R a + b ). It inputs a trapdoor T b of Λ ⊥ q (b) and returns a short vector s ∈ Λ ⊥ q ( f 2 ). The description of SampleRight is shown in Algorithm 2. In HIBE, we also need an algorithm ExtendBasis which is similar to Theorem 1. By algorithm SamplePre and 2, we have f 2 s = u and then we get a short vector s ∈ R m+k q distributed statistically close to D Λ u q ( f 2 ),σ .
, a polynomial u ∈ R q and a Gaussian parameter σ;

Adaptively Secure IBE
Agrawal [18] converted their selectively secure IBE to an adaptively secure IBE using the technique of Waters [5]. Though the private key size and ciphertext size are the same, the size of the public parameters is too large. In this section, we construct an adaptively security IBE over ideal lattice and reduce the size of the public parameters using the blocking technique.

The IBE Construction
The identity id is an l bits string in {0, 1} l . We divide id into l segments (b 1 , b 2 , · · · , b l ), where b i is a l/l = β bits string. Then, we describe our IBE construction as follows. Setup(λ): On input a security parameter λ and other parameters q, n, m, σ, α, do: Select l + 1 uniformly random vectors a 1 , a 2 , · · · , a l , b ∈ R m q , and these vectors are used to form the public parameters; 3. Select a uniformly random polynomial u ∈ R q ; 4. Output the public parameters PP = (a 0 , a 1 , a 2 , · · · , a l , b, u) and master key MK = (T a 0 ). Extract(PP, MK, id): On input public parameters PP, master key MK and identity id = They are used to generate the private key; Encrypt(PP, id, m): On input public parameters PP, an identity id = (b 1 , b 2 , · · · , b l ), and a message µ ∈ {0, 1} n , do: They are used to generate the ciphertext; 2. Select a uniformly random polynomial t ∈ R q ; 3. Select l matrices R 1 , R 2 , · · · , R l in R m×m which consist of uniformly random polynomials with Decrypt(PP, SK, CT): On input public parameters PP, a private key SK = s, and a ciphertext CT = (c 0 , c 1 ), do: 1. Compute w = c 0 − s · c 1 ∈ R q , and w i denotes the coefficient of w; 2. Compare w i and q/2 treating them as integer in Z, if |w − q/2 | < q/4 , output 1, otherwise output 0.

Parameters and Correctness
In this section, we prove the correctness of the above IBE scheme. During decryption, we have In order to decrypt correctly, the error term x − s [ y z ] should be bounded by q/4 . Then, we need the following two lemmas to analyze the error rate of decryption. 2 2 ) < 1 and x ← D Z n ,s ; then, for any real s > 0 and any integer n ≥ 1, we have Lemma 2 ([42]). For any real s > 0, T > 0, and any x ∈ R n , we have , the above IBE scheme decrypts correctly with overwhelming probability.
Proof of Theorem 2. Letting s = ( √ mn y . Similar to [33], we compute the decryption error rate with Lemma 2 as For c ≥ 1, we have x ≤ cσ √ n/2π with Lemma 1. Then, When T is sufficiently large, the decryption error rate 2exp(−πT 2 ) is a negligible function, and we can decrypt correctly with overwhelming probability.

Security Proof
In this section, we give the security proof of our IBE scheme. We describe the definition of abort-resistant hash functions in Definition 2.

Lemma 3. Let q be a prime, the hash family H
Proof of Lemma 3. Letī d be a set of (id 0 , id 1 , · · · , id Q ) where id 0 / ∈ {id 1 , · · · , id Q }. For i = 0, · · · , Q + 1, S i denotes the set of functions H(id i ) = 0 in H Wat . We have |S i | = q l −1 and |S 0 ∩ S j | ≤ q l −2 with j > 0. For i = 1, · · · , Q, the set of H(id 0 ) = 0 and H(id i ) = 0 is defined as S := S 0 \ (S 1 ∪ · · · ∪ S Q ). Then, we have The non-abort probability ofī d is |S|/q l ≥ 1 q (1 − Q q ). Since |S| ≤ |S 0 |, the no-abort probability is |S|/q l ≤ |S 0 |/q l ≤ 1 q at most. Proof of Theorem 3. The proof proceeds in a sequence of games, and the first game is the same as the security game in Definition 1. In game i, we use W i to denote that the adversary guesses the challenge message correctly. Then, the advantage of adversary in game i is |Pr[W i ] − 1 2 |.
Game 0. The original IND-ID-CPA game between an adversary A and a challenger.

Game 1.
The challenger builds the public parameters PP = (a 0 , a 1 , a 2 , · · · , a l , b, u) in the original game. These vectors a 1 , a 2 , · · · , a l , b are chosen uniformly from R m q . The Game 1 challenger chooses l random matrices R * i ∈ R m×m and random polynomials h i ∈ Z q at the setup phase. Matrix R * i consists of uniformly random polynomials with coefficient {−1.1}. Then the challenger generates vectors a 0 and b as in original game, and constructs vector a i as The matrix R * i is used to build vector a i and challenge ciphertext CT (a 0 , a 0 · R * , (R * ) y) and (a 0 , ((a 1 ) | · · · |(a l ) ) , (R * ) y) are statistically close. The vectors a i are uniformly random elements in R m q . For z ← (R * id ) · y, the distributions (a 0 , a 0 · R * 1 , · · · , a 0 · R * l , z) and (a 0 , (a 1 ) , · · · , (a l ) , z) are statistically close. In adversary's view, the vectors a 0 · R * i are statistically close to uniformly random elements (a i ) and independent of vector z. Therefore, in adversary's view, the vector a i are uniformly random vectors as in Game 0. This shows that Game 2. In Game 2, we add an abort event and the rest is the same as Game 1. We use the abort-resistant H Wat introduced in Lemma 3. In the Setup phase, the challenger chooses a function H ∈ H Wat and reserves it to itself. Then, the challenger answers key queries and sends challenge ciphertext to adversary as in Game 1. We use id 1 , · · · , id Q to denote the identities that the adversary queries. We use id * to denote the challenge identity which is not in {id 1 , · · · , id Q }. In the Guess phase, the adversary returns a guess r ∈ {0, 1}. Then, the challenger performs as follows: 1. Abort check [18]: For i = 1, · · · , Q, the game proceeds normally if H(id * ) = 0 and H(id i ) = 0. Otherwise, it resets r and aborts the game. However, the game proceeds normally in the adversary's view. 2. Artificial abort [5,18] For identities I = (id * , id 1 , · · · , id Q ), we use (I) to denote the probability of non-abort when the adversary performs these private key queries. Moreover, we use max and min to denote the maximum and minimum of (I).

Lemma 4 ([18]
). For i = 1, 2, let W i be the event that the adversary wins the Game i. Then, According to [18], they show that max − min is less than min Pr [W 1 ] − 1 2 . Since q ≥ 2Q, we have min = 1 q (1 − Q q ) ≥ 1 2q . Then, Game 3. In Game 3, we change the method of generating a 0 and b in PP. Vector a 0 is generated as a random element in R m q and vector b is generated by algorithm TrapGen. The challenger also gets a trapdoor T b of Λ ⊥ q (b). The construction a i ← (R * i ) · a 0 − h i · b ∈ R m q is the same as in Game 2. To answer the private key query of id = (b 1 , b 2 , · · · , b l ), the challenger generates the corresponding private key SK id = s from Λ u q ( f id ). Let If h id = 0, the challenger abort the game as in Game 2. Otherwise, the challenger gets s ← SampleRight(a 0 , h id · b, R id , T b , u, σ) ∈ R 2m q . Then, it sends SK id = s to adversary A.
In adversary's view, Game 2 and Game 3 are indistinguishable. Therefore, Game 4. The challenge ciphertext (c * 0 , c * 1 ) is randomly selected in R q × R 2m q and the rest is the same as in Game 3, so the advantage of A is 0 in Game 4. Then, we need to prove that Game 3 and Game 4 are computationally indistinguishable.
Suppose there is an adversary A who has non-negligible probability in distinguishing Game 3 and Game 4. Then, we constructs an RLWE algorithm B.
An instance of RLWE problem is provided as a sample oracle O. We use O $ to denote a truly random oracle. For a random s ∈ R q , we use O s to denote a noisy pseudo-random oracle.
Instance. For i = 0, · · · , m, B requests from O and gets RLWE samples (u i , v i ) ∈ R q × R q .
Setup. B generates the public parameters: 1. Construct random vector a 0 ∈ R m q with RLWE samples. For i = 1, · · · , m, the i-th column of a 0 is u i . 2. Let the random polynomial u 0 ∈ R q be the 0-th RLWE sample. 3. Construct vectors a i and b as in Game 3. 4. Send public parameters PP = (a 0 , a 1 , · · · , a l , b, u 0 ) to adversary A.
Guess. Finally, the adversary A returns a guess r . The simulator B outputs 1 if r = r, otherwise 0.
Analysis. According to [18], the challenge ciphertext is the same as valid ciphertext in game 3 if sampling oracle O is pseudo-random O s , and the challenge ciphertext is the same as random ciphertext in game 4 if oracle O is truly random O $ . The simulator's advantage in solving RLWE problem is equal to A's advantage in distinguishing valid ciphertext and random ciphertext. For Pr[W 4 ] = 1 2 , we get Then, we have

Adaptively Secure HIBE
We extend our IBE scheme to a hierarchical IBE scheme. Similar to our IBE scheme above, we also use the blocking technique to reduce the size of public parameters.

The HIBE Construction
The identity id|id l is composed of l identities id i at different depth, and it is represented as id|id l = (id 1 , · · · , id l ) where id i is a l bit string. We divide the identity id i at depth i into l segments Then, we describe our HIBE construction as follows. Setup(d, λ): On input a security parameter λ, a maximum depth d and other parameters q, n, m, σ, α, do: 1. Run (a 0 , T a 0 ) ← TrapGen(q, n), where a 0 is a vector in R m q with a trapdoor T a 0 ∈ R (m−k)×k q ; 2. Choose l d + 1 random vectors a 1,1 , · · · , a 1,l , · · · , a d,1 , · · · , a d,l , b ∈ R m q , and these vectors are used to form the public parameters; 3. Choose a uniformly random polynomial u ∈ R q ; 4. Output the public parameters PP = (a 0 , a 1,1 , · · · , a 1,l , · · · , a d,1 , · · · , a d,l , b, u) and master key MK = (T a 0 ).
Derive(PP, id|id l , SK id|id l−1 ): On input public parameters PP, an identity id|id l and a private key SK id|id l−1 at depth l − 1, do: , and it is used to generate the private key; Encrypt(PP, id, m): On input public parameters PP, an identity id|id l at depth l and a message µ ∈ {0, 1} n , do: , and it is used to generate the ciphertext; 2. Choose a uniformly random polynomial t ∈ R q ; 3. Choose ll matrices R i,j ∈ R m×m for i = 1, · · · , l and j = 1, · · · , l , which consist of random polynomials with coefficient {1, −1}. Define R id = ∑ l i=1 b 1,i R 1,i || · · · || ∑ l i=1 b l,i R l,i ∈ R m×lm ; 4. Choose noise polynomial x ← D R q ,σ , noise vector y ← D R m q ,σ , and set z ← R id · y ∈ R lm q ; 5. Set c 0 = u · t + x + µ · q/2 ∈ R q , and c 1 = f · t + y z ∈ R (l+1)m q ; 6. Output the ciphertext CT = (c 0 , Decrypt(PP, SK id|id l , CT): On input public parameters PP, a private key SK id|id l at depth l and a ciphertext CT = (c 0 , c 1 ), do: 1. Set τ l := σ l m(l + 1)w log(lm); 2. Sample s id ← SamplePre( f id|id l , SK id|id l , u, τ l ) such that f id · s id = u; 3. Compute w = c 0 − s id · c 1 ∈ R q , w i denotes the coefficient of w; 4. Compare w i and q/2 treating them as integer in Z, if |w i − q/2 | < q/4 , output 1, otherwise output 0.

Parameters and Correctness
In this section, we prove the correctness of the above HIBE scheme. During decryption, we have In order to decrypt correctly, the error term x − s id y z should be bounded by q/4 . Similar to our IBE scheme, the following proof also needs Lemmas 1 and 2 to analyze the error rate of decryption. ) with s 1 , s 2 ∈ R m we have s id [ y z ] = s 1 · y + s 2 · z. Since z = R id · y, we have z = R id · y ≤ R id · y = l (2 β − 1) √ lmn y . Then, we compute the decryption error rate with Lemma 2 as For c ≥ 1, we have x ≤ cσ √ n/2π with Lemma 1. Then When T gets large enough, the decryption error rate 2exp(−πT 2 ) is negligible, and we can decrypt correctly with overwhelming probability.

Security Proof
In this section, we give the security proof of our HIBE scheme. We describe the definition of abort-resistant hash functions in Definition 2.
Lemma 5. Let q be a prime and 0 < Q < q; the hash family H Wat is (Q, 1 q l (1 − Q q l ), 1 q l ) abort-resistant.
Proof of Lemma 5. Letī d be a set of (id 0 , id 1 , · · · , id Q ) where id 0 / ∈ {id 1 , · · · , id Q }. For i = 0, · · · , Q + 1, we have |S i | = q l(l −1) and |S 0 ∩ S j | ≤ q l(l −2) for j > 0. Then, The non-abort probability ofī d is |S|/q ll ≥ 1 q l (1 − Q q l ). Since |S| ≤ |S 0 |, the non-abort probability is |S|/q ll ≤ |S 0 |/q ll ≤ 1 q l at most. Proof of Theorem 5. The proof proceeds in a sequence of games, and the first game is the same as the security game in Definition 1. In game i, we use W i to denote that adversary guess the challenge message correctly. The advantage of adversary in game i is |Pr[ Game 0. The original IND-ID-CPA game between an adversary A and a challenger.

Game 1.
The challenger builds the public parameters PP = (a 0 , a 1,1 , · · · , a 1,l , · · · , a d,l , b, u) in the original game. These vectors a 1,1 , · · · , a 1,l , · · · , a d,l , b are chosen uniformly random from R m q . The Game 1 challenger chooses ll random matrices R * k,i ∈ R m×m and polynomials h k,i ∈ R q for k ∈ [1, l], i ∈ [1, l ]. Matrix R * k,i consists of uniformly random polynomials with coefficients {−1.1}. Then, the challenger generates vectors a 0 and b as in original game, and constructs vector a k,i as In the adversary's view, the distribution a 0 · R * k,i is statistically close to uniform (a k,i ) and independent of vector z. Therefore, in adversary's view, vecors a k,i are uniformly random elements as in Game 0. This shows that Game 2. In Game 2, we add an abort event which is similar to the abort event in Section 3.3. The rest is the same as Game 1. We use the abort-resistant H Wat introduced in Lemma 5. According to [18], they show that max − min is less than min Pr [W 1 ] − 1 2 . Since q l ≥ 2Q, we have min = 1 q l (1 − Q q l ) ≥ 1 2q l . By Lemma 4, we have Game 3. In Game 3, we change the method of generating a 0 and b in PP. Vector a 0 is generated as a random vector in R m q and vector b is generated by algorithm TrapGen. The challenger also gets a trapdoor T b of Λ ⊥ q (b). The construction a k,i ← (R * k,i ) · a 0 − h k,i · b ∈ R m q is the same as in Game 2. To answer the private key query of id = (id 1 , id 2 , · · · , id l ), the challenger generates the corresponding private key SK id = s from Λ u q ( f id ). Let where and If h id = 0, the challenger aborts the game as in Game 2. Otherwise, the challenger gets private key q . Then, it sends SK id = s to the adversary A. In the adversary's view, Game 2 and Game 3 are indistinguishable. Therefore, Game 4. The challenge ciphertext (c * 0 , c * 1 ) is randomly selected in R q × R 2m q and the rest is the same as in Game 3, so the advantage of A is 0 in Game 4. Similar to Section 3.3, we need to prove that Game 3 and Game 4 are computationally indistinguishable.
Setup. B generates the public parameters: 1. Construct random vector a 0 ∈ R m q with RLWE samples. For i = 1, · · · , m, the i-th column of a 0 is u i . 2. Let a random polynomial u 0 ∈ R q be the 0-th RLWE sample. 3. Construct a k,i and b as in Game 3. 4. Send public parameters PP = (a 0 , a 1,1 , · · · , a 1,l , · · · , a d,l , b, u) to adversary A. Phase 1 and Phase 2. B answers private key queries as in Game 3.
Guess. Finally, the adversary A returns a guess r . The simulator B outputs 1 if r = r otherwise 0.

Efficiency
Trade-off. We make a trade-off between the decrease in the size of public parameters and the increase in the computation cost. Using the blocking technique, we divide an identity into l segments, and the number of elements in public parameters is reduced from l + 2 to l/β + 2 where β is a flexible constant. Therefore, the percentage of decrease in public parameter space is l−l l+2 and it is shown as the thin blue line in Figure 1 with l = 160. According to the analysis of Singh [19], there is no effect of l on cost of key generation, encryption and decription. However, we need to increase the value of lattice modulo q for maintaining the same security level, and it will increase the computation cost. According to Chatterjee 's work [20], the number of bits in q is increased by ∆ = β − log 2 β. We use |q| to denote the bit length of q and then |q | = |q| + 2∆ = |q| + 2(β − log 2 β). The percentage of increase in computation cost is and it is shown as the thick red line in Figure 1 with |q| = 256. In Figure 1, the x-axis represents the value of β, and the y-axis represents the percentage of increase or decrease. For l = 160 and |q| = 256, the size of public parameters is reduced by 89.7% while the cost of computation is merely increased by 5.2% when l = 16 or β = 10. If we set l = 8 or β = 20, the size of public parameters is reduced by 93.8% while the computational cost is merely increased by 12.25%. Comparisons. We propose an adaptively secure IBE scheme in Section 3. Table 1 shows the comparison of storage space between different IBE schemes in the standard model. In this table, PP, SK, l denote the public parameters, private keys and length of user's identity.

Schemes
PP Size SK Size Ciphertext Size Security Assumption [18] (l + 2)mn log q 2m log q (2m + 1) log q Adaptive-CPA LWE [23] (log l + 2)mn log q mn log q (m + n) log q Adaptive-CPA LWE [22] * (d l 1/d + 2)mn log q 2m log q (2m + 1) log q Adaptive-CPA LWE [36] * (d l 1/d + 2)mn log q 2mn log q (2m + 1)n log q Adaptive-CPA RLWE † [24] (log 2 l + 2)mn log q 2m log q (2m + 1) log q Adaptive-CPA LWE Ours ** (l/β + 2)mn log q 2mn log q (2m + 1)n log q Adaptive-CPA RLWE † Since the public parameters are composed of multiple matrices, its size will directly affect the communication overhead in actual applications. As shown in this table, the public parameter in Agrawal's construction [18] contains l + 2 matrices. Zhang's construction [23] achieves shorter public parameter at the cost of weaker security guarantees. In Yamada's construction [22], the public parameter consists of d l 1/d + 2 matrices, where d is a constant. In Katsumata's scheme [36], the public parameter consists of d l 1/d + 2 vectors because of ring setting. The relationship between the size of public parameters and constant d is shown in Figure 2. For l = 160, the minimum size of public parameters is 17 vectors when we set d = 5. Moreover, we need to set d very small (e.g., d = 2 or 3) because of the reduction cost. If we set d = 2 (resp. 3), the public parameters have 28 (resp. 20) vectors. In [24], the public parameter consists of log 2 l + 2 matrices via new partitioning functions. In our construction, the public parameters only contain l + 2 vectors, where l = l/β. We have analyzed the choice of β or l in the previous part. For l = 160, the public parameter only contains 10 (resp. 18) vectors if we choose β = 20 (resp. 10). The comparison of public parameter size is shown in the Figure 3. It involves four IBE schemes with short public parameters, including Yam17 [24] , KY16 [36] (d = 3), ZCZ16 [23] and ours (β = 20). The x-axis represents the length of user's identity, and the y-axis represents the number of basic matrices (or vectors) in the public parameters of each scheme. Obviously, the public parameters in our scheme are shorter than [24] and [36]. Moreover, it can be shorter than [23] if the identity length l is small (e.g., less than 140). Compared with the LWE-based scheme, the RLWE-based scheme contains a lot of polynomial operations instead of matrix operations. To compare more fair, we only compare the computational efficiency between the schemes under RLWE assumption. Since the scheme by [36] also has short public parameters and ring setting, we only compare the calculation efficiency between [36] and our scheme. Table 2 shows the comparison of computational efficiency. In this table, KeyGen, Enc, Dec denote the key generation, encryption and decryption.

Schemes KeyGen
Enc Dec [36] dm 2 n 2 dm 2 n 2 + n 2 + 2mn 2mn 2 Ours l mn l mn + n 2 + 2mn 2mn 2 The difference between these two schemes is the calculation of H(id) and a id . In Katsumata's construction [36], H(id) = b + Σ j 1 ,··· ,j d PubEval d (b 1,j 1 , b 2,j 2 , · · · , b d,j d ) and it is used to generate private keys. They use the homomorphic function PubEval d : (R m q ) d → R m q as in [22], which maps vectors b 1 , · · · , b d to a vector in R m q . The function PubEval needs dm 2 n 2 multiplications and d − 1 inversions. In our construction, a id = b + Σ l i=1 b i · a i and it is also used as the input of the sampling algorithm to generate private keys. However, it only needs l mn multiplication operations which is obviously less than [36].
In Section 4, we also extend our IBE scheme to an adaptively secure HIBE scheme. Using Waters' technology, we can convert the selectively secure HIBE scheme to adaptive security. Howerve, the size of the public parameter increases from d + 2 matrices to dl + 2 matrices. In our HIBE construction, the public parameter is reduced from dl + 2 matrices to dl + 2 vectors where l = l /β. In particular, it can be further reduced to l + 2 thanks to the method of Chatterjee [11,43]. Finally, both of our constructions support multi-bit encryption because of ring setting.

Conclusions
In this paper, we propose an identity-based encryption scheme and a hierarchical identity-based encryption scheme over ideal lattice. The new schemes have short public parameters, and achieve IND-ID-CPA security in the standard model. In addition, we use the trapdoor of Micciancio to further improve the efficiency of our scheme. However, there are still many problems to be solved, such as how to reduce the size of ciphertext and how to implement these schemes.

Conflicts of Interest:
The authors declare no conflict of interest.