New Constructions of Identity-Based Dual Receiver Encryption from Lattices

Abstract

Dual receiver encryption (DRE), being originally conceived at CCS 2004 as a proof technique, enables a ciphertext to be decrypted to the same plaintext by two different but dual receivers and becomes popular recently due to itself useful application potentials such secure outsourcing, trusted third party supervising, client puzzling, etc. Identity-based DRE (IB-DRE) further combines the bilateral advantages/facilities of DRE and identity-based encryption (IBE). Most previous constructions of IB-DRE are based on bilinear pairings, and thus suffers from known quantum algorithmic attacks. It is interesting to build IB-DRE schemes based on the well-known post quantum platforms, such as lattices. At ACISP 2018, Zhang et al. gave the first lattice-based construction of IB-DRE, and the main part of the public parameter in this scheme consists of $2n+2$ matrices where n is the bit-length of arbitrary identity. In this paper, by introducing an injective map and a homomorphic computation technique due to Yamada at EUROCRYPT 2016, we propose another lattice-based construction of IB-DRE in an even efficient manner: The main part of the public parameters consists only of $2p{n}^{\frac{1}{p}}+2$ matrices of the same dimensions, where $p(\ge 2)$ is a flexible constant. The larger the p and n, the more observable of our proposal. Typically, when $p=2$ and $n=284$ according to the suggestion given by Peikert et al., the size of public parameters in our proposal is reduced to merely 12% of Zhang et al.’s method. In addition, to lighten the pressure of key generation center, we extend our lattice-based IB-DRE scheme to hierarchical scenario. Finally, both the IB-DRE scheme and the HIB-DRE scheme are proved to be indistinguishable against adaptively chosen identity and plaintext attacks (IND-ID-CPA).

1. Introduction

With the rapid development of the internet of things, more and more user tend to encrypt their data and then outsource their data to the cloud server. These outsourced data may contain some sensitive information such as financial, medical data, national security-related data, etc. Therefore, a reliable third party or government department is required to supervise these data, and if it is necessary, the regulator can decrypt the ciphertext and view the plaintext information of these data. Dual receiver encryption (DRE) [1] allows that a ciphertext can be decrypted to the same plaintext by two independent receivers. For the above scenario, DRE is a good handy tool. It not only guarantees the encrypted transmission and storage of data, but also enables data to be supervised by a reliable third party. In addition, DRE also can form a joint program with other cryptographic scheme. In [1], Diament et al. combined a DRE scheme with a signature scheme to achieve that a user can use a same public/secret key pair to complete the encryption and signature functions. In 2014, Chow et al. [2] proposed a DRE-PKE joint scheme and appended some stable properties to the DRE and made it more practical in the construction of plaintext-awareness public key encryption. Furthermore, DRE also can be used to construct a client puzzles mechanism based on decryption. Design client puzzles mechanism between the clients and severs can prevent servers from suffering from resource-depletion attacks. Diament et al. pointed out in [1] that the client puzzles mechanism can be applied to secure transport protocol, e.g., TLS. The DRE cryptographic primitive can be easily construct a deniable authentication system [3]. As a special kind of PKE, DRE also face the general certificate management problem. To solve the problem of certificate management in the traditional PKE, Zhang et al. [4] gave an identity-based variant version of DRE, named identity-based dual receiver encryption (IB-DRE). In this scheme, they constructed two IB-DRE schemes based on the identity-based encryption (IBE) scheme in [5].

However, all the above (IB)-DRE schemes are based on bilinear pairing groups. Since Shor [6] proposed a polynomial time quantum algorithm in 1997 which can solve discrete logarithm problem (DLP) and prime factorization. This type of bilinear pairing groups based schemes are not secure and can not resist the quantum attack. Since then, scholars have begun to study post-quantum cryptography (PQC). Lattices-based cryptography is a research hotspot for PQC. It has the following properties: high efficiency, simplicity, parallelization and average case/worst case equivalence property. In 1997, Ajtai and Dwork [7] first constructed a public key encryption scheme by using the problem on lattices. This scheme relies on the worst-case hardness of uSVP [8], and the key and ciphertext size is too large. Until 2005, Regev [9] presented another public key encryption scheme which security based on the learning with errors (LWE) problem. He proved that a LWE-based public key encryption can resist quantum attack. Then the researchers begin to study LWE-based public key encryption scheme. Based on LWE, many public key encryption schemes have been proposed, such as LWE-based IBE schemes [10,11,12,13,14], LWE-based attribute-based encryption schemes [15,16,17,18,19]. To our knowledge, the first lattice-based IB-DRE scheme was proposed in 2018 [20] (Next we use how Zhang18 denotes it). The public parameters size in this scheme consists of $2n+2$ matrices which lead a high storage cost and communication cost. Additionally, when some users apply for their privacy key to the key generation center (KGC) at the same time, KGC may face great system pressure. Therefore, in order to reduce the storage cost, it is meaningful to construct a lattice-based IB-DRE with short public parameters and then extend it a hierarchical scenario to reduce the stress of KGC.

OUR CONTRIBUTION. In this paper, we firstly propose a new lattice-based construction of IB-DRE scheme which can resist quantum attack. By using a homomorphic computation technique and an injective map function, comparing to the first lattice-based IB-DRE [20], we reduce the public parameters size from $2n+2$ matrices to $2p{n}^{\frac{1}{p}}+2$ matrices where n is the bit-length of arbitrary identity and $p(\ge 2)$ is a flexible constant. By choosing appropriate p and n, the $pp$ size can be reduced by almost at least 88% compared to Zhang18. In addition, considering the hierarchical scenario, we extend it to a hierarchical IB-DRE (HIB-DRE), which is not considered in Zhang18. A HIB-DRE can reduce the stress of the key generation center (KGC). The public parameters size of the HIB-DRE is also reduced from $2dn+2$ matrices to $2dp{n}^{\frac{1}{p}}+2$ matrices where d is the maximum hierarchy depth. Finally, our lattice-based IB-DRE scheme and HIB-DRE scheme are proved to be indistinguishable against adaptively chosen identity and plaintext attacks (IND-ID-CPA) in the standard model. Additionally, to improve the encryption efficiency, our two schemes also can convert to a multi-bit encryption scheme by using the same method in [11].

2. Preliminarise

Notation. We use lowercase black italic alphabet for vectors, as in $\mathit{u}$, uppercase black italic alphabet for matrices, as in $\mathit{A}$. $\left[n\right]$ denotes a integer set $\{1,2,\cdots ,n\}$. ${\mathbb{Z}}_q$ denotes an integer set of mod q residue class. $\mathit{u}\in {\mathbb{Z}}_q^n$ is a n-dimension column vector. A $n\times m$ matrix is denoted by $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ where $\mathit{A}=({\mathit{a}}_1,{\mathit{a}}_2,\cdots ,{\mathit{a}}_m)$. $\parallel \mathit{A}\parallel$ denotes the ${\ell }_2$-norm length of the longest column of $\mathit{A}$. $\tilde{\mathit{A}}$ denotes the Gram–Schmidt orthogonalization of the vectors ${\mathit{a}}_1,\cdots ,{\mathit{a}}_m$. We refer to $\parallel \tilde{\mathit{A}}\parallel$ as the Gram–Schmidt norm of $\mathit{A}$.

2.1. Integer Lattice

Definition 1 (Lattices).

${\mathbf{b}}_1,{\mathbf{b}}_2,\dots ,{\mathbf{b}}_n\in {\mathbb{R}}^m$are n linearly independent vectors, and the lattice Λ generated by the following formula:

$$\mathsf{\Lambda }=L\left(\mathbf{B}\right)=\{\sum _{i=1}^n{x}_i{\mathbf{b}}_i:x_i\in \mathbb{Z},(i=1,\cdots ,n)\}.$$

Note that$\mathbf{B}=[{\mathbf{b}}_1,{\mathbf{b}}_2,\cdots ,{\mathbf{b}}_n]$is a basis of Λ, n is the rank and m is the dimension.

Definition 2 (Integer lattices).

For prime$q,\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, and$\mathbf{u}\in {\mathbb{Z}}_q^n$, define:

$${\mathsf{\Lambda }}_q\left(\mathbf{A}\right)=\{\mathbf{y}\in {\mathbb{Z}}^{m}s.t.\exists \mathbf{s}\in {\mathbb{Z}}_q^n,{\mathbf{A}}^{\top }\mathbf{s}=\mathbf{y}\left(\mathrm{mod}q\right)\}.$$

$${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)=\{\mathbf{y}\in {\mathbb{Z}}^{m}s.t.\mathbf{A}\mathbf{y}=0\left(\mathrm{mod}q\right)\}.$$

$${\mathsf{\Lambda }}_q^u\left(\mathbf{A}\right)=\{\mathbf{y}\in {\mathbb{Z}}^{m}s.t.\mathbf{A}\mathbf{y}=\mathbf{u}\left(\mathrm{mod}q\right)\}.$$

2.2. Discrete Gaussians

Definition 3 (Discrete Gaussian).

For a positive integer$s\in \mathbb{R}$and a vector$\mathbf{c}\in {\mathbb{R}}^m$, we defined a Gaussian distribution with center$\mathbf{c}$and variance s as follow:

$${\mathcal{D}}_{\mathsf{\Lambda },\sigma ,\mathbf{c}}=\frac{{\rho }_{\sigma ,\mathbf{c}}\left(\mathbf{x}\right)}{{\rho }_{\sigma ,\mathbf{c}}\left(\mathsf{\Lambda }\right)}=\frac{{\rho }_{\sigma ,\mathbf{c}}\left(\mathbf{x}\right)}{{\sum }_{\mathbf{x}\in \mathsf{\Lambda }}{\rho }_{\sigma ,\mathbf{c}}\left(\mathbf{x}\right)}$$

where$\sigma >0$is a parameter, and${\rho }_{\sigma ,\mathbf{c}}\left(\mathbf{x}\right)=exp(-\pi \frac{{\parallel \mathbf{x}-\mathbf{c}\parallel }^2}{{\sigma }^2})$.

Lemma 1

([10]). Let $q\ge 2$, $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ with $m>n$, ${\mathbf{T}}_{\mathbf{A}}\in {\mathbb{Z}}_q^{m\times m}$ be a basis for ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$ and $\sigma \ge \parallel \widetilde{{\mathbf{T}}_{\mathbf{A}}}\parallel \omega \left(\sqrt{logm}\right)$. Then for $\mathbf{c}\in {\mathbb{R}}^m$ and $\mathbf{u}\in {\mathbb{Z}}_q^n$, we have:

(1). 

$Pr[\mathbf{e}\sim D_{{\mathsf{\Lambda }}_q^u\left(\mathit{A}\right),\sigma }:\parallel \mathbf{e}\parallel >\sigma \sqrt{m}]\le negl\left(n\right)$.

(2). 

There is a probabilistic polynomial-time (PPT) algorithm $\mathrm{SampleGaussian}$($\mathbf{A}$,${\mathit{T}}_{\mathbf{A}}$, σ,$\mathbf{c}$) that outputs a vector$\mathbf{e}\in {\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$drawn from a distribution statistically close to${\mathcal{D}}_{\mathsf{\Lambda },\sigma ,\mathbf{c}}$.

(3). 

There is a PPT algorithm $\mathrm{SamplePre}$($\mathbf{A}$,${\mathbf{T}}_{\mathbf{A}}$,$u$,$\mathbf{c}$) that outputs a vector$\mathbf{e}\in {\mathsf{\Lambda }}_q^u\left(\mathbf{A}\right)$sampled from a distribution statistically close to${\mathcal{D}}_{{\mathsf{\Lambda }}_q^u\left(\mathbf{A}\right),\sigma }$.

2.3. Related Algorithms

For any integer $q,n,m$ and q is a prime, there are PPT algorithms such that:

(1).

$\mathrm{TrapGen}$($q,n$) ([21]): outputs a pair matrices $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ and ${\mathit{T}}_{\mathit{A}}\in {\mathbb{Z}}_q^{m\times m}$ where ${\mathit{T}}_{\mathit{A}}$ is a basis for ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$ and $m\ge 3(1+\delta )nlogq$ for some $\delta >0$.

(2).

$\mathrm{SampleLeft}$($\mathit{A}$, ${\mathit{M}}_1$, ${\mathit{T}}_{\mathit{A}}$, $\mathit{u}$, $\sigma$) ([11]): given $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$, ${\mathit{M}}_1\in {\mathbb{Z}}_q^{n\times m_1}$, a basis ${\mathit{T}}_{\mathit{A}}\in {\mathbb{Z}}_q^{m\times m}$ for ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$, $u\in {\mathbb{Z}}_q^n$ and a Gaussian parameter $\sigma >\parallel \widetilde{{\mathit{T}}_{\mathit{A}}}\parallel \omega \left(\sqrt{log(m+m_1)}\right)$, outputs a vector $\mathit{e}\in {\mathbb{Z}}^{m+m_1}$ and the vector $\mathit{e}$ is not statistically distinguishable from ${\mathcal{D}}_{{\mathsf{\Lambda }}_q^u\left({\mathit{F}}_1\right),\sigma }$ where ${\mathit{F}}_1=\left[\mathit{A}\right|{\mathit{M}}_1]$ and ${\mathit{F}}_1·\mathit{e}=u\left(\mathrm{mod}q\right)$.

(3).

$\mathrm{SampleRight}$($\mathit{A}$, $\mathit{B}$, $\mathit{R}$, ${\mathit{T}}_{\mathit{B}}$, $u$, $\sigma$) ([11]): given $\mathit{A}\in {\mathbb{Z}}_q^{n\times k}$, $\mathit{B}\in {\mathbb{Z}}_q^{n\times m}$, $\mathit{R}\in {\mathbb{Z}}_q^{k\times m}$, a basis ${\mathit{T}}_{\mathit{B}}$ for ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{B}\right)$, $u\in {\mathbb{Z}}_q^n$ and a Gaussian parameter $\sigma >\parallel \widetilde{{\mathit{T}}_{\mathit{B}}}\parallel s_{\mathit{R}}\omega \left(\sqrt{logm}\right)$ where $s_{\mathit{R}}=\parallel \tilde{\mathit{R}}\parallel <O\left(\sqrt{m}\right)$, outputs a vector $\mathit{e}\in {\mathbb{Z}}^{m+k}$ and the vector $\mathit{e}$ is not statistically distinguishable from ${\mathcal{D}}_{{\mathsf{\Lambda }}_q^u\left({\mathit{F}}_2\right),\sigma }$ where ${\mathit{F}}_1=\left[\mathit{A}\right|\mathit{A}\mathit{R}+\mathit{B}]$ and ${\mathit{F}}_2·\mathit{e}=\mathit{u}\left(\mathrm{mod}q\right)$.

Note that in our scheme, we let $\mathit{B}=y\mathit{G}$ where $y\in {\mathbb{Z}}_q$ and $y\ne 0$. Then taking ${\mathit{T}}_{\mathit{G}}$ as the input basis for the lattices ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{G}\right)$.

Lemma 2

([22]). For any integer $q\ge 2,n\ge 1,w=nt,t=\lceil {log}_{2}q\rceil$, there is a gadget matrix $\mathbf{G}\in {\mathbb{Z}}_q^{n\times w}$ such that:

• The lattice ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{G}\right)$ has a known basis ${\mathbf{T}}_{\mathbf{G}}$ where $\parallel \widetilde{{\mathbf{T}}_{\mathbf{G}}}\parallel \le \sqrt{5}$.
• There is a PPT algorithm ${\mathbf{G}}^{-1}$ that takes input a vector $\mathbf{u}\in {\mathbb{Z}}_q^n$ and output a vector $\mathbf{x}={\mathbf{G}}^{-1}\left(\mathbf{u}\right)$ where $\mathbf{x}\in {\{0,1\}}^w$ and $\mathbf{G}\mathbf{x}=\mathbf{u}$. Note that ${\mathbf{G}}^{-1}$ is a function, not a matrix.

2.4. Homomorphic Computation

The ideal of homomorphic trapdoor computation is introduced in [14].

Let p be a positive integer, it has a function $\mathrm{Eval}$: ${\left({\mathbb{Z}}_q^{n\times m}\right)}^p\to {\mathbb{Z}}_q^{n\times m}$ which inputs p matrices ${\mathit{A}}_1$, ${\mathit{A}}_2$,⋯,${\mathit{A}}_p$ and outputs a matrix.

$${\mathrm{Eval}}_p({\mathit{A}}_1,{\mathit{A}}_2,\cdots ,{\mathit{A}}_p)=\left\{\begin{array}{cc}{\mathit{A}}_1\hfill & \hfill p=1\\ {\mathit{A}}_1·{\mathit{G}}^{-1}\left({\mathrm{Eval}}_{p-1}({\mathit{A}}_2,\cdots ,{\mathit{A}}_p)\right)\hfill & \hfill p\ge 2\end{array}\right.$$

Here ${\mathit{G}}^{-1}$ is a deterministic function that has the following feature:

$$\begin{array}{cc}\hfill {\mathit{G}}^{-1}:& {\mathbb{Z}}_q^{n\times m}\to {(0,1)}^{m\times m}\hfill \\ & \mathit{U}\to \mathit{X},s.t.\mathit{G}\mathit{X}=\mathit{U}\hfill \end{array}$$

Lemma 3

([14]). Let $\mathbf{A},{\mathbf{A}}_1,\cdots ,{\mathbf{A}}_p\in {\mathbb{Z}}_q^{n\times m}$ and ${\mathbf{R}}_1,\cdots ,{\mathbf{R}}_p\in {\mathbb{Z}}^{m\times m}$, for $i\in \left[p\right]$, it has ${\mathbf{A}}_i=\mathbf{A}{\mathbf{R}}_i+y_i\mathbf{G}$. In addition, assume that $\parallel {\mathbf{R}}_i\parallel \le m$, $|y_i|\le \delta$ and $\delta >m$, there exists$TrapEval$ algorithm that takeing ${\mathbf{R}}_1,\cdots ,{\mathbf{R}}_p,y_1,\cdots ,y_p$ as input and outputs a matrix ${\mathbf{R}}^{{}^{\prime }}$ such that ${Eval}_p({\mathbf{A}}_1,{\mathbf{A}}_2,\cdots ,{\mathbf{A}}_p)=\mathbf{A}{\mathbf{R}}^{{}^{\prime }}+y_1\cdots y_p·\mathbf{G}$ and $\parallel {\mathbf{R}}^{{}^{\prime }}\parallel \le mp{\delta }^{p-1}$.

2.5. LWE Hardness Assumption

Definition 4.

Give a prime q, a positive integer n and a distribution ${\overline{\mathsf{\Psi }}}_{\alpha }$ over ${\mathbb{Z}}_q$. A $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE problem instance consists of access to an unspecified challenge oracle $\mathcal{O}$, being either a truly random sampler ${\mathcal{O}}_s^{{}^{\prime }}$ or a noisy pseudo-random sampler ${\mathcal{O}}_s$ carrying some constant random secret key $\mathbf{s}\in {\mathbb{Z}}_q$, whose behaviors are as follows, respectively:

${\mathcal{O}}_s$: Outputs samples of the form $({\mathbf{w}}_i,v_i)=({\mathbf{w}}_i,{\mathbf{w}}_i^{\top }\mathbf{s}+{\chi }_i)$$\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$, where $\mathbf{s}\in {\mathbb{Z}}_q^n$ is a uniformly distributed secret key, ${\chi }_i$ is a noise component from ${\overline{\mathsf{\Psi }}}_{{\alpha }_i}$, and ${\mathbf{w}}_i$ is uniform in ${\mathbb{Z}}_q^n$.

${\mathcal{O}}_s^{{}^{\prime }}$: Outputs truly uniform random samples $({\mathbf{w}}_i,v_i)$ from ${\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$.

The $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE problem allows a number of queries to the challenge oracle $\mathcal{O}$. We say an algorithm $\mathcal{A}$ decides a $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE problem if $\mathrm{LWE}Adv\left[\mathcal{A}\right]=|Pr[{\mathcal{A}}^{{\mathcal{O}}_s}=1]-Pr[{\mathcal{A}}^{{\mathcal{O}}_s^{{}^{\prime }}}=1]|$ is non-negligible for a random $\mathbf{s}\in {\mathbb{Z}}_q^n$.

Theorem 1

([9]). If there exists an efficient, possibly quantum, algorithm for deciding the $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE problem for $q>2\sqrt{n}/\alpha$ then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems to within $\tilde{O}(n/\alpha )$ factors in the ${\ell }_2$ norm, in the worst case.

Lemma 4

([10]). Let $\mathbf{e}$ be some vector in ${\mathbb{Z}}^m$ and let $\mathbf{y}\stackrel{R}{\leftarrow }{\overline{\mathsf{\Psi }}}_{\alpha }^m$. Then the quality $|{\mathbf{e}}^{\top }\mathbf{y}|$ treated as an integer in $[0,q-1]$ satisfies:

$$|{\mathbf{e}}^{\top }\mathbf{y}|\le \parallel \mathbf{e}\parallel q\alpha \omega \left(\sqrt{logm}\right)+\parallel \mathbf{e}\parallel \sqrt{m}/2$$

(1)

with all but negligible probability in m.

As a special case, Lemma 4 shows that if $x\stackrel{R}{\leftarrow }{\overline{\mathsf{\Psi }}}_{\alpha }$ is treated as an integer in $[0,q-1]$ satisfies

$$\left|x\right|\le q\alpha \omega \left(\sqrt{logm}\right)+1/2$$

(2)

with all but negligible probability in m.

2.6. Three Basic Lemmas

Lemma 5

([11]). For a random matrix $\mathbf{R}\in {\{-1,1\}}^{k\times m}$, there is a universal constant C such that:

$$Pr[\parallel \mathbf{R}\parallel >C\sqrt{k+m}]<e^{-(k+m)}.$$

(3)

Lemma 6

(Leftover Hash Lemma [11]). For $m>(n+1)logq+\omega (logn)$ and a prime $q>2$. Let $\mathbf{R}\in {\{-1,1\}}^{m\times k}$, $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ and $\mathbf{B}\in {\mathbb{Z}}_q^{n\times k}$ be uniformly random matrices. Then the distribution ($\mathbf{A}$, $\mathbf{A}\mathbf{R}$, ${\mathbf{R}}^{\top }\mathbf{w}$) is $\mathrm{negl}\left(n\right)$-close to the distribution ($\mathbf{A}$, $\mathbf{B}$, ${\mathbf{R}}^{\top }\mathbf{w}$).

Lemma 7

(Smudging out Lemma [14]). Let ${\mathbf{x}}_0\in {\mathbb{Z}}^m$ be a fixed vector and $\parallel {\mathbf{x}}_0{\parallel }_{\infty }\le \delta$. $\mathbf{x}\leftarrow {\{-B,B\}}^m$ is a uniformly random vector. Then the two distributions ${\mathbf{x}}_0$ and ${\mathbf{x}}_0+\mathbf{x}$ are within statistical distance $m\delta /B$.

2.7. Definitions of (H)IB-DRE and Adaptive-ID Security Model

Identity-based dual receiver encryption (IB-DRE) enables a ciphertext to be decrypted to the same plaintext by two different receivers since it embeds two independent user’s identity in the encrypt phase. Considering the definition of IB-DRE in [20]. We give the following definition of IB-DRE. An IB-DRE scheme consists the following four algorithms.

(1).

$\mathrm{Setup}(1^n$)→ ($pp,msk$): on input the security parameter $1^n$. This algorithm outputs the public parameters $pp$ and master secret key $msk$.

(2).

$\mathrm{KeyGen}(pp,\mathit{id},msk$)$\to s{k}_{\mathit{id}}$: On input the public parameter $pp$, a user’s identity $\mathit{id}$ and the master secret key $msk$. This algorithm KeyGen outputs the secret key $s{k}_{\mathit{id}}$. In the scheme, we let ${\mathit{id}}_1$, ${\mathit{id}}_2$ denote the first receiver and the second receiver respectively.

(3).

$\mathrm{Encrypt}(pp,{\mathit{id}}_1,{\mathit{id}}_2,\mu$)$\to \mathit{c}$: on input the public parameter $pp$, the user’s identities ${\mathit{id}}_1,{\mathit{id}}_2$ and the message bit $\mu \in \{0,1\}$. This algorithm outputs the ciphertext $\mathit{c}$.

(4).

$\mathrm{Decrypt}(pp,s{k}_{{\mathit{id}}_{i^{\prime }}},\mathit{c}$)$\to \mu$: on input the public parameter $pp$, a user’s secret key ${\left(s{k}_{{\mathit{id}}_{i^{\prime }}}\right)}_{i^{\prime }\in \{1,2\}}$, and the ciphertext $\mathit{c}$. This algorithm outputs a message $\mu$.

The definition of IB-DRE can be easily extended to a hierarchical IB-DRE by following the method in [11].

Correctness. For all identities ${\mathit{id}}_{i^{\prime }}$, all message $\mu$ and the ciphertext $\mathit{c}$←$\mathrm{Encrypt}(pp,{\mathit{id}}_1,{\mathit{id}}_2,\mu$), we have $Pr\left[\mathrm{Decrypt}\right($pp$,s{k}_{{\mathit{id}}_1},$c$)=\mathrm{Decrypt}($pp$,s{k}_{{\mathit{id}}_2},c$$)=\mu ]=1-\mathrm{negl}\left(n\right)$.

The definition of adaptive-ID security model is adapted from [11]. It can be described by a IND-ID-CPA game between a challenger $\mathcal{B}$ and an adversary $\mathcal{A}$ as follows:

Setup. The challenger $\mathcal{B}$ runs the $\mathrm{Setup}(1^n$) algorithm to generate the public parameters $pp$ and the master key $msk$, and send $pp$ to $\mathcal{A}$.

Phase 1. The adversary $\mathcal{A}$ makes secret key queries for different identities adaptively.

Challenge. The adversary $\mathcal{A}$ sends a message bit ${\mu }^{*}\in \{0,1\}$ and the target identities $({\mathit{id}}_1^{*},{\mathit{id}}_2^{*})$ to $\mathcal{B}$, and the target identities $({\mathit{id}}_1^{*},{\mathit{id}}_2^{*})$ should not be asked in Phase 1. The challenger $\mathcal{B}$ randomly chooses $r\in \{0,1\}$ and a randomly ciphertext space $\mathcal{C}$. If $r=0$, it send the challenge ciphertext ${\mathit{c}}^{*}$=Encrypt($pp,{\mathit{id}}_1^{*},{\mathit{id}}_2^{*},{\mu }^{*}$) to $\mathcal{A}$. If $r=1$, it send a randomly challenge ciphertext ${\mathit{c}}^{*}\in \mathcal{C}$ to $\mathcal{A}$.

Phase 2. The adversary $\mathcal{A}$ also makes secret key queries for different identities adaptively as Phase 1. It can not ask for $({\mathit{id}}_1^{*},{\mathit{id}}_2^{*})$.

Guess. The adversary $\mathcal{A}$ outputs its guess $r^{\prime }\in \{0,1\}$ and wins if $r^{\prime }=r$. We define the advantage of the adversary $\mathcal{A}$ in attacking IB-DRE scheme as $\epsilon =|Pr[r^{\prime }=r]-\frac{1}{2}|$.

3. Adaptively Secure IB-DRE Scheme with Short Public Parameters

As we all know, in the adaptively secure IBE scheme in [11], for an identity $\mathit{id}=(b_1,b_2,\cdots ,b_n)\in {\{0,1\}}^n$, the key generation matrix/encryption matrix is ${\mathit{F}}_{\mathit{id}}=\left[{\mathit{A}}_0\right|{\mathit{B}}_0+{\sum }_{i=1}^n{b}_i{\mathit{A}}_i]$ where ${\left({\mathit{A}}_i\right)}_{i\in \left[n\right]}$ is the matrices in the public parameters. Thus, if we want to construct an adaptively secure identity based dual receiver encryption (IB-DRE) scheme, the public parameters will be $2n+2$ matrices which lead to high storage cost.

In this section, we propose an adaptively secure IB-DRE scheme with short public parameters. There are four algorithms in this scheme: $\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Encrypt} \mathrm{and} \mathrm{Decrypt}$. The main method to reduce the public parameters is that in the Setup phase we introduce an injective map function which can map a n-bits identity to a subset of ${[1,l]}^p$, and here we let $l=\lceil n^{\frac{1}{p}}\rceil$. Additionally, we also introduce a homomorphic computation technique to ensure that our scheme achieves a strong secure notion, i.e., indistinguishability of ciphertext under the adaptive chosen-identity chosen-plaintext attack (IND-ID-CPA). For the key generation matrix/encryption matrix, let $\mathcal{H}\left(\mathit{id}\right)={\mathit{B}}_0+{\sum }_{i=1}^n{b}_i{\mathit{A}}_i$, then ${\mathit{F}}_{\mathit{id}}=\left[{\mathit{A}}_0\right|\mathcal{H}\left(\mathit{id}\right)]$. In the $\mathrm{KeyGen}$ phase, we use the same SampleLeft algorithm in [11] to generated the two independent users’ secret keys but change the way $\mathcal{H}\left(\mathit{id}\right)$ is generated. $\mathcal{H}\left(\mathit{id}\right)$ is computed by a function $\mathrm{Eval}$: ${\left({\mathbb{Z}}_q^{n\times m}\right)}^p\to {\mathbb{Z}}_q^{n\times m}$ of the public parameters where function $\mathrm{Eval}$ is a part of homomorphic computation technique. When encrypting a message bit, it should use two independent receivers’ public keys to encrypt the message. Then the ciphertext can be decrypted to the same message by the two independent receivers.

By doing this, we reduce the size of public parameters from $2n+2$ (i.e., $O\left(n\right)$) matrices to $2p{n}^{\frac{1}{p}}+2$ (i.e., $O(n^{\frac{1}{p}})$) matrices where p is a flexible constant and can affect the reduction cost. Next we will describe our scheme step by step.

3.1. Our Construction

The adaptively secure IB-DRE scheme with short public parameters consists the following four algorithms.

(1).

$\mathrm{Setup}(1^n$)→ ($pp,msk$): on input the security parameter $1^n$. This algorithm outputs the public parameters $pp$ and master secret key $msk$, do:

-

Perform algorithm TrapGen to generate a uniformly matrix ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$ and a trapdoor ${\mathit{T}}_{{\mathit{A}}_0}\in {\mathbb{Z}}^{m\times m}$.

-

For an identity $\mathit{id}=(b_1,b_2,\cdots ,b_n)\in {\{0,1\}}^n$, select an injective map $\mathcal{F}$ that maps an identity to a subset $\mathcal{F}\left(\mathit{id}\right)$ of ${[1,l]}^p$ where $l=\lceil n^{\frac{1}{p}}\rceil$.

-

For $(i,j)\in [p,l]$, select $2pl$ matrices ${\mathit{A}}_{i,j},{\mathit{A}}_{i,j}^{{}^{\prime }}$.

-

Select a uniformly random matrices ${\mathit{B}}_0$ and a uniformly random vector $u\in {\mathbb{Z}}_q^n$.

The public parameter $pp=\{{\mathit{A}}_0,{({\mathit{A}}_{i,j},{\mathit{A}}_{i,j}^{{}^{\prime }})}_{(i,j)\in [p,l]},{\mathit{B}}_0,u\}$, the master secret key $msk=\left\{{\mathit{T}}_{{\mathit{A}}_0}\right\}$.

Recall that by the function ${\mathrm{Eval}}_p$: ${\left({\mathbb{Z}}_q^{n\times m}\right)}^p\to {\mathbb{Z}}_q^{n\times m}$, for the two identities $\mathcal{F}\left({\mathit{id}}_1\right),\mathcal{F}\left({\mathit{id}}_2\right)$, we have a deterministic function $\mathcal{H}$ such that

$$\mathcal{H}\left({\mathit{id}}_1\right)={\mathit{B}}_0+\sum _{(j_1,j_2,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1\right)}{\mathrm{Eval}}_p({\mathit{A}}_{1,j_1},{\mathit{A}}_{2,j_2},\cdots ,{\mathit{A}}_{p,j_p}).$$

$$\mathcal{H}\left({\mathit{id}}_2\right)={\mathit{B}}_0+\sum _{(j_1,j_2,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_2\right)}{\mathrm{Eval}}_p({\mathit{A}}_{1,j_1}^{{}^{\prime }},{\mathit{A}}_{2,j_2}^{{}^{\prime }},\cdots ,{\mathit{A}}_{p,j_p}^{{}^{\prime }}).$$

(2).

$\mathrm{KeyGen}(pp,\mathit{id},msk$)$\to s{k}_{\mathit{id}}$: On input the public parameter $pp$, the user’s identity $\mathit{id}$ and the master secret key $msk$. This algorithm $\mathrm{KeyGen}$ outputs the secret key $s{k}_{\mathit{id}}$, it works as follows:

-

It runs algorithm $\mathrm{SampleLeft}({\mathit{A}}_0,\mathcal{H}\left(\mathit{id}\right),{\mathit{T}}_{{\mathit{A}}_0})$ to generate $\mathit{e}$ such that ${\mathit{F}}_{\mathit{id}}·\mathit{e}=u$ where ${\mathit{F}}_{\mathit{id}}=\left[{\mathit{A}}_0\right|\mathcal{H}\left(\mathit{id}\right)]$. Then it set $s{k}_{\mathit{id}}=\mathit{e}\in {\mathbb{Z}}_q^{2m}$.

-

For two independent receivers, we let ${\mathit{e}}_1$ and ${\mathit{e}}_2$ denote the first and second receiver’s secret key.

The two independent receivers’ secret keys are $s{k}_{{\mathit{id}}_1}={\mathit{e}}_1\in {\mathbb{Z}}_q^{2m}$, $s{k}_{{\mathit{id}}_2}={\mathit{e}}_2\in {\mathbb{Z}}_q^{2m}$.

(3).

$\mathrm{Encrypt}（pp,{\mathit{id}}_1,{\mathit{id}}_2,\mu$)$\to \mathit{c}$: On input the public parameter $pp$, the user’s identities ${\mathit{id}}_1,{\mathit{id}}_2$ and the message bit $\mu \in \{0,1\}$. This algorithm outputs the ciphertext $\mathit{c}$. it works as follows:

-

It firstly gets $\mathcal{H}\left({\mathit{id}}_1\right)$ and $\mathcal{H}\left({\mathit{id}}_2\right)$ as above.

-

Choose a randomly uniform vector $\mathit{s}\in {\mathbb{Z}}_q^n$, and error terms $x\stackrel{{\overline{\mathsf{\Psi }}}_{\alpha }}{\leftarrow }{\mathbb{Z}}_q$, ${\mathit{x}}_{1,1},{\mathit{x}}_{1,2},\stackrel{{\overline{\mathsf{\Psi }}}_{\alpha }^m}{\leftarrow }{\mathbb{Z}}_q^m$, and ${\mathit{x}}_{2,1},{\mathit{x}}_{2,2}\leftarrow {\{-B,B\}}^m$, compute

$$c_0=u^{\top }\mathit{s}+x+\mu \lfloor q/2\rfloor \in {\mathbb{Z}}_q.$$

$${\mathit{c}}_1={\mathit{F}}_{{\mathit{id}}_1}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,1}\\ {\mathit{x}}_{2,1}\end{array}\right]\in {\mathbb{Z}}_q^{2m}.$$

$${\mathit{c}}_2={\mathit{F}}_{{\mathit{id}}_2}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,2}\\ {\mathit{x}}_{2,2}\end{array}\right]\in {\mathbb{Z}}_q^{2m}.$$

The ciphertext is $\mathit{c}=\{c_0,{\mathit{c}}_1,{\mathit{c}}_2\}$.

(4).

$\mathrm{Decrypt}(pp,s{k}_{{\mathit{id}}_1}/s{k}_{{\mathit{id}}_2},\mathit{c}$)$\to \mu$: On input the public parameter $pp$, a secret key ${(s{k}_{{\mathit{id}}_{i^{\prime }}})}_{i^{\prime }\in \{1,2\}}$ and the ciphertext $\mathit{c}$, do:

-

For $i^{\prime }\in \{1,2\}$, compute ${\mu }^{\prime }=c_0-{\mathit{e}}_{i^{\prime }}^{\top }{\mathit{c}}_{i^{\prime }}$.

-

$\mu =1$ if $|{\mu }^{\prime }-\lfloor q/2\rfloor |<\lfloor q/4\rfloor$. Otherwise $\mu =0$.

-

Finally, it outputs the message $\mu$.

3.2. Correctness

We firstly compute

$$\begin{array}{cc}\hfill {\mu }^{\prime }& =c_0-{\mathit{e}}_{i^{\prime }}^{\top }{\mathit{c}}_{i^{\prime }}\hfill \\ & ={\mathit{u}}^{\top }\mathit{s}+x+\mu \lfloor q/2\rfloor -{\mathit{e}}_{i^{\prime }}^{\top }({\mathit{F}}_{{\mathit{id}}_{i^{\prime }}}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right])\hfill \\ & =\mu \lfloor q/2\rfloor +x-{\mathit{e}}_{i^{\prime }}^{\top }\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right]\hfill \end{array}.$$

(4)

Let ${\mathit{e}}_{i^{\prime }}=\left[\begin{array}{c}{\left({\mathit{e}}_{i^{\prime }}\right)}_1\\ {\left({\mathit{e}}_{i^{\prime }}\right)}_2\end{array}\right]$ where ${\left({\mathit{e}}_{i^{\prime }}\right)}_1,{\left({\mathit{e}}_{i^{\prime }}\right)}_2\in {\mathbb{Z}}^m$. Based on Lemma 1 and the formulas in Equations (1) and (2), the error term

$$\begin{array}{cc}& |x-{\mathit{e}}_{i^{\prime }}^{\top }\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right]|\hfill \\ \hfill \le & \left|x\right|+|{\mathit{e}}_{i^{\prime }}^{\top }\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right]|\hfill \\ \hfill =& \left|x\right|+|{\left({\mathit{e}}_{i^{\prime }}\right)}_1^{\top }{\mathit{x}}_{1,i^{\prime }}|+|{\left({\mathit{e}}_{i^{\prime }}\right)}_2^{\top }{\mathit{x}}_{2,i^{\prime }}|\hfill \\ \hfill \le & q\alpha \omega \left(\sqrt{logm}\right)+\frac{1}{2}+\sigma \sqrt{m}q\alpha \omega \left(\sqrt{logm}\right)+\frac{\sigma m}{2}\hfill \\ & +\sigma \sqrt{m}·O\left(B\sqrt{m}\right)\hfill \\ \hfill \le & q\alpha \sigma m\omega \left(\sqrt{logm}\right)+O\left(B\sigma m\right)\hfill \end{array}$$

(5)

To ensure the correctness of decryption and preform the security proof, we need that:

-

the error term is less than $q/5$ with overwhelming probability(w.h.p)(i.e., $\alpha <{\left[\sigma m\omega \left(\sqrt{logm}\right)\right]}^{-1}$, and $q=\mathsf{\Omega }\left(B\sigma m\right)$),

-

the $\mathrm{TrapGen}$ algorithm can operate (i.e., $m>3(1+\delta )nlogq$ for some $\delta >0$),

-

the Leftover Hash Lemma can be applied to security proof (i.e., $m>(n+1)logq+\omega (logn)$),

-

the SampleLeft and SampleRight algorithm can operate (i.e., $\sigma >{\sigma }_{TG}B\sqrt{m}\omega \left(\sqrt{logm}\right)$ where ${\sigma }_{TG}=O\left(\sqrt{nlogq}\right)$),

-

the Regev’s LWE reduction applies (i.e., $q>2\sqrt{n}/\alpha$) and

-

the security reduction applies (i.e., $\alpha q{m}^{5/2}(1+p^p{n}^{cp-c+1})/B\le \frac{p}{n+1}·{\left(\frac{1}{p{n}^c}\right)}^{p+1}$ i.e., $B\ge \alpha q{m}^{5/2}{p}^{2p}{n}^{2cp+2}$).

3.3. Security

Theorem 2.

If the $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE assumption holds, the above IB-DRE scheme is IND-ID-CPA secure.

Proof. 

Let $\mathcal{A}$ be a probabilistic polynomial-time(PPT) adversary that can break our IB-DRE scheme with advantage $\epsilon >0$. Then there exists a reduction that solves the $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE problem with an negligible advantage. Let $Q=Q\left(n\right)$ is the upper bound of the number of KeyGen queries and $I=\{({\mathit{id}}_1^{*},{\mathit{id}}_2^{*}),{({\mathit{id}}_1^{յ},{\mathit{id}}_2^{յ})}_{յ\in \left[Q\right]}\}$ where $({\mathit{id}}_1^{*},{\mathit{id}}_2^{*})$ are the challenge IDs and ${({\mathit{id}}_1^{յ},{\mathit{id}}_2^{յ})}_{յ\in \left[Q\right]}$ are the queried IDs. Different from $Q\le \frac{q}{2}$ in [11], here we let $Q\le \frac{n^c}{4}-1$ where $c=c\left(n\right)$. We show the security via the following games. In each game, we define a value $r\in \{0,1\}$ and let $W_i$ denote the event that the adversary correctly guesses the challenge bit, i.e., the challenger outputs $r^{\prime }=r$ in ${\mathbf{Game}}_i$. $|Pr\left[W_i\right]-\frac{1}{2}|$ is the adversary’s advantage.

${\mathbf{Game}}_0$. This is the real IND-ID-CPA game between an adversary $\mathcal{A}$ and the challenger. We have

$$|Pr\left[W_0\right]-\frac{1}{2}|=|Pr[r^{\prime }=r]-\frac{1}{2}|=\epsilon .$$

${\mathbf{Game}}_1$. This game is as same as ${\mathbf{Game}}_0$ except we add an abort event at the end of the game. The challenger chooses randomly $y_{i,j},y_{i,j}^{{}^{\prime }}\leftarrow [1,p{n}^c]$ and $y_0\leftarrow [-(n+1){\left(p{n}^c\right)}^p,0]$. Let $y=\{y_0,{\left(y_{i,j}\right)}_{(i,j)\in [p,l]}\}$ and $y^{{}^{\prime }}=\{y_0,{\left(y_{i,j}^{{}^{\prime }}\right)}_{(i,j)\in [p,l]}\}$. Let H and $H^{{}^{\prime }}$ be two function where

$$H\left({\mathit{id}}_1\right)=y_0+\sum _{(j_1,j_2,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1\right)}{y}_{i,j_1}\cdots y_{i,j_p}.$$

$$H^{{}^{\prime }}\left({\mathit{id}}_2\right)=y_0+\sum _{(j_1,j_2,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_2\right)}{y}_{i,j_1}^{{}^{\prime }}\cdots y_{i,j_p}^{{}^{\prime }}.$$

For $I=\{({\mathit{id}}_1^{*},{\mathit{id}}_2^{*}),{({\mathit{id}}_1^{յ},{\mathit{id}}_2^{յ})}_{j\in \left[Q\right]}\}$, the challenger checks whether the following formula holds:

$$H\left({\mathit{id}}_1^{*}\right)=0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}(H\left({\mathit{id}}_1^{յ}\right)\ne 0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0).$$

If they do not hold, the game aborts, i.e., the challenger outputs a random $r^{\prime }\in \{0,1\}$. Otherwise, the challenger outputs $r^{\prime }=r$. By Lemma 8, we have

$$|Pr\left[W_1\right]-\frac{1}{2}|\ge \frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·(\epsilon -\frac{2Q}{n^c}).$$

Lemma 8

([11,14]). Let $\eta \left(I\right)$ denotes the non-abort probability, and $\eta \left(I\right)=Pr[H\left({\mathit{id}}_1^{*}\right)=0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0{\bigwedge }_{յ=1}^Q(H\left({\mathit{id}}_1^{յ}\right)\ne 0\wedge H^{{}^{\prime }}\left({\mathbf{id}}_2^{յ}\right)\ne 0)]$. ${\eta }_{min},{\eta }_{max}$ denote the minimum and maximum probability of $\eta \left(I\right)$, respectively. Then we have $|Pr\left[W_1\right]-\frac{1}{2}|={\eta }_{min}·|Pr\left[W_0\right]-\frac{1}{2}|-({\eta }_{max}-{\eta }_{min})/2\ge \frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·(\epsilon -\frac{2Q}{n^c})$.

Proof of Lemma 8 

For $(Q+1)$-tuple identities, the non-abort probability $\eta \left(I\right)=Pr[H\left({\mathit{id}}_1^{*}\right)=0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0{\bigwedge }_{յ=1}^Q(H\left({\mathit{id}}_1^{յ}\right)\ne 0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0)]$. As we know, the non-abort probability is taken over $\mathit{y}=\{y_0,{\left(y_{i,j}\right)}_{(i,j)\in [p,l]}\}$ and ${\mathit{y}}^{{}^{\prime }}=\{y_0,{\left(y_{i,j}^{{}^{\prime }}\right)}_{(i,j)\in [p,l]}\}$ which are chose in ${\mathbf{Game}}_1$. For any $y_{i,j}$ and $y_{i,j}^{{}^{\prime }}$, we can find a $y_0\leftarrow [-(n+1){\left(p{n}^c\right)}^p,0]$ such that $Pr[H\left({\mathit{id}}_1^{*}\right)=0]$ and $Pr[H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0]$ are

$$0\le \sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{*}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}\le \sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{*}\right)}{\left(p{n}^c\right)}^p<(n+1){\left(p{n}^c\right)}^p,$$

(6)

$$0\le \sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_2^{*}\right)}{y}_{1,j_1}^{{}^{\prime }},\cdots ,y_{p,j_p}^{{}^{\prime }}\le \sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_2^{*}\right)}{\left(p{n}^c\right)}^p<(n+1){\left(p{n}^c\right)}^p.$$

(7)

We have $Pr[H\left({\mathit{id}}_1^{*}\right)=0]=Pr[H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0]=\frac{1}{n+1}·{\left(\frac{1}{p{n}^c}\right)}^p$. Therefore, the upper bound of non-abort probability $\eta \left(I\right)$ is

$$\eta \left(I\right)\le Pr[H\left({\mathit{id}}_1^{*}\right)=0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0]=\frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}.$$

(8)

Next we give the lower bound of non-abort probability $\eta \left(I\right)$.

$$\begin{array}{cc}\hfill \eta \left(I\right)=& Pr[H\left({\mathit{id}}_1^{*}\right)=0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}(H\left({\mathit{id}}_1^{յ}\right)\ne 0\wedge H^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0)]\hfill \\ \hfill =& Pr[H\left({\mathit{id}}_1^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}H\left({\mathit{id}}_1^{յ}\right)\ne 0]·Pr[H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}{H}^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0].\hfill \end{array}$$

(9)

Then we calculate the lower bound of $Pr[H\left({\mathit{id}}_1^{*}\right)=0{\bigwedge }_{յ=1}^{Q}H\left({\mathit{id}}_1^{յ}\right)\ne 0]$ and $Pr[H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0{\bigwedge }_{յ=1}^Q{H}^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0]$, respectively.

$$\begin{array}{cc}\hfill & Pr[H\left({\mathit{id}}_1^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}H\left({\mathit{id}}_1^{յ}\right)\ne 0]\hfill \\ \hfill =& Pr[\underset{յ=1}{\overset{Q}{\bigwedge }}H\left({\mathit{id}}_1^{յ}\right)\ne 0|H\left({\mathit{id}}_1^{*}\right)=0]·Pr[H\left({\mathit{id}}_1^{*}\right)=0]\hfill \\ \hfill =& \left(1-Pr[\underset{յ=1}{\overset{Q}{\bigvee }}H\left({\mathit{id}}_1^{յ}\right)=0|H\left({\mathit{id}}_1^{*}\right)=0]\right)·Pr[H\left({\mathit{id}}_1^{*}\right)=0]\hfill \\ \hfill \ge & \left(1-\sum _{յ\in Q}Pr[H\left({\mathit{id}}_1^{յ}\right)=0|H\left({\mathit{id}}_1^{*}\right)=0]\right)·Pr[H\left({\mathit{id}}_1^{*}\right)=0]\hfill \\ \hfill =& \frac{1}{n+1}·{\left(\frac{1}{p{n}^c}\right)}^p·\left(1-\sum _{յ\in Q}Pr[H\left({\mathit{id}}_1^{յ}\right)=0|H\left({\mathit{id}}_1^{*}\right)=0]\right)\hfill \\ \hfill \ge & \frac{1}{n+1}·{\left(\frac{1}{p{n}^c}\right)}^p·\left(1-\frac{Q}{n^c}\right).\hfill \end{array}$$

(10)

The last equation follows the fact that since $H\left({\mathit{id}}_1^{*}\right)=0$, so we have $y_0=-{\sum }_{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{*}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}$. Then the probability of

$$\begin{array}{cc}\hfill & Pr[H\left({\mathit{id}}_1^{յ}\right)=0|H\left({\mathit{id}}_1^{*}\right)=0]=Pr\left[y_0+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_{յ}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}=0\right]\hfill \\ \hfill =& Pr\left[-\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{*}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{յ}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}=0\right].\hfill \end{array}$$

(11)

Since ${\mathit{id}}_1^{*}\ne {\mathit{id}}_1^{յ}$ and $\mathcal{F}$ is an injective function, then $\mathcal{F}\left({\mathit{id}}_1^{յ}\right)\ne \mathcal{F}\left({\mathit{id}}_1^{*}\right)$, the equation ${\sum }_{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{յ}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}-{\sum }_{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{*}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}$ can be seen as a polynomial with degree p. Since $y_{i,j}\leftarrow [1,p{n}^c]$, the probability of

$$Pr\left[-\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{*}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1^{յ}\right)}{y}_{1,j_1},\cdots ,y_{p,j_p}=0\right]\le \frac{p}{p{n}^c}=\frac{1}{n^c}.$$

(12)

By the same method, we can get $Pr[H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0{\bigwedge }_{յ=1}^Q{H}^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0]=\frac{1}{n+1}·{\left(\frac{1}{p{n}^c}\right)}^p·\left(1-\frac{Q}{n^c}\right)$. Finally, the non-abort probability

$$\eta \left(I\right)=Pr[H\left({\mathit{id}}_1^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}H\left({\mathit{id}}_1^{յ}\right)\ne 0]·Pr[H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0\underset{յ=1}{\overset{Q}{\bigwedge }}{H}^{{}^{\prime }}\left({\mathit{id}}_2^{յ}\right)\ne 0]\ge \frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·{(1-\frac{Q}{n^c})}^2.$$

(13)

Then we have ${\eta }_{min}=\frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·{(1-\frac{Q}{n^c})}^2$, ${\eta }_{max}=\frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}$. Finally,

$$\begin{array}{cc}\hfill & |Pr\left[W_1\right]-\frac{1}{2}|\ge {\eta }_{min}·\epsilon -({\eta }_{max}-{\eta }_{min})/2\hfill \\ \hfill =& \frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·{(1-\frac{Q}{n^c})}^2·\epsilon -\frac{\frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}-\frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·{(1-\frac{Q}{n^c})}^2}{2}\hfill \\ \hfill =& \frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·{(1-\frac{Q}{n^c})}^2·\epsilon -\frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}\left(\frac{1}{2}-\frac{1}{2}{(1-\frac{Q}{n^c})}^2\right)\hfill \\ \hfill \ge & \frac{1}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·(\epsilon -\frac{2Q}{n^c})\hfill \end{array}$$

(14)

The last inequality due to that $\epsilon \le \frac{1}{2}$. ☐

${\mathbf{Game}}_2$. In this game, we change the way ${\mathit{A}}_{i,j},{\mathit{A}}_{i,j}^{{}^{\prime }}$ and ${\mathit{B}}_0$ are generated. The challenger firstly chooses $\mathit{y}=\{y_0,{\left(y_{i,j}\right)}_{(i,j)\in [p,l]}\}$, ${\mathit{y}}^{{}^{\prime }}=\{y_0,{\left(y_{i,j}^{{}^{\prime }}\right)}_{(i,j)\in [p,l]}\}$ as ${\mathbf{Game}}_1$ and then chooses three matrices ${\mathit{R}}_0,{\mathit{R}}_{i,j},{\mathit{R}}_{i,j}^{{}^{\prime }}\in {\{-1,1\}}^{m\times m}$. Compute

$${\mathit{B}}_0={\mathit{A}}_0{\mathit{R}}_0+y_0\mathit{G}$$

(15)

$${\mathit{A}}_{i,j}={\mathit{A}}_0{\mathit{R}}_{i,j}+y_{i,j}\mathit{G}$$

(16)

$${\mathit{A}}_{i,j}^{{}^{\prime }}={\mathit{A}}_0{\mathit{R}}_{i,j}^{{}^{\prime }}+y_{i,j}^{{}^{\prime }}\mathit{G}$$

(17)

Based on Lemma 6, the distribution ($\mathit{A}$, ${\mathit{A}}_0{\mathit{R}}_0+y_0\mathit{G}$, ${\mathit{A}}_0{\mathit{R}}_{i,j}+y_{i,j}\mathit{G}$, ${\mathit{A}}_0{\mathit{R}}_{i,j}^{{}^{\prime }}+y_{i,j}^{{}^{\prime }}\mathit{G}$) is $\mathrm{negl}\left(n\right)$-close to the distribution ($\mathit{A}$, ${\mathit{B}}_0$, ${\mathit{A}}_{i,j}$, ${\mathit{A}}_{i,j}^{{}^{\prime }}$). Therefore, we have

$$|Pr\left[W_1\right]-Pr\left[W_2\right]|=\mathrm{negl}\left(n\right).$$

Before the next game, for any $\mathit{id}\in \mathcal{ID}$, we make a definition as follow. Let

$${\mathit{R}}_{{\mathit{id}}_1}={\mathit{R}}_0+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1\right)}{\mathrm{TrapEval}}_p({\mathit{R}}_{1,j_1},\cdots ,{\mathit{R}}_{p,j_p}),$$

$${\mathit{R}}_{{\mathit{id}}_2}={\mathit{R}}_0+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_2\right)}{\mathrm{TrapEval}}_p({\mathit{R}}_{1,j_1}^{{}^{\prime }},\cdots ,{\mathit{R}}_{p,j_p}^{{}^{\prime }}).$$

Based on Lemma 3, we have

$$\begin{array}{cc}\hfill & \parallel {\mathit{R}}_{{\mathit{id}}_1}\parallel \le \parallel {\mathit{R}}_0\parallel +\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_1\right)}\parallel {\mathrm{TrapEval}}_p({\mathit{R}}_{1,j_1},\cdots ,{\mathit{R}}_{p,j_p})\parallel \hfill \\ \hfill \le & m+nmp{\left(p{n}^c\right)}^{p-1}=m(1+p^p{n}^{cp-c+1}).\hfill \end{array}$$

(18)

$\parallel {\mathit{R}}_{{\mathit{id}}_2}\parallel$ is the same as $\parallel {\mathit{R}}_{{\mathit{id}}_1}\parallel$.

${\mathbf{Game}}_3$. In this game, we show that when we change the ciphertext is generated, the distributions ${\mathit{x}}_{2,i^{\prime }}$ and ${\mathit{R}}_{{\mathit{id}}_{i^{\prime }}^{*}}^{\top }{\mathit{x}}_{1,i^{\prime }}+{\mathit{x}}_{2,i^{\prime }}$ are within statistical distance $\alpha q{m}^{5/2}(1+p^p{n}^{cp-c+1})/B$ where $i^{\prime }\in \{1,2\}$. The challenge ciphertext is generated as follows: the challenger firstly chooses $\mathit{s}\in {\mathbb{Z}}_q^n$, $x\stackrel{{\overline{\mathsf{\Psi }}}_{\alpha }}{\leftarrow }{\mathbb{Z}}_q^n$, ${\mathbf{x}}_{1,1},{\mathit{x}}_{1,2},\stackrel{{\overline{\mathsf{\Psi }}}_{\alpha }^m}{\leftarrow }{\mathbb{Z}}_q^m$, ${\mathit{x}}_{2,1},{\mathit{x}}_{2,2}\leftarrow {\{-B,B\}}^m$ and computes ${\mathit{R}}_{{\mathit{id}}_1^{*}}$, ${\mathit{R}}_{{\mathit{id}}_2^{*}}$. The challenge ciphertext

$$c_0^{*}=u^{\top }\mathit{s}+x+{\mu }^{*}\lfloor q/2\rfloor ,$$

$${\mathit{c}}_1^{*}={\left({\mathit{A}}_0\right|\mathcal{H}\left({\mathit{id}}_1^{*}\right))}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,1}\\ {\mathit{R}}_{{\mathit{id}}_1^{*}}^{\top }{\mathit{x}}_{1,1}+{\mathit{x}}_{2,1}\end{array}\right],$$

$${\mathit{c}}_2^{*}={\left({\mathit{A}}_0\right|\mathcal{H}\left({\mathit{id}}_2^{*}\right))}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,2}\\ {\mathit{R}}_{{\mathit{id}}_2^{*}}^{\top }{\mathit{x}}_{1,2}+{\mathit{x}}_{2,2}\end{array}\right].$$

${\mu }^{*}\in \{0,1\}$ is the message chosen by $\mathcal{A}$.

Since ${\mathit{x}}_{1,i^{\prime }}\stackrel{{\overline{\mathsf{\Psi }}}_{\alpha }^m}{\leftarrow }$, by the formula in Equation (18) we have

$$\begin{array}{cc}\hfill \parallel {\mathit{R}}_{{\mathit{id}}_{i^{\prime }}^{*}}^{\top }{\mathit{x}}_{1,i^{\prime }}{\parallel }_{\infty }\le & \parallel {\mathit{R}}_{{\mathit{id}}_{i^{\prime }}^{*}}^{\top }{\mathit{x}}_{1,i^{\prime }}\parallel \le \parallel {\mathit{R}}_{{\mathit{id}}_{i^{\prime }}^{*}}^{\top }\parallel ·\parallel {\mathit{x}}_{1,i^{\prime }}\parallel \hfill \\ \hfill \le & m(1+p^p{n}^{cp-c+1})·\alpha q\sqrt{m}\hfill \\ \hfill =& \alpha q{m}^{3/2}(1+p^p{n}^{cp-c+1})\hfill \end{array}$$

(19)

By Lemma 7, let ${\mathit{x}}_{2,i^{\prime }}$ be a fixed vector, the distributions ${\mathit{x}}_{2,i^{\prime }}$ and ${\mathit{R}}_{{\mathit{id}}_{i^{\prime }}^{*}}^{\top }{\mathit{x}}_{1,i^{\prime }}+{\mathit{x}}_{2,i^{\prime }}$ are within statistical distance $\alpha q{m}^{5/2}(1+p^p{n}^{cp-c+1})/B\le \frac{p}{n+1}·{\left(\frac{1}{p{n}^c}\right)}^{p+1}$.

${\mathbf{Game}}_4$. In this game, we change the way ${\mathit{A}}_0$ is generated. The challenger chooses a random matrix ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$ instead of using the TrapGen algorithm. For the secret key queries, the challenger respond by the SampleRight instead of SampleLeft. By the definition of ${\mathit{R}}_{\mathit{id}}$, we have $\mathcal{H}\left({\mathit{id}}_1\right)={\mathit{A}}_0·({\mathit{R}}_{{\mathit{id}}_1}+H\left({\mathit{id}}_1\right)\mathit{G})$, ${\mathcal{H}}^{{}^{\prime }}\left({\mathit{id}}_2\right)={\mathit{A}}_0·({\mathit{R}}_{{\mathit{id}}_2}+H^{{}^{\prime }}\left({\mathit{id}}_2\right)\mathit{G})$. If $H\left({\mathit{id}}_1\right)=0$ or $H^{{}^{\prime }}\left({\mathit{id}}_2\right)=0$, the challenger aborts and returns a random bit. Otherwise, it returns ${\mathit{e}}_1$ and ${\mathit{e}}_2$ to $\mathcal{A}$ where

$${\mathit{e}}_1\leftarrow \mathrm{SampleRight}({\mathit{A}}_0,\mathit{G},{\mathit{R}}_{{\mathit{id}}_1},H\left({\mathit{id}}_1\right),u,{\mathit{T}}_{\mathit{G}})$$

$${\mathit{e}}_2\leftarrow \mathrm{SampleRight}({\mathit{A}}_0,\mathit{G},{\mathit{R}}_{{\mathit{id}}_2},H^{{}^{\prime }}\left({\mathit{id}}_2\right),\mathit{u},{\mathit{T}}_{\mathit{G}}).$$

In particular, the challenger checks if the challenge identity $({\mathit{id}}_1^{*},{\mathit{id}}_2^{*})$ satisfies $H\left({\mathit{id}}_1^{*}\right)=0$ and $H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0$. If not, the game aborts as in ${\mathbf{Game}}_1$.

Since in the adversary’s view, ${\mathbf{Game}}_2$ and ${\mathbf{Game}}_4$ are identical (the public parameters, abort conditions, responses to private key queries and the challenge ciphertext). The advantage of the adversary $\mathcal{A}$ is identical to ${\mathbf{Game}}_2$, i.e.,

$$|Pr\left[W_2\right]-Pr\left[W_4\right]|=\mathrm{negl}\left(n\right).$$

${\mathbf{Game}}_5$. As we know, the ciphertext space is $\mathcal{C}\in {\mathbb{Z}}_q\times {\mathbb{Z}}_q^{2m}\times {\mathbb{Z}}_q^{2m}$. In this game, the challenger set the ciphertext as ${\mathit{c}}^{*}=\{c_0,{\mathit{c}}_1^{*},{\mathit{c}}_2^{*}\}$ which is uniformly random in ${\mathbb{Z}}_q\times {\mathbb{Z}}_q^{2m}\times {\mathbb{Z}}_q^{2m}$ in the challenge phase. The advantage of the adversary $\mathcal{A}$ is 0. As shown in Lemma 9, assuming $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE holds, ${\mathbf{Game}}_4$ and ${\mathbf{Game}}_5$ are computationally indistinguishable, i.e., $|Pr\left[W_4\right]-|Pr\left[W_5\right]|=\mathrm{negl}\left(n\right).$ ☐

Lemma 9.

For any PPT adversary $\mathcal{A}$, there exists a challenger $\mathcal{B}$ such that

$$|Pr\left[W_4\right]-Pr\left[W_5\right]\le \mathrm{LWE}-Adv\left(\mathcal{B}\right).$$

Proof of Lemma 9.

Suppose $\mathcal{A}$ has a non-negligible advantage in distinguishing ${\mathbf{Game}}_4$ and ${\mathbf{Game}}_5$. We use $\mathcal{A}$ to construct an LWE algorithm denoted $\mathcal{B}$.

Recall from Definition 4 that an LWE problem instance is provided as a sampling oracle $\mathcal{O}$ which is either a truly random sampler ${\mathcal{O}}_s^{{}^{\prime }}$ or a noisy pseudo-random sampler ${\mathcal{O}}_s$ for a secret $\mathit{s}\in {\mathbb{Z}}_q^n$. The challenger $\mathcal{B}$ uses the adversary $\mathcal{A}$ to distinguish which the sampler it is given, and proceeds as follows:

Instance. The challenger $\mathcal{B}$ requests from $\mathcal{O}$ to obtains $(m+1)$ LWE samples that we denote as:

$$\{({\mathbf{w}}_0,v_0),({\mathbf{w}}_1,v_1),({\mathbf{w}}_2,v_2),\dots ,({\mathbf{w}}_m,v_m)\}\in ({\mathbb{Z}}_q^n\times {\mathbb{Z}}_q)$$

Setup. The challenger $\mathcal{B}$ constructs the public parameters $pp$ as follows:

(1)

Construct a matrix ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$ by assembling m LWE samples such that ${\mathit{A}}_0=({\mathit{w}}_1,{\mathit{w}}_2,\dots ,{\mathit{w}}_m)$, and let $u={\mathit{w}}_0$.

(2)

Choose $\mathit{y}$ as in ${\mathbf{Game}}_1$ and constructs the remainder of the public parameters as in ${\mathbf{Game}}_2$.

(3)

Send the $pp=\{{\mathit{A}}_0,{\left({\mathit{A}}_{i,j}\right)}_{(i,j)\in [p,l]},{\left({\mathit{A}}_{i,j}^{{}^{\prime }}\right)}_{(i,j)\in [p,l]},{\mathit{B}}_0,u\}$ to $\mathcal{A}$.

Queries. $\mathcal{A}$ makes secret key query. The challenger $\mathcal{B}$ computes and checks if $H\left(\mathit{id}\right)=0$. If it holds, it aborts. Otherwise it generate the secret key for $\mathcal{A}$ as in ${\mathbf{Game}}_4$.

Challenge. $\mathcal{A}$ sends a message bit ${\mu }^{*}\in \{0,1\}$ and the target identities $({\mathit{id}}_1^{*},{\mathit{id}}_2^{*})$ to $\mathcal{B}$. The challenger $\mathcal{B}$ constructs ${\mathit{v}}^{*}={(v_1,v_2,\cdots ,v_m)}^{\top }$ where $v_0,v_1,\cdots ,v_m\in {\mathbb{Z}}_q$ is the LWE samples. $\mathcal{B}$ chooses ${\mathit{x}}_{2,1},{\mathit{x}}_{2,2}\leftarrow {\{-B,B\}}^m$. The challenge ciphertext

$$c_0^{*}=v_0+{\mu }^{*}\lfloor q/2\rfloor$$

$${\mathit{c}}_1^{*}=\left[\begin{array}{c}{\mathit{v}}^{*}+{\mathbf{0}}_m\\ {\mathit{R}}_{{\mathit{id}}_1^{*}}^{\top }{\mathit{v}}^{*}+{\mathit{x}}_{2,1}\end{array}\right]$$

$${\mathit{c}}_2^{*}=\left[\begin{array}{c}{\mathit{v}}^{*}+{\mathbf{0}}_m\\ {\mathit{R}}_{{\mathit{id}}_2^{*}}^{\top }{\mathit{v}}^{*}+{\mathit{x}}_{2,2}\end{array}\right].$$

$\mathcal{B}$ sends the challenge ciphertext ${\mathit{c}}^{*}=\{c_0^{*},{\mathit{c}}_1^{*},{\mathit{c}}_2^{*}\}$ to $\mathcal{A}$.

Note that when $\mathcal{O}={\mathcal{O}}_s$, the ciphertext is valid.(We just argue only when no abort happens). Since $H\left({\mathit{id}}_1^{*}\right)=0$ and $H^{{}^{\prime }}\left({\mathit{id}}_2^{*}\right)=0$, we have ${\mathit{F}}_{{\mathit{id}}_1^{*}}=\left[{\mathit{A}}_0\right|\mathcal{H}\left({\mathit{id}}_1^{*}\right)]=\left[{\mathit{A}}_0\right|{\mathit{A}}_0{\mathit{R}}_{{\mathit{id}}_1^{*}}]$ where $\mathcal{H}\left({\mathit{id}}_1^{*}\right)={\mathit{A}}_0·({\mathit{R}}_{{\mathit{id}}_1^{*}}+H\left({\mathit{id}}_1^{*}\right)\mathit{G})={\mathit{A}}_0·{\mathit{R}}_{{\mathit{id}}_1^{*}}$. The same as ${\mathit{F}}_{{\mathit{id}}_1^{*}}$, we have ${\mathit{F}}_{{\mathit{id}}_2^{*}}=\left[{\mathit{A}}_0\right|{\mathit{A}}_0{\mathit{R}}_{{\mathit{id}}_2^{*}}]$. By definition of ${\mathcal{O}}_s$, we know ${\mathit{v}}^{*}={\mathit{A}}_0^{\top }\mathit{s}+\mathit{x}$. Then we have

$$c_0^{*}=v_0+{\mu }^{*}\lfloor q/2\rfloor =({\mathit{u}}^{\top }\mathit{s}+x_0)+{\mu }^{*}\lfloor q/2\rfloor$$

(20)

$$\begin{array}{c}\hfill {\mathit{c}}_1^{*}=\left[\begin{array}{c}{\mathit{v}}^{*}+{\mathbf{0}}_m\\ {\mathit{R}}_{{\mathit{id}}_1^{*}}^{\top }{\mathit{v}}^{*}+{\mathit{x}}_{2,1}\end{array}\right]=\left[\begin{array}{c}{\mathit{A}}_0^{\top }\mathit{s}+\mathit{x}+{\mathbf{0}}_m\\ {\mathit{R}}_{{\mathit{id}}_1^{*}}^{\top }({\mathit{A}}_0^{\top }\mathit{s}+\mathit{x})+{\mathit{x}}_{2,1}\end{array}\right]=\left[\begin{array}{c}{\mathit{A}}_0^{\top }\mathit{s}+\mathit{x}+{\mathbf{0}}_m\\ {\left({\mathit{A}}_0{\mathit{R}}_{{\mathit{id}}_1^{*}}\right)}^{\top }\mathit{s}+{\mathit{R}}_{{\mathit{id}}_1^{*}}^{\top }\mathit{x}+{\mathit{x}}_{2,1}\end{array}\right]={\mathit{F}}_{{\mathit{id}}_1^{*}}^{\top }\mathit{s}+\left[\begin{array}{c}\mathit{x}\\ {\mathit{R}}_{{\mathit{id}}_1^{*}}^{\top }\mathit{x}+{\mathit{x}}_{2,1}\end{array}\right]\end{array}$$

(21)

The same as ${\mathit{c}}_1^{*}$, ${\mathit{c}}_2^{*}$ is also valid. It is also similar to the ${\mathbf{Game}}_3$.

When $\mathcal{O}={\mathcal{O}}_s^{{}^{\prime }}$, $v_0\in {\mathbb{Z}}_q$ and ${\mathit{v}}^{*}\in {\mathbb{Z}}_q^m$ are all uniform. Therefore $c_0^{*},{\mathit{c}}_1^{*},{\mathit{c}}_2^{*}$ are uniform in $\in {\mathbb{Z}}_q\times {\mathbb{Z}}_q^{2m}\times {\mathbb{Z}}_q^{2m}$ by the Lemma 6.

Guess. After being allowed to make additional secret key queries, $\mathcal{A}$ guesses if it is interacting with a ${\mathbf{Game}}_4$ or ${\mathbf{Game}}_5$ challenger. $\mathcal{B}$ output $\mathcal{A}$’s guess as the answer to the LWE challenge it is trying to solve. Therefore we have $\mathrm{LWE}-Adv\left(\mathcal{B}\right)=|Pr\left[W_4\right]-Pr\left[W_5\right]|$. ☐

4. Adaptively Secure Hierarchical IB-DRE Scheme with Short Public Parameter

To lighten the pressure of the KGC, hierarchical IBE (HIBE) scheme was proposed. In HIBE, the user’s identity can be described by an identity tuple, and we let ${\mathcal{ID}}_k=({\mathit{id}}_1,{\mathit{id}}_2,\cdots ,{\mathit{id}}_k)$ denote an identity at the depth k. There are many users at each depth. In this section, we use ${\mathcal{ID}}_{k,1}$ and ${\mathcal{ID}}_{k,2}$ to denote the two arbitrary receivers at the depth k in our HIB-DRE scheme.

As we all know, when convert an selectively secure HIBE scheme in [11] to an adaptively secure HIBE, for an identity ${\mathcal{ID}}_k=({\mathit{id}}_1,{\mathit{id}}_2,\cdots ,{\mathit{id}}_k)$ at the depth k, the key generation matrix/encryption matrix would be

$${\mathit{F}}_{{\mathcal{ID}}_k}=[{\mathit{A}}_0|{\mathit{B}}_0+\sum _{j=1}^n{b}_{1,j}{\mathit{A}}_{1,j}|\cdots |{\mathit{B}}_0+\sum _{j=1}^n{b}_{k,j}{\mathit{A}}_{k,j}]\in {\mathbb{Z}}_q^{n\times (k+1)m}.$$

where ${\left({\mathit{A}}_{i,j}\right)}_{i\in \left[k\right],j\in \left[n\right]}$ is the matrices in the public parameters.

Therefore the public parameters would be $2dn+2$ matrices which lead to a high storage cost. d is the maximum hierarchy depth.

In this section, we construct an adaptively secure HIB-DRE scheme with short public parameters. There are also four algorithms in this scheme: $\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Encrypt} \mathrm{and} \mathrm{Decrypt}$. In this scheme, we use the same injective map function and homomorphic computation technique to reduce the size of public parameters from $2dn+2$ matrices to $2dp{n}^{\frac{1}{p}}+2$ matrices. Different to the adaptively secure IB-DRE scheme in Section 3, we use the $\mathrm{SampleBasisLeft}$ [11] algorithm to generate the user’s secret key, and $\mathrm{SampleBasisRight}$ algorithm for the security proof. In the $\mathrm{KeyGen}$ phase, it needs to input a secret key for the identity at depth $l-1$, and then outputs a secret key for the identity at depth l.

$\mathrm{SampleBasisLeft}({\mathit{M}}_1,\mathit{M},{\mathit{T}}_{{\mathit{M}}_1},\sigma$): On input two matrices ${\mathit{M}}_1\in {\mathbb{Z}}_q^{n\times m_1}$, $\mathit{M}\in {\mathbb{Z}}_q^{n\times m}$, a “short” basis ${\mathit{T}}_{{\mathit{M}}_1}$ of ${\mathsf{\Lambda }}_q^{\perp }\left({\mathit{M}}_1\right)$ and a Gaussian parameter $\sigma \ge \parallel \tilde{{\mathit{T}}_{{\mathit{M}}_1}}\parallel \omega \left(\sqrt{logm+m_1}\right)$. This algorithm outputs a short basis $\mathit{E}$ of ${\mathsf{\Lambda }}_q^{\perp }\left({\mathit{F}}_1\right)$ where ${\mathit{F}}_1=\left[{\mathit{M}}_1\right|\mathit{M}]$.

$\mathrm{SampleBasisRight}({\mathit{A}}_0,{\mathit{G}}_{\mathit{id}},\mathit{R},{\mathit{T}}_{\mathit{G}},{\sigma }_k$): On input three matrices ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$, ${\mathit{G}}_{\mathit{id}}\in {\mathbb{Z}}_q^{n\times m_1}$, $\mathit{R}\in {\mathbb{Z}}_q^{m\times m_1}$, a basis ${\mathit{T}}_{\mathit{G}}$ of ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{G}\right)$ and a Gaussian parameter ${\sigma }_k>\parallel \widetilde{{\mathit{T}}_{\mathit{G}}}\parallel ·s_{\mathit{R}}\omega \left(\sqrt{logm}\right)$ where ${\mathit{G}}_{\mathit{id}}=H\left(\mathit{id}\right)\mathit{G}$ and $s_{\mathit{R}}=\parallel \tilde{\mathit{R}}\parallel$. This algorithm outputs a short basis $\mathit{E}$ of ${\mathsf{\Lambda }}_q^{\perp }\left({\mathit{F}}_2\right)$ where ${\mathit{F}}_2=\left[{\mathit{A}}_0\right|{\mathit{A}}_0\mathit{R}+{\mathit{G}}_{\mathit{id}}]$.

4.1. Our Construction

The adaptively secure HIB-DRE scheme with short public parameters consists the following four algorithms.

(1).

$\mathrm{Setup}(d,1^n$)→ ($pp,msk$): on input the maximum hierarchy depth d and the security parameter $1^n$. This algorithm outputs the public parameters $pp$ and master secret key $msk$, do:

-

Perform algorithm TrapGen to generate a uniformly matrix ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$ and a trapdoor ${\mathit{T}}_{{\mathit{A}}_0}\in {\mathbb{Z}}^{m\times m}$.

-

For all identities ${\left({\mathcal{ID}}_k\right)}_{k\in \left[d\right]}={({\mathit{id}}_1,{\mathit{id}}_2,\cdots ,{\mathit{id}}_k)}_{k\in \left[d\right]}$ where ${\mathit{id}}_k\in {\{0,1\}}^n$, select an injective map $\mathcal{F}$ that maps an identity to a subset $\mathcal{F}\left({\mathcal{ID}}_k\right)$ of ${[1,l]}^p$ where $l=\lceil n^{\frac{1}{p}}\rceil$.

-

For $(i,j)\in [p,l]$ and $k\in \left[d\right]$, select $2dpl$ matrices ${\mathit{A}}_{i,j}^k$, ${\overline{\mathit{A}}}_{i,j}^k$.

-

Select a uniformly random vector $\mathit{u}={(u_1,u_2,\dots ,u_n)}^{\top }\in {\mathbb{Z}}_q^n$ and a uniformly random matrix ${\mathit{B}}_0\in {\mathbb{Z}}_q^{n\times m}$.

The public parameter $pp$ = $\{{\mathit{A}}_0$, ${({\mathit{A}}_{i,j}^k,{\overline{\mathit{A}}}_{i,j}^k)}_{(i,j)\in [p,l],k\in \left[d\right]}$, ${\mathit{B}}_0,\mathit{u}\}$, the master secret key $msk=\left\{{\mathit{T}}_{{\mathit{A}}_0}\right\}$.

For two arbitrary receivers ${\mathcal{ID}}_{k,1}$, ${\mathcal{ID}}_{k,2}$ at the depth k. Recall that by the function ${\mathrm{Eval}}_p$: ${\left({\mathbb{Z}}_q^{n\times m}\right)}^p\to {\mathbb{Z}}_q^{n\times m}$, for the two identities $\mathcal{F}\left({\mathcal{ID}}_{k,1}\right),\mathcal{F}\left({\mathcal{ID}}_{k,2}\right)$, let

$${\mathit{B}}_{i,j}^k=\sum _{(j_1,j_2,\cdots ,j_p)\in \mathcal{F}\left({\mathcal{ID}}_{k,1}\right)}{\mathrm{Eval}}_p({\mathit{A}}_{1,j_1}^k,{\mathit{A}}_{2,j_2}^k,\cdots ,{\mathit{A}}_{p,j_p}^k),$$

$${\overline{\mathit{B}}}_{i,j}^k=\sum _{(j_1,j_2,\cdots ,j_p)\in \mathcal{F}\left({\mathcal{ID}}_{k,2}\right)}{\mathrm{Eval}}_p({\overline{\mathit{A}}}_{1,j_1}^k,{\overline{\mathit{A}}}_{2,j_2}^k,\cdots ,{\overline{\mathit{A}}}_{p,j_p}^k).$$

Then construct

$$\mathcal{H}\left({\mathcal{ID}}_{k,1}\right)={\mathit{B}}_0+{\mathit{B}}_{i,j}^1|{\mathit{B}}_0+{\mathit{B}}_{i,j}^2|\cdots |{\mathit{B}}_0+{\mathit{B}}_{i,j}^k,$$

$$\mathcal{H}\left({\mathcal{ID}}_{k,2}\right)={\mathit{B}}_0+{\overline{\mathit{B}}}_{i,j}^1|{\mathit{B}}_0+{\overline{\mathit{B}}}_{i,j}^2|\cdots |{\mathit{B}}_0+{\overline{\mathit{B}}}_{i,j}^k.$$

Note that for $i^{\prime }\in \{1,2\}$, ${\mathit{F}}_{{\mathcal{ID}}_{k,i^{\prime }}}=\left[{\mathit{A}}_0\right|\mathcal{H}\left({\mathcal{ID}}_{k,i^{\prime }}\right)]\in {\mathbb{Z}}_q^{n\times (k+1)m}$.

(2).

$\mathrm{KeyGen}(pp,{\mathcal{ID}}_{k,i^{\prime }},s{k}_{{\mathcal{ID}}_{k-1,i^{\prime }}},msk$)$\to s{k}_{{\mathcal{ID}}_{k,i^{\prime }}}$: On input the public parameter $pp$, the user’s identity ${\mathcal{ID}}_{k,i^{\prime }}$ at depth k where $i^{\prime }\in \{1,2\}$, the secret key $s{k}_{{\mathcal{ID}}_{k-1,i^{\prime }}}$ corresponding to an identity ${\mathcal{ID}}_{k-1,i^{\prime }}$ at depth $k-1$ and the master secret key $msk$. This algorithm KeyGen outputs a secret key $s{k}_{{\mathcal{ID}}_{k,i^{\prime }}}$ as follow:

$${\mathit{E}}_1\leftarrow \mathrm{SampleBasisLeft}({\mathit{F}}_{{\mathcal{ID}}_{k-1,1}},{\mathit{B}}_0+{\mathit{B}}_{i,j}^k,s{k}_{{\mathcal{ID}}_{k-1,1}},{\sigma }_k).$$

$${\mathit{E}}_2\leftarrow \mathrm{SampleBasisLeft}({\mathit{F}}_{{\mathcal{ID}}_{k-1,2}},{\mathit{B}}_0+{\overline{\mathit{B}}}_{i,j}^k,s{k}_{{\mathcal{ID}}_{k-1,2}},{\sigma }_k).$$

The secret key is $s{k}_{{\mathcal{ID}}_{k,i^{\prime }}}={\mathit{E}}_{i^{\prime }}$.

(3).

$\mathrm{Encrypt}(pp,{\mathcal{ID}}_{k,1},{\mathcal{ID}}_{k,2},\mu$)$\to \mathit{c}$: On input the public parameter $pp$, the user’s identities ${\mathcal{ID}}_{k,1},{\mathcal{ID}}_{k,2}$ and the message bit $\mu \in \{0,1\}$. This algorithm outputs the ciphertext $\mathit{c}$. It works as follows:

-

It firstly gets ${\mathit{F}}_{{\mathcal{ID}}_{k,1}}=\left[{\mathit{A}}_0\right|\mathcal{H}\left({\mathcal{ID}}_{k,1}\right)]$ and ${\mathit{F}}_{{\mathcal{ID}}_{k,2}}=\left[{\mathit{A}}_0\right|\mathcal{H}\left({\mathcal{ID}}_{k,2}\right)]$ as above.

-

Choose a randomly uniform vector $\mathit{s}\in {\mathbb{Z}}_q^n$, and a uniformly random matrix $\mathit{R}\leftarrow {\{-1,1\}}^{m\times km}$.

-

Choose error terms $x\stackrel{{\overline{\mathsf{\Psi }}}_{{\alpha }_k}}{\leftarrow }{\mathbb{Z}}_q$, ${\mathit{x}}_{1,1},{\mathit{x}}_{1,2},\stackrel{{\overline{\mathsf{\Psi }}}_{{\alpha }_k}^m}{\leftarrow }{\mathbb{Z}}_q^m$. Let ${\mathit{x}}_{2,1}={\mathit{R}}^{\top }{\mathit{x}}_{1,1},{\mathit{x}}_{2,2}={\mathit{R}}^{\top }{\mathit{x}}_{1,2}$, compute

$$c_0=u^{\top }\mathit{s}+x+\mu \lfloor q/2\rfloor \in {\mathbb{Z}}_q.$$

$${\mathit{c}}_1={\mathit{F}}_{{\mathcal{ID}}_{k,1}}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,1}\\ {\mathit{x}}_{2,1}\end{array}\right]\in {\mathbb{Z}}_q^{(k+1)m}.$$

$${\mathit{c}}_2={\mathit{F}}_{{\mathcal{ID}}_{k,2}}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,2}\\ {\mathit{x}}_{2,2}\end{array}\right]\in {\mathbb{Z}}_q^{(k+1)m}.$$

The ciphertext is $\mathit{c}=\{c_0,{\mathit{c}}_1,{\mathit{c}}_2\}$.

(4).

$\mathrm{Decrypt}(pp,s{k}_{{\mathcal{ID}}_{k,i^{\prime }}},\mathit{c}$)$\to \mu$: On input the public parameter $pp$, a secret key ${\left(s{k}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_{i^{\prime }\in \{1,2\}}$ where ${\mathcal{ID}}_{k,i^{\prime }}$ at depth k and the ciphertext $\mathit{c}$, do:

-

Set ${\overline{\sigma }}_k={\sigma }_k\sqrt{(k+1)m}\omega \left(\sqrt{logkm}\right)$.

-

For $i^{\prime }\in \{1,2\}$, set ${\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\leftarrow \mathrm{SamplePre}({\mathit{F}}_{{\mathcal{ID}}_{k,i^{\prime }}},s{k}_{{\mathcal{ID}}_{k,i^{\prime }}},u,{\overline{\sigma }}_k)$. Then ${\mathit{F}}_{{\mathcal{ID}}_{k,i^{\prime }}}{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}=u$ and $\parallel {\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\le {\overline{\sigma }}_k\sqrt{(k+1)m}\parallel$.

-

Compute ${\mu }^{\prime }=c_0-{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }{\mathit{c}}_{i^{\prime }}\in {\mathbb{Z}}_q$.

-

$\mu =1$ if $|{\mu }^{\prime }-\lfloor q/2\rfloor |<\lfloor q/4\rfloor$. Otherwise $\mu =0$.

-

Finally, it outputs the message $\mu$.

4.2. Correctness

We firstly compute

$$\begin{array}{cc}\hfill {\mu }^{\prime }& =c_0-{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }{\mathit{c}}_{i^{\prime }}\hfill \\ & =u^{\top }\mathit{s}+x+\mu \lfloor q/2\rfloor -{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }({\mathit{F}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }\mathit{s}+\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right])\hfill \\ & =\mu \lfloor q/2\rfloor +x-{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right]\hfill \end{array}$$

(22)

Let ${\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}=\left[\begin{array}{c}{\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_1\\ {\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_2\end{array}\right]$ where ${\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_1\in {\mathbb{Z}}^m,{\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_2\in {\mathbb{Z}}^{km}$. Then we have $\parallel {\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_1\parallel \le {\overline{\sigma }}_k\sqrt{m}$ and ${\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_2\le {\overline{\sigma }}_k\sqrt{km}$ where ${\overline{\sigma }}_k={\sigma }_k\sqrt{(k+1)m}\omega \left(\sqrt{logkm}\right)$. Since ${\mathit{x}}_{2,i^{\prime }}={\mathit{R}}^{\top }{\mathit{x}}_{1,i^{\prime }}$, by Equation (3), $\parallel {\mathit{x}}_{2,i^{\prime }}\parallel =\parallel {\mathit{R}}^{\top }{\mathit{x}}_{1,i^{\prime }}\parallel \le O\left(\sqrt{k}m\right)$

Refer to the formulas in Equations (1) and (2), the error term

$$\begin{array}{cc}\hfill & |x-{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right]|\hfill \\ \hfill \le & \left|x\right|+|{\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}^{\top }\left[\begin{array}{c}{\mathit{x}}_{1,i^{\prime }}\\ {\mathit{x}}_{2,i^{\prime }}\end{array}\right]|\hfill \\ \hfill =& \left|x\right|+|{\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_1^{\top }{\mathit{x}}_{1,i^{\prime }}|+|{\left({\mathit{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\right)}_2^{\top }{\mathit{x}}_{2,i^{\prime }}|\hfill \\ \hfill \le & q{\alpha }_k\omega \left(\sqrt{logm}\right)+\frac{1}{2}+{\overline{\sigma }}_k\sqrt{m}q{\alpha }_k\omega \left(\sqrt{logm}\right)+\frac{{\overline{\sigma }}_{k}m}{2}+{\overline{\sigma }}_k\sqrt{km}·O\left(\sqrt{k}m\right)\hfill \\ \hfill \le & q{k}^2{\alpha }_k{\sigma }_{k}m\omega \left(\sqrt{logm}\right)+O\left(k^{3/2}{\sigma }_k{m}^2\right)\hfill \end{array}$$

(23)

To ensure the correctness of decryption and preform the security proof, for all $1\le k\le d$, we need that:

-

the error term is less than $q/5$ with overwhelming probability (w.h.p) (i.e., ${\alpha }_k<{\left[{\sigma }_{k}m\omega \left(\sqrt{logm}\right)\right]}^{-1}$, and $q=\mathsf{\Omega }\left(k^{3/2}{\sigma }_k{m}^2\right)$),

-

the $\mathrm{TrapGen}$ algorithm can operate (i.e., $m>3(1+\delta )nlogq$ for some $\delta >0$),

-

the Leftover Hash Lemma can be applied to security proof (i.e., $m>(n+1)logq+\omega (logn)$),

-

the SampleBasisLeft and SampleBasisRight algorithm can operate (i.e., ${\sigma }_k>{\sigma }_{TG}\sqrt{m}\omega \left(\sqrt{logm}\right)$ where ${\sigma }_{TG}=O\left(\sqrt{nlogq}\right)$), and

-

the Regev’s LWE reduction applies(i.e., $q>2\sqrt{n}/\alpha$).

4.3. Security

Theorem 3.

If the $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE assumption holds, the above HIB-DRE scheme is IND-ID-CPA secure.

Proof. 

Let $\mathcal{A}$ be a probabilistic polynomial-time(PPT) adversary that can break our IB-DRE scheme with advantage $\epsilon >0$. Then there exists a reduction that solves the $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE problem with an negligible advantage. Let $Q=Q\left(n\right)$ is the upper bound of the number of KeyGen queries and $I=\{({\mathcal{ID}}_{k,1}^{*},{\mathcal{ID}}_{k,2}^{*}),{({\mathcal{ID}}_{k,1}^{յ},{\mathcal{ID}}_{k,2}^{յ})}_{j\in \left[Q\right]}\}$ denotes the challenge IDs. Different from $Q\le \frac{q}{2}$ in [11], here we let $Q\le \frac{n^c}{4}-1$ where $c=c\left(n\right)$. We show the security via the following games. In each game, we define a value $r\in \{0,1\}$ and let $W_i$ denote the event that the adversary correctly guessed the challenge bit, i.e., the challenger output $r^{\prime }=r$ in ${\mathbf{Game}}_i$. $|Pr\left[W_i\right]-\frac{1}{2}|$ is the adversary’s advantage.

${\mathbf{Game}}_0$. This is the real IND-ID-CPA game between an adversary $\mathcal{A}$ and the challenger. So we have

$$|Pr\left[W_0\right]-\frac{1}{2}|=|Pr[r^{\prime }=r]-\frac{1}{2}|=\epsilon .$$

${\mathbf{Game}}_1$. The same as ${\mathbf{Game}}_1$ in Section 3.3, in this game we also add an abort event at the end of the game. The challenger chooses $y=\{y_0,{\left(y_{i,j}^k\right)}_{(i,j)\in [p,l],k\in \left[d\right]}\}$ where $y_0\leftarrow [-(n+1){\left(p{n}^c\right)}^p,0]$ and $y_{i,j}^k\leftarrow [1,p{n}^c]$. Let $h_{{\mathit{id}}_k}=y_0+{\sum }_{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathit{id}}_k\right)}{y}_{i,j_1}^k\cdots y_{i,j_p}^k$ and H be a function such that

$$H\left({\mathcal{ID}}_k\right)=h_{{\mathit{id}}_1}|h_{{\mathit{id}}_2}|\cdots |h_{{\mathit{id}}_k}.$$

For the challenge IDs, the challenger checks whether $H\left({\mathcal{ID}}_{k,i^{\prime }}^{*}\right)=0$ and $H\left({\mathcal{ID}}_{k,i^{\prime }}^{յ}\right)\ne 0$ where $i^{\prime }\in \{1,2\}$. If they do not hold, the game aborts. Otherwise, the challenger outputs $r^{\prime }=r$.

Different to the Lemma 8, the probability $\eta \left(I\right)$ satisfies

$$\frac{k}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·{(1-\frac{Q}{n^c})}^2\le \eta \left(I\right)\le \frac{k}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}.$$

Then by $|Pr\left[W_1\right]-\frac{1}{2}|={\eta }_{min}·\epsilon -({\eta }_{max}-{\eta }_{min})/2$, we have

$$|Pr\left[W_1\right]-\frac{1}{2}|\ge \frac{k}{{(n+1)}^2}·{\left(\frac{1}{p{n}^c}\right)}^{2p}·(\epsilon -\frac{2Q}{n^c})$$

${\mathbf{Game}}_2$. In this game, we change the way ${\mathit{A}}_{i,j}^k$, ${\overline{\mathit{A}}}_{i,j}^k$, ${\mathit{B}}_0$ are generated. The challenger firstly chooses $y=\{y_0,{\left(y_{i,j}^k\right)}_{(i,j)\in [p,l],k\in \left[d\right]}\}$, $y^{{}^{\prime }}=\{y_0,{\left({\overline{y}}_{i,j}^k\right)}_{(i,j)\in [p,l],k\in \left[d\right]}\}$ as ${\mathbf{Game}}_1$ and chooses three matrices ${\mathit{R}}_0,{\mathit{R}}_{i,j}^k,{\overline{\mathit{R}}}_{i,j}^k\in {\{-1,1\}}^{m\times m}$. Compute

$${\mathit{B}}_0={\mathit{A}}_0{\mathit{R}}_0+y_0\mathit{G}$$

(24)

$${\mathit{A}}_{i,j}^k={\mathit{A}}_0{\mathit{R}}_{i,j}^k+y_{i,j}^k\mathit{G}$$

(25)

$${\overline{\mathit{A}}}_{i,j}^k={\mathit{A}}_0{\overline{\mathit{R}}}_{i,j}^k+{\overline{y}}_{i,j}^k\mathit{G}$$

(26)

Based on Lemma 6, the distribution ($\mathit{A}$, ${\mathit{A}}_0{\mathit{R}}_0+y_0\mathit{G}$, ${\mathit{A}}_0{\mathit{R}}_{i,j}^k+y_{i,j}^k\mathit{G}$, ${\mathit{A}}_0{\overline{\mathit{R}}}_{i,j}^k+{\overline{y}}_{i,j}^k\mathit{G}$) is $\mathrm{negl}\left(n\right)$-close to the distribution ($\mathit{A}$, ${\mathit{B}}_0$, ${\mathit{A}}_{i,j}^k$, ${\overline{\mathit{A}}}_{i,j}^k$). Therefore, we have

$$|Pr\left[W_1\right]-Pr\left[W_2\right]|=\mathrm{negl}\left(n\right).$$

Before the next game, let

$${\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,1}}={\mathit{R}}_0+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathcal{ID}}_{k,1}\right)}{\mathrm{TrapEval}}_p({\mathit{R}}_{1,j_1}^k,\cdots ,{\mathit{R}}_{p,j_p}^k),$$

$${\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,2}}={\mathit{R}}_0+\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathcal{ID}}_{k,2}\right)}{\mathrm{TrapEval}}_p({\overline{\mathit{R}}}_{1,j_1}^k,\cdots ,{\overline{\mathit{R}}}_{p,j_p}^k).$$

Based on Lemma 3, we have

$$\begin{array}{c}\parallel {\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,1}}\parallel =\parallel {\mathit{R}}_0+{\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,1}}\parallel \le \parallel {\mathit{R}}_0\parallel +\sum _{(j_1,\cdots ,j_p)\in \mathcal{F}\left({\mathcal{ID}}_{k,1}\right)}\parallel {\mathrm{TrapEval}}_p({\mathit{R}}_{1,j_1}^k,\cdots ,{\mathit{R}}_{p,j_p}^k)\parallel \hfill \\ \le m+nmp{\left(p{n}^c\right)}^{p-1}=m(1+p^p{n}^{cp-c+1}).\hfill \end{array}$$

(27)

$\parallel {\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,2}}\parallel$ is the same as $\parallel {\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,1}}\parallel$.

Then define ${\mathit{R}}_{{\mathcal{ID}}_{k,i^{\prime }}}={\widehat{\mathit{R}}}_{{\mathcal{ID}}_{1,i^{\prime }}}|\cdots |{\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,i^{\prime }}}\in {\mathbb{Z}}_q^{m\times km}$ where $i^{\prime }\in \{1,2\}$. We have $\parallel {\mathit{R}}_{{\mathcal{ID}}_{k,i^{\prime }}}\parallel \le km(1+p^p{n}^{cp-c+1})$.

${\mathbf{Game}}_3$. In this game, we change the way ${\mathit{A}}_0$ is generated. The challenger chooses a random matrix ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$ instead of using the $\mathrm{TrapGen}$ algorithm. For the secret key queries, the challenger responds by the $\mathrm{SampleRight}$ instead of $\mathrm{SampleRight}$. By the definition of ${\mathit{R}}_{{\mathcal{ID}}_k}$, we have

$$\mathcal{H}\left({\mathcal{ID}}_{k,1}\right)={\mathit{A}}_0·({\widehat{\mathit{R}}}_{{\mathcal{ID}}_{1,1}}+h_{{\mathit{id}}_{1,1}}\mathit{G})|\cdots |{\mathit{A}}_0·({\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,1}}+h_{{\mathit{id}}_{k,1}}\mathit{G}),$$

$$\mathcal{H}\left({\mathcal{ID}}_{k,2}\right)={\mathit{A}}_0·({\widehat{\mathit{R}}}_{{\mathcal{ID}}_{1,2}}+h_{{\mathit{id}}_{1,2}}\mathit{G})|\cdots |{\mathit{A}}_0·({\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,2}}+h_{{\mathit{id}}_{k,2}}\mathit{G}).$$

Therefore for $i^{\prime }\in \{1,2\}$,

$${\mathit{F}}_{{\mathcal{ID}}_{k,i^{\prime }}}={\mathit{A}}_0|\mathcal{H}\left({\mathcal{ID}}_{k,i^{\prime }}\right)={\mathit{A}}_0|{\mathit{A}}_0({\mathit{R}}_{{\mathcal{ID}}_{k,i^{\prime }}}+{\mathit{G}}_{{\mathcal{ID}}_{k,i^{\prime }}})$$

(28)

where ${\mathit{R}}_{{\mathcal{ID}}_{k,i^{\prime }}}={\widehat{\mathit{R}}}_{{\mathcal{ID}}_{1,i^{\prime }}}|\cdots |{\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,i^{\prime }}}$ and ${\mathit{G}}_{{\mathcal{ID}}_{k,i^{\prime }}}=h_{{\mathit{id}}_{1,i^{\prime }}}\mathit{G}|\cdots |h_{{\mathit{id}}_{1,i^{\prime }}}\mathit{G}$.

If $H\left({\mathcal{ID}}_{k,1}\right)=0$ or $H\left({\mathcal{ID}}_{k,2}\right)=0$, the challenger aborts and returns a random bit. Otherwise, it returns ${\mathit{E}}_1$ and ${\mathit{E}}_2$ to $\mathcal{A}$ where

$${\mathit{E}}_1\leftarrow \mathrm{SampleBasisRight}({\mathit{A}}_0,{\mathit{G}}_{{\mathcal{ID}}_{k,1}},{\mathit{R}}_{{\mathcal{ID}}_{k,1}},{\mathit{T}}_{\mathit{G}},{\sigma }_k)$$

$${\mathit{E}}_2\leftarrow \mathrm{SampleBasisRight}({\mathit{A}}_0,{\mathit{G}}_{{\mathcal{ID}}_{k,2}},{\mathit{R}}_{{\mathcal{ID}}_{k,2}},{\mathit{T}}_{\mathit{G}},{\sigma }_k)$$

In particular, the challenger checks if the challenge identity $({\mathcal{ID}}_{k,1}^{*},{\mathcal{ID}}_{k,2}^{*})$ satisfies $H\left({\mathcal{ID}}_{k,1}^{*}\right)=0$ and $H\left({\mathcal{ID}}_{k,2}^{*}\right)=0$. If not, the game aborts as in ${\mathbf{Game}}_1$.

Since in the adversary’s view, ${\mathbf{Game}}_2$ and ${\mathbf{Game}}_3$ are identical (the public parameters, abort conditions, responses to private key queries and the challenge ciphertext). The advantage of the adversary $\mathcal{A}$ is identical to ${\mathbf{Game}}_2$, i.e.,

$$|Pr\left[W_2\right]-Pr\left[W_3\right]|=\mathrm{negl}\left(n\right).$$

${\mathbf{Game}}_4$. As we know, the ciphertext space is $\mathcal{C}\in {\mathbb{Z}}_q\times {\mathbb{Z}}_q^{(k+1)m}\times {\mathbb{Z}}_q^{(k+1)m}$. In this game, the challenger set the ciphertext as ${\mathit{c}}^{*}=\{c_0^{*},{\mathit{c}}_1^{*},{\mathit{c}}_2^{*}\}$ which is uniformly random in ${\mathbb{Z}}_q\times {\mathbb{Z}}_q^{(k+1)m}\times {\mathbb{Z}}_q^{(k+1)m}$ in the challenge phase. And the advantage of the adversary $\mathcal{A}$ is 0. As shown in Lemma 10, assuming $({\mathbb{Z}}_q,n,{\overline{\mathsf{\Psi }}}_{\alpha })$-LWE holds, ${\mathbf{Game}}_3$ and ${\mathbf{Game}}_4$ are computationally indistinguishable, i.e., $|Pr\left[W_3\right]-Pr\left[W_4\right]|=\mathrm{negl}\left(n\right).$ ☐

Lemma 10.

For any PPT adversary $\mathcal{A}$, there exists a challenger $\mathcal{B}$ such that

$$|Pr\left[W_3\right]-Pr\left[W_4\right]|\le \mathrm{LWE}-Adv\left(\mathcal{B}\right).$$

Proof of Lemma 10.

Suppose $\mathcal{A}$ has a non-negligible advantage in distinguishing ${\mathbf{Game}}_4$ and ${\mathbf{Game}}_5$. We use $\mathcal{A}$ to construct an LWE algorithm denoted $\mathcal{B}$.

Recall from Definition 4 that an LWE problem instance is provided as a sampling oracle $\mathcal{O}$ which is either a truly random sampler ${\mathcal{O}}_s^{{}^{\prime }}$ or a noisy pseudo-random sampler ${\mathcal{O}}_s$ for a secret $\mathbf{s}\in {\mathbb{Z}}_q^n$. The challenger $\mathcal{B}$ uses the adversary $\mathcal{A}$ to distinguish which the sampler it is given, and proceeds as follows:

Instance. The challenger $\mathcal{B}$ requests from $\mathcal{O}$ to obtain $(m+1)$ LWE samples that we denote as:

$$\{({\mathit{w}}_0,v_0),({\mathit{w}}_1,v_1),({\mathit{w}}_2,v_2),\dots ,({\mathit{w}}_m,v_m)\}\in ({\mathbb{Z}}_q^n\times {\mathbb{Z}}_q)$$

Setup. The challenger $\mathcal{B}$ constructs the public parameters $pp$ as follows:

(1)

Construct a matrix ${\mathit{A}}_0\in {\mathbb{Z}}_q^{n\times m}$ by assembling m LWE samples such that ${\mathit{A}}_0=({\mathit{w}}_1,{\mathit{w}}_2,\dots ,{\mathit{w}}_m)$, and let $u={\mathit{w}}_0$.

(2)

Choose $\mathit{y}$ as in ${\mathbf{Game}}_1$ and constructs the remainder of the public parameters as in ${\mathbf{Game}}_2$.

(3)

Send the $pp=\{{\mathit{A}}_0,{({\mathit{A}}_{i,j}^k,{\overline{\mathit{A}}}_{i,j}^k)}_{(i,j)\in [p,l],k\in \left[d\right]},{\mathit{B}}_0,u\}$ to $\mathcal{A}$.

Queries. $\mathcal{A}$ makes secret key query. The challenger $\mathcal{B}$ computes and checks if $H\left({\mathcal{ID}}_k\right)=0$. If it holds, it aborts. Otherwise it generate the secret key for $\mathcal{A}$ as in ${\mathbf{Game}}_3$.

Challenge. $\mathcal{A}$ sends a message bit ${\mu }^{*}\in \{0,1\}$ and the target identities $(({\mathcal{ID}}_{k,1}^{*},{\mathcal{ID}}_{k,2}^{*})$ to $\mathcal{B}$. The challenger $\mathcal{B}$ constructs ${\mathit{v}}^{*}={(v_1,v_2,\cdots ,v_m)}^{\top }$ where $v_0,v_1,\cdots ,v_m\in {\mathbb{Z}}_q$ is the LWE samples. Let ${\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}={\widehat{\mathit{R}}}_{{\mathcal{ID}}_{1,1}^{*}}|\cdots |{\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,1}^{*}}\in {\mathbb{Z}}_q^{m\times km}$ and ${\mathit{R}}_{{\mathcal{ID}}_{k,2}^{*}}={\widehat{\mathit{R}}}_{{\mathcal{ID}}_{1,2}^{*}}|\cdots |{\widehat{\mathit{R}}}_{{\mathcal{ID}}_{k,2}^{*}}\in {\mathbb{Z}}_q^{m\times km}$. Then the challenge ciphertext

$$c_0^{*}=v_0+{\mu }^{*}\lfloor q/2\rfloor ,$$

$${\mathit{c}}_1^{*}=\left[\begin{array}{c}{\mathit{v}}^{*}\\ {\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}^{\top }{\mathit{v}}^{*}\end{array}\right],$$

$${\mathit{c}}_2^{*}=\left[\begin{array}{c}{\mathit{v}}^{*}\\ {\mathit{R}}_{{\mathcal{ID}}_{k,2}^{*}}^{\top }{\mathit{v}}^{*}\end{array}\right].$$

$\mathcal{B}$ sends the challenge ciphertext ${\mathit{c}}^{*}=\{c_0^{*},{\mathit{c}}_1^{*},{\mathit{c}}_2^{*}\}$ to $\mathcal{A}$.

Note that when $\mathcal{O}={\mathcal{O}}_s$, the ciphertext is valid.(We just argue only when no abort happens). Since $H\left({\mathcal{ID}}_{k,1}^{*}\right)=0$ and $H\left({\mathcal{ID}}_{k,2}^{*}\right)=0$, we have ${\mathit{F}}_{{\mathcal{ID}}_{k,1}^{*}}={\mathit{A}}_0|\mathcal{H}\left({\mathcal{ID}}_{k,1}^{*}\right)={\mathit{A}}_0|{\mathit{A}}_0{\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}$. The same as ${\mathit{F}}_{{\mathcal{ID}}_{k,1}^{*}}$, we have ${\mathit{F}}_{{\mathcal{ID}}_{k,2}^{*}}={\mathit{A}}_0|{\mathit{A}}_0{\mathit{R}}_{{\mathcal{ID}}_{k,2}^{*}}$. By definition of ${\mathcal{O}}_s$, we know ${\mathit{v}}^{*}={\mathit{A}}_0^{\top }\mathit{s}+\mathit{x}$. Then we have

$$c_0^{*}=v_0+{\mu }^{*}\lfloor q/2\rfloor =({\mathit{u}}^{\top }\mathit{s}+x_0)+{\mu }^{*}\lfloor q/2\rfloor$$

(29)

$$\begin{array}{cc}\hfill {\mathit{c}}_1^{*}& =\left[\begin{array}{c}{\mathit{v}}^{*}\\ {\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}^{\top }{\mathit{v}}^{*}\end{array}\right]=\left[\begin{array}{c}{\mathit{A}}_0^{\top }\mathit{s}+\mathit{x}\\ {\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}^{\top }({\mathit{A}}_0^{\top }\mathit{s}+\mathit{x})\end{array}\right]\hfill \\ & =\left[\begin{array}{c}{\mathit{A}}_0^{\top }\mathit{s}+\mathit{x}\\ {\mathit{A}}_0{\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}{]}^{\top }\mathit{s}+{\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}^{\top }\mathit{x}\end{array}\right]={\mathit{F}}_{{\mathcal{ID}}_{k,1}^{*}}^{\top }\mathit{s}+\left[\begin{array}{c}\mathit{x}\\ {\mathit{R}}_{{\mathcal{ID}}_{k,1}^{*}}^{\top }\mathit{x}\end{array}\right]\hfill \end{array}$$

(30)

The same as ${\mathit{c}}_1^{*}$, ${\mathit{c}}_2^{*}$ is also valid. It is also similar to the ${\mathbf{Game}}_3$.

When $\mathcal{O}={\mathcal{O}}_s^{{}^{\prime }}$, $v_0\in {\mathbb{Z}}_q$ and $v^{*}\in {\mathbb{Z}}_q^m$ are all uniform. Therefore $c_0^{*},{\mathit{c}}_1^{*},{\mathit{c}}_2^{*}$ are uniform in $\in {\mathbb{Z}}_q\times {\mathbb{Z}}_q^{(k+1)m}\times {\mathbb{Z}}_q^{(k+1)m}$ by the Lemma 6.

Guess. After being allowed to make additional secret key queries, $\mathcal{A}$ guesses if it is interacting with a ${\mathbf{Game}}_4$ or ${\mathbf{Game}}_5$ challenger. $\mathcal{B}$ output $\mathcal{A}$’s guess as the answer to the LWE challenge it is trying to solve. Therefore we have $\mathrm{LWE}-Adv\left(\mathcal{B}\right)=|Pr\left[W_3\right]-Pr\left[W_4\right]|$. ☐

Remark 1.

Note that, as in [10,11], the two schemes also can encrypt multiple message bits. To encrypt n-bits message we need to include n vectors ${\mathbf{u}}_1,{\mathbf{u}}_2,\cdots ,{\mathbf{u}}_n$in the public parameters$pp$. Let$\mathbf{U}=({\mathbf{u}}_1,{\mathbf{u}}_2,\cdots ,{\mathbf{u}}_n)$and replace the vector$\mathbf{u}$with$\mathbf{U}$. Then taking each element of$\mathbf{U}$as input in the KeyGen phase in the IB-DRE scheme or the Decrypt phase in the HIB-DRE scheme such that${\mathbf{e}}_{{\mathbf{id}}_{i^{\prime }}}\leftarrow SampleLeft({\mathbf{A}}_0,\mathcal{H}\left({\mathbf{id}}_{i^{\prime }}\right),{\mathbf{u}}_i,{\mathbf{T}}_{{\mathbf{A}}_0})$,${\mathbf{e}}_{{\mathcal{ID}}_{k,i^{\prime }}}\leftarrow SamplePre({\mathbf{F}}_{{\mathcal{ID}}_{k,i^{\prime }}},s{k}_{{\mathcal{ID}}_{k,i^{\prime }}},{\mathbf{u}}_i,{\overline{\sigma }}_k)$. Moreover, replace the ciphertext$c_0$with$c_0={\mathbf{U}}^{\top }\mathbf{s}+x+\mu \lfloor q/2\rfloor \in {\mathbb{Z}}_q^n$. The proof of security is basically unchanged, except that in the Instance phase$\mathcal{B}$ makes $m+n$ times queries of the LWE oracle instead of $m+1$ times.

5. Performance Analysis

Here we firstly give the comparison between lattice-based IB-DRE scheme and other related IB-DRE schemes which are based on bilinear maps. As shown in Table 1, compared to [4], our scheme and [20] can resist quantum attack due to the fact that our scheme and [20] are based on the LWE problem on lattices which is proved by Regev [9] to resist quantum computing attack, but [4] is based on the decisional bilinear Diffie–Hellman (DBDH) problem which can not resist quantum computing attack. In addition, [4,20] and our scheme are all proved to be CPA secure. To lighten the pressure of KGC, we extend our scheme to the hierarchical scenario, but [4,20] can not support hierarchical scenario.

Table 1. The comparison between lattice-based identity-based device receiver encryption (IB-DRE) and bilinear maps-based IB-DRE.

Scheme	Security Assumption	Resistance to Quantum Attack	CPA/CCA	Hierarchical
[4]	DBDH	No	CPA	No
[20]	LWE	Yes	CPA	No
Ours	LWE	Yes	CPA	Yes

Next we give the comparison of storage cost, communication cost and computational cost between our construction and the first lattice-based IB-DRE scheme (next we use how Zhang18 denotes it).

Storage costs analysis. Here we give the comparison of storage costs between our construction and the first lattice-based IB-DRE scheme (next we use how Zhang18 denotes it). In Zhang18, the authors propose an adaptively secure IB-DRE scheme based on the LWE problem. In their scheme, to achieve the adaptively-ID secure, they generate $2n$ matrices in the Setup phase by using the same method of [11]. The size of public parameters is $O(n^{3}logq)$ which lead to a high storage overhead. As shown in Table 2, the suggested lattice dimension m in our scheme is smaller than [20] under the same adaptively secure model. Since p is a flexible constant which can directly affect the $pp$ size, we give the comparison results when p takes different values. Since we introduce an injective map function in our construction, the public parameters size can be reduced from $2n+2$ matrices to $2p{n}^{\frac{1}{p}}+2$ matrices where $p(\ge 2)$ is a flexible constant. Namely, the storage cost of public parameters $pp$ is reduced from $O(n^{3}logq)$ to $O(n^{2+\frac{1}{p}}logq)$. Moreover, the user’s secret key in our scheme is smaller than [20] and the ciphertext is equal to [20]. Figure 1 shows that when $p=2$ and $n=284$ according to the suggestion given by Micciancio et al. in [22], the size of public parameters in our scheme is reduced by merely 88% of Zhang et al.’s method. Not to mention when $p>2$ or $n>284$. In addition, from the Figure 1, with the increasing of the bit-length of identity, the size of public parameters in our scheme and [20] are also increase. It is still smaller than [20]. In addition, in our scheme, when $p=2$, the size of the public parameters in our scheme achieves the largest of our scheme, and it is $12\%$ of [20]. Not to mention when $p>2$.

Table 2. The comparison between our scheme and related lattice-based scheme.

Schemes	Lattice Dimension m	pp	${\mathit{sk}}_{\mathit{id}}$	Ciphertext	$1/\mathit{\alpha }$ for LWE Assumption	Selective/Adaptive
Zhang18 [20]	$6nlogq$	$O(n^{3}logq)$	$2mnlogq$	$O(n^{3}logq)$	Fixed $\mathrm{poly}\left(n\right)$	Adaptive
Ours IB-DRE	$3nlogq$	$O(n^{2+\frac{1}{p}}logq)$	$2mlogq$	$O(n^{3}logq)$	All $\mathrm{poly}\left(n\right)$	Adaptive
		$p(\ge 2)$

Fixed poly(n): a scheme is proven secure under the LWE assumption with 1/α being some fixed polynomial (e.g.,n³). All poly(n): a scheme is proven secure under the LWE assumption with 1/α being all polynomial.

Figure 1. The number of the matrices in public parameters.

Communication costs analysis. There are four algorithms in our scheme and in Zhang18 [20]. During the operation of the algorithm, three transmissions of public parameters, two transmissions of ciphertext and at least two transmissions of user’s secret key are required. According to the comparison results of Table 2 and Figure 1, under the same transmission bandwidth, it is obvious that communication costs of our public parameters and user’s secret key are faster than in Zhang18 [20]. Communication cost of the ciphertext is equal to Zhang18 [20].

Computational costs analysis. As shown in Table 3, we compared our scheme with Zhang18 on computational costs. The computational cost of encryption in our construction is equal to the related lattice-based IB-DRE scheme in [20]. As for the computational cost of KeyGen, in [20] the user’s secret key is a $2m\times n$ matrix while it is a $2m$ dimensions vector in our scheme. Thus, the computational cost of KeyGen in [20] is larger than our scheme. Due to the fact that the size of user’s secret in [20] is n times larger than us, the computational cost is also larger than us.

Table 3. The comparison of computational cost.

Scheme	KeyGen	Encryption	Decryption
Zhang18 [20]	$O\left(n^2{m}^2\right)$	$O\left(n^{2}m\right)$	$O\left(n{m}^2\right)$
Ours	$O\left(n{m}^2\right)$	$O\left(n^{2}m\right)$	$O\left(m^2\right)$

6. Conclusions

Different from the standard cryptographic primitive of public key encryption by which a ciphertext can usually be decrypted by the private-key holders only, dual receiver encryption enables a ciphertext to be decrypted to the same plaintext by two different but dual receivers. In this paper, we propose two more efficient constructions of (hierarchical) identity-based dual receiver encryption schemes from lattices which can resist quantum attack. By combining an injective map and a homomorphic computation technique, the size of public parameters is remarkably reduced from $2n+2$ matrices to $2p{n}^{\frac{1}{p}}+2$ matrices where $p(\ge 2)$ is a flexible constant. Compared to the only related work—Zhang18, about 88% = (1–12%) storage cost is saved by using our method. Under the intractability assumption of the learning with errors problem over lattices, our proposal was proved to be semantically secure against adaptively chosen identity and plaintext attacks.