New Constructions of Identity-Based Dual Receiver Encryption from Lattices

Dual receiver encryption (DRE), originally conceived at CCS 2004 as a proof technique, enables a ciphertext to be decrypted to the same plaintext by two different but dual receivers, and has recently become popular because of its useful application potential in secure outsourcing, trusted third-party supervision, client puzzling, etc. Identity-based DRE (IB-DRE) combines the advantages of DRE and identity-based encryption (IBE). Most previous constructions of IB-DRE are based on bilinear pairings and thus suffer from known quantum algorithmic attacks. It is therefore interesting to build IB-DRE schemes on well-known post-quantum platforms such as lattices. At ACISP 2018, Zhang et al. gave the first lattice-based construction of IB-DRE; the main part of the public parameters in that scheme consists of $2n+2$ matrices, where $n$ is the bit-length of an identity. In this paper, by introducing an injective map and the homomorphic computation technique due to Yamada at EUROCRYPT 2016, we propose another lattice-based construction of IB-DRE that is more efficient: the main part of the public parameters consists of only $2pn^{1/p}+2$ matrices of the same dimensions, where $p\,(\ge 2)$ is a flexible constant. The larger $p$ and $n$ are, the more noticeable the saving of our proposal. Typically, when $p=2$ and $n=284$, following the suggestion of Peikert et al., the size of the public parameters in our proposal is reduced to merely 12% of that of Zhang et al.'s method. In addition, to lighten the load on the key generation center, we extend our lattice-based IB-DRE scheme to the hierarchical setting. Finally, both the IB-DRE scheme and the HIB-DRE scheme are proved to be indistinguishable against adaptively chosen identity and plaintext attacks (IND-ID-CPA).


Introduction
With the rapid development of the Internet of Things, more and more users tend to encrypt their data and then outsource them to a cloud server. These outsourced data may contain sensitive information such as financial data, medical data, national-security-related data, etc. Therefore, a reliable third party or government department is required to supervise these data and, if necessary, the regulator can decrypt the ciphertext and view the plaintext. Dual receiver encryption (DRE) [1] allows a ciphertext to be decrypted to the same plaintext by two independent receivers. For the above scenario, DRE is a handy tool: it not only guarantees the encrypted transmission and storage of data, but also enables the data to be supervised by a reliable third party. In addition, DRE can be combined with other cryptographic schemes. In [1], Diament et al. combined a DRE scheme with a signature scheme so that a user can use the same public/secret key pair for both encryption and signing. In 2014, Chow et al. [2] …

… $2pn^{1/p}+2$ matrices, where $n$ is the bit-length of an identity and $p\,(\ge 2)$ is a flexible constant. By choosing appropriate $p$ and $n$, the pp size can be reduced by at least about 88% compared with Zhang18. In addition, considering the hierarchical scenario, we extend our scheme to a hierarchical IB-DRE (HIB-DRE), which is not considered in Zhang18; an HIB-DRE reduces the load on the key generation center (KGC). The size of the public parameters of the HIB-DRE is also reduced from $2dn+2$ matrices to $2dpn^{1/p}+2$ matrices, where $d$ is the maximum hierarchy depth. Finally, our lattice-based IB-DRE and HIB-DRE schemes are proved to be indistinguishable against adaptively chosen identity and plaintext attacks (IND-ID-CPA) in the standard model. Additionally, to improve encryption efficiency, both schemes can be converted to multi-bit encryption schemes using the method in [11].

Preliminaries
Notation. We use lowercase bold italic letters for vectors, as in $\mathbf{u}$, and uppercase bold italic letters for matrices, as in $\mathbf{A}$.
$[n]$ denotes the integer set $\{1,2,\dots,n\}$. $\mathbb{Z}_q$ denotes the set of residue classes of integers modulo $q$. $\mathbf{u}\in\mathbb{Z}_q^n$ is an $n$-dimensional column vector. An $n\times m$ matrix is denoted by $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$, where $\mathbf{A}=(\mathbf{a}_1,\mathbf{a}_2,\dots,\mathbf{a}_m)$. $\|\mathbf{A}\|$ denotes the $\ell_2$-norm of the longest column of $\mathbf{A}$. $\tilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of the vectors $\mathbf{a}_1,\dots,\mathbf{a}_m$, and we refer to $\|\tilde{\mathbf{A}}\|$ as the Gram-Schmidt norm of $\mathbf{A}$.
Note that $\mathbf{B}=[\mathbf{b}_1,\mathbf{b}_2,\dots,\mathbf{b}_n]$ is a basis of $\Lambda$, $n$ is the rank and $m$ is the dimension.

Discrete Gaussians
Definition 3 (Discrete Gaussian). For a positive real $s$ and a vector $\mathbf{c}\in\mathbb{R}^m$, we define the Gaussian distribution with center $\mathbf{c}$ and parameter $s$ as follows: … where $\sigma>0$ is a parameter and $\rho_{\sigma,\mathbf{c}}(\mathbf{x})=\exp(-\pi\|\mathbf{x}-\mathbf{c}\|^2/\sigma^2)$.
Lemma 1 ([10]). Let $q\ge 2$, $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$ with $m>n$, $\mathbf{T}_\mathbf{A}\in\mathbb{Z}_q^{m\times m}$ be a basis for $\Lambda_q^\perp(\mathbf{A})$ and $\sigma\ge\|\tilde{\mathbf{T}}_\mathbf{A}\|\,\omega(\sqrt{\log m})$. Then for $\mathbf{c}\in\mathbb{R}^m$ and $\mathbf{u}\in\mathbb{Z}_q^n$ we have:
(1). There is a probabilistic polynomial-time (PPT) algorithm SampleGaussian$(\mathbf{A},\mathbf{T}_\mathbf{A},\sigma,\mathbf{c})$ that outputs a vector $\mathbf{e}\in\Lambda_q^\perp(\mathbf{A})$ drawn from a distribution statistically close to $D_{\Lambda,\sigma,\mathbf{c}}$.
(2). There is a PPT algorithm SamplePre$(\mathbf{A},\mathbf{T}_\mathbf{A},\mathbf{u},\mathbf{c})$ that outputs a vector $\mathbf{e}\in\Lambda_q^{\mathbf{u}}(\mathbf{A})$ sampled from a distribution statistically close to $D_{\Lambda_q^{\mathbf{u}}(\mathbf{A}),\sigma}$.

Related Algorithms
For integers $q,n,m$ with $q$ prime, there are PPT algorithms such that:
(1). TrapGen$(q,n)$ ([21]): outputs a pair of matrices $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$ and $\mathbf{T}_\mathbf{A}\in\mathbb{Z}_q^{m\times m}$, where $\mathbf{T}_\mathbf{A}$ is a basis for $\Lambda_q^\perp(\mathbf{A})$ and $m\ge 3(1+\delta)n\log q$ for some $\delta>0$.
(2). SampleLeft$(\mathbf{A},\mathbf{M}_1,\mathbf{T}_\mathbf{A},\mathbf{u},\sigma)$ ([11]): given $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$, $\mathbf{M}_1\in\mathbb{Z}_q^{n\times m_1}$, a basis $\mathbf{T}_\mathbf{A}\in\mathbb{Z}_q^{m\times m}$ for $\Lambda_q^\perp(\mathbf{A})$, $\mathbf{u}\in\mathbb{Z}_q^n$ and a Gaussian parameter $\sigma>\|\tilde{\mathbf{T}}_\mathbf{A}\|\,\omega(\sqrt{\log(m+m_1)})$, outputs a vector $\mathbf{e}\in\mathbb{Z}^{m+m_1}$ that is statistically indistinguishable from $D_{\Lambda_q^{\mathbf{u}}(\mathbf{F}_1),\sigma}$, where $\mathbf{F}_1=[\mathbf{A}|\mathbf{M}_1]$ and $\mathbf{F}_1\cdot\mathbf{e}=\mathbf{u}\pmod q$.
(3). SampleRight$(\mathbf{A},\mathbf{B},\mathbf{R},\mathbf{T}_\mathbf{B},\mathbf{u},\sigma)$ ([11]): given $\mathbf{A}\in\mathbb{Z}_q^{n\times k}$, $\mathbf{B}\in\mathbb{Z}_q^{n\times m}$, $\mathbf{R}\in\mathbb{Z}_q^{k\times m}$, a basis $\mathbf{T}_\mathbf{B}$ for $\Lambda_q^\perp(\mathbf{B})$, $\mathbf{u}\in\mathbb{Z}_q^n$ and a Gaussian parameter $\sigma$ …, outputs a vector $\mathbf{e}\in\mathbb{Z}^{m+k}$ that is statistically indistinguishable from $D_{\Lambda_q^{\mathbf{u}}(\mathbf{F}_2),\sigma}$, where $\mathbf{F}_2=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{B}]$ and $\mathbf{F}_2\cdot\mathbf{e}=\mathbf{u}\pmod q$.
Note that in our scheme we let $\mathbf{B}=y\mathbf{G}$ with $y\in\mathbb{Z}_q$ and $y\neq 0$, and take $\mathbf{T}_\mathbf{G}$ as the input basis for the lattice $\Lambda_q^\perp(\mathbf{G})$.
Lemma 2 ([22]). For any integers $q\ge 2$, $n\ge 1$, $w=nt$, $t=\lceil\log_2 q\rceil$, there is a gadget matrix $\mathbf{G}\in\mathbb{Z}_q^{n\times w}$ such that: … 2. There is a PPT algorithm $\mathbf{G}^{-1}$ that takes as input a vector $\mathbf{u}\in\mathbb{Z}_q^n$ and outputs a vector $\mathbf{x}=\mathbf{G}^{-1}(\mathbf{u})$ with $\mathbf{x}\in\{0,1\}^w$ and $\mathbf{G}\mathbf{x}=\mathbf{u}$. Note that $\mathbf{G}^{-1}$ is a function, not a matrix.
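The gadget matrix of Lemma 2 and its bit-decomposition function can be made concrete in a few lines. The following is an added example (it is not code from the paper): it builds $\mathbf{G}=\mathbf{I}_n\otimes(1,2,\dots,2^{t-1})$ with $t=\lceil\log_2 q\rceil$, computes $\mathbf{G}^{-1}(\mathbf{u})$ as the bits of each coordinate of $\mathbf{u}$, and checks that $\mathbf{G}\cdot\mathbf{G}^{-1}(\mathbf{u})=\mathbf{u}\pmod q$. The tiny modulus and the vector $\mathbf{u}$ are constructed sample values.

```python
# Added example (not from the paper): the gadget matrix G of Lemma 2 and the
# bit-decomposition function G^{-1}, in pure Python with constructed toy values.

def gadget_params(q):
    """t = ceil(log2 q): the number of bits needed to write any residue mod q."""
    return (q - 1).bit_length()


def gadget_matrix(n, q):
    """G = I_n (x) (1, 2, 4, ..., 2^(t-1)) in Z_q^{n x nt}, returned as a list of rows."""
    t = gadget_params(q)
    w = n * t
    G = [[0] * w for _ in range(n)]
    for i in range(n):
        for k in range(t):
            G[i][i * t + k] = (1 << k) % q  # 2^k < q for k < t, so the reduction is a no-op
    return G


def gadget_inverse(u, q):
    """G^{-1}(u): the binary vector x in {0,1}^{nt} with G x = u (mod q).
    It is a deterministic function, not a matrix (Lemma 2)."""
    t = gadget_params(q)
    x = []
    for ui in u:
        ui %= q
        x.extend((ui >> k) & 1 for k in range(t))  # little-endian bits of u_i
    return x


def mat_vec_mod(M, x, q):
    """Compute M x mod q for a matrix M (list of rows) and a vector x."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]


def check_gadget(u, q):
    """Return True iff G * G^{-1}(u) == u (mod q) and G^{-1}(u) is a 0/1 vector of length nt."""
    n = len(u)
    G = gadget_matrix(n, q)
    x = gadget_inverse(u, q)
    if len(x) != n * gadget_params(q) or any(b not in (0, 1) for b in x):
        return False
    return mat_vec_mod(G, x, q) == [ui % q for ui in u]


if __name__ == "__main__":
    q, u = 17, [3, 16, 0, 9]  # constructed sample values
    print(gadget_inverse(u, q), check_gadget(u, q))
```

Because $2^{t-1}<q\le 2^t$, every residue fits in $t$ bits, which is why the decomposition is exact and why $\mathbf{G}^{-1}$ is a function rather than a matrix: it is not linear, yet $\mathbf{G}\cdot\mathbf{G}^{-1}(\mathbf{u})=\mathbf{u}$ always holds.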

Homomorphic Computation
The idea of homomorphic trapdoor computation was introduced in [14]. Let $p$ be a positive integer. There is a function $\mathrm{Eval}_p:(\mathbb{Z}_q^{n\times m})^p\to\mathbb{Z}_q^{n\times m}$ that takes $p$ matrices $\mathbf{A}_1,\mathbf{A}_2,\dots,\mathbf{A}_p$ as input and outputs a matrix.
Here $\mathbf{G}^{-1}$ is the deterministic function of Lemma 2. The following lemma (cf. [14]) bounds the trapdoor obtained by homomorphic evaluation. Let $\mathbf{A},\mathbf{A}_1,\dots,\mathbf{A}_p\in\mathbb{Z}_q^{n\times m}$ and $\mathbf{R}_1,\dots,\mathbf{R}_p\in\mathbb{Z}^{m\times m}$ with $\mathbf{A}_i=\mathbf{A}\mathbf{R}_i+y_i\mathbf{G}$ for $i\in[p]$. Assume further that $\|\mathbf{R}_i\|\le m$, $|y_i|\le\delta$ and $\delta>m$. Then there exists an algorithm TrapEval that takes $\mathbf{R}_1,\dots,\mathbf{R}_p,y_1,\dots,y_p$ as input and outputs a matrix $\mathbf{R}$ such that $\mathrm{Eval}_p(\mathbf{A}_1,\mathbf{A}_2,\dots,\mathbf{A}_p)=\mathbf{A}\mathbf{R}+y_1\cdots y_p\cdot\mathbf{G}$ and $\|\mathbf{R}\|\le mp\delta^{p-1}$.

LWE Hardness Assumption
Definition 4. Given a prime $q$, a positive integer $n$ and a distribution $\bar\Psi_\alpha$ over $\mathbb{Z}_q$, a $(\mathbb{Z}_q,n,\bar\Psi_\alpha)$-LWE problem instance consists of access to an unspecified challenge oracle $\mathcal{O}$, being either a truly random sampler $\mathcal{O}_\$$ or a noisy pseudo-random sampler $\mathcal{O}_{\mathbf{s}}$ carrying some constant random secret key $\mathbf{s}\in\mathbb{Z}_q^n$, whose behaviors are as follows, respectively:
$\mathcal{O}_{\mathbf{s}}$: outputs noisy pseudo-random samples $(\mathbf{w}_i,v_i)=(\mathbf{w}_i,\mathbf{w}_i^{\top}\mathbf{s}+\chi_i)\in\mathbb{Z}_q^n\times\mathbb{Z}_q$, where $\mathbf{s}\in\mathbb{Z}_q^n$ is a uniformly distributed secret key, $\chi_i$ is a noise component drawn from $\bar\Psi_\alpha$, and $\mathbf{w}_i$ is uniform in $\mathbb{Z}_q^n$.
$\mathcal{O}_\$$: outputs truly uniform random samples $(\mathbf{w}_i,v_i)$ from $\mathbb{Z}_q^n\times\mathbb{Z}_q$.
The $(\mathbb{Z}_q,n,\bar\Psi_\alpha)$-LWE problem allows a number of queries to the challenge oracle $\mathcal{O}$. We say an algorithm …
Theorem 1 ([9]). If there exists an efficient, possibly quantum, algorithm for deciding the $(\mathbb{Z}_q,n,\bar\Psi_\alpha)$-LWE problem for $q>2\sqrt{n}/\alpha$, then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems to within $\tilde{O}(n/\alpha)$ factors in the $\ell_2$ norm, in the worst case.
… with all but negligible probability in $m$.
Lemma 7 (Smudging Lemma [14]). Let $\mathbf{x}_0\in\mathbb{Z}^m$ be a fixed vector with $\|\mathbf{x}_0\|_\infty\le\delta$, and let $\mathbf{x}\leftarrow\{-B,\dots,B\}^m$ be a uniformly random vector. Then the two distributions $\mathbf{x}_0$ and $\mathbf{x}_0+\mathbf{x}$ are within statistical distance $m\delta/B$.
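The two samplers of Definition 4, and the way the security proofs below turn $m+1$ oracle samples into a challenge ciphertext (Instance and Challenge steps of Lemma 9), are easiest to see on a toy instance. The following is an added example and not the paper's scheme: it implements $\mathcal{O}_\$$ and $\mathcal{O}_{\mathbf{s}}$ with a bounded error in place of $\bar\Psi_\alpha$, a dual-Regev style one-bit encryption $c_0=\mathbf{u}^{\top}\mathbf{s}+x+\mu\lfloor q/2\rfloor$, $\mathbf{c}_1=\mathbf{A}^{\top}\mathbf{s}+\mathbf{x}_1$ of the kind the IB-DRE ciphertext components are built from, and the embedding $\mathbf{A}_0=(\mathbf{w}_1,\dots,\mathbf{w}_m)$, $\mathbf{u}=\mathbf{w}_0$. The parameters, the bounded noise and the trapdoor-free key generation (choose the short $\mathbf{e}$ first, then set $\mathbf{u}=\mathbf{A}\mathbf{e}$) are simplifying assumptions for illustration only.

```python
import random

# Added example, not from the paper: a toy of the two LWE samplers of
# Definition 4 and of the dual-Regev style bit encryption that lattice IBE/IB-DRE
# ciphertexts are built on (c0 = u^T s + x + mu*floor(q/2), c1 = A^T s + x1).
# Constructed toy parameters: far too small for security, chosen so that the
# accumulated error |x - e^T x1| <= NOISE*(M+1) = 130 stays below q/4 = 1023.
Q, N, M, NOISE = 4093, 16, 64, 2


def oracle_uniform(rng):
    """O_$: a truly uniform sample (w, v) in Z_q^n x Z_q."""
    return [rng.randrange(Q) for _ in range(N)], rng.randrange(Q)


def oracle_lwe(rng, s):
    """O_s: (w, <w, s> + chi mod q) with chi a small centred error
    (a bounded stand-in for the Gaussian noise Psi_alpha of the paper)."""
    w = [rng.randrange(Q) for _ in range(N)]
    chi = rng.randint(-NOISE, NOISE)
    return w, (sum(wi * si for wi, si in zip(w, s)) + chi) % Q


def centred(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def keygen(rng):
    """Dual-Regev key pair: choose the short vector e first and set u = A e (mod q),
    so this toy needs no lattice trapdoor (the real scheme uses SampleLeft/SamplePre)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    e = [rng.randint(-1, 1) for _ in range(M)]
    u = [sum(a * ei for a, ei in zip(row, e)) % Q for row in A]
    return (A, u), e


def encrypt(rng, pk, mu):
    """c0 = <u, s> + x + mu*floor(q/2), c1 = A^T s + x1 (coordinate-wise mod q)."""
    A, u = pk
    s = [rng.randrange(Q) for _ in range(N)]
    c0 = (sum(ui * si for ui, si in zip(u, s))
          + rng.randint(-NOISE, NOISE) + mu * (Q // 2)) % Q
    c1 = [(sum(A[i][j] * s[i] for i in range(N)) + rng.randint(-NOISE, NOISE)) % Q
          for j in range(M)]
    return c0, c1


def decrypt(e, ct):
    """c0 - <e, c1> = mu*floor(q/2) + (x - <e, x1>); round to the nearer of 0 and q/2."""
    c0, c1 = ct
    d = centred(c0 - sum(ei * ci for ei, ci in zip(e, c1)))
    return 1 if abs(d) > Q // 4 else 0


def roundtrip(seed, mu):
    """Encrypt and decrypt one bit under a fresh key pair; returns the recovered bit."""
    rng = random.Random(seed)
    pk, e = keygen(rng)
    return decrypt(e, encrypt(rng, pk, mu))


def embed_challenge(samples, mu):
    """Instance/Challenge steps of the reduction: from m+1 oracle samples
    (w_0, v_0), ..., (w_m, v_m) set A0 = (w_1 | ... | w_m), u = w_0 and
    c0* = v_0 + mu*floor(q/2), c1* = (v_1, ..., v_m)."""
    (w0, v0), rest = samples[0], samples[1:]
    A = [[rest[j][0][i] for j in range(M)] for i in range(N)]  # column j is w_j
    return (A, w0), ((v0 + mu * (Q // 2)) % Q, [v for _, v in rest])


def looks_like_lwe_ciphertext(pk, s, ct, mu):
    """Check, using the secret s that the reduction itself never sees, that every
    coordinate of c1 - A^T s and c0 - <u, s> - mu*floor(q/2) is a small error."""
    A, u = pk
    c0, c1 = ct
    errs = [centred(c1[j] - sum(A[i][j] * s[i] for i in range(N))) for j in range(M)]
    errs.append(centred(c0 - sum(ui * si for ui, si in zip(u, s)) - mu * (Q // 2)))
    return all(abs(x) <= NOISE for x in errs)


def reduction_demo(seed, real):
    """With O_s the embedded challenge is a genuine ciphertext; with O_$ it is not."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    samples = [oracle_lwe(rng, s) if real else oracle_uniform(rng) for _ in range(M + 1)]
    pk, ct = embed_challenge(samples, 1)
    return looks_like_lwe_ciphertext(pk, s, ct, 1)


if __name__ == "__main__":
    print(roundtrip(1, 0), roundtrip(1, 1), reduction_demo(2, True), reduction_demo(2, False))
```

The point the reduction relies on is visible in `reduction_demo`: the challenger never chooses $\mathbf{s}$ or the noise itself, it only relabels oracle outputs, so when $\mathcal{O}=\mathcal{O}_{\mathbf{s}}$ the challenge is distributed as a real ciphertext and when $\mathcal{O}=\mathcal{O}_\$$ it is uniform; the adversary's guess therefore decides which oracle was used.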

Definitions of (H)IB-DRE and Adaptive-ID Security Model
Identity-based dual receiver encryption (IB-DRE) enables a ciphertext to be decrypted to the same plaintext by two different receivers, since it embeds two independent users' identities in the encryption phase. Following the definition of IB-DRE in [20], we give the following definition. An IB-DRE scheme consists of the following four algorithms.
(1). Setup$(1^n)\to(\mathrm{pp},\mathrm{msk})$: on input the security parameter $1^n$, this algorithm outputs the public parameters pp and the master secret key msk.
(2). KeyGen$(\mathrm{pp},id,\mathrm{msk})\to sk_{id}$: on input the public parameters pp, a user's identity $id$ and the master secret key msk, this algorithm outputs the secret key $sk_{id}$. In the scheme, we let $id_1,id_2$ denote the first and the second receiver, respectively.
(3). Encrypt$(\mathrm{pp},id_1,id_2,\mu)\to c$: on input the public parameters pp, the users' identities $id_1,id_2$ and the message bit $\mu\in\{0,1\}$, this algorithm outputs the ciphertext $c$.
(4). Decrypt$(\mathrm{pp},sk_{id_i},c)\to\mu$: on input the public parameters pp, a user's secret key $sk_{id_i}$ with $i\in\{1,2\}$, and the ciphertext $c$, this algorithm outputs a message $\mu$.
The definition of IB-DRE can easily be extended to a hierarchical IB-DRE by following the method in [11].
The adaptive-ID security model is adapted from [11]. It is described by an IND-ID-CPA game between a challenger $\mathcal{B}$ and an adversary $\mathcal{A}$ as follows:
Setup. The challenger $\mathcal{B}$ runs Setup$(1^n)$ to generate the public parameters pp and the master key msk, and sends pp to $\mathcal{A}$.
Phase 1. The adversary $\mathcal{A}$ adaptively makes secret key queries for identities of its choice.
Challenge. The adversary $\mathcal{A}$ sends a message bit $\mu^*\in\{0,1\}$ and the target identities $(id_1^*,id_2^*)$ to $\mathcal{B}$; the target identities $(id_1^*,id_2^*)$ must not have been queried in Phase 1. The challenger $\mathcal{B}$ chooses $r\in\{0,1\}$ uniformly at random. If $r=0$, it sends the challenge ciphertext $c^*=\mathrm{Encrypt}(\mathrm{pp},id_1^*,id_2^*,\mu^*)$ to $\mathcal{A}$. If $r=1$, it sends a uniformly random challenge ciphertext $c^*\in\mathcal{C}$ from the ciphertext space $\mathcal{C}$ to $\mathcal{A}$.
Phase 2. The adversary $\mathcal{A}$ again adaptively makes secret key queries as in Phase 1. It may not ask for $(id_1^*,id_2^*)$.
Guess. The adversary $\mathcal{A}$ outputs its guess $r'\in\{0,1\}$ and wins if $r'=r$. We define the advantage of $\mathcal{A}$ in attacking the IB-DRE scheme as $\varepsilon=|\Pr[r'=r]-\tfrac{1}{2}|$.

Adaptively Secure IB-DRE Scheme with Short Public Parameters
As is well known, in the adaptively secure IBE scheme of [11], for an identity $id=(b_1,b_2,\dots,b_n)\in\{0,1\}^n$ the key generation matrix/encryption matrix is … where … are the matrices in the public parameters. Thus, if we want to construct an adaptively secure identity-based dual receiver encryption (IB-DRE) scheme in the same way, the public parameters will consist of $2n+2$ matrices, which leads to a high storage cost.
In this section, we propose an adaptively secure IB-DRE scheme with short public parameters. There are four algorithms in this scheme: Setup, KeyGen, Encrypt and Decrypt. The main idea for reducing the public parameters is that in the Setup phase we introduce an injective map that maps an $n$-bit identity to a subset of $[1,l]^p$, where we let $l=n^{1/p}$. Additionally, we introduce a homomorphic computation technique to ensure that our scheme achieves a strong security notion, namely indistinguishability of ciphertexts under adaptive chosen-identity chosen-plaintext attacks (IND-ID-CPA). For the key generation matrix/encryption matrix, let $\mathbf{H}(id)$ … In the KeyGen phase, we use the same SampleLeft algorithm as in [11] to generate the two independent users' secret keys, but change the way $\mathbf{H}(id)$ is generated: $\mathbf{H}(id)$ is computed by a function $\mathrm{Eval}_p:(\mathbb{Z}_q^{n\times m})^p\to\mathbb{Z}_q^{n\times m}$ of the public parameters, where $\mathrm{Eval}_p$ is part of the homomorphic computation technique. When encrypting a message bit, the two independent receivers' public keys are both used to encrypt the message, so that the ciphertext can be decrypted to the same message by either receiver.
By doing this, we reduce the size of the public parameters from $2n+2$ (i.e., $O(n)$) matrices to $2pn^{1/p}+2$ (i.e., $O(n^{1/p})$) matrices, where $p$ is a flexible constant that controls the size of the reduction. Next we describe our scheme step by step.
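The counting argument behind the $2pn^{1/p}+2$ figure, and the injectivity requirement on the map, can be checked directly. The following is an added example and not the paper's construction: it realizes one concrete injective map $F$ (bit position $i$ of the identity is written in base $l$ to obtain a $p$-tuple in $[1,l]^p$; the paper only requires $F$ to be injective, so this particular map is an assumption for illustration), counts the public-parameter matrices of both schemes, and evaluates the scalar $h(id)=y_0+\sum_{(j_1,\dots,j_p)\in F(id)}y_{1,j_1}\cdots y_{p,j_p}$ that the security proofs below use for their abort conditions. All values are constructed; the $n=284$ comparison reproduces the 12% figure quoted in the abstract.

```python
import itertools

# Added example, not from the paper: a concrete injective map from an n-bit
# identity to a subset of [1, l]^p with l = ceil(n^(1/p)), the resulting count of
# public-parameter matrices, and the scalar "abort function" h(id) that the
# security proof evaluates. The specific map (bit position -> base-l digits) is
# an assumption for illustration; the paper only requires F to be injective.


def side_length(n, p):
    """Smallest l with l^p >= n, i.e. l = ceil(n^(1/p)), computed in integers."""
    l = 1
    while l ** p < n:
        l += 1
    return l


def identity_to_subset(id_bits, p):
    """F(id): the set of p-tuples (j_1, ..., j_p) in [1, l]^p that encode the
    positions i (0-based) at which id has a 1-bit, via the base-l digits of i."""
    n = len(id_bits)
    l = side_length(n, p)
    subset = set()
    for i, bit in enumerate(id_bits):
        if bit:
            digits, x = [], i
            for _ in range(p):
                digits.append(x % l + 1)
                x //= l
            subset.add(tuple(digits))
    return frozenset(subset)


def is_injective(n, p):
    """Exhaustively check that F is injective on all 2^n identities of length n."""
    seen = set()
    for id_bits in itertools.product((0, 1), repeat=n):
        image = identity_to_subset(id_bits, p)
        if image in seen:
            return False
        seen.add(image)
    return True


def pp_matrix_count_zhang18(n):
    """2n + 2 matrices: one per identity bit for each of the two receivers, plus A0 and B0."""
    return 2 * n + 2


def pp_matrix_count_ours(n, p):
    """2pl + 2 matrices: A_{i,j} and A'_{i,j} for i in [p], j in [l], plus A0 and B0."""
    return 2 * p * side_length(n, p) + 2


def h_scalar(id_bits, p, y0, Y, q):
    """h(id) = y0 + sum over (j_1..j_p) in F(id) of y_{1,j_1} * ... * y_{p,j_p} (mod q),
    with Y[i][j-1] = y_{i+1,j}. The proof aborts when h(id*) = 0 for a challenge
    identity and needs h(id) != 0 to answer a key query with SampleRight."""
    total = y0 % q
    for tup in identity_to_subset(id_bits, p):
        prod = 1
        for i, j in enumerate(tup):
            prod = prod * Y[i][j - 1] % q
        total = (total + prod) % q
    return total


if __name__ == "__main__":
    n = 284
    for p in (2, 3, 10):
        ours, theirs = pp_matrix_count_ours(n, p), pp_matrix_count_zhang18(n)
        print(f"p={p}: {ours} vs {theirs} matrices ({100 * ours / theirs:.1f}%)")
```

Injectivity of $F$ follows because distinct bit positions $i<n\le l^p$ have distinct base-$l$ digit strings, so distinct identities have distinct images; `is_injective` confirms this exhaustively for small $n$. For $n=284$ and $p=2$ the map needs $l=17$, giving $70$ matrices against $570$, i.e. about 12%.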

Our Construction
The adaptively secure IB-DRE scheme with short public parameters consists of the following four algorithms.
(1). Setup$(1^n)\to(\mathrm{pp},\mathrm{msk})$: on input the security parameter $1^n$, this algorithm outputs the public parameters pp and the master secret key msk as follows:
- Run TrapGen to generate a uniformly random matrix $\mathbf{A}_0\in\mathbb{Z}_q^{n\times m}$ and a trapdoor …
- Select uniformly random matrices … $\mathbf{B}_0$ and a uniformly random vector $\mathbf{u}\in\mathbb{Z}_q^n$.

Recall that by the function $\mathrm{Eval}_p$ …
(2). KeyGen$(\mathrm{pp},id,\mathrm{msk})\to sk_{id}$: on input the public parameters pp, the user's identity $id$ and the master secret key msk, this algorithm outputs the secret key $sk_{id}$ as follows: … For the two independent receivers, we let $\mathbf{e}_1$ and $\mathbf{e}_2$ denote the first and the second receiver's secret key.
The two independent receivers' secret keys are $sk_{id_1}=$ …
(3). Encrypt$(\mathrm{pp},id_1,id_2,\mu)\to c$: on input the public parameters pp, the users' identities $id_1,id_2$ and the message bit $\mu\in\{0,1\}$, this algorithm outputs the ciphertext $c$ as follows:
- It first obtains $\mathbf{H}(id_1)$ and $\mathbf{H}(id_2)$ as above.
- Choose a uniformly random vector $\mathbf{s}\in\mathbb{Z}_q^n$ and error terms $x\leftarrow\bar\Psi_\alpha$, … The ciphertext is $c=\{c_0,\mathbf{c}_1,\mathbf{c}_2\}$.
(4). Decrypt$(\mathrm{pp},sk_{id_1}/sk_{id_2},c)\to\mu$: on input the public parameters pp, a secret key $sk_{id_i}$ with $i\in\{1,2\}$ and the ciphertext $c$, do: … Finally, it outputs the message $\mu$.
Proof. Let $\mathcal{A}$ be a probabilistic polynomial-time (PPT) adversary that breaks our IB-DRE scheme with advantage $\varepsilon>0$. Then there exists a reduction that solves the $(\mathbb{Z}_q,n,\bar\Psi_\alpha)$-LWE problem with non-negligible advantage. Let $Q=Q(n)$ be an upper bound on the number of KeyGen queries and … be the queried identities. Different from $Q\le q/2$ in [11], here we let $Q\le n^c/4-1$, where $c=c(n)$. We show security via the following sequence of games. In each game we define a value $r\in\{0,1\}$ and let $W_i$ denote the event that the adversary correctly guesses the challenge bit, i.e., the challenger outputs $r'=r$ in Game $i$.
Game 0. This is the real IND-ID-CPA game between the adversary $\mathcal{A}$ and the challenger. We have …
Game 1. This game is the same as Game 0 except that we add an abort event at the end of the game. The challenger chooses random $y_{i,j}$, … and checks whether the following conditions hold: … If they do not hold, the game aborts, i.e., the challenger outputs a random $r'\in\{0,1\}$; otherwise, the challenger outputs $r'=r$. By Lemma 8, we have …
Lemma 8 ([11,14]). Let $\eta(I)$ denote the non-abort probability, … and let $\eta_{\min},\eta_{\max}$ denote the minimum and the maximum of $\eta(I)$, respectively. Then we have $|\Pr[$ …
The non-abort probability is taken over … We have … Therefore, the upper bound of the non-abort probability $\eta(I)$ is … Next we give the lower bound of the non-abort probability $\eta(I)$.
By the same method we obtain … Finally, the non-abort probability is … Then we have … The last inequality follows from $\varepsilon\le\tfrac{1}{2}$.
Game 2. In this game, we change the way $\mathbf{A}_{i,j}$, $\mathbf{A}'_{i,j}$ and $\mathbf{B}_0$ are generated. The challenger first chooses $y=\{y_0,(y_{i,j})_{(i,j)\in[p,l]}\}$ and $y'=\{y'_0,(y'_{i,j})_{(i,j)\in[p,l]}\}$ as in Game 1 and then chooses three matrices … By Lemma 6, the distribution $(\mathbf{A},$ … Before the next game, for any $id\in\mathcal{ID}$ we make the following definition. Let $\mathbf{R}_{id_1}=$ … $\mathrm{TrapEval}_p(\mathbf{R}_{1,j_1},\dots,\mathbf{R}_{p,j_p})$ and $\mathbf{R}_{id_2}=$ … $\mathrm{TrapEval}_p(\mathbf{R}'_{1,j_1},\dots,\mathbf{R}'_{p,j_p})$.
Based on Lemma 3, we have … ; $\mathbf{R}_{id_2}$ is bounded in the same way as $\mathbf{R}_{id_1}$.
Game 3. In this game, we change the way the ciphertext is generated and show that the distributions $\mathbf{x}_{2,i}$ and $\mathbf{R}_{id_i^*}\mathbf{x}_{1,i}+\mathbf{x}_{2,i}$ are within statistical distance $\alpha q m^{5/2}(1+p^p n^{cp-c+1})/B$, where $i\in\{1,2\}$.
The challenge ciphertext is generated as follows: the challenger first chooses $\mathbf{s}\in\mathbb{Z}_q^n$, $x\leftarrow\bar\Psi_\alpha$, … The challenge ciphertext is … where $\mu^*\in\{0,1\}$ is the message chosen by $\mathcal{A}$.
Game 4. In this game, we change the way $\mathbf{A}_0$ is generated. The challenger chooses a random matrix $\mathbf{A}_0\in\mathbb{Z}_q^{n\times m}$ instead of using the TrapGen algorithm. For the secret key queries, the challenger responds using SampleRight instead of SampleLeft. By the definition of $\mathbf{R}_{id}$, we have $\mathbf{H}(id_1)=\mathbf{A}_0\mathbf{R}_{id_1}+h(id_1)\mathbf{G}$ and $\mathbf{H}'(id_2)=\mathbf{A}_0\mathbf{R}_{id_2}+h'(id_2)\mathbf{G}$. If $h(id_1)=0$ or $h'(id_2)=0$, the challenger aborts and returns a random bit. Otherwise, it returns $\mathbf{e}_1$ and $\mathbf{e}_2$ to $\mathcal{A}$, where … In particular, the challenger checks whether the challenge identities $(id_1^*,id_2^*)$ satisfy $h(id_1^*)=0$ and $h'(id_2^*)=0$. If not, the game aborts as in Game 1.
Since in the adversary's view Game 2 and Game 4 are identical (the public parameters, the abort conditions, the responses to private key queries and the challenge ciphertext), the advantage of $\mathcal{A}$ is identical to that in Game 2, i.e., …
Game 5. The ciphertext space is $\mathcal{C}=\mathbb{Z}_q\times\mathbb{Z}_q^{2m}\times\mathbb{Z}_q^{2m}$. In this game, the challenger sets the challenge ciphertext $c^*=\{c_0^*,\mathbf{c}_1^*,\mathbf{c}_2^*\}$ to be uniformly random in $\mathbb{Z}_q\times\mathbb{Z}_q^{2m}\times\mathbb{Z}_q^{2m}$ in the challenge phase. The advantage of $\mathcal{A}$ is then 0. As shown in Lemma 9, assuming $(\mathbb{Z}_q,n,\bar\Psi_\alpha)$-LWE holds, Game 4 and Game 5 are computationally indistinguishable, i.e., $|\Pr[W_4]-\Pr[W_5]|=\mathrm{negl}(n)$.

Lemma 9. For any PPT adversary $\mathcal{A}$, there exists a challenger $\mathcal{B}$ such that …
Proof of Lemma 9. Suppose $\mathcal{A}$ has a non-negligible advantage in distinguishing Game 4 from Game 5. We use $\mathcal{A}$ to construct an LWE algorithm $\mathcal{B}$.
Recall from Definition 4 that an LWE problem instance is provided as a sampling oracle $\mathcal{O}$ which is either a truly random sampler $\mathcal{O}_\$$ or a noisy pseudo-random sampler $\mathcal{O}_{\mathbf{s}}$ for a secret $\mathbf{s}\in\mathbb{Z}_q^n$. The challenger $\mathcal{B}$ uses the adversary $\mathcal{A}$ to distinguish which sampler it is given, and proceeds as follows:
Instance. The challenger $\mathcal{B}$ requests $(m+1)$ LWE samples from $\mathcal{O}$, which we denote as …
Setup. The challenger $\mathcal{B}$ constructs the public parameters pp as follows: (1) Construct a matrix $\mathbf{A}_0\in\mathbb{Z}_q^{n\times m}$ by assembling $m$ LWE samples, $\mathbf{A}_0=(\mathbf{w}_1,\mathbf{w}_2,\dots,\mathbf{w}_m)$, and let $\mathbf{u}=\mathbf{w}_0$.
(2) Choose $y$ as in Game 1 and construct the remainder of the public parameters as in Game 2.
Challenge. $\mathcal{A}$ sends a message bit $\mu^*\in\{0,1\}$ and the target identities $(id_1^*,id_2^*)$ to $\mathcal{B}$. The challenger $\mathcal{B}$ constructs $\mathbf{v}^*=(v_1,v_2,\dots,v_m)$, where $v_0,v_1,\dots,v_m\in\mathbb{Z}_q$ are the LWE samples. …
$\mathcal{B}$ sends the challenge ciphertext $c^*=\{c_0^*,\mathbf{c}_1^*,\mathbf{c}_2^*\}$ to $\mathcal{A}$. Note that when $\mathcal{O}=\mathcal{O}_{\mathbf{s}}$ the ciphertext is valid (we only argue the case in which no abort happens). Since $h(id_1^*)=0$ and $h'(id_2^*)=0$, … As with $\mathbf{c}_1^*$, $\mathbf{c}_2^*$ is also valid; this is similar to Game 3. When $\mathcal{O}=\mathcal{O}_\$$, $v_0\in\mathbb{Z}_q$ and $\mathbf{v}^*\in\mathbb{Z}_q^m$ are uniform, and therefore $c_0^*,\mathbf{c}_1^*,\mathbf{c}_2^*$ are uniform in $\mathbb{Z}_q\times\mathbb{Z}_q^{2m}\times\mathbb{Z}_q^{2m}$ by Lemma 6.
Guess. After being allowed to make additional secret key queries, $\mathcal{A}$ guesses whether it is interacting with a Game 4 or a Game 5 challenger. $\mathcal{B}$ outputs $\mathcal{A}$'s guess as its answer to the LWE challenge it is trying to solve. Therefore we have …

Adaptively Secure Hierarchical IB-DRE Scheme with Short Public Parameter
To lighten the load on the KGC, hierarchical IBE (HIBE) schemes were proposed. In HIBE, a user's identity is described by an identity tuple, and we let $ID_k=(id_1,id_2,\dots,id_k)$ denote an identity at depth $k$. There are many users at each depth. In this section, we use $ID_{k,1}$ and $ID_{k,2}$ to denote two arbitrary receivers at depth $k$ in our HIB-DRE scheme.
As is well known, when converting the selectively secure HIBE scheme of [11] into an adaptively secure HIBE, for an identity $ID_k=(id_1,id_2,\dots,id_k)$ at depth $k$ the key generation matrix/encryption matrix would be … where …, $i\in[n]$, are the matrices in the public parameters.
Therefore the public parameters would be $2dn+2$ matrices, where $d$ is the maximum hierarchy depth, which leads to a high storage cost.
In this section, we construct an adaptively secure HIB-DRE scheme with short public parameters. There are again four algorithms in this scheme: Setup, KeyGen, Encrypt and Decrypt. We use the same injective map and homomorphic computation technique to reduce the size of the public parameters from $2dn+2$ matrices to $2dpn^{1/p}+2$ matrices. Different from the adaptively secure IB-DRE scheme in Section 3, we use the SampleBasisLeft algorithm [11] to generate the user's secret key, and the SampleBasisRight algorithm in the security proof. In the KeyGen phase, the algorithm takes a secret key for an identity at depth $k-1$ as input and outputs a secret key for an identity at depth $k$.
SampleBasisLeft$(\mathbf{M}_1,\mathbf{M},\mathbf{T}_{\mathbf{M}_1},\sigma)$: on input two matrices $\mathbf{M}_1\in\mathbb{Z}_q^{n\times m_1}$, $\mathbf{M}\in\mathbb{Z}_q^{n\times m}$, a "short" basis $\mathbf{T}_{\mathbf{M}_1}$ of $\Lambda_q^\perp(\mathbf{M}_1)$ and a Gaussian parameter $\sigma\ge\|\tilde{\mathbf{T}}_{\mathbf{M}_1}\|\,\omega(\sqrt{\log(m+m_1)})$, this algorithm outputs a short basis … SampleBasisRight: on input …, a basis $\mathbf{T}_\mathbf{G}$ of $\Lambda_q^\perp(\mathbf{G})$ and a Gaussian parameter $\sigma_k>\|\tilde{\mathbf{T}}_\mathbf{G}\|\cdot s_R\,\omega(\sqrt{\log m})$, where $\mathbf{G}_{id}=h(id)\mathbf{G}$ and $s_R=\|\mathbf{R}\|$, this algorithm outputs a short basis …

Our Construction
The adaptively secure HIB-DRE scheme with short public parameters consists of the following four algorithms.
(1). Setup$(d,1^n)\to(\mathrm{pp},\mathrm{msk})$: on input the maximum hierarchy depth $d$ and the security parameter $1^n$, this algorithm outputs the public parameters pp and the master secret key msk as follows:
- Run TrapGen to generate a uniformly random matrix $\mathbf{A}_0\in\mathbb{Z}_q^{n\times m}$ and a trapdoor …
- … where $id_k\in\{0,1\}^n$, select an injective map $F$ that maps an identity to a subset $F(ID_k)$ of $[1,l]^p$ …
- Select a uniformly random vector $\mathbf{u}=(u_1,u_2,\dots,u_n)\in\mathbb{Z}_q^n$ and a uniformly random matrix … The public parameters are $\mathrm{pp}=\{\dots,\mathbf{B}_0,\mathbf{u}\}$ and the master secret key is $\mathrm{msk}=\{\mathbf{T}_{\mathbf{A}_0}\}$.
For two arbitrary receivers $ID_{k,1},ID_{k,2}$ at depth $k$, recall that by the function $\mathrm{Eval}_p$: … $\mathrm{Eval}_p(\bar{\mathbf{A}}^k_{1,j_1},\bar{\mathbf{A}}^k_{2,j_2},\dots,\bar{\mathbf{A}}^k_{p,j_p})$.
Then construct $\mathbf{H}(ID_{k,1})$ …
(2). KeyGen$(\mathrm{pp},ID_{k,i},sk_{ID_{k-1,i}},\mathrm{msk})\to sk_{ID_{k,i}}$: on input the public parameters pp, the user's identity $ID_{k,i}$ at depth $k$ where $i\in\{1,2\}$, the secret key $sk_{ID_{k-1,i}}$ corresponding to the identity $ID_{k-1,i}$ at depth $k-1$ and the master secret key msk, this algorithm outputs a secret key $sk_{ID_{k,i}}$ as follows: …
(3). Encrypt$(\mathrm{pp},ID_{k,1},ID_{k,2},\mu)\to c$: on input the public parameters pp, the users' identities $ID_{k,1},ID_{k,2}$ and the message bit $\mu\in\{0,1\}$, this algorithm outputs the ciphertext $c$ as follows:
- It first obtains $\mathbf{F}_{ID_{k,1}}=[\mathbf{A}_0|\mathbf{H}(ID_{k,1})]$ and $\mathbf{F}_{ID_{k,2}}=[\mathbf{A}_0|\mathbf{H}(ID_{k,2})]$ as above.
- Choose a uniformly random vector $\mathbf{s}\in\mathbb{Z}_q^n$ and a uniformly random matrix $\mathbf{R}\leftarrow\{-1,1\}^{m\times km}$. …
(4). Decrypt$(\mathrm{pp},sk_{ID_{k,i}},c)\to\mu$: on input the public parameters pp, a secret key $sk_{ID_{k,i}}$ with $i\in\{1,2\}$, where $ID_{k,i}$ is at depth $k$, and the ciphertext $c$, do: … Finally, it outputs the message $\mu$.
Proof. Let $\mathcal{A}$ be a probabilistic polynomial-time (PPT) adversary that breaks our HIB-DRE scheme with advantage $\varepsilon>0$. Then there exists a reduction that solves the $(\mathbb{Z}_q,n,\bar\Psi_\alpha)$-LWE problem with non-negligible advantage. Let $Q=Q(n)$ be an upper bound on the number of KeyGen queries and … We show security via the following games. In each game we define a value $r\in\{0,1\}$ and let $W_i$ denote the event that the adversary correctly guesses the challenge bit, i.e., the challenger outputs $r'=r$ in Game $i$; $|\Pr[W_i]-\tfrac{1}{2}|$ is the adversary's advantage.
Game 0. This is the real IND-ID-CPA game between the adversary $\mathcal{A}$ and the challenger. Let $h_{id_k}=y_0+\sum_{(j_1,\dots,j_p)\in F(id_k)}y^k_{i,j_1}\cdots y^k_{i,j_p}$ and let $\mathbf{H}$ be a function such that … For the challenge identities the challenger checks whether $h(ID^*_{k,i})=0$, and for the queried identities whether $h(ID_{k,i})\neq 0$, where $i\in\{1,2\}$. If these conditions do not hold, the game aborts; otherwise, the challenger outputs $r'=r$.
Based on Lemma 3, we have … ; $\mathbf{R}_{ID_{k,2}}$ is bounded in the same way as $\mathbf{R}_{ID_{k,1}}$.
Game 3. In this game, we change the way $\mathbf{A}_0$ is generated. The challenger chooses a random matrix $\mathbf{A}_0\in\mathbb{Z}_q^{n\times m}$ instead of using the TrapGen algorithm. For the secret key queries, the challenger responds using SampleRight instead of SampleLeft. By the definition of $\mathbf{R}_{ID_k}$, we have $\mathbf{H}(ID_{k,1})=[\mathbf{A}_0\mathbf{R}_{ID_{1,1}}+h_{id_{1,1}}\mathbf{G}\,|\cdots|\,\mathbf{A}_0\mathbf{R}_{ID_{k,1}}+h_{id_{k,1}}\mathbf{G}]$ and $\mathbf{H}(ID_{k,2})=[\mathbf{A}_0\mathbf{R}_{ID_{1,2}}+h_{id_{1,2}}\mathbf{G}\,|\cdots|\,\mathbf{A}_0\mathbf{R}_{ID_{k,2}}+h_{id_{k,2}}\mathbf{G}]$.
If $h(ID_{k,1})=0$ or $h(ID_{k,2})=0$, the challenger aborts and returns a random bit. Otherwise, it returns $\mathbf{E}_1$ and $\mathbf{E}_2$ to $\mathcal{A}$, where … In particular, the challenger checks whether the challenge identities $(ID^*_{k,1},ID^*_{k,2})$ satisfy $h(ID^*_{k,1})=0$ and $h(ID^*_{k,2})=0$. If not, the game aborts as in Game 1. Since in the adversary's view Game 2 and Game 3 are identical (the public parameters, the abort conditions, the responses to private key queries and the challenge ciphertext), the advantage of $\mathcal{A}$ is identical to that in Game 2, i.e., …
Proof of Lemma 10. Suppose $\mathcal{A}$ has a non-negligible advantage in distinguishing Game 4 from Game 5. We use $\mathcal{A}$ to construct an LWE algorithm $\mathcal{B}$.
Recall from Definition 4 that an LWE problem instance is provided as a sampling oracle $\mathcal{O}$ which is either a truly random sampler $\mathcal{O}_\$$ or a noisy pseudo-random sampler $\mathcal{O}_{\mathbf{s}}$ for a secret $\mathbf{s}\in\mathbb{Z}_q^n$. The challenger $\mathcal{B}$ uses the adversary $\mathcal{A}$ to distinguish which sampler it is given, and proceeds as follows:
Instance. The challenger $\mathcal{B}$ requests $(m+1)$ LWE samples from $\mathcal{O}$, which we denote as …
Setup. The challenger $\mathcal{B}$ constructs the public parameters pp as follows: (1) Construct a matrix $\mathbf{A}_0\in\mathbb{Z}_q^{n\times m}$ by assembling $m$ LWE samples, $\mathbf{A}_0=(\mathbf{w}_1,\mathbf{w}_2,\dots,\mathbf{w}_m)$, and let $\mathbf{u}=\mathbf{w}_0$.
(2) Choose $y$ as in Game 1 and construct the remainder of the public parameters as in Game 2.
Challenge. $\mathcal{A}$ sends a message bit $\mu^*\in\{0,1\}$ and the target identities $(ID^*_{k,1},ID^*_{k,2})$ to $\mathcal{B}$. The challenger $\mathcal{B}$ constructs $\mathbf{v}^*=(v_1,v_2,\dots,v_m)$, where $v_0,v_1,\dots,v_m\in\mathbb{Z}_q$ are the LWE samples. Let $\mathbf{R}_{ID^*_{k,1}}=\mathbf{R}_{ID^*_{1,1}}|\cdots|\mathbf{R}_{ID^*_{k,1}}\in\mathbb{Z}_q^{m\times km}$ and $\mathbf{R}_{ID^*_{k,2}}=\mathbf{R}_{ID^*_{1,2}}|\cdots|\mathbf{R}_{ID^*_{k,2}}\in\mathbb{Z}_q^{m\times km}$. Then the challenge ciphertext is …
$\mathcal{B}$ sends the challenge ciphertext $c^*=\{c_0^*,\mathbf{c}_1^*,\mathbf{c}_2^*\}$ to $\mathcal{A}$. Note that when $\mathcal{O}=\mathcal{O}_{\mathbf{s}}$ the ciphertext is valid (we only argue the case in which no abort happens). Since $h(ID^*_{k,1})=0$ and $h(ID^*_{k,2})=0$, we have … Likewise … By the definition of $\mathcal{O}_{\mathbf{s}}$, we know $\mathbf{v}^*=\mathbf{A}_0^{\top}\mathbf{s}+\mathbf{x}$. Then we have … As with $\mathbf{c}_1^*$, $\mathbf{c}_2^*$ is also valid; this is similar to Game 3. When $\mathcal{O}=\mathcal{O}_\$$, $v_0\in\mathbb{Z}_q$ and $\mathbf{v}^*\in\mathbb{Z}_q^m$ are uniform, and therefore $c_0^*,\mathbf{c}_1^*,\mathbf{c}_2^*$ are uniform in $\mathbb{Z}_q\times\mathbb{Z}$ …
Guess. After being allowed to make additional secret key queries, $\mathcal{A}$ guesses whether it is interacting with a Game 4 or a Game 5 challenger. $\mathcal{B}$ outputs $\mathcal{A}$'s guess as its answer to the LWE challenge it is trying to solve. Therefore we have $\mathrm{LWE\text{-}Adv}(\mathcal{B})=|\Pr[W_3]-\Pr[W_4]|$.

Remark 1. Note that, as in [10,11], both schemes can also encrypt multiple message bits. To encrypt an $n$-bit message we include $n$ vectors $\mathbf{u}_1,\mathbf{u}_2,\dots,\mathbf{u}_n$ in the public parameters pp. Let $\mathbf{U}=(\mathbf{u}_1,\mathbf{u}_2,\dots,\mathbf{u}_n)$ and replace the vector $\mathbf{u}$ with $\mathbf{U}$. Then take each element of $\mathbf{U}$ as input in the KeyGen phase of the IB-DRE scheme or the Decrypt phase of the HIB-DRE scheme such that … Moreover, replace the ciphertext $c_0$ with $\mathbf{c}_0=\mathbf{U}\mathbf{s}+\mathbf{x}+\mu\lfloor q/2\rfloor\in\mathbb{Z}_q^n$. The security proof is essentially unchanged, except that in the Instance phase $\mathcal{B}$ makes $m+n$ queries to the LWE oracle instead of $m+1$.

Performance Analysis
We first compare our lattice-based IB-DRE scheme with other related IB-DRE schemes, which are based on bilinear maps. As shown in Table 1, compared to [4], our scheme and [20] resist quantum attacks because both are based on the LWE problem on lattices, which Regev [9] proved to be hard against quantum computing attacks, whereas [4] is based on the decisional bilinear Diffie-Hellman (DBDH) problem, which does not resist quantum computing attacks. In addition, [4,20] and our scheme are all proved to be CPA secure. To lighten the load on the KGC, we extend our scheme to the hierarchical scenario, while [4,20] do not support a hierarchical scenario. Next we compare the storage cost, communication cost and computational cost of our construction with those of the first lattice-based IB-DRE scheme (hereafter denoted Zhang18).
Storage cost analysis. In Zhang18, the authors propose an adaptively secure IB-DRE scheme based on the LWE problem. In their scheme, to achieve adaptive-ID security, they generate $2n$ matrices in the Setup phase using the same method as [11]. The size of the public parameters is $O(n^3\log q)$, which leads to a high storage overhead. As shown in Table 2, the suggested lattice dimension $m$ in our scheme is smaller than in [20] under the same adaptive security model. Since $p$ is a flexible constant that directly affects the pp size, we give the comparison results for different values of $p$. Because we introduce an injective map in our construction, the size of the public parameters is reduced from $2n+2$ matrices to $2pn^{1/p}+2$ matrices, where $p\,(\ge 2)$ is a flexible constant; that is, the storage cost of the public parameters pp is reduced from $O(n^3\log q)$ to $O(n^{2+1/p}\log q)$. Moreover, the user's secret key in our scheme is smaller than in [20], and the ciphertext has the same size as in [20]. Figure 1 shows that when $p=2$ and $n=284$, following the suggestion given by Micciancio et al. in [22], the size of the public parameters in our scheme is reduced by 88% compared with Zhang et al.'s method, and the saving is larger still when $p>2$ or $n>284$. In addition, Figure 1 shows that as the bit-length of the identity increases, the size of the public parameters in our scheme and in [20] both increase, but ours remains smaller than [20]. Among the values of $p$ considered for our scheme, $p=2$ gives the largest public parameters, and even then they are 12% of those of [20]; for $p>2$ they are smaller still.
Table 2. Comparison between Zhang18 [20] and our IB-DRE scheme.
Scheme | Lattice dimension $m$ | Size of pp | Size of sk | Size of ciphertext | LWE parameter $1/\alpha$ | Security | $p$
Zhang18 [20] | $6n\log q$ | $O(n^3\log q)$ | $2mn\log q$ | $O(n^3\log q)$ | Fixed poly($n$) | Adaptive | –
Ours (IB-DRE) | $3n\log q$ | $O(n^{2+1/p}\log q)$ | $2m\log q$ | $O(n^3\log q)$ | All poly($n$) | Adaptive | $p\,(\ge 2)$
Fixed poly($n$): the scheme is proven secure under the LWE assumption with $1/\alpha$ being some fixed polynomial (e.g., $n^3$). All poly($n$): the scheme is proven secure under the LWE assumption with $1/\alpha$ being any polynomial.
Figure 1. The number of matrices in the public parameters as a function of the bit-length of the identity ($n$), for Zhang18 [20], Ours ($p=2$) and Ours ($p=10$).

Communication costs analysis.
There are four algorithms in our scheme and in Zhang18 [20]. During the operation of the algorithms, three transmissions of the public parameters, two transmissions of the ciphertext and at least two transmissions of users' secret keys are required. According to the comparison results of Table 2 and Figure 1, under the same transmission bandwidth the communication costs of our public parameters and users' secret keys are clearly lower than in Zhang18 [20]. The communication cost of the ciphertext is equal to that of Zhang18 [20].
Computational cost analysis. As shown in Table 3, we compare our scheme with Zhang18 on computational cost. The computational cost of encryption in our construction is equal to that of the related lattice-based IB-DRE scheme in [20]. As for the computational cost of KeyGen, in [20] the user's secret key is a $2m\times n$ matrix, while it is a $2m$-dimensional vector in our scheme; thus the computational cost of KeyGen in [20] is larger than in our scheme. Since the user's secret key in [20] is $n$ times larger than ours, the corresponding computational cost is also larger than ours. Table 3. The comparison of computational cost.

Scheme KeyGen Encryption Decryption
Zhang18

Conclusions
Different from the standard cryptographic primitive of public key encryption, in which a ciphertext can usually be decrypted only by the holder of the private key, dual receiver encryption enables a ciphertext to be decrypted to the same plaintext by two different but dual receivers. In this paper, we propose two more efficient constructions of (hierarchical) identity-based dual receiver encryption from lattices, which resist quantum attacks. By combining an injective map with a homomorphic computation technique, the size of the public parameters is remarkably reduced from $2n+2$ matrices to $2pn^{1/p}+2$ matrices, where $p\,(\ge 2)$ is a flexible constant. Compared to the only related work, Zhang18, about 88% (= 1 − 12%) of the storage cost is saved by our method. Under the intractability assumption of the learning with errors problem over lattices, our proposals are proved to be semantically secure against adaptively chosen identity and plaintext attacks.