Post-Quantum Secure Lightweight Revocable IBE with Decryption Key Exposure Resistance

Abstract

Revocable Identity-Based Encryption (RIBE) can dynamically revoke users whose secret keys have been compromised, ensuring a system’s backward security. An RIBE scheme with decryption key exposure resistance (DKER) guarantees the confidentiality of ciphertext during any time period where the decryption key remains undisclosed. Existing RIBE schemes with DKER generate $O\left(r\log (N/r)\right)$ ciphertexts for each plaintext message. Redundant ciphertexts impose significant computational burdens on users and substantial communication overhead on the system. To reduce high computation and communication overhead in existing schemes, this paper proposes a dual-key combination trapdoor generation method. Based on the proposed method, an indirect RIBE scheme with DKER is constructed, reducing ciphertext redundancy and obtaining computation and communication efficiency. Firstly, this paper proposes a dual-key combination trapdoor generation mechanism. By constructing an Inhomogeneous Small Integer Solution (ISIS) instance, the Key Generation Center (KGC) generates and distributes short bases to users as their identity keys. Subsequently, based on the constructed ISIS instance, a new inverse ISIS instance is derived. Furthermore, during each time period, KGC generates short bases for all non-revoked users as their time keys. By linearly combining their identity key with the corresponding time key, every non-revoked user can derive a re-randomized decryption key, achieving controlled key derivation. Secondly, based on the proposed method, a Post-Quantum Secure, Lightweight RIBE scheme with DKER (PQS-LRIBE-DKER) is constructed. For every non-revoked user, their identity key and time key serve as their own user secret key and key update, respectively. Controllable key derivation enables indirect revocation of the scheme. By adopting an indirect revocation, the PQS-LRIBE-DKER scheme achieves a single ciphertext per plaintext message, significantly reducing the sender’s computational load and the system’s communication overhead. Finally, under the hardness assumptions of the Learning with Errors (LWE) and ISIS problems, we prove that the proposed scheme achieves selective identity security in the standard model.

1. Introduction

In Identity-Based Encryption (IBE), the users’ identities serve as public keys, obviating digital certificates and eliminating the complex burden of certificate storage and management inherent in traditional public key infrastructures [1]. However, this characteristic also poses a critical challenge for IBE: how to achieve efficient user revocation when faced with key compromise or expiration.

Boneh first proposed a user revocation mechanism for the IBE scheme [2]. In his Revocable IBE (RIBE) scheme, the public key consists of the user identity and time period. The Key Generation Center (KGC) revokes users by regenerating and distributing new secret keys to all non-revoked users at each time period, which incurs a computational overhead proportional to the number of non-revoked users. In practical scenarios, the number of non-revoked users typically far exceeds that of revoked users. Consequently, Boneh’s revocation approach exhibits significant deficiencies in both efficiency and practicality.

To alleviate the efficiency bottleneck, Boldyreva et al. introduced the complete subtree method [3], which avoids generating secret keys individually for every non-revoked user per time period. This scheme assigns users to leaf nodes and calculates the smallest subtree set covering all non-revoked users. KGC generates time keys only for set nodes. This significantly reduces KGC’s computational complexity from $O(N-r)$ to $O\left(r\log (N/r)\right)$, where N is the total number of users and r is the number of revoked users. This scheme achieves revocation by preventing revoked recipients from decrypting messages, which is referred to as indirect revocation.

As research progressed, scholars uncovered new security vulnerabilities in RIBE schemes. In the scheme of [4], the decryption key for each time period is concatenated from the secret key and the key update for that period. Leaking any single period’s decryption key reveals the user’s long-term secret key, thereby compromising ciphertext confidentiality across all time periods. To counter this threat, Seo et al. introduced the decryption key exposure resistance (DKER) and constructed an RIBE scheme with DKER, which guarantees that even after a decryption key compromise, ciphertext confidentiality for all other periods remains secure [5].

Subsequently, RIBE schemes with DKER based on bilinear or multilinear pairings rapidly evolved. However, the rapid advancement of quantum computing threatens to break cryptographic schemes based on traditional mathematical hard problems. Consequently, research on post-quantum secure RIBE schemes with DKER has become an important topic.

1.1. Motivations

To implement DKER, users in Reference [6] autonomously generate re-randomized decryption keys for arbitrary time periods based on their secret keys. As shown in Figure 1a, KGC distributes a short basis corresponding to each user’s identity-based public key matrix as the user’s secret key. Then, the user employs the short basis trapdoor to solve for the randomized short vector corresponding to an identity–time matrix, which serves as the decryption key. This scheme excludes revoked users from the sender’s encryption list to revoke users. The sender has to generate $O\left(r\log (N/r)\right)$ ciphertexts for each plaintext message, significantly increasing the computational overhead on the sender and the communication overhead on the system.

In addition to the direct revocation discussed above, IBE also incorporates indirect revocation. As shown in Figure 1b, KGC distributes an identity-related secret key to each user. In each time period, the KGC distributes key updates to non-revoked users. Non-revoked users utilize these two keys to generate their decryption keys. Indirect revocation works by ensuring that revoked users cannot obtain decryption keys, thus losing decryption capability. The sender encrypts without excluding revoked users, effectively reducing the number of ciphertexts required and alleviating the system’s communication overhead. Consequently, designing RIBE schemes that support both indirect revocation and DKER has emerged as a significant research direction.

1.2. Contributions

As a solution to the heavy computational burden and high system communication overhead caused by direct revocation in previous RIBE schemes with DKER, this paper proposes a dual-key combination trapdoor generation mechanism to achieve indirect revocation. This enables the construction of a lightweight RIBE scheme with DKER. The contributions are as follows:

• Proposing a dual-key combination trapdoor generation mechanism
  • Starting from an Inhomogeneous Small Integer Solution (ISIS) instance, KGC generates and distributes short bases to users of different identities as their identity keys.
  • In each time period, the KGC constructs a new ISIS instance using the additive inverse of the target matrix and generates short bases as time keys for non-revoked users. Due to the target matrix in the ISIS instance, users cannot directly compute the decryption key for any time period using the short basis alone.
  • Non-revoked users must linearly combine their identity key and time key to obtain the short basis trapdoor corresponding to the public key matrix, thus solving for the current time period’s re-randomized decryption key. By allowing non-revoked users to compute the current decryption key from both keys while denying this capability to revoked users, the scheme successfully achieves controlled key derivation.
• Constructing a post-quantum secure lightweight RIBE scheme with DKER
  • By adopting the above mechanism for key generation and distribution, treating identity keys as user secret keys and time keys as key updates, we construct a Post-Quantum Secure, Lightweight RIBE scheme with DKER (PQS-LRIBE-DKER).
  • Controllable key derivation enables indirect revocation in the scheme. Ultimately, the scheme shifts the periodic computational burden of revocation to a more powerful KGC, maintains a one-to-one correspondence between plaintext and ciphertext, and significantly reduces the sender’s computational load and the system’s communication overhead.
• Providing rigorous formal security proofs
  • Assuming the hardness of the Learning with Errors (LWE) and ISIS problems, the proposed scheme has been proven to possess selective identity security in the standard model.

1.3. Related Works

Boneh et al. proposed the first RIBE scheme, which relies on traditional bilinear pairing assumptions [2]. In 2012, building upon the work of Agrawal et al. [7] and incorporating the complete subtree method [3], Chen et al. presented the first lattice-based RIBE scheme [8]. In 2016, Nguyen et al. proposed the first lattice-based server-aided revocable IBE scheme [9], which significantly reduces the users’ computational burden through an innovative server-assisted revocation mechanism. In 2021, Zhang et al. presented the first lattice-based RIBE with server-aided ciphertext evolution, preventing revoked users from accessing ciphertexts created prior to revocation [10]. In 2022, Zhang et al. introduced a scalable revocable IBE scheme with cloud-aided ciphertext update, achieving constant-size ciphertexts and a streamlined update mechanism [11]. In 2023, Chen et al. proposed a more efficient cloud-assisted ciphertext-evolving RIBE scheme [12]. In 2024, Huang et al. proposed a generic framework for post-quantum secure identity-based matchmaking encryption with revocable decryption keys, constructed from an identity-based signature scheme and a revocable hierarchical IBE scheme [13]. In 2025, Takayasu et al. presented an RIBE scheme based on the Middle-Product LWE (MPLWE) hardness assumption, achieving the shortest master public key and ciphertext lengths [14].

In 2013, Seo and Emura first introduced the concept of DKER and constructed the first RIBE scheme with DKER based on bilinear pairings [5]. In 2017, Takayasu and Watanabe proposed a lattice-based RIBE scheme satisfying Bounded-DKER (B-DKER), a security model weaker than full DKER [15]. In 2019, Katsumata et al. realized a hierarchical RIBE scheme with DKER and proved its security against selective-identity attacks in the standard model [16]. In 2023, Wang et al. introduced an Enhanced DKER (En-DKER) security notion and constructed a lattice-based RIBE scheme with En-DKER supporting direct revocation [6]. In 2025, Huang et al. proposed an integrated revocation model and used it to construct an efficient lattice-based online/offline integrated revocable IBE scheme with En-DKER [17].

In terms of applications, in 2021, Xia et al. employed an adaptively chosen-ciphertext secure RIBE scheme based on bilinear pairings for IoT device authentication [18]. RIBE schemes have also demonstrated significant potential in authenticated key exchange and proxy re-encryption [19,20]. In 2025, Zhu et al. proposed a revocable hierarchical identity-based inner-product functional encryption scheme with a malicious user revocation mechanism, designed to address patient privacy concerns in smart healthcare systems [21].

2. Preliminaries

This paper assumes line vectors. Bold uppercase letters denote matrices, e.g., A. Bold lowercase letters denote vectors, e.g., b. $\mathbb{R}$ represents the set of real numbers, $\mathbb{Z}$ represents the set of integers, and $\mathbb{N}$ represents the set of natural numbers. $\left|\left|\mathit{x}\right|\right|$ denotes the ${\mathcal{l}}_2$ norm of vector x. The norm of a matrix is the largest ${\mathcal{l}}_2$ norm among its rows: $\left|\left|\mathit{X}\right|\right|={max}_i\left|\right|{\mathit{x}}_i\left|\right|$.

Definition 1. (Full-Rank Differences).

Let q be a prime and n be a positive integer. We say that a function H: ${\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$is an encoding with full-rank differences if the following criteria are met:

• For all distinct u, v $\in {\mathbb{Z}}_q^n$, the matrix $H\left(\mathit{u}\right)-H\left(\mathit{v}\right)\in {\mathbb{Z}}_q^{n\times n}$is full rank;
• $H$is computable in polynomial time in nlogq.

2.1. Lattice and Discrete Gaussians

Let $\mathit{B}=\{{\mathit{b}}_1,\dots ,{\mathit{b}}_n\}\subset {\mathbb{R}}^n$ be a set of n linearly independent vectors. The n-dimensional lattice generated by the basis B is defined as

$$\mathsf{\Lambda }=\mathcal{L}\left(\mathit{B}\right)=\left\{\mathit{B}\mathit{c}=\sum _{i\in \left[n\right]}{c}_i\cdot {\mathit{b}}_i:\mathit{c}\in {\mathbb{Z}}^n\right\}.$$

Let n, m, and q be positive integers. For a matrix $\mathit{A}\in {\mathbb{Z}}_{\mathit{q}}^{\mathit{n}\times \mathit{m}}$, this paper employs two types of m-dimensional full-rank integer lattices defined by A:

$$\begin{gathered} {\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)=\left\{\mathit{e}\in {\mathbb{Z}}^m:\mathit{A}\mathit{e}=0 mod q\right\} \\ {\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right)=\{\mathit{e}\in {\mathbb{Z}}^m:\mathit{A}\mathit{e}=\mathit{u} mod q , \mathit{u}\in {\mathbb{Z}}_q^n\} \end{gathered}$$

For any $s>0$, the Gaussian function on ${\mathbb{R}}^n$ with center c and parameter s is defined as follows:

$$\forall \mathit{x}\in {\mathbb{R}}^n,{\rho }_{s,\mathit{c}}\left(\mathit{x}\right)=\mathrm{e}\mathrm{x}\mathrm{p}(-\pi {\left|\left|\mathit{x}-\mathit{c}\right|\right|}^2/s^2).$$

For any $\mathit{c}\in {\mathbb{R}}^n$, and real number $s>0$, an n-dimensional lattice $\mathsf{\Lambda }$, the discrete Gaussian distribution is defined as follows:

$$\forall \mathit{x}\in \mathsf{\Lambda },D_{\mathsf{\Lambda },s,\mathbf{c}}\left(\mathit{x}\right)={\displaystyle \frac{{\rho }_{s,\mathbf{c}}\left(\mathit{x}\right)}{{\rho }_{s,\mathbf{c}}\left(\mathsf{\Lambda }\right)}}.$$

For any ordered set of n linearly independent vectors $\mathit{S}=\{{\mathit{s}}_1,\dots ,{\mathit{s}}_n\}\subset {\mathbb{R}}^n$, let $\tilde{\mathit{S}}=\{\widetilde{{\mathit{s}}_1},\dots ,\widetilde{{\mathit{s}}_n}\}$ denote the Gram–Schmidt orthogonalized vectors of S.

2.2. Useful Facts

Lemma 1.

(Leftover Hash Lemma [7]).Suppose that m > (n + 1) ${\mathit{log}}_{2}q+\omega \left(\mathit{log}n\right)$and that q > 2 is prime. Let R be an m × k matrix chosen uniformly in ${\{-\mathrm{1,1}\}}^{m\times k} mod q$where k = k(n) is polynomial in n. Let A and B be matrices chosen uniformly in ${\mathbb{Z}}_q^{n\times m}$and ${\mathbb{Z}}_q^{n\times k}$respectively. Then, for all vectors w in ${\mathbb{Z}}_q^m$, the distribution (A, AR,${\mathit{R}}^T\mathit{w}$) is statistically close to the distribution (A, B, ${\mathit{R}}^T\mathit{w}$).

Lemma 2.

(Smudging Lemma [22]).Let $B_1,B_2$be two polynomials over the integers, and let $\mathcal{D}={\left\{{\mathcal{D}}_{\lambda }\right\}}_{\lambda }$be any $B_1$-bounded distribution family. Let $\mathcal{U}={\left\{{\mathcal{U}}_{\lambda }\right\}}_{\lambda }$be the uniform distribution over the integers in [−$B_2\left(\lambda \right),B_2\left(\lambda \right)$]. The family of distributions $\mathcal{D}+\mathcal{U}$are statistically indistinguishable if there exists a negligible function negl ($·$) such that for all $\lambda \in \mathbb{N}$it holds that $B_1\left(\lambda \right)/B_2\left(\lambda \right)\le$negl$\left(\lambda \right)$.

2.3. Sampling Algorithms

Lemma 3.

([7]). Let n$\ge 1$,m$\ge 2n⌈\mathit{log}q⌉$, q $\ge$2

• $\mathbf{T}\mathbf{r}\mathbf{a}\mathbf{p}\mathbf{G}\mathbf{e}\mathbf{n} (q,n)\to (\mathit{A},\mathit{S})$: On input q, n, output a pair ($\mathit{A}\in {\mathbb{Z}}_q^{n\times m},\mathit{S}\in {\mathbb{Z}}^{m\times m}$) such that A is statistically close to a uniform matrix in ${\mathbb{Z}}_q^{n\times m}$and S is a basis for ${\Lambda }_q^{\perp }\left(\mathit{A}\right)$satisfying $\left|\right|\mathit{S}\left|\right|\le O\left(\sqrt{n\mathit{log}q}\right)$and $\left|\right|\tilde{\mathit{S}}\left|\right|$ $\le O\left(\sqrt{n\mathit{log}q}\right)$.
  $\mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{L}\mathbf{e}\mathbf{f}\mathbf{t} (\mathit{A},{\mathit{M}}_1,{\mathit{T}}_{\mathit{A}},\mathit{u},\sigma )\to \mathit{e}$: On input a rank n matrix A in ${\mathbb{Z}}_q^{n\times m}$, a matrix ${\mathit{M}}_1\in {\mathbb{Z}}_q^{n\times m_1}$, a short basis ${\mathit{T}}_{\mathit{A}}$of ${\Lambda }_q^{\perp }\left(\mathit{A}\right) and a vector \mathit{u}\in {\mathbb{Z}}_q^n$, a Gaussian parameter $\sigma >\left|\right|\widetilde{{\mathit{T}}_{\mathit{A}}}\left|\right|\cdot \omega \left(\sqrt{\mathit{log}(m+m_1)}\right)$, output a vector $e\in {\mathbb{Z}}^{m+m_1}$sampled from a distribution statistically close to ${\mathcal{D}}_{{\Lambda }_q^{\mathit{u}}\left( \left[\mathit{A}\right|{\mathit{M}}_1]\right),\sigma }$.
  $\mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t} (\mathit{A},\mathit{G},\mathit{R},{\mathit{T}}_{\mathit{G}},\mathit{u},\sigma )\to \mathit{e}$: On input a rank n matrix A in ${\mathbb{Z}}_q^{n\times m}$, the gadget matrix G and its trapdoor ${\mathit{T}}_{\mathit{G}}, a uniform random matrix \mathit{R}\in {\{-\mathrm{1,1}\}}^{m\times m}$, and a Gaussian parameter $\sigma >\left|\right|\widetilde{{\mathit{T}}_{\mathit{G}}}\left|\right|\cdot \sqrt{m}\cdot \omega \left(\sqrt{\mathit{log}m}\right)$, output a vector $\mathit{e}\in {\mathbb{Z}}^{2m}$sampled from a distribution statistically close to ${\mathcal{D}}_{{\Lambda }_q^{\mathit{u}}\left( \left[\mathit{A}\right|\mathit{A}\mathit{R}+\mathit{G}]\right),\sigma }$.

2.4. Hardness Assumptions

Definition 2.

($\mathit{D}\mathit{e}\mathit{c}\mathit{i}\mathit{s}\mathit{i}\mathit{o}\mathit{n}-{\mathit{L}\mathit{W}\mathit{E}}_{n,q,\chi ,m}$ [23]). Given m independent samples $({\mathit{a}}_i,b_i)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$ where every sample is distributed according to either (1) $b_i=<{\mathit{a}}_i\mathit{s}+e_i>$ with ${ e}_i\leftarrow \chi$ for a uniformly random $\mathit{s}\in {\mathbb{Z}}_q^n$ (fixed for all samples), or uniform distribution, distinguish which is the case with non-negligible advantage.

Definition 3.

(ISIS [24]). The Inhomogeneous Small Integer Solution problem is as follows: given an integer q, a matrix A$\in {\mathbb{Z}}_q^{n\times m}$, a syndrome $\mathit{u}\in {\mathbb{Z}}_q^n$, and a real $\beta$, find an integer vector $\mathit{e}\in {\mathbb{Z}}^m$ such that $\mathit{A}\mathit{e}=\mathit{u} mod q$ and ${\left|\right|\mathit{e}\left|\right|}_2\le \beta$.

Definition 4. (Preimage Sampleable Function).

The function $f_A\left(x\right)=\mathit{A}\mathit{x} mod q$maps inputs from the domain $D_n=\{\mathit{e}\in {\mathbb{Z}}^m:{\left|\right|\mathit{e}\left|\right|}_2\le \delta \sqrt{m}\}$to the range$R^n={\mathbb{Z}}_q^n$. For any $\mathit{x}\in D_n$, the probability that $f_{\mathit{A}}\left(x\right)$output a particular value in $R^n$is the same as any other value in $R^n$.

2.5. Complete Subtree

The PQS-LRIBE scheme adopts the complete subtree method from Reference [3] to reduce the periodic workload of KGC. During the setup phase, KGC constructs a binary tree BT, where user identities are assigned and stored at leaf nodes. A user’s secret key is composed of the keys at each node along the path from the root to that leaf. During the key update phase, KGC uses the algorithm KUNodes to compute the minimal node set $\mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\left({\mathrm{R}\mathrm{L}}_t\right)$ covering all non-revoked users. It then generates key updates only for nodes within this set. Non-revoked users derive new decryption keys for the current time period based on valid nodes along their path, while revoked users lose decryption capability due to the absence of a valid key update. Let RL denote the revocation list. Let $\mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left(v\right)$ denote the set of all nodes on the path from the leaf node $v$ to the root node (including both the leaf and the root). Let $\rho$ be a node in the BT, and let${\rho }_l$ and ${\rho }_r$ represent its left and right child nodes, respectively.

$$\begin{array}{l}\mathbf{K}\mathbf{U}\mathbf{N}\mathbf{o}\mathbf{d}\mathbf{e}\mathbf{s}(\mathrm{B}\mathrm{T},{\mathrm{R}\mathrm{L}}_t)\\ \mathrm{X},\mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)\leftarrow \varnothing \\ \forall v_i\in \mathrm{R}\mathrm{L}\\ add \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left(v_i\right)to \mathrm{X}\\ \forall \rho \in \mathrm{X}\\ if {\rho }_l\notin \mathrm{X} then add {\rho }_l to \mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)\\ if {\rho }_r\notin \mathrm{X} then add {\rho }_r to \mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)\\ If \mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)=\varnothing then add root to \mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)\\ Return \mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)\end{array}$$

3. Formal Definitions for RIBE with DKER

3.1. Scheme Model for RIBE with DKER

An RIBE scheme consists of the six algorithms (Setup, GenSK, KeyUp, Enc, GenDK, Dec). The syntactic definition of the RIBE does not include an explicit revocation algorithm; the revocation is performed simply by adding the user’s identity to the revocation list RL.

• $\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}(1^{\lambda },N)\to$(PP, MSK): Executed by KGC, this algorithm takes a security parameter $\lambda$ and the maximum number of users N in the system as input, generating the system public parameters PP and the system master secret key MSK as output.

• $\mathrm{G}\mathrm{e}\mathrm{n}\mathrm{S}\mathrm{K}(\mathrm{P}\mathrm{P},\mathrm{M}\mathrm{S}\mathrm{K},\mathrm{I}\mathrm{D})\to {\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}$: Executed by the KGC, this algorithm takes the system public parameters PP, the master secret key MSK, and a user’s identity ID as input, generating a secret key ${\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}$ as the output.

• $\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{U}\mathrm{p}\left(\mathrm{P}\mathrm{P},\mathrm{M}\mathrm{S}\mathrm{K},{\mathrm{R}\mathrm{L}}_t\right)\to {\mathrm{K}\mathrm{U}}_t$: Executed by KGC, this algorithm takes the system public parameters PP, the master secret key MSK, and the revocation list RL as input, generating the key update ${\mathrm{K}\mathrm{U}}_t$ for time period t as output.

• Enc$\left(\mathrm{P}\mathrm{P},\mathrm{I}\mathrm{D},t,\mathrm{m}\right)\to {\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}$: Executed by the sender, this algorithm takes the system public parameters PP, a user’s identity ID, a plaintext message m, and a time period t as input, generating a ciphertext ${\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}$ as output.

• $\mathrm{G}\mathrm{e}\mathrm{n}\mathrm{D}\mathrm{K}\left(\mathrm{P}\mathrm{P},{\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}},{\mathrm{K}\mathrm{U}}_t\right)\to {\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}$: Executed by the receiver, this algorithm takes the system public parameters PP, a secret key ${\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}$, and a key update ${\mathrm{K}\mathrm{U}}_t$as input, generating the decryption key ${\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}$ for the receiver with identity in time period t as output.

• $\mathrm{D}\mathrm{e}\mathrm{c}\left({\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t},{\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}\right)\to \mathrm{m}$: Executed by the receiver, this algorithm takes a ciphertext ${\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}$and a decryption key ${\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}$ as input, generating the plaintext message m as output.

Correctness:

For all $\lambda \in \mathbb{N},N\in \mathbb{N},\left(\mathrm{P}\mathrm{P},\mathrm{M}\mathrm{S}\mathrm{K}\right)\leftarrow \mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}\left(\lambda ,N\right),\mathrm{m}\in \mathcal{M},\mathrm{I}\mathrm{D}\in \mathcal{I}\mathcal{D},t\in \mathcal{T}$, and any revocation list RL, the RIBE scheme satisfies correctness if the following probability equation holds:

$$\mathrm{P}\mathrm{r}\left({\mathrm{m}}^{\prime }=\mathrm{m}|\begin{array}{c}{\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}\leftarrow \mathrm{GenSK}\left(\mathrm{P}\mathrm{P},\mathrm{M}\mathrm{S}\mathrm{K},\mathrm{I}\mathrm{D}\right)\\ {\mathrm{K}\mathrm{U}}_t\leftarrow \mathrm{KeyUp}\left(\mathrm{P}\mathrm{P},\mathrm{M}\mathrm{S}\mathrm{K},{\mathrm{R}\mathrm{L}}_t\right)\\ {\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}\leftarrow \mathrm{GenDK}\left(\mathrm{P}\mathrm{P},{\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}},{\mathrm{K}\mathrm{U}}_t\right)\\ {\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}\leftarrow \mathrm{Enc}\left(\mathrm{P}\mathrm{P},\mathrm{I}\mathrm{D},t,\mathrm{m}\right)\\ {\mathrm{m}}^{\prime }\leftarrow \mathrm{Dec}\left({\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t},{\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}\right)\end{array}\right)=1-\mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}(\lambda )$$

3.2. Security Model for RIBE with DKER

The selective identity security of the RIBE scheme against chosen plaintext attacks is defined through a game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ in Figure 2. Let the current time period be denoted as $t_{cu}$, which is a global variable initialized to 1.

Definition 5.

An RIBE with DKER scheme is selectively secure if the advantage ${Adv}_{\mathcal{A}}^{IND-sID-CPA}\left(\lambda \right)=\left|\mathit{Pr}\left[b=b^{\prime }\right]-{\displaystyle \frac{1}{2}}\right|$is negligible for any PPT adversaries $\mathcal{A}$.

To simplify the reduction, this paper categorizes the adversary $\mathcal{A}$ into two types:

Type I: $\mathcal{A}$ queries the secret key ${\mathrm{S}\mathrm{K}}_{{\mathrm{I}\mathrm{D}}^{\ast }}$ corresponding to the challenge identity ${\mathrm{I}\mathrm{D}}^{\ast }.$

Type II: $\mathcal{A}$ does not query the secret key ${\mathrm{S}\mathrm{K}}_{{\mathrm{I}\mathrm{D}}^{\ast }}$ corresponding to the challenge identity ${\mathrm{I}\mathrm{D}}^{\ast }$.

4. Dual-Key Combination Trapdoor Generation Mechanism

KGC directly distributes a short basis trapdoor to users based on their public key matrix, enabling them to compute re-randomized decryption keys for DKER. This allows users to derive decryption keys for any time period using that trapdoor. However, this approach restricts the scheme to direct revocation, resulting in a ciphertext-to-plaintext ratio of $O\left(r\log \left(N/r\right)\right)$, which significantly increases the computational burden on users and the system’s communication overhead. Therefore, designing a more efficient IBE scheme that supports indirect revocation and DKER to enable lightweight user computation has become a critical research focus.

To overcome the limitations of the aforementioned schemes, this chapter proposes a dual-key combination trapdoor generation mechanism. First, KGC generates and allocates a short basis to each user based on an ISIS instance, which serves as their identity key. Subsequently, a new ISIS instance is constructed by taking the additive inverse of the original target matrix. Building upon this derived instance, KGC generates short bases as time keys for non-revoked users across different time periods. Due to the target matrix in the ISIS instance, users cannot directly compute decryption keys using only their identity keys. Non-revoked users must linearly combine their identity key with the corresponding time key. This combination neutralizes the target matrix in the ISIS instance, yielding the short basis trapdoor associated with the public key matrix, which in turn enables the computation of a re-randomized decryption key. Crucially, since time keys are only valid for non-revoked users, revoked users are unable to compute any valid decryption key, thus achieving controlled key derivation.

As shown in Figure 3, the specific procedural details are as follows:

Firstly, KGC generates an identity key ${\mathit{K}}_{\mathrm{I}\mathrm{D}}$ for each user, satisfying $\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right]{\mathit{K}}_{\mathrm{I}\mathrm{D}}=\mathit{C}$. At this point, the identity key ${\mathit{K}}_{\mathrm{I}\mathrm{D}}$ is no longer a trapdoor for $\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right]$ and cannot be directly used to solve the short vectors of other instances.

Secondly, in each time period, KGC computes time keys ${\mathit{U}}_t$ for non-revoked users satisfying $\left[\mathit{A}|{\mathit{W}}_t\right]{\mathit{U}}_t=-\mathit{C}$, where ${\mathit{W}}_t$ is a matrix representing the time period.

Finally, non-revoked users perform a linear combination of their identity key ${\mathit{K}}_{\mathrm{I}\mathrm{D}}$ and time key ${\mathit{U}}_t.$ This operation corresponds to adding the two key equations, which yields:

$$\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right]{\mathit{K}}_{\mathrm{I}\mathrm{D}}+\left[\mathit{A}|{\mathit{W}}_t\right]{\mathit{U}}_t=0$$

Through simple matrix block operations and vector concatenation, this equation can be rewritten as:

$$\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}{|\mathit{W}}_t\right]\left[{\displaystyle \genfrac{}{}{0pt}{}{{\mathit{K}}_{\mathrm{I}\mathrm{D},1}+{\mathit{U}}_{t,1}}{\begin{array}{c}{\mathit{K}}_{\mathrm{I}\mathrm{D},2}\\ {\mathit{U}}_{t,2}\end{array}}}\right]=0$$

At this step, the non-revoked user obtains a short basis for the lattice ${\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right|{\mathit{B}}_{ID}\left|{\mathit{W}}_t\right)$, the matrix S$=\left[{\displaystyle \genfrac{}{}{0pt}{}{{\mathit{K}}_{\mathrm{I}\mathrm{D},1}+{\mathit{U}}_{t,1}}{\begin{array}{c}{\mathit{K}}_{\mathrm{I}\mathrm{D},2}\\ {\mathit{U}}_{t,2}\end{array}}}\right]$.

The security of the proposed mechanism relies entirely on the computational hardness of the ISIS problem. Specifically, the core of its security hinges on the computational infeasibility of finding a short-norm solution vector s from the publicly available matrix $\left[\mathit{A}\left|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right|{\mathit{W}}_t\right]$ that satisfies the equation $\left[\mathit{A}\left|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right|{\mathit{W}}_t\right]\cdot \mathit{s}=\mathit{c}$.

The compromise of the ISIS problem would lead to a complete loss of confidentiality, as an adversary could derive valid decryption keys directly from public parameters—enabling decryption of any ciphertext for any identity across all time periods without requiring user-specific keys. Ultimately, such a scenario would trigger total system collapse, since the attack targets the cryptographic core rather than individual users, thereby invalidating all security guarantees and rendering the entire encryption scheme practically useless.

Based on the above mechanism, and drawing inspiration from the lattice-based delegation method in [6], we leverage the gadget matrix G to outsource the vector sampling operation during decryption key generation to untrusted servers, which further reduces the computational overhead for users. The scheme is constructed as follows:

• Setup. KGC generates a matrix A and its corresponding trapdoor ${\mathit{T}}_{\mathit{A}}$ using a trapdoor generation algorithm. Matrix A serves as a system’s public parameter, while the trapdoor ${\mathit{T}}_{\mathit{A}}$ serves as the system’s master secret key.

• Secret Key Generation. KGC inputs ${\mathit{T}}_{\mathit{A}}$ into the algorithm SampleLeft and generates a secret key ${\mathit{K}}_{\mathrm{I}\mathrm{D}}$ for each user. This key satisfies the equation $\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right]{\mathit{K}}_{\mathrm{I}\mathrm{D}}=\mathit{G}-\mathit{C}$. Here, C is a public parameter, ${\mathit{B}}_{\mathrm{I}\mathrm{D}}$ is a matrix representing the user identity, and G is the gadget matrix.

• Key Update Generation. In each time period, KGC inputs ${\mathit{T}}_{\mathit{A}}$ into the algorithm SampleLeft. Given the equation $\left[\mathit{A}|{\mathit{W}}_t\right]{\mathit{U}}_t=-\mathit{C}$, it generates and broadcasts key updates for non-revoked users. ${\mathit{W}}_t$ is a matrix representing the time period t.

• Decryption Key Generation. The user possesses the short basis S, which satisfies $\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}{|\mathit{W}}_t\right]\mathit{S}=0$. The receiver needs to generate the decryption key ${\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}$ satisfying $\left[\mathit{A}\right|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\left|{\mathit{W}}_t\right]{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},\mathrm{t}}=\mathit{u}$, where u is a public parameter. The user accomplishes this by outsourcing the sampling of an intermediate vector x satisfying $\mathit{G}\mathit{x}=\mathit{u}$ to an untrusted server. After obtaining x, the user computes ${\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}=\mathit{S}·\mathit{x}.$ This derivation is valid because $\left[\mathit{A}|{\mathit{B}}_{ID}{|\mathit{W}}_t\right]\mathit{S}·\mathit{x}=\mathit{G}·\mathit{x}=\mathit{u}$, which produces a valid short solution to the target equation.

5. Post-Quantum Secure, Lightweight RIBE Scheme with DKER

Parameters. We set the message space as $\mathcal{M}=\left\{\mathrm{0,1}\right\}$, the identity space as $\mathcal{I}\mathcal{D}\subset {\mathbb{Z}}_q^n\backslash \left\{0_n\right\}$, and the time period space as $\mathcal{T}\subset {\mathbb{Z}}_q^n$. Typically, time periods are treated as natural numbers, and a hash function $H:\mathbb{N}\to {\mathbb{Z}}_q^n$ is used to map natural numbers into vector form. For any $B\in \mathbb{N}, {\mathcal{U}}_B$ denotes the uniformly random distribution on $\mathbb{Z}\cap [-B,B]$. Moreover, the selection of our security parameters is constrained by the following requirements: $m>2nlog q, \sigma >\sqrt{m}·\omega \left(\sqrt{m}\right),n=O\left(\lambda \right),{ \chi }_{LWE}={\mathcal{D}}_{\mathbb{Z},\sigma },{\chi }_{big}={\mathcal{U}}_B,B>(m{\sigma }^2+1)2^{\lambda }$.

5.1. Setup

Input a security parameter $\mathsf{\lambda }$ and the maximum number of system users N. Output the system public parameter PP and master secret key MSK.

• Run the trapdoor generation algorithm $\mathbf{T}\mathbf{r}\mathbf{a}\mathbf{p}\mathbf{G}\mathbf{e}\mathbf{n}\left(n,q\right)$to generate a matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ and its corresponding trapdoor ${\mathit{T}}_{\mathit{A}}\in {\mathbb{Z}}^{m\times m}$.
• Select uniformly random matrices B, W$⟵{\mathbb{Z}}_q^{n\times m}$, and select an n-dimensional vector $\mathit{u}⟵{\mathbb{Z}}_{\mathrm{q}}^n$ uniformly at random.
• Create a binary tree BT containing at least N leaf nodes. Mark all leaf nodes as unassigned. For each node $\theta$ in the binary tree, select a uniformly random matrix ${\mathit{C}}_{\theta }⟵{\mathbb{Z}}_q^{n\times m}.$
• Output the system public parameters $\mathrm{P}\mathrm{P}=\left\{\mathit{A},\mathit{B},\mathit{W},\left\{{\mathit{C}}_{\theta }|\theta \in BT\right\},\mathit{u}\right\}$ and the master secret key $\mathrm{M}\mathrm{S}\mathrm{K}=\left\{{\mathit{T}}_{\mathit{A}}\right\}$.

5.2. GenSK

Input the system public parameters PP, the master secret key MSK, and a user identity $\mathrm{I}\mathrm{D}\in {\mathbb{Z}}_q^n$. Output the secret key ${\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}$ corresponding to identity ID.

• Randomly select an unassigned leaf node $\eta$ in the binary tree BT, and store the identity ID in this leaf node. Let ${\eta }_{ID}$denote the leaf node storing identity ID. Let $\mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{ID}\right)$ denote the set of all nodes on the path from the leaf node ${\eta }_{ID}$ to the root node (including both the leaf and the root).
• Let ${\mathit{B}}_{\mathrm{I}\mathrm{D}}=\mathit{B}+\mathrm{H}\left(\mathrm{I}\mathrm{D}\right)\mathit{G}$, where the hash function H is defined in Definition 1, and G is the gadget matrix in Lemma 3.
• For the identity ID and each node $\theta$ in $\mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{ID}\right)$, generate ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }$satisfying the equation $\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right]{\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }=\mathit{G}-{\mathit{C}}_{\theta }$, as follows:
  • Select a uniformly random matrix ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$. Compute ${\mathit{Z}}_{\mathrm{I}\mathrm{D}}=\left[\mathit{A}\right|{\mathit{B}}_{\mathrm{I}\mathrm{D}}]{\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }$.
  • Sample ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{L}\mathbf{e}\mathbf{f}\mathbf{t}\left(\mathit{A},{\mathit{B}}_{\mathrm{I}\mathrm{D}},{\mathit{T}}_{\mathit{A}},\mathit{G}-{\mathit{C}}_{\theta }-{\mathit{Z}}_{\mathrm{I}\mathrm{D}},\sigma \right)$.
  • Split ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }$ into two parts, the first m rows denoted as ${\mathit{K}}_{\mathrm{I}\mathrm{D},1}^{\prime }$, and the last m rows denoted as ${\mathit{K}}_{\mathrm{I}\mathrm{D},2}^{\prime }$. Similarly, split ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}$ into ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta ,1}^{″}$ and ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta ,2}^{″}$. Construct the key update matrix as: ${\mathit{K}}_{\mathrm{I}\mathrm{D},\mathsf{\theta }}={\left[\left({\mathit{K}}_{\mathrm{I}\mathrm{D},1}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},\theta ,1}^{″}\right)|{(\mathit{K}}_{\mathrm{I}\mathrm{D},2}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},\theta ,2}^{″})\right]}^{\mathrm{T}}\in {\mathbb{Z}}_q^{2m\times m}$.
• Output the secret key ${\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}=\left\{\right(\theta ,{\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }\left)\right|\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{ID}\right)\}$.

5.3. KeyUp

Input the system public parameters PP, the master secret key MSK, the revocation list ${RL}_t$ for time period t, and the binary tree BT. Output the key update ${KU}_t$.

• Run the KUNode algorithm, inputting the binary tree BT and the revocation list ${RL}_t$ for time period t. This outputs the node update set $\mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)$ for time period t.
• Compute ${\mathit{W}}_t=\mathit{W}+\mathrm{H}\left(t\right)\mathit{G}$, where the hash function H is defined in Definition 1, and G is the gadget matrix from Lemma 3.
• For each node in the $\mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)$, generate a key update${\mathit{T}}_{\theta ,t}$ satisfying the equation $\left[\mathit{A}|{\mathit{W}}_t\right]{\mathit{T}}_{\theta ,t}={\mathit{C}}_{\theta }$, as follows:
  • Select a uniformly random matrix ${\mathit{T}}_t^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$. Compute ${\mathit{Y}}_t=\left[\mathit{A}|{\mathit{W}}_t\right]{\mathit{T}}_t^{\prime }$.
  • Sample ${\mathit{T}}_{\theta ,t}^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{L}\mathbf{e}\mathbf{f}\mathbf{t}\left(\mathit{A},{\mathit{W}}_t,{\mathit{T}}_{\mathit{A}},{\mathit{C}}_{\theta }-{\mathit{Y}}_t,\sigma \right)$.
  • Split ${\mathit{T}}_t^{\prime }$ into two parts, the first m rows denoted as ${\mathit{T}}_{t,1}^{\prime }$, and the last m rows denoted as ${\mathit{T}}_{t,2}^{\prime }$. Similarly, split ${\mathit{T}}_{\theta ,t}^{″}$ into ${\mathit{T}}_{\theta ,t,1}^{″}$ and ${\mathit{T}}_{\theta ,t,2}^{″}$. Construct the key update matrix as:

    $${\mathit{T}}_{\theta ,t}={\left[\left({\mathit{T}}_{t,1}^{\prime }+{\mathit{T}}_{\theta ,t,1}^{″}\right)\left|\right({\mathit{T}}_{t,2}^{\prime }+{\mathit{T}}_{\theta ,t,2}^{″})\right]}^{\mathrm{T}}\in {\mathbb{Z}}_q^{2m\times m}$$
• Broadcast the key update ${KU}_t=\left\{\right(\theta ,{\mathit{T}}_{\theta ,t}\left)\right|\theta \in \mathrm{N}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{U}\mathrm{P}\left({\mathrm{R}\mathrm{L}}_t\right)\}$.

5.4. Enc

Input the system public parameters PP, a message $\mu ⟵\left\{\mathrm{0,1}\right\}$, an identity $\mathrm{I}\mathrm{D}\in {\mathbb{Z}}_q^n$, and a time period $t\in {\mathbb{Z}}_q^n$. Output ciphertext ${\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}$.

• Select uniformly random matrices R, V$⟵{\{-\mathrm{1,1}\}}^{m\times m}$, and select a uniformly random vector $\mathit{s}\leftarrow {\mathbb{Z}}_q^n$.
• Sample noise $e_0⟵{\chi }_{LWE}$, and sample an m-dimensional noise vector ${\mathit{e}}_1\leftarrow {\chi }_{LWE}^m$.
• Compute: $c_0=\mathit{s}{\mathit{u}}^T+e_0+⌊{\displaystyle \frac{q}{2}}⌋\mu$, ${\mathit{c}}_{\mathrm{I}\mathrm{D},t}=\mathit{s}\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}|{\mathit{W}}_t\right]+{\mathit{e}}_1\left[{\mathit{I}}_m\right|\mathit{R}\left|\mathit{V}\right]$, where ${\mathit{I}}_m$ is an identity matrix.
• Output the ciphertext ${\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}=(c_0,{ \mathit{c}}_{ID,t})$.

5.5. GenDK

Input system public parameters PP, the secret key ${\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}$ corresponding to the identity ID, and the key update ${\mathrm{K}\mathrm{U}}_t$ for time period t. Output the decryption key ${\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}$.

• Compare the binary tree nodes associated with their secret key against the nodes in the key update ${\mathrm{K}\mathrm{U}}_t$for time period t. If a common node exists, denote this node as ${\theta }^{\ast }$ and proceed with the following steps. Otherwise, the algorithm aborts.
• Select ${\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast }}$from their secret key ${\mathrm{S}\mathrm{K}}_{\mathrm{I}\mathrm{D}}$ and ${\mathit{T}}_{{\theta }^{\ast },\mathrm{t}}$ from the key update ${KU}_t$. Generate the decryption key ${\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}$ satisfying the equation $\left[\mathit{A}\left|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right|{\mathit{W}}_{\mathrm{t}}\right]{{\mathit{d}\mathit{k}}_{ID,t}}^T={\mathit{u}}^T$.
  • Select a vector ${\mathit{k}}_t\leftarrow {\chi }_{big}^{3m}$ and compute${{\mathit{h}}_{ID,t}}^T= \left[\mathit{A}\left|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right|{\mathit{W}}_{\mathrm{t}}\right]{{\mathit{k}}_t}^T$.
  • Sample ${{\mathit{k}}_{ID,t}^{\prime }}^T\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{P}\mathbf{r}\mathbf{e}\left(\mathit{G},{\mathit{T}}_{\mathit{G}},\mathit{u}-{\mathit{h}}_{ID,t},\sigma \right)$.
  • Construct the combined matrix S using the secret key component ${\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast }}$ and the key update component ${\mathit{T}}_{{\theta }^{\ast },\mathrm{t}}$: $\mathit{S}={ \left[\left({\mathit{K}}_{ID,1}^{\prime }+{\mathit{K}}_{ID,{\theta }^{\ast },1}^{″}+{\mathit{T}}_{t,1}^{\prime }+{\mathit{T}}_{{\theta }^{\ast },t,1}^{″}\right)\left|{(\mathit{K}}_{ID,2}^{\prime }+{\mathit{K}}_{ID,{\theta }^{\ast },2}^{″})\right|\right({\mathit{T}}_{{\theta }^{\ast },t,2}^{″}+{\mathit{T}}_{t,2}^{\prime }\left)\right]}^T\in {\mathbb{Z}}_q^{3m\times m}$.
  • Compute ${{\mathit{K}}_{ID,{\theta }^{\ast },t}^{″}}^T=\mathit{S}·{\mathit{k}}_{ID,t}^{\prime }$.
  • Split the vector ${\mathit{k}}_t$ into three blocks of m elements each, denoted as ${\mathit{k}}_{t,1}$, ${\mathit{k}}_{t,2}$, and ${\mathit{k}}_{t,3}$. Split the resulting vector ${{\mathit{K}}_{ID,{\theta }^{\ast },t}^{″}}^T$ into three blocks of m elements each, denoted as ${{\mathit{K}}_{ID,{\theta }^{\ast },t,1}^{″}}^T,{{\mathit{K}}_{ID,{\theta }^{\ast },t,2}^{″}}^T$ and ${{\mathit{K}}_{ID,{\theta }^{\ast },t,3}^{″}}^T$. Construct the final decryption key vector:

    $${\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}= \left[\right({\mathit{k}}_{t,1}+{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,1}^{″}}^T)\left|\left({\mathit{k}}_{t,2}+{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,2}^{″}}^T\right)\right|{(\mathit{k}}_{t,3}+{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,3}^{″}}^T)]{\in \mathbb{Z}}_q^{3m}$$
• Output decryption key ${\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}={\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}$.

5.6. Dec

Input the system public parameters PP, the ciphertext ${\mathrm{C}\mathrm{T}}_{\mathrm{I}\mathrm{D},t}$, and the decryption key ${\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}$. Output message $\mu$.

• Compute $c^{\prime }=c_0-{\mathit{c}}_{\mathrm{I}\mathrm{D},t}·{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T$. If $\left|c^{\prime }-⌊{\displaystyle \frac{q}{2}}⌋\right|<⌊{\displaystyle \frac{q}{4}}⌋$ then $\mu =1$; otherwise $\mu =0$.
• Output the message $\mu$.

6. Performance Comparison

6.1. Correctness

Next, we analyze the correctness of the proposed scheme,

$$c^{\prime }=c_0-{\mathit{c}}_{\mathrm{I}\mathrm{D},t}·{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T=⌊{\displaystyle \frac{q}{2}}⌋\mu +e_0-{\mathit{e}}_1\left[{\mathit{I}}_m\right|\mathit{R}\left|\mathit{V}\right]{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T$$

The error term in the decryption process is $e_0-{\mathit{e}}_1\left[{\mathit{I}}_m\right|\mathit{R}\left|\mathit{V}\right]{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T$.

$$e_0-{\mathit{e}}_1 [{\mathit{I}}_m\left|\mathit{R}\right|\mathit{V}]{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T=e_0-{\mathit{e}}_1 [{\mathit{I}}_m|\mathit{R}|\mathit{V}]\left[\begin{array}{c}{\mathit{k}}_{t,1}+\left({\mathit{K}}_{\mathrm{I}\mathrm{D},1}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },1}^{″}+{\mathit{T}}_{t,1}^{\prime }+{\mathit{T}}_{{\theta }^{\ast },t,1}^{″}\right){\mathit{k}}_{\mathrm{I}\mathrm{D},t,1}^{\prime }\\ {\mathit{k}}_{t,2}+\left({\mathit{K}}_{\mathrm{I}\mathrm{D},2}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },2}^{″}\right){\mathit{k}}_{\mathrm{I}\mathrm{D},t,2}^{\prime }\\ {\mathit{k}}_{t,3}+({\mathit{T}}_{{\theta }^{\ast },t,2}^{″}+{\mathit{T}}_{t,2}^{\prime }){\mathit{k}}_{\mathrm{I}\mathrm{D},t,3}^{\prime }\end{array}\right]$$

According to Lemma 1, $\left|\left|\mathit{R}\right|\right|,\left|\right|\mathit{V}\left|\right|\le O\left(\sqrt{m}\right)$.

According to Lemma 3, $\left|\left|{\mathit{k}}_{t,1}\right|\right|,\left|\left|{\mathit{k}}_{t,2}\right|\right|,\left|\left|{\mathit{k}}_{t,3}\right|\right|,\left|\right|{\mathit{k}}_{t,4}\left|\right|\le \sqrt{m}B$.

According to Lemma 3, $\left|\left|\left({\mathit{K}}_{\mathrm{I}\mathrm{D},1}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },1}^{″}+{\mathit{T}}_{t,1}^{\prime }+{\mathit{T}}_{{\theta }^{\ast },t,1}^{″}\right){\mathit{k}}_{\mathrm{I}\mathrm{D},t,1}^{\prime }\right|\right|,\left|\left|\left({\mathit{K}}_{\mathrm{I}\mathrm{D},2}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },2}^{″}\right) {\mathit{k}}_{\mathrm{I}\mathrm{D},t,2}^{\prime }\right|\right|,\left|\left|({\mathit{T}}_{{\theta }^{\ast },t,2}^{″}+{\mathit{T}}_{t,2}^{\prime }) {\mathit{k}}_{\mathrm{I}\mathrm{D},t,3}^{\prime }\right|\right|\le m^{3/2}\sigma$, and similarly for other terms of this matrix.

According to Lemma 3, $\left|\left|e_0\right|\right|\le \sigma ,\left|\right|{\mathit{e}}_1\left|\right|\le \sqrt{m}\sigma$. Therefore, this analysis leads to the following upper bound for the error term:

$$\begin{gathered} \left|\left|e_0-{\mathit{e}}_1\left[{\mathit{I}}_m|\mathit{R}|\mathit{V}\right]{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T\right|\right|\le \left|\left|e_0\right|\right|+\left|\right|{\mathit{e}}_1\left|\right|·\left|\right|\left[{\mathit{I}}_m|\mathit{R}|\mathit{V}\right]{{\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}}^T\left|\right| \\ \le \sigma +\sqrt{m}\sigma \left[m^{3/2}\sigma +3\sqrt{m}B\right]O\left(\sqrt{m}\right) \\ \le O\left(m^{3/2}B\sigma \right)<q/4. \end{gathered}$$

When the parameters in the scheme satisfy the relation $O\left(m^{3/2}B\sigma \right)<q/4$ the scheme can successfully decrypt and recover the plaintext.

6.2. Security Analysis

Theorem 1.

Under the decision-LWE and ISIS hardness assumptions, the proposed PQS-LRIBE-DKER scheme is provably secure in the IND-sID-CPA security model.

Proof. 

The selective identity security is proved through a series of games. The first game in this sequence is indistinguishable from the real IND-sID-CPA. In the final game of the sequence, the adversary’s advantage is zero. Since any probabilistic polynomial-time adversary cannot distinguish any two consecutive games in the sequence, the adversary’s advantage in winning the original IND-sID-CPA game is negligible. In conclusion, under the decision-LWE and ISIS hardness assumptions, the proposed scheme possesses selective identity security.

Game 0: The adversary $\mathcal{A}$ interacts with the challenger $\mathcal{C}$ in the original IND-sID-CPA game as defined by the security model.

Game 1: Building upon Game 0, the challenger $\mathcal{C}$ generates matrices B and W in the following manner during the setup phase. Let ${\mathrm{I}\mathrm{D}}^{\ast }$ and $t^{\ast }$ denote the challenge identity and challenge time period chosen by the adversary $\mathcal{A}$. The challenger $\mathcal{C}$ moves the step of selecting matrices ${\mathit{R}}^{\mathbf{\ast }}$ and ${\mathit{V}}^{\ast }$ forward to the setup phase, sampling uniformly random matrices ${\mathit{R}}^{\mathbf{\ast }},{\mathit{V}}^{\ast }\leftarrow {\{-\mathrm{1,1}\}}^{m\times m}$. Then, compute the following:

$$\mathit{B}=\mathit{A}{\mathit{R}}^{\mathbf{\ast }}-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right)\mathit{G}$$

$$\mathit{W}=\mathit{A}{\mathit{V}}^{\mathbf{\ast }}-\mathrm{H}\left(t^{\ast }\right)\mathit{G}$$

Reduction from Game 0 to Game 1: According to Lemma 1, if a matrix A${\in \mathbb{Z}}_q^{n\times m}$ is selected uniformly at random, and a matrix $\mathit{R}{\in \left\{-\mathrm{1,1}\right\}}^{m\times m}$ is uniformly random, then the distribution of (A, AR) is statistically indistinguishable from the distribution of (A, E), where E is a uniformly random matrix in ${\mathbb{Z}}_q^{n\times m}$. Therefore, in Game 1, the distribution of matrix $\mathit{B}=\mathit{A}{\mathit{R}}^{\mathbf{\ast }}-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right)\mathit{G}$ is statistically indistinguishable from the distribution of E to the adversary $\mathcal{A}$. The same applies to matrix W. Consequently, Game 0 and Game 1 are indistinguishable to the adversary $\mathcal{A}$.

Game 2: Based on Game 1, the challenger $\mathcal{C}$ changes the way of responding to secret key queries.

For a Type I adversary, challenger $\mathcal{C}$ needs to respond to queries for the secret key ${\mathrm{S}\mathrm{K}}_{{\mathrm{I}\mathrm{D}}^{\ast }}$ corresponding to the challenge identity. During the setup phase, set ${\mathit{C}}_{\theta }=\mathit{G}-\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\mathbf{\ast }}\right]{\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }, \theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{\mathrm{I}\mathrm{D}}^{\ast }}\right)$.

• $\mathrm{I}\mathrm{D}={\mathrm{I}\mathrm{D}}^{\ast }$.
  For $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{\mathrm{I}\mathrm{D}}^{\ast }}\right)$, select ${\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }\leftarrow {\chi }_{LWE}^{2m\times m}$ and compute ${\mathit{C}}_{\theta }=\mathit{G}-\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\mathbf{*}}\right]{\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }$.
• $\mathrm{I}\mathrm{D}\ne {\mathrm{I}\mathrm{D}}^{\ast }$.
  For $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{\mathrm{I}\mathrm{D}}^{\ast }}\right)\cap \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{\mathrm{I}\mathrm{D}}\right)$, compute ${\mathit{C}}_{\theta }=\mathit{G}-\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\mathbf{*}}\right]{\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }$.
  • Select ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and compute ${\mathit{Z}}_{\mathrm{I}\mathrm{D}}=\left[\mathit{A}\right|{\mathit{B}}_{\mathrm{I}\mathrm{D}}]{\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }$.
  • Sample ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},\mathit{A}{\mathit{R}}^{\mathbf{*}}+\mathrm{H}\left(\mathrm{I}\mathrm{D}\right)-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right),\mathit{G},{\mathit{T}}_{\mathit{G}},\mathit{G}-{\mathit{C}}_{\theta }-{\mathit{Z}}_{\mathrm{I}\mathrm{D}},\sigma )$.
  For $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{ID}\right)/\mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{ID}^{\ast }}\right)$, select uniformly random matrices ${\mathit{C}}_{\theta }⟵{\mathbb{Z}}_q^{n\times m}$.
  • Select ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and compute ${\mathit{Z}}_{\mathrm{I}\mathrm{D}}=\left[\mathit{A}|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right]{\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }$.
  • Sample ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},\mathit{A}{\mathit{R}}^{\mathbf{\ast }}+\mathrm{H}\left(\mathrm{I}\mathrm{D}\right)-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right),\mathit{G},{\mathit{T}}_{\mathit{G}},\mathit{G}-{\mathit{C}}_{\theta }-{\mathit{Z}}_{\mathrm{I}\mathrm{D}},\sigma )$.

For a Type II adversary, challenger $\mathcal{C}$ responds to secret key queries except challenge identity ${\mathrm{I}\mathrm{D}}^{\ast }$. In the setup phase, select uniformly random matrices${\mathit{C}}_{\theta }⟵{\mathbb{Z}}_q^{n\times m}$.

• ID ≠ ID^∗.
  • Select ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and compute ${\mathit{Z}}_{\mathrm{I}\mathrm{D}}= \left[\mathit{A}\right|{\mathit{B}}_{\mathrm{I}\mathrm{D}}]{\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }$.
  • Sample ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},\mathit{A}{\mathit{R}}^{\mathbf{\ast }}+\mathrm{H}\left(\mathrm{I}\mathrm{D}\right)-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right),\mathit{G},{\mathit{T}}_{\mathit{G}},\mathit{G}-{\mathit{C}}_{\theta }-{\mathit{Z}}_{\mathrm{I}\mathrm{D}},\sigma )$.

Reduction from Game 1 to Game 2: In Game 1, the matrices ${\mathit{C}}_{\theta }\leftarrow {\mathbb{Z}}_q^{n\times m}$ are selected uniformly at random. In Game 2, the matrices ${\mathit{C}}_{\theta }$ are defined as ${\mathit{C}}_{\theta }=\mathit{G}-\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\mathbf{\ast }}\right]{\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta } ,$ where $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{ID}^{\ast }}\right)$. According to the ISIS assumption, the output of the preimage sampleable function is uniformly random. Therefore, the matrices ${\mathit{C}}_{\theta }$ in Game 1 and Game 2 are indistinguishable to the adversary $\mathcal{A}$. Furthermore, in Game 1, the matrices ${\mathit{K}}_{ID,\theta }^{″}$ are generated using the SampleLeft algorithm. In Game 2, the challenger samples the matrices ${\mathit{K}}_{ID,\theta }^{″}$ using the SampleRight algorithm. According to Lemma 3, the statistical distance between the outputs of the SampleLeft and SampleRight algorithms is negligible, and the output of the SampleRight algorithm is computationally indistinguishable from the ${\chi }_{LWE}$. Consequently, Game 1 and Game 2 are also indistinguishable to the adversary $\mathcal{A}$.

Game 3: Building upon Game 2, the challenger $\mathcal{C}$ modifies the method for responding to key update queries.

For a Type I adversary, while the adversary $\mathcal{A}$ is permitted to query the secret key ${\mathrm{S}\mathrm{K}}_{{\mathrm{I}\mathrm{D}}^{\ast }}$ corresponding to the challenge identity, according to the security model definition, the adversary $\mathcal{A}$ is subsequently prohibited from querying the key update corresponding to the challenge time period.

• $t\ne t^{\ast }$.
  • Select ${\mathit{T}}_t^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and set ${\mathit{Y}}_t= \left[\mathit{A}\right|\mathit{A}{\mathit{V}}^{\ast }]{\mathit{T}}_t^{\prime }$.
  • Sample ${\mathit{T}}_{\theta ,t}^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},{\mathit{V}}^{\ast },\mathit{G},{\mathit{T}}_{\mathit{G}},\mathrm{H}\left(t\right)-\mathrm{H}\left(t^{\ast }\right),{\mathit{C}}_{\theta }-{\mathit{Y}}_t,\sigma )$.

For a Type II adversary, the challenger $\mathcal{C}$ must respond to the adversary’s query for the key update ${\mathit{T}}_{\theta ,t^{\ast }}$ corresponding to the challenge time $t^{\ast }$. The matrix ${\mathit{C}}_{\theta }$ is set as ${\mathit{C}}_{\theta }=\left[\mathit{A}|\mathit{A}{\mathit{V}}^{\mathbf{\ast }}\right]{\mathit{T}}_{\theta ,t^{\ast }} , \theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{\mathrm{I}\mathrm{D}}^{\ast }}\right)$.

• $t=t^{\ast }$.
  For $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{\mathrm{I}\mathrm{D}}^{\ast }}\right)$, select ${\mathit{T}}_{\theta ,t^{\ast }}\leftarrow {\chi }_{LWE}^{2m\times m}$ and return ${\mathit{T}}_{\theta ,t^{\ast }}$ to the adversary $\mathcal{A}$.
  For $\theta \notin \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{\mathrm{I}\mathrm{D}}^{\ast }}\right)$,
  • Select ${\mathit{T}}_t^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and set ${\mathit{Y}}_t= \left[\mathit{A}\right|\mathit{A}{\mathit{V}}^{\ast }]{\mathit{T}}_t^{\prime }$.
  • Sample ${\mathit{T}}_{\theta ,t}^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},{\mathit{V}}^{\ast },\mathit{G},{\mathit{T}}_{\mathit{G}},\mathrm{H}\left(t\right)-\mathrm{H}\left(t^{\ast }\right),{\mathit{C}}_{\theta }-{\mathit{Y}}_t,\sigma )$.
• $t\ne t^{\ast }$.
  • Select ${\mathit{T}}_t^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and set ${\mathit{Y}}_t= \left[\mathit{A}\right|\mathit{A}{\mathit{V}}^{\ast }]{\mathit{T}}_t^{\prime }$.
  • Sample ${\mathit{T}}_{\theta ,t}^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},{\mathit{V}}^{\ast },\mathit{G},{\mathit{T}}_{\mathit{G}},\mathrm{H}\left(t\right)-\mathrm{H}\left(t^{\ast }\right),{\mathit{C}}_{\theta }-{\mathit{Y}}_t,\sigma )$.

Reduction from Game 2 to Game 3: The difference between Game 2 and Game 3 lies in the method of generating key updates. In Game 2, the matrix ${\mathit{T}}_{\theta ,t}^{″}$ is generated using the SampleLeft algorithm. In Game 3, the challenger selects the matrix ${\mathit{T}}_{\theta ,t^{\ast }}$ from the ${\chi }_{LWE}^{2m\times m}$ obtaining it by sampling using the SampleRight algorithm. According to Lemma 3, the statistical distance between the outputs of the SampleLeft and SampleRight algorithms is negligible, and the output of the SampleRight algorithm is computationally indistinguishable from the ${\chi }_{LWE}$ distribution. Therefore, Game 2 and Game 3 are also indistinguishable to the adversary $\mathcal{A}$.

Game 4: Building upon Game 3, the challenger $\mathcal{C}$ modifies the method of generating decryption keys.

For a Type I adversary, when ${\mathrm{I}\mathrm{D}\ne \mathrm{I}\mathrm{D}}^{\ast },t=t^{\ast }$, and $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{ID}^{\ast }}\right)$, the challenger cannot simulate the key update ${\mathit{T}}_{\theta ,t^{\ast }}$. Challenger $\mathcal{C}$ responds to decryption key queries for ${\mathit{d}\mathit{k}}_{\mathit{I}\mathit{D},{\mathit{t}}^{\mathbf{\ast }}}$ according to the following steps:

• Select a matrix ${\mathit{T}}_{\theta ,t^{\ast }}\leftarrow {\chi }_{LWE}^{2m\times m}$ and compute $\mathit{K}=\left[\mathit{A}|\mathit{A}{\mathit{V}}^{\ast }\right]{\mathit{T}}_{\theta ,t^{\ast }}$.
• Solve for the secret key ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }$ satisfying the equation $\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\mathbf{\ast }}+(\mathit{H}\left(\mathit{I}\mathit{D}\right)-\mathit{H}\left({\mathit{I}\mathit{D}}^{\mathbf{\ast }}\right))\right]{\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }=\mathit{G}-\mathit{K}$.
  • Select a matrix ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$and compute ${\mathit{Z}}_{\mathrm{I}\mathrm{D}}=\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\ast }+(\mathrm{H}\left(\mathrm{I}\mathrm{D}\right)-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right))\mathit{G}\right]{\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }$.
  • Sample ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},\mathit{A}{\mathit{R}}^{\ast },\mathit{G},{\mathit{T}}_{\mathit{G}},\mathrm{H}\left(\mathrm{I}\mathrm{D}\right)-\mathrm{H}\left({\mathrm{I}\mathrm{D}}^{\ast }\right),\mathit{G}-{\mathit{Z}}_{\mathrm{I}\mathrm{D}}-\mathit{K},\sigma )$.
• Compute ${\mathit{d}\mathit{k}}_{\mathbf{I}\mathbf{D},{\mathit{t}}^{\mathbf{*}}}$ using ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }$ and ${\mathit{T}}_{\theta ,t^{\ast }}$.
  • Select a vector ${\mathit{k}}_t\leftarrow {\chi }_{big}^{3m}$ and set ${{\mathit{h}}_{\mathrm{I}\mathrm{D},t}}^T= \left[\mathit{A}\left|{\mathit{B}}_{\mathrm{I}\mathrm{D}}\right|{\mathit{W}}_{\mathrm{t}}\right]{{\mathit{k}}_t}^T$.
  • Sample ${{\mathit{k}}_{\mathrm{I}\mathrm{D},t}^{\prime }}^T\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{P}\mathbf{r}\mathbf{e}\left(\mathit{G},{\mathit{T}}_{\mathit{G}},\mathit{u}-{\mathit{h}}_{\mathrm{I}\mathrm{D},t},\sigma \right)$.
  • Compute $\mathit{S}={ \left[\left({\mathit{K}}_{\mathrm{I}\mathrm{D},1}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },1}^{″}+{\mathit{T}}_{t,1}^{\prime }+{\mathit{T}}_{{\theta }^{\ast },t,1}^{″}\right)\left|{(\mathit{K}}_{\mathrm{I}\mathrm{D},2}^{\prime }+{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },2}^{″})\right|\right({\mathit{T}}_{{\theta }^{\ast },t,2}^{″}+{\mathit{T}}_{t,2}^{\prime }\left)\right]}^T\in {\mathbb{Z}}_q^{3m\times m}$ using${\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast }} \mathrm{a}\mathrm{n}\mathrm{d} {\mathit{T}}_{{\theta }^{\ast },\mathrm{t}}$.
  • Compute ${{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t}^{″}}^T=\mathit{S}·{\mathit{k}}_{\mathrm{I}\mathrm{D},t}^{\prime }$.
  • Perform row blocking on the vector ${\mathit{k}}_t$, dividing it into three blocks of m rows each, denoted as ${\mathit{k}}_{t,1}$, ${\mathit{k}}_{t,2}$, and ${\mathit{k}}_{t,3}$. Perform row blocking on the ${{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t}^{″}}^T$, dividing it into three blocks of m rows each, denoted as ${{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,1}^{″}}^T,{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,2}^{″}}^T$, and ${{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,3}^{″}}^T$. Construct the final decryption key vector by adding the corresponding blocks:

    $${\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}= \left[\right({\mathit{k}}_{t,1}+{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,1}^{″}}^T)\left|\left({\mathit{k}}_{t,2}+{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,2}^{″}}^T\right)\right|{(\mathit{k}}_{t,3}+{{\mathit{K}}_{\mathrm{I}\mathrm{D},{\theta }^{\ast },t,3}^{″}}^T)]{\in \mathbb{Z}}_q^{3m}$$
• Output decryption key ${\mathrm{D}\mathrm{K}}_{\mathrm{I}\mathrm{D},t}={\mathit{d}\mathit{k}}_{\mathrm{I}\mathrm{D},t}$.

For a Type II adversary, when ${\mathrm{I}\mathrm{D}=\mathrm{I}\mathrm{D}}^{\ast },t\ne t^{\ast }$, and $\theta \in \mathrm{P}\mathrm{a}\mathrm{t}\mathrm{h}\left({\eta }_{{ID}^{\ast }}\right)$, the challenger cannot simulate the secret key ${\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }$. The challenger responds to decryption key queries for ${\mathit{d}\mathit{k}}_{{\mathrm{I}\mathrm{D}}^{\ast }, t}$ according to the following steps:

• Select a matrix ${\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }\leftarrow {\chi }_{LWE}^{2m\times m}$ and let $\mathit{K}=\left[\mathit{A}|\mathit{A}{\mathit{R}}^{\ast }\right]{\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }$.
• Next, solve for the key update ${\mathit{T}}_{\theta ,t}$ satisfying the equation $\left[\mathit{A}|\mathit{A}{\mathit{V}}^{\mathbf{\ast }}+(\mathit{H}\left(\mathit{t}\right)-\mathit{H}\left({\mathit{t}}^{\mathbf{\ast }}\right))\mathit{G}\right]{\mathit{T}}_{\theta ,t}=\mathit{G}-\mathit{K}$.
  • Select a matrix ${\mathit{T}}_t^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$and compute ${\mathit{Y}}_t=\left[\mathit{A}|\mathit{A}{\mathit{V}}^{\ast }+(\mathrm{H}\left(t\right)-\mathrm{H}\left(t^{\ast }\right))\mathit{G}\right]{\mathit{T}}_t^{\prime }$.
  • Sample ${\mathit{T}}_{\theta ,t}^{″}\leftarrow \mathbf{S}\mathbf{a}\mathbf{m}\mathbf{p}\mathbf{l}\mathbf{e}\mathbf{R}\mathbf{i}\mathbf{g}\mathbf{h}\mathbf{t}(\mathit{A},{\mathit{V}}^{\ast },\mathit{G},{\mathit{T}}_{\mathit{G}},\mathrm{H}\left(t\right)-\mathrm{H}\left(t^{\ast }\right),\mathit{G}-{\mathit{Y}}_t-\mathit{K},\sigma )$.
• Compute the decryption key using ${\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }$ and ${\mathit{T}}_{\theta ,t}$. The remaining steps are the same as in the scheme.

Reduction from Game 3 to Game 4: The difference between Game 4 and Game 3 exists in the method of generating decryption keys. In Game 3, the key update consists of a matrix ${\mathit{T}}_t^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and a matrix ${\mathit{T}}_{\theta ,t}^{″}$sampled via the SampleRight algorithm; the secret key consists of a matrix ${\mathit{K}}_{\mathrm{I}\mathrm{D}}^{\prime }\leftarrow {\chi }_{LWE}^{2m\times m}$ and a matrix ${\mathit{K}}_{\mathrm{I}\mathrm{D},\theta }^{″}$. In Game 4, the key update is ${\mathit{T}}_{\theta ,t^{\ast }}\leftarrow {\chi }_{LWE}^{2m\times m}$ and the secret key is ${\mathit{K}}_{{\mathrm{I}\mathrm{D}}^{\ast },\theta }\leftarrow {\chi }_{LWE}^{2m\times m}$. For the adversary $\mathcal{A}$, the ${\chi }_{LWE}$ distribution is computationally indistinguishable from the output of the SampleRight algorithm. In the end, the decryption keys derived from the secret key and key update are indistinguishable for the adversary $\mathcal{A}$. Game 3 and Game 4 are also indistinguishable to the adversary $\mathcal{A}$.

Game 5: Building upon Game 4, the challenger $\mathcal{C}$ modifies the generation methods for matrices A, B, and W. In Game 4, the challenger $\mathcal{C}$ uses the TrapGen algorithm to generate matrix A and its corresponding trapdoor ${\mathit{T}}_{\mathit{A}}$, while selecting matrices B and W uniformly at random. In Game 5, the challenger selects the uniformly random matrix $\mathit{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and uses the TrapGen algorithm to generate matrices B, W, and their corresponding trapdoors.

Game 6: Building upon Game 5, the challenger $\mathcal{C}$ modifies the method for generating the challenge ciphertext. In Game 6, the challenger $\mathcal{C}$ randomly selects $c_0\leftarrow {\mathbb{Z}}_q$ and ${ \mathit{c}}_{\mathrm{I}\mathrm{D},t}\leftarrow {\mathbb{Z}}_q^{3m}$ as the challenge ciphertext.

Reduction from Game 5 to Game 6: If the adversary $\mathcal{A}$ can distinguish between Game 5 and Game 6, then the simulator $\mathcal{B}$ can leverage the adversary $\mathcal{A}$ to solve the decision-LWE problem.

Assume the adversary $\mathcal{A}$ can distinguish between Game 5 and Game 6 with a non-negligible probability. Then the simulator $\mathcal{B}$ utilizes the adversary $\mathcal{A}$ to solve the decision-LWE problem defined in Definition 2. The reduction process is as follows:

Instance: Given the decision-LWE instance ${\{{\mathit{u}}_i,v_i\}}_{i\in \left[m\right]}\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$ to simulator $\mathcal{B}$. The task for the simulator $\mathcal{B}$ is to distinguish whether the $v_i$ are generated by ${\mathit{v}}_i={\mathit{u}}_i{\mathit{s}}^T+{\mathit{e}}_i\left({\mathit{e}}_i\leftarrow {\chi }_{LWE}\right)$ or are chosen from a uniformly random distribution.

Init: The adversary $\mathcal{A}$ sends the challenge identity ${\mathrm{I}\mathrm{D}}^{\ast }$ and challenge time period ${\mathrm{t}}^{\ast }$ to the simulator BB.

Setup: In the setup phase, the simulator $\mathcal{B}$ constructs the matrix $\mathit{A}=\left({\mathit{u}}_1^T|\dots |{\mathit{u}}_m^T\right){\in \mathbb{Z}}_q^{n\times m}$ and sets $\mathit{u}={\mathit{u}}_0$.

Query Phase: The adversary $\mathcal{A}$ makes secret key queries, key update queries, decryption key queries, and revocation queries. The simulator $\mathcal{B}$ responds to these queries according to the method used in Game 5.

Challenge Phase: The adversary $\mathcal{A}$ sends the plaintext messages $(m_0,m_1)$ to the simulator $\mathcal{B}$.

The simulator $\mathcal{B}$ generates the challenge ciphertext:

• Let $\mathit{v}=\left({\mathit{v}}_1\right|\dots \left|{\mathit{v}}_m\right)$.
• Compute $c^{\ast }=v_0+⌊{\displaystyle \frac{q}{2}}⌋m_b,{\mathit{c}}_{\mathrm{I}\mathrm{D},t}^{\ast }=\mathit{v}[{\mathit{I}}_m|{\mathit{R}}^{\ast }|{\mathit{V}}^{\mathbf{*}}]$. Send the challenge ciphertext ${ct}^{\ast }=(c^{\ast },{\mathit{c}}_{\mathrm{I}\mathrm{D},t}^{\ast })$ to the adversary $\mathcal{A}$.

Guess Phase: After receiving the challenge ciphertext, the adversary $\mathcal{A}$ makes a guess and returns b’. The simulator $\mathcal{B}$ uses the adversary’s guess $b^{\prime }$ as the answer to the decision-LWE problem.

Analysis:

• When $v_i={\mathit{u}}_i{\mathit{s}}^T+{\mathit{e}}_i$, the challenge ciphertext is:

  $$c_0=v_0+⌊{\displaystyle \frac{q}{2}}⌋m_b=\mathit{u}{\mathit{s}}^T+e_0+⌊{\displaystyle \frac{q}{2}}⌋m_b$$

  $${ \mathit{c}}_{\mathrm{I}\mathrm{D},t}=\mathit{v}\left[{\mathit{I}}_m|{\mathit{R}}^{\mathbf{\ast }}|{\mathit{V}}^{\ast }\right]=\left(\mathit{s}\mathit{A}+\mathit{e}\right)\left[{\mathit{I}}_m|{\mathit{R}}^{\mathbf{\ast }}|{\mathit{V}}^{\mathbf{\ast }}\right]=\mathit{s}\left[\mathit{A}|{\mathit{B}}_{{\mathrm{I}\mathrm{D}}^{\ast }}|{\mathit{W}}_{t^{\ast }}\right]+\mathit{e}\left[{\mathit{I}}_m|{\mathit{R}}^{\mathbf{\ast }}|{\mathit{V}}^{\ast }\right]$$

Therefore, when $v_i={\mathit{u}}_i{\mathit{s}}^T+{\mathit{e}}_i$, the distribution of the challenge ciphertext is identical to that in Game 5.

• When the ${(\mathit{u}}_i,v_i)$ are uniformly random elements, the distribution of the challenge ciphertext is identical to that in Game 6.

Consequently, the advantage of the simulator $\mathcal{B}$ for the decision-LWE problem equals the distinguishing advantage of the adversary $\mathcal{A}$ between Game 5 and Game 6. Given that the simulator’s advantage is negligible, the adversary $\mathcal{A}’\mathrm{s}$ advantage must likewise be negligible. □

6.3. Comparison of Complexity

Table 1. Comparison of Performance.

Scheme	Revocation Model	Post-Quantum Secure	Periodic Workload of KGC	Computational Cost of User
Scalable RIBE with DKER [5]	Indirect	F	$O\left(r\log (N/r)\right)$	$O\left(1\right)$
Efficient RIBE with DKER [25]	Indirect	F	$O\left(r\log (N/r)\right)$	$O\left(1\right)$
LB-RIBE with B-DKER [15]	Indirect	T	$O\left(r\log (N/r)\right)$	$O\left(1\right)$
LB-RHIBE with DKER [16]	Indirect	T	$O\left(r\log (N/r)\right)$	$O\left(1\right)$
LB-RIBE with En-DKER [6]	Direct	T	$\approx$0	$\approx O\left(r\log \left(N/r\right)\right)+0$
LB-SA-RIBE [26]	Server-aided	T	$O\left(r\log (N/r)\right)$	$O\left(1\right)$
OO-IRIBE-EnDKER [17]	Direct	T	0	$\approx O\left(N-r\right)+0$
PQS-LRIBE-DKER	Indirect	T	$O\left(r\log (N/r)\right)$	$\approx O\left(1\right)+0$

presents a comparison of the proposed PQS-LRIBE-DKER scheme with other RIBE schemes with DKER across multiple key performance metrics. Specifically, KGC periodic workload refers to the computational effort required for KGC to execute undo operations within each time period; the user computational overhead includes the computational cost required to generate ciphertext during the encryption process.

In terms of security, both the Scalable RIBE with DKER scheme [5] and the Efficient RIBE with DKER scheme [25] are constructed based on traditional mathematical hard problems and cannot resist attacks from quantum computers. The LB-RIBE with B-DKER scheme [15] has an upper limit on the number of decryption key leaks, making it a bounded decryption key exposure resistance scheme.

For the LB-RHIBE with DKER scheme [16], users sample short vectors when generating decryption keys. Compared to the aforementioned schemes, the proposed PQS-LRIBE-DKER scheme enables the sampling process during decryption key generation to be outsourced to an untrusted third party, only needing to perform some simple matrix multiplication operations locally. In the LB-RIBE with En-DKER scheme [6], the sender needs to generate $O\left(r\log (N/r)\right)$ ciphertexts for a single plaintext message, while in the OO-IRIBE-EnDKER scheme [17], the number of ciphertexts is $O(N-r)$. The revocation in the LB-SA-RIBE scheme [26] requires a semi-trusted third-party server.

Table 2. Comparison of Key Length and Ciphertext Length.

Scheme	Secret Key Length	Key Update Length	Decryption Key Length	Ciphertext Length
LB-RIBE with B-DKER [15]	2m	2m	4m	3m + 1
LB-RHIBE with DKER [16]	3m	3m	6m	3m + 1
LB-RIBE with En-DKER [6]	$3m^2$	0	4m	$O\left(r\log \left(N/r\right)\right)·4m+1$
OO-IRIBE-EnDKER [17]	$6m^2$	0	4m	$O\left(N-r\right)·m$+ 3m + 1
PQS-LRIBE-DKER	$2m^2$	$2m^2$	3m	3m + 1

presents a comparison between the PQS-LRIBE-DKER scheme and other lattice-based RIBE with DKER schemes, focusing on secret key length, key update length, decryption key length, and ciphertext length. Here, ciphertext length refers to the total length of the ciphertext generated by encrypting a single bit, while the parameters n and m denote the number of rows and columns of the matrix, respectively.

As shown in Table 2, the LB-RIBE with B-DKER scheme [15] achieves shorter key and ciphertext lengths, albeit with weaker security. The proposed PQS-LRIBE-DKER scheme offers multiple advantages: it employs a shorter decryption key than the LB-RHIBE with DKER scheme [16]; meanwhile, it also generates a shorter ciphertext length when encrypting a single bit compared to both the LB-RIBE with En-DKER scheme [6] and the OO-IRIBE-EnDKER scheme [17].

Table 3. Workload of Users.

Scheme	Decryption Key Generation	Ciphertext Generation
LB-RIBE with B-DKER [15]	$O\left(1\right)$	$O\left(1\right)$
LB-RHIBE with DKER [16]	$O\left(1\right)$	$O\left(1\right)$
LB-RIBE with En-DKER [6]	0	$O\left(r\log \left(N/r\right)\right)$
OO-IRIBE-EnDKER [17]	0	$O\left(N-r\right)$
PQS-LRIBE-DKER	0	$O\left(1\right)$

compares the theoretical workload of users in our scheme with prior schemes across two dimensions: decryption key generation and ciphertext generation.

During the decryption key generation phase, users must execute the preimage sampling algorithm, which is the most computationally intensive and time-consuming operation in lattice-based cryptography, with a typical complexity of $O\left(mnlogq\right)$. Therefore, we use the number of invocations of the preimage sampling algorithm to measure the user’s workload for generating decryption keys. As shown in Table 3, both the LB-RIBE with B-DKER scheme [15] and the LB-RHIBE with DKER scheme [16] require users to perform preimage sampling once per time period to generate decryption keys. In contrast, the LB-RIBE with En-DKER scheme [6], OO-IRIBE-EnDKER scheme [17], and our proposed PQS-LRIBE-DKER scheme allow users to offload the sampling tasks to untrusted third-party servers, thereby completely avoiding this overhead.

In terms of ciphertext generation, the user’s workload is characterized by the number of ciphertexts produced. Table 3 shows that in the LB-RIBE with En-DKER scheme [6], encrypting a single plaintext message requires generating $O\left(r\log \left(N/r\right)\right)$ ciphertexts; in the OO-IRIBE-EnDKER scheme [17], the number of ciphertexts is $O\left(N-r\right)$, whereas our scheme requires only one ciphertext. This single-ciphertext characteristic ensures that the encryption process remains highly efficient, and its performance does not degrade as the system scales. In summary, our scheme imposes the lightest computational burden on users.

7. Conclusions

This paper addresses the excessive computational and communication overhead in existing RIBE schemes with DKER. It proposes a lightweight RIBE scheme with DKER. We design a dual-key combination trapdoor generation mechanism, enabling non-revoked users to controllably derive decryption keys for the current time period by linearly combining identity keys and time keys. Furthermore, based on this dual-key combination trapdoor generation mechanism, the proposed scheme implements indirect revocation. This successfully shifts the periodic computational burden to a more computationally capable KGC, significantly reducing user computational costs and system communication overhead while enhancing overall system efficiency. We compare our scheme with other similar schemes, showing that the computational burden on the user in our scheme is lower than that in others, achieving a lightweight design for the user. A promising direction for future work is to investigate the applicability of this mechanism to more complex access control paradigms, particularly attribute-based encryption.