Quantum Identity-Based Encryption from the Learning with Errors Problem

Abstract

To prevent eavesdropping and tampering, network security protocols take advantage of asymmetric ciphers to establish session-specific shared keys with which further communication is encrypted using symmetric ciphers. Commonly used asymmetric algorithms include public key encryption, key exchange, and identity-based encryption (IBE). However, network security protocols based on classic identity-based encryption schemes do not have perfect forward secrecy. To solve this problem, we construct the first quantum IBE (QIBE) scheme based on the learning with errors (LWE) problem, which is also the first cryptographic scheme that applies the LWE problem to quantum encryption. We prove that our scheme is fully secure under the random oracle model and highlight the following advantages: (1) Network security protocols with our QIBE scheme provide perfect forward secrecy. The ciphertext is transmitted in the form of a quantum state unknown to the adversary and cannot be copied and stored. Thus, in network security protocols based on QIBE construction, the adversary does not have any previous quantum ciphertext to decrypt for obtaining the previous session key, even if the private identity key is threatened. (2) Classic key generation centre (KGC) systems can still be used in the QIBE scheme to generate and distribute private identity keys, reducing the cost when implementing this scheme. The classic KGC systems can be used because the master public and secret keys of our scheme are both in the form of classic bits. Finally, we present quantum circuits to implement this QIBE scheme and analyse its required quantum resources for given numbers of qubits, Hadamard gates, phase gates, T gates, and CNOT (controlled-NOT) gates. One of our main findings is that the quantum resources required by our scheme increase linearly with the number of plaintext bits to be encrypted.

1. Introduction

Identity-based encryption (IBE) is an advanced form of public key encryption, and the notion of IBE was first proposed by Shamir in 1984 [1]. In the IBE scheme, the public key is directly calculated from the receiver’s identity $i{d}_R$, which may be a phone number, email address, or network address, and the corresponding private identity key $s{k}_{i{d}_R}$ is generated by a trusted key generation centre (KGC), which owns the master public key $\mathsf{mpk}$ and the master secret key $\mathsf{msk}$. When the sender wants to send a message m to the receiver, the sender encrypts the message to obtain a ciphertext $ct=\mathsf{Encrypt}(\mathsf{mpk},i{d}_R,m;r)$, where r is a random number. After receiving the ciphertext $ct$, the receiver can decrypt it and obtain the message $m=\mathsf{Decrypt}(s{k}_R,ct)$. Compared with a public key infrastructure (PKI)-based cryptographic system, an identity-based cryptographic system avoids the high cost of storing and managing public key certificates, simplifies the process of public key management, and reduces the pressure on the system. Therefore, identity-based cryptosystems have been widely developed and applied.

The first practical IBE scheme was proposed by Boneh et al. in 2001 [2], and it was followed by numerous other classic IBE schemes. These classic IBE schemes can be divided into three categories: based on elliptic curve bilinear pairings [2,3,4], based on quadratic residue [5,6,7,8], and based on lattices [9,10,11,12,13]. With the development of quantum computers and quantum algorithms, especially the Shor algorithm [14], the security of IBE schemes based on elliptic curve bilinear pairings and quadratic residue has been seriously threatened. As there is currently no quantum algorithm that can solve lattice-based problems, the construction of lattice-based IBE schemes has become a major research area for cryptographers.

One of the main applications of IBE is the construction of network security protocols, such as the Chinese SSL VPN technology specification [15]. In the IBE-based security protocol, the receiver sends its identity $i{d}_R$ and $\mathsf{mpk}$ to the sender, and the sender chooses a $sessionKey$ and sends its ciphertext to the receiver. The receiver decrypts the ciphertext to obtain the $sessionKey$. Subsequently, both the sender and the receiver can own this secret session key $sessionKey$ with which further communication is encrypted using a symmetric cipher. The entire procedure is briefly described in Figure 1. A security protocol is said to provide perfect forward secrecy [16] if the compromise of long-term keys does not compromise past session keys that were established before the compromise of the long-term key. In security protocols based on classic IBE, all session keys and their ciphertexts are in the form of classic bits. A patient attacker can capture the conversations and store the ciphertexts of the session keys, whose confidentiality is protected by a private identity key (which is the long-term key of the network security protocol based on IBEs) and wait until the long-term key is threatened. Once the patient attacker obtains the long-term key, the attacker can decrypt the ciphertexts of all previous session keys. Ultimately, all encrypted communications and sessions recorded in the past can be retrieved. Therefore, the security protocols based on the classic IBE scheme do not have perfect forward secrecy. This naturally leads to the following question:

Can we construct a fully secure IBE scheme with which the network security protocol can provide perfect forward secrecy?

1.1. Our Contributions

To solve this problem, considering that an adversary cannot replicate an unknown quantum state [17], we propose the notion of quantum identity-based encryption (QIBE) and construct the first QIBE scheme based on the learning with errors (LWE) problem. Then, we prove that our scheme is fully secure under the random oracle model. Our scheme possesses the following advantages:

• Network security protocols with our QIBE scheme provide perfect forward secrecy. The ciphertext is transmitted in the form of a quantum state that is unknown to the adversary, who cannot duplicate the ciphertext. Thus, in security protocols based on QIBE construction, even if the private identity key is threatened, the adversary does not possess the previous ciphertexts of session keys to decrypt, and therefore cannot threaten the security of the previous session keys. Therefore, security protocols based on QIBE construction have perfect forward secrecy.
• The classic KGC system can still be used for QIBE schemes to generate and distribute private identity keys, reducing the cost of implementing this scheme. The classic KGC system can be used because the $\mathsf{Setup}$, $\mathsf{KeyGen}$ algorithms of our scheme are classic, and the master public and secret keys of our scheme are both in the form of classic bits.

Finally, we present quantum circuits to implement this QIBE scheme and establish its required quantum resource estimates for given numbers of qubits, Hadamard gates, phase gates, T gates, and CNOT gates. One of our primary findings is that the quantum resources required by our scheme increase linearly with the number of plaintext bits to be encrypted.

1.2. Outline of the Paper

The remainder of this paper is organised as follows: In Section 2, we present the necessary background for the paper, including quantum computation, lattices, and classic IBE. In Section 3, we first present the definition of QIBE; then, we describe the concrete construction of the scheme and analyse its correctness, and finally, prove the security of the scheme and discuss its advantages. In Section 4, we discuss the specific quantum circuit implementation for the QIBE scheme and estimate the quantum resources needed. In Section 5, we summarise our work, discuss the drawbacks of our scheme, and suggest directions for future work.

2. Preliminaries

2.1. Quantum Computation

In this section, we briefly discuss the basic concepts used in this work. Please refer to [18] for a more detailed introduction to quantum computing. “$\overline{(·)}$” is defined as the bit-flip of “$(·)$”, such as $\left|\overline{0}\right.〉=\left|1\right.〉$, $\left|\overline{1}\right.〉=\left|0\right.〉$, and $\left|\overline{101}\right.〉=\left|010\right.〉$. We begin by introducing some quantum gates.

Fundamental gates. The fundamental gate set we use comprises the NOT gate, the CNOT gate, the CNOT variant gate, the Toffoli (two-controlled NOT) gate, and the Fredkin gate. These four gates are shown in Figure 2. One CNOT variant gate can be obtained by a CNOT gate and two NOT gates. The Fredkin gate is also known as a three-qubit controlled swap gate, that is, if the control qubit is in state $|1\rangle$, the two target qubits swap their states; otherwise, they remain in their initial states if the control qubit is in state $|0\rangle$. One Fredkin gate can be constructed from one Toffoli gate and two CNOT gates.

Complex Gates. We use four complex gates (Figure 3): the first gate is the ℓ-controlled-NOT gate, which can be decomposed into $(2\ell -3)$ Toffoli gates, the second gate is the variant of the ℓ-controlled-NOT gate, which can also be decomposed into $(2\ell -3)$ Toffoli gates, the third gate is the ℓ-combination-CNOT gate, which is a combination of ℓ CNOT gates, and the last gate is the ℓ-Fredkin gate, which can be constructed from ℓ Toffoli gates and $2\ell$ CNOT gates.

Quantum Basic Circuits.Figure 4f depicts the controlled copy circuit in which copying the integer d into the quantum register is controlled by $|\mathrm{ctrl}\rangle$. If the controlled bit $|\mathrm{ctrl}\rangle =|0\rangle$, the output of the controlled copy circuit is $\left(\right|\mathrm{ctrl}\rangle ,|0\rangle )$. Otherwise, the output is $\left(\right|\mathrm{ctrl}\rangle ,|d\rangle )$. The output of the controlled copy circuit is $\left(\right|\mathrm{ctrl}\rangle ,|\mathrm{ctrl}·d\rangle )$. We denote the controlled copy circuit by $\mathsf{CCopy}\left(\right|\mathrm{ctrl}\rangle ,d)$ when this algorithm takes a qubit $|\mathrm{ctrl}\rangle$ and an ℓ-bit number d as input. According to the conclusion in [19], copying an integer uses only NOT gates so that a controlled copy circuit only uses CNOT gates. Suppose that d is a uniform integer in $\{0,1,\cdots ,2^{\ell }-1\}$; then, the controlled copy circuit uses approximately $\ell /2$ CNOT gates, where $\ell =\lfloor logd\rfloor +1$.

Quantum Arithmetic Circuits. We introduce some quantum arithmetic circuits, including addition, subtraction, modular addition, modular subtraction, and comparison, and describe the corresponding quantum resources required, including the number of qubits and the number of CNOT gates and Toffoli gates. To simplify the description, we only show the simplified form of these quantum arithmetic circuits.

• Addition and subtraction: Cuccaro et al. [20] proposed a quantum addition circuit. The quantum addition achieves the addition of two registers, that is,

  $$|a,b\rangle \to |a,a+b\rangle .$$

  To prevent overflows caused by the carry, the second register (initially loaded in state $|b\rangle$) should be sufficiently large, i.e., if both a and b are encoded on ℓ qubits, the second register should be of size $\ell +1$. In the addition circuit, the last carry is the most significant bit of the result and is written in the $\ell +1$-th qubit of the second register. As a result of the reversibility of unitary operations, by reversing the addition circuit, i.e., applying each gate of the circuit in the reversed order, the subtraction circuit is obtained. The addition and subtraction circuits are shown in $\left(a\right)$ and $\left(b\right)$ of Figure 4, respectively. In this paper, a circuit with a bar on the left side represents the reversed sequence of elementary gates embedded in the same circuit with the bar on the right side.
  In the subtraction circuit, with the input $\left(\right|a\rangle ,|b\rangle )$, the output produces $\left(\right|a\rangle ,|a-b\rangle )$ when $a\ge b$. When $a<b$, the output is $\left(\right|2^{\ell }-(b-a)\rangle )$, where the size of the second register is $\ell +1$. i.e.,

  $$\left\{\begin{array}{c}|a,b\rangle \to |a,a-b\rangle ,\mathrm{for}a\ge b.\hfill \\ |a,b\rangle \to |a,2^{\ell }-(b-a)\rangle ,\mathrm{for}a<b.\hfill \end{array}\right.$$

  When $a<b$, the significant qubit, that is, the $\ell +1$-th qubit of the second register, which indicates whether an overflow occurred in the subtraction, always contains 1. We denote the addition circuit by $\mathsf{Add}\left(\right|a\rangle ,|b\rangle )$ when this algorithm takes two ℓ-qubit states $|a\rangle$ and $|b\rangle$ as input. Similarly, we denote the subtraction circuit by $\mathsf{Sub}\left(\right|a\rangle ,|b\rangle )$ when this algorithm takes two ℓ-qubit states $|a\rangle$ and $|b\rangle$ as input. To calculate the addition or subtraction of two ℓ-bit inputs, a total of $2\ell +2$ qubits, $2\ell$ Toffoli gates, and $4\ell +1$ CNOT gates are required.
• Addition and subtraction module q: Liu et al. [21] improved Roetteler’s [22] quantum modular addition circuit and reduced the number of quantum gates required. This quantum circuit produces

  $$|a,b\rangle \to |a,(a+b)\mathrm{mod}q\rangle ,$$

  where $0\le a,b<q$. The simplified form of the addition module q circuit is shown in Figure 4c. The modular subtraction can be obtained by reversing the modular addition circuit, and its bar is on the left-hand side. We denote the modular addition circuit by $\mathsf{AddMod}\left(\right|a\rangle ,|b\rangle )$ when this algorithm takes two $\lceil logq\rceil$-qubit states $|a\rangle$ and $|b\rangle$ as input. Similarly, we denote the modular subtraction circuit by $\mathsf{SubMod}\left(\right|a\rangle ,|b\rangle )$ when this algorithm takes two $\lceil logq\rceil$-qubit states $|a\rangle$ and $|b\rangle$ as input. To calculate the addition or subtraction module q of two $\lceil logq\rceil$-bit inputs, a total of $3·\lceil logq\rceil +3$ qubits, $8·\lceil logq\rceil$ Toffoli gates, $13·\lceil logq\rceil +6$ CNOT gates are required.
• Comparison: Markov et al. [23] constructed a quantum comparison circuit by comparing $|a\rangle$ and $|b\rangle$ based on whether the highest bit of $|a-b\rangle$ is $|0\rangle$ or $|1\rangle$. This circuit is obtained by modifying the previous subtraction circuit so that it outputs only the highest bit of $|a-b\rangle$. The comparison circuit achieves the comparison of two registers, that is

  $$\left\{\begin{array}{c}|a,b\rangle |0\rangle \to |a,b\rangle |0\rangle ,\mathrm{for}a\ge b.\hfill \\ |a,b\rangle |0\rangle \to |a,b\rangle |1\rangle ,\mathrm{for}a<b.\hfill \end{array}\right.$$

  The simplified form of the quantum comparison circuit is shown in Figure 4e. We denote the comparison circuit by $\mathsf{Comp}\left(\right|a\rangle ,|b\rangle )$ when this algorithm takes two ℓ-qubit states $|a\rangle$ and $|b\rangle$ as input. To compare two ℓ-bit inputs $|a\rangle$ and $|b\rangle$, a total of $2\ell +2$ qubits, $2\ell$ Toffoli gates, and $4\ell +1$ CNOT gates are required.

2.2. Lattices

Let X and Y be two random variables over some finite set $S_X$, $S_Y$, respectively. The statistical distance $\Delta (X,Y)$ between X and Y is defined as

$$\Delta (X,Y)=\frac{1}{2}\sum _{s\in S_X\cup S_Y}\left|Pr[X=s]-Pr[Y=s]\right|.$$

For integer $q\ge 2$, ${\mathbb{Z}}_q$ denotes the quotient ring of integer modulo q. We use bold capital letters to denote matrices, such as $\mathbf{A},\mathbf{B}$, and bold lowercase letters to denote column vectors, such as $\mathbf{x},\mathbf{y}$. The notation ${\mathbf{A}}^{\top }$ denotes the transpose of the matrix $\mathbf{A}$.

Let $\mathbf{S}$ be a set of vectors, $\mathbf{S}=\{{\mathbf{s}}_1,\cdots ,{\mathbf{s}}_n\}$ in ${\mathbb{R}}^{\tilde{m}}$. We use $\tilde{\mathbf{S}}=\{{\tilde{\mathbf{s}}}_1,\cdots ,{\tilde{\mathbf{s}}}_n\}$ to denote the Gram–Schmidt orthogonalisation of the vectors ${\mathbf{s}}_1,\cdots ,{\mathbf{s}}_n$ in that order and $\parallel \mathbf{S}\parallel$ to denote the length of the longest vector in $\mathbf{S}$. For positive integers $q,n,\tilde{m}$ with q prime, and a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \tilde{m}}$, the $\tilde{m}$-dimensional integer lattices are defined as follows: ${{\Lambda }}_q\left(\mathbf{A}\right)=\{\mathbf{y}:\mathbf{y}={\mathbf{A}}^{\top }\mathbf{s}\mathrm{for}\mathrm{some}\mathbf{s}\in {\mathbb{Z}}^n\}$ and ${{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)=\{\mathbf{y}:\mathbf{A}\mathbf{y}=\mathbf{0}modq\}$. Moreover, for $\mathbf{u}\in {\mathbb{Z}}_q^n$, the set of syndromes is defined as ${{\Lambda }}_q^{\mathbf{u}}\left(\mathbf{A}\right)=\{\mathbf{y}:\mathbf{u}=\mathbf{A}\mathbf{y}modq\}$.

For $\mathbf{x}\in {\Lambda }$, define the Gaussian function ${\rho }_{s,\mathbf{c}}\left(\mathbf{x}\right)$ over ${\Lambda }\subseteq {\mathbb{Z}}^{\tilde{m}}$ centred at $\mathbf{c}\in {\mathbb{R}}^{\tilde{m}}$ with parameter $s>0$ as ${\rho }_{s,\mathbf{c}}\left(\mathbf{x}\right)=exp(-\pi ||\mathbf{x}-\mathbf{c}||/s^2)$. Let ${\rho }_{s,\mathbf{c}}\left({\Lambda }\right)={\sum }_{\mathbf{x}\in {\Lambda }}{\rho }_{s,\mathbf{c}}\left(\mathbf{x}\right)$, and define the discrete Gaussian distribution over ${\Lambda }$ as ${\mathcal{D}}_{{\Lambda },s,\mathbf{c}}\left(\mathbf{x}\right)=\frac{{\rho }_{s,\mathbf{c}}\left(\mathbf{x}\right)}{{\rho }_{s,\mathbf{c}}\left({\Lambda }\right)}$, where $\mathbf{x}\in {\Lambda }$. For simplicity, ${\rho }_{s,\mathbf{0}}$ and ${\mathcal{D}}_{{\Lambda },s,\mathbf{0}}$ are abbreviated as ${\rho }_s$ and ${\mathcal{D}}_{{\Lambda },s}$, respectively.

Lemma 1

(Adopted from [9,24,25]). Let $q,n,\tilde{m}$ be positive integers with $q\ge 2$ and q prime. There exist the following PPT (probabilistic polynomial-time) algorithms:

• $\mathsf{TrapGen}(\tilde{m},n,q):$ a randomised algorithm that, when $\tilde{m}\ge 6n\lceil logq\rceil$, outputs a pair $(\mathbf{A},{\mathbf{T}}_{\mathbf{A}})\in {\mathbb{Z}}_q^{n\times \tilde{m}}\times {\mathbb{Z}}^{\tilde{m}\times \tilde{m}}$ such that $\mathbf{A}$ is $2^{-\mathsf{\Omega }\left(n\right)}—$close to uniform in ${\mathbb{Z}}_q^{n\times \tilde{m}}$ and ${\mathbf{T}}_{\mathbf{A}}$ is a basis of ${{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$, satisfying $\parallel \widetilde{{\mathbf{T}}_{\mathbf{A}}}\parallel \le \mathcal{O}\left(\sqrt{nlogq}\right)$ with overwhelming probability.
• $\mathsf{SampleD}(\mathbf{A},{\mathbf{T}}_{\mathbf{A}},\mathbf{u},\sigma ):$ a randomised algorithm that, given a full rank matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \tilde{m}}$,a basis ${\mathbf{T}}_{\mathbf{A}}$ of ${{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$, a vector $\mathbf{u}\in {\mathbb{Z}}_q^n$ and $\sigma \ge \parallel \widetilde{{\mathbf{T}}_{\mathbf{A}}}\parallel ·\omega \left(\sqrt{log\tilde{m}}\right)$, outputs a vector $\mathbf{r}\in {\mathbb{Z}}_q^{\tilde{m}}$ sampled from a distribution $2^{-\mathsf{\Omega }\left(n\right)}—$close to ${\mathcal{D}}_{{{\Lambda }}_q^{\mathbf{u}}\left(\mathbf{A}\right),\sigma }$.

Discrete Gaussian Lemmas. The following lemmas are used to manipulate and obtain meaningful bounds on discrete Gaussian vectors.

Lemma 2

(Adopted from [9], Lemma 5.2). Let n, $\tilde{m}$, q be positive integers such that $\tilde{m}\ge 2nlogq$ and q is prime. Let σ be any positive real number such that $\sigma \ge \sqrt{n+log\tilde{m}}$. Then, for all but a $2^{-\mathsf{\Omega }\left(n\right)}$ fraction of $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \tilde{m}}$, the distribution of $\mathbf{u}=\mathbf{Ar}modq$ for $\mathbf{r}\leftarrow D_{{\mathbb{Z}}^{\tilde{m}},\sigma }$ is $2^{-\mathsf{\Omega }\left(n\right)}$-close to uniform distribution over ${\mathbb{Z}}_q^n$. Furthermore, for a fixed $\mathbf{u}\in {\mathbb{Z}}_q^n$, the conditional distribution of $\mathbf{r}\leftarrow D_{{\mathbb{Z}}^{\tilde{m}},\sigma }$, given $\mathbf{Ar}=\mathbf{u}modq$ is ${\mathcal{D}}_{{{\Lambda }}_q^{\mathbf{u}}\left(\mathbf{A}\right),\sigma }$.

The Learing with Errors Problem. The security of our construction is based on the LWE problem. The LWE problem is a hard problem based on lattices defined by Regev [26]. It is stated as follows: given an input $(\mathbf{A},\mathbf{d})$, where $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \tilde{m}}$ for any $\tilde{m}=poly\left(n\right)$, integer $q\ge 2$ is prime, and $\mathbf{d}\in {\mathbb{Z}}_q^{\tilde{m}}$ is either of the form $\mathbf{d}=({\mathbf{A}}^{\top }\mathbf{s}+\mathbf{e})\mathrm{mod}q$ for $\mathbf{s}\in {\mathbb{Z}}_q^n$ and $\mathbf{e}\in {\mathcal{D}}_{{\mathbb{Z}}^{\tilde{m}},\sigma }$ or is uniformly random (and independent of $\mathbf{A}$), distinguish which is the case, with non-negligible advantage. Regev proved that the LWE problem is as hard as approximating standard lattice problems in the worst case using a quantum algorithm.

2.3. Classic Identity-Based Encryption

A classic identity-based encryption scheme consists of the following four algorithms:

• $\mathsf{KeyGen}\left(1^{\lambda }\right)\to (\mathsf{mpk},\mathsf{msk})$. The key generation algorithm takes a security parameter $1^{\lambda }$ as input. It outputs a master public key $\mathsf{mpk}$ and a master secret key $\mathsf{msk}$.
• $\mathsf{Extract}(\mathsf{mpk},\mathsf{msk},id)\to s{k}_{id}$. The key extraction algorithm takes a master public key $\mathsf{mpk}$, a master secret key $\mathsf{msk}$, and an identity $id$ as input. It outputs a private identity key $s{k}_{id}$. We assume that $id$ is implicitly included in $s{k}_{id}$.
• $\mathsf{Encrypt}(\mathsf{mpk},id,m;r)\to ct$. The encryption algorithm takes a master public key $\mathsf{mpk}$, an identity $id$, and the message m as input. It outputs a ciphertext $ct$.
• $\mathsf{Decrypt}(s{k}_{id},ct)\to m$. The decryption algorithm takes the master public key $\mathsf{mpk}$, the private identity key $s{k}_{id}$, and the ciphertext $ct$ as input. It outputs the message m. Correctness. For all $(\mathsf{mpk},\mathsf{msk})\stackrel{\$}{\leftarrow }\mathsf{KeyGen}\left(1^{\lambda }\right)$, all identities $id\in ID$, all messages m, and all $c\leftarrow \mathsf{Encrypt}(\mathsf{mpk},id,m;r)$, we have

  $$Pr[\mathsf{Decrypt}(\mathsf{mpk},s{k}_{id},ct)=m]=1-\mathsf{negl}\left(\lambda \right).$$

  Security. The security game is defined by the following experiment, which is played by a challenger and an adversary $\mathcal{A}$:
• The challenger runs $\mathsf{KeyGen}$ to generate $(\mathsf{mpk},\mathsf{msk})$. It gives $\mathsf{mpk}$ to the adversary $\mathcal{A}$.
• The adversary $\mathcal{A}$ adaptively requests keys for any identity $i{d}_i$ of its choice. The challenger responds with the corresponding secret key $s{k}_{i{d}_i}$, which it generates by running $\mathsf{Extract}(\mathsf{mpk},\mathsf{msk},i{d}_i)$.
• The adversary $\mathcal{A}$ submits two messages of equal length, $m_0$ and $m_1$, and a challenge identity $i{d}^{*}$ with the restriction that $i{d}^{*}$ is not equal to any identity requested in the previous phase. The challenger picks $\beta \stackrel{\$}{\leftarrow }\{0,1\}$, encrypts $m_{\beta }$ under $i{d}^{*}$ by running the encryption algorithm, and sends the ciphertext to the adversary $\mathcal{A}$.
• $\mathcal{A}$ continues to issue key queries for any identity $i{d}_i$ as in step (2) with the restriction that $i{d}_i\ne i{d}^{*}$.
• The adversary $\mathcal{A}$ outputs a guess ${\beta }^{\prime }$ for $\beta$.

The advantage ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{IBE}}\left(\lambda \right)$ of an adversary $\mathcal{A}$ is defined as

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{IBE}}\left(\lambda \right)=\left|Pr[{\beta }^{\prime }=\beta ]-1/2\right|.$$

Definition 1.

An IBE scheme is fully secure if for all probabilistic polynomial-time adversaries $\mathcal{A}$, ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{IBE}}\left(\lambda \right)$ is a negligible function in λ.

3. QIBE and Its Construction

3.1. Definition of QIBE

We begin by defining a primitive for identity-based encryption schemes in which some elements may belong to a quantum space.

Definition 2.

We say that an identity-based encryption scheme $\mathsf{IBE}$ is a quantum identity-based encryption (QIBE) scheme if there exists at least one quantum algorithm in its algorithms that include $\mathsf{KeyGen},\mathsf{Extract},\mathsf{Encrypt}$, and $\mathsf{Decrypt}$.

Note that the classification of QIBE can be analogous to that of quantum public key encryption [27] and a quantum symmetric-encryption scheme [28]. Since each algorithm in the QIBE schemes could be either classic or quantum, there exist only fifteen types of QIBE schemes in total.

3.2. Our Construction

Then, we design a QIBE scheme by utilising the proposed classic IBE scheme [9] and prove its security based on the LWE problem.

In our QIBE scheme, $\mathsf{KeyGen}$ and $\mathsf{Extract}$ are classic algorithms while $\mathsf{Encrypt}$ and $\mathsf{Decrypt}$ are quantum algorithms. To make it easier to distinguish between classic IBE and QIBE, we denote our scheme as $\mathsf{QIBE}$, and our QIBE scheme consists of one tuple $(\mathsf{QKeyGen},\mathsf{QExtract},\mathsf{QEncrypt},\mathsf{QDecrypt})$. Let integer parameters $n=\mathcal{O}\left(\lambda \right),\tilde{m}=\mathcal{O}\left(n\right),\sigma =\mathcal{O}\left(n^{0.5}\right),q=\mathcal{O}\left({\tilde{m}}^{3.5}\right)$ as specified in [9], where $\lambda$ is a security parameter.

• $\mathsf{QKeyGen}:$ (1) It runs $\mathsf{TrapGen}(\tilde{m},n,q)$ to obtain a uniformly random $n\times \tilde{m}—$matric $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \tilde{m}}$ and ${\mathbf{T}}_{\mathbf{A}}\in {\mathbb{Z}}_q^{\tilde{m}\times \tilde{m}}$ which is a good basis for ${{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$. (2) Then, it selects a hash function $\mathsf{H}:{\{0,1\}}^n\to {\mathbb{Z}}_q^n$, which maps an identity to a vector. (3) Finally, it outputs $\mathsf{mpk}=(\mathbf{A},q,\tilde{m},n,\mathsf{H})$ and $\mathsf{msk}=\left({\mathbf{T}}_{\mathbf{A}}\right)$. (4) In summary, $\mathsf{QKeyGen}(\lambda ,q,\tilde{m},n)\to (\mathsf{mpk}=(\mathbf{A},q,\tilde{m},n,\mathsf{H}),\mathsf{msk}=\left({\mathbf{T}}_{\mathbf{A}}\right))$.
• $\mathsf{QExtract}$: (1) On input $\mathsf{mpk}$, $\mathsf{msk}$ and an identity $id\in {\{0,1\}}^n$, it computes $\mathbf{u}=\mathsf{H}\left(id\right)$ and generates $s{k}_{id}=\mathbf{r}$ such that $\mathbf{r}=\mathsf{SampleD}(\mathbf{A},{\mathbf{T}}_{\mathbf{A}},\mathbf{u},\sigma )$. It is clear that $\mathbf{u}=\mathbf{A}\mathbf{r}modq$. (2) In summary, $\mathsf{QExtract}(\mathsf{msk},\mathsf{mpk},id)\to s{k}_{id}=\mathbf{r}$.
• $\mathsf{QEncrypt}$: (1) On input of an identity $id$, $\mathsf{mpk}$, and a bit quantum superposition state $|\varphi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|m\rangle$, it first computes $\mathbf{u}=\mathsf{H}\left(id\right)$ and chooses a uniformly random $\mathbf{s}\leftarrow {\mathbb{Z}}_q^n$, $e_0\in {\mathcal{D}}_{\mathbb{Z},\sigma }$ and $\mathbf{e}\in {\mathcal{D}}_{{\mathbb{Z}}^{\tilde{m}},\sigma }$. (2) Then, it sets $x=({\mathbf{u}}^{\top }\mathbf{s}+e_0)\mathrm{mod}q$ and ${\mathbf{c}}_1=({\mathbf{A}}^{\top }\mathbf{s}+\mathbf{e})\mathrm{mod}q$. More procedures are performed as follows:

  ⋆

  Step 1: Taking $|\varphi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|m\rangle$ and $\lfloor \frac{q}{2}\rfloor$ as input, it runs $\mathsf{CCopy}\left(\right|\varphi \rangle ,\lfloor \frac{q}{2}\rfloor )$ and gets

  $$\sum _{m\in \{0,1\}}{\alpha }_m|m\rangle |m·\lfloor \frac{q}{2}\rfloor \rangle .$$

  ⋆

  Step 2: Taking the second register of the above result and x as input, it runs $\mathsf{AddMod}$ and obtains

  $$\sum _{m\in \{0,1\}}{\alpha }_m|m\rangle |(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle .$$

  ⋆

  Step 3: Finally, taking the two registers of the above result as input, it runs the unentanglement quantum circuit (which is described in Section 4, and we denote it by $\mathsf{Unentangle}$) to obtain

  $$|\psi \rangle =\sum _{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle .$$

  (3) In summary, $\mathsf{QEncrypt}(id,|\varphi \rangle )\to (ct=\left(\right|\psi \rangle ,{\mathbf{c}}_1))$.

• $\mathsf{QDecrypt}$: To decrypt a ciphertext $\left(\right|\psi \rangle ,{\mathbf{c}}_1)$ using an identity secret key $s{k}_{id}=\mathbf{r}$, it computes $y={\mathbf{r}}^{\top }{\mathbf{c}}_1\mathrm{mod}q\in {\mathbb{Z}}_q$. Then, more processes are performed as follows:

  ⋆

  Step 1: Taking $|\psi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ and $|y\rangle$ as input, it runs $\mathsf{SubMod}\left(\right|\psi \rangle ,|y\rangle )$ to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x-y)modq\rangle .$$

  ⋆

  Step 2: Taking the above result and $\lfloor \frac{q}{2}\rfloor$ as input, it runs $\mathsf{SubAbs}$ ($\mathsf{SubAbs}$ is a quantum circuit, which takes two ℓ-qubit quantum states $|a\rangle$ and $|b\rangle$ as input and outputs the absolute value of their subtraction, i.e., $\left|\mathsf{Abs}\right(a-b)\rangle$) to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|\mathsf{Abs}((m·\lfloor \frac{q}{2}\rfloor +x-y)modq-\lfloor \frac{q}{2}\rfloor )\rangle .$$

  Please refer to Section 4.1 for more information about $\mathsf{SubAbs}$.

  ⋆

  Step 3: Taking the above result and $\lfloor \frac{q}{4}\rfloor$ as input, it runs $\mathsf{Comp}$ to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|\mathsf{Abs}((m·\lfloor \frac{q}{2}\rfloor +x-y)modq-\lfloor \frac{q}{2}\rfloor )\rangle |m\rangle .$$

  Next, the algorithm $\mathsf{QDecrypt}$ will unentangle the first and second registers of this quantum state.

  ⋆

  Step 4: Taking the first register of the above result and $\lfloor \frac{q}{2}\rfloor$ as input, it runs $\mathsf{InvSubAbs}$ (The $\mathsf{InvSubAbs}$ (which is the inverse of $\mathsf{SubAbs}$) is a quantum circuit which takes in two ℓ-qubit quantum states $\left|\mathsf{Abs}\right(a-b)\rangle$ and $|b\rangle$ as input and outputs one ℓ-qubit quantum state, i.e., $|a\rangle$) to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x-y)modq\rangle |m\rangle .$$

  Please refer to Section 4.1 for more information about the inverse of $\mathsf{SubAbs}$.

  ⋆

  Step 5: Taking the first register of the above result and $|y\rangle$ as input, it runs $\mathsf{AddMod}$ to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle |m\rangle .$$

  ⋆

  Step 6: Taking the second register of the above result and $\lfloor \frac{q}{2}\rfloor$ as the input, it runs $\mathsf{CCopy}$ to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle |m\rangle |m·\lfloor \frac{q}{2}\rfloor \rangle .$$

  ⋆

  Step 7: Taking the first register and the third register of the above result as input, it runs $\mathsf{SubMod}$ to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|xmodq\rangle |m\rangle |m·\lfloor \frac{q}{2}\rfloor \rangle .$$

  Finally, the algorithm $\mathsf{QDecrypt}$ unentangles the second and third registers of the above result.

  ⋆

  Step 8: Taking the third register of the above result and $\lfloor \frac{q}{2}\rfloor$ as input, it performs the inverse of the controlled copy circuit to obtain

  $$\sum _{m\in \{0,1\}}{\alpha }_m|xmodq\rangle |m\rangle |0\rangle .$$

  The quantum state ${\sum }_{m\in \{0,1\}}{\alpha }_m|m\rangle$ is no longer entangled with other registers and the decryption procedure is completed. In summary,

  $$\mathsf{QDecrypt}(id,\mathsf{mpk},\mathbf{r},\left(\right|\psi \rangle ,{\mathbf{c}}_1))\to |\varphi \rangle =\sum _{m\in \{0,1\}}{\alpha }_m|m\rangle .$$

3.3. Correctness

Considering a ciphertext

$$\begin{array}{cc}\hfill & \left(\right|\psi \rangle ,{\mathbf{c}}_1)\hfill \\ \hfill =& \left(\sum _{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle ,({\mathbf{A}}^{\top }\mathbf{s}+\mathbf{e})\mathrm{mod}q\right)\hfill \end{array}$$

of a qubit quantum superposition state $|\varphi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|m\rangle$, it can be observed that $|\psi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|c_0\rangle$, where $c_0=(x+m·\lfloor \frac{q}{2}\rfloor )\mathrm{mod}q={\mathbf{u}}^{\top }\mathbf{s}+e_0+m·\lfloor \frac{q}{2}\rfloor \mathrm{mod}q$. In step 2 of $\mathsf{QDecrypt}$, it is clear that

$$\begin{array}{c}\hfill \begin{array}{cc}& \mathsf{Abs}\left(\left(\left(x+\lfloor \frac{q}{2}\rfloor ·m\right)\mathrm{mod}q-y\right)\mathrm{mod}q-\lfloor \frac{q}{2}\rfloor \right)\hfill \\ \hfill =& \mathsf{Abs}\left(\left(c_0-y\right)\mathrm{mod}q-\lfloor \frac{q}{2}\rfloor \right),\hfill \end{array}\end{array}$$

which is equal to the absolute value of b in the $\mathsf{Decrypt}$ of Theorem A1, i.e., $\mathsf{Abs}\left(b\right)$. Finally, in step 3 of $\mathsf{QDecrypt}$, we compare $\mathsf{Abs}\left(b\right)$ with $\lfloor \frac{q}{4}\rfloor$ and obtain m. According to Theorem A1, the decryption algorithm $\mathsf{Decrypt}$ with the identity secret key $s{k}_{id}={\mathbf{r}}_{id}$ can decrypt the ciphertext $(c_0,{\mathbf{c}}_1)$ correctly with a probability of $1-\mathsf{negl}\left(\lambda \right)$. Therefore, the decryption algorithm $\mathsf{QDecrypt}$ with the identity secret key $s{k}_{id}={\mathbf{r}}_{id}$ can decrypt the ciphertext $ct=\left(\right|\psi \rangle ,{\mathbf{c}}_1)$ correctly with a probability of $1-\mathsf{negl}\left(\lambda \right)$.

3.4. Security Proof

Theorem 1.

The above QIBE scheme is fully secure in the random oracle model under the $\mathrm{LWE}$ assumption, namely, for any classical PPT adversary $\mathcal{A}$ making at most $Q_{\mathsf{H}}$ random oracle queries to $\mathsf{H}$ and $Q_{\mathrm{ID}}$ identity secret key queries, there exists a classical PPT algorithm $\mathcal{B}$ such that

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{QIBE}}\left(\lambda \right)\le Q_{\mathsf{H}}·{\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{LWE}}\left(\lambda \right)+(Q_{\mathsf{H}}+Q_{\mathsf{ID}}+1)·2^{-\mathsf{\Omega }\left(n\right)}.$$

(1)

Proof of Theorem 1.

Without loss of generality, we make some simplifying assumptions about $\mathcal{A}$. First, we assume that whenever $\mathcal{A}$ queries a secret key or asks for a challenge ciphertext, the corresponding $id$ has already been queried to the random oracle $\mathsf{H}$. Second, we assume that $\mathcal{A}$ makes the same query for the same random oracle at most once. Third, we assume that $\mathcal{A}$ does not repeat secret key queries for the same identity more than once. We show the security of the scheme via the following games. In each game, we define $X_i$ as the event that the adversary $\mathcal{A}$ wins in ${\mathbf{Game}}_i$.

${\mathbf{Game}}_{\mathbf{0}}$: This is a real security game. At the beginning, $(\mathbf{A},{\mathbf{T}}_{\mathbf{A}})\leftarrow \mathsf{TrapGen}(1^n,1^m,q)$ is run, and the adversary $\mathcal{A}$ is given $\mathbf{A}$. Then, the challenger samples $\beta \leftarrow \{0,1\}$ and keeps it secret. During the game, $\mathcal{A}$ may make random oracle queries, secret key queries, and the challenge query. These queries are handled as follows:

• Hash queries: When $\mathcal{A}$ makes a random oracle query to $\mathsf{H}$ on $id$, the challenger chooses a random vector ${\mathbf{u}}_{id}\leftarrow {\mathbb{Z}}_q^n$ and locally stores the tuple $(id,{\mathbf{u}}_{id},\perp )$, and returns ${\mathbf{u}}_{id}$ to $\mathcal{A}$.
• Identity secret key queries: When $\mathcal{A}$ queries an identity secret key for $id$, the challenger uses the algorithm $\mathsf{SampleD}$, which takes $\mathbf{A},{\mathbf{T}}_A,\sigma ,{\mathbf{u}}_{id}$ as input to compute ${\mathbf{r}}_{id}$ and returns ${\mathbf{r}}_{id}$ to $\mathcal{A}$.
• Challenge ciphertext: When the adversary $\mathcal{A}$ submits two messages ${\sum }_{m_0\in 0,1}{\alpha }_{m_0}|m_0\rangle$ and ${\sum }_{m_1\in 0,1}{\alpha }_{m_1}|m_1\rangle$ of equal length and a challenge identity $i{d}^{*}$ with the restriction that $i{d}^{*}$ is not equal to any identity requested in the previous phase, the challenger picks $\beta \stackrel{\$}{\leftarrow }\{0,1\}$, and encrypts ${\sum }_{m_{\beta }\in \{0,1\}}{\alpha }_{m_{\beta }}|m_{\beta }\rangle$ under $i{d}^{*}$ by running the encryption algorithm $\mathsf{QEncrypt}$ to get $c{t}^{*}=\left(\right|\psi \rangle ,{\mathbf{c}}_1)$, where $|\psi \rangle ={\sum }_{m_{\beta }\in \{0,1\}}{\alpha }_{m_{\beta }}|(m_{\beta }·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ and ${\mathbf{c}}_1=({\mathbf{A}}^{\top }\mathbf{s}+\mathbf{e})\mathrm{mod}q$ and $x={\mathbf{u}}^{\top }\mathbf{s}+e_0\mathrm{mod}q$. Then, the ciphertext $c{t}^{*}$ is sent to $\mathcal{A}$.

At the end of the game, $\mathcal{A}$ outputs a guess ${\beta }^{\prime }$ for $\beta$. Finally, the challenger outputs $\beta$. By definition, we have

$$|Pr\left[X_0\right]-\frac{1}{2}|=|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}|={\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{QIBE}}\left(\lambda \right).$$

(2)

${\mathbf{Game}}_{\mathbf{1}}$: In this game, we change the way the random oracle queries to $\mathsf{H}$ are answered.

• Hash queries: When $\mathcal{A}$ queries the random oracle $\mathsf{H}$ on $id$, the challenger generates a pair $({\mathbf{u}}_{id},{\mathbf{r}}_{id})$ by first sampling ${\mathbf{r}}_{id}\stackrel{\$}{\leftarrow }{\mathcal{D}}_{{\mathbb{Z}}^{\tilde{m}},\sigma }$ and setting ${\mathbf{u}}_{id}=\mathbf{A}·{\mathbf{r}}_{id}$. Then, it locally stores the tuple $(id,{\mathbf{u}}_{id},\perp )$ and returns ${\mathbf{u}}_{id}$ to $\mathcal{A}$.
• Identity secret key queries: When $\mathcal{A}$ makes an identity secret key query for $id$, the challenger uses the algorithm $\mathsf{SampleD}$, which takes $\mathbf{A},{\mathbf{T}}_A,\sigma ,{\mathbf{u}}_{id}$ as input to compute ${\mathbf{r}}_{id}^{\prime }$ and returns ${\mathbf{r}}_{id}^{\prime }$ to $\mathcal{A}$.
• Challenge ciphertext: The same as that in the ${\mathbf{Game}}_{\mathbf{0}}$.

Note that ${\mathbf{r}}_{id}^{\prime }$ is independent of ${\mathbf{r}}_{id}$, which was generated in the simulation of the random oracle $\mathsf{H}$ on input $id$. Due to Lemma 2, the distribution of ${\mathbf{u}}_{id}$ in ${\mathbf{Game}}_{\mathbf{1}}$ is $2^{-\mathsf{\Omega }\left(n\right)}$-close to that of ${\mathbf{Game}}_{\mathbf{0}}$ except for $2^{-\mathsf{\Omega }\left(n\right)}$ fraction of $\mathbf{A}$ as we choose $\sigma >\sqrt{n+log\tilde{m}}$. Therefore, we have

$$|Pr\left[X_1\right]-Pr\left[X_0\right]|=Q_{\mathsf{H}}·2^{-\mathsf{\Omega }\left(n\right)}.$$

(3)

${\mathbf{Game}}_{\mathbf{2}}$: In this game, we change the way identity secret key queries are answered. By the end of this game, the challenger will no longer require the trapdoor ${\mathbf{T}}_{\mathbf{A}}$ to generate the identity secret keys.

• Hash queries: When $\mathcal{A}$ queries the random oracle on $id$, the challenger generates a pair $({\mathbf{u}}_{id},{\mathbf{r}}_{id})$ as in the previous game. Then, it locally stores the tuple $(id,{\mathbf{u}}_{id},{\mathbf{r}}_{id})$ and returns ${\mathbf{u}}_{id}$ to $\mathcal{A}$.
• Identity secret key queries: When $\mathcal{A}$ queries an identity secret key for $id$, the challenger retrieves the unique tuple $(id,{\mathbf{u}}_{id},{\mathbf{r}}_{id})$ from the local storage and returns ${\mathbf{r}}_{id}$.
• Challenge ciphertext: The same as that in the ${\mathbf{Game}}_{\mathbf{1}}$.

For any fixed ${\mathbf{u}}_{id}$, let ${\mathbf{r}}_{id,1}$ and ${\mathbf{r}}_{id,2}$ be random variables that are distributed according to the distributions of $s{k}_{id}$ conditional on $\mathsf{H}\left(id\right)={\mathbf{u}}_{id}$ in ${\mathbf{Game}}_{\mathbf{1}}$ and ${\mathbf{Game}}_{\mathbf{2}}$, respectively. Owing to Lemma 1, we have $\Delta ({\mathbf{r}}_{id,1},{\mathcal{D}}_{{{\Lambda }}_q^{\mathbf{u}}\left(\mathbf{A}\right),\sigma })\le 2^{-\mathsf{\Omega }\left(n\right)}$. Owing to Lemma 2, we have $\Delta ({\mathbf{r}}_{id,2},{\mathcal{D}}_{{{\Lambda }}_q^{\mathbf{u}}\left(\mathbf{A}\right),\sigma })\le 2^{-\mathsf{\Omega }\left(n\right)}$. Then, we obtain $\Delta ({\mathbf{r}}_{id,1},{\mathbf{r}}_{id,2})\le 2^{-\mathsf{\Omega }\left(n\right)}$. Therefore, we have

$$|Pr\left[X_2\right]-Pr\left[X_1\right]|=Q_{\mathsf{ID}}·2^{-\mathsf{\Omega }\left(n\right)}.$$

(4)

${\mathbf{Game}}_{\mathbf{3}}$: In this game, we change the way the matrix $\mathbf{A}$ is generated. Specifically, the challenger chooses $\mathbf{A}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{n\times \tilde{m}}$ without generating the associated trapdoor ${\mathbf{T}}_{\mathbf{A}}$.

• Hash queries: The same as that in the ${\mathbf{Game}}_{\mathbf{2}}$.
• Identity secret key queries: The same as that in the ${\mathbf{Game}}_{\mathbf{2}}$.
• Challenge ciphertext: The same as that in the ${\mathbf{Game}}_{\mathbf{2}}$.

By Lemma 1, this makes only $2^{-\mathsf{\Omega }\left(n\right)}$-statistical difference. As the challenger can answer all the secret key queries without the trapdoor owing to the change made in the previous game, the view of $\mathcal{A}$ is altered only by $2^{-\mathsf{\Omega }\left(n\right)}$. Therefore, we have

$$|Pr\left[X_3\right]-Pr\left[X_2\right]|=2^{-\mathsf{\Omega }\left(n\right)}.$$

(5)

${\mathbf{Game}}_{\mathbf{4}}$: In this game, we change the way the random oracle queries to $\mathsf{H}$ are answered and the challenge ciphertext is created. The challenger chooses an index $i^{*}\stackrel{\$}{\leftarrow }\left[Q_{\mathsf{H}}\right]$ and a vector $\mathbf{u}\in {\mathbb{Z}}_q^n$ uniformly at random.

• Hash queries: On $\mathcal{A}$’s $j$-th distinct query $i{d}_j$ to $\mathsf{H}$, the challenger does the following: if $j=i^{*}$, then locally stores the tuple $(i{d}_j,\mathbf{u},\perp )$ and returns $\mathbf{u}$ to $\mathcal{A}$. Otherwise, for $j\ne i^{*}$, the challenger selects ${\mathbf{r}}_{i{d}_j}$ and computes ${\mathbf{u}}_{i{d}_j}=\mathbf{A}{\mathbf{r}}_{i{d}_j}$; then, it locally stores the tuple $(i{d}_j,{\mathbf{u}}_{i{d}_j},{\mathbf{r}}_{i{d}_j})$ and returns ${\mathbf{u}}_{i{d}_j}$ to $\mathcal{A}$.
• Identity secret key queries: The same as that in the ${\mathbf{Game}}_{\mathbf{3}}$.
• Challenge ciphertext: When $\mathcal{A}$ produces a challenge identity $i{d}^{*}$ (distinct from all its identity secret key queries) and messages ${\sum }_{m_0\in \{0,1\}}{\alpha }_{m_0}|m_0\rangle$, ${\sum }_{m_1\in \{0,1\}}{\alpha }_{m_1}|m_1\rangle$, assume without loss of generality that $\mathcal{A}$ already queried $\mathsf{H}$ on $i{d}^{*}$. If $i{d}^{*}\ne i{d}_{i^{*}}$, i.e., if the tuple $(i{d}_{i^{*}},\mathbf{u},\perp )$ is not in the local storage, then the challenger ignores the output of $\mathcal{A}$ and aborts the game (we denote this event as $\mathsf{abort}$). Otherwise, i.e., if the $\mathsf{abort}$ does not occur (we denote this event as $\overline{\mathsf{abort}}$), the challenger picks $\beta \stackrel{\$}{\leftarrow }\{0,1\}$ and encrypts ${\sum }_{m_{\beta }\in \{0,1\}}{\alpha }_{m_{\beta }}|m_{\beta }\rangle$ under $i{d}^{*}$ by running the encryption algorithm $\mathsf{QEncrypt}$ to obtain $c{t}^{*}=\left(\right|\psi \rangle ,{\mathbf{c}}_1)$, where $|\psi \rangle ={\sum }_{m_{\beta }\in \{0,1\}}{\alpha }_{m_{\beta }}|(m_{\beta }·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ and ${\mathbf{c}}_1=({\mathbf{A}}^{\top }\mathbf{s}+\mathbf{e})\mathrm{mod}q$, and $x={\mathbf{u}}^{\top }\mathbf{s}+e_0\mathrm{mod}q$. Then, the ciphertext $c{t}^{*}$ is sent to the adversary $\mathcal{A}$.

Conditional on the challenger not aborting, we affirm that the view it provides to $\mathcal{A}$ in ${\mathbf{Game}}_{\mathbf{4}}$ is statistically close to that in ${\mathbf{Game}}_{\mathbf{3}}$. Therefore, we have

$$Pr[X_4\mid \overline{\mathsf{abort}}]=Pr[X_3\mid \overline{\mathsf{abort}}].$$

(6)

By a standard argument, the probability that the challenger does not abort during the simulation is $\frac{1}{Q_{\mathsf{H}}}$ (this is proved by considering a game in which the challenger can answer all identity secret key queries, so that the value of $i^{*}$ is perfectly hidden from $\mathcal{A}$). Therefore, we have

$$Pr\left[\overline{\mathsf{abort}}\right]=\frac{1}{Q_{\mathsf{H}}}.$$

(7)

${\mathbf{Game}}_{\mathbf{5}}$: In this game, we change the way the challenge ciphertext is created.

• Hash queries: The same as that in the ${\mathbf{Game}}_{\mathbf{4}}$.
• Identity secret key queries: The same as that in the ${\mathbf{Game}}_{\mathbf{4}}$.
• Challenge ciphertext: When $\mathcal{A}$ produces a challenge identity $i{d}^{*}$ (distinct from all its identity secret key queries) and messages ${\sum }_{m_0\in \{0,1\}}{\alpha }_{m_0}|m_0\rangle$, ${\sum }_{m_1\in \{0,1\}}{\alpha }_{m_1}|m_1\rangle$, assume without loss of generality that $\mathcal{A}$ already queried $\mathsf{H}$ on $i{d}^{*}$. If $i{d}^{*}\ne i{d}_i$, i.e., if the tuple $(i{d}_i,\mathbf{u},\perp )$ is not in the local storage, then the challenger ignores the output of $\mathcal{A}$ and aborts the game. Otherwise, i.e., if the $\mathsf{abort}$ does not occur, the challenger picks $\beta \stackrel{\$}{\leftarrow }\{0,1\}$ and encrypts ${\sum }_{m_{\beta }\in \{0,1\}}{\alpha }_{m_{\beta }}|m_{\beta }\rangle$ under $i{d}^{*}$ using two random vectors $b^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q,\mathbf{b}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^m$ to obtain $c{t}^{*}=\left(\right|\psi \rangle ,{\mathbf{c}}_1)$, where $|\psi \rangle ={\sum }_{m_{\beta }\in \{0,1\}}{\alpha }_{m_{\beta }}|(m_{\beta }·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ and ${\mathbf{c}}_1=\mathbf{b}$, and $x=b^{\prime }$. Then, the ciphertext $c{t}^{*}$ is sent to the adversary $\mathcal{A}$.

It can be seen that if $\left(\mathbf{A},\mathbf{u},{\mathbf{c}}_1,x\right)$ are valid LWE samples (i.e., ${\mathbf{c}}_1=({\mathbf{A}}^{\top }\mathbf{s}+\mathbf{e})\mathrm{mod}q$ and $x={\mathbf{u}}^{\top }\mathbf{s}+e_0\mathrm{mod}q$), the view of the adversary corresponds to ${\mathbf{Game}}_{\mathbf{4}}$. Otherwise (i.e., ${\mathbf{c}}_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{\tilde{m}},x\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q$), it corresponds to ${\mathbf{Game}}_{\mathbf{5}}$. Therefore, we have

$$\left|Pr[X_5\wedge \overline{\mathsf{abort}}]-Pr[X_4\wedge \overline{\mathsf{abort}}]\right|\le {\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{LWE}}\left(\lambda \right).$$

(8)

Note that ${\mathbf{c}}_1,x$ is statistically close to the uniform distribution over ${\mathbb{Z}}_q^{\tilde{m}}\times {\mathbb{Z}}_q$, so that

$$Pr[X_5\mid \overline{\mathsf{abort}}]=\frac{1}{2}.$$

(9)

According to Equations (6)–(9), we can obtain

$$\left|Pr[X_3\mid \overline{\mathsf{abort}}]-\frac{1}{2}\right|\le Q_{\mathsf{H}}·{\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{LWE}}\left(\lambda \right).$$

Then, because $\overline{\mathsf{abort}}$ is independent of $X_3$, we get

$$\left|Pr\left[X_3\right]-\frac{1}{2}\right|\le Q_{\mathsf{H}}·{\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{LWE}}\left(\lambda \right).$$

(10)

Finally, according to Equations (2)–(5) together with Equation (10), we obtain Equation (1). □

3.5. Advantages of Our QIBE

The proposed QIBE scheme has two main advantages. One is that the network security protocol based on our QIBE scheme has perfect forward secrecy, and the other is that the QIBE scheme can still use the KGC system to generate and distribute private identity keys, thus reducing the cost when this scheme is implemented.

• A fundamental fact in quantum information theory is that unknown or random quantum states cannot be replicated [17]. The probability amplitude and corresponding basis state of ciphertext $|\psi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)\mathrm{mod}q\rangle$ are unknown to the adversary, so the ciphertext $|\psi \rangle$ is an unknown quantum state and cannot be replicated during transmission. When attempting to attack our QIBE-based network security protocol, an attacker cannot copy and store the ciphertext of the session key, which is encrypted by a private identity key (called a long-term key). Thus, the attacker does not have the quantum ciphertext of the previous session key to decrypt, and the security of the previous session key will not be threatened even if the attacker obtains the long-term key. In other words, all encrypted communications and sessions recorded in the past cannot be retrieved. Therefore, the security protocol based on our QIBE has perfect forward secrecy, which cannot be achieved by the security protocol based on classic IBE.
• In our QIBE scheme, the KGC uses the algorithms $\mathsf{QKeyGen}$ and $\mathsf{QExtract}$ to generate the private identity key $s{k}_{id}$ when it takes as input a master public key $\mathsf{mpk}$, a master secret key $\mathsf{msk}$, and an identity $id$. The key observation is that both the input ($\lambda ,q,\tilde{m},n$) and the output ($\mathsf{mpk}=(\mathbf{A},q,\tilde{m},n,\mathsf{H}),\mathsf{msk}=\left({\mathbf{T}}_{\mathbf{A}}\right)$) of $\mathsf{QKeyGen}$ are in the form of classic bits, and so are the input ($\mathsf{msk},\mathsf{mpk},id$) and the output ($s{k}_{id}=\mathbf{r}$) of $\mathsf{QExtract}$. Therefore, the classic KGC system can still be used in our QIBE scheme to generate and distribute private identity keys, reducing the cost when this scheme is implemented.

4. Quantum Circuit Realisation

The realisation of a quantum scheme requires describing the corresponding quantum circuit. To analyse the realisability of our QIBE scheme, we begin by providing details for the quantum circuits of $\mathsf{QEncrypt}$ and $\mathsf{QDecrypt}$, and then, we analyse the complexity of these two quantum circuits.

4.1. Quantum Circuit

Note that the algorithms $\mathsf{QKeyGen}$ and $\mathsf{QExtract}$ of $\mathsf{QIBE}$ are classic, so there is no need to construct quantum circuits for these two algorithms.

The Quantum Circuit of $\mathsf{QEncrypt}$. The main part of $\mathsf{QEncrypt}$ is the unentangled quantum circuit $\mathsf{Unentangle}$. Taking an additional quantum state $\left|\right(\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ as input, $\mathsf{Unentangle}$ can transform ${\sum }_{m\in \{0,1\}}{\alpha }_m|m\rangle |(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ to a non-entangled quantum state $|\psi \rangle ={\sum }_{m\in \{0,1\}}{\alpha }_m|(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$, as shown in Figure 5a. The correctness of $\mathsf{Unentangle}$ can be proven by the following facts.

• On input $\left|\right(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$, $\left|\right(\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ and $|m\rangle$, the initial output where the number 1 is located is $|((m·\lfloor \frac{q}{2}\rfloor +x)modq)\oplus (\lfloor \frac{q}{2}\rfloor +x)modq)\rangle$, $\left|\right(\lfloor \frac{q}{2}\rfloor +x)\mathrm{mod}q\rangle$ and $|m\rangle$. This is because only one $\lceil logq\rceil$-combination-CNOT operation is performed.
• The output where the number 2 is located is $|((m·\lfloor \frac{q}{2}\rfloor +x)modq)\oplus (\lfloor \frac{q}{2}\rfloor +x)modq)\rangle$, $\left|\right(\lfloor \frac{q}{2}\rfloor +x)\mathrm{mod}q\rangle$ and $|0\rangle$. This is because only one $\lceil logq\rceil$-controlled-NOT variant operation is performed, in which the control bits are $|((m·\lfloor \frac{q}{2}\rfloor +x)modq)\oplus (\lfloor \frac{q}{2}\rfloor +x)modq)\rangle$ and the target bit is $|m\rangle$. If $|m\rangle =|1\rangle$, the control bits are $\lceil logq\rceil$-qubit $|0\rangle$, and the target qubit $|m\rangle$ will change to $|0\rangle$. Otherwise, the control bits are not equal to $\lceil logq\rceil$-qubit $|0\rangle$, and the target qubit $|m\rangle$ is $|0\rangle$ all the time.
• The final output where the number 3 is located is $\left|\right(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$, $\left|\right(\lfloor \frac{q}{2}\rfloor +x)modq\rangle$ and $|0\rangle$. Only one $\lceil logq\rceil$-combination-CNOT operation is performed, in which the control bits are $\left|\right(\lfloor \frac{q}{2}\rfloor +x)\mathrm{mod}q\rangle$ and the target bits are $|((m·\lfloor \frac{q}{2}\rfloor +x)modq)\oplus (\lfloor \frac{q}{2}\rfloor +x)modq)\rangle$; therefore, it can obtain $\left|\right(m·\lfloor \frac{q}{2}\rfloor +x)modq\rangle$.

Note that one unentangled quantum circuit is composed of two $\lceil logq\rceil$-combination-CNOT gates and one $\lceil logq\rceil$-controlled-NOT variant gate. Thus, one unentangled quantum circuit is composed of $2·\lceil logq\rceil$ CNOT gates and $2\lceil logq\rceil -3$ Toffoli gates.

Using the unentangled quantum circuit $\mathsf{Unentangle}$, we can provide details for the quantum circuit of $\mathsf{QEncrypt}$, which is depicted in Figure 5b. Note that one $\mathsf{QEncrypt}$ is composed of one controlled copy circuit, one modular addition circuit, and one unentangled quantum circuit. To encrypt one qubit, a total of $4·\lceil logq\rceil +4$ qubits, $10·\lceil logq\rceil -3$ Toffoli gates and $15.5·\lceil logq\rceil +6$ CNOT gates are required.

The Quantum Circuit of $\mathsf{QDecrypt}$. The main part of $\mathsf{QDecrypt}$ is $\mathsf{SubAbs}$ and the inverse of $\mathsf{SubAbs}$. In the $\mathsf{SubAbs}$ circuit, with the input $\left(\right|a\rangle ,|b\rangle ,|0\rangle )$, the output will produce $\left(\right|a\rangle ,\left|\mathsf{Abs}\right(a-b)\rangle ,|0\rangle )$ when $a\ge b$. When $a<b$, the output is $\left(\right|b\rangle ,\left|\mathsf{Abs}\right(a-b)\rangle ,|1\rangle )$.

$$\left\{\begin{array}{c}|a,b,0\rangle \to |a,a-b,0\rangle ,\mathrm{for}a\ge b.\hfill \\ |a,b,0\rangle \to |b,b-a,1\rangle ,\mathrm{for}a<b.\hfill \end{array}\right.$$

On the inverse of the $\mathsf{SubAbs}$ circuit, i.e., $\mathsf{InvSubAbs}$, with the input $\left(\right|a\rangle ,|a-b\rangle ,|0\rangle )$, the output will produce $\left(\right|a\rangle ,|b\rangle ,|0\rangle )$ when $a\ge b$. When $a<b$, the input is $\left(\right|b\rangle ,|b-a\rangle ,|1\rangle )$ and the output is $\left(\right|a\rangle ,|b\rangle ,|0\rangle )$.

$$\left\{\begin{array}{c}|a,a-b,0\rangle \to |a,b,0\rangle ,\mathrm{for}a\ge b.\hfill \\ |b,b-a,1\rangle \to |a,b,0\rangle ,\mathrm{for}a<b.\hfill \end{array}\right.$$

The quantum circuit of $\mathsf{SubAbs}$ is depicted in Figure 6, and the correctness of the quantum circuit $\mathsf{SubAbs}$ can be easily verified. As a result of the reversibility of unitary operations, by reversing the circuit of $\mathsf{SubAbs}$, that is, by applying each gate of the circuit in the reversed order, the quantum circuit of $\mathsf{InvSubAbs}$ can be obtained.

Note that one $\mathsf{SubAbs}$ is composed of one comparison circuit and one subtraction quantum circuit. To compute the absolute value of the subtraction of two ℓ-bit inputs $|a\rangle$ and $|b\rangle$, a total of $2\ell +4$ qubits, $5\ell$ Toffoli gates, and $10\ell +2$ CNOT gates are required. The conclusion is also applicable to the inverse of $\mathsf{SubAbs}$, that is, $\mathsf{InvSubAbs}$.

Using the quantum circuit $\mathsf{SubAbs}$ and its reverse $\mathsf{InvSubAbs}$, we can provide particulars for the quantum circuit of $\mathsf{QDecrypt}$ which is depicted in Figure 7. Note that one $\mathsf{QDecrypt}$ is composed of two subtraction modular circuits, one quantum circuit of $\mathsf{SubAbs}$, one comparison quantum circuit, one quantum circuit of $\mathsf{InvSubAbs}$, one modular addition circuit, and two controlled copy quantum circuits. To decrypt one ciphertext that encrypts one qubit, a total of $6·\lceil logq\rceil +5$ qubits, $36·\lceil logq\rceil$ Toffoli gates, and $64·\lceil logq\rceil +23$ CNOT gates are required.

4.2. Complexity Analysis

To measure the complexity of a quantum circuit, we should consider the quantum resources required by the circuit.

Quantum resources. When analysing the complexity of a quantum circuit, a gate set that arises frequently and that has been studied often in the literature, but by no means the only conceivable gate set, is the so-called Clifford+T gate set. This gate set consists of the Hadamard gate, the phase gate, and the controlled NOT (CNOT) gate, along with the T gate. The Clifford+T gate set is known to be universal [18]. This comes from that any unitary operator can be accurately expressed using single-qubit gates and CNOT gates [29], and Hadamard gates, phase gates, and T gates can used to approximate any single-qubit gates with arbitrary precision [18]. In conclusion, these four types of quantum gates form a universal quantum gate group. As a result, when assessing the complexity of a quantum circuit, we need to compute the number of needed Hadamard gates, phase gates, CNOT gates, and T gates.

Quantum resources needed by $\mathsf{QEncrypt}$ and $\mathsf{QDecrypt}$. In Section 4.1, we have concluded the following:

• $\mathsf{QEncrypt}:$ To encrypt one qubit, a total of $4·\lceil logq\rceil +4$ qubits, $10·\lceil logq\rceil -3$ Toffoli gates, and $15.5·\lceil logq\rceil +6$ CNOT gates are required.
• $\mathsf{QDecrypt}:$ To decrypt one ciphertext that encrypts one qubit, a total of $6·\lceil logq\rceil +5$ qubits, $36·\lceil logq\rceil$ Toffoli gates, and $64·\lceil logq\rceil +23$ CNOT gates are required.

According to [30], one Toffoli gate can be broken down into two Hadamard gates, one phase gate, seven T gates, and six CNOT gates. Furthermore, to save quantum resources, auxiliary bits can be reused according to the sequence of calculations in each circuit [19]. Based on the previous results and analysis, we estimate the quantum resources needed when encrypting one qubit quantum state ${\sum }_{m\in \{0,1\}}{\alpha }_m|m\rangle$ with the algorithm $\mathsf{QEncrypt}$ and decrypting the corresponding ciphertext with the algorithm $\mathsf{QDecrypt}$ in our QIBE scheme, including the number of qubits and the number of Hadamard, phase, T, and CNOT gates. The result is shown in

Table 1. Quantum resource.

Quantum Resource	$\mathbf{QEncrypt}$	$\mathbf{QDecrypt}$
Qubit	$4·\lceil logq\rceil +4$	$6·\lceil logq\rceil +5$
Hadamard gate	$20·\lceil logq\rceil -6$	$72·\lceil logq\rceil$
phase gate	$10·\lceil logq\rceil -3$	$36·\lceil logq\rceil$
T gate	$70·\lceil logq\rceil -21$	$252·\lceil logq\rceil$
CNOT gate	$75.5·\lceil logq\rceil -12$	$280·\lceil logq\rceil +23$

.

Note that our QIBE scheme can encrypt one qubit at a time. By integrating our scheme and the IBE scheme encrypting n-bit message (The IBE scheme is described in Appendix A), we can easily construct a new QIBE that can encrypt n-qubit at a time. It is evident that the quantum resources required by this new QIBE scheme increase linearly with the number of plaintext bits to be encrypted.

5. Conclusions and Future Work

In this paper, we proposed the first QIBE scheme based on the learning with errors problem. Then, we proved that our scheme is fully secure under the random oracle model. Furthermore, we explained that our scheme possesses the following advantages:

• The network security protocol with our QIBE scheme provides perfect forward secrecy. The ciphertext is transmitted in the form of a quantum state that is unknown to the adversary and cannot be copied and stored. Thus, in network security protocols based on our QIBE construction, the adversary cannot have access to any previous quantum ciphertext to decrypt and obtain the previous session key, even if the private identity key is threatened.
• Classic KGC systems still can be used in our QIBE scheme to generate and distribute private identity keys, thus reducing the cost when this scheme is implemented. The classic KGC systems can be used because the master public and secret keys of our scheme are both in the form of classic bits.

Finally, to analyse the realisability of this QIBE scheme, we provided particulars for the quantum circuits of $\mathsf{QEncrypt}$ and $\mathsf{QDecrypt}$, and we analysed their required quantum resources for given numbers of qubits, Hadamard gates, phase gates, T gates, and CNOT gates. We concluded that the quantum resources required by our scheme increase linearly with the number of plaintext bits to be encrypted.

As aforementioned, network security protocols based on our QIBE scheme have forward secrecy, unlike the classic IBE. However, our QIBE scheme has certain drawbacks. In terms of quantum circuit realisation, we do not yet have a method to obtain the optimal circuit and find the lower bound of the quantum resources required by this scheme. Furthermore, this construction is a theoretical achievement, and any practical application remains a distant goal before the advent of universal quantum computers.

Our scheme is one of fifteen types of QIBE schemes described in Section 3.1, and the other fourteen types are yet to be studied. Therefore, the focus of our next work is to study and design the other fourteen types of QIBE schemes and their quantum circuit implementations, and to explore ways to find the lower bound of the quantum resources required by these schemes. Moreover, to make our scheme more practical, our next work includes making an implementation in Q# and providing a Github repository for it.