Efficient CCA2-Secure IBKEM from Lattices in the Standard Model

Abstract

Recent work at SCN 2020 by Boyen, Izabachène, and Li introduced a lattice-based key-encapsulation mechanism (KEM) that achieves CCA2-security in the standard model without relying on generic transformations. Their proof, however, leaves a few gaps that prevent a fully rigorous security justification. Building on the same design rationale, we revisit that construction and refine it to obtain a more compact and provably secure KEM under the Learning With Errors assumption. Furthermore, we extend this framework to derive an identity-based variant (IBKEM) whose security is established in the same model. The resulting schemes combine conceptual simplicity with improved efficiency and complete proofs of adaptive-ciphertext security.

1. Introduction

Public-key encryption (PKE) remains a cornerstone primitive in modern cryptography. There are two common notions for the security of PKE: security against adaptive chosen-plaintext attacks (CPA) and security against adaptive chosen-ciphertext attacks (CCA). In the CPA security model, an adversary is allowed to adaptively query the encryption of messages chosen by himself, and at the end, he must guess which of the two challenge plaintexts corresponds to a given ciphertext. CCA1 security is a stronger notion in which the adversary can request the decryption of arbitrary ciphertexts before seeing the challenge ciphertext. If the adversary can query the decryption oracle even after receiving the challenge ciphertext, we refer to this as CCA2 security. From a design perspective, achieving CCA2 security is preferable because it captures realistic attack scenarios in which ciphertexts can be modified or replayed.

Recently, Key Encapsulation Mechanisms (KEMs) have been introduced as a modular and efficient alternative to traditional PKE. A KEM is a public-key primitive allowing a sender to securely encapsulate a random session key under the public key of the receiver. The receiver can later decapsulate this ciphertext to recover the same shared key, which can then be used with a symmetric encryption scheme (Data Encapsulation Mechanism, or DEM) to achieve hybrid encryption. The security of a KEM is typically defined under the IND-CCA model, ensuring that the encapsulated key is indistinguishable from random even under adaptive decryption queries.

The motivation for studying Identity-Based KEMs (IB-KEMs) stems from the need to simplify key management in large-scale systems. Traditional public-key infrastructures (PKIs) require certificates to bind identities to public keys, which introduces significant overhead. In contrast, identity-based cryptography allows public keys to be derived directly from user identities, such as email addresses, thus eliminating the need for certificates. When combined with the KEM framework, IB-KEM provides an efficient and modular way to establish shared keys under the identity-based setting while maintaining strong CCA security guarantees.

Following the work of Boyen, Izabachène and Li in [1], several directions have been investigated for building lattice-based public-key or key-encapsulation mechanisms that achieve adaptive-ciphertext security in the standard model. The first uses transformations, such as the BCHK conversion [2], applied to identity-based encryption frameworks. The second relies on lossy-trapdoor functions [3], which are injective for one key distribution but statistically lossy for another, as in [4]. The third incorporates non-interactive zero-knowledge (NIZK) proofs within lattice encryption to certify ciphertext validity, following ideas similar to the Naor–Yung paradigm. However, all of those three approaches have certain drawbacks. The first approach is quite popular but it produces an overhead in the ciphertext because they depend on one-time signature mechanisms to bind tags. The problem with the second approach is that all currently known lossy trapdoor functions from lattices [3,5] require large parameters and rely on strong lattice assumptions. The third approach is not practical. Boyen, Izabachène, and Li then proposed, in [1], a new approach to construct an efficient KEM from lattices without using any generic constructions as the aforementioned three approaches. Their technique is adapted from previous work [6] on CCA2-secure PKE construction in pairings to lattice setting. They start from the tag-based CCA1-secure PKE scheme in [7] and replace the tag in a suitable way to achieve CCA2-security. The proof of security reduces to a special form of the Learning With Errors problem, which they denote as the SISnLWE assumption (see Section 2 for the details). However, the security proof of [1] is not complete. In fact, it missed one case in the proof and it is not clear how to argue the security in this situation. In addition, it is non-trivial to obtain an identity-based KEM (IBKEM) from the construction of Boyen, Izabachène, and Li in [1].

1.1. Contribution

The central goal of this paper is to design an identity-based key-encapsulation mechanism (IBKEM) over lattices that achieves selective chosen-ciphertext (CCA2) security, presented in Section 3. This work builds upon the CCA2-secure KEM construction by Boyen, Izabachène, and Li [1], and integrates it with the strong G-trapdoor technique from [7] to enable efficient private key extraction for identities. However, the proposed approach is not an immediate adaptation of [1], due to a technical issue in its security proof. Specifically, the proof of the KEM in [1] does not cover all possible cases of well-formed ciphertexts submitted to the decapsulation oracle. In particular, one security branch was left unaddressed, which leaves the argument for completeness unclear. To address this, we propose in Section 2 a simple modification to the CCA2-secure KEM of [1]. With this refinement, we provide a complete reduction demonstrating that the new KEM satisfies adaptive-ciphertext security. Building on this foundation, our IBKEM inherits the improved security guarantees, achieving IND-sID-CCA2 protection in the standard model under the hardness assumptions of the SIS and SISnLWE problems.

1.2. Our Approach

Let us recall the construction in [1]. In the KEM from [1], the ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ is of the form

$${\mathbf{c}}_0^T={\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}_0^T,{\mathbf{c}}_1^T={\mathbf{s}}^T({\mathbf{A}}_1+\mathsf{FRD}(\mathbf{t})\mathbf{G})+{\mathbf{e}}_1^T,\mathbf{t}=\mathsf{H}({\mathbf{c}}_0,\mathbf{U}{\mathbf{e}}_1)$$

where matrices $\mathbf{A},{\mathbf{A}}_1,\mathbf{U}$ and hash function $\mathsf{H}$ are public and $\mathbf{s}=\mathbf{k}\lfloor q/2\rfloor +\overline{\mathbf{s}}$ is a transformation of the session key $\mathbf{k}\in {\{0,1\}}^{*}$ with noise $\overline{\mathbf{s}}$. Here, $\mathbf{G}\in {\mathbb{Z}}_q^{n\times \omega }$ is a gadget matrix (see Section 2.3 for the detail) and FRD is a full-rank difference encoding introduced in [8]; readers are referred to the formal definition in Section 2.3. The decapsulation algorithm extracts $\mathbf{s},{\mathbf{e}}_0,{\mathbf{e}}_1$ and recovers session key $\mathbf{k}$.

We first attempted to extend the original construction of CCA2-secure KEM in [1] to a CCA2-secure IBKEM. Our first challenge was to find a way to generate a trapdoor for each identity in the decapsulation algorithm. In many IBKEM schemes based on lattices (e.g., [8,9]), the ciphertexts for identities $\mathsf{id}$ are usually of the form

$$\mathbf{c}={\mathbf{s}}^T{\mathbf{F}}_{\mathsf{id}}+{\mathbf{e}}^T$$

where ${\mathbf{F}}_{\mathsf{id}}=[\mathbf{A}|{\mathbf{A}}_1+\mathsf{FRD}(\mathsf{id})\mathbf{G})]\in {\mathbb{Z}}_q^{n\times (m+\omega )}$ is the matrix tied to the identity $\mathsf{id}$ whose trapdoor is the secret keys for $\mathsf{id}$. Note that the trapdoor in [1] is a G-trapdoor [7], not the short vectors or bases of the lattices ${\Lambda }_q^{\perp }({\mathbf{F}}_{\mathsf{id}})$, as in many works such as [8,10]. Moreover, there was no existing scheme using G-trapdoor extraction. We then come up with a way of extracting G-trapdoor by considering

$${\mathbf{F}}_{\mathsf{id}}=[\mathbf{A}|{\mathbf{A}}_1+\mathsf{FRD}(\mathsf{id})\mathbf{G}|\mathbf{C}+\mathsf{FRD}(\mathbf{t})\mathbf{G}]\in {\mathbb{Z}}_q^{n\times 3m},$$

where $\mathbf{A},{\mathbf{A}}_1,\mathbf{C}$ are public matrices.

The most difficult challenge was in answering the decapsulation queries without leaking any information in the case of some parts of query tuples $(\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t}),\mathsf{id})$ that coincide with the challenge $({\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*}),{\mathsf{id}}^{*})$. The adversary may request decryptions for $(\mathsf{CT},\mathsf{id})\ne ({\mathsf{CT}}^{*},{\mathsf{id}}^{*})$. The appearance of identities $\mathsf{id}$ in queries in IBKEM yields more cases to deal with than in KEM. Therefore, we failed to use the original KEM construction of Boyen [1] to extend to IBKEM, which motivated us to revise it.

In the IND-CCA2 experiment for the KEM [1], the challenger sends the adversary $\mathcal{A}$ a ciphertext ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$ together with either the genuine session key ${\mathbf{k}}^{*}$ or a random key $\mathbf{k}$. The adversary’s task is to decide whether the received key is authentic or random. If $\mathcal{A}$ can successfully submit a well-formed ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ to the decryption oracle, with ${\mathbf{c}}_0={\mathbf{c}}_0^{*}={({\mathbf{k}}^{*}\lfloor q/2\rfloor +\overline{\mathbf{s}})}^T\mathbf{A}+{\mathbf{e}}_0^T$, then the oracle must return the correct session key ${\mathbf{k}}^{*}$, enabling $\mathcal{A}$ to distinguish the challenge. Therefore, we need to deal with such a case. As the query $\mathsf{CT}$ is different from the challenge ciphertext ${\mathsf{CT}}^{*}$, when ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$, there are three cases:

(i)

${\mathbf{c}}_1={\mathbf{c}}_1^{*}$ and $\mathbf{t}\ne {\mathbf{t}}^{*}$;

(ii)

${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$ and $\mathbf{t}={\mathbf{t}}^{*}$;

(iii)

${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$ and $\mathbf{t}\ne {\mathbf{t}}^{*}$.

Case (i) occurs with negligible probability by Lemma 7 [1]. Case (ii) is also considered in Lemma 8 [1]. To be more precise, in Lemma 8, the authors mentioned the case where “${\mathbf{c}}_0={\mathbf{c}}_0^{*}$ (thus, $\mathbf{t}={\mathbf{t}}^{*}$) and ${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$”. The assumption that ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$ implies that $\mathbf{t}={\mathbf{t}}^{*}$ is incorrect because ${\mathbf{e}}_1$ can be sampled independently of ${\mathbf{c}}_0$. We double-checked the proof of the Lemma 8 to ascertain if it is a typo, but from the arguments in Lemma 8, only the case (ii) is considered. As a result, the case (iii) is missing in [1] and it is not clear how to argue the security in this case in the original construction. Therefore, the security proof of Boyen [1] is not complete. However, we observe that to deal with case (iii), such $\mathbf{k}$ should not be considered as the whole valid session key. Our solution is setting session key

$$\mathsf{K}=\mathbf{U}{\mathbf{e}}_1+\mathbf{k},$$

deriving the session key not just from ${\mathbf{c}}_0$ but also from the SIS hash of ${\mathbf{e}}_1$. When receiving the session key $\mathsf{K}$ from the decapsulation oracle for any kind of ciphertext, an adversary cannot find any linkability to challenge the session key except in the case that ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$ and ${\mathbf{c}}_1={\mathbf{c}}_1^{*}$, which can happen with negligible probability, and in the case that $\mathbf{t}={\mathbf{t}}^{*}$, which is unlikely to happen, assuming the computational intractability of the SIS assumption. Within our updated session-key framework, this adjustment enhances the proof, yielding IND-sID-CCA2 protection for the proposed IBKEM.

To preserve these guarantees, we further adapt the gadget matrix $\mathbf{G}$ in [1] by enlarging its dimension while maintaining its algebraic characteristics. This modification ensures that the resulting matrix continues to satisfy the essential properties required for the correctness and trapdoor extraction procedures.

1.3. Related Work

Micciancio and Peikert [7] introduced one of the earliest lattice-based public-key encryption schemes that achieved CCA1 security within the standard model. It is of the form of tag-based encryption and has inspired several follow-up works in this line of research. The BCHK transformation [2] can be used to transform the CCA1-secure scheme in [7], either using an MAC or a signature scheme, to achieve CCA2-security. Boyen, Izabachène, and Li, in [1], proposed a simple and efficient CCA2-secure KEM, starting from the tag-based encryption scheme in [7]. However, the proof in [1] remains incomplete and the parameter choice is inconsistent: the authors required the matrix $\mathbf{R}$ used for key generation to act as a right inverse rather than the left inverse adopted in [7]. As a consequence, configurations in which the number of rows in $\mathbf{R}$ exceeds its number of columns no longer satisfy the necessary properties. To fix this, we need the reverse. Unfortunately, the adjustment introduces a trade-off between the matrix dimension and the trapdoor quality. Our work revises that construction and parameter selection to obtain a CCA2-secure KEM with a full proof of security that matches the efficiency of the earlier design. A comparative summary of our approach with existing lattice-based PKE/KEM schemes is shown in Table 1. We adopt the same notation as in [1] for consistency: MP12 for the CCA1-secure scheme in [7], MP12-MAC and MP12-SIG for the CCA2-secure schemes obtained from using the BCHK transformation. We also note that Zhang et al. [11] proposed another lattice-based encryption achieving CCA2 resistance, though Boyen et al. [1] later observed that the associated proof omits one crucial case; we, therefore, exclude that scheme from our direct comparison.

Table 1. Comparison for CCA2-secure PKE/KEM schemes.

	Param.  $\mathit{\alpha }$	$|\mathsf{PK}|$	$|\mathsf{CT}|$	Security	Type
MP12 [7]	$\tilde{O}(1/n)$	$2{(nlogq)}^2$	$3n{(logq)}^2+\lambda$	CCA1	PKE
MP12-MAC [2,7]	$\tilde{O}(1/n)$	$2{(nlogq)}^2+|\mathsf{PP}|$	$6n{(logq)}^2+|\mathsf{tag}|+|\mathsf{com}|$	CCA2	PKE
MP12-SIG [2,7]	$\tilde{O}(1/n)$	$2{(nlogq)}^2$	$6n{(logq)}^2+|\mathsf{sig}|+|\mathsf{VK}|$	CCA2	PKE
This work	$\tilde{O}(1/n)$	$6{(nlogq)}^2$	$4n{(logq)}^2+\lambda$	CCA2	KEM

Let $\lambda$ denote the security parameter, and $\alpha$ be the value linked to the underlying LWE assumption (see Section 2.3). We use $|\mathsf{PK}|,|\mathsf{CT}|$, and $|\mathsf{PP}|$ to represent the lengths of the public keys, ciphertexts, and public parameters. These correspond, respectively, to the commitment and MAC in the MP12-MAC variant. The symbol $|\mathsf{tag}|$ and $|\mathsf{com}|$ refer to the tag and commitment sizes, while $|\mathsf{sig}|$ and $|\mathsf{VK}|$ denote the signature and verification-key sizes of the one-time signature used in MP12-SIG.

Agrawal et al. [8,10] and Cash et al. [12] pioneered identity-based encryption constructions grounded on lattice assumptions in the standard model. Subsequent studies by Yamada [13] and Zhang et al. [14] enhanced efficiency, achieving adaptive IBE with compact public keys of size $\mathcal{O}(log\lambda )$. At PKC’2021, Jager et al. [9] proposed the blockwise partitioning technique, which enables practical realization of adaptive identity-based key-encapsulation mechanisms (IB-KEMs) from lattices under the same model. Their design achieves smaller master key dimensions and milder LWE parameters than those required by Yamada [13] and Zhang et al. [14], though its security remains confined to the CPA level. In contrast, the present work develops an identity-based KEM that attains CCA2 security in the standard model while maintaining comparable efficiency. Our current construction supports selective security; improving it toward a fully adaptive guarantee is left as a direction for future study.

Recent research has also advanced CCA-secure IBKEM in non-lattice settings. Qiao et al. [15] proposed a continuously leakage-resilient IBKEM secure under chosen-ciphertext attacks, and Li et al. [16] introduced an identity-based multi-receiver KEM tailored for privacy-preserving federated learning. Earlier, Tomita, Ogata, and Kurosawa [17] presented a leakage-resilient CCA-secure IBKEM from simple group-based assumptions. These works represent the most recent developments on strengthening IBKEM security; however, all rely on group-based hardness assumptions such as bilinear pairings. Our construction is fundamentally different in that it achieves CCA2 security entirely from lattice assumptions, thereby contributing to post-quantum–secure IBKEM in a setting not addressed by the above works.

2. Preliminaries

2.1. Key Encapsulation Mechanism (KEM)

This part summarizes the framework of a Key Encapsulation Mechanism (KEM) and the associated security definitions.

Definition 1

(KEM). A KEM scheme Π is defined by three polynomial-time algorithms:

• $\mathsf{Setup}(\lambda )$: Given the security parameter λ, the algorithm outputs a public/secret key pair$(\mathsf{PK},\mathsf{SK})$.
• $\mathsf{Encap}(\mathsf{PK})$: On input of the public key$\mathsf{PK}$, it produces a ciphertext$\mathsf{CT}$ that encapsulates a random session key$\mathsf{K}$, and outputs the pair$(\mathsf{CT},\mathsf{K})$.
• $\mathsf{Decap}(\mathsf{PK},\mathsf{CT},\mathsf{SK})$: Using the public key$\mathsf{PK}$, the ciphertext$\mathsf{CT}$, and the secret key$\mathsf{SK}$, it recovers the corresponding session key$\mathsf{K}$ if the ciphertext is valid; otherwise it returns the rejection symbol ⊥.

Correctness: For every $\lambda \in \mathbb{N}$, a KEM is correct if the session key produced by encapsulation is recovered with probability 1 by decapsulation:

$$\mathrm{Pr}\left[\begin{array}{c}\mathsf{Decap}(\mathsf{PK},\mathsf{CT},\mathsf{SK})=\mathsf{K}\end{array}\left|\begin{array}{c}(\mathsf{PK},\mathsf{SK})\leftarrow \mathsf{Setup}(\lambda )\\ (\mathsf{CT},\mathsf{K})\leftarrow \mathsf{Encap}(\mathsf{PK})\end{array}\right.\right]=1.$$

Security models of KEM. 

The confidentiality of a KEM is captured by the adaptive chosen-ciphertext attack (IND-CCA2) experiment between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

• Setup: $\mathcal{C}$ runs $\mathsf{Setup}(\lambda )$ to generate $(\mathsf{PK},\mathsf{SK})$ and gives T$\mathsf{PK}$ to $\mathcal{A}$, while keeping $\mathsf{SK}$ secret.
• Phase 1: $\mathcal{A}$ may query the decapsulation oracle ${\mathcal{O}}_{\mathsf{Decap}}$ on any ciphertexts of its choice and receive the corresponding session keys.
• Challenge: The challenger $\mathcal{C}$ generates $({\mathsf{CT}}^{*},{\mathsf{K}}_1^{*})\leftarrow \mathsf{Encap}(\mathsf{PK})$ and chooses a random session key ${\mathsf{K}}_0^{*}$ in the key space. Then $\mathcal{C}$ picks a bit $b\in \{0,1\}$ randomly and sends $({\mathsf{CT}}^{*},{\mathsf{K}}_b^{*})$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ continues to query ${\mathcal{O}}_{\mathsf{Decap}}$ on any ciphertext $\mathsf{CT}\ne {\mathsf{CT}}^{*}$.
• Guess: Finally, $\mathcal{A}$ outputs a bit $b^{\prime }\in \{0,1\}$ and wins if $b^{\prime }=b$.

The adversary’s advantage is

$${\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}:=\left|\mathrm{Pr}[b=b^{\prime }]-{\displaystyle \frac{1}{2}}\right|.$$

A KEM is IND-CCA2 secure if this advantage is negligible for all probabilistic polynomial-time adversaries.

2.2. Identity Based Key Encapsulation Mechanism (IBKEM)

This section outlines the structure and security formulation of an Identity-Based Key Encapsulation Mechanism (IBKEM).

Definition 2

(IBKEM). An IBKEM scheme Π is specified by four efficient algorithms:

• $\mathsf{Setup}(\lambda )$: Given the security parameter λ, the algorithm produces a master public key and a master secret key, denoted $(\mathsf{MPK},\mathsf{MSK})$.
• $\mathsf{Extract}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$: On input of the master keys and an identity $\mathsf{id}$, the algorithm outputs the secret key ${\mathsf{SK}}_{\mathsf{id}}$ associated with that identity.
• $\mathsf{Encap}(\mathsf{MPK},\mathsf{id})$: Using the master public key and the target identity $\mathsf{id}$, the algorithm generates a ciphertext $\mathsf{CT}$ that encapsulates a random session key $\mathsf{K}$. It then returns $(\mathsf{CT},\mathsf{K})$.
• $\mathsf{Decap}(\mathsf{MPK},\mathsf{CT},{\mathsf{SK}}_{\mathsf{id}})$: Given the master public key, a ciphertext, and the identity’s secret key, the algorithm recovers the session key $\mathsf{K}$ if the ciphertext is valid; otherwise it outputs ⊥.

Correctness: 

The correctness of IBKEM scheme requires that for all $\lambda \in \mathbb{N}$, and all identities $\mathsf{id}$ in the identity space, it holds that

$$\mathrm{Pr}\left[\begin{array}{c}\mathsf{Decap}(\mathsf{MPK},\mathsf{CT},{\mathsf{SK}}_{\mathsf{id}})=\mathsf{K}\end{array}\left|\begin{array}{c}(\mathsf{MPK},\mathsf{MSK})\leftarrow \mathsf{Setup}(\lambda )\\ {\mathsf{SK}}_{\mathsf{id}}\leftarrow \mathsf{Extract}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})\\ (\mathsf{CT},\mathsf{K})\leftarrow \mathsf{Encap}(\mathsf{MPK},\mathsf{id})\end{array}\right.\right]=1.$$

Security models of IBKEM: 

We define the selective-identity chosen-ciphertext (IND-sID-CCA2) security of an IBKEM scheme through an interactive game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$:

• Setup: The challenger $\mathcal{C}$ executes $\mathsf{Setup}(\lambda )$ to produce a master key pair $(\mathsf{MPK},\mathsf{MSK})$. It provides $\mathsf{MPK}$ to the adversary while keeping $\mathsf{MSK}$ secret.
• Initial: $\mathcal{A}$ declares a target identity ${\mathsf{id}}^{*}$.
• Phase 1: The adversary $\mathcal{A}$ may issue a polynomial number of queries to two oracles, in any sequence:

  –

  ${\mathcal{O}}_{\mathsf{Extract}}$: On input of an identity $\mathsf{id}\ne {\mathsf{id}}^{*}$, it outputs the corresponding private key ${\mathsf{SK}}_{\mathsf{id}}$.

  –

  ${\mathcal{O}}_{\mathsf{Decap}}$: Given an identity $\mathsf{id}$ and a ciphertext $\mathsf{CT}$, it returns the session key $\mathsf{K}\leftarrow \mathsf{Decap}(\mathsf{MPK},\mathsf{CT},{\mathsf{SK}}_{\mathsf{id}})$ using the secret key ${\mathsf{SK}}_{\mathsf{id}}$ associated with the identity $\mathsf{id}$.

• Challenge: The challenger $\mathcal{C}$ computes $({\mathsf{CT}}^{*},{\mathsf{K}}_1^{*})\leftarrow \mathsf{Encap}(\mathsf{MPK},{\mathsf{id}}^{*})$ and chooses a random session key ${\mathsf{K}}_0^{*}$ in the key space. Then $\mathcal{C}$ selects a bit $b\in \{0,1\}$ randomly and sends the pair $({\mathsf{CT}}^{*},{\mathsf{K}}_b^{*})$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ continues to query both oracles under the restrictions that

  –

  The challenge identity ${\mathsf{id}}^{*}$ is never used in ${\mathcal{O}}_{\mathsf{Extract}}$.

  –

  The pair $({\mathsf{id}}^{*},{\mathsf{CT}}^{*})$ cannot be submitted to ${\mathcal{O}}_{\mathsf{Decap}}$.

  All other queries are answered as in Phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a bit $b^{\prime }\in \{0,1\}$. It wins if $b^{\prime }=b$.

The advantage of $\mathcal{A}$ is defined as

$${\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}}:=\left|\mathrm{Pr}[b=b^{\prime }]-{\displaystyle \frac{1}{2}}\right|.$$

A scheme is IND-sID-CCA2 secure when this advantage is negligible for every probabilistic polynomial-time adversary.

2.3. Lattices

Lattices can be viewed as discrete subgroups of ${\mathbb{Z}}^m$. Let $B=\{{\mathbf{b}}_1,\dots ,{\mathbf{b}}_n\}$ be a set of linearly independent vectors in ${\mathbb{Z}}^m$. The lattice generated by B is defined as

$$\Lambda :=\left\{\sum _{i=1}^n{c}_i{\mathbf{b}}_i|c_i\in \mathbb{Z},i=1,\dots ,n\right\}.$$

Here, $\Lambda$ is of rank n and the matrix B serves as a basis of $\Lambda$. When $n=m$, the lattice is said to have full-rank.

In this work we focus primarily on q-ary lattices, a family of full-rank lattices that contain $q{\mathbb{Z}}^m$. For a matrix $\mathbf{M}\in {\mathbb{Z}}^{n\times m}$ and $\mathbf{u}\in {\mathbb{Z}}_q^n$, we define

$$\begin{array}{cc}\hfill {\Lambda }_q(\mathbf{M})& :=\left\{\mathbf{u}\in {\mathbb{Z}}^m|\exists \mathbf{v}\in {\mathbb{Z}}_q^n,{\mathbf{M}}^T\mathbf{v}=\mathbf{u}modq\right\}\hfill \\ \hfill {\Lambda }_q^{\perp }(\mathbf{M})& :=\left\{\mathbf{v}\in {\mathbb{Z}}^m|\mathbf{M}\mathbf{v}=\mathbf{0}modq\right\}\hfill \end{array}$$

and the translation of ${\Lambda }_q^{\perp }(\mathbf{M})$ of the form

$${\Lambda }_q^{\mathbf{u}}(\mathbf{M}):=\left\{\mathbf{v}\in {\mathbb{Z}}^m|\mathbf{M}\mathbf{v}=\mathbf{u}modq\right\}.$$

For a vector family $\mathbf{B}=\{{\mathbf{v}}_1,\dots ,{\mathbf{v}}_k\}\subseteq {\mathbb{R}}^m$, we write $\parallel \mathbf{B}\parallel :={max}_{1\le i\le k}\parallel {\mathbf{v}}_i\parallel$ for the length of its longest generator. If $\mathbf{B}$ is linearly independent, its Gram–Schmidt orthogonalization $\tilde{\mathbf{B}}=\{{\tilde{\mathbf{v}}}_1,\dots ,{\tilde{\mathbf{v}}}_k\}$ is obtained by processing the vectors in order, and $\parallel \tilde{\mathbf{B}}\parallel$ denotes the Gram–Schmidt norm of $\mathbf{B}$.

For any matrix $\mathbf{M}\in {\mathbb{Z}}^{n\times m}$, there exists a singular value decomposition $\mathbf{M}=\mathbf{U}\mathbf{D}{\mathbf{V}}^T$, where $\mathbf{U}\in {\mathbb{R}}^{n\times n}$, $\mathbf{V}\in {\mathbb{R}}^{m\times m}$ are orthogonal matrices, and $\mathbf{D}\in {\mathbb{R}}^{n\times m}$ is a rectangular diagonal matrix with non-negative diagonal entries $s_i$, arranged in non-increasing order. Such diagonal entries are uniquely determined by $\mathbf{M}$ and are called the singular values of $\mathbf{M}$, denoted $s_i(\mathbf{M})$. They satisfy $s_1(\mathbf{M})\ge \parallel \mathbf{M}\parallel$ and $s_1(\mathbf{M})\ge \parallel {\mathbf{M}}^T\parallel$.

A matrix $\mathbf{M}$ in ${\mathbb{Z}}^{m\times m}$ is said to be ${\mathbb{Z}}_q$-invertible when its reduction modulo q is invertible as an element of ${\mathbb{Z}}_q^{m\times m}.$

Gaussian distribution. 

We now recall the definition of the discrete Gaussian distribution, which plays a central role in our construction.

Definition 3.

Let $\mathcal{L}\subseteq {\mathbb{Z}}^m$ be a lattice. For a center vector $\mathbf{c}\in {\mathbb{R}}^m$ and a positive parameter $\sigma \in \mathbb{R}$, we define the following:

$${\rho }_{\sigma ,\mathbf{c}}(\mathbf{x})=exp\left(-\pi {\displaystyle \frac{{\parallel \mathbf{x}-\mathbf{c}\parallel }^2}{{\sigma }^2}}\right)\mathit{and}{\rho }_{\sigma ,\mathbf{c}}(\mathcal{L})=\sum _{\mathbf{x}\in \mathcal{L}}{\rho }_{\sigma ,\mathbf{c}}(\mathbf{x}).$$

The discrete Gaussian distribution over $\mathcal{L}$ with center $\mathbf{c}$ and parameter σ is

$$\forall \mathbf{y}\in \mathcal{L},{\mathcal{D}}_{\mathcal{L},\sigma ,\mathbf{c}}(\mathbf{y})={\displaystyle \frac{{\rho }_{\sigma ,\mathbf{c}}(\mathbf{y})}{{\rho }_{\sigma ,\mathbf{c}}(\mathcal{L})}}.$$

For simplicity, we often omit the center when it is the origin and write ${\rho }_{\sigma }$ and ${\mathcal{D}}_{\mathcal{L},\sigma }$ in place of ${\rho }_{\sigma ,\mathbf{0}}$ and ${\mathcal{D}}_{\mathcal{L},\sigma ,\mathbf{0}}$, respectively. When the parameter takes the value $\sigma =1$, we denote the function simply as $\rho$ (i.e., ${\rho }_1$).

We will utilize the following well-known results on lattices in [18].

Lemma 1.

For $\mathbf{x}\leftarrow {\mathcal{D}}_{{\Lambda }_q^{\mathbf{u}}(A),\sigma }$, $\mathrm{Pr}[\parallel \mathbf{x}\parallel >\sigma \sqrt{m}]\le \mathrm{negl}(\mathrm{n})$.

Lemma 2.

Let q be a prime and $m,n$ be positive integers satisfying $m\ge 2n\lceil logq\rceil$. For all but at most $q^{-n}$ fraction of matrices $\mathbf{A}\in {\mathbb{Z}}^{n\times m}$, the shortest vector in the lattice ${\Lambda }_q(A)$ has a length of at least $q/4.$

Lemma 3.

Let q be a prime and $m,n>0$ with $m\ge 2n\lceil logq\rceil$. Except for at most a $2q^{-n}$ fraction of matrices $\mathbf{A}\in {\mathbb{Z}}^{n\times m}$ and for every $\sigma \ge \omega (\sqrt{logm})$, the distribution of vector $\{\mathbf{A}\mathbf{r}\in {\mathbb{Z}}_q^n|\mathbf{r}\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma }^m\}$ is statistically indistinguishable from the uniform distribution over ${\mathbb{Z}}_q^n$. Moreover, for any fixed$\mathbf{u}\in {\mathbb{Z}}_q^n$, the conditional distribution of  $\mathbf{r}$, given that $\mathbf{A}\mathbf{r}=\mathbf{u}$, follows the discrete Gaussian ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{u}}(A),\sigma }$.

This lemma is used in our proof to justify correctness and to analyze the session-key distribution within the key space $\mathcal{K}$.

Lemma 4.

Let q be prime and$m,n>0$ such that $m\ge 2n\lceil logq\rceil$. Let $\mathbf{U}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and draw $\mathbf{e}\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma }^m$ for some $\sigma \ge \omega (\sqrt{logm})$. For a binary vector $\mathbf{k}\leftarrow {\{0,1\}}^n$, the distribution of $\mathsf{K}=\mathbf{U}\mathbf{e}+\mathbf{k}\in {\mathbb{Z}}_q^n$ is statistically close to the uniform distribution over ${\mathbb{Z}}_q^n$.

Lattice trapdoors. 

In our construction, (master) secret keys are G-trapdoors, as introduced in [7]. Below, we revisit this definition along with some useful algorithms from [7].

Definition 4.

($\mathbf{G}$-trapdoor) Let n be a positive integer, $q\ge 2$ a prime and set${,}^{\prime }\ge m\ge n\lceil logq\rceil$. Let $\mathbf{F}\in {\mathbb{Z}}_q^{n\times m^{\prime }}$ and $\mathbf{G}\in {\mathbb{Z}}_q^{n\times m}$ be public matrices, and let $\mathbf{H}\in {\mathbb{Z}}_q^{n\times n}$ be invertible. A matrix $\mathbf{R}\in {\mathbb{Z}}^{(m^{\prime }-m)\times m}$ is called a $\mathbf{G}$-trapdoor for $\mathbf{F}$ with tag $\mathbf{H}$ if $\mathbf{F}\left[\begin{array}{c}-\mathbf{R}\\ {\mathbf{I}}_m\end{array}\right]=\mathbf{H}\mathbf{G}\mathrm{mod}q$.

In [7], $\mathbf{G}$ refers to the gadget matrix ${\mathbf{I}}_n\otimes {\mathbf{g}}^T\in {\mathbb{Z}}_q^{n\times nk}$ where $k=\lceil logq\rceil$ and ${\mathbf{g}}^T=(1,2,4,\dots ,2^{k-1})$. The lattice ${\Lambda }_q^{\perp }(\mathbf{G})$ has a publicly known short basis ${\mathbf{T}}_{\mathbf{G}}\in {\mathbb{Z}}^{m\times m}$ satisfying $\parallel {\tilde{\mathbf{T}}}_{\mathbf{G}}\parallel \le \sqrt{5}$ and $\parallel {\mathbf{T}}_{\mathbf{G}}\parallel \le max(\sqrt{5},\sqrt{k})$. The same work also provides an algorithm for generating a pseudorandom matrix $\mathbf{F}\in {\mathbb{Z}}_q^{n\times (\overline{m}+m)}$ together with a “strong” $\mathbf{G}$-trapdoor for ${\Lambda }_q^{\perp }(\mathbf{F})$ whenever $\overline{m}\ge n\lceil logq\rceil$:

• Sample $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times \overline{m}}$ and $\mathbf{R}\leftarrow {({\mathcal{D}}_{{\mathbb{Z}}^{\overline{m}},{\sigma }_{\mathbf{R}}})}^m$ for an invertible $\mathbf{H}\leftarrow {\mathbb{Z}}_q^{n\times n}$.
• Output $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\mathbf{G}]$ together with trapdoor $\mathbf{R}$.

The matrix $\mathbf{R}\leftarrow {({\mathcal{D}}_{{\mathbb{Z}}^{\overline{m}},{\sigma }_{\mathbf{R}}})}^m$ serves as a low-norm basis for ${\Lambda }_q^{\perp }(\mathbf{F})$ and, thus, forms a valid trapdoor. Its quality is determined by its largest singular value, which satisfies $s_1(\mathbf{R})=\sigma .\mathcal{O}(\sqrt{\overline{m}}+\sqrt{m})$ except with negligible probability. The resulting matrix $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\mathbf{G}]$ is nearly uniform.

To extend this construction, we follow [7] (Theorem 5.1) by introducing $\overline{\mathbf{G}}=[\mathbf{G}|\mathbb{O}]$ as an augmented gadget matrix and treat the corresponding trapdoor $\overline{\mathbf{R}}$ analogously.

Lemma 5.

Let $n\ge 1$, $\overline{m}\ge n\lceil logq\rceil$, $q\ge 2$, $m\ge n\lceil logq\rceil$. Let $\overline{\mathbf{G}}$ be the $n\times m$ matrix obtained by adding $m-n\lceil logq\rceil$ zero columns to the right of the gadget matrix $\mathbf{G}$. Let $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times \overline{m}}$, $\mathbf{R}\leftarrow {({\mathcal{D}}_{{\mathbb{Z}}^{\overline{m}},{\sigma }_{\mathbf{R}}})}^m$, and $\mathbf{H}\leftarrow {\mathbb{Z}}_q^{n\times n}$ be an invertible matrix. Set $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\overline{\mathbf{G}}]$. Then

• $\mathbf{F}$ is computationally indistinguishable from uniform.
• For any ${\mathbf{b}}^T={\mathbf{s}}^T\mathbf{F}+{\mathbf{e}}^T$ with $\mathbf{s}\in {\mathbb{Z}}_q^n$, ${\mathbf{e}}^T=[{\mathbf{e}}_0^T|{\mathbf{e}}_1^T]\in {\mathbb{Z}}^{\overline{m}+m}$ with $\parallel {\mathbf{e}}_1^T-{\mathbf{e}}_0^T{\mathbf{R}\parallel }_{\infty }<q/4$, there exists an algorithm $\mathsf{Invert}(\mathbf{R},\mathbf{F},\mathbf{b})$ that, with overwhelming probability, recovers $\mathbf{s}$ and ${\mathbf{e}}_0,{\mathbf{e}}_1$.

The next lemma (adapted from SampleRight of Agrawal et al. [8]) will later be employed for correctness analysis in our construction.

Lemma 6.

Let $n\ge 1$, $\overline{m}\ge n\lceil logq\rceil$, $q>2$, $m\ge n\lceil logq\rceil$. Let $\overline{\mathbf{G}}$ be the $n\times m$ matrix obtained by adding $m-n\lceil logq\rceil$ zero columns to the right of the gadget matrix $\mathbf{G}$. Let $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times \overline{m}}$, $\mathbf{R}\leftarrow {({\mathcal{D}}_{{\mathbb{Z}}^{\overline{m}},{\sigma }_{\mathbf{R}}})}^m$, and $\mathbf{H}\leftarrow {\mathbb{Z}}_q^{n\times n}$ be invertible. Define $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\overline{\mathbf{G}}]$. If the parameter s satisfies $s\ge \sqrt{5}·s_1(\mathbf{R})·\omega (\sqrt{logm})$, then there exists a PPT algorithm $\mathsf{SamplePre}(\mathbf{R},\mathbf{F},\mathbf{H},\mathbf{U},s)$ that outputs a matrix $\mathbf{T}\in {\mathbb{Z}}^{(\overline{m}+m)\times m}$ whose distribution is statistically close to ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{U}}(\mathbf{F}),s}$. In particular, it holds that $\mathbf{F}\mathbf{T}=\mathbf{U}$.

Hardness Assumptions

Definition 5

(Short Integer Solution—SIS Problem). Let λ be the security parameter, $n=n(\lambda ),m=m(\lambda ),q=q(\lambda )$ be positive and a real $\beta =\beta (\lambda )>0$. Given a uniformly random matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, the ${\mathsf{SIS}}_{n,m,q,\beta }$ problem asks for a non-zero integer vector $\mathbf{e}\in {\mathbb{Z}}^m$ of small norm $\parallel \mathbf{e}\parallel \le \beta$ such that $\mathbf{A}\mathbf{e}=0\mathrm{mod}q$.

For an algorithm $\mathcal{A}$ solving ${\mathsf{SIS}}_{n,m,q,\beta }$, its success probability is written as ${\mathsf{Adv}}_{\mathcal{A}}^{SI{S}_{n,m,q,\beta }}(\lambda )$. The ${\mathsf{SIS}}_{n,m,q,\beta }$ assumption holds if, for every PPT algorithm $\mathcal{A}$, this advantage is negligible in λ.

Definition 6

(Learning With Errors - LWE problem). Let q be prime, $n>0$ be an integer, and χ be a distribution over ${\mathbb{Z}}_q$. An instance of the $({\mathbb{Z}}_q,n,\chi )$-$\mathsf{LWE}$ problem provides oracle access to samples drawn either from:

${\mathcal{O}}_{\mathbf{s}}$:

Returns pairs $({\mathbf{a}}_i,b_i)=({\mathbf{a}}_i,{\mathbf{s}}^T{\mathbf{a}}_i+e_i)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$, where ${\mathbf{a}}_i$ is uniformly sampled from ${\mathbb{Z}}_q^n$ and $e_i\in {\mathbb{Z}}_q$ is a noise withdrawn from χ.

${\mathcal{O}}_{\$}$:

Returns uniformly random pairs in ${\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$.

The goal of an adversary $\mathcal{A}$ is to distinguish which oracle it is interacting with. Its advantage is defined as

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{LWE}}:=\left|\mathrm{Pr}[{\mathcal{A}}^{{\mathcal{O}}_{\mathbf{s}}}=1]-\mathrm{Pr}[{\mathcal{A}}^{{\mathcal{O}}_{\$}}=1]\right|.$$

The LWE assumption asserts that this advantage is negligible for all efficient $\mathcal{A}$.

Hardness reductions show that $\mathsf{LWE}$ is at least as difficult as approximating certain worst-case lattice problems to within polynomial factors when $\chi \sim {\mathcal{D}}_{\mathbb{Z},\alpha }$ and $\alpha \in (0,1)$, $\alpha q>\sqrt{n}$ in [19].

Theorem 1

(Genise et al. [20]). Let $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ be primitive, $\mathbf{s}\in {\mathbb{Z}}^n,\mathbf{e}\in {\mathbb{Z}}^m$, and set ${\mathbf{b}}^T={\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}^T$. For $r,\overline{r}>0$ and for some negligible ϵ such that ${\eta }_{ϵ}({\Lambda }_q^{\perp }(\mathbf{A})){\le ((1/r)}^2+(\parallel \mathbf{e}\parallel /\overline{r}{{)}^2)}^{-1/2}\le r$, the pair

$$(\mathbf{a}=\mathbf{A}\mathbf{r},b={\mathbf{b}}^T\mathbf{r}+\overline{e})$$

where $\mathbf{r}\leftarrow {\mathcal{D}}_{\mathbb{Z},r}^m$, $\overline{e}\leftarrow {\mathcal{D}}_{\mathbb{Z},\tilde{r}}$ is within negligible statistical distance of an $({\mathbb{Z}}_q,n,{\mathcal{D}}_{\mathbb{Z},t})$-$\mathsf{LWE}$ instance where $t^2={(r\parallel \mathbf{e}\parallel )}^2+{\overline{r}}^2$.

The security of our schemes relies upon the so-called the Normal form LWE with an SIS hint (SISnLWE) problem, introduced by Boyen et al. [1].

Definition 7

(Normal-form LWE with an SIS hint—SISnLWE problem). Let λ be the security parameter and define $n=n(\lambda )$, $q=q(\lambda )$, $m=O(nlogq)$. Let $\mathcal{X}$ be a distribution over ${\mathbb{Z}}_q$. The ${\mathsf{SISnLWE}}_{n,m,q,\mathcal{X}}$ problem is a distinguishing task formulated as follows: given the tuple

$$(\mathbf{A},{\mathbf{b}}^T,\mathbf{z},\mathbf{Z}),$$

where $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathbf{b}\in {\mathbb{Z}}_q^m,\mathbf{Z}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathbf{z}=\mathbf{Z}\mathbf{e}modq$, and $\mathbf{e}\leftarrow {\mathcal{X}}^m$, decide whether ${\mathbf{b}}^T={\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}^{T}modq$ for some $\mathbf{s}\sim {\mathcal{X}}^n$ or whether $\mathbf{b}\in {\mathbb{Z}}_q^n$ is drawn uniformly random from ${\mathbb{Z}}_q^n$.

For an adversary $\mathcal{A}$ attempting to solve the ${\mathsf{SISnLWE}}_{n,m,q,\mathcal{X}}$ problem, its distinguishing advantage is denoted by ${\mathsf{Adv}}_{\mathcal{A}}^{{\mathsf{SISnLWE}}_{n,m,q,\mathcal{X}}}(\lambda )$.

Boyen et al. [1] established that ${\mathsf{SISnLWE}}_{n,m,q,\mathcal{X}}$ is computationally as hard as the standard ${\mathsf{LWE}}_{n,m,q,\mathcal{X}}$ problem whenever $m=\mathcal{O}(nlogq)$.

In the security analysis of our IBKEM construction, we rely on a computational version of this assumption, given below.

Definition 8

(Computational SISnLWE problem). Let λ be the security parameter and set $n=n(\lambda )$, $q=q(\lambda )$, $m=m(\lambda )=\mathcal{O}(nlogq)$, and let $\mathcal{X}$ be a noise distribution over ${\mathbb{Z}}_q$. The ${\mathsf{SISnLWE}}_{n,m,q,\mathcal{X}}$ problem provides the adversary with the challenge tuple

$$(\mathbf{A},{\mathbf{b}}^T,\mathbf{z},\mathbf{Z})$$

where $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathbf{Z}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathbf{z}=\mathbf{Z}\mathbf{e}modq$, $\mathbf{e}\leftarrow {\mathcal{X}}^m$ and ${\mathbf{b}}^T={\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}^T(\mathrm{mod}q)\in {\mathbb{Z}}_q^m$, $\mathbf{s}\leftarrow {\mathcal{X}}^n$. The objective is to recover $\mathbf{s}$.

The following lemma will later be used to bound statistical distance terms in our KEM security proof.

Lemma 7

([21]). Let $X_1,X_2,B$ be events in a common probability space such that $X_1\wedge \neg B$ is equivalent to $X_2\wedge \neg B$. Then, $|\mathrm{Pr}[X_1]-\mathrm{Pr}[X_2]|\le \mathrm{Pr}[B]$.

3. CCA2-Secure KEM in the Standard Model

In this section, we revisit the CCA2-secure KEM of Boyen et al. [1] and provide a slight modification with the complete security proof with a change in setting for parameters.

3.1. Parameters

Our KEM scheme involves several parameters, defined as follows.

• Let $\lambda$ be the security parameter and suppose that all parameters are functions of $\lambda$.

• Let $q=q(\lambda )$ denote a large prime modulus, and let $n=n(\lambda )$ represent the number of rows in the public matrix.
• Following [1], the secret key $\mathbf{R}$ is an $m\times (n\lceil logq\rceil )$ matrix. To ensure correctness, their work requires that $m\ge 2n\lceil logq\rceil$. However, in their security proof, the simulator needs to sample a trapdoor $\mathbf{R}$ such that ${\mathbf{R}}^T$ has a left inverse modulo q. This requires $m\le 2n\lceil logq\rceil$, which is not noticed in [1]. Therefore, in our scheme, we set $m=2n\lceil logq\rceil$ and let R be a square matrix of size m.
• $\alpha$ is an error rate with the requirement that $1/\alpha =7·m^{3/2}·\omega (\sqrt{logm})$ is sufficiently large.
• Set $\sigma =\alpha qm·\omega (\sqrt{logm})$ to be a Gaussian parameter.
• Let $\overline{\mathbf{G}}$ be the $n\times m$ matrix obtained by adding $m-n\lceil logq\rceil$ zero columns to the right of the gadget matrix $\mathbf{G}$.
• We use the ${\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}$ problem where we denote by ${\mathcal{D}}_{\mathbb{Z},\alpha q}$ the discrete Gaussian distribution parameterized by $\alpha q$.
• ${\mathcal{D}}_{m\times m}$ is a conditional distribution over ${\mathbb{Z}}^{m\times m}$, defined as ${({\mathcal{D}}_{{\mathbb{Z}}^m,{\sigma }_{\mathbf{R}}})}^m$, such that the resulting matrices are ${\mathbb{Z}}_q$-invertible with ${\sigma }_{\mathbf{R}}=\sqrt{nlogq}·\omega (\sqrt{logm})$.

We also recall the following useful encoding techniques which are essential for both of the KEM and IBKEM constructions:

• $\mathsf{FRD}:{\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$ is a full-rank difference encoding (FRD) introduced in [8] such that every image is an invertible matrix and so is $\mathsf{FRD}(\mathbf{u})-\mathsf{FRD}(\mathbf{v})\in {\mathbb{Z}}_q^{n\times n}$ for all distinct $\mathbf{u},\mathbf{v}\in {\mathbb{Z}}_q^n$.
• $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$ is a hash function that is second-pre-image resistant. Without loss of generality, we assume that an efficiently computable injective encoding exists so that each hash output can be represented as an element of ${\mathbb{Z}}_q^n$.

3.2. Construction

This section presents our Key Encapsulation Mechanism (KEM). It uses the parameters $q,n,m,\alpha ,\sigma$, as described in Section 3.1, and consists of the following three algorithms.

Setup($\lambda$).

Given a security parameter $\lambda$, the algorithm proceeds as follows.

• Choose a second-pre-image resistant hash function $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$.
• Generate a random matrix $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and a trapdoor matrix $\mathbf{R}\leftarrow {\mathcal{D}}_{m\times m}$.
• Define ${\mathbf{A}}_1\leftarrow \mathbf{A}\mathbf{R}$.
• Sample another uniform matrix $\mathbf{U}\leftarrow {\mathbb{Z}}_q^{n\times m}$.
• Output

  $$\mathsf{PK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{U}),\mathsf{SK}=\mathbf{R}.$$

Encap($\mathsf{PK}$).

On inputting the pubic key $\mathsf{PK}$, the encapsulation algorithm works as follows:

• Draw a random key seed $\mathbf{k}\leftarrow {\{0,1\}}^n$.
• Sample noise vectors ${\mathbf{e}}_0\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$, ${\mathbf{e}}_1\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma }^m$.
• Set $\mathbf{s}\leftarrow \mathbf{k}⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ where $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$.
• Compute ${\mathbf{c}}_0^T\leftarrow {\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}_0^T$.
• Compute ${\mathbf{c}}_2\leftarrow \mathbf{U}{\mathbf{e}}_1$ and $\mathbf{t}=\mathsf{H}({\mathbf{c}}_0,{\mathbf{c}}_2)$.
• Compute ${\mathbf{c}}_1^T={\mathbf{s}}^T({\mathbf{A}}_1+\mathsf{FRD}(\mathbf{t})\overline{\mathbf{G}})+{\mathbf{e}}_1^T$.
  (To reduce the ciphertext size, we can set $t=H({\mathbf{c}}_0,{\mathbf{c}}_2)\in {\{0,1\}}^{\lambda }$ and then encode it as an element in ${\mathbb{Z}}_q^n$ prior to being input to $\mathsf{FRD}(·)$).
• Return the ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ and the session key $\mathbf{K}={\mathbf{c}}_2+\mathbf{k}$.

Decap($\mathsf{PK},\mathsf{CT},\mathsf{SK}$).

Given the public key $\mathsf{PK}$, a ciphertext $\mathsf{CT}$, and the secret key $\mathsf{SK}$, the decapsulation procedure proceeds as follows:

• Parse $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$; if the format is invalid, output ⊥.
• Form $\mathbf{F}=[\mathbf{A}|{\mathbf{A}}_1+\mathsf{FRD}(\mathbf{t})\overline{\mathbf{G}}]$, then recover $\mathbf{s},{\mathbf{e}}_0,{\mathbf{e}}_1$ using $\mathsf{Invert}(\mathbf{R},\mathbf{F},[{\mathbf{c}}_0^T|{\mathbf{c}}_1^T])$.
• If either $\parallel {\mathbf{e}}_0\parallel >\alpha q\sqrt{m}$ or $\parallel {\mathbf{e}}_1\parallel >\alpha q{m}^{3/2}·\omega (\sqrt{logm})$, reject and output ⊥.
• Compute $\mathsf{H}({\mathbf{c}}_0,\mathbf{U}{\mathbf{e}}_1)$; if the result differs from $\mathbf{t}$, output ⊥.
• For each coordinate $\mathbf{s}[i]$, determine the corresponding bit $\mathbf{k}[i]\leftarrow 0$ if $\mathbf{s}[i]$ is closer to 0 or $\mathbf{k}[i]\leftarrow 1$ if $\mathbf{s}[i]$ is closer to ${\displaystyle \frac{q}{2}}$.
• If $\parallel \mathbf{s}-\mathbf{k}\parallel \le \alpha q\sqrt{n}$ output $\mathbf{K}={\mathbf{c}}_2+\mathbf{k}$; otherwise, output ⊥.

3.3. Correctness

We follow the work of Boyen [1] to prove the correctness of the KEM scheme. During the decapsulation process, the algorithm $\mathsf{Invert}(\mathbf{R},\mathbf{F},[{\mathbf{c}}_0^T|{\mathbf{c}}_1^T])$ must successfully output $\mathbf{s}$ with overwhelming probability. According to Lemma 1, we obtain $\parallel {\mathbf{e}}_0\parallel \le \alpha q\sqrt{m}$, $\parallel {\mathbf{e}}_1\parallel \le \sigma \sqrt{m}$, $\parallel \mathbf{R}\parallel \le {\sigma }_{\mathbf{R}}\sqrt{m}={\displaystyle \frac{1}{\sqrt{2}}}m·\omega (\sqrt{logm})$ with overwhelming probability. By Lemma 5, we obtain

$$\begin{array}{cc}\hfill \parallel {\mathbf{e}}_1^T-{\mathbf{e}}_0^T{\mathbf{R}\parallel }_{\infty }& \le \parallel {\mathbf{e}}_1^T-{\mathbf{e}}_0^T\mathbf{R}\parallel \le \parallel {\mathbf{e}}_1^T\parallel +\parallel {\mathbf{e}}_0^T\parallel \dot{\parallel }\mathbf{R}\parallel \hfill \\ \hfill & \le \sigma \sqrt{m}+(\alpha q\sqrt{m})\left({\displaystyle \frac{1}{\sqrt{2}}}m·\omega (\sqrt{logm})\right)\hfill \\ \hfill & \le \alpha q·m^{3/2}·\omega (\sqrt{logm})+{\displaystyle \frac{1}{\sqrt{2}}}\alpha q·m^{3/2}·\omega (\sqrt{logm})\hfill \\ \hfill & \le (1+{\displaystyle \frac{1}{\sqrt{2}}})\alpha q·m^{3/2}·\omega (\sqrt{logm})\hfill \end{array}$$

Therefore, for a large enough $1/\alpha =7·m^{3/2}·\omega (\sqrt{logm})$, we have ${\displaystyle \parallel {\mathbf{e}}_1^T-{\mathbf{e}}_0^T{\mathbf{R}\parallel }_{\infty }\le \frac{q}{4}}$, and the algorithm $\mathsf{Invert}(\mathbf{R},\mathbf{F},[{\mathbf{c}}_0^T|{\mathbf{c}}_1^T])$ correctly returns ${\mathbf{e}}_0,{\mathbf{e}}_1,\mathbf{s}$. Finally, as $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$, we have ${\displaystyle \parallel \overline{\mathbf{s}}{\parallel }_{\infty }\le \frac{q}{4}}$, which means, for each $i\in \{1,\dots ,n\}$, ${\displaystyle |\overline{\mathbf{s}}[i]|\le \frac{q}{4}}$, that the $\mathsf{Decap}$ algorithm can output $\mathbf{k}$ from $\mathbf{s}=\mathbf{k}⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ in step (5) and return the session key $\mathsf{K}={\mathbf{c}}_2+\mathbf{k}$ with overwhelming probability.

3.4. Security Analysis

We now establish that our proposed KEM construction attains IND-CCA2 security under standard lattice assumptions.

Theorem 2.

Let $\Pi :=(\mathsf{Setup},\mathsf{Encap},\mathsf{Decap})$ denote our KEM with parameters $(q,n,m,\alpha ,\sigma )$. Assume that $\mathsf{H}$ is a second-pre-image collision resistant hash function and ${\mathsf{SIS}}_{n,q,\beta }$, ${\mathsf{SVP}}_{n,m,q,\tau }$, ${\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}$ problems are computationally hard. Then, for any probabilistic polynomial-time adversary $\mathcal{A}$ that can win the IND-CCA2 experiment with advantage ϵ, there exist algorithms ${\mathcal{B}}_1,{\mathcal{B}}_2,{\mathcal{B}}_3$, and ${\mathcal{B}}_4$ such that

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\le {\mathsf{Adv}}_{{\mathcal{B}}_2}^{{\mathsf{SIS}}_{n,q,\beta }}(\lambda )+{\mathsf{Adv}}_{{\mathcal{B}}_3}^{{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}(\lambda )+\mathsf{negl}(\lambda ).\end{array}$$

Proof. 

To argue the theorem, we employ a standard game-hopping technique. Starting from the original IND-CCA2 experiment (Game 0), we progressively transform the challenger’s behavior while ensuring that the adversary’s distinguishing advantage changes only negligibly between consecutive games. Let $S_i$ denote the event that the adversary $\mathcal{A}$ win Game i. □

Game 0.

This initial game matches the standard selective IND-CCA2 experiment between adversary $\mathcal{A}$ and challenger $\mathcal{B}$. The challenger runs KeyGen($\lambda$) to obtain a public/secret key pair $(\mathsf{PK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{U}),\mathsf{SK})$, and forward $\mathsf{PK}$ to $\mathcal{A}$. It chooses uniformly random ${\mathbf{k}}_1,\overline{\mathbf{s}}\leftarrow {\{0,1\}}^n$ and sets ${\mathbf{s}}^{*}\leftarrow {\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$. $\mathcal{B}$ computes the challenge ciphertext ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$:

$${{\mathbf{c}}_0^{*}}^T={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T,{{\mathbf{c}}_1^{*}}^T={{\mathbf{s}}^{*}}^T({\mathbf{A}}_1+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}})+{{\mathbf{e}}_1^{*}}^T,{\mathbf{t}}^{*}=\mathsf{H}({{\mathbf{c}}_0}^{*},{{\mathbf{c}}_2}^{*})$$

where ${\mathbf{c}}_2^{*}=\mathbf{U}{\mathbf{e}}_1^{*}$, together with a valid session key ${\mathsf{K}}_1^{*}={\mathbf{c}}_2+{\mathbf{k}}_1$ and a random session key ${\mathsf{K}}_0^{*}$. A random bit $b\leftarrow {\{0,1\}}^n$ is selected and $({\mathsf{CT}}^{*},{\mathsf{K}}_b^{*})$ is sent to $\mathcal{A}$. The challenger $\mathcal{B}$ subsequently answers the decapsulation queries by invoking the genuine decapsulation procedure. The adversary $\mathcal{A}$ outputs a bit $b^{\prime }$ and wins the game if $b^{\prime }=b$. This completes the description of Game 0, which coincides with the real IND-CCA2 attack experiment:

$${\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}=\left|\mathrm{Pr}[S_0]-{\displaystyle \frac{1}{2}}\right|=\left|\mathrm{Pr}[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.$$

Game 1.

Let $E_1$ denote the event that the adversary $\mathcal{A}$ asks the decapsulation oracle ${\mathcal{O}}_{\mathsf{Decap}}$ to decap $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ with ${\mathbf{c}}_0={\mathbf{c}}_0^{*},{\mathbf{c}}_1={\mathbf{c}}_1^{*}$. Game 1 is the same as Game 0 unless the decapsulation oracle ${\mathcal{O}}_{\mathsf{Decap}}$ rejects if the event $E_1$ happens.

Assume that event $E_1$ happens, then the corresponding errors ${\mathbf{e}}_0,{\mathbf{e}}_1$ in the valid ciphertext $\mathsf{CT}$ must satisfy ${\mathbf{e}}_0={\mathbf{e}}_0^{*},{\mathbf{e}}_1={\mathbf{e}}_1^{*}$ w.h.p., and thus $\mathbf{t}=\mathsf{H}({\mathbf{c}}_0,\mathbf{U}{\mathbf{e}}_1)=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{e}}_1^{*})={\mathbf{t}}^{*}$ w.h.p. However, as $\mathsf{CT}\ne {\mathsf{CT}}^{*}$ and ${\mathbf{c}}_0={\mathbf{c}}_0^{*},{\mathbf{c}}_1={\mathbf{c}}_1^{*}$, one has $\mathbf{t}\ne {\mathbf{t}}^{*}$. This implies that the probability that $E_1$ happens is negligible, i.e., $\mathrm{Pr}[E_1]\le \mathsf{negl}(\lambda )$. We note that Game 0 is similar to Game 1 except that $E_1$ happens. This implies that Game 0 and Game 1 differ in the adversary’s view only up to a negligible distance.

$$|\mathrm{Pr}[S_1]-\mathrm{Pr}[S_0]|\le \mathrm{Pr}[E_1]\le \mathsf{negl}(\lambda ).$$

Game 2.

Game 2 is the same as Game 1 except in the case that ${\mathcal{O}}_{\mathsf{Decap}}$ does not accept $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ with $\mathbf{t}={\mathbf{t}}^{*}$.

Denote by $E_2$ the event that $\mathcal{A}$ outputs $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ where $\mathbf{t}={\mathbf{t}}^{*}$. Assume that $E_2$ happens. Then, we have $\mathsf{H}({\mathbf{c}}_0,{\mathbf{c}}_2)=\mathsf{H}({\mathbf{c}}_0^{*},{\mathbf{c}}_2^{*})$. As $\mathsf{H}$ is collision resistant under pre-image $({\mathbf{c}}_0^{*},{\mathbf{c}}_2^{*})$, we obtain ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$ and ${\mathbf{c}}_2={\mathbf{c}}_2^{*}$ w.h.p. As $\mathsf{CT}$ is valid, $\mathsf{CT}\ne {\mathsf{CT}}^{*}$, and $\mathbf{t}={\mathbf{t}}^{*}$, we deduce that ${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$ w.h.p.

Assume that the decapsulation query is a valid ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,{\mathbf{t}}^{*})$ where ${\mathbf{c}}_0^T={\mathbf{s}}^T\mathbf{A}+{{\mathbf{e}}_0}^T={{\mathbf{c}}_0^{*}}^T$, ${{\mathbf{c}}_1}^T={\mathbf{s}}^T({\mathbf{A}}_1+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}})+{{\mathbf{e}}_1}^T\ne {{\mathbf{c}}_1^{*}}^T$ with the corresponding errors ${\mathbf{e}}_0,{\mathbf{e}}_1$. Then, challenger $\mathcal{B}$ can use its trapdoor and run a decapsulation algorithm to recover ${\mathbf{e}}_0,{\mathbf{e}}_1,\mathbf{s}$.

• Consider the case that ${\mathbf{e}}_1\ne {\mathbf{e}}_1^{*}$. As ${\mathbf{c}}_2={\mathbf{c}}_2^{*}$, we have $\mathbf{U}{\mathbf{e}}_1=\mathbf{U}{\mathbf{e}}_1^{*}$. Then, challenger $\mathcal{B}$ is able to find $\mathbf{e}={\mathbf{e}}_1-{\mathbf{e}}_1^{*}\ne \mathbf{0}$ as a solution for the SIS problem. Therefore, such a case happens with negligible probability. One has

  $$\begin{array}{cc}\hfill \parallel \mathbf{e}\parallel & \le \parallel {\mathbf{e}}_1-{\mathbf{e}}_1^{*}\parallel \le 2\sigma \sqrt{m}\hfill \\ \hfill & \le 2\alpha qm·\omega (\sqrt{logm})·\sqrt{m}\hfill \\ \hfill & \le 2m^{3/2}\alpha q·\omega (\sqrt{logm})=\beta .\hfill \end{array}$$
• If ${\mathbf{e}}_1={\mathbf{e}}_1^{*}$, then, as ${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$, we have $\mathbf{s}\ne {\mathbf{s}}^{*}$. As ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$, we have ${{\mathbf{c}}_0}^T={\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}_0^T={{\mathbf{c}}_0^{*}}^T$. This implies that ${(\mathbf{s}-{\mathbf{s}}^{*})}^T\mathbf{A}={({\mathbf{e}}_0^{*}-{\mathbf{e}}_0)}^T$. By Lemma 5.3 in [18], it happens with negligible probability.

In short, as Game 2 is the same as Game 1 except in the case that $E_2$ happens, we have

$$|\mathrm{Pr}[S_2]-\mathrm{Pr}[S_1]|\le \mathrm{Pr}[E_2]\le {\mathsf{Adv}}_{{\mathcal{B}}_2}^{{\mathsf{SIS}}_{n,q,\beta }}(\lambda )+\mathsf{negl}(\lambda ).$$

Game 3.

Game 3 is similar to Game 2 except that we modify the way that the public parameters $\mathsf{PK}$ are generated and the way the challenge ciphertext ${\mathsf{CT}}^{*}$ is constructed, as follows:

• Select $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$ to be a hash function.
• Sample $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and $\mathbf{Z}\leftarrow {\mathbb{Z}}_q^{n\times m}$.
• Sample ${\mathbf{R}}^T\leftarrow {\mathcal{D}}_{m\times m}$ of rank m. Find ${({\mathbf{R}}^T)}^{-1}\in {\mathbb{Z}}^{m\times m}$ such that ${({\mathbf{R}}^T)}^{-1}{\mathbf{R}}^T={\mathbf{I}}_m$. According to the definition of the distribution ${\mathcal{D}}_{m\times m}$, sampling such matrix $\mathbf{R}$ is successful with a high probability.
• Choose $\mathbf{U}\leftarrow \mathbf{Z}{({\mathbf{R}}^T)}^{-1}$.
• Choose ${{\mathbf{e}}_0}^{*}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$, $\mathbf{v}\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma /\sqrt{2}}^m$ and set ${{\mathbf{e}}_1^{*}}^T\leftarrow {{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$.
• Compute ${\mathbf{c}}_2^{*}\leftarrow \mathbf{Z}{\mathbf{e}}_0^{*}+\mathbf{U}\mathbf{v}=\mathbf{U}{\mathbf{e}}_1^{*}$.
• Choose ${\mathbf{k}}_1\leftarrow {\{0,1\}}^n$, $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$ and set ${\mathbf{s}}^{*}\leftarrow {\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$.
• Compute ${{\mathbf{c}}_0^{*}}^T\leftarrow {{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T$, ${\mathbf{t}}^{*}=H({{\mathbf{c}}_0}^{*},{{\mathbf{c}}_2}^{*})$ and ${{\mathbf{c}}_1^{*}}^T\leftarrow {{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$.
• Set ${\mathbf{A}}_1\leftarrow \mathbf{A}\mathbf{R}-\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}$.
• Set the public key $\mathsf{PK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{U})$, secret key $\mathsf{SK}=\mathbf{R}$, challenge ciphertext ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$, and the valid session key ${\mathsf{K}}_1^{*}={\mathbf{c}}_2^{*}+{\mathbf{k}}_1^{*}$.

Challenger $\mathcal{B}$ sends $\mathcal{A}$$\mathsf{PK}$, $\mathsf{H}$, and ${\mathsf{CT}}^{*}$ together with the session key ${\mathsf{K}}_b^{*}$.

Here, to respond to the decapsulation queries, the challenger in Game 3 computes

$$\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+(\mathsf{FRD}(\mathbf{t})-\mathsf{FRD}({\mathbf{t}}^{*}))\overline{\mathbf{G}}].$$

Note that ${\mathcal{O}}_{\mathsf{Decap}}$ rejects any $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ if $\mathbf{t}={\mathbf{t}}^{*}$. If $\mathbf{t}\ne {\mathbf{t}}^{*}$, then $\mathsf{FRD}(\mathbf{t})-\mathsf{FRD}({\mathbf{t}}^{*})$ is an invertible matrix so $\mathbf{R}$ is still a $\mathbf{G}$-trapdoor for $\mathbf{F}$, which enables the decapsulation oracle to provide answers to queries.

Note that $\mathbf{A}$ and $\mathsf{H}$ are correctly distributed as in the previous game. As ${\mathbf{R}}^T\leftarrow {\mathcal{D}}_{m\times m}$, by Lemma 3, in $\mathcal{A}$’s view, ${\mathbf{A}}_1=\mathbf{A}\mathbf{R}-\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}$ in Game 3 and ${\mathbf{A}}_1$ in Game 2 are statistically close as well as statistically close to uniform over ${\mathbb{Z}}_q^{n\times m}$. In addition, $\mathbf{Z}$ is sampled uniformly at random in ${\mathbb{Z}}_q^{n\times m}$, and we obtain that $\mathbf{U}=\mathbf{Z}{({\mathbf{R}}^T)}^{-1}$ is uniformly random in ${\mathbb{Z}}_q^{n\times m}$ as in Game 2. Thus, the public parameters in Game 3 and Game 2 are indistinguishable.

In this game, ${\mathbf{c}}_0^{*}={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T$ is correctly distributed. Moreover, according to Theorem 1, ${{\mathbf{e}}_1^{*}}^T={{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$ is statistically close to ${\mathcal{D}}_{\mathbb{Z},\sigma }^m$ where $\sigma$. ${\mathbf{c}}_1^{*}$ defined in step (8) above also satisfies

$$\begin{array}{cc}\hfill {{\mathbf{c}}_1^{*}}^T& ={{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T=({{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T)\mathbf{R}+{\mathbf{v}}^T\hfill \\ \hfill & ={{\mathbf{s}}^{*}}^T\mathbf{A}\mathbf{R}+{{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T={{\mathbf{s}}^{*}}^T({\mathbf{A}}_1+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}})+{{\mathbf{e}}_1^{*}}^T.\hfill \end{array}$$

Moreover, we have

$$\begin{array}{cc}\hfill {\mathbf{t}}^{*}& =\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{Z}{\mathbf{e}}_0^{*}+\mathbf{U}\mathbf{v})=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{R}}^T{\mathbf{e}}_0^{*}+\mathbf{U}\mathbf{v})=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{e}}_1^{*}).\hfill \end{array}$$

Therefore, ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$ in Game 3 is correctly distributed as in the previous game.

Hence, in $\mathcal{A}$’s view, Game 3 and Game 2 are indistinguishable.

$$|\mathrm{Pr}[S_3]-\mathrm{Pr}[S_2]|\le \mathsf{negl}(\lambda ).$$

Game 4.

Game 4 is similar to Game 3 unless both session key ${\mathsf{K}}_0^{*}$ and ${\mathsf{K}}_1^{*}$ are sampled uniformly at random. In this case, $\mathcal{A}$ does not have any advantage, i.e.,

$$\mathrm{Pr}[S_4]={\displaystyle \frac{1}{2}}.$$

We need to show that distinguishing between Game 4 and Game 3 is reduced to solving the ${\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}$ problem.

Suppose $\mathcal{A}$ can distinguish between Games 4 and Game 3 with non-negligible probability. We will construct an algorithm $\mathcal{B}$ to solve the SISnLWE problem.

Recall from Definition 8 that an SISnLWE problem instance provides its challenge $(\mathbf{A},{\mathbf{b}}^T,\mathbf{z}=\mathbf{Z}{\mathbf{e}}_{0}modq,\mathbf{Z})$ where $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathbf{b}\in {\mathbb{Z}}_q^m,\mathbf{Z}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and ${\mathbf{e}}_0\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$ and asks if there is a vector $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$ such that ${\mathbf{b}}^T={\overline{\mathbf{s}}}^T\mathbf{A}+{\mathbf{e}}_0^T$ or if $\mathbf{b}\in {\mathbb{Z}}_q^n$ is random. The challenger $\mathcal{B}$ utilizes $\mathcal{A}$ and proceeds as follows:

• Select a hash function $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$.
• Set $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ from the SISnLWE challenge.
• Sample $\mathbf{R}\leftarrow {\mathcal{D}}_{m\times m}$ and find ${({\mathbf{R}}^T)}^{-1}\in {\mathbb{Z}}^{m\times m}$ such that ${({\mathbf{R}}^T)}^{-1}{\mathbf{R}}^T={\mathbf{I}}_m$.
• Set $\mathbf{U}\leftarrow \mathbf{Z}{({\mathbf{R}}^T)}^{-1}$ so that $\mathbf{Z}=\mathbf{U}{\mathbf{R}}^T$.
• Sample $\mathbf{v}\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma /\sqrt{2}}^m$.
• Set ${\mathbf{c}}_2^{*}\leftarrow \mathbf{z}+\mathbf{U}\mathbf{v}$ with $\mathbf{z}\in {\mathbb{Z}}_q^n$ from the challenge.
• Select ${\mathbf{k}}_0,{\mathbf{k}}_1\leftarrow {\{0,1\}}^n$ and set ${{\mathbf{c}}_0^{*}}^T\leftarrow {\left({\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋\right)}^T\mathbf{A}+{\mathbf{b}}^T$.
• Define ${\mathbf{t}}^{*}=\mathsf{H}({{\mathbf{c}}_0}^{*},{{\mathbf{c}}_2}^{*})$ and ${{\mathbf{c}}_1^{*}}^T\leftarrow {{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$.
• Set ${\mathbf{A}}_1\leftarrow \mathbf{A}\mathbf{R}-\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}$.
• Set $\mathsf{PK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{U},\mathsf{H})$, $\mathsf{SK}=\mathbf{R}$, ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$. Set ${\mathsf{K}}_1^{*}={\mathbf{c}}_2^{*}+{\mathbf{k}}_1$ and choose a random session key ${\mathsf{K}}_0^{*}$ in the key space.
• Return $\mathsf{MPK}$, ${\mathsf{CT}}^{*}$, and ${\mathsf{K}}_b^{*}$ with $b\leftarrow \{0,1\}$ and keep $\mathsf{MSK}$ secret.
• The challenger $\mathcal{B}$ answer ${\mathcal{O}}_{\mathsf{Extract}}$ and ${\mathcal{O}}_{\mathsf{Decap}}$ as in the previous game.

When the SISnLWE oracle is pseudorandom, meaning that ${\mathbf{b}}^T={\overline{\mathbf{s}}}^T\mathbf{A}+{\mathbf{e}}_0^T$, we have

$$\begin{array}{cc}\hfill {{\mathbf{c}}_0^{*}}^T& ={\left({\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋\right)}^T\mathbf{A}+{\mathbf{b}}^T={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0}^T\hfill \\ \hfill {{\mathbf{c}}_1^{*}}^T& ={{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T={{\mathbf{s}}^{*}}^T\mathbf{A}\mathbf{R}+{{\mathbf{e}}_0}^T\mathbf{R}+{\mathbf{v}}^T\hfill \\ \hfill & ={{\mathbf{s}}^{*}}^T({\mathbf{A}}_1+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}})+{{\mathbf{e}}_1^{*}}^T\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\mathbf{t}}^{*}& =H({\mathbf{c}}_0^{*},\mathbf{z}+\mathbf{U}\mathbf{v})=H({\mathbf{c}}_0^{*},\mathbf{Z}{\mathbf{e}}_0+\mathbf{U}\mathbf{v})=H({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{e}}_1^{*}).\hfill \end{array}$$

where ${\mathbf{s}}^{*}={\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ and ${{\mathbf{e}}_1^{*}}^T={\mathbf{e}}_0^T\mathbf{R}+{\mathbf{v}}^T$. Therefore, ${\mathsf{CT}}^{*}$ is distributed exactly as in Game 3.

When the SISnLWE oracle is random, we have that $\mathbf{b}$ is uniform in ${\mathbb{Z}}_q^n$. Thus, ${\mathbf{c}}_0^{*}$ in step (7) and ${\mathbf{c}}_2$ in step (6) above are uniform in ${\mathbb{Z}}_q^n$. In particular, the challenge session keys ${\mathsf{K}}_0^{*},{\mathsf{K}}_1^{*}$ are uniform and do not depend on ${\mathsf{CT}}^{*}$ as in Game 4. Hence, $\mathcal{B}$’s advantage in solving the SISnLWE problem is the same as $\mathcal{A}$’s advantage in distinguishing Game 3 and Game 4, i.e.,

$$|\mathrm{Pr}[S_4]-\mathrm{Pr}[S_3]|\le {\mathsf{Adv}}_{{\mathcal{B}}_4}^{{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}(\lambda )+\mathsf{negl}(\lambda ).$$

From the above, one has

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\le {\mathsf{Adv}}_{{\mathcal{B}}_2}^{{\mathsf{SIS}}_{n,q,\beta }}(\lambda )+{\mathsf{Adv}}_{{\mathcal{B}}_3}^{{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}(\lambda )+\mathsf{negl}(\lambda ).\end{array}$$

This completes the proof.

4. CCA2-Secure IBKEM in the Standard Model

This section introduces an IBKEM scheme obtained from our KEM scheme, and provides its IND-sID-CCA2 security proof in the standard model. We have to deal with more cases than in KEM’s security proof because of the appearance of identities in the queries of the adversary.

4.1. Parameters

The IBKEM involves several parameters, which are functions of the security parameter $\lambda$.

• Let $q=q(\lambda )$ be prime, $n=n(\lambda )\in \mathbb{Z}$ be positive, and set $m=2n\lceil logq\rceil$.
• Let $\mathbf{G}\in {\mathbb{Z}}_q^{n\times n\lceil logq\rceil }$ be the gadget matrix and $\overline{\mathbf{G}}$ be the $n\times m$ matrix obtained by adding $m-n\lceil logq\rceil$ zero columns to the right of $\mathbf{G}$.
• $\alpha$ is an error rate for LWE such that $1/\alpha =\omega (m^3·{(logm)}^{3/2})$.
• We use the ${\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}$ problem.
• ${\mathcal{D}}_{m\times m}$ is a distribution on ${\mathbb{Z}}^{m\times m}$ defined as ${({\mathcal{D}}_{{\mathbb{Z}}^m,{\sigma }_{\mathbf{R}}})}^m$ conditioned on the resulting matrix being ${\mathbb{Z}}_q$-invertible where ${\sigma }_{\mathbf{R}}=\sqrt{nlogq}·\omega (\sqrt{logm})$.
• $\sigma =\alpha qm·\omega (\sqrt{logm})$ is a Gaussian parameter.
• $s=\sqrt{5}·{\sigma }_R·\mathcal{O}(\sqrt{m})·\omega (\sqrt{log2m})$.

4.2. Construction

This section describes the proposed IBKEM with parameters $q,n,m,\omega ,\alpha ,\sigma ,s$ specified as in Section 4.1. Our IBKEM construction is as follows:

Setup($\lambda$).

On input security parameter $\lambda$, it proceeds as follows:

• Choose a second-pre-image collision resistant hash function $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$.
• Select uniformly random matrices $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and $\mathbf{R}\leftarrow {\mathcal{D}}_{m\times m}$.
• Set ${\mathbf{A}}_1\leftarrow \mathbf{A}\mathbf{R}\in {\mathbb{Z}}_q^{n\times m}$.
• Sample uniformly random matrices $\mathbf{C}\leftarrow {\mathbb{Z}}_q^{n\times m}$, $\mathbf{U}\leftarrow {\mathbb{Z}}_q^{n\times 2m}$.
• Return the master key pair

  $$(\mathsf{MPK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{C},\mathbf{U},\mathsf{H}),\mathsf{MSK}=\mathbf{R}).$$

Extract($\mathsf{MPK},\mathsf{MSK},\mathsf{id}$).

On inputting the master pubic key $\mathsf{MPK}$, the master secret key $\mathsf{MSK}$, and an identity $\mathsf{id}\in {\mathbb{Z}}_q^{n\times m}$, the algorithm proceeds as follows:

• Compute ${\mathbf{F}}_{\mathsf{id}}=[\mathbf{A}|{\mathbf{A}}_1+\mathsf{FRD}(\mathsf{id})\overline{\mathbf{G}}]\in {\mathbb{Z}}_q^{n\times 2m}$.
• Sample ${\mathbf{T}}_{\mathsf{id}}\leftarrow \mathsf{SamplePre}(\mathbf{R},{\mathbf{F}}_{\mathsf{id}},\mathsf{FRD}(\mathsf{id}),\mathbf{C},s)\in {\mathbb{Z}}_q^{2m\times m}$ s.t. ${\mathbf{F}}_{\mathsf{id}}{\mathbf{T}}_{\mathsf{id}}=\mathbf{C}$.
• Return secret key ${\mathsf{SK}}_{\mathsf{id}}={\mathbf{T}}_{\mathsf{id}}$.

Encap($\mathsf{MPK},\mathsf{id}$).

On inputting the master pubic key $\mathsf{MPK}$ and an identity $\mathsf{id}$, the algorithm proceeds as follows:

• Sample $\mathbf{k}\leftarrow {\{0,1\}}^n$.
• Sample noise vectors ${\mathbf{e}}_0\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$, ${\mathbf{e}}_1\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma }^{2m}$.
• Set $\mathbf{s}\leftarrow \mathbf{k}⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ where $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$.
• Compute ${\mathbf{c}}_0^T\leftarrow {\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}_0^T\in {\mathbb{Z}}_q^m$.
• Compute ${\mathbf{c}}_2\leftarrow \mathbf{U}{\mathbf{e}}_1\in {\mathbb{Z}}_q^n$ and $\mathbf{t}=\mathsf{H}({\mathbf{c}}_0,{\mathbf{c}}_2)$.
• Compute ${\mathbf{c}}_1^T={\mathbf{s}}^T[{\mathbf{A}}_1+\mathsf{FRD}(\mathsf{id})\overline{\mathbf{G}}|\mathbf{C}+\mathsf{FRD}(\mathbf{t})\overline{\mathbf{G}}]+{\mathbf{e}}_1^T\in {\mathbb{Z}}_q^{2m}$.
• Return $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ and the session key $\mathbf{K}={\mathbf{c}}_2+\mathbf{k}$.

Decap($\mathsf{MPK},\mathsf{CT},{\mathsf{SK}}_{\mathsf{id}}$).

On inputting $\mathsf{MPK}$, it uses ${\mathsf{SK}}_{\mathsf{id}}$ to decap $\mathsf{CT}$ as follows:

• Parse $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$; output ⊥ if $\mathsf{CT}$ does not parse.
• Set ${\mathbf{F}}_{\mathsf{id}}^{\prime }=[{\mathbf{F}}_{\mathsf{id}}|\mathbf{C}+\mathsf{FRD}(\mathbf{t})\overline{\mathbf{G}}]=[\mathbf{A}|{\mathbf{A}}_1+\mathsf{FRD}(\mathsf{id})\overline{\mathbf{G}}|\mathbf{C}+\mathsf{FRD}(\mathbf{t})\overline{\mathbf{G}}]\in {\mathbb{Z}}_q^{n\times 3m}$ and recover $\mathbf{s},{\mathbf{e}}_0,{\mathbf{e}}_1$ via $\mathsf{Invert}({\mathbf{T}}_{\mathsf{id}},{\mathbf{F}}_{\mathsf{id}}^{\prime },[{\mathbf{c}}_0^T|{\mathbf{c}}_1^T])$.
• If $\parallel {\mathbf{e}}_0\parallel >\alpha q\sqrt{m}$ or $\parallel {\mathbf{e}}_1\parallel >\sigma \sqrt{2m}$, output ⊥.
• If $H({\mathbf{c}}_0,\mathbf{U}{\mathbf{e}}_1)\ne \mathbf{t}$, output ⊥.
• Set $\mathbf{k}[i]\leftarrow 0$ if the i-th coordinate $\mathbf{s}[i]$ of $\mathbf{s}$ is closer to 0 or $\mathbf{k}[i]\leftarrow 1$ if $\mathbf{s}[i]$ is closer to ${\displaystyle \frac{q}{2}}$.
• If $\parallel \mathbf{s}-\mathbf{k}\parallel \le \alpha q\sqrt{n}$ then return the session key $\mathbf{K}=\mathbf{U}{\mathbf{e}}_1+\mathbf{k}$; otherwise, return ⊥.

4.3. Correctness

Following the procedure of the scheme described above, during decryption of $\mathsf{CT}$ encapsulated a session key $\mathsf{K}$ for an identity $\mathsf{id}$, we have that the algorithm $\mathsf{Invert}({\mathbf{T}}_{\mathsf{id}},{\mathbf{F}}_{\mathsf{id}}^{\prime },[{\mathbf{c}}_0^T|{\mathbf{c}}_1^T])$ will recover $\mathbf{s},{\mathbf{e}}_0,{\mathbf{e}}_1$ with overwhelming probability. As ${\mathbf{e}}_0\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$, ${\mathbf{e}}_1\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma }^{2m}$, where $\sigma =\alpha qm·\omega (\sqrt{logm})$ and ${\mathbf{T}}_{\mathsf{id}}$ has the distribution ${\mathcal{D}}_{\mathbb{Z},s}^{2m\times m}$, according to Lemma 1, we have $\parallel {\mathbf{e}}_0\parallel \le \alpha q\sqrt{m}$, $\parallel {\mathbf{e}}_1\parallel \le \sigma \sqrt{2m}$, $\parallel {\mathbf{T}}_{\mathsf{id}}\parallel \le s\sqrt{2m}$ except with a negligible probability. Let ${\mathbf{e}}_1=[{\mathbf{e}}_{1,1}|{\mathbf{e}}_{1,2}]$, and by Lemma 5, we obtain

$$\begin{array}{cc}\hfill \parallel {\mathbf{e}}_{1,2}^T-([{\mathbf{e}}_0^T|{\mathbf{e}}_{1,1}^T]){\mathbf{T}}_{\mathsf{id}}{\parallel }_{\infty }& \le \parallel {\mathbf{e}}_{1,2}^T-([{\mathbf{e}}_0^T|{\mathbf{e}}_{1,1}^T]){\mathbf{T}}_{\mathsf{id}}\parallel \le \parallel {\mathbf{e}}_{1,2}^T\parallel +(\parallel {\mathbf{e}}_{1,1}^T\parallel +\parallel {\mathbf{e}}_0^T\parallel )\parallel {\mathbf{T}}_{\mathsf{id}}\parallel \hfill \\ \hfill & \le \sigma \sqrt{m}+(\sigma \sqrt{m}+\alpha q\sqrt{m})·s\sqrt{2m}·\hfill \\ \hfill & \le \alpha q·\omega (m^3{(logm)}^{3/2}).\hfill \end{array}$$

Therefore, for a large enough $1/\alpha =4\omega (m^3·{(logm)}^{3/2})$, the algorithm $\mathsf{Invert}({\mathbf{T}}_{\mathsf{id}},\mathbf{F},$$[{\mathbf{c}}_0^T|{\mathbf{c}}_1^T])$ correctly returns ${\mathbf{e}}_0,{\mathbf{e}}_1,\mathbf{s}$. Finally, as $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$, we obtain ${\displaystyle \parallel \overline{\mathbf{s}}{\parallel }_{\infty }\le \frac{q}{4}}$, which means that for each $i=1,\dots ,n$, we have ${\displaystyle |\overline{\mathbf{s}}[i]|<\frac{q}{4}}$. Thus, we obtain $\mathbf{k}$ from $\mathbf{s}=\mathbf{k}⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ in step (5) of the $\mathsf{Decap}$ algorithm and return $\mathsf{K}={\mathbf{c}}_2+\mathbf{k}$ with overwhelming probability.

4.4. Security Analysis

In this section, we prove that our proposed scheme is $\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}$ secure against an adaptive adversary $\mathcal{A}$ (cf. Theorem 3).

Theorem 3.

The IBKEM scheme$\Pi :=(\mathsf{Setup},\mathsf{Extract},\mathsf{Encap},\mathsf{Decap})$ with parameters $(q,n,m,$$\alpha ,\sigma ,s)$ achieves $\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}$ security with conditions that H is a second-pre-image collision resistant hash function $\mathsf{H}$, and ${\mathsf{SIS}}_{n,q,\beta }$, ${\mathsf{SVP}}_{n,m,q,\tau }$, and ${\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}$ are hard. In particular, if there exists an adversary$\mathcal{A}$ against the$\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}$ game with advantage ϵ, then there are some adversaries $\mathcal{C},\mathcal{B}$, ^and ${\mathcal{B}}^{\prime }$ such that

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}}\le {\mathsf{Adv}}_{\mathcal{C}}^{{\mathsf{SIS}}_{n,q,\beta }}(\lambda )+{\mathsf{Adv}}_{\mathcal{B}}^{{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}(\lambda )+{\mathsf{Adv}}_{{\mathcal{B}}^{\prime }}^{C{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}+\mathsf{negl}(\lambda ).\end{array}$$

Proof. 

We will proceed in a sequence of games to prove the security where Game 0 is the original game and $\mathcal{A}$ has no advantage in winning the game in the last game. Let $S_i$ denote the event that the adversary $\mathcal{A}$ wins Game i. □

Game 0.

It is the selectively $\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}$ security game between $\mathcal{A}$ and an $\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}$ challenger.

After receiving the challenge identity ${\mathsf{id}}^{*}$ from $\mathcal{A}$, the challenger $\mathcal{C}$ operates $\mathsf{Setup}(\lambda )$ to generate $\mathsf{MPK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{C},\mathbf{U},\mathsf{H})$ and $\mathsf{MSK}=\mathbf{R}$. Then, $\mathcal{C}$ sends $\mathsf{MPK}$ through to $\mathcal{A}$, keeps $\mathsf{MSK}$ secret, chooses uniformly random ${\mathbf{k}}_1\leftarrow {\{0,1\}}^n$, $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\alpha q}^n$, and sets ${\mathbf{s}}^{*}\leftarrow {\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$. It then computes the challenge ciphertext ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$:

$${{\mathbf{c}}_0^{*}}^T={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T,{{\mathbf{c}}_1^{*}}^T={{\mathbf{s}}^{*}}^T[{\mathbf{A}}_1+\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}|\mathbf{C}+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}]+{{\mathbf{e}}_1^{*}}^T,{\mathbf{t}}^{*}=\mathsf{H}({{\mathbf{c}}_0}^{*},{{\mathbf{c}}_2}^{*})$$

where ${\mathbf{c}}_2^{*}=\mathbf{U}{\mathbf{e}}_1^{*}$, together with a valid session key ${\mathsf{K}}_1^{*}={\mathbf{c}}_2^{*}+{\mathbf{k}}_1$, and samples a random session key ${\mathsf{K}}_0^{*}$ from the key space $\mathcal{K}$. Finally, $\mathcal{C}$ picks a random bit $b\leftarrow {\{0,1\}}^n$ and sends the pair $({\mathsf{CT}}^{*},{\mathsf{K}}_b^{*})$ through to the adversary $\mathcal{A}$.

The challenger $\mathcal{C}$ implements the key extraction oracle ${\mathcal{O}}_{\mathsf{Extract}}$ and the decapsulation oracle ${\mathcal{O}}_{\mathsf{Decap}}$ by following the real algorithms in the construction. The adversary $\mathcal{A}$ returns a bit $b^{\prime }$ and wins the game if $b^{\prime }=b$. By the definition, we have

$${\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}}=\left|\mathrm{Pr}[S_0]-{\displaystyle \frac{1}{2}}\right|=\left|\mathrm{Pr}[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.$$

Game 1.

Game 1 is identical to Game 0 except that the decapsulation oracle ${\mathcal{O}}_{\mathsf{Decap}}$ rejects any ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ of the challenge identity ${\mathsf{id}}^{*}$ if $\mathbf{t}={\mathbf{t}}^{*}$.

Let $E_1$ be the event that the adversary $\mathcal{A}$ issues a decap of $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ of ${\mathsf{id}}^{*}$ where $\mathbf{t}={\mathbf{t}}^{*},\mathsf{id}={\mathsf{id}}^{*}$.

Assuming that event $E_1$ happens, we have $\mathbf{t}=\mathsf{H}({\mathbf{c}}_0,{\mathbf{c}}_2)=\mathsf{H}({\mathbf{c}}_0^{*},{\mathbf{c}}_2^{*})={\mathbf{t}}^{*}$. Because of the pre-image collision resistance of H, ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$ and ${\mathbf{c}}_2={\mathbf{c}}_2^{*}$ w.h.p. As $\mathsf{CT}$ is valid, $\mathsf{CT}\ne {\mathsf{CT}}^{*}$, and $\mathbf{t}={\mathbf{t}}^{*}$, we obtain ${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$ w.h.p.

Assume that the decapsulation query is a valid ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,{\mathbf{t}}^{*})$, where ${\mathbf{c}}_0^T={\mathbf{s}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T={{\mathbf{c}}_0^{*}}^T$, ${\mathbf{c}}_1^T={\mathbf{s}}^T[{\mathbf{A}}_1+\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}|\mathbf{C}+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}]+{\mathbf{e}}_1^T\ne {{\mathbf{c}}_1^{*}}^T$ with the corresponding errors ${\mathbf{e}}_0,{\mathbf{e}}_1$. Then, the challenger $\mathcal{C}$ can use its trapdoor and run a decapsulation algorithm to recover ${\mathbf{e}}_0,{\mathbf{e}}_1,\mathbf{s}$.

• If ${\mathbf{e}}_1\ne {\mathbf{e}}_1^{*}$, then, as ${\mathbf{c}}_2={\mathbf{c}}_2^{*}$, we must have $\mathbf{U}{\mathbf{e}}_1=\mathbf{U}{\mathbf{e}}_1^{*}$ with overwhelming probability, and $\mathbf{e}={\mathbf{e}}_1-{\mathbf{e}}_1^{*}$ is actually a solution for the SIS problem. Such a case happens with negligible probability. We have

  $$\begin{array}{cc}\hfill \parallel \mathbf{e}\parallel & \le \parallel {\mathbf{e}}_1-{\mathbf{e}}_1^{*}\parallel \le 2\sigma \sqrt{2m}\hfill \\ \hfill & \le \sqrt{8}·\alpha q{m}^{3/2}·\omega (\sqrt{logm})=\beta .\hfill \end{array}$$
• If ${\mathbf{e}}_1={\mathbf{e}}_1^{*}$, then, as ${\mathbf{c}}_1\ne {\mathbf{c}}_1^{*}$, we have $\mathbf{s}\ne {\mathbf{s}}^{*}$. As ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$, we have ${{\mathbf{c}}_0}^T={\mathbf{s}}^T\mathbf{A}+{\mathbf{e}}_0^T={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T={{\mathbf{c}}_0^{*}}^T$. This implies that ${(\mathbf{s}-{\mathbf{s}}^{*})}^T\mathbf{A}={({\mathbf{e}}_0^{*}-{\mathbf{e}}_0)}^T$. This happens with negligible probability by Lemma 5.3 [22].

In short, as Game 1 is the same as Game 0 unless $E_1$ happens, then

$$|\mathrm{Pr}[S_1]-\mathrm{Pr}[S_0]|\le \mathrm{Pr}[E_1]\le {\mathsf{Adv}}_{\mathcal{C}}^{{\mathsf{SIS}}_{n,q,\beta }}(\lambda )+\mathsf{negl}(\lambda ).$$

Game 2.

Game 2 is similar to Game 1 unless that we modify the way $\mathsf{MPK}$ is generated and the way ${\mathsf{CT}}^{*}$ together with the valid session ${\mathsf{K}}_1^{*}$ are constructed, as follows:

• Select a hash function $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$.
• Sample $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and $\mathbf{Z}\leftarrow {\mathbb{Z}}_q^{n\times m}$.
• Sample ${\mathbf{R}}_1,{\mathbf{R}}_2\leftarrow {\mathcal{D}}_{m\times m}$ and set ${\mathbf{R}}^T={[{\mathbf{R}}_1|{\mathbf{R}}_2]}^T\in {\mathbb{Z}}^{2m\times m}$. Find ${({\mathbf{R}}^T)}^{-1}\in {\mathbb{Z}}^{m\times 2m}$ such that ${({\mathbf{R}}^T)}^{-1}{\mathbf{R}}^T={\mathbf{I}}_m$.
  We can successfully sample such matrix $\mathbf{R}$ of rank m with an overwhelming probability.
• Set $\mathbf{U}\leftarrow \mathbf{Z}{({\mathbf{R}}^T)}^{-1}\in {\mathbb{Z}}_q^{n\times 2m}$.
• Sample ${{\mathbf{e}}_0}^{*}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$, $\mathbf{v}\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma /\sqrt{2}}^{2m}$ and set ${{\mathbf{e}}_1^{*}}^T\leftarrow {{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$.
• Compute ${\mathbf{c}}_2^{*}\leftarrow \mathbf{Z}{\mathbf{e}}_0^{*}+\mathbf{U}\mathbf{v}=\mathbf{U}{\mathbf{e}}_1^{*}$.
• Sample ${\mathbf{k}}_1\leftarrow {\{0,1\}}^n$, $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$ and set ${\mathbf{s}}^{*}\leftarrow {\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$.
• Compute ${{\mathbf{c}}_0^{*}}^T\leftarrow {{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T$, ${\mathbf{t}}^{*}=\mathsf{H}({{\mathbf{c}}_0}^{*},{{\mathbf{c}}_2}^{*})$, and ${{\mathbf{c}}_1^{*}}^T\leftarrow {{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$.
• Set ${\mathbf{A}}_1\leftarrow \mathbf{A}{\mathbf{R}}_1-\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}$.
• Set $\mathbf{C}\leftarrow \mathbf{A}{\mathbf{R}}_2-\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}$.
• Set $\mathsf{MPK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{C},\mathbf{U},\mathsf{H})$, $\mathsf{MSK}={\mathbf{R}}_1$, ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$, and the valid session key ${\mathsf{K}}_1^{*}={\mathbf{c}}_2^{*}+{\mathbf{k}}_1^{*}$.

Challenger $\mathcal{C}$ sends $\mathsf{MPK}$ and ${\mathsf{CT}}^{*}$ together with the session key ${\mathsf{K}}_b^{*}$ to $\mathcal{A}$.

• We do not allow $\mathcal{A}$ to query ${\mathcal{O}}_{\mathsf{Extract}}$ for ${\mathsf{id}}^{*}$. To answer the key extraction query for $\mathsf{id}$, the challenger $\mathcal{C}$ computes

  $${\mathbf{F}}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}{\mathbf{R}}_1+(\mathsf{FRD}(\mathsf{id})-\mathsf{FRD}({\mathsf{id}}^{*}))\overline{\mathbf{G}}].$$
  By the property of $\mathsf{FRD}$, $(\mathsf{FRD}(\mathsf{id})-\mathsf{FRD}({\mathsf{id}}^{*}))$ is an invertible matrix in ${\mathbb{Z}}_q^{n\times n}$, so $\mathcal{C}$ can sample

  $${\mathsf{SK}}_{\mathsf{id}}={\mathbf{T}}_{\mathsf{id}}\leftarrow \mathsf{SamplePre}({\mathbf{R}}_1,{\mathbf{F}}_{\mathsf{id}},\mathsf{FRD}(\mathsf{id})-\mathsf{FRD}({\mathsf{id}}^{*}),\mathbf{C},s).$$
• Let $E_2$ be the event that $\mathcal{A}$ asks for the decapsulation queries $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,{\mathbf{t}}^{*})$ of identity $\mathsf{id}\ne {\mathsf{id}}^{*}$. Let the game abort when event $E_2$ happens.
  Note that the case $\mathbf{t}={\mathbf{t}}^{*}$ consists of the case $\{\mathsf{id}={\mathsf{id}}^{*},\mathbf{t}={\mathbf{t}}^{*}\}$ and the case $\{\mathsf{id}\ne {\mathsf{id}}^{*},\mathbf{t}={\mathbf{t}}^{*}\}$. This means that Game 2 aborts if $\mathbf{t}={\mathbf{t}}^{*}$.
• To answer to the decapsulation oracle of a valid $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ of ${\mathsf{id}}^{*}$ with $\mathbf{t}\ne {\mathbf{t}}^{*}$, the challenger $\mathcal{C}$ computes

  $${\mathbf{F}}_{{\mathsf{id}}^{*}}^{\prime }=[\mathbf{A}|\mathbf{A}{\mathbf{R}}_1|\mathbf{A}{\mathbf{R}}_2+(\mathsf{FRD}(\mathbf{t})-\mathsf{FRD}({\mathbf{t}}^{*}))\overline{\mathbf{G}}]$$

  and sets the secret key ${\mathsf{SK}}_{{\mathsf{id}}^{*}}={\mathbf{T}}_{{\mathsf{id}}^{*}}=\left[\begin{array}{c}{\mathbf{R}}_1+{\mathbf{R}}_2\\ -{\mathbf{I}}_{\omega }\end{array}\right]$.
  As $\mathbf{t}\ne {\mathbf{t}}^{*}$, $\mathsf{FRD}(\mathbf{t})-\mathsf{FRD}({\mathbf{t}}^{*})$ is invertible, so the decapsulation oracle is able to respond to valid ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$ by invoking $\mathsf{Invert}({\mathbf{T}}_{{\mathsf{id}}^{*}},{\mathbf{F}}_{{\mathsf{id}}^{*}}^{\prime },[{\mathbf{c}}_0^T,{\mathbf{c}}_1^T])$ to recover $\mathbf{s},{\mathbf{e}}_0$ and ${\mathbf{e}}_1$.

Note that $\mathbf{A}$ is correctly distributed as in the previous game. As ${\mathbf{R}}_1,{\mathbf{R}}_2\leftarrow {\mathcal{D}}_{m\times m}$, by using Lemma 3, in $\mathcal{A}$’s view, the matrices ${\mathbf{A}}_1=\mathbf{A}\mathbf{R}-\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}$, $\mathbf{C}=\mathbf{A}{\mathbf{R}}_2-\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}$ in Game 2 and ${\mathbf{A}}_1,\mathbf{C}$ in Game 1 are indistinguishable and statistically close to uniform over ${\mathbb{Z}}_q^{n\times m}$. In addition, $\mathbf{Z}$ is chosen uniformly at random in ${\mathbb{Z}}_q^{n\times m}$, so $\mathbf{U}=\mathbf{Z}{({\mathbf{R}}^T)}^{-1}$ is a uniformly random matrix in ${\mathbb{Z}}_q^{n\times 2m}$ as in Game 1. Hence, the public parameters in Game 2 and Game 1 are indistinguishable.

In this game, ${\mathbf{c}}_0^{*}={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T$ is correctly distributed. By Theorem 1, we have that ${{\mathbf{e}}_1^{*}}^T={{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$ is statistically close to ${\mathcal{D}}_{\mathbb{Z},\sigma }^{2m}$ as

$$({\sigma }_R\parallel {\mathbf{e}}_0{\parallel )}^2+{(\sigma /\sqrt{2})}^2\le {\sigma }^2.$$

The vector ${\mathbf{c}}_1^{*}$ defined in step (8) above also satisfies

$$\begin{array}{cc}\hfill {{\mathbf{c}}_1^{*}}^T& ={{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T=({{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T)\mathbf{R}+{\mathbf{v}}^T\hfill \\ \hfill & ={{\mathbf{s}}^{*}}^T[\mathbf{A}{\mathbf{R}}_1|\mathbf{A}{\mathbf{R}}_2]+{{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T\hfill \\ \hfill & ={{\mathbf{s}}^{*}}^T[{\mathbf{A}}_1+\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}|\mathbf{C}+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}]+{{\mathbf{e}}_1^{*}}^T.\hfill \end{array}$$

Moreover, we have

$$\begin{array}{cc}\hfill {\mathbf{t}}^{*}& =\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{Z}{\mathbf{e}}_0^{*}+\mathbf{U}\mathbf{v})=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{R}}^T{\mathbf{e}}_0^{*}+\mathbf{U}\mathbf{v})=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{e}}_1^{*}).\hfill \end{array}$$

Therefore, ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$ in Game 2 is correctly distributed as in the previous game.

Hence, in $\mathcal{A}$’s view, Game 2 and Game 1 are indistinguishable.

$$|\mathrm{Pr}[S_2]-\mathrm{Pr}[S_1]|\le \mathrm{Pr}[E_2]+\mathsf{negl}(\lambda )$$

Game 3.

Game 3 is similar to Game 2 unless ${\mathsf{K}}_0^{*}$ and ${\mathsf{K}}_1^{*}$ are uniformly random. We have $\mathrm{Pr}[S_3]=1/2.$

We now show that Game 3 and Game 2 are computationally indistinguishable by reducing to the ${\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}$ problem.

Suppose the adversary $\mathcal{A}$ can distinguish Game 3 and Game 2 with non-negligible advantage. We will then build the simulator $\mathcal{B}$ that can solve the SISnLWE problem. Recall from Definition 8 that an SISnLWE problem instance provides its challenge $(\mathbf{A},{\mathbf{b}}^T,\mathbf{z}=\mathbf{Z}{\mathbf{e}}_{0}modq,\mathbf{Z})$, where $\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m},\mathbf{b}\in {\mathbb{Z}}_q^m,\mathbf{Z}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and ${\mathbf{e}}_0\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^m$, and asks if there is a vector $\overline{\mathbf{s}}\leftarrow {\mathcal{D}}_{\mathbb{Z},\alpha q}^n$ such that ${\mathbf{b}}^T={\overline{\mathbf{s}}}^T\mathbf{A}+{\mathbf{e}}_0^T$ or if $\mathbf{b}\in {\mathbb{Z}}_q^n$ is random. $\mathcal{B}$ uses $\mathcal{A}$ as follows:

• Choose a hash function $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^n$.
• Set $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ from the SISnLWE challenge.
• Sample ${\mathbf{R}}_1,{\mathbf{R}}_2\leftarrow {\mathcal{D}}_{m\times m}$ and set ${\mathbf{R}}^T={[{\mathbf{R}}_1|{\mathbf{R}}_2]}^T\in {\mathbb{Z}}^{2m\times m}$ is of rank m. Find ${({\mathbf{R}}^T)}^{-1}\in {\mathbb{Z}}^{m\times 2m}$ such that ${({\mathbf{R}}^T)}^{-1}{\mathbf{R}}^T={\mathbf{I}}_m.$
• Set $\mathbf{U}\leftarrow \mathbf{Z}{({\mathbf{R}}^T)}^{-1}\in {\mathbb{Z}}_q^{n\times 2m}$.
• Sample $\mathbf{v}\leftarrow {\mathcal{D}}_{\mathbb{Z},\sigma /\sqrt{2}}^{2m}$.
• Set ${\mathbf{c}}_2^{*}\leftarrow \mathbf{z}+\mathbf{U}\mathbf{v}$ where $\mathbf{z}\in {\mathbb{Z}}_q^n$ is from the SISnLWE challenge.
• Sample ${\mathbf{k}}_1\leftarrow {\{0,1\}}^n$ and set ${{\mathbf{c}}_0^{*}}^T\leftarrow {\left({\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋\right)}^T\mathbf{A}+{\mathbf{b}}^T$.
• Set ${\mathbf{t}}^{*}=\mathsf{H}({{\mathbf{c}}_0}^{*},{{\mathbf{c}}_2}^{*})$ and ${{\mathbf{c}}_1^{*}}^T\leftarrow {{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T$.
• Set ${\mathbf{A}}_1\leftarrow \mathbf{A}{\mathbf{R}}_1-\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}$.
• Set $\mathbf{C}\leftarrow \mathbf{A}{\mathbf{R}}_2-\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}$.
• Set $\mathsf{MPK}=(\mathbf{A},{\mathbf{A}}_1,\mathbf{C},\mathbf{U},\mathsf{H})$, $\mathsf{MSK}={\mathbf{R}}_1$, ${\mathsf{CT}}^{*}=({\mathbf{c}}_0^{*},{\mathbf{c}}_1^{*},{\mathbf{t}}^{*})$. Set ${\mathsf{K}}_1^{*}={\mathbf{c}}_2^{*}+{\mathbf{k}}_1$ and choose ${\mathsf{K}}_0^{*}$ randomly in the key space.
• $\mathcal{B}$ sends $\mathcal{A}$ the triple $\mathsf{MPK}$, ${\mathsf{CT}}^{*}$ and ${\mathsf{K}}_b^{*}$ where $b\leftarrow \{0,1\}$ and keeps $\mathsf{MSK}$ secret.
• The simulator $\mathcal{B}$ answers queries to ${\mathcal{O}}_{\mathsf{Extract}}$ and ${\mathcal{O}}_{\mathsf{Decap}}$ as in the previous game.
• When $\mathcal{B}$ receives $b^{\prime }$ as a guess for b from $\mathcal{A}$, it outputs $b^{\prime }$ as a solution to the SISnLWE challenge.

We provide the argument that when the SISnLWE oracle is pseudorandom, meaning ${\mathbf{b}}^T={\overline{\mathbf{s}}}^T\mathbf{A}+{\mathbf{e}}_0^T$, ${\mathsf{CT}}^{*}$ is distributed exactly as in Game 2. Note that

$$\begin{array}{cc}\hfill {{\mathbf{c}}_0^{*}}^T& ={\left({\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋\right)}^T\mathbf{A}+{\mathbf{b}}^T={{\mathbf{s}}^{*}}^T\mathbf{A}+{{\mathbf{e}}_0^{*}}^T\hfill \\ \hfill {{\mathbf{c}}_1^{*}}^T& ={{\mathbf{c}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T={{\mathbf{s}}^{*}}^T[\mathbf{A}{\mathbf{R}}_1|\mathbf{A}{\mathbf{R}}_2]+{{\mathbf{e}}_0^{*}}^T\mathbf{R}+{\mathbf{v}}^T\hfill \\ \hfill & ={{\mathbf{s}}^{*}}^T[{\mathbf{A}}_1+\mathsf{FRD}({\mathsf{id}}^{*})\overline{\mathbf{G}}|\mathbf{C}+\mathsf{FRD}({\mathbf{t}}^{*})\overline{\mathbf{G}}]+{{\mathbf{e}}_1^{*}}^T\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\mathbf{t}}^{*}& =\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{z}+\mathbf{U}\mathbf{v})=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{Z}{\mathbf{e}}_0+\mathbf{U}\mathbf{v})=\mathsf{H}({\mathbf{c}}_0^{*},\mathbf{U}{\mathbf{e}}_1^{*}).\hfill \end{array}$$

where ${\mathbf{s}}^{*}={\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ and ${{\mathbf{e}}_1^{*}}^T={\mathbf{e}}_0^T\mathbf{R}+{\mathbf{v}}^T$.

Moreover, by Lemma 4 any valid ${\mathsf{K}}_1^{*}={\mathbf{c}}_2^{*}+{\mathbf{k}}_1$ is distributed statistically close to uniform in $\mathcal{K}$.

When the SISnLWE oracle is random, we have that $\mathbf{b}$ is uniform in ${\mathbb{Z}}_q^n$. Thus, ${\mathbf{c}}_0^{*}$ defined in step (7) and ${\mathbf{c}}_2$ in step (6) above are uniform in ${\mathbb{Z}}_q^n$. In particular, the challenge session keys ${\mathsf{K}}_0^{*},{\mathsf{K}}_1^{*}$ are uniform and independent of ${\mathsf{CT}}^{*}$ as in Game 3.

We conclude that the advantage of $\mathcal{B}$ in solving the SISnLWE problem is the same as the advantage of $\mathcal{A}$ in distinguishing Game 2 and Game 3, i.e.,

$$|\mathrm{Pr}[S_3]-\mathrm{Pr}[S_2]|\le {\mathsf{Adv}}_{\mathcal{B}}^{{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}(\lambda )+\mathsf{negl}(\lambda ).$$

It remains to be shown that the abort event $E_2=\{\mathsf{id}\ne {\mathsf{id}}^{*},\mathbf{t}={\mathbf{t}}^{*}\}$ happens with negligible probability under the hardness assumption of the Computational SISnLWE problem. Indeed, we can construct a simulator ${\mathcal{B}}^{\prime }$ similarly to $\mathcal{B}$ where ${\mathcal{B}}^{\prime }$ can solve the Computational SISnLWE problem when adversary $\mathcal{A}$ provides ${\mathcal{B}}^{\prime }$ with a valid ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t})$, where $\mathbf{t}={\mathbf{t}}^{*}$ for an identity $\mathsf{id}\ne {\mathsf{id}}^{*}$. Given a Computational SISnLWE instance $(\mathbf{A},{\mathbf{b}}^T=\overline{\mathbf{s}}\mathbf{A}+{\mathbf{e}}_0^T,\mathbf{Z},\mathbf{z}=\mathbf{Z}{\mathbf{e}}_0)$, ${\mathcal{B}}^{\prime }$ runs as step 1 to step 12 of $\mathcal{B}$. Consider the case where adversary $\mathcal{A}$ provides ${\mathcal{B}}^{\prime }$ with a valid ciphertext $\mathsf{CT}=({\mathbf{c}}_0,{\mathbf{c}}_1,\mathbf{t}={\mathbf{t}}^{*})$ for an identity $\mathsf{id}\ne {\mathsf{id}}^{*}.$ As $\mathbf{t}={\mathbf{t}}^{*}$, we have $\mathsf{H}({\mathbf{c}}_0,{\mathbf{c}}_2)=\mathsf{H}({\mathbf{c}}_0^{*},{\mathbf{c}}_2^{*})$ w.h.p, meaning that ${\mathbf{c}}_0={\mathbf{c}}_0^{*}$ and ${\mathbf{c}}_2={\mathbf{c}}_2^{*}$ w.h.p. We must have $\mathbf{s}={\mathbf{s}}^{*}$, ${\mathbf{e}}_0={\mathbf{e}}_0^{*}$, ${\mathbf{e}}_1={\mathbf{e}}_1^{*}$ with overwhelming probability where ${\mathbf{s}}^{*}={\mathbf{k}}_1⌊{\displaystyle \frac{q}{2}}⌋+\overline{\mathbf{s}}$ and ${{\mathbf{e}}_1^{*}}^T={\mathbf{e}}_0^T\mathbf{R}+{\mathbf{v}}^T$.

As $\mathsf{CT}$ is a valid ciphertext for $\mathsf{id}\ne {\mathsf{id}}^{*}$, we deduce that

$${\mathbf{c}}_1^T-{{\mathbf{c}}_1^{*}}^T={{\mathbf{s}}^{*}}^T[(\mathsf{FRD}(\mathsf{id})-\mathsf{FRD}({\mathsf{id}}^{*}))\overline{\mathbf{G}}|\mathbf{0}].$$

Set $\mathbf{M}=[(\mathsf{FRD}(\mathsf{id})-\mathsf{FRD}({\mathsf{id}}^{*}))\overline{\mathbf{G}}|\mathbf{0}]\in {\mathbb{Z}}_q^{n\times 2m}$ where $\mathbf{0}\in {\mathbb{Z}}^{n\times m}$. As $(\mathsf{FRD}(\mathsf{id})-\mathsf{FRD}({\mathsf{id}}^{*}))\in {\mathbb{Z}}_q^{n\times n}$ is invertible and $\mathbf{G}$ is a gadget matrix, there exists ${\mathbf{M}}^{-1}\in {\mathbb{Z}}_q^{2m\times n}$ such that $\mathbf{M}.{\mathbf{M}}^{-1}=I_n$. Therefore, the simulator ${\mathcal{B}}^{\prime }$ is able to find ${\mathbf{s}}^{*}$ by calculating $({\mathbf{c}}_1-{\mathbf{c}}_1^{*}){\mathbf{M}}^{-1}$ and then finding $\overline{\mathbf{s}}$, which solves the Computational SISnLWE problem.

We deduce that the probability

$$\mathrm{Pr}[E_2]\le {\mathsf{Adv}}_{{\mathcal{B}}^{\prime }}^{C{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}+\mathsf{negl}(\lambda ).$$

Combining all of the inequalities above, we have that

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{\mathcal{A},\Pi }^{\mathsf{IND}-\mathsf{sID}-\mathsf{CCA}\mathsf{2}}\le {\mathsf{Adv}}_{\mathcal{C}}^{{\mathsf{SIS}}_{n,q,\beta }}(\lambda )+{\mathsf{Adv}}_{\mathcal{B}}^{{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}(\lambda )+{\mathsf{Adv}}_{{\mathcal{B}}^{\prime }}^{C{\mathsf{SISnLWE}}_{n,m,q,{\mathcal{D}}_{\mathbb{Z},\alpha q}}}+\mathsf{negl}(\lambda ).\end{array}$$

This concludes the proof.

5. Conclusions

In this paper, we modified the CCA2-secure KEM by Boyen et al. [1] to obtain an efficient CCA2-secure KEM scheme with a complete security proof. We also introduced a construction of an efficient and simple CCA2-secure IBKEM based on the hardness of Normal-form Learning With Errors with a Shortest Integer Solution hint problem defined by Boyen et al. [1]. Our IBKEM obtained selectively-security only. One can apply Yamada’s technique [13] for adaptive setting but computations on parameters show that it is inefficient. Therefore, it is an interesting challenge to design a comparable efficient CCA2-secure IBKEM with adaptive security.