1 Introduction

1.1 Identity-Based Encryption

Public key cryptography has long been in widespread real-world use, but it has the issue that public keys look like random strings. Consequently, public key infrastructure (PKI) has also been developed to prove the validity of public keys. Identity-based encryption (IBE) [27] can reduce the costs associated with PKI systems by enabling users to select arbitrary strings (such as e-mail addresses or bio-information) as public keys. A special entity called the key-generation center (KGC) maintains a master public/secret key pair \((\mathsf{mpk},\mathsf{msk})\). The KGC (implicitly) confirms the validity of each user \(\mathsf{ID}\) and then issues an associated secret key \(\mathsf{sk}_{\mathsf{ID}}\) using the master secret key \(\mathsf{msk}\). Once the master public key \(\mathsf{mpk}\) has been downloaded from the KGC, anyone can encrypt messages if they know the recipient’s \(\mathsf{ID}\). IBE is standardized by ISO/IEC 18033-5 and IEEE P1363.3.

1.2 Key Escrow Problem and Current Solutions

The key escrow problem is a significant barrier to the widespread real-world use of IBE, and is a serious concern for communication privacy. Specifically, the KGC potentially has the power to decrypt all ciphertexts, since it can generate secret keys for any \(\mathsf{ID}\). Several attempts have already been made to deal with this issue by reducing the amount of trust we put in the KGC.

One line of research is to make users participate in the secret key-generation process. In certificateless encryption (CE) [3], in addition to the secret key \({\mathsf{sk}}_{\mathsf{ID}}\) generated by the KGC, each user also needs to generate their own public/secret key pair \((\mathsf{pk},\mathsf{sk})\). Here, both the \(\mathsf{ID}\) and \(\mathsf{pk}\) are required to encrypt messages, so decryption involves both \({\mathsf{sk}}_{\mathsf{ID}}\) and \({\mathsf{sk}}\). This means that the KGC can no longer decrypt ciphertexts, since it does not know \(\mathsf{sk}\). However, the PKI now has to certify the \(\mathsf{pk}\) as well, as they are required for encryption. Garg et al. [12, 13] improved the CE approach by having the KGC aggregate and compress all users’ public keys. Instead of generating a secret key \(\mathsf{sk}_\mathsf{ID}\) for each user, the KGC updates and maintains \(\mathsf{mpk}\) using the pair \((\mathsf{ID},\mathsf{pk})\) for each user \(\mathsf{ID}\). As in IBE, encryption and decryption only require \((\mathsf{mpk}, \mathsf{ID})\) and \(\mathsf{sk}\), respectively. However, one drawback when implementing this in practice is that \(\mathsf{mpk}\) must be periodically updated.

Another approach is to define an independent notion of security against the KGC for standard IBEs. Here, we call an IBE standard if encryption requires only a (static) \(\mathsf{mpk}\) and \(\mathsf{ID}\), and decryption requires only \(\mathsf{sk}_{\mathsf{ID}}\), as originally defined in [27]. Here, the essential idea is to capture some notion of anonymity [1, 6] with respect to the KGC, specifically to guarantee that ciphertexts reveal no information about the underlying identities, and hence that the KGC cannot determine the correct identity needed to decrypt a given ciphertext. Based on this design criterion, Izabachène and Pointcheval [17] formalized anonymity with respect to the KGC for identity-based key encapsulation mechanisms (IB-KEMs). However, as Chow [10] pointed out, their definition is incomplete, since it considers the situation where an adversary can only obtain the challenge ciphertext, whereas in a standard IB-KEM, adversaries can obtain both the challenge ciphertext and the corresponding session key. In order to define a more stringent notion of security against the KGC, Chow [10] introduced the notion of KGC anonymous ciphertext indistinguishability (ACI-KGC), which guarantees that the KGC cannot obtain any information about the corresponding plaintext from a ciphertext if the author’s identity is chosen randomly and unknown to the KGC. However, as he noted, requiring ACI-KGC is still insufficient in practice: the KGC typically manage lists of issued identity/secret key pairs, so it could decrypt any ciphertext via brute force by running the decryption algorithm against all the secret keys issued so far. In other words, even though ACI-KGC is a well-motivated security definition, it would be impossible to satisfy in practice. To resolve this gap between the security notion and practical implementation, Chow also introduced, in the same paper, a new entity called an identity-certifying authority (ICA) and defined an anonymous key-issuing protocol. In this protocol, the ICA authenticates the user’s identity \(\mathsf{ID}\) by providing them certificates. The user can then use this certificate to interact with the KGC and obtain \(\mathsf{sk}_{\mathsf{ID}}\) without revealing their identity \(\mathsf{ID}\), an idea reminiscent of blind IBEs [8, 15].Footnote 1 Since the KGC is now outsourcing the work of authenticating users to the ICA, it will no longer know which identities it has generated secret keys for.

Chow’s work [10] was a significant step toward defining a standard IBE scheme that can resolve the key escrow problem. However, in this research, we identify some deficiencies in this formulation and show that the definition must be refined. First, as explained above, Chow introduced a new entity called the ICA and proposed an anonymous key-issuing protocol involving the user, the KGC, and the ICA to close the gap between the ACI-KGC security notion for standard IBEs and practical KGC implementations. However, unfortunately, Chow defined ACI-KGC only between the user and the KGC and did not provide any formal treatment when the ICA is used to authenticate the users. He does provide some informal argument suggesting that something similar to ACI-KGC should hold for a standard IBE scheme where the ICA authenticates the users, however, on closer look, ACI-KGC is not a notion which can be naturally extended to such scenarios. Considering the relevance of key escrow problems for IBE in the real world, the definition which we base our security on must properly formalize ACI-KGC in the presence of an ICA. Second, in Chow’s definition, the ICA is fully trusted. We observe that this extra (strong) assumption makes the definition completely void and trivial to achieve. In particular, consider the following IBE scheme, defined between the users, the KGC, and the fully trusted ICA: the ICA plays the role of the KGC in a standard IBE scheme and the KGC does nothing. It is easy to see that this construction achieves ACI-KGC security, since the KGC holds no secret information and standard anonymous IBE readily implies ACI-KGC. In other words, we have simply transferred all the trust from the KGC to the ICA and also deferred the key escrow problem to it. This shows that, if we are to make this a well-defined and well-motivated security notion, we cannot fully trust the ICA.

Finally, all subsequent works [23, 28] have followed Chow’s general outline and in particular, they are all pairing-based constructions and insecure in the face of quantum computing. It is therefore, an interesting question to ask whether we can construct a provably secure post-quantum IBE under any sensible security notion that resolves the key escrow problem.

1.3 Our Contribution

In this paper, we formalize a standard IBE scheme that captures the key escrow problem and provide a candidate construction. Our formalization is inspired by Chow’s original work and is based on the idea of creating an ICA to authenticate the system’s users. We describe this scheme as blind IBE with certified identities to differentiate between prior formalizations. This terminology follows from the fact that the proposed secret key-generation process can be seen as a blind IBE combined with an ICA to certify user identities. We also propose a lattice-based approach to constructing such a blind IBE based on the Learning with Errors (LWE) assumption in the random oracle model. As far as we are aware, this is the first post-quantum IBE to resolve the key escrow problem based on Chow’s work.Footnote 2 Our contributions can be summarized in more detail as follows.

Formalization of a Blind IBE with Certified Identities. We formalize a standard IBE scheme (which we call blind IBE with certified identities) that resolves the key escrow problem based on Chow’s work [10]. Our definition involves three entities: the users, the KGC, and the ICA. The ICA is responsible for authenticating users by issuing certificates, while the KGC is responsible for (blindly) generating secret keys for users. We define three security notions, one for each of the three entities involved. Specifically, we define indistinguishability and anonymity against chosen plaintext attacks for the users (IND-ANON-CPA), the KGC (IND-ANON-KGC), and the ICA (IND-ANON-ICA). The first of these, IND-ANON-CPA, captures the standard concept of IBE security, while the second and third model cases where the KGC or the ICA is malicious. Our IBE formalization takes all the aforementioned issues into account: the syntax captures anonymous key-issuing via IND-ANON-KGC security, and the ICA is no longer fully trusted due to our additional definition of IND-ANON-ICA security. Our formalization can be seen as a natural and formal extension of Chow’s idea of combining ACI-KGC security with an anonymous key-issuing protocol.

Lattice-Based Instantiation. We also provide a concrete instantiation of a blind IBE with certified identities, based on the LWE problem in the random oracle model. Our construction is based on the standard lattice-based IBE scheme by Gentry–Peikert–Vaikuntanathan (GPV-IBE) [14], which is arguably the most efficient IBE scheme based on standard lattice assumptions. The two main technical hurdles involved in developing our construction are as follows.

(a) Realizing Anonymous Key Issuing. Unlike standard IBE, where the KGC knows (i.e., authorizes via some certification mechanism) which ID it is issuing secret keys to, IBE schemes that deal with the key escrow problem cannot allow the KGC to know the IDs corresponding to the secret keys. This is the main reason why the ICA was introduced: it authorizes users by providing them with certificates that do not leak their ID, which they can then use to obtain secret keys from the KGC. The main problem here is thus figuring out what the certificate should look like and how to combine it with GPV-IBE’s key-generation process.

Our main observation is that the secret keys of GPV-IBE is only a short vector over \(\mathbb {Z}^m\) and the key-generation process of GPV-IBE can be viewed as a signing algorithm through the Naor transformation [5]. Concretely, a secret key for \(\mathsf{ID}\), which is a short vector over \(\mathbb {Z}^m\), can be seen as a signature for some message (related to \(\mathsf{ID}\)) over \(\mathbb {Z}_q^n\). At a high level, the user in our construction will end up receiving two certificates: one from the ICA and another from the KGC, and then the user will combine them together to form a secret key for the GPV-IBE. However, the two certificates must be related to one specific ID in some meaningful way or otherwise the user can simply mix-and-match different certificates together. To this end, we build on the lattice-based blind signature scheme proposed by Rückert [25] and use it in a way so that the KGC can blindly sign to a vector over \(\mathbb {Z}_q^n\) which implicitly commits to an ID. We note that Rückert [26] later mentions that the blind signature scheme in [25] is vulnerable in some use cases, however, the way we use it avoids this problem.

(b) Satisfying IND-ANON-KGC Security. Informally, IND-ANON-KGC security stipulates that even if the KGC receives polynomially many ciphertexts for the same ID, as long as the ID is sampled from a sufficiently high min-entropy source, then it cannot tell whether the ciphertexts are real or sampled uniformly at random from the ciphertext space. In other words, even though the KGC can construct secret keys for any ID, it should not be able to identify the right ID corresponding to the ciphertexts with more than negligible probability. Below we recall the ciphertext of GPV-IBE: \(c_0=\mathbf {u}_{\mathsf{ID}}^\top \mathbf {s} +x+ \mathsf {M}\lfloor q/2 \rceil \) and \(\mathbf {c}_1= \mathbf {A}^\top \mathbf {s}+ \mathbf {x}\), where \(\mathsf {M}\in \{ 0,1 \} \) is the plaintext, \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\) is included in \(\mathsf{mpk}\), \(\mathbf {u}_{\mathsf{ID}}=\mathsf {H}(\mathsf{ID})\in \mathbb {Z}_q^n\) is a hash value (derived from the random oracle), \(\mathbf {s} \in \mathbb {Z}_q^n\) is a uniformly random vector over \(\mathbb {Z}_q^n\), and \(\mathbf {x}, x\) are small “noise” terms.

At first glance, IND-ANON-KGC security seems highly related to IBE in the multi-challenge setting [16] where an adversary can obtain polynomially many challenge ciphertexts, and therefore, may seem that the security proof of IND-ANON-KGC follows from a simple hybrid argument. However, this intuition is inaccurate. The key difference between the two security notions is that in IND-ANON-KGC the KGC holds the master secret key to the IBE scheme, i.e., the trapdoor for the lattice generated by \(\mathbf {A}\). In particular, the adversary for IND-ANON-KGC (which is the KGC) has the power to fully recover the randomness \(\mathbf {s}\) from \(\mathbf {c}_1\) in the ciphertext. This prevents us from using an entropy-based argument on the vector \(\mathbf {s}\) to argue uniformness of \(c_0\), as was done in previous proofs for GPV-IBE in the multi-challenge setting [19]. We therefore depart from previous proof techniques for GPV-IBE to prove IND-ANON-KGC of our proposed IBE scheme. We take advantage of the fact that the adversary does not have knowledge of the ID corresponding to the challenge ciphertext. Note that to the contrary, in the multi-challenge setting, the adversary was able to specify the ID that is being encrypted. In our security proof, we use the fact that \(\mathbf {u}_\mathsf{ID} = \mathsf {H}(\mathsf{ID}) \in \mathbb {Z}_q^n\) is distributed as a uniformly random vector from the view of the adversary in the random oracle model and embed \(\mathbf {u}_\mathsf{ID}\) as the LWE secret, rather than embedding the encryption randomness \(\mathbf {s}\) as in previous proofs.

2 Preliminaries

Notations. For a distribution or random variable X we write \(x \leftarrow X\) to denote the operation of sampling a random x according to X. For a set S, we write \(s \leftarrow S\) as a shorthand for \(s \leftarrow U(S)\). For a vector \(\mathbf {v}\in \mathbb R^n\), denote \(||\mathbf {v} ||\) as the standard Euclidean norm. For a matrix \(\mathbf {R}\in \mathbb R^{n \times n}\), denote \(||\mathbf {R} ||\) as the length of the longest column and as the longest column of the Gram-Schmidt orthogonalization of \(\mathbf {R}\). We denote \(s_1(\mathbf {R})\) as the largest singular value of \(\mathbf {R}\). Finally, denote \(\langle A, B \rangle \) as an interactive protocol between two PPT algorithms A and B.

Lattices and Gaussian Measures. A (full-rank-integer) m-dimensional lattice \(\Lambda \) in \(\mathbb Z^m\) is a set of the form \(\{ \sum _{i \in [m]} x_i \mathbf {b}_i| x_i \in \mathbb Z \}\), where \(\mathbf {B}= \{ \mathbf {b}_1, \cdots , \mathbf {b}_m \}\) are m linearly independent vectors in \(\mathbb Z^m\). We call \(\mathbf {B}\) the basis of the lattice \(\Lambda \). For any positive integers nm and \(q\ge 2\), a matrix \(\mathbf {A}\in \mathbb Z_q^{n \times m}\) and a vector \(\mathbf {u}\in \mathbb Z_q^n\), we define the lattices \(\Lambda ^{\perp }(\mathbf {A}) = \{ \mathbf {z}\in \mathbb Z^m | \mathbf {A}\mathbf {z}= \mathbf {0}\mod q \}\) and \(\Lambda ^{\perp }_{\mathbf {u}}(\mathbf {A}) = \{ \mathbf {z}\in \mathbb Z^m | \mathbf {A}\mathbf {z}= \mathbf {u}\mod q \}\).

Lemma 1

([14]). Let nmq be positive integers such that \(m \ge 2n \log q\). Let \(\sigma \) be any positive real such that \(\sigma \ge \omega (\sqrt{\log n})\). Then for \(\mathbf {A}\leftarrow \mathbb Z_q^{n \times m}\) and \(\mathbf {e}\leftarrow D_{\mathbb Z^m, \sigma }\), the distribution of \(\mathbf {u}= \mathbf {A}\mathbf {e}\mod q\) is statistically close to uniform over \(\mathbb Z_q^n\).

Furthermore, fix \(\mathbf {u}\in \mathbb Z_q^n\). Then the conditional distribution of \(\mathbf {e}\leftarrow D_{\mathbb Z^m, \sigma }\) given \(\mathbf {A}\mathbf {e}= \mathbf {u}\mod q\) for a uniformly random \(\mathbf {A}\) in \(\mathbb Z_q^{n \times m}\) is statistically close to \(D_{\Lambda ^\perp _\mathbf {u}(\mathbf {A}), \sigma }\).

Lemma 2

([14]). Let nmq be positive integers with \(m \ge 2n \log q\), \(\sigma \ge \omega (\sqrt{\log m})\), and \(\mathbf {u}\) be an arbitrary vector in \(\mathbb {Z}_q^n\). Then, for all but a \(q^{-n}\) fraction of \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\), if we sample a vector \(\mathbf {x} \leftarrow D_{\Lambda ^\perp _\mathbf {u}(\mathbf {A}), \sigma }\), we have \(\Pr [||\mathbf {x} || > \sqrt{m} \sigma ] < \mathsf {negl}(n)\).

Lemma 3

(Noise Rerandomization, [18]). Let \(q, \ell , m\) be positive integers and r a positive real satisfying \(r > \max \{ \omega (\sqrt{\log m}), \omega ({\sqrt{\log \ell }}) \}\). Let \(\mathbf {b}\in \mathbb Z_q^{m}\) be arbitrary and \(\mathbf {z}\) chosen from \(D_{\mathbb Z^m, r }\). Then there exists a PPT algorithm \(\mathsf {ReRand}\) such that for any \(\mathbf {V}\in \mathbb Z^{m \times \ell }\) and positive real \(\sigma > s_1(\mathbf {V})\), \({\mathsf {ReRand}}(\mathbf {V}, \mathbf {b}+ \mathbf {z}, r, \sigma ) \) outputs \(\mathbf {b}'^\top = \mathbf {b}^\top \mathbf {V}+ \mathbf {z}'^\top \in \mathbb Z_q^\ell \), where \(\mathbf {z}'\) is distributed statistically close to \(D_{\mathbb Z^\ell , 2 r \sigma }\).

Sampling Algorithms. The following lemma states useful algorithms for sampling short vectors from lattices.

Lemma 4

([14, 20]). Let \(n, m, q > 0\) be integers with \(m \ge 2n \log q \).

  • \(\mathsf {TrapGen}(1^n, 1^m, q) \rightarrow (\mathbf {A}, \mathbf {T}_\mathbf {A})\): There exists a randomized algorithm that outputs a matrix \(\mathbf {A}\in \mathbb Z_q^{n \times m}\) and a full-rank matrix \(\mathbf {T}_\mathbf {A}\in \mathbb Z^{m \times m}\), where \(\mathbf {T}_\mathbf {A}\) is a basis for \(\Lambda ^\perp (\mathbf {A})\), \(\mathbf {A}\) is statistically close to uniform and \(||\mathbf {T}_\mathbf {A} ||_\mathsf{GS} = O(\sqrt{n \log q})\).

  • \(\mathsf {SamplePre}(\mathbf {A}, \mathbf {u}, \mathbf {T}_\mathbf {A}, \sigma ) \rightarrow \mathbf {e}:\) There exists a randomized algorithm that, given a matrix \(\mathbf {A}\in \mathbb Z_q^{n \times m}\), a vector \(\mathbf {u}\in \mathbb Z_q^n\), a basis \(\mathbf {T}_\mathbf {A}\) for \(\Lambda ^{\perp }(\mathbf {A})\), and a Gaussian parameter \(\sigma > ||\mathbf {T}_\mathbf {A} ||_\mathsf{GS} \cdot \omega (\sqrt{\log m})\), outputs a vector \(\mathbf {e}\in \mathbb Z^m\) sampled from a distribution which is \(\mathsf {negl}(n)\)-close to \(D_{\Lambda ^\perp _\mathbf {u}(\mathbf {A}), \sigma }\).

Hardness Assumption. We define the Learning with Errors (LWE) problem introduced by Regev [24].

Definition 1

(Learning with Errors). For integers \(n = n(\lambda )\), \(m = m(\lambda )\), \(q = q(n) > 2\), an error distribution \(\chi = \chi (n)\) over \(\mathbb Z^m\), and a PPT algorithm \(\mathcal A\), the advantage for the learning with errors problem \(\mathsf {LWE}_{n, m, q, \chi }\) of \(\mathcal A\) is defined as \(\mathsf {Adv}_{\mathcal A}^{\mathsf {LWE}_{n, m, q, \chi }} = \Big | \Pr \big [\mathcal A \big (\mathbf {A}, \mathbf {A}^\top \mathbf {s} + \mathbf {z}\big )= 1 \big ] - \Pr \big [\mathcal A\big (\mathbf {A}, \mathbf {w}+ \mathbf {z}\big ) = 1 \big ] \Big |\) where \(\mathbf {A}\leftarrow \mathbb {Z}_q^{n \times m}\), \(\mathbf {s} \leftarrow \mathbb {Z}_q^n\), \(\mathbf {w}\leftarrow \mathbb {Z}_q^m\), and \(\mathbf {z}\leftarrow \chi \). We say that the \(\mathsf {LWE}\) assumption holds if \(\mathsf {Adv}_{\mathcal A}^{\mathsf {LWE}_{n, m, q, \chi }}\) is negligible for all PPT algorithm \(\mathcal A\).

We note adding the noise term \(\mathbf {z}\leftarrow \chi \) to the uniform element in \(\mathbf {w}\leftarrow \mathbb {Z}^m_q\) is done intentional. This is only a syntactical change to make the proof using Lemma 3 during the security proof easier as done in prior works [18, 19].

For prime q and \(\alpha \in (0, 1)\), the (decisional) \(\mathsf {LWE}_{n, m, q, D_{\mathbb Z, \alpha q}}\) for \(\alpha q > 2\sqrt{n}\) has been shown by Regev [24] via a quantum reduction to be as hard as approximating the worst-case \(\mathsf{SIVP}\) and \(\mathsf {GapSVP}\) problems to within \(\tilde{O}(n/\alpha )\) factors in the \(\ell _2\)-norm in the worst case. In the subsequent works, (partial) dequantumization of the reduction were achieved [7, 21].

3 Blind Identity-Based Encryption with Certified Identities

In this section, we present a new and secure IBE formalization that resolves the key escrow problem. As mentioned in the introduction, we refer to this primitive as blind IBE with certified identities, since the secret key-generation process can be seen as blind IBE [8, 15] with an ICA to certify users’ identities. For simplicity, we occasionally call it “IBE” for simplicity.

In our scheme, users first authenticate themselves with the ICA to obtain certificates, which they then use to run an interactive protocol with the KGC and construct secret keys \(\mathsf{sk}_\mathsf{ID}\) for use as in standard IBE. Here, the KGC never knows which user \(\mathsf{ID}\) it is interacting with, and in particular, this implies that it does not know the \(\mathsf{sk}_\mathsf{ID}\). We assume that users communicate with the ICA and the KGC via secure channels. Note that we use the same encryption and decryption algorithms as in standard IBE.

Definition 2

(Blind IBE with Certified Identities). A blind IBE scheme with certified identities \(\varPi _\mathsf{IBE}\) consists of the following PPT algorithms:

  • \(\mathsf{Setup}(1^\lambda ) \rightarrow \mathsf{params}\): The setup algorithm takes as input a security parameter \(1^\lambda \), and outputs a public parameter \(\mathsf{params}\). We assume the identity space \(\mathcal {ID}\) and the message space \(\mathcal {M}\) are defined by \(\mathsf{params}\). Moreover, we assume \(\mathsf{params}\) are implicitly provided as input to all algorithms.

  • \(\mathsf{KGC.KeyGen}(\mathsf{params}) \rightarrow (\mathsf{mpk}, \mathsf{msk})\): The setup algorithm run by KGC takes as input \(\mathsf{params}\), and outputs a master public key \(\mathsf{mpk}\) and a master secret key \(\mathsf{msk}\).

  • \(\mathsf{ICA.KeyGen}(\mathsf{params}) \rightarrow (\mathsf{vk}, \mathsf{ik})\): The key-generation algorithm run by ICA takes as input \(\mathsf{params}\), and outputs a certificate verification key \(\mathsf{vk}\) and a certificate-issuing key \(\mathsf{ik}\).

  • \(\mathsf{ICA.Cert}(\mathsf{vk},\mathsf{ik},\mathsf{ID}) \rightarrow (\mathsf{cert}, \mathsf{td})\): The certificate-issuing algorithm run by ICA takes as inputs a certificate verification key \(\mathsf{vk}\), certificate-issuing key \(\mathsf{ik}\) and an identity \(\mathsf{ID}\in \mathcal {ID}\), and outputs a certificate \(\mathsf{cert}\) and a trapdoor information \(\mathsf{td}\).

  • \(\mathsf{IBE.Enc}(\mathsf{mpk},\mathsf{ID},\mathsf {M}) \rightarrow \mathsf{ct}\): The encryption algorithm run by a user takes as inputs the master public key \(\mathsf{mpk}\), an identity \(\mathsf{ID}\in \mathcal {ID}\) and a message \(\mathsf {M}\in \mathcal {M}\), and outputs a ciphertext \(\mathsf{ct}\).

  • \(\mathsf{IBE.Dec}(\mathsf{mpk},\mathsf{sk}_{\mathsf{ID}}, \mathsf{ct}) \rightarrow \mathsf {M}\text { or } \bot \): The decryption algorithm run by a user takes as input the master public key \(\mathsf{mpk}\), a secret key \(\mathsf{sk}_{\mathsf{ID}}\) and a ciphertext \(\mathsf{ct}\), and outputs \(\mathsf {M}\) or \(\bot \).

  • \(\langle \mathsf{ObtainKey}(\mathsf{mpk},\mathsf{ID},\mathsf{cert},{\mathsf{td}}), \mathsf{IssueKey}(\mathsf{mpk},\mathsf{msk},\mathsf{vk}) \rangle \): The interactive key-issuing protocol between a user and the KGC involves two interactive algorithms \(\mathsf{ObtainKey}\) and \(\mathsf{IssueKey}\). The user and the KGC interactively run the \(\mathsf{ObtainKey}\) algorithm and the \(\mathsf{IssueKey}\) algorithm, respectively, as follows.

    • User: The user takes as input \((\mathsf{mpk}\), \(\mathsf{ID}\), \(\mathsf{cert}\), \({\mathsf{td}})\) as specified by the input of \(\mathsf{ObtainKey}\), and sends a first-round message \(\mathsf{M}_\mathsf{user}\) to KGC.

    • KGC: The KGC takes as input \((\mathsf{mpk}\), \(\mathsf{msk}\), \(\mathsf{vk})\) as specified by the input of \(\mathsf{IssueKey}\) along with the message \(\mathsf{M}_\mathsf{user}\) sent by the user, and returns a second-round message \(\mathsf{M}_\mathsf{KGC}\) to the user.

    • User: On input the message \(\mathsf{M}_\mathsf{KGC}\) from the KGC, the user (locally) outputs either \(\mathsf{sk}_\mathsf{ID}\) or \(\bot \).

    We denote \( (\mathsf{sk}, \epsilon ) \leftarrow \langle \mathsf{ObtainKey}(\mathsf{mpk}, \mathsf{ID}, \mathsf{cert}, \mathsf{td}) , \mathsf{IssueKey}( \mathsf{mpk}, \mathsf{msk}, \mathsf{vk} ) \rangle \) to indicate that the final output obtained by the user and the KGC are the secret key \(\mathsf{sk}_\mathsf{ID}\) and an empty string \(\epsilon \), respectively. Note that depending on what the KGC responds as the second message \(\mathsf{M}_\mathsf{KGC}\), \(\mathsf{sk}_\mathsf{ID}\) may be set to \(\bot \). Furthermore, we call \((\mathsf{M}_\mathsf{user}, \mathsf{M}_\mathsf{KGC})\) as the transcript of the protocol.

Correctness. For all \(\lambda \in \mathbb {N}\), all \(\mathsf{ID}\in \mathcal {ID}\), and all \(\mathsf {M}\in \mathcal {M}\), \(\mathsf{IBE.Dec}(\mathsf{mpk},\mathsf{sk}_{\mathsf{ID}}, \mathsf{ct})=\mathsf {M}\) holds with overwhelming probability where it is taken over the randomness used in running \(\mathsf{params}\leftarrow { \mathsf{Setup}}(1^\lambda )\), \((\mathsf{mpk},\mathsf{msk})\leftarrow \mathsf{KGC.KeyGen}(\mathsf{params})\), \((\mathsf{vk},\mathsf{ik})\leftarrow \mathsf{ICA.KeyGen}(\mathsf{params})\), \((\mathsf{cert},\mathsf{td})\leftarrow \mathsf{ICA.Cert}(\mathsf{vk},\mathsf{ik},\mathsf{ID})\), \((\mathsf{sk}_{\mathsf{ID}},\epsilon )\leftarrow \langle \mathsf{ObtainKey}(\mathsf{mpk},\mathsf{ID},\mathsf{cert},\mathsf{td}), \mathsf{IssueKey}(\mathsf{mpk},\mathsf{msk},\mathsf{vk}) \rangle \), and \(\mathsf{ct} \leftarrow \mathsf{IBE.Enc}(\mathsf{mpk},\mathsf{ID},\mathsf {M})\).

Remark 1

(On the round complexity of key issuing). The above definition only considers a two-move key-issuing protocol. One can easily generalize the definition to a multi-move protocol, however, we restricted it to a two-move protocol for simplicity. Indeed, the instantiation we provide in Sect. 4 will be two-move.

Security Against Users. As in standard IBE, we consider the notion of security against corrupted users and define indistinguishability against chosen plaintext attacks. We call this IND-ANON-CPA, to explicitly indicate that it implies anonymity. Broadly speaking, this differs from other similar definitions or standard IBE in that an adversary \(\mathcal {A}\) can access the certifying oracle, that will output certificates for any \(\mathsf{ID}\) (except the challenge identity \(\mathsf{ID}^*\)), and can also supply the certificates obtained to the key-generation oracle. Note that we do not consider an adversary \(\mathcal {A}\) that can obtain a certificate for \(\mathsf{ID}^*\), since this will allow \(\mathcal {A}\) to trivially break security. This corresponds to the assumption that, in practice, an adversary cannot obtain a certificate for the challenge identity \(\mathsf{ID}^*\).

Definition 3

(IND-ANON-CPA). We define IND-ANON-CPA security by the following game between a challenger and a PPT adversary \({\mathcal A}\). Below, let \(\mathsf{CTSamp}\) be a sampling algorithm that takes a master public key as input and outputs an element in the ciphertext space.

  • Setup. At the outset of the game, the challenger runs \(\mathsf{params}\leftarrow \mathsf{Setup}(1^\lambda )\), \((\mathsf{mpk},\mathsf{msk})\leftarrow \mathsf{KGC.KeyGen}(\mathsf{params})\), \((\mathsf{vk},\mathsf{ik})\leftarrow \mathsf{ICA.KeyGen}(\mathsf{params})\), and initializes an empty list \(\mathsf{IDList}:=\emptyset \). The challenger further picks a random coin \(\mathsf {coin}\leftarrow \{0,1\}\) and keeps it secret. The challenger gives \((\mathsf{params}, \mathsf{mpk}, \mathsf{vk})\) to \(\mathcal {A}\). After this, \(\mathcal {A}\) can adaptively make the following three types of queries to the challenger in arbitrary order: certificate, secret key, and challenge queries. \(\mathcal {A}\) can query the first two arbitrarily polynomially many times and the third only once.

    • Certificate Query: If \(\mathcal {A}\) submits \(\mathsf{ID}\in \mathcal {ID}\) to the challenger, the challenger computes \((\mathsf{cert},\mathsf{td})\leftarrow \mathsf{ICA.Cert}(\mathsf{vk},\mathsf{ik},\mathsf{ID})\) and returns \((\mathsf{cert},\mathsf{td})\) to \(\mathcal {A}\). It then stores \(\mathsf{ID}\) to IDList.

    • Secret Key Query: If \(\mathcal {A}\) submits a first-round message \(\mathsf{M}_\mathsf{user}\) to the challenger, the challenger runs the \(\mathsf{IssueKey}\) algorithm taking as inputs \((\mathsf{mpk}\), \(\mathsf{msk}\), \(\mathsf{vk})\) and the message \(\mathsf{M}_\mathsf{user}\), and obtains a second-round message \(\mathsf{M}_\mathsf{KGC}\). It then returns \(\mathsf{M}_\mathsf{KGC}\) to \(\mathcal {A}\).

    • Challenge Query: If \(\mathcal {A}\) submits \((\mathsf{ID}^*, \mathsf {M}^*)\) to the challenger where \(\mathsf{ID}^*\in \mathcal {ID}\), \(\mathsf{ID}^*\not \in \mathsf{IDList}\), and \(\mathsf {M}^*\in \mathcal {M}\), the challenger proceeds as follows: If \(\mathsf {coin}=0\), the challenger returns \(\mathsf{ct}^*\leftarrow \mathsf{IBE.Enc}(\mathsf{mpk},\mathsf{ID}^*, \mathsf {M}^*)\). Otherwise, if \(\mathsf {coin}= 1\), the challenger returns \(\mathsf{ct}^*\leftarrow \mathsf{CTSamp}(\mathsf{mpk})\).

  • Guess. \(\mathcal {A}\) outputs a guess \({\widehat{\mathsf{coin}}}\in \{0,1\}\) for \(\mathsf {coin}\). We say that \(\varPi _\mathsf{IBE}\) is IND-ANON-CPA secure if the advantage

    $$\mathsf {Adv}_{\mathsf{IBE}, \mathcal {A}}^{\mathrm{IND\text {-}ANON\text {-}CPA}}(\lambda )=\left| \Pr [\mathsf {coin}= {\widehat{\mathsf{coin}}}]- 1/2 \right| $$

    is negligible for any PPT adversary \({\mathcal A}\).

Security Against the KGC. We also consider the notion of security against the honest-but-curious KGC, which follows the protocol but attempts to obtain information about the underlying plaintexts from the observed ciphertexts. This is a more stringent and practical security notion than the corresponding notion informally stated in [10]. A more detailed explanation on the difference between prior works is provided in Remark 2. In brief, our definition guarantees that if the KGC runs, i.e., generates secret keys as specified, it cannot obtain any information about the corresponding identities or plaintexts from ciphertexts, even if it uses knowledge obtained via the key-issuing protocol.

At the start of the security game, the adversary \(\mathcal {A}\) is given the master secret key \(\mathsf{msk}\) along with all public information \((\mathsf{mpk}, \mathsf{params},\mathsf{vk})\). In addition, \(\mathcal {A}\) is allowed to access two oracles, namely, the key-generation and encryption oracles. First, \(\mathcal {A}\) obtains the secret key \(\mathsf{sk}_{\mathsf{ID}}\) for a randomly chosen identity \(\mathsf{ID}\) from the key-generation oracle. This captures the scenario where an unknown user \(\mathsf{ID}\) generates their secret key \(\mathsf{sk}_{\mathsf{ID}}\) via executing \(\langle \mathsf{ObtainKey}, \mathsf{IssueKey} \rangle \) with the KGC. The identities sent to the key-generation oracle are stored in an identity list \(\mathsf {IDList}\). In addition, for any plaintext \(\mathsf {M}\) and any \(\mathsf{ID}\) in \(\mathsf {IDList}\), \(\mathcal {A}\) can ask for a ciphertext \(\mathsf{ct}\) from the encryption oracle. This captures the scenario where the KGC can observe ciphertexts for all users to whom it has issued secret keys. In the challenge phase, \(\mathcal {A}\) specifies the challenge identity \(\mathsf{ID}^*\) from \(\mathsf {IDList}\) (and submits an arbitrary message \(\mathsf {M}^*\)) to obtain the challenge ciphertext \(\mathsf{ct}^*\). Note that \(\mathcal {A}\) does not specify \(\mathsf{ID}\) nor \(\mathsf{ID}^*\) itself, but simply specifies the indices in \(\mathsf {IDList}\). It is clear that if ciphertexts reveal any information about the corresponding identities, \(\mathcal {A}\) could easily win the game by creating \(\mathsf{sk}_{\mathsf{ID}^*}\). In particular, our definition captures both indistinguishability and anonymity.

Definition 4

(IND-ANON-KGC). We define IND-ANON-KGC security by the following game between a challenger and a PPT adversary \({\mathcal A}\). Below, let \(\mathsf{CTSamp}\) be a sampling algorithm that takes a master public key as input and outputs an element in the ciphertext space.Footnote 3

  • Setup. At the outset of the game, the challenger runs \(\mathsf{params}\leftarrow \mathsf{Setup}(1^\lambda )\), \((\mathsf{mpk}, \mathsf{msk}) \leftarrow \mathsf{KGC.KeyGen}(\mathsf{params})\), \((\mathsf{vk},\mathsf{ik})\leftarrow \mathsf{ICA.KeyGen}(\mathsf{params})\) and initializes an empty set \(\mathsf {IDList}:=\emptyset \) and an integer \(Q_\mathsf{key}:= 0\). The challenger further picks a random coin \( \mathsf {coin}\leftarrow \{0,1\}\) and keeps it secret. The challenger gives \((\mathsf{params}, \mathsf{mpk}, \mathsf{msk}, \mathsf{vk})\) to \(\mathcal {A}\). After this, \(\mathcal {A}\) can adaptively make the following three types of queries to the challenger in an arbitrary order: encryption, issue key, and challenge queries. \(\mathcal {A}\) can query the first two arbitrarily polynomial many times and the third only once.

    • Encryption Query: If \(\mathcal {A}\) submits an index i and a message \( \mathsf {M}\in \mathcal {M}\) to the challenger, the challenger first checks if \(i \in [Q_\mathsf{key}]\) where [0] is defined as the empty set. If not, the challenger forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\) in \( \{ 0,1 \} \). Otherwise, the challenger retrieves the i-th entry \(\mathsf{ID}\) of \(\mathsf {IDList}\) and returns \(\mathsf{ct} \leftarrow {\mathsf{IBE.Enc}}(\mathsf{mpk},\mathsf{ID}, \mathsf {M})\).

    • IssueKey Query: If \(\mathcal {A}\) makes an IssueKey query, the challenger first randomly samples \(\mathsf{ID} \leftarrow \mathcal {ID}\) and computes \((\mathsf{cert},\mathsf{td})\leftarrow \mathsf{ICA.Cert}(\mathsf{vk},\mathsf{ik},\mathsf{ID})\). It then runs \(\mathsf{ObtainKey}\) on inputs \((\mathsf{mpk}\), \(\mathsf{ID}\), \(\mathsf{cert}\), \(\mathsf{td})\) to obtain the first-round message \(\mathsf{M}_\mathsf{user}\) and returns \(\mathsf{M}_\mathsf{user}\) to \(\mathcal {A}\). Finally, the challenger stores \(\mathsf{ID}\) to \(\mathsf {IDList}\) and updates \(Q_\mathsf{key}\leftarrow Q_\mathsf{key}+ 1\).

    • Challenge Query: If \(\mathcal {A}\) submits \((\mathsf {M}^*, i^*)\) to the challenger where \(\mathsf {M}^*\in \mathcal {M}\), the challenger first checks if \(i^*\in [Q_\mathsf{key}]\). If not, the challenger forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\) in \( \{ 0,1 \} \). Otherwise, the challenger proceeds as follows: The challenger first retrieves the \(i^*\)-th entry \(\mathsf{ID}^*\) of \(\mathsf {IDList}\). Then, if \(\mathsf {coin}=0\), the challenger returns \(\mathsf{ct}^*\leftarrow \mathsf{IBE.Enc}(\mathsf{mpk},\mathsf{ID}^*, \mathsf {M}^*)\). Otherwise, if \(\mathsf {coin}=1\), the challenger returns \(\mathsf{ct}^*\leftarrow \mathsf{CTSamp}(\mathsf{mpk})\).

  • Guess. \(\mathcal {A}\) outputs a guess \({\widehat{\mathsf{coin}}}\in \{0,1\}\) for \(\mathsf {coin}\). We say that \(\varPi _\mathsf{IBE}\) is IND-ANON-KGC secure if the advantage

    $$\mathsf {Adv}_{\mathsf{IBE}, \mathcal {A}}^{\mathrm{IND\text {-}ANON\text {-}KGC}}(\lambda )=\left| \Pr [\mathsf {coin}= {\widehat{\mathsf{coin}}}]- 1/2 \right| $$

    is negligible for any PPT adversary \({\mathcal A}\).

Remark 2

(Differences from the existing definition). As described above, our idea is based on Chow’s work [10]. However, Chow’s notion of security against the KGC (ACI-KGC) is defined for standard IBE under the assumption that the KGC does not know the identities used in the system. However, this assumption is generally invalid since, in practice, the KGC manages identity lists in order to identify users before generating their keys.Footnote 4 By contrast, IND-ANON-KGC is defined for a version of IBE where the KGC generates secret keys without having access to such an identity list, meaning that the key-generation process does not violate the real-world usage.

Security Against the ICA. Unlike Chow’s work [10] that only considered a fully trusted ICA, we aim to define security against a potentially malicious ICA. However, such a definition is difficult. A malicious ICA can generate certificates for any identity \(\mathsf{ID}\) and thereby obtain the corresponding secret keys by impersonating the user and interacting with the KGC. Therefore, in principle, we cannot allow the ICA to have arbitrary access to the key-generation oracle (i.e., interacting with the KGC). Given this, we model the malicious ICA that generates a potentially malicious key pair \((\mathsf{vk},\mathsf{ik})\) Given this, we model the malicious ICA to have the capability of generating a potentially malicious key pair \((\mathsf{vk},\mathsf{ik})\)Footnote 5 while disallowing it to have access to the key-generation oracle. Unlike Chow’s definition, our definition prevents to construct a trivial IBE scheme secure against the KGC mentioned in the introduction; the ICA plays the role of the KGC in a standard IBE scheme and the KGC does nothing.

Definition 5

(IND-ANON-ICA). We define IND-ANON-ICA security by the following game between a challenger and an PPT adversary \({\mathcal A}\). Below, let \(\mathsf{CTSamp}\) be a sampling algorithm that takes a master public key as input and outputs an element in the ciphertext space.

  • Setup. At the outset of the game, the challenger runs \(\mathsf{params}\leftarrow \mathsf{Setup}(1^\lambda )\) and \((\mathsf{mpk},\mathsf{msk})\leftarrow \mathsf{KGC.KeyGen}(\mathsf{params})\). The challenger picks a random coin \(\mathsf {coin}\leftarrow \{ 0,1 \} \) and keeps it secret. The challenger gives \((\mathsf{params}, \mathsf{mpk})\) to \(\mathcal {A}\). Then, \(\mathcal {A}\) can make the following challenge query once.

    • Challenge Query: If \(\mathcal {A}\) submits \((\mathsf{ID}^*, \mathsf {M}^*)\) to the challenger where \(\mathsf{ID}^*\in \mathcal {ID}\) and \(\mathsf {M}^*\in \mathcal {M}\), the challenger proceeds as follows: If \(\mathsf {coin}=0\), the challenger returns \(\mathsf{ct}^*\leftarrow \mathsf{IBE.Enc}(\mathsf{mpk},\mathsf{ID}^*,\mathsf {M}^*)\). Otherwise, if \(\mathsf {coin}=1\), the challenger returns \(\mathsf{ct}^*\leftarrow {\mathsf{CTSamp}}(\mathsf{mpk})\).

  • Guess. \(\mathcal {A}\) outputs a guess \({\widehat{\mathsf{coin}}}\in \{0,1\}\) for \(\mathsf {coin}\). We say that \(\varPi _\mathsf{IBE}\) is IND-ANON-ICA secure if the advantage

    $$\mathsf {Adv}_{\mathsf{IBE}, \mathcal {A}}^{\mathrm{IND\text {-}ANON\text {-}ICA}}(\lambda )=\left| \Pr [\mathsf {coin}={\widehat{\mathsf{coin}}}]- 1/2 \right| $$

    is negligible for any PPT adversary \({\mathcal A}\).

Remark 3

One can consider a stronger definition than what we define above; the malicious ICA is allowed to get secret keys for any \(\mathsf{ID} \ (\ne \mathsf{ID}^*)\) during the game. The reason why we do not define this stronger notion is that, compared to our weaker definition, it seems to only capture some additional unnatural scenarios. In practice, if the ICA can impersonate any user \(\mathsf{ID} \ (\ne \mathsf{ID}^*)\) and interact with the KGC, it is only fair to assume that it is also able to impersonate \(\mathsf{ID}^*\), and hence, obtain a secret key for \(\mathsf{ID}^*\) by interacting with the KGC. Nonetheless, we like to point out that our construction appearing in the next section can in fact be proven to satisfy such a stronger definition.

4 Proposed IBE Scheme

In this section, we present our proposed scheme. This combines the GPV IBE scheme [14] with Rückert’s full-domain hash style lattice-based blind signature scheme [25]. Although Rückert [26] later found [25] that his signature scheme is vulnerable (to an attack we will explain later), fortunately, this vulnerability does not affect our scheme, where the ICA issues a certificate and the KGC issues a secret key only if the certificate is valid.

Construction. Let the identity space \(\mathcal {ID}\) of the IBE scheme \(\varPi _\mathsf{IBE}\) be \(\mathcal {ID}= \{ 0,1 \} ^*\). In practice, by using collusion resistant hash functions, we can set \(\mathcal {ID}= \{ 0,1 \} ^\ell \) for \(\ell = O(\lambda )\). Here, we occasionally treat elements in \(\mathbb {Z}_q^n\) as binary strings over \( \{ 0,1 \} ^{n \log q}\) through some fixed canonical embedding. Let \(\mathsf {PRF}: \mathcal {K}\times \mathcal {X} \rightarrow \mathcal {Y}\) be any pseudorandom function with appropriate domain \(\mathcal X\) and range \(\mathcal Y\). I.e., let \(\mathcal X\) include \(\mathcal {ID}\) and the set of all the first-round messages \(\mathsf{M}_\mathsf{user}\), and let range \(\mathcal Y\) include an appropriate length of randomness used by algorithms \(\mathsf{ICA.Cert}\) and \(\mathsf{IssueKey}\). Finally, let \(\varPi _\mathsf{Sig}: (\mathsf{Sig.KeyGen}\), \(\mathsf{Sig.Sign}\), \(\mathsf{Sig.Verify})\) be a deterministic digital signature scheme with message space \( \{ 0,1 \} ^{n \log q}\) where the randomness used to sign a message is derived deterministically from the signing key and the message. Using PRFs, any digital signature scheme can be derandomized. We assume that \(\varPi _\mathsf{Sig}\) provides the standard security notion of existential unforgeability under an adaptive chosen message attack (\(\mathsf {eu\text {-}cma}\)).

  • \(\mathsf{Setup}(1^\lambda )\): Choose positive integers nm and prime q, and output \(\mathsf{params}=(1^\lambda , 1^n, 1^m,q, \alpha ', \sigma , \mathsf {H})\), where \(\mathsf {H}: \{ 0,1 \} ^* \rightarrow \mathbb {Z}_q^n\) is a hash function modeled as a random oracle.

  • \(\mathsf{KGC.KeyGen}(\mathsf{params})\): Run \((\mathbf {A},\mathbf {T_A})\leftarrow \mathsf {TrapGen}(1^n,1^m,q)\) and sample a PRF key \(\mathsf {s}_\mathsf{KGC}\leftarrow \mathcal {K}\). Then, output a master pubic key \(\mathsf{mpk}=\mathbf {A}\in \mathbb {Z}_q^{n \times m}\) and a master secret key \(\mathsf{msk}= (\mathbf {T}_{\mathbf {A}} , \mathsf {s}_\mathsf{KGC})\).

  • \({\mathsf{ICA.KeyGen}}(\mathsf{params})\): Run \((\mathsf{vk}_\mathsf{Sig},\mathsf{sk}_\mathsf{Sig})\leftarrow \mathsf{Sig.KeyGen}(1^\lambda )\) and sample a PRF key \(\mathsf {s}_\mathsf{ICA}\leftarrow \mathcal {K}\). Then, output a certificate verification key \(\mathsf{vk} = \mathsf{vk}_\mathsf{Sig}\) and a certificate issuing key \(\mathsf{ik} = (\mathsf{sk}_\mathsf{Sig}, \mathsf {s}_\mathsf{ICA})\).

  • \({\mathsf{ICA.Cert}}(\mathsf{vk},\mathsf{ik},\mathsf{ID})\): Parse \(\mathsf{ik} = (\mathsf{sk}_\mathsf{Sig}, \mathsf {s}_\mathsf{ICA})\) and compute \(\mathbf {u}_{\mathsf{ID}}=\mathsf {H}(\mathsf{ID})\). Then, sample a short vector \(\mathbf {y}_{\mathsf{ID}, 1} \leftarrow \{ 0,1 \} ^m\) and compute \(\mathbf {u}_{\mathsf{ID}, 1} = \mathbf {A}\mathbf {y}_{\mathsf{ID}, 1}\). Furthermore, compute \(\mathbf {u}_{\mathsf{ID}, 2}=\mathbf {u}_{\mathsf{ID}} - \mathbf {u}_{\mathsf{ID}, 1} \in \mathbb {Z}_q^n\) and \(\sigma _\mathsf{Sig}\leftarrow \mathsf{Sig.Sign}(\mathsf{sk}_\mathsf{Sig},\mathbf {u}_{\mathsf{ID}, 2})\). Finally, output a certificate \(\mathsf{cert}= (\mathbf {u}_{\mathsf{ID}, 2},\sigma _\mathsf{Sig})\) and trapdoor information \(\mathsf{td}= \mathbf {y}_{\mathsf{ID}, 1}\). Here, we assume all the randomness used in this algorithm is derived from \(r_\mathsf{ID} \leftarrow \mathsf {PRF}(\mathsf {s}_\mathsf{ICA}, \mathsf{ID})\).

  • \({\mathsf{IBE.Enc}}(\mathsf{mpk},\mathsf{ID}, \mathsf {M})\): Compute \(\mathbf {u}_{\mathsf{ID}}=\mathsf {H}(\mathsf{ID})\). To encrypt a message \(\mathsf {M}\in \{ 0,1 \} \), sample \(\mathbf {s} \leftarrow \mathbb {Z}_q^n\), \(\mathbf {x} \leftarrow D_{\mathbb {Z}^m, \alpha ' q}\), and \(x \leftarrow D_{\mathbb {Z}, \alpha ' q}\), and compute \(c_0=\mathbf {u}_{\mathsf{ID}}^\top \mathbf {s}+x+ \mathsf {M}\lfloor q/2 \rceil \) and \(\mathbf {c}_1= \mathbf {A}^\top \mathbf {s}+\mathbf {x}\). Finally, output a ciphertext \(\mathsf{ct}=(c_0,\mathbf {c}_1)\).

  • \({\mathsf{IBE.Dec}}(\mathsf{mpk},\mathsf{sk}_{\mathsf{ID}},\mathsf{ct})\): Parse \(\mathsf{sk}_\mathsf{ID} = \mathbf {e}_\mathsf{ID}\) and \(\mathsf{ct}=(c_0,\mathbf {c}_1)\). Compute \(w = c_0-\mathbf {e}_{\mathsf{ID}}^\top \mathbf {c}_1\). Output 0 if w is closer to 0 than to \(\lfloor q/2 \rfloor \) modulo q, and 1, otherwise.

  • \(\langle \mathsf{ObtainKey}(\mathsf{mpk},\mathsf{ID},\mathsf{cert},\mathsf{td}),\mathsf{IssueKey}(\mathsf{mpk},\mathsf{msk},\mathsf{vk}) \rangle \): The user and the KGC interactively runs \(\mathsf{ObtainKey}\) and \(\mathsf{IssueKey}\), respectively.

    • User: On input \((\mathsf{mpk}\), \(\mathsf{ID}\), \(\mathsf{cert}, \mathsf{td})\), set the first-round message \(\mathsf{M}_\mathsf{user}= \mathsf{cert}\) and send \(\mathsf{M}_\mathsf{user}\) to the KGC. Here, \(\mathsf{cert}=(\mathbf {u}_{\mathsf{ID}, 2},\sigma _\mathsf{Sig})\).

    • KGC: On input \((\mathsf{mpk}\), \(\mathsf{msk}\), \(\mathsf{vk})\) and the first-round message \(\mathsf{M}_\mathsf{user}\), parse \(\mathsf{vk} = \mathsf{vk}_\mathsf{Sig}\) and \(\mathsf{M}_\mathsf{user}=(\mathbf {u}_{\mathsf{ID}, 2},\sigma _\mathsf{Sig})\). If \(\mathsf{Sig.Verify}(\mathsf{vk}_\mathsf{Sig}, \mathbf {u}_{\mathsf{ID}, 2}, \sigma _\mathsf{Sig}) = \bot \), then set \(\mathsf{M}_\mathsf{KGC}=\bot \) and send \(\mathsf{M}_\mathsf{KGC}\) to the user. Otherwise, parse \(\mathsf{mpk}=\mathbf {A}\) and \(\mathsf{msk}=(\mathbf {T}_{\mathbf {A}}, \mathsf {s}_\mathsf{KGC})\). Then, sample a short vector \(\mathbf {y}_{\mathsf{ID}, 2} \leftarrow \mathsf {SamplePre}(\mathbf {A}, \mathbf {u}_{\mathsf{ID}, 2}, \mathbf {T}_\mathbf {A}, \sigma )\), set \(\mathsf{M}_\mathsf{KGC}=\mathbf {y}_{\mathsf{ID}, 2}\), and send \(\mathsf{M}_\mathsf{KGC}\) to the user. Here, we assume all the randomness used in this algorithm is derived from \(r_{\mathsf{M}_\mathsf{user}} \leftarrow \mathsf {PRF}(\mathsf {s}_\mathsf{KGC}, \mathsf{M}_\mathsf{user})\).

    • User: If \(\mathsf{M}_\mathsf{KGC}=\bot \), then output \(\bot \). Otherwise, parse \(\mathsf{td}= \mathbf {y}_{\mathsf{ID}, 1}\) and \(\mathsf{M}_\mathsf{KGC}=\mathbf {y}_{\mathsf{ID}, 2}\), set \(\mathbf {e}_{\mathsf{ID}}=\mathbf {y}_{\mathsf{ID}, 1} + \mathbf {y}_{\mathsf{ID}, 2}\) and (locally) output the secret key \(\mathsf{sk}_{\mathsf{ID}}=\mathbf {e}_{\mathsf{ID}}\).

Remark 4

(Generating randomness via PRFs). Here, we generate the randomness used by the \(\mathsf{ICA.Cert}\) and \(\mathsf{IssueKey}\) algorithms via PRFs. This has the effect of only allowing the adversary to obtain one valid certificate \(\mathsf{cert}\) per identity \( \mathsf{ID}\) and one valid second-round message \(\mathsf{M}_\mathsf{KGC}\) per first-round message \(\mathsf{M}_\mathsf{user}(=\mathsf{cert})\). We require this condition during the security proof for reasons similar to those for other lattice-based IBE schemes [2, 9, 14].

Remark 5

(Role of certificates). If the validity of \(\mathsf{cert}\) is not checked, then users can obtain information about the master secret key as follows. First, the user samples \(\mathbf {y}_1\) from \(\mathbb {Z}_q^m\), computes \(\mathbf {u}^\prime =\mathbf {A}\mathbf {y}_1\), and then sends \(\mathbf {u}^\prime \) directly to the KGC, which returns \(\mathbf {e}_{\mathsf{ID}}\) such that \(\mathbf {A}\mathbf {e}_{\mathsf{ID}}=\mathbf {u}^\prime \). If we let \(\mathbf {e}=\mathbf {y}_1-\mathbf {e}_{\mathsf{ID}}\), then \(\mathbf {A}\mathbf {e}=\mathbf {A}(\mathbf {y}_1-\mathbf {e}_{\mathsf{ID}})=\mathbf {0}\). This means that the user has obtained an \(\mathbf {e}\) satisfying \(\mathbf {A}\mathbf {e}=\mathbf {0}\). If enough users collude together, than we can recover a trapdoor \(\mathbf {T}_\mathbf {A}\) for \(\mathbf {A}\) such that \(\mathbf {A}\mathbf {T}_\mathbf {A}= \mathbf {0}\). Thus, for the security proof, we must require that users cannot obtain such an \(\mathbf {e}\). This attack has been identified by Rückert [26] as an issue in constructing a full-domain-hash style lattice-based blind signature scheme. In our scheme, users have no choice but to use the \(\mathbf {u}^\prime _{\mathsf{ID}}\) issued by the ICA unless they can forge \(\mathsf{cert}\), and this issue does not appear.

Correctness. The following lemma states the correctness of our blind IBE scheme with certified identity.

Lemma 5

(Correctness). Suppose the parameters \(q, \sigma \) and \(\alpha '\) satisfy \(\sigma > \omega (\sqrt{n \log m \log q})\) and \(\alpha ' < 1/(8 \sigma \sqrt{m})\). Then our scheme is correct with overwhelming probability.

Proof

If the key issuing protocol between the user and the KGC is run correctly, then any user \(\mathsf{ID}\) will obtain a secret key \(\mathsf{sk}_\mathsf{ID} = \mathbf {e}_\mathsf{ID}\) such that \(\mathbf {A}\mathbf {e}_{\mathsf{ID}}=\mathbf {A}(\mathbf {y}_{\mathsf{ID}, 1} + \mathbf {y}_{\mathsf{ID},2})=\mathbf {u}_{\mathsf{ID}, 1} + \mathbf {u}_{\mathsf{ID}, 2} = \mathbf {u}_{\mathsf{ID}}\). Let \(\mathsf{ct} \leftarrow \mathsf{IBE.Enc}(\mathsf{mpk}, \mathsf{ID}. \mathsf {M})\). Then when we run \(\mathsf{IBE.Dec}\) with \(\mathsf{sk}_\mathsf{ID}\), we obtain \(w = c_0 - \mathbf {e}_\mathsf{ID}^\top \mathbf {c}_1 = \mathsf {M}\lfloor q/ 2 \rceil + x + (\mathbf {y}_{\mathsf{ID}, 1} + \mathbf {y}_{\mathsf{ID}, 2})^\top \mathbf {x}\). By Lemma 4, we have that \(\mathbf {y}_{\mathsf{ID}, 2}\) is distributed negligibly close to \(D_{\Lambda ^\perp _{\mathbf {u}_{\mathsf{ID}, 2}}(\mathbf {A}), \sigma }\). Then, by Lemma 2, we have \(||\mathbf {y}_{\mathsf{ID}, 2} || \le \sigma \sqrt{m}\) with overwhelming probability. Since, \(x \leftarrow D_{\mathbb {Z}, \alpha ' q} \) and \( \mathbf {x} \leftarrow D_{\mathbb {Z}^m, \alpha ' q}\) and \(\mathbf {y}_{\mathsf{ID}, 1} \in \{ 0,1 \} ^m\) the error term w can be bounded by \(|| x + (\mathbf {y}_{\mathsf{ID}, 1} + \mathbf {y}_{\mathsf{ID}, 2})^\top \mathbf {x} || \le 2 \alpha ' q \sigma \sqrt{m}\), where we used the subgaussian property to make a finer analysis of the noise bound on \(\mathbf {y}_{\mathsf{ID}, 1}^\top \mathbf {x}\) (See for example [14, 22]). Hence, for the error term to have absolute value less than q / 4, it suffices to choose the parameters as in the statement.    \(\square \)

Parameter Selection. For the system to satisfy correctness and make the security proof work, we need the following restrictions. Note that we will prove the security of the scheme under the LWE assumption whose noise rate is \(\alpha \), which is lower than \(\alpha '\) that is used in the encryption algorithm.

  • The error term is less than q/4 (i.e., \(\alpha ' < 1/8\sigma \sqrt{m}\) by Lemma 5)

  • TrapGen operates properly (i.e., \(m > 3n\log q\) by Lemma 4)

  • Samplable from \(D_{\mathrm{\Lambda }_\mathbf {u}^{\perp }(\mathbf {A}),\sigma }\) (i.e., \(O( \sqrt{n \log m \log q} )\) by Lemma 4),

  • \(\sigma \) is sufficiently large so that we can apply Lemma 1 (i.e., \(\sigma > \omega (\log {n} )\)),

  • We can apply Lemma 3 (i.e., \(\alpha ' / 2\alpha > \sqrt{(\sigma + 1)^2 m +1}\)),

  • \(\mathsf {LWE}_{n, m, q, D_{\mathbb Z, {\alpha q}}}\) is hard (e.g., \(\alpha q > 2\sqrt{n}\) for prime q).

To satisfy these requirements, for example, we can set the parameters \(m, q, \sigma , \alpha , \alpha '\) as: \(m= n^{1+\kappa }\), \(q = n^{2 +3.5\kappa }\), \(\sigma = n^{0.5+\kappa }\), \(\alpha 'q= n^{1.5 + 2\kappa }\), and \(\alpha q= 2 \cdot n^{0.5}\), where \(\kappa >0\) is a constant that can be set arbitrarily small. In the above, we round up m to the nearest integer and q to the nearest largest prime.

Multi-bit Encryption. Although the above scheme only provides 1-bit encryption, we can extend it to provide k-bit encryption without incurring a factor k blow up of the ciphertext size. We change the range of the hash function as \(\mathsf {H}: \{ 0,1 \} ^* \rightarrow \mathbb {Z}_q^{n\times k}\). Then, a plaintext vector \(\mathsf {M}\in \mathbb {Z}^k_q\) is encrypted as \(\mathbf {c}_0=\mathbf {u}_{\mathsf{ID}}^\top \mathbf {s}+\mathbf {x}^\prime +\mathsf {M}\lfloor q/2 \rceil \in \mathbb {Z}^k_q\) where \(\mathbf {s} \leftarrow \mathbb {Z}_q^{n\times k}\) and \(\mathbf {x}^\prime \leftarrow D_{\mathbb {Z}^k, \alpha ' q}\) (\(\mathbf {c}_1\) is the same). Note that the secret key is now required to be a matrix \(\mathbf {e}_{\mathsf{ID}}\in \mathbb {Z}^{m\times k}\).

5 Security Analysis

Theorem 1

Our blind IBE scheme with certified identity \(\varPi _\mathsf{IBE}\) is IND-ANON-CPA secure in the random oracle model if the underlying signature scheme \(\varPi _\mathsf{Sig}\) is \(\mathsf {eu\text {-}cma}\) secure, the \(\mathsf {PRF}\) is pseudorandom, and assuming the hardness of \(\mathsf {LWE}_{n, m, q, D_{\mathbb {Z}, \alpha q}}\). Alternatively, we can get rid of the second requirement by replacing the \(\mathsf {PRF}\) by the random oracle.

Proof Overview. Here, we give an overview of the proof and the proof is provided in the full version of this paper due to page limitation. The high level structure of the proof follows the original GPV IBE security proof. That is, for a random oracle query \(\mathsf{ID}\), the challenger first samples \(\mathbf {e}_{\mathsf{ID}}\) from \(D_{\mathbb {Z}^m, \sigma }\) and sets \(\mathbf {u}_{\mathsf{ID}}=\mathbf {A}\mathbf {e}_{\mathsf{ID}}\), instead of sampling \(\mathbf {e}_{\mathsf{ID}}\) from \(D_{\Lambda ^\bot _{\mathbf {u}_\mathsf{ID}}(\mathbf {A}), \sigma }\). Since our key-issuing protocol is 2-move, and \(\mathbf {u}_{\mathsf{ID}, 2}\) contained in \(\mathbf {u}_{\mathsf{ID}, 2}\) depends on the key issuing, we employ this idea twice: the challenger samples \(\mathbf {y}_{\mathsf{ID}, 1}\) from \( \{ 0,1 \} ^m\) and \(\mathbf {y}_{\mathsf{ID},2}\) from \(D_{\Lambda ^\perp _\mathbf {u}(\mathbf {A}), \sigma }\), and sets \(\mathbf {u}_{\mathsf{ID}}=\mathbf {A}(\mathbf {y}_{\mathsf{ID}, 1}+\mathbf {y}_{\mathsf{ID},2})\), and also sets \(\mathbf {u}_{\mathsf{ID}, 2}=\mathbf {u}_{\mathsf{ID}} - \mathbf {A}\mathbf {y}_{\mathsf{ID}, 1}\). We remark that the distribution of \(\mathbf {A}\mathbf {y}_{\mathsf{ID},2}\) is statistically close to uniform over \(\mathbb {Z}_q^n\) [14], and thus \(\mathbf {u}_{\mathsf{ID}} \leftarrow \mathbb {Z}_q^n\) and \(\mathbf {u}_{\mathsf{ID}}=\mathbf {A}(\mathbf {y}_{\mathsf{ID}, 1}+\mathbf {y}_{\mathsf{ID},2})\) are identical from \(\mathcal {A}\)’s view. We also remark that we adopt the proof strategy of Katsumata et al. [19]. In the original GPV-IBE scheme the so-called partitioning technique was used to prove security; the simulator divides the identity space into two in such a way that for one partition it can only construct secret keys and for the other it can only construct challenge ciphertexts. However, this proof strategy was notorious for having a loose reduction. Recently, Katsumata et al. [19] provided a much tighter reduction by following the proof technique of the Cramer-Shoup encryption scheme [11]. Since our proof follows the strategy of [19], it enjoys tight security as well.

Theorem 2

Our blind IBE scheme with certified identity \(\varPi _\mathsf{IBE}\) is IND-ANON-KGC secure in the random oracle model if the \(\mathsf {PRF}\) is pseudorandom and assuming the hardness of the \(\mathsf {LWE}_{n, m, q, D_{\mathbb {Z}, \alpha q}}\) problem. Alternatively, we can get rid of the first requirement by replacing the \(\mathsf {PRF}\) by the random oracle.

Proof Overview. In our security proof, we use the fact that \(\mathbf {u}_\mathsf{ID} = \mathsf {H}(\mathsf{ID}) \in \mathbb {Z}_q^n\) is distributed as a uniformly random vector from the view of the adversary in the random oracle model and embed \(\mathbf {u}_\mathsf{ID}\) as the LWE secret, rather than embedding the encryption randomness \(\mathbf {s}\) as in previous proofs. Recall that the LWE assumption informally states the following: given a uniformly random matrix \(\mathbf {B}\leftarrow \mathbb {Z}_q^{n \times \ell }\) and some vector \(\mathbf {v}\in \mathbb {Z}_q^\ell \), there is no PPT algorithm that can decide with non-negligible probability whether \(\mathbf {v}\) is of the form \(\mathbf {B}^\top \mathbf {d}+ \mathbf {x}\) for some secret vector \(\mathbf {d}\leftarrow \mathbb {Z}_q^n\) and noise \(\mathbf {x}\), or a uniformly random vector over \(\mathbb {Z}_q^\ell \). To restate, while in prior proofs encryption randomness \(\mathbf {s}\) was set as the LWE secret \(\mathbf {d}\), during our security proof, we set \(\mathbf {u}_\mathsf{ID} = \mathsf {H}(\mathsf{ID})\) as \(\mathbf {d}\) instead. Moreover, since the encryption randomness \(\mathbf {s}\) of each ciphertext is completely known to the adversary in the IND-ANON-KGC setting, we set each of the \(\mathbf {s}\) as the columns of the LWE matrix \(\mathbf {B}\).

Proof

Let \(\mathcal {A}\) be a PPT adversary against the IND-ANON-KGC security game with advantage \(\epsilon \). We assume \(\mathcal {A}\) makes at most \(Q'\) random oracle queries, Q IssueKey queries, and N encryption queries, where \(Q'(\lambda ), Q(\lambda )\) and \(N(\lambda )\) can be arbitrary large polynomials. We also define the sampling algorithm \(\mathsf{CTSamp}\) as an algorithm which takes any \(\mathsf{mpk} = \mathbf {A}\in \mathbb {Z}_q^{n \times m}\) as input and outputs \((t, \mathbf {A}^\top \mathbf {s} + \mathbf {x}) \in \mathbb {Z}_q \times \mathbb {Z}_q^m\), where \(t\leftarrow \mathbb {Z}_q\), \(\mathbf {s} \leftarrow \mathbb {Z}_q^{n}\), and \(\mathbf {x} \leftarrow D_{\mathbb {Z}^m, \alpha ' q}\). In the following let \(X_i\) denote the event that \(\mathcal {A}\) wins in \(\mathsf {Game}_i\). We modify the games so that in the final game, the adversary will have no winning advantage.

\(\mathsf {Game}_0{:}\) This is the original security game. At the beginning of the game the challenger prepares \(\mathsf{params}\), \((\mathsf{mpk}, \mathsf{msk})\), and \((\mathsf{vk}, \mathsf{ik})\) as specified by the game and gives \((\mathsf{params}, \mathsf{mpk}, \mathsf{msk}, \mathsf{vk})\) to \(\mathcal {A}\). The challenger also prepares two empty lists \(\mathsf {IDList}\) and \(\mathsf{HList}\), and an integer \(Q_\mathsf{key}:= 0\). Here, the list \(\mathsf{HList}\) is absent in the security definition and only introduced to be used throughout this proof. Moreover, throughout this proof, for clarity we adopt the notation \(\mathsf {IDList}[i] = \mathsf{ID}\) to indicate that the i-th index of the list \(\mathsf {IDList}\) is set to \(\mathsf{ID}\). Initially, we have \(\mathsf {IDList}[i] = \bot \) for all \(i \in [Q]\). The challenger also picks a random coin \(\mathsf {coin}\leftarrow \{ 0,1 \} \) which it keeps secret. Finally, the challenger answers to the queries made by the adversary \(\mathcal {A}\) as follows:

  • When \(\mathcal {A}\) makes a random oracle query on \(\mathsf{ID}\), the challenger first checks if \((\mathsf{ID}, \star ) \in \mathsf{HList}\). If so, it retrieves the (unique) tuple \((\mathsf{ID}, \mathbf {u}_\mathsf{ID})\) and returns \(\mathbf {u}_\mathsf{ID}\) to \(\mathcal {A}\). Otherwise, it samples a random \(\mathbf {u}_\mathsf{ID} \leftarrow \mathbb {Z}_q^n\) and updates \(\mathsf{HList}\leftarrow \mathsf{HList}\cup \{ (\mathsf{ID}, \mathbf {u}_\mathsf{ID}) \}\). Then, it returns \(\mathbf {u}_\mathsf{ID}\) to \(\mathcal {A}\). Here, the challenger can query the random oracle similarly to \(\mathcal {A}\) (See the following item on IssueKey query).

  • When \(\mathcal {A}\) makes the j-th (\(j \in [N]\)) encryption query on index i and a message \(\mathsf {M}_j\), the challenger checks \(i \in [Q_\mathsf{key}]\). If not, the challenger forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\leftarrow \{ 0,1 \} \). Otherwise, it retrieves \(\mathsf{ID}_i = \mathsf {IDList}[i]\) and the unique tuple \((\mathsf{ID}_i, \mathbf {u}_{\mathsf{ID}_i}) \in \mathsf{HList}\) (which is guaranteed to exist). Then, it computes \(c^{(j)}_0 = \mathbf {u}_{\mathsf{ID}_i}^\top \mathbf {s}_j + x_j + \mathsf {M}_j \lfloor q/2 \rceil \) and \(\mathbf {c}^{(j)}_1 = \mathbf {A}^\top \mathbf {s}_j + \mathbf {x}_j\) as specified by the scheme and returns the ciphertext \(\mathsf{ct} = (c^{(j)}_0, \mathbf {c}^{(j)}_1)\) to \(\mathcal {A}\).

  • When \(\mathcal {A}\) makes an IssueKey query, the challenger first samples \(\mathsf{ID} \leftarrow \mathcal {ID}\). It then queries the random oracle on input \(\mathsf{ID}\) and receives back \(\mathbf {u}_\mathsf{ID}\). Then, it proceeds with generating \((\mathsf{cert}, \mathsf{td})\) as specified by algorithm \(\mathsf{ICA.Cert}(\mathsf{vk}, \mathsf{ik}, \mathsf{ID})\) (i.e., runs the algorithm after the receiving \(\mathbf {u}_\mathsf{ID} = \mathsf {H}(\mathsf{ID})\) back from the random oracle), and sets the first-round message \(\mathsf{M}_\mathsf{user}= \mathsf{cert}\). It then returns \(\mathsf{M}_\mathsf{user}\) to \(\mathcal {A}\). Finally, the challenger updates \(Q_\mathsf{key}\leftarrow Q_\mathsf{key}+ 1\) and then sets \(\mathsf {IDList}[Q_\mathsf{key}] = \mathsf{ID}\). Here, as in the real scheme, the randomness used to compute \(\mathsf{M}_\mathsf{user}\) is generated by \(r_{\mathsf{ID}} \leftarrow \mathsf {PRF}(\mathsf {s}_\mathsf{ICA}, \mathsf{ID})\), where the PRF key \(\mathsf {s}_\mathsf{ICA}\) is included in the certificate issuing key \(\mathsf{ik}\) which the challenger generates at the beginning of the game.

  • When \(\mathcal {A}\) queries for a challenge ciphertext on index \(i^*\) and a message \(\mathsf {M}^*\), the challenger checks \(i^* \in [Q_\mathsf{key}]\). If not, the challenger forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\leftarrow \{ 0,1 \} \). Otherwise, it retrieves \(\mathsf{ID}_{i^*} = \mathsf {IDList}[i^*]\) and the unique tuple \((\mathsf{ID}_{i^*}, \mathbf {u}_{\mathsf{ID}_{i^*}}) \in \mathsf{HList}\). It returns \(\mathsf{ct}^* \leftarrow \mathsf{CTSamp}(\mathsf{mpk})\) if \(\mathsf {coin}= 1\). Otherwise, if \(\mathsf {coin}= 0\), it proceeds the same as it does for the encryption queries and returns \(\mathsf{ct}^* = (c_0, \mathbf {c}_1) = ( \mathbf {u}_{\mathsf{ID}_{i^*}}^\top \mathbf {s} + x + \mathsf {M}^* \lfloor q/2 \rceil , \mathbf {A}^\top \mathbf {s} + \mathbf {x})\) to \(\mathcal {A}\).

At the end of the game, \(\mathcal {A}\) outputs a guess \({\widehat{\mathsf{coin}}}\) for \(\mathsf {coin}\). Finally, the challenger outputs \({\widehat{\mathsf{coin}}}\). By definition, we have \(\left| \Pr [X_0] - \frac{1}{2} \right| = \left| \Pr [{\widehat{\mathsf{coin}}}= \mathsf {coin}] - \frac{1}{2} \right| = \mathsf {Adv}^{\mathrm{IND\text {-}ANON\text {-}KGC}}_{\mathsf{IBE}, \mathcal {A}}(\lambda )\).

\(\mathsf {Game}_1{:}\) In this game, we change how the challenger generates the randomness used for answering the IssueKey query. In particular, the challenger always samples fresh randomness to be used when made an IssueKey query. Notably, even if the challenger happens to sample the same \(\mathsf{ID}\) on two different IssueKey queries, it will use an independently sampled randomness. The only difference in the view of the adversary \(\mathcal {A}\) in \(\mathsf {Game}_0\) and \(\mathsf {Game}_1\), is how the randomness are generated to answer the IssueKey query. Since the identity space \(\mathcal {ID}\) is exponentially large and \(\mathcal {A}\) only makes \(Q = \mathsf {poly}(\lambda )\) many queries, the probability of sampling the same \(\mathsf{ID}\) for two different IssueKey queries is negligible. Conditioned on this fact, the view of \(\mathcal {A}\) is negligibly close assuming the pseudorandomness of the PRF. Therefore, combing the two arguments, we have \(\left| \Pr [X_0] - \Pr [X_1] \right| = \mathsf {negl}(\lambda )\). In the following games, we will no longer explicitly mention the used randomness for simplicity and assume \(\mathsf{ik} = \mathsf{sk}_\mathsf{Sig}.\)

\(\mathsf {Game}_2{:}\) In this game, we change how the challenger responds to the IssueKey queries. In particular, the challenger responds as follows for an IssueKey query:

  • When \(\mathcal {A}\) queries for an IssueKey query, the challenger first samples \(\mathsf{ID} \leftarrow \mathcal {ID}\). The challenger then queries the random oracle on input \(\mathsf{ID}\) and receives back \(\mathbf {u}_\mathsf{ID}\). Then, it samples \(\mathbf {u}_{\mathsf{ID}, 2} \leftarrow \mathbb {Z}_q^n\) (independent of \(\mathsf{ID}\)) and signs \(\sigma _\mathsf{Sig}\leftarrow \mathsf{Sig.Sign}(\mathsf{sk}_\mathsf{Sig}, \mathbf {u}_{\mathsf{ID}, 2})\), where \(\mathsf{sk}_\mathsf{Sig}\) is included in the certificate issuing key \(\mathsf{ik}\). It then sets \(\mathsf{M}_\mathsf{user}= \mathsf{cert}= (\mathbf {u}_{\mathsf{ID}, 2}, \sigma _\mathsf{Sig})\), and returns \(\mathsf{M}_\mathsf{user}\) to \(\mathcal {A}\). Finally, the challenger updates \(Q_\mathsf{key}\leftarrow Q_\mathsf{key}+ 1\) and sets \(\mathsf {IDList}[Q_\mathsf{key}] = \mathsf{ID}\).

From the view of the adversary \(\mathcal {A}\), the only difference between the two games are in how the vector \(\mathbf {u}_{\mathsf{ID}, 2}\) is created. In the previous game, the challenger first sampled \(\mathbf {y}_{\mathsf{ID}, 1} \leftarrow \{ 0,1 \} ^m\) and set \(\mathbf {u}_{\mathsf{ID}, 2} = \mathbf {u}_{\mathsf{ID}} - \mathbf {A}\mathbf {y}_{\mathsf{ID}, 1}\) where \(\mathbf {u}_\mathsf{ID} = \mathsf {H}(\mathsf{ID})\) was obtained via a random oracle query. Here, combining the three facts; \(\mathsf{td}= \mathbf {y}_{\mathsf{ID}, 1} \leftarrow \{ 0,1 \} ^m\) is information theoretically hidden from \(\mathcal {A}\); \(\mathbf {A}\) is statistically close to uniform (Lemma 4); and by the left-over-hash lemma, we have that \(\mathbf {u}_{\mathsf{ID}, 2}\) is distributed uniformly close to random over \(\mathbb {Z}_q^n\) regardless of the value taken by \(\mathbf {u}_\mathsf{ID}\). Therefore, since the distribution of \(\mathbf {u}_{\mathsf{ID}, 2}\) is statistically close in \(\mathsf {Game}_1\) and \(\mathsf {Game}_2\), we have \(\left| \Pr [X_1] - \Pr [X_2] \right| = \mathsf {negl}(\lambda )\).

\(\mathsf {Game}_3{:}\) In this game, we change when the challenger queries each identity \(\mathsf{ID}\) sampled during the IssueKey query to the random oracle. Namely, we make the following changes:

  • When \(\mathcal {A}\) queries for an IssueKey query the challenger directly samples \(\mathbf {u}\leftarrow \mathbb {Z}_q^n\) and signs \(\sigma _\mathsf{Sig}\leftarrow \mathsf{Sig.Sign}(\mathsf{sk}_\mathsf{Sig},\mathbf {u})\). It then sets \(\mathsf{M}_\mathsf{user}= \mathsf{cert}= (\mathbf {u}, \sigma _\mathsf{Sig})\), and returns \(\mathsf{M}_\mathsf{user}\) to \(\mathcal {A}\). Finally, the challenger updates \(Q_\mathsf{key}\leftarrow Q_\mathsf{key}+ 1\).

  • When \(\mathcal {A}\) makes the j-th (\(j \in [N]\)) encryption query on index i and a message \(\mathsf {M}_j\), the challenger first checks \(i \in [Q_\mathsf{key}]\). If not, the challenger forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\leftarrow \{ 0,1 \} \). It then further checks if \(\mathsf {IDList}[i] = \bot \). If so, the challenger samples \(\mathsf{ID}_i \leftarrow \mathcal {ID}\) and sets \(\mathsf {IDList}[i] = \mathsf{ID}_i\). Otherwise, it retrieves \(\mathsf{ID}_i = \mathsf {IDList}[i]\). Then, the challenger queries the random oracle on input \(\mathsf{ID}_i\) and receives back \(\mathbf {u}_{\mathsf{ID}_i}\). Finally, it computes \(c^{(j)}_0 = \mathbf {u}_{\mathsf{ID}_i}^\top \mathbf {s}_j + x_j + \mathsf {M}_j \lfloor q/2 \rceil \) and \(\mathbf {c}^{(j)}_1 = \mathbf {A}^\top \mathbf {s}_j + \mathbf {x}_j\) as specified by the scheme and returns the ciphertext \(\mathsf{ct} = (c^{(j)}_0, \mathbf {c}^{(j)}_1)\) to \(\mathcal {A}\).

  • When \(\mathcal {A}\) queries for a challenge ciphertext on index \(i^*\) and message \(\mathsf {M}^*\), it proceeds as it did to answer the encryption query.

The only difference between the previous game is the timing on which \(\mathsf{ID}\) is sampled by the challenger, and hence, when the random oracle is queried on input \(\mathsf{ID}\) which the challenger samples. However, since in \(\mathsf {Game}_2\) the challenger never required \(\mathsf{ID}\) to answer to the IssueKey query anymore due to the modification we made, it is easy to see that the view of \(\mathcal {A}\) is identical in both games. Here, note that the randomness used by the challenger to answer the IssueKey queries were no longer tied to \(\mathsf{ID}\) due to the modification we made in \(\mathsf {Game}_1\). In particular, the challenger is only required to check whether the i-th identity \(\mathsf{ID}_i\) was sampled or not when it is queried on the i-th index for the encryption or challenge ciphertext query. Therefore we have \(\Pr [X_2] = \Pr [X_3]\).

\(\mathsf {Game}_4{:}\) In this game, at the outset of the game, the challenger samples a random index \(I \leftarrow [Q]\) and keeps it secret. It then checks whether the index \(i^*\) submitted by \(\mathcal {A}\) as the challenge ciphertext satisfies \(i^* = I\). If not, it forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\leftarrow \{ 0,1 \} \). We will call this event \(\mathsf{abort}\). Otherwise, it proceeds in the same was as in the previous game. We have \(\left| \Pr [X_4] - 1/2 \right| = \left| \Pr [X_3 | \lnot \mathsf{abort}] \cdot \Pr [\lnot \mathsf{abort}] + (1/2)\cdot \Pr [\mathsf{abort}] - 1/2 \right| = (1/Q ) \cdot \left| \Pr [X_3] - 1/2 \right| \), where we used the fact that event \(X_3\) occurs independently of event \(\mathsf{abort}\), and when \(\mathsf{abort}\) occurs the challenger outputs a random coin \({\widehat{\mathsf{coin}}}\) on behalf of \(\mathcal {A}\).

\(\mathsf {Game}_{5}{:}\) In this game, we modify how the challenger answers the encryption and challenge ciphertext query on \(I\in [Q]\). In particular, we make the following modification:

  • When \(\mathcal {A}\) makes the j-th (\(j \in [N]\)) encryption query on index i and a message \(\mathsf {M}_j\), if \(i \ne I\), then it proceeds as in the previous game. Otherwise, if \(i = I\), then the challenger samples \(\mathsf{ct}^{(j)} \leftarrow \mathsf{CTSamp}(\mathsf{mpk})\) and returns \(\mathsf{ct}^{(j)}\) to \(\mathcal {A}\).

  • When \(\mathcal {A}\) queries for a challenge ciphertext on index \(i^*\) and message \(\mathsf {M}^*\), it checks whether \(i^* = I\) and forces \(\mathcal {A}\) to output a random coin \({\widehat{\mathsf{coin}}}\leftarrow \{ 0,1 \} \) if not satisfied. Otherwise, it returns \(\mathsf{ct}^* \leftarrow \mathsf{CTSamp}(\mathsf{mpk})\) to \(\mathcal {A}\) regardless of the value of \(\mathsf {coin}\in \{ 0,1 \} \).

Lemma 6 shows that \(\left| \Pr [X_4] - \Pr [X_5] \right| = \mathsf {negl}(\lambda )\) assuming the hardness of the LWE problem. We omit the proof of the lemma due to the page limitation and it appears in the full version of this paper.

Lemma 6

If the \(\mathsf {LWE}_{n, m, q, D_{\mathbb {Z}, \alpha q}}\) assumption holds, then \(| \Pr [X_4] - \Pr [X_5] | = \mathsf {negl}(\lambda )\).

Let we conclude the proof of Theorem 2. Observe that since the challenge ciphertext is sampled in the same way for both \(\mathsf {coin}= 0\) and 1, we have \(\Pr [X_5] = 1/2\). Therefore, combining everything together, we have \(\mathsf {Adv}_{\mathsf{IBE}, \mathcal {A}}^{\mathrm{IND\text {-}ANON\text {-}KGC}}(\lambda ) = \left| \Pr [X_0] - 1/2 \right| = Q \cdot \mathsf {negl}(\lambda )\). Thus, we conclude that \(\mathsf {Adv}_{\mathsf{IBE}, \mathcal {A}}^{\mathrm{IND\text {-}ANON\text {-}KGC}}(\lambda )\) is negligible for all PPT adversary \(\mathcal {A}\) since \(Q = \mathsf {poly}(\lambda )\).     \(\square \)

Theorem 3

Our blind IBE scheme with certified identity \(\varPi _\mathsf{IBE}\) is IND-ANON-ICA secure in the random oracle model if the \(\mathsf {PRF}\) is pseudorandom and assuming the hardness of the \(\mathsf {LWE}_{n, m, q, D_{\mathbb {Z}, \alpha q}}\) problem. Alternatively, we can get rid of the first requirement by replacing the \(\mathsf {PRF}\) by the random oracle.

Proof

The IND-ANON-ICA game played between the adversary and the challenger is a strictly weaker variant of the IND-ANON-CPA game. In other words, any adversary with non-negligible advantage against the IND-ANON-ICA game also has non-negligible advantage against the IND-ANON-CPA game. Therefore, Theorem 1 proves Theorem 3. We point out that since the challenger never requires to answer a certificate query in the IND-ANON-ICA game, we do not additionally require the \(\mathsf {eu\text {-}cma}\) security for the signature scheme \(\varPi _\mathsf{Sig}\).     \(\square \)