Identity-Based Encryption from LWE with More Compact Master Public Key

Abstract

This paper presents an adaptively secure identity-based encryption (IBE) scheme from Learning With Errors (LWE) in the standard model. Compared to the previous LWE-based most compact construction of Yamada (CRYPTO17), one of the distinguishing properties of our IBE scheme is that the master public key size of our IBE scheme is significantly smaller, and our design is explicitly given, and thus all the IBE parameters can be instantiated.

To achieve this, we design a more compact homomorphic equality test algorithm over LWE problems, which is significantly better than the previous bit-wise comparison of Yamada (CRYPTO17) and Katsumata (ASIACRYPT17). We show that our homomorphic equality test algorithms can pack a super-constant number of GSW-type bit encodings and thus may find other improvements in other LWE-based crypto schemes.

Appendices

A Supplementary Materials for Section 2

1.1 A.1 Definition of Partition Function and Related Results

Definition A.1

(Partition Function [36]). Let \(\textbf{F}= \left\{ \textbf{F}_\lambda : \mathcal {K}_\lambda \times \mathcal {X}_\lambda \rightarrow R_{2} \right\} \) be an ensemble of function family, we say that \(\textbf{F}\) is a partition function, if there exists an efficient algorithm \(\textsf{PrtSmp}(1^\lambda )\), which takes as input polynomial bounded \(Q=Q(\lambda )\in \mathbb {N}\) and noticeable \(\epsilon =\epsilon (\lambda )\in (0,1/2]\) and outputs K such that:

• There exists \(\lambda _0\in N\) such that

  $$ \textsf{Pr}\left[ K\in \mathcal {K}_\lambda : K \xleftarrow {\$} \textsf{PrtSmp}(1^\lambda , Q(\lambda ),\epsilon (\lambda ))\right] = 1 $$

  for all \(\lambda > \lambda _0\), where \(\lambda _0\) may depend on \(Q(\lambda )\) and \(\epsilon (\lambda )\).

• For \(\lambda > \lambda _0\), there exists \(\gamma _{\max }(\lambda )\) and \(\gamma _{\min }(\lambda )\) that depends on \(Q(\lambda )\) and \(\epsilon (\lambda )\) such that for all \(X^{(1)},\cdots , X^{(Q)}, X^{*} \in \mathcal {X}_\lambda \) with \(X^* \notin \left\{ X^{(1)},\cdots , X^{(Q)} \right\} \)

  $$ \gamma _{\max }(\lambda ) \ge \textsf{Pr}\left[ \textbf{F}\left( X^{(1)}\right) \in R_q^*,\cdots ,\textbf{F}\left( X^{(Q)}\right) \in R_q^* \wedge \textbf{F}\left( X^{*}\right) =0 \right] \ge \gamma _{\min }(\lambda ) $$

  holds and the function \(\tau (\lambda )\) defined as

  $$ \tau (\lambda ) := \gamma _{\min } \cdot \epsilon (\lambda ) - \frac{\gamma _{\max }(\lambda ) -\gamma _{\min }(\lambda ) }{2} $$

  is noticeable. The probability is taken over the randomness of the function key \(K\xleftarrow {\$} \textsf{PrtSmp}(1^\lambda , Q(\lambda ),\epsilon (\lambda ))\).

We call K the partition key and \(\tau (\lambda )\) the quality of the partition function.

The proof of the following lemma can be found in the paper of [2, 26].

Lemma A.2

(Lemma 8 in [26]). Let us consider an IBE scheme and an adversary A that breaks the adaptively-anonymous security (resp. Pseudorandomness) with advantage \(\lambda \). Let the identity space (resp. input space) be X and consider a map \(\gamma \) that maps a sequence of elements in X to a value in [0,1]. We consider the following experiment. We first execute the security game for \(\mathcal {A}\). Let \(X^*\) be the challenge identity (resp. challenge input) and \(X_1, \cdots , X_Q\) be the identities (resp. inputs) for which key extraction queries (resp. evaluation queries) were made. We denote \(\mathbb {X} = (X^*, X_1,\cdots , X_Q)\). At the end of the game, we set \(coin' \in \{0,1\}\) as \(\hat{b} = b' \) with probability \(\gamma (\mathbb {X})\) and \(\hat{b}\xleftarrow {} \{0,1\}\) with probability \(1- \gamma (\mathbb {X})\). Then, the following holds

$$ \Big | \textsf{Pr}[\hat{b} ==b] - \frac{1}{2} \Big | \ge \gamma _{\min } \cdot \epsilon - \frac{\gamma _{\max } - \gamma _{\min }}{2} $$

where \(\gamma _{\max }\) and \(\gamma _{\min }\) are the maximum and the minimum of \(\gamma (\mathbb {X})\) taken over all possible \(\mathbb {X}\), respectively.

B Supplementary Materials for Section 3

1.1 B.1 Proof of Theorem 3.4

Proof

From the description of Construction 3.2, we have that

$$\begin{aligned} \Vert \mathsf {{R}}_{\eta } \Vert \le \Vert \mathsf {{R}}'_{\eta } \cdot \mathsf {{G}}_b^{-1}\left( p^j \cdot \mathsf {{G}}_b\right) \Vert \le \Vert \mathsf {{R}}'_{\eta } \Vert \cdot kb \end{aligned}$$

Thus to prove the theorem, showing \( \Vert \mathsf {{R}}'_{\eta } \Vert \le \eta ^\eta \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \) is sufficient, and we show it by induction. Namely, we prove \( \Vert \mathsf {{R}}'_{j^*} \Vert \le \eta ^{j^*} \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \) for all \(\eta \ge j^*\ge 1\) below. Furthermore, by taking \(j^*:= \eta \), we have that \( \Vert \mathsf {{R}}'_{\eta } \Vert \le \eta ^{\eta } \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \), and the theorem follows.

For the basis step that when \(j^*=1\), we have \( \Vert \mathsf {{R}}'_{1} \Vert \le \Vert \mathsf {{R}}_x \Vert \le \eta ^1 \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \). For the induction step, assume that \( \Vert \mathsf {{R}}'_{j^*} \Vert \le \eta ^{j^*} \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \) holds for some \(\eta >j^*>1\), then we need to prove that \( \Vert \mathsf {{R}}'_{j^*+1} \Vert \le \eta ^{j^*+1} \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \). Note that we have followings for \( \Vert \mathsf {{R}}'_{j^*+1} \Vert \).

$$\begin{aligned} \Vert \mathsf {{R}}'_{j^*+1} \Vert &\le \Vert \mathsf {{R}}_{j^*+1} \Vert \cdot nkb + \Vert \mathsf {{R}}'_{j^*} \Vert \cdot |(x-j^*-1)| \\ &\le \Vert \mathsf {{R}}_{x} \Vert \cdot nkb + |(x-j^*-1)| \cdot \eta ^{j^*} \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \\ &\le \Vert \mathsf {{R}}_{x} \Vert \cdot nkb \left( |(x-j^*-1)| \cdot \eta ^{j^*} +1 \right) \\ &\le \Vert \mathsf {{R}}_{x} \Vert \cdot nkb \cdot \eta ^{j^*+1}, \end{aligned}$$

where the first inequality is from the description of step 2 of algorithm \(\textsf{Trap}\textsf{Eval}\); the second inequality is from the induction assumption; the third and last inequality is from a simple rearranging the terms and from the fact that \(|x-j-1|+1 \le \eta \). This is the case, since \(x\in [\eta ]\) and \(1<j<\eta \), we have that \(|x-j-1| \le \eta -1\) and thus \(\eta - |x-j-1| \le \eta \). Therefore, from the induction, we have that \( \Vert \mathsf {{R}}'_{j^*} \Vert \le \eta ^{j^*} \cdot (nkb) \cdot \Vert \mathsf {{R}}_x \Vert \) for all \(\eta \ge j^*\ge 1\) below    \(\square \)

1.2 B.2 Proof of Theorem 3.7

Proof

If \(\mathsf {{B}}_{x_i} = \mathsf {{A}} \cdot \mathsf {{R}}_{x_i} + x_i\cdot \mathsf {{G}}_b\) for all \(i\in [\xi ]\), then from the description of step 1 of \(\textsf{Pub}\textsf{Eval}_{\textsf{d}}\) and \(\textsf{Trap}\textsf{Eval}_{\textsf{d}}\), we have that

$$ \mathsf {{B}}'_i = \mathsf {{A}} \cdot \mathsf {{R}}'_{i} + \left( j_i \overset{?}{=}\ x_i \right) \cdot \mathsf {{G}}_b, $$

where we use the theorem assumption that deterministic algorithms \(\left( \textsf{Pub}\textsf{Eval}, \textsf{Trap}\textsf{Eval}\right) \) are correct to homomorphically evaluate the function class \(\{\textsf{Equal}_j(\star )\}_{j\in [\eta ]}\), and \(\left( j_i \overset{?}{=}\ x_i \right) \) is 1 if \(j_i=x_i\) and is zero otherwise. From the second step of algorithm \(\textsf{Pub}\textsf{Eval}\), we know that

$$\begin{aligned} \mathsf {{B}}_{\textsf{d}} &= \mathsf {{B}}'_{\textsf{d}} \cdot \mathsf {{G}}_b^{-1}\left( \mathsf {{B}}''_{\textsf{d}-1} \right) = \left( \mathsf {{A}} \cdot \mathsf {{R}}'_{\xi } + \left( j_{\xi } \overset{?}{=}\ x_{\xi } \right) \cdot \mathsf {{G}}_b\right) \cdot \mathsf {{G}}_b^{-1}\left( \mathsf {{B}}''_{\xi -1} \right) \\ &= \mathsf {{A}} \cdot \underbrace{\left( \mathsf {{R}}'_{\xi } \cdot \mathsf {{G}}_b^{-1}\left( \mathsf {{B}}''_{\xi -1} \right) + \left( j_{\xi } \overset{?}{=}\ x_{\xi } \right) \cdot \mathsf {{R}}''_{\xi -1} \right) }_{=\mathsf {{R}}_{\textsf{d}}}+ \underbrace{\prod _{i=1}^{\xi } \left( j_{i} \overset{?}{=}\ x_{i} \right) }_{= \textsf{Equal}_j(x)} \cdot \mathsf {{G}}_b\\ &= \mathsf {{A}} \cdot \mathsf {{R}}_{\textsf{d}}+ \textsf{Equal}_j(x) \cdot \mathsf {{G}}_b\end{aligned}$$

Therefore, the correctness follows.    \(\square \)

1.3 B.3 Proof of Theorem 3.8

Proof

From the description of Construction 3.6, we know that showing \( \Vert \mathsf {{R}}''_{\xi } \Vert \le \xi \cdot (nkb) \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } \) is sufficient to show the theorem. We show it by induction.

For the basis step that when \(j^*=1\), we have

$$ \Vert \mathsf {{R}}''_{1} \Vert \le \Vert \mathsf {{R}}'_1 \Vert \le \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } , $$

where the second inequality is from theorem assumption that \(\left( \textsf{Pub}\textsf{Eval}, \textsf{Trap}\textsf{Eval}\right) \) are \(\delta \)-expanding, that is \( \Vert \mathsf {{R}}'_i \Vert \le \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } \) for all \(i\in [\xi ]\).

For the induction step, assume that \( \Vert \mathsf {{R}}''_{i^*} \Vert \le i^* \cdot (nkb) \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert }\) holds for some \(\xi >i^*>1\), then we need to prove that \( \Vert \mathsf {{R}}''_{i^*+1} \Vert \le (i^*+1) \cdot (nkb) \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert }\). Note that we have followings for \( \Vert \mathsf {{R}}''_{i^*+1} \Vert \).

$$\begin{aligned} \Vert \mathsf {{R}}''_{i^*+1} \Vert &\le \Vert \mathsf {{R}}'_{i^*+1} \Vert \cdot nkb + \left( j_{i^*} \overset{?}{=}\ x_{i^*} \right) \Vert \mathsf {{R}}''_{i^*} \Vert \\ &\le nkb \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } + i^* \cdot (nkb) \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } \\ &\le (i^*+1) \cdot nkb \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } \end{aligned}$$

where the first inequality is from the description of step 2 of algorithm \(\textsf{Trap}\textsf{Eval}_{\textsf{d}}\) and triangle inequality of the 2-norm; the second inequality is from the induction assumption and the theorem assumption; the last inequality is from a simple amplifying the first term. Furthermore, by taking \(i^*:= \xi \), we have that \( \Vert \mathsf {{R}}''_{\xi } \Vert \le \xi \cdot (nkb) \cdot \delta \cdot \max _{i\in [\xi ]}{ \Vert \mathsf {{R}}_{x_i} \Vert } \), and thus this completes the proof of the theorem.    \(\square \)

C Supplementary Materials for Section 4

1.1 C.1 Proof of Theorem 4.3

Proof

To show the theorem, we need to define an algorithm \(\textsf{PrtSmp}\) and show it equipped two properties of partition function in Definition A.1. First, our definition of \(\textsf{PrtSmp}\) as follows:

• \(\textsf{PrtSmp}\left( 1^\lambda ,Q(\lambda ), \epsilon (\lambda ) \right) \rightarrow K\): Let \(t':= \lceil \log _{1-\textsf{d}}(\frac{3Q}{\epsilon })\rceil \), then randomly sample a vector \(\mathsf {\boldsymbol{\alpha }}' \xleftarrow {} [\textsf{L}]^{t'}\) and a vector \(\mathsf {\boldsymbol{\beta }}' \in [p]^{t'}\). Then we pad zeros to each of \(\mathsf {\boldsymbol{\alpha }}', \mathsf {\boldsymbol{\beta }}\) to get the vectors \(\mathsf {\boldsymbol{\alpha }}\) and \(\mathsf {\boldsymbol{\beta }}\) such that each has length t. Finally, outputs \(K=(\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }})\).

Note that above algorithm \(\textsf{PrtSmp}\) has the first property of partition function (Definition A.1). Since Q is polynomially bounded and \(\epsilon \) is noticeable, when \(t= \omega (1)\), we have that \(\frac{3Q}{\epsilon }\) is polynomially bounded, and thus we have that \(t'\) is constant. Furthermore, due to the setting that \(t= \omega (1)\), for large enough \(\lambda \), we have that \(t' < t\), thus \(K=(\mathsf {\boldsymbol{\alpha }},\mathsf {\boldsymbol{\beta }}) \in \mathcal {K}=[\textsf{L}]^t\times [p]^t\).

Next we show the partition property of \(\textsf{PrtSmp}\). If let \(\gamma \) be the partition probability that

$$ \gamma =\gamma (X^{(1)},X^{(2)},\cdots ,X^{(Q)},X^{*}):= \mathop {\textsf{Pr}}\limits _{K}\left[ \bigwedge _{i=1}^{Q} F_K\left( X^{(i)}\right) \in \mathbb {Z}_q^* \wedge F_K\left( X^{*}\right) =0\right] , $$

then we have

$$\begin{aligned} \gamma &= \mathop {\textsf{Pr}}\limits _{K}\left[ \bigwedge _{i=1}^{Q} F_K\left( X^{(i)}\right) \in \mathbb {Z}_q^* | F_K\left( X^{*}\right) =0 \right] \cdot \mathop {\textsf{Pr}}\limits _{K}\left[ F_K\left( X^{*}\right) =0\right] \\ &= \left( 1 - \mathop {\textsf{Pr}}\limits _{K}\left[ \exists j\in [Q], s.t., F_K\left( X^{(j)}\right) \notin \mathbb {Z}_q^* | F_K\left( X^{*}\right) =0\right] \right) \cdot \mathop {\textsf{Pr}}\limits _{K}\left[ F_K\left( X^{*}\right) =0\right] . \end{aligned}$$

To show \(\textsf{PrtSmp}\) has second property of Definition A.1, we first show (1) \(\gamma _{\max }= \frac{1}{p^{t'}}\) is an upper bound of \(\gamma \), and (2) \(\gamma _{\min }= \left( 1 - (1-\textsf{d})^{t'} \right) \cdot \gamma _{\max }\) is a lower bound of \(\gamma \).

First we show property (1). Note that we have

$$\begin{aligned} \gamma &\le \mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ F_{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}(X^{*}) =0\right] = \mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ \bigwedge _{i=1}^{t} \left( \textsf{ECC}(X^{*})[\alpha _i] - \beta _i =0 \right) \right] \\ & = \prod _{i=1}^{t}\mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ \left( \textsf{ECC}(X^{*})[\alpha _i] = \beta _i \right) \right] =\underbrace{ \left( \frac{1}{p} \right) ^{t'}}_{:=\gamma _{\max }}~~~, \end{aligned}$$

where the first equality is from the fact the sum of quadratic terms is zero iff each quadratic term is zero; the second equality is from the fact that each entry of \(\mathsf {\boldsymbol{\alpha }}\) and \(\mathsf {\boldsymbol{\beta }}\) are independent; the last equality is from the randomness of \(\beta _i\) in \(\mathbb {Z}_p\).

Next we show property (2). Since the modulus q is prime, we know that \(F_K\left( X^{(j)}\right) \) is invertible in \(\mathbb {Z}_q\) if it is non-zero. Therefore, we have

$$\begin{aligned} \gamma &= \left( 1 - \mathop {\textsf{Pr}}\limits _{K}\left[ \exists j\in [Q], s.t., F_K\left( X^{(j)}\right) =0 | F_K\left( X^{*}\right) =0\right] \right) \cdot \gamma _{\max } \\ &\ge \left( 1 - Q\cdot \mathop {\textsf{Pr}}\limits _{K}\left[ F_K\left( X^{(j)}\right) =0 | F_K\left( X^{*}\right) =0\right] \right) \cdot \gamma _{\max } \\ &= \underbrace{\left( 1 - Q\cdot \mathop {\textsf{Pr}}\limits _{K}\left[ F_K\left( X^{(j)}\right) = F_K\left( X^{*}\right) \right] \right) \cdot \gamma _{\max }}_{:=\gamma _{\min }} \end{aligned}$$

Note that for any two distinct \(x_1 \ne x_2\), we have

$$\begin{aligned} \mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ \! \mathop {F}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}(x_1)\!\! =0 \big | \!\!\mathop {F}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}(x_2)\! =\!0\right] \!\!& =\!\! \mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ \bigwedge _{i=1}^{t} \left( \textsf{ECC}(x_1)[\alpha _i] = \beta _i\right) \big | \bigwedge _{i=1}^{t} \left( \textsf{ECC}(x_2)[\alpha _i] = \beta _i \right) \right] \\ & =\prod _{i=1}^{t}\mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ \textsf{ECC}(x_1)[\alpha _i] = \beta _i \big | \textsf{ECC}(x_2)[\alpha _i] = \beta _i \right] \\ & =\prod _{i=1}^{t}\mathop {\textsf{Pr}}\limits _{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}\left[ \textsf{ECC}(x_1)[\alpha _i] = \textsf{ECC}(x_2)[\alpha _i] \right] = (1-\textsf{d})^{t'}, \end{aligned}$$

where the first equality is from the fact the sum of quadratic terms is zero iff each quadratic term is zero; the second equality is from the fact that each entry of \(\mathsf {\boldsymbol{\alpha }}\) and \(\mathsf {\boldsymbol{\beta }}\) are independent; the third and last equalities are from a simple substitution, randomness of \(\mathsf {\boldsymbol{\alpha }}\) and the relative distance of \(\textsf{ECC}\). Therefore, we have

$$\begin{aligned} \gamma _{\min }= \left( 1 - Q\cdot (1-\textsf{d})^{t'} \right) \cdot \gamma _{\max } \end{aligned}$$

Next we show that \(\tau (\lambda ) =\gamma _{\min }\cdot \epsilon - \frac{\gamma _{\max }-\gamma _{\min }}{2}\) is noticeable. From above results, we have that

$$\begin{aligned} \tau &= \left( 1 - Q\cdot (1-\textsf{d})^{t'} \right) \cdot \gamma _{\max } \cdot \epsilon - Q\cdot (1-\textsf{d})^{t'} \cdot \gamma _{\max } \end{aligned}$$

(1)

$$\begin{aligned} &\ge \frac{1}{2} \cdot \gamma _{\max } \cdot \epsilon - \frac{\epsilon }{6} \cdot \gamma _{\max } \end{aligned}$$

(2)

$$\begin{aligned} &\ge \frac{1}{3} \cdot \gamma _{\max } \cdot \epsilon \end{aligned}$$

(3)

where the inequalities are from the setting of \(t'\). Since \(\epsilon \) is noticeable and Q is polynomially bounded, we have that \(t'\) is some constant from the definition of \(t'\), therefore \(\gamma _{\max }=1/p^{t'}\) is noticeable, and thus \(\tau (\lambda )\) is noticeable. This completes the proof.    \(\square \)

D Supplementary Materials for Section 5

1.1 D.1 Proof of Theorem 5.2

Proof

From the description of the decryption algorithm, we know that

$$\begin{aligned} c_0 - \mathsf {{e}} \cdot \mathsf {{c}}_1 =& \mathsf {{u}}^\top \cdot \mathsf {{s}} + e_0 + \bigg \lceil \frac{q}{2}\bigg \rceil \cdot \mu - \mathsf {{e}} ^\top \cdot \left( \begin{bmatrix}\mathsf {{A}}\\ \mathsf {{A}}_{\textsf{id}}\end{bmatrix}\cdot \mathsf {{s}} - \begin{bmatrix}\mathsf {{e}}_1\\ \mathsf {{e}}_2\end{bmatrix} \right) \\ =& \bigg \lceil \frac{q}{2}\bigg \rceil \cdot \mu +e_0 -\mathsf {{e}}^\top \cdot \begin{bmatrix}\mathsf {{e}}_1\\ \mathsf {{e}}_2\end{bmatrix} \end{aligned}$$

Note that \(e_0\) is sampled from the Gaussian distribution \(D_{\mathbb {Z}_q,\sigma _0}\), thus from the Gaussian tail bound (Lemma 2.6), we have that \(\textsf{Pr}[\Vert e_0\Vert _{\infty } \le \omega (\log (n)) \cdot \sigma _0] \le \textsf{negl}(\lambda )\). Furthermore, we have followings:

$$\begin{aligned} \left\| \mathsf {{e}}^\top \cdot \begin{bmatrix}\mathsf {{e}}_1 \\ \mathsf {{e}}_2 \end{bmatrix}\right\| _{\infty } &\le \max _{j\in [n]} \Vert \mathsf {{e}} ^\top \Vert \cdot \left\| \begin{bmatrix}\mathsf {{e}}_1 \\ \mathsf {{e}}_2 \end{bmatrix}_{j}\right\| _{\infty } \\ &\le \sqrt{2m} \sigma \cdot \omega (\log (n)) \cdot \sigma _1 , \end{aligned}$$

where the last inequality holds except with negligible probability by Lemma 2.6. Thus from the above results, we have that

$$\begin{aligned} \textsf{Pr}\left[ \left\| e_0 -\mathsf {{e}}^\top \cdot \begin{bmatrix}\mathsf {{e}}_1\\ \mathsf {{e}}_2\end{bmatrix} \right\| _{\infty } \le \omega (\log (n))\sigma _0 + \sigma \sigma _1 \cdot \omega (\log (n)) \cdot \sqrt{2m} \right] \le \textsf{negl}(\lambda ). \end{aligned}$$

Thus, from the description of the decryption algorithm, it decrypts correctly except with negligible probability, and thus the \(\textsf{IBE}\) scheme is correct.    \(\square \)

1.2 D.2 Proof of Theorem 5.3

Proof

To show the theorem, we prove that if there is an adversary \(\mathcal {A}\) who breaks the \(\textsf{IBE}\) scheme in the Construction 5.1 in polynomial running time with noticeable probability \(\epsilon \) via making an polynomially bounded number, say Q, of key extraction queries for Q identities, then there is an algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) which invokes \(\mathcal {A}\) to solve the \(D\text {-}\textsf{LWE}_{n,k+1,q,\sigma _0}\) problem with noticeable probability in polynomial time as well. This contradicts to the theorem assumption that \(D\text {-}\textsf{LWE}_{n,m+1,q,\sigma _0}\) is hard, and thus the theorem follows. Before presenting the concrete description of \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\), we first define and analysis follows hybrid games, from which the design idea of \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) can be easily seen. The hybrid games are defined as follows.

• \(\textsf{Game}_0{:}\) This is the original adaptive IBE security game between the adversary \(\mathcal {A}\) and the challenger \(\textsf{Chall}\).

• \(\textsf{Game}_1{:}\) In this game, we change the \(\textsf{Game}_0\) so that the challenger \(\textsf{Chall}\) procedure an conditional abort at the end of the game. Namely, this game is identical to the \(\textsf{Game}_0\) except that at the end of the game, the challenger runs \(\textsf{PrtSmp}(1^\lambda ,t_{\mathcal {A}},\epsilon ) \rightarrow K = (\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }})\) and abort the game if the following condition holds;

  $$\begin{aligned} \bigwedge _{i=1}^{Q} \left( F_K\left( id^{i}\right) \in \mathbb {Z}^*_q \right) \bigwedge F_K\left( id^{*}\right) =0, \end{aligned}$$

  where \(\textsf{id}^{1},\cdots , \textsf{id}^{Q}\) are the identities for which \(\mathcal {A}\) has made key extraction queries, and \(\textsf{id}^*\) is the challenge identity.

• \(\textsf{Game}_2{:}\) In this game, we change the way that the matrices \(\{\mathsf {{A}}_{i,j}\}_{i\in [t],j\in [\xi ]},\{\mathsf {{B}}_i\}_{i\in [t]}\) are generated. Here, instead of sampling them uniformly over \(\mathbb {Z}_q^{n\times m}\), the challenger first samples \(\{\mathsf {{R}}_{i,j}\}_{i\in [t],j\in [\xi ]},\{\mathsf {{R}}^B_i\}_{i\in [t]} \xleftarrow {} \mathbb {Z}_{[-\rho , \rho ]}^{m\times m}\), and sets

  $$\begin{aligned} \mathsf {{A}}_{i,j} &:= \mathsf {{A}}^\top \cdot \mathsf {{R}}_{i,j} + \mathsf {\boldsymbol{\alpha }}_{i,j}\cdot \mathsf {{G}}_b\text{, } \text{ for } i\in [t], j\in [\xi ] \\ \mathsf {{B}}_i &:= \mathsf {{A}}^\top \cdot \mathsf {{R}}^B_i + \mathsf {\boldsymbol{\beta }}_i\cdot \mathsf {{G}}_b, \text{, } \text{ for } i\in [t], \end{aligned}$$

  where \(\mathsf {\boldsymbol{\alpha }}_{i,j}\) is the j-th \(\eta \)-adic representation of \(\mathsf {\boldsymbol{\alpha }}\).

• \(\textsf{Game}_3{:}\) This game is the same as \(\textsf{Game}_2\) except that we change way of generating public matrix \(\mathsf {{A}}\) and the key extraction procedure. Here, the challenger samples \(\mathsf {{A}} \xleftarrow {\$} \mathbb {Z}_q^{n\times m}\) uniformly instead of generating it with trapdoor by running the trapdoor generating algorithm \(\textsf{Trap}\textsf{Gen}\). To extract a secret key for an identity \(\textsf{id}\), the challenger first computes

  $$ \mathsf {{R}}_{\textsf{id}} = \textsf{Trap}\textsf{Eval}_{\textsf{IBE}}\left( \{\mathsf {{R}}_{i,j}\}_{i\in [t],j\in [\xi ]},\{\mathsf {{R}}^B_i\}_{i\in [t]} , \mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}, \textsf{id}\right) . $$

  Then sample a vector \(\mathsf {{e}}_{\textsf{id}} \in \mathbb {Z}_q^{2m}\) by running \(\textsf{SampleRight}\) as

  $$ \mathsf {{e}}_{\textsf{id}} = \textsf{SampleRight}\left( \mathsf {{A}}, \mathsf {{R}}_{\textsf{id}}, \mathsf {{u}}, F_{\mathsf {\boldsymbol{\alpha }}, \mathsf {\boldsymbol{\beta }}}(\textsf{id}), \mathsf {{G}}_b, \mathsf {{T}}_{\mathsf {{G}}_b}, \sigma \right) . $$

  Finally, the challenger outputs \(\mathsf {{e}}_{\textsf{id}}\) as a corresponding key for the identity \(\textsf{id}\).

• \(\textsf{Game}_4{:}\) In this game, we change the way that the challenge ciphertext \(\textsf{ct}^* = (c^*_0,\mathsf {{c}}^*_1)\) is generated. Here, the challenger first selects \(\mathsf {{s}} \xleftarrow {\$} \mathbb {Z}^n_q\) and \(\mathsf {{x}} \xleftarrow {} D_{\mathbb {Z}_q^m,\sigma _0}\), and compute \(\mathsf {{v}} = \mathsf {{A}} \cdot \mathsf {{s}} + \mathsf {{x}}\). Then the challenger samples \(e_0 \xleftarrow {} D_{\mathbb {Z}_q^m,\sigma _0}\), and generates the challenge ciphertext as follows:

  $$ c_0^* = \mathsf {{u}} \cdot \mathsf {{s}} + e_0 + \big \lceil \frac{q}{2}\big \rceil \cdot \mu , \text{, } \mathsf {{c}}^*_1 = \textsf{ReRand}\left( [I_m|\mathsf {{R}}_{\textsf{id}^*}]^\top , \mathsf {{v}}, \sigma _0, \frac{\sigma _1}{2\sigma _0}\right) , $$

  where \(I_m\) is the identity matrix.

• \(\textsf{Game}_5{:}\) In this game, we change the way that the challenge ciphertext \(\textsf{ct}^* = (c^*_0,\mathsf {{c}}^*_1)\) is generated. Here, instead of masking the message with LWE samples, the challenger masks the message with uniformly random samples. Formally, the challenger first samples \(u_0 \xleftarrow {} \mathbb {Z}_q\), \(\mathsf {{v}}' \xleftarrow {} \mathbb {Z}_q^m\) and \(\mathsf {{x}} \xleftarrow {} D_{\mathbb {Z}_q^m,\sigma _0}\), then set \(\mathsf {{v}} = \mathsf {{v}}' + x \) and compute the challenger ciphertext as follows:

  $$ c_0^* = u_0 + \big \lceil \frac{q}{2}\big \rceil \cdot \mu , \text{, } \mathsf {{c}}^*_1 = \textsf{ReRand}\left( [I_m|\mathsf {{R}}_{\textsf{id}^*}]^\top , \mathsf {{v}}, \sigma _0, \frac{\sigma _1}{2\sigma _0}\right) , $$

For \(i\in \left\{ 0,1,2,3,4,5 \right\} \), let \(E_1\) be the event that the adversary \(\mathcal {A}\) wins in \(\textsf{Game}_i\), and let \(\textsf{abort}\) be the event that challenger aborts in \(\textsf{Game}_1\). From the above assumption, we have that \(\textsf{Pr}[E_0] = \epsilon \). Additionally, from the description of \(\textsf{Game}_5\), it is easy to see that \(c_0\) is independent of \(\mathsf {{c}}_1\), and from the uniformity of \(u_0\), the advantage of any adversary in \(\textsf{Game}_5\) is exactly 0, that is \(\textsf{Pr}[E_5] = 0\). Due to the space limit, we postpone the proof of following lemmas to Appendix D.3 to Appendix D.7.

Lemma D.1

\(\textsf{Pr}[E_1]\) is noticeable if \(\epsilon \) is noticeable.

Lemma D.2

\(|\textsf{Pr}[E_2] - \textsf{Pr}[E_1]| \le \textsf{negl}(\lambda )\)

Lemma D.3

\(|\textsf{Pr}[E_3] - \textsf{Pr}[E_2]| \le \textsf{negl}(\lambda )\)

Lemma D.4

\(|\textsf{Pr}[E_4] - \textsf{Pr}[E_3]| \le \textsf{negl}(\lambda )\)

Lemma D.5

\(|\textsf{Pr}[E_5] - \textsf{Pr}[E_4]| \le \textsf{negl}(\lambda )\) if the \(D\text {-}\textsf{LWE}_{n,m+1,q,\sigma _0}\) problem is hard.

Put All Together. Combining the above results, we have

$$\begin{aligned} \textsf{Pr}[E_5] & = \sum _{i=1}^4\left( \textsf{Pr}[E_{i+1}] -\textsf{Pr}[E_i] \right) + \textsf{Pr}[E_1] \ge \textsf{Pr}[E_1] - \sum _{i=1}^4\left| \left( \textsf{Pr}[E_{i+1}] -\textsf{Pr}[E_i] \right) \right| \\ & \ge \textsf{Pr}[E_1] - \textsf{negl}(\lambda ) \ge \epsilon \cdot \frac{1}{p^{t'}}- \textsf{negl}(\lambda ) , \end{aligned}$$

where \(t'=\lceil \log _{1-\textsf{d}}(\frac{3Q}{\epsilon })\rceil \). Since \(\epsilon \) is noticeable and Q is polynomially bounded, the value \(p^{t'}\) is polynomially bounded, and thus \(\textsf{Pr}[E_5]\) is noticeable. Which is contradicts to the fact that \(\textsf{Pr}[E_5] = 0\). This completes the proof of Theorem 5.3.    \(\square \)

1.3 D.3 Proof of Lemma D.1

Proof

Since the \(\mathcal {A}\)’s advantage \(\epsilon \) is noticeable and the running time \(T_{\mathcal {A}}\) is polynomially bounded, the Lemma A.2 and the second property of the partition function implies that

$$\begin{aligned} \textsf{Pr}[E_1] \ge \gamma _{\min } \cdot \epsilon - \frac{1}{2} \left( \gamma _{\max } - \gamma _{\min }\right) \ge \epsilon \cdot \frac{1}{3 p^{t'}}, \end{aligned}$$

where \(t'=\lceil \log _{1-\textsf{d}}(\frac{3Q}{\epsilon })\rceil \). Since \(\epsilon \) is noticeable and Q is polynomially bounded, thus \(p^{t'}\) is polynomially bounded, and thus the probability \(\textsf{Pr}[E_1]\) is noticeable. This completes the proof of Lemma D.1.    \(\square \)

1.4 D.4 Proof of Lemma D.2

Proof

Recall that the difference between the \(\textsf{Game}_1\) and \(\textsf{Game}_2\) is the way that they generate the public matrices \(\{\mathsf {{A}}_{i,j}\}_{i\in [t],j\in [\xi ]}\) and \(\{\mathsf {{B}}_i\}_{i\in [t]}\). Namely, the two games generate the public ring vectors as follows:

$$\begin{aligned} \textsf{Game}_1: & {\left\{ \begin{array}{ll} \mathsf {{A}}_{i,j} &{}\xleftarrow {\$} \mathbb {Z}_q^{n\times m} \text{, } \text{ for } i\in [t], j\in [\xi ] \\ \mathsf {{B}}_i &{}\xleftarrow {\$} \mathbb {Z}_q^{n\times m} \text{, } \text{ for } i\in [t], \end{array}\right. } \\ \textsf{Game}_2: & {\left\{ \begin{array}{ll} \mathsf {{A}}_{i,j} &{}:= \mathsf {{A}}^\top \cdot \mathsf {{R}}_{i,j} + \mathsf {\boldsymbol{\alpha }}_{i,j}\cdot \mathsf {{G}}_b\text{, } \text{ for } i\in [t], j\in [\xi ] \\ \mathsf {{B}}_i &{}:= \mathsf {{A}}^\top \cdot \mathsf {{R}}^B_i + \mathsf {\boldsymbol{\beta }}_i\cdot \mathsf {{G}}_b, \text{, } \text{ for } i\in [t], \end{array}\right. } \end{aligned}$$

where \(\mathsf {{R}}_{i,j}, \mathsf {{R}}^B_{i} \xleftarrow {} \mathbb {Z}_{-\rho ,\rho }^{m\times m}\). Thus, Lemma 2.7 shows that the difference between the above two games is negligible. This completes the proof of Lemma D.2.    \(\square \)

1.5 D.5 Proof of Lemma D.3

Proof

Note that, in \(\textsf{Game}_3\), the challenger changed the way of generating the public matrix \(\mathsf {{A}}\) and the key extraction procedure. So, to show this lemma, it suffices to show that (1) the difference between the generating processes of \(\mathsf {{A}}\) is negligible, and (2) the difference between the key extraction procedures is negligible. Thus, applying the probability union bound, we complete the proof of this lemma.

Now we show the statement (1): Note that public matrix \(\mathsf {{A}}\) is sampled uniformly from the \(\mathbb {Z}_q^{n\times m}\) in \(\textsf{Game}_3\) instead of by running \(\textsf{Trap}\textsf{Gen}\) as in \(\textsf{Game}_2\). From the first property of Lemma 2.13, the difference between the two cases is negligible in security parameter \(\lambda \).

Next we show the statement (2):Note that in \(\textsf{Game}_2\), the challenger uses the trapdoor information of \(\mathsf {{A}}\) to extract the identity key by running \(\textsf{SampleLeft}\) algorithm of Lemma 2.13. However, in \(\textsf{Game}_3\), the challenger has no trapdoor information about the matrix \(\mathsf {{A}}\), yet it can use \(\mathsf {{R}}_{\textsf{id}}\) to generate the corresponding secret identity key by running the \(\textsf{SampleRight}\) algorithm of Lemma 2.13. The second and third property of Lemma 2.13 shows that the outputs of above two sampling algorithms are statistically close to \(D_{[\mathsf {{A}}^\top | \mathsf {{A}}_{\textsf{id}}^\top ], \mathsf {{u}}, \sigma }\). Thus the difference between the above two procedures of generating identity keys is negligible.    \(\square \)

1.6 D.6 Proof of Lemma D.4

Proof

Note that the only difference between the \(\textsf{Game}_3\) and \(\textsf{Game}_4\) is the way the challenger generates the challenge ciphertext \(\textsf{ct}= (c_0, \mathsf {{c}}_1)\). In \(\textsf{Game}_3\), the challenge ciphertext is generated by the encryption algorithm, while in \(game_4\), \(c_0\) is generated by the same way as in \(\textsf{Game}_3\), yet \(\mathsf {{c}}_1 = \textsf{ReRand}\left( [I_m| \mathsf {{R}}_{\textsf{id}^*}, \mathsf {{v}}, \sigma _0, \frac{\sigma }{2\sigma _0}]\right) \). From Lemma 2.11, we have that the difference between the above two games is negligible.    \(\square \)

1.7 D.7 Proof of Lemma D.5

Proof

To show this lemma, we construct a simulation algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) (which is desired in Theorem 5.3) which tries to solve the \(D\text {-}\textsf{LWE}\) problem by invoking an algorithm \(\mathcal {B}\) who tries to distinguish \(\textsf{Game}_4\) and \(\textsf{Game}_5\) . The description if \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) is as follows:

• \( \textsf{Sim}_{D\text {-}\textsf{LWE}}\left( (\mathsf {{A}}^\top | \mathsf {{u}}), (\mathsf {{b}}^\top , b_0) \right) \rightarrow \{0,1\}{:}\)

• On input the \(D\text {-}\textsf{LWE}_{n,m+1,q,\sigma _0}\) challenge samples \(\left( [\mathsf {{A}} \top | \mathsf {{u}}], [ \mathsf {{b}}^\top ,b_0] \right) \), algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) simulates the \(\textsf{Game}_4\) for \(\mathcal {B}\) except the challenge ciphertext respond. It first lets \(\mathsf {{A}}\) as the part of the master public key of \(\textsf{IBE}\) scheme, and generates the matrices \(\{\mathsf {{A}}_{i,j}\}_{i\in [t],j\in [\xi ]}\) and \(\{\mathsf {{B}}_i\}_{i\in [t]}\) as in \(\textsf{Game}_4\), and let \(\textsf{mpk}=\left( \mathsf {{A}}, \{\mathsf {{A}}_{i,j}\}_{i\in [t],j\in [\xi ]},\{\mathsf {{B}}_i\}_{i\in [t]}, \mathsf {{u}} \right) \) as the master public key of the \(\textsf{IBE}\) scheme. The identity key extraction procedure is the same as in \(\textsf{Game}_4\), yet it generates the challenge ciphertext as follows:

  $$\begin{aligned} c_0^* = b_0 + \big \lceil \frac{q}{2}\big \rceil \cdot \mu \text{, } \mathsf {{c}}_1^* = \textsf{ReRand}\left( \left[ I_m| \mathsf {{R}}_{\textsf{id}^*}\right] , \mathsf {{b}}, \sigma _0, \frac{\sigma }{2\sigma _0}\right) . \end{aligned}$$

  If the algorithm \(\mathcal {B}\) outputs 1, meaning that the simulated game is \(\textsf{Game}_4\), then the algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) outputs 1 implies the challenge samples are from \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) distribution. If \(\mathcal {B}\) outputs 0, meaning that the simulated game is \(\textsf{Game}_5\), then the algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) outputs 0 implies the challenge samples are from uniform distribution.

It is not hard to see that if the given challenge samples \(\left( [\mathsf {{A}} \top | \mathsf {{u}}], \mathsf {{b}}^\top ,b_0\right) \) are from \(D\text {-}\textsf{LWE}\) distribution, then the algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) exactly simulates the \(\textsf{Game}_4\); if the given challenge samples are from uniform distribution, then the algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) exactly simulates the \(\textsf{Game}_5\). Thus the advantage of the simulation algorithm \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) is exactly the advantage of the distinguishing advantage of \(\mathcal {B}\). From the hardness assumption of \(D\text {-}\textsf{LWE}\) problem, the advantage of \(\textsf{Sim}_{D\text {-}\textsf{LWE}}\) is negligible, and thus the distinguishing advantage of any algorithm \(\mathcal {B}\) is negligible. This completes the proof of Lemma D.5    \(\square \)

E Supplementary Materials for Section 6

1.1 E.1 Parameters for Our IBE Scheme

Parameter Constraints. Here we present the parameter constraints which ensure our \(\textsf{IBE}\) in Construction 5.1 reaches the correctness and the adaptive security. To meet the corresponding requirements, the parameters should satisfy the following constraints:

• For the requirements of \(\textsf{Trap}\textsf{Gen}\) algorithm and gadget vector \(\mathsf {{G}}_b\), we need

  $$\begin{aligned} m&\ge \frac{(n+1) \log (q)+ \omega (\log (n))}{\log (\rho )} , \\ m&\ge n\cdot \lceil \log _{\rho }(q)\rceil \end{aligned}$$

• To ensure the Lemma 4.2 to hold, we need

  $$\begin{aligned} q > t \cdot p^2 \end{aligned}$$

• To ensure the existence of such \(t'\) in the definition of \(\textsf{PrtSmp}\) in Theorem 4.3, we need to set \(t'\) such that

  $$ t'= \log _{1-\textsf{d}}\left( \frac{3Q}{\epsilon }\right) , $$

  where Q is the number key queries and \(\lambda \) is the advantage of the adversary.

• To ensure the hardness of \(D\text {-}\textsf{LWE}\) problem, we need \(\sigma _0\) satisfies the condition of the reduction in Lemma 2.10, that is

  $$\sigma _{0} \ge 2\sqrt{n}.$$

• To meet the requirement of \(\textsf{ReRand}\) algorithm, we set

  $$\sigma _0 \ge \omega \left( \sqrt{\log (n)}\right) \text{ and } \sigma _1 \ge 2\sigma _0 \cdot \sqrt{s^2_1(\mathsf {{R}}_{\textsf{id}^*}) + 1} .$$

• To meet the requirement of \(\textsf{SampleLeft}\) algorithm in Lemma 2.13, we need

  $$ \sigma > \Vert \textsf{rot}(\mathsf {{T}}_{\mathsf {{A}}})\Vert _{\textsf{GS}}\cdot \omega \left( \sqrt{\log (n)}\right) $$

  where \(\Vert \textsf{rot}(\mathsf {{T}}_{\mathsf {{A}}})\Vert _{\textsf{GS}} < O\left( b \rho \sqrt{n\log _{\rho }(q)}\right) \).

• To meet the requirement of \(\textsf{SampleRight}\) algorithm in Lemma 2.13, we need

  $$\sigma > s_1(\mathsf {{R}}_{\textsf{id}})\cdot \Vert \textsf{rot}(\mathsf {{T}}_{\mathsf {{G}}_b})\Vert _{\textsf{GS}}\cdot \omega \left( \sqrt{\log (n)}\right) ,$$

  where \(s_1(\mathsf {{R}}_{\textsf{id}})\) satisfies following

  $$s_1(\mathsf {{R}}_{\textsf{id}}) < \tilde{O}\left( t\cdot (mb+p)\cdot \xi \cdot (mb)^3\right) \cdot \Vert \mathsf {{R}}\Vert ,$$

  Additionally, \(\Vert \mathsf {{R}}\Vert \le C\cdot s \cdot \left( \sqrt{m}+\sqrt{n} + t\right) \) with probability \( 2 e^{-\pi t^2}\) for some \(t>0\), and \(\Vert \textsf{rot}(\mathsf {{T}}_{\mathsf {{g}}_b})\Vert _{\textsf{GS}}\le \sqrt{b^2+1}.\)

• For the correctness of our \(\textsf{IBE}\) scheme, we need the modulus q satisfy

  $$q \ge O\left( \omega (\log (n)) \cdot \sigma _0 + \sigma \sigma _1 \cdot \omega (\log (n)) \cdot \sqrt{2m}\right) $$

  to achieve overwhelming correctness.