
Cybersecurity, 2:18

(Identity-based) dual receiver encryption from lattice-based programmable hash functions with high min-entropy

  • Yanyan Liu
  • Daode Zhang
  • Yi Deng
  • Bao Li
Open Access
Research

Abstract

Dual receiver encryption (DRE) is an important cryptographic primitive introduced by Diament et al. at CCS’04, which allows two independent receivers to decrypt the same ciphertext and obtain the same plaintext. This primitive is quite useful in designing combined public key cryptosystems and denial-of-service attack-resilient protocols. In this paper, we obtain the following results.
  • Using weak lattice-based programmable hash functions (wLPHF) with high min-entropy (Crypto’16), we give a generic IND-CCA secure DRE construction in the standard model. Furthermore, we obtain a concrete DRE scheme by instantiating it with a concrete wLPHF with high min-entropy.

  • For the DRE notion in the identity-based setting, identity-based DRE (IB-DRE), we give a framework for IND-ID-CPA secure IB-DRE construction in the standard model, based on lattice-based programmable hash functions (LPHF) with high min-entropy. Instantiating it with concrete LPHFs with high min-entropy, we obtain five concrete IB-DRE schemes.

Keywords

Dual receiver encryption; Identity-based dual receiver encryption; Lattice-based programmable hash functions with high min-entropy

Introduction

Dual receiver encryption, proposed by Diament, Lee, Keromytis and Yung (Diament et al. 2004), is a special kind of public-key encryption which allows two independent users to decrypt a ciphertext and obtain the same plaintext using their own secret keys. More precisely, in a DRE scheme the encryption algorithm takes as input a message M and two receivers’ independently generated public keys \(pk_{1}\) and \(pk_{2}\), and produces a ciphertext c. Once the receivers obtain the ciphertext c, either of them can decrypt c and recover the message M using their respective secret key. This primitive is quite useful in designing combined public key cryptosystems and denial-of-service attack-resilient protocols. Ten years later, Chow, Franklin and Zhang (Chow et al. 2014) refined the notion of DRE and added some appealing features to it. Zhang et al. (2016a) extended DRE from the public-key setting to the identity-based setting, identity-based dual receiver encryption (IB-DRE), so as to avoid the difficulty of certificate management.

Many constructions from pairings and lattices have emerged since the notions of DRE and IB-DRE were proposed.

Constructions from pairings. Diament et al. (2004) presented the first DRE scheme by transforming the three-party one-round Diffie-Hellman key exchange of Joux (2000), and proved it indistinguishable under chosen ciphertext attacks. However, their scheme relies on the random oracle heuristic, and a DRE proven secure in the random oracle model (ROM) may become insecure when the RO is instantiated by an actual hash function in practice. Hence, Youn and Smith (An efficient construction of dual-receiver encryption, unpublished) attempted to give a provably secure DRE scheme in the standard model by combining an adaptively CCA secure encryption scheme with a non-interactive zero-knowledge protocol, but it suffers from low efficiency due to the prohibitively large proof size. Later on, Chow, Franklin and Zhang (Chow et al. 2014) proposed a CCA secure DRE scheme by combining a selective-tag weakly CCA-secure tag-based DRE (based on the tag-based encryption scheme in Kiltz (2006)) with a strong one-time signature scheme, as well as other DRE instantiations for non-malleability and other properties. Recently, Zhang et al. (2016a) constructed two provably secure IB-DRE schemes against adaptively chosen plaintext or ciphertext and chosen identity attacks, based on the identity-based encryption scheme in Waters (2005).

Constructions from lattices. As observed in (Chow et al. 2014; Zhang et al. 2016a), DRE and IB-DRE can be viewed as special instances of broadcast encryption (BE) and identity-based broadcast encryption (IBBE), respectively, which support multiple recipients in one encryption system. So a construction of BE or IBBE implies a construction of DRE or IB-DRE. Georgescu (2013) constructed a tag-based anonymous hint system (Libert et al. 2012) under the ring learning with errors (RLWE) assumption; combining it with an IND-CCA secure public key encryption (PKE) scheme and a strongly unforgeable one-time signature (OTS) yields an IND-CCA secure BE scheme, as shown in Libert et al. (2012). Wang et al. (2015) presented a BE construction that is indistinguishable against adaptively chosen plaintext attacks (IND-CPA) under the LWE problem. As for IBBE constructions, Wang and Bi (2010) proposed an adaptively secure IBBE scheme in the ROM under the LWE assumption.

Our Contributions. In this paper, we focus on using lattice-based programmable hash functions to construct DRE and IB-DRE on lattices. Our schemes are constructed in the standard model and satisfy chosen-ciphertext or chosen-plaintext security based on the hardness of the Learning With Errors (LWE) problem. Specifically, our contributions are as follows.
  • We give a generic DRE construction from weak lattice-based programmable hash functions (wLPHF) with high min-entropy, as defined in Zhang et al. (2016b). The construction is indistinguishable against chosen-ciphertext attacks (IND-CCA) in the standard model. Instantiating it with a wLPHF with high min-entropy gives a concrete DRE scheme. We also compare our DRE scheme with the existing lattice-based DRE schemes; see Table 1 for details.

  • We also give a framework for IB-DRE from lattice-based programmable hash functions (LPHF) with high min-entropy. The construction is secure against chosen-plaintext and adaptively chosen-identity attacks (IND-ID-CPA). Instantiating it with five concrete LPHFs with high min-entropy, we obtain five concrete IB-DRE schemes. The differences between our IB-DRE schemes and the existing lattice-based IB-DRE schemes are summarized in Table 2.

Table 1

Comparison of DRE Schemes from Lattices

| Schemes | # of \(\mathbb{Z}_{q}^{n\times m}\) matrices (\(\lvert pk\rvert\)) | # of \(\mathbb{Z}_{q}^{m\times m}\) matrices (\(\lvert sk\rvert\)) | # of \(\mathbb{Z}_{q}^{m}\) vectors (\(\lvert c\rvert\)) | Assumption | Security | Other primitives |
|---|---|---|---|---|---|---|
| Geo13 (Georgescu 2013)† | – | – | – | RLWE | IND-CCA | PKE, OTS |
| WWW’15 (Wang et al. 2015) | 1 | 1 | 1 | LWE | IND-CPA | – |
| Ours: \(\mathsf{DRE}_{\mathsf{ABB}}\) | 1 | 1 | 4 | LWE | IND-CCA | OTS |

∗ \(\lvert pk\rvert\), \(\lvert sk\rvert\) and \(\lvert c\rvert\) denote the size of the public key, secret key and ciphertext, respectively.

† Because the Geo’13 scheme uses an IND-CCA secure PKE scheme from lattices, we do not know how to give the details of \(\lvert pk\rvert\), \(\lvert sk\rvert\) and \(\lvert c\rvert\) for it.

Table 2

Comparison of IB-DRE Schemes from Lattices

| Schemes | # of \(\mathbb{Z}_{q}^{n\times m}\) matrices (\(\lvert PP\rvert\)) | # of \(\mathbb{Z}_{q}^{m\times m}\) matrices (\(\lvert Msk\rvert\)) | # of \(\mathbb{Z}_{q}^{m}\) vectors (\(\lvert c\rvert\)) | Assumption | Security | Standard model |
|---|---|---|---|---|---|---|
| WB’10 (Wang and Bi 2010) | 1 | 1 | 3 | LWE | IND-ID-CPA | ROM |
| Ours: \(\mathsf{IB\text{-}DRE}_{\mathsf{ABB}}\) | \(\mathcal{O}(n)\) | 1 | 3 | LWE | IND-ID-CPA | \(\checkmark\) |
| Ours: \(\mathsf{IB\text{-}DRE}_{\mathsf{ZCZ}}\) | \(\mathcal{O}(\log{Q})\) | 1 | 3 | LWE | IND-ID-CPA | \(\checkmark\) |
| Ours: \(\mathsf{IB\text{-}DRE}_{\mathsf{Yam}}\) | \(\omega(\sqrt{n})\) | 1 | 3 | LWE | IND-ID-CPA | \(\checkmark\) |
| Ours: \(\mathsf{IB\text{-}DRE}_{\mathsf{MAH}}\) | \(\omega(\log^{2}{n})\) | 1 | 3 | LWE | IND-ID-CPA | \(\checkmark\) |
| Ours: \(\mathsf{IB\text{-}DRE}_{\mathsf{AFF}}\) | \(\omega(\log{n})\) | 1 | 3 | LWE | IND-ID-CPA | \(\checkmark\) |

∗ \(\lvert PP\rvert\), \(\lvert Msk\rvert\) and \(\lvert c\rvert\) denote the size of the public parameters, master secret key and ciphertext, respectively. Q is the bound on the number of secret key queries.

Remark 1. This work is related to Zhang et al. (2018b), in which we constructed \(\mathsf{DRE}_{\mathsf{ABB}}\) and \(\mathsf{IB\text{-}DRE}_{\mathsf{ABB}}\) directly from the identity-based encryption scheme in Agrawal et al. (2010); that construction is a concrete case of our generic construction. With a deeper understanding, we found that \(\mathsf{DRE}_{\mathsf{ABB}}\) (or \(\mathsf{IB\text{-}DRE}_{\mathsf{ABB}}\)) can be explained using wLPHFs (or LPHFs) with high min-entropy. So, in this paper, we present a generic DRE (IB-DRE) construction from wLPHFs (LPHFs) with high min-entropy.

Preliminaries

Notations. Let λ be the security parameter; poly(λ) denotes a function \(f\left (\lambda \right)=\mathcal {O}\left (\lambda ^{c}\right)\) for some constant c, and negl(λ) denotes a negligible function. For a positive integer \(n\in \mathbb {N}\), [n] denotes the set {1,⋯,n}. \(\mathbb {Z}_{q}\) denotes the ring of integers modulo q for an integer q≥2. Matrices are written as bold capital letters such as A, B, and column vectors as bold lowercase letters such as x, y. \(\mathbf{A}^{\top}\) denotes the transpose of the matrix A, and [A|B] the matrix obtained by concatenating A and B. \((\mathbf{a})_{i}\) and \((\mathbf{A})_{i}\) denote the i-th element of a and the i-th column of A, respectively. \(\mathbf{I}_{n}\) and \(\mathbf{Inv}_{n}\) denote the n×n identity matrix and the set of invertible matrices in \(\mathbb {Z}_{q}^{n\times n}\), respectively.

Dual Receiver Encryption

Definition 1

(Dual receiver encryption (DRE) (Chow et al. 2014)) A dual receiver encryption scheme \(\mathcal {DRE} = (\mathsf {CGen}_{\mathsf {DRE}}, \mathsf {Gen}_{\mathsf {DRE}}, \mathsf {Enc}_{\mathsf {DRE}}, \mathsf {Dec}_{\mathsf {DRE}})\) is defined as follows:
  • \(\mathsf{CGen}_{\mathsf{DRE}}(1^{\lambda})\rightarrow \mathsf{crs}\). The randomized common reference string (CRS) generation algorithm, on input a security parameter λ, outputs a CRS crs.

  • \(\mathsf{Gen}_{\mathsf{DRE}}(\mathsf{crs})\rightarrow (pk,sk)\). The randomized key generation algorithm, on input crs, outputs a public/secret key pair (pk,sk). \(\mathsf{Gen}_{\mathsf{DRE}}\) is run twice independently to generate the key pairs \((pk_{1},sk_{1})\) and \((pk_{2},sk_{2})\) for two independent users. Without loss of generality, assume \(pk_{1}\) and \(pk_{2}\) are sorted in lexicographic order.

  • \(\mathsf{Enc}_{\mathsf{DRE}}(\mathsf{crs},pk_{1},pk_{2},M)\rightarrow c\). The randomized encryption algorithm takes crs, two public keys \(pk_{1}\) and \(pk_{2}\) (such that \(pk_{1}<_{d}pk_{2}\)) and a message M as input, and outputs a ciphertext c.

  • \(\mathsf{Dec}_{\mathsf{DRE}}(\mathsf{crs},pk_{1},pk_{2},sk_{j},c)\rightarrow M\). The deterministic decryption algorithm, on input two public keys \(pk_{1}\) and \(pk_{2}\), one secret key \(sk_{j}\) (j∈{1,2}), and a ciphertext c, outputs a message M or ⊥.

Correctness. For all \(\mathsf{crs}\leftarrow \mathsf{CGen}_{\mathsf{DRE}}(1^{\lambda})\), all \((pk_{1},sk_{1})\leftarrow \mathsf{Gen}_{\mathsf{DRE}}(\mathsf{crs})\) and \((pk_{2},sk_{2})\leftarrow \mathsf{Gen}_{\mathsf{DRE}}(\mathsf{crs})\), and all \(c\leftarrow \mathsf{Enc}_{\mathsf{DRE}}(\mathsf{crs},pk_{1},pk_{2},M)\), the following holds:
$$\begin{aligned} &\Pr\left[\mathsf{Dec}_{\mathsf{DRE}}(\mathsf{crs},pk_{1},pk_{2},sk_{1},c)= M\right. \\ &\left.\quad=\mathsf{Dec}_{\mathsf{DRE}}(\mathsf{crs},pk_{1},pk_{2},sk_{2},c)\right]\geq 1-\mathsf{negl}(\lambda). \end{aligned} $$
Security. \(\mathcal {DRE}\) is said to be IND-CCA secure if for any probabilistic polynomial time (PPT) adversary \(\mathcal {A}\), its advantage, defined as
$$\mathbf{Adv}_{\mathcal{DRE},\mathcal{A}}^{\mathsf{ind-cca}}\left(1^{\lambda}\right)= \left|\Pr\left[\mathsf{Exp}_{\mathcal{DRE},\mathcal{A}}^{\mathsf{ind-cca}}\left(1^{\lambda}\right)=1\right]-\frac{1}{2}\right|, $$
is negligible in λ, where \(\mathsf {Exp}_{\mathcal {DRE},\mathcal {A}}^{\mathsf {ind-cca}}(1^{\lambda })\) is defined in Table 3.
Table 3

IND-CCA security for DRE

\(\mathbf {Experiment}~\mathsf {Exp}_{\mathcal {DRE},\mathcal {A}}^{\mathsf {ind}-\mathsf {cca}}(1^{\lambda }):\)

\(\mathsf {crs}\overset {\$}{\leftarrow }\mathsf {CGen}_{\mathsf {DRE}}(1^{\lambda })\);

\((pk_{j},sk_{j})\overset {\$}{\leftarrow }\mathsf {Gen}_{\mathsf {DRE}}(\mathsf {crs})\) for j∈{1,2};

\((M_{0},M_{1},s)\overset {\$}{\leftarrow }\mathcal {A}^{\mathsf {Dec}_{\mathsf {DRE}}(sk_{j},c)}(\mathsf {crs},pk_{1},pk_{2})\);

\(b\overset {\$}{\leftarrow }\{0,1\}, c^{\star }\overset {\$}{\leftarrow }\mathsf {Enc}_{\mathsf {DRE}}(\mathsf {crs},pk_{1},pk_{2},M_{b})\);

\(b^{\prime }\overset {\$}{\leftarrow }\mathcal {A}^{\mathsf {Dec}_{\mathsf {DRE}}(sk_{j},c)\wedge {c\neq c^{\star }}}(c^{\star },s)\);

if \(b = b^{\prime}\) then return 1 else return 0.

Identity-Based Dual Receiver Encryption

Definition 2

(Identity-based dual receiver encryption (IB-DRE) (Zhang et al. 2016a)) An identity-based dual receiver encryption scheme \(\mathcal {IB}-\mathcal {DRE} = (\mathsf{Setup}_{\mathsf{ID}},\mathsf{KeyGen}_{\mathsf{ID}},\mathsf{Enc}_{\mathsf{ID}},\mathsf{Dec}_{\mathsf{ID}})\) is defined as follows:
  • \(\mathsf{Setup}_{\mathsf{ID}}(1^{\lambda})\rightarrow (PP,Msk)\). The setup algorithm, on input a security parameter \(1^{\lambda}\), outputs a pair of public parameters and master secret key (PP, Msk).

  • \(\mathsf {KeyGen}_{\mathsf {ID}}(PP, Msk,{id}_{1st},{id}_{2nd}\in \mathcal {ID})\rightarrow sk_{{id}_{1st}}, sk_{id_{2nd}}\). The key generation algorithm, on input the public parameters PP, the master secret key Msk, and two identities \(id_{1st},id_{2nd}\), outputs \(sk_{{id}_{1st}}\) and \(sk_{id_{2nd}}\) as the secret keys for the first receiver \(id_{1st}\) and the second receiver \(id_{2nd}\), respectively.

  • \(\mathsf{Enc}_{\mathsf{ID}}(PP,id_{1st},id_{2nd},M)\rightarrow c\). The encryption algorithm, on input the public parameters PP, two identities \(id_{1st}\) and \(id_{2nd}\), and a message M, outputs a ciphertext c.

  • \(\mathsf {Dec}_{\mathsf {ID}}(PP,c,sk_{id_{j}}) \rightarrow M\). The decryption algorithm, on input the public parameters PP, a ciphertext c, and one secret key \(sk_{id_{j}}, j\in \{1st,2nd\}\), outputs a message M or ⊥.

Correctness. For all \((PP,Msk)\overset {\$}{\leftarrow } \mathsf {Setup}_{\mathsf {ID}}\left (1^{\lambda }\right)\), all identities \(id_{j}\in \mathcal {ID}\), all messages M, all \(sk_{id_{j}} \leftarrow \mathsf {KeyGen}_{\mathsf {ID}}(PP, Msk,id_{j})\), and all \(c\leftarrow \mathsf{Enc}_{\mathsf{ID}}(PP,id_{1st},id_{2nd},M)\), it holds that
$${{} \begin{aligned} &\Pr\left[\mathsf{Dec}_{\mathsf{ID}}(PP,sk_{id_{1st}},c)=M=\mathsf{Dec}_{\mathsf{ID}}(PP,sk_{id_{2nd}},c)\right]\\& \quad\geq 1-\mathsf{negl}(\lambda). \end{aligned}} $$
Security. An IB-DRE scheme is said to be IND-ID-CPA secure if for any PPT adversary \(\mathcal {A}\), its advantage denoted as
$${{} \begin{aligned} \mathbf{Adv}_{\mathcal{IB-DRE},\mathcal{A}}^{\mathsf{ind-id-cpa}}\left(1^{\lambda}\right)= \left|\Pr\left[\mathsf{Exp}_{\mathcal{IB-DRE},\mathcal{A}}^{\mathsf{ind-id-cpa}}(1^{\lambda})=1\right]-\frac{1}{2}\right| \end{aligned}} $$
is negligible in λ, where \(\mathsf {Exp}_{\mathcal {IB-DRE},\mathcal {A}}^{\mathsf {ind-id-cpa}}(1^{\lambda })\) is defined in Table 4.
Table 4

IND-ID-CPA security for IB-DRE

\(\mathbf {Experiment}~\mathsf {Exp}_{\mathcal {IB-DRE},\mathcal {A}}^{\mathsf {ind-id-cpa}}(1^{\lambda }):\)

\((PP,Msk)\overset {\$}{\leftarrow } \mathsf {Setup}_{\mathsf {ID}}(1^{\lambda })\)

\((id_{1st}^{\star },id_{2nd}^{\star },M_{0},M_{1},s)\overset {\$}{\leftarrow }\mathcal {A}^{\mathsf {KeyGen}_{\mathsf {ID}}(PP, Msk,id_{1st},id_{2nd})}(PP)\);

\(b\overset {\$}{\leftarrow }\{0,1\},c^{\star }\overset {\$}{\leftarrow }\mathsf {Enc}_{\mathsf {ID}}(PP,id_{1st}^{\star },id_{2nd}^{\star },M_{b})\);

\(b^{\prime }\overset {\$}{\leftarrow }\mathcal {A}^{\mathsf {KeyGen}_{\mathsf {ID}}(PP,Msk,id_{1st},id_{2nd})\wedge id_{j}\neq id_{j,j=1st,2nd}^{\star }}(c^{\star },s)\);

if \(b = b^{\prime}\) then return 1 else return 0.

Lattice-Based Programmable Hash Function with High Min-Entropy

Let \(\ell,\overline {m},m,n,q,v\) be some polynomials in the security parameter λ. A hash function \(\mathcal {H}:\mathcal {X}\rightarrow \mathbb {Z}_{q}^{n\times m}\) consists of two algorithms \((\mathcal {H}.\mathsf {Gen},\mathcal {H}.\mathsf {Eval})\), where the PPT key generation algorithm \(\mathcal {H}.\mathsf {Gen}(1^{\lambda })\) takes the security parameter λ as input and outputs a key K, namely, \(K\leftarrow \mathcal {H}.\mathsf {Gen}\left (1^{\lambda }\right)\), and the efficient deterministic evaluation algorithm \(\mathcal {H}.\mathsf {Eval}(K,X)\) takes \(X \in \mathcal {X} = \{0,1\}^{\ell }\) as input and outputs a hash value \(\mathbf {Z}\in \mathbb {Z}_{q}^{n\times m}\), namely, \(\mathbf {Z} = \mathcal {H}.\mathsf {Eval}(K,X)\).

Definition 3

(Lattice-based programmable hash functions (LPHF) (Zhang et al. 2016b)) A hash function \(\mathcal {H}:\mathcal {X}\rightarrow \mathbb {Z}_{q}^{n\times m}\) is a (1,v,β,γ,δ)-LPHF if there exist a PPT trapdoor key generation algorithm \(\mathcal {H}.\mathsf {TrapGen}\) and a PPT deterministic trapdoor evaluation algorithm \(\mathcal {H}.\mathsf {TrapEval}\) such that the following properties hold:

Syntax: Given a uniformly random matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times \overline {m}}\) and a (public) trapdoor matrix \(\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}\), the PPT algorithm \(\mathcal {H}.\mathsf {TrapGen}\) outputs a key \(K^{\prime}\) along with a trapdoor td, i.e., \((K^{\prime },td)\leftarrow \mathcal {H}.\mathsf {TrapGen}\left (1^{\lambda },\mathbf {A,B}\right)\). Moreover, given td, \(K^{\prime}\) and \(X\in \mathcal {X}\), the deterministic algorithm \(\mathcal {H}.\mathsf {TrapEval}\) returns \(\mathbf {R}^{\prime }_{X}\in \mathbb {Z}_{q}^{\overline {m}\times m}\) and \(\mathbf {S}^{\prime }_{X}\in \mathbb {Z}_{q}^{n\times n}\), i.e., \((\mathbf {R}^{\prime }_{X},\mathbf {S}^{\prime }_{X}) = \mathcal {H}.\mathsf {TrapEval}(td,K^{\prime },X)\), such that \(s_{1}(\mathbf {R}^{\prime }_{X})\leq \beta \) and \(\mathbf {S}^{\prime }_{X}\in \mathbf {Inv}_{n}\cup \{\mathbf {0}\}\) with overwhelming probability over the trapdoor td generated together with \(K^{\prime}\), where \(s_{1}(\cdot)\) is defined in Appendix A and \(\mathbf{Inv}_{n}\) denotes the set of invertible matrices in \(\mathbb{Z}^{n \times n}_{q}\).

Correctness: For all \((K^{\prime },td)\leftarrow \mathcal {H}.\mathsf {TrapGen}\left (1^{\lambda },\mathbf {A,B}\right)\), all \(X\in \mathcal {X}\) and \((\mathbf {R}^{\prime }_{X},\mathbf {S}^{\prime }_{X}) = \mathcal {H}.\mathsf {TrapEval}(td,K^{\prime },X)\), it holds that \(\mathcal {H}.\mathsf {Eval}(K^{\prime },X) = \mathbf {AR}^{\prime }_{X}+\mathbf {S}^{\prime }_{X}\mathbf {B}.\)

Statistically close trapdoor keys: For all \(\left (K^{\prime },td\right)\leftarrow \mathcal {H}.\mathsf {TrapGen}(1^{\lambda },\mathbf {A,B})\), and all \(K\leftarrow \mathcal {H}.\mathsf {Gen}\left (1^{\lambda }\right)\), the statistical distance between \((\mathbf{A},K^{\prime})\) and \((\mathbf{A},K)\) is at most γ.

Well-distributed hidden matrices: For all \(\left (K^{\prime },td\right)\leftarrow \mathcal {H}.\mathsf {TrapGen}\left (1^{\lambda },\mathbf {A,B}\right)\), and any inputs \(X^{*},X_{1},\cdots,X_{v}\) where \(X^{*}\neq X_{j}\) for any j∈[v], it holds that
$$\Pr[\mathbf{S}^{\prime}_{X^{*}} = \mathbf{0}\wedge\mathbf{S}^{\prime}_{X_{1}},\cdots,\mathbf{S}^{\prime}_{X_{v}} \in \mathbf{Inv}_{n}]\geq\delta,$$
where \((\mathbf {R}^{\prime }_{X^{*}},\mathbf {S}^{\prime }_{X^{*}}) \leftarrow \mathcal {H}.\mathsf {TrapEval}(td,K^{\prime },X^{*})\) and \(\left (\mathbf {R}^{\prime }_{X_{j}},\mathbf {S}^{\prime }_{X_{j}}\right) \leftarrow \mathcal {H}.\mathsf {TrapEval}(td, K^{\prime },X_{j})\) for j∈[v], and the probability is over the trapdoor td generated together with \(K^{\prime}\).

A weak LPHF (wLPHF) is a relaxed version of LPHF, the only difference being that \(\mathcal {H}.\mathsf {TrapGen}\) additionally takes \(X^{*}\) as input, i.e., \((K^{\prime }, td) \leftarrow \mathcal {H}.\mathsf {TrapGen}(1^{\lambda }, \mathbf {A},\mathbf {G},X^{*})\).

Definition 4

(Lattice-based programmable hash functions with high min-entropy (Zhang et al. 2016b)) Assume the hash function \(\mathcal {H}:\mathcal {X}\rightarrow \mathbb {Z}_{q}^{n\times m}\) is a (1,v,β,γ,δ)-LPHF where γ=negl(λ) and δ>0 is noticeable. The key space of \(\mathcal {H}\) is \(\mathcal {K}\), and \(\mathcal {H}.\mathsf {TrapGen}\) and \(\mathcal {H}. \mathsf {TrapEval}\) are the corresponding trapdoor generation and trapdoor evaluation algorithms. \(\mathcal {H}\) is called an LPHF with high min-entropy if for a uniformly random matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times \overline {m}}\) and a (public) trapdoor matrix \(\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}\), the following condition holds:
  • For any \((K^{\prime },td) \leftarrow \mathcal {H}.\mathsf {TrapGen}(1^{\lambda },\mathbf {A,B})\), any \(X \in \mathcal {X}\) and \((\mathbf {R}^{\prime }_{X},\mathbf {S}^{\prime }_{X}) = \mathcal {H}.\mathsf {TrapEval}(td, K^{\prime },X)\), the distributions
    $$(\mathbf{A},K^{\prime},\mathbf{v},\mathbf{u}) ~ \text{and} ~ \left(\mathbf{A},K^{\prime},\mathbf{v},(\mathbf{R}^{\prime}_{X})^{\top}\mathbf{v}\right)$$
    are statistically close, where \(\mathbf {u}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{m},\mathbf {v}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{\overline {m}}\).

In a similar way, wLPHF with high min-entropy can be defined.

Definition 5

(Weak lattice-based programmable hash functions with high min-entropy) Assume the hash function \(\mathcal {H}:\mathcal {X}\rightarrow \mathbb {Z}_{q}^{n\times m}\) is a (1,v,β,γ,δ)-wLPHF where γ=negl(λ) and δ>0 is noticeable. The corresponding trapdoor generation and trapdoor evaluation algorithms are \(\mathcal {H}.\mathsf {TrapGen}\) and \(\mathcal {H}.\mathsf {TrapEval}\). \(\mathcal {H}\) is called a wLPHF with high min-entropy if for a uniformly random matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times \overline {m}}\) and a (public) trapdoor matrix \(\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}\):
  • For any \((K^{\prime },td)\leftarrow \mathcal {H}.\mathsf {TrapGen}\left (1^{\lambda },\mathbf {A,B},X^{*}\right)\), and the corresponding \((\mathbf {R}^{\prime }_{X^{*}}, \mathbf {S}^{\prime }_{X^{*}}) = \mathcal {H}.\mathsf {TrapEval}(td,K^{\prime }, X^{*})\), the distributions
    $$(\mathbf{A},K^{\prime},\mathbf{v},\mathbf{u}) ~ \text{and} ~ \left(\mathbf{A},K^{\prime}, \mathbf{v},(\mathbf{R}^{\prime}_{X^{*}})^{\top}\mathbf{v}\right)$$
    are statistically close, where \(\mathbf {u}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{m},\mathbf {v}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{\overline {m}}\).

Dual Receiver Encryption Construction

In this section, we give the generic construction of DRE from a weak lattice-based programmable hash function with high min-entropy, followed by the parameter selection and the security proof of the scheme.

In order to obtain IND-CCA security, we require two primitives: a strong one-time signature scheme \(\mathcal {OTS} = (\mathsf{Gen}_{\mathsf{OTS}},\mathsf{Sig}_{\mathsf{OTS}},\mathsf{Vrf}_{\mathsf{OTS}})\), as defined in Definition 6 in Appendix B, and a (1,v,β,γ,δ)-wLPHF \(\mathcal {H}: \{0,1\}^{\lambda } \rightarrow \mathbb {Z}_{q}^{n\times m}\) with high min-entropy, where γ is negligible and δ>0 is noticeable. Let the integers n,m,q,v,β be polynomials in the security parameter λ, and set \(\overline {m} = m\). Assuming the message space is \(\mathcal {M} = \{0,1\}^{n}\) and the verification key is λ bits long, our DRE scheme \(\mathcal {DRE}\) is as follows.
  • \(\mathsf{CGen}_{\mathsf{DRE}}(1^{\lambda})\): On input a security parameter λ, algorithm \(\mathsf{CGen}_{\mathsf{DRE}}\) sets the parameters n,m,q as specified in Correctness and Parameter Selection below. Then it chooses a uniformly random matrix \(\mathbf {U}\in \mathbb {Z}_{q}^{n\times n}\). Finally, it outputs the CRS crs=(n,m,q,U).

  • GenDRE(crs): Generate a pair of matrices \((\mathbf {A}_{i},\mathbf {T}_{\mathbf {A}_{i}}) \in \mathbb {Z}_{q}^{n\times m}\times \mathbb {Z}_{q}^{m\times m}\) by using TrapGen(1n,1m,q), and compute \(K_{i}\overset {\$}{\leftarrow } \mathcal {H}.\mathsf {Gen}(1^{\lambda })\) twice independently for i∈{1,2}. Finally, output pki=(Ai,Ki) and \(\phantom {\dot {i}\!}sk_{i} = \mathbf {T}_{\mathbf {A}_{i}}.\)

  • EncDRE(crs,pk1,pk2,m∈{0,1}n): Generate a pair \((\mathsf {vk},\mathsf {sk}) \overset {\$}{\leftarrow } \mathsf {Gen}_{\mathsf {OTS}}(1^{\lambda })\) and compute \(\mathbf {C}_{1} = [\mathbf {A}_{1}|\mathcal {H}.\mathsf {Eval}(K_{1},\mathsf {vk})] \in \mathbb {Z}_{q}^{n\times 2m}, \mathbf {C}_{2} = [\mathbf {A}_{2}|\mathcal {H}.\mathsf {Eval}(K_{2},\mathsf {vk})] \in \mathbb {Z}_{q}^{n\times 2m}\). Then, pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \widetilde {\mathbf {e}}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\), and \(\mathbf {e}_{1,1}, \mathbf {e}_{2,1}, \mathbf {e}_{1,2}, \mathbf {e}_{2,2} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\). Finally, compute and return the ciphertext c=(vk,c0,c1,c2,ρ), where ρ=SigOTS(sk,(c0,c1,c2)) and
    $${{} \begin{aligned} \begin{array}{ll} \mathbf{c}_{0} &= \mathbf{U}^{\top}\mathbf{s} + \widetilde{\mathbf{e}}_{0} + \mathbf{m} \cdot \left\lceil\frac{q}{2}\right\rceil \in\mathbb{Z}_{q}^{n},\\ ~\mathbf{c}_{1}& \,=\, \mathbf{C}_{1}^{\top}\mathbf{s} + \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2} \end{array} \right] \in \mathbb{Z}_{q}^{2m},~~ \mathbf{c}_{2} = \mathbf{C}_{2}^{\top}\mathbf{s} + \left[ \begin{array}{c} \mathbf{e}_{2,1}\\ \mathbf{e}_{2,2} \end{array} \right] \in \mathbb{Z}_{q}^{2m}. \end{array} \end{aligned}} $$
  • DecDRE(crs,pk1,pk2,sk1,c): To decrypt a ciphertext c=(vk,c0,c1,c2,ρ) with a private key \(\phantom {\dot {i}\!}sk_{1} = \mathbf {T}_{\mathbf {A}_{1}}\), the algorithm DecDRE does as follows:
    • Run \(\mathsf{Vrf}_{\mathsf{OTS}}(\mathsf{vk},(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2}),\rho)\) and output ⊥ if \(\mathsf{Vrf}_{\mathsf{OTS}}\) rejects;

    • For i∈[n], run \(\phantom {\dot {i}\!}(\mathbf {E}_{1})_{i} \leftarrow \mathsf {SampleLeft}(\mathbf {A}_{1},\mathcal {H}.\mathsf {Eval}(K_{1}, \mathsf {vk}), (\mathbf {U})_{i}, \mathbf {T}_{\mathbf {A}_{1}},\sigma)\). Then obtain \(\mathbf {E}_{1} \in \mathbb {Z}_{q}^{2m \times n}\) such that C1·E1=U;

    • Compute \(\phantom {\dot {i}\!}\mathbf {b} = \mathbf {c}_{0}-\mathbf {E}_{1}^{\top }\mathbf {c}_{1}\) and treat each element of b=((b)1,⋯,(b)n) as an integer in \(\mathbb {Z}\), and set (m)i=1 if \(\left |(\mathbf {b})_{i} - \lceil \frac {q}{2}\rceil \right | < \lceil \frac {q}{4}\rceil \), else (m)i=0, where i∈[n];

    • Finally, it returns the plaintext m=((m)1,⋯,(m)n).

Correctness and Parameter Selection

To make sure the correctness and the security proof works, we need to satisfy the following:
  • For i∈[n], the corresponding error term is less than q/4 with overwhelming probability (i.e., \(\alpha q\sqrt {m} + 2\alpha ^{\prime }\sigma mq < q/4\)):
    $${} \begin{aligned} \left|(\widetilde{\mathbf{e}}_{0})_{i} - (\mathbf{E}_{1})^{\top}_{i}\cdot \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2}\\ \end{array} \right]\right| &\leq |(\widetilde{\mathbf{e}}_{0})_{i}| + \left|(\mathbf{E}_{1})^{\top}_{i}\cdot \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2}\\ \end{array} \right]\right|\\ &\leq \alpha q\sqrt{m} + \sigma\sqrt{2m} \cdot \alpha^{\prime}q\sqrt{2m} < q/4. \end{aligned} $$
  • The TrapGen algorithm can work (i.e., \(m \geq 6n\log{q}\)).

  • The SampleLeft algorithm can operate (i.e., \(\sigma \geq \|\widetilde {\mathbf {T}_{\mathbf {A}_{i}}}\|\cdot \omega \left (\sqrt {\log {m}}\right) = \mathcal {O}\left (\sqrt {n\log {q}}\right)\cdot \omega \left (\sqrt {\log {m}}\right)\)).

  • The SampleRight algorithm can operate (i.e., \(\sigma \geq \|\widetilde {\mathbf {T_{G}}}\|\cdot s_{1}\left (\mathbf {R}^{\prime }_{\mathsf {vk}}\right) \cdot \omega \left (\sqrt {\log {m}}\right)\) and \(\sigma \geq \|\widetilde {\mathbf {T_{G}}}\|\cdot s_{1}\left (\mathbf {R}^{\prime \prime }_{\mathsf {vk}}\right) \cdot \omega \left (\sqrt {\log {m}}\right)\), where \(s_{1}\left (\mathbf {R}^{\prime }_{\mathsf {vk}}\right) \leq \beta \) and \(s_{1}\left (\mathbf {R}^{\prime \prime }_{\mathsf {vk}}\right) \leq \beta \)).

  • The ReRand algorithm can work (i.e., \(\alpha^{\prime}/(2\alpha) > s_{1}(\mathbf{V}_{i})\) for i=1,2, where \(s_{1}(\mathbf {V}_{1}) = s_{1}\left ([\mathbf {I}_{m}|\mathbf {R}^{\prime }_{\mathsf {vk}^{*}}]^{\top }\right) \leq 1 + s_{1}\left (\mathbf {R}^{\prime }_{\mathsf {vk}^{*}}\right) \leq 1 + \beta \) and \(s_{1}(\mathbf{V}_{2})\leq 1+\beta\), respectively, and \(\alpha q > \max \left \{\omega \left (\sqrt {\log {m}}\right), \omega \left (\sqrt {\log {2m}}\right)\right \} = \omega \left (\sqrt {\log {2m}}\right)\)).

  • The worst-case to average-case reduction works (i.e., \(\alpha q > 2\sqrt {2n}\)).

To satisfy the above requirements, we set the parameters as follows:
$${\begin{aligned}\lambda &= n, \ell = n, m = \mathcal{O}(n\log{q}), \\ \sigma &= \sqrt{5}\cdot\beta\cdot \omega\left(\sqrt{\log{m}}\right),\\ \alpha q &= 3\sqrt{n}, \alpha^{\prime}q = 6(1 + \beta)\cdot \sqrt{n},\\ q &= 12\sqrt{mn} + 48\sqrt{5}\left(\beta + \beta^{2}\right) \cdot m\sqrt{n}\cdot\omega\left(\sqrt{\log{m}}\right). \end{aligned}} $$
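The construction above and the error condition of this subsection, as an added toy illustration that is not the paper's own code: the wLPHF value is replaced by its programmed form \(\mathbf{A}\mathbf{R}+\mathbf{G}\) (i.e., \(\mathbf{S}'=\mathbf{I}\), \(\mathbf{B}=\mathbf{G}\)), SampleLeft by the gadget-trapdoor preimage \((-\mathbf{R}x, x)\) with \(x=\mathbf{G}^{-1}(u)\), the discrete Gaussian errors by \(\{-1,0,1\}\) noise, and the one-time signature is omitted, so it demonstrates only dual decryption with the rounding rule and the error bound, not CCA security. The toy parameters n=4, q=2^16, m=64 are assumptions of this example.

```python
import random

N, K = 4, 16                      # lattice dimension n and gadget length k (toy sizes)
Q = 1 << K                        # modulus q = 2^k, so G^{-1} is plain bit decomposition
M = N * K                         # m = n*k: the gadget G is n x m, each C_i is n x 2m
HALF, QUARTER = Q // 2, Q // 4    # ⌈q/2⌉ and ⌈q/4⌉ (exact because q is a power of two)


def gadget_matrix():
    """G = I_n ⊗ (1, 2, ..., 2^(k-1)) as an n x m matrix over Z_q."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for b in range(K):
            G[i][i * K + b] = 1 << b
    return G


def gadget_decompose(u):
    """G^{-1}(u): the binary x in {0,1}^m with G x = u (mod q)."""
    return [((ui % Q) >> b) & 1 for ui in u for b in range(K)]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def keygen(rng):
    """Receiver key pair: pk is C = [A | A R + G], sk is the short R (standing in for T_A).
    A R + G is the programmed hash value A R' + S' B of the wLPHF with S' = I and B = G."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
    right = [[(x + g) % Q for x, g in zip(r1, r2)] for r1, r2 in zip(matmul(A, R), gadget_matrix())]
    C = [ra + rr for ra, rr in zip(A, right)]
    return C, R


def preimage(R, u):
    """Short e in Z^{2m} with [A | A R + G] e = u: e = (-R x, x) for x = G^{-1}(u).
    This replaces one SampleLeft call; the paper samples e from a discrete Gaussian instead."""
    x = gadget_decompose(u)
    top = [-sum(r * xi for r, xi in zip(row, x)) for row in R]   # -R x over the integers
    return top + x


def encrypt(U, C1, C2, msg, rng):
    """c0 = U^T s + e0 + msg*⌈q/2⌉ and c_i = C_i^T s + e_i, with {-1,0,1} noise (toy errors)."""
    s = [rng.randrange(Q) for _ in range(N)]
    e0 = [rng.choice((-1, 0, 1)) for _ in range(N)]
    c0 = [(u + e + HALF * bit) % Q for u, e, bit in zip(matvec(transpose(U), s), e0, msg)]
    c1, c2 = ([(x + rng.choice((-1, 0, 1))) % Q for x in matvec(transpose(C), s)] for C in (C1, C2))
    return c0, c1, c2


def decrypt(U, R, c0, ci):
    """One receiver: build E column-wise so that C E = U, then round c0 - E^T c_i bit by bit."""
    E_cols = [preimage(R, col) for col in transpose(U)]           # (E)_j for j in [n]
    b = [(x - sum(e * c for e, c in zip(col, ci))) % Q for x, col in zip(c0, E_cols)]
    return [1 if abs(bj - HALF) < QUARTER else 0 for bj in b]


def trapdoor_ok(C, R, U):
    """The paper's requirement C_1 E_1 = U, checked directly."""
    E = transpose([preimage(R, col) for col in transpose(U)])     # 2m x n
    return matmul(C, E) == U


def worst_case_error(R, U):
    """Largest |e0_j - (E)_j^T e_i| possible with {-1,0,1} noise: 1 + max_j ||(E)_j||_1.
    Decryption is guaranteed when this is below q/4 (toy analogue of αq√m + 2α'σmq < q/4)."""
    return 1 + max(sum(abs(v) for v in preimage(R, col)) for col in transpose(U))


def run_demo(seed=2019):
    rng = random.Random(seed)
    U = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]  # CRS matrix U
    C1, R1 = keygen(rng)
    C2, R2 = keygen(rng)
    msg = [rng.randrange(2) for _ in range(N)]
    c0, c1, c2 = encrypt(U, C1, C2, msg, rng)
    return {
        "msg": msg,
        "receiver1": decrypt(U, R1, c0, c1),
        "receiver2": decrypt(U, R2, c0, c2),
        "trapdoors_ok": trapdoor_ok(C1, R1, U) and trapdoor_ok(C2, R2, U),
        "bound_ok": max(worst_case_error(R1, U), worst_case_error(R2, U)) < QUARTER,
    }


if __name__ == "__main__":
    print(run_demo())
```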

Security Proof

Theorem 1

Let \(n,q,m \in \mathbb {Z}\), and \(\alpha, \beta \in \mathbb {R}\) be polynomials in the security parameter λ. Let \(\mathcal {H} = (\mathcal {H}.\mathsf {Gen}, \mathcal {H}.\mathsf {Eval})\) be any (1,v,β,γ,δ)-wLPHF with high min-entropy from \(\{0,1\}^{\lambda}\) to \(\mathbb {Z}^{n \times m}_{q}\), where v=poly(n) is large enough, γ=negl(λ) and δ>0 is noticeable. If \(\mathcal {OTS}\) is a strongly existentially unforgeable one-time signature scheme and the \(\mathsf{DLWE}_{q,n,n+2m,\alpha}\) assumption holds, then the generic DRE scheme \(\mathcal {DRE}\) is IND-CCA secure.

Proof

(of Theorem 1). Assume \(\mathcal {A}\) is a PPT adversary against \(\mathcal {DRE}\) in a chosen-ciphertext attack. A ciphertext \(c=(\mathsf{vk},(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2}),\rho)\) is valid if \(\mathsf{Vrf}_{\mathsf{OTS}}(\mathsf{vk},(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2}),\rho)=1\). Let \(\mathbf {c}^{*} = (\mathsf {vk}^{*},(\mathbf {c}^{*}_{0},\mathbf {c}^{*}_{1},\mathbf {c}^{*}_{2}), \rho ^{*})\) be the challenge ciphertext in the experiment, and let Forge be the event that \(\mathcal {A}\) submits a valid ciphertext \(c=(\mathsf{vk}^{*},(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2}),\rho)\) to the decryption oracle during the query phase (assume that \(\mathsf{vk}^{*}\) is chosen at the outset of the experiment). Note that
$${\begin{aligned} \mathsf{Adv}^{\mathrm{ind-cca}}_{\mathcal{DRE, A}}(1^{\lambda}) = &\left|\Pr[\mathsf{Exp}^{\mathrm{ind-cca}}_{\mathcal{DRE, A}}(1^{\lambda}) = 1] - \frac{1}{2}\right|\\ \leq &\left|\Pr[\mathsf{Exp}^{\mathrm{ind-cca}}_{\mathcal{DRE, A}}(1^{\lambda}) = 1 \wedge \mathsf{Forge}] - \frac{1}{2}\Pr[\mathsf{Forge}] \right| \\ &+ \left|\Pr[\mathsf{Exp}^{\mathrm{ind-cca}}_{\mathcal{DRE, A}}(1^{\lambda}) = 1 \wedge \overline{\mathsf{Forge}}] + \frac{1}{2}\Pr[\mathsf{Forge}]- \frac{1}{2}\right|\\ \leq &\frac{1}{2}\Pr[\mathsf{Forge}] + \left|\Pr[\mathsf{Exp}^{\mathrm{ind-cca}}_{\mathcal{DRE, A}}\left(1^{\lambda}\right)\right. \\& \left.= 1 \wedge \overline{\mathsf{Forge}}] + \frac{1}{2}\Pr[\mathsf{Forge}]- \frac{1}{2}\right|. \end{aligned}} $$
By the security of \(\mathcal {OTS}\) defined in Definition 6 in Appendix B, Pr[Forge] is negligible. So in order to complete the proof of Theorem 1, we only need to prove the following lemma. □

Lemma 1

\(\left |\Pr [\mathsf {Exp}^{\mathrm {ind-cca}}_{\mathcal {DRE, A}}\left (1^{\lambda }\right) \,=\, 1 \wedge \overline {\mathsf {Forge}}] \,+\, \frac {1}{2}\Pr [\mathsf {Forge}] - \frac {1}{2}\right |\) is negligible, assuming the DLWEq,n,n+2m,α assumption holds.

Proof

(of Lemma 1). We prove the lemma by a sequence of games. We show that if there is a PPT adversary \(\mathcal {A}\) that breaks our \(\mathcal {DRE}\) scheme with a non-negligible advantage ε (i.e., its success probability is \(\frac {1}{2} + \epsilon \)), then there exists a reduction that breaks the \(\mathsf{DLWE}_{q,n,n+2m,\alpha}\) assumption with advantage \(\delta^{2}\epsilon\). For simplicity, we set the trapdoor matrix \(\mathbf {B} = \mathbf {G} \in \mathbb {Z}^{n \times m}_{q}\) throughout the proof. Assume that the adversary \(\mathcal {A}\) makes \(Q_{1}\) and \(Q_{2}\) queries to \(\mathsf{Dec}(sk_{1},\cdot)\) and \(\mathsf{Dec}(sk_{2},\cdot)\), respectively, and let \(v=Q_{1}+Q_{2}\). In the following, define \(X_{i}\) as the event that the challenger outputs 1 in \(\mathsf{Game}_{i}\) for i∈{1,2,3,4,5,6,7}.

\(\mathsf{Game}_{1}\): This game is the same as the original experiment \(\mathsf {Exp}^{\mathrm {ind-cca}}_{\mathcal {DRE, A}}(1^{\lambda })\) described in Table 3, except that when the adversary \(\mathcal {A}\) submits a valid ciphertext \((\mathsf{vk}^{*},(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2}),\rho)\) to the decryption oracle, namely, when the Forge event happens, \(\mathcal {C}\) aborts and outputs a random bit. It is easy to see that
$$ {\begin{aligned} \left|\Pr[X_{1}] - \frac{1}{2}\right| &= \left|\Pr[\mathsf{Exp}^{\mathrm{ind-cca}}_{\mathcal{DRE, A}}(1^{\lambda}) \right.\\& \left.= 1 \wedge \overline{\mathsf{Forge}}] + \frac{1}{2}\Pr[\mathsf{Forge}]- \frac{1}{2}\right| \end{aligned}} $$
(1)

\(\mathsf{Game}_{2}\): This game is identical to \(\mathsf{Game}_{1}\) except that \(\mathcal {C}\) changes the generation of the public keys and the challenge ciphertext, and the way the decryption oracle answers.

Setup phase: For i=1,2, generate a pair of matrices \((\mathbf {A}_{i}, \mathbf {T}_{\mathbf {A}_{i}}) \leftarrow \mathsf {TrapGen}(1^{n},1^{m},q)\), and generate the key of the wLPHF as \((K^{\prime }_{i}, td_{i}) \leftarrow \mathcal {H}.\mathsf {TrapGen}(1^{\lambda }, \mathbf {A}_{i}, \mathbf {G}, \mathsf {vk}^{*})\).

Decryption queries: When \(\mathcal {A}\) submits a valid ciphertext \((\mathsf{vk} \neq \mathsf{vk}^{*},(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2}),\rho)\), the challenger generates \(\mathbf{E}_{1}\) or \(\mathbf{E}_{2}\) as follows:
$$(\mathbf{E}_{1})_{j} \leftarrow \mathsf{SampleLeft}\left(\mathbf{A}_{1}, \mathbf{A}_{1}\mathbf{R}^{\prime}_{\mathsf{vk}} + \mathbf{S}^{\prime}_{\mathsf{vk}}\mathbf{G}, (\mathbf{U})_{j}, \mathbf{T}_{\mathbf{A}_{1}},\sigma\right)$$
$$(\mathbf{E}_{2})_{j} \leftarrow \mathsf{SampleLeft}\left(\mathbf{A}_{2}, \mathbf{A}_{2}\mathbf{R}^{\prime\prime}_{\mathsf{vk}} + \mathbf{S}^{\prime\prime}_{\mathsf{vk}}\mathbf{G}, (\mathbf{U})_{j}, \mathbf{T}_{\mathbf{A}_{2}},\sigma\right) $$
for j∈[n], where \(\mathcal {H}.\mathsf {TrapEval}(td_{1}, K^{\prime }_{1}, \mathsf {vk}) = \left (\mathbf {R}^{\prime }_{\mathsf {vk}}, \mathbf {S}^{\prime }_{\mathsf {vk}}\right)\) and \(\mathcal {H}.\mathsf {TrapEval}\left (td_{2}, K^{\prime }_{2}, \mathsf {vk}\right) = \left (\mathbf {R}^{\prime \prime }_{\mathsf {vk}}, \mathbf {S}^{\prime \prime }_{\mathsf {vk}}\right)\).
Challenge phase: Generate \(\left (\mathbf {R}^{\prime }_{\mathsf {vk}^{*}}, \mathbf {S}^{\prime }_{\mathsf {vk}^{*}}\right)\) and \(\left (\mathbf {R}^{\prime \prime }_{\mathsf {vk}^{*}}, \mathbf {S}^{\prime \prime }_{\mathsf {vk}^{*}}\right)\) using the \(\mathcal {H}.\mathsf {TrapEval}\) algorithm as in the decryption query phase, and set \(\mathbf {C}_{1} = \left [\mathbf {A}_{1}|\mathbf {A}_{1}\mathbf {R}^{\prime }_{\mathsf {vk}^{*}} + \mathbf {S}^{\prime }_{\mathsf {vk}^{*}}\mathbf {G}\right ],~ \mathbf {C}_{2} = \left [\mathbf {A}_{2}|\mathbf {A}_{2}\mathbf {R}^{\prime \prime }_{\mathsf {vk}^{*}} + \mathbf {S}^{\prime \prime }_{\mathsf {vk}^{*}}\mathbf {G}\right ].\) By the well-distributed hidden matrices property of the wLPHF,
$$\Pr[\mathbf{S}^{\prime}_{\mathsf{vk}^{*}} = \mathbf{0} \wedge^{Q_{1}}_{i=1} \mathbf{S}^{\prime}_{\mathsf{vk}_{i}} \in \mathbf{Inv}_{n}] \geq \delta,$$
$$\Pr[\mathbf{S}^{\prime\prime}_{\mathsf{vk}^{*}} = \mathbf{0} \wedge^{Q_{2}}_{i=1} \mathbf{S}^{\prime\prime}_{\mathsf{vk}_{i}} \in \mathbf{Inv}_{n}] \geq \delta.$$
Thus, with noticeable probability \(\delta ^{2}\), \((\mathbf {c}^{*}_{0}, \mathbf {c}^{*}_{1}, \mathbf {c}^{*}_{2})\) in the challenge ciphertext are as follows:
$$\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{U}^{\top}\mathbf{s} + \widetilde{\mathbf{e}}_{0} + \mathbf{m}_{b} \cdot \left\lceil\frac{q}{2}\right\rceil,\\ \mathbf{c}^{*}_{1} &= \left[ \begin{array}{c} (\mathbf{A}_{1})^{\top}\\ (\mathbf{R}^{\prime}_{\mathsf{vk}^{*}})^{\top} (\mathbf{A}_{1})^{\top} \end{array} \right]\mathbf{s} + \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2} \end{array} \right], \\ \mathbf{c}^{*}_{2} &= \left[ \begin{array}{l} (\mathbf{A}_{2})^{\top}\\ (\mathbf{R}^{\prime\prime}_{\mathsf{vk}^{*}})^{\top} (\mathbf{A}_{2})^{\top} \end{array} \right]\mathbf{s} + \left[ \begin{array}{l} \mathbf{e}_{2,1}\\ \mathbf{e}_{2,2} \end{array} \right]. \end{aligned} $$
Game3 This game is identical to Game2 except that \(\mathcal {C}\) chooses the matrices \(\mathbf{A}_{1}\) and \(\mathbf{A}_{2}\) uniformly at random from \(\mathbb {Z}^{n \times m}_{q}\) instead of generating them with TrapGen, and generates the matrices \(\mathbf{E}_{1}\) and \(\mathbf{E}_{2}\) using SampleRight instead of SampleLeft, i.e., for j∈[n],
$$(\mathbf{E}_{1})_{j} \leftarrow \mathsf{SampleRight}\left(\mathbf{A}_{1}, \mathbf{G}, \mathbf{R}^{\prime}_{\mathsf{vk}}, \mathbf{S}^{\prime}_{\mathsf{vk}}, (\mathbf{U})_{j}, \mathbf{T}_{\mathbf{G}},\sigma\right),$$
$$(\mathbf{E}_{2})_{j} \leftarrow \mathsf{SampleRight}\left(\mathbf{A}_{2}, \mathbf{G}, \mathbf{R}^{\prime\prime}_{\mathsf{vk}}, \mathbf{S}^{\prime\prime}_{\mathsf{vk}}, (\mathbf{U})_{j}, \mathbf{T}_{\mathbf{G}},\sigma\right),$$
where \(\mathcal {H}.\mathsf {TrapEval}\left (td_{1}, K^{\prime }_{1}, \mathsf {vk}\right) = \left (\mathbf {R}^{\prime }_{\mathsf {vk}}, \mathbf {S}^{\prime }_{\mathsf {vk}}\right)\) and \(\mathcal {H}.\mathsf {TrapEval}(td_{2}, K^{\prime }_{2}, \mathsf {vk}) = \left (\mathbf {R}^{\prime \prime }_{\mathsf {vk}}, \mathbf {S}^{\prime \prime }_{\mathsf {vk}}\right).\)
Game4 This game is identical to the Game3 except that we change the way that the challenge ciphertext is generated. Pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \widetilde {\mathbf {e}}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\), and \(\widetilde {\mathbf {e}}_{1,1}, \widetilde {\mathbf {e}}_{2,1} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha q}\), and set \(\phantom {\dot {i}\!}\mathbf {w} = \mathbf {U}^{\top } \mathbf {s} + \widetilde {\mathbf {e}}_{0}, \mathbf {b}_{1} = \mathbf {A}_{1}^{\top } \mathbf {s} + \widetilde {\mathbf {e}}_{1,1}, \mathbf {b}_{2} = \mathbf {A}_{2}^{\top } \mathbf {s} + \widetilde {\mathbf {e}}_{2,1}\). Then compute
$$\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{U}^{\top}\mathbf{s} + \widetilde{\mathbf{e}}_{0} + \mathbf{m}_{b} \cdot \left\lceil\frac{q}{2}\right\rceil,\\ \mathbf{c}^{*}_{1} &= \mathsf{ReRand} \left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime}_{\mathsf{vk}^{*}})^{\top} \end{array} \right], \mathbf{b}_{1}, \alpha q, \frac{\alpha^{\prime}}{2\alpha} \right),\\ \mathbf{c}^{*}_{2} &= \mathsf{ReRand} \left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime\prime}_{\mathsf{vk}^{*}})^{\top} \end{array} \right], \mathbf{b}_{2}, \alpha q, \frac{\alpha^{\prime}}{2\alpha} \right). \end{aligned} $$
Game5 This game is identical to Game4 except that the challenge ciphertext is generated as follows. The challenger \(\mathcal {C}\) first picks \(\mathbf {w} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}, \widetilde {\mathbf {b}}_{1} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}, \widetilde {\mathbf {b}}_{2} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}\), and \(\widetilde {\mathbf {e}}_{1,1}, \widetilde {\mathbf {e}}_{2,1} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha q}\), and sets \(\mathbf {b}_{1} = \widetilde {\mathbf {b}}_{1} + \widetilde {\mathbf {e}}_{1,1}, \mathbf {b}_{2} = \widetilde {\mathbf {b}}_{2} + \widetilde {\mathbf {e}}_{2,1}\). Then it computes
$$\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{w} + \mathbf{m}_{b} \cdot \left\lceil\frac{q}{2}\right\rceil,\\ \mathbf{c}^{*}_{1} &= \mathsf{ReRand} \left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime}_{\mathsf{vk}^{*}})^{\top} \end{array} \right], \mathbf{b}_{1}, \alpha q, \frac{\alpha^{\prime}}{2\alpha} \right),\\ \mathbf{c}^{*}_{2} &= \mathsf{ReRand} \left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime\prime}_{\mathsf{vk}^{*}})^{\top} \end{array} \right], \mathbf{b}_{2}, \alpha q, \frac{\alpha^{\prime}}{2\alpha} \right). \end{aligned} $$
Game6 In this game, the challenge ciphertext is generated as follows: \(\mathcal {C}\) picks \(\mathbf {w} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \widetilde {\mathbf {b}}_{1} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}, \widetilde {\mathbf {b}}_{2} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}\), and \(\mathbf {e}_{1,1}, \mathbf {e}_{2,1}, \mathbf {e}_{1,2}, \mathbf {e}_{2,2} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\). Then it computes
$$\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{w} + \mathbf{m}_{b} \cdot \left\lceil\frac{q}{2}\right\rceil,\\ \mathbf{c}^{*}_{1} &= \left[ \begin{array}{c} \widetilde{\mathbf{b}}_{1}\\ (\mathbf{R}^{\prime}_{\mathsf{vk}^{*}})^{\top} \widetilde{\mathbf{b}}_{1} \end{array} \right] + \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2} \end{array} \right],\\ \mathbf{c}^{*}_{2} &= \left[ \begin{array}{c} \widetilde{\mathbf{b}}_{2}\\ (\mathbf{R}^{\prime\prime}_{\mathsf{vk}^{*}})^{\top} \widetilde{\mathbf{b}}_{2} \end{array} \right] + \left[ \begin{array}{c} \mathbf{e}_{2,1}\\ \mathbf{e}_{2,2} \end{array} \right]. \end{aligned} $$

Game7 In this game, \((\mathbf {c}^{*}_{0}, \mathbf {c}^{*}_{1}, \mathbf {c}^{*}_{2})\) in the challenge ciphertext \(\mathbf {c}^{*} = (\mathsf {vk}^{*}, (\mathbf {c}^{*}_{0}, \mathbf {c}^{*}_{1}, \mathbf {c}^{*}_{2}), \rho ^{*})\) is chosen uniformly at random from \(\mathbb {Z}^{n}_{q} \times \mathbb {Z}_{q}^{2m} \times \mathbb {Z}_{q}^{2m}\). Now \(\rho^{*}\) is a signature on a random message. In this case, the adversary \(\mathcal {A}\) has no advantage over a random guess. Thus, \(\Pr [X_{7}] = \frac {1}{2}\). □

Analysis of Games.

Lemma 2

\(|\Pr [X_{2}] - \frac {1}{2}| = \delta ^{2}|\Pr [X_{1}] - \frac {1}{2}| + \mathsf {negl}(\lambda).\)

Proof

This lemma follows from the statistically close trapdoor keys and well-distributed hidden matrices properties of the wLPHF. □

Lemma 3

Game3 and Game2 are statistically indistinguishable, namely, \(|\Pr[X_{3}] - \Pr[X_{2}]| \leq \mathsf{negl}(\lambda)\).

Proof

By the first, second and third items of Lemma 16, the matrix A generated by TrapGen is statistically close to uniform in \(\mathbb {Z}^{n \times m}_{q}\), and the vectors generated by SampleLeft and SampleRight are statistically close. These changes make only a negligible difference, so \(|\Pr[X_{3}] - \Pr[X_{2}]| \leq \mathsf{negl}(\lambda)\). □

Lemma 4

Game4 and Game3 are statistically indistinguishable, namely, \(|\Pr[X_{4}] - \Pr[X_{3}]| \leq \mathsf{negl}(\lambda)\).

Proof

This lemma can be proved by using the property of ReRand in Lemma 17. □

Lemma 5

Assume that the \(\mathsf{DLWE}_{n,q,n+2m,\alpha}\) assumption holds. Then Game5 and Game4 are computationally indistinguishable, namely, \(|\Pr[X_{5}] - \Pr[X_{4}]| \leq \mathsf{DLWE}_{n,q,n+2m,\alpha}\).

Proof

Suppose there exists an adversary \(\mathcal {A}\) that distinguishes Game4 and Game5 with non-negligible advantage. Then we can construct a reduction \(\mathcal {B}\) that breaks the DLWE assumption as follows.

The simulator \(\mathcal {B}\) is given the LWE instance: \(\left (\mathbf {U}, \mathbf {A}_{1}, \mathbf {A}_{2}, \mathbf {w} = \widetilde {\mathbf {w}} + \widetilde {\mathbf {e}}_{0}, \mathbf {b}_{1} = \widetilde {\mathbf {b}}_{1} + \widetilde {\mathbf {e}}_{1,1}, \mathbf {b}_{2} = \widetilde {\mathbf {b}}_{2} + \widetilde {\mathbf {e}}_{2,1}\right) \in \mathbb {Z}^{n \times n}_{q} \times \mathbb {Z}^{n \times m}_{q} \times \mathbb {Z}^{n \times m}_{q} \times \mathbb {Z}^{n}_{q} \times \mathbb {Z}^{m}_{q} \times \mathbb {Z}^{m}_{q}\) where \(\widetilde {\mathbf {e}}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}, \widetilde {\mathbf {e}}_{1,1}, \widetilde {\mathbf {e}}_{2,1} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha q}\). The task of \(\mathcal {B}\) is to distinguish whether \(\widetilde {\mathbf {w}} = \mathbf {U}^{\top } \mathbf {s}, \widetilde {\mathbf {b}}_{1} = \mathbf {A}^{\top }_{1} \mathbf {s}, \widetilde {\mathbf {b}}_{2} = \mathbf {A}^{\top }_{2} \mathbf {s}\) for \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}\) or \(\widetilde {\mathbf {w}} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}, \widetilde {\mathbf {b}}_{1}, \widetilde {\mathbf {b}}_{2} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}\). Note that this subtle change from the standard LWE problem is done only for the convenience of the proof. Then it works as follows:

Setup phase: The same as in Game4.

Decryption queries: During the game, decryption queries made by \(\mathcal {A}\) are answered as in Game4.

Challenge phase: When \(\mathcal {A}\) sends two messages \(\mathbf {m}_{0}, \mathbf {m}_{1}\), \(\mathcal {B}\) generates the challenge ciphertext as follows:
$$\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{w} + \mathbf{m}_{b} \cdot \left\lceil\frac{q}{2}\right\rceil,\\ \mathbf{c}^{*}_{1} &= \mathsf{ReRand} \left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime}_{\mathsf{vk}^{*}})^{\top} \end{array} \right], \mathbf{b}_{1}, \alpha q, \frac{\alpha^{\prime}}{2\alpha} \right),\\ \mathbf{c}^{*}_{2} &= \mathsf{ReRand} \left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime\prime}_{\mathsf{vk}^{*}})^{\top} \end{array} \right], \mathbf{b}_{2}, \alpha q, \frac{\alpha^{\prime}}{2\alpha} \right). \end{aligned} $$

Guess phase: After being allowed to make additional queries, \(\mathcal {A}\) guesses if it interacts with the challenger in Game4 or Game5.

It is easy to see that if \((\mathbf{U}, \mathbf{A}_{1}, \mathbf{A}_{2}, \mathbf{w}, \mathbf{b}_{1}, \mathbf{b}_{2})\) is a valid LWE instance, then the view of \(\mathcal {A}\) is the same as in Game4; otherwise, the view of \(\mathcal {A}\) corresponds to that in Game5. By the \(\mathsf{DLWE}_{n,q,n+2m,\alpha}\) assumption, it holds that \(|\Pr[X_{5}] - \Pr[X_{4}]| \leq \mathsf{DLWE}_{n,q,n+2m,\alpha}\). □

Lemma 6

Game6 and Game5 are statistically indistinguishable, namely, \(|\Pr[X_{6}] - \Pr[X_{5}]| \leq \mathsf{negl}(\lambda)\).

Proof

This lemma follows from the property of ReRand in Lemma 17. □

Lemma 7

Game7 and Game6 are statistically indistinguishable, namely, \(|\Pr[X_{7}] - \Pr[X_{6}]| \leq \mathsf{negl}(\lambda)\).

Proof

This lemma can be obtained by the property of wLPHF with high min-entropy. □

Completing the proof of Theorem 1. By Lemmas 3-7 and the fact that \(\Pr [X_{7}] = \frac {1}{2}\), we get \(\left |\Pr [X_{2}] - \frac {1}{2}\right | \leq \mathsf {DLWE}_{n,q,n+2m,\alpha } + \mathsf {negl}(\lambda).\) Note that \(|\Pr [X_{1}] - \frac {1}{2}| + \frac {1}{2}\Pr [\mathsf {Forge}] \geq \epsilon \) and \(\Pr[\mathsf{Forge}] \leq \mathsf{negl}(\lambda)\), so by Lemma 2 we obtain \(\mathsf{DLWE}_{n,q,n+2m,\alpha} \geq \delta^{2}\epsilon + \mathsf{negl}(\lambda)\). □

Identity-Based Dual Receiver Encryption Construction

In this section, we give the generic construction of IB-DRE from lattice-based programmable hash functions, together with the parameter selection and the security proof of the scheme.

In our IB-DRE scheme, we require that the hash function \(\mathcal {H}: \{0,1\}^{\lambda } \rightarrow \mathbb {Z}_{q}^{n\times m}\) is a (1,v,β,γ,δ)-LPHF with high min-entropy as defined in Definition 4, where γ is negligible and δ>0 is noticeable. Let the integers n,m,q,v,β be polynomials in the security parameter λ, and in our concrete construction set \(\overline {m} = m\). Assuming the identity space \(\mathcal {ID} = \{0,1\}^{\ell }\) and the message space \(\mathcal {M}=\{0,1\}^{n}\), our IB-DRE scheme \(\mathcal {IB}-\mathcal {DRE}\) is as follows:
  • SetupID(1λ): Given a security parameter λ, first set the parameters n,m,q as specified in Parameter selection below. Then, obtain a pair of matrices \((\mathbf {A},\mathbf {T}_{\mathbf {A}}) \in \mathbb {Z}_{q}^{n\times m}\times \mathbb {Z}_{q}^{m\times m}\) by using TrapGen(1n,1m,q), generate K1,K2 by running \(\mathcal {H}.\mathsf {Gen}(1^{\lambda })\) twice independently, and choose a uniformly random matrix \(\mathbf {U}\in \mathbb {Z}_{q}^{n\times n}\). Finally, output PP=(n,m,q,A,K1,K2,U) and Msk=TA.

  • \(\mathsf {KeyGen}_{\mathsf {ID}}(PP, Msk,\mathbf {id}_{1st},\mathbf {id}_{2nd}\in \mathcal {ID}):\) Given public parameters PP, a master key Msk, and identities id1st,id2nd, first compute
    $$\mathbf{A}_{\mathbf{id}_{1}}=\mathcal{H}.\mathsf{Eval}(K_{1},\mathbf{id}_{1st}),~ \mathbf{A}_{\mathbf{id}_{2}}=\mathcal{H}.\mathsf{Eval}(K_{2},\mathbf{id}_{2nd}).$$
    Then, for \(i\in [n], (\mathbf {E}_{\mathbf {id}_{1}})_{i} \leftarrow \mathsf {SampleLeft}(\mathbf {A},\mathbf {A}_{\mathbf {id}_{1}}, (\mathbf {U})_{i},\mathbf {T}_{\mathbf {A}},\sigma)\). Set \(sk_{\mathbf {id}_{1st}}=\mathbf {E}_{\mathbf {id}_{1}}\in \mathbb {Z}_{q}^{2m\times n}\) satisfying \(\left [\mathbf {A}|\mathbf {A}_{\mathbf {id}_{1}}\right ]\cdot \mathbf {E}_{\mathbf {id}_{1}}=\mathbf {U}\). Similarly, obtain \(\phantom {\dot {i}\!}sk_{\mathbf {id}_{2nd}}=\mathbf {E}_{\mathbf {id}_{2}}\) such that \(\left [\mathbf {A}|\mathbf {A}_{\mathbf {id}_{2}}\right ]\cdot \mathbf {E}_{\mathbf {id}_{2}}=\mathbf {U}\).
  • EncID(PP,id1st,id2nd,m): Compute \(\phantom {\dot {i}\!}\mathbf {A}_{\mathbf {id}_{1}},\mathbf {A}_{\mathbf {id}_{2}}\) as above. Then, pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \mathbf {e}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\), and \(\mathbf {e}_{1,1}, \mathbf {e}_{1,2},\mathbf {e}_{1,3} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\). Finally, compute and return the ciphertext c=(c0,c1), where
    $$\begin{aligned} \mathbf{c}_{0} &= \mathbf{U}^{\top}\mathbf{s} + \mathbf{e}_{0} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}\in\mathbb{Z}_{q}^{n},\\ \mathbf{c}_{1} &= \left[ \begin{array}{c} \mathbf{c_{1,1}}\\ \mathbf{c_{1,2}}\\ \mathbf{c_{1,3}} \end{array} \right]= \left[ \begin{array}{c} \mathbf{A}^{\top}\\ (\mathbf{A}_{\mathbf{id}_{1}})^{\top}\\ (\mathbf{A}_{\mathbf{id}_{2}})^{\top} \end{array} \right]\mathbf{s} +\left[ \begin{array}{c} \mathbf{e_{1,1}}\\ \mathbf{e_{1,2}}\\ \mathbf{e_{1,3}}\\ \end{array} \right]\in\mathbb{Z}_{q}^{3m}. \end{aligned} $$
  • \(\mathsf {Dec}_{\mathsf {ID}}(PP,sk_{\mathbf {id}_{j}},\mathbf {c})\): To decrypt a ciphertext c=(c0,c1) with the private key \(sk_{\mathbf {id}_{1st}} = \mathbf {E}_{\mathbf {id}_{1}}\), compute \(\mathbf {b} = \mathbf {c}_{0}-\mathbf {E}_{\mathbf {id}_{1}}^{\top }\cdot \left [ \begin {array}{c} \mathbf {c}_{1,1}\\ \mathbf {c}_{1,2}\\ \end {array} \right ]\) and write \(\mathbf {b} = ((\mathbf {b})_{1},\cdots,(\mathbf {b})_{n})^{\top } \in \mathbb {Z}^{n}_{q}\). For i∈{1,⋯,n}, set (m)i=1 if \(\left |(\mathbf {b})_{i} - \lceil \frac {q}{2}\rceil \right | < \lceil \frac {q}{4}\rceil \), and (m)i=0 otherwise. Finally, return the plaintext m=((m)1,⋯,(m)n). Decryption with \(sk_{\mathbf {id}_{2nd}} = \mathbf {E}_{\mathbf {id}_{2}}\) proceeds in the same way with \(\mathbf {c}_{1,3}\) in place of \(\mathbf {c}_{1,2}\), since \(\left [\mathbf {A}|\mathbf {A}_{\mathbf {id}_{2}}\right ]\cdot \mathbf {E}_{\mathbf {id}_{2}}=\mathbf {U}\).

Correctness and Parameter Selection

Parameter selection. To ensure correctness and that the security proof goes through, the parameters must satisfy the following:
  • For i∈[n], the corresponding error term should be less than q/4 with overwhelming probability:
    $$\begin{aligned} \left|(\mathbf{e}_{0})_{i} - (\mathbf{E}_{\mathbf{id}_{1}})^{\top}_{i}\cdot \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2} \end{array} \right]\right| &\leq |(\mathbf{e}_{0})_{i}| + \left|(\mathbf{E}_{\mathbf{id}_{1}})^{\top}_{i}\cdot \left[ \begin{array}{c} \mathbf{e}_{1,1}\\ \mathbf{e}_{1,2} \end{array} \right]\right|\\ &\leq \alpha q\sqrt{m} + \sigma\sqrt{2m} \cdot \alpha^{\prime}q\sqrt{2m} \leq q/4. \end{aligned} $$
  • the TrapGen algorithm can work (i.e. \(m \geq 6n\log q\))

  • the SampleLeft algorithm can operate (i.e. \(\sigma \geq \|\widetilde {\mathbf {T_{A}}}\| \cdot \omega \left (\sqrt {\log {m}}\right) = \mathcal {O}\left (\sqrt {n\log {q}}\right) \cdot \omega \left (\sqrt {\log {m}}\right)\))

  • the SampleRight algorithm can operate (i.e. \(\sigma \geq \|\widetilde {\mathbf {T_{G}}}\| \cdot s_{1}\left (\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{j}}\right) \cdot \omega \left (\sqrt {\log {m}}\right) = \sqrt {5}\cdot \beta \cdot \omega \left (\sqrt {\log {m}}\right)\), where \(s_{1}\left (\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{j}}\right) \leq \beta, i \in [Q], j = 1, 2\))

  • the ReRand algorithm can work (i.e. \(\alpha^{\prime}/2\alpha > s_{1}(\mathbf{V})\), where \(s_{1}(\mathbf {V}) = s_{1}\left (\left (\mathbf {I}_{m}|\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{1}}|\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{2}}\right)^{\top }\right) \leq 1 + s_{1}\left (\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{1}}\right) + s_{1}\left (\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{2}}\right) \leq 1 + 2\beta \), and \(\alpha q > \max \left \{\omega \left (\sqrt {\log {m}}\right), \omega \left (\sqrt {\log {3m}}\right)\right \} = \omega \left (\sqrt {\log {3m}}\right)\))

  • the worst-case to average-case reduction applies (i.e. \(\alpha q > 2\sqrt {2n}\))

To satisfy the above requirements, we set the parameters as follows:
$$\begin{aligned}\lambda &= n, \ell = n, m = \mathcal{O}(n\log{q}), \\ \sigma &= \sqrt{5}\cdot\beta\cdot\omega\left(\sqrt{\log{m}}\right),\\ \alpha q &= 3\sqrt{n}, \alpha^{\prime}q = 6(1 + 2\beta) \cdot \sqrt{n}, q = 12\sqrt{mn} ~ \\ &\quad+ 48\sqrt{5}\left(\beta + 2\beta^{2}\right) \cdot m\sqrt{n} \cdot \omega\left(\sqrt{\log{m}}\right). \end{aligned} $$
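As an added illustration (not code from the paper), the following toy Python model runs \(\mathsf{Enc}_{\mathsf{ID}}\) and \(\mathsf{Dec}_{\mathsf{ID}}\) from the construction above and checks the error-term condition from Parameter selection. The lattice trapdoor machinery (TrapGen, SampleLeft, discrete Gaussians) is not implemented; instead the short keys are fixed first and the first n columns of each \(\mathbf{A}_{\mathbf{id}_{j}}\) are solved for so that \(\left[\mathbf{A}|\mathbf{A}_{\mathbf{id}_{j}}\right]\mathbf{E}_{\mathbf{id}_{j}} = \mathbf{U}\) holds, and Gaussian noise is replaced by small uniform noise; this exercises the decryption algebra only and says nothing about security.

```python
"""Toy model of the IB-DRE encrypt/decrypt algebra (added example, not the
paper's code).  Trapdoor sampling is replaced by a backwards construction of
the identity matrices, so only correctness is demonstrated, not security."""
import random

N, M, Q = 4, 8, 1 << 16        # toy n, m, q (far smaller than m = O(n log q), q = poly(n))
NOISE = 8                      # toy stand-in for the Gaussian widths alpha*q and alpha'*q
HALF_Q = -(-Q // 2)            # ceil(q/2)
QUARTER_Q = -(-Q // 4)         # ceil(q/4)


def transpose(A):
    return [list(col) for col in zip(*A)]


def matvec(A, v, q):
    """A*v mod q for a row-major integer matrix A."""
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]


def matmul(A, B):
    """Integer matrix product A*B without reduction (A: r x k, B: k x c)."""
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def rand_matrix(rows, cols, lo, hi, rng):
    return [[rng.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]


def toy_setup_keygen(rng):
    """Returns (A, U, [A_id1, A_id2], [E_id1, E_id2]) with [A|A_idj]*E_idj = U (mod q).

    Hypothetical shortcut replacing TrapGen/SampleLeft: A and U are uniform as in
    Setup_ID, each short key E_idj = [E_top; I_n; 0] (entries in {-1,0,1}) is chosen
    first, and the first n columns of A_idj are solved for so that the KeyGen_ID
    relation holds; the remaining columns of A_idj are uniform.
    """
    A = rand_matrix(N, M, 0, Q - 1, rng)
    U = rand_matrix(N, N, 0, Q - 1, rng)
    id_mats, keys = [], []
    for _ in range(2):
        E_top = rand_matrix(M, N, -1, 1, rng)                                # m x n, short
        E_bot = [[1 if i == j else 0 for j in range(N)] for i in range(M)]  # [I_n ; 0], m x n
        AE = matmul(A, E_top)                                                # n x n
        first = [[(U[i][j] - AE[i][j]) % Q for j in range(N)] for i in range(N)]
        rest = rand_matrix(N, M - N, 0, Q - 1, rng)
        id_mats.append([first[i] + rest[i] for i in range(N)])              # A_idj: n x m
        keys.append(E_top + E_bot)                                           # E_idj: 2m x n
    return A, U, id_mats, keys


def key_relation_holds(A, A_id, E, U):
    """Checks [A | A_id]*E = U (mod q), the relation SampleLeft guarantees in KeyGen_ID."""
    prod = matmul([A[i] + A_id[i] for i in range(N)], E)
    return all(prod[i][j] % Q == U[i][j] for i in range(N) for j in range(N))


def encrypt(A, U, id_mats, msg, rng):
    """Enc_ID: c0 = U^T s + e0 + ceil(q/2)*m,  c1 = [A^T; A_id1^T; A_id2^T]*s + [e11; e12; e13]."""
    s = [rng.randint(0, Q - 1) for _ in range(N)]
    e0 = [rng.randint(-NOISE, NOISE) for _ in range(N)]
    c0 = [(u + e + HALF_Q * b) % Q for u, e, b in zip(matvec(transpose(U), s, Q), e0, msg)]
    c1 = []
    for B in (A, id_mats[0], id_mats[1]):
        e = [rng.randint(-NOISE, NOISE) for _ in range(M)]
        c1.append([(x + y) % Q for x, y in zip(matvec(transpose(B), s, Q), e)])
    return c0, c1                  # c1 = [c_{1,1}, c_{1,2}, c_{1,3}]


def decrypt(E, c, receiver):
    """Dec_ID for receiver 0 (uses c_{1,2}) or receiver 1 (uses c_{1,3})."""
    c0, c1 = c
    stacked = c1[0] + c1[receiver + 1]            # [c_{1,1}; c_{1,receiver+2}], length 2m
    t = matvec(transpose(E), stacked, Q)          # E^T*[...] = U^T s + E^T e   (mod q)
    b = [(x - y) % Q for x, y in zip(c0, t)]      # e0 - E^T e + ceil(q/2)*m  (mod q)
    return [1 if abs(bi - HALF_Q) < QUARTER_Q else 0 for bi in b]


def error_bound(E):
    """Worst-case |(e0)_i - (E)_i^T [e11; e12]| for the toy noise; must be < ceil(q/4)."""
    col_l1 = max(sum(abs(x) for x in col) for col in transpose(E))
    return NOISE + NOISE * col_l1


def run_demo(seed=2024):
    """Both receivers decrypt the same ciphertext to the same plaintext."""
    rng = random.Random(seed)
    A, U, id_mats, keys = toy_setup_keygen(rng)
    msg = [1, 0, 1, 1]                             # constructed sample plaintext
    c = encrypt(A, U, id_mats, msg, rng)
    return {
        "keys_valid": all(key_relation_holds(A, id_mats[j], keys[j], U) for j in range(2)),
        "receiver1": decrypt(keys[0], c, 0),
        "receiver2": decrypt(keys[1], c, 1),
        "bound_ok": all(error_bound(E) < QUARTER_Q for E in keys),
        "msg": msg,
    }
```

With the toy noise the error term is at most NOISE + NOISE·(m+1) = 80, well below ceil(q/4) = 16384, which is why decoding by the distance of \((\mathbf{b})_{i}\) from \(\lceil q/2 \rceil\) never fails here.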

Security Proof

Theorem 2

Let \(n,q,m \in \mathbb {Z}\), and \(\alpha, \beta \in \mathbb {R}\) be polynomials in the security parameter λ. For large enough v=poly(n), let \(\mathcal {H} = (\mathcal {H}.\mathsf {Gen}, \mathcal {H}.\mathsf {Eval})\) be any (1,v,β,γ,δ)-PHF with high min-entropy from {0,1}n to \(\mathbb {Z}^{n \times m}_{q}\), where γ=negl(λ) and δ>0 is noticeable. If the \(\mathsf{DLWE}_{q,n,n+m,\alpha}\) assumption holds, then the above scheme \(\mathcal {IB}-\mathcal {DRE}\) is a secure IB-DRE scheme against chosen-plaintext and adaptively chosen-identity attacks.

Proof

(of Theorem 2) We show that if there is a PPT adversary \(\mathcal {A}\) that breaks our \(\mathcal {IB}-\mathcal {DRE}\) scheme with a non-negligible advantage ε (i.e. the success probability is \(\frac {1}{2} + \epsilon \)), then there exists a reduction that breaks the LWE assumption with advantage \(\frac {\delta ^{2}\epsilon }{3}\).

Let Q=Q(λ) be an upper bound on the number of key queries and \(I^{*} = \left \{\left (\mathbf {id}^{*}_{1st},\mathbf {id}^{*}_{2nd}\right), \left (\mathbf {id}_{1st}^{i}, \mathbf {id}_{2nd}^{i}\right)_{i \in [Q]}\right \}\) the set consisting of the challenge identities and the identities used in key queries. We prove the theorem by a sequence of games, where the first game is the real IND-ID-CPA game in Table 4 and in the last game the adversary has advantage zero. In each game, the challenger \(\mathcal {C}\) selects a uniform coin \(b \overset {\$}{\leftarrow } \{0,1\}\) in the challenge phase, and finally \(\mathcal {A}\) returns a guess bit \(b^{\prime}\) for b to the challenger. In the first game the challenger sets \(\hat {b} = b^{\prime }\); these values might differ in later games. We define \(X_{i}\) as the event that \(\hat {b} = b\) in \(\mathsf{Game}_{i}\) for i∈{0,1,2,3,4,5,6,7}. As mentioned in the proof of Lemma 1, we fix the trapdoor matrix \(\mathbf {B} = \mathbf {G} \in \mathbb {Z}^{n \times m}_{q}\) throughout the proof.

Game0 This game is the real IND-ID-CPA game. By the definition, it holds that
$${} \left|\Pr[X_{0}] - \frac{1}{2}\right| = \left|\Pr[\hat{b} = b] - \frac{1}{2}\right| = \left|\Pr[b^{\prime} = b] - \frac{1}{2}\right| = \epsilon.$$

Game1 This game is identical to Game0 except that \(\mathcal {C}\) changes the setup and challenge phases.

Setup phase: Same as in Game0 except that generate \((K^{\prime }_{i}, td_{i}) \leftarrow \mathcal {H}.\mathsf {TrapGen}(1^{\lambda }, \mathbf {A}, \mathbf {G})\) for i=1,2.

Challenge phase: Generate \(\phantom {\dot {i}\!}\mathbf {A}_{\mathbf {id}^{*}_{1}}\) and \(\phantom {\dot {i}\!}\mathbf {A}_{\mathbf {id}^{*}_{2}}\) using \(\mathcal {H}.\mathsf {TrapEval}\) instead of \(\mathcal {H}.\mathsf {Eval}\). Compute \(\phantom {\dot {i}\!}(\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{1}}, \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{1}}) \leftarrow \mathcal {H}.\mathsf {TrapEval}(K^{\prime }_{1}, td_{1}, \mathbf {id}^{*}_{1st}), (\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{2}}, \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{2}}) \leftarrow \mathcal {H}.\mathsf {TrapEval}(K^{\prime }_{2}, td_{2}, \mathbf {id}^{*}_{2nd})\), and set \(\phantom {\dot {i}\!}\mathbf {A}_{\mathbf {id}^{*}_{i}} = \mathbf {A}\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{i}} + \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{i}}\mathbf {G}\) for i=1,2. Then, choose a random coin b∈{0,1}, pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \mathbf {e}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}, \mathbf {e}_{1,1},\mathbf {e}_{1,2},\mathbf {e}_{1,3} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\). Compute the challenge ciphertext \(\phantom {\dot {i}\!}\mathbf {c^{*}} = (\mathbf {c}^{*}_{0},\mathbf {c}^{*}_{1})\) where
$$\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{U}^{\top}\mathbf{s} + \mathbf{e}_{0} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}_{b} \in \mathbb{Z}_{q}^{n},\\ \mathbf{c}^{*}_{1} &= \left[ \begin{array}{c} \mathbf{A}^{\top}\\ (\mathbf{A}_{\mathbf{id}^{*}_{1}})^{\top}\\ (\mathbf{A}_{\mathbf{id}^{*}_{2}})^{\top} \end{array} \right]\mathbf{s} + \left[ \begin{array}{c} \mathbf{e_{1,1}}\\ \mathbf{e_{1,2}}\\ \mathbf{e_{1,3}}\\ \end{array} \right]\in\mathbb{Z}_{q}^{3m}. \end{aligned} $$

Game2 This game is identical to Game1 except that an abort event is added which is independent of the adversary’s view.

Guess phase: Finally, \(\mathcal {A}\) outputs its guess \(b^{\prime} \in \{0,1\}\) of b. \(\mathcal {C}\) defines the following function
$${\begin{aligned} &\mathbf{\tau}\left(\widehat{td_{1}},\widehat{td_{2}},\widehat{K^{\prime}_{1}},\widehat{K^{\prime}_{2}},I^{*}\right)\\ &=\left\{\begin{array}{ll} 0, & \mathbf{S}^{\prime}_{\mathbf{id}^{*}_{1}} = \mathbf{0} \wedge \mathbf{S}^{\prime}_{\mathbf{id}^{*}_{2}} = \mathbf{0} \wedge^{Q}_{i=1} \mathbf{S}^{\prime}_{\mathbf{id}^{i}_{1}} \in \mathbf{Inv_{n}} \wedge^{Q}_{i=1} \mathbf{S}^{\prime}_{\mathbf{id}^{i}_{2}} \in \mathbf{Inv_{n}},\\ 1, &\text{otherwise}, \end{array} \right. \end{aligned}} $$
where \(\left (\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{i}}, \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{i}}\right), i = 1,2\), are generated as in Game1, and \(\left (\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{1}}, \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{1}}\right) \leftarrow \mathcal {H}.\mathsf {TrapEval}\left (\widehat {K^{\prime }_{1}}, \widehat {td_{1}}, \mathbf {id}^{i}_{1st}\right), \left (\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{2}}, \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{2}}\right) \leftarrow \mathcal {H}.\mathsf {TrapEval}(\widehat {K^{\prime }_{2}}, \widehat {td_{2}}, \mathbf {id}^{i}_{2nd})\) for i∈[Q].

Abort check: Let \((td_{i}, K^{\prime }_{i}), i=1,2\) be produced at setup phase as in Game1. The challenger \(\mathcal {C}\) computes \(\mathbf {\tau }(td_{1},td_{2}, K^{\prime }_{1},K^{\prime }_{2},I^{*})\). If \(\mathbf {\tau }(td_{1},td_{2},K^{\prime }_{1},K^{\prime }_{2},I^{*}) = 1\), the challenger aborts the game and sets \(\hat {b} \overset {\$}{\leftarrow } \{0,1\}\) ignoring the output of \(\mathcal {A}\).

Artificial abort: Given the identity set \(I^{*}\), let \(p = \Pr \left [\mathbf {\tau }\left (\widehat {td_{1}}, \widehat {td_{2}}, \widehat {K^{\prime }_{1}}, \widehat {K^{\prime }_{2}}, I^{*}\right)= 0\right ]\) over the random choice of \(\left (\widehat {td_{1}}, \widehat {K^{\prime }_{1}}\right)\) and \(\left (\widehat {td_{2}}, \widehat {K^{\prime }_{2}}\right)\). The challenger estimates the probability p by independently running \(\left (\widehat {td_{i}}, \widehat {K^{\prime }_{i}}\right) \leftarrow \mathcal {H}.\mathsf {TrapGen}\left (1^{\lambda },\mathbf {A}_{i}, \mathbf {G}\right)\) and evaluating \(\mathbf {\tau }\left (\widehat {td_{1}}, \widehat {td_{2}}, \widehat {K^{\prime }_{1}}, \widehat {K^{\prime }_{2}}, I^{*}\right)\) \(\mathcal {O}\left (\epsilon ^{-2}\log \left (\epsilon ^{-1}\right)\lambda ^{-1}\log \left (\lambda ^{-1}\right)\right)\) times, obtaining an estimate \(p^{\prime}\), where λ is the lower bound on p for any set \(I^{*}\). If \(p^{\prime} > \lambda\), then abort with probability \(\frac {p^{\prime } - \lambda }{p^{\prime }}\) (and do not abort with probability \(\frac {\lambda }{p^{\prime }}\)), and set \(\hat {b} \overset {\$}{\leftarrow } \{0,1\}\) ignoring the output of \(\mathcal {A}\).

Finally, when receiving \(b^{\prime}\) from \(\mathcal {A}\), the challenger sets \(\hat {b} = b^{\prime }\).

Game3 This game is identical to Game2 except that the generation of A and the way key queries are answered are changed.

Setup phase: Choose a random matrix \(\mathbf {A} \in \mathbb {Z}^{n\times m}_{q}\) instead of running the TrapGen algorithm.

Key query: For the i-th secret key query \(\left (\mathbf {id}^{i}_{1st}, \mathbf {id}^{i}_{2nd}\right), i \in [Q]\), generate \(\left (\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{1}}, \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{1}}\right)\) and \(\left (\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{2}}, \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{2}}\right)\) by using \(\mathcal {H}.\mathsf {TrapEval}\) such that \(\mathbf {A}_{\mathbf {id}^{i}_{1}} = \mathbf {A}\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{1}} + \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{1}}\mathbf {G}\) and \(\mathbf {A}_{\mathbf {id}^{i}_{2}} = \mathbf {A}\mathbf {R}^{\prime }_{\mathbf {id}^{i}_{2}} + \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{2}}\mathbf {G}\). If \(\mathbf {S}^{\prime }_{\mathbf {id}^{i}_{1}} = \mathbf {0}\) or \(\mathbf {S}^{\prime }_{\mathbf {id}^{i}_{2}} = \mathbf {0}\), abort the game and set \(\hat {b} \overset {\$}{\leftarrow } \{0, 1\}\) ignoring the output of \(\mathcal {A}\). Otherwise, compute \(\left (\mathbf {E}_{\mathbf {id}^{i}_{\iota }}\right)_{j} \leftarrow \mathsf {SampleRight}\left (\mathbf {A}, \mathbf {G}, \mathbf {R}^{\prime }_{\mathbf {id}^{i}_{\iota }}, \mathbf {S}^{\prime }_{\mathbf {id}^{i}_{\iota }}, \mathbf {T_{G}}, (\mathbf {U})_{j}, \sigma \right)\) for ι=1,2 and j∈[n], set and send \(sk_{\mathbf {id}^{i}_{1}} = \mathbf {E}_{\mathbf {id}^{i}_{1}} \in \mathbb {Z}^{2m \times n}_{q}\) and \(sk_{\mathbf {id}^{i}_{2}} = \mathbf {E}_{\mathbf {id}^{i}_{2}} \in \mathbb {Z}^{2m \times n}_{q}\), where i∈[Q].

Challenge phase: When the adversary outputs \(\mathbf {id}^{*}_{1st}, \mathbf {id}^{*}_{2nd}\) and two messages m0,m1, for \(\left (\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{i}}, \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{i}}\right), i = 1,2\), generated as in Game2, the challenger first checks if \(\mathbf {S}^{\prime }_{\mathbf {id}^{*}_{1}} = \mathbf {0} \wedge \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{2}} = \mathbf {0}\). If not, abort the game and output a random bit \(\hat {b} \overset {\$}{\leftarrow } \{0, 1\}\). Thus, \(\mathbf {A}_{\mathbf {id}^{*}_{i}} = \mathbf {A}\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{i}}, i = 1, 2\). Pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \mathbf {e}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}, \mathbf {e}_{1,1},\mathbf {e}_{1,2},\mathbf {e}_{1,3} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\), compute and send the challenge ciphertext \(\mathbf {c}^{*} = (\mathbf {c}^{*}_{0}, \mathbf {c}^{*}_{1})\) where
$${\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{U}^{\top}\mathbf{s} + \mathbf{e}_{0} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}_{b} \in \mathbb{Z}_{q}^{n}, \end{aligned}} $$
$${\begin{aligned} \mathbf{c}^{*}_{1} &= \left[ \begin{array}{c} \mathbf{A}^{\top}\\ (\mathbf{A}_{\mathbf{id}^{*}_{1}})^{\top}\\ (\mathbf{A}_{\mathbf{id}^{*}_{2}})^{\top} \end{array} \right]\mathbf{s} + \left[ \begin{array}{c} \mathbf{e_{1,1}}\\ \mathbf{e_{1,2}}\\ \mathbf{e_{1,3}} \end{array} \right] \\&\quad= \left[ \begin{array}{c} \mathbf{A}^{\top}\mathbf{s}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{1}})^{\top}\mathbf{A}^{\top}\mathbf{s}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{2}})^{\top}\mathbf{A}^{\top}\mathbf{s} \end{array} \right] + \left[ \begin{array}{c} \mathbf{e_{1,1}}\\ \mathbf{e_{1,2}}\\ \mathbf{e_{1,3}} \end{array} \right]\in\mathbb{Z}_{q}^{3m}.\\ \end{aligned}} $$
At the guess phase, it also executes the artificial abort check.
Game4 This game is identical to Game3 except that the challenge ciphertext is generated differently. Pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}, \mathbf {e}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}, \mathbf {e}_{1} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha q}\), and set \(\mathbf{w} = \mathbf{U}^{\top}\mathbf{s} + \mathbf{e}_{0}, \mathbf{b}_{1} = \mathbf{A}^{\top}\mathbf{s} + \mathbf{e}_{1}\). Compute
$${\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{w} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}_{b}, \\\mathbf{c}^{*}_{1}&= \mathsf{ReRand}\left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{1}})^{\top}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{2}})^{\top} \end{array} \right], \mathbf{b}_{1}, \alpha q, \frac{\alpha^{\prime}}{2\alpha}\right). \end{aligned}} $$
Game5 In this game, the challenge ciphertext is generated as follows. Pick \(\mathbf {w} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}, \widetilde {\mathbf {b}} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}, \mathbf {e}_{1} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha q}, \mathbf {b}_{1} = \widetilde {\mathbf {b}} + \mathbf {e}_{1}\). Then compute
$${\begin{aligned} \mathbf{c}^{*}_{0} &= \mathbf{w} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}_{b}, \\ \mathbf{c}^{*}_{1} &= \mathsf{ReRand}\left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{1}})^{\top}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{2}})^{\top} \end{array} \right], \mathbf{b}_{1}, \alpha q, \frac{\alpha^{\prime}}{2\alpha}\right). \end{aligned}} $$
Game6 In this game, the challenge ciphertext is generated as follows. Pick \(\mathbf {w} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}, \widetilde {\mathbf {b}} \overset {\$}{\leftarrow } \mathbb {Z}^{m}_{q}, \mathbf {e}_{1,1},\mathbf {e}_{1,2},\mathbf {e}_{1,3} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\). Then compute
$$\mathbf{c}^{*}_{0} = \mathbf{w} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}_{b}, ~~ \mathbf{c}^{*}_{1} = \left[ \begin{array}{c} \widetilde{\mathbf{b}}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{1}})^{\top}\widetilde{\mathbf{b}} \\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{2}})^{\top}\widetilde{\mathbf{b}} \end{array} \right] +\left[ \begin{array}{c} \mathbf{e_{1,1}}\\ \mathbf{e_{1,2}}\\ \mathbf{e_{1,3}} \end{array} \right] $$

Game7 In this game, the challenge ciphertext is chosen uniformly at random, namely \(\mathbf {c} = (\mathbf {c}^{*}_{0}, \mathbf {c}^{*}_{1}) \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q} \times \mathbb {Z}^{3m}_{q}\). In this game, the advantage of the adversary is zero, namely \(\Pr [X_{7}] = \frac {1}{2}\). By the definition of Γ7, we have Γ7=0. □

Analysis of Games.

Lemma 8

If \(\mathcal {H}\) is an LPHF with high min-entropy, then | Pr[X1]− Pr[X0]|≤negl(λ).

Proof

This lemma follows from the statistically close trapdoor keys property of LPHFs in Definition 3. □

For i∈{2,3,4,5,6,7}, let \(\widetilde {p_{i}}\) be the probability that the challenger does not abort in the abort check stage in Gamei, and the probability in the artificial abort stage in Gamei is defined as \(p_{i} = \Pr \left [\mathbf {\tau }\left (\widehat {td_{1}}, \widehat {td_{2}}, \widehat {K^{\prime }_{1}}, \widehat {K^{\prime }_{2}}, I^{*}\right) = 0\right ]\). Since the adversary might obtain some information of td1 and td2 from the challenge ciphertext, the probability \(\widetilde {p_{i}}\) might not be equal to pi. Formally, let Γi be the difference between \(\widetilde {p_{i}}\) and pi, i.e. \(\Gamma _{i} = |\widetilde {p_{i}} - p_{i}|\).

Lemma 9

If \(\mathcal {H}\) is a (1,v,β,γ,δ)-LPHF and \(Q \leq v\), then \(|\Pr [X_{2}] - \frac {1}{2}| \geq \frac {1}{2}\epsilon (\delta ^{2} - \Gamma _{2}).\)

So as not to interrupt the proof of Theorem 2, we postpone the proof of Lemma 9 for the time being.

Lemma 10

If \(\mathcal {H}\) is a (1,v,β,γ,δ)-LPHF and \(Q \leq v\), then | Pr[X3]− Pr[X2]|≤negl(λ) and \(|\Gamma _{3} - \Gamma _{2}| \leq \mathsf {negl}(\lambda)\).

Proof

Note that the abort check and the artificial abort in Game2 and in Game3 are identical. By items 1, 2 and 3 of Lemma 16, the changes of generating the matrix A using TrapGen and of generating the secret keys \(sk_{\mathbf {id}^{i}_{j}}, i \in [Q], j = 1, 2,\) using SampleRight instead of SampleLeft make only a negligible difference. In conclusion, | Pr[X3]− Pr[X2]|≤negl(λ) and \(|\Gamma _{3} - \Gamma _{2}| \leq \mathsf {negl}(\lambda)\). □

Lemma 11

If \(\mathcal {H}\) is a (1,v,β,γ,δ)-LPHF and \(Q \leq v\), then | Pr[X4]− Pr[X3]|≤negl(λ) and \(|\Gamma _{4} - \Gamma _{3}| \leq \mathsf {negl}(\lambda)\).

Proof

This lemma can be proved by the property of ReRand in Lemma 17. □

Lemma 12

If the DLWEn,q,n+m,α assumption holds, then | Pr[X5]− Pr[X4]|≤DLWEn,q,n+m,α and \(|\Gamma _{5} - \Gamma _{4}| \leq \mathsf {DLWE}_{n,q,n+m,\alpha }\).

Proof

We construct an adversary \(\mathcal {B}\) against the DLWEn,q,n+m,α problem using the ability of \(\mathcal {A}\), where \(\mathcal {A}\) is an adversary in Game4 or Game5. The simulator \(\mathcal {B}\) is given the LWE instance \((\mathbf {A}^{\prime }, \mathbf {u}^{\prime } = \mathbf {b}^{\prime } + \mathbf {e}^{\prime }) \in \mathbb {Z}^{n \times (n+m)}_{q} \times \mathbb {Z}^{n +m}_{q}\) where \(\mathbf {e}^{\prime } \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n+m},\alpha q}\), and its task is to distinguish whether \(\mathbf {b}^{\prime } = (\mathbf {A}^{\prime })^{\top }\mathbf {s}\) for \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}\) or \(\mathbf {b}^{\prime } \overset {\$}{\leftarrow } \mathbb {Z}^{n+m}_{q}\). Note that this subtle change from the standard LWE problem is made only for the convenience of the proof. Then \(\mathcal {B}\) works as follows:

Setup phase: Let the first n columns of \(\mathbf {A}^{\prime }\) be the matrix \(\mathbf {U} \in \mathbb {Z}^{n \times n}_{q}\) and the last m columns the matrix \(\mathbf {A} \in \mathbb {Z}^{n \times m}_{q}\). The rest is the same as in Game4.

Key query: During the game, key extraction queries made by \(\mathcal {A}\) are answered as in Game4 without knowing TA.

Challenge phase: For \(\left (\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{i}}, \mathbf {S}^{\prime }_{\mathbf {id}^{*}_{i}}\right), i = 1,2\), generated as in Game4, first check whether \(\mathbf {S^{\prime }_{{id}^{*}_{1}}} = \mathbf {0} \wedge \mathbf {S^{\prime }_{{id}^{*}_{2}}} = \mathbf {0}\). If not, abort the game as in Game4. Otherwise, set \(\mathbf {A}_{\mathbf {id}^{*}_{1}} = \mathbf {A}\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{1}}, \mathbf {A}_{\mathbf {id}^{*}_{2}} = \mathbf {A}\mathbf {R}^{\prime }_{\mathbf {id}^{*}_{2}}\). Pick a random coin \(b \overset {\$}{\leftarrow } \{0,1\}\). Let the first n coefficients of \(\mathbf {u}^{\prime }\) be \(\mathbf {w} \in \mathbb {Z}^{n}_{q}\), and the last m coefficients \(\mathbf {b}_{1} \in \mathbb {Z}^{m}_{q}\). Then the challenge ciphertext is generated as follows:
$${\begin{aligned} \mathbf{c}^{*}_{0} = \mathbf{w} + \left\lceil\frac{q}{2}\right\rceil \cdot \mathbf{m}_{b}, ~~ \mathbf{c}^{*}_{1} = \mathsf{ReRand}\left(\left[ \begin{array}{c} \mathbf{I}_{m}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{1}})^{\top}\\ (\mathbf{R}^{\prime}_{\mathbf{id}^{*}_{2}})^{\top} \end{array} \right], \mathbf{b}_{1}, \alpha q, \frac{\alpha^{\prime}}{2\alpha}\right). \end{aligned}} $$

If \(\mathbf {b}^{\prime } = (\mathbf {A}^{\prime })^{\top }\mathbf {s}\) for \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}^{n}_{q}\), then \((\mathbf {A}^{\prime }, \mathbf {u}^{\prime } = \mathbf {b}^{\prime } + \mathbf {e}^{\prime } = [\mathbf {U} | \mathbf {A}]^{\top }\mathbf {s} + \mathbf {e}^{\prime })\) is a valid LWE sample and the view of the adversary \(\mathcal {A}\) is the same as in Game4. If \(\mathbf {b}^{\prime } \overset {\$}{\leftarrow } \mathbb {Z}^{n+m}_{q}\), then the view of \(\mathcal {A}\) is the same as in Game5. So the advantage of \(\mathcal {B}\) is | Pr[X5]− Pr[X4]|, and by the DLWE assumption it holds that | Pr[X5]− Pr[X4]|≤DLWEn,q,n+m,α and \(|\Gamma _{5} - \Gamma _{4}| \leq \mathsf {DLWE}_{n,q,n+m,\alpha }\). □

Lemma 13

| Pr[X6]− Pr[X5]|≤negl(λ) and \(|\Gamma _{6} - \Gamma _{5}| \leq \mathsf {negl}(\lambda)\).

Proof

This lemma can be proved just according to the property of ReRand in Lemma 17. □

Lemma 14

If \(\mathcal {H}\) is an LPHF with high min-entropy, then | Pr[X7]− Pr[X6]|≤negl(λ) and \(|\Gamma _{7} - \Gamma _{6}| \leq \mathsf {negl}(\lambda)\).

Proof

This lemma follows from the high min-entropy property of LPHFs in Definition 4. □

Completing the proof of Theorem 2. By Lemmas 9-14 and the fact that \(\Pr [X_{7}] = \frac {1}{2}\), it holds that
$$\mathsf{DLWE}_{n,q,n+m,\alpha} \geq \frac{1}{2}\epsilon(\delta^{2} - \Gamma_{2}) - \mathsf{negl}(\lambda). $$
By Lemmas 10-14 again, we obtain \(\Gamma _{2} \leq \mathsf {DLWE}_{n,q,n+m,\alpha } + \mathsf {negl}(\lambda)\). Thus, \(\mathsf {DLWE}_{n,q,n+m,\alpha } \geq \frac {\delta ^{2}\epsilon }{3} - \mathsf {negl}(\lambda).\)

In order to complete the proof of Theorem 2, it remains to prove Lemma 9, which uses Lemma 28 in the full version of Agrawal et al. (2010), restated as follows.

Lemma 15

(Lemma 28 in Agrawal et al. (2010)) Let \(I\) be a (Q+1)-ID tuple \(\{\mathbf {id}^{*}, \{\mathbf {id}_{j}\}_{j \in [Q]}\}\) denoting the challenge ID together with the queried IDs, and \(\eta (I)\) the probability that an abort does not happen in Game2. Let \(\eta _{max} = \max _{I} \eta (I)\) and \(\eta _{min} = \min _{I} \eta (I)\). For i=1,2, let \(X_{i}\) be the event that \(\hat {b} = b\) at the end of \(\text {Game}_{i}\). Then
$$\left|\Pr[X_{2}] - \frac{1}{2}\right| \geq \eta_{min} \left|\Pr[X_{1}] - \frac{1}{2}\right| - \frac{1}{2}(\eta_{max} - \eta_{min}).$$

Lemma 9: If \(\mathcal {H}\) is a (1,v,β,γ,δ)-LPHF and \(Q \leq v\), then \(|\Pr [X_{2}] - \frac {1}{2}| \geq \frac {1}{2}\epsilon (\delta ^{2} - \Gamma _{2})\).

Proof

(of Lemma 9) As the generations of \((\widehat {td_{1}}, \widehat {K^{\prime }_{1}})\) and \((\widehat {td_{2}}, \widehat {K^{\prime }_{2}})\) are independent, by the well-distributed hidden matrices property of \(\mathcal {H}\), it holds that
$${\begin{aligned} p & \,=\, \Pr\left[\mathbf{S}^{\prime}_{\mathbf{id}^{*}_{1}} \,=\, \mathbf{0} \wedge \mathbf{S}^{\prime}_{\mathbf{id}^{*}_{2}} \,=\, \mathbf{0} \wedge^{Q}_{i=1} \mathbf{S}^{\prime}_{\mathbf{id}^{i}_{1}} \in \mathbf{Inv_{n}} \wedge^{Q}_{i=1} \mathbf{S}^{\prime}_{\mathbf{id}^{i}_{2}} \in \mathbf{Inv_{n}}\right]\\ & = \Pr\left[\mathbf{S}^{\prime}_{\mathbf{id}^{*}_{1}} = \mathbf{0} \wedge^{Q}_{i=1} \mathbf{S}^{\prime}_{\mathbf{id}^{i}_{1}} \in \mathbf{Inv_{n}}]\cdot \Pr[\mathbf{S}^{\prime}_{\mathbf{id}^{*}_{2}} = \mathbf{0} \wedge^{Q}_{i=1} \mathbf{S}^{\prime}_{\mathbf{id}^{i}_{2}} \in \mathbf{Inv_{n}}\right] \\ & \geq \delta \cdot \delta = \delta^{2} = \lambda. \end{aligned}} $$
According to Lemma 15, we only need to evaluate ηmax, ηmin and ηmax−ηmin. By the definition of \(\widetilde {p_{2}}\) and p2 in Game2, it holds that \(\eta (I^{*}) = \widetilde {p_{2}}\frac {\lambda }{p^{\prime }}\), where \(p^{\prime }\) is an estimate of p2. Since the challenger always samples p2 \(\mathcal {O}\left (\epsilon ^{-2}\log \left (\epsilon ^{-1}\right)\lambda ^{-1}\log \left (\lambda ^{-1}\right)\right)\) times to compute \(p^{\prime }\), the Chernoff bounds give \(\Pr \left [p^{\prime } \geq p_{2}\left (1 + \frac {\epsilon }{8}\right)\right ] \leq \lambda \frac {\epsilon }{8}\) and \(\Pr \left [p^{\prime } \leq p_{2}\left (1 - \frac {\epsilon }{8}\right)\right ] \leq \lambda \frac {\epsilon }{8}\). Then,
$${\begin{aligned} \eta_{max} &\leq \left(1 - \lambda\frac{\epsilon}{8}\right) \widetilde{p_{2}} \frac{\lambda}{p_{2}\left(1 - \frac{\epsilon}{8}\right)}, ~ \\ \eta_{min} &\geq \left(1 - \lambda\frac{\epsilon}{8}\right) \widetilde{p_{2}} \frac{\lambda}{p_{2}(1 + \frac{\epsilon}{8})} \geq \frac{7\lambda\widetilde{p_{2}}}{9p_{2}}\\ \eta_{max} - \eta_{min}& \leq \left(1 - \lambda\frac{\epsilon}{8}\right) \frac{\lambda\epsilon\widetilde{p_{2}}}{4(1-\frac{\epsilon^{2}}{64})p_{2}} \leq \frac{16\lambda\epsilon\widetilde{p_{2}}}{63p_{2}} \end{aligned}} $$
Substituting these bounds and the value of λ into the inequality of Lemma 15, we get
$${{} \begin{aligned} \left|\Pr[X_{2}] - \frac{1}{2}\right| &\geq \frac{7\lambda\widetilde{p_{2}}}{9p_{2}} \cdot \epsilon - \frac{1}{2} \cdot \frac{16\lambda\epsilon\widetilde{p_{2}}}{63p_{2}}\\ &\!\geq\! \frac{\lambda\epsilon(p_{2} - \Gamma_{2})}{2p_{2}} \!\geq\! \frac{1}{2}\epsilon(\lambda \,-\, \Gamma_{2}) \,=\, \frac{1}{2}\epsilon\left(\delta^{2} - \Gamma_{2}\right). \end{aligned}} $$

Instantiation of Generic DRE construction

As said in Zhang et al. (2016b), the selectively secure IBE in Agrawal et al. (2010) implies a weak LPHF with high min-entropy, thus we can use this weak LPHF to instantiate our IND-CCA secure DRE scheme.

The wLPHF \(\mathcal {H}_{\text {ABB}}: \mathbb {Z}^{n}_{q} \rightarrow \mathbb {Z}^{n \times m}_{q}\) in Agrawal et al. (2010) consists of two algorithms \((\mathcal {H}_{\text {ABB}}.\mathsf {Gen}, \mathcal {H}_{\text {ABB}}.\mathsf {Eval})\) which are defined as follows:
  • \(\mathcal {H}_{\text {ABB}}.\mathsf {Gen}(1^{\lambda }) \rightarrow K\): \(\mathbf {A}_{0} \overset {\$}{\leftarrow } \mathcal {K} = \mathbb {Z}^{n \times m}_{q}\), and output K=A0.

  • \(\mathcal {H}_{\text {ABB}}.\mathsf {Eval}(K, X) \rightarrow \mathbf {Z} \in \mathbb {Z}^{n \times m}_{q}\): For \(X \in \mathbb {Z}^{n}_{q}\) and the FRD encoding function \(H_{n,q}: \mathbb {Z}^{n}_{q} \rightarrow \mathbb {Z}^{n \times n}_{q}\) introduced in Zhang et al. (2018b), output \(\mathbf {Z} = \mathbf {A}_{0} + H_{n,q}(X)\mathbf {G}\).

The associating algorithms \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapGen}\) and \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapEval}\) are defined as follows:
  • \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapGen}(1^{\lambda }, \mathbf {A}, \mathbf {G}, X^{*}) \rightarrow (K^{\prime }, td)\): Randomly choose \(\mathbf {R}\overset {\$}{\leftarrow } \{-1, 1\}^{m \times m}\), set \(\mathbf {A}_{0} = \mathbf {A}\mathbf {R} - H_{n,q}(X^{*})\mathbf {G}\), and output \(K^{\prime } = \mathbf {A}_{0}\) and \(td = \{\mathbf {R}\}\).

  • \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapEval}(td, K^{\prime }, X) \rightarrow (\mathbf {R}_{X}, \mathbf {S}_{X})\): For \(X \in \mathbb {Z}^{n}_{q}\), \(\mathbf {Z} = \mathbf {AR} + (H_{n,q}(X) - H_{n,q}(X^{*}))\mathbf {G}\), so \(\mathbf {R}_{X} = \mathbf {R}\) and \(\mathbf {S}_{X} = H_{n,q}(X) - H_{n,q}(X^{*})\).

The above function \(\mathcal {H}_{\text {ABB}}\) is a \((1,v,\mathcal {O}(\ell \sqrt {m}),\mathsf {negl(\lambda)},1)\)-wLPHF with high min-entropy (Zhang et al. 2016b), and using it to instantiate our generic DRE construction, we can get the concrete DRE ABB scheme in Table 5.
Table 5. DRE ABB scheme

\(\mathsf {CGen}_{\mathsf {DRE}}(1^{\lambda })\): \(\mathbf {U} \overset {\$}{\leftarrow } \mathbb {Z}^{n \times n}_{q}\), output \(\mathsf {crs} = \mathbf {U}\).

\(\mathsf {Gen}_{\mathsf {DRE}}(\mathsf {crs})\): \((\mathbf {A}_{i}, \mathbf {T}_{\mathbf {A}_{i}}) \overset {\$}{\leftarrow } \mathsf {TrapGen}(1^{n}, 1^{m}, q)\), \(\mathbf {B}_{i} \overset {\$}{\leftarrow } \mathbb {Z}^{n \times m}_{q}\) for i = 1,2. Output \(pk_{i} = (\mathbf {A}_{i}, \mathbf {B}_{i})\), \(sk_{i} = \mathbf {T}_{\mathbf {A}_{i}}\).

\(\mathsf {Enc}_{\mathsf {DRE}}(\mathsf {crs}, pk_{1}, pk_{2}, \mathbf {m} \in \{0,1\}^{n})\):

1. Generate \((\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {Gen}_{\mathsf {OTS}}(1^{\lambda })\).

2. Compute \(\mathbf {C}_{1} = (\mathbf {A}_{1} \,|\, \mathbf {B}_{1} + H_{n,q}(\mathsf {vk}) \cdot \mathbf {G})\) and \(\mathbf {C}_{2} = (\mathbf {A}_{2} \,|\, \mathbf {B}_{2} + H_{n,q}(\mathsf {vk}) \cdot \mathbf {G})\).

3. Pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}\), \(\widetilde {\mathbf {e}}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\) and \(\mathbf {e}_{1,1}, \mathbf {e}_{2,1}, \mathbf {e}_{1,2}, \mathbf {e}_{2,2} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\); compute and return the ciphertext \(c = (\mathsf {vk}, \mathbf {c}_{0}, \mathbf {c}_{1}, \mathbf {c}_{2}, \rho)\), where \(\rho = \mathsf {Sig}_{\mathsf {OTS}}(\mathsf {sk}, (\mathbf {c}_{0}, \mathbf {c}_{1}, \mathbf {c}_{2}))\) and
\(\mathbf {c}_{0} = \mathbf {U}^{\top }\mathbf {s} + \widetilde {\mathbf {e}}_{0} + \mathbf {m} \cdot \left \lceil \frac {q}{2}\right \rceil \in \mathbb {Z}_{q}^{n}\),
\(\mathbf {c}_{1} = \mathbf {C}_{1}^{\top }\mathbf {s} + \left [ \begin {array}{c} \mathbf {e}_{1,1}\\ \mathbf {e}_{1,2} \end {array} \right ] \in \mathbb {Z}_{q}^{2m}\), \(\mathbf {c}_{2} = \mathbf {C}_{2}^{\top }\mathbf {s} + \left [ \begin {array}{c} \mathbf {e}_{2,1}\\ \mathbf {e}_{2,2} \end {array} \right ] \in \mathbb {Z}_{q}^{2m}\).

\(\mathsf {Dec}_{\mathsf {DRE}}(\mathsf {crs}, pk_{1}, pk_{2}, sk_{1}, c)\) (shown for receiver 1; receiver 2 runs the same steps with \(sk_{2}\), \(\mathbf {C}_{2}\) and \(\mathbf {c}_{2}\)):

1. Run \(\mathsf {Vrf}_{\mathsf {OTS}}(\mathsf {vk}, (\mathbf {c}_{0}, \mathbf {c}_{1}, \mathbf {c}_{2}), \rho)\); output ⊥ if \(\mathsf {Vrf}_{\mathsf {OTS}}\) rejects.

2. \((\mathbf {E}_{1})_{i} \leftarrow \mathsf {SampleLeft}(\mathbf {A}_{1}, \mathbf {B}_{1} + H_{n,q}(\mathsf {vk})\cdot \mathbf {G}, (\mathbf {U})_{i}, \mathbf {T}_{\mathbf {A}_{1}}, \sigma)\) for \(i \in [n]\), to obtain \(\mathbf {E}_{1} \in \mathbb {Z}_{q}^{2m \times n}\) such that \(\mathbf {C}_{1} \cdot \mathbf {E}_{1} = \mathbf {U}\).

3. Compute \(\mathbf {b} = \mathbf {c}_{0}-\mathbf {E}_{1}^{\top }\mathbf {c}_{1} = ((\mathbf {b})_{1},\cdots,(\mathbf {b})_{n})^{\top } \in \mathbb {Z}^{n}\). Set \((\mathbf {m})_{i} = 1\) if \(\left |(\mathbf {b})_{i} - \lceil \frac {q}{2}\rceil \right |< \lceil \frac {q}{4}\rceil \), else \((\mathbf {m})_{i} = 0\), for \(i \in [n]\).

4. Return the plaintext \(\mathbf {m} = ((\mathbf {m})_{1},\cdots,(\mathbf {m})_{n})\).
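The following toy model of the DRE ABB core in Table 5 is an added example, not code from the paper. It keeps the shape of the scheme (one common U, two independently keyed receivers, one secret s, a c0 carrying the message and one c_i per receiver, the ⌈q/4⌉ threshold decoding rule) but replaces TrapGen/SampleLeft by a planted short matrix E_i with C_i·E_i = U, omits the one-time signature and the vk-dependent tag, and uses a bounded uniform error instead of a discrete Gaussian. Q, N, M and NOISE are constructed toy values with no security at all; the point is to see why both receivers decode the same c0 to the same plaintext and why correctness needs the accumulated noise e0 − E_i^⊤ e_i to stay below ⌈q/4⌉.

```python
"""Toy two-receiver LWE encryption mirroring the DRE_ABB core (added example).
TrapGen/SampleLeft are replaced by a planted short E_i with C_i * E_i = U,
the one-time signature and vk tag are omitted, and the discrete Gaussian is
replaced by a bounded uniform error.  All parameters are constructed toy values."""
import random

Q = 4099        # prime modulus (constructed)
N = 8           # message length; U is N x N
M = 16          # lattice dimension; C_i is N x 2M, E_i is 2M x N
NOISE = 3       # errors are drawn from [-NOISE, NOISE]
HALF = (Q + 1) // 2      # ceil(q/2) = 2050
QUARTER = (Q + 3) // 4   # ceil(q/4) = 1025


def transpose(A):
    return [list(col) for col in zip(*A)]


def mat_vec(A, v):
    """Matrix-vector product mod Q; A is given as a list of rows."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]


def crs_gen(rng):
    """CGen_DRE: a uniform U in Z_q^{N x N} shared by all receivers."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]


def keygen(rng, U):
    """Stand-in for Gen_DRE + SampleLeft: instead of a lattice trapdoor, plant a
    short E = [E_top; I_N] and set C = [C_top | U - C_top*E_top], so C*E = U (mod Q).
    The receiver keeps E (its decryption key) and publishes C."""
    k = 2 * M - N
    C_top = [[rng.randrange(Q) for _ in range(k)] for _ in range(N)]
    E_top = [[rng.choice((-1, 0, 1)) for _ in range(N)] for _ in range(k)]
    CE = [[sum(C_top[r][i] * E_top[i][c] for i in range(k)) % Q
           for c in range(N)] for r in range(N)]
    C = [C_top[r] + [(U[r][c] - CE[r][c]) % Q for c in range(N)] for r in range(N)]
    E = E_top + [[int(i == j) for j in range(N)] for i in range(N)]
    return C, E


def encrypt(rng, U, C1, C2, msg):
    """Enc_DRE core: one secret s, one c0 carrying the message, one c_i per receiver."""
    s = [rng.randrange(Q) for _ in range(N)]
    err = lambda: rng.randint(-NOISE, NOISE)
    c0 = [(u + err() + HALF * b) % Q for u, b in zip(mat_vec(transpose(U), s), msg)]
    c1 = [(x + err()) % Q for x in mat_vec(transpose(C1), s)]
    c2 = [(x + err()) % Q for x in mat_vec(transpose(C2), s)]
    return c0, c1, c2


def decrypt(E, c0, ci):
    """Dec_DRE core: b = c0 - E^T c_i = ceil(q/2)*m + (e0 - E^T e_i) mod q, because
    E^T C^T s = (C E)^T s = U^T s cancels the mask; then apply the threshold rule."""
    b = [(x - y) % Q for x, y in zip(c0, mat_vec(transpose(E), ci))]
    return [1 if abs(bi - HALF) < QUARTER else 0 for bi in b]


def noise_margin():
    """Worst-case |e0 - E^T e_i| for a ternary E (each column has at most 2M
    nonzero +-1 entries): decryption is correct whenever this is < ceil(q/4)."""
    return (2 * M + 1) * NOISE


def run_demo(seed=7):
    """Both receivers decrypt the same ciphertext to the same plaintext."""
    rng = random.Random(seed)
    U = crs_gen(rng)
    C1, E1 = keygen(rng, U)
    C2, E2 = keygen(rng, U)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed sample plaintext
    c0, c1, c2 = encrypt(rng, U, C1, C2, msg)
    return {"message": msg,
            "receiver1": decrypt(E1, c0, c1),
            "receiver2": decrypt(E2, c0, c2),
            "noise_ok": noise_margin() < QUARTER}


if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns the plaintext together with both receivers' decryptions; noise_margin() is the bound that the real scheme's parameter choice (σ, αq, α′q against q) has to respect, and with these toy values it is 99 against a threshold of 1025.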

 

Instantiations of Generic IB-DRE construction

As mentioned in Zhang et al. (2019), the adaptively secure and anonymous IBE schemes in Agrawal et al. (2010); Yamada (2016); Yamada (2017) naturally imply instantiations of LPHFs with high min-entropy. In this section, we will use them to instantiate our generic IB-DRE constructions.

IB-DRE construction from \(\text {LPHF}~ \mathcal {H}_{\text {ABB}}\)

\(\mathcal {H}_{\text {ABB}}: \{-1,1\}^{\ell } \rightarrow \mathbb {Z}^{n \times m}_{q}\) in Agrawal et al. (2010) consists of two algorithms \((\mathcal {H}.\mathsf {Gen}, \mathcal {H}.\mathsf {Eval})\), which are defined as follows:
  • \(\mathcal {H}_{\text {ABB}}.\mathsf {Gen}(1^{\lambda }) \rightarrow K\): Randomly choose \(\mathbf {A}_{1}, \cdots, \mathbf {A}_{\ell } \overset {\$}{\leftarrow } \mathbb {Z}^{n \times m}_{q}\), and output \(K = \{\mathbf {A}_{i}\}_{i \in [\ell ]}\).

  • \(\mathcal {H}_{\text {ABB}}.\mathsf {Eval}(K, X) \rightarrow \mathbf {Z} \in \mathbb {Z}^{n \times m}_{q}\): For \(X \in \{-1,1\}^{\ell }, \mathbf {Z} = \mathbf {G} + \sum ^{l}_{i = 1} (X)_{i}\cdot \mathbf {A}_{i} \in \mathbb {Z}^{n \times m}_{q}.\)

The associating algorithms \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapGen}\) and \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapEval}\) are defined as follows:
  • \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapGen}(1^{\lambda }, \mathbf {A}, \mathbf {G}) \rightarrow (K^{\prime }, td)\): Randomly choose \(\mathbf {R}_{1}, \cdots, \mathbf {R}_{\ell } \overset {\$}{\leftarrow } \{-1, 1\}^{m \times m}\), and set \(\mathbf {A}_{i} = \mathbf {A}\mathbf {R}_{i} + (H_{t,q}(\mathbf {h}_{i}) \otimes \mathbf {I}_{n/t}) \cdot \mathbf {G}\), where \(H_{t,q}: \mathbb {Z}^{t}_{q} \rightarrow \mathbb {Z}^{t \times t}_{q}\) is an FRD function introduced in Zhang et al. (2018b), and \(\mathbf {h}_{i} \overset {\$}{\leftarrow } \mathbb {Z}^{t}_{q}, i \in [\ell ]\). Output \(K^{\prime } = \{\mathbf {A}_{i}\}_{i \in [\ell ]}\) and \(td = (\{\mathbf {h}_{i}\}_{i \in [\ell ]}, \{\mathbf {R}_{i}\}_{i \in [\ell ]})\).

  • \(\mathcal {H}_{\text {ABB}}.\mathsf {TrapEval}(td, K^{\prime }, id) \rightarrow (\mathbf {R_{id}}, \mathbf {S_{id}})\): For \(id \in \{-1,1\}^{\ell }, \mathbf {Z} = \mathbf {A}\sum \limits ^{l}_{i = 1} {id}_{i}\mathbf {R}_{i} + (\mathbf {I}_{n} + \sum \limits ^{l}_{i = 1} {id}_{i} \cdot H_{t,q}(\mathbf {h}_{i}) \otimes \mathbf {I}_{n/t})\mathbf {G},\) where \(\mathbf {R}_{id} = \sum \limits ^{l}_{i = 1} {id}_{i}\mathbf {R}_{i}\) and \(\mathbf {S}_{id} = \mathbf {I}_{n} + \sum \limits ^{l}_{i = 1} {id}_{i} \cdot H_{t,q}(\mathbf {h}_{i}) \otimes \mathbf {I}_{n/t}\).

\(\mathcal {H}_{\text {ABB}}\) can be proved to be a \((1,v,\mathcal {O}(\ell \sqrt {m}),\mathsf {negl(\lambda)},\frac {1}{q^{t}}(1-\frac {Q}{q^{t}}))\)-LPHF with high min-entropy (Zhang et al. 2016b), where t is the smallest integer satisfying \(q^{t} > 2v\). Using it to instantiate our generic IB-DRE construction, we get the concrete IB-DRE ABB scheme in Table 6.
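Both forms of \(\mathcal {H}_{\text {ABB}}\) on this page, the single-key wLPHF used for the DRE scheme (with \(\mathbf {A}_{0} = \mathbf {AR} - H_{n,q}(X^{*})\mathbf {G}\)) and the ℓ-key LPHF just described (with \(\mathbf {A}_{i} = \mathbf {A}\mathbf {R}_{i} + (H_{t,q}(\mathbf {h}_{i}) \otimes \mathbf {I}_{n/t})\mathbf {G}\)), rest on the same programmability relation: for a trapdoored key K′, the public evaluation Eval(K′, X) equals \(\mathbf {A}\mathbf {R}_{X} + \mathbf {S}_{X}\mathbf {G}\) with (R_X, S_X) = TrapEval(td, K′, X), and S vanishes at the programmed point. The following added example, not code from the paper, checks that relation numerically for both forms on toy parameters with a gadget matrix G. Two assumptions: the FRD encoding H_{n,q} is replaced by the stand-in x ↦ x·I_n (not the paper's encoding, but its differences are invertible for x ≠ x* since q is prime, which is the property the proofs use), and the constructed modulus Q = 13 is far too small to be secure.

```python
"""Programmability check for the two ABB-style hashes on this page (added example,
not the paper's code).  Verifies Eval(K', X) == A*R_X + S_X*G (mod Q) for a
trapdoored key, and S_{X*} == 0 at the programmed point.  The FRD encoding is
replaced by the stand-in x -> x*I_N; Q is a constructed toy modulus."""
import random

Q = 13            # toy prime modulus (constructed)
N = 2             # rows of A, G and the key matrices
K = 4             # 2^K >= Q, so G = I_N (x) (1, 2, ..., 2^(K-1)) is a gadget matrix
M = N * K         # columns of A, G and the key matrices


def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % Q
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_add(A, B, sign=1):
    """A + sign*B mod Q."""
    return [[(a + sign * b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def scalar_mat(c, A):
    return [[(c * a) % Q for a in row] for row in A]


def identity(n=N):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def gadget():
    """Gadget matrix G: row i holds 1, 2, ..., 2^(K-1) in columns i*K .. i*K+K-1."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for j in range(K):
            G[i][i * K + j] = (1 << j) % Q
    return G


def frd(x):
    """Stand-in for H_{n,q}: x*I_N.  H(x) - H(x*) = (x - x*)*I_N is invertible for x != x*."""
    return scalar_mat(x, identity())


def ternary(rng, rows, cols):
    return [[rng.choice((-1, 1)) for _ in range(cols)] for _ in range(rows)]


# --- single-key wLPHF (DRE scheme): K' = A0 = A R - H(X*) G --------------------
def trapgen_single(rng, A, G, x_star):
    R = ternary(rng, M, M)
    A0 = mat_add(mat_mul(A, R), mat_mul(frd(x_star), G), sign=-1)
    return A0, R


def eval_single(A0, G, x):
    return mat_add(A0, mat_mul(frd(x), G))            # Z = A0 + H(x) G


def trapeval_single(R, x_star, x):
    return R, mat_add(frd(x), frd(x_star), sign=-1)   # R_X = R, S_X = H(x) - H(x*)


# --- l-key LPHF (IB-DRE scheme): K' = {A_i}, A_i = A R_i + H(h_i) G -----------
def trapgen_multi(rng, A, G, ell):
    Rs = [ternary(rng, M, M) for _ in range(ell)]
    hs = [rng.randrange(Q) for _ in range(ell)]
    keys = [mat_add(mat_mul(A, R), mat_mul(frd(h), G)) for R, h in zip(Rs, hs)]
    return keys, (hs, Rs)


def eval_multi(keys, G, X):
    Z = G                                              # Z = G + sum_i X_i A_i
    for xi, Ai in zip(X, keys):
        Z = mat_add(Z, scalar_mat(xi, Ai))
    return Z


def trapeval_multi(td, X):
    """R_X = sum_i X_i R_i, S_X = I + sum_i X_i H(h_i).  R_X is reduced mod Q here
    because only the algebraic identity is checked; the real scheme keeps it small."""
    hs, Rs = td
    R_X = [[0] * M for _ in range(M)]
    S_X = identity()
    for xi, h, R in zip(X, hs, Rs):
        R_X = mat_add(R_X, scalar_mat(xi, R))
        S_X = mat_add(S_X, scalar_mat(xi, frd(h)))
    return R_X, S_X


def is_programmed(A, G, Z, R_X, S_X):
    """The defining relation of a trapdoor evaluation: Z == A R_X + S_X G (mod Q)."""
    return Z == mat_add(mat_mul(A, R_X), mat_mul(S_X, G))


def run_demo(seed=1):
    """Returns (single-key relation holds, S vanishes at X*, multi-key relation holds)."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    G = gadget()
    x_star, x = 5, 9                                   # constructed programmed point and query
    A0, R = trapgen_single(rng, A, G, x_star)
    single_ok = is_programmed(A, G, eval_single(A0, G, x), *trapeval_single(R, x_star, x))
    _, S_star = trapeval_single(R, x_star, x_star)
    hidden_at_star = all(v == 0 for row in S_star for v in row)
    keys, td = trapgen_multi(rng, A, G, ell=3)
    X = [1, -1, 1]                                     # constructed identity in {-1,1}^3
    multi_ok = is_programmed(A, G, eval_multi(keys, G, X), *trapeval_multi(td, X))
    return single_ok, hidden_at_star, multi_ok


if __name__ == "__main__":
    print(run_demo())
```

The relation holds for every seed because it is an algebraic identity: in the single-key case A0 + H(x)G = AR + (H(x) − H(x*))G, and in the ℓ-key case G + Σ X_i(AR_i + H(h_i)G) = A(Σ X_i R_i) + (I + Σ X_i H(h_i))G. What the scheme's security proof additionally needs, and what this check does not cover, is that S_X be invertible on the queried identities and zero only on the challenge one, which is the (1,v,β,γ,δ) well-distributed hidden matrices property.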
Table 6. IB-DRE ABB scheme

\(\mathsf {Setup}_{\mathsf {ID}}(1^{\lambda })\): \((\mathbf {A}, \mathbf {T_{A}}) \overset {\$}{\leftarrow } \mathsf {TrapGen}(1^{n}, 1^{m}, q)\), \(\mathbf {U}\overset {\$}{\leftarrow } \mathbb {Z}^{n \times n}_{q}\), \(\mathbf {A}^{1}_{i}, \mathbf {A}^{2}_{i} \overset {\$}{\leftarrow } \mathbb {Z}^{n \times m}_{q}\) for \(i \in [\ell ]\). Output \(PP = \left (\mathbf {A}, \{\mathbf {A}^{1}_{i}\}_{i \in [\ell ]}, \{\mathbf {A}^{2}_{i}\}_{i \in [\ell ]}, \mathbf {U}\right)\) and \(Msk = \mathbf {T_{A}}\).

\(\mathsf {KeyGen}_{\mathsf {ID}}(PP, Msk,\mathbf {id}_{1st},\mathbf {id}_{2nd}\in \mathcal {ID})\):

1. Compute \(\mathbf {A}_{\mathbf {id}_{1}} = \mathbf {G} + \sum ^{\ell }_{i = 1} (\mathbf {id}_{1st})_{i}\mathbf {A}^{1}_{i}\) and \(\mathbf {A}_{\mathbf {id}_{2}} = \mathbf {G} + \sum ^{\ell }_{i = 1} (\mathbf {id}_{2nd})_{i}\mathbf {A}^{2}_{i}\).

2. \(\left (\mathbf {E}_{\mathbf {id}_{1}}\right)_{i} \leftarrow \mathsf {SampleLeft}\left (\mathbf {A},\mathbf {A}_{\mathbf {id}_{1}}, (\mathbf {U})_{i},\mathbf {T}_{\mathbf {A}},\sigma \right)\) for \(i \in [n]\), and set \(sk_{\mathbf {id}_{1st}} = \mathbf {E}_{\mathbf {id}_{1}}\). Similarly, obtain \(sk_{\mathbf {id}_{2nd}} = \mathbf {E}_{\mathbf {id}_{2}}\) such that \(\left [\mathbf {A}|\mathbf {A}_{\mathbf {id}_{2}}\right ]\cdot \mathbf {E}_{\mathbf {id}_{2}}=\mathbf {U}\).

3. Output the secret keys \(sk_{\mathbf {id}_{1st}} = \mathbf {E}_{\mathbf {id}_{1}} \in \mathbb {Z}_{q}^{2m\times n}\) and \(sk_{\mathbf {id}_{2nd}} = \mathbf {E}_{\mathbf {id}_{2}} \in \mathbb {Z}_{q}^{2m\times n}\).

\(\mathsf {Enc}_{\mathsf {ID}}(PP,\mathbf {id}_{1st},\mathbf {id}_{2nd}, \mathbf {m})\): Compute \(\mathbf {A}_{\mathbf {id}_{1}},\mathbf {A}_{\mathbf {id}_{2}}\) as above. Pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}\), \(\mathbf {e}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\), \(\mathbf {e}_{1,1},\mathbf {e}_{1,2},\mathbf {e}_{1,3} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\), and output
\(\mathbf {c}_{0} = \mathbf {U}^{\top }\mathbf {s} + \mathbf {e}_{0} + \left \lceil \frac {q}{2}\right \rceil \cdot \mathbf {m}\in \mathbb {Z}_{q}^{n}\),
\(\mathbf {c}_{1} = \left [ \begin {array}{c} \mathbf {c_{1,1}}\\ \mathbf {c_{1,2}}\\ \mathbf {c_{1,3}} \end {array} \right ]= \left [ \begin {array}{c} \mathbf {A}^{\top }\\ (\mathbf {A}_{\mathbf {id}_{1}})^{\top }\\ (\mathbf {A}_{\mathbf {id}_{2}})^{\top } \end {array} \right ]\mathbf {s} +\left [ \begin {array}{c} \mathbf {e_{1,1}}\\ \mathbf {e_{1,2}}\\ \mathbf {e_{1,3}} \end {array} \right ]\in \mathbb {Z}_{q}^{3m}\).

\(\mathsf {Dec}_{\mathsf {ID}}(PP,sk_{\mathbf {id}_{j}},\mathbf {c})\) (shown for j = 1; for j = 2 use \(\mathbf {E}_{\mathbf {id}_{2}}\) with \((\mathbf {c}_{1,1}, \mathbf {c}_{1,3})\)): Compute \(\mathbf {b} = \mathbf {c}_{0}-\mathbf {E}_{\mathbf {id}_{1}}^{\top }\cdot \left [ \begin {array}{c} \mathbf {c}_{1,1}\\ \mathbf {c}_{1,2} \end {array} \right ] = ((\mathbf {b})_{1},\cdots, (\mathbf {b})_{n})^{\top } \in \mathbb {Z}^{n}\). Set \((\mathbf {m})_{i} = 1\) if \(\left |(\mathbf {b})_{i} - \lceil \frac {q}{2}\rceil \right | < \lceil \frac {q}{4}\rceil \); otherwise set \((\mathbf {m})_{i} = 0\), for \(i \in [n]\). Finally, output the plaintext \(\mathbf {m} = ((\mathbf {m})_{1},\cdots,(\mathbf {m})_{n})\).

IB-DRE constructions from other LPHFs with high min-entropy

In this section, we plug the LPHFs with high min-entropy corresponding to the adaptively secure IBE schemes in Zhang et al. (2016b); Yamada (2016); Yamada (2017) into our generic IB-DRE construction, and obtain concrete lattice-based IB-DRE schemes in the standard model. See Table 7 for details.
Table 7. IB-DRE schemes from other LPHFs with high min-entropy∗

| Schemes | |PP| (# of \(\mathbb {Z}_{q}^{n\times m}\) matrices) | Modulus q | Sample width σ | Error width αq | Error width α′q | Reduction cost |
|---|---|---|---|---|---|---|
| IB-DRE ZCZ16 | \(\mathcal {O}(\log {Q})\) | \(\mathcal {O}(n^{6.5+7.5\eta +4c})\) | \(\mathcal {O}(n^{2.5+3.5\eta +2c})\) | \(\mathcal {O}(n^{3+3\eta +2c})\)† | \(\mathcal {O}\left (n^{0.5}\right)\) | \(\mathcal {O}\left (\frac {\epsilon }{\ell ^{2}Q^{4}}\right)\) |
| IB-DRE Yam16 | \(\omega (\sqrt {n})\) | \(\mathcal {O}(n^{5.5+3.5\eta +2c})\) | \(\mathcal {O}(n^{2+1.5\eta +c})\) | \(\mathcal {O}(n^{2.5+\eta +c})\)‡ | \(\mathcal {O}\left (n^{0.5}\right)\) | \(\mathcal {O}\left (\frac {\epsilon ^{5}}{\ell ^{2}Q^{4}}\right)\) |
| IB-DRE MAH | \(\omega (\log ^{2}n)\) | \(\mathcal {O}(n^{6.5+7.5\eta })\) | \(\mathcal {O}(n^{2+3.5\eta })\) | \(\mathcal {O}(n^{2.5+3\eta })\) | \(\mathcal {O}\left (n^{0.5}\right)\) | \(\mathcal {O}\left (\frac {\epsilon ^{2\varphi +1}}{Q^{2\varphi }}\right)\)§ |
| IB-DRE AFF | \(\omega (\log n)\) | poly(n) | poly(n) | poly(n) | \(\mathcal {O}\left (n^{0.5}\right)\) | \(\mathcal {O}\left (\frac {\epsilon ^{3}}{\ell ^{4}Q^{2}}\right)\) |

∗ |PP|, |Msk| and |c| denote the size of the public parameters, the master secret key and the ciphertext, respectively; ℓ is the length of an identity and Q is the bound on secret key queries.

† η is such that \(n^{\eta } > \lceil \log {q} \rceil = \mathcal {O}(\log {n})\), and c is the smallest integer satisfying \(n^{c} \geq Q+1\).

‡ c=c1+c2, where c1, c2 satisfy \(\frac {n^{c_{1}}}{2} \geq Q + 1\) and \(n^{-c_{2}} \leq \epsilon \).

§ φ>1 is the constant satisfying \(s = 1 - 2^{-\frac {1}{\epsilon }}\), where s∈{0,1} is the relative distance of the underlying error correcting code; φ can be taken as close to 1 as one wants.

Conclusion

In this paper, we give frameworks for DRE and IB-DRE using (weak) LPHFs with high min-entropy on lattices. The constructions are based on the learning with errors assumption in the standard model and are adaptively secure. When instantiated with concrete (w)LPHFs with high min-entropy, they yield a concrete DRE scheme and five concrete IB-DRE schemes.

Appendix A: Lattice Background

For a prime q, the positive integers n,m and \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), we define the m-dimensional integer lattices as: \(\Lambda _{q}(\mathbf {A})=\{\mathbf {y}:\mathbf {y}=\mathbf {A}^{\top }\mathbf {s}~\text {for}~\text {some}~\mathbf {s}\in \mathbb {Z}^{n}\}\) and \(\Lambda _{q}^{\perp }(\mathbf {A})=\{\mathbf {y}:\mathbf {A}\mathbf {y}=\mathbf {0}\mod q\}\).

Let \(\mathbf {S}=\{\mathbf {s}_{1},\cdots,\mathbf {s}_{n}\}\) be a set of vectors in \(\mathbb {R}^{m}\). The Gram-Schmidt orthogonalization of the vectors \(\mathbf {s}_{1},\cdots,\mathbf {s}_{n}\) is denoted as \(\widetilde {\mathbf {S}}=\{\widetilde {\mathbf {s}}_{1},\cdots,\widetilde {\mathbf {s}}_{n}\}\), and \(\|\mathbf {S}\|\) denotes the length of the longest vector in \(\mathbf {S}\). For a real matrix \(\mathbf {R}\), let \(s_{1}(\mathbf {R}) = \max _{\|\mathbf {u}\|=1}\|\mathbf {R}\mathbf {u}\|\) (respectively, \(\|\mathbf {R}\| = \max _{i}\|\mathbf {r}_{i}\|\)).

For \(\mathbf {x}\in \Lambda \), \(\rho _{s,\mathbf {c}}(\mathbf {x}) = \exp (-\pi \|\mathbf {x}-\mathbf {c}\|^{2}/s^{2})\) denotes the Gaussian function over \(\Lambda \subseteq \mathbb {Z}^{m}\) centered at \(\mathbf {c}\in \mathbb {R}^{m}\) with parameter s>0. Let \(\rho _{s,\mathbf {c}}(\Lambda)=\sum _{\mathbf {x}\in \Lambda }\rho _{s,\mathbf {c}}(\mathbf {x})\); the discrete Gaussian distribution over Λ is defined as \(\mathcal {D}_{\Lambda,s,\mathbf {c}}(\mathbf {x})=\frac {\rho _{s,\mathbf {c}}(\mathbf {x})}{\rho _{s,\mathbf {c}}(\Lambda)}\) for \(\mathbf {x}\in \Lambda \). For simplicity, \(\rho _{s,\mathbf {0}}\) and \(\mathcal {D}_{\Lambda,s,\mathbf {0}}\) are written as \(\rho _{s}\) and \(\mathcal {D}_{\Lambda,s}\), respectively.

Learning with Errors Assumption. The learning with errors (LWE) problem was introduced by Regev (2005). For integer n,m=m(n), a prime integer q>2, an error rate α∈(0,1), the LWE problem LWEq,n,m,α is to distinguish {A,As+e} and {A,u}, where \(\mathbf {A}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{n\times m},\mathbf {s}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{n},\mathbf {u}\overset {\$}{\leftarrow }\mathbb {Z}_{q}^{m}\) and \(\mathbf {e}\overset {\$}{\leftarrow }\mathcal {D}_{\mathbb {Z}^{m},\alpha q}\). Regev (2005) showed that for \(\alpha q>2\sqrt {2n}\), solving the decisional version LWEq,n,m,α (DLWEq,n,m,α) problem is (quantumly) as hard as approximating the SIVP and GapSVP problems within \(\widetilde {\mathcal {O}}(n/\alpha)\) factors in the worst case.

Lemma 16

Let p,q,n,m be positive integers with \(q \geq p \geq 2\) and q prime. Then the following holds:
  • (Ajtai (1999);Alwen and Peikert (2009)): When m≥6n⌈logq⌉, the randomized algorithm TrapGen(1n,1m,q) outputs a matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\) which is statistically close to uniform in \(\mathbb {Z}_{q}^{n\times m}\), and a matrix \(\mathbf {T_{A}}\in \mathbb {Z}^{m\times m}\) which is a basis of \(\Lambda ^{\perp }_{q}(\mathbf {A})\), satisfying \(\|\widetilde {\mathbf {T_{A}}}\|\leq \mathcal {O}(\sqrt {n\log q})\) with overwhelming probability.

  • (Cash et al. (2010)): The randomized algorithm SampleLeft(A,B,u,TA,σ) on inputs a full rank matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), a matrix \(\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}\), a basis TA of \(\Lambda ^{\perp }_{q}(\mathbf {A})\), a vector \(\mathbf {u}\in \mathbb {Z}_{q}^{n}\) and \(\sigma \geq \|\widetilde {\mathbf {T_{A}}}\|\cdot \omega (\sqrt {\log m})\), outputs a vector \(\mathbf {r}\in \mathbb {Z}_{q}^{2m}\) which is distributed statistically close to \(\mathcal {D}_{\Lambda _{q}^{\mathbf {u}}(\mathbf {F}),\sigma }\) where F=[A|B].

  • (Agrawal et al. (2010)): The randomized algorithm SampleRight(A,G,R,S,u,TG,σ) on inputs a full rank matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), a matrix \(\mathbf {R}\in \mathbb {Z}_{q}^{m\times m}\), an invertible matrix \(\mathbf {S}\in \mathbb {Z}_{q}^{n\times n}\), a vector \(\mathbf {u}\in \mathbb {Z}_{q}^{n}\) and \(\sigma \geq \|\widetilde {\mathbf {T_{G}}}\|\cdot s_{1}(\mathbf {R})\cdot \omega (\sqrt {\log m})\), outputs a vector \(\mathbf {r}\in \mathbb {Z}_{q}^{2m}\) which is statistically close to \(\mathcal {D}_{\Lambda _{q}^{\mathbf {u}}(\mathbf {F}),\sigma }\) where F=[A|AR+SG].

  • (Gadget Matrix, Micciancio and Peikert (2012)): When m>n⌈logq⌉, there exists a full-rank matrix \(\mathbf {G}\in \mathbb {Z}_{q}^{n\times m}\), called the gadget matrix, such that the lattice \(\Lambda _{q}^{\bot }(\mathbf {G})\) has a publicly known basis \(\mathbf {T_{G}}\in \mathbb {Z}_{q}^{m\times m}\) with \(\|\widetilde {\mathbf {T_{G}}}\|\leq \sqrt {5}\).

In Katsumata and Yamada (2016), Katsumata and Yamada introduced the “Noise Rerandomization” lemma, which plays an important role in the security proof because it produces a well-distributed challenge ciphertext.

Lemma 17

(Noise Rerandomization (Katsumata and Yamada 2016)) Let q,w,m be positive integers and r a positive real number with \(r>\max \{\omega (\sqrt {\log m}),\omega (\sqrt {\log w})\}\). For arbitrary column vector \(\mathbf {b}\in \mathbb {Z}_{q}^{m}\), vector e chosen from \(\mathcal {D}_{\mathbb {Z}^{m},r}\), any matrix \(\mathbf {V}\in \mathbb {Z}^{w\times m}\) and positive real number σ>s1(V), there exists a PPT algorithm ReRand(V,b+e,r,σ) that outputs \(\mathbf {b}^{\prime }=\mathbf {Vb}+\mathbf {e}^{\prime }\in \mathbb {Z}^{w}\) where e is distributed statistically close to \(\mathcal {D}_{\mathbb {Z}^{w},2r\sigma }\).

Appendix B: Signature

Definition 6

(Signature Scheme) A signature scheme \(\mathcal {Sig} = (\mathsf {Gen}, \mathsf {Sign}, \mathsf {Ver})\) is defined as follows:
  • Gen(1λ): given the security parameter λ, output a pair of verification key and signing key (vk,sk).

  • Sign(sk,μ): given sk and a message \(\mu \in \{0,1\}^{*}\), output a signature \(\sigma \in \{0,1\}^{*}\).

  • Ver(vk,μ,σ): output either accept if the signature σ is the signature of message μ under vk or reject.

Correctness. For any message \(\mu \in \mathcal {M}\), any \((vk,sk)\overset {\$}{\leftarrow }\mathsf {Gen}(1^{\lambda })\), and \(\sigma \overset {\$}{\leftarrow }\mathsf {Sign}(sk; \mu), \Pr [\mathsf {Ver}(vk,\mu,\sigma)~\text {accept}] = 1- \mathsf {negl}(\lambda)\).

Security. In our IND-CCA DRE construction, we need the signature scheme to satisfy strong existential unforgeability under one-time chosen message attack. The game between the challenger \(\mathcal {C}\) and the forger \(\mathcal {S}\) is as follows: generate \((vk,sk)\overset {\$}{\leftarrow }\mathsf {Gen}(1^{\lambda })\) and give vk to \(\mathcal {S}\); \(\mathcal {S}\) outputs a message μ; generate and send \(\sigma \overset {\$}{\leftarrow }\mathsf {Sign}(sk,\mu)\) to \(\mathcal {S}\). \(\mathcal {S}\) wins if it outputs \((\mu ^{\prime },\sigma ^{\prime })\neq (\mu,\sigma)\) such that \(\mathsf {Ver}(vk,\mu ^{\prime },\sigma ^{\prime })\) accepts. The signature scheme is secure if for every PPT adversary \(\mathcal {S}\), \(\Pr [\mathcal {S}~\text {wins}] = \mathsf {negl}(\lambda)\).

Footnotes

  1. Note that Chow et al. (2014) also gave two generic DRE constructions: one combines the Naor-Yung “two-key” paradigm (Naor and Yung 1990) with the Groth-Sahai proof system (Groth and Sahai 2008), the other is from lossy trapdoor functions (Peikert and Waters 2011).

Notes

Acknowledgements

Not applicable.

Funding

This work was supported by National Natural Science Foundation of China (Grant No. 61379141 and No. 61772521), Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035), and the Open Project Program of the State Key Laboratory of Cryptology.

Availability of data and materials

Not applicable.

Authors’ contributions

The first author conceived the idea of the study and wrote the paper; all authors discussed the results and revised the final manuscript. All authors read and approved the final manuscript.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

  1. Agrawal, S, Boneh D, Boyen X (2010) Efficient lattice (H)IBE in the standard model In: Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings, 553–572. https://doi.org/10.1007/978-3-642-13190-5_28.
  2. Ajtai, M (1999) Generating hard instances of the short basis problem In: ICALP 1999, 1–9.
  3. Alwen, J, Peikert C (2009) Generating shorter bases for hard random lattices In: STACS 2009, 75–86.
  4. Cash, D, Hofheinz D, Kiltz E, Peikert C (2010) Bonsai trees, or how to delegate a lattice basis In: EUROCRYPT 2010, 523–552.
  5. Chow, SSM, Franklin MK, Zhang H (2014) Practical dual-receiver encryption - soundness, complete non-malleability, and applications In: Topics in Cryptology - CT-RSA 2014 - The Cryptographer’s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25-28, 2014. Proceedings, 85–105. https://dblp.org/rec/bib/conf/ctrsa/ChowFZ14.
  6. Diament, T, Lee HK, Keromytis AD, Yung M (2004) The dual receiver cryptosystem and its applications In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, Washington, DC, USA, October 25-29, 2004, 330–343. https://dblp.org/rec/bib/conf/ccs/DiamentLKY04.
  7. Georgescu, A (2013) Anonymous lattice-based broadcast encryption In: Information and Communication Technology - International Conference, ICT-EurAsia 2013, Yogyakarta, Indonesia, March 25-29, 2013. Proceedings, 353–362. https://dblp.org/rec/bib/conf/ict-eurasia/Georgescu13.
  8. Groth, J, Sahai A (2008) Efficient non-interactive proof systems for bilinear groups In: Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings, 415–432. https://dblp.org/rec/bib/conf/eurocrypt/GrothS08.
  9. Joux, A (2000) A one round protocol for tripartite Diffie-Hellman In: Algorithmic Number Theory, 4th International Symposium, ANTS-IV, Leiden, The Netherlands, July 2-7, 2000, Proceedings, 385–394. https://dblp.org/rec/bib/conf/ants/Joux00.
  10. Katsumata, S, Yamada S (2016) Partitioning via non-linear polynomial functions: More compact IBEs from ideal lattices and bilinear maps In: Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part II, 682–712. http://dblp.uni-trier.de/rec/bib/conf/asiacrypt/Katsumata016.
  11. Kiltz, E (2006) Chosen-ciphertext security from tag-based encryption In: Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006, Proceedings, 581–600. https://dblp.org/rec/bib/conf/tcc/Kiltz06.
  12. Libert, B, Paterson KG, Quaglia EA (2012) Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model In: Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23, 2012. Proceedings, 206–224. https://dblp.org/rec/bib/conf/pkc/LibertPQ12.
  13. Micciancio, D, Peikert C (2012) Trapdoors for lattices: Simpler, tighter, faster, smaller In: Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, 700–718. http://dblp.uni-trier.de/rec/bib/conf/eurocrypt/MicciancioP12.
  14. Naor, M, Yung M (1990) Public-key cryptosystems provably secure against chosen ciphertext attacks In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, STOC 1990, May 13-17, 1990, Baltimore, Maryland, USA, 427–437. https://dblp.org/rec/bib/conf/stoc/NaorY90.
  15. Peikert, C, Waters B (2011) Lossy trapdoor functions and their applications. SIAM J Comput 40(6):1803–1844.
  16. Regev, O (2005) On lattices, learning with errors, random linear codes, and cryptography In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, STOC 2005, Baltimore, MD, USA, May 22-24, 2005, 84–93. http://dblp.uni-trier.de/rec/bib/conf/stoc/Regev05.
  17. Wang, J, Bi J (2010) Lattice-based identity-based broadcast encryption scheme. IACR Cryptology ePrint Archive 2010:288.
  18. Wang, F, Wang XA, Wang C (2015) Lattice-based dynamical and anonymous broadcast encryption scheme for wireless ad hoc networks. J Interconnection Netw 15(3-4):1–14.
  19. Waters, B (2005) Efficient identity-based encryption without random oracles In: Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, 114–127. https://dblp.org/rec/bib/conf/eurocrypt/Waters05.
  20. Yamada, S (2016) Adaptively secure identity-based encryption from lattices with asymptotically shorter public parameters In: Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II, 32–62. http://dblp.uni-trier.de/rec/bib/conf/eurocrypt/Yamada16.
  21. Yamada, S (2017) Asymptotically compact adaptively secure lattice IBEs and verifiable random functions via generalized partitioning techniques In: Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part III, 161–193. http://dblp.org/rec/bib/conf/crypto/Yamada17.
  22. Zhang, K, Chen W, Li X, Chen J, Qian H (2016a) New application of partitioning methodology: identity-based dual receiver encryption. Secur Commun Netw 9(18):5789–5802.
  23. Zhang, J, Chen Y, Zhang Z (2016b) Programmable hash functions from lattices: Short signatures and IBEs with small key sizes In: Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III, 303–332. http://dblp.uni-trier.de/rec/bib/conf/crypto/ZhangCZ16.
  24. Zhang, D, Li J, Li B, Lu X, Xue H, Jia D, Liu Y (2019) Deterministic identity-based encryption from lattice-based programmable hash functions with high min-entropy. Secur Commun Netw 2019:1816393:1–1816393:12. https://doi.org/10.1155/2019/1816393.
  25. Zhang, D, Zhang K, Li B, Lu X, Xue H, Li J (2018b) Lattice-based dual receiver encryption and more In: ACISP 2018, 520–538. https://dblp.org/rec/bib/conf/acisp/ZhangZLLXL18.

Copyright information

© The Author(s) 2019

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
