Adaptively Secure Identity-Based Encryption from Lattices with Asymptotically Shorter Public Parameters
Abstract
In this paper, we present two new adaptively secure identity-based encryption (IBE) schemes from lattices. The sizes of the public parameters, ciphertexts, and private keys are \(\tilde{O}(n^2 \kappa ^{1/d})\), \(\tilde{O}(n)\), and \(\tilde{O}(n)\) respectively. Here, n is the security parameter, \(\kappa \) is the length of the identity, and \(d\in \mathbb {N}\) is a flexible constant that can be set arbitrarily (but affects the reduction cost). Ignoring the polylogarithmic factors hidden in the asymptotic notation, our schemes achieve the best efficiency among existing adaptively secure IBE schemes from lattices. In more detail, our first scheme is anonymous, but proven secure under the LWE assumption with approximation factor \(n^{\omega (1)}\). Our second scheme is not anonymous, but proven adaptively secure assuming the LWE assumption for all polynomial approximation factors.
As a side result, based on a similar idea, we construct an attribute-based encryption scheme for branching programs that simultaneously satisfies the following properties for the first time: our scheme achieves compact secret keys, the security is proven under the LWE assumption with polynomial approximation factors, and the scheme can deal with unbounded-length branching programs.
1 Introduction
Background. Identity-based encryption (IBE) is an advanced form of public key encryption (PKE) where any string, such as an e-mail address, can be used as a public key. The notion of IBE was proposed by Shamir in 1984 [42]. Since then, it took nearly 20 years for the first realizations of IBE [10, 18, 41] to appear. Boneh and Franklin [10] and Sakai, Ohgishi, and Kasahara [41] used groups equipped with efficiently computable bilinear maps to construct the first IBE. On the other hand, Cocks [18] used quadratic residues modulo a composite. These constructions are only proven secure in the random oracle model. In subsequent works, pairing-based schemes in the standard model appeared [8, 9, 15, 47, 48]. While earlier works [8, 15] focus on constructions that are only selectively secure, later works [9, 47, 48] focus on a much more realistic security notion, i.e., adaptive security.
Another important line of research is the construction of IBE from lattices. The first lattice-based IBE was proposed in the seminal work by Gentry, Peikert, and Vaikuntanathan [25] in the random oracle model. Later, constructions in the standard model were proposed [1, 12, 16]. To achieve adaptive security in the lattice-based setting, we have to rely on either an analogue of Waters' hash [47] or an admissible hash [9, 16]. In any case, we require \(O(\kappa )\) basic matrices in the public parameters (master public key), where \(\kappa \) is the bit length of the identities. This results in very large public parameters of size \(\tilde{O}(n^2\kappa )\). Here, n is the security parameter (dimension of the lattices). On the other hand, in the selectively secure variant of the lattice IBE in [1], we only require a small constant number of basic matrices in the public parameters. This stands in sharp contrast to the pairing-based setting, in which we have adaptively secure IBE schemes [17, 31] that are as efficient as selectively secure ones [8], up to only small constant factors. A natural and important question is:
Can we construct adaptively secure IBE schemes from lattices that are as efficient as selectively secure ones? In particular, can we reduce the size of the public parameters?
Difficulties. A natural approach to achieving short public parameters in lattice-based IBE schemes would be to mimic the techniques for pairing-based IBE schemes. However, all IBE schemes with short public parameters based on pairings are constructed using the dual system encryption methodology [48], for which there is still no lattice analogue. The realization of the dual system encryption methodology in the lattice setting is an important open problem [38]. Another possible approach would be to use a technique from Naccache's IBE scheme [36], as is done in [44]. Using this approach, we can obtain a scheme with public parameters shorter by a factor of u, at the cost of a \(2^u\)-loss in security. Therefore, using this approach, we are only able to reduce the size of the public parameters by up to a logarithmic factor.
Our Contribution. Instead of taking the above approaches, we use a technique unique to the lattice setting. Namely, we use the fully homomorphic computation of trapdoors, which was recently devised in [11], to reduce the size of the public parameters. We obtain the following two different IBE schemes with trade-offs among security, efficiency, and the underlying hardness assumptions. See Table 1 in Sect. 6 for an overview.

We propose an adaptively secure and anonymous IBE with asymptotically short parameters. In particular, the sizes of the public parameters, ciphertexts, and private keys are \(\tilde{O}(n^2 \kappa ^{1/d})\), \(\tilde{O}(n)\), and \(\tilde{O}(n)\) respectively. Here, \(d\in \mathbb {N}\) is a flexible constant which can be set arbitrarily. Ignoring polylogarithmic factors hidden in the asymptotic notation, our scheme achieves the best efficiency among all previous adaptively secure IBE schemes from lattices. The security of the scheme is proven under the LWE assumption with super-polynomial approximation factors.

We propose an adaptively secure IBE (without anonymity) that achieves asymptotically the same efficiency as the above scheme. The difference from the above scheme is that this scheme can be proven secure assuming the LWE assumption with all polynomial approximation factors. The assumption is weaker than the one used in the above scheme, but the sizes of the public parameters, ciphertexts, and private keys are larger than in the above scheme by a super-constant factor.
In the second construction, differently from the lattice IBE schemes in the literature [1, 2, 12, 16], we have to rely on the LWE assumption for all polynomial approximation factors, rather than some fixed polynomial approximation factor (e.g., \(O(n^{3})\)). The interesting feature of the reduction is that the problem we reduce the security to varies according to the power of the adversary. More specifically, as the number of key extraction queries grows or as the advantage of the adversary drops, we need the LWE assumption with a larger approximation factor. This is somewhat similar to security proofs based on q-type assumptions (e.g., [24]), in which the problem that the reduction algorithm solves depends on the number of key extraction queries made by the adversary. However, unlike q-type assumptions, our assumptions enjoy reductions to worst-case lattice problems [13, 37, 40].
To present our schemes in a unified manner, we define the new notion of parametrized IBE (PIBE). The syntax of PIBE is the same as that of ordinary IBE except that it is parametrized by a variable c. As for the security, roughly speaking, we require the advantage of any adversary to be at most \(1{\slash }n^c\) if the number of key extraction queries is bounded by \(n^c\). In the case where c is a super-constant function, the notion of PIBE corresponds to that of (ordinary) IBE. We then construct a specific PIBE scheme from the LWE assumption. By setting c to be a super-constant function, we obtain our first IBE scheme. Our second IBE scheme is obtained by running several instances of the PIBE scheme in parallel with different values of c. This is captured as a generic conversion from PIBE to (ordinary) IBE.
We note that our IBE schemes might not be as efficient as previous adaptively secure lattice IBE schemes [1, 12] for a practical choice of parameters, due to the super-constant factors hidden in the asymptotic notation. However, we believe that our technique is of theoretical interest. In particular, the security proof of our PIBE scheme is based on the traditional partitioning technique [47] with some novel ideas. In addition, the technique used in our generic construction of IBE from PIBE, inspired by [7], may be useful in other settings.
Other Application of Our Technique. As a side result, we show an application of our technique to attribute-based encryption (ABE). In particular, we obtain the first ABE scheme that simultaneously satisfies the following properties: an unbounded-length branching program is usable as an attribute, the sizes of the private keys are compact, and the security is proven under the LWE problem for all polynomial approximation factors. We obtain such a scheme by applying a simple conversion to the recent ABE scheme for branching programs by Gorbunov and Vinayagamurthy [28]. The idea for the conversion is similar in spirit to our PIBE-to-IBE conversion. We note that the original ABE scheme of [28] is either based on super-polynomial LWE while dealing with unbounded-length branching programs, or based on polynomial LWE while only dealing with bounded-length branching programs. The details appear in the full version [50].
Related Works. We can obtain efficient PKE as well as IBE schemes over ideal lattices [22, 45]. By switching to the ring setting, we can generally reduce the size of the public parameters by a factor of O(n). However, we have to rely on the ring LWE (RLWE) assumption [33, 34], which is a stronger assumption than the LWE assumption.
The techniques for constructing IBE and signatures are somewhat similar and related. Indeed, we can obtain a secure signature scheme from an (adaptively) secure IBE via the Naor transformation [10]. The construction of short signatures with short public parameters from weak assumptions has been an important research topic. This problem has been addressed by several previous works [4, 7, 23, 30, 32]. However, their techniques heavily depend on the fact that we can convert a non-adaptively secure signature scheme into an adaptively secure (or equivalently, EUF-CMA secure) one by using chameleon hash functions [43]. There is no known analogue of this conversion in the setting of IBE. We also note that our technique of converting PIBE into IBE is similar to the "on the fly adaptation technique" in [21], which was used to improve the efficiency and the reduction cost of the Naor-Reingold PRF.
2 Overview of Our Technique
2.1 Overview of the Construction
2.2 Overview of the Security Proof
Proof Continued. Based on the idea we have explained above, we can simulate key extraction queries with sufficiently high success probability. However, two problems remain in order to complete the security proof.
 (C) In the above discussion, we assumed that q is much larger than Q. Therefore, if q is bounded by some polynomial, so is Q. In such a setting, we can only prove "bounded" security, where the number of key extraction queries is bounded by a predetermined polynomial.
 (D) Furthermore, we are not able to generate a properly distributed challenge ciphertext, as we explain below.
We can resolve the problem by a standard technique. Namely, we "smudge out" or "eat" the problematic term \(\mathbf {R}_{\mathsf {ID}^\star }^\top \mathbf {x}\) by adding a large enough term \(\mathbf {x}' \in \mathbb {Z}_q^{m}\) to it. This makes the error term essentially statistically independent of \(\mathbf {R}_{\mathsf {ID}^\star }\). The size of the term \(\mathbf {x}'\) should be super-polynomially larger than the size of \(\mathbf {R}_{\mathsf {ID}^\star }^\top \mathbf {x}\), but it should be polynomially smaller than q. Therefore, the size of q should be super-polynomially large, which also resolves problem (C) at the same time. Appropriately setting the parameters, we obtain our new adaptively secure and anonymous IBE scheme.
2.3 An Additional Idea
However, making q super-polynomially large is not desirable, for the following two reasons. Firstly, this negatively impacts the performance of the system. Secondly, since the error term (in our case \(\mathbf {x}\)) is super-polynomially smaller than q, the corresponding LWE problem becomes easier. While we are not able to resolve the first problem, we present an idea to avoid the second.
Our first observation is that for any constant \(c\in \mathbb {N}\), by making q and \(\mathbf {x}'\) sufficiently large (but of polynomial size), we can show that any PPT adversary whose number of key extraction queries is bounded by \(n^c\) cannot break the security of the IBE with advantage non-negligibly larger than \(1{\slash }n^c\). Of course, this is not sufficient, because we need the adversary to have only negligible (rather than inverse-polynomial) advantage, even if the number of key extraction queries is unbounded.
In order to accomplish this, we prepare several instances of the IBE scheme with different sizes of q. We call each instance a subscheme. The number of subschemes is super-constant (rather than super-polynomial), and therefore the resulting scheme is still efficient. The size of q varies from a very small polynomial to super-polynomial. Furthermore, we "glue" the subschemes together so that an adversary must break the security of all of them in order to break the resulting IBE scheme. This is easily accomplished by splitting the message with a k-out-of-k secret sharing scheme and then encrypting each share under one of the subschemes.
In the security proof, we assume a PPT adversary \(\mathcal {A}\) that breaks the resulting IBE scheme. Since \(\mathcal {A}\) is polynomial time and has non-negligible advantage, there exists some constant \(c\in \mathbb {N}\) such that the number of key extraction queries that \(\mathcal {A}\) makes is smaller than \(n^c\) and \(\mathcal {A}\)'s advantage is non-negligibly larger than \(1{\slash }n^c\). Thus, there exists at least one subscheme whose size of q fits \(\mathcal {A}\), and that q is of polynomial size. We transform the adversary \(\mathcal {A}\) into another adversary \(\mathcal {B}\) that breaks the subscheme. Since q is of polynomial size, we can reduce the security to the LWE assumption with a polynomial approximation factor. Note that a similar technique is used in [21] to improve the efficiency and the reduction cost of the Naor-Reingold PRF. There, the reduction algorithm chooses the target subscheme based on the number of queries that the adversary makes. In our reduction, we choose the target depending on the advantage of the adversary in addition to the number of key extraction queries.
To present our results in a unified and modular manner, we introduce the notion of PIBE. Roughly speaking, PIBE is an IBE scheme that is parametrized by a variable c. The technique for avoiding super-polynomial factors discussed above can be generalized into a generic conversion from PIBE to IBE. Furthermore, the scheme discussed in the previous subsection can also be captured as a special case of PIBE in which c is set to be super-constant.
3 Preliminaries
Notation. We denote by [n] the set \(\{1,2,\ldots , n\}\) for any integer \(n\in \mathbb {N}\). We treat a vector as a column vector. If \(\mathbf {A}_1\) is an \(n\times m\) matrix and \(\mathbf {A}_2\) is an \(n\times m'\) matrix, then \((\mathbf {A}_1 | \mathbf {A}_2 )\) denotes the \(n\times (m+ m')\) matrix formed by concatenating \(\mathbf {A}_1\) and \(\mathbf {A}_2\). We use similar notation for vectors. A function \(f: \mathbb {N} \rightarrow \mathbb {R}_{\ge 0}\) is said to be negligible if for all c, there exists N such that \(f(n) < 1/n^c \) for all \(n> N\). We denote by \(\mathsf {negl}(n)\) a negligible function. We denote by \(x\overset{_{\tiny \text {\$}}}{\leftarrow }X\) the process of sampling a value x according to the distribution X. Similarly, for a finite set S, we denote by \(x\overset{_{\tiny \text {\$}}}{\leftarrow }S\) the process of sampling a value x according to the uniform distribution over S. The statistical distance between two random variables X and Y with support \(\varOmega \) is defined as \(\varDelta (X;Y) = \frac{1}{2} \sum _{s\in \varOmega } \left| \Pr [X=s] - \Pr [Y=s] \right| \). For ensembles of random variables \(\{ X(n) \}_{n\in \mathbb {N}}\) and \(\{ Y(n) \}_{n\in \mathbb {N}}\), we say that they are \(\mathsf {negl}(n)\)-close if \(\varDelta (X(n);Y(n))=\mathsf {negl}(n)\).
3.1 Identity-Based Encryption
Syntax. Let \(\mathcal {ID}\) be the ID space of the scheme. If a collision resistant hash function \(CRH: \{ 0,1 \}^* \rightarrow \mathcal {ID}\) is available, one can use an arbitrary string as an identity. An IBE scheme is defined by the following four algorithms.

\(\mathsf{Setup}(1^n)\rightarrow (\mathsf {mpk}, \mathsf {msk})\): The setup algorithm takes as input a security parameter \(1^n\) and outputs a master public key \(\mathsf {mpk}\) and a master secret key \(\mathsf {msk}\).

\(\mathsf{KeyGen}(\mathsf {mpk}, \mathsf {msk}, \mathsf {ID})\rightarrow \mathsf {sk}_\mathsf {ID}\): The key generation algorithm takes as input the master public key \(\mathsf {mpk}\), the master secret key \(\mathsf {msk}\), and an identity \(\mathsf {ID}\in \mathcal {ID}\). It outputs a private key \(\mathsf {sk}_\mathsf {ID}\). We assume that \(\mathsf {ID}\) is implicitly included in \(\mathsf {sk}_\mathsf {ID}\).

\(\mathsf{Encrypt} (\mathsf {mpk}, \mathsf {ID}, \mathsf {M})\rightarrow C\): The encryption algorithm takes as input a master public key \(\mathsf {mpk}\), an identity \(\mathsf {ID}\in \mathcal {ID}\), and a message \(\mathsf {M}\). It outputs a ciphertext \(C\).

\(\mathsf{Decrypt}(\mathsf {mpk},\mathsf {sk}_\mathsf {ID}, C)\rightarrow \mathsf {M}\ \text{or}\ \bot \): The decryption algorithm takes as input the master public key \(\mathsf {mpk}\), a private key \(\mathsf {sk}_{\mathsf {ID}}\), and a ciphertext \(C\). It outputs the message \(\mathsf {M}\) or \(\bot \), which means that the ciphertext is not in a valid form.
Security. We now define the security for an IBE scheme \(\varPi \). This security notion is defined by the following game between a challenger and an adversary \(\mathcal{A}\).
 Setup. At the outset of the game, the challenger runs \(\mathsf {Setup}(1^n)\rightarrow (\mathsf {mpk}, \mathsf {msk})\) and gives \(\mathsf {mpk}\) to \(\mathcal{A}\).
 Phase 1. \(\mathcal {A}\) may adaptively make key-extraction queries. If \(\mathcal {A}\) submits \(\mathsf {ID}\in \mathcal {ID}\) to the challenger, the challenger returns \(\mathsf {sk}_\mathsf {ID}\leftarrow \mathsf {KeyGen}(\mathsf {mpk},\mathsf {msk},\mathsf {ID})\).
 Challenge Phase. At some point, \(\mathcal {A}\) outputs a message \(\mathsf {M}\) and an identity \(\mathsf {ID}^\star \in \mathcal {ID}\), on which it wishes to be challenged. Then, the challenger picks a random coin \(\mathsf {coin}\overset{_{\tiny \text {\$}}}{\leftarrow }\{ 0,1 \}\) and a random ciphertext \(C \overset{_{\tiny \text {\$}}}{\leftarrow }\mathcal {C}\) from the ciphertext space. If \(\mathsf {coin}= 0\), it runs \(\mathsf {Encrypt}(\mathsf {mpk},\mathsf {ID}^{\star },\mathsf {M})\rightarrow C^{\star }\) and gives the challenge ciphertext \(C^\star \) to \(\mathcal {A}\). If \(\mathsf {coin}= 1\), it sets the challenge ciphertext as \(C^\star = C\) and gives it to \(\mathcal {A}\).
 Phase 2. After the challenge query, \(\mathcal {A}\) may continue to make key-extraction queries, with the added restriction that \(\mathsf {ID}\ne \mathsf {ID}^\star \).
 Guess. Finally, \(\mathcal{A}\) outputs a guess \(\widehat{\mathsf {coin}}\) for \(\mathsf {coin}\). The advantage of \(\mathcal{A}\) is defined as \( \mathsf {Adv}^{\mathsf {IBE}}_{\mathcal{A},\varPi }= \left| \Pr [ \widehat{\mathsf {coin}} = \mathsf {coin}] - \frac{1}{2} \right| . \) We say that \(\varPi \) is adaptively anonymous if the advantage of any PPT \(\mathcal {A}\) is negligible.
We also define adaptive security (without anonymity) for \(\varPi \) via a similar game to the above. To define adaptive security, we change the challenge phase as follows.
 Challenge Phase. \(\mathcal {A}\) outputs two messages \(\mathsf {M}_0\), \(\mathsf {M}_1\) and an identity \(\mathsf {ID}^\star \in \mathcal {ID}\), on which it wishes to be challenged. Then, the challenger picks a random coin \(\mathsf {coin}\overset{_{\tiny \text {\$}}}{\leftarrow }\{ 0,1 \}\), runs \(\mathsf {Encrypt}(\mathsf {mpk},\mathsf {ID}^{\star },\mathsf {M}_\mathsf {coin})\rightarrow C^{\star }\), and gives the challenge ciphertext \(C^\star \) to \(\mathcal {A}\).
We also say that \(\varPi \) is adaptively secure if the advantage of any PPT \(\mathcal {A}\) is negligible. We note that adaptive anonymity implies adaptive security; namely, the former is the stronger security notion.
3.2 Lattice Preliminaries
For positive integers q, m, n, a matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\), and a vector \(\mathbf {u}\in \mathbb {Z}_q^n\), the m-dimensional integer lattice \(\varLambda _q^{\mathbf {u}}(\mathbf {A})\) is defined as \(\varLambda _q^{\mathbf {u}}(\mathbf {A})=\{ \mathbf {e}\in \mathbb {Z}^m: \mathbf {A}\mathbf {e}= \mathbf {u}\mod q \}\). \(\varLambda _q^{\bot }(\mathbf {A})\) denotes \(\varLambda _q^{\mathbf {0}}(\mathbf {A})\). Let \(D_{\varLambda ,\mathbf {c},\sigma }\) denote the discrete Gaussian distribution over \(\varLambda \) with center \(\mathbf {c}\) and parameter \(\sigma \). When \(\mathbf {c}\) is omitted, we set \(\mathbf {c}=\mathbf {0}\).

\(\Vert \mathbf {R}\Vert \) denotes the \(\ell _2\) length of the longest column of \(\mathbf {R}\).

Open image in new window denotes \(\Vert \tilde{\mathbf {R}} \Vert \) where \(\tilde{\mathbf {R}}\) is the result of applying Gram-Schmidt orthogonalization to the columns of \(\mathbf {R}\).

\(\Vert \mathbf {R}\Vert _2\) is the operator norm of \(\mathbf {R}\) defined as \(\Vert \mathbf {R}\Vert _2 = \sup _{\Vert \mathbf {x}\Vert =1} \Vert \mathbf {R}\mathbf {x}\Vert \).
The following lemma holds [1].
Lemma 1
Let m, n, q be positive integers with \(m>n\), \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) be a matrix, \(\mathbf {u}\in \mathbb {Z}_q^n\) be a vector, \(\mathbf {T}_\mathbf {A}\) be a basis for \(\varLambda _q^{\bot }(\mathbf {A})\), and Open image in new window . Then we have Open image in new window .
Trapdoor Generators and Related Operations
Lemma 2
 1. ([3, 5]) \(\mathsf {TrapGen}(1^n, 1^m, q) \rightarrow (\mathbf {A}, \mathbf {T}_{\mathbf {A}})\): a randomized algorithm that, when \(m \ge 6n\lceil \log q \rceil \), outputs a full rank matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) and a basis \(\mathbf {T}_\mathbf {A}\in \mathbb {Z}^{m\times m}\) for \(\varLambda _q^{\bot }(\mathbf {A})\) such that \(\mathbf {A}\) is \(\mathsf {negl}(n)\)-close to uniform and Open image in new window with all but negligible probability in n.
 2. ([16]) \(\mathsf {SampleLeft}(\mathbf {A},\mathbf {F},\mathbf {u}, \mathbf {T}_\mathbf {A}, \sigma ) \rightarrow \mathbf {e}\): a randomized algorithm that, given a full rank matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\), a matrix \(\mathbf {F}\in \mathbb {Z}_q^{n\times m}\), a vector \(\mathbf {u}\in \mathbb {Z}_q^n\), a basis \(\mathbf {T}_\mathbf {A}\) for \(\varLambda _q^{\bot }(\mathbf {A})\), and a Gaussian parameter Open image in new window , outputs a vector \(\mathbf {e}\in \mathbb {Z}^{2m}\) sampled from a distribution which is \(\mathsf {negl}(n)\)-close to \(D_{\varLambda _q^\mathbf {u}(\mathbf {A}|\mathbf {F}),\sigma }\).
 3. ([1]) \(\mathsf {SampleRight}(\mathbf {A}, \mathbf {G}, \mathbf {R}, y,\mathbf {u}, \mathbf {T}_{\mathbf {G}}, \sigma ) \rightarrow \mathbf {e}\), where \(\mathbf {F}= \mathbf {A}\mathbf {R}+ y \mathbf {G}\): a randomized algorithm that, given full rank matrices \(\mathbf {A}, \mathbf {G}\in \mathbb {Z}_q^{n\times m}\), \(y \in \mathbb {Z}_q{\backslash } \{ 0 \}\), a matrix \(\mathbf {R}\in \mathbb {Z}^{m\times m}\), a vector \(\mathbf {u}\in \mathbb {Z}_q^n\), a basis \(\mathbf {T}_{\mathbf {G}}\) for \(\varLambda _q^{\bot }(\mathbf {G})\), and a Gaussian parameter Open image in new window , outputs a vector \(\mathbf {e}\in \mathbb {Z}^{2m}\) sampled from a distribution which is \(\mathsf {negl}(n)\)-close to \(D_{\varLambda _q^\mathbf {u}(\mathbf {A}|\mathbf {F}),\sigma }\).
 4. ([35]) Let \(m > n \lceil \log q \rceil \). Then there is a fixed full-rank matrix \(\mathbf {G}\in \mathbb {Z}_q^{n\times m}\) such that the lattice \(\varLambda _q^{\bot }(\mathbf {G})\) has a publicly known basis \(\mathbf {T}_\mathbf {G}\in \mathbb {Z}^{m\times m}\) with Open image in new window . Furthermore, there exists a deterministic polynomial-time algorithm \(\mathbf {G}^{-1}\) which takes as input \(\mathbf {U}\in \mathbb {Z}_q^{n\times m}\) and outputs \(\mathbf {R}= \mathbf {G}^{-1}(\mathbf {U})\) such that \(\mathbf {R}\in \{ 0,1 \}^{m\times m }\) and \(\mathbf {G}\mathbf {R}= \mathbf {U}\).
Note that in the above, we are abusing notation: \(\mathbf {G}^{-1}\) is not a matrix but rather a function. Namely, for any \(\mathbf {U}\) there are many choices of \(\mathbf {R}\) such that \(\mathbf {G}\mathbf {R}=\mathbf {U}\), and \(\mathbf {G}^{-1}(\mathbf {U})\) deterministically outputs a particular short matrix from this set. Since we have \(\Vert \mathbf {R}\Vert _2 \le m \) for any \(\mathbf {R}\in \{-1, 0,1 \}^{m\times m}\), \(\Vert \mathbf {G}^{-1}(\mathbf {U}) \Vert _{2} \le m\) holds for any \(\mathbf {U}\in \mathbb {Z}_q^{n\times m}\).
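The following is an added example, not part of the paper, that instantiates item 4 of Lemma 2 concretely: the gadget matrix is built as \(\mathbf {G}= \mathbf {I}_n \otimes (1,2,4,\ldots ,2^{k-1})\) with \(k = \lceil \log _2 q\rceil \), padded with zero columns up to width m (this is the Micciancio-Peikert gadget; the paper only states that such a \(\mathbf {G}\) exists), and \(\mathbf {G}^{-1}\) is the column-wise binary decomposition. The check at the end confirms \(\mathbf {G}\mathbf {R}= \mathbf {U}\bmod q\), that \(\mathbf {R}\) is binary, and the crude bound \(\Vert \mathbf {R}\Vert _2 \le \Vert \mathbf {R}\Vert _F \le m\) from the text. The parameters in `check_gadget` are constructed for illustration.

```python
import random


def gadget_matrix(n: int, q: int, m: int) -> list:
    """G in Z_q^{n x m}: row i holds (1, 2, ..., 2^(k-1)) in columns i*k .. i*k+k-1,
    everything else is zero. k = ceil(log2 q); requires m >= n*k (Lemma 2 asks m > n*k)."""
    k = (q - 1).bit_length()            # ceil(log2 q) for q >= 2, so 2^k >= q
    if m < n * k:
        raise ValueError("need m >= n * ceil(log2 q)")
    G = [[0] * m for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = pow(2, j, q)
    return G


def gadget_inverse(U: list, q: int, m: int) -> list:
    """G^{-1}(U): the deterministic short preimage. Column `col` of R holds the k bits of
    every entry of column `col` of U (rows beyond n*k stay zero), so G R = U mod q."""
    n, cols = len(U), len(U[0])
    k = (q - 1).bit_length()
    R = [[0] * cols for _ in range(m)]
    for col in range(cols):
        for i in range(n):
            u = U[i][col] % q
            for j in range(k):
                R[i * k + j][col] = (u >> j) & 1
    return R


def matmul_mod(A: list, B: list, q: int) -> list:
    inner, cols = len(B), len(B[0])
    return [[sum(A[i][t] * B[t][j] for t in range(inner)) % q for j in range(cols)]
            for i in range(len(A))]


def check_gadget(n: int, q: int, m: int, seed: int = 1) -> bool:
    """Sample a constructed U and verify the three properties stated in the text:
    G * G^{-1}(U) = U mod q, R is in {0,1}^{m x m}, and ||R||_2 <= ||R||_F <= m."""
    rng = random.Random(seed)
    U = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    G = gadget_matrix(n, q, m)
    R = gadget_inverse(U, q, m)
    binary = all(r in (0, 1) for row in R for r in row)
    correct = matmul_mod(G, R, q) == U
    frob_sq = sum(r * r for row in R for r in row)   # ||R||_F^2; each entry is 0 or 1
    return binary and correct and frob_sq <= m * m


if __name__ == "__main__":
    print("n=2, q=13, m=10:", check_gadget(2, 13, 10))
    print("n=3, q=8,  m=9: ", check_gadget(3, 8, 9))
```

The same decomposition is what makes the homomorphic trapdoor computation of [11] work: because \(\mathbf {G}^{-1}(\cdot )\) outputs binary matrices, products such as \(\mathbf {R}_1 \mathbf {G}^{-1}(\mathbf {U})\) grow only by a factor of m in norm, which is what keeps the error in the scheme small.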
Learning with Errors. The learning with errors (LWE) problem was introduced by Regev who showed that solving it on the average is as hard as (quantumly) solving several standard lattice problems in the worst case.
Definition 1
Let \(B = B(n)\in \mathbb {N}\). A family of distributions \(\chi = \{ \chi _n \}\) is called B-bounded if \( \Pr [\chi \in [-B,B]] =1. \) For any constant \(d>0\) and sufficiently large q, Regev [40] showed, through a quantum reduction, that taking \(\chi \) as a \(q/n^d\)-bounded (truncated) discretized Gaussian distribution, the \(\mathsf {dLWE}_{n,m,q,\chi }\) problem is as hard as approximating the worst-case \(\mathsf {GapSVP}\) to within \(n^{O(d)}\) factors, which is believed to be hard. In subsequent works, (partial) dequantizations of Regev's reduction were achieved [13, 37]. More generally, let \(\chi _{\max }<q\) be the bound on the noise distribution. The difficulty of the problem is measured by the ratio \(q/\chi _{\max }\). This ratio is always bigger than 1, and the smaller it is, the harder the problem. The problem appears to remain hard even when \(q/\chi _{\max } < 2^{n^\epsilon }\) for some fixed \(\epsilon \) with \(0< \epsilon < 1{\slash }2\).
3.3 Basic Facts
Injective Map. Let d and \(\kappa \) be integers, and let \(\ell = \lceil \kappa ^{1/d} \rceil \). Then, an element of \([1,\kappa ] \) can be written as an element of \([1,\ell ]^d\) using some canonical map. Furthermore, it is also possible to write a subset of \([1,\kappa ] \) as a subset of \([1,\ell ]^d\), by naturally extending the canonical map. By identifying a bit string in \(\{ 0,1 \}^\kappa \) with a subset of \([1,\kappa ]\) (for example, by regarding the former as the indicator vector of a subset of \([1,\kappa ]\)), we can define an efficiently computable injective map S that maps a bit string \(\mathsf {ID}\in \{ 0,1 \}^\kappa \) to a subset \(S(\mathsf {ID})\) of \([1,\ell ]^d\).
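As an added example (not from the paper), here is one concrete choice of the canonical map the paragraph leaves unspecified: position \(i\in [1,\kappa ]\) is sent to the d base-\(\ell \) digits of \(i-1\), each shifted into \([1,\ell ]\), and \(S(\mathsf {ID})\) collects the images of the positions where \(\mathsf {ID}\) has a 1. The inverse map shows why S is injective, and `is_injective` round-trips every identity for a small \(\kappa \). The map is the reason the public parameters shrink to \(\tilde{O}(n^2\kappa ^{1/d})\): a scheme only needs \(d\ell \) basic matrices (one per digit value per coordinate) rather than \(\kappa \), and the reduction's partitioning argument is what bounds the resulting loss. Function and variable names are my own.

```python
def block_size(kappa: int, d: int) -> int:
    """ell = ceil(kappa^(1/d)), computed as the least integer with ell^d >= kappa.
    Integer arithmetic avoids float rounding (8 ** (1/3) is not exactly 2.0)."""
    ell = 1
    while ell ** d < kappa:
        ell += 1
    return ell


def subset_map(identity_bits: str, d: int) -> frozenset:
    """S(ID): the subset of [1, ell]^d encoding the positions of the 1 bits of ID."""
    kappa = len(identity_bits)
    ell = block_size(kappa, d)
    subset = set()
    for i, bit in enumerate(identity_bits, start=1):
        if bit == '1':
            x, digits = i - 1, []
            for _ in range(d):                 # d base-ell digits of i-1, shifted to [1, ell]
                digits.append(x % ell + 1)
                x //= ell
            subset.add(tuple(reversed(digits)))  # most significant digit first
    return frozenset(subset)


def inverse_subset_map(subset: frozenset, kappa: int, d: int) -> str:
    """Recover ID from S(ID); existence of this inverse is what makes S injective."""
    ell = block_size(kappa, d)
    bits = ['0'] * kappa
    for digits in subset:
        x = 0
        for digit in digits:
            x = x * ell + (digit - 1)
        bits[x] = '1'
    return ''.join(bits)


def is_injective(kappa: int, d: int) -> bool:
    """Exhaustive round-trip over all 2^kappa identities (only for small kappa)."""
    for v in range(2 ** kappa):
        identity = format(v, f'0{kappa}b')
        if inverse_subset_map(subset_map(identity, d), kappa, d) != identity:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a 4-bit identity with d = 2, so ell = 2.
    print(sorted(subset_map('1010', 2)))      # [(1, 1), (2, 1)]
    # A 256-bit identity (e.g. a hash output) with d = 3 needs ell = 7, i.e. 21 digit slots.
    print(block_size(256, 3), 3 * block_size(256, 3))
    print(is_injective(6, 2))
```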
The following lemma can be shown by a simple calculation.
Lemma 3
(Smudging out Lemma). Let \(\mathbf {x}_0 \in \mathbb {Z}^m\) be a (fixed) vector such that \(\Vert \mathbf {x}_0 \Vert _\infty \le \delta \) and let \(\mathbf {x}\in \mathbb {Z}^m\) be a random vector that is chosen as \(\mathbf {x}\overset{_{\tiny \text {\$}}}{\leftarrow }[-B', B']^m\). Then, the two distributions \(\mathbf {x}_0 + \mathbf {x}\) and \(\mathbf {x}\) are within statistical distance \({m\delta }/{B'}\).
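The following added example (mine, not the paper's) makes Lemma 3 concrete. For \(\mathbf {x}\) uniform on a box, \(\mathbf {x}_0+\mathbf {x}\) is uniform on the shifted box, so the statistical distance is exactly one minus the fraction of the box that survives the shift; the code computes that closed form, cross-checks it against a brute-force evaluation of \(\varDelta \) on a small constructed instance, and verifies the lemma's bound \(m\delta /B'\). The last function turns the lemma around the way the security proof in Sect. 2.2 uses it: given the error size \(\delta \) and a target distance, it returns how large \(B'\) (the size of \(\mathbf {x}'\)) must be, which is why a negligible target forces \(B'\) to be super-polynomially larger than \(\delta \).

```python
from fractions import Fraction
from itertools import product


def smudging_bound(m: int, delta: int, B_prime: int) -> Fraction:
    """The bound m*delta/B' stated in Lemma 3."""
    return Fraction(m * delta, B_prime)


def smudging_distance_exact(x0: tuple, B_prime: int) -> Fraction:
    """Exact Delta(x0 + x; x) for x uniform on [-B', B']^m. Both are uniform over boxes of
    (2B'+1)^m points; the distance is 1 - (overlap fraction), a product over coordinates."""
    width = 2 * B_prime + 1
    overlap = Fraction(1)
    for c in x0:
        if abs(c) >= width:          # shifted box is disjoint from the original
            return Fraction(1)
        overlap *= Fraction(width - abs(c), width)
    return 1 - overlap


def smudging_distance_bruteforce(x0: tuple, B_prime: int) -> Fraction:
    """Delta(X;Y) = 1/2 * sum_s |Pr[X=s] - Pr[Y=s]| evaluated over the whole support.
    Only feasible for tiny m and B'; used here to validate the closed form."""
    m = len(x0)
    width = 2 * B_prime + 1
    p = Fraction(1, width ** m)
    support = range(-B_prime, B_prime + 1)
    prob_x = {s: p for s in product(support, repeat=m)}
    prob_shifted = {tuple(a + b for a, b in zip(s, x0)): p
                    for s in product(support, repeat=m)}
    keys = set(prob_x) | set(prob_shifted)
    return sum(abs(prob_x.get(s, 0) - prob_shifted.get(s, 0)) for s in keys) / 2


def lemma_holds(x0: tuple, B_prime: int) -> bool:
    """Check Delta(x0 + x; x) <= m*delta/B' with delta = ||x0||_inf."""
    delta = max(abs(c) for c in x0)
    return smudging_distance_exact(x0, B_prime) <= smudging_bound(len(x0), delta, B_prime)


def smudging_parameter(m: int, delta: int, target: Fraction) -> int:
    """Smallest B' for which the lemma guarantees distance at most `target`."""
    needed = Fraction(m * delta) / target
    return int(needed) if needed.denominator == 1 else int(needed) + 1


if __name__ == "__main__":
    # Constructed instance: m = 2, x0 = (2, -1), B' = 10.
    x0, Bp = (2, -1), 10
    print(smudging_distance_exact(x0, Bp), smudging_distance_bruteforce(x0, Bp))  # 61/441 twice
    print(smudging_bound(2, 2, Bp), lemma_holds(x0, Bp))                           # 2/5 True
    # How large must x' be to push the distance below 2^-40 for m = 1000, delta = 2^20?
    print(smudging_parameter(1000, 2 ** 20, Fraction(1, 2 ** 40)))
```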
As observed in [1, 40], the following lemma is obtained as a corollary to the (general) leftover hash lemma.
Lemma 4
(Leftover Hash Lemma). Let \(q\in \mathbb {N}\) be an odd prime and let \(m>(n+1)\log q + \omega (\log n)\). Let \(\mathbf {R}\overset{_{\tiny \text {\$}}}{\leftarrow }\{ -1,1 \}^{m\times m}\) and \(\mathbf {A}, \mathbf {A}' \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n\times m}\) be uniformly random matrices. Then the distribution of \((\mathbf {A},\mathbf {A}\mathbf {R})\) is \(\mathsf {negl}(n)\)-close to the distribution of \((\mathbf {A},\mathbf {A}')\).
The following lemma is implicitly shown in [6].
Lemma 5
Let \(a_1,\ldots , a_n \in \mathbb {R}\) be real numbers such that \( \left| \sum ^n_{i=1} a_i \right| = \epsilon \) and \( \sum ^n_{i=1} | a_i | \le 1{\slash }2\). Furthermore, let \(\gamma _1,\ldots , \gamma _n \in \mathbb {R}\) be real numbers such that \(0 < \gamma _{\min } \le \gamma _i \le \gamma _{\max } \) for \(i\in [n]\). Then, we have \( \left| \sum ^n_{i=1} \gamma _i a_i \right| \ge \gamma _{\min }\epsilon - ( \gamma _{\max } - \gamma _{\min } )/2 \).
4 Parametrized IBE
In this section, we introduce the notion of parametrized IBE (PIBE), which is a slight extension of the ordinary notion of IBE. The syntax and the security notion for PIBE are almost the same as for IBE, except that they are parametrized by an integer c. Roughly speaking, the larger c becomes, the more secure the PIBE becomes. In particular, when c is super-constant in n, the security notion for PIBE corresponds to that for ordinary IBE. However, in our construction of PIBE in Sect. 5, in order to prove the security of the scheme for super-constant c, we need to assume super-polynomial LWE, which is a stronger assumption than the one needed for constant c. In this section, to base the scheme on a weaker assumption, we provide a generic construction of an adaptively secure IBE scheme from a PIBE scheme that is secure only for constant c.
4.1 Definition of Parametrized IBE
Here, we define PIBE. The syntax of PIBE is the same as ordinary IBE except that the \(\mathsf {Setup}\) algorithm is parametrized by an integer \(c=c(n)\). Namely, \(\mathsf {Setup}\) takes as inputs \(1^n\) and \(1^c\) and outputs a master public key \(\mathsf {mpk}\) and a master secret key \(\mathsf {msk}\). Other algorithms, \(\mathsf {KeyGen}\), \(\mathsf {Encrypt}\), and \(\mathsf {Decrypt}\) are defined as in ordinary IBE. We require that these algorithms work within a time that is polynomial in n and c.
When c(n) is a constant, c-adaptive anonymity is a weaker security notion than adaptive anonymity for IBE, since it allows an adversary to have non-negligible advantage. Furthermore, there is a bound on the number of key extraction queries. On the other hand, when c(n) is super-constant, the security definition of c-adaptive anonymity corresponds to that of adaptive anonymity for (ordinary) IBE. More precisely, we have the following theorem.
Theorem 1
If \(\varPi =(\mathsf {Setup}, \mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt})\) is \(c'\)-adaptively anonymous for some super-constant function \(c'(n)=\omega (1)\) such that \(c'(n)< \mathsf {poly}(n)\), then \(\varPi '=(\mathsf {Setup}', \mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt})\) is adaptively anonymous (as an ordinary IBE) if we set \( \mathsf {Setup}'(1^n)=\mathsf {Setup}(1^n, 1^{c'(n)}). \)
Proof
Comparison with Bounded Collusion IBE. Our notion of PIBE is similar to the notion of bounded collusion IBE [19] (also called k-resilient IBE [29]), in that adversaries only learn private keys for an a priori bounded number of identities. The security requirement for the former is weaker than that for the latter, because we allow adversaries to have non-negligible advantage (in the case where c is a constant). On the other hand, we impose a more severe requirement on the efficiency of the former: we require the algorithms of PIBE to run in time polynomial in c, rather than in \(n^c\). Because of this, existing bounded collusion IBE schemes [19, 26, 29, 46, 49] do not satisfy the requirements of PIBE.
4.2 IBE from PIBE
In this section, we show a conversion from a PIBE scheme \(\varPi =(\mathsf {PIBE}.\mathsf {Setup},\mathsf {PIBE}.\mathsf {KeyGen}, \mathsf {PIBE}.\mathsf {Encrypt},\mathsf {PIBE}.\mathsf {Decrypt})\) to an (ordinary) IBE scheme \(\varPi ' = (\mathsf {IBE}.\mathsf {Setup},\mathsf {IBE}.\mathsf {KeyGen}, \mathsf {IBE}.\mathsf {Encrypt},\mathsf {IBE}.\mathsf {Decrypt})\). In the following, let \(\eta (n)\) be any function such that \(\eta (n)=\omega (1)\) (e.g., \(\eta (n) = \log \log (n)\)). We also let the message space of \(\varPi \) and \(\varPi '\) be \(\{ 0,1\}^{\ell _M}\) for some \(\ell _M \in \mathbb {N}\).
 \(\mathsf {IBE}.\mathsf {Setup}(1^n)\): It runs \(\mathsf {PIBE}.\mathsf {Setup}(1^n,1^i)\rightarrow (\mathsf {mpk}^{(i)}, \mathsf {msk}^{(i)} )\) for \(i= 1,\ldots , \eta \). It outputs$$\begin{aligned} \mathsf {mpk}= ( \mathsf {mpk}^{(1)}, \mathsf {mpk}^{(2)}, \ldots , \mathsf {mpk}^{(\eta )} ) ~~ \text{ and } ~~ \mathsf {msk}= ( \mathsf {msk}^{(1)}, \mathsf {msk}^{(2)}, \ldots , \mathsf {msk}^{(\eta )} ). \end{aligned}$$
 \(\mathsf {IBE}.\mathsf {KeyGen}(\mathsf {mpk}, \mathsf {msk}, \mathsf {ID})\): It runs \(\mathsf {PIBE}.\mathsf {KeyGen}(\mathsf {mpk}^{(i)},\mathsf {msk}^{(i)},\mathsf {ID})\rightarrow \mathsf {sk}^{(i)}_{\mathsf {ID}} \) for \(i= 1,\ldots , \eta \). It outputs$$\begin{aligned} \mathsf {sk}_\mathsf {ID}= ( \mathsf {sk}^{(1)}_{\mathsf {ID}},\mathsf {sk}^{(2)}_{\mathsf {ID}},\ldots , \mathsf {sk}^{(\eta )}_{\mathsf {ID}} ). \end{aligned}$$
 \(\mathsf {Encrypt}(\mathsf {mpk}, \mathsf {ID}, \mathsf {M})\): To encrypt \(\mathsf {M}\in \{ 0,1 \}^{\ell _M}\), it picks random \( \mathsf {M}^{(i)} \in \{ 0,1 \}^{\ell _M}\) for \(i\in [\eta ]\) subject to the constraint that \(\mathsf {M}= \bigoplus _{i=1}^\eta \mathsf {M}^{(i)} \), where \(\bigoplus \) denotes bitwise exclusive or. Then it runs$$\begin{aligned} \mathsf {PIBE}.\mathsf {Encrypt}( \mathsf {mpk}^{(i)}, \mathsf {ID}, \mathsf {M}^{(i)} ) \rightarrow C^{(i)} \qquad \text{ for } \quad i= 1,\ldots , \eta . \end{aligned}$$Finally, it outputs the ciphertext \(C=(C^{(1)},\ldots , C^{(\eta )})\).
 \(\mathsf {Decrypt}(\mathsf {mpk}, \mathsf {sk}_\mathsf {ID}, C)\): It first parses the ciphertext and the private key as \(C\rightarrow (C^{(1)},\ldots , C^{(\eta )})\) and \(\mathsf {sk}_\mathsf {ID}\rightarrow (\mathsf {sk}_\mathsf {ID}^{(1)},\ldots , \mathsf {sk}_\mathsf {ID}^{(\eta )})\). Then, it runs$$\begin{aligned} \mathsf {PIBE}.\mathsf {Decrypt}(\mathsf {mpk}^{(i)},\mathsf {sk}_\mathsf {ID}^{(i)},C^{(i)}) \rightarrow \mathsf {M}^{(i)} \qquad \text{ for } \quad i= 1,\ldots , \eta . \end{aligned}$$Finally, it outputs \(\mathsf {M}= \bigoplus _{i=1}^\eta \mathsf {M}^{(i)} \).
Correctness of the scheme follows directly from the correctness of \(\varPi \): decrypting each \(C^{(i)}\) recovers \(\mathsf {M}^{(i)}\), and the shares XOR back to \(\mathsf {M}\). The following theorem addresses the security of the scheme. Note that the resulting IBE scheme is not anonymous even if the original PIBE scheme is anonymous.
Theorem 2
Assume that PIBE \(\varPi \) is secure for all (constant) \(c \in \mathbb {N}\). Then, \(\varPi '\) is adaptively secure as an (ordinary, not parametrized) IBE scheme.
Proof
 The advantage \(\epsilon (n)\) of \(\mathcal {A}\) is greater than \(2/n^{c'}\) for infinitely many n.
 The number Q(n) of key extraction queries that \(\mathcal {A}\) makes is bounded by \(n^{c''}/2 - 1\).
Setup. First, \(\mathsf {PIBE}.\mathsf {Setup}(1^n,1^{i^\star } )\rightarrow (\mathsf {mpk}^{(i^\star )}, \mathsf {msk}^{(i^\star )} )\) is run and \(\mathsf {mpk}^{(i^\star )}\) is given to \(\mathcal {B}\). Then, \(\mathcal {B}\) runs \(\mathsf {PIBE}.\mathsf {Setup}(1^n,1^i)\rightarrow (\mathsf {mpk}^{(i)}, \mathsf {msk}^{(i)} )\) for \(i\in [1,\eta ]{\backslash } \{ i^\star \} \) and sets \(\mathsf {mpk}= ( \mathsf {mpk}^{(1)}, \mathsf {mpk}^{(2)}, \ldots , \mathsf {mpk}^{(\eta )} )\). \(\mathcal {B}\) keeps \(\mathsf {msk}^{(i)}\) for \(i\in [1,\eta ]{\backslash } \{ i^\star \}\) secret, and returns \(\mathsf {mpk}\) to \(\mathcal {A}\).
Phases 1 and 2. When \(\mathcal {A}\) makes a key extraction query for an identity \(\mathsf {ID}\), \(\mathcal {B}\) queries a private key for the same \(\mathsf {ID}\) to its challenger. Then, \(\mathsf {PIBE}.\mathsf {KeyGen}(\mathsf {mpk}^{(i^\star )},\mathsf {msk}^{(i^\star )}, \mathsf {ID})\rightarrow \mathsf {sk}^{(i^\star )}_{\mathsf {ID}} \) is run and \( \mathsf {sk}^{(i^\star )}_{\mathsf {ID}} \) is given to \(\mathcal {B}\). Then \(\mathcal {B}\) runs \(\mathsf {PIBE}.\mathsf {KeyGen}( \mathsf {mpk}^{(i)}, \mathsf {msk}^{(i)}, \mathsf {ID})\rightarrow \mathsf {sk}^{(i)}_{\mathsf {ID}} \) for \(i\in [1,\eta ]{\backslash } \{ i^\star \}\) and returns \(\mathsf {sk}_\mathsf {ID}= ( \mathsf {sk}^{(1)}_{\mathsf {ID}},\ldots , \mathsf {sk}^{(\eta )}_{\mathsf {ID}} )\) to \(\mathcal {A}\).
Guess. Finally, \(\mathcal {A}\) outputs a guess \( \widehat{\mathsf {coin}}\) for \(\mathsf {coin}'\). If \(\widehat{\mathsf {coin}}=\mathsf {coin}'\), \(\mathcal {B}\) outputs 0 as its guess for \(\mathsf {coin}\) and outputs 1 otherwise.
More Efficient Conversion. In the above conversion, we run \(\eta \) instances of the PIBE scheme in parallel. The number of instances can be reduced to \(O(\log \eta )\). We briefly sketch the construction and the security proof for it. Let us assume that \(\eta \) is a power of 2. In the setup algorithm of the variant, we run \(\mathsf {PIBE}.\mathsf {Setup}(1^n,1^i)\rightarrow (\mathsf {mpk}^{(i)}, \mathsf {msk}^{(i)} )\) for \(i=1,2,4,\ldots , 2^{\log \eta }(=\eta )\), instead of \(i=1,2,\ldots , \eta \). Other algorithms are defined similarly to the above. In the security proof, the target of the reduction algorithm is set to be \(i^\star \) such that \( 2^{i^\star - 1} \le c'+c'' < 2^{i^\star }.\)
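The conversion of Sect. 4.2 and its \(O(\log \eta )\) variant, as an added Python example that is not part of the paper. The PIBE instances are a constructed toy stand-in (an HMAC-derived per-identity key and a hash keystream, with the secret seed carried inside the "mpk" so that encryption can derive the same key as key generation); it is neither the lattice PIBE of Sect. 5 nor a public-key scheme, and exists only to exercise the combiner. The rest follows the text: the XOR sharing of \(\mathsf {M}\) into one share per instance, the instance parameters \(1,\ldots ,\eta \) versus \(1,2,4,\ldots ,\eta \), and the reduction's index \(i^\star \) with \(2^{i^\star - 1} \le c'+c'' < 2^{i^\star }\). The identity string and the message are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for one PIBE instance (constructed for this example; NOT the lattice
# PIBE of Sect. 5 and not a public-key scheme). The seed is kept in the "mpk" so that
# Encrypt can derive the same per-identity key as KeyGen; it only exercises the combiner.
def pibe_setup(n, c):
    seed = secrets.token_bytes(32)
    return {"c": c, "seed": seed}, seed            # (mpk, msk)

def _id_key(seed, ident):
    return hmac.new(seed, b"key|" + ident, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pibe_keygen(mpk, msk, ident):
    return _id_key(msk, ident)

def pibe_encrypt(mpk, ident, msg):
    nonce = secrets.token_bytes(16)
    return nonce, xor_bytes(msg, _keystream(_id_key(mpk["seed"], ident), nonce, len(msg)))

def pibe_decrypt(mpk, sk, ct):
    nonce, body = ct
    return xor_bytes(body, _keystream(sk, nonce, len(body)))

# --- The PIBE-to-IBE combiner of Sect. 4.2 and its O(log eta) variant ----------
def instance_params(eta, efficient=False):
    """Values of c handed to PIBE.Setup(1^n, 1^c): 1..eta, or 1,2,4,...,eta."""
    if efficient:
        if eta & (eta - 1):
            raise ValueError("the variant assumes eta is a power of 2")
        return [1 << k for k in range(eta.bit_length())]
    return list(range(1, eta + 1))

def ibe_setup(n, eta, efficient=False):
    mpk, msk = {}, {}
    for c in instance_params(eta, efficient):
        mpk[c], msk[c] = pibe_setup(n, c)
    return mpk, msk

def ibe_keygen(mpk, msk, ident):
    return {c: pibe_keygen(mpk[c], msk[c], ident) for c in mpk}

def split_shares(msg, count):
    """Random M^(1..count) whose XOR is msg; every proper subset is uniformly random."""
    shares = [secrets.token_bytes(len(msg)) for _ in range(count - 1)]
    last = msg
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]

def ibe_encrypt(mpk, ident, msg):
    cs = sorted(mpk)
    return {c: pibe_encrypt(mpk[c], ident, share)
            for c, share in zip(cs, split_shares(msg, len(cs)))}

def ibe_decrypt(mpk, sk, ct):
    msg = None
    for c, piece in ct.items():
        share = pibe_decrypt(mpk[c], sk[c], piece)
        msg = share if msg is None else xor_bytes(msg, share)
    return msg

def reduction_target(c_prime, c_double_prime):
    """i* of the variant's proof: 2^(i*-1) <= c'+c'' < 2^(i*)."""
    total = c_prime + c_double_prime
    i_star = 0
    while (1 << i_star) <= total:
        i_star += 1
    return i_star

def roundtrip(eta, efficient=False, msg=b"constructed sample plaintext"):
    """Setup, key extraction, encryption and decryption for one constructed identity."""
    mpk, msk = ibe_setup(128, eta, efficient)
    ident = b"alice@example.com"                   # constructed identity
    sk = ibe_keygen(mpk, msk, ident)
    return ibe_decrypt(mpk, sk, ibe_encrypt(mpk, ident, msg)) == msg
```

The sharing step is where the security argument lives: any proper subset of the shares is uniformly random, so the components encrypted under the instances other than the target \(i^\star \) reveal nothing about \(\mathsf {M}\), which is why the reduction can run those instances itself and only needs the challenger for instance \(i^\star \).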
5 Our Construction of PIBE from Lattices
Here, we show our constructions of PIBE from lattices. By setting the parameter c super-constant or applying the conversion in Sect. 4.2, we obtain IBE schemes that provide a trade-off between efficiency, security, and the underlying assumptions (see Sect. 6 for an overview). In this section, we first introduce some functions that will be needed to describe our construction. Then, we show our construction of a PIBE scheme for the single-bit message space. We then prove the security of the scheme. Finally, we discuss the extension of the scheme to the multi-bit variant.
5.1 Homomorphic Computation
Lemma 6
5.2 Our Construction
In the following, we present our PIBE scheme. Let d be a (flexible) constant. In addition, let the identity space of the scheme be \(\mathcal {ID}= \{ 0,1 \}^{\kappa }\) for some \(\kappa \in \mathbb {N}\) and the message space be \(\{ 0,1 \}\). For our construction, we consider an efficiently computable injective map S that maps an identity \(\mathsf {ID}\in \{ 0,1 \}^\kappa \) to a subset \(S(\mathsf {ID})\) of \([1,\ell ]^d\), where \(\ell = \lceil \kappa ^{1/d} \rceil \). Such a map can be constructed easily as we explained in Sect. 3.3. We would typically set \(\kappa = O(n)\), and thus \(\ell = O(n^{1/d})\) in such a case.
 \(\mathsf {Setup}(1^n,1^c)\): On input \(1^n\) and \(1^c\), it sets the parameters q, m, \(\sigma \), B, \(B'\), and a distribution \(\chi \) as specified in Sect. 5.3, where q is a prime number. Then, it picks random matrices \(\mathbf {B}_0 \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n\times m}\), \(\mathbf {B}_{i,j} \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n\times m}\) for \((i,j)\in [d, \ell ]\) and a vector \(\mathbf {u}\overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^n\). It also runs \(\mathsf {TrapGen}(1^n, 1^m, q) \rightarrow (\mathbf {A},\mathbf {T}_\mathbf {A})\in \mathbb {Z}_q^{n\times m} \times \mathbb {Z}^{m\times m}\), where \(\mathbf {T}_\mathbf {A}\) is a short basis of \(\varLambda _q^{\perp }(\mathbf {A})\). It finally outputs$$\begin{aligned} \mathsf {mpk}= (\mathbf {A}, \mathbf {B}_0, \{ \mathbf {B}_{i,j} \}_{(i,j)\in [d, \ell ] }, \mathbf {u}) \qquad \text{ and } \qquad \mathsf {msk}=\mathbf {T}_\mathbf {A}. \end{aligned}$$
 \(\mathsf {KeyGen}(\mathsf {mpk}, \mathsf {msk}, \mathsf {ID})\): It first computes \(\mathsf {H}(\mathsf {ID})\) and picks \(\mathbf {e}\in \mathbb {Z}^{2m}\) such that$$\begin{aligned} \bigl ( \mathbf {A} \mid \mathsf {H}(\mathsf {ID}) \bigr ) \cdot \mathbf {e}= \mathbf {u}\end{aligned}$$by running \(\mathsf {SampleLeft}(\mathbf {A},\mathsf {H}(\mathsf {ID}),\mathbf {u}, \mathbf {T}_\mathbf {A}, \sigma ) \rightarrow \mathbf {e}\). It returns \(\mathsf {sk}_\mathsf {ID}= \mathbf {e}\).
 \(\mathsf {Encrypt}(\mathsf {mpk}, \mathsf {ID}, b)\): To encrypt a message \(b\in \{ 0,1 \}\), it picks \(\mathbf {s}\overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^n\), \(x_0 \overset{_{\tiny \text {\$}}}{\leftarrow }\chi \), \(\mathbf {x}_1 \overset{_{\tiny \text {\$}}}{\leftarrow }\chi ^m\), \(\mathbf {x}_2 \overset{_{\tiny \text {\$}}}{\leftarrow }[-B',B']^m\) and computes$$\begin{aligned} \qquad c_0= \mathbf {s}^\top \mathbf {u}+ x_0 + b \cdot \lceil q/2 \rceil , \qquad \mathbf {c}^\top _1= \mathbf {s}^\top ( \mathbf {A} \mid \mathsf {H}(\mathsf {ID}) ) + ( \mathbf {x}_1^\top \mid \mathbf {x}_2^\top ). \end{aligned}$$Finally, it returns the ciphertext \(C=(c_0,\mathbf {c}_1)\).
 \(\mathsf {Decrypt}(\mathsf {mpk},\mathsf {sk}_\mathsf {ID}, C)\): To decrypt a ciphertext \(C=(c_0,\mathbf {c}_1)\) using a private key \(\mathsf {sk}_\mathsf {ID}{:}= \mathbf {e}\), it first computes$$\begin{aligned} w =c_0 - \mathbf {c}_1^\top \cdot \mathbf {e}\in \mathbb {Z}_q. \end{aligned}$$Then it returns 1 if \( | w - \lceil q/2 \rceil | < \lceil q/4 \rceil \) and 0 otherwise.
5.3 Correctness and Parameter Selection
Lemma 7
Assuming \(B' >B\), the error term is bounded by \(O(B' \sigma m )\) with overwhelming probability.
Proof
For the parameter selection, we require
 that the error term is less than \(q/5\) with overwhelming probability (i.e., \(\varOmega ( B' \sigma m) < q\)),
 that q is sufficiently large so that the simulation works (i.e., \(q > \varTheta ( \kappa (d n^c )^d )\)),
 that \(\mathsf {TrapGen}\) can operate (i.e., \(m \ge 6 n \lceil \log q \rceil \)),
 that the leftover hash lemma (Lemma 4) can be applied in the security proof (i.e., \(m=(n+1)\log q + \omega (\log n)\)),
 that \(\sigma \) is sufficiently large so that \(\mathsf {SampleLeft}\) and \(\mathsf {SampleRight}\) work (i.e., \(\sigma > O(\sqrt{n\log q}) \cdot \omega (\sqrt{ \log m } ) \) and \(\sigma > m ( 1 + \kappa d^{d} n^{c(d-1)} ) \cdot \omega ( \sqrt{\log m } ) \), where the latter condition turns out to be more restrictive),
 that the “noise smudging step” in the security proof works (i.e., \(m^{5/2} ( 1 + \kappa d^{d} n^{c(d-1)} ) B/B' \le \frac{d}{(\kappa +1)( dn^c )^{d+1}}\); see Eq. (11)).
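Encryption, decryption and the error term of the construction in Sect. 5.2, together with the first parameter condition above, as an added Python example that is not from the paper. It replaces the trapdoor machinery by planting a ternary key \(\mathbf {e}\) first and setting \(\mathbf {u}:=(\mathbf {A}\mid \mathsf {H}(\mathsf {ID}))\,\mathbf {e}\), so the relation used by \(\mathsf {Decrypt}\) holds without \(\mathsf {SampleLeft}\) (the real \(\mathbf {e}\) is a discrete Gaussian of parameter \(\sigma \), which is why the paper's bound carries a \(\sigma \)); \(\chi \) is modelled as uniform B-bounded noise, and the dimensions \(n=8\), \(m=24\), \(q=4099\) are toy values chosen only so that the worst-case error can be compared with \(\lceil q/4 \rceil \).

```python
import random

def ceil_div(a, b):
    return -(-a // b)

def toy_instance(n=8, m=24, q=4099, seed=7):
    """Constructed stand-in for F = (A | H(ID)) in Z_q^{n x 2m} and a key e with F e = u.
    The real scheme samples e with SampleLeft using T_A; here e is planted first and
    u := F e mod q is derived, which gives the same relation without a trapdoor."""
    rng = random.Random(seed)
    F = [[rng.randrange(q) for _ in range(2 * m)] for _ in range(n)]
    e = [rng.choice([-1, 0, 1]) for _ in range(2 * m)]           # ternary, |e_j| <= 1
    u = [sum(F[i][j] * e[j] for j in range(2 * m)) % q for i in range(n)]
    return F, e, u, q

def encrypt(F, u, q, bit, B, B_prime, rng):
    n, two_m = len(F), len(F[0])
    m = two_m // 2
    s = [rng.randrange(q) for _ in range(n)]
    x0 = rng.randint(-B, B)                                       # x_0 <- chi (B-bounded)
    x = ([rng.randint(-B, B) for _ in range(m)]                  # x_1 <- chi^m
         + [rng.randint(-B_prime, B_prime) for _ in range(m)])   # x_2 <- [-B', B']^m
    c0 = (sum(s[i] * u[i] for i in range(n)) + x0 + bit * ceil_div(q, 2)) % q
    c1 = [(sum(s[i] * F[i][j] for i in range(n)) + x[j]) % q for j in range(two_m)]
    return c0, c1

def decrypt(c0, c1, e, q):
    w = (c0 - sum(cj * ej for cj, ej in zip(c1, e))) % q         # w = c_0 - c_1^T e
    return 1 if abs(w - ceil_div(q, 2)) < ceil_div(q, 4) else 0

def error_term(c0, c1, e, q, bit):
    """x_0 - x^T e, centred into (-q/2, q/2]; meaningful only while |error| < q/2."""
    w = (c0 - sum(cj * ej for cj, ej in zip(c1, e))) % q
    err = (w - bit * ceil_div(q, 2)) % q
    return err - q if err > q // 2 else err

def worst_case_error(m, B, B_prime):
    # |x_0| <= B, plus m entries of x_1 (<= B) and m of x_2 (<= B') against ternary e
    return B + m * (B + B_prime)

def params_ok(m, q, B, B_prime):
    """Decryption is guaranteed when the error cannot reach ceil(q/4) (cf. Sect. 5.3)."""
    return worst_case_error(m, B, B_prime) < ceil_div(q, 4)

def run_trials(B, B_prime, trials=200, seed=11):
    """Fraction of correct decryptions and the largest |error| observed."""
    F, e, u, q = toy_instance()
    rng = random.Random(seed)
    correct, max_err = 0, 0
    for t in range(trials):
        bit = t % 2
        c0, c1 = encrypt(F, u, q, bit, B, B_prime, rng)
        correct += decrypt(c0, c1, e, q) == bit
        max_err = max(max_err, abs(error_term(c0, c1, e, q, bit)))
    return correct / trials, max_err
```

run_trials(2, 8) decrypts every ciphertext correctly because the toy bound \(B + m(B+B') = 242\) stays below \(\lceil q/4 \rceil = 1025\), whereas params_ok(24, 4099, 2, 400) reports the opposite: once the smudging noise \(B'\) is large enough to hide \(\mathbf {x}_1^\top \mathbf {R}_{\mathsf {ID}^\star }\) in the security proof, q has to grow with it, which is exactly what the condition \(\varOmega (B'\sigma m) < q\) expresses.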
5.4 Security Proof
The following theorem addresses the security of the scheme. The proof is based on the partitioning technique, similarly to [1, 6, 12, 47]. For simplicity, we opt to use the framework of [6] in our analysis, which does not require the artificial abort step [47]. The analysis with the artificial abort step is also possible, and it might lead to a scheme with slightly better efficiency (up to constant factors).
Theorem 3
The above scheme is c-adaptively anonymous assuming \(\mathsf {dLWE}_{n,m+1,q,\chi }\) is hard, where the ciphertext space is \(\mathcal {C}= \mathbb {Z}_q \times \mathbb {Z}_q^{2m}\).
Proof
We show the security of the scheme via the following games. In each game, a value \(\mathsf {coin}' \in \{ 0,1 \}\) is defined. While it is set to \(\mathsf {coin}' = \widehat{\mathsf {coin}}\) in the first game, these values might differ in the later games. In the following, we define \(X_i\) to be the event that \(\mathsf {coin}' = \mathsf {coin}\).
 \(\mathsf {Game}_{0}\): This is the real security game. Recall that since the ciphertext space is \(\mathcal {C}= \mathbb {Z}_q \times \mathbb {Z}_q^{2m}\), in the challenge phase, the challenge ciphertext is set as \(C^\star = (c_0, \mathbf {c}_1 )\overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q\times \mathbb {Z}_q^{2m}\) if \(\mathsf {coin}= 1\). At the end of the game, \(\mathcal {A}\) outputs a guess \(\widehat{\mathsf {coin}}\) for \(\mathsf {coin}\). Finally, the challenger sets \(\mathsf {coin}' = \widehat{\mathsf {coin}}\). By definition, we have$$\begin{aligned} \left| \Pr [X_0] - \frac{1}{2} \right| = \left| \Pr [\mathsf {coin}' = \mathsf {coin}] - \frac{1}{2} \right| = \left| \Pr [\widehat{\mathsf {coin}} = \mathsf {coin}] - \frac{1}{2} \right| = \epsilon . \end{aligned}$$
 \(\mathsf {Game}_{1}\): In this game, we change \(\mathsf {Game}_0\) so that the challenger performs the following additional step at the end of the game. First, the challenger picks \(\mathbf {y}=(y_0, \{ y_{i,j} \}_{(i,j)\in [d,\ell ]})\) as$$\begin{aligned} y_0 \overset{_{\tiny \text {\$}}}{\leftarrow }[-(\kappa +1) (dn^{\tilde{c}} )^d +1, 0] \quad \text{ and } \quad y_{i,j} \overset{_{\tiny \text {\$}}}{\leftarrow }[1, dn^{\tilde{c}} ] \quad \text{ for } \quad (i,j)\in [d]\times [\ell ]. \end{aligned}$$We define a function \(\mathsf {F}_\mathbf {y}{\,:\,}\mathcal {ID}\rightarrow \mathbb {Z}_q\) as follows:$$\begin{aligned} \mathsf {F}_\mathbf {y}(\mathsf {ID})= y_0 + \sum _{(j_1, \ldots , j_d)\in S(\mathsf {ID})} y_{1,j_1}\cdots y_{d,j_d}. \end{aligned}$$Then the challenger checks whether the following condition holds:$$\begin{aligned} \mathsf {F}_\mathbf {y}(\mathsf {ID}^\star )=0 ~ \wedge ~ \mathsf {F}_\mathbf {y}(\mathsf {ID}_1) \ne 0 ~ \wedge ~ \mathsf {F}_\mathbf {y}(\mathsf {ID}_2) \ne 0 ~ \wedge ~ \cdots ~ \wedge ~ \mathsf {F}_\mathbf {y}(\mathsf {ID}_Q) \ne 0 \end{aligned}$$(7)where \(\mathsf {ID}^\star \) is the challenge identity, and \(\mathsf {ID}_1,\ldots , \mathsf {ID}_Q\) are the identities for which \(\mathcal {A}\) has made key extraction queries. If it does not hold, the challenger ignores the output \(\widehat{\mathsf {coin}}\) of \(\mathcal {A}\) and sets \(\mathsf {coin}' \overset{_{\tiny \text {\$}}}{\leftarrow }\{ 0,1\}\). In this case, we say that the challenger aborts. If condition (7) holds, the challenger sets \(\mathsf {coin}' = \widehat{\mathsf {coin}}\). As we will show in Lemma 8, we have$$\begin{aligned} \left| \Pr [X_1] - \frac{1}{2} \right| \ge \frac{1}{\kappa +1} \cdot \left( \frac{1}{ dn^{\tilde{c}} } \right) ^d \cdot \left( \epsilon - \frac{Q}{n^{\tilde{c}}} \right) . \end{aligned}$$So as not to interrupt the proof of Theorem 3, we intentionally skip the proof for the time being.
 \(\mathsf {Game}_{2}\): In this game, we change the way \(\mathbf {B}_0\) and \(\mathbf {B}_{i,j}\) are chosen. At the beginning of the game, the challenger picks \(\mathbf {R}_0, \mathbf {R}_{i,j} \overset{_{\tiny \text {\$}}}{\leftarrow }\{ -1, 1\}^{m\times m}\) for \((i,j)\in [d]\times [\ell ]\). It also picks \(\mathbf {y}\) as in \(\mathsf {Game}_1\). Then, \(\mathbf {B}_0\) and \(\mathbf {B}_{i,j}\) are defined as$$\begin{aligned} \mathbf {B}_0=\mathbf {A}\mathbf {R}_0 + y_0 \mathbf {G}, \qquad \mathbf {B}_{i,j}=\mathbf {A}\mathbf {R}_{i,j} + y_{i,j} \mathbf {G}\end{aligned}$$(8)for \((i,j) \in [d] \times [\ell ]\). The rest of the game is the same as in \(\mathsf {Game}_1\). Then, we bound \( |\Pr [X_2]-\Pr [X_1]| \). By Lemma 4, the distributions$$\begin{aligned} \bigl (\mathbf {A}, ~ \mathbf {A}\mathbf {R}_0+ y_0 \mathbf {G}, ~ \{ \mathbf {A}\mathbf {R}_{i,j}+y_{i,j}\mathbf {G}\} \bigr ) ~~ \text{ and } ~~ \bigl (\mathbf {A}, ~ \mathbf {B}_0, ~ \{ \mathbf {B}_{i,j} \} \bigr ) \end{aligned}$$are \(\mathsf {negl}(n)\)-close, where \(\mathbf {B}_0, \mathbf {B}_{i,j} \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n\times m}\). Therefore, we have \( |\Pr [X_1] - \Pr [X_2]| = \mathsf {negl}(n).\)
 \(\mathsf {Game}_{3}\): In this game, we change the way the challenge ciphertext is created when \(\mathsf {coin}=0\). If \(\mathsf {coin}=0\), to create the challenge ciphertext, the \(\mathsf {Game}_3\) challenger first picks \(\mathbf {s}\overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^n\), \(x_0 \overset{_{\tiny \text {\$}}}{\leftarrow }\chi \), \(\mathbf {x}_1 \overset{_{\tiny \text {\$}}}{\leftarrow }\chi ^m\), \(\mathbf {x}_2 \overset{_{\tiny \text {\$}}}{\leftarrow }[-B',B']^m\) and computes \(\mathbf {R}_{\mathsf {ID}^\star }\). Then, the challenge ciphertext \(C^\star = (c_0, \mathbf {c}_1)\) is computed as$$\begin{aligned} c_0= \mathbf {s}^\top \mathbf {u}+ x_0 + b \cdot \lceil q/2 \rceil , \qquad \mathbf {c}_1^\top = \mathbf {s}^\top ( \mathbf {A} \mid \mathsf {H}(\mathsf {ID}^\star ) ) + ( \mathbf {x}_1^\top \mid \mathbf {x}_1^\top \mathbf {R}_{\mathsf {ID}^\star } + \mathbf {x}_2^\top ) \end{aligned}$$where \(b\in \{ 0,1\}\) is the message chosen by \(\mathcal {A}\). We then proceed to bound \( |\Pr [X_3]-\Pr [X_2]| \). Since \(\mathbf {x}_1\) is chosen from a B-bounded distribution, we have$$\begin{aligned} \Vert \mathbf {R}_{\mathsf {ID}^\star }^\top \mathbf {x}_1 \Vert _\infty \le \Vert \mathbf {R}_{\mathsf {ID}^\star }^\top \mathbf {x}_1 \Vert _2 \le \Vert \mathbf {R}_{\mathsf {ID}^\star }^\top \Vert _2 \cdot \Vert \mathbf {x}_1 \Vert \le m^{3/2} ( 1 + \kappa d^{d} n^{c(d-1)} ) B \end{aligned}$$by Lemma 3. When all randomness other than \(\mathbf {x}_2\) in this game is fixed, the distributions of \(\mathbf {x}_2\) and \( \mathbf {R}_{\mathsf {ID}^\star }^\top \cdot \mathbf {x}_1 + \mathbf {x}_2\) are within statistical distance$$\begin{aligned} m \Vert \mathbf {R}^\top _{\mathsf {ID}^\star } \mathbf {x}_1 \Vert _{\infty }/B' = m^{5/2} ( 1 + \kappa d^{d} n^{c(d-1)} ) B/B' \le \frac{d}{\kappa +1} \cdot \left( \frac{1}{ dn^c } \right) ^{d+1}. \end{aligned}$$(11)Averaging over all other randomness, we have that the distribution of the challenge ciphertext is within statistical distance \(\frac{d}{\kappa +1}\cdot \left( \frac{1}{dn^c}\right) ^{d+1}\) of that in the previous game when \(\mathsf {coin}=0\). In the case of \(\mathsf {coin}=1\), the view of \(\mathcal {A}\) is unchanged.
Therefore, we conclude that the view of \(\mathcal {A}\) in this game is within statistical distance \(\frac{d}{\kappa +1}\cdot \left( \frac{1}{dn^c}\right) ^{d+1}\) of that in the previous game. Thus, we have$$\begin{aligned} | \Pr [X_2] - \Pr [X_3] | \le \frac{d }{\kappa +1 } \cdot \left( \frac{1}{dn^c} \right) ^{d+1}. \end{aligned}$$
 \(\mathsf {Game}_{4}\): Recall that in the previous game, the challenger aborts at the end of the game if condition (7) is not satisfied. In this game, we change the game so that the challenger aborts as soon as the abort condition becomes true. Since this is only a conceptual change, we have \( \Pr [X_3]=\Pr [X_4]. \)
 \(\mathsf {Game}_{5}\): In this game, we change the way the matrix \(\mathbf {A}\) is sampled. Namely, the \(\mathsf {Game}_5\) challenger picks \(\mathbf {A}\overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n\times m}\) instead of generating it with a trapdoor. By Lemma 2, this makes only a negligible difference. Furthermore, we also change the way the key extraction queries are answered. When \(\mathcal {A}\) makes a key extraction query for an identity \(\mathsf {ID}\), the challenger first computes \(\mathbf {R}_\mathsf {ID}\) as in Eq. (9). By the definition of \(\mathbf {R}_\mathsf {ID}\), it holds that$$\begin{aligned} \mathsf {H}(\mathsf {ID})=\mathbf {A}\mathbf {R}_\mathsf {ID}+ \mathsf {F}_\mathbf {y}(\mathsf {ID})\mathbf {G}. \end{aligned}$$If \(\mathsf {F}_\mathbf {y}(\mathsf {ID}) = 0\), it aborts, as in the previous game. Otherwise, it runs$$\begin{aligned} \mathsf {SampleRight}(\mathbf {A}, \mathbf {G}, \mathbf {R}_\mathsf {ID}, \mathsf {F}_\mathbf {y}(\mathsf {ID}),\mathbf {u}, \mathbf {T}_{\mathbf {G}}, \sigma ) \rightarrow \mathbf {e} \end{aligned}$$and returns \(\mathbf {e}\) to \(\mathcal {A}\). Note that the private key was sampled as$$\begin{aligned} \mathsf {SampleLeft}(\mathbf {A},\mathsf {H}(\mathsf {ID}),\mathbf {u}, \mathbf {T}_\mathbf {A}, \sigma ) \rightarrow \mathbf {e}\end{aligned}$$in the previous game. By Eq. (10) and the choice of \(\sigma \), the output distribution of \(\mathsf {SampleRight}\) is \(\mathsf {negl}(n)\)-close to \(D_{\varLambda _q^\mathbf {u}(\mathbf {A}\mid \mathsf {H}(\mathsf {ID}) ),\sigma }\). Similarly, by the choice of \(\sigma \), the output distribution of \(\mathsf {SampleLeft}\) is also \(\mathsf {negl}(n)\)-close to \(D_{\varLambda _q^\mathbf {u}(\mathbf {A}\mid \mathsf {H}(\mathsf {ID}) ),\sigma }\). Therefore, the above change alters the view of the adversary only negligibly. Thus, we have \( | \Pr [X_4] - \Pr [X_5] | = \mathsf {negl}(n). \)
 \(\mathsf {Game}_{6}\): In this game, we change the way the challenge ciphertext is created when \(\mathsf {coin}=0\). If \(\mathsf {coin}=0\), to create the challenge ciphertext for the identity \(\mathsf {ID}^\star \) and the message b, the \(\mathsf {Game}_6\) challenger first picks \(v_0 \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q\), \(\mathbf {v}_1 \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{m}\), \(\mathbf {x}_2 \overset{_{\tiny \text {\$}}}{\leftarrow }[-B', B']^m\) and computes \(\mathbf {R}_{\mathsf {ID}^\star }\). Then, it sets the challenge ciphertext \(C^\star = ( c_0,\mathbf {c}_1 )\) as$$\begin{aligned} \qquad c_0= v_0 + b \cdot \lceil q/2 \rceil , \qquad \mathbf {c}_1^\top = ( \mathbf {v}_1^\top \mid \mathbf {v}_1^\top \mathbf {R}_{\mathsf {ID}^\star }) + ( \mathbf {0}_m^\top \mid \mathbf {x}_2^\top ). \end{aligned}$$As we will show in Lemma 9, assuming \(\mathsf {dLWE}_{n,m+1,q,\chi }\) is hard, we have \( |\Pr [X_5]-\Pr [X_6]|=\mathsf {negl}(n). \)
 \(\mathsf {Game}_{7}\): In this game, we change the challenge ciphertext to be a random vector, regardless of whether \(\mathsf {coin}=0\) or \(\mathsf {coin}=1\). Namely, the \(\mathsf {Game}_7\) challenger generates the challenge ciphertext \((c_0,\mathbf {c}_1)\) as \(c_0 \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q\) and \(\mathbf {c}_1 \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{2m}\). We now proceed to bound \( |\Pr [X_7] - \Pr [X_6]| \). Since \(\mathsf {Game}_6\) and \(\mathsf {Game}_7\) differ only in the creation of the challenge ciphertext when \(\mathsf {coin}= 0\), we focus on this case. First, it is easy to see that \(c_0\) is uniformly random over \(\mathbb {Z}_q\) in both \(\mathsf {Game}_6\) and \(\mathsf {Game}_7\). We also have to show that the distribution of \(\mathbf {c}_1\) is \(\mathsf {negl}(n)\)-close to the uniform distribution over \(\mathbb {Z}_q^{2m}\). To see this, it suffices to show that \(( \mathbf {v}_1^\top \mid \mathbf {v}_1^\top \mathbf {R}_{\mathsf {ID}^\star } )\) is distributed statistically close to the uniform distribution over \(\mathbb {Z}_q^{2m}\). Observe that the following distributions are \(\mathsf {negl}(n)\)-close:$$\begin{aligned} (\mathbf {A}, \mathbf {A}\mathbf {R}_0, \mathbf {v}_1^\top , \mathbf {v}_1^\top \mathbf {R}_0) \approx (\mathbf {A}, \mathbf {A}', \mathbf {v}_1^\top , {\mathbf {v}'_1}^\top ) \approx (\mathbf {A}, \mathbf {A}\mathbf {R}_0, \mathbf {v}_1^\top , {\mathbf {v}'_1}^\top ), \end{aligned}$$(12)where \(\mathbf {A}, \mathbf {A}' \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n\times m}\), \(\mathbf {R}_0 \overset{_{\tiny \text {\$}}}{\leftarrow }\{ -1, 1 \}^{m \times m}\), \(\mathbf {v}_1, \mathbf {v}'_1 \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^m\). It can be seen that the first and the second distributions are \(\mathsf {negl}(n)\)-close by applying Lemma 4 to \(( \mathbf {A}^\top \mid \mathbf {v}_1)^\top \in \mathbb {Z}_q^{(n+1)\times m}\) and \(\mathbf {R}_0\). It can also be seen that the second and the third distributions are \(\mathsf {negl}(n)\)-close by applying the same lemma to \(\mathbf {A}\) and \(\mathbf {R}_0\).
From the above, we have that the following distributions are statistically close:$$\begin{aligned}&(\mathbf {A}, \mathbf {A}\mathbf {R}_0, \mathbf {v}_1, \mathbf {v}_1^\top \mathbf {R}_{\mathsf {ID}^\star })\\= & {} \left( \mathbf {A}, \mathbf {A}\mathbf {R}_0, \mathbf {v}_1, \mathbf {v}_1^\top \left( \mathbf {R}_0 + \sum _{\begin{array}{c} (j_1, \ldots , j_d)\\ \in S(\mathsf {ID}) \end{array}} \mathsf {TrapEval}(\mathbf {R}_{1,j_1},\ldots , \mathbf {R}_{d,j_d}, y_{1,j_1}, \ldots , y_{d,j_d}) \right) \right) \\\approx & {} \left( \mathbf {A}, \mathbf {A}\mathbf {R}_0, \mathbf {v}_1, {\mathbf {v}'_1}^\top + \mathbf {v}_1^\top \left( \sum _{\begin{array}{c} (j_1, \ldots , j_d)\\ \in S(\mathsf {ID}) \end{array}} \mathsf {TrapEval}(\mathbf {R}_{1,j_1},\ldots , \mathbf {R}_{d,j_d}, y_{1,j_1}, \ldots , y_{d,j_d}) \right) \right) \\\approx & {} (\mathbf {A}, \mathbf {A}\mathbf {R}_0, \mathbf {v}_1, {\mathbf {v}'_1}^\top ). \end{aligned}$$The second and the third distributions above are \(\mathsf {negl}(n)\)-close by Eq. (12). Therefore, we may conclude that \( | \Pr [X_6] - \Pr [X_7] | = \mathsf {negl}(n). \)
To complete the proof of Theorem 3, it remains to show Lemmas 8 and 9.
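The partitioning function \(\mathsf {F}_\mathbf {y}\) of \(\mathsf {Game}_1\) and the probability that the abort condition (7) is satisfied, as an added Python example that is not from the paper. The injective map S of Sect. 3.3 is not reproduced on this page, so the example uses a constructed one (bit position k of the identity is mapped to the mixed-radix digits of k in \([1,\ell ]^d\), and \(S(\mathsf {ID})\) collects the tuples of the positions whose bit is 1); the quantity \(dn^{\tilde{c}}\) is treated as a free parameter M. For the toy sizes \(\kappa =4\), \(d=2\), \(\ell =2\), \(M=4\) the code enumerates every \(\mathbf {y}\) and returns the exact probability of (7) as a fraction. The first factor \(1/((\kappa +1)M^d)\) of the Lemma 8 bound comes out exactly: for every choice of the \(y_{i,j}\) exactly one \(y_0\) in its range makes \(\mathsf {F}_\mathbf {y}(\mathsf {ID}^\star )=0\), and the queried identities then only lose the cases where their products collide with those of \(\mathsf {ID}^\star \).

```python
from fractions import Fraction
from itertools import product

def index_map(kappa, ell, d):
    """Constructed injective map: bit position k -> (j_1, ..., j_d) in [1, ell]^d,
    the mixed-radix digits of k. The paper's own map (Sect. 3.3) is not shown here;
    any injective map into [1, ell]^d serves the same purpose."""
    if kappa > ell ** d:
        raise ValueError("need kappa <= ell^d")
    tuples = []
    for k in range(kappa):
        digits, r = [], k
        for _ in range(d):
            digits.append(r % ell + 1)
            r //= ell
        tuples.append(tuple(digits))
    return tuples

def S(ident, tuples):
    """S(ID): tuples of the positions where the identity bit is 1."""
    return [tuples[k] for k, bit in enumerate(ident) if bit == "1"]

def F(y0, y, ident, tuples, d):
    """F_y(ID) = y_0 + sum over (j_1..j_d) in S(ID) of y_{1,j_1} * ... * y_{d,j_d}."""
    total = y0
    for js in S(ident, tuples):
        term = 1
        for i in range(d):
            term *= y[(i + 1, js[i])]
        total += term
    return total

def condition_7(y0, y, id_star, queries, tuples, d):
    """F_y(ID*) = 0 and F_y(ID_k) != 0 for every queried ID_k."""
    return F(y0, y, id_star, tuples, d) == 0 and all(
        F(y0, y, q, tuples, d) != 0 for q in queries)

def exact_success_probability(kappa, d, ell, M, id_star, queries):
    """Pr over y of condition (7), by exhaustive enumeration. M stands for d*n^c~
    (the upper end of the y_{i,j} range); y_0 is uniform in [-(kappa+1) M^d + 1, 0]."""
    tuples = index_map(kappa, ell, d)
    keys = [(i, j) for i in range(1, d + 1) for j in range(1, ell + 1)]
    y0_lo = -(kappa + 1) * M ** d + 1
    hits = total = 0
    for vals in product(range(1, M + 1), repeat=len(keys)):
        y = dict(zip(keys, vals))
        for y0 in range(y0_lo, 1):
            total += 1
            hits += condition_7(y0, y, id_star, queries, tuples, d)
    return Fraction(hits, total)

def lemma8_first_factor(kappa, d, M):
    """1/((kappa+1) M^d): exactly Pr[F_y(ID*) = 0], because the sum of products lies in
    [0, kappa M^d] and so for each choice of the y_{i,j} exactly one y_0 cancels it."""
    return Fraction(1, (kappa + 1) * M ** d)
```

With \(\mathsf {ID}^\star = 1100\) and the single query 0000, the two values differ by \(y_{2,1}(y_{1,1}+y_{1,2})\), which is never zero, so the probability of (7) is exactly 1/80, the first factor alone; with the query 0011 the difference factors as \((y_{2,1}-y_{2,2})(y_{1,1}+y_{1,2})\), which vanishes with probability 1/4, and the probability of (7) drops to 3/320. The Q/n^c̃ loss in Lemma 8 is the general form of this per-query collision probability.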
Lemma 8
Proof
Claim
Proof
Lemma 9
Proof
Suppose there is an adversary \(\mathcal {A}\) that has non-negligible advantage in distinguishing \(\mathsf {Game}_5\) and \(\mathsf {Game}_6\). We use \(\mathcal {A}\) to construct an LWE algorithm denoted \(\mathcal {B}\), which proceeds as follows.
Instance. \(\mathcal {B}\) is given the LWE problem instance \((\mathbf {A}', \mathbf {v}' ) \in \mathbb {Z}_q^{n\times (m+1)} \times \mathbb {Z}_q^{m+1}\). Let the first column of \(\mathbf {A}'\) be \(\mathbf {u}\in \mathbb {Z}_q^n\) and the last m columns be \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\). It also sets the first coefficient of \(\mathbf {v}'\) to be \(v_0\) and the last m coefficients to be \(\mathbf {v}_1\).
Setup. To construct the master public key \(\mathsf {mpk}\), \(\mathcal {B}\) first picks \(\mathbf {y}\) as in \(\mathsf {Game}_1\). It also picks \(\mathbf {R}_0, \mathbf {R}_{i,j} \overset{_{\tiny \text {\$}}}{\leftarrow }\{ -1, 1\}^{m\times m}\) and sets \(\mathbf {B}_0\) and \(\mathbf {B}_{i,j}\) as in Eq. (8). Finally, it returns \(\mathsf {mpk}= (\mathbf {A}, \mathbf {B}_0, \{ \mathbf {B}_{i,j} \}_{(i,j)\in [d, \ell ] }, \mathbf {u})\) to \(\mathcal {A}\). \(\mathcal {B}\) also picks a random bit \(\mathsf {coin}\overset{_{\tiny \text {\$}}}{\leftarrow }\{ 0,1\}\) and keeps it secret.
Phases 1 and 2. When \(\mathcal {A}\) makes a key extraction query for \(\mathsf {ID}\), \(\mathcal {B}\) first computes \(\mathsf {F}_\mathbf {y}(\mathsf {ID})\). It aborts and sets \(\mathsf {coin}'\overset{_{\tiny \text {\$}}}{\leftarrow }\{ 0,1\}\) if \(\mathsf {F}_\mathbf {y}(\mathsf {ID})=0\). Otherwise, \(\mathcal {B}\) generates the private key as in \(\mathsf {Game}_5\).
Guess. At last, \(\mathcal {A}\) outputs its guess \(\widehat{\mathsf {coin}}\) (if the abort condition has not been satisfied). Then, \(\mathcal {B}\) sets \(\mathsf {coin}' = \widehat{\mathsf {coin}}\). Finally, \(\mathcal {B}\) outputs 1 if \(\mathsf {coin}' = \mathsf {coin}\) and 0 otherwise.
Analysis. We now show that \(\mathcal {B}\) perfectly simulates the view of \(\mathcal {A}\) in \(\mathsf {Game}_5\) if \((\mathbf {A}', \mathbf {v}')\) is a valid LWE sample (i.e., \({\mathbf {v}'}^\top = \mathbf {s}^\top \mathbf {A}' + \mathbf {x}^\top \) for \(\mathbf {s}\overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{n}\) and \(\mathbf {x}\overset{_{\tiny \text {\$}}}{\leftarrow }\chi ^{m+1}\)), and \(\mathsf {Game}_6\) if \(\mathbf {v}' \overset{_{\tiny \text {\$}}}{\leftarrow }\mathbb {Z}_q^{m+1}\). Note that these games differ only in the generation of the challenge ciphertext in the case of \(\mathsf {coin}= 0\). Furthermore, it is easy to see that the simulation of the master public key, Phases 1 and 2, and the challenge ciphertext for the case of \(\mathsf {coin}= 1\) are perfect. Therefore, in the following, we focus on the generation of the challenge ciphertext in the case of \(\mathsf {coin}= 0\).
Therefore, we have \( \mathsf {Adv}^{\mathsf {dLWE}_{n,m+1,q,\chi }}_{\mathcal {B}} = | \Pr [ X_5 ] - \Pr [ X_6 ] | \) as desired.
5.5 Multi-bit Encryption
Here, we explain that our scheme can be extended to deal with multi-bit messages without significantly increasing the sizes of the public parameters and ciphertexts, similarly to [1, 39]. To modify the scheme so that it can encrypt N-bit messages, we replace \(\mathbf {u}\in \mathbb {Z}_q^n\) in \(\mathsf {mpk}\) with \(\mathbf {u}_1,\ldots , \mathbf {u}_N \in \mathbb {Z}_q^n\). The component \(c_0 = \langle \mathbf {u}, \mathbf {s}\rangle + x_{0} + b \lceil \frac{q}{2}\rceil \) in the ciphertext is replaced with \(\mathbf {c}_0 = \{ \langle \mathbf {u}_i, \mathbf {s}\rangle + x_{0,i} + b_i \lceil \frac{q}{2}\rceil \}^N_{i=1} \), where \(x_{0,i} \overset{_{\tiny \text {\$}}}{\leftarrow }\chi \) and \(b_i \in \{ 0,1\}\) is the i-th bit of the message. Furthermore, the private key is changed to be short vectors \(\mathbf {e}_1,\ldots , \mathbf {e}_{N} \in \mathbb {Z}^m\) such that \(( \mathbf {A} \mid \mathsf {H}(\mathsf {ID}) ) \mathbf {e}_i = \mathbf {u}_i\) for \(i=1,\ldots , N\). We can prove the security of the variant from \(\mathsf {dLWE}_{n,m+N,q,\chi }\) by naturally extending the proof of Theorem 3.
As for the efficiency, the sizes of the master public key and the ciphertexts become \(O( ( \ell m + N ) n \log q )\) and \(O( ( m + N)\log q )\) respectively, which are asymptotically the same as in the single-bit case when \( N < O(m) \). The case \(N > O(m) \) can also be handled without increasing the size of the parameters by employing the KEM-DEM approach. Namely, we encrypt a random ephemeral key of sufficient length (e.g., O(n)) by IBE and then encrypt the message under the ephemeral key using a symmetric cipher.
6 Comparisons and Discussions
 By setting \(c = \omega (1)\), we obtain adaptively anonymous IBE by Theorem 1. However, we have to rely on a super-polynomial LWE assumption, namely, \(\mathsf {dLWE}_{n,m,q,\chi }\) with \(q/\chi _{\max } = n^{\omega (1)}\).
 By applying the PIBE-to-IBE conversion in Sect. 4.2 to our PIBE in Sect. 5, we obtain (non-anonymous) adaptively secure IBE from polynomial LWE. More precisely, the security of the scheme can be proven under the assumption that \(\mathsf {dLWE}_{n,m,q,\chi }\) is hard for all \(q/\chi _{\max } = \mathsf {poly}(n)\).
Comparison of IBE from the LWE assumption in the standard model.
Schemes | \(\lvert \mathsf {mpk}\rvert \) | \(\lvert C\rvert \) | \(\lvert \mathsf {sk}_\mathsf {ID}\rvert \) | Anon? | Selective or adaptive | \(q/\chi _{\max }\) for LWE assumption
[1] | \(\tilde{O}(n^2)\) | \(\tilde{O}(n)\) | \(\tilde{O}(n)\) | Yes | Selective | Fixed \(\mathsf {poly}(n)\)
[16] | \(\tilde{O}(n^2 \kappa )\) | \(\tilde{O}(n\kappa )\) | \(\tilde{O}(n^2)\) | Yes | Adaptive | Fixed \(\mathsf {poly}(n)\)
 | \(\tilde{O}(n^2 \kappa )\) | \(\tilde{O}(n)\) | \(\tilde{O}(n)\) | Yes | Adaptive | Fixed \(\mathsf {poly}(n)\)
Ours (Sect. 5 with \(c=\omega (1)\)) | \(\tilde{O}(n^2 \kappa ^{1/d})\) | \(\tilde{O}(n)\) | \(\tilde{O}(n)\) | Yes | Adaptive | \(n^{\omega (1)}\)
Ours (Sect. 5 with the conversion of Sect. 4.2) | \(\tilde{O}(n^2 \kappa ^{1/d})\) | \(\tilde{O}(n)\) | \(\tilde{O}(n)\) | No | Adaptive | All \(\mathsf {poly}(n)\)
In the table, we compare IBE schemes from the LWE assumption in the standard model. \(\lvert \mathsf {mpk}\rvert \), \(\lvert C\rvert \), and \(\lvert \mathsf {sk}_\mathsf {ID}\rvert \) denote the sizes of the master public key, the ciphertexts, and the private keys, respectively. \(\kappa \) denotes the length of the identity (which corresponds to the output length of the collision resistant hash if we first hash the bit string representing the identity in the scheme). \(d\in \mathbb {N}\) is a flexible constant, which can be set to any value. “Anon?” shows whether the scheme is anonymous. “Selective or adaptive” shows whether the scheme is selectively secure or adaptively secure. “\(q/\chi _{\max }\) for LWE assumption” refers to the ratio of the modulus to the error size of the underlying LWE assumption used in the security reduction. “Fixed \(\mathsf {poly}(n)\)” means that the corresponding scheme is proven secure under the LWE assumption with \(q/\chi _{\max }\) being some fixed polynomial (e.g., \(n^3\)). “All \(\mathsf {poly}(n)\)” means that we have to assume the LWE assumption for all polynomial \(q/\chi _{\max }\).
Footnotes
 1.
Note that we are abusing the notation here. \(\mathbf {G}^{-1}\) is not an inverse matrix of \(\mathbf {G}\), but a function.
 2.
For the sake of simplicity, we present a scheme that is a special case of our scheme in Sect. 5. More generally, we can further reduce the number of basic matrices from \(O( \sqrt{\kappa })\) to be \(O( \kappa ^{1/d})\) for any constant \(d \in \mathbb {N}\).
Acknowledgement
The author would like to thank all members of the study group “Shin-Akarui-Angou-Benkyou-Kai” for fruitful discussion. In particular, the author thanks Shuichi Katsumata for his comments on improving the presentation, and Goichiro Hanaoka and Jacob C.N. Schuldt for their helpful advice in the rebuttal phase. The author also thanks the anonymous reviewers of Eurocrypt 2016 for their insightful comments.