¹¹institutetext: Department of Mathematics and Physics, University of Information Technology,
Vietnam National University, Ho Chi Minh city, Vietnam
¹¹email: vannna@uit.edu.vn ²²institutetext: Institute of Cybersecurity and Cryptology
School of Computing and Information Technology, University of Wollongong
Northfields Avenue, Wollongong NSW 2522, Australia
²²email: pm.thuytruc@gmail.com

Anonymous communication system provides a secure environment without leaking metadata, which has many application scenarios in IoT

Ngoc Ai Van Nguyen 11 Minh Thuy Truc Pham 22

Abstract

Anonymous Identity Based Encryption (AIBET) scheme allows a tracer to use the tracing key to reveal the recipient’s identity from the ciphertext while keeping other data anonymous. This special feature makes AIBET a promising solution to distributed IoT data security. In this paper, we construct an efficient quantum-safe Hierarchical Identity-Based cryptosystem with Traceable Identities (AHIBET) with fully anonymous ciphertexts. We prove the security of the AHIBET scheme under the Learning with Errors (LWE) problem in the standard model.

1 Introduction

Internet of Things (IoT) has emerged as a set of interconnected technologies like Wireless Sensors Networks (WSN) and Radio Frequency Identification (RFID), that provide identification, computation, and mutual information exchange among the connected devices all over the world. The key idea of the IoT is to obtain information about our environment to understand and control and act on it [DMR16].

Identity-Based Encryption (IBE) is a type of public-key encryption where the public key is an arbitrary string that uniquely defined the user (for example an email address or a telephone number). The Private-key Generator (PKG) who has knowledge of a master secret key generates the private key for the corresponding identities. This concept was first introduced by Shamir [Sha84] and then in 2001, Boneh and Franklin [BF01] proposed the first practical IBE scheme based on bilinear map. The idea of Hierarchical Identity-Based Encryption (HIBE), which is an extension of IBE where each level can issue private keys for identites of the next level, was first proposed in the work of Gentry and Silverberg [GS02]. Since then, there have been many efficient constructions of HIBE, ranging from classical setting [BB04, BBG05, Wat05] to post-quantum setting [ABB10a, CHKP10, SRB14] just to name a few.

The concept of “Anonymous” IBE offers an additional privacy guarantee to standard IBE schemes where the ciphertexts do not leak the identity of the recipients. AIBE is a promising solution to anonymous communications and it can be applied to many realistic scenarios that provide privacy-preserving and security under cloud environment. It can also bring a secure environment without leaking metadata which has many application scenarios in the aforementioned distributed IoT system [JLL⁺18]. However, the first AIBE construction of Boneh and Frankl in [BF01] is just anonymous in the random oracle model and it was a challenging problem to achieve anonymous IBE in the standard model until [BW06b]. In [BW06a], Boyen and Waters proposed the first secure anonymous HIBE scheme without random oracles. More recently, the HIBE constructions in the post-quantum setting [ABB10a, SRB14] are proven to be anonymous secure in the standard model in the mean of a ciphertext encrypted for a target identity is indistinguishable from a random element in the ciphertext space which helps hide this identity from any malicious attacker.

Although this strong unconditional privacy seems very attractive from the user’s point of view, it can potentially be a dangerous tool against public safety if there is no way to revoke such privacy when illegal behavior is detected. For example, in the case where the email filtering system has to filter out all encrypted email from members are suspected of illegal activity, standard anonymous IBE and HIBE prevent the system reveal the recipients of those ciphertexts. Traceability can provide a solution to this problem in which an additional traceability function can detect specific identities in ciphertexts and all the others remain anonymous.

In 2019, Blazy et al. [BBP19] first considered the traceability for identity-based encryption and constructed an Anonymous Identity Based Encryption (AIBET) scheme in the standard model but under the matrix Diffie Hellman (MDDH) assumption. Two security notions are formally defined in [4] are anonymity and ciphertext indistinguishability. Anonymity requires that someone without an associated user secret key or tracing key should not be able to guess the targeted identity. The notion of indistinguishability requires that no one can distinguish between a valid ciphertext and a random string from the ciphertext space even having access to the tracing key of the target identity. Recent, in [LTT⁺21], Liu et al. proposed a lattice-based construction for AIBET which is based on the anonymous IBE by Katsumata and Yamada [KY16]. However, they do not address the notion of indistinguishability which is the main difference between an AIBET and a standard anonymous IBE. Note that the role of the tracer and the Private-key Generator PKG are distinguishable where the tracer has less power than the PKG. For example, it could be a gateway that checks whether an email for a suspected illegal user is passed. Even if the tracers are corrupted, the privacy and the confidentiality of the system will still remain intact.

Our contribution: We propose a concrete construction of an Anonymous Lattice Hierarchical Identity-Based Encryption with Traceable Identities (AHIBET) scheme which is secure in the standard model based on the hardness assumption of lattices. In particular, our AHIBET construction is anonymous across all the levels of hierarchy, i.e., ciphertexts conceal recipients’ identities from everyone which does not know the corresponding keys for decryption or tracing. Traceability cannot be extended down the hierarchy, i.e., knowing the tracing key for identity $\mathsf{id}$ doesn’t imply knowing tracing key for any of its descendants. Besides, our construction is ciphertext indistinguishable, i.e., even having the tracing key for identity $\mathsf{id}$ , one cannot distinguish the ciphertexts of message $\mathbf{m}$ from the one of random messages for identity $\mathsf{id}$ .

An instance of our AHIBET yields a lattice-based construction of AIBET that can be easily converted to a construction over ideal lattices using the techniques in [BFRS18], which outperforms the AIBET by Liu et al. [LTT⁺21]¹¹1In fact, the public parameter in Liu et al. [LTT⁺21] will be a factor of $dl$ greater than ours where $d$ is some fixed constant (e.g., d=2 or 3) and $l=\lceil n^{1/d}\rceil$ for $n$ the security parameter..

Technical Overview:
The first main idea is that an AHIBET system must be controlled by three levels of trapdoors:

•

The master secret key $\mathsf{MPK}$ can be used to generate secret key $\mathsf{SK}_{\mathsf{id}}$ and tracing key $\mathsf{Tsk}_{\mathsf{id}}$ for each identity $\mathsf{id}$ of any level.
•

The secret keys $\mathsf{SK}_{\mathsf{id}}$ enable recipients to decrypt the corresponding ciphertexts. Each secret key $\mathsf{SK}_{\mathsf{id}}$ can be used to generate the secret keys for identities of the next level and thus control all descendants of $\mathsf{id}$ .
•

The tracing keys $\mathsf{Tsk}_{\mathsf{id}}$ enable tracers to detect only the ciphertexts sent to identities $\mathsf{id}$ without leaking information of the messages.

To achieve the identity traceability property, we attach each ciphertext a random tag and its encapsulation whereas tracing keys are the trapdoors for decapsulation.

We exploit the power of lattice trapdoors in [MP12, CHKP10] combining with the HIBE construction by Agrawal et al. [ABB10a] to achieve our AHIBET.

In [ABB10a], each identity $\mathsf{id}$ is assigned a matrix $\mathbf{F}_{\mathsf{id}}$ and message $\mathbf{m}$ is encrypted following the dual-Regev scheme:

\mathbf{c}^{T}=\mathbf{s}^{T}\mathbf{F}_{\mathsf{id}}+\mathbf{e}^{T},\ \ \ \mathbf{c}^{\prime T}=\mathbf{s}^{T}\mathbf{U}+\mathbf{e}^{\prime T}+\mathbf{m}^{T}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor.

In our scheme, we use one dual-Regev part to encrypt the message and another one to encapsulate the random tag to allow the ciphertext to reveal the recipients’ identity from the tracing key holder.

In [MP12], the authors introduced a so-called $\mathbf{G}$ -trapdoor where $\mathbf{G}$ is a gadget matrix in $\mathbb{Z}_{q}^{n\times\omega}$ . A $\mathbf{G}$ -trapdoor for matrix $\mathbf{F}$ is a matrix $\mathbf{R}\in\mathbb{Z}^{(m-\omega)\times\omega}$ such that $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\mathbf{G}]$ for some invertible matrix $\mathbf{H}\in\mathbb{Z}^{n\times n}_{q}$ where $\mathbf{A}\in\mathbb{Z}^{n\times(m-\omega)}_{q}$ . The authors called it “strong trapdoor” since a good basis $\mathbf{T}_{\mathbf{F}}\in\mathbb{Z}^{m\times m}$ for $\Lambda_{q}^{\perp}(\mathbf{F})$ can be obtained from the knowledge of the matrix $\mathbf{R}$ but the reverse is hard. Moreover, with either $\mathbf{R}$ or $\mathbf{T}_{\mathbf{F}}$ , one can easily generate a low norm matrix $\mathbf{D}_{\mathbf{F}}\in\mathbb{Z}^{n\times t}_{q}$ satisfying $\mathbf{F}.\mathbf{D}_{\mathbf{F}}=\mathbf{U}$ with respect to a given random matrix $\mathbf{U}\in\mathbb{Z}_{q}^{n\times t}$ using the sampling algorithms from [ABB10a] and [MP12]. Since $\mathbf{D}_{\mathbf{F}}$ is a kind of weaker trapdoor than $\mathbf{T}_{\mathbf{F}}$ , we can use such matrices $\mathbf{R}$ , $\mathbf{T}_{\mathbf{F}}$ and $\mathbf{D}_{\mathbf{F}}$ as the three levels of trapdoors $\mathsf{MSK}$ , $\mathsf{SK}_{\mathsf{id}}$ , $\mathsf{Tsk}_{\mathsf{id}}$ respectively for a traceable identity-based encryption where the matrix $\mathbf{F}$ is associated to an identity $\mathsf{id}=(\mathsf{id}_{1},\ldots,\mathsf{id}_{\ell})$ , namely, $\mathbf{F}=\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}_{1})\mathbf{G}|\ldots|\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}_{\ell})\mathbf{G}]$ for the public matrices $\mathbf{A},\mathbf{A}_{1},\ldots,\mathbf{A}_{\ell}$ and the full-rank difference encoding function $\mathsf{FRD}$ . However, such trapdoors do not guarantee the anonymity and even the secrecy of messages across the hierarchy of identities. For example, knowing $\mathbf{D}_{\mathbf{F}_{\mathsf{id}_{1}}}$ and $\mathbf{D}_{\mathbf{F}_{[\mathsf{id}_{1}|\mathsf{id}_{2}]}}$ , one can easily find a low norm matrix $\mathbf{T}$ of the same size as $\mathbf{D}_{\mathbf{F}_{\mathsf{id}_{1}|\mathsf{id}_{2}}}$ such that $\mathbf{F}_{[\mathsf{id}_{1}|\mathsf{id}_{2}]}\mathbf{T}=\mathbf{0}$ , which reveals information of the messages. Therefore, we use a collision resistance hash function $\mathsf{H}$ to construct a matrix $\mathbf{F}^{\prime}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}(\mathsf{id}))\mathbf{G}]$ and use the sampling algorithms to generate the tracing key $\mathbf{D}_{\mathbf{F}^{\prime}_{\mathsf{id}}}$ of the identity $\mathsf{id}$ such that $\mathbf{F}^{\prime}_{\mathsf{id}}\mathbf{D}_{\mathbf{F}^{\prime}_{\mathsf{id}}}=\mathbf{U}$ . Such tracing keys are determined uniquely by the identities and independent of the secret keys, which ensures the anonymity and secrecy of the messages.

2 Preliminaries

2.1 Anonymous Lattice Hierarchical Identity-Based Encryption with Traceable Identities (AHIBET)

In this section, we describe the model of Anonymous Lattice Hierarchical Identity-Based Encryption with Traceable Identities (AHIBET) based on the Anonymous Lattice Identity-Based Encryption with Traceable Identities (AIBET) from [BBP19] and its security model.

Definition 1 (AHIBET).

An AHIBET scheme consists of the following seven algorithms:

•

$\mathsf{Setup}(\lambda,d)$ takes as input the security parameter $\lambda$ and the maximal hierarchy depth $d$ of the scheme and outputs the master public key $\mathsf{MPK}$ and the master secret key $\mathsf{MSK}$ .
•

$\mathsf{Extract}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$ uses the master public key $\mathsf{MPK}$ and the master secret key $\mathsf{MSK}$ to generate the secret key $\mathsf{SK}_{\mathsf{id}}$ for an identity $\mathsf{id}$ at depth $1$ .
•

$\mathsf{Derive}(\mathsf{MPK},\mathsf{SK}_{\mathsf{id}}),(\mathsf{id}|\mathsf{id}_{\ell})$ takes as input the master public key $\mathsf{MPK}$ and a secret key $\mathsf{SK}_{\mathsf{id}}$ corresponding to an identity $\mathsf{id}$ at depth $\ell-1$ , outputs the secret key $\mathsf{SK}_{\mathsf{id}|\mathsf{id}_{\ell}}$ for the identity $(\mathsf{id}|\mathsf{id}_{\ell})$ at depth $\ell$ .
•

$\mathsf{TskGen}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$ uses the master public key $\mathsf{MPK}$ and the master secret key $\mathsf{MSK}$ to generate the tracing key $\mathsf{Tsk}_{\mathsf{id}}$ for a given identity $\mathsf{id}$ .
•

$\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id},\mathbf{m})$ takes as input the master public key $\mathsf{MPK}$ , a given identity $\mathsf{id}$ and a message $\mathbf{m}$ , outputs the ciphertext $\mathsf{CT}$ .
•

$\mathsf{Decrypt}(\mathsf{MPK},\mathsf{CT},\mathsf{SK}_{\mathsf{id}})$ takes as input the master public key $\mathsf{MPK}$ , a ciphertext $\mathsf{CT}$ and a secret key $\mathsf{SK}_{\mathsf{id}}$ . The algorithm outputs the message $\mathbf{m}$ if $\mathsf{CT}$ is encrypted for $\mathsf{id}$ ; otherwise, it outputs the rejection symbol $\perp$ .
•

$\mathsf{TkVer}(\mathsf{MPK},\mathsf{id},\mathsf{Tsk}_{\mathsf{id}},\mathsf{CT})$ takes as input the master public key $\mathsf{MPK}$ , an identity $\mathsf{id}$ and a ciphertext $\mathsf{CT}$ , uses the tracing key $\mathsf{Tsk}_{\mathsf{id}}$ to check whether a ciphertext $\mathsf{CT}$ is encrypted for $\mathsf{id}$ . $\mathsf{TkVer}$ outputs $1$ if $\mathsf{CT}$ is for the user with identity $\mathsf{id}$ ; otherwise, it outputs $0$ .

Correctness and soundness.
The correctness of AHIBET scheme requires that if for all key pairs $(\mathsf{MPK},\mathsf{MSK})$ output by $\mathsf{Setup}$ , all $1\leq\ell\leq d$ , all identities $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell})$ where $\mathsf{id}_{i}\in\mathbb{Z}^{n}_{q}\setminus\{\mathbf{0}\}$ and all messages $\mathbf{m}\in\{0,1\}^{\lambda}$ , it holds that

\Pr\left[{\begin{gathered}\mathsf{Decrypt}(\mathsf{MPK},\mathsf{SK}_{\mathsf{id}},\mathsf{CT})=\mathbf{m}\end{gathered}\left|\begin{gathered}(\mathsf{MPK},\mathsf{MSK})\leftarrow\mathsf{Setup}(\lambda,d)\\ \mathsf{SK}_{\mathsf{id}}\leftarrow\mathsf{Derive}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})\\ \mathsf{CT}\leftarrow\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id},\mathbf{m})\\ 1\leftarrow\mathsf{TkVer}(\mathsf{MPK},\mathsf{id},\mathsf{Tsk}_{\mathsf{id}},\mathsf{CT})\end{gathered}\right.}\right]=1

and the soundness of AHIBET requires

\Pr\left[{\begin{gathered}\mathsf{Decrypt}(\mathsf{MPK},\mathsf{SK}_{\mathsf{id}},\mathsf{CT})=\perp\end{gathered}\left|\begin{gathered}(\mathsf{MPK},\mathsf{MSK})\leftarrow\mathsf{Setup}(\lambda,d)\\ \mathsf{SK}_{\mathsf{id}}\leftarrow\mathsf{Derive}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})\\ \mathsf{CT}\leftarrow\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id},\mathbf{m})\\ 0\leftarrow\mathsf{TkVer}(\mathsf{MPK},\mathsf{id},\mathsf{Tsk}_{\mathsf{id}},\mathsf{CT})\end{gathered}\right.}\right]=1

Security models of AHIBET. For the security models, we give the definition of anonymity and ciphertext indistinguishability for the AHIBET scheme.

•
Anonymity is the property that the adversary can not distinguish the encryption of a chosen message for a first chosen identity from the encryption on the same message for a second chosen identity. Similarly, the adversary can not decide whether a ciphertext it received from the challenger was encrypted for a chosen challenge identity, or for a random identity in the identity space. The anonymity game, denoted ANON-sID-CPA, is played between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ , provided that the adversary $\mathcal{A}$ does not have the corresponding tracing key of the challenge identity, is defined through the following game:
- –
  
  Init: The adversary $\mathcal{A}$ is given the maximum depth of the hierarchy $d$ and then $\mathcal{A}$ decides a target pattern $\mathsf{id}^{*}=(\mathsf{id}_{1}^{*},\dots,\mathsf{id}_{\ell}^{*})$ , $\ell\leq d$ .
- –
  
  Setup: At the beginning of the game, the challenger $\mathcal{C}$ runs $\mathsf{Setup}(\lambda,d)$ to obtain $(\mathsf{MPK},\mathsf{MSK})$ and gives the resulting master public key $\mathsf{MPK}$ to the adversary $\mathcal{A}$ .
- –
  Phase 1: $\mathcal{A}$ may adaptively make queries polynomial many times to the key derivation oracle $\mathcal{O}_{\mathsf{Derive}}$ and the tracing key oracle $\mathcal{O}_{\mathsf{TskGen}}$ where:
  - *
    
    Oracle $\mathcal{O}_{\mathsf{Derive}}(\mathsf{id})$ takes input an identity $\mathsf{id}$ different from $\mathsf{id}^{\ast}$ and its prefixes, returns the output of $\mathsf{Derive}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$ .
  - *
    
    Oracle $\mathcal{O}_{\mathsf{TskGen}}(\mathsf{id})$ takes input an identity $\mathsf{id}$ different from $\mathsf{id}^{\ast}$ , returns the output of $\mathsf{TskGen}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$ .
- –
  
  Challenge: The adversary $\mathcal{A}$ chooses a message $\mathbf{m}\in\{0,1\}^{\lambda}$ and gives it to the challenger $\mathcal{C}$ . $\mathcal{C}$ then selects a random bit $b\in\{0,1\}$ and a random identity $\mathsf{id}^{\prime}$ in the identity space which has the same depth with the challenge identity $\mathsf{id}^{\ast}$ . If $b=0$ , $\mathcal{C}$ runs $\mathsf{CT}_{0}^{\ast}\leftarrow\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id}^{\ast},\mathbf{m})$ ; otherwise, it runs $\mathsf{CT}_{1}^{\ast}\leftarrow\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id}^{\prime},\mathbf{m})$ . Finally, $\mathcal{C}$ passes $(\mathsf{MPK},\mathsf{CT}_{b}^{*})$ through to the adversary $\mathcal{A}$ .
- –
  
  Phase 2: $\mathcal{A}$ continues to issue additional key derivation and tracing key queries and $\mathcal{C}$ responds as in Phase 1.
- –
  
  Guess: $\mathcal{A}$ outputs its guess $b^{\prime}\in\{0,1\}$ and wins if $b^{\prime}=b$ .
The advantage of $\mathcal{A}$ is defined as

$\mathsf{Adv}_{\mathcal{A},\text{AHIBET}}^{\textsf{ANON-sID-CPA}}:=\left|\mathrm{Pr}[b=b^{\prime}]-\frac{1}{2}\right|.$
•
In the ciphertext indistinguishability game, we use a privacy property called indistinguishable from random which means that the challenge ciphertext encrypted for a given message $\mathbf{m}^{\ast}$ is computationally indistinguishable from a the challenge ciphertext encrypted for a random message $\mathbf{m}$ on the same challenge identity $\mathsf{id}^{\ast}$ , even the adversary $\mathcal{A}$ has the corresponding tracing key $\mathsf{Tsk}_{\mathsf{id}^{\ast}}$ of $\mathsf{id}^{\ast}$ . The IND-sID-CPA security model is defined through the following game, played between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ :
- –
  
  Init: The adversary $\mathcal{A}$ is given the maximum depth of the hierarchy $d$ and then $\mathcal{A}$ decides a target pattern $\mathsf{id}^{*}=(\mathsf{id}_{1}^{*},\dots,\mathsf{id}_{l}^{*})$ , $\ell\leq d$ .
- –
  
  Setup: At the beginning of the game, the challenger $\mathcal{C}$ runs $\mathsf{Setup}(\lambda,d)$ to obtain $(\mathsf{MPK},\mathsf{MSK})$ and gives the resulting master public key $\mathsf{MPK}$ to the adversary $\mathcal{A}$ .
- –
  Phase 1: $\mathcal{A}$ may adaptively make queries polynomial many times to the key derivation oracle $\mathcal{O}_{\mathsf{Derive}}$ and the tracing key oracle $\mathcal{O}_{\mathsf{TskGen}}$ where:
  - *
    
    Oracle $\mathcal{O}_{\mathsf{Derive}}(\mathsf{id})$ takes input an identity $\mathsf{id}$ different from $\mathsf{id}^{\ast}$ and its prefixes, returns the output of $\mathsf{Derive}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$ .
  - *
    
    Oracle $\mathcal{O}_{\mathsf{TskGen}}(\mathsf{id})$ takes input an identity $\mathsf{id}$ different from $\mathsf{id}^{\ast}$ , returns the output of $\mathsf{TskGen}(\mathsf{MPK},\mathsf{MSK},\mathsf{id})$ .
- –
  
  Challenge: The adversary $\mathcal{A}$ chooses a message $\mathbf{m}^{\ast}\in\{0,1\}^{\lambda}$ and gives it to the challenger $\mathcal{C}$ . $\mathcal{C}$ sets $\mathbf{m}_{0}=\mathbf{m}^{\ast}$ and chooses a random message $\mathbf{m}_{1}$ in the message space. $\mathcal{C}$ then selects a random bit $b\in\{0,1\}$ . If $b=0$ , $\mathcal{C}$ runs $\mathsf{CT}_{0}^{\ast}\leftarrow\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id}^{\ast},\mathbf{m}_{0})$ ; otherwise, it runs $\mathsf{CT}_{1}^{\ast}\leftarrow\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id}^{\ast},\mathbf{m}_{1})$ . Finally, $\mathcal{C}$ passes $(\mathsf{MPK},\mathsf{CT}_{b}^{*})$ through to the adversary $\mathcal{A}$ .
- –
  
  Phase 2: $\mathcal{A}$ continues to issue additional key derivation and tracing key queries and $\mathcal{C}$ responds as in Phase 1.
- –
  
  Guess: $\mathcal{A}$ outputs its guess $b^{\prime}\in\{0,1\}$ and wins if $b^{\prime}=b$ .
The advantage of $\mathcal{A}$ is defined as

$\mathsf{Adv}_{\mathcal{A},\text{AHIBET}}^{\textsf{IND-sID-CPA}}:=\left|\mathrm{Pr}[b=b^{\prime}]-\frac{1}{2}\right|.$

2.2 Lattices

A lattice $\Lambda$ in $\mathbb{Z}^{m}$ is a set of all integer linear combinations of (linearly independent) basis vectors $\mathbf{B}=\{\mathbf{b}_{1},\cdots,\mathbf{b}_{n}\}\in\mathbb{Z}^{m}$ , i.e.,

\Lambda:=\left\{\sum_{i=1}^{n}\mathbf{b}_{i}x_{i}|x_{i}\in\mathbb{Z}\leavevmode\nobreak\ \forall i=1,\cdots,n\right\}\subseteq\mathbb{Z}^{m}.

We call $n$ the rank of $\Lambda$ and if $n=m$ we say that $\Lambda$ is a full rank lattice. In this paper, we mainly consider full rank lattices containing $q\mathbb{Z}^{m}$ , called $q$ -ary lattices,

	$\displaystyle\Lambda_{q}(\mathbf{A})$	$\displaystyle:=\left\{\mathbf{e}\in\mathbb{Z}^{m}\leavevmode\nobreak\ \rm{s.t.}\leavevmode\nobreak\ \exists\mathbf{s}\in\mathbb{Z}_{q}^{n}\leavevmode\nobreak\ \rm{where}\leavevmode\nobreak\ \mathbf{A}^{T}\mathbf{s}=\mathbf{e}\mod q\right\}$
	$\displaystyle\Lambda^{\perp}_{q}(\mathbf{A})$	$\displaystyle:=\left\{\mathbf{e}\in\mathbb{Z}^{m}\leavevmode\nobreak\ \rm{s.t.}\leavevmode\nobreak\ A\mathbf{e}=\mathbf{0}\mod q\right\}$

and translations of lattice $\Lambda^{\perp}_{q}(\mathbf{A})$ defined as follows

\Lambda_{q}^{\mathbf{u}}(\mathbf{A}):=\left\{\mathbf{e}\in\mathbb{Z}^{m}\leavevmode\nobreak\ \rm{s.t.}\leavevmode\nobreak\ A\mathbf{e}=\mathbf{u}\mod q\right\}

for given matrices $\mathbf{A}\in\mathbb{Z}^{n\times m}$ and $\mathbf{u}\in\mathbb{Z}_{q}^{n}$ .

Let $\mathbf{S}=\{\mathbf{s}_{1},\cdots,\mathbf{s}_{k}\}$ be a set of vectors in $\mathbb{R}^{m}$ . We denote by $\|\mathbf{S}\|:=\max_{1\leq i\leq k}\|\mathbf{s}_{i}\|$ the maximum $\ell_{2}$ length of the vectors in $\mathbf{S}$ . We also denote $\tilde{\mathbf{S}}:=\{\tilde{\mathbf{s}}_{1},\cdots,\tilde{\mathbf{s}}_{k}\}$ the Gram-Schmidt orthogonalization of the vectors $\mathbf{s}_{1},\cdots,\mathbf{s}_{k}$ in that order. We refer to $\|\tilde{\mathbf{S}}\|$ the Gram-Schmidt norm of $\mathbf{S}$ .

Note that for any matrix $\mathbf{B}\in\mathbb{Z}^{n\times m}$ , there exists a singular value decomposition $\mathbf{B}=\mathbf{Q}\mathbf{D}\mathbf{P}^{T}$ , where $\mathbf{Q}\in\mathbb{R}^{n\times n}$ , $\mathbf{P}\in\mathbb{R}^{m\times m}$ are orthogonal matrices, and $\mathbf{D}\in\mathbb{R}^{n\times m}$ is a diagonal matrix with nonnegative entries $s_{i}\geq 0$ on the diagonal, in non-increasing order. The $s_{i}$ are called the singular values of $\mathbf{B}$ . Under this convention, $\mathbf{D}$ is uniquely determined and $s_{1}(\mathbf{B})=\max_{\mathbf{u}}\|\mathbf{B}\mathbf{u}\|=\max_{\mathbf{u}}\|\mathbf{B}^{T}\mathbf{u}\|\geq\|\mathbf{B}\|,\|\mathbf{B}^{T}\|$ where the maxima are taken over all unit vectors $\mathbf{u}\in\mathbb{R}^{m}$ . Note that the singular values of $\mathbf{B}$ and $\mathbf{B}^{T}$ are the same.

Gaussian distribution. We will use the following definitions of the discrete Gaussian distributions.

Definition 2.

Let $\Lambda\subseteq\mathbb{Z}^{m}$ be a lattice. For a vector $\mathbf{c}\in\mathbb{R}^{m}$ and a positive parameter $\sigma\in\mathbb{R}$ , define:

\rho_{\sigma,\mathbf{c}}(\mathbf{x})=\exp\left(-\pi\frac{\|\mathbf{x}-\mathbf{c}\|^{2}}{\sigma^{2}}\right)\quad\text{and}\quad\rho_{\sigma,\mathbf{c}}(\Lambda)=\sum_{\mathbf{x}\in\Lambda}\rho_{\sigma,\mathbf{c}}(\mathbf{x}).

The discrete Gaussian distribution over $\Lambda$ with center $\mathbf{c}$ and parameter $\sigma$ is

\forall\mathbf{y}\in\Lambda\quad,\quad\mathcal{D}_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y})=\frac{\rho_{\sigma,\mathbf{c}}(\mathbf{y})}{\rho_{\sigma,\mathbf{c}}(\Lambda)}.

For convenience, we will denote by $\rho_{\sigma}$ and $\mathcal{D}_{\Lambda,\sigma}$ for $\rho_{\sigma,\mathbf{0}}$ and $\mathcal{D}_{\Lambda,\sigma,\mathbf{0}}$ respectively. When $\sigma=1$ we will write $\rho$ instead of $\rho_{1}$ .

It is well-known that for a vector $\mathbf{x}$ sampled from $\mathcal{D}^{m}_{\mathbb{Z},\sigma}$ , one has that $\|\mathbf{x}\|\leq\sigma\sqrt{m}$ with overwhelming probability.

Lemma 3.

For $\mathbf{x}\leftarrow\mathcal{D}_{\Lambda_{q}^{\mathbf{u}}(\mathbf{A}),\sigma}$ , $\Pr[\|\mathbf{x}\|>\sigma\sqrt{m}]\leq\rm{negl}(n)$ .

Lemma 4.

For a prime $q$ and a positive integer $n$ , let $m\geq n\lceil\log q\rceil$ . For $\mathbf{A}\leftarrow\mathbb{Z}^{n\times m}_{q}$ , $\mathbf{r}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},\sigma}$ with $\sigma\geq\omega(\sqrt{\log n})$ , the distribution of $\mathbf{u}=\mathbf{A}\mathbf{r}\in\mathbb{Z}^{n}_{q}$ is statistically close to the uniform distribution over $\mathbb{Z}^{n}_{q}$ .
Furthermore, fix $\mathbf{u}\in\mathbb{Z}^{n}_{q}$ , the distribution of $\mathbf{r}$ conditioned on $\mathbf{A}\mathbf{r}=\mathbf{u}$ is $\mathcal{D}_{\Lambda_{q}^{\mathbf{u}}(A),\sigma}$ .

The security of our construction reduces to the LWE (Learning With Errors) problem introduced by Regev [Reg09].

Definition 5 (Learning With Errors - LWE problem).

Consider a prime $q$ , a positive integer $n$ , and a distribution $\chi$ over $\mathbb{Z}_{q}$ . An $\textsf{LWE}_{n,m,q,\chi}$ problem instance consists of access to an unspecified challenge oracle $\mathcal{O}$ , being either a noisy pseudorandom sampler $\mathcal{O}_{\mathbf{s}}$ associated with a secret $\mathbf{s}\in\mathbb{Z}_{q}^{n}$ , or a truly random sampler $\mathcal{O}_{\$}$ who behaviors are as follows:

$\mathcal{O}_{\mathbf{s}}$ :: samples of the form $(\mathbf{a}_{i},b_{i})=(\mathbf{a}_{i},\mathbf{s}^{T}\mathbf{a}_{i}+e_{i})\in\mathbb{Z}_{q}^{n}\times\mathbb{Z}_{q}$ where $\mathbf{s}\in\mathbb{Z}_{q}^{n}$ is a uniform secret key, $\mathbf{a}_{i}\in\mathbb{Z}_{q}^{n}$ is uniform and $e_{i}\in\mathbb{Z}_{q}$ is a noise withdrawn from $\chi$ .
$\mathcal{O}_{\$}$ :: samples are uniform pairs in $\mathbb{Z}_{q}^{n}\times\mathbb{Z}_{q}$ .

The $\textsf{LWE}_{n,m,q,\chi}$ problem allows respond queries to the challenge oracle $\mathcal{O}$ . We say that an algorithm $\mathcal{A}$ decides the $\textsf{LWE}_{n,m,q,\chi}$ problem if

\mathsf{Adv}_{\mathcal{A}}^{\textsf{LWE}_{n,m,q,\chi}}:=\left|\Pr[\mathcal{A}^{\mathcal{O}_{\mathbf{s}}}=1]-\Pr[\mathcal{A}^{\mathcal{O}_{\$}}=1]\right|

is non-negligible for a random $\mathbf{s}\in\mathbb{Z}_{q}^{n}$ .

Regev [Reg09] showed that (see Theorem 6 below) when $\chi$ is a distribution $\overline{\Psi}_{\alpha}$ with $\alpha\in(0,1)$ , the LWE problem is hard.

Theorem 6.

If there exists an efficient, possibly quantum, algorithm for deciding the $\textsf{LWE}_{n,m,q,\overline{\Psi}_{\alpha}}$ problem for $q>2\sqrt{n}/\alpha$ then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems, to within $\tilde{\mathcal{O}}(n/\alpha)$ factors in the $\ell_{2}$ norm, in the worst case.

The theorem implies, for $n/\alpha$ is a polynomial in $n$ , the LWE problem is as hard as approximating the SIVP and GapSVP problems in lattices of dimension $n$ to within polynomial (in $n$ ) factors.

In this paper, we will use the discrete Gaussian distribution $\mathcal{D}^{m}_{\mathbb{Z},\sigma}$ and denote $\textsf{LWE}_{n,m,q,\sigma}$ instead of $\textsf{LWE}_{n,m,q,\mathcal{D}^{m}_{\mathbb{Z},\sigma}}$ for convenience.

We use the following lemma which was introduced by Katsumata and Yamada in [KY16] to rerandomize LWE instances:

Lemma 7.

Let $\ell,q,m$ be positive integers and let $r$ be a positive real number satisfying $r\geq\max\{\omega(\sqrt{\log m}),\omega(\sqrt{\log\ell})\}$ . Let $\mathbf{b}\in\mathbb{Z}^{m}_{q}$ be arbitrary and $\mathbf{z}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},r}$ . Then there exists an efficient algorithm $\mathsf{ReRand}$ such that for any $\mathbf{D}\in\mathbb{Z}^{m\times\ell}$ and positive real $\sigma\geq s_{1}(\mathbf{D})$ , the output of $\mathsf{ReRand}(\mathbf{D},\mathbf{b}^{T}+\mathbf{z}^{T},r,\sigma)$ is distributed as $\mathbf{b}^{\prime T}=\mathbf{b}^{T}\mathbf{D}+\mathbf{z}^{\prime T}\in\mathbb{Z}^{\ell}_{q}$ where the distribution of $\mathbf{z}^{\prime}$ is close to $\mathcal{D}^{\ell}_{\mathbb{Z},2r\sigma}$ .

Lattice trapdoors

Our work heavily bases on the notion $\mathbf{G}$ -trapdoor introduced in [MP12]. In the following, we recap this notion as well as some usefull algorithms.

As in [MP12], let $n\geq 1$ , $q\geq 2$ and let $\omega=n\lceil\log q\rceil=nk$ , we will use the vector $\mathbf{g}^{T}=(1,2,4,\dots,2^{k-1})$ and extend it to get the gadget matrix $\mathbf{G}=\mathbf{I}_{n}\otimes\mathbf{g}^{T}\in\mathbb{Z}^{n\times\omega}_{q}$ such that the lattice $\Lambda^{\perp}_{q}(\mathbf{G})$ has a public known matrix $\mathbf{T}_{\mathbf{G}}\in\mathbb{Z}^{\omega\times\omega}$ with $\|\widetilde{\mathbf{T}_{\mathbf{G}}}\|\leq\sqrt{5}$ and $\|\mathbf{T}_{\mathbf{G}}\|\leq\max(\sqrt{5},\sqrt{k})$ .

Definition 8.

( $\mathbf{G}$ -trapdoor) Let $n\geq 1$ , $q\geq 2$ and $\omega=n\lceil\log q\rceil$ , $m\geq\omega$ . Let $\mathbf{A}\in\mathbb{Z}^{n\times m}_{q}$ , $\mathbf{G}\in\mathbb{Z}^{n\times\omega}_{q}$ . Let $\mathbf{H}\in\mathbb{Z}^{n\times n}_{q}$ be some invertible matrix. A matrix $\mathbf{R}\in\mathbb{Z}^{(m-\omega)\times\omega}$ is called a $\mathbf{G}$ -trapdoor for $\mathbf{A}$ with tag $\mathbf{H}$ if it holds that $\mathbf{A}\begin{bmatrix}-\mathbf{R}\\ \mathbf{I}_{\omega}\end{bmatrix}=\mathbf{H}\mathbf{G}\mod q$ . The quality of the trapdoor is measured by its largest singular value $s_{1}(\mathbf{R})$ .

[MP12] also presented an algorithm to generate a pseudorandom matrix $\mathbf{F}\in\mathbb{Z}^{n\times(m+\omega)}_{q}$ together with a “strong” $\mathbf{G}$ -trapdoor for the lattice $\Lambda^{\perp}_{q}(\mathbf{F})$ :

1.

Sample $\mathbf{A}\leftarrow\mathbb{Z}^{n\times m}_{q}$ , $\mathbf{R}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ and an invertible matrix $\mathbf{H}\leftarrow\mathbb{Z}^{n\times n}_{q}$
2.

Return $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\mathbf{G}]$ and the $\mathbf{G}$ -trapdoor $\mathbf{R}$ .

The matrix $\mathbf{R}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ can do everything that a low-norm basis of $\Lambda^{\perp}_{q}(\mathbf{F})$ does. Moreover, $\mathbf{R}$ can be used to efficiently generate low-norm basis $\mathbf{T}_{\mathbf{F}}\in\mathbb{Z}^{(m+\omega)\times(m+\omega)}$ for $\Lambda^{\perp}_{q}(\mathbf{F})$ .

Next, we recall the following lemma from [GPV08]:

Lemma 9.

Let $q,k,n,m$ be integers with $q>2,k>1$ , $m>n$ and let $\mathbf{A}\in\mathbb{Z}_{q}^{n\times m}$ , $\mathbf{U}\in\mathbb{Z}^{n\times k}_{q}$ . Let $\mathbf{T}_{\mathbf{A}}$ be a basis for $\Lambda^{\perp}_{q}(\mathbf{A})$ . For $\sigma\geq\|\widetilde{\mathbf{T}_{\mathbf{A}}}\|\cdot\omega(\sqrt{\log m})$ , there is a PPT algorithm $\mathsf{SamplePre}(\mathbf{A},\mathbf{T}_{\mathbf{A}},\mathbf{U},\sigma)$ that returns a matrix $\mathbf{D}\in\mathbb{Z}^{n\times k}_{q}$ sampled from a distribution statistically close to $\mathcal{D}_{\Lambda_{q}^{\mathbf{U}}(\mathbf{A}),\sigma}$ , whenever $\Lambda_{q}^{\mathbf{U}}(\mathbf{A})$ is not empty such that $\mathbf{A}\mathbf{D}=\mathbf{U}$ .

The following lemma consists of algorithms for generating bases for lattices collected from the sampling technique in the work of Agrawal et al. [ABB10a] and the $\mathsf{SamplePre}$ algorithm from the work of Micciancio et al. [MP12, Theorem 5.1] which will be used in our construction. Note that the $\mathsf{SamplePre}$ algorithm in [MP12] is different from the $\mathsf{SamplePre}$ algorithm from [ABB10a] in Lemma 9 above.

Lemma 10.

Let $n\geq 1$ , $q\geq 2$ , $\omega=n\lceil\log q\rceil$ , $m\geq\omega$ . Let $\mathbf{A}\leftarrow\mathbb{Z}^{n\times m}_{q}$ .

•

Let $\mathbf{T}_{\mathbf{A}}$ be a basis for $\Lambda^{\perp}_{q}(\mathbf{A})$ , $\mathbf{M}\leftarrow\mathbb{Z}_{q}^{n\times m_{1}}$ and $\sigma\geq\|\widetilde{\mathbf{T}_{\mathbf{A}}}\|\cdot\omega(\sqrt{\log(m+m_{1})})$ . Then there exists a PPT algorithm $\mathsf{SampleBasisLeft}(\mathbf{A},\mathbf{M},\mathbf{T}_{\mathbf{A}},\sigma)$ that outputs a basis of $\Lambda_{q}^{\perp}([\mathbf{A}|\mathbf{M}])$ .
•

Let $\mathbf{R}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ , $\mathbf{U}\leftarrow\mathbb{Z}^{n\times\omega}_{q}$ , and let $\mathbf{H}\leftarrow\mathbb{Z}^{n\times n}_{q}$ be an invertible matrix. Let $\mathbf{F}=[\mathbf{A}|\mathbf{A}\mathbf{R}+\mathbf{H}\mathbf{G}]$ . Then for $\sigma\geq 5\cdot s_{1}(\mathbf{R})\cdot\omega(\sqrt{\log n})$ , there exists a PPT algorithm $\mathsf{SampleRight}(\mathbf{R},\mathbf{F},\mathbf{H},\mathbf{U},\sigma)$ that outputs a matrix $\mathbf{D}\in\mathbb{Z}^{(m+\omega)\times\omega}$ distributed statistically close to $\mathcal{D}_{\Lambda_{q}^{\mathbf{U}}(\mathbf{F}),\sigma}$ s.t. $\mathbf{F}\mathbf{D}=\mathbf{U}$ .
In particular, there exits a PPT algorithm $\mathsf{SampleBasisRight}(\mathbf{R},\mathbf{F},\mathbf{H},\mathbf{U},\sigma)$ that outputs a basis $\mathbf{T}\in\mathbb{Z}^{(m+\omega)\times(m+\omega)}$ of $\Lambda_{q}^{\perp}(\mathbf{F})$ which distributes statistically close to $\mathcal{D}_{\Lambda_{q}^{\perp}(\mathbf{F}),\sigma}$ , i.e., $\mathbf{F}\mathbf{T}=\mathbf{0}$ .

Here, we note that the algorithm $\mathsf{SampleBasisRight}$ basically runs $\mathsf{SampleRight}(\mathbf{R},\mathbf{F},\mathbf{H},\mathbf{0},\sigma)$ many times until there are enough linearly independent output vectors to form a basis of $\Lambda_{q}^{\perp}(\mathbf{F})$ . According to [ABB10b], $2(m+\omega)$ samples are needed in expectation to get the basis $\mathbf{T}$ for $\Lambda_{q}^{\perp}(\mathbf{F})$ .

Peikert [Pei09] shows how to construct a basis for $\Lambda^{\perp}_{q}(\mathbf{A}_{1}|\mathbf{A}_{2}|\mathbf{A}_{3})$ from a basis for $\Lambda^{\perp}_{q}(\mathbf{A}_{2})$ .

Theorem 11.

For $i=1,2,3$ , let $\mathbf{A}_{i}$ be a matrix in $\mathbb{Z}^{n\times m_{i}}$ and let $\mathbf{A}=(\mathbf{A}_{1}|\mathbf{A}_{2}|\mathbf{A}_{3})$ . Let $\mathbf{T}_{2}$ be a basis of $\Lambda^{\perp}_{q}(\mathbf{A}_{2})$ . There is a deterministic polynomial time algorithm $\mathsf{ExtendBasis}$ that outputs a basis $\mathbf{T}$ for $\Lambda^{\perp}_{q}(\mathbf{A})$ such that $\|\widetilde{\mathbf{T}}\|=\|\widetilde{\mathbf{T}_{2}}\|$ .

We will also use the following lemma in the decryption algorithm to recover the message.

Lemma 12.

Let $\mathbf{A}$ be a uniformly random matrix in $\mathbb{Z}^{n\times m}_{q}$ where $m>2n$ . Let $\mathbf{T}\in\mathbb{Z}^{m\times m}$ be a basis of $\Lambda^{\perp}_{q}(\mathbf{A})$ . Given $\mathbf{y}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}^{T}$ where $\mathbf{s}\in\mathbb{Z}^{n}_{q}$ , $\mathbf{e}\in\mathbb{Z}^{m}$ with $\|\mathbf{e}^{T}\mathbf{T}\|_{\infty}<q/4$ , there exists an algorithm $\mathsf{Invert}(\mathbf{A},\mathbf{T},\mathbf{y})$ that outputs $\mathbf{s}$ and $\mathbf{e}$ with overwhelming probability.

It can be easily seen that the lemma is true since the algorithm works by computing $\mathbf{y}^{T}\mathbf{T}\mod q=\mathbf{e}^{T}\mathbf{T}\mod q$ . We have $\|\mathbf{e}^{T}\mathbf{T}\|_{\infty}<q/4$ , so $\mathbf{e}^{T}\mathbf{T}\mod q=\mathbf{e}^{\mathbf{T}}\in\mathbb{Z}^{m}$ . Since $\mathbf{T}\in\mathbb{Z}^{m\times m}$ is a basis of lattice $\Lambda^{\perp}_{q}(\mathbf{A})$ , $\mathbf{T}$ has linearly independent columns, one can simply use the Gaussian elimination to recover $\mathbf{e}$ and then get $\mathbf{s}^{T}\mathbf{A}$ . Finally, $\mathbf{s}$ can be recovered by Gaussian elimination because $\mathbf{A}\in\mathbb{Z}^{n\times m}$ has at least $n$ linearly independent column vectors.

3 AHIBET Construction over Integer Lattices

•

Let $\lambda$ be the security parameter, $d$ be the hierarchy depth and identities are vector $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell})$ ( $1\leq\ell\leq d$ ) where all components $\mathsf{id}_{i}$ are in $\mathbb{Z}^{n}\setminus{\{\mathbf{0}\}}$ .
•

Let $\mathsf{FRD}:\mathbb{Z}^{n}_{q}\longrightarrow\mathbb{Z}^{n\times n}_{q}$ be a full-rank difference encoding (FRD) from [ABB10a] s.t. for all distinct $\mathbf{u},\mathbf{v}\in\mathbb{Z}^{n}_{q}$ , $\mathsf{FRD}(\mathbf{u})-\mathsf{FRD}(\mathbf{v})\in\mathbb{Z}^{n\times n}_{q}$ is an invertible matrix.
•

Let $\mathsf{H}:(\mathbb{Z}^{n}_{q})^{*}\longrightarrow\mathbb{Z}^{n}_{q}$ be a collision resistant hash function.
•

For an integer $q>2$ , $x\in\mathbb{Z}_{q}$ , the algorithm $\mathsf{Round}(x)$ returns $0$ if $x$ is closer to $0$ than to $\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor$ modulo $q$ ; otherwise, it returns $1$ .

In the construction of the AHIBET scheme, we assume each identity $\mathsf{id}$ can only be given exactly one tracing key $\mathsf{Tsk}_{\mathsf{id}}$ .

Setup( $\lambda,d$ )

On input security parameter $\lambda$ and a maximum hierarchy depth $d$ , set the parameters $(n,m,q,\omega,\bar{\sigma},\tau,\alpha,r)$ as in section 3.1, the algorithm does:

1.

Sample uniformly random matrices $\mathbf{A}\leftarrow\mathbb{Z}_{q}^{n\times m}$ , $\mathbf{A}_{2},\dots,\mathbf{A}_{d}\leftarrow\mathbb{Z}_{q}^{n\times\omega}$ and $\mathbf{R}_{0},\mathbf{R}_{1}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ .
2.

Set $\mathbf{A}_{0}\leftarrow\mathbf{A}\mathbf{R}_{0}\in\mathbb{Z}^{n\times\omega}_{q}$ , $\mathbf{A}_{1}\leftarrow\mathbf{A}\mathbf{R}_{1}\in\mathbb{Z}^{n\times\omega}_{q}$ and choose $\mathbf{U}_{1},\mathbf{U}_{2}\leftarrow\mathbb{Z}^{n\times\lambda}_{q}$ uniformly at random.

Output the master public key and the master secret key

\mathsf{MPK}=(\mathbf{A},\mathbf{A}_{0},\mathbf{A}_{1},\dots,\mathbf{A}_{d},\mathbf{U}_{1},\mathbf{U}_{2})\leavevmode\nobreak\ ,\leavevmode\nobreak\ \mathsf{MSK}=(\mathbf{R}_{0},\mathbf{R}_{1}).

Extract( $\mathsf{MPK},\mathsf{MSK},\mathsf{id}$ )

On input the master pubic key $\mathsf{MPK}$ , the master secret key $\mathsf{MSK}$ and an identity $\mathsf{id}$ of level $1$ , the algorithm generates secret key for $\mathsf{id}$ as follows:

1.

Compute $\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id})\mathbf{G}]\in\mathbb{Z}^{n\times(m+\omega)}_{q}$ .
2.

Sample $\mathbf{T}_{\mathsf{id}}\leftarrow\mathsf{SampleBasisRight}(\mathbf{F}_{\mathsf{id}},\mathbf{R}_{1},\mathsf{FRD}(\mathsf{id}),\sigma_{1})\in\mathbb{Z}^{(m+\omega)\times(m+\omega)}_{q}$ s.t. $\mathbf{F}_{\mathsf{id}}\mathbf{T}_{\mathsf{id}}=0$ .
3.

Output $\mathsf{SK}_{\mathsf{id}}\leftarrow\mathbf{T}_{\mathsf{id}}$ .

Derive( $\mathsf{MPK},\mathsf{SK}_{\mathsf{id}},(\mathsf{id}|\mathsf{id}_{\ell})$ )

On input the master pubic key $\mathsf{MPK}$ , a secret key $\mathsf{SK}_{\mathsf{id}}$ corresponding to an identity $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell-1})$ at depth $\ell-1$ and an identity $\mathsf{id}|\mathsf{id}_{\ell}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell-1},\mathsf{id}_{\ell})$ of level $\ell>1$ , the algorithm generates secret key for $\mathsf{id}$ as follows:

1.

Set $\mathbf{F}_{\mathsf{id}|\mathsf{id}_{\ell}}=[\mathbf{F}_{\mathsf{id}}|\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}_{\ell})\mathbf{G}]\in\mathbb{Z}^{n\times(m+\ell\omega)}_{q}$ with $\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}_{1})\mathbf{G}|\dots|\mathbf{A}_{\ell-1}+\mathsf{FRD}(\mathsf{id}_{\ell-1})\mathbf{G}]$ .
2.

Sample $\mathbf{T}_{\mathsf{id}|\mathsf{id}_{\ell}}\leftarrow\mathsf{SampleBasisLeft}(\mathbf{F}_{\mathsf{id}},\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}_{\ell})\mathbf{G},\mathsf{SK}_{\mathsf{id}},\sigma_{\ell})$ s.t. $\mathbf{F}_{\mathsf{id}|\mathsf{id}_{\ell}}\mathbf{T}_{\mathsf{id}|\mathsf{id}_{\ell}}=0$ .
3.

Output $\mathsf{SK}_{\mathsf{id}|\mathsf{id}_{\ell}}\leftarrow\mathbf{T}_{\mathsf{id}|\mathsf{id}_{\ell}}$ .

TskGen( $\mathsf{MPK},\mathsf{MSK},\mathsf{id}$ )

On input the master pubic key $\mathsf{MPK}$ , the master secret key $\mathsf{MSK}$ and an identity $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell})$ , the algorithm generates the tracing key for $\mathsf{id}$ as follows:

1.

Compute $\mathbf{F}^{\prime}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H(\mathsf{id})})\mathbf{G}]\in\mathbb{Z}^{n\times(m+\omega)}_{q}$ .
2.

Sample $\mathbf{D}^{\prime}_{\mathsf{id}}\leftarrow\mathsf{SampleBasisRight}(\mathbf{F}^{\prime}_{\mathsf{id}},\mathbf{R}_{0},\mathsf{FRD}(\mathsf{H}(\mathsf{id})),\sigma_{1})\in\mathbb{Z}^{(m+\omega)\times(m+\omega)}_{q}$ s.t. $\mathbf{F}^{\prime}_{\mathsf{id}}\mathbf{D}^{\prime}_{\mathsf{id}}=0$ .
3.

Sample $\mathbf{D}_{\mathsf{id}}\leftarrow\mathsf{SamplePre}(\mathbf{F}^{\prime}_{\mathsf{id}},\mathbf{D}^{\prime}_{\mathsf{id}},\mathbf{U}_{2},\sigma_{1})\in\mathbb{Z}^{(m+\omega)\times\lambda}_{q}$ .
4.

Output $\mathsf{Tsk}_{\mathsf{id}}\leftarrow\mathbf{D}_{\mathsf{id}}$ .

Encrypt( $\mathsf{MPK},\mathsf{id},\mathbf{m}$ )

On input the master pubic key $\mathsf{MPK}$ , the algorithm encrypts the message $\mathbf{m}\in\{0,1\}^{\lambda}$ for identity $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell})$ at depth $\ell$ as follows:

1.

Compute $\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{B}_{\mathsf{id}}]=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}_{1})\mathbf{G}|\dots|\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}_{\ell})\mathbf{G}]\in\mathbb{Z}^{n\times(m+\ell\omega)}_{q}$ .
2.

Sample $\mathbf{k}\leftarrow\{0,1\}^{\lambda}$ .
3.

Sample a uniformly random vector $\mathbf{s}\leftarrow\mathbb{Z}^{n}_{q}$ .
4.

Choose noise vectors $\mathbf{e}_{0}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},r}$ , $\mathbf{e}_{1}\leftarrow\mathcal{D}^{\ell\omega}_{\mathbb{Z},2r\tau}$ $\mathbf{e}_{2}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},r},\ \mathbf{e}_{3}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},2r\tau},\ \mathbf{e}_{4}\leftarrow\mathcal{D}^{\omega}_{\mathbb{Z},2r\tau}$ .

Set

\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},\ \ \ \ \ \mathbf{c}_{1}^{T}=\mathbf{s}^{T}\mathbf{B}_{\mathsf{id}}+\mathbf{e}_{1}^{T},\ \ \ \ \ \mathbf{c}_{2}^{T}=\mathbf{s}^{T}\mathbf{U}_{1}+\mathbf{e}_{2}^{T}+\mathbf{m}^{T}\left\lfloor\frac{q}{2}\right\rfloor,

and

\mathbf{c}_{3}^{T}=\mathbf{s}^{T}\mathbf{U}_{2}+\mathbf{e}_{3}^{T}+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor,\ \ \ \ \ \mathbf{c}_{4}^{T}=\mathbf{s}^{T}(\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}(\mathsf{id}))\mathbf{G})+\mathbf{e}_{4}^{T}.

6.

Output $\mathsf{CT}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ .

Decrypt( $\mathsf{MPK},\mathsf{CT},\mathsf{SK}_{\mathsf{id}}$ )

On input the master pubic key $\mathsf{MPK}$ , a ciphertext $\mathsf{CT}$ and a secret key $\mathsf{SK}_{\mathsf{id}}$ where $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell})$ is an identity at depth $\ell$ , the algorithm does:

1.

Parse $\mathsf{CT}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ ; Output $\perp$ if $\mathsf{CT}$ doesn’t parse.
2.

Set $\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}_{1})\mathbf{G}|\dots|\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}_{\ell})\mathbf{G}]$ and recover $\mathbf{s}$ via $\mathsf{Invert}(\mathsf{SK}_{\mathsf{id}},\mathbf{F}_{\mathsf{id}},[\mathbf{c}_{0}^{T}|\mathbf{c}_{1}^{T}])$ .
3.

Recover $\tilde{\mathbf{k}}\leftarrow\mathsf{Round}(\mathbf{c}_{3}^{T}-\mathbf{s}^{T}\mathbf{U}_{2})$ ; Return $\perp$ if $\tilde{\mathbf{k}}\neq\mathbf{k}$ .
4.

Compute $\mathbf{m}\leftarrow\mathsf{Round}(\mathbf{c}_{2}^{T}-\mathbf{s}^{T}\mathbf{U}_{1})$ .
5.

Output $\mathbf{m}$ .

TkVer( $\mathsf{MPK},\mathsf{id},\mathsf{Tsk}_{\mathsf{id}},\mathsf{CT}$ )

On input the master pubic key $\mathsf{MPK}$ , the algorithm uses the tracing key $\mathsf{Tsk}_{\mathsf{id}}=\mathbf{D}_{\mathsf{id}}$ corresponding to the identity $\mathsf{id}$ to check whether a ciphertext $\mathsf{CT}$ is encrypted for the given identity $\mathsf{id}$ :

1.

Parse $\mathsf{CT}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ ; Output $\perp$ if $\mathsf{CT}$ doesn’t parse.
2.

Compute $\tilde{\mathbf{k}}\leftarrow\mathsf{Round}(\mathbf{c}_{3}^{T}-[\mathbf{c}_{0}^{T}|\mathbf{c}_{4}^{T}]\mathbf{D}_{\mathsf{id}})$ .
3.

If $\tilde{\mathbf{k}}=\mathbf{k}$ then output $1$ ; else output $0$ .

3.1 Parameters

Let $\lambda$ be the security parameter, $d$ is the maximum hierarchical depth of the scheme, $1\leq\ell\leq d$ . We assume that all parameters are functions of $\lambda$ . Now for the system to work correctly, we need to ensure:

•

$\sigma_{\ell}$ is large enough for $\mathsf{SampleBasisLeft}$ and $\mathsf{SampleBasisRight}$ , i.e., $\sigma_{\ell}>O(m)\cdot\omega(\log n)\cdot\omega(\sqrt{\log(\ell+1)m})$ ,
•

$\tau$ is large enough for $\mathsf{ReRand}$ , i.e. $\tau\geq O(m^{3/2})\cdot\omega(\log^{3/2}n),$
•

the error term in decryption is less than ${q}/{4}$ with high probability, i.e. $\alpha<(8\sigma_{\ell}\tau(m+\ell\omega))^{-1}$ ,

Hence the following choice of parameters $(n,m,q,\omega,\bar{\sigma},\tau,\alpha,r)$ satisfies all of the above conditions, taking $\lambda$ to be the security parameter:

		$\displaystyle n\geq 2\quad,\quad q\geq 2\quad,\quad\omega=n\lceil\log q\rceil\quad,\quad 1\leq\ell\leq d$		(1)
		$\displaystyle m\geq n\log q+\omega(\log n)\quad,\quad r=\alpha q\quad,\quad\sigma_{1}=O(\sqrt{m})\cdot\omega(\log n)$
		$\displaystyle\sigma_{\ell}=O(m)\cdot\omega(\log n)\cdot\omega(\sqrt{\log(\ell+1)m}),$
		$\displaystyle\tau=O(m^{3/2})\cdot\omega(\log^{3/2}n),$
		$\displaystyle\alpha=[(\ell+1)\cdot O(m^{7/2})\cdot\omega(\log^{5/2}n)\cdot\omega(\sqrt{\log(\ell+1)m})]^{-1}.$

3.2 Correctness and soundness

When the cryptosystem is operated as specified, during decryption of a correctly generated ciphertext encrypted a message $\mathbf{m}$ to an identity $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{\ell})$ at depth $\ell\leq d$ , with the parameters as specified in 3.1, we have:

•

Since $\mathbf{e}_{0}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},r}$ , $\mathbf{e}_{1}\leftarrow\mathcal{D}^{\ell\omega}_{\mathbb{Z},2r\tau}$ , by applying Lemma 3 and the parameters set up, we get $\|[\mathbf{e}_{0}^{T}|\mathbf{e}_{1}^{T}]\|\leq 2r\tau\cdot\sqrt{m+\ell\omega}$ , which means $\|[\mathbf{e}_{0}^{T}|\mathbf{e}_{1}^{T}]\mathbf{T}_{\mathsf{id}}\|_{\infty}\leq\|[\mathbf{e}_{0}^{T}|\mathbf{e}_{1}^{T}]\|\cdot\|\mathbf{T}_{\mathsf{id}}\|\leq(2r\tau\cdot\sqrt{(m+\ell\omega)})\cdot(\sigma_{\ell}\cdot\sqrt{m+\ell\omega})\leq 2r\tau\sigma_{\ell}\cdot(m+\ell\omega)\leq q/4.$
Using Lemma 12, it is sufficient to show that the algorithm $\mathsf{Invert}(\mathbf{T}_{\mathsf{id}},\mathbf{F}_{\mathsf{id}},[\mathbf{c}_{0}^{T}|\mathbf{c}_{1}^{T}])$ will output $\mathbf{s}$ with overwhelming probability.
•

Since $\mathbf{e}_{2}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},r}$ , $\mathbf{e}_{3}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},2r\tau}$ , by applying Lemma 3 and the parameters set up we get $\|\mathbf{e}_{2}\|\leq\|\mathbf{e}_{3}\|\leq 2r\tau\sqrt{\lambda}<q/4$ .
Hence $\mathsf{Round}(\mathbf{c}_{3}^{T}-\mathbf{s}^{T}\mathbf{U}_{2})=\mathsf{Round}\left(\mathbf{k}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor^{T}+\mathbf{e}_{3}^{T}\right)$ and $\mathsf{Round}(\mathbf{c}_{2}-\mathbf{s}^{T}\mathbf{U}_{1})=\mathsf{Round}\left(\mathbf{m}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor^{T}+\mathbf{e}_{2}^{T}\right)$ will correctly recover $\mathbf{k}$ and $\mathbf{m}$ .

In the algorithm $\mathsf{TkVer}$ , $\mathsf{Round}(\mathbf{c}_{3}^{T}-[\mathbf{c}_{0}^{T}|\mathbf{c}_{4}^{T}]\mathbf{D}_{\mathsf{id}})=\mathsf{Round}\left(\mathbf{k}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor^{T}+\mathbf{e}_{3}^{T}+[\mathbf{e}_{0}^{T}|\mathbf{e}_{4}^{T}]\mathbf{D}_{\mathsf{id}}\right)$ where $\|\mathbf{D}_{\mathsf{id}}\|\leq\sigma_{1}\sqrt{m+\omega}$ . Hence by the parameters set up, $\mathsf{TkVer}$ will correctly recover the key $\mathbf{k}$ .

4 Security analysis

4.1 Proof of Anonymity

In this part, we will prove that our proposed AHIBET scheme is ANON-sID-CPA secure in the standard model.

Theorem 4.1.

The AHIBET scheme $\Pi:=(\mathsf{Setup},\mathsf{Extract},\mathsf{Derive},\mathsf{Encrypt},\mathsf{Decrypt},\mathsf{TskGen},\mathsf{TkVer})$ with parameters $(\lambda,n,m,q,\omega,\bar{\sigma},\tau,\alpha,r)$ as in (1) is ANON-sID-CPA secure for the maximal hierarchy depth $d$ provided that the hardness of the $\textsf{LWE}_{n,m+\lambda,q,r}$ problem holds.

Proof.

We will proceed the proof via a sequence of games where the Game 0 is identical to the original ANON-sID-CPA game and the adversary in the last game has advantage at most the advantage of an efficient LWE adversary.

Let $\mathcal{A}$ be a PPT adversary that attacks the AHIBET scheme $\Pi$ and has advantage $\mathsf{Adv}_{\mathcal{A},\Pi}^{\textsf{ANON-sID-CPA}}=\epsilon$ . We will then construct a simulator $\mathcal{B}$ that solves the LWE problem using $\mathcal{A}$ .
Let $G_{i}$ denote the event that the adversary $\mathcal{A}$ wins Game $i$ . The adversary’s advantage in Game $i$ is $\left|\Pr[G_{i}]-\displaystyle{\frac{1}{2}}\right|$ .

Game 0.

This is the original ANON-sID-CPA game between the adversary $\mathcal{A}$ against our scheme and an ANON-sID-CPA challenger.

\mathsf{Adv}_{\mathcal{A},\Pi}^{\textsf{ANON-sID-CPA}}=\left|\Pr[G_{0}]-\frac{1}{2}\right|=\left|\Pr[b^{\prime}=b]-\frac{1}{2}\right|.

Game 1.

Game 1 is analogous to Game 0 except that we slightly modify the way that the challenger $\mathcal{C}$ generates the master public key $\mathsf{MPK}$ and responds to the key derivation oracles $\mathcal{O}_{\mathsf{Derive}}$ as well as the tracing key oracles $\mathcal{O}_{\mathsf{TskGen}}$ . Let $\mathsf{id}^{\ast}=(\mathsf{id}^{\ast}_{1},\dots,\mathsf{id}^{\ast}_{\ell})$ $(\ell\leq d)$ be the target identity that $\mathcal{A}$ intends to attack. After receiving $\mathsf{id}^{\ast}$ , $\mathcal{C}$ does:

1.

Sample $\mathbf{A}\leftarrow\mathbb{Z}_{q}^{n\times m}$ , $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ and $\overline{\mathbf{R}}\leftarrow\mathcal{D}^{m\times\lambda}_{\mathbb{Z},\omega(\sqrt{\log n})}$ .
2.

Set $\mathbf{A}_{0}\leftarrow\mathbf{A}\mathbf{R}_{0}-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G}$ .
3.

Set $\mathbf{A}_{i}\leftarrow\mathbf{A}\mathbf{R}_{i}-\mathsf{FRD}(\mathsf{id}^{\ast}_{i})\mathbf{G}$ for $i=1,\dots,\ell$ and $\mathbf{A}_{i}\leftarrow\mathbf{A}\mathbf{R}_{i}$ for $\ell<i\leq d$ .
4.

Set $\mathbf{U}_{2}\leftarrow\mathbf{A}\overline{\mathbf{R}}$ and sample $\mathbf{U}_{1}\leftarrow\mathbb{Z}^{n\times\lambda}_{q}$ .
5.

Send master public key

$\mathsf{MPK}=(\mathbf{A},\mathbf{A}_{0},\mathbf{A}_{1},\dots,\mathbf{A}_{d},\mathbf{U}_{1},\mathbf{U}_{2})$

to $\mathcal{A}$ and keep $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d},\overline{\mathbf{R}}$ secret.

•

Recall that the adversary $\mathcal{A}$ is not allowed to use the challenge identity $\mathsf{id}^{\ast}$ or its prefixes for its key derivation queries. To respond to the key derivation queries $\mathcal{O}_{\mathsf{Derive}}$ for $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{k})\neq\mathsf{id}^{\ast}=(\mathsf{id}^{\ast}_{1},\dots,\mathsf{id}^{\ast}_{\ell})$ ( $1\leq k\leq d$ ), $\mathcal{C}$ sets

\displaystyle\mathbf{F}_{\mathsf{id}}

\displaystyle=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}_{1})\mathbf{G}|\dots|\mathbf{A}_{k}+\mathsf{FRD}(\mathsf{id}_{k})\mathbf{G}]\in\mathbb{Z}^{n\times(m+k\omega)}_{q}.

–

If $k\leq\ell$ , then

\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}\mathbf{R}_{1}+(\mathsf{FRD}(\mathsf{id}_{1})-\mathsf{FRD}(\mathsf{id}^{\ast}_{1}))\mathbf{G}|\ldots|\mathbf{A}\mathbf{R}_{k}+(\mathsf{FRD}(\mathsf{id}_{k})-\mathsf{FRD}(\mathsf{id}^{\ast}_{k}))\mathbf{G}].

Let $h$ be the sallowest level where $\mathsf{id}_{h}\neq\mathsf{id}_{h}^{\ast}$ ( $h\leq k$ ). By the property of the full-rank difference encoding $\mathsf{FRD}$ , $\mathsf{FRD}(\mathsf{id}_{h})-\mathsf{FRD}(\mathsf{id}_{h}^{\ast})\in\mathbb{Z}^{n\times n}_{q}$ is an invertible matrix, $\mathcal{C}$ then samples

\mathbf{T}_{\mathsf{id}_{h}}\leftarrow\mathsf{SampleBasisRight}([\mathbf{A}|\mathbf{A}\mathbf{R}_{h}+(\mathsf{FRD}(\mathsf{id}_{h})-\mathsf{FRD}(\mathsf{id}_{h}^{\ast}))\mathbf{G}],\mathbf{R}_{h},\mathsf{FRD}(\mathsf{id}_{h})-\mathsf{FRD}(\mathsf{id}_{h}^{\ast}),\sigma_{1}).

If $h=k=1$ , $\mathcal{C}$ returns $\mathsf{SK}_{\mathsf{id}}=\mathbf{T}_{\mathsf{id}_{1}}$ .
If $k>1$ , $\mathcal{C}$ uses algorithm $\mathsf{ExtendBasis}$ to extend the basis $\mathbf{T}_{\mathsf{id}_{h}}$ of $\Lambda^{\perp}_{q}([\mathbf{A}|\mathbf{A}\mathbf{R}_{h}+(\mathsf{FRD}(\mathsf{id}_{h})-\mathsf{FRD}(\mathsf{id}_{h}^{\ast}))\mathbf{G}])$ to a basis $\mathbf{T}_{\mathsf{id}}$ of $\Lambda^{\perp}_{q}(\mathbf{F}_{\mathsf{id}})$ then returns $\mathsf{SK}_{\mathsf{id}}=\mathbf{T}_{\mathsf{id}}$ .

–

If $k>\ell$ , then

\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}\mathbf{R}_{1}|\ldots|\mathbf{A}\mathbf{R}_{\ell}|\mathbf{A}\mathbf{R}_{\ell+1}+\mathsf{FRD}(\mathsf{id}_{\ell+1})\mathbf{G}|\ldots|\mathbf{A}\mathbf{R}_{k}+\mathsf{FRD}(\mathsf{id}_{k})\mathbf{G}]

and $\mathsf{FRD}(\mathsf{id}_{\ell+1})\in\mathbb{Z}^{n\times n}_{q}$ is an invertible matrix. The challenger $\mathcal{C}$ samples

\mathbf{T}_{\mathsf{id}_{\ell+1}}\leftarrow\mathsf{SampleBasisRight}([\mathbf{A}|\mathbf{A}\mathbf{R}_{\ell+1}+\mathsf{FRD}(\mathsf{id}_{\ell+1})\mathbf{G}],\mathbf{R}_{\ell+1},\mathsf{FRD}(\mathsf{id}_{\ell+1}),\sigma_{1})

and uses algorithm $\mathsf{ExtendBasis}$ to extend the basis $\mathbf{T}_{\mathsf{id}_{\ell+1}}$ of $\Lambda^{\perp}_{q}([\mathbf{A}|\mathbf{A}\mathbf{R}_{\ell+1}+\mathsf{FRD}(\mathsf{id}_{\ell+1})\mathbf{G}])$ to a basis $\mathbf{T}_{\mathsf{id}}$ of $\Lambda^{\perp}_{q}(\mathbf{F}_{\mathsf{id}})$ . Finally, $\mathcal{C}$ returns $\mathsf{SK}_{\mathsf{id}}=\mathbf{T}_{\mathsf{id}}$ .

•

To respond to the tracing key query $\mathcal{O}_{\mathsf{TskGen}}$ for $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{k})\neq\mathsf{id}^{\ast}=(\mathsf{id}^{\ast}_{1},\dots,\mathsf{id}^{\ast}_{\ell})$ , $\mathcal{C}$ sets

\mathbf{F}^{\prime}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}_{\mathsf{id}})\mathbf{G}]=[\mathbf{A}|\mathbf{A}\mathbf{R}_{0}+(\mathsf{FRD}(\mathsf{H}(\mathsf{id}))-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast})))\mathbf{G}].

Since $\mathsf{H}$ is a collision resistant hash function, $\mathsf{H}(\mathsf{id})\neq\mathsf{H}(\mathsf{id}^{\ast})$ even if $\mathsf{id}$ is a prefix of $\mathsf{id}^{\ast}$ and thus $\mathsf{FRD}(\mathsf{H}(\mathsf{id}))-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))$ is an invertible matrix in $\mathbb{Z}^{n\times n}_{q}$ . Challenger $\mathcal{C}$ samples

\mathbf{D}^{\prime}_{\mathsf{id}}\leftarrow\mathsf{SampleBasisRight}(\mathbf{F}^{\prime}_{\mathsf{id}},\mathbf{R}_{0},\mathsf{FRD}(\mathsf{H}(\mathsf{id}))-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G},\sigma_{1})

then invokes the algorithm $\mathsf{SamplePre}$

\mathbf{D}_{\mathsf{id}}\leftarrow\mathsf{SamplePre}(\mathbf{F}^{\prime}_{\mathsf{id}},\mathbf{D}^{\prime}_{\mathsf{id}},\mathbf{U}_{2},\sigma_{1})\in\mathbb{Z}^{(m+\omega)\times\lambda}_{q}

and returns $\mathsf{Tsk}_{\mathsf{id}}=\mathbf{D}_{\mathsf{id}}$ .

Using Lemma 4, we can easily prove that the matrices $\mathbf{A}_{i}$ ( $0\leq i\leq d$ ) are statistically close to uniform. Hence, in the adversary’s point of view, $\mathbf{A}_{0},\mathbf{A}_{1},\dots,\mathbf{A}_{d}$ in Game 0 and Game 1 are computationally indistinguishable.

Next, we consider the responses to the secret key derivation queries $\mathcal{O}_{\mathsf{Derive}}$ and the tracing key queries $\mathcal{O}_{\mathsf{TskGen}}$ . For secret key derivation queries $\mathcal{O}_{\mathsf{Derive}}$ , Theorem 10 shows that when $\sigma_{1}\geq 5\cdot s_{1}(\mathbf{R})\cdot\omega(\sqrt{\log n})$ , $\sigma_{\ell}\geq\|\widetilde{\mathbf{T}_{\mathsf{id}_{h}}}\|\cdot\omega(\sqrt{\log(m+{\ell}\omega)})$ , the algorithms $\mathsf{SampleBasisRight}$ and $\mathsf{ExtendBasis}$ generate a basis $\mathbf{T}_{\mathsf{id}}$ for $\Lambda^{\perp}_{q}(\mathbf{F}_{\mathsf{id}})$ which is statistically close to the one generated in the original game. Similarly, the tracing keys generate by $\mathsf{SampleBasisRight}$ and $\mathsf{SamplePre}$ in Game 1 have distribution statistically close to ones in Game 0.

Since the master public key $\mathsf{MPK}$ and responses to key derivation queries and tracing key queries in Game 1 are statistically close to those in Game 0, these games are statistically indistinguishable in the view of the adversary. Thus we have

|\Pr[G_{1}]-\Pr[G_{0}]|\leq\mathsf{negl}(\lambda).

Game 2.

In this game, we change the way the challenge ciphertext $\mathsf{CT}^{*}$ for the challenge identity $\mathsf{id}^{\ast}$ is created. Recall that, after receiving a message $\mathbf{m}\in\{0,1\}^{\lambda}$ from the adversary $\mathcal{A}$ , the challenger $\mathcal{C}$ then selects a random bit $b\in\{0,1\}$ .

If $b=1$ , $\mathcal{C}$ chooses a random identity $\mathsf{id}^{\prime}$ in the identity space which is not identical to any query identities in Phase 1. $\mathcal{C}$ then runs $\mathsf{Encrypt}(\mathsf{MPK},\mathsf{id},\mathbf{m}$ ) and sends the resulting ciphertext $\mathsf{CT}_{1}^{*}$ to $\mathcal{A}$ .
If $b=0$ , the challenger $\mathcal{C}$ does the following steps to generate $\mathsf{CT}_{0}^{\ast}$ and sends it to $\mathcal{A}$ .

1.

Sample $\mathbf{k}\leftarrow\{0,1\}^{\lambda}$ .
2.

Sample $\mathbf{s}\leftarrow\mathbb{Z}^{n}_{q}$ .
3.

Choose noise vectors $\mathbf{e}_{0}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},r}$ , $\mathbf{e}_{2}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},r}$ .

Set $\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T}$ , $\mathbf{c}_{2}^{T}=\mathbf{s}^{T}\mathbf{U}_{1}+\mathbf{e}_{2}^{T}+\mathbf{m}^{T}\left\lfloor\frac{q}{2}\right\rfloor$ and

	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R},\mathbf{c}_{0}^{T},r,\tau)$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T},r,\tau)+\left(\mathbf{k}\left\lfloor\frac{q}{2}\right\rfloor\right)^{T}$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T},r,\tau)$

where $\mathbf{R}=[\mathbf{R}_{1}|\dots|\mathbf{R}_{\ell}]$ .

5.

Output $\mathsf{CT}_{0}^{\ast}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ .

Observe that $\mathbf{c}_{0}$ and $\mathbf{c}_{3}$ are distributed exactly as they as in the previous game. Since

	$\displaystyle\mathbf{F}_{\mathsf{id}^{\ast}}$	$\displaystyle=[\mathbf{A}\|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}^{\ast}_{1})\mathbf{G}\|\dots\|\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}^{\ast}_{\ell})\mathbf{G}]\in\mathbb{Z}^{n\times(m+\ell\omega)}_{q}$
		$\displaystyle=[\mathbf{A}\|\mathbf{A}\mathbf{R}_{1}\|\dots\|\mathbf{A}\mathbf{R}_{\ell}]=[\mathbf{A}\|\mathbf{A}\mathbf{R}]$

by Lemma 7, we get

	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle=\mathsf{ReRand}(\mathbf{R}=[\mathbf{R}_{1}\|\dots\|\mathbf{R}_{\ell}],\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},r,\tau)=\mathbf{s}^{T}\mathbf{A}\mathbf{R}+\mathbf{e}^{T}_{1},$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle=\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},r,\tau)+\left(\mathbf{k}\left\lfloor\frac{q}{2}\right\rfloor\right)^{T}$
		$\displaystyle=\mathbf{s}^{T}\mathbf{A}\overline{\mathbf{R}}+\mathbf{e}^{T}_{3}=\mathbf{s}^{T}\mathbf{U}_{2}+\mathbf{e}^{T}_{3}+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor,$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle=\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},r,\tau)$
		$\displaystyle=\mathbf{s}^{T}\mathbf{A}\mathbf{R}_{0}+\mathbf{e}^{T}_{4}=\mathbf{s}^{T}(\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G})+\mathbf{e}_{4}^{T}$

where the distribution of $\mathbf{e}_{1},\mathbf{e}_{3}$ and $\mathbf{e}_{4}$ are statistically close to $\mathcal{D}^{\ell\omega}_{\mathbb{Z},2r\tau}$ , $\mathcal{D}^{\lambda}_{\mathbb{Z},2r\tau}$ and $\mathcal{D}^{\omega}_{\mathbb{Z},2r\tau}$ , respectively. So we yields that Game 1 and Game 2 are statistically close in the adversary’s point of view, the adversary’s advantage against Game 2 will be the same as Game 1.

|\Pr[G_{2}]-\Pr[G_{1}]|\leq\mathsf{negl}(\lambda).

Theorem 4.1 then follows from the reduction from the LWE problem by the following lemma.

Lemma 13.

If there exists an adversary $\mathcal{A}$ that wins the Game 2 with non-negligible advantage then there is an adversary $\mathcal{B}$ that solves the LWE problem, i.e., $\mathsf{Adv}_{\mathcal{A}}^{Game2}\leq\mathsf{Adv}_{\mathcal{B}}^{\textsf{LWE}_{n,m+\lambda,q,r}}(\lambda)$ for some LWE adversary $\mathcal{B}$ .

Proof of Lemma 13. Recall that an LWE problem instance is provided as a sampling oracle $\mathcal{O}$ . $\mathcal{B}$ requests from oracle $\mathcal{O}$ and receives a decisional $\textsf{LWE}_{n,m+\lambda,q,r}$ problem sample $(\mathbf{C},\mathbf{c}^{T}=\mathbf{u}^{T}+\mathbf{e}^{T})$ where $\mathbf{C}$ is a random matrix in $\mathbb{Z}^{n\times(m+\lambda)}_{q}$ , $\mathbf{c}\in\mathbb{Z}^{m+\lambda}$ and $\mathbf{e}$ is sampled from the distribution $\mathcal{D}^{m+\lambda}_{\mathbb{Z},r}$ . $\mathcal{B}$ needs to decide whether $\mathbf{u}$ is truly random $\mathcal{O}_{\$}$ or a noisy pseudo-random $\mathcal{O}_{s}$ for some secret random $\mathbf{s}\in\mathbb{Z}^{n}_{q}$ such that $\mathbf{u}^{T}=\mathbf{s}^{T}\mathbf{C}$ . $\mathcal{B}$ simulates Game 2 with adversary $\mathcal{A}$ and uses the guess from $\mathcal{A}$ to respond LWE challenges.

After receiving the challenge identity $\mathsf{id}^{\ast}=(\mathsf{id}^{\ast}_{1},\dots,\mathsf{id}^{\ast}_{\ell})$ ( $\ell\leq d$ ) from $\mathcal{A}$ , $\mathcal{B}$ constructs the simulator as follows:

•

Split $\mathbf{C}=[\mathbf{A}|\mathbf{U}_{1}]$ where $\mathbf{A}\in\mathbb{Z}^{n\times m}_{q}$ and $\mathbf{U}_{1}\in\mathbb{Z}^{n\times\lambda}_{q}$ .
•

Sample $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ , $\overline{\mathbf{R}}\leftarrow\mathcal{D}^{m\times\lambda}_{\mathbb{Z},\omega(\sqrt{\log n})}$ and set $\mathbf{R}=[\mathbf{R}_{1}|\dots|\mathbf{R}_{\ell}]$ .
•

Set $\mathbf{A}_{0}\leftarrow\mathbf{A}\mathbf{R}_{0}-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G}$ .
•

Set $\mathbf{A}_{i}\leftarrow\mathbf{A}\mathbf{R}_{i}-\mathsf{H}(\mathsf{id}_{i}^{\ast})\mathbf{G}$ for $i=1,\dots,\ell$ and $\mathbf{A}_{i}\leftarrow\mathbf{A}\mathbf{R}_{i}$ for $\ell<i\leq d$ .
•

Set $\mathbf{U}_{2}\leftarrow\mathbf{A}\overline{\mathbf{R}}$ and sample $\mathbf{U}_{1}\leftarrow\mathbb{Z}^{n\times\lambda}_{q}$ .
•

Send the master public key

$\mathsf{MPK}=(\mathbf{A},\mathbf{A}_{0},\mathbf{A}_{1},\dots,\mathbf{A}_{d},\mathbf{U}_{1},\mathbf{U}_{2})$

to $\mathcal{A}$ and keep $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d},\overline{\mathbf{R}}$ secret.
•

Respond to the key derivation queries and tracing key queries as in Game 2.
•

Split $\mathbf{c}^{T}=(\bar{\mathbf{c}}^{T}|\tilde{\mathbf{c}}^{T})\in\mathbb{Z}_{q}^{m+\lambda}$ where $\bar{\mathbf{c}}^{T}=\bar{\mathbf{u}}^{T}+\bar{\mathbf{e}}^{T}\in\mathbb{Z}_{q}^{m}$ and $\tilde{\mathbf{c}}^{T}=\tilde{\mathbf{u}}^{T}+\tilde{\mathbf{e}}^{T}\in\mathbb{Z}^{\lambda}_{q}$ .

•

Create the challenge ciphertext $\mathsf{CT}^{\ast}$ :

1.

Sample $\mathbf{k}\leftarrow\{0,1\}^{\lambda}$ .
2.

Set $\mathbf{c}_{0}^{T}=\bar{\mathbf{c}}^{T}$ , $\mathbf{c}_{2}^{T}=\tilde{\mathbf{c}}^{T}+\mathbf{m}^{T}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor$ .

Set

	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R},\mathbf{c}_{0}^{T},r,\tau)$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T},r,\tau)+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T},r,\tau)$

4.

Send $\mathsf{CT}^{\ast}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ to $\mathcal{A}$ .

When LWE oracle is pseudorandom (i.e. $\mathcal{O}=\mathcal{O}_{s})$ then $\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T}$ , $\mathbf{c}_{2}^{T}=\mathbf{s}^{T}\mathbf{U}_{1}+\mathbf{e}^{T}_{2}+\mathbf{m}^{T}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor$ , meaning that $\mathsf{CT}^{\ast}$ is a valid challenge ciphertext that encrypts challenge message $\mathbf{m}$ for the target identity $\mathsf{id}^{*}$ .
When LWE oracle is a random oracle (i.e. $\mathcal{O}=\mathcal{O}_{\$}$ ), $\mathbf{c}^{T}$ is uniformly random in $\mathbb{Z}^{m+\lambda}_{q}$ and thus $\mathsf{CT}^{\ast}$ distributes as a ciphertext encrypted for a random identity in the identity space. Indeed, we have

	$\displaystyle\mathbf{c}_{0}^{T}$	$\displaystyle=\bar{\mathbf{u}}^{T}+\mathbf{e}_{0}^{T}$
	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle=\mathsf{ReRand}(\mathbf{R},\mathbf{c}_{0}^{T},r,\tau)=\bar{\mathbf{u}}^{T}\mathbf{R}+\mathbf{e}_{1}^{T}$
	$\displaystyle\mathbf{c}_{2}^{T}$	$\displaystyle=\tilde{\mathbf{u}}^{T}+\mathbf{e}_{2}^{T}+\mathbf{m}^{T}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle=\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T},r,\tau)+\mathbf{m}^{T}\left\lfloor\frac{q}{2}\right\rfloor=\bar{\mathbf{u}}^{T}\overline{\mathbf{R}}+\mathbf{e}_{3}^{T}+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle=\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T},r,\tau)=\bar{\mathbf{u}}^{T}\mathbf{R}_{0}+\mathbf{e}_{4}^{T}$

where $\mathbf{e}_{1}$ , $\mathbf{e}_{3}$ and $\mathbf{e}_{4}$ are statistically close to $\mathcal{D}^{\ell\omega}_{\mathbb{Z},2r\tau}$ , $\mathcal{D}^{\lambda}_{\mathbb{Z},2r\tau}$ and $\mathcal{D}^{\omega}_{\mathbb{Z},2r\tau}$ , respectively. Since ${\mathbf{u}}=(\bar{\mathbf{u}}|\tilde{\mathbf{u}})$ is a random vector, the following distributions are negligibly close by using Lemma 4:

(\mathbf{A},\mathbf{A}\mathbf{R},\mathbf{A}\overline{\mathbf{R}},\mathbf{A}\mathbf{R}_{0},\bar{\mathbf{u}}^{T},\bar{\mathbf{u}}^{T}\mathbf{R},\bar{\mathbf{u}}^{T}\overline{\mathbf{R}},\bar{\mathbf{u}}^{T}\mathbf{R}_{0})\approx(\mathbf{A},\mathbf{B}_{\mathsf{id}^{\prime}},\mathbf{U}_{2},\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G},\bar{\mathbf{u}}^{T},\mathbf{u}_{1}^{T},\mathbf{u}_{2}^{T},\mathbf{u}_{3}^{T})

where $\mathbf{A}$ is a random matrix in $\mathbb{Z}^{n\times m}_{q}$ , $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ , $\overline{\mathbf{R}}\leftarrow\mathcal{D}^{m\times\lambda}_{\mathbb{Z},\omega(\sqrt{\log n})}$ , $\mathbf{R}=[\mathbf{R}_{1}|\dots|\mathbf{R}_{\ell}]$ ( $\ell\leq d$ ), $\mathbf{B}_{\mathsf{id}^{\prime}}=[\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}^{\prime}_{1})\mathbf{G}|\dots|\mathbf{A}_{\ell}+\mathsf{FRD}(\mathsf{id}^{\prime}_{\ell})\mathbf{G}]$ for a random identity $\mathsf{id}^{\prime}=(\mathsf{id}^{\prime}_{1},\ldots,\mathsf{id}^{\prime}_{\ell})$ of level $\ell$ , and $\mathbf{u}_{1}\in\mathbb{Z}^{\ell\omega}_{q}$ , $\mathbf{u}_{2}\in\mathbb{Z}^{\lambda}_{q}$ , $\mathbf{u}_{3}\in\mathbb{Z}^{\omega}_{q}$ are uniformly random vectors. Therefore, in the view of the adversary $\mathcal{A}$ , when the LWE oracle is random, $\mathsf{CT}^{\ast}$ distributes as a ciphertext encrypted message $\mathbf{m}$ for a random identity. This implies that

\mathsf{Adv}_{\mathcal{A}}^{Game2}\leq\mathsf{Adv}_{\mathcal{B}}^{\textsf{LWE}_{n,q,m+\lambda,r}}(\lambda).

∎

4.2 Proof of Ciphertext Indistinguishability

Finally, we will prove that our proposed AHIBET scheme is IND-sID-CPA secure in the standard model. Recall that indistinguishable from random meaning that the challenge ciphertext encrypted for a given message $\mathbf{m}^{\ast}$ is computationally indistinguishable from a challenge ciphertext encrypted for a random message $\mathbf{m}$ in the message space on the same challenge identity $\mathsf{id}^{\ast}$ .

Theorem 4.2.

The AHIBET scheme $\Pi:=(\mathsf{Setup},\mathsf{Extract},\mathsf{Derive},\mathsf{Encrypt},\mathsf{Decrypt},\mathsf{TskGen},\mathsf{TkVer})$ with parameters $(\lambda,n,m,q,\omega,\bar{\sigma},\tau,\alpha,r)$ as in (1) is IND-sID-CPA secure for the maximal hierarchy depth $d$ provided that the hardness $\textsf{LWE}_{n,q,m+\lambda,r}$ assumption holds.

Proof.

We will proceed the proof via a sequence of games where the Game 0 is identical to the original IND-sID-CPA game and the adversary has no advantage in winning the last game. Let $\mathcal{A}$ be a PPT adversary that attacks the AHIBET scheme $\Pi$ and has advantage $\mathsf{Adv}_{\mathcal{A},\Pi}^{\textsf{IND-sID-CPA}}=\epsilon$ . We will then construct a simulator $\mathcal{B}$ that solves the LWE problem using $\mathcal{A}$ .
In Game $i$ , let $G_{i}$ denote the event that the adversary $\mathcal{A}$ win the game. The adversary’s advantage in Game $i$ is $|\Pr[G_{i}]-\frac{1}{2}|$ .

Game 0.

This is the original IND-sID-CPA game between the adversary $\mathcal{A}$ against our scheme and an IND-sID-CPA challenger.

\mathsf{Adv}_{\mathcal{A},\Pi}^{\textsf{IND-sID-CPA}}=\left|\Pr[G_{0}]-\frac{1}{2}\right|=\left|\Pr[b^{\prime}=b]-\frac{1}{2}\right|.

Game 1.

Game 1 is similar to Game 0 except that we slightly modify the way that the challenger $\mathcal{C}$ generates the master public key $\mathsf{MPK}$ and responds to the key derivation oracles $\mathcal{O}_{\mathsf{Derive}}$ and tracing key oracles $\mathcal{O}_{\mathsf{TskGen}}$ . Let $\mathsf{id}^{\ast}=(\mathsf{id}^{\ast}_{1},\dots,\mathsf{id}^{\ast}_{\ell})$ $(\ell\leq d)$ be the identity that $\mathcal{A}$ intends to attack. After receiving $\mathsf{id}^{\ast}$ , $\mathcal{C}$ does:

1.

Sample $\mathbf{A}\leftarrow\mathbb{Z}_{q}^{n\times m}$ , $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d}\leftarrow\mathcal{D}^{m\times\omega}_{\mathbb{Z},\omega(\sqrt{\log n})}$ and $\mathbf{D}_{0}\leftarrow\mathcal{D}^{m\times\lambda}_{\mathbb{Z},\sigma_{1}}$ , $\mathbf{D}_{1}\leftarrow\mathcal{D}^{\omega\times\lambda}_{\mathbb{Z},\sigma_{1}}$ .
2.

Set $\mathbf{A}_{i}\leftarrow\mathbf{A}\mathbf{R}_{i}-\mathsf{FRD}(\mathsf{id}^{\ast})\mathbf{G}$ for $i=1,\dots,\ell$ and $\mathbf{A}_{i}\leftarrow\mathbf{A}\mathbf{R}_{i}$ for $\ell<i\leq d$ .
3.

Set $\overline{\mathbf{R}}\leftarrow\mathbf{D}_{0}+\mathbf{R}_{0}\mathbf{D}_{1}$ .
4.

Set $\mathbf{A}_{0}\leftarrow\mathbf{A}\mathbf{R}_{0}-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G}$ , $\mathbf{U}_{2}\leftarrow\mathbf{A}\overline{\mathbf{R}}$ and sample $\mathbf{U}_{1}\leftarrow\mathbb{Z}^{n\times\lambda}_{q}$ .
5.

Output the master public key

$\mathsf{MPK}=(\mathbf{A},\mathbf{A}_{0},\mathbf{A}_{1},\dots,\mathbf{A}_{d},\mathbf{U}_{1},\mathbf{U}_{2})$

and keep $\mathbf{R}_{0},\mathbf{R}_{1},\dots,\mathbf{R}_{d},\overline{\mathbf{R}}$ secret.

•

The adversary $\mathcal{A}$ is not allowed to ask for the key derivation queries of the challenge identity $\mathsf{id}^{\ast}$ and its prefixes. To respond to a key derivation query $\mathcal{O}_{\mathsf{Derive}}$ for an identity $\mathsf{id}=(\mathsf{id}_{1},\dots,\mathsf{id}_{k})$ , $\mathcal{C}$ sets:

\displaystyle\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}_{1}+\mathsf{FRD}(\mathsf{id}_{1})\mathbf{G}|\dots|\mathbf{A}_{k}+\mathsf{FRD}(\mathsf{id}_{k})\mathbf{G}]\in\mathbb{Z}^{n\times(m+k\omega)}_{q}.

–

If $k\leq\ell$ , then

\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}\mathbf{R}_{1}+(\mathsf{FRD}(\mathsf{id}_{1})-\mathsf{FRD}(\mathsf{id}^{\ast}_{1}))\mathbf{G}|\ldots|\mathbf{A}\mathbf{R}_{k}+(\mathsf{FRD}(\mathsf{id}_{k})-\mathsf{FRD}(\mathsf{id}^{\ast}_{k}))\mathbf{G}].

\mathbf{T}_{\mathsf{id}_{h}}\leftarrow\mathsf{SampleBasisRight}([\mathbf{A}|\mathbf{A}\mathbf{R}_{h}+(\mathsf{FRD}(\mathsf{id}_{h})-\mathsf{FRD}(\mathsf{id}_{h}^{\ast}))\mathbf{G}],\mathbf{R}_{h},\mathsf{FRD}(\mathsf{id}_{h})-\mathsf{FRD}(\mathsf{id}_{h}^{\ast}),\sigma_{1}).

–

If $k>\ell$ , then

\mathbf{F}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}\mathbf{R}_{1}|\ldots|\mathbf{A}\mathbf{R}_{\ell}|\mathbf{A}\mathbf{R}_{\ell+1}+\mathsf{FRD}(\mathsf{id}_{\ell+1})\mathbf{G}|\ldots|\mathbf{A}\mathbf{R}_{k}+\mathsf{FRD}(\mathsf{id}_{k})\mathbf{G}]

and $\mathsf{FRD}(\mathsf{id}_{\ell+1})\in\mathbb{Z}^{n\times n}_{q}$ is an invertible matrix. The challenger $\mathcal{C}$ samples

\mathbf{T}_{\mathsf{id}_{\ell+1}}\leftarrow\mathsf{SampleBasisRight}([\mathbf{A}|\mathbf{A}\mathbf{R}_{\ell+1}+\mathsf{FRD}(\mathsf{id}_{\ell+1})\mathbf{G}],\mathbf{R}_{\ell+1},\mathsf{FRD}(\mathsf{id}_{\ell+1}),\sigma_{1})

•

\mathbf{F}^{\prime}_{\mathsf{id}}=[\mathbf{A}|\mathbf{A}\mathbf{R}_{0}+(\mathsf{FRD}(\mathsf{H}(\mathsf{id}))-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast})))\mathbf{G}]

\mathbf{D}^{\prime}_{\mathsf{id}}\leftarrow\mathsf{SampleBasisRight}(\mathbf{F}^{\prime}_{\mathsf{id}},\mathbf{R}_{0},\mathsf{FRD}(\mathsf{H}(\mathsf{id}))-\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G},\sigma_{1})

then invokes the algorithm $\mathsf{SamplePre}$

\mathbf{D}_{\mathsf{id}}\leftarrow\mathsf{SamplePre}(\mathbf{F}^{\prime}_{\mathsf{id}},\mathbf{D}^{\prime}_{\mathsf{id}},\mathbf{U}_{2},\sigma_{1})\in\mathbb{Z}^{(m+\omega)\times\lambda}_{q}

and returns $\mathsf{Tsk}_{\mathsf{id}}=\mathbf{D}_{\mathsf{id}}$ .

To respond to the tracing key query of $\mathsf{id}^{\ast}=(\mathsf{id}^{\ast}_{1},\dots,\mathsf{id}^{\ast}_{\ell})$ , the challenger $\mathcal{C}$ sets:

\mathsf{Tsk}_{\mathsf{id}^{\ast}}=\mathbf{D}_{\mathsf{id}^{\ast}}=\begin{bmatrix}\mathbf{D}_{0}\\ \mathbf{D}_{1}\end{bmatrix}\in\mathbb{Z}^{(m+\omega)\times\lambda}

so that

[\mathbf{A}|\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast}))\mathbf{G}]\mathbf{D}_{\mathsf{id}^{\ast}}=[\mathbf{A}|\mathbf{A}\mathbf{R}_{0}]\begin{bmatrix}\mathbf{D}_{0}\\ \mathbf{D}_{1}\end{bmatrix}=\mathbf{A}\mathbf{D}_{0}+\mathbf{A}\mathbf{R}_{0}\mathbf{D}_{1}=\mathbf{A}\overline{\mathbf{R}}=\mathbf{U}_{2}.

Using Lemma 4 with $\sigma_{1}\geq O(\sqrt{m})\cdot\omega(\log n)$ we have: the distribution of $\mathbf{U}_{2}$ is statistically close to uniform over $\mathbb{Z}^{\lambda}_{q}$ and $\mathbf{D}_{\mathsf{id}^{\ast}}$ has the distribution $\mathcal{D}^{(m+\omega)\times\lambda}_{\mathbb{Z},\sigma_{1}}$ . Since the master public key $\mathsf{MPK}$ and responses to key derivation queries and the tracing key queries are statistically close to those in Game 0, the adversary’s advantage in Game 1 is at most negligibly different form its advantage in Game 0.

|\Pr[\mathbf{G}_{1}]-\Pr[\mathbf{G}_{0}]|\leq\mathsf{negl}(\lambda).

Game 2.

Game 2 is similar to Game 1 except that we modify the construction of the challenge ciphertext $\mathsf{CT}^{*}$ . The challenger $\mathcal{C}$ sets $\mathbf{m}_{0}=\mathbf{m}^{\ast}$ , chooses a random bit $b\in\{0,1\}$ , a random message $\mathbf{m}_{1}$ in the message space and generates the ciphertext $\mathsf{CT}_{b}^{\ast}$ for a message $\mathbf{m}_{b}\in\{0,1\}^{\lambda}$ of the identity $\mathsf{id}^{\ast}$ as follows:

1.

Sample $\mathbf{k}\leftarrow\{0,1\}^{\lambda}$ .
2.

Sample $\mathbf{s}\leftarrow\mathbb{Z}^{n}_{q}$ .
3.

Choose noise vectors $\mathbf{e}_{0}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},r}$ , $\mathbf{e}_{2}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},r}$ .

Set $\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T}$ , $\mathbf{c}_{2}^{T}=\mathbf{s}^{T}\mathbf{U}_{1}+\mathbf{e}_{2}^{T}+\mathbf{m}^{T}_{b}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor$ and

	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R},\mathbf{c}_{0}^{T},r,\tau)$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T},r,\tau)+\left(\mathbf{k}\left\lfloor\frac{q}{2}\right\rfloor\right)^{T}$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T},r,\tau)$

where $\mathbf{R}=[\mathbf{R}_{1}|\dots|\mathbf{R}_{\ell}]$ and $\overline{\mathbf{R}}=\mathbf{D}_{0}+\mathbf{R}_{0}\mathbf{D}_{1}$ . Note that $\|\overline{\mathbf{R}}\|<\tau$ by the way that the game generates the matrices $\mathbf{R}_{0},\mathbf{D}_{0}$ and $\mathbf{D}_{1}$ .

5.

Output $\mathsf{CT}_{0}^{\ast}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ .

We have that $\mathbf{c}_{0}$ , $\mathbf{c}_{2}$ are distributed exactly as in the previous game, besides

	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle=\mathsf{ReRand}(\mathbf{R}=[\mathbf{R}_{1}\|\dots\|\mathbf{R}_{\ell}],\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},r,\tau)$
		$\displaystyle=\mathbf{s}^{T}\mathbf{A}\mathbf{R}+\mathbf{e}^{T}_{1}$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle=\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},r,\tau)+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor=\mathbf{s}^{T}\mathbf{A}\overline{\mathbf{R}}+\mathbf{e}^{T}_{2}+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor$
		$\displaystyle=\mathbf{s}^{T}\mathbf{A}(\mathbf{D}_{0}+\mathbf{R}_{0}\mathbf{D}_{1})+\mathbf{e}^{T}_{3}+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor=\mathbf{s}^{T}\mathbf{U}_{2}+\mathbf{e}_{3}^{T}+\mathbf{k}^{T}\left\lfloor\frac{q}{2}\right\rfloor$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle=\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T}=\mathbf{s}^{T}\mathbf{A}+\mathbf{e}_{0}^{T},r,\tau)$
		$\displaystyle=\mathbf{s}^{T}\mathbf{A}\mathbf{R}_{0}+\mathbf{e}^{T}_{4}=\mathbf{s}^{T}(\mathbf{A}_{0}+\mathsf{FRD}(\mathsf{H}(\mathsf{id}^{\ast})\mathbf{G})+\mathbf{e}_{4}^{T}$

where the distribution of $\mathbf{e}_{1}$ , $\mathbf{e}_{3}$ and $\mathbf{e}_{4}$ are statistically close to $\mathcal{D}^{\ell\omega}_{\mathbb{Z},2r\tau}$ , $\mathcal{D}^{\lambda}_{\mathbb{Z},2r\tau}$ and $\mathcal{D}^{\omega}_{\mathbb{Z},2r\tau}$ , respectively. So we yields that Game 1 and Game 2 are statistically close in the adversary’s point of view, the adversary’s advantage against Game 2 will be the same as Game 1.

|\Pr[G_{2}]-\Pr[G_{1}]|\leq\mathsf{negl}(\lambda).

Game 3.

In this game, we keep changing how the challenge ciphertext is created. The challenger $\mathcal{C}$ does:

1.

Sample $\mathbf{k}\leftarrow\{0,1\}^{\lambda}$ .
2.

Sample $\bar{\mathbf{u}}\leftarrow\mathbb{Z}^{m}_{q}$ and $\widetilde{\mathbf{u}}\leftarrow\mathbb{Z}^{\lambda}_{q}$
3.

Choose noise vectors $\mathbf{e}_{0}\leftarrow\mathcal{D}^{m}_{\mathbb{Z},r}$ , $\mathbf{e}_{2}\leftarrow\mathcal{D}^{\lambda}_{\mathbb{Z},r}$ .

Set $\mathbf{c}_{0}=\bar{\mathbf{u}}+\mathbf{e}_{0}$ , $\mathbf{c}_{2}=\widetilde{\mathbf{u}}+\mathbf{e}_{2}+\mathbf{m}_{b}\left\lfloor\frac{q}{2}\right\rfloor$ and

	$\displaystyle\mathbf{c}_{1}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R},\mathbf{c}_{0}^{T},r,\tau)$
	$\displaystyle\mathbf{c}_{3}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\overline{\mathbf{R}},\mathbf{c}_{0}^{T},r,\tau)+\left(\mathbf{k}\left\lfloor\frac{q}{2}\right\rfloor\right)^{T}$
	$\displaystyle\mathbf{c}_{4}^{T}$	$\displaystyle\leftarrow\mathsf{ReRand}(\mathbf{R}_{0},\mathbf{c}_{0}^{T},r,\tau)$

where $\mathbf{R}=[\mathbf{R}_{1}|\dots|\mathbf{R}_{\ell}]$ .

5.

Output $\mathsf{CT}_{0}^{\ast}=(\mathbf{c}_{0},\mathbf{c}_{1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\mathbf{k})$ .

Observe that the ciphertext $\mathbf{c}_{2}=\widetilde{\mathbf{u}}+\mathbf{e}_{2}+\mathbf{m}_{b}\left\lfloor\displaystyle{\frac{q}{2}}\right\rfloor$ in Game 3 is uniformly random over $\mathbb{Z}^{\lambda}_{q}$ . Therefore, the ciphertext is independent from $\mathbf{m}_{b}$ in the adversary $\mathcal{A}$ ’s view. Hence, both $\mathsf{CT}_{0}^{\ast}$ and $\mathsf{CT}_{1}^{\ast}$ is statistically close to the uniform distribution over the ciphertext space, and the adversary $\mathcal{A}$ has no advantage in winning the game. We have

\left|\Pr[G_{3}]-\displaystyle{\frac{1}{2}}\right|\leq\mathsf{negl}{(\lambda)}.

Moreover, using the same reduction technique as in the Anonymity Game in the previous subsection, we can construct a simulator $\mathcal{B}$ that solves LWE problem if adversary $\mathcal{A}$ is able to distinguish between Game 2 and Game 3. Therefore we have

|\Pr[G_{3}]-\Pr[G_{2}]|\leq\mathsf{Adv}^{\textsf{LWE}_{n,q,m+\lambda,r}}_{\mathcal{B}}(\lambda),

which completes the proof of Theorem 2.

∎

5 Conclusion

In this paper, we propose a Lattice-based Anonymous Hierarchical Identity-Based Encryption scheme with Traceable Identities (AHIBET) and prove that our scheme is secure in the standard model based on the decisional LWE assumption.

References

[ABB10a] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In Henri Gilbert, editor, Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings, volume 6110 of Lecture Notes in Computer Science, pages 553–572. Springer, 2010.
[ABB10b] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical ibe. In Tal Rabin, editor, Advances in Cryptology – CRYPTO 2010, pages 98–115, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
[BB04] Dan Boneh and Xavier Boyen. Efficient selective-id secure identity-based encryption without random oracles. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology - EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, volume 3027 of Lecture Notes in Computer Science, pages 223–238. Springer, 2004.
[BBG05] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size ciphertext. In Ronald Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of Lecture Notes in Computer Science, pages 440–456. Springer, 2005.
[BBP19] Olivier Blazy, Laura Brouilhet, and Duong Hieu Phan. Anonymous identity based encryption with traceable identities. In Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES ’19, New York, NY, USA, 2019. Association for Computing Machinery.
[BF01] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the weil pairing. In Joe Kilian, editor, Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer, 2001.
[BFRS18] Pauline Bert, Pierre-Alain Fouque, Adeline Roux-Langlois, and Mohamed Sabt. Practical implementation of ring-sis/lwe based signature and IBE. In Tanja Lange and Rainer Steinwandt, editors, Post-Quantum Cryptography - 9th International Conference, PQCrypto 2018, Fort Lauderdale, FL, USA, April 9-11, 2018, Proceedings, volume 10786 of Lecture Notes in Computer Science, pages 271–291. Springer, 2018.
[BW06a] Xavier Boyen and Brent Waters. Anonymous hierarchical identity-based encryption (without random oracles). In Cynthia Dwork, editor, Advances in Cryptology - CRYPTO 2006, pages 290–307, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.
[BW06b] Xavier Boyen and Brent Waters. Compact group signatures without random oracles. In Serge Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, pages 427–444, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.
[CHKP10] David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert. Bonsai trees, or how to delegate a lattice basis. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 523–552. Springer, 2010.
[DMR16] Manuel Díaz, Cristian Martín, and Bartolomé Rubio. State-of-the-art, challenges, and open issues in the integration of internet of things and cloud computing. J. Netw. Comput. Appl., 67:99–117, 2016.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Cynthia Dwork, editor, Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17-20, 2008, pages 197–206. ACM, 2008.
[GS02] Craig Gentry and Alice Silverberg. Hierarchical id-based cryptography. In Yuliang Zheng, editor, Advances in Cryptology - ASIACRYPT 2002, 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002, Proceedings, volume 2501 of Lecture Notes in Computer Science, pages 548–566. Springer, 2002.
[JLL⁺18] Liaoliang Jiang, Tong Li, Xuan Li, Mohammed Atiquzzaman, Haseeb Ahmad, and Xianmin Wang. Anonymous communication via anonymous identity-based encryption and its application in iot. Wireless Communications and Mobile Computing, 2018:1–8, 11 2018.
[KY16] Shuichi Katsumata and Shota Yamada. Partitioning via non-linear polynomial functions: More compact ibes from ideal lattices and bilinear maps, 2016.
[LTT⁺21] Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo, and Yu-Chi Chen. Quantum-resistant anonymous IBE with traceable identities. IACR Cryptol. ePrint Arch., 2021:33, 2021.
[MP12] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 700–718. Springer, 2012.
[Pei09] Chris Peikert. Bonsai trees (or, arboriculture in lattice-based cryptography). IACR Cryptology ePrint Archive, 2009:359, 01 2009.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6):34, 2009.
[Sha84] Adi Shamir. Identity-based cryptosystems and signature schemes. In G. R. Blakley and David Chaum, editors, Advances in Cryptology, Proceedings of CRYPTO ’84, Santa Barbara, California, USA, August 19-22, 1984, Proceedings, volume 196 of Lecture Notes in Computer Science, pages 47–53. Springer, 1984.
[SRB14] Kunwar Singh, C. Pandu Rangan, and A. K. Banerjee. Efficient lattice hibe in the standard model with shorter public parameters. In Linawati, Made Sudiana Mahendra, Erich J. Neuhold, A. Min Tjoa, and Ilsun You, editors, Information and Communication Technology, pages 542–553, Berlin, Heidelberg, 2014. Springer Berlin Heidelberg.
[Wat05] Brent Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of Lecture Notes in Computer Science, pages 114–127. Springer, 2005.