Security and Communication Networks
Volume 2019, Article ID 1816393, 12 pages
https://doi.org/10.1155/2019/1816393
Research Article

Deterministic Identity-Based Encryption from Lattice-Based Programmable Hash Functions with High Min-Entropy

Daode Zhang,1,2,3 Jie Li,1,2,3 Bao Li,1,2,3 Xianhui Lu,1,2,3 Haiyang Xue,1,2,3 Dingding Jia,1,2,3 and Yamin Liu1,2,3

1School of Cyber Security, University of Chinese Academy of Sciences, China
2State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
3Data Assurances and Communications Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

Correspondence should be addressed to Haiyang Xue; nc.ca.eii@gnayiaheux

Received 18 January 2018; Accepted 3 December 2018; Published 13 January 2019

Academic Editor: Salvatore D’Antonio

Copyright © 2019 Daode Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Only one deterministic identity-based encryption (DIBE) scheme exists that is adaptively secure in the auxiliary-input setting under the learning with errors (LWE) assumption. However, the master public key consists of basic matrices. In this paper, we construct adaptively secure DIBE schemes with more compact public parameters from the LWE problem. (i) On the one hand, we give a generic DIBE construction from lattice-based programmable hash functions (LPHFs) with high min-entropy. (ii) On the other hand, when instantiating our generic DIBE construction with four LPHFs with high min-entropy, we get four adaptively secure DIBE schemes with more compact public parameters. In one of our DIBE schemes, the master public key only consists of basic matrices.

1. Introduction

A DIBE scheme is an identity-based encryption (IBE) scheme [1] whose encryption algorithm is deterministic. This primitive was proposed by Bellare et al. [2] by extending the security definition under high min-entropy to the identity-based setting. In order to construct DIBE schemes, Bellare et al. [2] first defined the notion of identity-based lossy trapdoor functions (IB-LTDFs). They then obtained a DIBE scheme by constructing an IB-LTDF with a universal property, based on the DLIN assumption. However, due to the inherent limitation of IB-LTDFs, their scheme can only achieve selective security; i.e., the adversary must commit to a challenge identity before getting the master public key from the challenger.

In SCN12, Xie et al. [3] gave a more efficient secure DIBE scheme in the auxiliary-input setting, based on the hardness of the LWE problem. In their scheme, there are only 3 matrices in the master public key. However, like the scheme in [2], it only satisfies selective security. The more significant contribution of Xie et al. [3] is that they proposed the first DIBE scheme with the much more realistic adaptive security (or equivalently, full security) in the auxiliary-input setting, based on the same assumption. To the best of our knowledge, their scheme is the only DIBE scheme that achieves adaptive security. However, their scheme requires basic matrices in the master public key so that it is less efficient than their selectively secure scheme, where is the bit length of the identity and .

Our Contributions. In this paper, we construct adaptively secure DIBE schemes with more compact public parameters from the LWE problem.
(i) We give a generic DIBE construction from lattice-based programmable hash functions (LPHFs) with high min-entropy [4]. Note that the adaptively secure DIBE in [3] is in our framework.
(ii) We present more instantiations of LPHFs with high min-entropy. In fact, most of these instantiations are already implicit in recent works. Following the work of Zhang et al. [4], who proved that the IBE schemes in [4–6] imply instantiations of LPHFs with high min-entropy, we show that LPHFs with high min-entropy can be constructed from partitioning functions with compatible algorithms [7]. And we show that the IBE schemes in [8–10] naturally imply instantiations of LPHFs with high min-entropy. Combining with the result of Zhang et al., we conclude that the adaptively secure and anonymous IBE schemes in [4–10] naturally imply instantiations of LPHFs with high min-entropy (note that Boyen and Li [11] constructed an adaptively secure and anonymous IBE scheme with tight security. However, their construction does not imply a LPHF and is not in our framework).
(iii) When instantiating our generic DIBE construction with four LPHFs with high min-entropy in [4, 7, 8], we can get four adaptively secure DIBE schemes with more compact public parameters. In our DIBE schemes, the master public key, respectively, consists of number of basic matrices, where denotes the number of key extraction queries. Please see more details in Table 1.

Table 1: Comparison of Adaptively Secure DIBE Schemes in the Auxiliary-Input Setting.

Related Works. In [2], Bellare et al. extended the notion of lossy trapdoor function (LTDF) to the identity-based setting and introduced the notion of identity-based LTDF (IB-LTDF). They used IB-LTDFs to construct a DIBE scheme with selective security from pairings. Soon afterwards, Escala et al. [12] extended the notion of IB-LTDF [2] and introduced the notion of hierarchical identity-based trapdoor functions (HIB-TDFs). With HIB-TDFs, they could construct deterministic hierarchical identity-based encryption (DHIBE) schemes. They instantiated HIB-TDFs from pairings and thereby constructed a pairing-based DHIBE scheme. Fang et al. [13] constructed a DHIBE scheme with selective security based on the hardness of the learning with rounding problem over small modulus [14]. In fact, a DHIBE with selective security implies a selectively secure DIBE. In SCN12, Xie et al. [3] gave a more efficient DIBE scheme with a security. Additionally, they also proposed the first and the only DIBE scheme with adaptive security in the auxiliary-input setting.

Remarks. This work is closely related to [15], in which we constructed the DIBE schemes , , and directly from the works of Yamada [7, 8]. As our understanding grew, we found that all adaptively secure DIBE schemes in [3, 15] can be explained by using LPHFs with high min-entropy (note that the adaptively secure DIBE scheme in [3] is constructed from the LPHF with high min-entropy in [5, 6]). So, in this paper, we present a generic DIBE construction from LPHFs with high min-entropy.

2. Preliminaries

Notations. Let be the security parameter, and all other quantities are implicitly dependent on . Let denote a negligible function and denote an unspecified function for some constant . A function is -hard-to-invert with respect to the distribution , if, given with , there exists no PPT algorithm that can find with probability better than . For , we use to denote a set . And, for integer , denotes the quotient ring of integer modulo . We use bold capital letters to denote matrices, such as , and bold lowercase letters to denote column vectors, such as , . The notations and denote the transpose of the matrix and the matrix of concatenating and , respectively.

For integers and , a rounding function is defined by .

2.1. Deterministic Identity-Based Encryption and Its Security

A deterministic identity-based encryption scheme with the identity space can be defined by a tuple of PPT algorithms . The algorithm takes a security parameter as input and outputs a master public key and a master secret key . The algorithm takes as input and outputs a private key . The deterministic algorithm takes and a message , and outputs a ciphertext . The deterministic algorithm decrypts ciphertexts using the private key . We require that, for all , all , and all in the specified message space, .

Definition 1 (see [3]). We say that a DIBE scheme is ---secure with respect to -hard-to-invert auxiliary inputs if for any PPT algorithm , for any efficiently sampled distribution , and for any efficiently computable , that is, -hard-to-invert with respect to , the advantage of in the following game is negligible.
. At the outset of the game, the challenger runs which outputs a pair and gives to .
. When adaptively makes key-extraction queries to the challenger, the challenger returns , for all in the key-extraction queries.
. At some point, outputs an identity , on which it wishes to be challenged. Then, the challenger picks a random coin , a message , a random ciphertext from the ciphertext space , and a function . If , it runs and gives the challenge ciphertext to . If , it gives to .
. can also adaptively make key-extraction queries to the challenger, with the restriction .
. Finally, makes a guess for . The advantage of is defined as
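Added example, not code from the paper: a simulation of the setup and challenge phases of the game in Definition 1, showing why the definition only covers message distributions that stay hard to guess. Because encryption is deterministic and uses only public values, an adversary can re-encrypt candidate messages and compare them with the challenge. The function `toy_enc` (a hash standing in for a deterministic encryption algorithm), the coin convention (0 = real ciphertext), the empty auxiliary input and the sample identity are assumptions of this sketch; key-extraction queries are omitted because this adversary does not need them.

```python
import hashlib
import random

def toy_enc(mpk: bytes, identity: bytes, msg: bytes) -> bytes:
    """Stand-in for a deterministic Enc(mpk, id, m): public inputs only, no
    randomness. Assumption for this demo; not the paper's lattice scheme."""
    h = hashlib.sha256()
    for part in (mpk, identity, msg):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.digest()

def rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")

# Constructed message distributions.
LOW_ENTROPY = [f"pin={i:02d}".encode() for i in range(16)]  # 4 bits of min-entropy

def low_entropy_msg(rng):
    return rng.choice(LOW_ENTROPY)

def high_entropy_msg(rng):
    return rand_bytes(rng, 16)  # 128 bits of min-entropy

def dictionary_adversary(candidates):
    """Guess the coin by re-encrypting every candidate under (mpk, id*)."""
    def guess(mpk, challenge_id, c, leak):
        hit = any(toy_enc(mpk, challenge_id, m) == c for m in candidates)
        return 0 if hit else 1  # 0 = "real ciphertext", 1 = "random"
    return guess

def run_game(rng, sample_msg, aux, adversary) -> bool:
    """Setup and challenge phases; True if the guess equals the coin."""
    mpk = rand_bytes(rng, 16)             # stand-in master public key
    challenge_id = b"alice@example.org"   # constructed challenge identity
    coin = rng.randrange(2)               # assumed convention: 0 real, 1 random
    m = sample_msg(rng)
    c = toy_enc(mpk, challenge_id, m) if coin == 0 else rand_bytes(rng, 32)
    return adversary(mpk, challenge_id, c, aux(m)) == coin

def advantage(sample_msg, candidates, trials=2000, seed=1) -> float:
    """Empirical |Pr[guess == coin] - 1/2| (seeded RNG: reproducible simulation)."""
    rng = random.Random(seed)
    adv = dictionary_adversary(candidates)
    no_leak = lambda m: b""               # auxiliary input f(m) revealing nothing
    wins = sum(run_game(rng, sample_msg, no_leak, adv) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("low-entropy messages :", advantage(low_entropy_msg, LOW_ENTROPY))
    print("high-entropy messages:", advantage(high_entropy_msg, LOW_ENTROPY))
```

With the 16-value distribution the adversary's guess is always right (advantage 1/2), while against 128-bit messages the same adversary's advantage stays close to 0.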

2.2. LPHFs with High Min-Entropy [4]

Let be some polynomials in the security parameter . By we denote the set of invertible matrices in . A hash function consists of two algorithms . Given the security parameter , the probabilistic polynomial time (PPT) key generation algorithm outputs a key ; i.e., . For any input , the efficient deterministic evaluation algorithm outputs a hash value ; i.e., .

Definition 2 (LPHFs). A hash function is a -LPHF if there exist a PPT trapdoor key generation algorithm and a PPT deterministic trapdoor evaluation algorithm such that given a uniformly random matrix and a (public) trapdoor matrix the following properties hold:
: the PPT algorithm outputs a key together with a trapdoor . Moreover, for any input , the deterministic algorithm returns and such that and hold with overwhelming probability over the trapdoor that is produced along with .
: for all possible , all , and its corresponding , we have
: for all and , the statistical distance between and is at most .
: for all , any inputs such that for any , we have that , where and .

Definition 3 (LPHFs with high min-entropy). Let be a -LPHF with and noticeable . Let be the key space of , and let and be a pair of trapdoor generation and trapdoor evaluation algorithms for . We say that is a revised LPHF with high min-entropy if, for uniformly random matrix and a (public) trapdoor matrix , the following condition holds:
(i) For any , any and its corresponding , the statistical distance between and is negligible in , where , .

Remark 4. Note that this definition of LPHFs with high min-entropy is much weaker than Zhang et al.’s definition of LPHFs with high min-entropy, which includes one additional requirement. In [9], Katsumata and Yamada found that this requirement is not necessary; i.e., we can define this weaker version of LPHFs with high min-entropy while keeping their functionality, namely constructing IBE schemes.

3. Generic DIBE Construction

Here, we construct an adaptively secure DIBE scheme in the auxiliary-input setting by using a LPHF with high min-entropy from to , where is negligible and is noticeable. Let and be a pair of trapdoor generation and trapdoor evaluation algorithms of that satisfies the condition in Definition 3, where integers are polynomials in the security parameter . Additionally, let integers . We assume and , where is the user identity space and is the message space. Our generic DIBE scheme is defined as follows.
(i) Setup. Algorithm takes as input, and generates a pair , where and . Then, it obtains . Finally, it outputs
(ii) Key Generation. Algorithm takes and as inputs. It first computes and then generates by running . It finally outputs .
(iii) Encryption. Algorithm takes , , as inputs. It first computes and, then, it outputs the ciphertext .
(iv) Decryption. To decrypt a ciphertext with a private key , the algorithm computes . Then, if it outputs , and otherwise it outputs .

3.1. Correctness and Parameter Selection

To ensure the correctness of the DIBE scheme and to make the security proof go through, the following requirements must be satisfied.
(i) in Lemma A.2 (Item 1) can work (), and it returns satisfying .
(ii) in Lemma A.2 (Item 2) can operate .
(iii) in Lemma A.2 (Item 3) can operate .
(iv) In order to keep the correctness of the DIBE scheme, i.e., in Lemma A.2 (Item 4) can work , where given by both and .
(v) (Lemma A.3) in the security proof can operate (, and , where
(vi) Lemma A.1 holds ( is super-polynomial and ).
(vii) , where .

To satisfy the above requirements, we set the parameters in Table 2. The private key size, ciphertext size, and ciphertext expansion factor in our scheme are , , and , respectively. To optimize the ciphertext expansion factor, we can choose , which makes the ciphertext expansion factor .

Table 2: Parameter Selection of Generic DIBE Construction.

3.2. Security of DIBE

Theorem 5. If is a LPHF with high min-entropy from to , where is negligible, is noticeable and independent of the modulus , and large enough . Then, the above DIBE scheme is ---secure with respect to -hard-to-invert auxiliary inputs, assuming is hard.

According to Lemma A.1, it is easy for us to get the following corollary.

Corollary 6. If is a -LPHF with high min-entropy from to , where is negligible, is noticeable and independent of the modulus and large enough . Then, the above DIBE scheme is ---secure with respect to -hard-to-invert auxiliary inputs, assuming is hard, where .

Proof of Theorem 5. Let be a PPT adversary that breaks the ---security with auxiliary inputs of the scheme. Moreover, let and be its advantage and the upper bound of the number of queries, respectively. And let denote the challenge ID along with the queried IDs. For any distribution over , let be a set of -hard-to-invert functions with respect to .
In order to prove the security of this scheme, we define a sequence of games. In each game, the challenger selects a uniform bit , while the adversary finally returns a guess bit to the challenger. The challenger sets in the first game; these values might be different in the later games. In the following, we define as the event that .
: this game is the original -- game with auxiliary inputs. By definition, we have
: this game is identical to except that the challenger changes the setup and challenge phase as below.
. It first generates a pair , where and . Then, it computes . Finally, it outputs and keeps the trapdoor private.
. The challenger directly uses to generate the challenge ciphertext. According to the property of , we have .
: this game is identical to except that the challenger performs the following additional step at the end of the game. The challenger first defines where and . Then, the challenger proceeds with the following steps:
: in the setup phase, the challenger generates a pair of . If , the challenger aborts the game and sets ignoring the output of . Otherwise, the following equation holds:
: Fix ; let be the probability over the random choice of . Then, the challenger samples times the probability by independently running and evaluating to compute an estimate . Then if , the challenger will abort with probability and sets ignoring the output of . Finally, when receiving from , the challenger sets .
For , let be the probability that the challenger does not abort in the abort check stage in , and let be the probability in the artificial abort stage of defined by . Since the adversary might obtain some information of from the challenge ciphertext, the probability might not be equal to the probability . Formally, let be the absolute difference between and (i.e., ). As we show in Lemma 8, we have So as not to interrupt the proof of Theorem 5, we intentionally skip the proof for the time being.
: this game is identical to except that the challenger changes setup, phases and , and challenge phase as below.
. It first selects a random matrix . Then, it computes . Finally, it outputs and keeps the trapdoor private.
When receiving the private key query with identity , the challenger first computes . If is not invertible, the challenger aborts the game and sets . Otherwise, it computes and sends to .
The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , we have Then, the challenger computes . Finally, the challenger returns to the adversary .
The challenger responds as in , when receiving the private key query with identity .
It is easy to see that
: in this game, the challenger changes the way that the challenge ciphertext is created when The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger first picks and chooses and computes Then, the challenger computes . Finally, the challenger returns to the adversary . Before analyzing the difference between and , we first define a “bad event” as follows: , where .
If does not occur for some , then we have It immediately follows that for any adversary
: in this game, the challenger changes the way that the challenge ciphertext is created when The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger first picks and and computes . It runs the algorithm to get ; i.e., in the Lemma A.3, where is the unit matrix of size . According to the property of the algorithm , we have
: in this game, the challenger changes the way that the challenge ciphertext is created when The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger first picks and sets . Then, it computes We construct an algorithm against the problem as follows. Given the problem instance of LWE , where . The task of is to distinguish whether for or . This subtle change from the standard is done only for convenience of the proof. simulates the security game for the adversary . If , the view of corresponds to ; otherwise, the view of corresponds to . As a result, we get that
: in this game, the challenger changes the way that the challenge ciphertext is created when . The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger computes instead of running the algorithm , where , , . According to the property of the algorithm , we have Because for the statistical distance between and is negligible in , where , is statistically close to uniform distribution over , therefore for uniform , by assumption on and . In the meantime, because is statistically close to uniform distribution over , we can get that Summing up (6), (8), (11), (13), (15), (17), (18), and (19), we can get

In order to prove Theorem 5, we should prove that (6) holds. We will use Lemma 28 in the full version of the work [5], which is described as follows.

Lemma 7 (see [5]). Let be a -ID tuple denoting the challenge ID along with the queried IDs, and define the probability that an abort does not happen in . Let and . For , we set as the event that at the end of . Then,

Lemma 8. If is a -LPHF with high min-entropy and , then

Proof. According to Lemma 7, we only need to compute , , and . By the definition of and in , we have , where is an estimate of . Since the challenger always samples times the probability to compute , according to the Chernoff bounds, we have and . As a result, the following equations hold: Finally, we have

4. Constructions of LPHFs with High Min-Entropy

In [4], Zhang et al. proved that the IBE schemes in [4–6] imply instantiations of LPHFs with high min-entropy. In fact, the IBE scheme in [10] also implies an instantiation of LPHF with high min-entropy.

In this section, we show that LPHFs with high min-entropy can be constructed from partitioning functions with compatible algorithms [7]. Moreover, we prove that the adaptively secure and anonymous IBE schemes in [8, 9] naturally imply instantiations of LPHFs with high min-entropy. In a word, the adaptively secure and anonymous IBE schemes in [4–10] naturally imply instantiations of LPHFs with high min-entropy.

4.1. From Partitioning Functions with Compatible Algorithms [7]

Let be a partitioning function with associating -compatible algorithms (see the Appendix). We assume . Now, we show how to construct a -LPHF with high min-entropy defined by us from the partitioning function .

A hash function consists of two algorithms which are defined as follows:
(i) it first computes . Then, it gets by operating the algorithm . Finally, it randomly chooses matrices , , and returns these matrices; i.e.,
(ii) for , it first gets by running the algorithm . Then, it returns .

The associating algorithms and are defined as follows.
(i) : it first computes . Then, it gets by operating the algorithm . Finally, it randomly chooses matrices and returns and .
(ii) for , it defines and , where denotes the identity matrix of . In this case, .

Now, we show that this construction satisfies the following properties:
(i) Correctness: .
(ii) Statistically close trapdoor keys: according to the Leftover Hash Lemma, the statistical distance between the distributions and is negligible. As a result, the statistical distance between and is negligible; i.e., .
(iii) Well-distributed hidden matrices: for all , any inputs such that for any . Then,

In a word, this construction is -LPHF. Finally, we show that this LPHF possesses Property 1, i.e., with high min-entropy.
(i) For any , any , and its corresponding , the following distributions are statistically close: where