Wireless Communications and Mobile Computing

Volume 2019, Article ID 1742386, 13 pages

https://doi.org/10.1155/2019/1742386

## Provably Secure Identity-Based Encryption and Signature over Cyclotomic Fields

^{1}School of Mathematics, Shandong University, Jinan Shandong 250100, China
^{2}Shandong Branch of China Mobile Online Service Co. Ltd., Jinan Shandong 250100, China

Correspondence should be addressed to Mingqiang Wang; wangmingqiang@sdu.edu.cn

Received 29 March 2019; Revised 29 May 2019; Accepted 8 July 2019; Published 17 October 2019

Guest Editor: Zaobo He

Copyright © 2019 Yang Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Identity-based cryptography is a type of public key cryptography with simple key management procedures. To our knowledge, all existing identity-based cryptography based on NTRU works over power-of-2 cyclotomic rings, and whether there is provably secure identity-based cryptography over more general fields is still open. In this paper, with the help of results on collision-resistant preimage sampleable functions (CRPSF) over cyclotomic fields, we give concrete constructions of provably secure identity-based encryption schemes (IBE) and identity-based signature schemes (IBS) based on NTRU over any cyclotomic field. Our IBE schemes are provably secure under adaptive chosen-plaintext and adaptive chosen-identity attacks, while our IBS schemes are existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks for any probabilistic polynomial time (PPT) adversary in the random oracle model. The security of both schemes is based on the worst-case approximate shortest independent vectors problem (SIVP_{γ}) over the corresponding ideal lattices. The secret key of our IBE (IBS) scheme is short—only one (two) ring element(s). The ciphertext (signature) is also short—only two (three) ring elements. Moreover, as in NTRUEncrypt, our IBE scheme encrypts *n* bits in each encryption process. These properties may give our schemes advantages for some IoT applications in the postquantum world, in theory.

#### 1. Introduction

Nowadays, the Internet of Things (IoT) plays an extremely important role by connecting millions of smart devices to offer benefits in a wide range of settings, for example, smart cities, smart grids, smart traffic, and smart buildings. The corresponding techniques have developed and been adopted at an unprecedented pace due to the quick evolution of smart devices and the continuous investment of leading communities. In a smart IoT system, data collected by mote devices is transferred to a gateway or the cloud; the cloud performs data analysis and sends the results to the particular management system, which takes suitable action. How to protect this complete network against malicious events, as well as the privacy and authenticity of the data, is one of the toughest challenges for deploying IoT technology. Several considerations and solutions are discussed in [1–4]. Due to constrained resources (i.e., memory size, CPU speed, and network bandwidth), we cannot directly use a traditional public key system, since its key management is complicated and its computation and storage may consume a large amount of resources.

Identity-based cryptography is a type of public key cryptography in which the public key of a user is some unique information about the identity of the user (e.g., a user’s e-mail address and the MAC address of devices). This means that a sender who has access to the public parameters of the system can encrypt a message (verify a signature) by using the receiver’s (signer’s) identity as a public key. The receiver (signer) obtains its decryption (signing) key from a central authority, which needs to be trusted as it generates secret keys for every user. Such cryptographic primitives significantly simplify the key management procedures of certificated-based public key infrastructures.

IBE and IBS were proposed by Shamir [5]; since then, a large number of papers have been published in this area, including IBE [6–12], IBS [13–17], and identity-based signcryption (sign-then-encrypt a message) schemes [13, 18, 19]. To date, the fully practical identity-based cryptographic primitives are based on bilinear pairings. With the rapid development of quantum computation, quantum computers are expected to break such systems in the not-so-distant future, so it is urgent to design quantum-immune IBE and IBS schemes. Cryptographic primitives based on hard lattice problems are good candidates, and many such identity-based schemes have been designed [6, 9, 10, 16]. However, the efficiency of these schemes is not very satisfactory, especially for IoT applications. As is well known, cryptographic primitives based on NTRU usually have high efficiency [20] and are good candidates for lightweight cryptographic systems in the postquantum world. Therefore, IBE and IBS schemes based on NTRU may enjoy the advantages of high efficiency and quantum immunity at the same time.

To the best of our knowledge, the existing IBE [21] and IBS [17] based on NTRU all work over power-of-2 cyclotomic rings, in which the NTT algorithm can be implemented and calculations can be done very fast. However, there are too many subfields in the corresponding cyclotomic fields, making these settings more sensitive to subfield attacks [22, 23, 24]. So, seeking constructions of IBE and IBS over more general fields is meaningful work. Meanwhile, strictly speaking, both schemes [17, 21] lack a security proof in the following two senses: (1) The PPT key generation algorithm of [21] is heuristic, and the CPA security of the scheme is guaranteed by a key-encapsulation mechanism designed into the encryption process and is measured by the Kullback–Leibler “distance”, not statistical distance. Security is then estimated from the perspective of attacks, so the modulus *q* is small and the schemes are practical. (2) The parameter settings of the IBS [17] were taken from [25], while the main lemma used in [25] to prove that the trapdoor generation algorithm of CRPSF is PPT had some deficiencies, so the parameter choices in [17] cannot achieve the desired result.

##### 1.1. Our Contributions and Technique Overview

Motivated by the above reasons, we construct provably secure IBE and IBS schemes over any cyclotomic field.

Compared with [21], our IBE scheme is strictly provably secure under adaptive chosen-plaintext and adaptive chosen-identity attacks. So, at a high level, our result implies that we can heuristically design an IBE scheme using parameters similar to those of [21] in any cyclotomic field. Since we use the modified CRPSF algorithms proposed in [26], our IBS scheme is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks in theory. Though the efficiency of our IBE and IBS schemes may not be satisfactory when the parameters are set to achieve provable security, our results give a high-level implication that we can heuristically design IBE and IBS over any cyclotomic field with small parameters (for example, the settings of classical NTRU-based cryptography [20]) and construct a lightweight cryptosystem that can be used in some IoT applications.

Next, we give a brief review of constructions.

The construction of our IBE scheme is inspired by [21] and follows the route of [10]. The setup algorithm uses the key generation algorithm of CRPSF constructed in [26] to generate the public parameters , including a cyclotomic field *K* and an element . Here, is the ring of integers of *K* and is the set of invertible elements of . Meanwhile, the key generation algorithm of CRPSF also outputs a short trapdoor basis of the NTRU lattice . The secret key of an identity (we map an identity to by using a random oracle ) is the element of output by the SamplePre algorithm of CRPSF using the trapdoor basis. Encryption and decryption follow the idea of [10]. We embed the message in a Ring-LWE instance during encryption, and the resulting ciphertext consists of two Ring-LWE instances (only the *b*-components) (*u*, ) with the “implied” relation that is short. Decryption then only needs to remove the errors by rounding . Security (indistinguishability) is based on the hardness of the corresponding decision Ring-LWE problems, and we do not need a key-encapsulation mechanism in the encryption process.

The construction of our IBS scheme follows the route of [17], which combines techniques from [10, 27]. We again use the key generation algorithm of CRPSF to generate . The secret key of an identity is produced by the SamplePre algorithm of CRPSF and satisfies . Signing and verification follow the idea of [27] and use a rejection sampling algorithm. The signature of a message *μ* is a triple with , , and . The rejection sampling algorithm makes appear independent of ; in particular, . To verify a signature, one then only needs to check that is short and that . Unforgeability of our scheme reduces to the corresponding Ring-SIS problems.

Finally, we remark that the techniques used in [28] are also vital for bounding the decryption error of our IBE scheme. Though we design our IBE schemes in , the dual ideal of *R*, we can convert them to work in an integral ideal of *R*, or we can directly design the IBE scheme in *R* by using the hardness result shown in [29] (with larger parameters *γ* and *q*). We can also discuss practicability under the Kullback–Leibler “distance” by the same method as in [21]. Meanwhile, our construction provides important support for designing IBE and IBS over general cyclotomic rings with relatively small parameters (with no provable security guarantee, but with a key generation algorithm that is PPT by our results) and for analyzing their security from the viewpoint of attacks. How to reduce the parameter sizes of provably secure identity-based cryptographic primitives and improve the efficiency of these schemes are important and meaningful open problems.

##### 1.2. Organization

In Section 2, we will introduce some notations and basic results we need in our discussion. In Section 3, we shall discuss the IBE schemes, including the basic definitions, security models, constructions, and security analysis. Discussions of IBS schemes are put in Section 4.

#### 2. Preliminaries

In this section, we introduce some background results and notations.

##### 2.1. Notations

We use to denote the set . represents the norm corresponding to the canonical embedding. For two random variables *X* and *Y*, stands for their statistical distance. When we write , we mean that the random variable *X* follows the distribution *ξ*. If *S* is a finite set, then is its cardinality and is the uniform distribution over *S*. Symbols and stand for the sets of positive integers and positive reals. Symbol represents . Functions and stand for the Euler function and the Möbius function.

##### 2.2. Cyclotomic Fields, Space *H*, and Ideal Lattices

Throughout this paper, we only consider cyclotomic fields. For a cyclotomic field generated by a primitive *l*-th root of unity, its minimal polynomial is , of degree . As usual, we set , the ring of integers of *K*. Then, , and . *K* is Galois over . We set and use the canonical embedding *σ* on *K*, which maps to the space via the embeddings in . *H* is isomorphic to as an inner product space via the orthonormal basis defined as follows: for , where is the vector with 1 in its *j*-th coordinate and 0 elsewhere, and is the imaginary unit with . For any element , we define its norm by and its infinity norm by .

We define a lattice as a discrete additive subgroup of *H*. The dual lattice of is defined as . One can check that this definition is actually the complex conjugate of the dual lattice as usually defined in . All of the properties of the dual lattice that we use also hold for the conjugate dual. Any fractional ideal *I* of *K* is a free module of rank *n*. So, is a lattice of *H*, and we call an ideal lattice and identify *I* with this lattice and associate with *I* all the usual lattice quantities. Meanwhile, its dual is defined as . Then, it is easy to verify that , is a fractional ideal, and embeds under *σ* as the dual lattice of *I* as defined above.

##### 2.3. Gaussian Distributions, Ring-SIS Problems, and Ring-LWE Problems

The Gaussian distribution is defined as usual. For any and (taken to be or when omitted), define the Gaussian function as . Normalizing this function gives the continuous Gaussian probability distribution of parameter *s*, whose density function is . For a real vector , we define the elliptical Gaussian distribution in the basis as follows: a sample from is given by , where each is chosen independently from the Gaussian distribution over . Note that if we define a map by , then is also an (elliptical) Gaussian distribution over .

For a lattice , , and , we define the lattice Gaussian distribution with support , deviation *σ*, and center by for any . For , we define the smoothing parameter as the smallest such that . The following theorem comes from [10, 30]. Here we use to denote the Gram–Schmidt orthogonalization of *B* and regard the columns of *B* as a set of vectors. For , define .

Theorem 1. *There is a probabilistic polynomial time algorithm that, given a basis B of an n-dimensional lattice , a standard deviation , and a , outputs a sample whose distribution is statistically close to .*

We will use the following lemmata from [10, 31].

Lemma 1. *For any full-rank lattice and positive real , we have .*

Lemma 2. *For any full-rank lattice , , and , we have .*

Lemma 3. *For any full-rank lattice , , , and , we have .*

The following useful rejection sampling theorem comes from [27]. We state an adapted version corresponding to the canonical embedding and the space *H*. Its proof is essentially the same as that in [27], so we put it in the Appendix, with the remark that the constant *M* can be computed effectively in practice.

Theorem 2. *Let be an arbitrary lattice, be a set in which all elements have norms less than T, σ be some element in such that , and be a probability distribution. Then, there exists an absolute constant M such that the distribution of the output of the following algorithm :*
(1) 
(2) 
(3) *Output with probability *
*is within statistical distance of the distribution of the output of the following algorithm :*
(1) 
(2) 
(3) *Output with probability .*
*Moreover, the probability p that outputs something satisfies .*
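To show what Theorem 2 buys the IBS construction of Section 1.1 (where the rejection step is what makes the signature component look independent of the secret), here is an added example, not code from the paper or from [27], of the rejection sampler in its simplest form: one-dimensional discrete Gaussians over the integers. It draws z from the Gaussian shifted by a secret-dependent v and keeps it with probability min(1, D_σ(z) / (M·D_{v,σ}(z))), so the surviving outputs are distributed like the unshifted D_σ. The parameter choice σ = α·T with T ≥ |v| and the constant M = exp(12/α + 1/(2α²)) are taken from Lyubashevsky's paper [27] (σ there is a standard deviation, not the page's parameter *s*); the values v = 5, α = 12, the truncation of the sampler at 12σ, and the function names are assumptions of this example.

```python
import math
import random
from itertools import accumulate

# One-dimensional integer version of the rejection sampling of Theorem 2 (added
# example). sigma = alpha*T and M = exp(12/alpha + 1/(2 alpha^2)) follow [27];
# v, alpha, the 12*sigma truncation and the function names are illustrative.


def discrete_gaussian_sampler(sigma, center=0, tail=12):
    """Exact table sampler for D_{center,sigma} over Z, truncated at tail*sigma."""
    lo, hi = int(center - tail * sigma), int(center + tail * sigma)
    support = list(range(lo, hi + 1))
    cum = list(accumulate(math.exp(-((z - center) ** 2) / (2 * sigma ** 2))
                          for z in support))
    return lambda rng: rng.choices(support, cum_weights=cum)[0]


def rejection_constant(alpha):
    """M from [27] for sigma = alpha * T, where T bounds the shift ||v||."""
    return math.exp(12 / alpha + 1 / (2 * alpha ** 2))


def accept_prob(z, v, sigma, M):
    """min(1, D_sigma(z) / (M * D_{v,sigma}(z))); in one dimension the ratio of the
    two Gaussians simplifies to exp((-2*z*v + v^2) / (2 sigma^2))."""
    return min(1.0, math.exp((-2 * z * v + v * v) / (2 * sigma ** 2)) / M)


def rejection_sample(v, sigma, M, sampler, rng):
    """One run of the first algorithm of Theorem 2: z <- D_{v,sigma}, then z is
    output with probability accept_prob(z). Returns (z, accepted)."""
    z = sampler(rng)
    return z, rng.random() < accept_prob(z, v, sigma, M)


def experiment(v=5, alpha=12, trials=20000, seed=0):
    """Run the sampler many times. Returns (acceptance rate, mean of the accepted
    outputs, mean of all raw samples): the raw samples are centred at v, the
    accepted ones are centred at 0, i.e. the output no longer reveals v. The
    acceptance rate is close to 1/M, the value the theorem's last claim refers to."""
    rng = random.Random(seed)
    sigma = alpha * abs(v)          # T = |v| in one dimension
    M = rejection_constant(alpha)
    sampler = discrete_gaussian_sampler(sigma, center=v)
    accepted, raw = [], []
    for _ in range(trials):
        z, ok = rejection_sample(v, sigma, M, sampler, rng)
        raw.append(z)
        if ok:
            accepted.append(z)
    return len(accepted) / trials, sum(accepted) / len(accepted), sum(raw) / trials
```

Run `experiment()` and compare the two means: the raw mean sits near v = 5 while the accepted mean sits near 0, with roughly 1/M ≈ 0.37 of the draws surviving. In the IBS setting the shift v is the secret-dependent term, so a signer that skipped the rejection step would leak a fraction of its secret with every signature; the rejection is what justifies the "appear independent" claim of Section 1.1.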

The hard lattice problems we use are the Ring-SIS and Ring-LWE problems. For an element , we define . We first introduce the Ring-SIS problem, defined as follows.

Definition 1. *Let R be the ring of integers of K, q and m be positive integers, and β be a real number. The small integer solution problem over R (R-SIS_{q, m, β}) is: given chosen independently from , find such that and .*

For appropriate parameters, the following theorem from [32] shows that the Ring-SIS problem is hard.

Theorem 3. *For , there is a PPT reduction from solving with high probability in polynomial time in the worst case to solving R-SIS_{q, m, β} with nonnegligible probability in polynomial time, for any such that , , and .*

The Ring-LWE problem is defined as follows. Let .

Definition 2. *For and an error distribution ψ over H, the Ring-LWE distribution over is sampled by independently choosing a uniformly random and an error term and outputting .*

Definition 3. *Let be a family of distributions over H. The average-case Ring-LWE decision problem, denoted , is to distinguish (with nonnegligible advantage) between independent samples from for a random choice of and the same number of uniformly random and independent samples from .*

In [33], a reduction from Ideal-SIVP_{γ} to the decision Ring-LWE problem over any algebraic number field is given.

Theorem 4. *Let K be an algebraic number field and , . Assume such that , and let be an integer such that . Then there is a polynomial time quantum reduction from Ideal-SIVP_{γ} (in the worst case) to , where with k the number of samples to be used and .*

We can modify the samples of the Ring-LWE distribution to as in [28]. We scale the b component by a factor of q so that it is an element of . The corresponding error distribution is with and k the number of samples. Then, we discretize the error by taking . The decision version of Ring-LWE becomes distinguishing between the modified distribution of and uniform samples from . Notice that, by using the method proposed in [34], we can make the secret s follow the error distribution, i.e., . We use the symbol to denote this problem. Meanwhile, note that if we constrain for some , where and , the hardness of the corresponding problem does not decrease. We use the symbol to denote this problem. For more details, one can refer to [28, 34].

##### 2.4. Key Generation Algorithm and Regularity Result

In this subsection, we introduce some useful algorithms and results that we need. The following algorithm plays a key role in our constructions of IBE and IBS. It is a modified version of the key generation algorithm of traditional NTRU signatures. For simplicity, we denote it by N-KeyGen.