Table of Contents Author Guidelines Submit a Manuscript
Wireless Communications and Mobile Computing
Volume 2019, Article ID 1742386, 13 pages
https://doi.org/10.1155/2019/1742386
Research Article

Provably Secure Identity-Based Encryption and Signature over Cyclotomic Fields

1School of Mathematics, Shandong University, Jinan Shandong 250100, China
2Shandong Branch of China Mobile Online Service Co. Ltd., Jinan Shandong 250100, China

Correspondence should be addressed to Mingqiang Wang; nc.ude.uds@gnaiqgnimgnaw

Received 29 March 2019; Revised 29 May 2019; Accepted 8 July 2019; Published 17 October 2019

Guest Editor: Zaobo He

Copyright © 2019 Yang Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Identity-based cryptography is a type of public key cryptography with simple key management procedures. To our knowledge, till now, the existing identity-based cryptography based on NTRU is all over power-of-2 cyclotomic rings. Whether there is provably secure identity-based cryptography over more general fields is still open. In this paper, with the help of the results of collision resistance preimage sampleable functions (CRPSF) over cyclotomic fields, we give concrete constructions of provably secure identity-based encryption schemes (IBE) and identity-based signature schemes (IBS) based on NTRU over any cyclotomic field. Our IBE schemes are provably secure under adaptive chosen-plaintext and adaptive chosen-identity attacks, meanwhile, our IBS schemes are existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks for any probabilistic polynomial time (PPT) adversary in the random oracle model. The securities of both schemes are based on the worst-case approximate shortest independent vectors problem (SIVPγ) over corresponding ideal lattices. The secret key size of our IBE (IBS) scheme is short—only one (two) ring element(s). The ciphertext (signature) is also short—only two (three) ring elements. Meanwhile, as the case of NTRUEncrypt, our IBE scheme could encrypt n bits in each encryption process. These properties may make our schemes have more advantages for some IoT applications over postquantum world in theory.

1. Introduction

Nowadays, Internet of things (IoT) plays an extremely important role by comprising millions of smart and connected devices to offer benefits in a wide range of situations, for example, smart cities, smart grads, smart traffic, and smart buildings. The corresponding techniques have been unprecedentedly developed and adopted due to the quick evolution of smart devices and the continuous investment of leading communities. In a smart IoT system, data collected by mote devices will be transferred to gateway/cloud; the cloud will perform data analysis and send the results to the particular management system which takes suitable action. How to protect this complete network against malicious events, as well as the privacy and authenticity of data, is one of the toughest challenges for the deploying IoT technology. Several considerations and solutions are discussed in [14]. Due to the constrained resources (i.e., the size of memory, CPU speed, and network bandwidth), we could not directly use the traditional public key system, since the key management is complicated and the computations and storages may consume large amount of resources.

Identity-based cryptography is a type of public key cryptography in which the public key of a user is some unique information about the identity of the user (e.g., a user’s e-mail address and the MAC address of devices). This means that a sender who has access to the public parameters of the system can encrypt a message (verify a signature) by using the receiver’s (signer’s) identity as a public key. The receiver (signer) obtains its decryption (signing) key from a central authority, which needs to be trusted as it generates secret keys for every user. Such cryptographic primitives significantly simplify the key management procedures of certificated-based public key infrastructures.

IBE and IBS were proposed by Shamir [5]; from then on, a large number of papers have been published in this area, including IBE [612], IBS [1317], and identity-based signcryption (sign-then-encrypt a message) schemes [13, 18, 19]. Till now, the fully practical identity-based cryptographic primitives are based on bilinear pairings. With the rapid development of quantum computation, in a not-so-distant future, quantum computers are expected to break such systems, and it is urgent to design quantum-immune IBE and IBS schemes. Cryptographic primitives based on hard lattice problems are good candidates, and many such identity-based schemes were designed [6, 9, 10, 16]. However, the efficiency of these schemes is not very satisfactory, especially in the IoT applications. As we all know, cryptographic primitives based on NTRU usually have high efficiency [20] and are good candidates of lightweight cryptographic systems in the postquantum world. Therefore, IBE and IBS schemes based on NTRU may enjoy the advantages of high efficiency and quantum-immune at the same time.

To the best of our knowledge, the existing IBE [21] and IBS [17] based on NTRU are all over power-of-2 cyclotomic rings, in which NTT algorithm can be implemented and calculations can be done very fast. However, there are too many subfields in the corresponding cyclotomic fields, making these settings more sensitive to subfield attacks [22, 23, 24]. So, seeking constructions of IBE and IBS over more general fields is a meaningful work. Meanwhile, strictly speaking, both of the schemes [17, 21] lack a security proof in the following two senses: (1) The PPT key generation algorithm [21] is heuristic and the CPA security of the schemes is guaranteed by a key-encapsulation mechanism designed in the process of encryption and is measured by the Kullback–Leibler “distance”—not statistical distance. Then, security is estimated in the aspect of attacks. So, the magnitude of module q is small and the schemes are practical. (2) Parameter settings of IBS [17] were referred to [25]; while the main lemma for proving the PPT trapdoor generation algorithm of CRPSF in [25] had some deficiencies, making the parameter choices in [17] could not achieve the desired result.

1.1. Our Contributions and Technique Overview

Motivated by the above reasons, we construct provably secure IBE and IBS schemes over any cyclotomic field.

Compared with [21], our IBE scheme is strictly provably secure under adaptive chosen-plaintext and adaptive chosen-identity attacks. So, at a high level, our result implies that we can heuristically design IBE scheme by using similar parameters as [21] in any cyclotomic field. Since we use the modified algorithms of CRPSF proposed in [26], our IBS scheme is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks in theory. Though the efficiency of our IBE and IBS schemes may be not satisfactory when we set parameters to achieve the provably security, our results give a high-level implication that we can heuristically design IBE and IBS over any cyclotomic field with small parameters (for example, settings of the classical NTRU-based cryptography [20]) and construct a lightweight cryptosystem, which can be used in some IoT applications.

Next, we give a brief review of constructions.

The construction of our IBE scheme is inspired by [21] and followed the route of [10]. The setup algorithm uses the key generation algorithm of CRPSF constructed in [26] to generate some public parameters , including a cyclotomic field K and an element . Here, is the ring of integers of K and is the set of invertible elements of . Meanwhile, the key generation algorithm of CRPSF also outputs a short trapdoor basis of the NTRU lattice . The secret key of an identity (we map an identity to by using a random oracle ) is the element in outputted by the SamplePre algorithm of CRPSF by using the trapdoor basis. The encryption and decryption follow the idea of [10]. We embed the message in a Ring-LWE instance in the encryption process and the outputted ciphertext consists of two Ring-LWE instances (only the b-component) (u, ) with the “implied” relation that is short. Then, the decryption process only need to remove the errors by rounding . Security (indistinguishability) is based on the hardness of corresponding decision Ring-LWE problems, and we do not need to use the key-encapsulation mechanism in the encryption process.

The construction of IBS follows the route of [17], which is a combination of techniques shown in [10, 27]. We also use the key generation algorithm of CRPSF to generate . The secret key of an identity is produced by the SamplePre algorithm of CRPSF, satisfying . The signing and verification follow the idea of [27] by using a rejection sampling algorithm. The signature of a message μ contains a triple with , , and . The rejection sampling algorithm could make it seem that is independent of , in particular, . Then, to verify a signature, one only needs to make sure that is short and . Unforgeability of our scheme can be reduced to the corresponding Ring-SIS problems.

Finally, we remark that techniques used in [28] are also vital to bound the decryption error of our IBE scheme. Though we design our IBE schemes in , the dual ideal of R, we can convert it to work in an integral ideal of R or we can directly design the IBE scheme in R by using the hardness result shown in [29] (with larger parameter γ and q). Also, we can discuss the practicability under the Kullback–Leibler “distance” by using the same method as in [21]. Meanwhile, our construction provides an important support for designing IBE and IBS over general cyclotomic rings with relative small parameters (with no provably secure guarantee, but the key generation algorithm is PPT by our results) and analyzing the security from the view of attacks. How to reduce the magnitudes of parameters of provably secure identity-based cryptographic primitives and improve the efficiency of these schemes are important and meaningful open problems.

1.2. Organization

In Section 2, we will introduce some notations and basic results we need in our discussion. In Section 3, we shall discuss the IBE schemes, including the basic definitions, security models, constructions, and security analysis. Discussions of IBS schemes are put in Section 4.

2. Preliminaries

In this section, we introduce some background results and notations.

2.1. Notations

We use to denote the set . represents the norm corresponding to the canonical embedding. For two random variables X and Y, stands for their statistic distance. When we write , we mean that the random variable X obeys to a distribution ξ. If S is a finite set, then is its cardinality and is the uniform distribution over S. Symbols and stand for the sets of positive integers and positive reals. Symbol represents for . Functions and stand for the Euler function and the Möbius function.

2.2. Cyclotomic Fields, Space H, and Ideal Lattices

Throughout this paper, we only consider cyclotomic fields. For a cyclotomic field with the primitive l-th root of unity, its minimal polynomial is with degree . As usual, we set , which is the ring of integers of K. Then, , and . K is Galois over . We set and use the canonical embedding σ on K, which maps to a space via embeddings in . H is isomorphic to as an inner product space via the orthonormal basis defined as follows: for ,where is the vector with 1 in its j-th coordinate and 0 elsewhere and is the imaginary number such that . For any element , we can define its norm by and its infinity norm by .

We define a lattice as a discrete additive subgroup of H. The dual lattice of is defined as . One can check that this definition is actually the complex conjugate of the dual lattice as usually defined in . All of the properties of the dual lattice that we use also hold for the conjugate dual. Any fractional ideal I of K is a free module of rank n. So, is a lattice of H, and we call an ideal lattice and identify I with this lattice and associate with I all the usual lattice quantities. Meanwhile, its dual is defined as . Then, it is easy to verify that , is a fractional ideal, and embeds under σ as the dual lattice of I as defined above.

2.3. Gaussian Distributions, Ring-SIS Problems, and Ring-LWE Problems

The Gaussian distribution is defined as usual. For any , , which is taken to be or when omitted, define the Gaussian function as . By normalizing this function, we obtain the continuous Gaussian probability distribution of parameter s, whose density function is given by . For a real vector , we define the elliptical Gaussian distributions in the basis as follows: a sample from is given by , where is chosen independently from the Gaussian distribution over . Note that if we define a map by , then is also a (elliptical) Gaussian distribution over .

For a lattice , and , we define the lattice Gaussian distribution of support , deviation σ, and center by for any . For , we define the smoothing parameter as the smallest such that . The following theorem comes from [10, 30]. Here we use to represent the Gram–Schmidt orthogonalization of B and regard the columns of B as a set of vectors. For , define .

Theorem 1. There is a probabilistic polynomial time algorithm that, given a basis B of an n-dimensional lattice , a standard deviation , and a , outputs a sample whose distribution is statistically close to .

We will use following lemmata from [10, 31].

Lemma 1. For any full-rank lattice and positive real , we have .

Lemma 2. For any full-rank lattice , , and , we have .

Lemma 3. For any full-rank lattice , , , and , we have .

The following useful rejection sampling theorem comes from [27]. We state an adapted version, corresponding to the canonical embedding and space H. Its proof is essentially the same as that in [27], so we put it in Appendix with a remark that the constant M can be effectively calculated in practice.

Theorem 2. Let be an arbitrary lattice, be a set in which all elements have norms less than T, σ be some elements in such that , and be a probability distribution. Then, there exists an absolute constant M such that the distribution of the output of the following algorithm :(1)(2)(3)Output with probability is within statistical distance of the distribution of the output of the following algorithm :(1)(2)(3)Output with probability .Moreover, the probability p that outputs something satisfies .

The hard lattice problems we use are Ring-SIS and Ring-LWE problems. For an element , let us define . We first introduce the Ring-SIS problem. The definition is as follows.

Definition 1. Let R be the ring of integers of K, q and m be positive integers, and β be a real number. The small integer solution problem over R (R-SISq, m, β) is given chosen independently from , find such that and .

For appropriate parameters, the following theorem comes from [32], which shows that the Ring-SIS problem is hard.

Theorem 3. For , there is a PPT reduction from solving with high probability in polynomial time in the worst case to solving R-SISq, m, β with nonnegligible probability in polynomial time, for any such that , , and .

The Ring-LWE problem is defined as follows. Let .

Definition 2. For and an error distribution ψ over H, the Ring-LWE distribution over is sampled by independently choosing a uniformly random and an error term and outputting .

Definition 3. Let be a family of distributions over H. The average-case Ring-LWE decision problem, denoted , is to distinguish (with nonnegligible advantage) between independent samples from for a random choice of and the same number of uniformly random and independent samples from .

In [33], a reduction from Ideal-SIVPγ to decision Ring-LWE problem over any algebraic number field is given.

Theorem 4. Let K be an algebraic number field and , . Assume such that , and let be an integer such that . Then there is a polynomial time quantum reduction from Ideal-SIVPγ (in the worst case) to , where with k the number of samples to be used and .

We can modify the sample of Ring-LWE distribution to as in [28]. We scale the b component by a factor of q, so that it is an element in . The corresponding error distribution is with and k the number of samples. Then, we discretize the error, by taking . The decision version of Ring-LWE becomes to distinguish between the modified distribution of and the uniform samples from . Notice that by using the same method proposed in [34], we can change the secret s to obey the error distributions, i.e., . We will use the symbol to denote this problem. Meanwhile, note that, if we constrain for some , where and , the hardness of the corresponding problem does not decrease. We will use the symbol to denote this problem. For more details, one can refer to [28, 34].

2.4. Key Generation Algorithm and Regularity Result

In this subsection, we shall introduce some useful algorithms and results we need. The following algorithm plays a key role in our constructions of IBE and IBS. It is a modified version of key generation algorithm of traditional NTRU signatures. For simplicity, we denote it by N-KeyGen.

Algorithm 1

The following theorem comes from [26] (Algorithm 1). Note that in the case of cyclotomic fields, it was shown in [26] that the value of Dedekind zeta function at 2 (i.e. ) has a relatively small absolute upper bound.

Theorem 5. Let be a cyclotomic field, , , be a prime such that and the prime ideal decomposition of in R is such that , be an arbitrary positive number. Assume that . Then, the key generation algorithm proposed in this section terminates in polynomial time, and the output matrix is an R basis of for . Meanwhile, if , the distribution of h is rejected with probability for some absolute constant c from a distribution whose statistical distance from is .

Based on the N-KeyGen algorithm, Wang and Wang [26] gave a detailed construction of CRPSF, which was first proposed in [10], over any cyclotomic field. The preimage sampling algorithm of CRPSF is useful for us to design our IBE and IBS. We also use NTRUCRPSF to represent the CRPSF and only describe the results we need. For more details, one can refer to [26]. The construction of CRPSF is as follows:(1)TrapGen : by running the N-KeyGen algorithm, we get a public key and a private key . The key h defines function with domain and range . The trapdoor of is .(2)SampleDom : sample , if , resample.(3)SamplePre : to find a preimage in for a target under by using the trapdoor , sample with and . Return .

Theorem 6. Assume for some and . Then, the constructed NTRUCRPSF is a CRPSF against time adversaries, assuming the hardness of the worst-case Ideal-SIVPγ over K against time adversaries, with .

We also need the following regularity theorem. For more details, one can refer to [26, 28, 29].

Theorem 7. Let K be a cyclotomic field with , , , q is a positive prime such that and the prime ideal decomposition of in R is , , , and for all . Assume with . Then, we have

As in [28], we only use the powerful basis of R and the decoding basis of . We mainly use the following definition and arrangements. More details can be found in [28].

Definition 4. Given a basis of a fractional ideal J, for any with , the B-coefficient embedding of x is defined as the vector and the B-coefficient embedding norm of x is defined as .

Set when l is odd and when l is even. If for primes , then we define . If we represent (or ) with respect to the powerful basis (or decoding basis), we have

We will omit the subscripts and in the following applications when it does not cause ambiguities.

When we write , we use the representative element of the coset as with . It is similar for element . Notice that , and any element of R can also be represented as a -linear combination of the decoding basis.

3. Identity-Based Encryption Schemes

In this section, we shall give the definition of IBE schemes and then construct a provably secure IBE scheme based on NTRU over any cyclotomic field.

3.1. Basic Definition and Security Model

We give the definition of IBE system first.

Definition 5. An identity-based encryption system consists of four PPT algorithms: Setup, KeyGen, Encrypt, and Decrypt.(i)Setup : this algorithm takes as input a security parameter λ and generates public parameters PP and a master secret key Msk.(ii)KeyGen : this algorithm uses the master secret key Msk to generate an identity private key corresponding to an identity id.(iii)Encrypt : this algorithm takes the public parameters PP to encrypt a message m for any given identity id.(iv)Decrypt : this algorithm decrypts ciphertext c by using the identity private key if the identity of the ciphertext matches the identity of the private key.The security model of IBE is defined through the following game between an adversary and a challenger . For a security parameter λ, let be the plaintext space and be the ciphertext space. The game, which appraises the indistinguishability of plaintext under adaptive chosen-plaintext and adaptive chosen-identity attack (IND-ID-CPA), is defined as follows:(i)Setup: runs the algorithm Setup to get the public parameters PP and the master secret key Msk; then, it sends PP to and keeps the master secret key Msk.(ii)Phase 1: adaptively issues private key queries for identity . In each query for , runs KeyGen to generate and sends it to .(iii)Challenge: once decides the Phase 1 is over, it outputs a challenge identity , which has not been queried during Phase 1, and two plaintext message . chooses a random element uniformly and sends to .(iv)Phase 2: adaptively issues more private key queries for identity . The only requirement is that for any .(v)Guess: outputs an element and wins if and only if .We refer to such an adversary as an IND-ID-CPA adversary and define the advantage (in the security parameter λ) of in attacking an IBE scheme as .

Definition 6. For a security parameter λ, we say that an IBE scheme is adaptively IND-ID-CPA secure if for any PPT adversary that takes at most private key queries, .

3.2. Constructions of IBE Based on NTRU

Now, we can give the construction of IBE system over any cyclotomic field. The construction is inspired by [21], which follows the route of [10] and could be regarded as a generalization from power of 2 cyclotomic field to arbitrary cyclotomic field. The detailed construction is as follows, where denotes the discriminant of K and .(i)Setup : given a security parameter λ, first construct a set of parameters such that with , , and such that . Meanwhile, for some , . Then, call the N-KeyGen algorithm to generate a public key h and a secret key . Set the public parameters , where is a random oracle, and the master secret key .(ii)KeyGen : if the pair (id, ) is in the local storage, output to the user id. Otherwise,(1)Set .(2)Take , where satisfies .(3)Output and keep the pair (id, ) in the local storage.(iii)Encrypt : given a plaintext with coefficients , the encryption process is as follows:(1)Sample with , where is a positive integer.(2)Compute , and .(3)Output the ciphertext .(iv)Decrypt : this algorithm first computes and returns .

Note that we have where for some satisfying . If , then we get that has the representation of the form in . Setting and , we can conclude that for any ,

Therefore, the decryption process succeeds in recovering the encrypted message m whenever . Now, we bound the probability that . Here, represents the basis-coefficient norm under the decoding basis with respect to the norm.

Lemma 4. Assume that such that and let be an integer such that ; meanwhile, ; then, we have with probability at least .

Proof. Lemma 5.1 of [28] implies that . Note that ; we haveTherefore, we getwith probability at least , where we have used that .
Overall, we get the following lemma.

Lemma 5. Assume that such that and let be an integer such that ; meanwhile, ; then, the decryption algorithm of the IBE scheme succeeds in recovering the encrypted message with probability at least .

We can prove that our IBE scheme is secure, assuming that problem and problem are hard. We first give a IND-CPA secure public key encryption scheme (denoted by BasicPub). Note that Lemma 5 is suitable for BasicPub as well.(i)Setup : given a security parameter λ, do as the Setup algorithm of IBE scheme. Set the public parameters .(ii)KeyGen : sample ; set the secret key and the public key .(iii)Encrypt : do as the Encrypt algorithm of IBE scheme with .(iv)Decrypt : the same as the Decrypt algorithm of IBE scheme.

Lemma 6. Let be a cyclotomic field, , , and be a prime such that . Set for some and ; meanwhile, assume that such that , , and . Then, the BasicPub is IND-CPA secure assuming that problem and problem are hard.

Proof. Note that, by the property of SampleDom algorithm, the distribution of is statistically close to . Then, for a ciphertext of either or , by our choices of parameters, the entire view of the adversary is indistinguishable from the uniform distribution, assuming the hardness of problem and problem. Hence, the adversary could not distinguish the ciphertexts of 0 and 1. We get the results, as desired.

Theorem 8. Suppose that Lemma 6 holds, i.e., the BasicPub is correct and IND-CPA secure in the standard model; then, the IBE scheme is adaptively IND-ID-CPA secure in the random oracle model.

Proof. Let be a PPT adversary that attacks the IBE scheme with advantage δ by using distinct H queries. We shall construct an algorithm to attack the BasicPub scheme with advantage . The algorithm works as follows:(1) calls an oracle (or the challenger) to get the public parameters and a public key . Then, it sends the public parameters to . Here, simulates the random oracle H; meanwhile, chooses an uniformly at random.(2) simulates the view of as follows:(i)Hash queries: on ’s jth distinct query to H, if , then store the tuple and return to . Otherwise, , runs the BasicPub.KeyGen () to generate a public/secret key pair , locally store the tuple , and return to .(ii)KeyGen queries: when asks for a secret key for an identity , assume without loss of generality that has already queried H on . Retrieve the unique tuple from local storage. If , then output a random bit and abort. Otherwise, return to .(3)When produces a challenge identity which is distinct from all its secret key queries and two messages , assume without loss of generality that has already queried H on . If , output a random bit and abort. Otherwise, return for to .When terminates with some output, terminates with the same output.
Assume makes N distinct KeyGen queries for some . Notice that the probability that does not abort isMeanwhile, conditioned on not aborting, the view it provides to is statistically close to the view of the real IBE scheme. Hence, the advantage that attacks the IND-CPA secure of BasicPub is , as desired.
Overall, we conclude the following theorem.

Theorem 9. Let be a cyclotomic field, , , and be a prime such that . Set for some and ; meanwhile, assume that such that , , and . Then, the IBE scheme is adaptively IND-ID-CPA secure against any PPT adversary in the random oracle model, assuming the hardness of worst-case Ideal-SIVPγ over K against PPT adversaries, with .

Remark 1. If we choose , then , and . As remarked in [28], we can also convert our constructions to work in an ideal of R, or we can directly design our schemes in R (with larger γ and q). Moreover, when we require that with l having some special cases (for example, or for some prime ), we can use the hardness results shown in [35] and techniques shown in [36] to reduce the magnitude of the parameters q and γ. Usually, the module q is far away from practicality. A heuristic practical choice of parameters (with respect to coefficient embedding) is shown in [21]. How to reduce the size of q and γ is a hard problem which is worth studying.

4. Identity-Based Signature Schemes

In this section, we shall give the definition of IBS schemes and then construct a provably secure IBS scheme based on NTRU over any cyclotomic field.

4.1. Basic Definition and Security Model

We give the definition of IBS system first.

Definition 7. An identity-based signature system consists of four PPT algorithms: Setup, KeyGen, Sign, and Verification.(i)Setup : this algorithm takes as input a security parameter λ and generates public parameters PP and a master secret key Msk.(ii)KeyGen : this algorithm uses the master secret key Msk to generate an identity private key corresponding to an identity id.(iii)Sign : this algorithm takes the public parameters PP, a message μ, an identity , and the secret key to generate a signature of μ.(iv)Verification : on input of the identity , the message μ, the parameters , and a signature , this algorithm outputs 1 when the verification is correct (i.e., the signature is valid) and outputs 0 otherwise.The security model of IBS is defined through the following game between an adversary and a challenger . For a security parameter λ, let be the message space and be the signature space. The game, which appraises the property of existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks, is defined as follows:(i)Setup: runs the algorithm Setup to get the public parameters PP and the master secret key Msk; then, it sends PP to and keeps the master secret key Msk.(ii)Phase 1: adaptively issues private key queries for identity . In each query for , runs KeyGen to generate and sends it to .(iii)Challenge: once decides the Phase 1 is over, it outputs an identity , which has not been queried during Phase 1.(iv)Phase 2: adaptively issues more queries where each query is one of the following:(1)Private key query for : responds as in Phase 1.(2)Signature query for a message μ under identity : this query can be regarded as an oracle, and runs the oracle to get a signature and sends to .(v)Forge: outputs a forge for a message μ under identity . It wins if and only if one of the following two cases happens:(1)If μ is queried in Phase 2, then we require that , where is the signature of μ that got in Phase 2. Meanwhile, .(2)Otherwise, we simply require that .We define the advantage (in the security parameter λ) of in attacking an IBS scheme as .

Definition 8. For a security parameter λ, we say that an IBS scheme is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks if for any PPT adversary that takes at most queries, .

4.2. Constructions of IBS Based on NTRU

Now, we can give the construction of IBS system over any cyclotomic field. The detailed construction is as follows:(i)Setup : given a security parameter λ, first construct a set of parameters such that with , , and such that . Meanwhile, for some , . Then, call the N-KeyGen algorithm to generate a public key h and a secret key . Set the public parameters , where and are two random oracles, and the master secret key .(ii)KeyGen : if the pair (id, ) is in the local storage, output to the user id. Otherwise,(1)Set .(2)Take , where satisfies .(3)Output and keep the pair (id, ) in the local storage.(iii)Sign : given a message μ, the signature process is as follows:(1)Sample .(2)Compute and for .(3)Output the signature of message μ with probability with and (in practice, M can be computed efficiently).(iv)Verification : for , if and , output 1. Otherwise, output 0.

The signing algorithm outputs something with probability , if nothing was output, the signer runs the signing algorithm again until some signature is outputted. Note that . Meanwhile, Lemma 2 and Theorem 2.2 imply that with overwhelming probability. We conclude the following lemma.

Lemma 7. The IBS scheme proposed above satisfies correctness.

The security of the IBS scheme can be reduced to the worst-case SIVPγ problem over K.

Theorem 10. Let be a cyclotomic field, , , and be a prime such that . Assume that for some , . The IBS scheme is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks for any PPT adversary in the random oracle model, assuming the hardness of worst-case Ideal-SIVPγ over K against PPT adversaries, with .

Proof. Suppose that there is an adversary which can break the existentially unforgeable IBS scheme with advantage δ; we can construct an algorithm to solve the problem over K for . The interactions between and are described as follows:(1)For an R-SIS instance , if , abort. Otherwise, sends to .(2) can adaptively query in the following ways. In general, we can assume that has to query the random oracle H for before it makes other kinds of queries.(i)H query: at the beginning, keeps an ID-list which consists of elements of the form . The list is empty initially. For a query of identity , if it is contained in the ID-list, simply sends to . Otherwise, is fresh. samples and computes . Then, sends to and stores in the ID-list.(ii)KeyGen query: given , looks up the ID-list to find corresponding to and sends to .(iii)Sign query: also keeps a SIGN-list which is empty initially and consists of elements of the form . To obtain the signature of message under the identity , if is in the SIGN-list, simply sends to . Otherwise, is fresh and looks up the ID-list for and runs Sign to get a signature . sends to and stores in the SIGN-list. Here, is obtained through the algorithm Sign .(iv) query: when sends a message under identity to for the query, finds the corresponding in the SIGN-list and sends it to (if is not in the SIGN-list, implements Sign query for and sends corresponding obtained by Sign query to ).(3)Forge: after finishing the queries listed above, outputs a forgery for with a nonnegligible probability δ.Note that, without loss of generality, we can assume that before outputting the attempted forgery , has made a query for (or strictly speaking, has made a query for , but a query is equivalent to a Sign query, by our constructions), i.e. for a in the SIGN-list. can get from the SIGN-list, which satisfies . Hence, we have (up to a negligible probability). Therefore, . Let ; we have . Hence, if , it is a valid solution of .
Also, note that in order to give a valid forge, needs to find to fulfil that and for . Theorem 2.2 implies that we can regard . Theorem 2.7 implies that . For any , the solutions of the equation form a lattice . Hence, for the parameter choices of s and σ, Lemma 3 indicates that the probability that is negligible. Therefore, except with some negligible probability , we can solve R-SIS with advantage .

Remark 2. By the conditions in Theorem 4.1, we can take , and . Also, the module q is far away from practicality. How to reduce the size of q and γ is a hard problem which is worth studying.
One may note that the trapdoor generation algorithms used in IBE and IBS schemes are the same, so as the case of IBE in power-of-2 cyclotomic rings; we can also use the parameter choices (with respect to coefficient embedding) as in [21], together with the parameter choices of rejection sampling as in [27] to give a practical implementation of our schemes. A more heuristic implementation with respect to coefficient embedding in power-of-2 cyclotomic rings is also shown in [17].

Appendix

We first introduce a useful “rejection sampling” lemma which is a modified version of Lemma 4.7 in [27]. Their proof is essentially the same.

Lemma 8. Let be an arbitrary set and be an arbitrary lattice. Assume and be probability distributions. If is a family of probability distributions indexed by all with the property that