Lattice-Based IBE with Equality Test in Standard Model

  • Conference paper

Provable Security (ProvSec 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11821)

Abstract

Public key encryption with equality test (PKEET) allows testing whether two ciphertexts encrypt the same message. PKEET is a candidate for many practical applications, such as efficient data management on encrypted databases. Identity-based encryption with equality test (IBEET), introduced by Ma (Information Sciences 2016), removes the certificate management of PKEET. The potential applications of IBEET have led to intensive research since its first instantiation. Ma's IBEET and most later constructions are proven secure in the random oracle model under number-theoretic hardness assumptions, which do not withstand quantum attacks. Recently, Lee et al. (ePrint 2016) proposed a generic construction of IBEET in the standard model, which makes a lattice-based instantiation possible. Their method uses a 3-level hierarchical identity-based encryption (HIBE) scheme together with a one-time signature scheme. In this paper, we propose, for the first time, a concrete construction of an IBEET scheme based on lattice hardness assumptions in the standard model and compare its data sizes with the instantiation obtained from Lee et al. (ePrint 2016). Further, we modify our proposed IBEET to make it secure against insider attacks.


References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28

  2. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

  3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: Proceedings of the 26th International Symposium on Theoretical Aspects of Computer Science, STACS 2009, Freiburg, Germany, 26–28 February 2009, pp. 75–86 (2009)

  4. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)

  5. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27

  6. Duong, D.H., Fukushima, K., Kiyomoto, S., Roy, P.S., Susilo, W.: A lattice-based public key encryption with equality test in standard model. In: Jang-Jaccard, J., Guo, F. (eds.) ACISP 2019. LNCS, vol. 11547, pp. 138–155. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21548-4_8

  7. Lee, H.T., Ling, S., Seo, J.H., Wang, H., Youn, T.-Y.: Public key encryption with equality test in the standard model. Cryptology ePrint Archive, Report 2016/1182 (2016)

  8. Lee, H.T., Ling, S., Seo, J.H., Wang, H.: Semi-generic construction of public key encryption and identity-based encryption with equality test. Inf. Sci. 373, 419–440 (2016)

  9. Lee, H.T., Wang, H., Zhang, K.: Security analysis and modification of ID-based encryption with equality test from ACISP 2017. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 780–786. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_46

  10. Ma, S.: Identity-based encryption with outsourced equality test in cloud computing. Inf. Sci. 328, 389–402 (2016)

  11. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: Proceedings of the 45th Symposium on Foundations of Computer Science (FOCS 2004), Rome, Italy, 17–19 October 2004, pp. 372–381 (2004)

  12. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005)

  13. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

  14. Shoup, V.: A Computational Introduction to Number Theory and Algebra, 2nd edn. Cambridge University Press, Cambridge (2008)

  15. Wu, T., Ma, S., Mu, Y., Zeng, S.: ID-based encryption with equality test against insider attack. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017, Part I. LNCS, vol. 10342, pp. 168–183. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60055-0_9

Acknowledgement

This work is supported by the Australian Research Council Discovery Project DP180100665. We would like to thank Tsz Hon Yuen and the anonymous reviewers for many helpful comments and fruitful discussions.

Corresponding author

Correspondence to Dung Hoang Duong.

Appendix A: An Instantiation of Lee et al.’s Construction

In this section, we present a lattice-based IBEET that instantiates Lee et al.’s generic construction [7]. Their construction needs (i) a multi-bit HIBE scheme and (ii) a one-time signature scheme. To instantiate it, we modify the lattice-based single-bit HIBE of [1] into a multi-bit one and use it, together with a signature scheme, to obtain the following lattice-based IBEET. Although a one-time signature scheme would suffice, we choose the fully secure signature scheme from [1] to unify the system: in that case the signature scheme and the HIBE share the same public key. Both the HIBE and the signature scheme must be multi-bit to obtain an IBEET from Lee et al.’s construction [7].

In what follows, we denote by \([id_1.id_2.id_3]\) the identity of a 3-level HIBE scheme, where \(id_1\) is the first-level identity, \(id_2\) the second-level identity and \(id_3\) the third-level identity. Following [7], we write \([\mathsf {ID}.0]\) (resp. \([\mathsf {ID}.1]\)) for a second-level identity whose first-level component is \(\mathsf {ID}\).

A.1 Construction

  • \(\mathsf {Setup}\)(\(\lambda \))

    On input a security parameter \(\lambda \) and the maximum hierarchy depth 3, set the parameters \(q, n, m, {\bar{\sigma }}, {\bar{\alpha }}\). Here \({\bar{\sigma }}, {\bar{\alpha }} \in \mathbb {R}^2\) are vectors, and \(\sigma _l\) and \(\alpha _l\) denote their \(l\)-th coordinates.

    1. Use algorithm \(\mathsf {TrapGen}(q, n)\) twice to select uniformly random matrices \(A, A' \in \mathbb {Z}_q^{n \times m}\) together with bases \(T_{A}, T_{A'}\) for \(\varLambda ^{\perp }_q (A)\) and \(\varLambda ^{\perp }_q (A')\), respectively. Repeat this step until both A and \(A'\) have rank n.

    2. Select \(l+1\) uniformly random \(n \times m\) matrices \(A_1, A_2, A_3, \cdots , A_l, B \in \mathbb {Z}_q^{n \times m}\).

    3. Select a uniformly random matrix \(U\in \mathbb {Z}_q^{n\times t}\).

    4. Select hash functions \(H: \{0, 1\}^* \rightarrow \{0,1\}^t\), \(H_1: \{0, 1\}^* \rightarrow \{-1, 1\}^l\), \(H_2 :\{0,1\}^*\rightarrow \mathbb {Z}^n_q\), and a full-rank difference map \(H' :\mathbb {Z}_q^n\rightarrow \mathbb {Z}_q^{n\times n}\) as in [1, Sect. 5].

    5. Output the public key and the secret keys

       $$\mathsf {PK}=(A,A', A_1,A_2,A_3, \cdots , A_l, B,U)\quad ,\quad \mathsf {MSK}=T_A ,\quad \mathsf {sk_s}= T_{A'}$$
  • Extract(\(\mathsf {PP},\mathsf {MSK},\mathsf {ID}\)): On input the public parameters \(\mathsf {PP}\) (the public key \(\mathsf {PK}\) above), the master secret key \(\mathsf {MSK}\) and an identity \(\mathsf {ID}\in \mathbb {Z}_q^n\):

    1. Let \(A_{\mathsf {ID}} =A_1+ H'(\mathsf {ID})B\in \mathbb {Z}_q^{n\times m}\).

    2. Sample \(E\in \mathbb {Z}^{2m\times t}\) as

       $$E\leftarrow \mathsf {SampleBasisLeft}(A,A_{\mathsf {ID}},T_A,U,\sigma).$$
    3. Output \(\mathsf {SK}_\mathsf {ID}:=E\).

    Let \(F_\mathsf {ID}=(A|A_\mathsf {ID})\in \mathbb {Z}_q^{n\times 2m}\) then \(F_\mathsf {ID}\cdot E = U\) in \(\mathbb {Z}_q\) and E is distributed as \(D_{\varLambda _q^U(F_\mathsf {ID}),\sigma }\).

  • \(\mathsf {Enc}(\mathsf {PP}, \mathsf {ID}, \mathbf {m})\)

    On input the public parameters \(\mathsf {PP}\), an identity \(\mathsf {ID}\) and a message \(\mathbf {m}\in \{0,1\}^t\), do

    1. Choose uniformly random \(\mathbf {s}_1,\mathbf {s}_2\in \mathbb {Z}_q^n\).

    2. Choose \(\mathbf {x}_1,\mathbf {x}_2\in \overline{\varPsi }_\alpha ^t\) and compute

       $$\begin{aligned} \mathbf {c}_1&= U^T\mathbf {s}_1 +\mathbf {x}_1 +\mathbf {m}\big \lfloor \frac{q}{2}\big \rfloor \in \mathbb {Z}_q^t,\\ \mathbf {c}_2&= U^T\mathbf {s}_2 +\mathbf {x}_2 +H(\mathbf {m})\big \lfloor \frac{q}{2}\big \rfloor \in \mathbb {Z}_q^t. \end{aligned}$$
    3. Set \(vk_s=A_1\Vert \cdots \Vert A_l\).

    4. Set \(id := H_2(vk_s)\in \mathbb {Z}_q^n\).

    5. Build the following matrices in \(\mathbb {Z}_q^{n\times 4m}\):

       $$\begin{aligned} F_{\mathsf {ID}. 0. vk_s}&= (F_\mathsf {ID}| A_2 + H'(0)\cdot B | A_3 + H'(id)\cdot B),\\ F_{\mathsf {ID}. 1. vk_s}&= (F_\mathsf {ID}| A_2 + H'(1)\cdot B | A_3 + H'(id)\cdot B). \end{aligned}$$
    6. Choose a uniformly random matrix \(R\in \{-1,1\}^{m\times 3m}\).

    7. Choose \(\mathbf {y}_1, \mathbf {y}_2\in \overline{\varPsi }_\alpha ^m\) and set \(\mathbf {z}_1=R^T\mathbf {y}_1, \mathbf {z}_2=R^T\mathbf {y}_2\in \mathbb {Z}_q^{3m}\).

    8. Compute

       $$\begin{aligned} \mathbf {c}_3&=F_{\mathsf {ID}. 0. vk_s}^T\mathbf {s}_1+[\mathbf {y}_1^T|\mathbf {z}_1^T]^T\in \mathbb {Z}_q^{4m},\\ \mathbf {c}_4&=F_{\mathsf {ID}. 1. vk_s}^T\mathbf {s}_2+[\mathbf {y}_2^T|\mathbf {z}_2^T]^T\in \mathbb {Z}_q^{4m}. \end{aligned}$$
    9. Let \(\mathbf {b}:= H_1(\mathbf {c}_1\Vert \mathbf {c}_2\Vert \mathbf {c}_3\Vert \mathbf {c}_4)\in \{-1,1\}^l\) and define a matrix

       $$F=(A'| B+\sum _{i=1}^lb_iA_i)\in \mathbb {Z}_q^{n\times 2m}.$$
    10. Generate a signature \(\mathbf {e}\in \mathbb {Z}^{2m}\) on \(\mathbf {b}\) (and hence on \(\mathbf {c}_1,\dots ,\mathbf {c}_4\)) by

       $$\mathbf {e}\leftarrow \mathsf {SampleBasisLeft}(A',B+\sum _{i=1}^lb_iA_i,T_{A'},\mathbf {0},\sigma).$$

       Note that \(F\cdot \mathbf {e} =0\mod q\).

    11. Output the ciphertext

       $$\mathsf {CT}=(vk,\mathbf {c}_1,\mathbf {c}_2,\mathbf {c}_3,\mathbf {c}_4,\mathbf {e}).$$
  • \(\mathsf {Dec}(\mathsf {PP}, \mathsf {SK}_{\mathsf {ID}},\mathsf {CT})\)

    On input the public parameters \(\mathsf {PP}\), a secret key \(\mathsf {SK}_{\mathsf {ID}}\) and a ciphertext \(\mathsf {CT}\), do

    1. Parse the ciphertext \(\mathsf {CT}\) into

       $$(vk,\mathbf {c}_1,\mathbf {c}_2,\mathbf {c}_3,\mathbf {c}_4,\mathbf {e}).$$
    2. Let \(\mathbf {b}:= H_1(\mathbf {c}_1\Vert \mathbf {c}_2\Vert \mathbf {c}_3\Vert \mathbf {c}_4)\in \{-1,1\}^l\) and define a matrix

       $$F=(A'| B+\sum _{i=1}^lb_iA_i)\in \mathbb {Z}_q^{n\times 2m}.$$
    3. If \(F\cdot \mathbf {e}=0\) in \(\mathbb {Z}_q\) and \(\Vert \mathbf {e}\Vert \le \sigma \sqrt{2m}\) then continue to Step 4; otherwise output \(\perp \). (The zero vector satisfies both conditions, so an implementation should additionally reject \(\mathbf {e}=\mathbf {0}\).)

    4. Set \(id := H_2(vk)\in \mathbb {Z}_q^n\) and build the following matrices:

       $$\begin{aligned} F_{\mathsf {ID}. 0}&= (F_\mathsf {ID}| A_2 + H'(0)\cdot B) \in \mathbb {Z}_q^{n\times 3m},\\ F_{\mathsf {ID}. 1}&= (F_\mathsf {ID}| A_2 + H'(1)\cdot B) \in \mathbb {Z}_q^{n\times 3m}. \end{aligned}$$
       $$\begin{aligned} F_{\mathsf {ID}. 0. vk_s}&= (F_\mathsf {ID}| A_2 + H'(0)\cdot B | A_3 + H'(id)\cdot B) \in \mathbb {Z}_q^{n\times 4m},\\ F_{\mathsf {ID}. 1. vk_s}&= (F_\mathsf {ID}| A_2 + H'(1)\cdot B | A_3 + H'(id)\cdot B) \in \mathbb {Z}_q^{n\times 4m}. \end{aligned}$$
    5. Generate, using \(E\) as the trapdoor for \(F_\mathsf {ID}\),

       $$\begin{aligned} E_{\mathsf {ID}. 0} &\leftarrow \mathsf {SampleBasisLeft}(F_\mathsf {ID}, A_2 + H'(0)\cdot B, E, U, \sigma) \quad \text {s.t. } F_{\mathsf {ID}. 0} \cdot E_{\mathsf {ID}. 0} = U,\\ E_{\mathsf {ID}. 1} &\leftarrow \mathsf {SampleBasisLeft}(F_\mathsf {ID}, A_2 + H'(1)\cdot B, E, U, \sigma) \quad \text {s.t. } F_{\mathsf {ID}. 1} \cdot E_{\mathsf {ID}. 1} = U,\\ E_{\mathsf {ID}. 0. vk_s} &\leftarrow \mathsf {SampleBasisLeft}(F_{\mathsf {ID}.0}, A_3 + H'(id)\cdot B, E_{\mathsf {ID}.0}, U, \sigma) \quad \text {s.t. } F_{\mathsf {ID}. 0.vk_s} \cdot E_{\mathsf {ID}. 0. vk_s} = U,\\ E_{\mathsf {ID}. 1. vk_s} &\leftarrow \mathsf {SampleBasisLeft}(F_{\mathsf {ID}.1}, A_3 + H'(id)\cdot B, E_{\mathsf {ID}.1}, U, \sigma) \quad \text {s.t. } F_{\mathsf {ID}. 1.vk_s} \cdot E_{\mathsf {ID}. 1. vk_s} = U. \end{aligned}$$

       Here \(E_{\mathsf {ID}. 0}, E_{\mathsf {ID}. 1}\in \mathbb {Z}^{3m\times t}\) and \(E_{\mathsf {ID}. 0. vk_s}, E_{\mathsf {ID}. 1. vk_s}\in \mathbb {Z}^{4m\times t}\); the third-level component uses \(H'(id)\) so that the matrices match \(F_{\mathsf {ID}. 0. vk_s}\) and \(F_{\mathsf {ID}. 1. vk_s}\) of Step 4.
    6. Compute \(\mathbf {w}\leftarrow \mathbf {c}_1-E_{\mathsf {ID}. 0. vk_s}^T\mathbf {c}_3\in \mathbb {Z}_q^t\).

    7. For each \(i=1,\cdots , t\), compare \(w_i\) with \(\lfloor \frac{q}{2}\rfloor \). If they are close, set \(m_i=1\); otherwise set \(m_i=0\). This yields the message \(\mathbf {m}\).

    8. Compute \(\mathbf {w}'\leftarrow \mathbf {c}_2-E_{\mathsf {ID}. 1. vk_s}^T\mathbf {c}_4\in \mathbb {Z}_q^t\).

    9. For each \(i=1,\cdots ,t\), compare \(w'_i\) with \(\lfloor \frac{q}{2}\rfloor \). If they are close, set \(h_i=1\); otherwise set \(h_i=0\). This yields the vector \(\mathbf {h}\).

    10. If \(\mathbf {h}=H(\mathbf {m})\) then output \(\mathbf {m}\), otherwise output \(\perp \).

  • \(\mathsf {Td}(\mathsf {SK}_i)\)

    On input the secret key \(\mathsf {SK}_i (= E_i)\) of a user \(U_i\) with identity \(\mathsf {ID}_i\), run

    $$\mathsf {td}_i\leftarrow \mathsf {SampleBasisLeft}(F_{\mathsf {ID}_i}, A_2 + H'(1)\cdot B, E_i, U, \sigma),$$

    i.e. \(\mathsf {td}_i = E_{\mathsf {ID}_i. 1}\) is the key of the second-level identity \([\mathsf {ID}_i.1]\). It opens only the hash part \((\mathbf {c}_2,\mathbf {c}_4)\) of a ciphertext, not the message part \((\mathbf {c}_1,\mathbf {c}_3)\), which lives under \([\mathsf {ID}_i.0]\).
  • \(\mathsf {Test}(\mathsf {td}_i,\mathsf {td}_j,\mathsf {CT}_i,\mathsf {CT}_j)\)

    On input trapdoors \(\mathsf {td}_i,\mathsf {td}_j\) and ciphertexts \(\mathsf {CT}_i,\mathsf {CT}_j\) of users \(U_i\) and \(U_j\) respectively, do the following for \(k=i,j\):

    1. Parse \(\mathsf {CT}_k\) into

       $$(vk_k,\mathbf {c}_{k,1},\mathbf {c}_{k,2},\mathbf {c}_{k,3},\mathbf {c}_{k,4},\mathbf {e}_k).$$
    2. Set \(id_k := H_2(vk_k)\in \mathbb {Z}_q^n\) and sample \(E_{\mathsf {ID}_k . 1. vk_s}\in \mathbb {Z}^{4m\times t}\) from

       $$ \mathsf {SampleBasisLeft}(F_{\mathsf {ID}_k .1}, A_3 + H'(id_k)\cdot B, \mathsf {td}_k, U, \sigma),$$

       where \(F_{\mathsf {ID}_k .1} = (F_{\mathsf {ID}_k}| A_2 + H'(1)\cdot B)\) and \(\mathsf {td}_k = E_{\mathsf {ID}_k .1}\).
    3. Use \(E_{\mathsf {ID}_k . 1. vk_s}\) to decrypt \(\mathbf {c}_{k,2}\), \(\mathbf {c}_{k,4}\) as in Steps 8–9 of \(\mathsf {Dec}\) above to obtain the hash value \(\mathbf {h}_k\).

    4. If \(\mathbf {h}_i=\mathbf {h}_j\) then output 1; otherwise output 0.

Theorem 5

(Correctness). The above IBEET is correct if the hash function H is collision resistant.

Proof

Since we employ the multi-bit HIBE and the signature scheme from [1], their correctness follows from [1]. The theorem then follows from [7, Theorem 1].    \(\square \)

A.2 Parameters

We follow [1, Sect. 8.3] for choosing the parameters of our scheme. For the system to work correctly we need to ensure

  • that the error term in decryption is less than q/5 with high probability, i.e., \(q=\varOmega (\sigma m^{3/2})\) and \(\alpha <[\sigma lm\omega (\sqrt{\log m})]^{-1}\),

  • that \(\mathsf {TrapGen}\) can operate, i.e., \(m>6n\log q\),

  • that \(\sigma \) is large enough for \(\mathsf {SampleLeft}\) and \(\mathsf {SampleRight}\), i.e., \(\sigma >lm\omega (\sqrt{\log m})\),

  • that Regev’s reduction applies, i.e., \(q>2\sqrt{n}/\alpha \).

Hence the following choice of parameters \((q,m,\sigma ,\alpha)\) from [1] satisfies all of the above conditions, taking n to be the security parameter:

$$\begin{aligned} \begin{aligned}&m=6n^{1+\delta }\quad ,\quad q=\max (2Q,m^{2.5}\omega (\sqrt{\log n})) \\&\sigma = ml\omega (\sqrt{\log n})\quad ,\quad \alpha =[l^2m^2\omega (\sqrt{\log n})]^{-1} \end{aligned} \end{aligned}$$
(3)

and round up m to the nearest larger integer and q to the nearest larger prime. Here Q is the bound on the adversary’s queries in the security proofs of [1], and we assume that \(\delta \) is such that \(n^\delta >\lceil \log q\rceil =O(\log n)\).

Theorem 6

The IBEET constructed in Sect. 5 with parameters as in (3) is \(\textsf {IND-ID-CCA2}\) secure provided that \(H_1\) is collision resistant.

Proof

The HIBE is \(\textsf {IND-sID-CPA}\) secure by [1, Theorem 33] and the signature is strongly unforgeable by [1, Sect. 7.5]. The result follows from [7, Theorem 5].    \(\square \)

Theorem 7

([7, Theorem 3]). The IBEET with parameters \((q,n,m,\sigma ,\alpha)\) as in (3) is \(\textsf {OW-ID-CCA2}\) secure provided that H is one-way and \(H_1\) is collision resistant.

Proof

The HIBE is \(\textsf {IND-sID-CPA}\) secure by [1, Theorem 33] and the signature is strongly unforgeable by [1, Sect. 7.5]. The result follows from [7, Theorem 6].    \(\square \)

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Duong, D.H., Le, H.Q., Roy, P.S., Susilo, W. (2019). Lattice-Based IBE with Equality Test in Standard Model. In: Steinfeld, R., Yuen, T. (eds) Provable Security. ProvSec 2019. Lecture Notes in Computer Science, vol 11821. Springer, Cham. https://doi.org/10.1007/978-3-030-31919-9_2

  • DOI: https://doi.org/10.1007/978-3-030-31919-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31918-2

  • Online ISBN: 978-3-030-31919-9
