Almost Tight Security in Lattices with Polynomial Moduli – PRF, IBE, All-but-many LTF, and More

Lai, Qiqi; Liu, Feng-Hao; Wang, Zhedong

doi:10.1007/978-3-030-45374-9_22

Qiqi Lai¹²,
Feng-Hao Liu¹³ &
Zhedong Wang¹³

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12110))

Included in the following conference series:

IACR International Conference on Public-Key Cryptography

1322 Accesses
7 Citations

Abstract

Achieving tight security is a fundamental task in cryptography. While one of the most important purposes of this task is to improve the overall efficiency of a construction (by allowing smaller security parameters), many current lattice-based instantiations do not completely achieve the goal. Particularly, a super-polynomial modulus seems to be necessary in all prior work for (almost) tight schemes that allow the adversary to conduct queries, such as PRF, IBE, and Signatures. As the super-polynomial modulus would affect the noise-to-modulus ratio and thus increase the parameters, this might cancel out the advantages (in efficiency) brought from the tighter analysis. To determine the full power of tight security/analysis in lattices, it is necessary to determine whether the super-polynomial modulus restriction is inherent.

In this work, we remove the super-polynomial modulus restriction for many important primitives – PRF, IBE, All-but-many Lossy Trapdoor Functions, and Signatures. The crux relies on an improvement over the framework of Boyen and Li (Asiacrypt 16), and an almost tight reduction from LWE to LWR, which improves prior work by Alwen et al. (Crypto 13), Bogdanov et al. (TCC 16), and Bai et al. (Asiacrypt 15). By combining these two advances, we are able to derive these almost tight schemes under LWE with a polynomial modulus.

You have full access to this open access chapter, Download conference paper PDF

Improved Constructions of PRFs Secure Against Related-Key Attacks

All-But-Many Lossy Trapdoor Functions from Lattices and Applications

Lattice-Based Programmable Hash Functions and Applications

Article 29 November 2023

1 Introduction

Tight Security. The reduction framework is a powerful tool to analyze security of a cryptographic construction by relating its security to some suitable mathematical hard problem, such as problems of integer factoring, discrete logs, shortest vector in lattices, and many others [19, 35, 46]. This framework can be described roughly as follows: assume that there exists a $(t_{\mathcal {A}},\varepsilon {}_{\mathcal {A}})$-adversary $\mathcal {A} $ that breaks the cryptographic construction, then we can construct a $(t_{\mathcal {B}},\varepsilon {}_{\mathcal {B}})$-reduction algorithm $\mathcal {B} $ that uses $\mathcal {A} $ as a subroutine and solves the underlying hard problem.^{Footnote 1}

To evaluate how tight the security of the cryptographic scheme is with respect to the hardness of the underlying problem, we establish analysis of bounds in the form: $\varepsilon {}_\mathcal {B} \ge \varepsilon {}_\mathcal {A}/\theta $ and $t_{\mathcal {B}}\le k t_{\mathcal {A}}+o(t_{\mathcal {A}})$, and then use $k \theta $ as a measure of tightness – the smaller this quantity is, the tighter the security can achieve. The cryptographic scheme is considered to be (1) tight (with respect to the underlying hard problem) if $k\theta = c$ for some constant independent of the adversary, and (2) almost tight (with respect to the underlying hard problem) if $k\theta = \mathsf {poly}(\lambda )$ for some small polynomial of the security parameter, independent of the adversary.

Achieving tight security is a meaningful task, particularly when one can prove the same or perhaps slightly less efficient scheme has a tight reduction than a non-tight one. From a theoretical point of view, tightness indicates that security of a crypto scheme is (extremely) closely related to the hardness of the underlying hard problem, which is the optimal case we can expect from the provable security theory. By knowing the (almost) tight relation, we would know how aggressively we can set the security parameter, which is important for practical efficiency.

This subject has drawn a large amount of attention. For symmetric key primitives, we know how to achieve almost tight pseudorandom functions ($\mathsf {PRF}$s) [8, 26, 41] with respect to various assumptions. Later on, the community turned the focus to public-key primitives. For example, Waters [53] stated an open problem of constructing a tightly, adaptively secure $\mathsf {IBE} $ scheme from standard computational hardness assumptions without random oracles. In addition to $\mathsf {IBE} $, progress has been made for various other schemes, including public-key encryption and signature (e.g, [5, 10, 24, 28, 32, 33]).

Progress in Lattices. While research in this line is active, most results were with respect to assumptions on groups [10, 24, 33] or integer factorization [9, 39]. For other important or post-quantum assumptions such as lattices, only a few results are known even for almost tight security. For symmetric-key primitives, there are only two almost tight $\mathsf {PRF} $s from the learning with error assumption $(\mathsf {LWE})$ [8, 41]. For public-key primitives, Boyen and Li [16] constructed the first almost tight $\mathsf {IBE} $ based on $\mathsf {LWE}$ by using a novel application of (key) homomorphic evaluation of $\mathsf {PRF}$. Later in subsequent work, Boyen and Li [17], and Libert et al. [41] generalized this technique to construct almost tight all-but-many lossy trapdoor functions ($\mathsf {ABM}$-$\mathsf {LTF}$s) from $\mathsf {LWE}$. These results are significant, as $\mathsf {ABM}$-$\mathsf {LTF}$s have several important applications in constructing other primitives, such as almost tight encryption schemes that are secure against selective opening attacks and $\mathsf {CCA}$2 attacks ($\mathsf {SO}$-$\mathsf {CCA}$2) [17], and almost tight encryption schemes with multiple challenges against $\mathsf {CCA}$2 attacks [41].

Despite these excellent advances, we however notice a common drawback in all prior almost tight lattice-based results – they all require super-polynomial moduli. It is much more favorable to build schemes with a polynomial modulus, as this provides a better security guarantee, e.g., a better approximate factor of worst-case lattice problems, and thus can lead to smaller parameters resulting in better efficiency. Additionally from a theoretic point of view, it is important to determine whether a super-polynomial modulus is inherent in achieving almost tight security in lattice-based crypto. Therefore, we ask:

Can we achieve (almost) tight security in lattices with a polynomial modulus ?

1.1 Our Results

In this work, we answer this question in a positive way for the following important primitives – $\mathsf {PRF}$, $\mathsf {IBE} $, and $\mathsf {ABM}$-$\mathsf {LTF}$. In particular, we construct and prove almost tight security of all these primitives with respect to $\mathsf {LWE}$ with polynomial moduli. Some other almost tight constructions can also be obtained along this line as we describe several examples. (1) Similar to the work of Boyen and Li [16], our technique of $\mathsf {IBE} $ can be used to derive almost tight signature schemes. Moreover, our $\mathsf {IBE} $ can be (almost) tightly extended to $\mathsf {CCA}$2-$\mathsf {IBE}$. (2) We can achieve almost tight $\mathsf {IND}$-$\mathsf {SO}$-$\mathsf {CCA}$2 secure encryption schemes from $\mathsf {LWE}$ with a polynomial modulus q, following the framework of [17]. (3) We can achieve almost tight encryption schemes for multiple ciphertexts against $\mathsf {CCA}$2 attacks from $\mathsf {LWE}$ with a polynomial modulus q, following the framework of [41]. Below we summarize our main results.

1.
We prove that the GGM-based $\mathsf {PRF}$ in [8] is almost tight with respect to $\mathsf {LWE}$ with a polynomial modulus. This derives the first almost tight lattice-based $\mathsf {PRF}$ with a polynomial modulus. The crux relies on a new route of reduction $\mathsf {LWE}\rightarrow Q\text {-}\mathsf {LWR}' \rightarrow \mathsf {PRF}$, avoiding the known non-tight approach, i.e., $\mathsf {LWE}\rightarrow \mathsf {PRG}\rightarrow \mathsf {PRF}$.^{Footnote 2}

Moreover, our reduction $\mathsf {LWE}\rightarrow Q\text {-}\mathsf {LWR}^\prime $ has advantages over existing reductions: (1) we remove the additional number-theoretic limitation on the modulus in [4]; (2) our reduction has better running time and distinguishing probability than those in the work [11, 16]. See Sects. 1.2 and 3 for further discussions.
2.
We then construct an almost tight adaptively secure $\mathsf {IBE}$ from lattices with a polynomial modulus. This improves the prior work [16] by weakening its underlying assumption, i.e., $\mathsf {LWE}$ for some super-polynomial modulus. To achieve this, we first improve the framework of [16], showing that an almost tight $\mathsf {PRF}$ (even not computable in NC1) suffices for achieving almost tight $\mathsf {IBE} $ with a polynomial modulus. Then the desired $\mathsf {IBE} $ follows by combining our almost tight $\mathsf {PRF}$ (not necessarily in NC1) with the improved framework.
3.
We further show that our technique in Contribution 2 can be used to achieve an almost tight $\mathsf{ABM}\text {-}\mathsf{LTF}$ and signatures from $\mathsf {LWE}$ with a polynomial modulus, improving the underlying assumption needed in the prior work [17, 41].

1.2 Our Techniques

Pseudorandom Functions

In this work, we derive the first almost tight $\mathsf {PRF}$ with respect to $\mathsf {LWE}$ with a polynomial modulus. To illustrate our new ideas, we first briefly review the elegant approach by Banerjee, Peikert, and Rosen [8], who constructed the first lattice-based $\mathsf {PRF}$ by introducing an intermediate problem – the learning with rounding ($\mathsf {LWR}$) assumption, a de-randomized version of the $\mathsf {LWE}$ assumption [49]. In $\mathsf {LWR}$, there is a secret vector $\varvec{s} \in \mathbb {Z}_{q}^{n}$ and the target is to distinguish $(\varvec{a}, \lfloor \langle \varvec{a}, \varvec{s} \rangle \rceil _{q\rightarrow p} )$ from the uniform distribution, where $(\varvec{a}, \varvec{s}) \xleftarrow {\$} \mathbb {Z}_{q}^{n}\times \mathbb {Z}_{q}^{n}$, and the rounding function is taken as $\lfloor x \mod q \rceil _{q\rightarrow p} = \lfloor x (p/q) \rceil \mod p$. Since then, the work [15] and follow-up work [7] have built $\mathsf {PRF}$s based on the $\mathsf {LWE}/\mathsf {LWR}$ (or their variants), and different reductions from $\mathsf {LWE}$ to $\mathsf {LWR}$ have been proved for various parameters [4, 6, 11].

We observe that all non-GGM $\mathsf {PRF}$s [7, 8] cannot be proved secure under $\mathsf {LWE}$ with a polynomial modulus using current techniques: (1) The synthesizer in Naor-Reigold-based $\mathsf {PRF}$s [45] need to use $\mathsf {LWR}$ with unbounded samples. However, all known reductions from $\mathsf {LWE}$ to $\mathsf {LWR}$ [4, 6, 8, 11] with polynomial moduli require that the number of samples is bounded; (2) Other constructions such as the direct construction [8], tree-based construction [7], and the key-homomorphic $\mathsf {PRF}$ [7, 15, 41], require the modulus to be larger than the noise, which grows super-polynomially as needed in their analyses.

On the other hand, the GGM-based $\mathsf {PRF}$s can be proved secure under $\mathsf {LWE}$ with a polynomial modulus. This is because $\mathsf {LWR}$ with bounded samples suffices for the GGM analysis (see [4]), and we do know reductions from $\mathsf {LWE}$ to $\mathsf {LWR}$ with a polynomial modulus [4, 6, 11]. However, the reduction loss in this approach depends on the number of queries Q by the $\mathsf {PRF}$ adversary. This work shows how to remove this dependency on Q.

Our New Idea: A New Route of Reduction

We first recall that the GGM framework [31] showed that a length-doubling $\mathsf {PRG}$ implies a $\mathsf {PRF}$. The proof of security can be decomposed into two steps (c.f. [37]), i.e., $\mathsf {PRG}\xrightarrow {(1)} Q$-$\mathsf {PRG}\xrightarrow {(2)} \mathsf {PRF}$, where the Q-$\mathsf {PRG}$ problem is to distinguish Q independent samples of $\mathsf {PRG}$ from Q random strings. The second step is almost tight, yet the loss in the first step depends on Q under currently known hybrid proof techniques. Therefore, any route that starts with $\mathsf {LWE}\rightarrow \mathsf {PRG}$ will hit this technical difficulty. To bypass this barrier, we propose a new route:

where the $Q\text {-}\mathsf {LWR}'$ problem asks to distinguish samples either from $(\mathbf {A}, \lfloor \varvec{s}^{t}_{1}\cdot \mathbf {A} \rceil _{q\rightarrow p}, \dots , \lfloor \varvec{s}^{t}_{Q}\cdot \mathbf {A} \rceil _{q\rightarrow p})$ or from the corresponding uniform distribution, where $\varvec{s}_i \leftarrow \mathbb {Z}_p^n$ for $i\in [Q]$.^{Footnote 3}

The reduction loss in (i) is n by a simple hybrid argument, and thus almost tight. The reduction loss in (iii) is k (the input length), which is almost tight. It is worth pointing out that the n-$\mathsf {LWE}$ problem is also known as the multi-secret $\mathsf {LWE}$ problem. As n is a system parameter that only depends on the security parameter, sometimes this version of the $\mathsf {LWE}$ is used as the starting point of the underlying hard problem, e.g. the work [17].

We next present a new analysis of $n\text {-}\mathsf {LWE}\xrightarrow {(ii)} Q\text {-}\mathsf {LWR}' $, which can be proved tight (for some useful settings of parameters). To achieve this, we present a refinement of the work [4] below:

Refinement of [4]. We present a critical observation that the information-theoretic step of [4] can be applied to the multi-secret setting. More specifically, we take the steps as follows.

1.
First, we break $\mathbf {A} \in \mathbb {Z}_{q}^{n\times m}$ into $( \mathbf {\bar{A}}, \varvec{a}) \in \mathbb {Z}_{q}^{n\times (m-1)} \times \mathbb {Z}_{q}^{n}$ and switch $ \mathbf {\bar{A}}$ into some lossy but indistinguishable $ \mathbf {\tilde{A}}$. This incurs a security loss $\varepsilon {}_{n\text {-}\mathsf {LWE}}$.
2.
Then, we prove that $(\mathbf {\tilde{A}}, \lfloor {\varvec{s}_{1}}^t\cdot \mathbf {\tilde{A}} \rceil _{q\rightarrow p}, \cdots , \lfloor \varvec{s}_{Q}^t \cdot \mathbf {\tilde{A}}\rceil _{q\rightarrow p}, \varvec{a}, \lfloor \varvec{a} \cdot \varvec{s}_{1}\rceil _{q\rightarrow p},\cdots , \lfloor \varvec{a} \cdot \varvec{s}_{Q}\rceil _{q\rightarrow p})$ is statistically close to $(\mathbf {\tilde{A}}, \lfloor \varvec{s}_{1}^t \cdot \mathbf {\tilde{A}}\rceil _{q\rightarrow p}, \cdots , \lfloor \varvec{s}_{Q}^t\cdot \mathbf {\tilde{A}}\rceil _{q\rightarrow p}, \varvec{a}, \lfloor \varvec{u}_{1}\rceil _{q\rightarrow p}, \cdots , \lfloor \varvec{u}_{Q}\rceil _{q\rightarrow p} ))$ for truly random $\{\varvec{u}_{i}\}_{i\in [Q]}$.
3.
Next, we switch $\mathbf {\tilde{A}}$ back to $\mathbf {\bar{A}}$, with another security loss $\varepsilon {}_{n\text {-}\mathsf {LWE}}$.
4.
Then we repeat the above steps for each column of $\mathbf {A}$.

The second step can be proved using the concept that a strong extractor extracts randomness from a block-source. It is clear that $(\varvec{a} , \langle \varvec{a}, \varvec{s} \rangle )$ is a strong extractor. As we can show that $\varvec{s}_{1},\cdots , \varvec{s}_{Q}$ form a block-source,^{Footnote 4} $\varvec{a}$ can extract their randomness [52]. This step might incur a dependency on Q yet in the purely information-theoretic manner, i.e., the dependency on Q will not affect $\varepsilon {}_{n\text {-}\mathsf {LWE}}$ in the multiplicative way. With appropriate parameters, we can make the statistical distance in Step 2 arbitrarily small, e.g., $2^{-n}$, and the security loss in Steps 1–3 would be $2\varepsilon {}_{n\text {-}\mathsf {LWE}} + 2^{-n}$. By repeating Steps 1–3 for all columns (i.e. m), we can obtain a reduction with loss $m(2\varepsilon {}_{n\text {-}\mathsf {LWE}} + 2^{-n}) $, which is almost tight.

Further Improvements. Next, we present two optimizations of the above approach: (1) By using a more efficient hybrid analysis, we can get rid of the dependency on m in the above argument. Particularly, if the secret $\varvec{s}$ has sufficient entropy relative to m, we can extract multiple columns per hybrid, resulting in using less hybrids and thus the overall reduction can be independent of m. (2) By using a leftover hash lemma for general modulus q with a more careful analysis, we can further remove the number-theoretic restrictions in [4]. This broadens the range of parameter selections – for example, the prior analysis [4] does not cover several useful settings, e.g., $q = p^e$, where our improvement does.

Putting Things Together for PRF. Putting things together, we are able to achieve: $n\text {-}\mathsf {LWE}\rightarrow \mathsf {PRF}$ with reduction loss k, and similarly $\mathsf {LWE}\rightarrow \mathsf {PRF}$ with reduction loss kn. By applying the technique of input-domain extension by [26], we can further reduce the loss k to $ \omega (\log \kappa )$ and achieve the on-the-fly security. We summarize the results as follow:

Theorem 1.1

(Informal). With some polynomial modulus q, we have: (1) $n\text {-}\mathsf {LWE}\rightarrow \mathsf {PRF}$ with reduction loss $ \omega (\log \kappa )$, and (2) $\mathsf {LWE}\rightarrow \mathsf {PRF}$ with reduction loss $n \cdot \omega (\log \kappa )$.

A Note on Dimension Loss. For general moduli p, q, all known reductions $\mathsf {LWE}\rightarrow $ (Q-)$\mathsf {LWR}$ ( [4, 6, 11] and ours) incur a dimension loss, i.e., $\mathsf {LWE}$ with dimension $\ell $ implies (Q-)$\mathsf {LWR}$ with dimension ranging from $O(\ell )$ to $O(\ell \log q)$. As our almost tight result $\mathsf {LWE}\rightarrow Q$-$\mathsf {LWR}$ can achieve dimension loss of a constant factor, in the setting of general moduli, our reduction $\mathsf {LWE}\rightarrow \mathsf {PRF}$ is better than existing non-tight analyses $\mathsf {LWE}\rightarrow \mathsf {LWR}\rightarrow \mathsf {PRF}$ [4, 6, 11] in terms of security loss and in some cases as well dimension loss.

For special moduli p, q such that p|q, the reduction $\mathsf {LWE}\rightarrow \mathsf {LWR}$ of Bai et al. [6] does not incur a dimension loss, yet their reduction running time blows up significantly (at least quadratically) as the analysis goes through a decision to search step. An alternative approach would take the $\mathsf {LWE}$ function $f_{\mathbf {A}}(\varvec{s}, \varvec{e}) = \mathbf {A} \cdot \varvec{s} + \varvec{e}$ as a $\mathsf {PRG}$, which is indeed length expanding as we do not need $n\log q$ bits of randomness to represent $\varvec{e}$. This approach would not incur a dimension loss nor impose number theoretic restrictions on the modulus q. By using these two approaches, one can get a non-tight GGM $\mathsf {PRF}$ with the same dimension parameter as the underlying $\mathsf {LWE}$, namely $\ell $.

In general, a non-tight $\mathsf {PRF}$ (with dimension $\ell $) and a tight $\mathsf {PRF}$ (with dimension $O(\ell )$) are incomparable as we discuss below. On one hand, if $\mathsf {LWE}$ is exponentially hard, e.g., $\varepsilon {}_\mathsf {LWE}(\ell ) = 2^{-\ell }$, the non-tight $\mathsf {PRF}$ only needs to scale up $\ell $ to $(\ell + \log Q)$ to accommodate the security loss of a factor Q. In this case, the non-tight $\mathsf {PRF}$ parameter is better than the tight one. On the other hand, if $\mathsf {LWE}$ is only super-polynomially hard, e.g., $\varepsilon {}_\mathsf {LWE}(\ell ) = 2^{-\log ^2(\ell )}$, the non-tight $\mathsf {PRF}$ needs to scale up $\ell $ to $e \ell $ where $\log e \approx \log Q / (2\log \ell )$, in order to accommodate the security loss. As e can be an arbitrary constant depending on the adversary, the tight $\mathsf {PRF}$ is better in this setting.

Almost Tight IBE and ABM-LTFs from LWE with Polynomial $\varvec{q}$

Recently, Boyen and Li [16] showed how to achieve an almost tight $\mathsf {IBE} $ from $\mathsf {LWE}$ by proposing a novel technique that applies (key) homomorphic evaluation on $\mathsf {PRF}$. Shortly, this technique was used to achieve $\mathsf{ABM}\text {-}\mathsf{LTF}$s from $\mathsf {LWE}$ and thus many of their applications [17, 41]. However, their techniques inherently require a super-polynomial modulus in achieving almost tight security. Below, we present our new insights to remove this restriction. For simplicity of presentation, we just focus on the setting of $\mathsf {IBE} $ [16] and remark that the idea can be extended to the $\mathsf {ABM}$-$\mathsf {LTF}$ in a similar way.

Basically, Boyen and Li [16] showed that an almost tight $\mathsf {IBE} $ can be constructed if (1) $\mathsf {LWE}$ is hard, (2) there exists an (almost) tight $\mathsf {PRF}$ that can be evaluated in NC1. Even though their reduction is tight from $\mathsf {LWE}+ \mathsf {PRF}$, there is no known instantiation of the required $\mathsf {PRF}$ from $\mathsf {LWE}$ with a polynomial modulus. Therefore, there is no construction of pure lattice-based almost tight $\mathsf {IBE} $ with a polynomial modulus. How to achieve such a $\mathsf {PRF}$ instantiation is a natural and interesting open problem.

The GGM-$\mathsf {PRF}$ with our new analysis still does not solve the open problem directly, as the GGM-based construction is not known to be in NC1. Nevertheless, we bypass this issue by showing that the requirement on NC1 is not necessary. Particularly, we improve the framework of Boyen and Li [16] by showing that the following conditions are sufficient: (1) $\mathsf {LWE}$ is hard, (2) there exists an almost tight $\mathsf {PRF}$, and (3) there exists a (leveled) fully homomorphic encryption scheme whose decryption algorithm can be computed in NC1.^{Footnote 5} Our desired $\mathsf {IBE} $ follows, as we can instantiate all the components from $\mathsf {LWE}$ with a polynomial modulus – the GGM-based $\mathsf {PRF}$ in this work for (2), and the $\mathsf{FHE}$ schemes [3, 22] for (3). In summary, we achieve the following theorem:

Theorem 1.2

(Informal). Assuming $\mathsf {LWE}$ is hard for some polynomial modulus q, there exists an almost tight adaptively secure $\mathsf {IBE} $ in the standard model.

Below we highlight our new ideas. We first recall the framework of Boyen and Li [16], which can be described roughly as follows. The public key contains matrices $\mathbf {A}$ and $\mathbf {B}_{1},\dots , \mathbf {B}_{k}$. At various steps (in the proof), the matrices are encoded as $\mathbf {B}_{i} = \mathbf {A} \cdot \mathbf {R}_{i} + s_{i} \mathbf {G}$, where $ s_{i}$ is the i-th bit of a $\mathsf {PRF}$ key K and $\mathbf {R}_{i}$’s are random matrices with small norms. In the key derivation process, i.e., to derive $\mathsf {sk} _{\mathsf {id}}$, their scheme applies the (key) homomorphic evaluation algorithm [14] on the matrices $\{\mathbf {B}_{i}\}_{i\in k}$ to compute the function $\mathsf {PRF}(K,\mathsf {id})$ for some given $\mathsf {id}$, resulting in $\mathbf {B}_{\mathsf {id}} = \mathbf {A} \cdot \mathbf {R}_{\mathsf {id}} + \mathsf {PRF}(K, \mathsf {id}) \mathbf {G}$. Their $\mathsf {IBE} $ scheme [16] requires that $ \Vert \mathbf {R}_{\mathsf {id}} \Vert < q $, as $\Vert \mathbf {R}_{\mathsf {id}} \Vert $ affects the quality of the $\mathsf {SampleRight} $ algorithm and the noise growth. As long as the $\mathsf {PRF}$ computation is in NC1 [16], then $\Vert \mathbf {R}_{\mathsf {id} }\Vert $ can be upper bounded by a polynomial, allowing the scheme to use a polynomial modulus q. On the other hand, if the $\mathsf {PRF}$ is not computable in NC1, then a super-polynomial q seems to be inherent in this approach as $ \Vert \mathbf {R}_{\mathsf {id}} \Vert $ would become super-polynomial.

To bypass the technical barrier, we introduce a two-step approach that integrates homomorphic evaluation on leveled $\mathsf {HE} $ ciphertexts, key homomorphic evaluation on the public matrices, and Gentry’s bootstrapping technique [3, 29]. Given a leveled $\mathsf{FHE}$ ($\mathsf {HE} $) that supports homomorphic computation of the $\mathsf {PRF}$ and has an NC1 decryption algorithm, we add an encryption of a $\mathsf {PRF}$ key K, i.e., $c \leftarrow \mathsf {HE}.\mathsf {Enc} (K) $, to the public key, and encode $\mathbf {B}_{i} = \mathbf {A} \cdot \mathbf {R}_{i} + (\mathsf {sk})_{i} \mathbf {G}$, where $(\mathsf {sk})_{i}$ is the i-th bit of the decryption key of the $\mathsf {HE} $ scheme. Then our new key derivation process consists of the following two steps:

1.
(Homomorphic Evaluation of $\mathsf {PRF}$) First run $\tilde{c} = \mathsf {HE}.\mathsf {Eval} (\mathsf {PRF}(\cdot , \mathsf {id}), c)$ to homomorphically evaluate $\mathsf {PRF}(K, \mathsf {id})$.
2.
(Key Homomorphic Bootstrapping) Next run the key homomorphic evaluation of the decryption algorithm of $\mathsf {HE} $ on the matrices $\{\mathbf {B}_{i}\}_{i \in [k]}$ with the input $\tilde{c}$, i.e., evaluate $\mathsf {HE}.\mathsf {Dec} (\mathsf {sk}, \tilde{c})$ homomorphically. Then we obtain $\mathbf {B}_{\mathsf {id}} = \mathbf {A} \cdot \mathbf {R}_{\mathsf {Dec}} + \mathsf {PRF}(K, \mathsf {id}) \mathbf {G}$.

As the decryption algorithm can be computed in NC1, we know that $\Vert \mathbf {R}_{\mathsf {Dec}}\Vert $ can be bounded by a polynomial. Furthermore, we know that the required $\mathsf {HE} $ can be instantiated from $\mathsf {LWE}$ with a polynomial modulus [3, 22]. Putting all things together, we can obtain the desired $\mathsf {IBE} $.

We note that our result above does not need the circular security assumption, as we only need a leveled $\mathsf {HE} $ that supports computation of the PRF, which is of a bounded depth. Moreover, in our key homomorphic bootstrapping step, the secret key of HE is information-theoretically hidden in the matrices $\mathbf {B}_i$’s. This again does not rely on the circular security assumption.

Finally, we observe that the above two-step approach can be used to improve the modulus used in prior $\mathsf{ABM}\text {-}\mathsf{LTF}$ [17, 41] and signatures [16]. Particularly, we achieve:

Theorem 1.3

(Informal). Assuming $\mathsf {LWE}$ is hard for some $q=\mathsf {poly}(\kappa )$, there exist an almost tight $\mathsf{ABM}\text {-}\mathsf{LTF}$ and a signature scheme with a poly modulus.

Other Related Work. Very recently, Jager $et~al.\ $ [34] proposed a new framework to improve the size of secret key and reduction loss of the $\mathsf {PRF} $s [8, 40, 45], yet their instantiations from lattices however, still require super-polynomial moduli.

2 Preliminaries

Notations. We let $\kappa $ denote the security parameter. For an integer n, let [n] denote the set $\{1,...,n\}$. We use bold lowercase letters (e.g. $\varvec{a}$) to denote vectors and bold capital letters (e.g. $\mathbf {A}$) to denote matrices. For a positive integer $q\ge 2$, let $\mathbb {Z}_{q}$ be the ring of integers modulo q. For a distribution or a set X, we write $x\xleftarrow {\$} X$ to denote the operation of sampling an uniformly random x according to X. For distribution X, Y, we let $\mathsf {SD}(X,Y)$ denote their statistical distance. We write $X\overset{s}{\approx } Y$ to mean that they are statistically close, and $X\overset{c}{\approx } Y$ to say that they are computationally indistinguishable. We let $\mathsf {negl} (\kappa )$ denote the set of all negligible function $\mu (\kappa )=\kappa ^{-\omega (1)}$.

Definition 2.1

(Computational indistinguishability). We say that two experiments $H_{0}, H_{1}$ are $(t,\varepsilon )$-indistinguishable with oracle access if for every distinguisher $\mathcal {D}$ within running time t, we have $|\mathsf {Pr}[\mathcal {D}^{H_{0}} \mathsf {accepts}]-\mathsf {Pr}[\mathcal {D}^{H_{1}} \mathsf {accepts}]|< \varepsilon ,$ where the probabilities are taken over the coin tosses of $H_{0}, H_{1}$.

2.1 Learning with Error

We define the multi-secret variant of learning with error, i.e., N-$\mathsf {LWE}$, and note that the standard learning with error can be denoted as 1-$\mathsf {LWE}$.

Definition 2.2

(Multi-secret Learning with Errors $({\mathbf {\mathsf{{LWE}}}})$ Assumption [49]). Let $\kappa $ be the security parameter, n, m, q, N be integers (functions of $\kappa $), and $\chi =\chi (\kappa )$ be a distribution over $\mathbb {Z}_{q}$. The N-$\mathsf {LWE}_{n,m,q,\chi }$ assumption with parameter N can be stated that for independently sampled $\mathbf {A}\xleftarrow {\$} \mathbb {Z}_q^{n\times m}$, $\varvec{u}_i\xleftarrow {\$} \mathbb {Z}_q^{m}$, $\varvec{s}_i\xleftarrow {\$} \mathbb {Z}_q^{n}$ and $\varvec{e}_i\xleftarrow {\$} \chi ^{m}$ for $i\in [N]$, the following distributions are computationally indistinguishable: $(\mathbf {A}, (\varvec{s}_1^t\cdot \mathbf {A}+\varvec{e}_1^t),\ldots ,(\varvec{s}_N^t\cdot \mathbf {A} +\varvec{e}_N^t)) \overset{c}{\approx }(\mathbf {A}, \varvec{u}_1^t,\ldots , \varvec{u}_N^t).$ We say N-$\mathsf {LWE}_{n,m,q,\chi }$ problem is $(t,\varepsilon )$-hard if the two distributions above are $(t,\varepsilon )$-indistinguishable.

By a simple hybrid argument, we can derive a reduction from 1-$\mathsf {LWE}_{n,m,q}$ to N-$\mathsf {LWE}_{n,m,q}$ with a security loss with a multiplicative factor of N. The work [20, 47, 49] showed that there exist quantum/classical reductions from some worst-case lattice problems $(\mathsf {GapSVP,SIVP})$ to the LWE problem.

2.2 Learning with Rounding

For any integer modulus $q>2$, $\mathbb {Z}_q$ denotes the quotient ring of integers modulus q. We define a rounding function $\lfloor \cdot \rceil _{p}:\mathbb {Z}_q\rightarrow \mathbb {Z}_p$ for $q\ge p\ge 2$ as

$$\lfloor x\rceil _{q\rightarrow p}=\lfloor (p/q)\bar{x}\rceil _{q\rightarrow p},$$

where $\bar{x}\in \mathbb {Z}$ is any integer congruent to $x~\mathrm {mod} ~q$. Furthermore, $\lfloor \cdot \rceil _{q\rightarrow p}$ can be extended component-wise to vectors and matrices over $\mathbb {Z}_q$. In places where the context is clear about the modulus q, we would omit q in the notation as $\lfloor \cdot \rceil _{ p}$ for simplicity of presentation.

Similar to the multi-secret $\mathsf {LWE}$, we define a multi-secret variant for the $\mathsf {LWR}$ assumption, and note that the original $\mathsf {LWR}$ [8] can be denoted as 1-$\mathsf {LWR}$.

Definition 2.3

(Multi-secret LWR). Let $\kappa \ge 1$ be the security parameter, $n,q\ge p\ge 2$, Q be integers (functions of $\kappa $). The Q-$\mathsf {LWR}_{n,m,q,p}$ assumption states that for independently sampled $\mathbf {A}\xleftarrow {\$} \mathbb {Z}_q^{n\times m}$, $\varvec{u}_i\xleftarrow {\$} \mathbb {Z}_q^{m}$, $\varvec{s}_i\xleftarrow {\$} \mathbb {Z}_q^{n}$ with $i\in [Q]$, the following distributions are computationally indistinguishable:

$$(\mathbf {A}, \lfloor \varvec{s}^{t}_{1}\cdot \mathbf {A} \rceil _{p},\ldots , \lfloor \varvec{s}^{t}_{Q}\cdot \mathbf {A} \rceil _{p})\overset{c}{\approx }(\mathbf {A}, \lfloor \varvec{u}^t_{1} \rceil _{p},\ldots , \lfloor \varvec{u}^t_{Q} \rceil _{p}),$$

We say the Q-$\mathsf {LWR}_{n,m,q,p}$ problem is $(t,\varepsilon )$-hard if the two distributions above are $(t,\varepsilon )$-indistinguishable.

Below we define a variant of the $\mathsf {LWR}$ problem, namely, $\mathsf {LWR}'$, which will be useful for our $\mathsf {PRF}$ construction.

Definition 2.4

(Multi-secret ${\mathbf {\mathsf{{LWR}}}}'$). The Q-$\mathsf {LWR}^{\prime }_{n,m,q,p}$ problem is the same as Q-$\mathsf {LWR}_{n,m,q,p}$ except that the secret vectors $\varvec{s}_1, \dots , \varvec{s}_Q$ are sampled from $\mathbb {Z}_p^n$.

2.3 Pseudorandom Function and Identity-Based Encryption

Definition 2.5

(Pseudorandom function). Let A and B be finite sets, and let $\mathcal {F}=\{F_{i}:A\rightarrow B\}$ be a function family, endowed with efficient sampleable distribution ($\mathcal {F}, A$ and B are all indexed by the security parameter $\lambda $). We say that $\mathcal {F}$ is a $(t,Q,\varepsilon )$-$pseudorandom~ function (\mathsf {PRF})$ family if the following two experiments are $(t,\varepsilon )$-indistinguishable with oracle access up to Q adaptive queries: (1) Choose a function $F\leftarrow \mathcal {F}$, and (2) Choose a uniformly random function $R: A\rightarrow B$.

Definition 2.6

(Identity-Based Encryption (${\mathbf {\mathsf{{IBE}}}}$) [13, 51]). An identity-based encryption scheme consists of four $\textsc {ppt} $ algorithms $(\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ defined as follows:

$\mathsf {Setup} (1^{\kappa })$: Given the security parameter, it outputs a master public key $\mathsf {mpk} $ and a master secret key $\mathsf {msk} $.
$\mathsf {KeyGen} (\mathsf {msk},\mathsf {id})$: Given the $\mathsf {msk} $ and an identity $\mathsf {id}\in \{0,1\}^{\ell }$, it outputs the identity secret key $\mathsf {sk} _{\mathsf {id}}$.
$\mathsf {Enc} (\mathsf {mpk},\mathsf {id},m)$: Given the $\mathsf {mpk} $, an identity $\mathsf {id}\in \{0,1\}^{\ell }$, and a message m, it outputs a ciphertext c.
$\mathsf {Dec} (\mathsf {sk} _{\mathsf {id}},c)$: Given a secret key $\mathsf {sk} _{\mathsf {id}}$ for identity $\mathsf {id}$ and a ciphertext c, it outputs a plaintext m.

The following correctness and security properties must be satisfied:

Correctness: For all security parameter $\kappa $, identity $\mathsf {id}\in \{0,1\}^{\ell }$ and message m, the following holds: $\mathsf {Pr}[\mathsf {Dec} (\mathsf {sk} _{\mathsf {id}},\mathsf {Enc} (\mathsf {mpk},\mathsf {id},m))\ne m]=\mathsf {negl} (\kappa ),$ where $\mathsf {sk} _{\mathsf {id}}\leftarrow \mathsf {KeyGen} (\mathsf {msk},\mathsf {id})$ and $(\mathsf {mpk},\mathsf {msk})\leftarrow \mathsf {Setup} (1^{\kappa })$.

Security: We define the adaptive chosen-plaintext security ($\mathsf {IND\text {-}ID\text {-}CPA}$) for $\mathsf {IBE} $ as below, where the adversary can adaptively make secret key queries.

Definition 2.7

For a security parameter $\kappa $, let $t=t(\kappa ), q=q(\kappa )$ and $\varepsilon =\varepsilon (\kappa )$. we say that an $\mathsf {IBE} $ scheme $\mathcal {E}$ is $(t,q,\varepsilon )\text {-}\mathsf {IND\text {-}ID\text {-}CPA}$ secure if for any t time adversary $\mathcal {A} $ makes at most q secret key queries and the following holds:

$$\mathsf {Pr}[\mathsf {IND\text {-}ID\text {-}CPA}^{\mathsf {IBE}}(\mathcal {A})=1]\le \frac{1}{2}+\varepsilon (\kappa ).$$

2.4 Lattice Backgrounds

Theorem 2.8

(Trapdoor Generation [2, 43]). There is a probabilistic polynomial-time algorithm $\mathsf {TrapGen} (1^{n},q,m)$ that for all $m\ge m_{0}=m_{0}(n,q)=O(n \log q)$, outputs $(\mathbf {A}, \mathbf {T}_{\mathbf {A}})$ s.t. $\mathbf {A}\in \mathbb {Z}^{n\times m}_{q}$ is within statistical distance $2^{-n}$ from uniform and the distribution of $\mathbf {T}_{\mathbf {A}}$ is the Discrete Gaussian $D_{Z^{m},\tau }$ conditioned on $\mathbf {A}\cdot \mathbf {T}_{\mathbf {A}}=0~(\mathrm {mod} ~q)$ and $\tau =O\sqrt{n\log q\log n}$.

Theorem 2.9

([1]). Let $q>2, m>n$. (i) If $s>\Vert \tilde{\mathbf {T}}_{\mathbf {A}}\Vert \cdot \omega (\sqrt{\log (m+m_{1})})$. Then there exists an algorithm $\mathsf {SampleLeft} $ taking $(\mathbf {A}\in \mathbb {Z}^{n\times m}_{q}, \mathbf {B}\in \mathbb {Z}^{n\times m_{1}},\mathbf {T}_{\mathbf {A}},\varvec{u}\in \mathbb {Z}^{n}_{q},s)$ as input, outputs a vector $\varvec{d}\in \mathbb {Z}^{m+m_{1}}$ distributed statistically close to $D_{\varLambda ^{\varvec{u}}_{q}([\mathbf {A}|\mathbf {B}]),s}$. (ii) If $s>\Vert \tilde{\mathbf {T}}_{\mathbf {B}}\Vert \cdot \Vert \mathbf {R}\Vert \cdot \omega (\sqrt{\log m})$. Then there exists an algorithm $\mathsf {SampleRight} $ taking $(\mathbf {A}\in \mathbb {Z}^{n\times k}_{q}, \mathbf {R}\in \mathbb {Z}^{k\times m},\mathbf {B}\in \mathbb {Z}^{n\times m},\mathbf {T}_{\mathbf {B}},\varvec{u}\in \mathbb {Z}^{n}_{q},s)$ as input, outputs a vector $\varvec{d}\in \mathbb {Z}^{m+k}$ distributed statistically close to $D_{\varLambda ^{\varvec{u}}_{q}([\mathbf {A}|\mathbf {A}\mathbf {R}+\mathbf {B}]),s}$.

Gadget Matrix. We recall the “gadget matrix” $\mathbf {G}$ defined in [43]. The “gadget matrix” $\mathbf {G}=\varvec{g}\otimes \mathbf {I}_{n}\in \mathbb {Z}^{n\times n\lceil \log q\rceil }_{q}$ where $\varvec{g}=(1,2,4,...,2^{\lceil \log q\rceil -1})$.

Lemma 2.10

([43], Theorem 1). Let q be a prime, and n, m be integers with $m=n\lceil \log q\rceil $. There is a full-rank matrix $\mathbf {G}\in \mathbb {Z}^{n\times m}_{q}$ such that the lattice $\varLambda ^{\perp }_{q}(\mathbf {G})$ has a publicly known trapdoor matrix $\mathbf {T}_{\mathbf {G}}\in \mathbb {Z}^{n\times m}$ with $\Vert \tilde{\mathbf {T}}_{\mathbf {G}}\Vert \le \sqrt{5}$, where $\tilde{\mathbf {T}}_{\mathbf {G}}$ is the Gram-Schmidt order orthogonalization of $\mathbf {T}_{\mathbf {G}}$.

Lemma 2.11

([14], Lemma 2.1). There is a deterministic algorithm, denoted by $\mathbf {G}^{-1}(\cdot ):\mathbb {Z}^{n\times m}_{q}\rightarrow \mathbb {Z}^{m\times m}$, that takes any matrix $\mathbf {A}\in \mathbb {Z}^{n\times m}_{q}$ as input, and outputs the preimage $\mathbf {G}^{-1}(\mathbf {A})$ of $\mathbf {A}$ such that $\mathbf {G}\cdot \mathbf {G}^{-1}(\mathbf {A})=\mathbf {A}~(\mathrm {mod} ~q)$ and $\Vert \mathbf {G}^{-1}(\mathbf {A})\Vert \le m$.

Definition 2.12

($\varvec{\delta }$-compatible algorithms [54]). We say that the deterministic algorithms $(\mathsf {Eval} ^{\mathsf {Pub}},\mathsf {Eval} ^{\mathsf {Trap}})$ are $\delta $-compatible for a function family $\mathcal {F}=\{f:\{0,1\}^{\ell } \rightarrow \{0,1\}\}$ if they are efficient and satisfy the following properties:

$\mathsf {Eval} ^{\mathsf {Pub}}(f\in \mathcal {F},\{\mathbf {A}_{i}\in \mathbb {Z}^{n\times m}_{q}\}_{i\in [\ell ]})=\mathbf {A}_{f}\in \mathbb {Z}^{n\times m}$.
$\mathsf {Eval} ^{\mathsf {Trap}}(f\in \mathcal {F},\mathbf {A},\varvec{x}\in \{0,1\}^{\ell }, \{\mathbf {R}_{i}\in \mathbb {Z}^{m\times m}\}_{i\in [\ell ]})=\mathbf {R}_{f}\in \mathbb {Z}^{m\times m}$.

For any $\varvec{x}=(x_{1},...,x_{\ell })\in \{0,1\}^{\ell }$, we require that the following holds:

$$\mathsf {Eval} ^{\mathsf {Pub}}(f,\{\mathbf {A}\mathbf {R}_{i}+x_{i}\mathbf {G}\}_{i\in [\ell ]})=\mathbf {A}\mathbf {R}_{f}+f(\varvec{x})\mathbf {G}~(\mathrm {mod} ~q),$$

and we have $\Vert \mathbf {R}_{f}\Vert _{\infty }\le \delta \cdot \max _{i\in [\ell ]}\{\Vert \mathbf {R}_{i}\Vert \}$.

Lemma 2.13

(Noise Rerandomization [36]). Let $q,\ell ,m$ be positive integers and r a positive real satisfying $r>max\{\eta _{\epsilon }(\mathbb {Z}^{m}),\eta _{\epsilon }(\mathbb {Z}^{\ell })\}$. Let $\varvec{b}\in \mathbb {Z}^{m}_{q}$ be arbitrary vector and $\varvec{x}$ chosen from $D_{\mathbb {Z}^{m},r}$. Then for any $\mathbf {V}\in \mathbb {Z}^{m\times \ell }$ and positive real $\sigma > \mathsf {s}_{1}(\mathbf {V})$, there exists a PPT algorithm $\mathsf {ReRand}(\mathbf {V},\varvec{b}+\varvec{x},r,\sigma )$ that outputs $\varvec{b}^{'}=\varvec{b}\mathbf {V}+\varvec{x}^{'}\in \mathbb {Z}^{\ell }_{q}$ where the statistical distance of the discrete Gaussian $D_{\mathbb {Z}^{\ell },2r\sigma }$ and the distribution of $\varvec{x}^{'}$ is within $8\epsilon $.

Fully Homomorphic Encryption. We present the syntax of (leveled fully) homomorphic encryption. A homomorphic encryption scheme $\mathsf {HE} =(\mathsf {HE}.\mathsf {KeyGen}, \mathsf {HE}.\mathsf {Enc}, \mathsf {HE}.\mathsf {Dec},\mathsf {HE}.\mathsf {Eval})$ is a quadruple of $\textsc {ppt} $ algorithms as follows:

$\mathsf {HE}.\mathsf {KeyGen} (1^{\kappa })$. Generate an encryption key $\mathsf {ek} $. a public evaluation key $\mathsf {evk} $, and a secret decryption key $\mathsf {dk} $.
$\mathsf {HE}.\mathsf {Enc} (\mathsf {ek},\mu )$. Generate a ciphertext $\mathsf {ct} $.
$\mathsf {HE}.\mathsf {Dec} (\mathsf {dk},\mathsf {ct})$. Decrypt the ciphertext and output message $\mu $.
$\mathsf {HE}.\mathsf {Eval} (\mathsf {evk},f,\{\mathsf {ct} _{i}\})$. The algorithm takes $\mathsf {evk} $ and a function (circuit) f and a set of ciphertexts $\{\mathsf {ct} _{i}\}$ as input, and outputs an evaluated ciphertext $\mathsf {ct} _{f}$.

Correctness and security follow by the standard definitions as [21, 29]. If a homomorphic scheme $\mathsf {HE} $ supports evaluation of a class of functions $\mathcal {C}$, then it is $\mathcal {C}$-homomorphic. A fully homomorphic encryption supports evaluation of all polynomial-sized circuits. Details are deferred to full version of this paper.

Next, we present an important result, saying that for most of the LWE-based FHEs, the decryption circuits are in NC1 and can be homomorphically evaluated with a small noise growth.

Theorem 2.14

([3, 22]). For all $n, q, m, \ell \in \mathbb {N}$, and for any sequence of matrices $(\mathbf {B}_{1},...,\mathbf {B}_{\ell })\in (\mathbb {Z}^{n\times m}_{q})^{\ell }$ where $\mathbf {B}_{i}=\mathbf {A}\mathbf {R}_{i}+x_{i}\mathbf {G}$ for $\mathbf {A}\xleftarrow {\$}\mathbb {Z}^{n\times m}_{q}, \mathbf {R}_{i}\xleftarrow {\$}\{-1,1\}^{m\times m}, x_{i}\xleftarrow {\$} \{0,1\}$, the following holds. For the special decryption algorithms $f\in \{0,1\}^{\ell }\rightarrow \{0,1\}$ of $\mathsf {LWE}$ based FHE [3, 22], $\mathsf {Eval} ^{\mathsf {Pub}}(f,\mathbf {B}_{1},...,\mathbf {B}_{\ell })=\mathbf {A}\mathbf {R}_{f}+f(\varvec{x})\mathbf {G}~(\mathrm {mod} ~q)$, where $\varvec{x}=(x_{1},...,x_{\ell })$, and $\Vert \mathbf {R}_{f}\Vert _{2}\le O(n^{2+\varepsilon })$ for any $\varepsilon \in (0,1)$. In other word, the algorithms $(\mathsf {Eval} ^{\mathsf {Pub}},\mathsf {Eval} ^{\mathsf {Trap}})$ are $O(n^{2+\varepsilon })$-compatible in this case.

3 Almost Tight Lattice-Based PRF Under Poly Moduli

In this section, we first present an (almost) tight reduction of $\mathsf {LWE}\rightarrow Q\text {-}\mathsf {LWR}'$ for bounded number of samples with a polynomial modulus. This new reduction serves as the core technique to prove the almost tight security of $\mathsf {GGM}$ $\mathsf {PRF}$ from $\mathsf {LWE}$ with polynomial modulus.

3.1 $\mathsf {LWR}$ with a General Modulus q

To study the $\mathsf {LWR}$ problem with a general modulus q, we first present a useful leftover hash lemma in a general $\mathbb {Z}_{q}$. In particular, we show that matrix multiplication in general $\mathbb {Z}_{q}$ is a good extractor, i.e. $(\mathbf {A}, \varvec{s}^{t} \mathbf {A}) \overset{s}{\approx } (\mathbf {A}, \varvec{u})$, as long as the min-entropy of $\varvec{s}~\mathrm {mod} ~ p'$ has sufficient entropy for every factor $p'$ of q.

We note that this condition for entropy is necessary as otherwise, we can construct a simple counterexample where the output distribution of $\varvec{s}^{t} \mathbf {A}$ is far from uniform. Consider $q = 2^{10}$, and $\varvec{s}$ is sampled uniformly from $\{0,2\}^{n}$. It is clear that $\varvec{s}$ has min-entropy n and all components of $\varvec{s}$ are small, but for any vector $\varvec{a} \in \mathbb {Z}_{q}^{n}$, $\langle \varvec{s}, \varvec{a} \rangle $ is an even number and thus the distribution of $\langle \varvec{s}, \varvec{a} \rangle $ over a random $\varvec{a}$ is far from uniform over $\mathbb {Z}_{q}$.

More formally, we use the following lemma to show that this entropy condition is sufficient for extraction.

Theorem 3.1

(Randomness Extraction for General $\varvec{q}$). Let $z,n,k,q\in \mathbb {N}$ be integers and $\varepsilon \in (0,1)$ such that

$$ k > z\log q + 3(\log (zq) + \log (1/\varepsilon {})) + 2(\log q)(\log \log q) + 7. $$

Suppose $\varvec{s}$ is chosen from some distribution over $\mathbb {Z}_{q}^n$ such that $H_{\infty }(\varvec{s} ~\mathrm {mod} ~ p) \ge k$ for any factor p of q, and $\mathbf {A}\xleftarrow {\$} \mathbb {Z}_q^{n\times z}$, $\varvec{u}\xleftarrow {\$} \mathbb {Z}_q^z$ are chosen independently of $\varvec{s}$ from the uniform distribution. Then we have: $\varDelta [(\mathbf {A},\varvec{s}^t\cdot \mathbf {A});(\mathbf {A},\varvec{u}^t)]\le \varepsilon {}.$

This theorem can be proved via Lemma 2.3 in [42]. We describe our alternative proof for completeness of presentation in the full version of this paper.

Next, we define a generalization of the weak learning with rounding ($\mathsf {wLWR}$) assumption (in the form of multi-secret) in general $\mathbb {Z}_{q}$. Intuitively, the $\mathsf {wLWR}$ problem considers scenarios where the secret $\varvec{s}$ comes from some high min-entropy distribution (e.g., perhaps the secret is somewhat leaked) instead of the uniform distribution.^{Footnote 6}

Definition 3.2

(Multi-secret ${\mathbf {\mathsf{{wLWR}}}}$). Let $\kappa $ be the security parameter, $n,m,q\ge p \ge 2, \gamma , k,Q$ be integers (functions of $\kappa $). The Q-$\mathsf {wLWR}^{(\gamma ,k)}_{n,m,q,p}$ assumption states: let $\{(\varvec{s}_{i},\mathsf {aux} _{i})\}_{i\in [Q]}$ be Q pairs of correlated random variables where (i) each pair is sampled independently of the others, (ii) the support of each $\varvec{s}_{i} \in [-\gamma , \gamma ]^{n}$, and (iii) $H_{\infty }(\varvec{s}_{i}~\mathrm {mod} ~p' ~| ~\mathsf {aux} _i) \ge k$ for every prime factor $p'$ of q and for $i\in [Q]$. Then the distributions below are computationally indistinguishable:

$$(\{\mathsf {aux} _{i}\}_{i\in [Q]},\mathbf {A}, \lfloor \varvec{s}^{t}_{1}\cdot \mathbf {A} \rceil _{p},\ldots , \lfloor \varvec{s}^{t}_{Q}\cdot \mathbf {A} \rceil _{p})\overset{c}{\approx }(\{\mathsf {aux} _{i}\}_{i\in [Q]}, \mathbf {A}, \lfloor \varvec{u}_{1} \rceil _{p},\ldots , \lfloor \varvec{u}_{Q} \rceil _{p}),$$

where $\mathbf {A}\xleftarrow {\$} \mathbb {Z}^{n\times m}_{q}, \varvec{u}_{1},\cdots , \varvec{u}_{Q} \xleftarrow {\$} \mathbb {Z}^{m}_{q}$ are chosen randomly and independently of $\{(\varvec{s}_{i},\mathsf {aux} _{i})\}_{i\in [Q]}$. We say the Q-$w\mathsf {LWR}^{(\gamma ,k)}_{n,m,q,p}$ problem is $(t,\varepsilon )$-hard if the two distributions above are $(t,\varepsilon )$-indistinguishable.

We remark that contrast with the previous definition by [4] for restricted moduli, our generalized definition instead impose more condition on the secret distribution, just as required in the randomness extraction in Theorem 3.1, i.e., $ \varvec{s}~\mathrm {mod} ~p'$ has sufficient entropy for every factor $p'$ of q. Intuitively, without this additional condition in general $\mathbb {Z}_q$, $\lfloor \varvec{s}^{t}\cdot \mathbf {A} \rceil $ might be far from uniform for some $\varvec{s}$ which is only guaranteed to have high min-entropy.

More formally, we establish the following main theorem to show that Q-$\mathsf {wLWR}$ is at least as hard as n-$\mathsf {LWE}$ for a wide range of parameters.

Theorem 3.3

(Hardness of Multi-secret $\mathbf{(}{\mathbf {\mathsf{{w}}}}{} \mathbf{)}{\mathbf {\mathsf{{LWR}}}}$). Let $k,\ell ,n,m,p,q,\gamma ,Q,\lambda $ be positive integers, $p_{\min }$ be the smallest prime factor of q, c be an integer, and $\chi $ be a $\beta $-bounded distribution for some real $\beta >0$, such that $q\ge 2\beta \gamma nmp $. Assume n-$\mathsf {LWE}_{\ell ,m,q,\chi }$ problem is $(t,\varepsilon )$-hard, then we have the following:

(High entropy secret). Q-$\mathsf {wLWR}^{(\gamma ,k)}_{n,m,q,p}$ is $\left( t^\prime ,\varepsilon ^\prime \right) $-hard, where $t^\prime =t-\mathsf {poly}(\kappa ), \varepsilon ^\prime =2c\varepsilon +(Qc+1)\frac{1}{2^\lambda }$, if $k\ge \left( \lfloor \frac{m}{c}\rfloor +2(\log \log q)+\ell +\lambda +3\right) \log q+3\log \lfloor \frac{m}{c}\rfloor +3\lambda +7$.
(Uniform secret). Q-$\mathsf {LWR}_{n,m,q,p}$ is $\left( t^\prime ,\varepsilon ^\prime \right) $-hard, where $t^\prime =t-\mathsf {poly}(\kappa ), \varepsilon ^\prime =2c\varepsilon +(Qc+1)\frac{1}{2^\lambda }$, if $n \ge \frac{1}{\min \{\log (2\gamma ), \log (p_{\min }) \}}\Big (\Big (\lfloor \frac{m}{c}\rfloor +2(\log \log q)+\ell +\lambda +3\Big )\log q+3\log \lfloor \frac{m}{c}\rfloor +3\lambda +7\Big )$.

The proof of this theorem relies on the use of a lossy matrix and randomness extraction alternately as we described in Sect. 1.2. Due to space limit, we defer the full proof to the supplementary material in full version of this paper.

Note that the reduction loss in Theorem 3.3 does not depend on Q in the multiplicative way, and thus can be made tight in several parameter settings. Furthermore, the hardness of ordinary $\mathsf {wLWR}$, $\mathsf {LWR}$ and $\mathsf {LWR}'$ in the general $\mathbb {Z}_q$ can be derived easily from this theorem.

As we discussed in the beginning of this section, our result in Theorem 3.3 improves the prior work [4] in the following two aspects: (1) our q does not require the additional number theoretic requirement, and (2) if the secret $\varvec{s}$ has sufficient entropy, we can further improve the security loss. The work [4] can be thought as $c=m$ in our case.

Using the above theorem, we can prove the problem $\mathsf {LWR}'_{n,m,q,p}$ as a special case of the problem $\mathsf {wLWR}^{(\gamma ,k)}_{n,m,q,p}$, where $\gamma = p$, and $k= n \left( \min \{ \log p,\log (p_{\min })\} \right) $.

Table 1. Simple example of parameter setting

Full size table

We note that by a simple calculation, $\varvec{s}\xleftarrow {\$}\mathbb {Z}_p$ implies $H_{\infty } (\varvec{s} ~\mathrm {mod} ~p') \ge n \left( \min \{ \log p,\log (p_{\min })\} \right) $ for any prime factor $p'$ of q. Thus we have the following corollary.

Corollary 3.4

(Hardness of Multi-secret ${\mathbf {\mathsf{{LWR}}}}'$). Let $\ell ,n,m,p,q,Q,\lambda $ be positive integers, $p_{\min }$ be the smallest prime factor of q, c be an integer, and $\chi $ be a $\beta $-bounded distribution for some real $\beta >0$, such that $q\ge 2 \beta nmp^{2}$. Assume n-$\mathsf {LWE}_{\ell ,m,q,\chi }$ problem is $(t,\varepsilon )$-hard, then Q-$\mathsf {LWR}'_{n,m,q,p}$ is $\left( t^\prime ,\varepsilon ^\prime \right) $-hard, where $t^\prime =t-\mathsf {poly}(\kappa ), \varepsilon ^\prime =2c\varepsilon +(Qc+1)\frac{1}{2^\lambda }$, if $n\ge \frac{1}{\min \{\log p,\log (p_{\min }) \}}\Big (\Big (\lfloor \frac{m}{c}\rfloor +2(\log \log q)+\ell +\lambda +3\Big )\log q+3\log \lfloor \frac{m}{c}\rfloor +3\lambda +7\Big )$.

Some Useful Setting of Parameters. Our reduction of $\mathsf {LWE}\rightarrow Q\text {-}\mathsf {LWR}'$ holds for a wide range of parameters (e.g., $q=p^{e}$). Here we describe one example, which will be used in our almost tight PRF in Sect. 3.2.

Through combining Theorem 3.3 and Corollary 3.4, together with the parameter setting in Table 1, we can directly achieve the following corollary

Corollary 3.5

Let $\kappa $ be the security parameter, $\ell ,n,m,p,q,\lambda ,\beta ,c$ be function of $\kappa $ setting above. Assume n-$\mathsf {LWE}_{\ell ,m,q,\chi }$ problem is $(t,\varepsilon )$-hard, then Q-$\mathsf {LWR}'_{n,m,q,p}$ is $\left( t^\prime ,\varepsilon ^\prime \right) $-hard for any $Q=\mathsf {poly}(\kappa )$ and sufficient large $\kappa $, where $t^\prime =t-\mathsf {poly}(\kappa ), \varepsilon ^\prime \le 48\varepsilon +\frac{24Q+1}{2^{2\kappa }}$.

3.2 Lattice-Based PRF with $\mathsf {poly}$ Modulus

In this section, we show that the GGM-based construction [8], when instantiated under LWR’ with parameters as Table 1, indeed achieves almost tight security. Thus, we achieve the first almost tight LWE-based PRF with a poly modulus.

Lattice PRF via GGM. By using the (n)-$\mathsf {LWR}'$ (with bounded samples) and the GGM construction, one can derive a PRF, as shown by the work [8]. For completeness, below we include the construction, parameters, and a theorem that summarizes security.

Construction. For parameters $n\in \mathbb {N}$, moduli $q\ge p\ge 2$, and input length $k\ge 1$, the family $\mathcal {F}$ consists of functions from $\{0,1\}^{k}$ to $\mathbb {Z}^{n}_{p}$. A function $F\in \mathcal {F}$ is indexed by some $\mathbf {A}_{0}, \mathbf {A}_{1}\in \mathbb {Z}^{n\times n}_{q}$ and $\varvec{s}\in \mathbb {Z}^{n}_{p}$, and is defined as

$$F(x)=F_{\varvec{s},\{\mathbf {A}_{i}\}_{i\in \{0,1\}}}(x_{1},...,x_{k});=\lfloor \ldots \lfloor \lfloor \varvec{s}^{t}\cdot \mathbf {A}_{x_{1}} \rceil _{p}\cdot \mathbf {A}_{x_{2}}\rceil _{p}\ldots \cdot \mathbf {A}_{x_{k}}\rceil _{p}.$$

We endow $\mathcal {F}$ with the distribution where $\{\mathbf {A}_{i}\}_{i\in \{0,1\}}$ and $\varvec{s}$ are chosen uniformly at random, and $\{\mathbf {A}_{i}\}_{i\in \{0,1\}}$ can be publicly known.

Parameters. Our PRF works for a wide range of parameters. For ease of our security proof, we use a concrete parameter setting following Table 1: Let $\kappa $ be the security parameter, we set $n=50\kappa , k=\kappa , p=\kappa , q=\kappa ^{6}$.

Theorem 3.6

Let $\kappa $ be security parameter, n, k, p, q be parameters setting above, and $\chi $ be a $\beta $-bounded distribution over $\mathbb {Z}_{q}$ for $\beta =\sqrt{\kappa }$. Assume $\mathsf {LWE}_{\ell ,2n,q,\chi }$ is $(t, \varepsilon )$-hard where $\ell =\kappa $. Then the family $\mathcal {F}$ constructed above is a $(t^{'},Q, \varepsilon ^{'})$-$\mathsf {PRF} $, where $t^{'}=t-\mathsf {poly}(\kappa ), \varepsilon ^{'}\le 48kn\varepsilon +\frac{1}{2^{\kappa }}$ for sufficient large $\kappa $ and any $Q=\mathsf {poly}(\kappa )$.

Proof Sketch. As discussed in the introduction, the proof follows the steps $ \mathsf {LWE}\xrightarrow {(i)} n\text {-}\mathsf {LWE}\xrightarrow {(ii)} Q\text {-}\mathsf {LWR}' \xrightarrow {(iii)} \mathsf {PRF}$. Step (i) follows from a standard hybrid argument; Step (ii) follows from Corollary 3.4 in Sect. 3.1; Step (iii) is very similar to the classic proof $Q\text {-}\mathsf {PRG}\rightarrow \mathsf {PRF}$ (see [12, 31, 37]). For completeness, we present the formal arguments in full version of this paper.

We can further improve the result by applying the domain extension techniques by [26], resulting in the Corollary as follows:

Corollary 3.7

Let $\kappa $ be security parameter, $n=50\kappa , p=\kappa , q=\kappa ^{6}, k=\kappa , \ell = \kappa , \beta = \sqrt{\kappa }$ as our setting of parameters. We have the following:

Assume $n\text {-}\mathsf {LWE}_{\ell ,2n,q,\chi }$ is $(t, \varepsilon )$-hard where $\chi $ is a $\beta $-bounded distribution over $\mathbb {Z}_{q}$. Then there exists a $(t^{'}, Q, \varepsilon ^{'})$-$\mathsf {PRF} $, where $t^{'}=t-\mathsf {poly}(\kappa ), \varepsilon ^{'}\le \omega (\log \kappa )\varepsilon + 2^{-\varOmega (\kappa )}$ for sufficient large $\kappa $ and for any $Q=\mathsf {poly}(\kappa )$.
Assume $\mathsf {LWE}_{\ell ,2n,q,\chi }$ is $(t, \varepsilon )$-hard where $\chi $ is a $\beta $-bounded distribution over $\mathbb {Z}_{q}$. Then there exists a $(t^{'}, Q, \varepsilon ^{'})$-$\mathsf {PRF} $, where $t^{'}=t-\mathsf {poly}(\kappa ), \varepsilon ^{'}\le 48\kappa \omega (\log \kappa )\varepsilon $

$+ 2^{-\varOmega (\kappa )}$ for sufficient large $\kappa $ and any $Q=\mathsf {poly}(\kappa )$.

4 New Framework of Lattice-Based IBE with Tight Security Under $\mathsf {poly}$ Modulus

In this section, we propose a novel framework that integrates key homomorphic evaluation on the public matrices, homomorphic evaluation on leveled $\mathsf {HE} $ ciphertexts, bootstrapping, and our almost tight $\mathsf {PRF}$ in Sect. 3.2. By applying this technique, we construct an almost tight adaptively secure $\mathsf {IBE} $ from $\mathsf {LWE}$ with a polynomial modulus. Our technique can also apply to the lattice based signature scheme resulting an almost tight security under $\mathsf {poly}$ modulus. Due to the space, we put the construction in full version of this paper. We present our $\mathsf {IBE} $ construction in Sect. 4.1, and then show the tight security in Sect. 4.2, finally instantiate all the building blocks in Sect. 4.3.

4.1 $\mathsf {IBE}$ Construction

$\mathsf {Setup} (1^{\kappa })$ The setup algorithm takes as input a security parameter $\kappa $, It does the following:
1. 1.
  Sample a random matrix $\mathbf {A}\in \mathbb {Z}^{n\times m}_{q}$ along with a trapdoor basis $\mathbf {T}_{\mathbf {A}}\in \mathbb {Z}^{m\times m}$ of lattice $\varLambda ^{\perp }_{q}(\mathbf {A})$ by running $\mathsf {TrapGen} $.
2. 2.
  Select random matrices $\mathbf {A}_{0},\mathbf {A}_{1}\in \mathbb {Z}^{n\times m}_{q}$. Run $\mathsf {HE}.\mathsf {KeyGen} $ algorithm of a $\mathsf {HE} $ scheme . Set the random “$\mathsf {PRF} $ key” elements as where and set “bootstrapping key” element as . Select random “$\mathsf {PRF} $ input” elements
  uniformly at random. Select random matrices $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}\in \mathbb {Z}^{n\times m}_{q}$. Express the decryption algorithm $\mathsf {HE}.\mathsf {Dec} $ as a $\mathsf {NAND} $ Boolean circuit .
3. 3.
  Select a random vector $\varvec{u}\xleftarrow {\$} \mathbb {Z}^{n}_{q}$.
4. 4.
  Select a secure pseudorandom function $\mathsf {PRF}:\{0,1\}^{k_{1}}\times \{0,1\}^{\ell }\rightarrow \{0,1\}$, express it as a $\mathsf {NAND} $ Boolean circuit $C_{\mathsf {PRF}}$ with depth $d=d(\kappa )$, and select a $\mathsf {PRF} $ key $K=s_{1}s_{2}...s_{k_{1}}\xleftarrow {\$} \{0,1\}^{k_{1}}$.
5. 5.
  Set $\mathsf {msk} =(\mathbf {T}_{\mathbf {A}},K)$, and output
$\mathsf {KeyGen} (\mathsf {mpk},\mathsf {msk},\mathsf {id})$ The key generation algorithm take $\mathsf {mpk}, \mathsf {msk} $ and an identity $\mathsf {id}=x_{1}x_{2}...x_{\ell }\in \{0,1\}^{\ell }$ as input, and does the following:
1. 1.
  Compute $b=\mathsf {PRF} (K,id)$.
2. 2.
  Compute
3. 3.
  Compute , where is the i-bit of $\mathsf {ct} _{\mathsf {id}}$.
4. 4.
  Set $\mathbf {F}_{\mathsf {id},1-b}=[\mathbf {A}|\mathbf {A}_{1-b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}}]\in \mathbb {Z}^{n\times 2m}_{q}.$
5. 5.
  Run $\mathsf {SampleLeft} $ to sample $\varvec{d}_{\mathsf {id}}$ from the discrete Gaussian distribution $D_{\varLambda ^{\varvec{u}}_{q}(\mathbf {F}_{\mathsf {id},1-b}),s}$, then $\mathbf {F}_{\mathsf {id},1-b}\varvec{d}_{\mathsf {id}}=\varvec{u} (\mathrm {mod} ~q).$ Output $\mathsf {sk} _{\mathsf {id}}=(b,\varvec{d}_{\mathsf {id}}).$
$\mathsf {Enc} (\mathsf {mpk},\mathsf {id},\mu )$ To encrypt a message $\mu \in \{0,1\}$ with respect to an identity $\mathsf {id}=x_{1}x_{2}...x_{\ell }\in \{0,1\}^{\ell }$:
1. 1.
  Compute
2. 2.
  Compute
3. 3.
  Set $\mathbf {F}_{\mathsf {id},b}=[\mathbf {A}|\mathbf {A}_{b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}}]\in \mathbb {Z}^{n\times 2m}_{q}$ for $b=0,1$.
4. 4.
  Select two random vectors $\varvec{s}_{0},\varvec{s}_{1}\xleftarrow {\$} \mathbb {Z}^{n}_{q}$.
5. 5.
  Select two noise scalars $v_{0,0},v_{1,0}\leftarrow D_{\mathbb {Z},\sigma _{\mathsf {LWE}}}$ and two noise vectors $\varvec{v}_{0,1},\varvec{v}_{1,1}\leftarrow D_{\mathbb {Z}^{2m},\sigma }$, where $\sigma $ is a gaussian parameter lager than $\sigma _{\mathsf {LWE}}$.
6. 6.
  Compute the ciphertext $\mathsf {ct} _{\mathsf {id}}=(c_{0,0},\varvec{c}_{0,1},c_{1,0},\varvec{c}_{1,1})$ as:
  $$\begin{aligned} \left\{ \begin{aligned} c_{0,0}=(\varvec{s}^{t}_{0}\varvec{u}+v_{0,0}+\mu \lfloor q/2\rfloor )~\mathrm {mod} ~q \\ \varvec{c}^{t}_{0,1}=(\varvec{s}^{t}_{0}\mathbf {F}_{\mathsf {id},0}+\varvec{v}^{t}_{0,1})~\mathrm {mod} ~q \\ \end{aligned} \right. \end{aligned}$$
  
  $$\begin{aligned} \left\{ \begin{aligned} c_{1,0}=(\varvec{s}^{t}_{1}\varvec{u}+v_{1,0}+\mu \lfloor q/2\rfloor )~\mathrm {mod} ~q \\ \varvec{c}^{t}_{1,1}=(\varvec{s}^{t}_{1}\mathbf {F}_{\mathsf {id},1}+\varvec{v}^{t}_{1,1})~\mathrm {mod} ~q \\ \end{aligned} \right. \end{aligned}$$
$\mathsf {Dec} (\mathsf {mpk},\mathsf {sk} _{\mathsf {id}},\mathsf {ct} _{\mathsf {id}})$ The decryption algorithm uses the key $(b,\varvec{d}_{\mathsf {id}})$ to decrypt $(c_{b,0},\varvec{c}_{b,1})$. The decryption algorithm computes $\eta =(c_{b,0}-\varvec{c}^{t}_{b,1}\varvec{d}_{\mathsf {id}})~\mathrm {mod} ~q.$ If $\eta $ is closer to 0 that $\pm q/2$, then decryption algorithm outputs $\mu =0$, otherwise, outputs $\mu =1$.

Correctness analysis can be verified in the same way as [16]. We omit it here due to the space limit.

Parameter Setting. We now provide an instantiation that achieves both correctness a and security (Table 2).

Table 2. Parameter setting of IBE scheme

Full size table

To ensure the condition of $\mathsf {TrapGen} $ in Theorem 2.8 and achieve the statistical distance in Lemma 4.2, we set $m=O(n\log q)$, $n\ge \kappa +\log k_{2}+5$;
According to [3, 18, 21, 30], there exists an $\mathsf {HE} $ scheme such that the decryption circuit is in $\mathsf {NC}_{1}$, so we set $L=O(\log n)$;
To ensure that $\mathsf {SampleLeft} $ in the real scheme and $\mathsf {SampleRight} $ in the simulation game have the statistical distance within $2^{-(\kappa +2)}/3Q_{\mathsf {id}}$ per Theorem 2.8 and Theorem 2.9, we need
$$s>\Vert \tilde{\mathbf {T}}_{\mathbf {A}}\Vert \cdot \omega (\sqrt{\log 2m})~and~s>\Vert \tilde{\mathbf {T}}_{\mathbf {G}}\Vert \cdot \Vert \mathbf {R}\Vert \cdot \omega (\sqrt{\log m}),$$
where $\mathbf {R}=\mathbf {R}_{\mathbf {A}_{1-b}}-\mathbf {R}_{C_\mathsf {PRF},\mathsf {id}}$, and $n\ge \kappa +5+\log {Q_{\mathsf {id}}}$ ($Q_{\mathsf {id}}$ is number of key queries). According to Theorem 2.14 and the bootstrapping computation [3], the key-homomorphic evaluation algorithm of $\mathsf {HE} $ decryption circuit is $O(n^{2+\epsilon })$-compatible for any $\epsilon \in (0,1)$, which means that $\Vert \mathbf {R}_{C_\mathsf {PRF},\mathsf {id}}\Vert \le O(n^{2+\epsilon })$. To satisfy these conditions, we set $s=O(n^{3+\epsilon })$ and $n\ge 2\kappa +5$ (without loss of generality, we assume $Q_{\mathsf {id}}<2^{\kappa }$);
To ensure Regev’s quantum reduction to $\mathsf {LWE}$ [49], we need $\sigma _{\mathsf {LWE}}>2\sqrt{\kappa }$;
For $\mathsf {ReRand}$ algorithm to work with the statistical distance in Lemma 4.3, we need $\sigma ^{*}>\mathsf {s}_{1}([\mathbf {I}|\mathbf {R}])$, $\sigma _{\mathsf {LWE}}>max\{\eta _{\epsilon }(\mathbb {Z}^{m}),\eta _{\epsilon }(\mathbb {Z}^{\ell })\}$ and $\sigma =2\sigma ^{*}\cdot \sigma _{\mathsf {LWE}}$. According to the property of smoothing parameters (which can be found in full version of this paper) and Theorem 2.14, we set $\sigma _{\mathsf {LWE}}=O(\sqrt{\kappa +\log \kappa }), \sigma ^{*}=O(n^{2+\epsilon })$;
To ensure the correctness of decryption, we need $|c_{b,0}-\varvec{c}^{t}_{b,1}\varvec{d}_{\mathsf {id}}|<q/4,$ as a result $O(s\cdot m\cdot \sigma )<q/4$. We set $q=O(n^{8+\epsilon })$ (q is not necessarily a prime).

4.2 Security

The security of the $\mathsf {IBE} $ scheme above can be stated by the following theorem.

Theorem 4.1

Let the parameters be chosen as above, and $\chi $ be the distribution $\mathcal {D}_{\mathbb {Z}^{m},\sigma _\mathsf {LWE}}$. If the $\mathsf {LWE}_{n,m,q,\chi }$ problem is $(t_{\mathsf {LWE}},\varepsilon {}_{\mathsf {LWE}})$-hard, $\mathsf {HE} $ scheme is $(t_{\mathsf {HE}},k_{1},\varepsilon {}_{\mathsf {HE}})$-IND secure with decryption circuit in $\mathbf {NC}_{1}$ (e.g., $O(n^{2+\epsilon })$-compatible), and the $\mathsf {PRF} $ used in the $\mathsf {IBE} $ is a $(t_{\mathsf {PRF}},Q_{\mathsf {id}},\varepsilon {}_{\mathsf {PRF}})$-$\mathsf {PRF} $, then the $\mathsf {IBE} $ scheme constructed above is $(t^{*},Q_{\mathsf {id}},\varepsilon ^{*})$-adaptively secure such that $\varepsilon ^{*}\le 2(\varepsilon {}_{\mathsf {LWE}}+\varepsilon {}_{\mathsf {PRF}})+3\varepsilon {}_{\mathsf {HE}}+2^{-\kappa }$, and $t^{*}=\min \{T_{\mathsf {LWE}},T_{\mathsf {PRF}}, T_{\mathsf {HE}}\} - \mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q)$.

Proof

We prove the theorem by a sequence of hybrid games. Given a $\textsc {ppt}$ adversary $\mathcal {A} $, the first game is defined as the real adaptive security game. Then we will show that all the neighboring games are computationally/statistically indistinguishable. Finally we show that $\mathcal {A} $ has no advantage in the last game to complete the proof.

Before we present the hybrids, we first define the following simulation algorithms $\mathsf {Sim}.\mathsf {Setup} $, $\mathsf {Sim}.\mathsf {KeyGen} $ and $\mathsf {Sim}.\mathsf {Enc} $, making essential modifications of those in the work Boyen and Li [16]. We highlight the differences in boxes.

$\mathsf {Sim}.\mathsf {Setup} (1^{\kappa })$ The algorithm does the following:
1. 1.
  Select a matrix $\mathbf {A}\xleftarrow {\$} \mathbb {Z}^{n\times m}_{q}$. Run $\mathsf {HE}.\mathsf {KeyGen} $ algorithm of a $\mathsf {HE} $ scheme . Set ”bootstrapping key” element as . Select random “$\mathsf {PRF} $ input” elements
  uniformly at random. Express the decryption circuit $\mathsf {HE}.\mathsf {Dec} $ as a $\mathsf {NAND} $ Boolean circuit and express $\mathsf {dk} $ as .
2. 2.
  Select $k_{2}+2$ low-norm matrices
3. 3.
  Select a secure $\mathsf {PRF}:\{0,1\}^{k_{1}}\times \{0,1\}^{\ell }\rightarrow \{0,1\}$ and express it as a $\mathsf {NAND} $ Boolean circuit $C_{\mathsf {PRF}}$ with depth $d=d(\kappa )$.
4. 4.
  Select a uniformly random string $K=s_{1}s_{2}...s_{k_{1}}\xleftarrow {\$} \{0,1\}^{k_{1}}$.
5. 5.
  Set $\mathbf {A}_{b}=\mathbf {A}\mathbf {R}_{\mathbf {A}_{b}}+b\mathbf {G}$ for $b=0,1$ and for $i\in [k_{2}]$.
6. 6.
  Set the random “$\mathsf {PRF} $ key” elements as where
  
  .
7. 7.
  Set vector $\varvec{u}\xleftarrow {\$}\mathbb {Z}^{n}_{q}$, and publish
$\mathsf {Sim}.\mathsf {KeyGen} (\mathsf {mpk},\mathsf {msk},\mathsf {id})$ Upon an input identity $\mathsf {id}=x_{1}x_{2}...x_{\ell }\in \{0,1\}^{\ell }$, the algorithm uses $\mathsf {mpk}, \mathsf {msk} $ to do the following:
1. 1.
  Compute and
  where for each $i\in [k_3]$, $[0]_i$ denotes 0 matrix with dimension $m\times m$.
2. 2.
  Let $\mathsf {PRF} (K,\mathsf {id})=b\in \{0,1\}$. Set
  $$\mathbf {F}_{\mathsf {id},1-b} =[\mathbf {A}|\mathbf {A}_{1-b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}}] = [\mathbf {A}|\mathbf {A}(\mathbf {R}_{\mathbf {A}_{1-b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}})+(1-2b)\mathbf {G}].$$
3. 3.
  Run $\mathsf {SampleRight} $ to sample $\varvec{d}_{\mathsf {id}}\in D_{\varLambda ^{\varvec{u}}_{q}(\mathbf {F}_{\mathsf {id},1-b}),s}$, and output .
$\mathsf {Sim}.\mathsf {Enc} (\mathsf {mpk},\mathsf {id}^{*},\mu )$ The algorithm takes a message $\mu $, $\mathsf {mpk} $ and a challenge identity $\mathsf {id}^{*}$ as input, does the following:
1. 1.
  Compute $b=\mathsf {PRF} (K,\mathsf {id}^{*})$.
2. 2.
  Set $\mathbf {F}_{\mathsf {id}^{*},b} =[\mathbf {A}|\mathbf {A}_{b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}^{*}}] = [\mathbf {A}|\mathbf {A}(\mathbf {R}_{\mathbf {A}_{b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}^{*}})].$ and
  $$\mathbf {F}_{\mathsf {id}^{*},1-b} =[\mathbf {A}|\mathbf {A}_{1-b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}^{*}}] = [\mathbf {A}|\mathbf {A}(\mathbf {R}_{\mathbf {A}_{1-b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}^{*}})+(1-2b)\mathbf {G}].$$
3. 3.
  Select random vectors $\varvec{s}_{b}, \varvec{s}_{1-b}\xleftarrow {\$}\mathbb {Z}^{n}_{q}$.
4. 4.
  Select noise scalars $v_{b,0}, v_{1-b,0}\leftarrow D_{\mathbb {Z},\sigma _{\mathsf {LWE}}}$, and noise vectors .
5. 5.
  Let $\mathbf {R}=\mathbf {R}_{\mathbf {A}_{b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}^{*}}$, and set . Then invoke the $\mathsf {ReRand}$ algorithm to compute
6. 6.
  Select noise vectors $\varvec{v}_{1-b,1}\leftarrow D_{\mathbb {Z}^{2m},\sigma }$.
7. 7.
  Set the challenge ciphertext $\mathsf {ct} _{\mathsf {id}^{*}}=(c_{b,0},\varvec{c}_{b,1},c_{1-b,0},\varvec{c}_{1-b,1})$ as:
  $$\begin{aligned} \left\{ \begin{aligned} c_{b,0}=\left( \varvec{s}^{t}_{b}\varvec{u}+v_{b,0}+\mu \lfloor q/2\rfloor \right) ~\mathrm {mod} ~q \\ \varvec{c}^{t}_{b,1}=\left( \varvec{s}^{t}_{b}\mathbf {F}_{\mathsf {id}^{*},b} +\varvec{v}^{t}_{b,1}\right) ~\mathrm {mod} ~q\\ \end{aligned} \right. \end{aligned}$$
  
  $$\begin{aligned} \left\{ \begin{aligned} c_{1-b,0}=\left( \varvec{s}^{t}_{1-b}\varvec{u}+v_{1-b,0}+\mu \lfloor q/2\rfloor \right) ~\mathrm {mod} ~q \\ \varvec{c}^{t}_{1-b,1}=\left( \varvec{s}^{t}_{1-b}\mathbf {F}_{\mathsf {id}^{*},1-b}+\varvec{v}^{t}_{1-b,1}\right) ~\mathrm {mod} ~q \\ \end{aligned} \right. \end{aligned}$$

Now we present a sequence of games and prove that the neighboring games are indistinguishable. We follow the structure of the sequence from Boyen and Li [16], and add an additional step to incorporate the homomorphic encryption.

$\mathbf{Game} ~\mathbf 0 $: This is the real adaptive security game, and all the algorithms are the same as the real game.
$\mathbf{Game} ~\mathbf 1 $: This game is the same as $\mathbf{Game} ~\mathbf 0 $ except it runs $\mathsf {Sim}.\mathsf {Setup} $ and $\mathsf {Sim}.\mathsf {KeyGen} $ instead of $\mathsf {Setup} $ and $\mathsf {KeyGen} $.
$\mathbf{Game} ~\mathbf 2 $: This game is the same as $\mathbf{Game} ~\mathbf 1 $ except that the challenge ciphertext is generated by $\mathsf {Sim}.\mathsf {Enc} $ rather than $\mathsf {Enc} $.
$\mathbf{Game} ~\mathbf 3 $: This game is the same as $\mathbf{Game} ~\mathbf 2 $ except that during the generation of challenge ciphertext, it samples $(c_{b,0},\varvec{c}_{b,1})$ uniformly random from $\mathbb {Z}_{q}\times \mathbb {Z}^{2m}_{q}$ for $b=\mathsf {PRF} (K,\mathsf {id}^{*})$, and $(c_{1-b,0},\varvec{c}_{1-b,1})$ is computed by $\mathsf {Sim}.\mathsf {Enc} $ as in $\mathbf{Game} ~\mathbf 2 $.
$\mathbf{Game} ~\mathbf 4 $: This game is the same as $\mathbf{Game} ~\mathbf 3 $ except for $b=\mathsf {PRF} (K,\mathsf {id}^{*})$ it runs $\mathsf {Enc} $ to generate $(c_{1-b,0},\varvec{c}_{1-b,1})$ instead of using $\mathsf {Sim}.\mathsf {Enc} $.
$\mathbf{Game} ~\mathbf 5 $: This game is the same as $\mathbf{Game} ~\mathbf 4 $ except it runs $\mathsf {Setup} $ and $\mathsf {KeyGen} $ to generate $\mathsf {mpk} $ and $\mathsf {sk} _{\mathsf {id}^{*}}$.
$\mathbf{Game} ~\mathbf 6 $: This game is the same as $\mathbf{Game} ~\mathbf 5 $ except that for $b=\mathsf {PRF} (K,\mathsf {id}^{*})$, the challenge ciphertext part $(c_{b,0},\varvec{c}_{b,1})$ is generated by $\mathsf {Enc} $ rather than choosing it randomly, and $(c_{1-b,0},\varvec{c}_{1-b,1})$ is chosen randomly.
$\mathbf{Game} ~\mathbf 7 $: This game is the same as $\mathbf{Game} ~\mathbf 6 $ except that it runs $\mathsf {Sim}.\mathsf {Setup} $ and $\mathsf {Sim}.\mathsf {KeyGen} $ to generate $\mathsf {mpk} $ and $\mathsf {sk} _{\mathsf {id}^{*}}$.
$\mathbf{Game} ~\mathbf 8 $: This game is the same as $\mathbf{Game} ~\mathbf 7 $ except that for $b=\mathsf {PRF} (K,\mathsf {id}^{*})$, it computes the challenge ciphertext $(c_{b,0},\varvec{c}_{b,1})$ by $\mathsf {Sim}.\mathsf {Enc} $.
$\mathbf{Game} ~\mathbf 9 $: This game is the same as $\mathbf{Game} ~\mathbf 8 $ except that the whole challenge ciphertext is sampled uniformly at random. As the challenge ciphertext is independent of the adversary $\mathcal {A} $, clearly in $\mathbf{Game} ~\mathbf 9 $ the adversary has no advantage.

We let $W_{i}$ be the event that $\gamma ^{'}=\gamma $ at the end of the $\mathbf{Game} ~i$, and set the advantage’s advantage in $\mathbf{Game} ~i$ as $|\mathsf {Pr}[W_{i}]-1/2|$. We prove the following lemmas, which together imply Theorem 4.1.

Lemma 4.2

$\mathbf{Game} ~\mathbf 0 $ and $\mathbf{Game} ~\mathbf 1 $ are $(T_{1},\varepsilon {}_{\mathsf {HE}}+2^{-(\kappa +2)})$-indistinguishable, assuming the $\mathsf {HE} $ scheme is $(T_{\mathsf {HE}},\varepsilon {}_{\mathsf {HE}})$-CPA secure, where $T_{1}=T_{\mathsf {HE}}-\mathsf {poly}(n,k,m, Q_{\mathsf {id}},\log q)$.

Proof

We analyze the only four differences between $\mathbf{Game} ~\mathbf 0 $ and $\mathbf{Game} ~\mathbf 1 $:

1.
In $\mathbf{Game} ~\mathbf 0 $, the matrix $\mathbf {A}$ is generated by $\mathsf {TrapGen} $, and the matrix $\mathbf {A}$ is chosen uniformly at random in $\mathbf{Game} ~\mathbf 0 $. By Theorem 2.8, these two distributions of constructing matrix $\mathbf {A}$ are statistically close. More precisely, the statistical distance is within $2^{-(\kappa +2)}/3$ by our parameter setting.
2.
In $\mathbf{Game} ~\mathbf 0 $, the matrices $\{\mathbf {A}_{0},\mathbf {A}_{1}\}$ are chosen uniformly at random from $\mathbb {Z}^{n\times m}_{q}$. While in $\mathbf{Game} ~\mathbf 1 $, these matrices are computed as $\mathbf {A}_{b}=\mathbf {A}\mathbf {R}_{\mathbf {A}_{b}}+b\mathbf {G}$, for $b\in \{0,1\}$ for random low-norm matrices $\{\mathbf {R}_{\mathbf {A}_{b}}\}_{b\in \{0,1\}}$ from $\{0,1\}^{m\times m}$. By Theorem 3.1, the distributions of these matrices in the two games are statistically close. More precisely, the statistical distance is within $2^{-(\kappa +1)}/(3k_{2}+6)$ by our parameter setting.
3.
In $\mathbf{Game} ~\mathbf 0 $, the elements $\{\varvec{d}_{i}\}_{i\in [k_{1}]}$ are $k_{1}$ ciphertexts $\mathsf {HE}.\mathsf {Enc} (\mathsf {pk},0)$ and $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ are chosen uniformly at random from $\mathbb {Z}^{n\times m}_{q}$. In $\mathbf{Game} ~\mathbf 1 $, these elements are the ciphertexts $\mathsf {HE}.\mathsf {Enc} (\mathsf {pk},s_{i})$ and $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ are the matrices $\mathbf {D}_{i}=\mathbf {A}\mathbf {R}_{\mathbf {D}_{i}}+t_{i}\mathbf {G}$. We show the indistinguishability of the two cases by bybrid argument, we define a sequence of sub-hybirds:
- $H_{0}$: Sample $\{\mathbf {d}_{i}\}_{i\in [k_{1}]}$ and $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ as in $\mathbf{Game} ~\mathbf 0 $.
- $H_{1}$: Generate $\{\mathbf {d}_{i}\}_{i\in [k_{1}]}$ as in $\mathbf{Game} ~\mathbf 1 $. Set $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ as in $\mathbf{Game} ~\mathbf 0 $.
- $H_{2}$: Set $\{\mathbf {d}_{i}\}_{i\in [k_{1}]}$ and $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ as in $\mathbf{Game} ~\mathbf 1 $.
We first show that the neighboring games $H_{0}$ and $H_{1}$ are $(T^{'},\varepsilon {}_{\mathsf {HE}})$-indistinguishable by assuming that $\mathsf {HE} $ scheme is $(T_{\mathsf {HE}},\varepsilon {}_{\mathsf {HE}})$-secure, where $T^{'}=T_{\mathsf {HE}}-\mathsf {poly}(n,m,k,\log q)$. Then, we show that $H_{1}$ and $H_{2}$ are statistically close by Theorem 3.1.

Without loss of generality, if there exists a distinguisher $\mathcal {D}$ can distinguish $H_{0}$ from $H_{1}$ within running time $T_{\mathcal {D}} \le T'$ and with advantage $\varepsilon {}_{\mathcal {D}} \ge \varepsilon {}_{\mathsf {HE}}$, then we construct a reduction $\mathcal {B} $ that breaks $\mathsf {HE} $ as follows:
- $\mathcal {B} $ chooses $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ uniformly at random from $\mathbb {Z}^{n\times m}_{q}$.
- $\mathcal {B} $ sets $\varvec{m}_{0}= (s_{1},...,s_{k_{1}}), \varvec{m}_{1}=(0,...0)$ as its challenge messages, and forwards $\varvec{m}_{0},\varvec{m}_{1}$ to the challenger. $\mathcal {B} $ gets the challenge ciphertext $\mathsf {ct} ^{*}=\{\mathsf {ct} _{i}\}_{i\in [k_{1}]}$ from the challenger, and sets $\mathsf {ct} ^{*}=\{\varvec{d}_{i}\}_{i\in [k_{1}]}$.
- $\mathcal {B} $ simulates the hybrid game (either $H_{0}$ or $H_{1}$) with $\{\varvec{d}_{i}\}_{i\in [k_{1}]},\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ and then outputs the outcome of $\mathcal {D}$.
Clearly, if the challenger encrypts $\varvec{m}_{0}$, then $\mathcal {B} $ simulates the hybrid $H_{0}$, and otherwise, the hybrid $H_{1}$. Therefore, $\mathcal {B} $ has the same advantage as $\mathcal {D}$, i.e., $\varepsilon {}_{\mathcal {D}} \ge \varepsilon {}_{\mathsf {HE}}$, in breaking $\mathsf {HE}$, and the running time of $\mathcal {B} $ is within $T_{\mathcal {D}}+\mathsf {poly}(n,m,k,\log q) \le T_{\mathsf {HE}}$. This is a contradiction to the security of $\mathsf {HE}$.

The difference between $H_{1}$ and $H_{2}$ is the generation of the matrices $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$. By Theorem 3.1, $\{\mathbf {D}_{i}\}_{i\in [k_{2}]}$ in the two cases are statistically close, and more precisely, the statistical distance of $H_{1}$ and $H_{2}$ is within $k_{2} \times 2^{-(\kappa +2)}/(3k_{2}+6)$ by our setting of parameters.
4.
In both $\mathbf{Game} ~\mathbf 0 $ and $\mathbf{Game} ~\mathbf 1 $, the use of $\mathbf {A}_{0}$ or $\mathbf {A}_{1}$ in the key generation algorithms is decided by $b=\mathsf {PRF} (K,\mathsf {id})$. For a private key query on $\mathsf {id}$ in $\mathbf{Game} ~\mathbf 1 $, let
$$ \mathbf {F}_{\mathsf {id},1-b} =[\mathbf {A}|\mathbf {A}_{1-b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}}] = [\mathbf {A}|\mathbf {A}\cdot (\mathbf {R}_{\mathbf {A}_{1-b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}})+(1-2b)\mathbf {G}]. $$
Note that the trapdoor of $\varLambda ^{\perp }_{q}(\mathbf {G})$ is also a trapdoor of $\varLambda ^{\perp }_{q}((1-2b)\mathbf {G})$. In $\mathbf{Game} ~\mathbf 0 $, $\varvec{d}_{\mathsf {id}}$ is generated by $\mathsf {SampleLeft} $ with the trapdoor $\mathbf {T}_{\mathbf {A}}$. In $\mathbf{Game} ~\mathbf 1 $, $\varvec{d}_{\mathsf {id}}$ is generated by $\mathsf {SampleRight} $ with the trapdoor of $\varLambda ^{\perp }_{q}((1-2b)\mathbf {G})$. By Theorem 2.9 and our setting of parameters, the statistical distance between the distributions of a single key $\varvec{d}_{\mathsf {id}}$ in the two cases is bounded by $2^{-(\kappa +2)}/3Q_{\mathsf {id}}$. Therefore, from a simple union bound over $Q_{\mathsf {id}}$ keys, we conclude that the secret key distributions generated in these two ways are within a statistical distance up to $2^{-(\kappa +2)}/3$.

By combining the arguments above, we conclude that $\mathbf{Game} ~\mathbf 0 $ and $\mathbf{Game} ~\mathbf 1 $ are $(T_{1},\varepsilon {}_{\mathsf {HE}}+2^{-(\kappa +2)})$-indistinguishable, where $T_{1}=T_{\mathsf {HE}}-\mathsf {poly}(n,m,k,\log q)$. $\square $

Lemma 4.3

$\mathbf{Game} ~\mathbf 1 $ and $\mathbf{Game} ~\mathbf 2 $ are $(\infty , 2^{-(\kappa +2)}/2)$-indistinguishable.

Proof

The only difference between $\mathbf{Game} ~\mathbf 1 $ and $\mathbf{Game} ~\mathbf 2 $ is the way how the challenge ciphertext is generated. Particularly, in $\mathbf{Game} ~\mathbf 1 $, the challenge ciphertext is generated by $\mathsf {Enc} $, and the noise vectors are sampled from some discrete Gaussian distributions that are independent of $\mathsf {mpk} $. In $\mathbf{Game} ~\mathbf 2 $ the challenge ciphertext is generated by $\mathsf {Sim}.\mathsf {Enc} $.

By construction, $\mathsf {Enc} $ and $\mathsf {Sim}.\mathsf {Enc} $ generate $(c_{b,0},c_{1-b,0},\varvec{c}_{1-b,1})$ in the same way, so the distributions of $(c_{b,0},c_{1-b,0},\varvec{c}_{1-b,1})$ are identical for the two cases.

By the construction of $\varvec{c}_{b,1}$ in the challenge ciphertext in $\mathbf{Game} ~\mathbf 2 $,

$$\begin{aligned} \varvec{c}^{t}_{b,1}&=\Big (\varvec{s}^{t}_{b}\mathbf {F}_{\mathsf {id}^{*},b}+\varvec{v}^{t}_{b,1}\Big )~\mathrm {mod} ~q \\&=\Big (\varvec{s}^{t}_{b}[\mathbf {A}|\mathbf {A}(\mathbf {R}_{\mathbf {A}_{b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}^{*}})]+\mathsf {ReRand}([\mathbf {I}|\mathbf {R}],\varvec{s}^{t}_{b}\mathbf {A}+\varvec{v}^{'}_{b,1},\sigma _{\mathsf {LWE}},\sigma ^{*})\Big )~\mathrm {mod} ~q\\&=\Big (\varvec{s}^{t}_{b}[\mathbf {A}|\mathbf {A}\mathbf {R}]+\mathsf {ReRand}([\mathbf {I}|\mathbf {R}],\varvec{s}^{t}_{b}\mathbf {A}+\varvec{v}^{'}_{b,1},\sigma _{\mathsf {LWE}},\sigma ^{*})\Big )~\mathrm {mod} ~q. \end{aligned}$$

It is easy to see that the elements $\varvec{s}_{b}, \mathbf {A}, \mathbf {R}, \varvec{v}^{t}_{b,1}$ appearing in the ciphertext of $\mathbf{Game} ~\mathbf 2 $ have the same distributions as those in $\mathbf{Game} ~\mathbf 1 $. The only difference is the generation of $\varvec{v}_{b,1}$. In $\mathbf{Game} ~\mathbf 1 $, $\varvec{v}_{b,1}$ is sampled from $D_{\mathbb {Z}^{2m},\sigma }$. In $\mathbf{Game} ~\mathbf 2 $, $\varvec{v}_{b,1}$ is the output of $\mathsf {ReRand}([\mathbf {I}|\mathbf {R}],\varvec{s}^{t}_{b}\mathbf {A}+\varvec{v}^{'}_{b,1},\sigma _{\mathsf {LWE}},\sigma ^{*})$, resulting the output gaussian parameter $r=2\sigma _{\mathsf {LWE}}\cdot \sigma ^{*}=\sigma $. By Lemma 2.13 and our setting of parameters, the statistical distance between the distributions of $\varvec{v}_{b,1}$ in the two cases is bounded by $ 2^{-(\kappa +2)}/2$. Therefore, the statistical distance between $\mathbf{Game} ~\mathbf 1 $ and $\mathbf{Game} ~\mathbf 2 $ is bounded by $2^{-(\kappa +2)}/2$. $\square $

Lemma 4.4

$\mathbf{Game} ~\mathbf 2 $ and $\mathbf{Game} ~\mathbf 3 $ are $(T_{3},\varepsilon {}_{\mathsf {LWE}})$-indistinguishable, where $T_{3}=T_{\mathsf {LWE}}-\mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q)$, assuming $\mathsf {LWE}_{n,q,\chi }$ problem is $(T_{\mathsf {LWE}},\varepsilon {}_{\mathsf {LWE}})$-hard.

Proof

We show this by reduction. Assume that there exists a distinguisher $\mathcal {D}$ that distinguishes $\mathbf{Game} ~\mathbf 2 $ from $\mathbf{Game} ~\mathbf 3 $ within time $T_{\mathcal {D}} \le T_{3}$ and with advantage $\varepsilon {}_{\mathcal {D}} \ge \varepsilon {}_{\mathsf {LWE}}$, then we construct a $(T_{\mathsf {LWE}}, \varepsilon {}_{\mathsf {LWE}})$-reduction $\mathcal {B} $ that breaks the $\mathsf {LWE}$ assumption. This is a contradiction to the LWE assumption.

The reduction algorithm $\mathcal {B} $ leverages $\mathcal {D}$ to break the the LWE hardness as follows: at the beginning, $\mathcal {B} $ receives the $\mathsf {LWE}$ challenge $(\mathbf {A},\varvec{b})\in \mathbb {Z}^{n\times m}_{q}\times \mathbb {Z}^{m}_{q}$ and $(\varvec{a},b)\in \mathbb {Z}^{n}_{q}\times \mathbb {Z}_{q}$, which is either from $\mathcal {O}_{\$}$ or $\mathcal {O}_{\varvec{s}}$, where $\mathcal {O}_{\$}$ is the uniformly random distribution over $\mathbb {Z}^{n\times (m+1)}_{q}\times \mathbb {Z}^{m+1}_{q}$ and $\mathcal {O}_{\varvec{s}}$ is the distribution of $m+1$ $\mathsf {LWE}$ instances with same secret $\varvec{s}$. $\mathcal {B} $ does as follows:

$\mathsf {Setup} $: Set $\mathbf {A}$ as the public matrix in $\mathsf {mpk} $ and $\varvec{a}=\varvec{u}$. Set other public parameters as $\mathbf{Game} ~\mathbf 2 $.
$\mathsf {Phase} ~1$: $\mathcal {B} $ answers the secret key queries as $\mathbf{Game} ~\mathbf 2 $.
$\mathsf {Challenge} $: $\mathcal {B} $ computes the challenge ciphertext of $\mathsf {id}^{*}$ as follows.
1. 1.
  Let $b=\mathsf {PRF} (K,\mathsf {id}^{*})$. $\mathcal {B} $ sets
  $$\begin{aligned} \mathbf {F}_{\mathsf {id}^{*},1-b}&=[\mathbf {A}|\mathbf {A}_{1-b}-\mathbf {A}_{C_{\mathsf {PRF}},\mathsf {id}}] \\&= [\mathbf {A}|\mathbf {A}(\mathbf {R}_{\mathbf {A}_{1-b}}-\mathbf {R}_{C_{\mathsf {PRF}},\mathsf {id}^{*}})+(1-2b)\mathbf {G}]. \end{aligned}$$
2. 2.
  Let $\mathbf {R}=\mathbf {R}_{\mathbf {A}_{b}}-\mathbf {R}_{C_{\mathsf {PRF},\mathsf {id}^{*}}}$. Then constructs $(c_{b,0},\varvec{c}_{b,1})$ as
3. 3.
  $\mathcal {B} $ sets $(c_{1-b,0},\varvec{c}_{1-b,1})$ the same as $\mathbf{Game} ~\mathbf 2 $.
$\mathsf {Phase} ~2$: $\mathcal {B} $ replies the secret key queries as in $\mathbf{Game} ~\mathbf 2 $.
$\mathsf {Gauss}$: If $\mathcal {D}$ outputs “$\mathbf{Game} ~\mathbf 2 $”, $\mathcal {B} $ decides that the challenge is from $\mathcal {O}_{\varvec{s}}$. Otherwise, $\mathcal {B} $ decides that the challenge is from $\mathcal {O}_{\$}$.

If $\mathcal {B} $ gets an $\mathsf {LWE}$ instance from the oracle $\mathcal {O}_{\varvec{s}}$, then the distributions of the elements $c_{b,0},\varvec{c}_{b,1}$ in the challenge ciphertext are the same as in $\mathbf{Game} ~\mathbf 2 $. Therefore, $\mathcal {B} $ simulates $\mathbf{Game} ~\mathbf 2 $ for $\mathcal {D}$ in this case. On the other hand, if $\mathcal {B} $ gets an instance from the oracle $\mathcal {O}_{\$}$, then $c_{b,0},\varvec{c}_{b,1}$ are uniformly at random, which distribute as the case of $\mathbf{Game} ~\mathbf 3 $. Thus $\mathcal {B} $ simulates $\mathbf{Game} ~\mathbf 3 $ in this case. As a result, the advantage of $\mathcal {B} $ is the same as that of $\mathcal {D}$, i.e., $\varepsilon {}_{\mathcal {D}}\ge \varepsilon {}_{\mathsf {LWE}}$, and the running time of $\mathcal {B} $ is at most $=T_{\mathcal {D}} + \mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q) \le T_{\mathsf {LWE}}$. This completes the proof. $\square $

Lemma 4.5

$\mathbf{Game} ~\mathbf 3 $ and $\mathbf{Game} ~\mathbf 4 $ are identically distributed.

Proof

It is easy to see that the ways of generating the challenge ciphertext $c_{1-b,0},\varvec{c}_{1-b,1}$, from $\mathsf {Enc} $ and $\mathsf {Sim}.\mathsf {Enc} $, are identical. Thus, the advantages of the adversary in $\mathbf{Game} ~\mathbf 3 $ and $\mathbf{Game} ~\mathbf 4 $ are identical. $\square $

Lemma 4.6

$\mathbf{Game} ~\mathbf 4 $ and $\mathbf{Game} ~\mathbf 5 $ are $(T_{5},\varepsilon {}_{\mathsf {HE}}+2^{-(\kappa +2)})$-indistinguishable, assuming $\mathsf {HE} $ is $(T_{\mathsf {HE}},\varepsilon {}_{\mathsf {HE}})$-CPA secure, where $T_{5}=T_{\mathsf {HE}}-\mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q)$.

Proof

The proof is the same as Lemma 4.2. $\square $

Lemma 4.7

$\mathbf{Game} ~\mathbf 5 $ and $\mathbf{Game} ~\mathbf 6 $ are $(T_{6},2\varepsilon {}_{\mathsf {PRF}})$-indistinguishable, assuming the $\mathsf {PRF} $ is $(T_{\mathsf {PRF}},\varepsilon {}_{\mathsf {PRF}})$-secure, where $T_{6}=T_{\mathsf {PRF}}-\mathsf {poly}(n,m,k, Q_{\mathsf {id}},\log q)$.

Proof

Let $b=\mathsf {PRF} (K,\mathsf {id}^{*})$ for the challenge identity $\mathsf {id}^{*}$. Recall that in $\mathbf{Game} ~\mathbf 5 $, the ciphertext component $(c_{b,0},\varvec{c}_{b,1})$ is uniformly random and $(c_{1-b,0},\varvec{c}_{1-b,1})$ is generated by $\mathsf {Enc} $. In $\mathbf{Game} ~\mathbf 6 $, the ciphertext component $(c_{b,0},\varvec{c}_{b,1})$ is generated by $\mathsf {Enc} $ and $(c_{1-b,0},\varvec{c}_{1-b,1})$ is uniformly random. We prove the indistinguishability between $\mathbf{Game} ~\mathbf 5 $ and $\mathbf{Game} ~\mathbf 6 $ by three steps.

First we define $\mathbf{Game} ~\mathbf 5 ^{'}$, which is the same as $\mathbf{Game} ~\mathbf 5 $ except that it samples $b\xleftarrow {\$} \{0,1\}$ to generate the secret keys and challenge ciphertext instead of computing it by $\mathsf {PRF} $. We note that if the same identity is queried multiple times, the same b will be used. Clearly, a distinguisher between $\mathbf{Game} ~\mathbf 5 ^{'}$ and $\mathbf{Game} ~\mathbf 5 $ leads to an attacker for $\mathsf {PRF} $. So $\mathbf{Game} ~\mathbf 5 ^{'}$ and $\mathbf{Game} ~\mathbf 5 $ are $(T^{'}_{6},\varepsilon {}_{\mathsf {PRF}})$-indistinguishable.

Second, we define $\mathbf{Game} ~\mathbf 5 ^{''}$, which is the same as $\mathbf{Game} ~\mathbf 5 ^{'}$ except that for randomly sampled b for $\mathsf {id}^{*}$, it runs $\mathsf {Enc} $ to produce $(c_{b,0},\varvec{c}_{b,1})$ and samples $(c_{1-b,0},\varvec{c}_{1-b,1})$ uniformly at random. As b is uniformly at random, the advantages of the adversary in $\mathbf{Game} ~\mathbf 5 ^{''}$ and $\mathbf{Game} ~\mathbf 5 ^{'}$ are the same.

Finally, because $\mathbf{Game} ~\mathbf 5 ^{''}$ and $\mathbf{Game} ~\mathbf 6 $ are the same except that b is computed via $\mathsf {PRF} $, $\mathbf{Game} ~\mathbf 5 ^{''}$ and $\mathbf{Game} ~\mathbf 6 $ are $(T^{'}_{6},\varepsilon {}_{\mathsf {PRF}})$-indistinguishable.

The lemma follows directly by combining arguments in these three steps. $\square $

Lemma 4.8

$\mathbf{Game} ~\mathbf 6 $ and $\mathbf{Game} ~\mathbf 7 $ are $(T_{7},\varepsilon {}_{\mathsf {HE}}+2^{-(\kappa +2)})$-indistinguishable, assuming the $\mathsf {HE} $ scheme is $(T_{\mathsf {HE}},\varepsilon {}_{\mathsf {HE}})$-CPA secure, where $T_{7}=T_{\mathsf {HE}}-\mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q)$.

Proof

The proof is the same as the proof of Lemma 4.2. $\square $

Lemma 4.9

$\mathbf{Game} ~\mathbf 7 $ and $\mathbf{Game} ~\mathbf 8 $ are $(\infty ,2^{-(\kappa +2)}/2)$-indistinguishable.

Proof

The proof is the same as the proof for Lemma 4.3. $\square $

Lemma 4.10

$\mathbf{Game} ~\mathbf 8 $ and $\mathbf{Game} ~\mathbf 9 $ are $(T_{9},\varepsilon {}_{\mathsf {LWE}})$-indistinguishable, assuming $\mathsf {LWE}_{n,q,\chi }$ problem is $(T_{\mathsf {LWE}},\varepsilon {}_{\mathsf {LWE}})$-hard, where $T_{9}=T_{\mathsf {LWE}}-\mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q)$.

Proof

The proof is the same as the proof for Lemma 4.4. $\square $

By combining all the lemmas above with the composition property of (computational) indistinguishability, we conclude that

$$ |\mathsf {Pr}[W_{0}]-1/2|\le \sum _{i=0}^{8} |\mathsf {Pr}[W_{i}]- \mathsf {Pr}[W_{i+1}] | + |\mathsf {Pr}[W_{9}] - 1/2| \le 2(\varepsilon {}_{\mathsf {PRF}}+\varepsilon {}_{\mathsf {LWE}})+3\varepsilon {}_{\mathsf {HE}}+2^{-\kappa }, $$

and

$$\begin{aligned} \begin{aligned} t^{*}&= \min \{T_{1},T_{3},T_{5},T_{6},T_{7},T_{9}\} -\mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q)\\&= \min \{T_{\mathsf {LWE}},T_{\mathsf {PRF}}, T_{\mathsf {HE}}\} - \mathsf {poly}(n,m,k,Q_{\mathsf {id}},\log q). \end{aligned} \end{aligned}$$

$\square $

4.3 Instantiations of LWE-based PRF and HE

We point out that all the building blocks can be instantiated under LWE with a polynomial modulus and almost tight analyses. For the PRF, we can use our construction in this work (see Corollary 3.7 in Sect. 3.2). For the homomorphic encryption, we can use the schemes [3, 22] (which can be found in full version of this paper). Putting things together, we achieve the following corollary.

Corollary 4.11

For certain $n,m,q=\mathsf {poly}(\kappa ),\chi $ such that $\mathsf {LWE}_{n,m,q,\chi }$ is $(t_{\mathsf {LWE}},\varepsilon {}_{\mathsf {LWE}})$-hard, there exists a $(t^{*},Q_{\mathsf {id}},\varepsilon ^{*})$-adaptively secure $\mathsf {IBE} $, where $\varepsilon {}^{*}\le \kappa \omega (\log \kappa )\varepsilon {}_{\mathsf {LWE}}+\mathsf {negl} (\kappa )$ and $t^{*}=t_{\mathsf {LWE}} -\mathsf {poly}(n,m,Q_{\mathsf {id}},\log q)$, for any polynomial $Q_{\mathsf {id}}$.

5 ABM-LTF with Tight Security Under $\mathsf {poly}$ Modulus

In this section, we present a new construction of almost tight $\mathsf{ABM}\text {-}\mathsf{LTF}$ based on LWE with a polynomial modulus. This improves the work of Libert et al. [41], which requires a super-polynomial modulus. The crux of our improvement relies on our new insight as we described in Sect. 4.

Let $n, m, \ell , e, \kappa $ be integers, $q=p^e$ be a modulus such that $m\ge 2n\log q$ and $\ell <n$, where p is a large prime and $p>\kappa $. Let $\chi $ be a noise distribution, and let $\sigma _x,\sigma _e,\gamma _x,\gamma _e>0$ be parameters. The function evaluation sampling domain is $\mathsf{D}_{\kappa }^E=\mathsf{D}_x^E\times \mathsf{D}_{e}^E$, where $\mathsf {D}_{ x}^E$ (resp. $\mathsf{D}_e^E$) is the set of $\varvec{x}$ (resp. $\varvec{e}$) in $\mathbb {Z}^n$ (resp. $\mathbb {Z}^{2m}$) with $\Vert \varvec{x}\Vert \le \gamma _x\sqrt{n}\sigma _x$ (resp. $\Vert \varvec{e}\Vert \le \gamma _e\sqrt{2m}\sigma _e$). Its inversion domain is $\mathsf{D}_{\kappa }^D=\mathsf{D}_x^D\times \mathsf{D}_{e}^D$, where $\mathsf {D}_x^D$ (resp. $\mathsf{D}_e^D$) is the set of $\varvec{x}$ (resp. $\varvec{e}$) in $\mathbb {Z}^n$ (resp. $\mathbb {Z}^{2n}$) with $\Vert \varvec{x}\Vert \le \sqrt{n}\sigma _x$ (resp. $\Vert \varvec{e}\Vert \le \sqrt{2m}\sigma _e$), and its range is $\mathsf{{R}}=\mathbb {Z}_q^{2m}$. In this case, the function inputs are sampled from the distribution $D_{\mathsf{D}_{\kappa }^E}=D_{\mathbb {Z}^n,\sigma _x}^{\mathsf{D}_x^E}\times D_{\mathbb {Z}^{2m},\sigma _e}^{\mathsf{D}_e^E}$. We remark that $D_{\mathbb {Z}^n,\sigma _x}^{\mathsf{D}_x^E}$ (resp. $D_{\mathbb {Z}^{2m},\sigma _e}^{\mathsf{D}_e^E}$) is obtained by restricting the distribution $D_{\mathbb {Z}^n,\sigma _x}$ (resp. $D_{\mathbb {Z}^{2m},\sigma _e}$) to the support of ${\mathsf{D}_x^E}$ (resp. ${\mathsf{D}_e^E}$).

Furthermore, let $\mathsf {HE} =(\mathsf {HE}.\mathsf {KeyGen},\mathsf {HE}.\mathsf {Enc},\mathsf {HE}.\mathsf {Dec},\mathsf {HE}.\mathsf {Eval})$ be a leveled fully homomorphic encryption scheme that can homomorphically evaluate $\mathsf {PRF}$ presented in Sect. 4 with polynomial modulus. Let $(\mathsf {Eval} ^{\mathsf {Pub}},\mathsf {Eval} ^{\mathsf {Trap}})$ be a pair of deterministic algorithms that are $\delta $-compatible for $\mathsf {HE}.\mathsf {Dec} $. Specifically, this $\delta $ might be $4^dm^{3/2}$ or $\tilde{O}(n^{2+\epsilon })$ according to different homomorphic evaluation algorithms according to Theorem 2.14. Furthermore, we use $k_3\in \mathbb {N}$ to denote the output length of $\mathsf {HE}.\mathsf {Eval} $.

Construction. Below we present our construction of $\mathsf{ABM}\text {-}\mathsf{LTF}$. Our scheme modifies that of Libert et al. [41] in an essential way. To highlight our new insights, we describe our modifications in the boxes.

Key generation. $\mathsf {ABM.Gen}(1^{\kappa })$ does the following steps:
1. 1.
  Compute and output $\bar{\mathbf {A}}=\mathbf {C}\cdot \mathbf {B}+\mathbf {F}\in \mathbb {Z}_q^{n\times m}$ with $\mathbf {B}\xleftarrow {\$}U(\mathbb {Z}_q^{\ell \times m})$, $\mathbf {C}\xleftarrow {\$}U(\mathbb {Z}_q^{n\times \ell })$ and $\mathbf {F}\leftarrow \chi ^{n\times m}$.
2. 2.
  Select a secure pseudorandom function $\mathsf {PRF}:\{0,1\}^k\times \{0,1\}^{v}\rightarrow \{0,1\}^{\kappa }$ with input length $v\in \mathbb {N}$ and key length $k\in \mathbb {N}$. Choose $K\xleftarrow {\$}\{0,1\}^{k}$ as an independent key for $\mathsf {PRF}$. We denote by $s_i\in \{0,1\}$ the i-th bit of K.
3. 3.
  Run $\mathsf {HE}.\mathsf {KeyGen} $ algorithm of a $\mathsf {HE} $ scheme . Express the decryption algorithm $\mathsf {HE}.\mathsf {Dec} $ as a $\mathsf {NAND} $ Boolean circuit , and express its decryption key $\mathsf{hdk}$ as where $hdk_{i}\in \{0,1\}$ and $g\in \mathbb {N}$.
4. 4.
  Select g low-norm matrices $\{{R_{\mathbf {D}}}_i\}_{i\in [g]}\xleftarrow {\$}\{-1,1\}^{m\times m}$.
5. 5.
  Set for $b=0,1$.
6. 6.
  Set for $i\in [k]$.
7. 7.
  Set for $i\in [g]$.
8. 8.
  Output the evaluation key $\mathsf {ek}$, the inversion key $\mathsf {ik}$ and the lossy generation key $\mathsf{tk}$, which consist of
  $$\mathsf{{ek}}=\left( \mathsf {PRF}, C_\mathsf{{PRF}}, C_{\mathsf {Dec}}, \bar{\mathbf {A}}, \{\varvec{d}_i\}_{i\in [k]}, \{\mathbf {D}_{i}\}_{i\in [g]},\varvec{c}_0, \varvec{c}_1, \mathsf {hevk} \right) ,$$
  
  $$\mathsf{{ik}}=\left( \{\mathbf {R}_{\mathbf {D}_i}\}_{i\in [g]},\mathsf{hdk}, K \right) , \ \ \ \ \ \ \ \ \mathsf{{tk}}:=K.$$
Evaluation. $\mathsf {ABM.Eval}(ek,\mathsf {t},X)$ takes as inputs $\mathsf{X}:=(\varvec{x},\varvec{e})\in {\mathsf{{D}}_{\kappa }^E}$ and the tag $\mathsf{{t}}=(\mathsf{t}_\mathsf{{c}},\mathsf{t}_\mathsf{{a}})\in \{0,1\}^{\kappa }\times \{0,1\}^{v}$, and proceeds as follows.
1. 1.
  For each integer $j\in [\kappa ]$, let $C_{\mathsf {PRF},j}:\{0,1\}^k\times \{0,1\}^{v}\rightarrow \{0,1\}$ be the Boolean circuit, which evaluate the j-th bit of $\mathsf {PRF}$ $(K,\mathsf{t}_\mathsf{{a}})\in \{0,1\}^{\kappa }$. Run the homomorphic evaluation algorithm of $\mathsf {HE}$ to obtain
  where $\mathsf{t}_{\mathsf{a}}[i]$ denotes the i-th bit of $\mathsf{t}_\mathsf{a}$ for $i\in [\ell ]$. Furthermore, run the public evaluation algorithm to obtain
  where $\{(\mathsf {ct} _{j})_{i}\}_{i\in \mathbb {N}}$ denotes the bit representation of ciphertext $\mathsf {ct} _{j}$.
2. 2.
  Define the matrix
  $$\mathbf {A}_\mathsf{t}=\left( \begin{array}{l} \bar{\mathbf {A}}, \sum _{j\in [\kappa ]}\left( (-1)^{\mathsf{t_c}[j]}\mathbf {B}_{\mathsf {PRF},j}+\mathsf{t_c}[j]\mathbf {G}\right) \\ \end{array} \right) \in \mathbb {Z}_q^{n\times 2m}, $$
  and compute the output $\varvec{y}^t=\varvec{x}^t\cdot \mathbf {A}_\mathsf{t}+\varvec{e}^t\in \mathbb {Z}_q^{2m}$. Notice that after summation for all $j\in [\kappa ]$, the coefficient of matrix $\mathbf {G}$ in the right half part of $\mathbf {A}_\mathsf{t}$ is just the hamming distance between $\mathsf{t}_\mathsf{c}$ and $\mathsf {PRF} (K,\mathsf{t_a})$.
Inversion. ${\mathsf{ABM.Invert}}(\mathsf{ik},\mathsf{t},\mathsf{Y})$ takes as inputs the inversion key $\mathsf{ik}=\Big ( \{\mathbf {R}_{\mathbf {D}_i}\}_{i\in [g]}, K\Big )$, the tag $\mathsf{{t}=(t_\mathsf{{c}},t_\mathsf{{a}})}\in \{0,1\}^{\kappa }\times \{0,1\}^{\ell }$ and $\mathsf{Y}:=\varvec{y}\in \mathsf{R}$, and proceeds:
1. 1.
  Return $\bot $ if $\mathsf{{t_c}}=\mathsf {PRF} (K,\mathsf {t_a})$.
2. 2.
  Otherwise, for each $j\in [\kappa ]$, run the following two algorithms:
  and compute the matrix $\mathbf {R}_\mathsf{t}=\sum _{j\in [\kappa ]}(-1)^{\mathsf{t_c}[j]}\mathbf {R}_{\mathsf {PRF},j}\in \mathbb {Z}^{m\times m}$, where for each $i\in [k_3]$, $[0]_i$ denotes 0 matrix with dimension $m\times m$.
3. 3.
  Let $h_\mathsf{t}$ denote the hamming distance between $\mathsf{t}_\mathsf{c}$ and $\mathsf {PRF}$ $(K,\mathsf{t}_\mathsf{a})$. Then Compute and set $\mathbf {A}_\mathsf{t}=\left( \begin{array}{l} \bar{\mathbf {A}}, \bar{\mathbf {A}}\mathbf {R}_\mathsf{t}+h_\mathsf{t}\mathbf {G}\\ \end{array} \right) \in \mathbb {Z}_q^{n\times 2m},$ Use the $\mathbf {G}$-trapdoor $\mathbf {R}_\mathsf{t}$ of $\mathbf {A}$ with tag $h_\mathsf{t}$ to solve the unique $(\varvec{x},\varvec{e})\in \mathsf{{D}}_{\kappa }^D$ such that $\varvec{y}^t=\varvec{x}^t\cdot \mathbf {A}+\varvec{e}^t$. This can be done by applying the $\mathsf {LWE}$ inversion algorithm (which can be found in full version of this paper).
Lossy tag generation. $\mathsf{{ABM.LTag}}(\mathsf{tk})$ takes as input an auxiliary tag component $\mathsf{t_a}\in \{0,1\}^{\ell }$ and uses $\mathsf{tk}=K$ to compute and output $\mathsf{t_c}=\mathsf {PRF}(K,\mathsf{t_a})\in \{0,1\}^{\kappa }$.

Below we state a theorem that summarizes what we can achieve. Due to space limit, we present the syntax of $\mathsf {ABM}$-$\mathsf {LTF}$ and the security analysis in full version of this paper.

Theorem 5.1

Let $\kappa $ be the security parameter, $\chi =D_{\mathbb {Z},\beta /(2\sqrt{\kappa })}$ for some $\beta >4\kappa $. Let $n, m, \ell , e$ be functions of $\kappa $, $q=p^e$ be a modulus such that $m\ge 2n\log q$, $n=\varOmega (\ell \log q)$ and $\kappa<\ell <n$, where p is a large prime and $p>\kappa $. Let $\gamma _x\ge 3\sqrt{m/n}$, $\gamma _e\ge 3$, $\sigma _x>\varOmega (n)$, $\varOmega (m\sqrt{n}\kappa \delta \beta \sigma _x)\le \sigma _e\le q/(10\sqrt{2}\kappa \delta m)$. Then, our new construction is an l-lossy $\mathsf{ABM}\text {-}\mathsf{LTF}$ with $l=\varOmega (n\log n)$ based on $\mathsf {LWE}$ $_{\ell ,2m,q,\chi }$.

Notes

1.
We use the notation of $(t,\varepsilon {})$ to denote an algorithm that breaks a crypto system or solves a hard problem within running time t and with advantage $\varepsilon {}$.
2.
Q is the number of queries in the $\mathsf {PRF}$; $\mathsf {LWR}'$ is a variant of the $\mathsf {LWR}$ problem originally defined in the work [8]; $Q\text {-}\mathsf {LWR}'$ is a multi-secret variant of $\mathsf {LWR}'$ that includes inner products of Q secrets per sample.
3.
The original $\mathsf {LWR}$ problem [8] samples the secret uniformly at random from $\mathbb {Z}_{q}^{n}$.
4.
More precisely, we can prove that $\varvec{s}_{1},\cdots , \varvec{s}_{Q}$ have high min-entropy and form a block-source, conditioned on $\lfloor \varvec{s}_{1}^t \cdot \mathbf {\tilde{A}}\rceil _{q\rightarrow p}, \cdots , \lfloor \varvec{s}_{Q}^t\cdot \mathbf {\tilde{A}}\rceil _{q\rightarrow p}$.
5.
Actually a homomorphic encryption that supports evaluation of the $\mathsf {PRF}$ in (2) suffices.
6.
In prior work [4], the $\mathsf {wLWR}$ problem is originally defined with respect to the secret $\varvec{s}$ having sufficient min-entropy, and it is proved hard just for restricted moduli q.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Chapter MATH Google Scholar
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996
Google Scholar
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay and Gennaro [27], pp. 297–314
Google Scholar
Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited - new reduction, properties and applications. In: Canetti and Garay [23], pp. 57–74
Google Scholar
Attrapadung, N., Hanaoka, G., Yamada, S.: A framework for identity-based encryption with almost tight security. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 521–549. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_22
Chapter Google Scholar
Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_1
Chapter MATH Google Scholar
Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay and Gennaro [27], pp. 353–370
Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval and Johansson [48], pp. 719–737
Google Scholar
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
Chapter Google Scholar
Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay and Gennaro [27], pp. 408–425
Google Scholar
Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A, Part I. LNCS, vol. 9562, pp. 209–224. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_9
Chapter MATH Google Scholar
Bogdanov, A., Rosen, A.: Pseudorandom functions: three decades later. Cryptology ePrint Archive, Report 2017/652 (2017). https://eprint.iacr.org/2017/652
Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Chapter Google Scholar
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Boneh, D., Lewi, K., Montgomery, H.W., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti and Garay [23], pp. 410–428
Google Scholar
Boyen, X., Li, Q.: Towards tightly secure lattice short signature and id-based encryption. In: Cheon and Takagi [25], pp. 404–434
Google Scholar
Boyen, X., Li, Q.: All-but-many lossy trapdoor functions from lattices and applications. In: Katz and Shacham [38], pp. 298–331
Google Scholar
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini and Canetti [50], pp. 868–886
Google Scholar
Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability - (or: quadratic residuosity strikes back). In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_1
Chapter Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press, June 2013
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press (2011)
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Naor, M. (ed.) ITCS 2014, pp. 1–12. ACM, January 2014
Google Scholar
Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part I. LNCS, vol. 8042. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4
Book MATH Google Scholar
Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_25
Chapter Google Scholar
Cheon, J.H., Takagi, T. (eds.): ASIACRYPT 2016, Part II. LNCS, vol. 10032. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6
Book MATH Google Scholar
Döttling, N., Schröder, D.: Efficient pseudorandom functions via on-the-fly adaptation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 329–350. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_16
Chapter Google Scholar
Garay, J.A., Gennaro, R. (eds.): CRYPTO 2014, Part I. LNCS, vol. 8616. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2
Book MATH Google Scholar
Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-Secure Encryption Without Pairings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_1
Chapter Google Scholar
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher [44], pp. 169–178
Google Scholar
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti and Garay [23], pp. 75–92
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th FOCS, pp. 464–479. IEEE Computer Society Press, October 1984
Google Scholar
Gong, J., Chen, J., Dong, X., Cao, Z., Tang, S.: Extended nested dual system groups, revisited. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part I. LNCS, vol. 9614, pp. 133–163. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_6
Chapter Google Scholar
Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini and Canetti [50], pp. 590–607
Google Scholar
Jager, T., Kurek, R., Pan, J.: Simple and more efficient PRFs with tight security from LWE and matrix-DDH. Cryptology ePrint Archive, Report 2018/826, to be appear in Asiacrypt 2018. https://eprint.iacr.org/2018/826
Joye, M., Libert, B.: Efficient cryptosystems from $2^k$-th power residue symbols. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 76–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_5
Chapter Google Scholar
Katsumata, S., Yamada, S.: Partitioning via non-linear polynomial functions: more compact IBEs from ideal lattices and bilinear maps. In: Cheon and Takagi [25], pp. 682–712
Google Scholar
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)
Book Google Scholar
Katz, J., Shacham, H. (eds.): CRYPTO 2017, Part III. LNCS, vol. 10403. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9
Book MATH Google Scholar
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 155–164. ACM Press, New York (2003)
Google Scholar
Lewko, A.B., Waters, B.: Efficient pseudorandom functions from the decisional linear assumption and weaker variants. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM CCS 2009, pp. 112–120. ACM Press, New York (2009)
Google Scholar
Libert, B., Sakzad, A., Stehlé, D., Steinfeld, R.: All-but-many lossy trapdoor functions and selective opening chosen-ciphertext security from LWE. In: Katz and Shacham [38], pp. 332–364
Google Scholar
Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_26
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval and Johansson [48], pp. 700–718
Google Scholar
Mitzenmacher, M. (ed.): 41st ACM STOC. ACM Press, May/June 2009
Google Scholar
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, pp. 458–467. IEEE Computer Society Press, October 1997
Google Scholar
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Chapter Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In Mitzenmacher [44], pp. 333–342
Google Scholar
Pointcheval, D., Johansson, T. (eds.): EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4
Book MATH Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005
Google Scholar
Safavi-Naini, R., Canetti, R. (eds.): CRYPTO 2012. LNCS, vol. 7417. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5
Book MATH Google Scholar
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
Chapter Google Scholar
Vadhan, S.P.: Pseudorandomness. Found. Trends Theor. Comput. Sci. 7(1–3), 1–336 (2012)
Article MathSciNet Google Scholar
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Chapter Google Scholar
Yamada, S.: Asymptotically compact adaptively secure lattice IBEs and verifiable random functions via generalized partitioning techniques. In: Katz and Shacham [38], pp. 161–193
Google Scholar

Download references

Acknowledgements

We would like to thank Bo Yang and Mingsheng Wang for their helpful discussions. We also thank the anonymous reviewers of PKC 2020 for their insightful advices. Qiqi Lai is supported by the National Key R&D Program of China (2017YFB0802000), the National Natural Science Foundation of China (61802241, 61772326, 61802242, 61802075), the Natural Science Basic Research Plan in Shaanxi Province of China (2019JQ-360) and the National Cryptography Development Foundation during the 13th Five-year Plan Period (MMJJ20180217). Feng-Hao Liu is supported by the NSF Award CNS-1657040. Zhedong Wang is supported by the NSF Award CNS-1657040 and the National Key R&D Program of China-2017YFB0802202. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsors.

Author information

Authors and Affiliations

School of Computer Science, Shaanxi Normal University, Xi’an, Shaanxi, China
Qiqi Lai
Florida Atlantic University, Boca Raton, FL, USA
Feng-Hao Liu & Zhedong Wang

Authors

Qiqi Lai
View author publications
You can also search for this author in PubMed Google Scholar
Feng-Hao Liu
View author publications
You can also search for this author in PubMed Google Scholar
Zhedong Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Qiqi Lai , Feng-Hao Liu or Zhedong Wang .

Editor information

Editors and Affiliations

University of Edinburgh, Edinburgh, UK
Aggelos Kiayias
University of Edinburgh, Edinburgh, UK
Markulf Kohlweiss
University of Edinburgh, Edinburgh, UK
Petros Wallden
University of Edinburgh, Edinburgh, UK
Vassilis Zikas

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Lai, Q., Liu, FH., Wang, Z. (2020). Almost Tight Security in Lattices with Polynomial Moduli – PRF, IBE, All-but-many LTF, and More. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. PKC 2020. Lecture Notes in Computer Science(), vol 12110. Springer, Cham. https://doi.org/10.1007/978-3-030-45374-9_22

Download citation

DOI: https://doi.org/10.1007/978-3-030-45374-9_22
Published: 29 April 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45373-2
Online ISBN: 978-3-030-45374-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Almost Tight Security in Lattices with Polynomial Moduli – PRF, IBE, All-but-many LTF, and More

Abstract

Similar content being viewed by others

Improved Constructions of PRFs Secure Against Related-Key Attacks

All-But-Many Lossy Trapdoor Functions from Lattices and Applications

Lattice-Based Programmable Hash Functions and Applications

1 Introduction

1.1 Our Results

1.2 Our Techniques

Theorem 1.1

Theorem 1.2

Theorem 1.3

2 Preliminaries

Definition 2.1

2.1 Learning with Error

Definition 2.2

2.2 Learning with Rounding

Definition 2.3

Definition 2.4

2.3 Pseudorandom Function and Identity-Based Encryption

Definition 2.5

Definition 2.6

Definition 2.7

2.4 Lattice Backgrounds

Theorem 2.8

Theorem 2.9

Lemma 2.10

Lemma 2.11

Definition 2.12

Lemma 2.13

Theorem 2.14

3 Almost Tight Lattice-Based PRF Under Poly Moduli

3.1 \(\mathsf {LWR}\) with a General Modulus q

Theorem 3.1

Definition 3.2

Theorem 3.3

Corollary 3.4

Corollary 3.5

3.2 Lattice-Based PRF with \(\mathsf {poly}\) Modulus

Theorem 3.6

Corollary 3.7

4 New Framework of Lattice-Based IBE with Tight Security Under \(\mathsf {poly}\) Modulus

4.1 \(\mathsf {IBE}\) Construction

4.2 Security

Theorem 4.1

Proof

Lemma 4.2

Proof

Lemma 4.3

Proof

Lemma 4.4

Proof

Lemma 4.5

Proof

Lemma 4.6

Proof

Lemma 4.7

Proof

Lemma 4.8

Proof

Lemma 4.9

Proof

Lemma 4.10

Proof

4.3 Instantiations of LWE-based PRF and HE

Corollary 4.11

5 ABM-LTF with Tight Security Under \(\mathsf {poly}\) Modulus

Theorem 5.1

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper