An Efficient Lattice-based Distributed IBE

This paper improves the lattice-based secret sharing method presented by Bansarkhani and Meziani and combines it with the IBE based on the standard LWE problem to construct an efficient lattice-based distributed-decryption IBE. Our construction avoids the weaknesses of traditional methods such as Lagrange interpolation, Blakley's space geometry method or the Chinese remainder theorem method. Theoretical analysis shows that, compared with bilinear-pairing-based distributed IBE, our scheme avoids the costly pairing operation and has a lower computation cost. The proof of security holds in the standard model.


Introduction
In 1984, Shamir proposed the concept of Identity-Based Cryptography (IBC) [1]. The characteristic of IBC is that a user's public key can be computed by a public algorithm from public information such as the user's name, e-mail address or phone number. This property simplifies public key distribution, and in this respect IBC has an advantage over traditional public key cryptosystems. However, since the user's private key must be created by a trusted third party, the PKG, IBC suffers from the inherent key escrow problem, which restricts its adoption.
In 2003, Boneh and Franklin designed the first practical Identity-Based Encryption scheme (IBE) [2] using bilinear maps on elliptic curves and proposed an approach to mitigate the key escrow problem. In this approach, the IBE system's master key is distributed to multiple PKGs using Shamir's (t, n) threshold secret sharing [3]. The BasicIdent scheme is briefly described below: Let G_1 be an additive cyclic group of order p, G_T be a multiplicative group of order p, and P be a generator of G_1, where the λ_i's are the Lagrange coefficients.
In this scheme, each distributed PKG can either generate the decryption share e(s_i Q_id, U) online or provide the partial private key s_i Q_id to the user. Of course, the complete private key can be obtained when more than t PKGs collude. Thus the honesty required of these entities in the application is comparable to that of the PKG, which is the essential reason these entities are PKGs. Since the distributed PKGs are required to take part in decryption online all the time, this violates the basic requirement of IBE proposed by Shamir [1], namely that the PKG can go offline after generating the private keys for the users in its domain.
To solve this problem, at PKC 2004 Baek and Zheng Yuliang [4] gave a better approach: the private key associated with an identity, rather than the master key, is shared among n entities appointed by the user. These n entities are thereby downgraded to pure decryption servers without the function of a PKG. Because these servers have the user's trust and their online/offline state is controlled by the user, the problem of distributed PKGs having to be online throughout the decryption period is solved.
However, since the distributed-decryption IBE in [4] is based on bilinear pairing and Shamir threshold secret sharing, the complex pairing computation affects the overall efficiency of the protocol. In addition, from the point of view of security, their scheme can hardly resist quantum attacks.
In recent years, constructing IBE from hard lattice problems has attracted much attention. In 2008, Gentry, Peikert and Vaikuntanathan [5] constructed the first IBE based on the LWE problem over lattices, in the random oracle model. Subsequently, Cash, Hofheinz and Kiltz [6] and Agrawal, Boneh and Boyen [7] proposed lattice-based IBE in the standard model. Since operations on lattices are mostly linear and fast to compute, we combine the idea of distributed decryption presented by Baek and Zheng Yuliang [3] with the efficient lattice IBE of [7] to construct an efficient lattice-based distributed IBE.
If our construction followed the Lagrange polynomial interpolation used in Baek and Zheng Yuliang's scheme to distribute a secret n-dimensional vector, the communication cost would increase, because the position of each vector component has to be recorded in order to recover the n-dimensional vector. Therefore, our construction uses the secret sharing approach of R. Bansarkhani and M. Meziani [8] to distribute the user's private key, which is an n-dimensional vector in the lattice-based IBE. However, we argue that the secret sharing construction of R. Bansarkhani and M. Meziani has a scalability problem. We propose to use a variable number of columns of a matrix to distribute the n-dimensional vector, so that the number of decryption servers can be chosen within a certain range.
The advantages of our lattice-based distributed IBE are as follows:
- In the distribution and decryption share construction/reconstruction stage, the new secret sharing technique based on a variable matrix mitigates the scalability problem and avoids having to record the position of each vector component while recovering the whole n-dimensional vector, a weakness of traditional methods such as Lagrange polynomial interpolation [2], Blakley's geometry-of-space scheme [9] or the Chinese remainder theorem method [10].
- The secret shares and the reconstructed private key can be verified with a lattice-based hash function.
- After receiving the ciphertext, the user sends a decryption request to each decryption server; the decryption servers then compute decryption shares from the ciphertext and the secret shares they hold, and deliver the corresponding decryption shares to the user through a secure channel. The whole encryption and decryption process, including secret share distribution, generation of decryption shares and recovery of the plaintext, uses only simple matrix operations. Theoretical analysis shows that, compared with the distributed bilinear-pairing-based IBE, our construction not only resists quantum attacks but also reduces the computation cost.

Notation
The set of real numbers is denoted ℝ and the set of integers ℤ. A vector is written as x, and the i-th component of x is written x^(i).
Let S be a set of vectors. The statistical distance between two distributions X and Y over a finite set Ω is defined as: Two distributions are statistically close if (X; Y)

Integer Lattices
An integer lattice is a discrete subgroup of ℤ^m. Our article uses q-ary integer lattices to construct the lattice-based IBE. A q-ary integer lattice contains qℤ^m as a sublattice, where q is some integer. Let q be a prime, let A ∈ ℤ_q^{n×m} be arbitrary and u ∈ ℤ_q^n; define the full-rank q-ary lattice: The coset or shifted lattice is defined to be:
ITA 2016

Discrete Gaussians
For any For any lattice Gentry et al. [5] proposed a Gaussian sampling algorithm that, given a basis of an arbitrary lattice, samples lattice points from a discrete Gaussian distribution.

Learning with Errors
For an integer q, a positive integer n and a distribution χ on ℤ_q, the learning with errors problem LWE_{q,χ} asks to distinguish between the distribution A_{s,χ} (where s ∈ ℤ_q^n is a uniform secret) and the uniform distribution on ℤ_q^n × ℤ_q. The LWE instance [7] is a truly random sampler whose output consists of truly uniform random samples from Regev [11] proved that, for certain Gaussian noise, LWE is as hard as solving the worst-case SIVP and GapSVP with a quantum algorithm.

Trapdoor Generation Algorithm
In our construction, we use the TrapGen algorithm proposed by Alwen and Peikert [12] to generate a uniform matrix A together with a good trapdoor basis T of the q-ary lattice of A. There is a probabilistic polynomial-time algorithm TrapGen(q, n) that outputs (A, T)

SampleLeft and SampleRight Algorithm
Let A, be matrices. In our construction, we have to sample short vectors in the lattice determined by A and u as the user's private key, using the SampleLeft algorithm in the scheme and the SampleRight algorithm in the security game.

Lattice-based Hash function
Definition [13]. For security parameter λ, we choose a random matrix Let μ be polynomial in λ, denoted poly(λ). For inputs x ∈ {0,1,…,μ}^m, the LBH is collision-free and its security can be reduced to 14 GAPSVP π λβ.

Full-rank Differences Function
In our construction, we first use a collision-resistant hash to convert the identity into d, d, …, d)

The Main Construction

Description of Generic Distributed IBE
The standard IBE consists of four algorithms: Setup, Extract, Encrypt and Decrypt. Our construction introduces three new algorithms: Distribution, ConstructDec and VerS.
The PKG runs the algorithm Setup to generate the master key, public key and all the public parameters.
The PKG runs the Extract algorithm after receiving a private key extraction request from the user, to generate the private key associated with the user's identity.
In the application, the user can choose the number of decryption servers. Then the PKG, or another authorized party that obtained the private key from the PKG, runs the Distribution algorithm to distribute the private key among the k decryption servers (k in our distributed IBE). The k decryption servers share a common broadcast channel, and each secret share is kept secret by its decryption server. In the Distribution algorithm, an improved secret sharing method is applied to generate the shares of the private key and to verify their validity.
The i-th server Γ_i receives its secret share and runs the algorithm VerS to verify its validity. Any user who wants to send a message to another can run the algorithm Encrypt after obtaining the public parameters and the receiver's identity. The legal receiver obtains the ciphertext and sends a decryption request to the decryption servers. Each decryption server Γ_i then runs the ConstructDec algorithm to generate its decryption share and sends it to the user. The user runs the Decrypt algorithm, combining the received valid decryption shares, to recover the plaintext.

Our Distributed IBE
- Setup(n): On input a security parameter n, set the parameters q, m, σ, α (the parameter set is specified in the next section). First, this algorithm runs TrapGen(q, n) to generate a uniformly random matrix A_0 satisfying F_id · e = u (mod q).
- Distribution(SK_id, k, q, 2m): Given a private key SK_id and the number of decryption servers k, this algorithm first runs TrapGen with inputs n', q and 2m ≥ ⌈6n' log q⌉ to obtain a basis T ∈ ℤ^{2m×2m}. It then selects k linearly independent column vectors of T, forming a matrix Q := {q_1, …, q_k} ∈ ℤ^{2m×k} satisfying Rank(Q) = Rank([Q SK_id]). Next, it computes a vector v from SK_id = Q · v and selects k linearly independent vectors It then computes each decryption server's secret share . Subsequently, it confidentially sends the secret share d_i to decryption server Γ_i. It selects a random matrix M ∈ ℤ_{q'}^{k×2m} to fix a hash function h_M and computes h_M(SK_id). The distributor publishes the common parameters cp = (v, η, h_M, h_M(q_i), h_M(SK_id)) and keeps Q and secret.
- VerS: if the share passes the check, the server accepts the secret share d_i and returns an acknowledgement; otherwise it outputs "Invalid shares".

Correctness
, as follows: T is easily obtained, and we have ω as follows: Taking (x − e_id^T [y; z]) as the error term, decryption succeeds with high probability when the error term is less than q/5. By Lemma 22 in [8], the norm of the error term is bounded by qσmα · ω(√(log m)) + O(σ m^{3/2}).
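To make the matrix-based flow of the construction concrete (Distribution and VerS above, ConstructDec and the combination of decryption shares, and the error-term argument of the correctness section), the following is an added toy example in Python. It is not the paper's code. It assumes the share rule d_i = v_i · q_i with SK_id = Q · v, the VerS check h_M(d_i) = v_i · h_M(q_i) (mod q') using the linearity of the lattice-based hash h_M(x) = M x mod q', and toy parameters n = 8, 2m = 32, q = 4093, q' = 2053. The identity machinery and TrapGen/SampleLeft are omitted: the toy key generation picks a short e first and sets u = F e (mod q), and the toy dealer closes the column span of Q with q_k instead of taking columns of a trapdoor basis.

```python
import random

# Toy parameters (assumed for this example, not the paper's parameter set):
# n = 8, 2m = 32 (private key length), prime q = 4093, hash modulus q' = 2053,
# and a 6-row hash matrix M.
N, M2, Q, QH, KAPPA = 8, 32, 4093, 2053, 6
rng = random.Random(2016)  # fixed seed so the example is reproducible


def vec_dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def mat_vec(mat, x, mod):
    return [vec_dot(row, x) % mod for row in mat]


def rand_matrix(rows, cols, mod):
    return [[rng.randrange(mod) for _ in range(cols)] for _ in range(rows)]


def small_vec(length):
    # entries in {-1, 0, 1}: a stand-in for the discrete Gaussian noise
    return [rng.choice((-1, 0, 1)) for _ in range(length)]


def keygen():
    """Toy key: choose a short e first and set u = F e mod q, so F e = u (mod q)
    holds without TrapGen/SampleLeft (assumed simplification)."""
    F = rand_matrix(N, M2, Q)
    e = small_vec(M2)
    return F, mat_vec(F, e, Q), e


def encrypt(F, u, bit):
    """Dual-Regev style ciphertext: c0 = u.s + x + bit*floor(q/2), c1 = F^T s + noise."""
    s = [rng.randrange(Q) for _ in range(N)]
    x = rng.choice((-1, 0, 1))
    noise = small_vec(M2)
    c0 = (vec_dot(u, s) + x + bit * (Q // 2)) % Q
    c1 = [(sum(F[r][c] * s[r] for r in range(N)) + noise[c]) % Q for c in range(M2)]
    return c0, c1


def lbh(Mh, x):
    """Linear lattice-based hash h_M(x) = M x mod q'."""
    return mat_vec(Mh, x, QH)


def distribute(e, k):
    """Dealer (assumed share rule): e = Q v with Q = [q_1 .. q_k], share d_i = v_i q_i.
    The toy dealer fixes v_k = 1 and closes the sum with q_k, so e lies in the
    column span of Q; the paper instead takes columns of a TrapGen basis."""
    v = [rng.randrange(1, 6) for _ in range(k - 1)] + [1]
    cols = [[rng.randrange(-10, 11) for _ in range(M2)] for _ in range(k - 1)]
    cols.append([e[j] - sum(v[i] * cols[i][j] for i in range(k - 1)) for j in range(M2)])
    shares = [[v[i] * c for c in cols[i]] for i in range(k)]
    Mh = rand_matrix(KAPPA, M2, QH)
    cp = {"v": v, "M": Mh, "h_q": [lbh(Mh, c) for c in cols], "h_sk": lbh(Mh, e)}
    return shares, cp


def vers(i, d_i, cp):
    """Server i accepts d_i iff h_M(d_i) = v_i * h_M(q_i) mod q' (assumed check;
    it needs only the public cp and the linearity of h_M)."""
    expected = [(cp["v"][i] * h) % QH for h in cp["h_q"][i]]
    return lbh(cp["M"], d_i) == expected


def reconstruct(shares, cp):
    """Recover SK = sum_i d_i and confirm it against the published h_M(SK)."""
    sk = [sum(col) for col in zip(*shares)]
    return sk if lbh(cp["M"], sk) == cp["h_sk"] else None


def construct_dec(d_i, c1):
    """Decryption share d_i^T c1 mod q; summing over i gives e^T c1 since sum_i d_i = e."""
    return vec_dot(d_i, c1) % Q


def decrypt(c0, dec_shares):
    """w = c0 - sum_i d_i^T c1 = x - e^T noise + bit*floor(q/2) (mod q). Here the
    error term is at most 1 + 2m = 33 < q/5, so rounding w recovers the bit."""
    w = (c0 - sum(dec_shares)) % Q
    return 1 if abs(w - Q // 2) < Q // 4 else 0


def demo(k=3):
    """Full run with k servers: share, verify, reconstruct, encrypt and decrypt 0 and 1."""
    F, u, e = keygen()
    shares, cp = distribute(e, k)
    assert all(vers(i, shares[i], cp) for i in range(k))
    assert reconstruct(shares, cp) == e
    results = []
    for bit in (0, 1):
        c0, c1 = encrypt(F, u, bit)
        results.append(decrypt(c0, [construct_dec(d, c1) for d in shares]))
    return results


if __name__ == "__main__":
    print(demo())  # [0, 1]
```

Because every step is a matrix-vector product, the user never sees the servers' shares: each server returns only the scalar d_i^T c1, and the sum of those scalars equals e^T c1, which is exactly what the single-key Decrypt would compute. A tampered share fails the VerS check with overwhelming probability, and the reconstructed key is likewise checked against the published h_M(SK_id).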

Parameters
To make the system work correctly, the following conditions have to be satisfied:
1) m > 6 , so that the function TrapGen can operate.
2) , so that the error term is less than q/5.
Assuming n^δ > ⌈log q⌉ = O(log n), where n is the security parameter, we set the parameters (m, q, σ, α, μ, λ) as follows: We round λ and m up to the nearest larger integer and q up to the nearest larger prime.

Security Reduction
We define the security notion for our distributed IBE. INDr-sIDD-CPA denotes indistinguishability of ciphertexts under a selective-identity chosen-plaintext attack for the distributed IBE. INDr stands for indistinguishable from random, meaning that the challenge ciphertext is indistinguishable from a random element of the ciphertext space.
Definition. Let 𝒜 be an INDr-sIDD-CPA PPT adversary. Consider the following Game 0, in which the adversary 𝒜 interacts with the Challenger.
Initial: The adversary 𝒜 outputs a target identity id*. Setup: The Challenger runs algorithm Setup(n), where n is the security parameter, and sends the resulting public system parameters PP = (A_0, A_1, B, u) to 𝒜, keeping the master key MK secret.
Phase 1: 𝒜 corrupts k − 1 decryption servers. Phase 2: The Challenger runs the Extract algorithm to obtain the private key d_{id*} corresponding to the target identity id*. It then runs the Distribution algorithm on d_{id*} with input parameter k, obtains a set of secret shares {d_i | 1 ≤ i ≤ k}, and sends the k − 1 secret shares of the corrupted decryption servers, together with the corresponding h_M(d_i), to 𝒜. The secret share of the uncorrupted server is kept secret.
Phase 3: 𝒜 issues adaptive private key extraction queries q_1, …, q_m, where q_i denotes the i-th query, on id_i (id_i ≠ id*). The Challenger runs the Extract algorithm on id_i to obtain the corresponding private key e_i and sends e_i to 𝒜 in response to q_i. Challenge: After Phase 3, 𝒜 outputs a plaintext ℳ to be challenged. The Challenger chooses a random bit r ∈ {0,1} and a random ciphertext C ∈ ℤ_q × ℤ_q^{2m}. If r = 0, it gives the challenge ciphertext C* = Encrypt(PP, id*, ℳ) to 𝒜. If r = 1, it sends the random ciphertext C* = C to 𝒜.
Phase 4: 𝒜 issues arbitrary adaptive private key extraction queries q_{m+1}, …, q_n, where q_i denotes the i-th query, on id_i (id_i ≠ id*). The Challenger responds as in Phase 3.
Proof. Game 0 is the original INDr-sIDD-CPA game described above.
Game 1. In Game 1, we slightly change the way A_1, one of the public parameters in PP, is generated. At the Setup phase the Challenger selects a random matrix R* ∈ {−1,1}^{m×m}, where id* is the target identity that 𝒜 wants to attack, and constructs A_1 = A_0 R* − H(id*)B. The Challenger uses the SampleRight algorithm to generate e_id in response to a private key extraction query. The rest of the game is the same as Game 0.
Game 2. We change the way A_0 and B in PP are generated. The Challenger chooses a random matrix in ℤ_q^{n×m} as A_0 and runs TrapGen(q, n) to generate a uniformly random matrix B ∈ ℤ_q^{n×m} together with a trapdoor T_B. A_1 is constructed as in Game 1.
The Challenger runs SampleRight(A_0, (H(id) − H(id*))B, R*, T_B, u, σ) to sample a vector e ∈ ℤ_q^{2m} and sends SK_id = e to 𝒜 in response to the private key query.
Thus Game 2 and Game 1 are statistically indistinguishable. Game 3. In Game 3, the challenge ciphertext C* = (c_0*, c_1*) is chosen as random independent elements of ℤ_q × ℤ_q^{2m}. The rest of Game 3 is the same as Game 2. The advantage of 𝒜 in this game is zero.
We refer to the reduction from the LWE problem in [7] to show that Game 2 and Game 3 are indistinguishable for 𝒜.
The reduction from the LWE problem is as follows. Assume that 𝒜's advantage in distinguishing Game 2 from Game 3 is non-negligible; we construct an LWE algorithm ℬ using 𝒜. ℬ receives LWE samples (u_i, v_i) ∈ ℤ_q^n × ℤ_q, i = 0, …, m, from an oracle 𝒪 as described in Section 2.4.
Initial: The adversary 𝒜 outputs a target identity id* to ℬ.
Challenge: 𝒜 outputs a plaintext b* ∈ {0,1}; ℬ then sends a challenge ciphertext C* = (c_0*, c_1*) for the target id* to 𝒜. We set v When the LWE oracle is 𝒪 = 𝒪_s (a pseudorandom sampler), C* is distributed exactly as the challenge ciphertext in Game 2. When 𝒪 = 𝒪_$, the challenge ciphertext is distributed as in Game 3.
Guess: After issuing arbitrary adaptive private key extraction queries q_{m+1}, …, q_n, 𝒜 guesses whether it is interacting with a Game 2 or a Game 3 Challenger; ℬ outputs 𝒜's guess as its answer to the LWE challenge.
The advantage of ℬ in solving the LWE problem equals the advantage of 𝒜 in distinguishing Game 2 from Game 3.

Efficiency Analysis
We compare the calculation cost of our lattice-based distributed IBE with that of Baek and Zheng Yuliang's pairing-based distributed IBE. Here k denotes the number of decryption servers and t the threshold.
Table II explains the notation used in Table I. For example, it shows that in the private key distribution phase Baek's scheme costs kM_1 (k point multiplications in G_1), whereas our scheme costs (k+1) matrix multiplications. The advantages of our scheme appear in the secret share generation and secret share verification phases. The pairing operation is much more complicated than simple matrix multiplication and addition; since our distributed IBE avoids the pairing operation, it reduces the calculation cost and improves efficiency.

Conclusion
In this paper, we improve the lattice-based secret sharing method and propose a lattice-based distributed IBE that is provably secure against selective-identity chosen-plaintext attacks. Theoretical analysis shows that, compared with Baek and Zheng Yuliang's scheme, our scheme reduces the calculation cost.

Extract(id, MK, PP): Given an identity id ∈ ℤ_q^n, a master key MK and public parameters PP, this algorithm uses ∈ ℤ as the private key SK_id. H is a full-rank differences map. Let

Table I: Comparison of our scheme and the BZ scheme