1 Introduction

Lattice-based cryptographic constructions hold great promise for cryptography, as they enjoy very strong security proofs, efficient implementations and great simplicity. Furthermore, lattice-based cryptography is believed to be secure against quantum computers. Ajtai and Dwork [1] constructed a public-key cryptosystem whose security is based on the worst-case hardness of a lattice problem; it was the first cryptosystem admitting a proof of security under worst-case hardness assumptions on lattice problems, but it is quite inefficient. The first version of this cryptosystem together with a security proof stemmed from the work of Regev [2], who proposed a very natural intermediate problem called learning with errors (LWE) and proved, via a quantum reduction, that it is at least as hard as worst-case lattice problems. Subsequently, Peikert [3] gave a classical reduction from variants of the shortest vector problem to corresponding versions of the LWE problem and constructed a chosen-ciphertext attack (CCA) secure public-key encryption scheme with a much simpler description based on the LWE problem; however, its public key size, private key size and expansion are large, so its encryption efficiency is not high.

Since the LWE problem was put forward, it has proved to be a versatile basis for encryption schemes, serving as the foundation of secure lattice-based encryption in various settings. Besides its first application in a public-key cryptosystem [2], it has also been applied to identity-based encryption [4, 5], hardness of learning results relating to half spaces [6], and others [7–9]; however, the efficiency of the above schemes is not high enough. In order to resolve this intrinsic inefficiency, Lyubashevsky et al. [10] proposed the LWE problem over rings (R-LWE) and proved that the R-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms.

The R-LWE problem has a relatively simple algebraic structure, which can be used to construct many kinds of cryptographic schemes, such as digital signatures [11] and encryption [12–14]. Reference [11] proposes an efficient signature scheme from the R-LWE problem which avoids sampling from discrete Gaussians and has an even simpler description. Based on the R-LWE problem, [12] and [13] present a fully homomorphic encryption scheme and a CPA-secure encryption scheme respectively, and [14] proposes a CCA-secure public key encryption scheme from the same hardness assumption. Compared to the corresponding schemes based on the LWE problem, the above schemes show an obvious improvement in efficiency. Here we mainly focus on CCA-secure encryption from R-LWE.

Security against adaptive chosen-ciphertext attacks (CCA) [15] is a strong and useful notion of security for public-key encryption schemes used in practice: the adversary may query a decryption oracle, under the sole limitation that it may not request the decryption of the challenge ciphertext itself. This security level is appropriate for encryption schemes used in the presence of active attackers who may modify messages in transit. However, only a few approaches are known for constructing CCA-secure encryption schemes. Naor [16] first achieved non-adaptive chosen-ciphertext security, which was later extended to adaptive chosen-ciphertext security by Dolev [15], using as building blocks any CPA-secure encryption scheme along with any non-interactive zero-knowledge proof system for all of \(NP\) [17]. Instead of following the approach of these earlier schemes, Boneh [18] put forward a new approach for constructing CCA-secure encryption schemes, which is the approach adopted in this paper. Later, Peikert [3] constructed the first very natural LWE-based CCA-secure cryptosystem, which not only provides an alternative to the traditional constructions but also has the advantages of a much simpler description and analysis and tighter underlying approximation factors; however, as the scheme is based on the LWE problem, its efficiency is low and its public and private keys are large. Yang et al. [14] proposed a CCA-secure public key encryption scheme from R-LWE that supports public ciphertext integrity verification and block encryption and improves the method of generating trapdoors on ideal lattices; its efficiency is greatly improved, but its public key size, private key size and expansion are still large, so its encryption efficiency is not high enough for practical applications.

In order to construct more efficient CCA-secure public-key encryption schemes from R-LWE, we first present an efficient signature scheme and an identity-based encryption (IBE) scheme from R-LWE. Analysis indicates that the efficiency of our signature scheme is higher than that of the RSA signature scheme, and that the IBE scheme is CPA-secure. Then, on the basis of the signature scheme and the proposed IBE scheme, and adopting the paradigm of Boneh et al., we construct a more efficient CCA-secure public-key encryption scheme from R-LWE, which is much better than [3, 14] in efficiency and has the following new features:

  1. can achieve batch encryption over rings;

  2. has a low encryption expansion factor \(2\log q\), which remains constant as the security parameter \(n\) and the message size \(m\) increase;

  3. supports public ciphertext integrity verification;

  4. builds its security on the worst-case hardness of the shortest vector problem on ideal lattices, and has a higher encryption/decryption speed.

The remainder of the paper is organized as follows. In Sect. 2, the preliminaries are introduced. In Sect. 3, an efficient signature scheme from the R-LWE problem is given along with analyses of its efficiency and security. Sect. 4 first introduces the definition of IBE and then puts forward an identity-based encryption scheme along with its security analysis. In Sect. 5, a CCA-secure public key cryptosystem is constructed based on the IBE and signature schemes proposed above, and the efficiency and security of the scheme are analysed in detail. Finally, Sect. 6 concludes the paper and outlines future work.

2 Preliminaries

2.1 Learning with Errors Over Rings (R-LWE)

Let \(f(x) = x^{n} + 1 \in Z[x]\), where the security parameter \(n\) is a power of 2, making \(f(x)\) irreducible over the rationals, and let \(R = Z[x]/\langle f(x) \rangle\) be the ring of integer polynomials modulo \(f(x)\). Let \(q \equiv 1 \pmod{2n}\) be a sufficiently large public prime modulus (bounded by a polynomial in \(n\)), and let \(R_{q} = R/\langle q \rangle = Z_{q}[x]/\langle f(x) \rangle\) be the ring of integer polynomials modulo both \(f(x)\) and \(q\). Elements of \(R_{q}\) are typically represented by integer polynomials of degree less than \(n\) whose coefficients are from \(\{ 0,1,{ \ldots },q - 1\}\).

In the above-described ring, the R-LWE problem can be described as follows [10]. Let \(s \in R_{q}\) be a uniformly random ring element (the secret), and define two distributions on \(R_{q} \times R_{q}\): (1) \((a,b = a \times s + e) \in R_{q} \times R_{q}\), where \(a \leftarrow R_{q}\) is uniformly random and \(e\) is some “small” random error term chosen from a certain distribution \(\chi\) over \(R_{q}\); (2) \((a,c)\), where \(a, \, c \leftarrow R_{q}\) are uniformly random. The goal of the R-LWE problem is to distinguish the two distributions described above. In other words, if R-LWE is hard, then the collection of ‘random noisy equations’ \((a,a \times s + e)\) is pseudorandom; all operations are performed in \(R_{q}\).

Lyubashevsky et al. [10] proved the hardness of the R-LWE problem under worst-case assumptions on ideal lattices (see Theorem 1).

Theorem 1

Suppose that it is hard for polynomial-time quantum algorithms to approximate the shortest vector problem (SVP) in the worst case on ideal lattices in \(R\) to within a fixed \(poly(n)\) factor. Then any \(poly(n)\) number of samples drawn from the R-LWE distribution are pseudorandom to any polynomial-time (even quantum) attacker.

2.2 Sampling from Discrete Gaussians

Lattices have useful cryptographic applications because of their natural trapdoor characteristic. Virtually all kinds of lattice-based cryptographic schemes show how to use a trapdoor in a theoretically sound and secure way. A short basis of the lattice is such a trapdoor.

Theorem 2

(Generating a short basis [19]). There is a fixed constant \(C > 1\) and a probabilistic polynomial-time (PPT) algorithm \(TrapGen(q,n)\) that, for poly(n)-bounded \(m \ge Cn\lg q\), outputs \((A \in Z_{q}^{n \times m} ,T \in Z^{m \times m} )\) such that:

  • \(A\) is statistically close to a uniform matrix in \(Z_{q}^{n \times m}\),

  • \(T\) is a basis of \(\varLambda_{q}^{ \bot } (A)\),

  • The Euclidean norm of every row of \(T\) (denoted \(||T||\)) is bounded by \(O(n\log n)\).

Theorem 3

(Sampling from discrete Gaussians [4]). There is a PPT algorithm \(Sample\,{\text{ISIS}}(A,T,\sigma ,u)\) that, given a matrix \(A \in Z_{q}^{n \times m}\), a basis \(T\) of \(\varLambda_{q}^{ \bot } (A)\), a parameter \(\sigma \ge ||T|| \cdot \omega (\sqrt {\log n} )\) and a vector \(u \in Z_{q}^{n}\), outputs a sample from a distribution that is statistically close to \({\mathcal{D}}_{{ \varLambda_{q}^{u} (A),\sigma }}\), the discrete Gaussian distribution over \(\varLambda_{q}^{ \bot } (A)\) with parameter \(\sigma\).

Theorem 4

([4]). The algorithm \(Sample\,{\text{ISIS}}(A,T,\sigma ,u)\) yields a collection of trapdoor one-way functions with preimage sampling, provided that the inhomogeneous small integer solution problem \(ISIS_{q,m,\sigma \sqrt m }\) is hard on average.

The \(ISIS_{q,m,\beta}\) problem (here with \(\beta = \sigma\sqrt{m}\)) can be described as follows: given an integer \(q\), a matrix \(A \in Z_{q}^{n \times m}\), a syndrome \(u \in Z_{q}^{n}\) and a real \(\beta\), find an integer vector \(e \in Z^{m}\) such that \(A \cdot e = u \bmod q\) and \(||e|| \le \beta\).

3 Signature Scheme

3.1 Signature Scheme

First we give the probability distribution \(\chi\) that will be used in the following; \(\chi\) is derived from a Gaussian. For any \(\beta > 0\), the density function of a Gaussian distribution over the reals is given by \(D_{\beta } (x) = 1/\beta \cdot \exp ( - \pi (x/\beta )^{2} )\). For an integer \(q \ge 2\), define \(\bar{\psi }_{\beta } (q)\) to be the distribution on \(Z_{q}\) obtained by drawing \(y \leftarrow D_{\beta }\) and outputting \(\left\lfloor {q \cdot y + 1/2} \right\rfloor\) (\(\bmod q\)). Let \(\chi \subset R_{q}\) denote the set of polynomials whose coefficients are chosen from \(\bar{\psi }_{\beta } (q)\).

Unlike the GPV08 scheme, which needs to generate a trapdoor and sample from discrete Gaussians, the following efficient signature scheme \(\mathcal{S} = (KeyGen,Sign,Verify)\) from the R-LWE problem is constructed using the idea of Lyubashevsky [20]:

Let \(n = 2^{k}\) (\(k \in Z\)), let \(p\) be a prime number with \(p \ll q\), where \(q \equiv 1 \pmod{2n}\) is a sufficiently large public prime modulus, let \(\chi \subset R_{q}\) be the error distribution, and let \(R_{q} = Z_{q} [x]/\langle x^{n} + 1 \rangle\) be the ring of integer polynomials modulo \(x^{n} + 1\) and \(q\).

  • \(KeyGen(1^{n} )\): Choose \(s \in R_{q}\) randomly as the private key. The public key is (\(a,b = a \cdot s + pe_{1}\)), where \(a \leftarrow R_{q}\) is uniformly random and the error term \(e_{1}\) is chosen independently from the probability distribution \(\chi \subset R_{q}\). \(H:\{ 0,1\}^{*} \to Z_{q}^{n}\) is a random oracle that maps the message space to \(Z_{q}^{n}\).

  • \(Sign(s,m)\): Compute \(c = H(m) \in Z_{q}^{n}\) (view it as an element of \(R_{q}\) by using its coordinates as the coefficients of a polynomial), and output the signature \(\sigma = s \cdot c + pe_{2}\), where \(e_{2}\) is chosen independently from a probability distribution \(\chi\).

  • \(Verify((a,b),m,\sigma )\): If \(\sigma \in R_{q}\) and \(a \cdot \sigma \equiv b \cdot H(m)(\bmod p)\), output 1. Else, output 0.

Polynomial addition is the usual coordinate-wise addition, and multiplication is the usual polynomial multiplication followed by reduction modulo \(x^{n} + 1\).

Claim 1

The signature scheme described above is correct.

Proof

Consider a signature \(\sigma = s \cdot c + pe_{2}\) of a message \(m\) under the public key (\(a,b = a \cdot s + pe_{1}\)), then the verification process can be computed as

$$\begin{aligned} [a \cdot \sigma - b \cdot H(m)]\bmod p & = [a \cdot (s \cdot c + pe_{2} ) - (a \cdot s + pe_{1} ) \cdot H(m)]\bmod p \\ \, & = [p(a \cdot e_{2} - e_{1} \cdot c)]\bmod p \\ \, & = 0 \\ \end{aligned}$$

3.2 Security Analysis

Claim 2

The scheme \(\mathcal{S}\) described above is secure against chosen-plaintext attacks (CPA) in the random oracle model, assuming that R-LWE is hard and the hash function \(H\) is secure.

Proof

Let \(\mathcal{A}\) be a probabilistic polynomial-time (PPT) adversary that makes at most \(k\) signature queries. The game proceeds as follows:

  • \(Setup\) The challenger runs \(KeyGen(1^{n} )\) to get { \(s\),(\(a,b = a \cdot s + pe_{1}\))} and sends the public key (\(a,b = a \cdot s + pe_{1}\)) to \(\mathcal{A}\).

  • \(Queries\) \(\mathcal{A}\) makes \(k\) queries to \(H\) on messages \(m_{i} (i = 1,{ \ldots },k)\), and the challenger returns \(c_{i} = H(m_{i} )(i = 1,{ \ldots },k)\) to \(\mathcal{A}\). Following this, \(\mathcal{A}\) makes signature queries on \(c_{i} (i = 1,{ \ldots },k)\); the challenger chooses \(e_{1} ,e_{2} ,{ \ldots },e_{k} \in \chi\) at random, runs \(Sign\) to get \(\sigma_{i} (i = 1,{ \ldots },k)\) and sends them to \(\mathcal{A}\).

  • \(Output\) \(\mathcal{A}\) outputs a tuple of the public key, message and signature \(\{ (a^{*} ,b^{*} ),m^{*} ,\sigma^{*} \}\), where \(m^{*} \ne m_{i} (i = 1,{ \ldots },k)\).

Suppose \(\mathcal{A}\) outputs a legal signature \(\sigma^{*}\) on \(m^{*}\), a message on which the challenger never answered a signature query, satisfying \(Verify\left( {(a,b),m^{*} ,\sigma^{*} } \right) = 1\), namely,

$$\begin{aligned} [a \cdot \sigma^{*} - b \cdot H(m^{*} )]\bmod p & = [a \cdot \sigma^{*} - (a \cdot s + pe_{1} ) \cdot H(m^{*} )]\bmod p \\ & = a \cdot [\sigma^{*} - s \cdot H(m^{*} )]\bmod p \\ & = 0 \\ \end{aligned}$$

It can be seen from the formula above that \(a = 0\bmod p\) or \(\sigma^{*} - s \cdot H(m^{*} ) = 0\bmod p\), since \(p\) is a prime number. As \(a\) is chosen from \(R_{q}\) randomly, the probability of \(a = 0\bmod p\) is close to \(1/p^{n}\), which is negligible. Hence it can be concluded that \(\sigma^{*} - s \cdot H(m^{*} ) = 0\bmod p\), and the private key \(s\) can be obtained. So the R-LWE problem is solved successfully.

3.3 Efficiency Analysis

Because of the special algebraic structure of R-LWE, the signature scheme from the R-LWE problem has the advantages of a much simpler description and analysis and very high efficiency. The efficiency analysis of the scheme is shown in Table 1.

Table 1 Efficiency analysis of the scheme from R-LWE

In the following, the scheme from R-LWE is compared with the RSA scheme under the same parameter settings and operating environment. We use the same ordinary personal computer to evaluate the implementation performance of the two schemes: both run on a Microsoft Windows XP Professional 2002 system with a Pentium (R) D CPU at 3.0 GHz and 1.0 GB of RAM. The implementation uses Shoup’s NTL library [18] version 5.5.2 for the high-level numeric algorithms, and the code is compiled with the Microsoft Visual C++ 6.0 compiler.

Tables 2 and 3 show the simulation results of the two schemes respectively. Each test is repeated ten times, and the data shown in the two tables are the means of these ten repetitions. As can be seen from Tables 2 and 3, the scheme from R-LWE runs faster than the RSA scheme under the same conditions, especially in key generation time and signing time. Although verification is slower than in the RSA scheme, the total runtime of our scheme is much lower than that of the RSA scheme as the security parameter \(n\) increases.

Table 2 Implementation time of the scheme from R-LWE
Table 3 Implementation time of the RSA scheme

The modulus \(q\) takes the minimum integer satisfying the corresponding conditions in the two schemes, and the message length in the two schemes is \(n\log q\) bits.

A more detailed simulation result of the two above-described schemes is given in Fig. 1. Figure 1a, b and c show the efficiency of key generation, signing and verification in the two schemes respectively, and the comparison of the total implementation time of the two schemes is shown in Fig. 1d. At the same time, Fig. 1 also indicates how the implementation time of the two schemes changes with the security parameter \(n\).

Fig. 1 Efficiency comparison of the signature scheme from R-LWE and the RSA scheme

As can be seen from Fig. 1, the efficiency of the scheme from R-LWE is higher than that of the RSA signature scheme, and the runtime of the scheme from R-LWE grows much more slowly than that of the RSA scheme as the security parameter \(n\) increases. Furthermore, the scheme from R-LWE is believed to be secure against quantum computers.

4 Identity-Based Encryption

4.1 Definition

Definition 1

([18]) An identity-based encryption (IBE) scheme is a tuple of PPT algorithms \(( {\text{IBE}}Setup,{\text{IBE}}Der,{\text{IBE}}Enc,{\text{IBE}}Dec)\) such that:

  • \({\text{IBE}}Setup(1^{n} )\): Take as input a security parameter \(1^{n}\). Output a master public key \(PK\) and a master secret key \(msk\).

  • \({\text{IBE}}Der(msk,id)\): Take as input the master secret key \(msk\) and an identity \(id\). Return the corresponding decryption key \(SK_{id}\), denoted \(SK_{id} \leftarrow {\text{IBE}}Der_{msk} (id)\).

  • \({\text{IBE}}Enc(PK,id,M)\): Take as input the master public key \(PK\), an identity \(id\) and a message \(M\) in some message space. Output a ciphertext \(C\), denoted \(C \leftarrow {\text{IBE}}Enc_{PK} (id,M)\).

  • \({\text{IBE}}Dec(SK_{id} ,id,C)\): Take as input an identity \(id\), an associated decryption key \(SK_{id}\) and a ciphertext \(C\). Output a message \(M\) or the symbol \(\bot\) (which is not in the message space), denoted \(M \leftarrow {\text{IBE}}Dec_{{SK_{id} }} (id,C)\).

It is required that for all \((PK,msk)\) output by \({\text{IBE}}Setup\), all \(id\), all \(SK_{id}\) output by \({\text{IBE}}Der\), all \(M\) in the message space and all \(C\) output by \({\text{IBE}}Enc\) we have \({\text{IBE}}Dec_{{SK_{id} }} (id,C) = M\).

4.2 Encryption Scheme

Let \(H_{1} :\{ 0,1,{ \ldots },q - 1\}^{*} \to Z_{q}^{n}\) be a random oracle that maps identities to the elements of \(Z_{q}^{n}\). Based on R-LWE problem, an efficient IBE scheme \(\mathcal{I}\mathcal{B}\mathcal{E}\) can be constructed as follows.

  • \({\text{IBE}}Setup(1^{n} )\): Take as input a security parameter \(1^{n}\), \(m \ge Cn\lg q\) (\(m = 2^{d}\), \(d \in Z\), and \(C > 1\) is a fixed constant) and a prime modulus \(q \equiv 1 \pmod{2m}\). Run \(TrapGen(q,n)\) to get a matrix \(A \in Z_{q}^{n \times m}\) and a trapdoor \(T \subset \varLambda_{q}^{ \bot } (A)\), where \(T\) is the master secret key.

  • \({\text{IBE}}Der(T,id)\): (1) If the pair \((id,SK_{id} )\) is in local storage, return \(SK_{id}\); (2) otherwise, let \(u = H_{1} (id)\) and run \(Sample{\text{ISIS}}(A,T,\sigma ,u)\) (\(\sigma \ge ||T|| \cdot \omega (\sqrt {\log n} )\)) to get a private key \(SK_{id}\), store \((id,SK_{id} )\) locally and return \(SK_{id}\); (3) let the public key be \(PK = (a,b) = (a,a \cdot SK_{id} + e)\), where \(a \leftarrow R_{q}\) is uniformly random and \(e\) is some “small” random error term chosen from the probability distribution \(\chi \subset R_{q}\) described in Sect. 3.

  • \({\text{IBE}}Enc(PK,id,M)\): To encrypt a message \(M \in \{ 0,1\}^{m} \subset R_{q}\) (view it as an element of \(R_{q}\) by using its bits as the 0–1 coefficients of a polynomial), choose a “small” \(t \in R_{q}\) at random (namely, the coefficient of \(t\) is small). Output the ciphertext \((c_{1} ,c_{2} ) = (a \cdot t + e_{1} ,b \cdot t + e_{2} + [q/2] \cdot M) \in R_{q} \times R_{q}\), where \(e_{1} ,e_{2}\) are “small” random error terms chosen from the distribution \(\chi\).

  • \({\text{IBE}}Dec(SK_{id} ,id,(c_{1} ,c_{2} ))\): Compute \(M^{{\prime }} = c_{2} - c_{1} \cdot SK_{id}\). For each coefficient \(m_{i}^{{\prime }} (i = 0,1, \cdots ,m - 1)\) of \(M^{{\prime }}\), output 0 if it is closer to 0 than to \([q/2]\) modulo \(q\), and 1 otherwise.

Here polynomial addition is the usual coordinate-wise addition, and “\(\cdot\)” denotes the usual polynomial multiplication followed by reduction modulo \(x^{n} + 1\).

Claim 3

The IBE scheme \(\mathcal{I}\mathcal{B}\mathcal{E}\) is correct.

Proof

Consider a ciphertext

$$(c_{1} ,c_{2} ) = (a \cdot t + e_{1} ,b \cdot t + e_{2} + [q/2] \cdot M) \in R_{q} \times R_{q}$$

of an \(m\)-bit message \(M \in \{ 0,1\}^{m}\) under the public key \((a,b = a \cdot SK_{id} + e)\), then the decryption process can be computed as

$$\begin{aligned} M^{{\prime }} & = c_{2} - c_{1} \cdot SK_{id} \\ \, & = b \cdot t + e_{2} + [q/2] \cdot M - (a \cdot t + e_{1} ) \cdot SK_{id} \\ \, & = (a \cdot SK_{id} + e) \cdot t + e_{2} + M \cdot [q/2] - (a \cdot t + e_{1} ) \cdot SK_{id} \\ \, & = M \cdot [q/2] + (e \cdot t + e_{2} - e_{1} \cdot SK_{id} ) \\ \end{aligned}$$

The coefficients of the private key \(SK_{id}\) are small, as \(SK_{id}\) is obtained from the algorithm \(Sample{\text{ISIS}}(A,T,\sigma ,u)\), and \(e,e_{1} ,e_{2} ,t \in R_{q}\) are “small” polynomials. Hence decryption outputs the coefficients \(m_{i} (i = 0,1,{ \ldots },m - 1)\) of \(M\) whenever the coefficients of \((e \cdot t + e_{2} - e_{1} \cdot SK_{id} )\) are at distance at most \(q/5\) from 0 (modulo \(q\)), which is ensured by choosing a large prime modulus \(q\).
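As an added example (not code from the paper), the following Python models the ring arithmetic of Sect. 2.1, draws an R-LWE sample \((a, a\cdot s + e)\), and runs the IBEEnc/IBEDec core of Sect. 4.2 above, measuring the noise term \(e \cdot t + e_{2} - e_{1} \cdot SK_{id}\) against the decryption threshold used in the proof of Claim 3. The toy parameters \(n = 64\), \(q = 12289\) and the small polynomial standing in for the SampleISIS output \(SK_{id}\) are assumptions of this example, and no trapdoor sampling is implemented.

```python
"""Toy model of R-LWE arithmetic (Sect. 2.1) and the IBEEnc/IBEDec core (Sect. 4.2).

Added example, not code from the paper.  Parameters are tiny for readability and
offer no security.  SK_id is a constructed small polynomial standing in for the
output of SampleISIS (no trapdoor sampling here), and the message length is taken
to be n bits so that M fits in one ring element.
"""
import random

N = 64        # ring degree n, a power of 2                      (assumed toy value)
Q = 12289     # prime q with q = 1 mod 2n: 12289 = 1 + 96 * 128   (assumed toy value)
BOUND = 2     # coefficients of "small" polynomials lie in [-BOUND, BOUND]


def poly_mul(a, b, n=N, q=Q):
    """Product in Z_q[x]/(x^n + 1): schoolbook multiply, then fold with x^n = -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:                                   # x^(i+j) = -x^(i+j-n)
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2], used to measure 'smallness'."""
    x %= q
    return x - q if x > q // 2 else x


def uniform_poly(rng, n=N, q=Q):
    return [rng.randrange(q) for _ in range(n)]


def small_poly(rng, n=N, q=Q, bound=BOUND):
    """Stand-in for a sample of the error distribution chi: tiny signed coefficients."""
    return [rng.randint(-bound, bound) % q for _ in range(n)]


def rlwe_sample(rng, s):
    """One R-LWE sample (a, a*s + e) with a uniform in R_q and e small (Sect. 2.1)."""
    a = uniform_poly(rng)
    e = small_poly(rng)
    return a, poly_add(poly_mul(a, s), e)


def ibe_public_key(rng, sk_id):
    """Step (3) of IBEDer: PK = (a, b = a*SK_id + e) is itself an R-LWE sample."""
    return rlwe_sample(rng, sk_id)


def encode_bits(bits, q=Q):
    """Scale each message bit by [q/2], so a 1 sits half-way around Z_q."""
    return [(bit * (q // 2)) % q for bit in bits]


def ibe_enc(rng, pk, msg_bits):
    """IBEEnc: (c1, c2) = (a*t + e1, b*t + e2 + [q/2]*M) with t, e1, e2 small."""
    a, b = pk
    t, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    c1 = poly_add(poly_mul(a, t), e1)
    c2 = poly_add(poly_add(poly_mul(b, t), e2), encode_bits(msg_bits))
    return c1, c2


def ibe_dec(sk_id, ct, q=Q):
    """IBEDec: M' = c2 - c1*SK_id; a coefficient nearer 0 than [q/2] decodes to 0."""
    c1, c2 = ct
    m_prime = poly_sub(c2, poly_mul(c1, sk_id))
    return [0 if abs(centered(x, q)) < q // 4 else 1 for x in m_prime]


def noise_max(sk_id, ct, msg_bits):
    """Largest |coefficient| of e*t + e2 - e1*SK_id left after decryption.

    Decryption is correct whenever this stays below q/4; Claim 3 asks for q/5.
    """
    c1, c2 = ct
    noise = poly_sub(poly_sub(c2, poly_mul(c1, sk_id)), encode_bits(msg_bits))
    return max(abs(centered(x)) for x in noise)


def demo(seed=1):
    """Key pair, encrypt a random n-bit message, decrypt; report success and noise."""
    rng = random.Random(seed)
    sk_id = small_poly(rng)                # constructed stand-in for SampleISIS output
    pk = ibe_public_key(rng, sk_id)
    msg = [rng.randrange(2) for _ in range(N)]
    ct = ibe_enc(rng, pk, msg)
    return ibe_dec(sk_id, ct) == msg, noise_max(sk_id, ct, msg)
```

With coefficients bounded by 2, each noise coefficient is at most \(8n + 2 = 514\), far below \(q/5 = 2457\), which is why every seed decrypts correctly here; shrinking \(q\) or widening the error bound shows where decoding starts to fail.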

4.3 Security Analysis

Claim 4

The IBE scheme \(\mathcal{I}\mathcal{B}\mathcal{E}\) is secure against chosen-plaintext attacks (denoted IND-ID-CPA) in the random oracle model, assuming that the R-LWE is hard.

Proof

Let \(\mathcal{A}\) be a PPT adversary that distinguishes between encryptions of messages of its choice on some identity with advantage \(\epsilon\) in a chosen-plaintext attack. The game proceeds as follows:

  • \(Setup\) The challenger takes a security parameter \(1^{n}\) and runs \({\text{IBE}}Setup(1^{n} )\) to get a matrix \(A \in Z_{q}^{n \times m}\) and a trapdoor \(T \subset \varLambda_{q}^{ \bot } (A)\), where \(T\) is the master secret key.

  • \(Queries1\) \(\mathcal{A}\) issues private key extraction queries \(q_{{id_{j} }} (j = 1,{ \ldots },s)\). If the pair \((id_{j} ,SK_{{id_{j} }} )\) is in local storage, the challenger returns \(SK_{{id_{j} }}\) and the corresponding public key \(PK_{j} = (a,a \cdot SK_{{id_{j} }} + e)\) \((j = 1,{ \ldots },s)\) to \(\mathcal{A}\). Otherwise, it lets \(u = H_{1} (id_{j} )\), runs \(Sample{\text{ISIS}}(A,T,\sigma ,u)\) to get a private key \(SK_{{id_{j} }}\), and returns \(SK_{{id_{j} }}\) and the public key \(PK_{j} = (a,a \cdot SK_{{id_{j} }} + e)\).

  • \(Challenge\) After the queries, \(\mathcal{A}\) outputs two different plaintexts \(M_{0} ,M_{1} \in \{ 0,1\}^{m}\) and a “target” identity \(ID^{*}\), which may not have been queried before. A bit \(b \in \{ 0,1\}\) is randomly chosen and the adversary is given a “challenge ciphertext”

    $$(a \cdot t + e_{1} ,b \cdot t + e_{2} + [q/2] \cdot M_{b} ) \leftarrow {\text{IBE}}Enc(PK^{*} ,ID^{*} ,M_{b} ).$$
  • \(Queries2\) \(\mathcal{A}\) may continue to issue more extraction queries \(q_{{id_{j} }} (j = s + 1,{ \ldots },t)\) to get corresponding private key and public key, where the only constraint is \(q_{{id_{j} }} \ne ID^{*} (j = s + 1,{ \ldots },t)\).

  • \(Output\) \(\mathcal{A}\) outputs a guess \(b^{{\prime }}\).

To prove the security of the scheme, we construct a distinguisher \(D\) between the two distributions

$$\left\{ {\left( {a,a \cdot SK_{{ID^{*} }} + e} \right):a \leftarrow R_{q} ,SK_{{ID^{*} }} \in R_{q} ,e \leftarrow \chi } \right\}\quad {\text{and}}\quad \left\{ {{\text{Unif}}\left( {R_{q} \times R_{q} } \right)} \right\}$$

\(D\) takes as input a pair of polynomials \(\left( {a \in R_{q} ,c \in R_{q} } \right)\), and runs the adversary \(\mathcal{A}\) with \((a,b)\) (\(b = a \cdot SK_{{ID^{*} }} + e\)) as the public key. Upon receiving messages \(M_{0} ,M_{1} \in \{ 0,1\}^{m}\) from the adversary, \(D\) chooses \(b \in \{ 0,1\}\) and \(t \in R_{q}\) at random, returns the challenge ciphertext \(\left( {a \cdot t + e_{1} ,c \cdot t + e_{2} + [q/2] \cdot M_{b} } \right)\), and then outputs 1 if \(\mathcal{A}\) guesses the right \(b\), and 0 otherwise.

On the one hand, if \(c\) is uniformly random, then the challenge ciphertext is also uniformly random, regardless of the multiplication and addition, so in this case \(D\) outputs 1 with probability at most 1/2. On the other hand, if \(c = a \cdot SK_{{ID^{*} }} + e\), then the challenge ciphertext is \(\left( {a \cdot t + e_{1} ,\left( {a \cdot SK_{{ID^{*} }} + e} \right) \cdot t + e_{2} + [q/2] \cdot M_{b} } \right)\). This is identical to the output distribution of \({\text{IBE}}Enc(PK^{*} ,ID^{*} ,M_{b} )\), so by assumption \(\mathcal{A}\) guesses the right \(b\) with probability \((1 + \epsilon)/2\), which means that \(D\) outputs 1 with the same probability; hence \(D\) has advantage at least \(\epsilon/2\). Therefore, if \(\mathcal{A}\) can distinguish between encryptions of messages of its choice on the “target” identity \(ID^{*}\), then \(D\) can distinguish between the two distributions \((a,a \cdot SK_{{ID^{*} }} + e)\) and \(\left\{ {{\text{Unif}}\left( {R_{q} \times R_{q} } \right)} \right\}\), namely, \(D\) solves the R-LWE problem.

The efficiency of the IBE scheme will be discussed in Sect. 5.

5 CCA-secure encryption from R-LWE

5.1 Definition

Definition 2

([22]) A public-key encryption scheme is secure against adaptive chosen-ciphertext attacks (CCA-secure) if the advantage of any PPT adversary \(\mathcal{A}\) in the following game is negligible in the security parameter \(n\):

  • Setup Challenger runs algorithm \(Setup(1^{n} )\) and outputs \((PK,SK)\). Adversary \(\mathcal{A}\) is given \(1^{n}\) and \(PK\).

  • Queries1 The adversary may make polynomially-many queries \(q_{1} ,{ \ldots },q_{s}\) to a decryption oracle \(Decry_{SK} ( \cdot )\).

  • Challenge At some point, \(\mathcal{A}\) outputs two messages \(M_{0} ,M_{1} \in \{ 0,1\}^{m}\). A bit \(b \in \{ 0,1\}\) is randomly chosen and \(\mathcal{A}\) is given a “challenge ciphertext” \(C^{*} \leftarrow Encry_{PK} (M_{b} )\).

  • Queries2 \(\mathcal{A}\) may continue to make queries \(q_{j} (j = s + 1,{ \ldots },t)\) to \(Decry_{SK} ( \cdot )\) except that it may not request the decryption of \(C^{*}\).

  • Output \(\mathcal{A}\) outputs a guess \(b^{{\prime }}\).

We say that \(\mathcal{A}\) succeeds if \(b^{{\prime }} = b\), and denote the probability of this event by \(\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ]\). The adversary’s advantage is defined as \(Adv_{{\mathcal{A},\mathcal{E}}}^{PKE} = |\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ] - 1/2|\).

5.2 Encryption Scheme

Adopting the construction paradigm of Boneh et al., based on the IBE scheme \(\mathcal{I}\mathcal{B}\mathcal{E} = ({\text{IBE}}Setup,{\text{IBE}}Der,{\text{IBE}}Enc,{\text{IBE}}Dec)\) of Sect. 4 and the signature scheme \(\mathcal{S} = (KeyGen,Sign,Verify)\) of Sect. 3, a CCA-secure public-key encryption scheme \(\mathcal{E} = (Setup,Encry,Decry)\) is constructed as follows.

  • \(Setup\) Run \({\text{IBE}}Setup(1^{n} )\) to get a matrix \(A \in Z_{q}^{n \times m}\) and a trapdoor \(T \subset \varLambda_{q}^{ \bot } (A)\), where \(T\) is the master secret key.

  • \(Encry\) To encrypt a message \(M \in \{ 0,1\}^{m}\), the sender performs the following operations:

    1. Run \(KeyGen(1^{n} )\) to obtain a verification key \(vk\) and a signing key \(sk\).

    2. Run \({\text{IBE}}Der(T,vk)\) (the verification key \(vk\) is viewed as an identity) to obtain the public key \((a,b)\), and encrypt \(M\) with respect to \(vk\): \((c_{1} ,c_{2} ) \leftarrow {\text{IBE}}Enc(PK,vk,M)\), where \((c_{1} ,c_{2} ) \leftarrow (a \cdot t + e_{1} ,b \cdot t + e_{2} + [q/2] \cdot M)\).

    3. Compute \((\sigma_{1} ,\sigma_{2} ) \leftarrow Sign(sk,(c_{1} ,c_{2} )) = (Sign(sk,c_{1} ),Sign(sk,c_{2} ))\) and output the ciphertext \((vk,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} ))\).

  • \(Decry\): After receiving ciphertext \((vk,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} ))\), the receiver first checks whether \(Verify(vk,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} ))\mathop = \limits^{?} 1\), if not, output \(\bot\). Otherwise, the receiver runs \({\text{IBE}}Der(T,vk)\) to obtain private key \(SK_{vk}\) and outputs \(M \leftarrow {\text{IBE}}Dec(SK_{vk} ,vk,(c_{1} ,c_{2} ))\).

Claim 5

The public-key encryption scheme \(\mathcal{E}\) is correct.

Proof

It is clear that the encryption scheme \(\mathcal{E}\) satisfies correctness from Claim 3.

5.3 Security Analysis

Claim 6

The public-key encryption scheme \(\mathcal{E}\) is CCA-secure in the random oracle model.

Proof

Let \(\mathcal{A}\) be a PPT adversary attacking the encryption scheme \(\mathcal{E}\) in an adaptive chosen-ciphertext attack. Call a ciphertext \((vk,C,\sigma )\) valid if \(Verify(vk,C,\sigma ) = 1\). Let \((vk^{*} ,C^{*} ,\sigma^{*} )\) be the challenge ciphertext received by \(\mathcal{A}\), and let \(\varPhi\) denote the event that “\(\mathcal{A}\) submits a valid ciphertext \((vk^{*} ,C,\sigma )\) to the decryption oracle”, where \(vk^{*}\) is assumed to be chosen at the beginning of the game. Then the following propositions hold.

Proposition 1

\(\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ]\) is negligible.

Proposition 2

\(|\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ \wedge \bar{\varPhi }] + \frac{1}{2}\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ] - \frac{1}{2}|\) is negligible.

As

$$\begin{aligned} &\left|\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ] - 1/2\right| \hfill \\ &\quad\le \left|\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ \wedge \varPhi ] - \frac{1}{2}\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ]\right| + \left|\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ \wedge \bar{\varPhi }] + \frac{1}{2}\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ] - \frac{1}{2}\right| \hfill \\ &\quad\le \frac{1}{2}\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ] + \left|\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ \wedge \bar{\varPhi }] + \frac{1}{2}\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ] - \frac{1}{2}\right| \hfill \\ \end{aligned}$$

Hence the adversary’s advantage is negligible if the propositions described above are correct.

The correctness of Proposition 1 is straightforward. Let \(\mathcal{F}\) be a PPT forger that forges a signature with respect to the scheme \(\mathcal{S}\) with probability exactly \(\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ]\). The security of \(\mathcal{S}\) (Claim 2 in Sect. 3) then implies that Proposition 1 holds.

Proof of Proposition 2

A PPT adversary \(\mathcal{A}^{{\prime }}\) attacking the IBE scheme \(\mathcal{I}\mathcal{B}\mathcal{E}\) can be constructed using \(\mathcal{A}\) as follows:

  1. \(Setup\): \(\mathcal{A}^{{\prime }}\) runs \(KeyGen\) to get \((vk^{*} \in R_{q} \times R_{q} ,sk^{*} \in R_{q} )\) and outputs the “target” identity \(ID^{*} = vk^{*}\). \(\mathcal{A}^{{\prime }}\) is given the public key \(PK_{{vk^{*} }}\) and then runs \(\mathcal{A}(1^{n} ,PK_{{vk^{*} }} )\).

  2. \(Queries1\): When \(\mathcal{A}\) makes a decryption oracle query \(Decry(vk,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} ))\), \(\mathcal{A}^{{\prime }}\) proceeds as follows:

     1. If \(vk = vk^{*}\), then \(\mathcal{A}^{{\prime }}\) checks whether \(Verify(vk^{*} ,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} )) = 1\). If so, \(\mathcal{A}^{{\prime }}\) aborts and outputs a random bit. Otherwise, it outputs \(\bot\).

     2. If \(vk \ne vk^{*}\) and \(Verify(vk,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} )) = 0\), \(\mathcal{A}^{{\prime }}\) outputs \(\bot\).

     3. If \(vk \ne vk^{*}\) and \(Verify(vk,(c_{1} ,c_{2} ),(\sigma_{1} ,\sigma_{2} )) = 1\), \(\mathcal{A}^{{\prime }}\) makes the private key extraction query \({\text{IBE}}Der(T,vk)\) to get \(SK_{vk}\). It then computes \(m \leftarrow {\text{IBE}}Dec(SK_{vk} ,vk,(c_{1} ,c_{2} ))\) and returns \(m\) to \(\mathcal{A}\).

  3. \(Challenge\): At some point, \(\mathcal{A}\) outputs two messages \(M_{0} ,M_{1} \in \{ 0,1\}^{m}\). \(\mathcal{A}^{{\prime }}\) forwards \(M_{0} ,M_{1}\) to its challenger; a bit \(b \in \{ 0,1\}\) is chosen at random and \(\mathcal{A}^{{\prime }}\) is given the “challenge ciphertext” \(\left( {c_{1}^{*} ,c_{2}^{*} } \right) \leftarrow {\text{IBE}}Enc\left( {PK_{{vk^{*} }} ,vk^{*} ,M_{b} } \right)\). \(\mathcal{A}^{{\prime }}\) then computes \(\left( {\sigma_{1}^{*} ,\sigma_{2}^{*} } \right) \leftarrow Sign\left( {sk^{*} ,\left( {c_{1}^{*} ,c_{2}^{*} } \right)} \right)\) and returns \(\left( {vk^{*} ,\left( {c_{1}^{*} ,c_{2}^{*} } \right),\left( {\sigma_{1}^{*} ,\sigma_{2}^{*} } \right)} \right)\) to \(\mathcal{A}\).

  4. \(Queries2\): \(\mathcal{A}\) may continue to make queries to \(Decry_{SK} ( \cdot )\), except that it may not request the decryption of \(\left( {vk^{*} ,\left( {c_{1}^{*} ,c_{2}^{*} } \right),\left( {\sigma_{1}^{*} ,\sigma_{2}^{*} } \right)} \right)\); \(\mathcal{A}^{{\prime }}\) answers them as before.

  5. \(Output\): \(\mathcal{A}\) outputs a guess \(b^{{\prime }}\), and \(\mathcal{A}^{{\prime }}\) outputs the same guess \(b^{{\prime }}\).

As \(\mathcal{A}^{{\prime }}\) never requests the secret key corresponding to the “target” identity \(vk^{*}\), \(\mathcal{A}^{{\prime }}\) is a legal PPT adversary. As long as \(\mathcal{A}\) does not submit a valid ciphertext \((vk^{*} ,C,\sigma )\), i.e. when \(\bar{\varPhi }\) occurs, \(\mathcal{A}^{{\prime }}\) provides a perfect simulation for \(\mathcal{A}\). It is easy to see that:

$$\begin{aligned} \left| {\Pr_{{\mathcal{A}^{{\prime }} ,\mathcal{E}^{{\prime }} }}^{IBE} [Succ] - \frac{1}{2}} \right| & = \left| {\Pr_{{\mathcal{A}^{{\prime }} ,\mathcal{E}^{{\prime }} }}^{IBE} [\bar{\varPhi } \wedge Succ] + \Pr_{{\mathcal{A}^{{\prime }} ,\mathcal{E}^{{\prime }} }}^{IBE} [\varPhi \wedge Succ] - \frac{1}{2}} \right| \\ \, & = \left| {\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ \wedge \bar{\varPhi }] + \Pr_{{\mathcal{A}^{{\prime }} ,\mathcal{E}^{{\prime }} }}^{IBE} [Succ] \cdot \Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ] - \frac{1}{2}} \right| \\ \, & \,=\, \left| {\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [Succ \wedge \bar{\varPhi }] + \frac{1}{2}\Pr_{{\mathcal{A},\mathcal{E}}}^{PKE} [\varPhi ] - \frac{1}{2}} \right| \\ \end{aligned}$$

By Claim 4 in Sect. 4, \(\left| {\Pr_{{\mathcal{A}^{{\prime }} ,\mathcal{E}^{{\prime }} }}^{IBE} [Succ] - \frac{1}{2}} \right|\) is negligible, hence Proposition 2 holds.
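To make the case analysis of \(Queries1\) and the challenge step concrete, the following Python is an added example and not code from the paper: the IBE challenger is an assumed toy stand-in (`IbeChallenger`) that holds the master secret and answers \({\text{IBE}}Der\) and \({\text{IBE}}Enc\), the signature scheme \(\mathcal{S}\) is replaced by a toy Lamport one-time signature, and `simulated_decrypt` plays \(\mathcal{A}^{{\prime }}\)'s decryption oracle; the names `cca_encrypt`, `simulated_decrypt` and `IbeChallenger` are assumptions of this example.

```python
import hashlib, hmac, os

H = lambda b: hashlib.sha256(b).digest()
# Toy Lamport one-time signature standing in for the paper's scheme S.
BITS = 32  # signs 32 digest bits: a toy size for illustration, not a secure one
def ots_keygen():
    sk = [(os.urandom(16), os.urandom(16)) for _ in range(BITS)]
    vk = tuple((H(x0), H(x1)) for x0, x1 in sk)
    return vk, sk

def _bits(msg):
    d = int.from_bytes(H(msg)[:BITS // 8], "big")
    return [(d >> i) & 1 for i in range(BITS)]

def ots_sign(sk, msg):
    return tuple(sk[i][b] for i, b in enumerate(_bits(msg)))

def ots_verify(vk, msg, sig):
    return len(sig) == BITS and all(
        H(s) == vk[i][b] for i, (b, s) in enumerate(zip(_bits(msg), sig)))

class IbeChallenger:
    """Assumed stand-in for the IBE challenger: holds msk, answers Der and Enc.
    Not a real IBE (Enc needs msk); it only exercises the reduction's cases."""
    def __init__(self):
        self.msk = os.urandom(32)
        self.derived = set()  # identities for which A' asked IBEDer
    def _key(self, ident):
        return hmac.new(self.msk, repr(ident).encode(), "sha256").digest()
    def der(self, ident):  # IBEDer(T, ident)
        self.derived.add(ident)
        return self._key(ident)
    def enc(self, ident, m):  # stands in for IBEEnc(PK, ident, m); m <= 32 bytes
        return bytes(a ^ b for a, b in zip(m, H(self._key(ident))))

def ibe_dec(sk_id, c):  # IBEDec(SK_ID, ID, c)
    return bytes(a ^ b for a, b in zip(c, H(sk_id)))

def cca_encrypt(chal, vk, sk, m):
    """Encryption of E: IBE-encrypt to identity vk, then one-time-sign c."""
    c = chal.enc(vk, m)
    return vk, c, ots_sign(sk, c)

def simulated_decrypt(vk_star, chal, vk, c, sig):
    """A' answering A's query Decry(vk, c, sig): the three cases of Queries1."""
    if vk == vk_star:  # case 1: a valid signature here is the forgery event Phi
        return "ABORT" if ots_verify(vk, c, sig) else None
    if not ots_verify(vk, c, sig):  # case 2: invalid signature, answer bot
        return None
    return ibe_dec(chal.der(vk), c)  # case 3: legal Der query since vk != vk*
```

Mauling the challenge ciphertext breaks the signature and is answered with \(\bot\), a fresh ciphertext under another \(vk\) is answered through \({\text{IBE}}Der(T,vk)\) without ever deriving \(SK_{vk^{*}}\), and a valid signature under \(vk^{*}\) on a different ciphertext is exactly the abort event \(\varPhi\).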

5.4 Efficiency Analysis

It is easy to see from its encryption process that the efficiency of the CCA-secure scheme \(\mathcal{E}\) is determined by the efficiency of the IBE scheme \(\mathcal{I}\mathcal{B}\mathcal{E}\) and the signature scheme \(\mathcal{S}\). Because of the special algebraic structure of R-LWE and the construction method, the schemes \(\mathcal{I}\mathcal{B}\mathcal{E}\) and \(\mathcal{S}\) from the R-LWE problem have the advantages of a much simpler description, simpler analysis and high efficiency.

Compared to the CCA-secure encryption schemes presented in [3] and [14], the efficiency improvement of the scheme \(\mathcal{E}\) is shown in Table 4. Here \(m\) denotes the message size in our scheme and the number of samples in [3] and [14]; \(q\) is a prime modulus and \(k\) is a security parameter.

Table 4 Efficiency comparison between the scheme \(\mathcal{E}\) and the schemes in [3] and [14]

The data in Table 4 show that the encryption scheme \(\mathcal{E}\) is more efficient than the other two cryptosystems; in particular, its expansion, private key, public key and ciphertext sizes are far smaller than those of the CCA-secure schemes of Peikert and Yang. The expansion of our scheme does not grow with the security parameter \(n\) or the message size \(m\), whereas the other two schemes lack this property, which makes the advantage more pronounced when the security parameter is large.

6 Conclusion

Owing to the flexible structure and implementation simplicity of lattice cryptography, an efficient identity-based encryption (IBE) scheme from R-LWE is proposed, whose security is reducible to the worst-case hardness of the shortest vector problem (SVP) on ideal lattices. We then construct a CCA-secure public key cryptosystem based on the IBE scheme, adopting the construction paradigm of Boneh et al. The scheme mainly uses modular addition and modular multiplication in the ring of integer polynomials and relies on the special algebraic structure of R-LWE, hence it is more efficient than previous related cryptosystems, and the analysis also indicates that the CCA-secure scheme \(\mathcal{E}\) is more efficient.

Future work mainly includes optimizing the construction of the CCA-secure public key cryptosystem; to test the feasibility of the system in a practical application environment, further simulation and analysis of its running efficiency will be carried out. We also plan to study lattice-based signature and encryption schemes in the standard model.