KDM Security IBE Based on LWE beyond Affine Functions

Abstract

Key-dependent message (KDM) security identity-based encryption (IBE) schemes aim to solve the security risks caused by the dependency between plaintext and secret keys in traditional IBE schemes. However, current KDM-IBE schemes are only secure with respect to affine functions, which limits their security level when a message is derived from the evaluation of a polynomial function using the secret key. To address this issue, in this study, we propose a novel approach to construct a KDM-IBE scheme with respect to polynomial or even arbitrary functions that achieves maximum security based on the learning with errors (LWE) assumption. Our approach overcomes two major technical barriers to constructing KDM-IBE schemes with respect to polynomial functions. Compared to existing KDM-IBE schemes, our proposed scheme ensures the secrecy of the key-related plaintext, even when it is obtained using arbitrary functions, not just affine functions. Thus, our approach provides a more robust solution to the security risks inherent in traditional IBE schemes.

1. Introduction

The emergence of IBE solves the problem of frequent public key authentication methods in the traditional public key encryption scheme (PKE) and greatly improves its efficiency. In traditional IBE security reduction schemes, a plaintext and private key are required to be independent of each other [1]. However, in IBE, a secret key or secret key-related message is commonly used to encrypt the plaintext, which violates and undermines the security of the scheme, possibly leading to theoretical difficulties when proving its security [2].

This vulnerability can be mitigated by the key-dependent message (KDM) security method, which ensures that even if the plaintext is generated by calculating the secret key or a related message, the scheme still preserves the required secrecy. The concept of KDM security was originally proposed by Goldwasser and Micali for symmetric encryption in the year 1984 [1]. Later, Black, Rogaway, and Shrimpton used this concept in public-key encryption services in 2002 [3]. Since then, KDM security has been widely applied in various fields, such as computational security, fully homomorphic encryption, homomorphic secret sharing, obtaining chosen ciphertext attack (CCA)-safe public-key encryption schemes, and non-interactive zero-knowledge proofs [4,5,6,7,8,9]. It has proved to be an important security notion in a modern cryptography setting.

In KDM-IBE schemes, the challenge function ensemble plays a critical role in determining the level of security achieved. A challenge function ensemble $F$ specifies the set of functions that an adversary may use to generate related messages for a given secret key. Generally, if the adversary cannot distinguish the ciphertext of $f(s{k}_1,\cdots ,s{k}_l)$ under the $i$-th public key from the ciphertext of the constant message (such as all 0), where function $f\in F$, $i\in \left\{1,\cdots ,l\right\}$, we consider this scheme as KDM-chosen plaintext attack (CPA) security with respect to $F$. Additionally, this means that when the adversary uses a function $f\notin F$, the scheme cannot guarantee the security of the ciphertext of $f(s{k}_1,\cdots ,s{k}_l)$.

Therefore, the security of the scheme improves with the richness of the challenge function ensemble $F$, which can be typically classified into several categories, including selection, affine, polynomial, and arbitrary functions, with the corresponding security levels increasing in a hierarchical manner.

1.1. Motivation

The first KDM-IBE scheme was proposed by Alperin and Peikert et al. [2] in 2012, which was proven to be KDM-CPA-secure under the standard model based on the learning with errors (LWE) assumption. However, the efficiency of the scheme was suboptimal [10], and its challenge function ensemble was limited to the affine functions of the secret key, resulting in a weak security outcome.

Subsequent works [10,11,12,13,14,15] in the literature aimed to improve the KDM-IBE scheme by enhancing its different security attributes, such as selective opening, master key, and adaptive security methods. However, the challenge function ensembles in their schemes were restricted to affine functions. Only [16] was able to achieve a limited number of polynomial functions, and the construction presented in [16] was complex. For further details, see Related Works.

This represents a major vulnerability factor, as it implies that the existing KDM-IBE schemes cannot maintain the secrecy of the message $m=f\left(s{k}_1,\cdots ,s{k}_l\right)$, in the case where $f$ is a polynomial function. The security of current KDM-IBE schemes is, therefore, compromised.

Given this limitation, it is crucial to develop a novel KDM-IBE scheme that can achieve a higher level of security with respect to functions or even arbitrary functions.

In the context of a KDM-IBE scheme, the security proof and trapdoor function play pivotal roles. However, the existing schemes are limited to affine functions, and it is challenging to propose a universal security proof and trapdoor function that can apply to polynomials of different degrees. At present, no solutions to this problem have been proposed in the literature.

Therefore, to achieve KDM-IBE security with respect to polynomial functions or even arbitrary functions, it is necessary to address two major obstacles: (1) the need for intricate security proofs and (2) the development of a new suitable trapdoor function.

How do we address these two obstacles? We do not directly construct the KDM-IBE scheme with respect to polynomial functions, but by using the KDM-IBE scheme with respect to affine functions as a basis.

We applied the randomized encoding of functions technology to amplify its challenge function ensemble from affine to polynomial functions, or even the arbitrary function, to obtain a new and safer KDM-IBE scheme. The security of our KDM-IBE scheme can be reduced to the basis, thus avoiding intricate security proofs and the construction of new trapdoor functions.

To enable KDM-IBE with respect to polynomial or even arbitrary functions, the randomized encoding of functions technology was utilized in our scheme.

• We use $f\left(x\right)$ to perform the randomized encoding of $g\left(x\right)$, where $f\left(x\right)$ is an affine function and $g\left(x\right)$ is a polynomial function. This encoding step can generate mappings of $\mathit{S}\mathit{i}\mathit{m}$ and $\mathit{R}$ between $f\left(x\right)$and $g\left(x\right)$ via $\mathit{S}\mathit{i}\mathit{m}$ and $\mathit{R}$, such that $\mathit{S}\mathit{i}\mathit{m}\left(g\left(x\right)\right)=f\left(x\right)$ and $\mathit{R}\left(f\left(x\right)\right)=g\left(x\right)$.
• Suppose we can securely encrypt message $m=f\left(x\right)$ (since $f\left(x\right)$ is an affine function, this can be easily implemented).
• When we want to encrypt message $m=g\left(x\right)$, we can use $\mathit{S}\mathit{i}\mathit{m}\left(g\right(x\left)\right)$ to obtain $f\left(x\right)$, then encrypt $m^{\prime }=f\left(x\right)$.
• When we want to decrypt message $m=g\left(x\right)$, we will decrypt $m^{\prime }=f\left(x\right)$,then use $\mathit{R}\left(f\left(x\right)\right)=g\left(x\right)$ to obtain the original message $m=g\left(x\right)$.

This process enables us to use the KDM-IBE scheme with respect to affine functions as a basis and extend it to polynomial functions (or arbitrary functions) through the use of randomized encoding of functions technology.

1.2. Our Contributions

• We propose a novel approach to construct a KDM-IBE scheme with respect to polynomial or even arbitrary functions, which addresses the limitation of existing KDM-IBE schemes, which are unable to maintain the secrecy of the message $m=f\left(s{k}_1,\cdots ,s{k}_l\right)$ in the case where f is a polynomial function.
• Our proposed method circumvents the need for intricate security proofs and the development of new trapdoor functions, thereby affording the advantages of streamlined security proofs and a simpler construction.

Consequently, our KDM-IBE scheme mitigates the potential security threats encountered by the current KDM-IBE schemes and offers streamlined security proofs and simpler construction methods compared to other KDM-IBE schemes.

Table 1. Comparison with other major KDM-IBE schemes.

Scheme	AP12 [2]	He17 [10]	Chen19 [16]	Ours
Challenge function	Affine functions	Affine functions	Few polynomial functions	Polynomial functions (even arbitrary functions)
Underlying assumption	LWE	LWE	PUS+IO (with a complicated construction)	LWE
Anti-quantum attack	√	√	×	√

(‘√’ indicates that the function is supported, and ‘×’ indicates that the function is not supported).

presents a comparison of our scheme with other major KDM-IBE schemes that exist at present in the literature.

Organizations. In Section 2, we introduce the related works concerning KDM-IBE schemes. In Section 3, we introduce some notations, important lemmas, definitions, and previous results. In Section 4, we describe our basic KDM-IBE scheme with respect to affine functions, and prove it is a KDM scheme against plaintext attack (KDM-CPA) security. In Section 5, we introduce our entire KDM-IBE scheme with respect to polynomial functions; it is constructed by using the basic KDM-IBE scheme presented in Section 4. Additionally, we discuss the feasibility of our scheme with respect to arbitrary functions.

2. Related Works

We categorized the related works on KDM-IBE schemes into two groups based on the challenge function ensemble: affine and few polynomial functions.

KDM-IBE scheme with respect to affine functions. In 2012, Alperin and Peikert et al. [2] introduced KDM (key-dependent message) security into the IBE scheme for the first time, proposed the first lattice-based KDM-IBE scheme, and constructed a public key encryption system that satisfied KDM security based on the variant LWE assumption and the all-but-d trapdoor function. Finally, the scheme was proven to be KDM-selective ID CPA (KDM-sID-CPA)-secure under the standard model. However, the noise level with the use of this scheme increased following multiple rounds of encryption, and the efficiency of the scheme was insufficient. Its challenge function ensemble included the affine functions of the secret key, and the security level of the scheme was weak.

In 2017, He and Liu et al. [10] selected a shorter public key based on [2] and used an all-but-d trapdoor function to prove the KDM-sID-CPA security of the scheme under the standard model. They introduced selective opening, or selected to open (SO) security, to obtain a more efficient KDM-IBE scheme with more security attributes; however, the scheme retained a complex structure and the ciphertext was not compact enough. The challenge function ensemble included the affine functions of the secret key, and the security level of the scheme was weak. The abovementioned two schemes, as well as [10,11,12,13,14,15], presented this issue. These schemes obtained more secure schemes by improving different security attributes of the KDM-IBE scheme (such as master key and adaptive security functions); however, they did not solve the problem of the challenge function ensemble consisting of only affine functions, which is a “weak” secure property for an encryption scheme.

KDM-IBE scheme with respect to a few polynomial functions. In 2019, Chen et al. [16] constructed a KDM-IBE scheme with respect to polynomial functions based on IO and puncturable unique signatures. However, the scheme was complex in construction and only supported a few polynomial functions; the challenge function was still not advanced enough; and the underlying hard assumptions on which the scheme depended did not function well against quantum attacks.

3. Preliminaries

3.1. Notations

Definition 1. 

For $\mathit{f}\left(\mathit{n}\right),\mathit{g}\left(\mathit{n}\right)\in \mathbb{R},\mathit{n}\in {\mathbb{Z}}^{+}$,

(1)

The definition of $f\left(n\right)=\omega \left(g\right(n\left)\right)$ in formal notation is $f\left(n\right)=\omega \left(g\right(n\left)\right)$, and only if $\underset{n\to \infty }{\mathit{lim}}\frac{f\left(n\right)}{g\left(n\right)}=\infty$.

(2)

The definition of $f\left(n\right)=O\left(g\right(n\left)\right)$ in formal notation is the following: when a constant $c$ and positive integer $N$ exist, such that for all $n>N$, $f\left(n\right)<cg\left(n\right)$, it can be said that $f\left(n\right)=O\left(g\right(n\left)\right)$.

Definition 2. 

If a function $f$ vanishes more quickly than the inverse of any polynomial in $n$, we say it is negligible, denoted by

$$f=negl\left(n\right)$$

Definition 3. 

For integers $n\ge 1$, modulus $q\ge 2$, an m-dimensional lattice obtained from this family is defined by an “arity check” matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ so that:

$${\mathit{\Lambda }}^{\perp }\left(\mathbf{A}\right)=\{\mathbf{x}\in {\mathbb{Z}}_q^{\mathrm{m}}:\mathbf{A}\mathbf{x}=0\in {\mathbb{Z}}_q^{\mathrm{n}}\}\in {\mathbb{Z}}_q^{\mathrm{m}}$$

Definition 4. 

For any $\mathit{y}$ in the subgroup of ${\mathbb{Z}}_q^n$ generated by the columns of $\mathbf{A}$, we also define the coset as:

$${\mathit{\Lambda }}_{\mathbf{y}}^{\perp }\left(\mathbf{A}\right)=\left\{\mathbf{x}\in {\mathbb{Z}}_q^{\mathrm{m}}:\mathbf{A}\mathbf{x}=\mathbf{y} \mathrm{m}\mathrm{o}\mathrm{d} q\right\}={\mathit{\Lambda }}^{\perp }\left(\mathbf{A}\right)+\overline{\mathbf{x}}$$

where $\overline{\mathit{x}}\in {\mathbb{Z}}_q^m$ is an arbitrary solution to $\mathbf{A}\overline{\mathbf{x}}=\mathbf{y}$.

3.2. Randomized Encoding of Functions

The randomized encoding of functions allows us to achieve a “simpler” randomized function $\widehat{f}(x;r)$ to represent a “more complex” function $f\left(x\right)$, i.e., $f\left(x\right)$ encoded by the distribution of $\widehat{f}(x;r)$ without revealing any information about $x$:

Correctness: algorithm $D$ exists so that, for any input $x$ and any random coin $r$, we have $D\left(\widehat{f}\left(x;r\right)\right)=f\left(x\right)$.

Security$:\widehat{f}(x;r)$ reveals nothing about $x$, except $f\left(x\right)$. Formally, there is a simulator that, when only given $f\left(x\right)$, can perform sampling from a distribution indistinguishable from

$$\left\{\left(\widehat{f}\left(x;r\right)|rrandom\right)\right\}$$

For a random encoding to be useful, $\widehat{f}(x;r)$ must be simpler than directly computing $f\left(x\right)$ for a definition of “simpler” that depends on the application in mind.

3.3. Key-Dependent Message Security

In the definitions of key-dependent message security used for a chosen plaintext attack (KDM-CPA) for IBE, an adversary and challenger play an attack game where they can propose encryption queries for functions from $\mathit{F}$ of the users’ secret keys, where $\mathit{F}$ is termed the challenge function family of the users’ secret keys. The KDM security of the scheme depends on the advancement of the challenge function family; the richer the challenge function family, the higher the level of KDM security.

Our definition of KDM-CPA security for IBE follows [2]; the adversary declares $l$ target identities prior to observing the public key and remains unchanged until the end of the game. The challenger responds to the adversary’s encryption queries for functions of the secret key for identities obtained from $l$ target identities(see Figure 1).

If the advantage of the adversary is negligible for any probabilistic polynomial-time (PPT) adversary, where the games for $\beta =0/1$ are computationally indistinguishable, we can argue that the scheme is selective-identity KDM-CPA secure with respect to $\mathit{F}$.

3.4. Discrete Gaussians

For $s>0$ and dimension $m\ge 1$, the Gaussian function ${\rho }_s:{\mathbb{R}}^m\to \left(\mathrm{0,1}\right)$ is defined as: $\forall \mathbf{x}\in {\mathbb{R}}^n,{\rho }_s\left(\mathbf{x}\right)=\mathrm{e}\mathrm{x}\mathrm{p}(-\pi {‖\mathbf{x}‖}^2/s^2)$. For any $\mathbf{c}\in {\mathbb{R}}^n$, real number$s$ > 0, and $n$-dimensional lattice $\mathsf{\Lambda }$, there is a coset $\mathsf{\Lambda }+\mathbf{c}$ of lattice $\mathsf{\Lambda }$; the discrete Gaussian distribution ${\mathcal{D}}_{\mathit{\Lambda }+\mathit{c},s}$ (centered at zero) assigns a probability value proportional to ${\rho }_s\left(\mathbf{x}\right)$to each vector in the coset, and probability zero elsewhere. The following lemma states some properties of the discrete Gaussian distribution, we just need some relevant facts but not the precise definition, so for details see [17].

Lemma 1 ([2], Lemma 2.1).

Let $m\ge Cn\mathrm{l}\mathrm{g}q$ for some constant $C>1$.

1.

For any $\omega \left(\mathit{log}n\right)$ function, we have ${\eta }_{ϵ}\left({\mathbb{Z}}^n\right)\le \omega \left(\mathit{log}n\right)$ for some negligible $ϵ\left(n\right)=negl\left(n\right)$.

2.

With all but $negl\left(n\right)$ probability over the uniformly random choice of $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, the following holds: for $\mathit{e}\leftarrow {\mathcal{D}}_{{\mathbb{Z}}^m,r}$, where $r=\omega \left(\sqrt{\log n}\right)$, the distribution of $\mathbf{y}=\mathbf{A}\mathbf{e} \mathrm{m}\mathrm{o}\mathrm{d} q$ is at a $negl\left(n\right)$ statistical distance of the uniform value, and the conditional distribution of $\mathit{e}$ given yis ${\mathcal{D}}_{{\mathit{\Lambda }}_{\mathbf{y}}^{\perp }\left(\mathbf{A}\right),r}$.

3.

For any $m$-dimensional lattice $\mathit{\Lambda }$, any $\mathbf{c}\in {\mathbb{Z}}^m$, any $r\ge {\eta }_{ϵ}\left(\mathit{\Lambda }\right)$, where $\mathsf{ϵ}\left(\mathrm{n}\right)=\mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(n\right)$, we have $‖{\mathcal{D}}_{\mathsf{\Lambda }+\mathbf{c},r}‖\le r\sqrt{m}$ with all but the $negl\left(n\right)$ probability. In addition, for $\mathit{\Lambda }=\mathbb{Z}$,we have $\left|{\mathcal{D}}_{\mathbb{Z},r}\right|\le r\cdot \omega \left(\sqrt{\log n}\right)$,except for all but the $negl\left(n\right)$ probability.

4.

For any $r>0$ value, and for $\mathit{R}\leftarrow {\mathcal{D}}_{\mathbb{Z},r}^{n\times k}$, we have $s_1\left(\mathit{R}\right)\le r\cdot O\left(\sqrt{n}+\sqrt{k}\right)$, except for all but the $negl\left(n\right)$ probability.

3.5. Learning with Errors

The learning with errors (LWE) problem involves finding a secret key, given a set of public keys that are generated by adding small random noises to the secret key. The noise is selected from a certain probability distribution, which is assumed to be difficult to distinguish from random noise. LWE has been extensively studied in the literature due to its potential use in constructing post-quantum cryptographic schemes, which are resistant to attacks performed by quantum computers.

The parameters of the LWE problem are defined as follows [18]: let $m=m\left(n\right),q=q\left(n\right)$ be integers, and $\chi$ be an error distribution on ${\mathbb{Z}}_q$. Choose $\mathrm{A}\leftarrow {\mathbb{Z}}_q^{m\times n}$, $\mathrm{s}\leftarrow {\mathbb{Z}}_q^n$uniformly at random, and let $\mathit{e}\leftarrow {\chi }^m$. Additionally, two versions of the LWE problem exist: the decisional and search versions.

Decisional version: given $(\mathbf{A},\mathbf{b})$, decide whether $\mathbf{b}$ is distributed by $\mathbf{A}\mathbf{s}+\mathbf{e}$ or chosen uniformly at random over ${\mathbb{Z}}_q^m$.

Search version: given $(\mathbf{A},\mathbf{A}\mathbf{s}+\mathbf{e})$, recover $\mathbf{s}$.

Lemma 2 ([19],  Lemma 4.8).

For any $n,m\ge n+\omega \left(\log n\right),qand{\mathcal{D}}_{\mathbb{z},\alpha q}$, a polynomial time reduction exists from the problem inverting $\mathbf{L}\mathbf{W}\mathbf{E}(m,n,q,{\mathcal{D}}_{\mathbb{z},\alpha q})$ with probability $ϵ$ to the problem knapsack $\mathbf{L}\mathbf{W}\mathbf{E}(m,m-n,q,{\mathcal{D}}_{\mathbb{z},\alpha q})$ with probability ${ϵ}^{\prime }=ϵ+negl\left(\lambda \right)$.

3.6. All-but-d Trapdoor Construction

Similar to [20], we obtained a universal public “gadget” matrix $\mathbf{G}\in {\mathbb{Z}}_q^{n\times \omega }$, and we determined integer matrix $\mathbf{R}$ to be a “strong” trapdoor with tag $H$ for $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \mathrm{m}}$ if $\mathbf{A}\left[\begin{array}{c}\mathbf{R}\\ \mathbf{I}\end{array}\right]=H\left(\mathbf{G}\right)$ for some efficiently computable and invertible linear transformation $H$ over ${\mathbb{Z}}_q^n$, which was applied column-wise to $\mathbf{G}$.

Lemma 3 ([20], Theorem 5.1).

Let $\mathbf{R}$ be a strong trapdoor for $\mathbf{A}\in {\mathbb{Z}}_q^{n\times \mathrm{m}}$. There is an efficient randomized algorithm that, given $\mathbf{R}$, any $\mathbf{u}\in {\mathbb{Z}}_q^n$, and any $r\ge s_1\left(\mathit{R}\right)\cdot \omega \left(\sqrt{\log n}\right)\ge {\eta }_{ϵ}\left({\mathit{\Lambda }}^{\perp }\left(\mathbf{A}\right)\right)$ (for some $\mathsf{ϵ}\left(\mathrm{n}\right)=\mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(n\right)$), samples from a distribution with $\mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(n\right)$ distance of ${\mathcal{D}}_{{\mathit{\Lambda }}_{\mathrm{u}}^{\perp }\left(\mathbf{A}\right),r}$.

Lemma 4 ([2]). 

Given $P=\{u_1,\cdots ,u_d\}$, $I=\{u_1^{\ast },\cdots ,u_l^{\ast }\}$, where $l\le d$, a monic degree-$d$ polynomial $f\left(x\right)=x^{d-l}·\prod _{u_i^{\ast }\in I}\left(x-u_i^{\ast }\right)=c_0+c_{1}x+\cdots +c_{d-1}{x}^{d-1}+x^d,$ a matrix ${\mathbf{A}}^{\mathit{*}}\in {\mathbb{Z}}_q^{nd\times \overline{\mathrm{m}}}$ consists of d uniform random ${\mathbf{A}}_i^{\mathit{*}}\in {\mathbb{Z}}_q^{n\times \overline{\mathrm{m}}}$, and a short secret matrix $\mathbf{R}\in {\mathbb{Z}}_q^{\overline{m}\times \omega }$, there is a polynomial–time algorithm that outputs a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{nd\times (\overline{\mathrm{m}}+\omega )}$, which is statistically close to uniform, where ${\mathbf{A}}_i^{\ast }={\overrightarrow{u}}_i^t·\mathbf{A}$, ${\overrightarrow{u}}_i^t=\left(u_i^0,u_i^1,\cdots ,u_i^{d-1}\right)$.

4. Our Basic KDM-IBE Scheme

Based on the extended LWE assumption, we proposed a basic KDM-IBE scheme in which the challenge function ensemble included the affine functions of the user’s secret key and presented the parameter range, correctness analysis, and security proof values. Then, in the subsequent section, we used the challenge function ensemble amplification technique to amplify the relevant challenge function ensemble to the polynomial function of the user’s secret key.

The following presents our construction scheme:

$\mathit{S}\mathit{e}\mathit{t}\mathit{u}\mathit{p}(1^{\lambda },d)$

Choose $\mathbf{R}\leftarrow {\mathcal{D}}_{\mathbb{Z},\omega \left(\sqrt{\log n}\right)}^{md\times \omega }$, for $i=0,\cdots ,d-1$, choose ${\mathsf{A}}_i\leftarrow {\mathbb{Z}}_q^{n\times md}$, ${\mathbf{y}}_i\leftarrow {\mathbb{Z}}_q^n$ uniformly and at random; let ${\tilde{\mathsf{A}}}_i=-{\mathsf{A}}_i\mathbf{R}\in {\mathbb{Z}}_q^{n\times \omega }$: $\mathsf{A}≔\left[\begin{array}{c}{\mathsf{A}}_0\\ ⋮\\ {\mathsf{A}}_{d-1}\end{array}\right]$, $\tilde{\mathsf{A}}≔\left[\begin{array}{c}{\tilde{\mathsf{A}}}_0\\ ⋮\\ {\tilde{\mathsf{A}}}_{d-1}\end{array}\right]=-\mathsf{A}\mathbf{R}$, $\mathbf{y}=\left[\begin{array}{c}{\mathbf{y}}_0\\ ⋮\\ {\mathbf{y}}_{d-1}\end{array}\right]$ Return master public key $\mathrm{M}\mathrm{P}\mathrm{K}=(\mathsf{A},\tilde{\mathsf{A}},\mathbf{y})$; master secret key $\mathrm{M}\mathrm{S}\mathrm{K}=\mathbf{R}$.

$\mathit{E}\mathit{x}\mathit{t}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),\mathrm{M}\mathrm{S}\mathrm{K}=\mathbf{R},u)$

Let ${\overrightarrow{\mathrm{u}}}^{\mathrm{t}}≔({\mathrm{u}}^0,{\mathrm{u}}^1,\cdots ,{\mathrm{u}}^{d-1})ϵ{\mathbf{R}}^d$, ${\overline{\mathbf{A}}}_u={\overrightarrow{\mathrm{u}}}^{\mathrm{t}}$A, ${\mathbf{y}}_u={\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\mathbf{y}$, and        ${\mathbf{A}}_u=[{\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\mathbf{A}\left|{\mathrm{u}}^d·\mathbf{G}+{\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\tilde{\mathbf{A}}\right.]=\left[{\overline{\mathbf{A}}}_u\left|{\mathrm{u}}^d·\mathbf{G}-{\overline{\mathbf{A}}}_u\mathbf{R}\right.\right]$ By pre-image sample algorithm (Lemma 3), sample ${\mathbf{t}}_u\leftarrow {\mathcal{D}}_{{\mathit{\Lambda }}_{{\mathbf{y}}_u}^{\perp }\left({\mathbf{A}}_u\right),r}$ Let $\mathit{s}{\mathit{k}}_u={\mathit{t}}_u$; return secret key $\mathit{s}{\mathit{k}}_u$ for identity $u$.

$\mathit{E}\mathit{n}\mathit{c}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),u,\mu )$

Let ${\overrightarrow{\mathrm{u}}}^{\mathrm{t}}≔({\mathrm{u}}^0,{\mathrm{u}}^1,\cdots ,{\mathrm{u}}^{d-1})\in R^d$,${\mathbf{A}}_{\mathrm{u}}=[{\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\mathbf{A}\left|u^d·\mathbf{G}+{\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\tilde{\mathbf{A}}\right.]\in {\mathbb{Z}}_q^{n\times (md+\omega )}$,${\mathbf{y}}_{\mathrm{u}}={\overrightarrow{\mathrm{u}}}^{\mathrm{t}}\cdot \mathbf{y}$ Choose $\mathit{s}\leftarrow {\mathbb{Z}}_q^n$, ${\mathit{e}}^{\left(1\right)}\leftarrow {\mathcal{D}}_{\mathbb{Z},r}^{md},$ ${\mathit{e}}^{\left(2\right)}\leftarrow {\mathcal{D}}_{\mathbb{Z},r}^{\omega }$, $e^{\prime }\leftarrow {\mathcal{D}}_{\mathbb{Z},r}$. Let ${\mathit{c}}_1^t={\mathbf{s}}^t{\mathbf{A}}_u+\left[{\left({\mathbf{e}}^{\left(1\right)}\right)}^t\left|{\left({\mathbf{e}}^{\left(2\right)}\right)}^t\right.\right]$, $c_2={\mathbf{s}}^t{\mathbf{y}}_u+e^{\prime }+p·\mu$. Return ciphertext $\mathbf{C}=({\mathit{c}}_1,c_2)$.

$\mathit{D}\mathit{e}\mathit{c}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),s{k}_u,\mathbf{C}=({\mathit{c}}_1,c_2\left)\right)$

Let ${\mu }^{\prime }=c_2-{\mathit{c}}_1^t\mathit{s}{\mathit{k}}_u$. Let $\mu$ be the number in ${\mathbb{Z}}_p$, which is closer to $\left({\mu }^{\prime }\pm p/2\right)modq$. Return $\mu$.

Parameters. Let $n=poly\left(\lambda \right)$, $m\ge n\log q+2\lambda -2$, $q=p^2$, $p=\gamma$.$poly\left(n\right)$ as a sufficiently large $poly\left(n\right)$ item to ensure correctness,$\gamma =r^{\omega \left(1\right)}$, and $r\ge O\left(\sqrt{md}\right)·{\omega \left(\sqrt{\log n}\right)}^2$.

Correctness. Let ${\mathit{e}}^t=\left[{\left({\mathit{e}}^{\left(1\right)}\right)}^t\left|{\left({\mathit{e}}^{\left(2\right)}\right)}^t\right.\right]$. For identity $u$,message $\mu$,ciphertext $\mathbf{C}=({\mathit{c}}_1,c_2)$, and secret key $\mathit{s}{\mathit{k}}_u$, we obtain:

$c_2-{\mathit{c}}_1^t\mathit{s}{\mathit{k}}_u={\mathit{s}}^t{\mathbf{y}}_u+e^{\prime }+p·\mu -{\mathit{s}}^t{\mathit{A}}_u\mathit{s}{\mathit{k}}_u-{\mathit{e}}^t\mathit{s}{\mathit{k}}_u=p·\mu +e^{\prime }-{\mathit{e}}^t\mathit{s}{\mathit{k}}_u$. By Lemma 1, $\left|e^{\prime }+{\mathit{e}}^t\mathit{s}{\mathit{k}}_u\right|\le \left|e^{\prime }\right|+\left|{\mathit{e}}^t\mathit{s}{\mathit{k}}_u\right|\le \gamma ·\left(\omega \left(\sqrt{\log n}\right)+\omega \right)+r^{2}md<\frac{p}{2}$. Therefore, we obtain the correct message with overwhelming probability.

Theorem 1. 

For the abovementioned parameters, our basic KDM-IBE scheme was selective identity KDM-CPA-secure with respect to the affine functions over ${\mathbb{Z}}_p$, under the KDM-CPA security of the scheme described in Section 3.3 and the LWE assumption.

Proof of Theorem 1. 

Our proof started with game ${\mathbf{G}}_0$, it was the actual attack game we described in Section 3.3. In game ${\mathbf{G}}_1$, unlike ${\mathbf{G}}_0$, the master public key in ${\mathbf{G}}_1$ was not uniformly selected at random, but was generated using the all-but-trapdoor construction and was statistically indistinguishable from ${\mathbf{G}}_0$. In game ${\mathbf{G}}_2$, we played an actual KDM-CPA-secure PKE attack game obtained from [10], and used its outputs to simulate ${\mathbf{G}}_1$.

${\mathbf{G}}_0$: This was the actual attack game we described in Section 3.3. Similar to the abovementioned scheme, we selected the master public key uniformly at random. For KDM queriers $(f_0,f_1,i)$, $\beta \in \left\{\mathrm{0,1}\right\}$, where $i\in \left[l\right]$ and $f_0$, $f_1$ are affine functions, we let message $m=f_{\beta }(\mathit{s}{\mathit{k}}_1,\cdots ,\mathit{s}{\mathit{k}}_l)$, and encrypted $m$ under identity $u_i$. Then, we responded to the adversary with ciphertext $\mathbf{C}=({\mathit{c}}_1,c_2)$, where

$${\mathit{c}}_1^t={\mathbf{s}}^t[{\overrightarrow{u}}_i^t\cdot \mathbf{A}|{\overrightarrow{u}}_i^t\cdot \tilde{\mathbf{A}}]+[{\left({\mathit{e}}^{\left(1\right)}\right)}^t\left|{\left({\mathit{e}}^{\left(2\right)}\right)}^t\right.],c_2={\mathbf{s}}^t[{\overrightarrow{u}}_i^t\cdot \mathbf{y}]+e^{\prime }+p·m$$

${\mathbf{G}}_1$: In this game, we generated a master public key and punctured it at each of the challenge identities by using the all-but-d trapdoor construction we describe in Section 3.6. □

First, we chose $\mathit{R}\leftarrow {\mathcal{D}}_{\mathbb{Z},\omega \left(\sqrt{\log n}\right)}^{md\times \omega }$ as the master secret key and for $i=0tod-1$; we chose uniform random matrices ${\mathbf{A}}_i^{\ast }\leftarrow {\mathbb{Z}}_q^{n\times md}$, let the secret key of identity $u_i$ be ${\mathit{z}}_i\leftarrow {\mathcal{D}}_{\mathbb{Z},r}^{md+\omega }$, and sets ${\mathbf{y}}_i^{\ast }=\left[{\mathbf{A}}_i^{\ast }\left|-{\mathbf{A}}_i^{\ast }\mathbf{R}\right.\right]{\mathit{z}}_i$. By Lemma 1, ${\mathbf{y}}_i^{\ast }$ generated using this method was statistically indistinguishable from ${\mathbf{y}}_i^{\ast }$ generated by selections performed uniformly and at random; then, we sampled ${\mathit{z}}_i$ from ${\mathcal{D}}_{{\Lambda }_{{\mathbf{y}}_i^{\ast }}^{\perp }\left({[\mathbf{A}}_i^{\ast }\left|-{\mathbf{A}}_i^{\ast }\mathbf{R}\right.\right],r)}$.

Let $I=\{u_1^{\ast },\cdots ,u_l^{\ast }\}$ denote the list of target identities, where $l\le d$, and, as in [2], we defined the monic degree-d polynomial $f\left(x\right)=x^{d-l}·\prod _{u_i^{\ast }\in I}\left(x-u_i^{\ast }\right)=c_0+c_{1}x+\cdots +c_{d-1}{x}^{d-1}+x^d$. Then, we invoked the all-but-d trapdoor construction on ${\mathbf{A}}_i^{\ast }$, ${\mathbf{y}}_i^{\ast }$, $\mathbf{R}$, $f\left(x\right)$and identities $u_i$ for $i=0tod-1$, and received ${\mathbf{A}}_i$, ${\mathbf{y}}_i$. Let ${\tilde{\mathbf{A}}}_i=-{\mathbf{A}}_i\mathbf{R}+c_i\mathbf{G}$. Let $\mathbf{A}$ denote the stack of matrices ${\mathbf{A}}_i$, $\mathbf{y}$ denote the stack of matrices ${\mathbf{y}}_i$, and $\tilde{\mathbf{A}}$ denote the stack of matrices ${\tilde{\mathbf{A}}}_i$; then, $(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y})$ as the master public key was sent to the adversary, where ${\overrightarrow{u}}_i^t=\left(u_i^0,u_i^1,\cdots ,u_i^{d-1}\right)$, ${\mathbf{A}}_i^{\ast }={\overrightarrow{u}}_i^t·\mathbf{A}$, ${\mathbf{y}}_i^{\ast }={\overrightarrow{u}}_i^t·\mathbf{y}$. Therefore, $\mathbf{A}$, $\mathbf{y}$ were statistically uniformly random because ${\mathbf{A}}_i^{\ast }$, ${\mathbf{y}}_i^{\ast }$ were uniformly random (by Lemma 4).

Then, the user public key for identity u was ${\mathbf{A}}_{u_i}=\left[{\overrightarrow{u}}_i^t·\mathbf{A}\left|u_i^d\mathbf{G}+{\overrightarrow{u}}_i^t·\tilde{\mathbf{A}}\right.\right]=\left[{\mathbf{A}}_i^{\ast }\left|u_i^d\mathbf{G}+{\overrightarrow{u}}_i^t·\left(-\mathbf{A}\mathbf{R}+{\left[c_0,\cdots ,c_{d-1}\right]}^t\mathbf{G}\right)\right.\right]=\left[{\mathbf{A}}_i^{\ast }\left|-{\mathbf{A}}_i^{\ast }\mathbf{R}+f\left(u_i\right)\mathbf{G}\right.\right]$, if $u_i\in I$, $f\left(u_i\right)=0$, ${\mathbf{A}}_{u_i}=\left[{\mathbf{A}}_i^{\ast }\left|-{\mathbf{A}}_i^{\ast }\mathbf{R}\right.\right]$.

In this game, for the KDM query $(f_0,f_1,i)$, $\beta \in \left\{\mathrm{0,1}\right\}$, where $i\in \left[i\right]$ and $f_0$, $f_1$ are affine functions, we let message $m=f_{\beta }(\mathit{s}{\mathit{k}}_1,\cdots ,\mathit{s}{\mathit{k}}_l)$ and encrypted $m$ under identity $u_i$. We responded to the adversary with ciphertext $\mathbf{C}=({\mathit{c}}_1,c_2)$, where

$${\mathit{c}}_1^t={\mathit{s}}^t\left[{\mathbf{A}}_i^{\ast }\left|-{\mathbf{A}}_i^{\ast }\mathbf{R}\right.\right]+\left[{\left({\mathit{e}}^{\left(1\right)}\right)}^t\left|{\left({\mathit{e}}^{\left(2\right)}\right)}^t\right.\right],c_2={\mathit{s}}^t\left[{\mathbf{y}}_i^{\ast }\right]+e^{\prime }+p·m$$

Ciphertext $\mathit{c}$ in ${\mathbf{G}}_1$ was statistically indistinguishable from ${\mathbf{G}}_0$. Note that when $u_i\in I$, $f\left(u_i\right)=0$, ${\mathbf{A}}_{u_i}=\left[{\mathbf{A}}_i^{\ast }\left|-{\mathbf{A}}_i^{\ast }\mathbf{R}\right.\right]$, such that ${\mathbf{A}}_{u_i}·\left[\begin{array}{c}\mathbf{R}\\ \mathbf{I}\end{array}\right]=0$, then $\mathbf{R}$ is not the trapdoor for ${\mathbf{A}}_{u_i}$; we “puncture” the public key at target identities.

${\mathbf{G}}_2$: in game ${\mathbf{G}}_2$, we used the output values of the challenger in an actual KDM-CPA-secure PKE attack game from [10] to simulate game ${\mathbf{G}}_1$. Our IBE secret keys and ciphertexts had lager dimensions than the PKE scheme presented in [10] because of an additive term of $\omega$ (the width of “gadget” matrix $\mathbf{G}$). Therefore, when we constructed the IBE ciphertexts and secret keys from the PKE scheme, we needed to add the missing dimensions so that the ciphertexts and secret keys we constructed were statistically indistinguishable from those presented in ${\mathbf{G}}_1$. This created a super-polynomial modulus $q$. The filling technology we used in the study was similar to [2]; we omitted the details from this study. Therefore, ${\mathbf{G}}_1$ was statistically indistinguishable from ${\mathbf{G}}_2$; the KDM security of our basic IBE scheme was reduced to the KDM security of the PKE scheme obtained from [2].

Limited by the challenge function ensemble of the PKE scheme presented in [2], which only consisted of affine functions, and the filling technique we used, the challenge function ensemble of our basic IBE scheme only consisted of affine functions.

5. Our Full KDM-IBE Scheme

In the previous section, we obtained a basic KDM-IBE scheme with respect to affine functions. Then, we presented how we obtained the KDM-IBE scheme with respect to polynomial functions through this basic scheme.

We denoted the challenge function ensemble of the basic scheme as $F_{aff}$; then, we used randomized encoding of functions technology to add a random coin $r$ for $f\in F_{aff}$, denoting it as $\widehat{f}(x;r)$. Each $\widehat{f}(x;r)$ encoded a polynomial function $g\left(x\right)$; then, according to the randomized encoding of functions, as described in Section 3.2, for each pair: $\widehat{f}(x;r)$ and $g\left(x\right)$:

Algorithm $D$ exists so that, for any input $x$ and any random coin $r$, we have $D\left(\widehat{f}\left(x;r\right)\right)=g\left(x\right)$.

A simulator that presents only $g\left(x\right)$ can perform samplings from a selected distribution indistinguishable from $\left\{\widehat{f}\left(x;r\right)\right|r random\}$, i.e., $Sim\left(g\left(x\right)\right)=\widehat{f}\left(x;r\right)$.

We denoted the function ensemble composed of $g\left(x\right)$ encoded by each distinct $\widehat{f}\left(x;r\right)$ as $G_{poly}$.

We then used the base scheme to construct our full KDM-IBE scheme, as follows:

${\mathit{S}\mathit{e}\mathit{t}\mathit{u}\mathit{p}}_{full}(1^{\lambda },d)$

Choose $\mathbf{R}\leftarrow {\mathcal{D}}_{\mathbb{Z},\omega \left(\sqrt{\log n}\right)}^{md\times \omega }$, for $i=0,\cdots ,d-1$, choose${\mathsf{A}}_i\leftarrow {\mathbb{Z}}_q^{n\times md}$, ${\mathbf{y}}_i\leftarrow {\mathbb{Z}}_q^n$ uniformly and at random; let ${\tilde{\mathsf{A}}}_i=-{\mathsf{A}}_i\mathbf{R}\in {\mathbb{Z}}_q^{n\times \omega }$: $\mathsf{A}≔\left[\begin{array}{c}{\mathsf{A}}_0\\ ⋮\\ {\mathsf{A}}_{d-1}\end{array}\right]$, $\tilde{\mathsf{A}}≔\left[\begin{array}{c}{\tilde{\mathsf{A}}}_0\\ ⋮\\ {\tilde{\mathsf{A}}}_{d-1}\end{array}\right]=-\mathsf{A}\mathbf{R}$, $\mathbf{y}=\left[\begin{array}{c}{\mathbf{y}}_0\\ ⋮\\ {\mathbf{y}}_{d-1}\end{array}\right]$ Return master public key $\mathrm{M}\mathrm{P}\mathrm{K}=(\mathsf{A},\tilde{\mathsf{A}},\mathbf{y})$; master secret key $\mathrm{M}\mathrm{S}\mathrm{K}=\mathbf{R}$.

${\mathit{E}\mathit{x}\mathit{t}}_{full}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),\mathrm{M}\mathrm{S}\mathrm{K}=\mathbf{R},u)$

Let ${\overrightarrow{\mathrm{u}}}^{\mathrm{t}}≔({\mathrm{u}}^0,{\mathrm{u}}^1,\cdots ,{\mathrm{u}}^{d-1})ϵ{\mathbf{R}}^d$, ${\overline{\mathbf{A}}}_u={\overrightarrow{\mathrm{u}}}^{\mathrm{t}}$A, ${\mathbf{y}}_u={\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\mathbf{y}$, and        ${\mathbf{A}}_u=[{\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\mathbf{A}\left|{\mathrm{u}}^d·\mathbf{G}+{\overrightarrow{\mathrm{u}}}^{\mathrm{t}}·\tilde{\mathbf{A}}\right.]=\left[{\overline{\mathbf{A}}}_u\left|{\mathrm{u}}^d·\mathbf{G}-{\overline{\mathbf{A}}}_u\mathbf{R}\right.\right]$ By pre-image sample algorithm (Lemma 3), sample ${\mathbf{t}}_u\leftarrow {\mathcal{D}}_{{\mathit{\Lambda }}_{{\mathbf{y}}_u}^{\perp }\left({\mathbf{A}}_u\right),r}$ Let $\mathit{s}{\mathit{k}}_u={\mathit{t}}_u$; return secret key $\mathit{s}{\mathit{k}}_u$ for identity $u$.

${\mathit{E}\mathit{n}\mathit{c}}_{full}\left(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),u,\mu =g\left(\mathit{s}\mathit{k}\right)\right),g\left(x\right)\in G_{poly}$

Let ${\mu }^{\prime }=Sim\left(g\left(\mathit{s}\mathit{k}\right)\right)=\widehat{f}\left(\mathit{s}\mathit{k};r\right)$, invoke $\mathit{E}\mathit{n}\mathit{c}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),u,{\mu }^{\prime })$ (encryption algorithm in basic scheme) Let $\mathbf{C}=\mathit{E}\mathit{n}\mathit{c}\left(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),u,{\mu }^{\prime }\right)$ Return ciphertext $\mathbf{C}$.

${\mathit{D}\mathit{e}\mathit{c}}_{full}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),\mathit{s}{\mathit{k}}_{\mathit{u}},\mathbf{C})$

Invoke $\mathbf{D}\mathbf{e}\mathbf{c}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),\mathit{s}{\mathit{k}}_u,\mathbf{C})$ (decryption algorithm in basic scheme), so that ${\mu }^{\prime }=\mathbf{D}\mathbf{e}\mathbf{c}(\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right),\mathit{s}{\mathit{k}}_u,\mathbf{C})=\widehat{f}\left(\mathit{s}\mathit{k};r\right)$ Invoke algorithm ${D(\mu }^{\prime })=\mu =g(\mathit{s}\mathit{k})$ Return $\mu$.

In the full KDM-IBE scheme, only the encryption and decryption algorithms differ from the basic scheme.

In the basic scheme, we can preserve secrecy when the message $\mu =f\left(\mathit{s}\mathit{k}\right)$, where $f\in F_{aff}$. When the message $\mu =g\left(\mathit{s}\mathit{k}\right),functiong\in G_{poly}$, the basic scheme will fail to work. Therefore, we use a randomized encoding simulator to convert $g\left(\mathit{s}\mathit{k}\right)$ to $\widehat{f}\left(\mathit{s}\mathit{k};r\right)$, i.e., ${\mu }^{\prime }=Sim\left(g\left(\mathit{s}\mathit{k}\right)\right)=\widehat{f}\left(\mathit{s}\mathit{k};r\right)$, when $r$ is determined, function$\widehat{f}\in F_{aff}$. The basic scheme will work on ${\mu }^{\prime }$.

In encryption algorithm, we encrypt ${\mu }^{\prime }$. Upon decryption and obtaining ${\mu }^{\prime }$, we invoke algorithm ${D(\mu }^{\prime })=\mu =g(\mathit{s}\mathit{k})$.

Theorem 2. 

Our full KDM-IBE scheme is selective identity KDM-CPA-secure with respect to $G_{poly}$ over ${\mathbb{Z}}_p$, under the KDM-CPA security of our basic IBE scheme and the security of randomized encoding of functions; the parameters in the full KDM-IBE scheme are the same as those of the basic IBE scheme.

Proof of Theorem 2. 

Our formal proof starts with the game ${\mathbf{G}}_0$, which we prove in Section 4 to be KDM-CPA-secure. The game ${\mathbf{G}}_1$ is the actual attack game from our full KDM-IBE scheme; we use its outputs to simulate ${\mathbf{G}}_0$, and prove ${\mathbf{G}}_1$was statistically indistinguishable from ${\mathbf{G}}_0$.

${\mathbf{G}}_0$: This is the actual attack game we described in Section 4. We generated a master public key and punctured it at each of the challenge identities by using the all-but-d trapdoor construction we describe in Section 3.5.

For master public key $\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right)$, KDM queriers $(f_0,f_1,i)$, $\beta \in \left\{\mathrm{0,1}\right\}$, where $i\in \left[l\right]$ and $f_0$, $f_1\in F_{aff}$, we let message $\mu =f_{\beta }(\mathit{s}{\mathit{k}}_1,\cdots ,\mathit{s}{\mathit{k}}_l)$, and encrypted $\mu$ under identity $u_i$. Then, we responded to the adversary with ciphertext $\mathbf{C}=({\mathit{c}}_1,c_2)$, where

$${\mathit{c}}_1^t={\mathbf{s}}^t[{\overrightarrow{u}}_i^t\cdot \mathbf{A}|{\overrightarrow{u}}_i^t\cdot \tilde{\mathbf{A}}]+[{\left({\mathit{e}}^{\left(1\right)}\right)}^t\left|{\left({\mathit{e}}^{\left(2\right)}\right)}^t\right.],c_2={\mathbf{s}}^t[{\overrightarrow{u}}_i^t\cdot \mathbf{y}]+e^{\prime }+\mu ·m$$

${\mathbf{G}}_1$: In ${\mathbf{G}}_1$, the parameters are the same as ${\mathbf{G}}_0$. □

For master public key $\mathrm{M}\mathrm{P}\mathrm{K}=\left(\mathbf{A},\tilde{\mathbf{A}},\mathbf{y}\right)$, KDM queriers $(g_0,g_1,i)$, $\beta \in \left\{\mathrm{0,1}\right\}$, where $i\in \left[l\right]$ and $g_0$, $g_1\in G_{poly}$, we let message $\mu =g_{\beta }(\mathit{s}{\mathit{k}}_1,\cdots ,\mathit{s}{\mathit{k}}_l)$, and encrypted $\mu$ under identity $u_i$.

Frist, we invoke $Sim\left(\mu =g_{\beta }(\mathit{s}{\mathit{k}}_1,\cdots ,\mathit{s}{\mathit{k}}_l)\right)={\mu }^{\prime }={\widehat{f}}_{\beta }(\mathit{s}{\mathit{k}}_1,\cdots ,\mathit{s}{\mathit{k}}_l;r)$. When $r$ is determined, ${\widehat{f}}_{\beta }\in F_{aff}$.

Then, we responded to the adversary with ciphertext $\mathbf{C}=({\mathit{c}}_1,c_2)$, where

$${\mathit{c}}_1^t={\mathbf{s}}^t[{\overrightarrow{u}}_i^t\cdot \mathbf{A}|{\overrightarrow{u}}_i^t\cdot \tilde{\mathbf{A}}]+[{\left({\mathit{e}}^{\left(1\right)}\right)}^t\left|{\left({\mathit{e}}^{\left(2\right)}\right)}^t\right.]$$

Despite the differing encrypted messages in ${\mathbf{G}}_0$ and ${\mathbf{G}}_1$, the ciphertext remains statistically indistinguishable. This is because both games employ the cryptographic scheme derived from ${\mathbf{G}}_0$, and ${\mathbf{G}}_0$ is proven to be KDM-CPA security; therefore, it guarantees the indistinguishability of the ciphertext.

Finally, our focus shifts to ensuring the security of the message transformation process between $\mu$ and ${\mu }^{\prime }$ in ${\mathbf{G}}_1$. The security of the transformation process depends on the security of the randomized encoding of functions technology. This technology is used in many cryptographic fields, and its security has also been proven in many papers. The detailed proof process can be found in [21,22,23].

The challenge function ensemble has successfully expanded from the affine function ensemble of the basic scheme to the polynomial function ensemble.

Theoretically, randomized encoding of functions technology can be used to encode arbitrary functions in terms of affine functions. This means that our full KDM-IBE scheme can be used to encrypt and decrypt messages that are arbitrary functions. However, the efficiency of this approach may depend on the complexity of the original function and the accuracy of the encoding process. In practice, there may be limits to the complexity of the functions that can be encoded and efficiently encrypted using this scheme.

The Efficiency Analysis

Our proposed KDM-IBE scheme, based on the LWE assumption, is comparable to other existing KDM-IBE [2,10] schemes in terms of the public key size, ciphertext size, secret key size, and encryption and decryption times. Due to the different underlying hard assumptions, we could not compare the abovementioned parameters to [18]. Here, we present

Table 2. Table comparing our scheme to other schemes in terms of parameters.

Scheme	AP12 [2]	He17 [10]	Ours
Public key size	$n\times (md+\omega )$	$n\times (md+\omega )$	$n\times (md+\omega )$
Secret key size	$md+\omega$	$md+\omega$	$md+\omega$
Ciphertext size	$md+\omega$	$md+\omega$	$md+\omega$
Encryption time	$O\left(n^2\right)$	$O\left(n^2\right)$	$O\left(n^2\right)$
Decryption time	$O\left(nlogq\right)$	$O\left(nlogq\right)$	$O\left(n^2\right)$

comparing our scheme to other schemes in terms of the relevant parameters.

The distinguishing feature of our full scheme is an additional step that converts affine functions to polynomial functions during the encryption and decryption processes. We utilized the randomized encoding of functions technology to perform the conversion (as described above).

The complexity of randomized encoding is typically considered to be polynomial, denoted as $O\left(poly\left(n\right)\right)$, with the degree of the polynomial generally restricted to a constant or quadratic level [21]. This implies that the complexity of randomized encoding is typically $O\left(n\right)$, or $O\left(n^2\right)$. Therefore, the actual running time of our encryption and decryption algorithm is $O\left(n^2\right)+O\left(poly\left(n\right)\right)=O\left(n^2\right)$ and $O\left(nlogq\right)+O\left(poly\left(n\right)\right)=O\left(n^2\right)$.

It is worth noting that as the degree of polynomial functions increases, such as for degrees higher than 6, the complexity of randomized encoding exceeds $O\left(n^2\right)$. This significantly affects the efficiency of our scheme. Therefore, as we aim to achieve arbitrary functions to be the challenge function ensemble, the efficiency of the scheme will be reduced.

6. Conclusions

In this study, we applied randomized encoding of functions technology to construct a KDM-IBE scheme with respect to polynomial functions; it is a novel approach in the field that circumvents the need for intricate security proofs and the development of new trapdoor functions. Compared to other schemes that only support affine functions or a limited set of polynomial functions, our scheme shows a significant improvement in the KDM security of IBE. Additionally, our challenge function ensemble can be arbitrary functions.