Efficient Multi-Identity Full Homomorphic Encryption Scheme on Lattice

Abstract

Aiming at the problem that the fully homomorphic encryption scheme based on single identity cannot satisfy the homomorphic operation of ciphertext under different identities, as well as the inefficiency of trapdoor function and the complexity of sampling algorithm, an improved lattice MIBFHE scheme was proposed. Firstly, we combined MP12 trapdoor function with dual LWE algorithm to construct a new IBE scheme under the standard model, and prove that the scheme is IND-sID-CPA security under the selective identity. Secondly, we used the eigenvector method to eliminate the evaluation key, and transform the above efficient IBE scheme into a single identity IBFHE scheme to satisfy the homomorphic operation. Finally, we improved the ciphertext extension method of CM15 and constructed a new Link-mask system that supports the transformation of IBFHE scheme under the standard model, and then, converted the above IBFHE scheme into MIBFHE scheme based on this system. The comparative analysis results showed that the efficiency of this scheme is improved compared with similar schemes in the trapdoor generation and preimage sampling, and the dimension of lattice and ciphertext size are significantly shortened.

1. Introduction

With the continuous development of cloud computing, cloud computing faces the security problem of how to ensure data privacy in the process of implementing applications. In 1978, Rivest et al. [1] proposed the idea of homomorphic encryption to protect data security. Homomorphic encryption has special properties that it can perform effective operations on ciphertext without decryption in the phase of processing data ciphertext, which is equivalent to encrypting the plaintext after corresponding operations. Therefore, how to construct a scheme with homomorphic properties became a difficult problem for cryptographers. Until 2009, Gentry [2] proposed the first FHE (full homomorphic encryption) scheme based on ideal lattice. Since then, FHE became a research hotspot in the field of cryptography. Cryptographers proposed a series of FHE schemes based on different theoretical foundations, including integer-based FHE schemes (such as [DGHV10] scheme [3]), RLWE-based (Ring Learning with Errors, RLWE) FHE schemes (such as [BV11a] scheme [4]), LWE-based FHE schemes (such as [BV11b, BGV12] scheme [5,6]) and FHE scheme with eigenvector (such as [GSW13] scheme [7]).

As an important extension of the public key encryption systems, FHE needs to consider the problem of identity authentication in the cloud computing environment. The general method is to introduce public key certificates for authentication. However, the existence of public key certificates brought additional costs to the entire cryptosystem in all aspects such as computing, storage, communication and management. Additionally, the existing FHE systems generally have the problem of large public key size.

In 1984, Shamir [8] first proposed the IBE (identity-based encryption) scheme. Its central idea is to generate a public key from the user’s unique identity (such as e-mail address, mobile phone number, etc.) and public parameters, so that there is no need to issue an additional public key for each user. The user’s secret key can be generated by the trusted third party center (Key Generate Center, KGC) using the identity and the system’s master secret key. It eliminates the additional overhead associated with public key certificates and can manage keys more efficiently. Therefore, scholars began to study how to combine homomorphic encryption and identity-based encryption to construct the scheme of IBFHE (identity-based full homomorphic encryption), which has the advantages of FHE and IBE at the same time. It can not only perform access control and homomorphic operation on identity ciphertext, but also effectively manage the key. In 2010, Naccache [9] first proposed the open issue of how to construct identity-based full homomorphic encryption scheme at the CRYPTO’2010 conference. In 2013, Gentry et al. [7] constructed the first IBFHE scheme based on the LWE problem with the method of eigenvectors, and also proposed a transformation mechanism that can transform the IBE scheme satisfying the corresponding conditions into the related IBFHE scheme, which solved the above open problem to some extent. However, it is only applicable to single-identity encryption scenarios. It can only perform homomorphic operations on ciphertext encrypted under the same identity, and cannot perform homomorphic operations on ciphertext encrypted based on different identities. However, in many real-world scenarios, homomorphic-encrypted ciphertexts are usually encrypted under different identities.

In 2014, Clear and McGoldrick [10] constructed a multi-identity based full homomorphic encryption (MIBFHE) scheme. However, the construction largely depended on indistinguishable obfuscation [11]. Since it is difficult to realize indistinguishable obfuscation at present, the current efficiency is very low, and the security of the scheme cannot be based on a recognized computational problem. In 2015, Clear and McGoldrick [12] extended the FHE scheme constructed by Gentry et al. [7] to the first MIBFHE scheme based on the standard LWE problem (this scheme is called CM15 scheme), but the process of ciphertext expansion is complex and the noise growth is too fast. In 2019, TU et al. [13] made use of the transformation mechanism of [12] and combined with the hierarchical identity-based encryption scheme proposed by Cash et al. [14] to construct a hierarchical multi-identity full homomorphic encryption scheme. In the same year, Shen et al. [15] proposed a hierarchical multi-identity fully homomorphic encryption scheme based on the multi-key scheme of Mukherjee et al. [16]. In 2020, Pal and Dutta [17] constructed a multi-identity multi-attribute MIBFHE scheme with chosen ciphertext security on the basis of multi-key full homomorphism, but their extension process uses Witness Pseudorandom Function (WPRF), which is a non-standard assumption. In 2021, Shen et al. [18] constructed a compressible multi-key and multi-identity fully homomorphic encryption based on the compressible FHE scheme proposed by Gentry et al. [19]. In 2022, Liu et al. [20] constructed a hierarchical multi-hop MIBFHE scheme based on the IBE scheme proposed by Gentry et al. [21] and the hierarchical multi-hop multi-key FHE scheme proposed by Peikert et al. [22].

The trapdoor generation of the above scheme is quite complex and too inefficient in terms of both operation and output’s quality, which is not suitable for practice. It mainly used the trapdoor generation algorithm of [23,24], which involves the calculation of complex HNF (Hermite Normal Forms) and matrix inversion operations. Although the dimension and quality of its output are asymptotically optimal, the hidden constant factor is quite large. In addition, the preimage sampling algorithm of [21] needs to perform high-precision real number orthogonalization iterative operation during the sampling process, resulting in high complexity of the preimage sampling.

In 2012, Micciancio et al. [25] proposed a new trapdoor generation algorithm and corresponding preimage sampling algorithm (this scheme is called MP12 scheme). Compared with the structure of [23,24], it is essentially equivalent to one-time multiplication operation of two random matrices, which does not involve the calculation of complex HNF and matrix inversion operations. Its terms are chosen independently in the appropriate probability distribution, so it is more efficient. At the same time, Micciancio also pointed out that MP12 trapdoor can be used to optimize all lattice-based IBE schemes, but no specific scheme is given.

Our Contribution. In view of the above problems, in order to make the lattice MIBFHE scheme more practical, solving the problem of inefficient trapdoor generation must be considered. In this paper, we proposed an improved scheme using the transformation mechanism of [12]. First, based on the trapdoor function designed by Micciancio et al. [25] and the IBE scheme of Agrawal et al. [26], we proposed a new IBE scheme under the standard model, and proved that the scheme is IND-sID-CPA security under selective identity. Then, based on the above efficient IBE scheme and the eigenvector method proposed by Gentry et al. [7], which eliminate the evaluation key, the IBE scheme in this paper is transformed into a single-identity IBFHE scheme that satisfies homomorphic operation. Finally, a Link–Mask system was reconstructed based on the ciphertext extension method of [12], and IBFHE was converted into MIBFHE using the reconstructed extended ciphertext method and the masking scheme.

Organization. The second chapter introduces some notation we need to use throughout the paper, and reviews important definitions, including the trapdoor generation algorithm and LWE hardness problem. The third chapter firstly constructs an efficient IBE scheme, and proves the correctness and security of the IBE scheme. The parameter setting of the scheme and the parameter comparison of other schemes are introduced. The fourth chapter introduces how to use the approximate eigenvector to transform the IBE scheme constructed in the third chapter into the IBFHE scheme, and proves the correctness and security of the scheme. The fifth chapter uses the $Link–Mask$ algorithm constructed in this paper to transform the IBFHE scheme in the fourth chapter into MIBFHE scheme, and also gives the correctness and security proof of the scheme, as well as the efficiency comparison analysis of the scheme. The sixth chapter is a summary.

2. Preliminaries

Notation. There are some notations that we will use throughout this paper. We denote $\mathbb{Z}/q\mathbb{Z}$ as ${\mathbb{Z}}_q$ and its elements are in the range of $\left(-q/2\right.,\left. q/2\right]$. We use bold uppercase letters (e.g., $\mathit{A},\mathit{B}$) to represent matrices, and bold lowercase letters (e.g., $\mathit{a},\mathit{b}$) to represent vectors. All vectors in this paper are default column vectors. For a vector $\mathit{a}=\left({\mathit{a}}_1,{\mathit{a}}_2,\dots ,{\mathit{a}}_n\right)\in {\mathbb{Z}}_q^n$, ${\mathit{a}}_i$ denotes the i-th component scalar. For a matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$, $\mathit{A}\left[i,j\right]$ denotes the $i$-th row and the $j$-th column element of $\mathit{A}$. Let denote the Euclidean norm of a vector $\mathit{a}$ as $\Vert \mathit{a}\Vert =\sqrt{\sum {\mathit{a}}_i^2}$ and ${\mathit{s}}_1\left(\mathit{R}\right)$ represent the maximum singular value of matrix $\mathit{R}$. We denote $\left[\mathit{A}|\mathit{B}\right]$ as the concatenation of two matrices.

Let $n$ denote the security parameter. We define $\left[n\right]=\left\{1,2,\dots ,n\right\}$ for any positive integer $n$. Let $negl\left(n\right)$ denote a negligible function that grows slower than $n^{-\mathrm{c}}$ for any constant $\mathrm{c}>0$ and any sufficiently large value of $n$. We say that an event happens with overwhelming probability if it happens with probability at least $1-negl\left(n\right)$ for some negligible $negl\left(·\right)$. Let $\omega \left(\cdot \right)$ denotes the degree of asymptotic when $f\left(n\right)=\omega \left(\mathrm{g}\left(n\right)\right)$. That is $\underset{n\to \infty }{\lim }\frac{f\left(n\right)}{\mathrm{g}\left(n\right)}=\infty$ for any positive integer $\mathit{c}$ and a positive integer $d$ satisfy $n>d$, $0\le \mathit{c}\cdot \mathrm{g}\left(n\right)<f\left(n\right)$.

2.1. Relevant Definitions of Lattice

Definition 1.

(Lattice) Let $\left\{{\mathit{b}}_1,{\mathit{b}}_2,\dots ,{\mathit{b}}_m\right\}\in {ℝ}^n$ be $m$ linearly independent vectors on the n-dimensional Euclidean space ${ℝ}^n$. Set $\mathit{B}=\left\{{\mathit{b}}_1|{\mathit{b}}_2\left|\dots \right|{\mathit{b}}_m\right\}\in {ℝ}^{n\times m}$, and lattice $\Lambda \left(\mathit{B}\right)$ can be expressed linearly by the integer coefficients of all these vectors of ${\mathit{b}}_1,{\mathit{b}}_2,\dots ,{\mathit{b}}_m$, as defined follows:

$$\mathsf{\Lambda }\left(\mathit{B}\right)=\left\{\mathit{y}\in {ℝ}^n: \exists \mathit{s}\in {\mathbb{Z}}^m,\mathit{y}=\mathit{B}\mathit{s}={\displaystyle \sum }_{i=1}^m{\mathit{s}}_i{\mathit{b}}_i\right\}$$

where the linear independent vector $\left\{{\mathit{b}}_1,{\mathit{b}}_2,\dots ,{\mathit{b}}_m\right\}$ which is a basis of the lattice form a lattice space, with dimension $n$ and rank $m$, for $m>n$. When $n=m$, the $\mathsf{\Lambda }\left(\mathit{B}\right)$ is a full-rank lattice, the scheme is usually constructed with the full-rank lattice. Here, we are interested in integer lattices, i.e., when $\mathit{s}$ is contained in ${\mathbb{Z}}^m$.

Definition 2.

($q$-Module Lattice) For $n,m,q\in \mathbb{Z}$, where $q$ is prime, $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ and $\mathit{u}={\mathbb{Z}}_q^n$, define:

$${\mathsf{\Lambda }}_q\left(\mathit{A}\right)=\left\{\mathit{y}\in {\mathbb{Z}}_q^m: \exists \mathit{s}\in {\mathbb{Z}}_q^n,{\mathit{A}}^{\mathrm{T}}\cdot \mathit{s}=\mathit{y}\left(\mathrm{mod} q\right)\right\}$$

$${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)=\left\{\mathit{x}\in {\mathbb{Z}}_q^m: \mathit{A}\mathit{x}=0\left(\mathrm{mod} q\right)\right\}$$

$${\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right)=\left\{\mathit{x}\in {\mathbb{Z}}_q^m: \mathit{A}\mathit{x}=\mathit{u}\left(\mathrm{mod} q\right)\right\}$$

where ${\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right)$ is the coset of ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$. ${\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right)$ is a shift of ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$ which satisfies $\mathit{t}+{\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)={\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right)$, for $\mathit{t}\in {\mathsf{\Lambda }}_q^{\mathit{u}}\left(\mathit{A}\right)$.

2.2. Discrete Gaussian Distribution

Definition 3.

(Gaussian-Shaped Function [27]) For any real number $\sigma >0$, any vector $\mathit{c}\in {ℝ}^n$, and the standard deviation $\sigma$, where $\forall \mathit{x}\in {ℝ}^n$. Gaussian-shaped function is defined as

$${\rho }_{\sigma ,\mathit{c}}\left(\mathit{x}\right)=\exp \left(\frac{-\pi \parallel \mathit{x}-\mathit{c}{\parallel }^2}{{\sigma }^2}\right)$$

Definition 4.

(Discrete Gaussian Distribution [27]) Let lattice  $\Lambda \in {ℝ}^{n\times m}$, for any real number  $\sigma >0$, any vector  $\mathit{c}\in {ℝ}^n$, the standard deviation  $\sigma$, where  $\forall \mathit{x}\in \Lambda$. The discrete Gaussian distribution with distribution center $\mathit{c}$  is defined as

$${\mathcal{D}}_{\mathsf{\Lambda },\sigma ,\mathit{c}}\left(\mathit{x}\right)=\frac{{\rho }_{\sigma ,\mathit{c}}\left(\mathit{x}\right)}{{\rho }_{\sigma ,\mathit{c}}\left(\mathsf{\Lambda }\right)}=\frac{{\rho }_{\sigma ,\mathit{c}}\left(\mathit{x}\right)}{{\sum }_{\mathit{v}\in \mathsf{\Lambda }}{\rho }_{\sigma ,\mathit{c}}\left(\mathit{v}\right)}$$

For convenience, we abbreviate ${\rho }_{\sigma ,0}$ and ${\mathcal{D}}_{\mathsf{\Lambda },\sigma ,0}$ as ${\rho }_{\sigma }$ and ${\mathcal{D}}_{\mathsf{\Lambda },\sigma }$ . When $\sigma =0$ , we use $\rho$ to express ${\rho }_1$. Distribution ${\mathcal{D}}_{\mathsf{\Lambda },\sigma ,\mathit{c}}$ is usually defined over the lattice $\mathsf{\Lambda }={\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$ for a matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ or over a coset $\mathsf{\Lambda }=\mathit{t}+{\mathsf{\Lambda }}_q^{\perp }\left(\mathit{A}\right)$ , where $\mathit{t}\in {\mathbb{Z}}^m$ .

2.3. LWE Hardness Problem

The security of all our structures is reduced to the LWE problem, which was first defined by Regev [27] in 2005. It proved to be a non-deterministic polynomial (NP) problem with polynomial complexity.

Definition 5.

(LWE Hardness Problem [27]) Consider a positive integer n, a prime q, a noise distribution $\chi$ over ${\mathbb{Z}}_q$, and uniformly random secret key $\mathit{s}\in {\mathbb{Z}}_q^n$. An $\left({\mathbb{Z}}_q,n,\chi \right)-\mathit{LWE}$ problem include accessing an unspecified challenge oracle $\mathcal{O}$ , that is, the oracle can be a noisy pseudo-random sampler ${\mathcal{O}}_s$ with some constant random secret key $\mathit{s}\in {\mathbb{Z}}_q^n$, or it can be a truly random sampler ${\mathcal{O}}_{\$}$. The behaviors of the two kinds of samplers are as follows.

${\mathcal{O}}_s$: outputs sample of the form $({\mathit{u}}_i,{\mathit{v}}_i)=\left({\mathit{u}}_i,\langle {\mathit{u}}_i,\mathit{s}\rangle +{\mathit{x}}_i\right)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$, where $\mathit{s}\in {\mathbb{Z}}_q^n$ is a randomly uniform and invariant secret vector, ${\mathit{u}}_i\in {\mathbb{Z}}_q^n$ is a randomly uniformly selected vector, and ${\mathit{x}}_i\in {\mathbb{Z}}_q$ is fresh sample from $\chi$.

${\mathcal{O}}_{\$}$: outputs truly uniform random samples from ${\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$.

The $\left({\mathbb{Z}}_q,n,\chi \right)-\mathrm{LWE}$ problem allows repeated queries to the challenge oracle $\mathcal{O}$. For a random $\mathit{s}\in {\mathbb{Z}}_q^n$, if $\mathrm{LWE}-\mathit{a}d\mathit{v}\left[\mathcal{A}\right]=|\mathrm{Pr}\left[{\mathcal{A}}^{{\mathcal{O}}_{\mathit{s}}}=1\right]-\mathrm{Pr}\left[{\mathcal{A}}^{{\mathcal{O}}_{\$}}=1\right]$ is non-negligible, we say that algorithm $\mathcal{A}$ can solve the $\left({\mathbb{Z}}_q,n,\chi \right)-\mathrm{LWE}$ problem, where $\mathrm{LWE}-\mathit{a}d\mathit{v}\left[\mathcal{A}\right]$.represents the advantage of algorithm $\mathcal{A}$ in solving the $\left({\mathbb{Z}}_q,n,\chi \right)-\mathrm{LWE}$ problem.

Regev [27] showed that for some noise distributions $\chi$, denoted ${\overline{\mathsf{\Psi }}}_{\alpha }$. The LWE problem is as difficult as the worst-case SIVP and GapSVP under quantum reduction (see also [28]).

Definition 6.

([27]) Consider a positive integer $n$, a real parameter $\alpha =\alpha \left(n\right)\in \left(0,1\right)$, and a prime $q$. Denote ${\Psi }_{\alpha }$ as the normal distribution on ${\mathbb{Z}}_q$ with the mean 0 as the Gaussian center and the standard deviation $\frac{\alpha }{\sqrt{2\pi }}$, whose corresponding discrete distribution is ${\overline{\Psi }}_{\alpha }$.

Lemma 1.

([27]) Consider positive integer $n,q$ and $\alpha \in \left(0,1\right)$, if there is an efficient, possibly quantum, algorithm to solve the $\left({\mathbb{Z}}_q,n,{\overline{\Psi }}_{\alpha }\right)-\mathit{LWE}$ problem for $\alpha q>2\sqrt{n}$, then in the worst case, there is an efficient polynomial quantum algorithm to solve the SIVP and the GapSVP problems with an approximate factor of $\tilde{O}\left(n/\alpha \right)$.

2.4. Preimage Matrix

Lemma 2.

([25]) Consider an odd prime $q$ and a positive integer $n,m,m^{\prime }$. For any $m\ge n\log q$, there exists a fixed efficiently computable preimage matrix $\mathit{M}\in {\mathbb{Z}}_q^{n\times m}$ and an efficiently computable deterministic “short preimage” function ${\mathit{M}}^{-1}\left(·\right):{\mathbb{Z}q}_{n\times m^{\prime }}^{\to }·{\mathbb{Z}}_q^{m\times m^{\prime }}$ that satisfies the following conditions. For any $m^{\prime }$, when matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m^{\prime }}$ is input, the function ${\mathit{M}}^{-1}\left(\mathit{A}\right)$ outputs a bit-matrix ${\mathit{M}}^{-1}\left(\mathit{A}\right)\in {\left\{0,1\right\}}^{m\times m^{\prime }}$ such that $\mathit{M}{\mathit{M}}^{-1}\left(\mathit{A}\right)=\mathit{A}$.

We can regard $\mathit{M}$ as a special matrix. For those familiar with GSW13 [7] encryption, multiplication $\mathit{M}$ is the ${\mathrm{BitDecomp}}^{-1}$ operation, and the function ${\mathit{M}}^{-1}\left(·\right)$ is called $\mathrm{BitDecomp}$. Note that ${\mathit{M}}^{-1}\left(·\right)$ itself is not a matrix, but rather an efficiently computable function.

Let $\mathit{x},\mathit{y}$ be vectors of some dimension $n$ over ${\mathbb{Z}}_q$. Let $k=\lceil \log q\rceil$ and $w=nk$. Let $\mathrm{BitDecomp}\left(\mathit{x}\right)$ be the $w$-dimension vector ${\mathit{x}}^{\prime }=\left({\mathit{x}}_{1,0},\dots ,{\mathit{x}}_{1,k-1},\dots ,{\mathit{x}}_{n,0},\dots ,{\mathit{x}}_{n,k-1}\right)$, where ${\mathit{x}}_{i,j}$ is the $j$-th bit in ${\mathit{x}}_i$’s binary representation. bits ordered least significant to most significant. Let ${\mathrm{BitDecomp}}^{-1}\left({\mathit{x}}^{\prime }\right)=\left(\sum 2^j\cdot {\mathit{x}}_{1,j},\dots ,\sum 2^j\cdot {\mathit{x}}_{n,j}\right)=$𝒙 be the inverse of $\mathrm{BitDecomp}$, but well-defined even when the input is not a $0/1$ vector. Let $\mathrm{Flatten}\left({\mathit{x}}^{\prime }\right)=\mathrm{BitDecomp}\left({\mathrm{BitDecomp}}^{-1}\left({\mathit{x}}^{\prime }\right)\right)$, a $w$-dimension vector with $0/1$ coefficients. $\mathrm{BitDecomp}\left(\mathit{A}\right)$, ${\mathrm{BitDecomp}}^{-1}\left(\mathit{A}\right)$, or $\mathrm{Flatten}\left(\mathit{A}\right)$ be the matrix formed by applying the operation to each column of $\mathit{A}$ separately. Finally, let $\mathrm{Powersof}2\left(\mathit{y}\right)=\left({\mathit{y}}_1,2{\mathit{y}}_1,\dots ,2^{k-1}{\mathit{y}}_1,\dots ,{\mathit{y}}_n,2{\mathit{y}}_n,\dots ,2^{k-1}{\mathit{y}}_n\right)$. Has the following properties:

(1)

$\langle \mathrm{BitDecomp}\left(\mathit{x}\right),\mathrm{Powersof}2\left(\mathit{y}\right)\rangle =\langle \mathit{x},\mathit{y}\rangle$.

(2)

$\langle {\mathit{x}}^{\prime },\mathrm{Powersof}2\left(\mathit{y}\right)\rangle =\langle {\mathrm{BitDecomp}}^{-1}\left({\mathit{x}}^{\prime }\right),\mathit{y}\rangle =\langle \mathrm{Flatten}\left({\mathit{x}}^{\prime }\right),\mathrm{Powersof}2\left(\mathit{y}\right)\rangle$.

2.5. Trapdoor Function and Trapdoor Generation Algorithm

Definition 7.

(MP12 Trapdoor [25]) For any integer $n>1$, $q\ge 2$, $m=O\left(n\mathit{log}q\right)$, $k=\lceil \log q\rceil$, $\overline{m}=m-nk$, $w=nk$, $m\ge w\ge n$. Set matrices $\mathit{A}\in {\mathbb{Z}}^{n\times m}$ and $\mathit{G}\in {\mathbb{Z}}_q^{n\times w}$, and the corresponding $\mathit{G}$-trapdoor matrix of $\mathit{A}$ is $\mathit{R}\in {\mathbb{Z}}^{\overline{m}\times w}$, which satisfies $\mathit{A}\left[\begin{array}{c}\mathit{R}\\ {\mathit{I}}_{nk}\end{array}\right]=\mathit{H}\mathit{G}$, where $\mathit{H}\in {\mathbb{Z}}_q^{n\times n}$ is an invertible matrix, and $\mathit{H}$ is called label of the trapdoor. The trapdoor’s quality depends on the maximum singular value ${\mathit{s}}_1\left(\mathit{R}\right)$.

Lemma 3.

(Trapdoor Generation Algorithm [25]) For $n\ge 1$,$q\ge 2$,$m=O\left(n\mathit{log}q\right)\approx 2n\mathit{log}q$,$\overline{m}=m-nk$,$w=nk$,$k=\lceil \mathit{log}q\rceil$, modulus $q=q\left(n\right)$, invertible matrix $\mathit{H}\to {\mathbb{Z}}_q^{n\times n}$, construct a gadget matrix $\mathit{G}={\mathit{I}}_n\otimes {\mathit{g}}^T\in {\mathbb{Z}}^{n\times nk}$, where ${\mathit{g}}^T=\left[1,2^1,2^2,\dots ,2^{k-1}\right]\in {\mathbb{Z}}_q^k$. Randomly choose uniform matrix $\overline{\mathit{A}}\in {\mathbb{Z}}_q^{n\times \overline{m}}$. There exists a trapdoor generation algorithm $Tr\mathit{a}p\mathit{G}\mathit{e}n\left(1^n,1^m,q\right)$, outputs matrix $\mathit{A}=\left[\overline{\mathit{A}}|\mathit{H}\mathit{G}-\overline{\mathit{A}}\mathit{R}\right]\in {\mathbb{Z}}_q^{n\times m}$ and its trapdoor matrix $\mathit{R}\in {\mathbb{Z}}^{\overline{m}\times w}$ where $\mathit{A}$ is statistically indistinguishable from ${\mathbb{Z}}_q^{n\times m}$ and the size of trapdoor is ${\mathit{s}}_1\left(\mathit{R}\right)\le \sqrt{m}\omega \left(\sqrt{\mathit{log}n}\right)$.

Lemma 4.

(Sampling Algorithm [25]) As same as the parameter of Lemma 3, let  $\mathit{u}\in {\mathbb{Z}}_q^n$ be an $n$-dimensional random vector, Gaussian parameter $\sigma \ge {\mathit{s}}_1\left(\mathit{R}\right)·\omega \left(\sqrt{\mathit{log}n}\right)$, and there exists a PPT (probability polynomial time) algorithm  $SampleD\left(\mathit{A},\mathit{R},\mathit{u},\sigma \right)$, output a vector $\mathit{t}\in {\mathbb{Z}}_q^m$ closing to the discrete Gaussian distribution ${\mathcal{D}}_{{·}_q^{\mathit{u}}\left(\mathit{A}\right),\sigma \omega \left(\sqrt{\mathit{log}n}\right)}$, satisfying $\mathit{A}·\mathit{t}=\mathit{u} mod q$, where $Pr\left[\mathit{t}\leftarrow {\mathcal{D}}_{{·}_q^{\mathit{u}}\left(\mathit{A}\right),\sigma \omega \left(\sqrt{\mathit{log}n}\right)}:\mathit{t}>\sigma \sqrt{m}\right]\le negl\left(n\right)$.

3. Identity-Based Encryption Scheme

In order to construct a more efficient IBFHE scheme, we first need to construct an IBE scheme with better performance. Next, we improve the IBE scheme of Agrawal et al. [26] based on the MP12 trapdoor generation algorithm and sampling algorithm to make the parameters of the scheme more compact.

3.1. Construction

The basic parameter definition of the scheme: Let $n$ as security parameter, $q=q\left(n\right)$ as modulus, $m=O\left(n\log q\right)$, randomly uniform matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ and its corresponding trapdoor $\mathit{R}\in {\mathbb{Z}}^{\overline{m}\times w}$, where $\overline{m}=m-nk,w=nk,k=\lceil \log q\rceil ,m^{\prime }=m+1$; Construct a gadget matrix $\mathit{G}={\mathit{I}}_n\otimes {\mathit{g}}^{\mathrm{T}}\in {\mathbb{Z}}^{n\times w}$ for ${\mathit{g}}^T=\left[1,2^1,2^2,\dots ,2^{k-1}\right]\in {\mathbb{Z}}_q^k$ and ${\mathit{I}}_n$ is an $n\times n$ identity matrix; encoding function with FRD (full-rank differences) $\mathit{H}:{\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$.

-

$IBE.Setup\left(1^n\right):$ Input the security parameter $n$ and generate the basic parameter $q=q\left(n\right),m=O\left(n\log q\right)$. Randomly and uniformly choose a matrix $\overline{\mathit{A}}\in {\mathbb{Z}}_q^{n\times \overline{m}}$ and an n-dimensional vector $\mathit{u}\in {\mathbb{Z}}_q^n$. Run the trapdoor generation algorithm $TrapGen\left(1^n,1^m,q\right)$ to generate matrix $\mathit{A}=\left[\overline{\mathit{A}}|-\overline{\mathit{A}}\mathit{R}\right]\in {\mathbb{Z}}_q^{n\times m}$ and its trapdoor matrix $\mathit{R}\in {\mathbb{Z}}^{\overline{m}\times w}$. Output master public key $MPK=\left(\mathit{A},\mathit{u}\right)$ and master secret key $MSK=\mathit{R}$.

-

$IBE.Extract\left(MPK,MSK,id\right):$ Input the master public key $MPK$, master secret key $MSK$, and user’s identity vector $id\in {\mathbb{Z}}_q^n$. Using FRD encoding function $\mathit{H}:{\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$, map each user’s $id$ to an invertible matrix ${\mathit{H}}_{id}\in {\mathbb{Z}}_q^{n\times n}$. Let ${\mathit{A}}_{id}=\mathit{A}+\left[0|{\mathit{H}}_{id}\mathit{G}\right]=\left[\overline{\mathit{A}}|{\mathit{H}}_{id}\mathit{G}-\overline{\mathit{A}}\mathit{R}\right]\in {\mathbb{Z}}_q^{n\times m}$, run the sampling algorithm $SampleD\left({\mathit{A}}_{id},\mathit{R},\mathit{u},\sigma \right)$ to generate secret key ${\mathit{t}}_{id}\in {\mathbb{Z}}_q^m$ corresponding to each user’s $id$, satisfying ${\mathit{A}}_{id}{\mathit{t}}_{id}=\mathit{u} mod q$. Set ${\mathit{A}}_{id}^{\prime }=[\mathit{u}|{\mathit{A}}_{id}]\in {\mathbb{Z}}_q^{n\times m^{\prime }}$. Output secret key ${\mathit{s}}_{id}=\left(1,-{\mathit{t}}_{id}\right)\in {\mathbb{Z}}_q^{m^{\prime }}$, satisfying ${\mathit{A}}_{id}^{\prime }{\mathit{s}}_{id}=0 mod q$.

-

$IBE.Enc\left(MPK,id,\mathit{b}\right):$ Input the master public key $MPK$, user’s identity vector $id\in {\mathbb{Z}}_q^n$ and encrypted plaintext message $\mathit{b}\in \left\{0,1\right\}$. Let $\mu =\left(\mathit{b}\frac{q}{2},0,\dots ,0\right)\in {\mathbb{Z}}_q^{m^{\prime }}$. Randomly choose a uniform vector $\mathit{y}\stackrel{\$}{\leftarrow }{\left\{0,1\right\}}^n$ and an error vector $\mathit{e}\stackrel{\$}{\leftarrow }{\chi }_{{\overline{\Psi }}_{\alpha }}^{m^{\prime }}$ according to the LWE error distribution. Output ciphertext vector ${\mathit{c}}_{id}={\mathit{A}}_{id}^{{\prime }^{\mathrm{T}}}\mathit{y}+\mu +\mathit{e}\in {\mathbb{Z}}_q^{m^{\prime }}$.

-

$IBE.Dec\left(\mathit{M}PK,{\mathit{s}}_{id},{\mathit{c}}_{id}\right):$ Input the master public key $\mathit{M}PK$, user’s secret key ${\mathit{s}}_{id}$ and ciphertext ${\mathit{c}}_{id}$ to decrypt. Compute ${\mathit{b}}^{\prime }={\mathit{s}}_{id}^{\mathrm{T}}\cdot {\mathit{c}}_{id}\in {\mathbb{Z}}_q$. If $\Vert {\mathit{b}}^{\prime }-\left|\frac{q}{2}\right|\Vert <\left|\frac{q}{4}\right|$, output $\mathit{b}=1$; If $\Vert {\mathit{b}}^{\prime }\Vert <\left|\frac{q}{4}\right|$, output $\mathit{b}=0$.

3.2. Correctness and Parameters

Theorem 1.

([21]) When $m\ge 2n\mathit{log}q$, $\alpha \le {\left(\sigma \sqrt{m+1}·\omega \left(\sqrt{\mathit{log}n}\right)\right)}^{-1}$, $q\ge 5\sigma \left(m+1\right)$, the IBE scheme constructed in Section 3.1 is successfully decrypted with great probability.

Proof. 

It can be obtained from the decryption formula

$$\begin{array}{ll}{\mathit{s}}_{id}^{\mathrm{T}}\cdot {\mathit{c}}_{id}& ={\mathit{s}}_{id}^{\mathrm{T}}\left({\mathit{A}}_{id}^{{\prime }^T}\mathit{y}+\mu +\mathit{e}\right)\\ & ={\mathit{s}}_{id}^T{\mathit{A}}_{id}^{{\prime }^T}\mathit{y}+\langle {\mathit{s}}_{id}^T,\mu \rangle +\langle {\mathit{s}}_{id}^T,\mathit{e}\rangle \\ & =\mathit{b}\lfloor \frac{q}{2}\rfloor +{\mathit{s}}_{id}^T,\mathit{e} \end{array}$$

According to [21], when $\alpha \le {\left(\sigma \sqrt{m+1}·\omega \left(\sqrt{\log n}\right)\right)}^{-1}$, $q\ge 5\sigma \left(m+1\right)$ can satisfy $\langle {\mathit{s}}_{id}^T,\mathit{e}\rangle \le \frac{q}{5}$ with a great probability. Due to $\langle {\mathit{s}}_{id}^T,\mathit{e}\rangle \le \frac{q}{5}<\frac{q}{4}$, when $\langle {\mathit{s}}_{id}^T,\mathit{e}\rangle <\frac{q}{4}$, if $\mathit{b}=1$, then $\Vert \langle {\mathit{s}}_{id}^T,{\mathit{c}}_{id}\rangle -\frac{q}{2}\Vert <\frac{q}{4}$; If $\mathit{b}=0$, then $\Vert \langle {\mathit{s}}_{id}^T,{\mathit{c}}_{id}\rangle \Vert <\frac{q}{4}$, obviously the decryption algorithm can successfully decrypt with great probability.

According to the above analysis and Lemma 1, when $\alpha$ and $q$ reach the extreme value, respectively, there is $\alpha ·q=\frac{5\sqrt{m+1}}{\omega \left(\sqrt{\log n}\right)}>\frac{5\sqrt{2n\log q}}{\omega \left(\sqrt{\log n}\right)}>2\sqrt{n}$, satisfying the security requirements of LWE problem, that is $\alpha q>2\sqrt{n}$. To meet the above requirements, set scheme parameter $\left(m,q,\sigma ,\alpha \right)$: $m=2n\log q$,$q=m^{\frac{3}{2}}\sqrt{n}\omega \left(\log n\right)$,$\sigma =\sqrt{m}\omega \left(\log n\right)$,$\alpha <{\left(m\omega \left({\log }^{2}n\right)\right)}^{-1}$.□

3.3. Security Reduction

Theorem 2.

When $m\ge 2n\log q$, if the $\left({\mathbb{Z}}_q,n,{\overline{\Psi }}_{\alpha }\right)-LWE$ hardness assumption holds, the basic IBE scheme given in this section is IND-sID-CPA (Indistinguishable from Random, Select-Identity, Chosen-Plaintext Attachment) security.

Proof. 

For the IBE scheme proposed in this paper, we use a series of IND-sID-CPA security games proposed by Agrawal et al. [26] under the standard model to prove the security. The security model is established by a sequence game between adversary $\mathcal{A}$ and challenger $\mathcal{C}$.The steps are as follows:

Game0 Game0 is a standard original IND-sID-CPA game between adversary $\mathcal{A}$ and challenger $\mathcal{C}$.

Game1 Let $i{d}^{\ast }$ be the identity of adversary $\mathcal{A}$ who plans to attack. Compared with Game0, the challenger changes the way to generate matrix $\mathit{A}$, and randomly generates $\mathit{A}=\left[\overline{\mathit{A}}|-{\mathit{H}}_{i{d}^{\ast }}\mathit{G}-\overline{\mathit{A}}\mathit{R}\right]$. From lemma 3, we can see that $GenTrap$ algorithm in Game0 generates matrix $\mathit{A}=\left[\overline{\mathit{A}}|{\mathit{H}}_{id}\mathit{G}-\overline{\mathit{A}}\mathit{R}\right]$. From the Left over Hash lemma [29], distribution $\left(\overline{\mathit{A}},\overline{\mathit{A}}\mathit{R}\right)$ and distribution $\left(\overline{\mathit{A}},\mathit{B}\right)$ are statistically indistinguishable, for $\mathit{B}\in {\mathbb{Z}}_q^{n\times \mathrm{w}}$. Therefore, in the view of adversary $\mathcal{A}$, the matrix in Game0 and in Game1 are statistically indistinguishable, and adversary $\mathcal{A}$ cannot distinguish Game0 and Game1 with negligible advantages.

Game2 The difference between Game2 and Game1 is that Challenger $\mathcal{C}$ changes the corresponding way to query $id\ne i{d}^{\ast }$ secret key. Game2 uses $GenTrap$ algorithm to generate matrix $\mathit{G}$ and lattice ${\mathsf{\Lambda }}_q^{\perp }\left(\mathit{G}\right)$ trapdoor matrix ${\mathit{R}}_{\mathit{G}}$. Keeping the form of $\mathit{A}=\left[\overline{\mathit{A}}|-{\mathit{H}}_{i{d}^{\ast }}\mathit{G}-\overline{\mathit{A}}\mathit{R}\right]$ in Game1. According to the definition of FRD encoding function, $\left({\mathit{H}}_{id}-{\mathit{H}}_{i{d}^{\ast }}\right)$ is nonsingular. Challenger $\mathcal{C}$ can respond to the secret key query of adversary $\mathcal{A}$ through the trapdoor matrix ${\mathit{R}}_{\mathit{G}}$ to sample the preimage. Run sampling algorithm ${\mathit{t}}_{id}\leftarrow SampleD\left({\mathit{A}}_{id},{\mathit{R}}_{\mathit{G}},\mathit{u},\sigma \right)$ and output secret key ${\mathit{s}}_{id}=\left(1,-{\mathit{t}}_{id}\right)$ to adversary $\mathcal{A}$. If $id=i{d}^{\ast }$, then $\left({\mathit{H}}_{id}-{\mathit{H}}_{i{d}^{\ast }}\right)$ is a singular matrix, and the game ends. The distribution ${\mathcal{D}}_{{·}_q^{\mathit{u}}\left({\mathit{A}}_{id}\right),\sigma \omega \left(\sqrt{\log n}\right)}$ of ${\mathit{s}}_{id}$ in Game2 and ${\mathit{s}}_{id}$ in Game1 are statistically indistinguishable, so adversary $\mathcal{A}$ cannot distinguish Game1 and Game2 with negligible advantages.

Game3 The difference between Game3 and Game2 is that the challenge ciphertext is always selected as a random independent element of ${\mathbb{Z}}_q^{m^{\prime }}$ in the ciphertext space, so the advantage of adversary $\mathcal{A}$ is zero.

For PPT adversary $\mathcal{A}$, it is still necessary to prove that the adversary cannot distinguish Game2 and Game3 in computation through the hardness of the LWE problem. Assuming adversary $\mathcal{A}$ has non-negligible advantage in distinguishing Game2 and Game3, we use adversary $\mathcal{A}$ to construct an LWE algorithm $\mathcal{E}$. Recall from definition 5 that an LWE problem instance is provided as a sampling $\mathcal{O}$ which can be either truly random ${\mathcal{O}}_{\$}$ or noise pseudo-random ${\mathcal{O}}_{\mathit{s}}$. Challenger $\mathcal{C}$ uses the adversary $\mathcal{A}$ to distinguish the two. The steps are as follows:

Instance Challenger $\mathcal{C}$ requests from $\mathcal{O}$ and receives $\overline{m}+1$ samples $\left({\mathit{u}}_i,{\mathit{v}}_i\right)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$, for $i=0,1,\dots ,\overline{m}+1$.

Target Adversary $\mathcal{A}$ declares to challenger $\mathcal{C}$ the target identity of the planned attack $i{d}^{\ast }$.

Setup Challenger $\mathcal{C}$ sets $MPK$ according to the target identity $i{d}^{\ast }$.

(1)

Challenger $\mathcal{C}$ uses the known samples to construct matrix $\overline{\mathit{A}}=\left({\mathit{u}}_1,{\mathit{u}}_2,\dots ,{\mathit{u}}_{\overline{m}}\right)\in {\mathbb{Z}}_q^{n\times \overline{m}}$.

(2)

Take ${\mathit{u}}_0$ as a common random vector $\mathit{u}={\mathit{u}}_0\in {\mathbb{Z}}_q^n$.

(3)

Select $\mathit{R}\leftarrow {\mathcal{D}}^{\overline{m}\times w}$ from the distribution $\mathcal{D}$ and construct the matrix ${\mathit{A}}_1=-{\mathit{H}}_{i{d}^{\ast }}\mathit{G}-\overline{\mathit{A}}\mathit{R}$.

(4)

Send the common parameter $\left\{\mathit{u},\overline{\mathit{A}},{\mathit{A}}_1\right\}$ to the adversary $\mathcal{A}$.

From Left over Hash lemma [29], for an adversary $\mathcal{A}$, matrix ${\mathit{A}}_1$ is uniformly indistinguishable.

Queries1 Similar to Game2, Challenger $\mathcal{C}$ responds to each secret key query of adversary $\mathcal{A}$.

Challenge The adversary submits challenge plaintext ${\mathit{b}}^{\ast }\in \left\{0,1\right\}$ to challenger $\mathcal{C}$, and challenger $\mathcal{C}$ outputs challenge ciphertext ${\mathit{c}}_{id}^{\ast }$ for target identity $i{d}^{\ast }$:

(1)

Let ${\mathit{v}}^{\ast }={\left({\mathit{v}}_1,\dots ,{\mathit{v}}_{\overline{m}}\right)}^{\mathrm{T}}\in {\mathbb{Z}}_q^{\overline{m}}$.

(2)

Hide plaintext message ${\mathit{b}}^{\ast }$ through constructing ${\mathit{c}}_0^{\ast }={\mathit{v}}_0+{\mathit{b}}^{\ast }\frac{q}{2}$.

(3)

Let ${\mathit{c}}_1^{\ast }=\left[\begin{array}{c}{\mathit{v}}^{\ast }\\ -{\mathit{R}}^{\mathrm{T}}{\mathit{v}}^{\ast }+{\mathit{e}}^{\prime }\end{array}\right]\in {\mathbb{Z}}_q^m$,for ${\mathit{e}}^{\prime }\stackrel{{\overline{\Psi }}_{\alpha }}{\leftarrow }{\mathbb{Z}}_q^w$.

(4)

Select random bit $r\stackrel{\$}{\leftarrow }\left\{0,1\right\}$. When $r=0$, send ${\mathit{c}}^{\ast }=\left({\mathit{c}}_0^{\ast },{\mathit{c}}_1^{\ast }\right)$ to the adversary $\mathcal{A}$; when $r=1$, randomly and uniformly select ${\mathit{c}}_{id}\in {\mathbb{Z}}_q^{m^{\prime }}$ to pass to the adversary $\mathcal{A}$.

Attention: When $\mathcal{O}={\mathcal{O}}_{\mathit{s}}$, the distribution of ${\mathit{c}}^{\ast }$ is indistinguishable from the challenge ciphertext in Game2. From the definition of the LWE problem, we can know that ${\mathit{v}}^{\ast }={\overline{\mathit{A}}}^{\mathrm{T}}\mathit{s}+\mathit{e}$ ${\mathit{A}}_{i{d}^{\ast }}=\left[\overline{\mathit{A}}|\left({\mathit{H}}_{i{d}^{\ast }}-{\mathit{H}}_{i{d}^{\ast }}\right)\mathit{G}-\overline{\mathit{A}}\mathit{R}\right]=\left[\overline{\mathit{A}}|-\overline{\mathit{A}}\mathit{R}\right]$.Thus

$${\mathit{c}}_1^{\ast }=\left[\begin{array}{c}{\mathit{v}}^{\ast }\\ -{\mathit{R}}^{\mathrm{T}}{\mathit{v}}^{\ast }+{\mathit{e}}^{\prime }\end{array}\right]=\left[\begin{array}{c}{\overline{\mathit{A}}}^{\mathrm{T}}\mathit{s}+\mathit{e}\\ -{\mathit{R}}^{\mathrm{T}}\left({\overline{\mathit{A}}}^{\mathrm{T}}\mathit{s}+\mathit{e}\right)+{\mathit{e}}^{\prime }\end{array}\right]={\mathit{A}}_{i{d}^{\ast }}^{\mathrm{T}}\mathit{s}+\left[\begin{array}{c}\mathit{e}\\ -{\mathit{R}}^{\mathrm{T}}\mathit{e}+{\mathit{e}}^{\prime }\end{array}\right]$$

The right side of the equation is the challenge ciphertext ${\mathit{c}}_1$ in Game 2; ${\mathit{c}}_0^{\ast }={\mathit{u}}_0^T\mathit{s}+{\mathit{e}}^{″}+{\mathit{b}}^{\ast }\left|\frac{q}{2}\right|$ is the challenge ciphertext ${\mathit{c}}_0$ in Game2, for ${\mathit{e}}^{″}\stackrel{{\overline{\Psi }}_{\alpha }}{\leftarrow }{\mathbb{Z}}_q$. Thus ${\mathit{c}}^{\ast }$ is a valid ciphertext of ${\mathit{b}}^{\ast }$ corresponding to identity $i{d}^{\ast }$.

When $\mathcal{O}={\mathcal{O}}_{\$}$, ${\mathit{v}}_0\in {\mathbb{Z}}_q$ and ${\mathit{v}}^{\ast }\in {\mathbb{Z}}_q^{\overline{m}}$ are then uniformly selected. According to the Left over Hash lemma [29], $-{\mathit{R}}^{\mathrm{T}}{\mathit{v}}^{\ast }$ obeys the discrete random distribution, so the ${\mathit{R}}^{\mathrm{T}}{\mathit{v}}^{\ast }+{\mathit{e}}^{\prime }$ also obeys the discrete random distribution. Therefore, the distribution of challenge ciphertext ${\mathit{c}}^{\ast }$ is indistinguishable from Game3, and is randomly selected by the challenger $\mathcal{C}$ from ${\mathbb{Z}}_q^{m^{\prime }}$. Queries2 The adversary $\mathcal{A}$ can continue to query the secret key in the same way as Queries1.

Guess The adversary $\mathcal{A}$ distinguishes whether the ciphertext is a random independent vector on ${\mathbb{Z}}_q^{m^{\prime }}$ or a valid ciphertext of plaintext message ${\mathit{b}}^{\ast }$, and the challenger $\mathcal{C}$ answers whether the samples in the LWE problem are from ${\mathcal{O}}_{\mathit{s}}$ or ${\mathcal{O}}_{\$}$ according to the guess results.

In summary, when $\mathcal{O}={\mathcal{O}}_{\mathit{s}}$, the view of the adversary $\mathcal{A}$ is the same as Game2; when $\mathcal{O}={\mathcal{O}}_{\$}$, adversary $\mathcal{A}$ has the same view as Game3. Because the advantage of algorithm $\mathcal{E}$ in solving the LWE problem is the same as that of adversary $\mathcal{A}$ in distinguishing Game2 and Game3, and because there is no PPT algorithm that can effectively solve the LWE problem; thus, the scheme is IND-sID-CPA secure, and the proof is over. □

3.4. Efficiency Analysis of IBE Scheme

We compared the parameters of the proposed IBE scheme with the ABB-IBE scheme proposed by Agrawal et al. [26] with the same security as this scheme. See

Table 1. Comparison of main parameters of IBE scheme.

Scheme	Dimension	Ciphertext	Public Key	Secret Key	Gaussian Parameter
[26]	$6n\log q$	$2m+1$	$n\times \left(3m+1\right)$	$m\times m$	$m\omega \left(\log n\right)$
Ours-IBE	$2n\log q$	$m+1$	$n\times \left(m+1\right)$	$\left(m\times m\right)/4$	$\sqrt{m}\omega \left(\log n\right)$

for comparison results.

From the analysis in Table 1, it can be seen that the main efficiency parameters of the IBE scheme in this paper were significantly optimized. Compared with the ABB10-IBE trapdoor generation algorithm based on [23], this scheme uses the MP12 trapdoor generation algorithm to reduce the lattice security dimension from $6n\log q$ to $2n\log q$, and the size of the master secret keys is selected from a short vector in a reasonable Gaussian distribution, so the scale of the public parameters, key size, and ciphertext size of this scheme are reduced.

4. Identity-Based Full Homomorphic Encryption Scheme

Based on the efficient IBE scheme proposed above, a new identity-based fully homomorphic encryption scheme was further constructed. We used the gadget matrix to replace Powersoft2, BitDecomp and Flatten to obtain new encryption and decryption forms. At the same time, we use the “approximate eigenvector” technology to eliminate the evaluation key in homomorphic encryption to obtain a more concise identity-based full homomorphic encryption scheme.

4.1. Construction

The basic parameter definition of the scheme: Let $n$ as security parameter, $\mathit{L}$ represents the maximum depth of homomorphic calculation allowed for the circuit, $q=q\left(n,\mathit{L}\right)$ is a sufficiently large prime, and $m,m^{\prime },\overline{m},w,k$ and FRD encoding function $\mathit{H}$ are the same as the definitions in the above IBE encryption scheme. Define $N=\left(m+1\right)k$. We construct another gadget matrix $\mathit{M}={\mathit{I}}_{m^{\prime }}\otimes {\mathit{g}}^{\mathrm{T}}\in {\mathbb{Z}}^{m^{\prime }\times N}$, where ${\mathit{g}}^T=\left[1,2^1,2^2,\dots ,2^{k-1}\right]\in {\mathbb{Z}}_q^k$ and ${\mathit{I}}_{m^{\prime }}$ is a $m^{\prime }\times m^{\prime }$ identity matrix. According to Lemma 2, for any matrix $\mathit{A}\in {\mathbb{Z}}_q^{m^{\prime }\times N}$, there exists a function ${\mathit{M}}^{-1}\left(·\right)$ such that ${\mathit{M}}^{-1}\left(\mathit{A}\right)\in {\left\{0,1\right\}}^{N\times N}$, satisfying $\mathit{M}{\mathit{M}}^{-1}\left(\mathit{A}\right)=\mathit{A}$.

-

$IBFHE.Setup\left(1^n,1^{\mathit{L}}\right):$ Input the security parameter $n$ and the maximum depth $\mathit{L}$ that the circuit allows homomorphic operations. Run the $IBE.Setup$ algorithm to generate matrix $\mathit{A}=\left[\overline{\mathit{A}}|-\overline{\mathit{A}}\mathit{R}\right]\in {\mathbb{Z}}_q^{n\times m}$. Output the master public key $\mathit{M}PK=\left(\mathit{A},\mathit{u}\right)$ and the master secret key $\mathit{M}SK=\mathit{R}$.

-

$IBFHE.Extract\left(\mathit{M}PK,\mathit{M}SK,id\right):$ Input the master public key $\mathit{M}PK$, master secret key $\mathit{M}SK$, and user’s identity vector $id\in {\mathbb{Z}}_q^n$. Run the $IBE.Extract$ algorithm to generate matrix ${\mathit{A}}_{id}^{\prime }=[\mathit{u}|{\mathit{A}}_{id}]\in {\mathbb{Z}}_q^{n\times m^{\prime }}$. Output secret key ${\mathit{s}}_{id}=\left(1,-{\mathit{t}}_{id}\right)\in {\mathbb{Z}}_q^{m^{\prime }}$, satisfying ${\mathit{A}}_{id}^{\prime }{\mathit{s}}_{id}=0 mod q$.

-

$IBFHE.Enc\left(\mathit{M}PK,id,\mu \right):$ Input the master public key $\mathit{M}PK$, user’s identity vector $id\in {\mathbb{Z}}_q^n$ and encrypted plaintext message $\mu \in \left\{0,1\right\}$. Randomly choose uniform vectors ${\mathit{y}}_i\stackrel{\$}{\leftarrow }{\left\{0,1\right\}}^n$ and error vectors ${\mathit{e}}_i\stackrel{\$}{\leftarrow }{\chi }_{{\overline{\Psi }}_{\alpha }}^{m^{\prime }}$ according to the LWE error distribution. N vectors ${\mathit{y}}_i$ are connected to form the matrix $\mathit{Y}=\left[{\mathit{y}}_1,\dots ,{\mathit{y}}_N\right]\in {\mathbb{Z}}^{n\times N}$, and N vectors ${\mathit{e}}_i$ are connected to form the matrix $\mathit{E}=\left[{\mathit{e}}_1,\dots ,{\mathit{e}}_N\right]\in {\mathbb{Z}}_q^{m^{\prime }\times N}$, where $i\in \left[N\right]$. Output the ciphertext matrix $\mathit{C}={\mathit{A}}_{id}^{{\prime }^{\mathrm{T}}}\mathit{Y}+\mu \mathit{M}+\mathit{E}\in {\mathbb{Z}}_q^{m^{\prime }\times N}$.

-

$IBFHE.Eval\left(\mathit{M}PK,f,\left({\mathit{C}}_1,\dots ,{\mathit{C}}_{\mathit{t}}\right)\right):$ Input the master public key $\mathit{M}PK$, Boolean circuit $f$, and ciphertext ${\mathit{C}}_1,\dots ,{\mathit{C}}_{\mathit{t}}$ which are the different ciphertext of the same $id$ with secret key ${\mathit{s}}_{id}$. Output the operation ciphertext $\mathit{C}=f\left({\mathit{C}}_1,\dots ,{\mathit{C}}_{\mathit{t}}\right)$, where the homomorphic addition is ${\mathit{C}}_{\mathit{A}dd}={\mathit{C}}_1+{\mathit{C}}_2$ and the homomorphic multiplication is ${\mathit{C}}_{\mathit{M}\mathit{u}l\mathit{t}}={\mathit{C}}_1{\mathit{M}}^{-1}\left({\mathit{C}}_2\right)$. According to the definitions of addition and multiplication, the homomorphic NAND gate operation is defined as ${\mathit{C}}_{N\mathit{A}ND}=\mathit{M}-{\mathit{C}}_1{\mathit{M}}^{-1}\left({\mathit{C}}_2\right)$.

-

$IBFHE.Dec\left(\mathit{M}PK,{\mathit{s}}_{id},\mathit{C}\right):$ Input the master public key $\mathit{M}PK$, user’s secret key ${\mathit{s}}_{id}$ and ciphertext $\mathit{C}$ to decrypt. Set the vector $\omega =\left[\left|\frac{q}{2}\right|,0,\dots ,0\right]\in {\mathbb{Z}}_q^{m^{\prime }}$.Compute ${\mu }^{\prime }={\mathit{s}}_{id}^{\mathrm{T}}·\mathit{C}·{\mathit{M}}^{-1}\left(\omega \right)$ and output $\lfloor \frac{2{\mu }^{\prime }}{q}\rfloor$.

4.2. Correctness and Parameters

Theorem 3.

 When $q=\sqrt{Nn}{m}^{\frac{3}{2}}\omega \left(\mathit{log}n\right)$,$\sigma =\sqrt{m}\omega \left(\mathit{log}n\right)$,$\alpha <{\left(\sqrt{N}m\omega \left(lo{\mathit{g}}^{2}n\right))\right)}^{-1}$, the IBFHE scheme constructed in Section 4.1 is successfully decrypted with great probability.

Proof. 

For the initial ciphertext $\mathit{C}\in {\mathbb{Z}}_q^{m^{\prime }\times N}$ and secret key ${\mathit{s}}_{id}\in {\mathbb{Z}}_q^{m^{\prime }}$ of the $\mathrm{id}$, there are

$$\begin{array}{ll}{\mathit{s}}_{id}^{\mathrm{T}}·\mathit{C}& ={\mathit{s}}_{id}^{\mathrm{T}}\left({\mathit{A}}_{id}^{{\prime }^{\mathrm{T}}}\mathit{Y}+\mu \mathit{M}+\mathit{E}\right)\\ & ={\mathit{s}}_{id}^{\mathrm{T}}{\mathit{A}}_{id}^{{\prime }^{\mathrm{T}}}\mathit{Y}+\mu {\mathit{s}}_{id}^{\mathrm{T}}\mathit{M}+{\mathit{s}}_{id}^{\mathrm{T}}\mathit{E}\\ & =\mu {\mathit{s}}_{id}^{\mathrm{T}}\mathit{M}+{\mathit{s}}_{id}^{\mathrm{T}}\mathit{E}\\ & =\mu {\mathit{s}}_{id}^{\mathrm{T}}\mathit{M}+{\mathit{e}}^{\prime }\end{array}$$

(1)

It can be obtained from Equation (1) and decryption formula

$$\begin{array}{l}{\mu }^{\prime }={\mathit{s}}_{id}^{\mathrm{T}}·\mathit{C}·{\mathit{M}}^{-1}\left(\mathbf{\omega }\right)\\ =\left(\mu {\mathit{s}}_{id}^{\mathrm{T}}\mathit{M}+{\mathit{e}}^{\prime }\right){\mathit{M}}^{-1}\left(\mathbf{\omega }\right)\\ =\mu {\mathit{s}}_{id}^{\mathrm{T}}\mathbf{\omega }+{\mathit{e}}^{\prime }{\mathit{M}}^{-1}\left(\mathbf{\omega }\right)\\ =\mu \lfloor \frac{q}{2}\rfloor +{\mathit{E}}^{\prime }\end{array}$$

In order to enable the decryption effective, it is necessary to ensure the ciphertext’s noise $\parallel {\mathit{E}}^{\prime }{\parallel }_{\infty }\le \sqrt{N}\left(q\sigma \sqrt{m}\alpha \mathbf{\omega }\left(\sqrt{\log n}\right)\right)<\frac{q}{5}$, where $\alpha <{\left(\sqrt{N}\sigma \sqrt{m+1}\mathbf{\omega }\left(\sqrt{\log n}\right)\right)}^{-1}$, that is $\frac{2{\mu }^{\prime }}{q}=\frac{2\mu \lfloor \frac{q}{2}\rfloor +2\Vert {\mathit{E}}^{\prime }\Vert }{q}<\mu +\frac{2}{5}$, satisfying $\frac{2\lfloor {\mu }^{\prime }\rfloor }{q}=\mu$. The ciphertext can be successfully decrypted. To meet the above requirements, set scheme parameters $\left(m,q,\sigma ,\alpha \right)$: $m=2n\log q$,$q=\sqrt{Nn}{m}^{\frac{3}{2}}\omega \left(\log n\right)$,$\sigma =\sqrt{m}\omega \left(\log n\right)$,$\alpha <{\left(\sqrt{N}m\omega \left({\log }^{2}n\right))\right)}^{-1}$.□

4.3. Homomorphic Property

Definition 8.

Let $\mathit{C}\in {\mathbb{Z}}_q^{m^{\prime }\times N}$ be the ciphertext matrix corresponding to plaintext $\mu$ of the identity $id$, and the secret key is $\mathit{s}\in {\mathbb{Z}}_q^{m^{\prime }}$. If ${\mathit{s}}^T\mathit{C}=\mu {\mathit{s}}^T\mathit{M}+\mathit{e}$ where $\Vert \mathit{e}{\Vert }_{\infty }\le \beta$, $\mathit{C}$ is called the $\beta$-noise ciphertext of plaintext $\mu$.

Proof. 

Let ${\mathit{C}}_1$ and ${\mathit{C}}_2$ be the ciphertexts of identity $id$ corresponding to plaintexts ${\mu }_1$ and ${\mu }_2$ respectively, namely ${\mathit{s}}^T{\mathit{C}}_1={\mu }_1{\mathit{s}}^T\mathit{M}+{\mathit{e}}_1$, ${\mathit{s}}^T{\mathit{C}}_2={\mu }_2{\mathit{s}}^T\mathit{M}+{\mathit{e}}_2$, where ${\mu }_1,{\mu }_2\in \left\{0,1\right\}$, $\Vert {\mathit{e}}_1\Vert {}_{\infty }\le {\beta }_1$, $\Vert {\mathit{e}}_2{\Vert }_{\infty }\le {\beta }_2$.

(1)

Homomorphic addition: ${\mathit{C}}_{\mathit{A}dd}={\mathit{C}}_1+{\mathit{C}}_2$, satisfy ${\mathit{s}}^{\mathrm{T}}{\mathit{C}}_{\mathit{A}dd}={\mathit{s}}^{\mathrm{T}}\left({\mathit{C}}_1+{\mathit{C}}_2\right)=\left({\mathit{u}}_1+{\mu }_2\right){\mathit{s}}^{\mathrm{T}}\mathit{M}+{\mathit{e}}^{+}$, where ${\mathit{e}}^{+}={\mathit{e}}_1+{\mathit{e}}_2$. Obviously ${\mathit{C}}_{Add}$ is ${\beta }_1+{\beta }_2$ noise ciphertext, that is, after one-time homomorphic addition, the error increases by two times the factor.

(2)

Homomorphic multiplication: ${\mathit{C}}_{Mult}={\mathit{C}}_1{\mathit{M}}^{-1}\left({\mathit{C}}_2\right)$, satisfy ${\mathit{s}}^{\mathrm{T}}{\mathit{C}}_{Mult}={\mathit{s}}^{\mathrm{T}}{\mathit{C}}_1{\mathit{M}}^{-1}\left({\mathit{C}}_2\right)=\left({\mu }_1{\mu }_2\right){\mathit{s}}^{\mathrm{T}}\mathit{M}+{\mathit{e}}^{\times }$, where ${\mathit{e}}^{\times }={\mathit{e}}_1{\mathit{M}}^{-1}\left({\mathit{C}}_2\right)+{\mu }_1{\mathit{e}}_2$. Obviously $\parallel {\mathit{e}}^{\times }{\parallel }_{\infty }\le \left(\sqrt{N}{\beta }_1+{\beta }_2\right)$, ${\mathit{C}}_{Mult}$ is $\left(\sqrt{N}{\beta }_1+{\beta }_2\right)$ noise ciphertext. The same calculation is also applicable to NAND gates.□

4.4. Security Reduction

Theorem 4.

If the $\left({\mathbb{Z}}_q,n,{\overline{\Psi }}_{\alpha }\right)-LWE$ hardness assumption holds, the IBFHE scheme given in this section is IND-sID-CPA secure.

Proof. 

The security of the IBFHE scheme proposed in this section can be proved based on the IBE scheme constructed in the previous section, because the homomorphic $IBFHE.Eval$ algorithm in the IBFHE scheme is public and has no effect on the security of the scheme. Under the LWE assumption, let $\mathit{C}={\mathit{A}}_{id}^{{\prime }^T}\mathit{Y}+\mu \mathit{M}+\mathit{E}\in {\mathbb{Z}}_q^{m^{\prime }\times N}$ be the ciphertext obtained by encrypting the plaintext message 0 in the IBFHE scheme, which can be regarded as the concatenation of the N ciphertexts of a bit 0 in the IBE scheme. It can be seen from theorem 2 that $\mathit{C}$ and any random uniform matrices in ${\mathbb{Z}}_q^{m^{\prime }\times N}$ are indistinguishable. Therefore, according to the definition of the IND-sID-CPA security model, the IBFHE scheme proposed in this section is IND-sID-CPA security.□

5. Multi-Identity Based Full Homomorphic Encryption Scheme

5.1. Link-Mask Scheme

Based on the above IBFHE scheme, we constructed an efficient multi-identity fully homomorphic encryption scheme by using the extended ciphertext method and the masking scheme, which is denoted as mIBFHE.

Firstly, we introduce the general method of converting single identity IBFHE scheme into multi identity scheme. For the convenience of description, we describe our scheme as a simple example. Assuming that there are two parties $\left(D=2\right)$, any polynomial number of parties $D$ can be extended by this method.

Let ${\mathit{C}}_1$ and ${\mathit{C}}_2$ be the ciphertexts of the plaintext messages ${\mu }_1$ and ${\mu }_2$ corresponding to the parties’ identities $i{d}_1$ and $i{d}_2$ in the IBFHE scheme, respectively, and the identities $i{d}_1$ and $i{d}_2$ correspond to the secret keys ${\mathit{s}}_1$ and ${\mathit{s}}_2$, respectively, which satisfy ${\mathit{s}}_1^{\mathrm{T}}{\mathit{C}}_1={\mu }_1{\mathit{s}}_1^{\mathrm{T}}\mathit{M}+{\mathit{e}}_1$,${\mathit{s}}_2^{\mathrm{T}}{\mathit{C}}_2={\mu }_2{\mathit{s}}_2^{\mathrm{T}}\mathit{M}+{\mathit{e}}_2$. By extending ciphertext ${\mathit{C}}_1,{\mathit{C}}_2\in {\mathbb{Z}}_q^{m^{\prime }\times N}$ according to the number of parties $D$ to “extended” ciphertext ${\widehat{\mathit{C}}}_1,{\widehat{\mathit{C}}}_2\in {\mathbb{Z}}_q^{2m^{\prime }\times 2N}$, those satisfy

$$\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]{\widehat{\mathit{C}}}_1={\mu }_1\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]\left[\begin{array}{cc}\mathit{M}& 0\\ 0& \mathit{M}\end{array}\right]+small error$$

$$\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]{\widehat{\mathit{C}}}_2={\mu }_2\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]\left[\begin{array}{cc}\mathit{M}& 0\\ 0& \mathit{M}\end{array}\right]+small error$$

In this paper, the general method of converting single-identity IBFHE scheme into multi-identity mIBFHE scheme is to convert the encrypted ciphertext matrix under single identity into a $D{m}^{\prime }\times DN$-dimensional general extended matrix, and the scale of extended ciphertext is expanded by $D^2$. In this way, ciphertexts ${\widehat{\mathit{C}}}_1$ and $\widehat{\mathit{C}}$ corresponding to different identities $id$ can be input into the same Boolean circuit $f\in ℂ$ for homomorphic operation.

In order to perform the above ciphertext expansion, we need to construct a masking scheme: this scheme allows each party $\left(D_1,D_2\right)$ to independently generate key pairs, which are $\left({\mathit{s}}_1,p{k}_1\right),\left({\mathit{s}}_2,p{k}_2\right)$ respectively. $D_1$ Run the $IBFHE.Enc$ algorithm to encrypt plaintext message ${\mu }_1$ under $p{k}_1$, and then use $p{k}_2$ and its own randomness to extend its ciphertext. In the ciphertext expansion step, $D_1$ runs the masking algorithm twice (the number of parties) to use $p{k}_1,p{k}_2$ to create matrices $X_1^j,{\overline{X}}_1^2$, where $j\in \left[2\right]$, ${\mathit{s}}_1^{\mathrm{T}}{X}_1^1\approx 0,{\mathit{s}}_2^{\mathrm{T}}\left({\mathit{C}}_1-X_1^2\right)\approx {\mu }_1\mathit{M}$, and ${\mathit{s}}_2^{\mathrm{T}}{\overline{X}}_1^2\approx 0$. Then, we randomly chose a matrix $\mathit{Q}$ and set a matrix ${\mathit{Q}}_2$ such that ${\mathit{s}}_2^{\mathrm{T}}{\mathit{Q}}_2\approx {\mathit{s}}_1^{\mathrm{T}}\mathit{Q}$. Therefore, the final multi-identity extended ciphertext form of $D_1$ is

$${\widehat{\mathit{C}}}_1=\left[\begin{array}{cc}{\mathit{C}}_1^1& \mathit{Q}\\ 0& {\mathit{C}}_1^2\end{array}\right]$$

where ${\mathit{C}}_1$ is a single identity IBFHE ciphertext of $D_1$, ${\mathit{C}}_1^1={\mathit{C}}_1-X_1^1$ and ${\mathit{C}}_1^2={\mathit{C}}_1-X_1^2+{\overline{X}}_1^2-{\mathit{Q}}_2$. There is

$$\begin{array}{l}\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]{\widehat{\mathit{C}}}_1=\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]\left[\begin{array}{cc}{\mathit{C}}_1^1& \mathit{Q}\\ 0& {\mathit{C}}_1^2\end{array}\right]\\ =\left[{\mathit{s}}_1^{\mathrm{T}}{\mathit{C}}_1^1,{\mathit{s}}_1^{\mathrm{T}}\mathit{Q}+{\mathit{s}}_2^{\mathrm{T}}{\mathit{C}}_1^2\right]\approx {\mu }_1\left[{\mathit{s}}_1^{\mathrm{T}},{\mathit{s}}_2^{\mathrm{T}}\right]\left[\begin{array}{cc}\mathit{M}& 0\\ 0& \mathit{M}\end{array}\right]\end{array}$$

Similarly, the ciphertext ${\mathit{C}}_2$ is extended to ${\widehat{\mathit{C}}}_2$, which can perform homomorphic operations on ciphertext ${\widehat{\mathit{C}}}_1$ and ${\widehat{\mathit{C}}}_2$ encrypted under different identities.

Before constructing a specific masking scheme, we need to reconstruct the ciphertext extension of CM15 on the basis of [30]. The operation is as follows.

Link–Mask. Let $\mathit{Y}\in {\left\{0,1\right\}}^{n\times N}$ be a 0-1 matrix, and ${\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}$ be a IBFHE ciphertext of $\mathit{Y}\left[\mathit{x},\mathit{t}\right]$ ($\mathit{x}$-th row and $\mathit{t}$-th column of $\mathit{Y}$, $\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]$) under $\left(pk,\mathit{s}k\right)=\left(\mathit{A},\mathit{s}\right)$. Let $\left(p{k}^{\prime },\mathit{s}{k}^{\prime }\right)=\left({\mathit{A}}^{\prime },{\mathit{s}}^{\prime }\right)$ be another IBFHE key pair. There exists a polynomial-time deterministic algorithm $Link–Mask\left(p{k}^{\prime },\left({\mathit{V}}^{1,1},\dots ,{\mathit{V}}^{n,N}\right)\right)$, input $p{k}^{\prime }$ and encryptions ${\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}$, return a matrix $X\in {\mathbb{Z}}_q^{m^{\prime }\times N}$, satisfying ${\mathit{s}}^{\mathrm{T}}X={\mathit{s}}^{\mathrm{T}}{{\mathit{A}}^{\prime }}^{\mathrm{T}}\mathit{Y}+\mathit{e}$, where $\parallel \mathit{e}{\parallel }_{\infty }\le n{\left(m+1\right)}^2\beta$. The algorithm is as follows (Algorithm 1).

Algorithm 1 $\mathit{L}ink–\mathit{M}\mathit{a}\mathit{s}k$.

Input: $p{k}^{\prime }$ and ${\left\{{\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]}$ Output: $X\in {\mathbb{Z}}_q^{m^{\prime }\times N}$ (1) Define ${\mathit{L}}_{\mathit{x},\mathit{t}}\in {\mathbb{Z}}_q^{m^{\prime }\times N}$, for $\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]$ by             ${\mathit{L}}_{\mathit{x},\mathit{t}}\left[\mathit{a},\mathit{b}\right]=\left\{\begin{array}{c}{{\mathit{A}}^{\prime }}^{\mathrm{T}}\left[\mathit{a},\mathit{x}\right] \mathit{t}=\mathit{b}\\ 0 \mathrm{other}\end{array}\right.$ (2) Output $X={\sum }_{\mathit{x}=1}^n\sum _{\mathit{t}=1}^N{\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}{\mathit{M}}^{-1}\left({\mathit{L}}_{\mathit{x},\mathit{t}}\right)\in {\mathbb{Z}}_q^{m^{\prime }\times N}$.

Proof. 

Since ${\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}$ is a IBFHE ciphertext of $\mathit{Y}\left[\mathit{x},\mathit{t}\right]$ under $\left(pk,\mathit{s}k\right)=\left(\mathit{A},\mathit{s}\right)$, we have ${\mathit{s}}^{\mathrm{T}}{\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}=\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{s}}^{\mathrm{T}}\mathit{M}+{\mathit{e}}_{\mathit{x},\mathit{t}}$. Hence, it holds that

$$\begin{array}{cc}\hfill {\mathbf{s}}^{\mathrm{T}}\mathit{X}& ={\mathit{s}}^{\mathrm{T}}{\displaystyle {\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}}{\mathit{V}}^{\left(\mathit{x},\mathit{t}\right)}{\mathit{M}}^{-1}\left({\mathit{L}}_{\mathit{x},\mathit{t}}\right)\hfill \\ \hfill & ={\displaystyle {\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}}\left(\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{s}}^{\mathrm{T}}\mathit{M}+{\mathit{e}}_{\mathit{x},\mathit{t}}\right){\mathit{M}}^{-1}\left({\mathit{L}}_{\mathit{x},\mathit{t}}\right)\hfill \\ \hfill \\ \hfill & ={\displaystyle {\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}}\left(\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{s}}^{\mathrm{T}}{\mathit{L}}_{\mathit{x},\mathit{t}}+{\mathit{e}}_{\mathit{x},\mathit{t}}{\mathit{M}}^{-1}\left({\mathit{L}}_{\mathit{x},\mathit{t}}\right)\right)\hfill \\ \hfill & ={\displaystyle {\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}}\left(\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{s}}^{\mathrm{T}}{\mathit{L}}_{\mathit{x},\mathit{t}}+{\mathit{e}}_{\mathit{x},\mathit{t}}^{\prime }\right)\hfill \\ \hfill & ={\mathit{s}}^{\mathrm{T}}{\displaystyle {\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{L}}_{\mathit{x},\mathit{t}}+{\displaystyle {\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}}{\mathit{e}}_{\mathit{x},\mathit{t}}^{\prime }\hfill \end{array}$$

where ${\mathit{e}}_{\mathit{x},\mathit{t}}^{\prime }={\mathit{e}}_{\mathit{x},\mathit{t}}{\mathit{M}}^{-1}\left({\mathit{L}}_{\mathit{x},\mathit{t}}\right)$ has a norm $\Vert {\mathit{e}}_{\mathit{x},\mathit{t}}^{\prime }{\Vert }_{\infty }\le \left(m+1\right)\beta$.

Now it suffices to show that $\sum _{\mathit{x},\mathit{t}}^{n,N}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{L}}_{\mathit{x},\mathit{t}}={{\mathit{A}}^{\prime }}^{\mathrm{T}}\mathit{Y}$. Note that ${\mathit{L}}_{\mathit{x},\mathit{t}}$ has $\mathit{x}$-th column of ${{\mathit{A}}^{\prime }}^{\mathrm{T}}$ on the $\mathit{t}$-th column and 0 elsewhere.

$$\begin{array}{c}{\displaystyle \sum _{\mathit{x}=1}^{\mathit{n}}}{\displaystyle \sum _{\mathit{t}=1}^{\mathit{N}}}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{L}}_{\mathit{x},\mathit{t}}={\displaystyle \sum _{\mathit{x}=1}^{\mathit{n}}}{\displaystyle \sum _{\mathit{t}=1}^{\mathit{N}}}\left[\begin{array}{cc}\begin{array}{ccc}0& \cdots & \mathit{Y}\left[\mathit{x},\mathit{t}\right]{{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\left[1,\mathit{x}\right]\end{array}& \begin{array}{cc}\cdots & 0\end{array}\\ \begin{array}{ccc}\begin{array}{c}⋮\\ ⋮\\ 0\end{array}& \begin{array}{c}\ddots \\ ⋮\\ \cdots \end{array}& \begin{array}{c}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\left[2,\mathit{x}\right]\\ ⋮\\ \mathit{Y}\left[\mathit{x},\mathit{t}\right]{{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\left[\mathit{n},\mathit{x}\right]\end{array}\end{array}& \begin{array}{c}\begin{array}{cc}\cdots & 0\end{array}\\ \begin{array}{cc}\cdots & ⋮\end{array}\\ \begin{array}{cc}\cdots & 0\end{array}\end{array}\end{array}\right]\hfill \\ \hfill ={\displaystyle \sum _{\mathit{t}=1}^{\mathit{N}}}\left[\begin{array}{cc}\begin{array}{ccc}0& \cdots & {\sum }_{\mathit{x}=1}^{\mathit{n}}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\left[1,\mathit{x}\right]\end{array}& \begin{array}{cc}\cdots & 0\end{array}\\ \begin{array}{ccc}\begin{array}{c}⋮\\ ⋮\\ 0\end{array}& \begin{array}{c}\ddots \\ ⋮\\ \cdots \end{array}& \begin{array}{c}{\sum }_{\mathit{x}=1}^{\mathit{n}}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\left[2,\mathit{x}\right]\\ ⋮\\ {\sum }_{\mathit{x}=1}^{\mathit{n}}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\left[\mathit{n},\mathit{x}\right]\end{array}\end{array}& \begin{array}{c}\begin{array}{cc}\cdots & 0\end{array}\\ \begin{array}{cc}\cdots & ⋮\end{array}\\ \begin{array}{cc}\cdots & 0\end{array}\end{array}\end{array}\right]\\ \hfill ={\displaystyle \sum _{\mathit{t}=1}^{\mathit{N}}}\left[\begin{array}{cc}\begin{array}{ccc}0& \cdots & 〈{\mathit{A}}_1^{{}^{\prime }{\mathit{T}}_{\mathit{row}}},{\mathit{Y}}_{\mathit{t}}^{\mathit{col}}〉\end{array}& \begin{array}{cc}\cdots & 0\end{array}\\ \begin{array}{ccc}\begin{array}{c}⋮\\ ⋮\\ 0\end{array}& \begin{array}{c}\ddots \\ ⋮\\ \cdots \end{array}& \begin{array}{c}〈{\mathit{A}}_2^{{}^{\prime }{\mathit{T}}_{\mathit{row}}},{\mathit{Y}}_{\mathit{t}}^{\mathit{col}}〉\\ ⋮\\ 〈{\mathit{A}}_{\mathit{n}}^{{}^{\prime }{\mathit{T}}_{\mathit{row}}},{\mathit{Y}}_{\mathit{t}}^{\mathit{col}}〉\end{array}\end{array}& \begin{array}{c}\begin{array}{cc}\cdots & 0\end{array}\\ \begin{array}{cc}\cdots & ⋮\end{array}\\ \begin{array}{cc}\cdots & 0\end{array}\end{array}\end{array}\right]={{\mathit{A}}^{{}^{\prime }}}^{\mathit{T}}\mathit{Y}\end{array}$$

where ${\mathit{A}}_l^{{\prime }^{{\mathrm{T}}_{row}}}$ denotes the $l$-th row of ${{\mathit{A}}^{\prime }}^{\mathrm{T}}$ and ${\mathit{Y}}_l^{\mathit{c}ol}$ denotes the $l$-th column of $\mathit{Y}$.

To sum up,

$${\mathit{s}}^{\mathrm{T}}X={\mathit{s}}^{\mathrm{T}}{\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}\mathit{Y}\left[\mathit{x},\mathit{t}\right]{\mathit{L}}_{\mathit{x},\mathit{t}}+{\displaystyle \sum }_{\mathit{x},\mathit{t}}^{n,N}{\mathit{e}}_{\mathit{x},\mathit{t}}^{\prime }={\mathit{s}}^{\mathrm{T}}{{\mathit{A}}^{\prime }}^{\mathrm{T}}\mathit{Y}+\mathit{e}$$

where $\mathit{e}=\sum _{\mathit{x},\mathit{t}}^{n,N}{\mathit{e}}_{\mathit{x},\mathit{t}}^{\prime }$ has norm $\parallel \mathit{e}{\parallel }_{\infty }\le n{\left(m+1\right)}^2\beta$. □

5.2. Construction

The basic parameter definition of the scheme: Let $n$ as security parameter, $\mathit{L}$ denote the maximum depth of homomorphic calculation allowed for the circuit, $q=q\left(n,\mathit{L}\right)$ be a sufficiently large prime, $D$ denote the maximum number of distinct identities supported by the scheme, $m,m^{\prime },\overline{m},w,k,N=\left(m+1\right)k$ and FRD encoding function $\mathit{H}$ are the same as the definitions in the above IBFHE encryption scheme. According to the notation in [16], the gadget matrix $\mathit{M}\in {\mathbb{Z}}^{m^{\prime }\times N}$ is extended to $\widehat{\mathit{M}}\in {\mathbb{Z}}_q^{D{m}^{\prime }\times DN}$. According to lemma 2, it is known that for any matrix $\mathit{A}\in {\mathbb{Z}}_q^{D{m}^{\prime }\times DN}$, there exists a function ${\widehat{\mathit{M}}}^{-1}\left(·\right)$ such that ${\widehat{\mathit{M}}}^{-1}\left(\mathit{A}\right)\in {\left\{0,1\right\}}^{DN\times DN}$, satisfying $\widehat{\mathit{M}}{\widehat{\mathit{M}}}^{-1}\left(\mathit{A}\right)=\mathit{A}$.

-

$mIBFHE.Setup\left(1^n,1^{\mathit{L}},1^D\right):$ Input the security parameter $n$, the maximum depth $\mathit{L}$ that the circuit allows homomorphic operations, and the maximum number of different identities $D$ supported by the scheme. Run the $IBFHE.Setup$ algorithm and output the master public key $\mathit{M}PK=\left(\mathit{A},\mathit{u}\right)$ and the master secret key $\mathit{M}SK=\mathit{R}$.

-

$mIBFHE.Extract\left(\mathit{M}PK,\mathit{M}SK,{\left[i{d}_j\right]}_{j\in \left[D\right]}\right):$ Input the master public key $\mathit{M}PK$, master secret key $\mathit{M}SK$, and user’s identity vector ${\left[i{d}_j\right]}_{j\in \left[D\right]}\in {\mathbb{Z}}_q^n$. Run the $IBFHE.Extract$ algorithm to generate secret key ${\mathit{s}}_{i{d}_1},\dots ,{\mathit{s}}_{i{d}_D}$ corresponding to identity $i{d}_1,\dots ,i{d}_D$ and the related public key ${\mathit{A}}_{i{d}_1}^{\prime },\dots ,{\mathit{A}}_{i{d}_D}^{\prime }$, and construct the joint secret key by horizontally appending all the secret-keys in sequence $\widehat{\mathit{s}}=\left[{\mathit{s}}_{i{d}_1},\dots ,{\mathit{s}}_{i{d}_D}\right]\in {\mathbb{Z}}_q^{D{m}^{\prime }}$. Output the public key ${\mathit{A}}_{i{d}_1}^{\prime },\dots ,{\mathit{A}}_{i{d}_N}^{\prime }$ and the joint secret key vector $\widehat{\mathit{s}}$.

-

$mIBFHE.Enc\left(\mathit{M}PK,{\left[i{d}_j\right]}_{j\in \left[D\right]},{\left[{\mathit{A}}_{i{d}_j}^{\prime }\right]}_{j\in \left[D\right]},\mu ,i\right):$ Input the master public key $\mathit{M}PK$, the user’s identity vector ${\left[i{d}_j\right]}_{j\in \left[D\right]}$ and its corresponding public key ${\left[{\mathit{A}}_{i{d}_j}^{\prime }\right]}_{j\in \left[D\right]}$, the encrypted plaintext message $\mu \in \left\{0,1\right\}$ and the identity $i\in \left[D\right]$ that needs to be extended. Run the algorithm to output the extended ciphertext ${\widehat{\mathit{C}}}_i$ corresponding to identity $i{d}_i$. The specific operation steps are as follows:

1.

Single identity encryption step: Run $IBFHE.Enc\left(\mathit{M}PK,i{d}_i,\mu \right)$ to generate identity $i{d}_i$ single identity IBFHE ciphertext $\mathit{C}={\mathit{A}}_{id}^{{\prime }^{\mathrm{T}}}\mathit{Y}+\mu \mathit{M}+\mathit{E}$. In this step, the party (here the $i$-th party) keeps its $\mathit{Y}$ for the next step;

2.

Multi-identity ciphertext expansion step: Input a single-identity ciphertext $\mathit{C}$, the public keys of the other parties, and a randomness $\mathit{Y}$ selected from $IBFHE.Enc$. Execute steps (a)–(d) as follows:

(a)

${\left\{{\mathit{V}}_{i,j}^{\left(\mathit{x},\mathit{t}\right)}\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]}\leftarrow {\left\{IBFHE.Enc\left(\mathit{M}PK,i{d}_j,\mathit{Y}\left[\mathit{x},\mathit{t}\right]\right)\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]}$ for $j\in \left[D\right]$.

${\left\{{\overline{\mathit{V}}}_{i,j}^{\left(\mathit{x},\mathit{t}\right)}\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]}\leftarrow {\left\{IBFHE.Enc\left(MPK,i{d}_j,\overline{\mathit{Y}}\left[\mathit{x},\mathit{t}\right]\right)\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]}$ for $j\in \left[D\right]\backslash \left\{i\right\}$, where $\mathit{Y}$ was chosen in the single identity encryption step and $\overline{\mathit{Y}}$ is randomly chosen from ${\left\{0,1\right\}}^{n\times N}$.

(b)

Compute

$X_i^j\leftarrow Link–Mask\left({\left\{{\mathit{V}}_{i,j}^{\left(\mathit{x},\mathit{t}\right)}\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]},{\mathit{A}}_{i{d}_i}^{\prime }\right),j\in \left[D\right]$.

${\overline{X}}_i^j\leftarrow Link–Mask\left({\left\{{\overline{\mathit{V}}}_{i,j}^{\left(\mathit{x},\mathit{t}\right)}\right\}}_{\mathit{x}\in \left[n\right],\mathit{t}\in \left[N\right]},{\mathit{A}}_{i{d}_j}^{\prime }\right),j\in \left[D\right]\backslash \left\{i\right\}$.

(c)

Choose $\mathit{Q}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{m^{\prime }\times N}$. Set the matrix ${\mathit{Q}}_h\in {\mathbb{Z}}_q^{m^{\prime }\times N}$ having the last row ${\mathit{s}}_{i{d}_i}\mathit{Q}+{\overline{\mathit{e}}}_h$ and the rest rows zero, where ${\mathit{s}}_{i{d}_i}$ is the secret key of the party $i$, ${\overline{\mathit{e}}}_h$ is chosen from ${\chi }^N$, $\forall h\in \left[D\right]\backslash \left\{i\right\}$.

(d)

Define the extended ciphertext matrix ${\widehat{\mathit{C}}}_i\in {\mathbb{Z}}_q^{D{m}^{\prime }\times DN}$ of the initial ciphertext $\mathit{C}$ as

$${\widehat{\mathit{C}}}_{\mathit{i}}\left[\begin{array}{cc}\begin{array}{cc}{\mathit{C}}_{\mathit{i}}^1& 0\\ 0& {\mathit{C}}_{\mathit{i}}^2\end{array}& \begin{array}{ccc}\cdots & 0& 0\\ \cdots & 0& 0\end{array}\\ \begin{array}{cc}⋮& ⋮\\ \mathit{Q}& \cdots \end{array}& \begin{array}{ccc}⋮& ⋮& ⋮\\ {\mathit{C}}_{\mathit{i}}^{\mathit{i}}& \cdots & \mathit{Q}\end{array}\\ \begin{array}{cc}⋮& ⋮\\ 0& 0\end{array}& \begin{array}{ccc}⋮& ⋮& ⋮\\ \cdots & 0& {\mathit{C}}_{\mathit{i}}^{\mathit{D}}\end{array}\end{array}\right]$$

Which is concatenated by $D^2$ number of $m^{\prime }\times N$ sub-matrices. The diagonal sub-matrices of ${\widehat{\mathit{C}}}_i$ are ${\mathit{C}}_i^j=\mathit{C}-X_i^j+{\overline{X}}_i^j-{\mathit{Q}}_j$ for $j\in \left[D\right]\backslash \left\{i\right\}$ and the $i$-th diagonal sub-matrix is $\mathit{C}-X_i^i$. Lastly, $\mathit{Q}$ is on the $i$-th row and zero matrix $0^{m^{\prime }\times N}$ is elsewhere.

-

$mIBFHE.Eval\left(MPK,\left({\widehat{\mathit{C}}}_1,\dots ,{\widehat{\mathit{C}}}_{\mathit{t}}\right),f\right):$ Input the master public key $MPK$, Boolean circuit $f$, and the extended ciphertext ${\widehat{\mathit{C}}}_1,\dots ,{\widehat{\mathit{C}}}_{\mathit{t}}$ which are the ciphertext encrypted under different identities $id$. Output the operation ciphertext $\widehat{\mathit{C}}=f\left({\widehat{\mathit{C}}}_1,\dots ,{\widehat{\mathit{C}}}_{\mathit{t}}\right)$, where the homomorphic addition is ${\widehat{\mathit{C}}}_{\mathit{A}dd}={\widehat{\mathit{C}}}_1+{\widehat{\mathit{C}}}_2$ and the homomorphic multiplication is ${\widehat{\mathit{C}}}_{Mult}={\widehat{\mathit{C}}}_1{\mathit{M}}^{-1}\left({\widehat{\mathit{C}}}_2\right)$. According to the definitions of addition and multiplication, the homomorphic NAND operation is defined as ${\widehat{\mathit{C}}}_{N\mathit{A}ND}=\widehat{\mathit{M}}-{\widehat{\mathit{C}}}_1{\widehat{\mathit{M}}}^{-1}\left({\widehat{\mathit{C}}}_2\right)$.

-

$mIBFHE.Dec\left(MPK,\widehat{\mathit{s}},\widehat{\mathit{C}}\right)$: Input the master public key $MPK$, the joint secret key $\widehat{\mathit{s}}$ and the extended ciphertext $\widehat{\mathit{C}}$ to be decrypted. Set a vector $\widehat{\omega }=\left[\left|\frac{q}{2}\right|,0,\dots ,0\right]\in {\mathbb{Z}}_q^{D{m}^{\prime }}$, compute ${\mu }^{\prime }={\widehat{\mathit{s}}}^{\mathrm{T}}·\widehat{\mathit{C}}·{\widehat{\mathit{M}}}^{-1}\left(\widehat{\omega }\right)$, and output $\mu =\lfloor \frac{2{\mu }^{\prime }}{q}\rfloor$.

Correctness. Let ${\widehat{\mathit{C}}}_i$ be the multi-identity ciphertext of a bit $\mu$ by $i$-th user from the $mIBFHE.Enc$ algorithm:

$${\widehat{\mathit{C}}}_i\leftarrow \mathrm{mIBFHE}.\mathrm{Enc}\left(MPK,{\left[i{d}_j\right]}_{j\in \left[D\right]},{\left[{\mathit{A}}_{i{d}_j}^{\prime }\right]}_{j\in \left[D\right]},\mu ,i\right)$$

where $\mathit{C}$ is a single identity IBFHE ciphertext. For the joint secret key $\widehat{\mathit{s}}=\left[{\mathit{s}}_{i{d}_1},\dots ,{\mathit{s}}_{i{d}_D}\right]\in {\mathbb{Z}}_q^{D{m}^{\prime }}$ and the gadget matrix $\widehat{\mathit{M}}\in {\mathbb{Z}}_q^{D{m}^{\prime }\times DN}$, if ${\widehat{\mathit{C}}}_i$ satisfies the relation ${\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_i\approx \mu {\widehat{\mathit{s}}}^{\mathrm{T}}\widehat{\mathit{M}}$, then we can naturally generalize the arguments of the scheme in [7]. The correctness of encryption and evaluation can be realized, and an effective mIBFHE scheme can be obtained.

Now, we are ready to prove the correctness of multi-identity ciphertext. We recall that for a valid output $X$ from $\mathit{L}ink–Mask\left(p{k}^{\prime },\left({\mathit{V}}^{1,1},\dots ,{\mathit{V}}^{n,N}\right)\right)$ with respect to a 0-1 matrix $\mathit{Y}$, we have ${\mathit{s}}^{\mathrm{T}}X={\mathit{s}}^{\mathrm{T}}{{\mathit{A}}^{\prime }}^{\mathrm{T}}\mathit{Y}+\mathit{e}$ for ${\mathit{e}}_{\infty }\le n{\left(m+1\right)}^2\beta$. By the definition, we have

$$\begin{gathered} {\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_i=\left[{\mathit{s}}_{i{d}_1}^{\mathrm{T}}{\mathit{C}}_i^1+{\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{Q},\dots ,{\mathit{s}}_{i{d}_i}^{\mathrm{T}}{\mathit{C}}_i^i,\dots ,{\mathit{s}}_{i{d}_D}^{\mathrm{T}}{\mathit{C}}_i^D+{\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{Q}\right] \\ =\left[{\mathit{s}}_{i{d}_1}^{\mathrm{T}}\left(\mathit{C}-X_i^1+{\overline{X}}_i^1-{\mathit{Q}}_1\right)+{\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{Q},\dots ,{\mathit{s}}_{i{d}_i}^{\mathrm{T}}\left(\mathit{C}-X_i^i\right)\right., \\ \left.\dots ,{\mathit{s}}_{i{d}_D}^{\mathrm{T}}\left(\mathit{C}-X_i^D+{\overline{X}}_i^D-{\mathit{Q}}_D\right)+{\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{Q}\right] \end{gathered}$$

Let’s see how the bit message $\mu$ is correctly recovered and check the error bound by using the following properties.

(1)

${\mathit{s}}_{i{d}_j}^{\mathrm{T}}\mathit{C}={\mathit{s}}_{i{d}_j}^{\mathrm{T}}\left({\mathit{A}}_{i{d}_i}^{{\prime }^{\mathrm{T}}}{\mathit{Y}}_i+\mu \mathit{M}+\mathit{E}\right)={\mathit{s}}_{i{d}_j}^{\mathrm{T}}{\mathit{A}}_{i{d}_i}^{{\prime }^{\mathrm{T}}}{\mathit{Y}}_i+\mu {\mathit{s}}_{i{d}_j}^{\mathrm{T}}\mathit{M}+{\mathit{e}}^{\prime },\mathrm{where} \parallel {\mathit{e}}^{\prime }{\parallel }_{\infty }\le \left(m+1\right)\beta$;

(2)

${\mathit{s}}_{i{d}_j}^{\mathrm{T}}{X}_i^j={\mathit{s}}_{i{d}_j}^{\mathrm{T}}{\mathit{A}}_{i{d}_i}^{{\prime }^{\mathrm{T}}}{\mathit{Y}}_i+{\mathit{e}}_j^{\prime \prime }, \mathrm{where} \parallel {\mathit{e}}_j^{\prime \prime }{\parallel }_{\infty }\le n{\left(m+1\right)}^4\beta$;

(3)

${\mathit{s}}_{i{d}_i}^{\mathrm{T}}{X}_i^i={\mathit{s}}_{i{d}_i}^{\mathrm{T}}{\mathit{A}}_{i{d}_i}^{{\prime }^{\mathrm{T}}}{\mathit{Y}}_i+{\mathit{e}}_j^{\prime \prime }={\tilde{\mathit{e}}}_i, \mathrm{where} \parallel {\tilde{\mathit{e}}}_i{\parallel }_{\infty }\le n\left[{\left(m+1\right)}^4+m+1\right]\beta$;

(4)

${\mathit{s}}_{i{d}_j}^{\mathrm{T}}{\overline{X}}_i^j={\mathit{s}}_{i{d}_j}^{\mathrm{T}}{\mathit{A}}_{i{d}_j}^{{\prime }^{\mathrm{T}}}\overline{\mathit{Y}}+{\overline{\mathit{e}}}_j^{\prime \prime }={\tilde{\mathit{e}}}_j, \mathrm{where} \parallel {\tilde{\mathit{e}}}_j{\parallel }_{\infty }\le n\left[{\left(m+1\right)}^4+m+1\right]\beta$;

(5)

${\mathit{s}}_{i{d}_j}^{\mathrm{T}}{\mathit{Q}}_j={\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{Q}+{\overline{\mathit{e}}}_j, \mathrm{where} \parallel {\overline{\mathit{e}}}_j{\parallel }_{\infty }\le \left(m+1\right)\beta$;

$$\begin{gathered} \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\therefore {\mathit{s}}_{i{d}_j}^{\mathrm{T}}\left(\mathit{C}-X_i^j+{\overline{X}}_i^j-{\mathit{Q}}_j\right)+{\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{Q}=\mu {\mathit{s}}_{i{d}_j}^{\mathrm{T}}\mathit{M}+{\widehat{\mathit{e}}}_j \\ {\mathit{s}}_{i{d}_i}^{\mathrm{T}}\left(\mathit{C}-X_i^i\right)=\mu {\mathit{s}}_{i{d}_i}^{\mathrm{T}}\mathit{M}+{\widehat{\mathit{e}}}_i \end{gathered}$$

Therefore, we have ${\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_i=\mu {\widehat{\mathit{s}}}^{\mathrm{T}}\widehat{\mathit{M}}+\widehat{\mathit{e}}$ where $\widehat{\mathit{e}}=\left[{\widehat{\mathit{e}}}_1,\dots ,{\widehat{\mathit{e}}}_i,\dots ,{\widehat{\mathit{e}}}_D\right]\in {\mathbb{Z}}_q^{D\times N}$ and $\Vert \widehat{\mathit{e}}{\Vert }_{\infty }\le \left[2n{\left(m+1\right)}^4+\left(n+1\right)\left(m+1\right)\beta \right]$. In the decryption procedure, this error is multiplied by $\sqrt{DN. }$ By our choice of the parameter, $\sqrt{DN }\left[2n{\left(m+1\right)}^4+\left(n+1\right)\left(m+1\right)\beta \right]<\frac{q}{4}$.

Homomorphic property. The homomorphic property of the mIBFHE scheme follows directly from the IBFHE scheme in the fourth chapter, because the $mIBFHE.Eval$ algorithm is basically the same as the $IBFHE.Eval$ algorithm except for the dimension expansion, the matrix $\widehat{\mathit{M}}$ and the randomization function ${\widehat{\mathit{M}}}^{-1}\left(·\right)$. The following is the homomorphism analysis of the mIBFHE scheme:

Definition 9.

Let ${\widehat{\mathit{C}}}_1,{\widehat{\mathit{C}}}_2$ be an extended ciphertext matrix corresponding to plaintext ${\mu }_1,{\mu }_2$, respectively, and the secret key is $\widehat{\mathit{s}}\in {\mathbb{Z}}_q^{D{m}^{\prime }}$, satisfying ${\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_1={\mu }_1{\widehat{\mathit{s}}}^{\mathrm{T}}\widehat{\mathit{M}}+{\widehat{\mathit{e}}}_1$, ${\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_2={\mu }_2{\widehat{\mathit{s}}}^{\mathrm{T}}\widehat{\mathit{M}}+{\widehat{\mathit{e}}}_2$, where ${\mu }_1,{\mu }_2\in \left\{0,1\right\}$, $\Vert {\widehat{\mathit{e}}}_1\Vert {}_{\infty }\le {\widehat{\beta }}_1$, $\Vert {\widehat{\mathit{e}}}_2\Vert {}_{\infty }\le {\widehat{\beta }}_2$.

(1)

Homomorphic addition: ${\widehat{\mathit{C}}}_{\mathit{A}dd}={\widehat{\mathit{C}}}_1+{\widehat{\mathit{C}}}_2$, satisfy ${\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_{\mathit{A}dd}={\widehat{\mathit{s}}}^{\mathrm{T}}\left({\widehat{\mathit{C}}}_1+{\widehat{\mathit{C}}}_2\right)=\left({\mathit{u}}_1+{\mu }_2\right){\widehat{\mathit{s}}}^{\mathrm{T}}\widehat{\mathit{M}}+{\widehat{\mathit{e}}}^{+}$,where ${\widehat{\mathit{e}}}^{+}={\widehat{\mathit{e}}}_1+{\widehat{\mathit{e}}}_2$. Obviously ${\widehat{\mathit{C}}}_{\mathit{A}dd}$ is ${\widehat{\beta }}_1+{\widehat{\beta }}_2$ noise ciphertext, that is, after one-time homomorphic addition, the error increases by 2 times the factor.

(2)

Homomorphic multiplication: ${\widehat{\mathit{C}}}_{\mathit{M}\mathit{u}l\mathit{t}}={\widehat{\mathit{C}}}_1{\widehat{\mathit{M}}}^{-1}\left({\widehat{\mathit{C}}}_2\right)$, satisfy ${\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_{\mathit{M}\mathit{u}l\mathit{t}}={\widehat{\mathit{s}}}^{\mathrm{T}}{\widehat{\mathit{C}}}_1{\mathit{M}}^{-1}\left({\widehat{\mathit{C}}}_2\right)=\left({\mu }_1{\mu }_2\right){\widehat{\mathit{s}}}^{\mathrm{T}}\widehat{\mathit{M}}+{\widehat{\mathit{e}}}^{\times }$, where ${\widehat{\mathit{e}}}^{\times }={\widehat{\mathit{e}}}_1{\widehat{\mathit{M}}}^{-1}\left({\widehat{\mathit{C}}}_2\right)+{\mu }_1{\widehat{\mathit{e}}}_2$. Obviously $\parallel {\widehat{\mathit{e}}}^{″}{\parallel }_{\infty }\le \left(\sqrt{DN}{\widehat{\beta }}_1+{\widehat{\beta }}_2\right)$, ${\widehat{\mathit{C}}}_{Mult}$ is $\left(\sqrt{DN}{\widehat{\beta }}_1+{\widehat{\beta }}_2\right)$ noise ciphertext. The same calculation is also applicable to NAND gates.

Multi-identity ciphertext security. If the IBE scheme constructed in this paper is IND-sID-CPA secure, then the mIBFHE scheme proposed in this paper is also IND-sID-CPA secure.

By using constructive proof, the masking scheme constructed by $LinkMask$ algorithm is IND-sID-CPA security. From theorem 2, it can be seen that the IBFHE scheme is IND-sID-CPA security. In summary, the mIBFHE scheme is also IND-sID-CPA security.

5.3. Efficiency Analysis of MIBFHE Scheme

The mIBFHE scheme proposed in this paper is compared with the CM15 scheme proposed by Clear et al. [12]. The comparison results are shown in

Table 2. Comparison of main parameters of mIBFHE scheme.

Scheme	Dimension	$\mathit{q}$	$\mathbf{Size} \mathbf{of} \widehat{\mathit{s}}$	$\mathbf{Size} \mathbf{of} \widehat{\mathit{C}}$	Noise Rate
[12]	$6n\log q$	$8\omega \beta {\left(DN+1\right)}^{\mathit{L}}$	$ND$	$DN\times DN$	$DN+1$
Ours	$2n\log q$	$5\omega \beta {\left(\sqrt{DN}+1\right)}^{\mathit{L}}$	$m^{\prime }D$	$D{m}^{\prime }\times DN$	$\sqrt{DN}+1$

.

From the analysis in Table 2, it can be seen that compared with the CM15 scheme based on the trapdoor generation algorithm in [21], the mIBFHE scheme in this paper used the MP12 trapdoor generation algorithm and the preimage matrix for encryption. The scheme is more concise and the encryption algorithm is simpler. Therefore, the main efficiency parameters of the mIBFHE scheme in this paper are significantly optimized. The lattice security dimension $m$ is reduced from $6n\log q$ to $2n\log q$, the size of the joint secret key $\widehat{\mathit{s}}$ is reduced from $ND$ to $m^{\prime }D$, and the size of extended ciphertext is reduced from $DN\times DN$ to $m^{\prime }D\times DN$.

6. Conclusions

Aiming at the problem that low efficiency of trapdoor function and sampling algorithm in lattice-based multi-identity fully homomorphic encryption scheme, this paper first constructed an efficient and transformable IBE scheme based on MP12 trapdoor, which solves the problem that the trapdoor of IBE scheme is difficult to realize and the preimage sampling is complex. Based on the LWE hardness problem, it is proved that the scheme is IND-sID-CPA security under the standard model. Then, the IBE scheme is transformed into IBFHE scheme by using the approximate eigenvector to eliminate the evaluation key and the preimage matrix. This IBFHE scheme satisfies the homomorphism operation. Finally, the constructed masking scheme and the extended ciphertext method are used to transform the IBFHE scheme into mIBFHE scheme. Compared with similar schemes, our scheme is more concise and efficient, and the parameters are more compact.