Table 5 DRE _ABB scheme

\(\mathsf {CGen}_{\mathsf {DRE}}(1^{\lambda }): \mathbf {U} \overset {\$}{\leftarrow } \mathbb {Z}^{n \times n}_{q}\), output crs=U.

\(\mathsf {Gen}_{\mathsf {DRE}}(\mathsf {crs})\!:\! (\mathbf {A}_{i}, \mathbf {T}_{\mathbf {A}_{i}})\! \overset {\$}{\leftarrow }\! \mathsf {TrapGen}(1^{n}, 1^{m}, q)\), \(\mathbf {B}_{i} \overset {\$}{\leftarrow } \mathbb {Z}^{n \times m}_{q}\) for i = 1,2. Output

pk_i=(A_i,B_i), \(sk_{i} = \mathbf {T}_{\mathbf {A}_{i}}\phantom {\dot {i}\!}\).

Enc_DRE(crs,pk₁,pk₂,m∈{0,1}ⁿ):

1. Generate (vk,sk)←Gen_OTS(1^λ).

2. Compute C₁=(A₁|B₁+H_n,q(vk)·G), C₂=(A₂|B₂+H_n,q(vk)·G)).

3. Pick \(\mathbf {s} \overset {\$}{\leftarrow } \mathbb {Z}_{q}^{n}\), \(\widetilde {\mathbf {e}}_{0} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\), and \(\mathbf {e}_{1,1}, \mathbf {e}_{2,1}, \mathbf {e}_{1,2}, \mathbf {e}_{2,2} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\),

compute and return the ciphertext c = (vk,c₀,c₁,c₂,ρ), where

ρ=Sig_OTS(sk,(c₀,c₁,c₂)) and

\(\mathbf {c}_{0} = \mathbf {U}^{\top }\mathbf {s} + \widetilde {\mathbf {e}}_{0} + \mathbf {m} \cdot \left \lceil \frac {q}{2}\right \rceil \in \mathbb {Z}_{q}^{n}\),

\({\begin {aligned} &\mathbf {c}_{1} = \mathbf {C}_{1}^{\top }\mathbf {s} + \left [ \begin {array}{c} \mathbf {e}_{1,1}\\ \mathbf {e}_{1,2} \end {array} \right ] \in \mathbb {Z}_{q}^{2m},& \mathbf {c}_{2} = \mathbf {C}_{2}^{\top }\mathbf {s} + \left [ \begin {array}{c} \mathbf {e}_{2,1}\\ \mathbf {e}_{2,2} \end {array} \right ] \in \mathbb {Z}_{q}^{2m}. \end {aligned}}\)

Dec_DRE(crs,pk₁,pk₂,sk₁,c):

1. Run Vrf_OTS(vk,(c₀,c₁,c₂),ρ), outputs ⊥ if Vrf_OTS rejects;

2. \((\mathbf {E}_{1})_{i} \leftarrow \mathsf {SampleLeft}(\mathbf {A}_{1},\mathbf {B}_{1} + H_{n,q}(\mathsf {vk})\cdot \mathbf {G}, (\mathbf {U})_{i}, \mathbf {T}_{\mathbf {A}_{1}},\sigma)\), i∈[n], to obtain

\(\mathbf {E}_{1} \in \mathbb {Z}_{q}^{2m \times n}\) such that C₁·E₁=U;

3. Compute \(\mathbf {b} = \mathbf {c}_{0}-\mathbf {E}_{1}^{\top }\mathbf {c}_{1} = ((\mathbf {b})_{1},\cdots,(\mathbf {b})_{n})^{\top } \in \mathbb {Z}^{n}\).

Set (m)_i=1 if \(\left |(\mathbf {b})_{i} - \lceil \frac {q}{2}\rceil \right |< \lceil \frac {q}{4}\rceil \), else (m)_i=0, i∈[n].

4. Return the plaintext m=((m)₁,⋯,(m)_n)^⊤.