Table 6 IB-DRE _ABB scheme

\(\mathsf {Setup}_{\mathsf {ID}}(1^{\lambda }): (\mathbf {A}, \mathbf {T_{A}}) \overset {\$}{\leftarrow } \mathsf {TrapGen}(1^{n}, 1^{m}, q)\), \(\mathbf {U}\overset {\$}{\leftarrow } \mathbb {Z}^{n \times n}_{q}\), \(\mathbf {A}^{1}_{i}, \mathbf {A}^{2}_{i} \overset {\$}{\leftarrow } \mathbb {Z}^{n \times m}_{q}\)

for \(i \in [\ell ].\ \text {Output}\ PP = \left (\mathbf {A}, \{\mathbf {A}^{1}_{i}\}_{i \in \ell }, \{\mathbf {A}^{2}_{i}\}_{i \in \ell }, \mathbf {U}\right)\) and Msk=T_A.

\(\mathsf {KeyGen}_{\mathsf {ID}}(PP, Msk,\mathbf {id}_{1st},\mathbf {id}_{2nd}\in \mathcal {ID}):\)

1. Compute \(\phantom {\dot {i}\!}\mathbf {A}_{\mathbf {id}_{1}} = \mathbf {G} + \sum ^{l}_{i = 1} (\mathbf {id}_{1st})_{i}\mathbf {A}^{1}_{i}\), \(\phantom {\dot {i}\!}\mathbf {A}_{\mathbf {id}_{2}}\) = \(\mathbf {G} + \sum ^{l}_{i = 1} (\mathbf {id}_{2nd})_{i}\mathbf {A}^{2}_{i}\).

2. \(\left (\mathbf {E}_{\mathbf {id}_{1}}\!\right)_{i} \!\!\leftarrow \!\! \mathsf {SampleLeft}\!\left (\mathbf {A},\mathbf {A}_{\mathbf {id}_{1}}, (\mathbf {U})_{i},\mathbf {T}_{\mathbf {A}},\sigma \!\right)\)for i∈[n] and set\(sk_{\mathbf {id}_{1st}}\,=\,\mathbf {E}_{\mathbf {id}_{1}}\phantom {\dot {i}\!}\).

Similarly, it obtain \(\phantom {\dot {i}\!}sk_{\mathbf {id}_{2nd}}\) = \(\phantom {\dot {i}\!}\mathbf {E}_{\mathbf {id}_{2}}\) such that \(\left [\mathbf {A}|\mathbf {A}_{\mathbf {id}_{2}}\right ]\cdot \mathbf {E}_{\mathbf {id}_{2}}=\mathbf {U}\).

3. Output the secret key \(\phantom {\dot {i}\!}sk_{\mathbf {id}_{1st}}\,=\,\mathbf {E}_{\mathbf {id}_{1}} \in \mathbb {Z}_{q}^{2m\times n}\)and\(\phantom {\dot {i}\!}sk_{\mathbf {id}_{2nd}}\) = \(\phantom {\dot {i}\!}\mathbf {E}_{\mathbf {id}_{2}} \in \mathbb {Z}_{q}^{2m\times n}\).

Enc_ID(PP,id_1st,id_2nd,m):

Compute \(\mathbf {A}_{\mathbf {id}_{1}},\mathbf {A}_{\mathbf {id}_{2}}\phantom {\dot {i}\!}\) as above. Pick \(\mathbf {s} \overset {\$}\!{\leftarrow }\! \mathbb {Z}_{q}^{n}\), \(\mathbf {e}_{0} \overset {\$}\!{\leftarrow }\! \mathcal {D}_{\mathbb {Z}^{n},\alpha q}\), e_1,1,e_1,2,

\(\mathbf {e}_{1,3} \overset {\$}{\leftarrow } \mathcal {D}_{\mathbb {Z}^{m},\alpha ^{\prime } q}\).

\(\mathbf {c}_{0} = \mathbf {U}^{\top }\mathbf {s} + \mathbf {e}_{0} + \left \lceil \frac {q}{2}\right \rceil \cdot \mathbf {m}\in \mathbb {Z}_{q}^{n},\)

\(\mathbf {c}_{1} = \left [ \begin {array}{c} \mathbf {c_{1,1}}\\ \mathbf {c_{1,2}}\\ \mathbf {c_{1,3}} \end {array} \right ]= \left [ \begin {array}{c} \mathbf {A}^{\top }\\ (\mathbf {A}_{\mathbf {id}_{1}})^{\top }\\ (\mathbf {A}_{\mathbf {id}_{2}})^{\top } \end {array} \right ]\mathbf {s} +\left [ \begin {array}{c} \mathbf {e_{1,1}}\\ \mathbf {e_{1,2}}\\ \mathbf {e_{1,3}}\\ \end {array} \right ]\in \mathbb {Z}_{q}^{3m}.\)

\(\mathsf {Dec}_{\mathsf {ID}}(PP,sk_{\mathbf {id}_{j}},\mathbf {c})\phantom {\dot {i}\!}\): Compute \(\mathbf {b} = \mathbf {c}_{0}-\mathbf {E}_{\mathbf {id}_{1}}^{\top }\cdot \left [ \begin {array}{c} \mathbf {c}_{1,1}\\ \mathbf {c}_{1,2}\\ \end {array} \right ] \)

\(= ((\mathbf {b})_{1},\cdots, (\mathbf {b})_{n})^{\top } \in \mathbb {Z}^{n}\). Set

(m)_i=1 if \(\left |(\mathbf {b})_{i} - \lceil \frac {q}{2}\rceil \right | < \lceil \frac {q}{4}\rceil \); otherwise sets (m)_i=0

where i∈[n]. Finally, output a plaintext m=((m)₁,⋯,(m)_n)^⊤.