Provably Secure Identity-Based Encryption and Signature over Cyclotomic Fields

Identity-based cryptography is a type of public key cryptography with simple key management procedures. To our knowledge, all existing identity-based cryptography based on NTRU works over power-of-2 cyclotomic rings, and whether provably secure identity-based cryptography exists over more general fields has remained open. In this paper, with the help of results on collision-resistant preimage sampleable functions (CRPSF) over cyclotomic fields, we give concrete constructions of provably secure identity-based encryption (IBE) and identity-based signature (IBS) schemes based on NTRU over any cyclotomic field. Our IBE schemes are provably secure under adaptive chosen-plaintext and adaptive chosen-identity attacks, and our IBS schemes are existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks for any probabilistic polynomial time (PPT) adversary in the random oracle model. The security of both schemes rests on the worst-case approximate shortest independent vectors problem ($\mathrm{SIVP}_\gamma$) over the corresponding ideal lattices. The secret key of our IBE (IBS) scheme is short: only one (two) ring element(s). The ciphertext (signature) is also short: only two (three) ring elements. Meanwhile, as with NTRUEncrypt, our IBE scheme encrypts $n$ bits in each encryption. These properties may give our schemes advantages for some IoT applications in a post-quantum world, at least in theory.


Introduction
Nowadays, the Internet of Things (IoT) plays an extremely important role, comprising millions of smart and connected devices that offer benefits in a wide range of settings, for example, smart cities, smart grids, smart traffic, and smart buildings. The corresponding techniques have developed at an unprecedented pace due to the quick evolution of smart devices and continuous investment by leading communities. In a smart IoT system, data collected by mote devices are transferred to a gateway or the cloud; the cloud performs data analysis and sends the results to the particular management system, which takes suitable action. Protecting this whole network against malicious events, as well as the privacy and authenticity of the data, is one of the toughest challenges in deploying IoT technology. Several considerations and solutions are discussed in [1-4]. Due to constrained resources (memory size, CPU speed, and network bandwidth), traditional public key systems cannot be used directly: their key management is complicated, and their computation and storage may consume a large amount of resources.
Identity-based cryptography is a type of public key cryptography in which the public key of a user is some unique information about the identity of the user (e.g., a user's e-mail address or the MAC address of a device).
This means that a sender with access to the public parameters of the system can encrypt a message (verify a signature) using the receiver's (signer's) identity as the public key. The receiver (signer) obtains its decryption (signing) key from a central authority, which must be trusted since it generates the secret keys of every user. Such primitives significantly simplify the key management procedures of certificate-based public key infrastructures.
IBE and IBS were proposed by Shamir [5]; since then, a large number of papers have been published in this area, including IBE [6-12], IBS [13-17], and identity-based signcryption (sign-then-encrypt) schemes [13, 18, 19]. To date, the fully practical identity-based primitives are based on bilinear pairings. With the rapid development of quantum computation, quantum computers are expected to break such systems in the not-so-distant future, so designing quantum-immune IBE and IBS schemes is urgent. Primitives based on hard lattice problems are good candidates, and many such identity-based schemes have been designed [6, 9, 10, 16]. However, the efficiency of these schemes is not very satisfactory, especially for IoT applications. It is well known that NTRU-based primitives are usually highly efficient [20] and are good candidates for lightweight cryptosystems in the post-quantum world. Therefore, IBE and IBS schemes based on NTRU may enjoy high efficiency and quantum immunity at the same time.
To the best of our knowledge, the existing NTRU-based IBE [21] and IBS [17] schemes all work over power-of-2 cyclotomic rings, where the NTT can be used and computations are very fast. However, the corresponding cyclotomic fields have many subfields, which makes these settings more exposed to subfield attacks [22-24]. Seeking constructions of IBE and IBS over more general fields is therefore meaningful. Meanwhile, strictly speaking, both schemes [17, 21] lack a security proof in the following two senses. (1) The PPT key generation algorithm of [21] is heuristic, and the CPA security of the scheme is guaranteed by a key-encapsulation mechanism built into the encryption process and is measured in Kullback-Leibler "distance" rather than statistical distance; security is then estimated against known attacks, which is why the modulus $q$ is small and the schemes are practical. (2) The parameter settings of the IBS [17] were taken from [25], but the main lemma used in [25] to prove that the trapdoor generation algorithm of the CRPSF runs in PPT had some deficiencies, so the parameter choices in [17] cannot achieve the desired result.

Our Contributions and Technique
Overview. Motivated by the above, we construct provably secure IBE and IBS schemes over any cyclotomic field.
Compared with [21], our IBE scheme is strictly provably secure under adaptive chosen-plaintext and adaptive chosen-identity attacks. At a high level, our result implies that one can heuristically design an IBE scheme with parameters similar to those of [21] in any cyclotomic field. Since we use the modified CRPSF algorithms proposed in [26], our IBS scheme is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks in theory.
Though the efficiency of our IBE and IBS schemes may not be satisfactory when the parameters are set to achieve provable security, our results give a high-level indication that one can heuristically design IBE and IBS over any cyclotomic field with small parameters (for example, the settings of classical NTRU-based cryptography [20]) and obtain a lightweight cryptosystem usable in some IoT applications.
Next, we give a brief review of constructions.
The construction of our IBE scheme is inspired by [21] and follows the route of [10]. The setup algorithm uses the key generation algorithm of the CRPSF constructed in [26] to generate the public parameters PP, including a cyclotomic field $K$ and an element $h \in R_q^\times$. Here, $R = \mathcal{O}_K$ is the ring of integers of $K$ and $R_q^\times$ is the set of invertible elements of $R_q = R/qR$. The key generation algorithm of the CRPSF also outputs a short trapdoor basis of the NTRU lattice $\Lambda_h^q = \{(x, y) \in R^2 : y = hx \bmod qR\}$. The secret key of an identity (identities are mapped to $R_q$ by a random oracle $H : \{0,1\}^* \to R_q$) is the element of $\Lambda_h^q$ output by the SamplePre algorithm of the CRPSF using the trapdoor basis. Encryption and decryption follow the idea of [10]: we embed the message in a Ring-LWE instance during encryption, and the ciphertext consists of two Ring-LWE instances (only the $b$-components) $(u, v)$ with the "implied" relation that $v - u \cdot sk$ is short.
Then the decryption process only needs to remove the error by rounding ($\lfloor \cdot \rceil$). Security (indistinguishability) is based on the hardness of the corresponding decision Ring-LWE problems, and no key-encapsulation mechanism is needed in the encryption process.
The construction of the IBS follows the route of [17], which combines the techniques of [10, 27]. We also use the key generation algorithm of the CRPSF to generate Msk.
Signing and verification follow the idea of [27], using a rejection sampling algorithm. The signature of a message $\mu$ is a triple $(z_1, z_2, u)$ with $y_i \leftarrow D_{R,s}$, $z_i = y_i + \sigma_i \cdot u$, and $u = H'(hy_1 - y_2 \bmod qR, \mu)$.
Rejection sampling makes the distribution of $z_i$ independent of the secret key $(\sigma_1, \sigma_2)$; in particular, $z_i \leftarrow D_{R,s}$. To verify a signature, one only needs to check that the $z_i$ are short and that $u = H'(hz_1 - z_2 - H(id) \cdot u \bmod qR, \mu)$. The unforgeability of our scheme reduces to the corresponding Ring-SIS problems.
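To make the two relations above concrete, the following is an added toy implementation written for this page (it is not code from the paper, nor from [17, 21, 26]) of the IBE ciphertext/decryption identity and the IBS sign/verify identity over $R_q = \mathbb{Z}[x]/(\Phi_l(x), q)$ for an arbitrary conductor $l$, with $\Phi_l$ computed by exact division so that $l$ need not be a power of 2. Every security-relevant component is a labelled stand-in: there is no N-KeyGen/SamplePre trapdoor, so the toy KGC (`toy_extract`, an assumed helper) chooses the short key $(\sigma_1, \sigma_2)$ first and sets $t = h\sigma_1 - \sigma_2 \bmod q$, whereas the real scheme fixes $t = H(id)$ and uses the trapdoor basis to find such a key (this inversion is exactly why the toy is not identity-based: without the trapdoor nobody can derive a key for a hashed identity); ternary vectors replace the discrete Gaussians $D_{R,s}$; coefficients are read in the power basis rather than the decoding basis; the challenge hash $H'$ outputs a sparse ternary element; rejection sampling uses a uniform box instead of the Gaussian ratio with constant $M$ of Theorem 2; and $l = 15$, $q = 12289$ and the bounds `B`, `BETA`, `KAPPA` are toy values chosen for readability, not the paper's parameters.

```python
# Added toy example (not the paper's code): NTRU-style IBE/IBS arithmetic over
# R_q = Z[x]/(Phi_l(x), q) for an arbitrary conductor l.  No trapdoor: toy_extract
# picks the short key first and derives t = h*sigma_1 - sigma_2 (mod q), the
# relation the real KGC solves for t = H(id) using its trapdoor basis.
import hashlib
import random

L, Q = 15, 12289              # l = 15 gives n = phi(15) = 8 (not a power of 2); toy sizes
B, BETA, KAPPA = 4096, 64, 4  # signing box, bound on |sigma_i*c|_inf, challenge weight

def poly_div_exact(a, b):
    """Exact division of integer polynomials (coeff lists, low degree first); b monic."""
    a, quot = a[:], [0] * (len(a) - len(b) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = c = a[i + len(b) - 1]
        for j, bj in enumerate(b):
            a[i + j] -= c * bj
    assert not any(a), "division is not exact"
    return quot

def cyclotomic_poly(l):
    """Phi_l(x) = (x^l - 1) / prod_{d|l, d<l} Phi_d(x), valid for any conductor l."""
    num = [-1] + [0] * (l - 1) + [1]
    for d in (d for d in range(1, l) if l % d == 0):
        num = poly_div_exact(num, cyclotomic_poly(d))
    return num

PHI = cyclotomic_poly(L)
N = len(PHI) - 1              # n = deg Phi_l = phi(l)

def ring_mul(a, b):
    """a*b in Z[x] reduced by the monic Phi_l(x), then mod Q into [0, Q)."""
    r = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] += ai * bj
    for k in range(2 * N - 2, N - 1, -1):   # x^k -> lower powers via x^n = -(Phi - x^n)
        c = r[k]
        for j in range(N + 1):
            r[k - N + j] -= c * PHI[j]
    return [x % Q for x in r[:N]]

def ring_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def ring_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def centered(a): return [x - Q if x > Q // 2 else x for x in a]   # reps in (-Q/2, Q/2]
def inf_norm(a): return max(abs(x) for x in a)
def small_poly(rng): return [rng.choice((-1, 0, 1)) for _ in range(N)]  # ternary stand-in for D_{R,s}

def toy_extract(h, rng):
    """Stand-in for SamplePre: sk = (sigma_1, sigma_2), t = h*sigma_1 - sigma_2 (mod q)."""
    s1, s2 = small_poly(rng), small_poly(rng)
    return (s1, s2), ring_sub(ring_mul(h, s1), s2)

def encrypt(h, t, bits, rng):
    """(u, v) = (h r + e_1, t r + e_2 + floor(q/2) m): two Ring-LWE b-components sharing r."""
    assert len(bits) == N and all(b in (0, 1) for b in bits)   # n bits per ciphertext
    r, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    u = ring_add(ring_mul(h, r), e1)
    v = ring_add(ring_add(ring_mul(t, r), e2), [(Q // 2) * b for b in bits])
    return u, v

def decrypt(sk, u, v):
    """v - u*sigma_1 = e_2 - r*sigma_2 - e_1*sigma_1 + floor(q/2)*m; round each coefficient."""
    return [1 if abs(x) > Q // 4 else 0 for x in centered(ring_sub(v, ring_mul(u, sk[0])))]

def challenge(w, msg):
    """H'(w, mu): sparse ternary ring element with KAPPA nonzero coefficients, SHAKE-seeded."""
    seed = hashlib.shake_256(b"chal" + str(w).encode() + msg).digest(16)
    h_rng, c = random.Random(int.from_bytes(seed, "big")), [0] * N
    for pos in h_rng.sample(range(N), KAPPA):
        c[pos] = h_rng.choice((-1, 1))
    return c

def sign(h, sk, msg, rng):
    """z_i = y_i + sigma_i*c, c = H'(h y_1 - y_2 mod q, mu); reject unless z_i stays in a key-independent box."""
    while True:
        y1, y2 = [rng.randint(-B, B) for _ in range(N)], [rng.randint(-B, B) for _ in range(N)]
        c = challenge(ring_sub(ring_mul(h, y1), y2), msg)
        s1c, s2c = centered(ring_mul(sk[0], c)), centered(ring_mul(sk[1], c))
        if max(inf_norm(s1c), inf_norm(s2c)) > BETA:
            raise ValueError("BETA too small for this key")    # toy guard on the fixed bound
        z1, z2 = [y + d for y, d in zip(y1, s1c)], [y + d for y, d in zip(y2, s2c)]
        if max(inf_norm(z1), inf_norm(z2)) <= B - BETA:
            return z1, z2, c

def verify(h, t, msg, sig):
    """Accept iff z_i short and c == H'(h z_1 - z_2 - t c mod q, mu); that argument equals h y_1 - y_2."""
    z1, z2, c = sig
    if max(inf_norm(z1), inf_norm(z2)) > B - BETA:
        return False
    return c == challenge(ring_sub(ring_sub(ring_mul(h, z1), z2), ring_mul(t, c)), msg)

def demo(seed=1):
    """Round trip on constructed inputs; returns the checks as a dict."""
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]           # master public h (paper: h = g/f from N-KeyGen)
    sk, t = toy_extract(h, rng)
    bits = [rng.randint(0, 1) for _ in range(N)]
    u, v = encrypt(h, t, bits, rng)
    msg = b"constructed sample message"
    sig = sign(h, sk, msg, rng)
    return {"n": N, "dec_ok": decrypt(sk, u, v) == bits, "sig_ok": verify(h, t, msg, sig),
            "tamper_rejected": not verify(h, t, msg + b"!", sig)}
```

Calling `demo()` exercises exactly the term $e_2 - r\sigma_2 - e_1\sigma_1$ that the correctness lemma bounds (with ternary noise it stays far below $q/4$ for $l = 15$), and `verify` passes because $h z_1 - z_2 - t\,c$ collapses to $h y_1 - y_2$ modulo $q$ whenever $h\sigma_1 - \sigma_2 = t$.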
Finally, we remark that the techniques of [28] are also vital for bounding the decryption error of our IBE scheme.
Though we design our IBE scheme in $R^\vee$, the dual ideal of $R$, it can be converted to work in an integral ideal of $R$, or one can directly design the IBE scheme in $R$ using the hardness result of [29] (with larger parameters $\gamma$ and $q$). One can also discuss practicability under the Kullback-Leibler "distance" with the same method as in [21]. Meanwhile, our construction provides important support for designing IBE and IBS over general cyclotomic rings with relatively small parameters (without a provable security guarantee, but with a key generation algorithm that is PPT by our results) and analyzing their security from the viewpoint of attacks. How to reduce the parameter sizes of provably secure identity-based primitives and improve their efficiency are important open problems.

Organization.
In Section 2, we introduce the notation and basic results needed in our discussion. In Section 3, we discuss IBE schemes, including the basic definitions, security model, construction, and security analysis. IBS schemes are discussed in Section 4.

Wireless Communications and Mobile Computing

Preliminaries
In this section, we introduce some background results and notations.
2.1. Notations. We use $[n]$ to denote the set $\{1, 2, \ldots, n\}$. $\|\cdot\|$ denotes the $\ell_2$ norm with respect to the canonical embedding. For two random variables $X$ and $Y$, $\Delta(X, Y)$ denotes their statistical distance. When we write $X \leftarrow \xi$, we mean that the random variable $X$ follows the distribution $\xi$. If $S$ is a finite set, then $|S|$ is its cardinality and $U(S)$ is the uniform distribution over $S$. The symbols $\mathbb{Z}^+$ and $\mathbb{R}^+$ stand for the sets of positive integers and positive reals. $\log x$ denotes $\log_2 x$ for $x \in \mathbb{R}^+$. The functions $\varphi(n)$ and $\mu(n)$ are the Euler function and the Möbius function.

Cyclotomic Fields, Space H, and Ideal Lattices.
Throughout this paper, we only consider cyclotomic fields. For a cyclotomic field $K$ of degree $n$, we use the canonical embedding $\sigma$ on $K$, which maps $x \in K$ to $(\sigma_i(x))_{i \in [n]}$ in a space $H$. $H$ is isomorphic to $\mathbb{R}^n$ as an inner product space via the orthonormal basis $\{h_i\}_{i \in [n]}$ defined as follows: for $1 \le j \le r$, ..., where $e_j \in \mathbb{C}^n$ is the vector with 1 in its $j$-th coordinate and 0 elsewhere, and $i$ is the imaginary unit with $i^2 = -1$.
For any element $x \in K$, we define its norm by $\|x\| := \|\sigma(x)\|$ and its infinity norm by $\|x\|_\infty := \|\sigma(x)\|_\infty$. We define a lattice as a discrete additive subgroup of $H$. The dual lattice of $\Lambda \subseteq H$ is defined as ... One can check that this definition is actually the complex conjugate of the dual lattice as usually defined in $\mathbb{C}^n$; all properties of the dual lattice that we use also hold for the conjugate dual. Any fractional ideal $I$ of $K$ is a free $\mathbb{Z}$-module of rank $n$, so $\sigma(I)$ is a lattice in $H$; we call $\sigma(I)$ an ideal lattice, identify $I$ with this lattice, and associate with $I$ all the usual lattice quantities. Its dual is defined as $I^\vee = \{a \in K : \mathrm{Tr}(a \cdot I) \subseteq \mathbb{Z}\}$. Then it is easy to verify that $(I^\vee)^\vee = I$, that $I^\vee$ is a fractional ideal, and that $I^\vee$ embeds under $\sigma$ as the dual lattice of $I$ as defined above.

Gaussian Distributions, Ring-SIS Problems, and Ring-LWE Problems.
The Gaussian distribution is defined as usual. For any $s > 0$ and $c \in H$ (taken to be $s = 1$ or $c = 0$ when omitted), define the Gaussian function $\rho_{s,c} : H \to (0, 1]$ by $\rho_{s,c}(x) = e^{-\pi \|x - c\|^2 / s^2}$. Normalizing this function gives the continuous Gaussian probability distribution $D_{s,c}$ of parameter $s$, whose density is $s^{-n} \cdot \rho_{s,c}(x)$. For a real vector $r = (r_1, \ldots, r_n) \in (\mathbb{R}^+)^n$, we define the elliptical Gaussian distribution $D_r$ in the basis $\{h_i\}_{i \le n}$ as follows: a sample from $D_r$ is $\sum_{i \in [n]} x_i h_i$, where each $x_i$ is chosen independently from the Gaussian distribution $D_{r_i}$ over $\mathbb{R}$. Note that if we define a map $\varphi$ : ... For a lattice $\Lambda \subseteq H$, $\sigma > 0$ and $c \in H$, we define the lattice Gaussian distribution with support $\Lambda$, deviation $\sigma$, and center $c$ by $D_{\Lambda,\sigma,c}(x) = \rho_{\sigma,c}(x) / \rho_{\sigma,c}(\Lambda)$ for any $x \in \Lambda$. For $\delta > 0$, the smoothing parameter $\eta_\delta(\Lambda)$ is the smallest $\sigma > 0$ such that $\rho_{1/\sigma}(\Lamb﻿da^\vee \setminus \{0\}) \le \delta$.
The following theorem comes from [10, 30]. Here $\tilde B$ denotes the Gram-Schmidt orthogonalization of $B$, and the columns of $B$ are regarded as a set of vectors.
There is a probabilistic polynomial time algorithm that, given a basis $B$ of an $n$-dimensional lattice ..., and a $c \in H$, outputs a sample whose distribution is statistically close to $D_{\Lambda,\sigma,c}$.

Lemma 1. For any full-rank lattice Λ and positive real ε
The following rejection sampling theorem comes from [27]. We state an adapted version for the canonical embedding and the space $H$. Its proof is essentially the same as in [27], so we put it in the Appendix, with the remark that the constant $M$ can be computed effectively in practice.

Theorem 2. Let $\Lambda \subseteq H$ be an arbitrary lattice, $V \subseteq H$ be a set in which all elements have norm less than $T$, $\sigma$ be some element in
..., and $h : V \to [0, 1]$ be a probability distribution. Then there exists an absolute constant $M$ such that the distribution of the output of the following algorithm $\mathcal{A}$:

is within statistical distance $2^{-\omega(\log n)}/M$ of the distribution of the output of the following algorithm $\mathcal{F}$:

Moreover, the probability $p$ that $\mathcal{A}$ outputs something satisfies

The hard lattice problems we use are the Ring-SIS and Ring-LWE problems. For an element $z = (z_1, \ldots, z_m) \in R^m$, define $\|z\| := (\sum_{i=1}^m \|z_i\|^2)^{1/2}$. We first introduce the Ring-SIS problem; the definition is as follows.
Definition 1. Let $R$ be the ring of integers of $K$, $q$ and $m$ be positive integers, and $\beta$ be a real number. The small integer solution problem over ... For appropriate parameters, the following theorem from [32] shows that the Ring-SIS problem is hard.
... with high probability in polynomial time in the worst case to solving $R\text{-SIS}_{q,m,\beta}$ with nonnegligible probability in polynomial time, for any $m$, $q$, $\beta$ ...

The Ring-LWE problem is defined as follows. Let $\mathbb{T} = H/R^\vee$.

Definition 2. For $s \in R_q^\vee$ and an error distribution $\psi$ over $H$, the Ring-LWE distribution $A^\vee_{s,\psi}$ over $R_q \times \mathbb{T}$ is sampled by choosing a uniformly random $a \leftarrow U(R_q)$ and an error term $e \leftarrow \psi$ independently, and outputting $(a,\ b = (a \cdot s)/q + e \bmod R^\vee)$.

Definition 3. Let $\Psi$ be a family of distributions over $H$. The average-case Ring-LWE decision problem, denoted $R\text{-DLWE}^\vee_{q,\Psi}$, is to distinguish (with nonnegligible advantage) between independent samples from $A^\vee_{s,\psi}$ for a random choice of $(s, \psi) \leftarrow U(R_q^\vee) \times \Psi$ and the same number of uniformly random and independent samples from $R_q \times \mathbb{T}$.
In [33], a reduction from Ideal-SIVP$_\gamma$ to the decision Ring-LWE problem over any algebraic number field is given.

Theorem 4. Let $K$ be an algebraic number field and
..., and let $q \ge 2$ be an integer such that $\alpha q \ge \omega(1)$. Then there is a polynomial time quantum reduction from Ideal-SIVP$_\gamma$ (in the worst case) to $R\text{-DLWE}^\vee_{q, D_\xi}$, where $\xi = \alpha (nk/\log(nk))^{1/4}$ with $k$ the number of samples to be used and $\gamma = \omega(\ldots)$.

We can modify the sample $(a, b)$ of the Ring-LWE distribution to lie in $R_q \times R_q^\vee$ as in [28]: scale the $b$ component by a factor of $q$, so that it becomes an element of $H/(qR^\vee)$. The corresponding error distribution is $D_{q\xi}$ with $\xi = \alpha \cdot (nk/\log(nk))^{1/4}$ and $k$ the number of samples. Then we discretize the error by taking $e \leftarrow \lfloor D_{q\xi} \rceil_{R^\vee}$.
The decision version of Ring-LWE then becomes distinguishing the modified distribution $A^\vee_{s, \lfloor D_{q\xi} \rceil_{R^\vee}}$ from uniform samples over $R_q \times R_q^\vee$. Note that, using the method of [34], the secret $s$ can be taken from the error distribution, i.e., $s \leftarrow \lfloor D_{q\xi} \rceil_{R^\vee}$; we denote this problem by $R\text{-DLWE}_{q, \lfloor D_{q\xi} \rceil_{R^\vee}}$. Moreover, if we restrict $a \leftarrow U(T)$ for some $T \subseteq R_q$ with $|T| = c \cdot |R_q|$ and $c$ non-negligible, the hardness of the corresponding problem does not decrease; we denote this problem by $R\text{-DLWE}^\times_{q, \lfloor D_{q\xi} \rceil_{R^\vee}}$. For more details, see [28, 34].

Key Generation Algorithm and Regularity Result.
In this subsection, we introduce some useful algorithms and results. The following algorithm plays a key role in our constructions of IBE and IBS. It is a modified version of the key generation algorithm of traditional NTRU signatures; for simplicity, we denote it by N-KeyGen.
The following theorem comes from [26] (Algorithm 1). Note that, in the case of cyclotomic fields, it was shown in [26] that the value of the Dedekind zeta function at 2 (i.e., $\zeta_K(2)$) has a relatively small absolute upper bound.
Let $q$ be a prime such that $q \nmid \Delta_K$ and the prime ideal decomposition of $qR$ in $R$ is $qR = \mathfrak{B}_1 \cdots \mathfrak{B}_g$ with $f \cdot g = n$, and let $\varepsilon > 0$ be an arbitrary positive number. Assume that $\sigma \ge \max\{8n^{3.6} \ln n,\ \omega(n \ln^{0.5} n) \cdot q^{1/g},\ \omega(n^{0.25} q^{0.5} l^{-0.25})\}$. Then the key generation algorithm proposed in this section terminates in polynomial time, and the output ... the distribution of $h$ is rejected with probability $c < 1$, for some absolute constant $c$, from a distribution whose statistical distance from ...

Based on the N-KeyGen algorithm, Wang and Wang [26] gave a detailed construction of a CRPSF, a notion first proposed in [10], over any cyclotomic field. The preimage sampling algorithm of the CRPSF is what we use to design our IBE and IBS. We write NTRUCRPSF$(n, q, \sigma, s)$ for this CRPSF and only describe the results we need; for more details, see [26].
The construction of the CRPSF is as follows. (1) TrapGen$(1^n, q, \sigma)$: by running the N-KeyGen algorithm, we get a public key $h$ ...
We also need the following regularity theorem; for more details, see [26, 28, 29].

Theorem 7. Let $K$ be a cyclotomic field with $[K : \mathbb{Q}] = n$, $q$ a positive prime such that $q \nmid \Delta_K$ and the prime ideal decomposition of $qR$ in $R$ is $qR = \mathfrak{B}_1 \cdots \mathfrak{B}_g$, $\delta \in (0, 1/2)$, $\varepsilon > 0$, and ( ...

As in [28], we only use the powerful basis $\vec p$ ... We mainly use the following definitions and conventions; more details can be found in [28]. Set $\hat l = l$ when $l$ is odd and $\hat l = l/2$ when $l$ is even. If $l = \prod_{i=1}^m p_i^{\alpha_i}$ for primes $p_i$, then define $\mathrm{rad}(l) = \prod_{i=1}^m p_i$. If we represent $x \in R$ (or $R^\vee$) with respect to the powerful basis (or decoding basis), we have ... We omit the subscripts $\sigma(\vec d)$ and $\sigma(\vec p)$ in what follows when this causes no ambiguity.
When we write $x \bmod qR^\vee$, we use the representative element of the coset $x + qR^\vee$ given by $\sum_{i=1}^{N} x_i d_i$ ..., and any element of $R$ can also be represented as a $\mathbb{Z}$-linear combination of the decoding basis.

Identity-Based Encryption Schemes
In this section, we shall give the definition of IBE schemes and then construct a provably secure IBE scheme based on NTRU over any cyclotomic field.

Basic Definition and Security Model.
We give the definition of an IBE system first (Definition 5). The security model of IBE is defined through the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$. For a security parameter $\lambda$, let $M_\lambda$ be the plaintext space and $C_\lambda$ be the ciphertext space. The game, which captures the indistinguishability of plaintexts under adaptive chosen-plaintext and adaptive chosen-identity attack (IND-ID-CPA), is defined as follows:
(i) Setup: $\mathcal{B}$ runs the algorithm Setup$(\lambda)$ to get the public parameters PP and the master secret key Msk; then it sends PP to $\mathcal{A}$ and keeps Msk.

From Algorithm 1 (N-KeyGen): (5) ..., e.g., using a Hermite normal form algorithm. (6) Use Babai's nearest plane (rounding) algorithm to approximate $(F_q, G_q)$ in the lattice spanned by $(f, g)$; let $r(f, g)$ be the output and set $(F, G) = (F_q, G_q) - r(f, g)$ for some $r \in R$.
(v) Guess: $\mathcal{A}$ outputs a bit $b' \in \{0, 1\}$ and wins if and only if $b' = b$.
We refer to such an adversary $\mathcal{A}$ as an IND-ID-CPA adversary and define the advantage (in the security parameter $\lambda$) of $\mathcal{A}$ in attacking an IBE scheme $\mathcal{E}$ as $\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(\lambda) = |\Pr[b' = b] - 1/2|$.

Definition 6. For a security parameter $\lambda$, we say that an IBE scheme $\mathcal{E}$ is adaptively IND-ID-CPA secure if for any PPT adversary $\mathcal{A}$ making at most $Q = \mathrm{poly}(\lambda)$ private key queries, $\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(\lambda) \le \mathrm{negl}(\lambda)$.

Constructions of IBE Based on NTRU. Now we give the construction of an IBE system over any cyclotomic field.
The construction is inspired by [21], follows the route of [10], and can be regarded as a generalization from power-of-2 cyclotomic fields to arbitrary cyclotomic fields. The detailed construction is as follows, where $\Delta_K$ denotes the discriminant of $K$ and $qR = \mathfrak{B}_1 \cdots \mathfrak{B}_g$.

(i) Setup$(\lambda)$: given a security parameter $\lambda$, first construct a set of parameters $(K, R, q, \sigma, s)$ such that ... and $q \ge 64 n \zeta_K(2)$ with $q \nmid \Delta_K$. Meanwhile, $\sigma \ge \max\{8n^{3.6} \ln n,\ \omega(n \ln^{0.5} n) \cdot q^{1/g},\ \omega(n^{0.25} q^{0.5} l^{-0.25})\}$, ... Then call the N-KeyGen algorithm to generate a public key $h$ and a secret key ..., where ...

Encrypt: for a message $m$ with coefficients $m_i \in \{0, 1\}$, the encryption process is as follows: (1) Sample $r, e_1, e_2 \leftarrow \chi := \lfloor D_{\xi \cdot q} \rceil_{R^\vee}$ with $\xi = \alpha \cdot (nk/\log(nk))^{1/4}$, where ...

Correctness: ... $\|\cdot\|^c_\infty < q/10$; then $w$ has a representation of the form ..., and we conclude that for any $q > 40$, ... Therefore, decryption succeeds in recovering the encrypted message $m$ whenever $\|e_2 - r\sigma_2 - e_1\sigma_1\|^c_\infty < q/10$. We now bound the probability that $\|e_2 - r\sigma_2 - e_1\sigma_1\|^c_\infty \ge q/10$. Here $\|\cdot\|^c_\infty$ denotes the coefficient norm under the decoding basis with respect to the $\ell_\infty$ norm.

Lemma 4. Assume $\alpha \in (0, 1)$ with $\alpha \le \sqrt{\log n / n}$, and let $q \ge 2$ be an integer such that $\alpha q \ge \omega(1)$; meanwhile, $\omega(n$ ...

Proof. Lemma 5.1 of [28] implies that $\Pr[$ ... $\cdot s$; we have ... Therefore we get, with probability at least $1 -$ ..., where we have used that ... Overall, we get the following lemma. □

Lemma 5.
Assume that $\alpha \in (0, 1)$ with $\alpha \le \sqrt{\log n / n}$, and let $q \ge 2$ be an integer such that $\alpha q \ge \omega(1)$; meanwhile, $\omega(n$ ...; then the decryption algorithm of the IBE scheme succeeds in recovering the encrypted message with probability at least ...

We can prove that our IBE scheme is secure assuming that the $R\text{-DLWE}_{q, \lfloor D_{q\xi} \rceil_{R^\vee}}$ and $R\text{-DLWE}^\times_{q, \lfloor D_{q\xi} \rceil_{R^\vee}}$ problems are hard. We first give an IND-CPA secure public key encryption scheme (denoted BasicPub). Note that Lemma 5 applies to BasicPub as well.
Proof. Note that, by the property of the SampleDom algorithm, the distribution of pk is statistically close to $U(R_q)$. Then, for a ciphertext $(u, v)$ of either $m_0$ or $m_1$, by our choice of parameters the entire view of the adversary is indistinguishable from uniform, assuming the hardness of the $R\text{-DLWE}_{q, \lfloor D_{q\xi} \rceil_{R^\vee}}$ and $R\text{-DLWE}^\times_{q, \lfloor D_{q\xi} \rceil_{R^\vee}}$ problems. Hence the adversary cannot distinguish encryptions of $m_0$ and $m_1$, as desired.

□
Theorem 8. Suppose that Lemma 6 holds, i.e., BasicPub is correct and IND-CPA secure in the standard model; then the IBE scheme is adaptively IND-ID-CPA secure in the random oracle model.
Proof. Let $\mathcal{A}$ be a PPT adversary attacking the IBE scheme with advantage $\delta$ using $Q = \mathrm{poly}(n)$ distinct $H$ queries. We construct an algorithm $\mathcal{B}$ that attacks the BasicPub scheme with advantage $\delta/Q$. The algorithm $\mathcal{B}$ works as follows: (1) $\mathcal{B}$ calls an oracle (the challenger) to get the public parameters $PP' = (K, R, q, \sigma, R_q, R_q^\vee, h)$ and a public key pk. It then sends the public parameters $PP = (K, R, q, \sigma, R_q, R_q^\vee, h, H)$ to $\mathcal{A}$. Here $\mathcal{B}$ simulates the random oracle $H$; meanwhile, $\mathcal{B}$ chooses an index $i \in [Q]$ uniformly at random.
(2) $\mathcal{B}$ simulates the view of $\mathcal{A}$ as follows. (i) Hash queries: on $\mathcal{A}$'s $j$-th distinct query $id_j$ to $H$, if $j = i$, store the tuple $(id_i, pk, \bot)$ and return pk to $\mathcal{A}$. Otherwise ($j \ne i$), $\mathcal{B}$ runs BasicPub.KeyGen$(PP')$ to generate a public/secret key pair $(sk_j, pk_j)$, stores the tuple $(id_j, pk_j, sk_j)$ locally, and returns $pk_j$ to $\mathcal{A}$ as the value of $H(id_j)$. (ii) KeyGen queries: when $\mathcal{A}$ asks for the secret key of an identity $id$, assume without loss of generality that $\mathcal{A}$ has already queried $H$ on $id$.
Retrieve the unique tuple $(id, pk, sk)$ from local storage. If $sk = \bot$, output a random bit and abort; otherwise, return sk to $\mathcal{A}$.
(3) When $\mathcal{A}$ produces a challenge identity $id^*$, distinct from all its secret key queries, together with two messages $m_0, m_1$, assume without loss of generality that $\mathcal{A}$ has already queried $H$ on $id^*$. If $id^* \ne id_i$, output a random bit and abort. Otherwise, $\mathcal{B}$ forwards $(m_0, m_1)$ to its own challenger and returns the resulting challenge ciphertext to $\mathcal{A}$. When $\mathcal{A}$ terminates with some output, $\mathcal{B}$ terminates with the same output.
Assume $\mathcal{A}$ makes $N$ distinct KeyGen queries for some $N \le Q$. Notice that the probability that $\mathcal{B}$ does not abort is

Meanwhile, conditioned on $\mathcal{B}$ not aborting, the view it provides to $\mathcal{A}$ is statistically close to the view in the real IBE scheme. Hence the advantage of $\mathcal{B}$ against the IND-CPA security of BasicPub is $\delta/Q$, as desired.
Overall, we conclude the following theorem.
Remark 1. If we choose $\alpha q = \omega(1)$, then $s = \tilde O(n^{7.5})$, $q = \tilde O(n^{9})$ and $\gamma = \tilde O(n^{9.5})$. As remarked in [28], we can also convert our constructions to work in an ideal of $R$, or design our schemes directly in $R$ (with larger $\gamma$ and $q$). Moreover, when we require $q \equiv 1 \bmod l$ with $l$ of special form (for example, $l = p^\alpha$, $2^\alpha p$ or $2^\alpha p q$ for primes $p, q$), we can use the hardness results of [35] and the techniques of [36] to reduce the magnitude of the parameters $q$ and $\gamma$. The modulus $q$ is usually far from practical; a heuristic practical choice of parameters (with respect to the coefficient embedding) is shown in [21]. Reducing the size of $q$ and $\gamma$ is a hard problem worth studying.

Identity-Based Signature Schemes
In this section, we shall give the definition of IBS schemes and then construct a provably secure IBS scheme based on NTRU over any cyclotomic field.

Basic Definition and Security Model.
We give the definition of an IBS system first.

Definition 7. An identity-based signature system consists of four PPT algorithms: Setup, KeyGen, Sign, and Verification.
(i) Setup$(\lambda)$: takes as input a security parameter $\lambda$ and generates public parameters PP and a master secret key Msk.
(ii) KeyGen(id, Msk, PP): uses the master secret key Msk to generate an identity private key $sk_{id}$ for an identity id.
(iii) Sign(PP, id, $sk_{id}$, $\mu$): takes the public parameters PP, a message $\mu$, an identity id, and the secret key $sk_{id}$, and generates a signature Sig on $\mu$.
(iv) Verification(PP, $\mu$, Sig, id): on input the identity id, the message $\mu$, the parameters PP, and a signature Sig, outputs 1 if the signature is valid and 0 otherwise.

The security model of IBS is defined through the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$. For a security parameter $\lambda$, let $M_\lambda$ be the message space and $S_\lambda$ be the signature space. The game, which captures existential unforgeability against adaptively chosen message and adaptively chosen identity attacks, is defined as follows:
(i) Setup: $\mathcal{B}$ runs Setup$(\lambda)$ to get the public parameters PP and the master secret key Msk; it sends PP to $\mathcal{A}$ and keeps Msk.
(ii) Phase 1: $\mathcal{A}$ adaptively issues private key queries $q_1, \ldots, q_k$ for identities $id_1, \ldots, id_k$. For each query $q_i$, $i = 1, \ldots, k$, $\mathcal{B}$ runs KeyGen to generate $sk_{id_i}$ and sends it to $\mathcal{A}$.
(iii) Challenge: once $\mathcal{A}$ decides that Phase 1 is over, it outputs an identity $id^*$ that was not queried during Phase 1.
(iv) Phase 2: $\mathcal{A}$ adaptively issues further queries $q_{k+1}, \ldots, q_Q$, where each query $q_i$ is one of the following: ( ...

(i) Setup$(\lambda)$: given a security parameter $\lambda$, first construct a set of parameters $(K, R, q, \sigma, s)$ such that $K = \mathbb{Q}(\zeta_l)$ with $n = \varphi(l) \ge \lambda$, $R = \mathcal{O}_K$, and $q \ge 64 n \zeta_K(2)$ with $q \nmid \Delta_K$. Meanwhile, $\sigma \ge \max\{8n^{3.6} \ln n,\ \omega(n \ln^{0.5} n) \cdot q^{1/g},\ \omega(n^{0.25} q^{0.5} l^{-0.25})\}$, ... Then call the N-KeyGen algorithm to generate a public key $h$ and a secret key ...

... $\cdot s$. Also, note that in order to produce a valid forgery, $\mathcal{A}$ needs to find ... Theorem 2 (rejection sampling) implies that we can regard $z_i^* \leftarrow D_{R,s}$. Theorem 2.7 implies that $w \leftarrow U(R_q)$. For any $w \in R_q$, the solutions of the equation $hx_1 - x_2 = w \bmod qR$ form the coset $\Lambda' = (z_1^*, z_2^*) + \Lambda_h^q$. Hence, for our choices of $s$ and $\sigma$, Lemma 3 indicates that the probability that $z = 0$ is negligible. Therefore, except with some negligible probability $\varepsilon$, ... By the conditions in Theorem 4.1, we can take $s = \tilde O(n^{7})$, $q = \tilde O(n^{8})$ and $\gamma = \tilde O(n^{8})$. Again, the modulus $q$ is far from practical; reducing the size of $q$ and $\gamma$ is a hard problem worth studying.
One may note that the trapdoor generation algorithms used in the IBE and IBS schemes are the same; so, as in the case of IBE over power-of-2 cyclotomic rings, one can use the parameter choices (with respect to the coefficient embedding) of [21], together with the rejection sampling parameters of [27], to give a practical implementation of our schemes. A more heuristic implementation with respect to the coefficient embedding in power-of-2 cyclotomic rings is also shown in [17].

... with probability at least $1 - 2e^{-(1/4\pi)\,\omega(\log n)} = 1 - 2^{-\omega'(\log n)}$. We conclude the desired result.

□
Proof of Theorem 2. Let the set $V$ in Lemma 8 be the set of all vectors $v \in \Lambda$ of length at most $T$, let the function $f$ be $D_{\Lambda,\sigma}$, and let the functions $g_v$ be $D_{\Lambda,\sigma,v}$. Lemma 10 implies that there is an absolute constant $M$ satisfying the requirements of Lemma 8, which gives the result. □

Definition 5. An identity-based encryption system consists of four PPT algorithms: Setup, KeyGen, Encrypt, and Decrypt.
(i) Setup$(\lambda)$: takes as input a security parameter $\lambda$ and generates public parameters PP and a master secret key Msk.
(ii) KeyGen(id, Msk, PP): uses the master secret key Msk to generate an identity private key $sk_{id}$ for an identity id.
(iii) Encrypt(PP, id, m): uses the public parameters PP to encrypt a message $m$ for a given identity id.
(iv) Decrypt($c$, $sk_{id}$): decrypts a ciphertext $c$ using the identity private key $sk_{id}$ if the identity of the ciphertext matches that of the private key.

(iii) Challenge: once $\mathcal{A}$ decides that Phase 1 is over, it outputs a challenge identity $id^*$, not queried during Phase 1, and two plaintext messages $m_0, m_1 \in M_\lambda$. $\mathcal{B}$ chooses a bit $b \in \{0, 1\}$ uniformly at random and sends $c_b = $ Encrypt(PP, $id^*$, $m_b$) to $\mathcal{A}$.
(iii) Encrypt(PP, id, m):

(1) Private key query for $id_i \ne id^*$: $\mathcal{B}$ responds as in Phase 1. (2) Signature query on a message $\mu$ under $id^*$: $\mathcal{B}$ runs Sign(PP, $id^*$, $sk_{id^*}$, $\mu$) and sends Sig to $\mathcal{A}$.
(v) Forge: $\mathcal{A}$ outputs a forgery Sig$^*$ on a message $\mu$ under the identity $id^*$. It wins if and only if one of the following two cases holds: (1) if $\mu$ was queried in Phase 2, then Sig$^* \ne$ Sig, where Sig is the signature on $\mu$ that $\mathcal{A}$ received in Phase 2, and Verification(PP, $\mu$, Sig$^*$, $id^*$) = 1; (2) if $\mu$ was not queried in Phase 2, then Verification(PP, $\mu$, Sig$^*$, $id^*$) = 1.

For a security parameter $\lambda$, we say that an IBS scheme $\mathcal{E}$ is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks if for any PPT adversary $\mathcal{A}$ making at most $Q = \mathrm{poly}(\lambda)$ queries, $\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(\lambda) \le \mathrm{negl}(\lambda)$.

Constructions of IBS Based on NTRU. Now we give the construction of an IBS system over any cyclotomic field. The detailed construction is as follows: