Novel efficient lattice-based IBE schemes with CPK for fog computing

The data security of fog computing is a key problem for the Internet of Things. Identity-based encryption (IBE) from lattices is well suited to fog computing: it simplifies certificate management and resists quantum attacks. In this paper we first construct a novel efficient lattice-based IBE scheme using the Combined Public Key (CPK) technique, which avoids the expensive trapdoor generation and preimage sampling algorithms required by the existing lattice-based IBE schemes built on learning with errors (LWE). The scheme also has lower key storage cost and is IND-ID-CPA secure in the random oracle model. Building on it, we develop an enhanced lattice-based IBE scheme with IND-ID-CCA security by employing a strong one-time signature. In the Setup and Extract phases our schemes need only $O(n^3/\log n)$ vector additions, whereas the existing schemes need at least $O(n^3)$ additions and multiplications.


Introduction
Cloud computing is a mode of centralized processing of big data. Many cryptographic technologies, such as homomorphic encryption [1] and searchable encryption [2], have been widely applied in cloud computing [1]. Driven by the advent of the Internet of Things, and especially the growth of multimedia data [3][4][5], the load on cloud computing centers and the limits of transmission bandwidth have become more and more prominent. As an emerging technology, fog computing can relieve the cloud center of much of the burden of processing the huge amount of IoT data [6,7]. In fog computing, data security for the distributed nodes is a significant problem [8][9][10][11][12]. Public Key Infrastructure (PKI) is widely used in fog computing applications [13,14]; however, the communication cost of transmitting certificates and the computation cost of verifying CA signatures are too high.
To deal with the shortcomings of certificate management in traditional public key cryptosystems, Shamir proposed identity-based encryption (IBE) [15]. In an identity-based cryptosystem, the sender can use the receiver's identity as the public key to encrypt messages, so the receiver's public key certificate need not be transmitted to the sender. Boneh et al. put forward the first practical IBE scheme, based on bilinear maps [16]. IBE is therefore well suited to fog computing scenarios, such as [17][18][19][20].
However, the emergence of quantum computers threatens conventional IBE schemes, which are mostly built on RSA or the discrete logarithm problem (DLP). Lattice-based cryptography, as the most prominent quantum-resistant approach, is therefore attracting attention. Notably, as Micciancio et al. point out, lattice problems are believed to remain hard even against quantum adversaries [21]. Moreover, the practical feasibility of lattice operations has been demonstrated in implementations.
The first IBE scheme from lattices was proposed by Gentry et al.; it is IND-ID-CPA secure under the learning with errors (LWE) assumption in the random oracle model [22]. Since then, several lattice-based IBE schemes have improved on it in security or performance [23][24][25][26][27][28]. Unfortunately, the existing LWE-based IBE constructions are still not efficient enough: the Setup and Extract phases in particular are dominated by the cost of the trapdoor generation and preimage sampling algorithms. For this reason, Micciancio et al. presented more efficient trapdoor generation and preimage sampling algorithms [29]. Ye et al. further improved their performance by means of the implicit extension technique [27], and theirs are the most efficient algorithms so far. However, their solutions are still not practical enough, since they require $O(n^3)$ multiplications and additions.
Our contributions: There are three main contributions in this paper.
(1) We present a variant of the LWE assumption, the Twins-Decision-LWE (TDLWE) assumption, and show that it is equivalent to the Decision-LWE (DLWE) assumption.
(2) Based on the TDLWE assumption, we construct a novel, more practical lattice-based IBE scheme. Our main idea is to use the Combined Public Key (CPK) technique to avoid the expensive trapdoor generation and preimage sampling algorithms, so that the Setup and Extract phases need only $O(n^3/\log n)$ vector additions, which are moreover parallelizable. In addition, the Private Key Generator (PKG) only needs to store a small set of key "seeds" instead of large-scale keys. The scheme is IND-ID-CPA secure under the TDLWE assumption in the random oracle model. The trade-off is that the public system parameters are larger.
(3) Based on this basic scheme, we develop an enhanced lattice-based IBE scheme with IND-ID-CCA security.

Identity-based encryption (IBE)
Identity-based encryption (IBE) consists of the following four algorithms.
Setup: The Private Key Generator (PKG) initializes the public system parameters, denoted $PP$, along with a master secret key. $PP$ is public, whereas only the PKG knows the master secret key.
Extract: Taking the identity $\langle ID_i\rangle$ of a user, the PKG extracts the private key for $\langle ID_i\rangle$ using the master secret key.
Encrypt: Taking the public system parameters $PP$ and an identity $\langle ID_i\rangle$ as input, the sender encrypts messages for $\langle ID_i\rangle$.
Decrypt: Taking the public system parameters $PP$ and the private key as input, the receiver decrypts the ciphertext.
The IND-ID-CPA security model for IBE is defined by the following game between an adversary and a challenger [30].
Setup: Given a security parameter $n$, the challenger runs Setup($1^n$) and sends the resulting public system parameters $PP$ to the adversary, keeping the master secret key to itself.
Phase 1: The adversary adaptively issues private key queries $\langle ID_i\rangle$ for $i = 1, 2, \dots, l$. For each query the challenger runs Extract and returns the corresponding private key.
Challenge: The adversary outputs a target identity $ID^*$ whose private key was not queried in Phase 1, together with two equal-length messages $M_0$ and $M_1$. The challenger picks a random bit $\sigma \in \{0,1\}$, computes $C = \mathrm{Encrypt}(PP, ID^*, M_\sigma)$, and sends $C$ to the adversary as the challenge.
Phase 2: The adversary continues to make private key queries as in Phase 1, except that the private key of the target identity $ID^*$ may not be queried.
Guess: Finally, the adversary outputs a guess $\sigma'$ of $\sigma$, and wins if $\sigma' = \sigma$.
We define the advantage of the adversary in attacking the IBE scheme as $\mathrm{Pr}_{adv} = |\Pr[\sigma' = \sigma] - 1/2|$.
Definition 2.1 (IND-ID-CPA secure). An IBE scheme is $(k, \varepsilon)$-semantically secure against IND-ID-CPA if every probabilistic polynomial time (PPT) adversary making at most $k$ private key queries has at most $\varepsilon$ advantage in breaking the scheme [16].
The IND-ID-CCA game between an adversary and a challenger is the same as the IND-ID-CPA game, except that in both Phase 1 and Phase 2 the adversary may issue not only private key extraction queries but also decryption queries $\langle ID_i, C_i\rangle$. On receiving a decryption query, the challenger answers with the corresponding plaintext; in Phase 2 the challenge ciphertext itself may not be submitted for decryption under $ID^*$.

Combined public key
In 2004, Nan et al. presented a key management technique called Combined Public Key (CPK) to improve efficiency and save storage space. Since then, CPK has been employed in a variety of applications [31,32].
The basic idea of CPK is as follows [33]. Suppose there is a public key matrix $(y_1, y_2, \dots, y_n)$ together with the corresponding private key matrix $(x_1, \dots, x_n)$, where $y_i = f(x_i)$, and a collision-resistant hash function $h(\cdot): \{0,1\}^* \to \{0,1\}^n$. For a user with identity $id$, write $h(id) = (h_1, \dots, h_n)$; the user's public key is then $y_{id} = \sum_{i=1}^{n} h_i y_i$ and the private key is $x_{id} = \sum_{i=1}^{n} h_i x_i$. Anyone can compute $y_{id}$ from the public matrix and $id$ alone, whereas only the holder of the private matrix can combine $x_{id}$.

Lattices
The formal definition of an $n$-dimensional lattice $L$ of rank $m$ follows [22]; clearly such an $L$ is contained in $\mathbb{Z}^m$. The special lattice $\mathbb{Z}^m$ is the one principally used in this paper [22].

Statistical distance
Two random variables $X$ and $Y$ over a finite set $\Omega$ are said to be statistically close if their statistical distance is a negligible function of the security parameter $\lambda$ [23].

Discrete Gaussian distribution
For a subset $L$ of $\mathbb{Z}^m$, a positive parameter $r \in \mathbb{R}$ and a center $c \in \mathbb{R}^m$, a Gaussian-shaped function $\rho_{r,c}$ on $\mathbb{R}^m$ is defined in terms of the Euclidean $\ell_2$ norm $\|\cdot\|$ of $x - c$, centered at $c$ and scaled by the parameter $r$. Its sum over $L$ is $\rho_{r,c}(L) = \sum_{x \in L} \rho_{r,c}(x)$, and the discrete Gaussian distribution on $L$ is $D_{L,r,c}(x) = \rho_{r,c}(x)/\rho_{r,c}(L)$ for $x \in L$. In this paper we use the special case $D_{\mathbb{Z}^m, r}$, i.e. $L = \mathbb{Z}^m$ and $c = 0$.
In [22] a sampling algorithm SampleD is given: given a basis $B \in \mathbb{Z}^{n \times m}$ of an $n$-dimensional lattice, a center $c \in \mathbb{R}^n$ and a sufficiently large Gaussian parameter $r$, it outputs samples from $D_{L(B), r, c}$.
In our constructions we use SampleD to sample random vectors from $D_{\mathbb{Z}^m, r}$ [22].

DLWE assumption
In this paper our schemes are built from a variant of the decision learning with errors (DLWE) assumption that is equivalent to the standard LWE assumption [34]. We first recall the DLWE problem.
Definition 2.3 (Distribution $\bar{\Psi}_\alpha$). Consider a prime $q$ and a real parameter $\alpha = \alpha(n) \in (0,1)$. Let $\mathbb{T} = \mathbb{R}/\mathbb{Z}$ be the group of reals $[0,1)$ with addition modulo 1, and let $\lfloor x\rceil = \lfloor x + 1/2\rfloor$ denote the integer nearest to $x \in \mathbb{R}$. $\Psi_\alpha$ is the distribution on $\mathbb{T}$ of a normal variable with mean 0 and standard deviation $\alpha/\sqrt{2\pi}$, reduced modulo 1. $\bar{\Psi}_\alpha$ is the discrete distribution over $\mathbb{Z}_q$ of the random variable $\lfloor qX\rceil \bmod q$, where $X \in \mathbb{T}$ is drawn from $\Psi_\alpha$ [23].
Definition 2.4 (Decision-LWE$_{q,\alpha}$ (DLWE$_{q,\alpha}$) problem). (All operations are performed in $\mathbb{Z}_q$.) Consider a positive integer $n$, a large prime modulus $q \le \mathrm{poly}(n)$, an arbitrary integer $m \le \mathrm{poly}(n)$, and the error distribution $\chi = \bar{\Psi}_\alpha$ over $\mathbb{Z}_q$, all public. The challenger independently and uniformly selects a matrix $A \in \mathbb{Z}_q^{n \times m}$, a secret vector $s \in \mathbb{Z}_q^n$ and a bit $\tau \in \{0,1\}$. If $\tau = 1$ it outputs $(A, A^T s + x)$ with $x \leftarrow \chi^m$; if $\tau = 0$ it outputs $(A, d)$, where $d \in \mathbb{Z}_q^m$ is chosen uniformly at random. Given the tuple, the adversary returns a guess $\tau'$ of $\tau$.
The adversary's advantage in solving the DLWE$_{q,\alpha}$ problem is defined as $\mathrm{Pr}_{adv}(\mathrm{DLWE}_{q,\alpha}) = |\Pr[\tau' = \tau] - 1/2|$ [34]. If this advantage is negligible for every PPT adversary, we say that the DLWE$_{q,\alpha}$ assumption holds.
Theorem 2.1. For a prime $q$, a positive integer $n$ and $m \ge 2n\lg q$, the distribution of $u = Ae \bmod q$ with $e \leftarrow D_{\mathbb{Z}^m, r}$ is statistically close to uniform over $\mathb{Z}_q^n$, for any $r \ge \omega(\sqrt{\log m})$ and for all but a $2q^{-n}$ fraction of all $A \in \mathbb{Z}_q^{n \times m}$. Here $\omega(\cdot)$ denotes asymptotic domination: $g(n) = \omega(f(n))$ means that $g(n)$ eventually exceeds $c\,f(n)$ for every constant $c > 0$ [21].

TDLWE assumption
It is known that for suitable parameters $\alpha$ and $q$ the DLWE$_{q,\alpha}$ assumption holds. Based on it, we propose a variant of the DLWE$_{q,\alpha}$ problem and show that it is equivalent to the DLWE$_{q,\alpha}$ problem.
Definition 3.1 (Twins-Decision-LWE$_{q,m,n,r,\alpha}$ (TDLWE$_{q,m,n,r,\alpha}$) problem). (All operations are performed in $\mathbb{Z}_q$.) Consider a positive integer $n$, a large prime modulus $q \le \mathrm{poly}(n)$, an arbitrary integer $m \le \mathrm{poly}(n)$, and the error distribution $\chi = \bar{\Psi}_\alpha$ over $\mathbb{Z}_q$, all public. The challenger selects a matrix $A \in \mathbb{Z}_q^{n \times m}$ and a secret vector $s \in \mathbb{Z}_q^n$ uniformly at random, and a vector $e$ from the discrete Gaussian $D_{\mathbb{Z}^m, r}$. It then chooses a bit $\tau \in \{0,1\}$ independently and uniformly. If $\tau = 1$ it returns $(A,\ Ae,\ A^T s + x,\ (Ae)^T s + x')$ with $x \leftarrow \chi^m$ and $x' \leftarrow \chi$; if $\tau = 0$ it returns $(A,\ Ae,\ A^T s + x,\ d)$, where $d$ is selected uniformly at random from $\mathbb{Z}_q$. Finally, the adversary returns a guess $\tau'$ of $\tau$.
We define the adversary's advantage in solving TDLWE$_{q,m,n,r,\alpha}$ as $\mathrm{Pr}_{adv}(\mathrm{TDLWE}_{q,m,n,r,\alpha}) = |\Pr[\tau' = \tau] - 1/2|$. If $\mathrm{Pr}_{adv}(\mathrm{TDLWE}_{q,m,n,r,\alpha})$ is negligible for every PPT adversary, we say that the TDLWE$_{q,m,n,r,\alpha}$ assumption holds.
We now analyze the relationship between the DLWE$_{q,\alpha}$ and TDLWE$_{q,m,n,r,\alpha}$ assumptions. First, the parameters $m, n, q, r, \alpha$ are chosen to satisfy: (1) the DLWE$_{q,\alpha}$ assumption holds; (2) for $e \leftarrow D_{\mathbb{Z}^m, r}$, $Ae$ is statistically close to uniform over $\mathbb{Z}_q^n$.
Proof. For $m \ge 2n\lg q$ and $r \ge \omega(\sqrt{\log m})$, Theorem 2.1 shows that $B = Ae$ is statistically close to uniform over $\mathbb{Z}_q^n$. Hence the TDLWE tuple $(A, Ae, A^T s + x, Z)$ is statistically close to $(A, B, A^T s + x, Z)$ with $B$ uniform, and by the DLWE assumption applied to $A$ the third component can in turn be replaced by a uniformly random $C \in \mathbb{Z}_q^m$. Since $A$ and $C$ are then independent of $(B, B^T s + x')$, deciding whether $Z = B^T s + x'$ or $Z = d$ is uniform is exactly a DLWE instance. Therefore, for such parameters, the TDLWE$_{q,m,n,r,\alpha}$ assumption holds if the DLWE$_{q,\alpha}$ assumption holds.

A novel efficient lattice-based IBE construction with CPK
We have put forward the TDLWE assumption, a variant of the DLWE assumption, and analyzed its plausibility. In this section we present a new efficient lattice-based IBE construction that uses CPK and is based on the TDLWE assumption.

Construction
Setup($1^\lambda$): Taking $n$ as the security parameter, the PKG sets $q, m, r, \alpha$ as described in Section 4.2 and chooses a common matrix $A \in \mathbb{Z}_q^{n \times m}$ uniformly at random. All operations are performed over $\mathbb{Z}_q$. The PKG samples $n'$ secret vectors $e_i$ ($i = 1, 2, \dots, n'$) independently from the discrete Gaussian $D_{\mathbb{Z}^m, r}$.
It then sets the master secret key to $E = (e_1, e_2, \dots, e_{n'})$ and the corresponding public key to $U = (u_1, u_2, \dots, u_{n'})$ with $u_i = A e_i$. Moreover, the PKG chooses a collision-resistant hash function $H: \{0,1\}^* \to \{0,1\}^{n'}$. Finally the PKG publishes $PP = (n', q, A, U, H)$ as the public system parameters.
Extract($PP, E, id$): Let $(h_1, \dots, h_{n'}) = H(id)$. The PKG returns the private key $e_{id} = \sum_{i=1}^{n'} h_i e_i$ for the identity $id$. The matching public key $u_{id} = \sum_{i=1}^{n'} h_i u_i = A e_{id}$ can be computed by anyone from $PP$ and $id$; this is the CPK combination.
Encrypt($PP, id, b$): Given the public system parameters $PP$, the receiver's identity $id$ and a bit $b \in \{0,1\}$, the sender picks $s \in \mathbb{Z}_q^n$ uniformly at random and noise $x \leftarrow \chi^m$, $x' \leftarrow \chi$, computes $u_{id} = \sum_{i=1}^{n'} h_i u_i$ with $(h_1, \dots, h_{n'}) = H(id)$, and outputs $C = (c_1, c_2) = (A^T s + x,\ u_{id}^T s + x' + b\lfloor q/2\rceil)$.
Decrypt($PP, e_{id}, C$): Given the public system parameters $PP$, the receiver's private key $e_{id}$ and a ciphertext $C = (c_1, c_2)$, the receiver computes $b' = c_2 - e_{id}^T c_1 \in \mathbb{Z}_q$. If $b'$ is closer to 0 than to $q/2$ modulo $q$, output 0; otherwise output 1.

Parameters
In Setup, the parameters $q, m, r, \alpha$ are chosen so that: (2) the TDLWE$_{q,m,n,r,\alpha}$ assumption holds; (3) the ciphertext is decrypted properly with the receiver's private key (shown in Section 4.3).

Completeness
The correctness argument is similar to that in [22]. For a ciphertext of $b$ under $id$ we have $c_2 - e_{id}^T c_1 = b\lfloor q/2\rceil + x' - e_{id}^T x = b\lfloor q/2\rceil + \tilde{x}^T\tilde{e}_{id} \pmod q$, where $\tilde{x} = (x, x') \in \mathbb{Z}_q^{m+1}$ is the noise vector and $\tilde{e}_{id} = (-e_{id}, 1)$. A linear combination of independent normal variables is again normal [22]. Since each coordinate of $\tilde{x}$ is distributed as $\chi = \bar{\Psi}_\alpha$, we can write $\tilde{x} = \lfloor qy\rceil \bmod q$ with $y$ drawn from $\Psi_\alpha^{m+1}$; by the tail inequality for normal variables, the probability that $|y^T\tilde{e}_{id}| > 1/10$ is negligible for the parameters of Section 4.2, and the rounding error satisfies $|(\tilde{x} - qy)^T\tilde{e}_{id}| \le q/10$ by the bound on $\|\tilde{e}_{id}\|$ that the parameter choice guarantees. Thus $|\tilde{x}^T\tilde{e}_{id}| \le |(\tilde{x} - qy)^T\tilde{e}_{id}| + q|y^T\tilde{e}_{id}| \le q/10 + q/10 = q/5$; in other words, the decryption error $x' - e_{id}^T x$ is at distance at most $q/5$ from 0 (mod $q$), so $b$ is recovered.

Multi-bit encryption
As in [22,23], the same ephemeral encryption randomness $s$ can be reused to encrypt a message of more than one bit. Assume the same ephemeral $s \in \mathbb{Z}_q^n$ is used for the whole $K$-bit message: the first component $c_1$ is shared by all bits and each bit contributes its own $c_2$, and the overall ciphertext consists of $2m + K$ elements of $\mathbb{Z}_q$.

Efficiency analysis
This scheme is much more efficient because it avoids the complex trapdoor generation and preimage sampling algorithms. Specifically, following Section 4.2, we can set $q \approx n^3$ and $n' = O(n^3/\log n)$. In the Setup phase the PKG only runs SampleD to produce $n'$ samples from $D_{\mathbb{Z}^m, r}$, whereas in [22,23,27] both the public system parameters and the master secret key must be created by a complex trapdoor generation algorithm. In the Extract phase of our scheme, each $id$ requires only $n'/2$ vector additions on average (one per nonzero bit of $H(id)$), and these additions are parallelizable; in [22,23] a complex preimage sampling algorithm involving projection and orthogonalization, with running time $O(m^2) \cdot \mathrm{length}(msk, H(id))$, is required, and in [27] $O(n^3)$ additions and multiplications are needed for each $id$.
Moreover, thanks to the low cost of deriving keys, the PKG only needs to store the small set of key "seeds" $e_1, \dots, e_{n'}$ instead of large-scale keys.

Security
As shown in Section 3, the TDLWE$_{q,m,n,r,\alpha}$ problem is hard for suitable parameters. We now prove the security of our scheme based on the TDLWE$_{q,m,n,r,\alpha}$ problem.
Theorem 4.1. Suppose a PPT adversary making at most $k$ private key queries and at most $q_H$ random oracle queries breaks the IND-ID-CPA security of the scheme with advantage $\varepsilon$ in the random oracle model. Then there is a PPT algorithm that solves the TDLWE$_{q,m,n,r,\alpha}$ problem with advantage at least $\frac{\varepsilon}{2}(1 - 1/e - 2^{k-n'})$.
Proof. Assume that there is a PPT adversary $\mathcal{A}$ in the IND-ID-CPA game that makes at most $k$ private key queries and has advantage at least $\varepsilon$. We build a PPT simulator $\mathcal{B}$ which, given $(A, B = Ae, C = A^T s + x, Z)$ by the challenger in the TDLWE$_{q,m,n,r,\alpha}$ game, plays the IND-ID-CPA game with $\mathcal{A}$ and the TDLWE game with the challenger, and guesses $\tau$ with advantage at least $\frac{\varepsilon}{2}(1 - 1/e - 2^{k-n'})$; this completes the proof.
Suppose $\mathcal{A}$ makes at most $q_H$ random oracle queries. We describe the simulated IND-ID-CPA game in detail and then bound the advantage of $\mathcal{B}$ in guessing $\tau$.
Setup: $\mathcal{B}$ samples $n'$ vectors $v_1, v_2, \dots, v_{n'}$ independently from $D_{\mathbb{Z}^m, r}$, and selects $k$ binary vectors $V_i = (h_{1i}, h_{2i}, \dots, h_{n'i})^T \in \{0,1\}^{n'}$, $i = 1, 2, \dots, k$, independently and uniformly at random. It then chooses a tuple $(w_1, w_2, \dots, w_{n'})$, $w_i \in \mathbb{Z}$, such that $\sum_{j=1}^{n'} h_{ji} w_j = 0$ for every $i = 1, \dots, k$ (so that the unknown $e$ cancels from the private keys of the $k$ programmed hash vectors) and such that $\bigl((\sum_i w_i)^2 + 1\bigr)\, r \le \frac{q}{5(m+1)}$, which keeps the distributions of $e_i$ and $e_{id}$ within the parameter bounds of the real scheme. $\mathcal{B}$ sets the public key $U = (u_1, u_2, \dots, u_{n'})$ with $u_i = w_i B + A v_i$. The corresponding master secret key is implicitly $E = (e_1, e_2, \dots, e_{n'})$ with $e_i = w_i e + v_i$, since $A e_i = w_i Ae + A v_i = u_i$. Finally $\mathcal{B}$ sends the public system parameters $(n', q, A, U, H)$ to $\mathcal{A}$.
Random oracle queries: $\mathcal{B}$ maintains an H-list of tuples $(ID_i, h_i, \xi_i)$ and chooses a random set $V_H \subseteq \{1, 2, \dots, q_H\}$ of $k$ indices. The $j$-th distinct query is answered with one of the unused vectors $V_i$ and marked $\xi_j = 1$ if $j \in V_H$, and with a fresh uniformly random $h_j \in \{0,1\}^{n'}$ and marked $\xi_j = 0$ otherwise.
Private key extraction queries: $\mathcal{A}$ may query the private keys of distinct identities $\langle ID_1\rangle, \langle ID_2\rangle, \dots, \langle ID_l\rangle$, $l \le k$. $\mathcal{B}$ answers each query $\langle ID_i\rangle$ according to three cases. (1) If $ID_i$ is already in the H-list with $\xi_i = 1$, its hash is some $V_j$, so $e_{ID_i} = \sum_t h_{tj} e_t = (\sum_t h_{tj} w_t)\, e + \sum_t h_{tj} v_t = \sum_t h_{tj} v_t$, which $\mathcal{B}$ computes and returns. (2) If $ID_i$ is already in the H-list with $\xi_i \ne 1$, or $ID_i$ is not in the H-list and all the $V_j$ generated in Setup have already been used to answer queries, $\mathcal{B}$ restarts the IND-ID-CPA game, re-selecting the set $V_H \subseteq \{1, 2, \dots, q_H\}$. The game may be restarted at most $\binom{q_H}{k} - 1$ times; if more restarts would be needed, $\mathcal{B}$ aborts and outputs a uniformly random bit as $\tau'$. (3) Otherwise ($ID_i$ is not in the H-list and some $V_j$ is still unused), $\mathcal{B}$ answers the random oracle query for $ID_i$ with an unused $V_j$, sets $\xi_i = 1$, and proceeds as in case (1).
Challenge: $\mathcal{A}$ selects a target identity $ID^*$ never queried in Phase 1 and sends $(ID^*, b_0 = 0, b_1 = 1)$ to $\mathcal{B}$. $\mathcal{B}$ queries the random oracle for $ID^*$ to obtain $h^* = (h_1^*, \dots, h_{n'}^*)$ and checks whether $V^* = (h_1^*, \dots, h_{n'}^*)^T$ is a linear combination of the $V_i$ ($i = 1, 2, \dots, k$). If it is, $\mathcal{B}$ aborts and outputs a uniformly random bit as $\tau'$. Otherwise it sets $w = \sum_i h_i^* w_i$ and $v = \sum_i h_i^* v_i$, so that $u_{ID^*} = wB + Av = A(we + v)$, picks a uniformly random bit $\sigma \in \{0,1\}$, computes $C^* = (c_1^*, c_2^*) = (C,\ wZ + v^T C + b_\sigma\lfloor q/2\rceil)$, and sends $C^*$ to $\mathcal{A}$ as the challenge.
Phase 2: $\mathcal{A}$ continues to make queries, which $\mathcal{B}$ answers as in Phase 1; the private key of $\langle ID^*\rangle$ may not be queried.
Guess: $\mathcal{A}$ outputs $\sigma'$. $\mathcal{B}$ outputs $\tau' = 1$ if $\sigma' = \sigma$ and $\tau' = 0$ otherwise.
We now analyze the advantage of $\mathcal{B}$. First we consider the case in which the event abort does not occur; then we bound the probability that abort occurs.
Claim 4.1. Conditioned on abort not occurring, $\mathcal{B}$'s advantage in guessing $\tau$ is at least $\varepsilon/2$.
Proof. (1) If $\tau = 1$, then $Z = B^T s + x' = e^T A^T s + x'$, so $c_2^* = wZ + v^T C + b_\sigma\lfloor q/2\rceil = (we + v)^T A^T s + (w x' + v^T x) + b_\sigma\lfloor q/2\rceil = u_{ID^*}^T s + (w x' + v^T x) + b_\sigma\lfloor q/2\rceil$. With the bound on $w$ imposed in Setup, the noise $w x' + v^T x$ stays within the range allowed by Section 4.3, so $C^*$ is distributed as a real ciphertext of the IBE scheme and $\Pr[\sigma' = \sigma \mid \tau = 1 \wedge \neg\mathrm{abort}] = 1/2 + \varepsilon$. (2) If $\tau = 0$, then $Z = d$ is uniform in $\mathbb{Z}_q$ and so is $c_2^*$, independently of $\sigma$; hence $\Pr[\sigma' = \sigma \mid \tau = 0 \wedge \neg\mathrm{abort}] = 1/2$. Consequently $\mathcal{B}$'s advantage is $|\Pr[\tau' = \tau \mid \neg\mathrm{abort}] - 1/2| = \tfrac12(\tfrac12 + \varepsilon) + \tfrac12\cdot\tfrac12 - \tfrac12 = \varepsilon/2$.
However, the event abort may occur in the IND-ID-CPA game, so its probability must be bounded. $\mathcal{B}$ aborts for two reasons: (1) in Phase 1 or Phase 2, the game is restarted more than $\binom{q_H}{k} - 1$ times; (2) in the Challenge phase, the binary vector $V^* = (h_1^*, \dots, h_{n'}^*)^T$ is a linear combination of the $V_i$ ($i = 1, 2, \dots, k$).
Claim 4.2. The probability that $\mathcal{B}$ aborts for reason (1) is at most $1/e$.
Proof. Let $t = 1/\binom{q_H}{k}$. For a fixed choice of $V_H$, the probability that some private key query forces the game to restart is at most $1 - t$. Since $\mathcal{B}$ restarts at most $1/t$ times, each time with a fresh choice of $V_H$, the probability that all $1/t$ choices lead to a restart is at most $(1 - t)^{1/t} \approx 1/e$. Thus $\mathcal{B}$ aborts for reason (1) with probability at most $1/e$.
Claim 4.3. The probability that $\mathcal{B}$ aborts for reason (2) is at most $2^{k-n'}$.
Proof. Form the matrix $M_{n' \times k} = (V_1, V_2, \dots, V_k)$; its rank is $k' \le k$, where $k < n'$. The linear combinations of $V_1, \dots, V_k$ are determined by $k'$ linearly independent columns, so at most $2^{k'} \le 2^k$ binary vectors $V^*$ are linear combinations of the $V_i$, out of $2^{n'}$ binary vectors of length $n'$ in total. Since $V^*$ is the uniformly random hash of a fresh identity, $\mathcal{B}$ aborts for reason (2) with probability at most $2^k/2^{n'} = 2^{k-n'}$.
Combining the two claims, $\mathcal{B}$ aborts with probability at most $1/e + 2^{k-n'}$. Therefore the PPT simulator's advantage in solving the TDLWE$_{q,m,n,r,\alpha}$ problem is at least $\frac{\varepsilon}{2}(1 - 1/e - 2^{k-n'})$, which completes the proof of Theorem 4.1.

An enhanced CCA-secure lattice-based IBE construction with CPK
Building on the above scheme, we use a strong one-time signature to develop an enhanced IND-ID-CCA secure construction.

Strong one-time signature
A strong one-time signature scheme Sig $= (G, \mathrm{Sign}, \mathrm{Verify})$ is defined by the following game between an adversary $\mathcal{A}$ and a challenger.
Step 1: The challenger runs $G(1^k)$ to obtain $(vk, sk)$ and sends $1^k$ and $vk$ to $\mathcal{A}$.
Step 2: $\mathcal{A}$ may do one of the following: (1) output a pair $(C^*, \theta^*)$ and terminate; (2) query a signature on a single message $C$ of its choice, receive $\theta = \mathrm{Sign}_{sk}(C)$, and then output a pair $(C^*, \theta^*) \ne (C, \theta)$ and terminate.
$\mathcal{A}$ succeeds if $\mathrm{Verify}_{vk}(C^*, \theta^*) = 1$.
Definition 5.1 (Strong one-time signature). A signature scheme Sig is a strong one-time signature scheme if every PPT adversary $\mathcal{A}$ succeeds in the above game with only negligible probability [37].

Construction
Setup($1^\lambda$): As in Section 4.1, yielding the public system parameters $PP = (n', q, A, U, H)$ and the master secret key $E$.
Extract($PP, E, id, vk$): Let $h_i$ be the $i$-th bit of $H(id\|vk)$, $i = 1, 2, \dots, n'$, and return $e_{id\|vk} = \sum_{i=1}^{n'} h_i e_i$.
Encrypt($PP, id, b$): 1) Run $G(1^k)$ of Sig (a strong one-time signature scheme) to generate a signing key $sk$ and the corresponding verification key $vk$. 2) Encrypt $b$ under the identity $id\|vk$ exactly as in Section 4.1, obtaining $C = (c_1, c_2)$. 3) Compute $\theta = \mathrm{Sign}_{sk}(C)$ and output the ciphertext $(vk, C, \theta)$.
Decrypt($PP, E, id, (vk, C, \theta)$): 1) If $\mathrm{Verify}_{vk}(C, \theta) \ne 1$, output $\perp$. 2) Otherwise run Extract($PP, E, id, vk$) to obtain $e_{id\|vk}$, compute $b' = c_2 - e_{id\|vk}^T c_1 \in \mathbb{Z}_q$, and output 0 if $b'$ is closer to 0 than to $q/2$ modulo $q$, otherwise 1. For a valid ciphertext the Decrypt algorithm coincides with that of our IND-ID-CPA secure construction, so this construction is correct as well.

Correctness and efficiency
The correctness and efficiency analysis are similar to Sections 4.3 and 4.5.

Multi-bit encryption
The multi-bit variant is the same as for the basic scheme: reusing the randomness $s \in \mathbb{Z}_q^n$ throughout, a $K$-bit message yields a ciphertext of $2m + K$ elements of $\mathbb{Z}_q$ plus $\mathrm{len}(vk) + \mathrm{len}(\theta)$.
Theorem 5.1. Suppose a PPT adversary making at most $k$ private key queries and at most $q_H$ random oracle queries breaks the IND-ID-CCA security of the enhanced scheme with advantage $\varepsilon$ in the random oracle model. Then there is a PPT algorithm that solves the TDLWE$_{q,m,n,r,\alpha}$ problem with advantage at least $\frac{\varepsilon}{2}(1 - 2/e - 2^{k-n'})$ minus a negligible term contributed by the strong one-time signature.
Proof. The proof is similar to that of Theorem 4.1. Assume that there is a PPT adversary $\mathcal{A}$ in the IND-ID-CCA game that makes at most $k$ queries and has advantage at least $\varepsilon$. We build a PPT simulator $\mathcal{B}$ which, given $(A, B = Ae, C = A^T s + x, Z)$ by the challenger in the TDLWE$_{q,m,n,r,\alpha}$ game, plays the IND-ID-CCA game with $\mathcal{A}$ and the TDLWE game with the challenger, and guesses $\tau$ with the stated advantage; this proves the theorem.
As for Theorem 4.1, we describe the simulated IND-ID-CCA game in detail and then bound the advantage of $\mathcal{B}$ in guessing $\tau$.
Setup: Same as in Theorem 4.1.

Phase 1:
Random oracle queries: Same as in Theorem 4.1, except that queries are on $\langle ID_i\|vk_i\rangle$ instead of $\langle ID_i\rangle$.
Private key extraction queries: Same as in Theorem 4.1, except that $\mathcal{A}$ makes $l$ ($l \le k$) distinct queries $\langle ID_i, vk_i\rangle$ and the key returned is $e_{ID_i\|vk_i}$.
Decryption queries: For each decryption query $\langle ID_i, vk_i, C_i, \theta_i\rangle$ issued by $\mathcal{A}$, $\mathcal{B}$ answers as described for Phase 2 below; since no challenge ciphertext exists yet, the comparison with $ID^*\|vk^*$ does not apply.
Challenge: $\mathcal{A}$ selects a target identity $ID^* \in \{0,1\}^l$ whose private key was never queried in Phase 1 and sends $(ID^*, b_0 = 0, b_1 = 1)$ to $\mathcal{B}$. $\mathcal{B}$ runs $G(1^k)$ of the strong one-time signature scheme to produce the signing key $sk^*$ and the corresponding verification key $vk^*$, then queries the random oracle for $\langle ID^*\|vk^*\rangle$ to obtain $h^* = (h_1^*, \dots, h_{n'}^*)$. If $V^* = (h_1^*, \dots, h_{n'}^*)^T$ is a linear combination of the $V_i$ ($i = 1, 2, \dots, k$), $\mathcal{B}$ aborts and outputs a uniformly random bit as $\tau'$. Otherwise it sets $w = \sum_i h_i^* w_i$ and $v = \sum_i h_i^* v_i$, so that $u_{ID^*\|vk^*} = wB + Av = A(we + v)$, picks a uniformly random bit $\sigma \in \{0,1\}$, computes $C^* = (c_1^*, c_2^*) = (C,\ wZ + v^T C + b_\sigma\lfloor q/2\rceil)$, signs it as $\theta^* = \mathrm{Sign}_{sk^*}(C^*)$, and sends $(vk^*, C^*, \theta^*)$ to $\mathcal{A}$ as the challenge.

Phase 2:
Random oracle queries: Same as in Phase 1.
Private key extraction queries: $\mathcal{A}$ may continue to query $\langle ID_i, vk_i\rangle$ for at most $k - l$ further pairs, provided $(ID_i\|vk_i) \ne (ID^*\|vk^*)$.
Decryption queries: For each decryption query $\langle ID_i, vk_i, C_i, \theta_i\rangle \ne \langle ID^*, vk^*, C^*, \theta^*\rangle$ issued by $\mathcal{A}$, $\mathcal{B}$ answers as follows. If $\mathrm{Verify}_{vk_i}(C_i, \theta_i) \ne 1$, it responds with $\perp$. If $\mathrm{Verify}_{vk_i}(C_i, \theta_i) = 1$ and $(ID_i\|vk_i) = (ID^*\|vk^*)$, $\mathcal{B}$ aborts and outputs a uniformly random bit as $\tau'$. If $\mathrm{Verify}_{vk_i}(C_i, \theta_i) = 1$ and $(ID_i\|vk_i) \ne (ID^*\|vk^*)$: (1) if $(ID_i\|vk_i)$ is already in the H-list with $\xi_i = 1$, $\mathcal{B}$ computes $e_{ID_i\|vk_i}$, decrypts $C_i$ with it, and returns the plaintext to $\mathcal{A}$; (2) if $(ID_i\|vk_i)$ is already in the H-list with $\xi_i = 0$, or is not in the H-list and all the $V_j$ ($1 \le j \le k$) generated in Setup have already been used to answer queries, $\mathcal{B}$ restarts the IND-ID-CCA game, re-selecting $V_H$. As for private key extraction queries, the game may be restarted at most $\binom{q_H}{k} - 1$ times; beyond that $\mathcal{B}$ aborts and outputs a uniformly random bit as $\tau'$.
Guess: Same as in Theorem 4.1.
Next, the security of the enhanced scheme is analyzed as in Theorem 4.1.
First, as in Claim 4.1, conditioned on the event abort not occurring, $\mathcal{B}$'s advantage in solving the TDLWE$_{q,m,n,r,\alpha}$ problem is at least $\varepsilon/2$. Next we bound the probability that abort occurs. $\mathcal{B}$ may abort in four situations: (1) in Phase 1 or Phase 2, a private key extraction query causes the game to be restarted more than $\binom{q_H}{k} - 1$ times; (2) in Phase 1 or Phase 2, a decryption query causes the game to be restarted more than $\binom{q_H}{k} - 1$ times; (3) in Phase 2, $\mathcal{A}$ makes a decryption query $\langle ID_i, vk_i, C_i, \theta_i\rangle$ such that $(ID_i\|vk_i) = (ID^*\|vk^*)$ and $\mathrm{Verify}_{vk_i}(C_i, \theta_i) = 1$; (4) in the Challenge phase, the binary vector $V^* = (h_1^*, \dots, h_{n'}^*)^T$ is a linear combination of the $V_i$ ($i = 1, 2, \dots, k$).
As in Claims 4.2 and 4.3, the probability that $\mathcal{B}$ aborts for reason (1) is at most $1/e$, and for reason (4) at most $2^{k-n'}$.
Claim 5.1. $\mathcal{B}$ aborts for reason (2) with probability at most $1/e$. The proof is the same as that of Claim 4.2.
Claim 5.2. $\mathcal{B}$ aborts for reason (3) with probability at most the forging probability of the strong one-time signature scheme, which is negligible.
Proof. Suppose the target identity is $ID^*\|vk^*$ and the challenge ciphertext is $(vk^*, C^*, \theta^*)$. Since identities are fixed-length strings in $\{0,1\}^l$, $(ID_i\|vk_i) = (ID^*\|vk^*)$ if and only if $ID_i = ID^*$ and $vk_i = vk^*$. A decryption query that causes abort for reason (3) is therefore a pair $(C_i, \theta_i) \ne (C^*, \theta^*)$ with $\mathrm{Verify}_{vk^*}(C_i, \theta_i) = 1$, while $\mathcal{A}$ has seen only the single signature $\theta^* = \mathrm{Sign}_{sk^*}(C^*)$ under $vk^*$. By the definition of a strong one-time signature, $\mathcal{A}$ produces such a pair with only negligible probability, so $\mathcal{B}$ aborts for reason (3) with at most that negligible probability.
Combining the claims, $\mathcal{B}$ aborts with probability at most $2/e + 2^{k-n'}$ plus the negligible forging probability, so its advantage in solving the TDLWE$_{q,m,n,r,\alpha}$ problem is at least $\frac{\varepsilon}{2}(1 - 2/e - 2^{k-n'})$ minus a negligible term. This proves Theorem 5.1.

Comparisons
In Sections 4.5 and 5.3 we evaluated the asymptotic complexities of the Setup and Extract phases of our schemes. Table 1 lists the complexities, security properties and security assumptions of our schemes and of related schemes in the literature; all operations are over $\mathbb{Z}_q$. We denote our IND-ID-CPA secure solution as "Scheme1" and our IND-ID-CCA secure solution as "Scheme2".

Table 1. Comparison of lattice-based IBE schemes (cost of the Setup and Extract phases)

Scheme | Setup and Extract cost | Security | Assumption
Gentry et al.'s scheme [22] | $O(n^4)$ additions and multiplications | IND-ID-CPA | LWE
Agrawal et al.'s scheme [23] | $O(n^4)$ additions and multiplications | IND-sID-CPA | LWE
Ye et al.'s scheme [27] | $O(n^3)$ additions and multiplications | IND-sID-CPA | DLWE
Scheme1 | $O(n^3/\log n)$ vector additions | IND-ID-CPA | TDLWE
Scheme2 | $O(n^3/\log n)$ vector additions | IND-ID-CCA | TDLWE

In Table 1, $n$ is the security parameter and $n' = O(n^3/\log n)$. In the Setup phase our schemes only produce $n'$ samples from $D_{\mathbb{Z}^m, r}$, and in the Extract phase they require only $n'/2$ vector additions on average. As analyzed above, our schemes are considerably more practical than the existing lattice-based IBE constructions based on LWE (or its variants).

Conclusions
In this paper, for data security in fog computing, a novel efficient lattice-based IBE construction with CPK is proposed and shown to be IND-ID-CPA secure in the random oracle model under a variant of the DLWE assumption, the TDLWE assumption. Based on it, we developed an enhanced construction using a strong one-time signature and showed its IND-ID-CCA security in the random oracle model. How to adapt CPK to ideal-lattice constructions remains an open problem.