Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model
Journal of Cryptology (IF 2.3), Pub Date: 2021-01-01, DOI: 10.1007/s00145-020-09371-y
Shuichi Katsumata, Shota Yamada, Takashi Yamakawa

In (STOC, 2008), Gentry, Peikert, and Vaikuntanathan proposed the first identity-based encryption (GPV-IBE) scheme based on a post-quantum assumption, namely the learning with errors assumption. Since their proof was only given in the random oracle model (ROM) rather than the quantum random oracle model (QROM), it remained unclear whether the scheme was truly post-quantum. In (CRYPTO, 2012), Zhandry developed new techniques for use in the QROM and proved the security of GPV-IBE in the QROM, thereby answering in the affirmative that GPV-IBE is indeed post-quantum. However, since Zhandry's general technique incurs a large reduction loss, there was a wide gap between the concrete efficiency and security level provided by GPV-IBE in the ROM and in the QROM. Furthermore, whether in the ROM or the QROM, GPV-IBE is not known to have a tight reduction in the multi-challenge setting. Considering that a real-world adversary can obtain many ciphertexts, it is desirable to have a security proof that does not degrade with the number of challenge ciphertexts. In this paper, we provide a much tighter proof for GPV-IBE in the QROM in the single-challenge setting. In addition, we show that a slight variant of GPV-IBE has an almost tight reduction in the multi-challenge setting in both the ROM and the QROM, where the reduction loss is independent of the number of challenge ciphertexts. Our proof departs from the traditional partitioning technique and resembles the approach used in the public key encryption scheme of Cramer and Shoup (CRYPTO, 1998). Our proof strategy allows the reduction algorithm to program the random oracle in the same way for all identities, which naturally fits the QROM setting, where an adversary may query a superposition of all identities in a single random oracle query. Notably, our proofs are much simpler than Zhandry's and conceptually much easier to follow for cryptographers not familiar with quantum computation.
Although the techniques used for the single- and multi-challenge settings are similar at a high level, the technical details are quite different. For the multi-challenge setting, we rely on the Katz–Wang technique (CCS, 2003) to overcome some obstacles regarding the leftover hash lemma.

Updated: 2021-01-01