\section{Syntax and Definitions of Group Encryption}\label{GE-model}
We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}.
The group encryption (\textsf{GE}) primitive involves a sender, a verifier, a group manager~(\textsf{GM}) that manages the group of receivers and an opening
authority~(\textsf{OA}) which is capable of identifying ciphertexts' recipients.
In the syntax of \cite{KTY07}, a $\GE$ scheme is specified by the description of a tuple
$\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle\mathcal{G}_r,R,\mathsf{sample}_R\rangle,\mathsf{ENC},\mathsf{DEC},\mathsf{OPEN},\langle\mathcal{P},\mathcal{V}\rangle\bigr)$ of algorithms or protocols.
In detail, $\mathsf{SETUP}$ is a set of initialization procedures that all take (implicitly or explicitly) a security parameter $1^\lambda$ as input. We call them
$\mathsf{SETUP}_{\mathsf{init}}(1^\lambda)$,
$\mathsf{SETUP}_{\mathsf{GM}}(\param)$ and
$\mathsf{SETUP}_{\mathsf{OA}}(\param)$. The first one of these procedures
generates a set of public parameters $\param$ (like the KTY construction \cite{KTY07}, we rely on a common reference string even when using interaction between
provers and verifiers). The latter two procedures are used to produce key pairs
$(\pk_{\GM},\sk_{\GM})$, $(\pk_{\OA},\sk_{\OA})$ for the $\GM$ and the
$\OA$. In the following, $\param$ is incorporated in the inputs of all algorithms, although we sometimes omit it.
$\mathsf{JOIN}=(\mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM})$ is an interactive protocol between the $\GM$ and the prospective user.
After the execution of $\mathsf{JOIN}$, the $\GM$ stores the public key $\pk$ and its certificate $\crt_{\pk}$ in a public directory
$\mathsf{database}$.
As in \cite{KY05}, we will restrict this
protocol to have minimal interaction and consist of only two messages: the first one is the user's public key $\pk$ sent by $\mathsf{J}_{\mathsf{user}}$ to $\mathsf{J}_{\GM}$
and the latter's response is a certificate $\crt_{\pk}$ for $\pk$ that makes the user's group membership effective. We do not require the user to prove
knowledge of his private key $\sk$ or anything else about it. In our construction, valid keys will be publicly recognizable and users will not have to prove
their validity. By avoiding proofs of knowledge of private keys, the security proof never has to
rewind the adversary to extract those private keys, which allows supporting concurrent joins as
advocated by Kiayias and Yung \cite{KY05}. If applications demand it, it is possible to add
proofs of knowledge of private keys in a modular way but our security proofs do not require
rewinding the adversary in executions of $\mathsf{JOIN}$. \\
\indent
Algorithm $\mathsf{sample}_{R}$ allows sampling pairs $(x,w)\in R$ (made of a public value $x$ and a witness $w$) using keys $(\pk_{R},\sk_{R})$ produced by
$\mathcal{G}_r(1^\lambda)$, which samples public/secret parameters for the relation $R$. Depending on the relation, $\sk_{R}$ may be the empty string (as in the scheme of \cite{KTY07} and ours, which both involve publicly samplable relations). The testing procedure $R(x,w)$ uses $\pk_{R}$ to
return $1$ whenever $(x,w)\in R$. To encrypt a witness $w$ such that $(x,w)\in R$ for some public $x$, the sender fetches the pair $(\pk,\crt_{\pk})$
from $\mathsf{database}$ and runs the randomized encryption algorithm. The latter takes as input $w$, a label $L$, the receiver's pair $(\pk,\crt_{\pk})$ as
well as public keys $\pk_{\GM}$ and $\pk_{\OA}$. Its output is a ciphertext $\Psi$.
On input of the same elements, the certificate $\crt_{\pk}$, the ciphertext $\Psi$ and the random coins $coins_{\Psi}$ that were used to produce $\Psi$, the
non-interactive algorithm $\mathcal{P}$ generates a proof $\pi_{\Psi}$ that there exists a certified receiver whose public key was registered in $\mathsf{database}$ and
who is able to decrypt $\Psi$ and obtain a witness $w$ such that $(x,w)\in R$. The verification algorithm $\mathcal{V}$ takes as input $\Psi$, $\pk_{\GM}$,
$\pk_{\OA}$, $\pi_{\Psi}$ and the description of $R$ and outputs $0$ or $1$. Given $\Psi$, $L$ and the receiver's private key $\sk$, the output of
$\mathsf{DEC}$ is either a witness $w$ such that $(x,w)\in R$ or a rejection symbol $\bot$. Finally,
$\mathsf{OPEN}$ takes as input a ciphertext/label pair $(\Psi,L)$ and the OA's secret key $\sk_{\OA}$ and returns a receiver's public key $\pk$.\\
\indent
The model of \cite{KTY07} considers four properties termed correctness, message security, anonymity and soundness.
In the security definitions, stateful oracles capture the adversary's
interaction with the system. In the soundness game, the KTY model requires
that $\pk$ belongs to the language of valid public keys. Here, we implicitly assume that the space
of valid public keys is dense (all matrices are valid keys, as is the case in our scheme).
In the upcoming definitions, we sometimes use the notation
In the experiment modeling the anonymity property, the adversary
controls the entire system except the opening authority and two well-behaved users.
The challenger thus introduces two honest users' public keys $\pk_0,\pk_1$ in $\mathsf{database}$ and obtains certificates for both $\pk_0,\pk_1$ from the adversarially-controlled $\GM$.
For a pair $(x,w)\in R$ of its choice, the adversary obtains an encryption of $w$ under $\pk_b$ for some $b\in\bit$ chosen by the challenger.
The adversary is provided with decryption oracles w.r.t. both keys $\pk_0,\pk_1$. In addition, it has the following oracles at its disposal:
\begin{itemize}
\item[-]$\mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L)$: is a
challenge oracle that is only queried once by the adversary. It
returns a pair $(\Psi,coins_{\Psi})$ consisting of a ciphertext
$\Psi\leftarrow
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},w,L)$ and the
coin tosses $coins_{\Psi}$ that were used to generate $\Psi$.
\item[-]
$\mathsf{USER}(\pk_{\GM})$: is a stateful oracle that obtains certificates from the adversary by simulating two
executions of $\mathsf{J}_{\mathsf{user}}$ to introduce two honest users
in the group. It uses a string $\mathsf{keys}$ where the outputs $(\pk_0,\sk_0,\crt_{\pk_0})$, $(\pk_1,\sk_1,\crt_{\pk_1})$ of honest users
are written as long as the adversarially-supplied certificates $\{\crt_{\pk_d}\}_{d=0}^1$ are valid w.r.t. $\pk_{\GM}$ (i.e., invalid certificates are ignored
by the oracle and no entry is introduced in $\mathsf{keys}$ for them).
\item[-]
$\mathsf{OPEN}(\sk_{\OA},.)$: is a stateless oracle that simulates
the opening algorithm and, on input of a $\GE$
ciphertext, returns the receiver's public key.
\end{itemize}
The reason why
the $\mathsf{USER}$ oracle is needed is that both honest users' public keys $\pk_0, \pk_1$ must have been properly
certified by the adversarially-controlled $\mathsf{GM}$ before the challenge phase because the adversary subsequently obtains
proofs generated using $(\pk_b,\crt_{\pk_b})$.
\begin{definition}\label{anonymity-def}
A $\GE$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
with a probability not exceeding $1/2+\mathsf{negl}(\lambda)$.
An IBE scheme is a tuple of efficient algorithms $(\mathsf{Setup}, \mathsf{Extract}_\mathsf{PP}, \mathsf{Encrypt}_\mathsf{PP}, \mathsf{Decrypt}_\mathsf{PP})$ such that
\begin{description}
\item[\textsf{Setup}$(1^\lambda)$:] On security parameter $\lambda$, this algorithm outputs public parameters $\mathsf{PP}$ and a master secret key $\textsf{msk}$.
\item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Takes as input a master secret key $\textsf{msk}$ and an identity $\ID$ and outputs a secret key $\sk_\ID$.
\item[\textsf{Encrypt}$_\mathsf{PP}(\ID, M)$:] Given an identity $\ID$ and a message $M$, it outputs a ciphertext $C$.
\item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, C)$:] Given a secret key $\sk_\ID$ and a ciphertext $C$, outputs either a decryption error symbol $\bot$, or a message $M$.
\end{description}
\noindent Correctness requires that, for any pair $(\mathsf{PP}, \textsf{msk})\gets\Setup(1^\lambda)$, any $\ID$ and any message $M$, we have
Our proofs rely on the semantic security of the scheme against selective adversaries (\textsf{IND-sID-CPA})
but also on the stronger property of ciphertext pseudo-randomness. %in Lemma~\ref{ABB-deux}.
Informally, this notion demands that the adversary be unable to distinguish an
encryption of a message of its choice from a random element of the ciphertext space $\mathcal{C}$. Notice that this property implies \textsf{IND-sID-CPA} security.
\begin{definition}
\label{de:pseudorand-cipher}
An IBE scheme has pseudo-random ciphertexts if no PPT adversary $\adv$ with access to the private key extraction oracle \textsf{Extract$_\mathsf{PP}(\textsf{msk}, \cdot)$} has non-negligible advantage
$\advantage{\mathrm{ROR}}{\adv}{\lambda}= | \Pr\bigl[\mathbf{Expt}_{\adv}^\mathrm{ROR}=1\bigr]-\frac12 | $ in the game described in Figure~\ref{fig:expt-ror}.
\item Define $\mathbf{G}=\mathbf{I}_n \otimes[1|2|\ldots |2^{k-1}]\in\ZZ_q^{n \times\bar{m}}$. Sample matrices $\mathbf B \sample U(\ZZ_q^{ n \times\bar{m}})$,
$\mathbf U \sample U(\Zq^{n \times m})$.
\item Let $\mathsf{FRD}: \Zq^n \to\Zq^{n \times n}$ be the full-rank difference mapping from~\cite{ABB10}.
\end{enumerate} Output
$\mathsf{PP}= \bigl(\bar{\mathbf A}, \mathbf B, \mathbf U \bigr)$ and $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$.
\item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Given $\textsf{msk}=\mathbf{T}_{\bar{\mathbf A}}$ and an identity $\ID\in\Zq^n$, do as follows: \smallskip
\begin{enumerate}
\item Define the matrix $\mathbf B_\ID=\mathbf B +\mathsf{FRD}(\ID)\cdot\mathbf G \in\Zq^{n \times\bar{m}}$.
%\item Use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the dual lattice of the matrix $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right]$.
\item Let $\mathbf B_{\mathbf A, \ID}=\left[\mathbf A \mid\mathbf B_\ID\right]\in\ZZ_q^{n \times(m +\bar{m})}$ and use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the lattice $\Lambda^\perp(\mathbf B_{\mathbf A, \ID})$.
\item Use $\mathbf T_\ID$ to sample a small-norm matrix $\mathbf E_\ID\in\ZZ^{(m+\bar{m})\times m}$ satisfying the equality $\mathbf B_{\mathbf A, \ID}\cdot\mathbf E_\ID=\mathbf U \bmod q$.
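The gadget matrix $\mathbf G=\mathbf{I}_n \otimes[1|2|\ldots|2^{k-1}]$ of the Setup step and the matrix $\mathbf B_\ID=\mathbf B+\mathsf{FRD}(\ID)\cdot\mathbf G$ of the Extract step, as an added example that is not the paper's code: it builds $\mathbf G$, the binary decomposition $\mathbf G^{-1}$ with $\mathbf G\cdot\mathbf G^{-1}(\mathbf V)=\mathbf V \bmod q$, and $\mathbf B_\ID$ for a caller-supplied $n\times n$ matrix $\mathbf H=\mathsf{FRD}(\ID)$. The FRD encoding of \cite{ABB10} and the trapdoor delegation of step 2 are assumed to be available elsewhere and are not reimplemented here.

```python
# Added example (not from the paper): the gadget matrix G = I_n (x) [1|2|...|2^{k-1}]
# from Setup, its bit-decomposition inverse G^{-1}, and B_ID = B + FRD(ID)*G from
# Extract. FRD (the ABB10 full-rank difference encoding) is not re-implemented:
# the caller passes the n x n matrix H = FRD(ID); the demo uses I_n as a stand-in.
import random

def gadget_matrix(n, q):
    """G = I_n (x) [1|2|...|2^{k-1}] in Z_q^{n x nk}, k = ceil(log2 q)."""
    k = (q - 1).bit_length()
    g = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            g[i][i * k + j] = (1 << j) % q
    return g

def gadget_inverse(v, n, q):
    """G^{-1}(V): bit-decompose each entry of the n x c matrix V into a {0,1}
    matrix X of size nk x c with G * X = V mod q (small norm by construction)."""
    k = (q - 1).bit_length()
    x = [[0] * len(v[0]) for _ in range(n * k)]
    for i in range(n):
        for c in range(len(v[0])):
            for j in range(k):
                x[i * k + j][c] = ((v[i][c] % q) >> j) & 1
    return x

def matmul_mod(a, b, q):
    """Matrix product over Z_q in pure Python (no numpy dependency)."""
    return [[sum(a[r][t] * b[t][c] for t in range(len(b))) % q
             for c in range(len(b[0]))] for r in range(len(a))]

def b_id(b, h, g, q):
    """B_ID = B + H * G mod q, where H = FRD(ID) is n x n and G is n x nk."""
    hg = matmul_mod(h, g, q)
    return [[(b[r][c] + hg[r][c]) % q for c in range(len(b[0]))]
            for r in range(len(b))]

def demo(n=4, q=13, seed=1):
    """Returns (G*G^{-1}(V) == V, shape of B_ID) for constructed random inputs."""
    rng = random.Random(seed)
    k = (q - 1).bit_length()
    g = gadget_matrix(n, q)
    v = [[rng.randrange(q) for _ in range(3)] for _ in range(n)]      # constructed target V
    ok = matmul_mod(g, gadget_inverse(v, n, q), q) == v
    b = [[rng.randrange(q) for _ in range(n * k)] for _ in range(n)]  # B <- U(Z_q^{n x nk})
    h = [[int(r == c) for c in range(n)] for r in range(n)]           # stand-in for FRD(ID)
    bid = b_id(b, h, g, q)
    return ok, (len(bid), len(bid[0]))
```

With $n=4$ and $q=13$ we get $k=4$, so $\bar m=nk=16$ and $\mathbf B_\ID$ is $4\times 16$; the small-norm property of $\mathbf G^{-1}(\cdot)$ (entries in $\{0,1\}$) is what the later lattice-based steps rely on.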