Towards Practical RBE | Jan Niklas Siemer

Registration-Based Encryption (RBE) (Garg et al., 2018) is a public-key encryption mechanism which allows users to register their identity (e.g. an email address) and a self-generated public key with a key curator (e.g. an organisation). The key curator aggregates all public keys into a small digest, called state. Using only this state and a recipient’s identity, anyone can encrypt a message to any registered user.

The task of the key curator is only to maintain a registry of public keys, which can be publicly audited. As the key curator is not entrusted with any secrets, RBE presents a solution to the key escrow problem, which impedes the adoption of Identity-Based Encryption (Shamir, 1984). This makes RBE an attractive solution for secure communication with and among members of an organisation while preserving user privacy.

Pictogram of Registration-Based Encryption

A visualised comparison between RBE with a key curator and IBE with a private key generator.

Practical Applications

In practice, RBE could largely eliminate the key-management problem inherent in our current public-key infrastructure, as a state acts as a universal public key for all registered recipients. Consequently, this removes the requirement for individual certificates and their transmission. A practical deployment could therefore bypass the complex, error-prone infrastructure required for certificate generation and validation – a goal closely related to the study of certificateless public-key cryptography (Al-Riyami & Paterson, 2003).

Constructions

Early RBE constructions relied on obfuscation or recursive garbled circuits, rendering them purely theoretical even after extensive optimisation. Recent works proposed fully algebraic constructions with near-practical efficiency albeit with various limitations (Glaeser et al., 2023)(Döttling et al., 2023)(Fiore et al., 2023). These limitations include a small maximum number of registered users, a lack post-quantum security, ciphertext sizes scaling in the order of GB, or a combination thereof. The papers (Glaeser et al., 2023) and (Döttling et al., 2023) both construct an RBE from two primitives: a vector commitment and public-key encryption. (Fiore et al., 2023) provides a compiler from RBE with small identity space (e.g. $[N]$ for $N \in \mathsf{poly}(\lambda)$) to an RBE with arbitrary identity space (e.g. email addresses) using witness encryption for vector commitments and secret sharing.

In our work (Klooß et al., 2026), we build upon the blueprint from (Döttling et al., 2023) – the only post-quantum candidate that naturally extends to arbitrary identity spaces, albeit at the cost 7.2 GB ciphertexts. Furthermore, it provides transparent setup and its security is based on LWE. Our work improves on this construction in several ways, but the most notable differences are:

We observe that a large portion of the ciphertext is dominated by multi-instances of the vector commitment. By sharing the randomness for this component across all public-key encryption instances, we avoid redundant transmissions and significantly reduce the ciphertext size.
Instead of relying on a naive gadget matrix and bit decomposition, we choose a near-optimal base for these operations and utilise approximate gadgets rather than exact ones.
We replace statistical arguments such as the leftover hash lemma by computational assumptions. More specifically, our security proof relies on Leaky LWE rather than error-leakage LWE, which also enables some leakage of the secret key and provides a tighter reduction from LWE.
We pick parameters based on the hardness of LWE and utilise bit-dropping for the ciphertext.

These and several other optimisations reduce the ciphertext of our constructions to 7.0 MB for 128-bit secure parameters.

Our analysis essentially exhausts the known techniques for the optimisation of LWE-based encryption schemes. The only real optimisation factor not considered in our analysis is the deterministic LWR error introduced via bit-dropping of the ciphertext. Therefore, we claim that a structural change, namely a replacement of the underlying vector commitment scheme is required to significantly reduce the ciphertext size further.

This hypothesis was validated by independent work (Zhang et al., 2026), which achieves a size reductions by replacing the underlying vector commitment.

References

TCC

Registration-Based Encryption: Removing Private-Key Generator from IBE

Sanjam Garg, Mohammad Hajiabadi, Mohammad Mahmoody, and Ahmadreza Rahimi

In Theory of Cryptography - 16th International Conference, TCC 2018, Panaji, India, November 11-14, 2018, Proceedings, Part I, 2018

DOI PDF
CRYPTO

Identity-Based Cryptosystems and Signature Schemes

Adi Shamir

In Advances in Cryptology, Proceedings of CRYPTO ’84, Santa Barbara, California, USA, August 19-22, 1984, Proceedings, 1984

DOI
ASIACRYPT

Certificateless Public Key Cryptography

Sattam S. Al-Riyami and Kenneth G. Paterson

In Advances in Cryptology - ASIACRYPT 2003, 9th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, November 30 - December 4, 2003, Proceedings, 2003

DOI PDF
CCS

Efficient Registration-Based Encryption

Noemi Glaeser, Dimitris Kolonelos, Giulio Malavolta, and Ahmadreza Rahimi

In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, November 26-30, 2023, 2023

DOI PDF
EUROCRYPT

Efficient Laconic Cryptography from Learning with Errors

Nico Döttling, Dimitris Kolonelos, Russell W. F. Lai, Chuanwei Lin, Giulio Malavolta, and Ahmadreza Rahimi

In Advances in Cryptology - EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part III, 2023

DOI PDF
ASIACRYPT

Cuckoo Commitments: Registration-Based Encryption and Key-Value Map Commitments for Large Spaces

Dario Fiore, Dimitris Kolonelos, and Paola de Perthuis

In Advances in Cryptology - ASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information Security, Guangzhou, China, December 4-8, 2023, Proceedings, Part V, 2023

DOI PDF
S&P
Scalable Registration-Based Encryption from Lattices

Michael Klooß, Russell W. F. Lai, Jan Niklas Siemer, and Monisha Swarnakar

IACR Cryptol. ePrint Arch., 2026

Abs Bib PDF Code Poster

Registration-Based Encryption (RBE) is a public-key encryption mechanism which allows a user to register their identity (e.g. email address) and self-generated public key with a key curator (e.g. an organisation). The key curator aggregates these keys into a compact digest. Using only this digest and the recipient’s identity, anyone can encrypt messages to any registered user. As the key curator is not entrusted with any secrets, RBE presents a solution to the key escrow problem, which impedes the adoption of Identity-Based Encryption. This makes RBE an attractive solution for secure communication with and among members of an organisation while preserving user privacy. Despite recent advances [Döttling-Kolonelos-Lai-Lin-Malavolta-Rahimi, EUROCRYPT’23; Fiore-Kolonelos-de-Perthuis, ASIACRYPT’23], practical constructions of RBE are still limited to a small number of registered users (e.g. 1024), lack post-quantum security, or have ciphertext sizes scaling in the order of GB. The predominant way towards constructing practical RBE is a generic transformation from Laconic Encryption (LE). In this work, we identify an efficiency bottleneck in this transformation and present a new primitive called Batched Laconic Encryption (BLE) which admits a more succinct transformation to RBE. Our resulting RBE scheme is the first post-quantum construction that simultaneously supports a large number of registered users and asymptotically outperforms all comparable RBE schemes. Concretely, for at most 2^30 registered users at 128-bit security, our scheme achieves a ciphertext size of 7 MB, improving on previously reported results by three orders of magnitude. We confirm our results through an open-source prototype implementation demonstrating that all algorithms execute within a few milliseconds. The post-quantum security of our construction is based on the standard Learning with Errors assumption, and our analysis enables several tweaks to significantly reduce ciphertext sizes in practical deployments.
@article{EPRINT:KLSS26, author = {Klooß, Michael and Lai, Russell W. F. and Siemer, Jan Niklas and Swarnakar, Monisha}, title = {Scalable Registration-Based Encryption from Lattices}, journal = {{IACR} Cryptol. {ePrint} Arch.}, year = {2026}, url = {https://eprint.iacr.org/2026/717}, badges = {sp-available.svg|S&P - Artifacts Available, sp-functional.svg|S&P - Artifacts Functional, sp-reproduced.svg|S&P - Results reproduced} }
Preprint

Fast and Compact Lattice-Based Registration-Based Encryption

Tianwei Zhang, Xiuquan Ding, Giulio Malavolta, and Nico Döttling

IACR Cryptol. ePrint Arch., 2026

PDF