Abstract

Signcryption is a cryptographic primitive that performs digital signature and public-key encryption simultaneously at a significantly reduced cost. This advantage makes it highly useful in many applications. However, most existing signcryption schemes are seriously challenged by the rapid progress of quantum computing. As an interesting stepping stone in the post-quantum cryptographic community, two lattice-based signcryption schemes were proposed recently, but both of them were only proved secure in the random oracle model. Therefore, the main contribution of this paper is a new lattice-based signcryption scheme that can be proved secure in the standard model.

1. Introduction

In many situations, we need to realize confidentiality, integrity, authentication, and non-repudiation simultaneously. There are generally two approaches to accomplish this task: the signature-then-encryption approach and signcryption, proposed by Zheng [1]. Compared with the former, signcryption performs both signature and encryption simultaneously at a lower cost. Hence, signcryption schemes are more appropriate in many environments such as smart cards, mobile communications, and electronic commerce. To date, many efficient signcryption schemes [2–6] have been designed based on various assumptions from number theory. However, cryptography based on number theory has been seriously challenged by the rapid progress of quantum computation. In this situation, many researchers have made efforts to explore new cryptosystems based on new security foundations, such as quantum cryptography [7–9], chaos cryptography [10, 11], DNA cryptography [12], and so forth. However, as far as we know, there is no efficient signcryption scheme based on these new foundations. Therefore, we turn our attention to another newly rising branch of modern cryptography, post-quantum cryptography, which includes lattice-based cryptography, code-based cryptography, hash-based cryptography, and multivariate cryptography [13].

Recently, Li et al. [14] (LMK12) and Wang et al. [15] (WHW12) succeeded in designing signcryption schemes based on lattices. Lattice-based cryptography is regarded as one of the most attractive options for resisting quantum attacks. Meanwhile, it has several important advantages. Firstly, the security of lattice-based cryptography is based on the worst-case hardness of lattice problems, while previous cryptography built on number theory is based on average-case hardness. Secondly, the main operations in a lattice-based cryptographic scheme are additions and multiplications over a moderate modulus (say not larger than). Thus, in the long run, lattice-based cryptosystems can run extremely fast compared with currently used cryptosystems (such as RSA), which always involve exponentiations over a huge modulus (say not less than).

However, both Li et al.’s scheme and Wang et al.’s scheme are only proved secure in the random oracle model. After the publication of Canetti’s critical statement on provable security reductions based on random oracles (ROMs) [16], it has always been an interesting exercise to design and prove cryptographic schemes without relying on ROMs. In this paper, we construct a lattice-based signcryption scheme and present its security reductions without using ROMs. Our original ideas can be formulated as follows. The trapdoor construction of [17] has the advantages of a small trapdoor and a small public key, but its public key encryption scheme can only achieve CCA1 security: in phase two, the challenger cannot answer decryption queries for a ciphertext whose first tupleis identical to the first tuplein the challenge ciphertext. Moreover, the ciphertext of [17] is malleable. One typical method for transforming an encryption scheme from CCA1 to CCA2 is to use a one-time strongly unforgeable signature to ensure the nonmalleability of ciphertexts. However, this method increases the ciphertext length and the encryption/decryption time. We setto be the hash value, whereis a random number andis the signature generated in the signcryption process. The domain ofis large enough that the probability that the first tuple of a normally generated ciphertext equalsis negligible. Hence, the challenger can answer the decryption queries in phase two. Further, we use the CCA security of the symmetric encryption and the collision resistance of the hash functionto prevent the malleability of the ciphertext. In the proof, the hash functioncan be replaced with a chameleon hash function, so the challenger can generateto form the challenge ciphertext. If there exists an adversary who can forge a valid ciphertext, he/she can find a collision of. The probability of this event is negligible according to [18], so our signcryption scheme achieves CCA2 security.
The strong unforgeability of the signcryption can be obtained by the strong unforgeability of the original signature. In summary, the proposed scheme is(i)indistinguishable against inner adaptively chosen ciphertext attacks (IND-CCA2) under the learning with errors (LWE) assumption in the standard model,(ii)strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA) under small integer solution (SIS) assumption in the standard model.

Here, the term “inner” means that in the IND-CCA2 (resp., SUF-CMA) game, the sender (resp., receiver), who possesses the signing (resp., decryption) key, is allowed to launch the corresponding attack. Clearly, an “inner” attacker is much stronger than an outer one; thus, the inner security of our proposal also implies its outer security. In addition, our scheme has advantages both in computational cost and in public/private key size. Our main contribution is summarized in Table 1. In order to keep the trapdoors consistent, we construct a chameleon hash function using the new trapdoor technique of [17], which may be of independent interest. In fact, our chameleon hash function is similar to the one in [19]. Although the chameleon hash function in [19] could be used in our scheme, it would require two different kinds of trapdoor techniques and reduce efficiency.

The rest of this paper is organized as follows. In Section 2, the necessary preliminaries on lattice-based cryptographic assumptions and algorithms are introduced. In Section 3, the security models of signcryption, including the IND-CCA2 game and the SUF-CMA game, are reviewed. In Section 4, the main contribution, that is, the proposed lattice-based signcryption scheme, is presented in detail, followed by the proof of its consistency. The security proofs are given in Section 5 and the performance comparisons in Section 6. Finally, concluding remarks are given in Section 7.

2. Preliminaries

Throughout this paper, we denote the set of integers by, the residue classby, the real numbers by, and the real intervalby. The expression(resp.,) denotes the vector space over(resp.,) in which every vector haselements. Similarly, the expression(resp.,) denotes the matrix space over(resp.,) in which every matrix hasrows andcolumns. We denote the setby, for an integer. The symbol “” denotes the string concatenation operator and “” denotes the matrix concatenation operator. Vectors are denoted by lower-case bold letters (e.g.,), matrices by upper-case bold letters (e.g.,), and the Gram-Schmidt orthogonalization ofby. The order of a matrix’s column vectors may be interchanged. The functiondenotes the largest singular value of a matrix. For a given distributionover a space, we useto denote thatis picked at random from the spaceaccording to the distribution. If the sampling spaceis clear from the context, we also simply useorto denote the same thing. Also, we useto denote thatis picked from the spaceuniformly at random.

2.1. Lattice and Gaussian Distribution

Definition 1 (Lattice). An-dimensional latticeis a discrete additive subgroup of(). Formally, letbelinearly independent vectors. The lattice generated byis whereis called a basis for. In many cryptographic applications, a particular family which is called-ary integer lattices is frequently used. For positive integers(=) andand matrix, the-ary lattices are defined by

For integersand, a probability distributionover, and a vector,is defined as the distribution ofon, whereis chosen uniformly at random fromandis drawn according to, respectively.

Definition 2 (Learning with Errors (LWE) [23]). For an integerand a distributionon, the target of learning with errorsis to distinguish with nonnegligible probability between the distributionand the uniform distribution onby accessing the oracle for the given distribution, where.

For,is defined as the distribution onof a normal variable with meanand standard deviation, reduced modulo. When normal variableobeys distribution,is the discretized normal distribution onof random variable, wheredenotes rounding.

Proposition 3 (hardness of LWE [23]). Letandbe a prime such that. If there is an efficient (possibly quantum) algorithm that can solve, then there is an efficient quantum algorithm for approximatingwithinfactors (see [24] for its hardness) in the worst case.

Definition 4 (Small Integer Solution (SIS) [18]). Given an integer, a realand a matrix, the goal ofis to find a nonzero integer vectorto satisfyand.

Proposition 5 (hardness of SIS, Theorem 5.16 of [18]). For any polynomially bounded,and for any prime, the average-case problemis as hard as approximating the SIVP problem (among others) in the worst case to within certainfactors.

Definition 6 (Gaussian measure [18]). Given any vectorand real, letbe the Gaussian function centered atwith parameter. Its total measure is. The probability density function of the corresponding continuous Gaussian distribution is defined as When, it is omitted.

Definition 7 (discrete Gaussian distribution [18]). For any vector, real, and lattice, the distribution is called discrete Gaussian distribution over.

Proposition 8 (Claim 5.3 [23]). Letbe a constant, and letbe an integer. The columns of a uniformly randomgenerate all of, except withprobability.

Proposition 9. Letbe a basis of, whereand the columns ofgenerate. Let.
(1) (Theorem 3.1 of [20]) Let; the distribution ofis-far from the uniform distribution over, and the conditional distribution ofgivenis.
(2) (Lemma 4.4 of [18])

According to nonasymptotic theory of random matrices [25], we have the following lemma.

Proposition 10 (Lemma 2.9 of [17]). For any-sub-Gaussian random matrixwith parameterand any real, there is a constantsuch thatholds with probability at least.

2.2. Universal Hashes and Chameleon Hashes

In general, we require a hash function used in a cryptographic scheme to be collision resistant. But in our construction, we need further properties of the hashes involved: one is the universal property and the other is the so-called chameleon property.

Definition 11 (universal hash functions [26]). We say that a family of hash functionsis universal if for every distinct pair,holds.

In addition, a special kind of hash, the chameleon hash introduced by Krawczyk and Rabin [27], is used in our work. Chameleon hash functions have the following four properties: (1) efficient forward computation, (2) the standard collision-resistance property, (3) the uniformity property, and (4) the chameleon property. We will construct a chameleon hash family based on the lattice-trapdoor technique given in [17] and prove that it has the above properties in Section 4.1; hence we do not describe these properties here in detail.

2.3. Related Algorithms for Inverting and Sampling

Micciancio and Peikert [17] proposed new, simpler, easy-to-implement, and more efficient methods to generate and use “strong trapdoors” in cryptographic lattices. These methods include specialized algorithms for inverting LWE instances, which are the building blocks of encryption and signature schemes.

Firstly, we introduce the related matrices. Let,. Define matrixas The matrixcan be easily constructed in the following two cases: (1) whenis a power of 2, let,forand; (2) whenis not a power of 2,is theth bit of. In the former,and in the latterby Lemma 4.3 of [17]. It can be verified thatis a basis for.

Let. Given, there exist efficient algorithms to findandsuch that, when. There are two cases for:is a power ofor not. In the former case, Algorithm 1 performs this task.

Input:
Vector , where .
Output:
Scalar and a vector .
(1)   ;
(2)  for ; ; step   do
(3)   if     then
(4)    ;
(5)   else
(6)    ;
(7)   end if
(8)    ;
(9)    ;
(10)  end for
(11)  Output and .

In the latter case, the above algorithm still works, but the interval for the error vectorneeds to be changed to. For convenience, the algorithm for the latter case is also called InvertG.

The primitive vectorand the corresponding latticebasiscan be used to construct parity-check matrixand matrixas follows. It follows thatis a primitive matrix, andis a basis for lattice:

Definition 12. Given matricesandand invertible matrixfor positive integers, ifandis small enough,is called a-trapdoor ofcorresponding to.

Given a functionwith suitably small, an efficient oraclefor invertingcan be obtained by calling Algorithm 1times.

Given an LWE instancewith suitably smalland the-trapdoorwith corresponding matrix, Algorithm 2 can recoverand.

Input:
Parity-check matrix A ;
G-trapdoor T of A and corresponding invertible tag ;
Vector = (s, e) for suitably small e   .
Output:
Vectors s and e.
(1) Compute = ;
(2) Obtain ( , ) by calling ;
(3) Return s = and e = b − s.
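The following Python script is an added worked example of Algorithms 1 and 2, not code from [17] or from this paper. It covers the case q = 2^k with the tag H fixed to the identity matrix (the case used by the chameleon hash and signature of Section 4): it builds the gadget G = I_n ⊗ g^T with g = (1, 2, ..., 2^(k-1)), a G-trapdoor R with A[R; I] = G in the sense of Definition 12, and then recovers (s, e) from b = A^T s + e mod q. `invert_g` is the bit-by-bit decoding of Algorithm 1 for error entries in [-q/4, q/4), and `invert_lwe` is Algorithm 2: it computes [R; I]^T b and calls `invert_g` once per block, n times in total. The parameters (n = 4, k = 12, mbar = 16, error entries in [-3, 3]), the random matrices, and the {-1, 0, 1} distribution of R are constructed for the demonstration; the arbitrary-modulus variant of Algorithm 1 is not covered.

```python
"""Added example: gadget (G-trapdoor) inversion in the style of Micciancio-Peikert,
for q = 2**k and tag H = I. Pure Python, no external dependencies."""
import random


def g_encode(s, e, q, k):
    """Forward map of the gadget: b = s*g + e mod q with g = (1, 2, ..., 2^(k-1))."""
    return [(s * (1 << i) + e[i]) % q for i in range(k)]


def center(x, q):
    """Representative of x mod q in [-q/2, q/2)."""
    x %= q
    return x - q if x >= q // 2 else x


def invert_g(b, q, k):
    """Algorithm 1 (InvertG) for q = 2^k: recover (s, e) from b = s*g + e mod q,
    assuming every e_i lies in [-q/4, q/4). Bits of s come out least significant
    first, because 2^(k-1) * s = (s mod 2) * q/2 (mod q)."""
    assert q == 1 << k, "this variant of InvertG needs q to be a power of two"
    s = 0
    for j in range(k):
        i = k - 1 - j                    # coordinate of b that exposes bit j of s
        t = center(b[i] - (s << i), q)   # = s_j * q/2 + e_i  (mod q)
        bit = 0 if -q // 4 <= t < q // 4 else 1
        s |= bit << j
    e = [center(b[i] - s * (1 << i), q) for i in range(k)]
    return s, e


def transpose_mul(M, v, q):
    """M^T v mod q, with M given as a list of rows."""
    rows, cols = len(M), len(M[0])
    return [sum(M[r][c] * v[r] for r in range(rows)) % q for c in range(cols)]


def gadget(n, k):
    """G = I_n (x) g^T, an n x nk matrix."""
    G = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = 1 << j
    return G


def gen_trapdoor(n, k, mbar, q, rng):
    """A = [Abar | G - Abar*R] with R in {-1,0,1}^(mbar x nk), so that A [R; I] = G,
    i.e. R is a G-trapdoor of A with tag H = I (Definition 12). The {-1,0,1} entries
    of R are a constructed toy distribution, not the Gaussian one of [17]."""
    Abar = [[rng.randrange(q) for _ in range(mbar)] for _ in range(n)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(n * k)] for _ in range(mbar)]
    G = gadget(n, k)
    AR = [[sum(Abar[i][r] * R[r][c] for r in range(mbar)) % q for c in range(n * k)]
          for i in range(n)]
    A = [Abar[i] + [(G[i][c] - AR[i][c]) % q for c in range(n * k)] for i in range(n)]
    return A, R


def invert_lwe(A, R, b, q, n, k, mbar):
    """Algorithm 2 (Invert) with tag H = I: given b = A^T s + e mod q, compute
    bhat = [R; I]^T b = G^T s + [R; I]^T e, decode each of the n blocks of bhat
    with InvertG, then recover e = b - A^T s. Correct whenever every entry of
    [R; I]^T e stays inside [-q/4, q/4)."""
    b1, b2 = b[:mbar], b[mbar:]
    bhat = [(x + y) % q for x, y in zip(transpose_mul(R, b1, q), b2)]
    s = [invert_g(bhat[i * k:(i + 1) * k], q, k)[0] for i in range(n)]
    e = [center(x - y, q) for x, y in zip(b, transpose_mul(A, s, q))]
    return s, e


def demo(seed=1):
    """Constructed instance: n = 4, k = 12 (q = 4096), mbar = 16, |e_i| <= 3.
    Returns True iff trapdoor inversion recovers both s and e exactly."""
    n, k, mbar = 4, 12, 16
    q = 1 << k
    rng = random.Random(seed)
    A, R = gen_trapdoor(n, k, mbar, q, rng)
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-3, 3) for _ in range(mbar + n * k)]
    b = [(x + y) % q for x, y in zip(transpose_mul(A, s, q), e)]
    return invert_lwe(A, R, b, q, n, k, mbar) == (s, e)


if __name__ == "__main__":
    print("InvertG on (12, 4, 15, 5) mod 16:", invert_g([12, 4, 15, 5], 16, 4))
    print("trapdoor inversion succeeded:", demo())
```

The error tolerance of `invert_g` is exactly the condition on e stated for Algorithm 1: with q = 16, an error entry equal to q/4 (for instance e = (0, 0, 0, 4)) already flips the recovered low bit of s. This is why Algorithm 2 needs [R; I]^T e to stay small, that is, a short trapdoor R and a small LWE error, which is the constraint the consistency proof of Section 4.3 checks via the singular value of R.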

Finally, we recall the algorithm, denoted by SampleD and due to Peikert [28], for sampling from a Gaussian distribution using a short basis.

The mechanism of [17] for generating a trapdoor is different from that of [29]. As a result, [17] uses a new algorithm, also named SampleD, to sample from a discrete Gaussian over; it calls Algorithm 3. It is used in signing and delegation. For distinction, let us call it SampleDG. The reader can refer to Theorem 5.5 of [17] for its correctness (Algorithm 4).

Input:
Offline phase: Basis of a -ary integer ; rounding parameter ;
positive definite covariance matrix ;
Online phase: a vector ;
Output:
Vector    drawn from a distribution within statistical distance of ;
Offline phase:
(1) Compute ;
(2) Let = , let = , and compute some M ;
(3) Choose from by letting ;
   Online phase:
(4) Return .

Input:
Offline phase:
   (i) Trapdoor matrix ;
   (ii) Partial parity-check matrix ;
   (iii) Positive definite , for example, any .
Online phase:
   (i) Invertible tag defining ;
   (ii) Syndrome .
Output:
A vector , which is statistically close to .
Offline phase:
(1) Compute , choose vector ;
(2) Parse where , . Compute and ;
 Online phase:
(3) Compute ;
(4) Choose by calling SampleD (see Algorithm 3);
(5) Return .

3. Signcryption: Primitive and Security Models

Signcryption was invented in 1996 and first disclosed to the public at CRYPTO 1997 [1]. Signcryption is a public key cryptographic method that achieves unforgeability and confidentiality simultaneously with significantly smaller overhead than that required by “digital signature followed by public key encryption.” It does this by signing and encrypting a message in a single step, fulfilling a cryptographer’s dream to “kill two birds with one stone” [1, 3]. Signcryption techniques are now a global standard for data protection [30].

The signcryption primitive provides confidentiality of the message against all entities except the intended receiver and, at the same time, provides authenticity of the sender (i.e., the signer) to the intended receiver. It is clear that the authenticity embedded in the signcryption primitive is unidirectional rather than bidirectional. In particular, if an intended receiver can forge a signature on behalf of some signer, he/she can plant false evidence against the signer and then encrypt the signature for himself/herself. By doing so, the signer is incriminated. Therefore, in considering the security of signcryption, we should take into account the orthogonal combination of two kinds of attackers (i.e., inner attackers and outer attackers) and two protection goals (i.e., unforgeability and confidentiality). In 2005, Dent [31, 32] gave comprehensive elaborations on the inner security and outer security of signcryption. To provide a handy reference for the security reductions given later, we review the security models of signcryption from LMK12 [14], in which only the security models against inner attackers are formulated, because in general an inner attacker is much stronger than an outer one.

Definition 13 (signcryption). A signcryption scheme consists of the following four algorithms.
(i): this is an initialization algorithm that should be executed only once by any honest user in the system. It takes as input the security parameterand outputs the public parametersthat are shared by all users in the system.
(ii): this is a key generation algorithm that should be executed by each user only once. It takes as inputs the security parameteras well as the public parametersand outputs the public/private key pair, wherewill be published publicly whilewill be kept known only to the user himself/herself. (In the sequel, let us assume that the sender’s public/private key pair is, while the receiver’s is.)
(iii): this is a signcryption algorithm that should be executed by a sender whenever he/she wants to send a message to someone. It takes as inputs a message, the intended receiver’s public key, and the sender’s public/private key pairand outputs a signcryption ciphertext.
(iv): this is an unsigncryption algorithm that should be executed by a receiver. It takes as inputs a signcryption ciphertext, the receiver’s public/private key pair, and the sender’s public keyand outputs a plaintextor.

Definition 14 (consistency of signcryption). We say that a signcryption scheme defined above is consistent if the following probability is exponentially close to 1; that is,is negligible with respect to.

To capture the confidentiality of a signcryption scheme as defined above, we introduce a game, denoted by Game IND-CCA2, between a challengerand an adversaryas follows.

Game IND-CCA2
(i) Initial:runs thealgorithm to produce the public parameterand then generates his/her own public/private keysby running thealgorithm. Finally,givesandto.
(ii) Phase 1:can perform polynomially bounded unsigncryption queries in an adaptive manner, andresponds accordingly. More precisely,’s query is specified by a tripleandresponds with the corresponding plaintextifis a valid signcryption ciphertext with respect to the receiver’s public keyand the sender’s public key, orotherwise.
(iii) Challenge:chooses two equal-length plaintextsand sendsto;tosses a fair coinand sets. Finally,sendsthe challenge signcryption ciphertext.
(iv) Phase 2: Phase 1 is repeated with the restriction thatis not allowed to ask an unsigncryption query on the triple.
(v) Guess:outputs a bitas his/her guess of.

Then, the advantage ofto win Game IND-CCA2 is defined as.

Definition 15 (confidentiality of signcryption). A signcryption scheme is said to be indistinguishable against inner adaptively chosen ciphertext attacks (IND-CCA2) if no probabilistic polynomial time adversary can win Game IND-CCA2 with nonnegligible advantage.

To capture the (strong) unforgeability of a signcryption scheme as defined above, we introduce another game, denoted by Game SUF-CMA, between a challengerand a forgeras follows.

Game SUF-CMA
(i) Initial:runs thealgorithm to produce the public parameterand then generates his/her own public/private keysby running thealgorithm. Finally,givesandto.
(ii) Signcrypt query:can perform polynomially bounded signcryption queries in an adaptive manner. More precisely,’s query is specified by a pairandresponds with. (Here,is the intended receiver’s public key and the corresponding private keyis known to. Furthermore,is allowed either to obtainby calling thealgorithm or to pick them randomly.)
(iii) Forgery:outputs a tuplewith the restriction thatnever responded towithwhen answering’s signcryption query on.

Then, the advantage ofto win Game SUF-CMA is defined as

Definition 16 (strong unforgeability of signcryption). A signcryption scheme is said to be strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA), if no probabilistic polynomial time adversary can win Game SUF-CMA with nonnegligible advantage.

4. Proposed Lattice-Based Signcryption Scheme

In this section, we first present a chameleon hash function based on the lattice-trapdoor technique given in [17]. Next, based on the signature scheme and the encryption scheme given in [17], we propose a signcryption scheme. Finally, we prove the consistency of the proposed scheme. Note that the matricesused in this section are as in Section 2.3.

4.1. Building Block: Lattice-Based Chameleon Hash Functions

According to [33, 34], by using a chameleon hash function one can transform an SUF-SMA secure signature scheme into an SUF-CMA secure one. To guarantee the consistency of the proposed scheme, we need to construct a chameleon hash function based on the lattice trapdoors given in [17]. In fact, it is an analogue of the scheme based on the trapdoors given in [29].

Let,,, andbe integers. Let the integerbe the message length. For matrices,, andand an invertible matrix, constructand. Letbe a Gaussian parameter satisfying, as suggested by [17]. Define a message spaceand a randomness space(then, for,holds with overwhelming probability according to Proposition 9 item (2)) and. Forand, using the matrixdefine the hash functionas

Lemma 17. The family(under the uniform distribution over) is a family of chameleon hash functions, assuming the hardness offor.

Proof. It is enough to prove the hash familyhas the four properties described in Section 2.2.
For efficient forward computation. Clearly, given a messageand, eachis efficiently computable.
For the collision-resistance property. Suppose it is easy to find a collisionfor; thenis a solution for, and by the triangle inequality we have. It follows thatis also a solution for the instanceof. This contradicts the hardness offor. Therefore, the hash family is collision-resistant.
For the uniformity property, we first show that the matrixis uniform. The matrixis uniform, sois also uniform whenis-far from uniform (cf. Section 6.2 of [17]). On the other hand, the matrixis fixed whenis fixed. Consequently, the matrixis-far from uniform. Moreover,is uniform; henceis-far from uniform. It is clear that, given anyandand each matrixgenerated as above, the distribution ofis negligibly far from the uniform distribution overby Proposition 9 item (1).
For chameleon property. Givenand, one with-trapdoorcan easily findsatisfyingas follows: compute, and then sample preimage.

Lemma 18. The above chameleon hash family is universal; for every distinctand distinct,

Proof. Assuming that, it follows that. Whenis fixed, the vectoris a fixed element in.
The matrixis uniform as described above. For,, the columns ofgeneratewith overwhelming probability by Proposition 8. In addition,and, whereis as in Section 2.3.
It follows thatis uniform over(up to negligible statistical distance) by Proposition 9 item (1). Consequently,. In other words,.

4.2. Signcryption Scheme

In [17], Micciancio and Peikert gave a special mapping, which we call the MP Collector and denote by, that sends elements of a certain ringto matricesas required by their trapdoor construction. Given a monic degree-irreducible polynomial, a ring can be defined as, and the elements ofcan be represented as vectors inrelative to the standard basis of monomials. Now, given a ring element,can be constructed as follows: for, whereis theth column of. Clearly,has the following properties. Firstly,is a ring homomorphism, namely,for. Secondly, multiplication by a ring elementcan be represented by the matrix; furthermore, the product’s coefficient vector equals, whereis theth column ofandis theth coefficient of the ring element. Thirdly,if and only ifis a unit of, whereis the group of invertible elements in. Finally, the ringhas the “units difference” property, namely, for any(wheredenotes the set of units in),.

Our signcryption scheme consists of the following four algorithms. Note that we also adopt a symmetric encryption scheme(with key space, encryption algorithm, and decryption algorithm) in our construction.
(i): Suppose the security parameter is. Then the public parametersfor the system are specified as follows.
(1)is the matrix defined in Section 2.3, whereis a prime power and is large enough (cf. [17]).
(2).
(3),,, and suitable.
(4)is an LWE error rate such that.
(5).
(6) A monic degree-irreducible polynomialand the ring.
(7) Four hash functions:
(a)is a collision-resistant hash function, where;
(b)is a universal hash function;
(c)is chosen from a universal family, whereis a matrix in. More precisely,, and(resp.,) has the same distribution as(resp.,) described in Section 4.1 (note that the elements ofcan be represented by vectors in);
(d)is a universal hash function with suitably specified.
(8) An ordered matrix set, wherefor.
(9)is the Gaussian parameter for the signature.
(10) An arbitrary basisfor.
(11) The MP Collector.
(ii): any user can generate his/her public keyand private keyas follows.
(a) Sampleand;
(b) Evaluate;
(c) Letand.
(iii): a sender with public/private key paircan send a signcryption ciphertexton a messageto a receiver with public keyas follows.
(1) Sign the messageto obtain, as follows.
(a) Compute,and then build, whereis the binary representation of.
(b) Construct the chameleon hash function according to the method in Section 4.1. Concretely, replacewith, arbitrarycolumns of,, respectively; the others are unchanged. The hash function is denoted by.
(c) Sample.
(d) Compute.
(e) Sampleand compute.
(f) SampleSampleDG, whereis the identity matrix.
(g) Let.
(2) Parsesuch thatand denote the remainder by.
(3) Compute.
(4) Encryptas follows.
(a) Sampleand evaluate.
(b) Sampleand let.
(c) Sample, then computeand construct.
(d) Encodeas.
(e) Choose a vectoruniformly and let
(5) Encryptas follows.
(a) Let.
(b) Let
(6) Output the signcryption ciphertext.
(iv): upon receiving a signcryption ciphertextfrom a sender with public key, the receiver with private keyperforms the following steps.
(1) Decryptto obtainas follows.
(a) If, outputand abort; otherwise, continue.
(b) Callto obtain, whereand.
(c) Iforoutputand abort; otherwise, continue.
(d) Letand then parseas.
(e) If, outputand abort; otherwise, continue.
(f) Let.
(2) Decryptas follows.
(a) Compute.
(b) Compute.
(3) Check the integrity of the ciphertext as follows.
(a) Obtainby composing, and then compute.
(b) If, outputand abort; otherwise, continue.
(c) If, outputand abort; otherwise, continue.
(4) Verify the sender’s authenticity as follows.
(a) Computeand then build, whereis the binary representation of.
(b) If, outputand abort; otherwise, continue.
(c) Compute.
(d) If, then output; otherwise, output.

4.3. Consistency and Unsigncryption Error

Theorem 19 (consistency). The above signcryption scheme can unsigncrypt correctly withprobability.

Proof. We analyze the procedure along the unsigncryption algorithm, when a valid ciphertextis input to the unsigncryption.
Firstly, we demonstrate that the correctcan be obtained with overwhelming probability in step (1) of unsigncryption.
(i) First, let us prove that after calling, the probability ofis overwhelming, whereis the vector used in the Signcrypt algorithm. We first need to show that this call can work, that is, thatis a-trapdoor for. For convenience, let. Becauseis a basis of, there must exist a matrixsuch that. As a result, Clearly,has the formfor some; namely,is a-trapdoor for. As a result, a vectorcan be returned. We next show that the probability thatis overwhelming when calling(Algorithm 2). Clearly, if theincan return the desired value,obtains the desired. The oracleis realized by calling InvertG (Algorithm 1); consequently, it only remains to prove that the constraint condition is satisfied, that is, that the error vector(see Section 2.3 for the definition of). Because,for, it follows thatandexcept with probabilityby Proposition 9 item (2). When the parameters are set as in Setup and the sender’s public/private keys are produced as in KeyGen, the maximum singular value ofsatisfiesexcept with probabilityaccording to Proposition 10. Let; it follows thatexcept with probability, becauseis large enough.
(ii) Second, when the correctis obtained, the test in step (c) is passed; the analysis is included in the above proof.
(iii) Third, in step (e), for, it follows thatas desired.
(iv) Finally, in step (f),; as a result,andare in the same coset, so the decryption obtainsexactly.
Next, after obtaining correctandvia step (1), we get the correct key used for symmetrical encryption, so we can obtain correctin step (2), and the verification for hash values in step (3) can be passed.
Finally, let us analyze step (4). Specifically, we prove that the signature verification passes with overwhelming probability. By now, we have obtained the correct, which is a signature for, and we only need to prove that it is valid. First, we evaluate the probability for., whereis obtained by calling the algorithm SampleDG. It is known from SampleDG thatandwith probabilityby Proposition 9 item (2). On the other hand,with probabilityby the same lemma. Therefore,with probability. Second, Consequently, the signature is valid with probability.

5. Security Proofs

Before giving the proofs on the confidentiality and unforgeability of the proposed scheme, we need at first to prove the following lemma.

Lemma 20. For a given unit, if,, andis a signature obtained in step (1) of the Signcrypt algorithm, then the probability foris negligible. More precisely,.

Proof. We first evaluate the number of units in the above ring. As defined in [17], the monic degree-polynomialis irreducible modulo every primedividing. Becauseis irreducible,is a maximal ideal andis a field; by the Chinese remainder theorem, an elementis a unit if and only if it is nonzero modulo every primedividing. Assume thathas prime factors. The number of elements which are zero modulo the prime factoris. By the inclusion-exclusion principle, the number of units inis where the approximation from (17) to (18) holds becauseis large enough. In the proposed scheme,and. On the other hand, the hash functionsandare both universal. The lemma follows from these two facts.
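The counting argument in the proof above (an element of the ring is a unit exactly when it is nonzero modulo every prime dividing the modulus, and the units are counted by inclusion-exclusion over the prime factors) can be checked exhaustively on toy parameters. The following Python script is an added example, not code from the paper. It uses a constructed modulus q = 6 with the polynomial f(x) = x^3 + x^2 + 2x + 1, which is irreducible modulo both 2 and 3 (the script verifies this hypothesis of the lemma by brute force), and compares a brute-force unit count of Z_q[x]/(f(x)) against the inclusion-exclusion formula. It also covers the prime-power case q = 4 with f(x) = x^2 + x + 1.

```python
"""Added example: units in R_q = Z_q[x]/(f(x)), brute force versus the
inclusion-exclusion count used in the proof of Lemma 20. Polynomials are lists
of coefficients, lowest degree first; f must be monic."""
from itertools import product


def poly_rem(a, g, m):
    """Remainder of a modulo the monic polynomial g, with coefficients reduced mod m."""
    r = [c % m for c in a]
    d = len(g) - 1
    for i in range(len(r) - 1, d - 1, -1):
        c = r[i]
        if c:
            for t in range(d + 1):
                r[i - d + t] = (r[i - d + t] - c * g[t]) % m
    return r[:d]


def ring_mul(a, b, f, q):
    """Product in Z_q[x]/(f(x))."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    return poly_rem(prod, f, q)


def is_irreducible_mod_p(f, p):
    """Brute force over F_p: f is irreducible iff no monic g of degree 1..n//2 divides it."""
    n = len(f) - 1
    for d in range(1, n // 2 + 1):
        for low in product(range(p), repeat=d):
            g = list(low) + [1]
            if poly_rem(f, g, p) == [0] * d:
                return False
    return True


def prime_factors(q):
    """Distinct primes dividing q, by trial division (q is tiny here)."""
    ps, m, p = [], q, 2
    while p * p <= m:
        if m % p == 0:
            ps.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        ps.append(m)
    return ps


def units_by_formula(q, n):
    """Inclusion-exclusion as in Lemma 20: for every set S of primes dividing q add
    (-1)^|S| * q^n / prod_{p in S} p^n, the number of elements vanishing mod all p in S."""
    ps = prime_factors(q)
    total = 0
    for mask in range(1 << len(ps)):
        chosen = [ps[i] for i in range(len(ps)) if mask >> i & 1]
        denom = 1
        for p in chosen:
            denom *= p ** n
        total += (-1) ** len(chosen) * (q ** n // denom)
    return total


def units_by_brute_force(f, q):
    """Count elements of Z_q[x]/(f) with a multiplicative inverse, by exhaustive search."""
    n = len(f) - 1
    one = [1] + [0] * (n - 1)
    elems = [list(c) for c in product(range(q), repeat=n)]
    return sum(1 for a in elems if any(ring_mul(a, b, f, q) == one for b in elems))


if __name__ == "__main__":
    q, f = 6, [1, 2, 1, 1]      # constructed toy: f(x) = x^3 + x^2 + 2x + 1
    assert all(is_irreducible_mod_p(f, p) for p in prime_factors(q))
    print("brute force:", units_by_brute_force(f, q), "formula:", units_by_formula(q, len(f) - 1))
```

For q = 6 the ring splits by the Chinese remainder theorem into a product of the fields with 8 and 27 elements, so 7 × 26 = 182 of the 216 elements are units, which is what both counts return; the 34 non-units are exactly the elements that vanish modulo 2 or modulo 3. As the proof notes, the fraction of non-units shrinks like the sum of p^(-n) over the primes p dividing q, so for the parameters of the scheme almost every ring element is a unit.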

Theorem 21 (confidentiality). The proposed signcryption is indistinguishable against inner adaptively chosen ciphertext attack (IND-CCA2) assuming the decision-problem (for) is intractable.

Proof. At first, let us define the following game sequence between a challengerand an adversary.
(i) The gameis exactly the IND-CCA2 attack on the scheme as described in Section 3.
(ii) In game, the challenger changes the way the receiver’s public keyis constructed and the way unsigncryption queries are answered. The receiver’s public keyis produced as follows. At the start of the game, chooseas in gameand let, next choose, and then construct. The challenger gives the adversaryas the receiver’s public key. Wheneverinvokes an unsigncryption query on,responds as normal except that in step (1) of the Unsigncrypt algorithm the decryption ofis changed as follows.
(1) Decryptto obtainas follows.
(a') Ifor, outputand abort; otherwise, continue.
(b') Callto obtain, whereand.
(c) Iforoutputand abort; otherwise, continue.
(d) Letand then parseas.
(e) If, outputand abort; otherwise, continue.
(f') Let, whereis an arbitrary solution of.
(iii) In game, the challenger only changes the hash functionand the method used to produce the challenge ciphertext, as follows. The change to the hash functionis as follows. The challenger replaces the hash functionwith a chameleon hash functionwithout revealing the trapdoor, where the matrixand(resp.,) has the same distribution as(resp.,). The challenge ciphertext is produced as follows. The adversary provides two equal-length messagesand the sender’s public/private keys. The challenger tosses a fair coinand then signcryptswith a slight change: the challenger signsnormally to obtain, next chooses, and then choosessuch that(the challenger can do this since he/she knows the trapdoor of the chameleon hash). The subsequent signcryption operations are the same as in.
(iv) In game, the challenger continues to change how the challenge ciphertextis created. Concretely, only the way to produceis changed, as follows. The challenger normally chooses,and lets. Next, chooseand let. Let. All the others are the same as in game.
(v) In game, the challenger continues to change the challenge ciphertext. The challenger choosesuniformly. All the others are identical to.
Then, this theorem is implied by the indistinguishability between two successive gamesand() that are presented in Lemmas 22, 23, 24, and 25, respectively.

Lemma 22. The adversary's views in game and game are statistically indistinguishable. Meanwhile, can unsigncrypt correctly (with overwhelming probability).

Proof. We first prove the indistinguishability of the public key. Given , is a fixed matrix. On the other hand, is -uniform by the leftover hash lemma. Therefore, is -uniform. Consequently, the value of is statistically hidden from the adversary, and the distributions of the public key in and are statistically indistinguishable.
Next, we show that the challenger in game can unsigncrypt correctly and that 's unsigncryption behavior in and is indistinguishable from the adversary's view. When the queried ciphertext is not valid, both games abort. Therefore, we only need to analyze the case of a valid ciphertext. In the unsigncryption process of game , only the decryption of (i.e., the public-key decryption step) is changed. Therefore, it suffices to prove the correctness of public-key decryption. First, if , both games output . Otherwise, there are two cases for : or not.
We first analyze the former. In this case, both games call to obtain such that (refer to Section 4.3). In game , . Clearly, conditioned on , is invertible according to the "unit differences" on , which is necessary for calling . It also follows that is the -trapdoor for corresponding to the invertible tag . Therefore, the challenger needs to replace with when calling . In step (c), if there is obtained from step (b') that satisfies the constraint, it follows that in both games, where has been defined in Section 2.3. Therefore, this can be obtained by calling in both games; otherwise, if there is no such , both games output . In step (e), if , both games output ; otherwise, there exist and such that . In step (f) of game , computes , while in step (f') of game , does as follows: first, find any such that , and then compute . Clearly, in , in and are in the same coset ; therefore and can both decrypt the desired value.
We next discuss the latter case, that is, . In this case, game cannot unsigncrypt because is not invertible, but since is unknown to the adversary in , the probability of is negligible according to Lemma 20. Based on the above analysis, games and are indistinguishable.

Lemma 23. The adversary's views in game and game are statistically indistinguishable.

Proof. First, because the matrices used for constructing the hash functions and have identical distributions, games and are statistically indistinguishable when the hash function is replaced. Although the way of producing the challenge ciphertext in is changed, the adversary cannot distinguish from without knowing in advance, since is universal and is randomly selected.

Lemma 24. The adversary's views in game and game are statistically indistinguishable.

Proof. The key idea of this lemma's proof is similar to a part of the proof of Theorem 6.3 in [17]. The change to the challenge ciphertext in is only in the public-key encryption part, more precisely, only in the component as described above. The distribution of is identical in both games. With respect to , in game , , where , for . In game , . It only needs to be proved that the statistical distance between and is negligible. Express as , where . On the other hand, . It follows that for fixed , is -far from for , according to Corollary 3.10 of [23] and Theorem 3.1 of [28]. In other words, in has a distribution -far from in . Consequently, the challenge ciphertexts in games and are statistically indistinguishable.

Lemma 25. The adversary's views in game and game are computationally indistinguishable, and the adversary's advantage in is negligible, assuming that the decision problem (for ) is intractable.

Proof. The idea of this lemma's proof is similar to a part of the proof of Theorem 6.3 in [17]. To show the indistinguishability, a method to discretize LWE is needed. Concretely, is an LWE instance over . The samples (for ) can be transformed to by mapping , for and , according to Theorem 3.1 of [28]. Clearly, under the above mapping, a uniform instance over is mapped to the uniform distribution over .
In game , is in fact an instance of . In game , is a uniformly random instance over . Because LWE is pseudorandom, the above discretized distribution is also pseudorandom under the constraint on . Therefore, under the discretized LWE assumption, games and are computationally indistinguishable.
Next, we analyze the adversary's advantage in game . According to the leftover hash lemma, is -uniform when is chosen as in . Therefore, the challenge ciphertexts for any two different messages have distributions at most -far apart. Consequently, the adversary's advantage in is negligible.

Theorem 26 (unforgeability). In the standard model, the proposed signcryption scheme is strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA), assuming that for large enough is hard.

Proof. We prove it by contradiction. If an adversary can forge a signcryption in the proposed scheme, then the simulator can forge a signature of the SUF-CMA signature scheme used in the proposed scheme.
Initial: obtains the public parameters and his/her public/private keys by running the algorithms Setup and KeyGen successively, and then gives and to .
Signcrypt query: in this phase, the adversary can perform polynomially many signcryption queries as follows. submits a message (and an intended receiver's public key ) for querying. (For convenience, we denote the intended receiver's private key by .) obtains a signcryption value by and gives to .
Forgery: outputs a receiver's public/private keys and a fresh ciphertext under the sender's public key and the receiver's private key . Because is a valid ciphertext, does the following.
(1) Decrypt with to obtain .
(2) Decrypt with to obtain .
(3) Combine and to obtain .
In the proposed scheme, we use the signature scheme of [17]. However, the syndrome in the signature scheme is replaced by a chameleon hash value of the message and some randomness . For convenience, the signature scheme involving a chameleon hash function is called the signature scheme. The signature scheme of [17] is SUF-SMA (strongly unforgeable against static message attacks) in the standard model assuming the hardness of for large enough ; therefore the signature scheme is SUF-CMA in the standard model according to [33, Lemma 2.3] or [34, Lemma 2.1].
Because is a valid ciphertext, is a valid signature on message . Now we have reached a contradiction. Consequently, the proposed signcryption scheme is also SUF-CMA assuming the hardness of for .

6. Performance Analysis and Simulations

This section compares the ciphertext length, computational cost, key size, and so forth of the proposed scheme with those of the plain signature-then-encryption paradigm and of the existing lattice-based signcryption schemes.

The dimension of the public keys needs to be fixed first. Assume that the security parameter is the same in LMK12 [14], WHW12 [15], and ours. In LMK12 [14] and WHW12 [15], the public/private keys for signature and encryption are all generated by the approach in [29], and the dimension satisfies . In our scheme, the trapdoor generation algorithm is the one proposed in [17]. To meet the conditions of being statistically close to uniform and computationally pseudorandom, let the dimension of the public key in be . For convenience, the modulus is assumed to be the same in the three schemes, although in our scheme it might be smaller than in LMK12 [14] and WHW12 [15]. It should be noted that the signature scheme used in ours is the one proposed in [17]. The matrix used in it is in , where for .

6.1. Comparison with the Signature-Then-Encryption Paradigm

First, we compare the ciphertext length. When an -bit message is sent, the plain signature-then-encryption paradigm uses [17] to sign, and the signature length is approximately bits. It uses [17] to encrypt the plaintext, and the ciphertext length is , but this only achieves CCA1 security. To achieve CCA2 security, a good candidate is to produce a one-time signature (OTS) on the ciphertext; for efficiency, it suffices to sign the hash value of the ciphertext. The signature length of the OTS is also . In this way, the total number of bits is about . In our scheme, the ciphertext has the form . In a ciphertext, is the encryption of under a symmetric encryption scheme whose plaintext and ciphertext are of equal length. The lengths of are (about) , , and , respectively. In the following discussion, we assume that the number of bits needed to represent a variable nearly equals its min-entropy. Because (see Section 4.2), its min-entropy is about by Proposition 9, item (2). As a result, the length of is about bits. Similarly, the length of is about . Consequently, the ciphertext length of our scheme is about . The ciphertext length of ours is shorter than that of the signature-then-encryption paradigm. Furthermore, the longer the plaintext, the larger our advantage.

Second, we compare the computational cost, starting with signcryption. The computational cost of the signature-then-encryption paradigm mainly consists of the cost of signing and that of public-key encryption. The cost of signing is two preimage samplings using Algorithm 4. The public-key encryption is performed roughly times. The main computational cost of our scheme consists of the cost of signing, the cost of public-key encryption, and the cost of symmetric encryption. Because the cost of symmetric encryption (resp., decryption) is much smaller than that of public-key encryption (resp., decryption) and signing (resp., signature verification), it can be ignored. The cost of signing is a single preimage sampling using Algorithm 4, and public-key encryption is performed once. Clearly, the computational cost of Signcrypt is far less than that of the signature-then-encryption paradigm. As the plaintext length grows, the advantage of our Signcrypt in total computational cost becomes larger.

Next, we compare Unsigncrypt. Our public-key decryption and signature verification are each performed once, while the signature-then-encryption paradigm needs times and two times, respectively. From the above analysis, the computational cost of Signcrypt and the ciphertext length are much lower than those of the signature-then-encryption paradigm, in particular for long plaintexts.

6.2. Comparison with the Schemes of LMK12 [14] and WHW12 [15]

Because it employs simpler, tighter, and more efficient trapdoors, our scheme inherits some advantages from the technique suggested in [17]. Now, let us compare the ciphertext length, computational cost, public key size, private key size, security model, security, and so forth of our scheme and of the existing lattice-based signcryption schemes LMK12 [14] and WHW12 [15].

First, we compare the ciphertext length. The ciphertext of WHW12 [15] has the form , where is big enough (say, ) such that is negligible. The length of is for . Consequently, the total length of the ciphertext is . The ciphertext of LMK12 [14] has the form . The length of can be omitted since it is much smaller than the length of or . The length of is , and the length of equals the length of the plaintext. As a result, the ciphertext length of LMK12 [14] is about . Our ciphertext length is also (see Section 6.1).

Second, we compare the public parameter size. Since in the WHW12 [15] scheme and in our proposal the public parameters include several matrices, while in the LMK12 [14] scheme the public parameters include only some scalars such as , and , it is convenient to count only the representation size of the matrices involved. The role of the parameter in the proposed scheme is the same as that of in WHW12 [15], and we replace it with for convenience. Then the public parameter sizes of WHW12 [15] and ours are and , respectively, while the public parameter size of LMK12 [14] can be neglected. Third, we compare the public/private key sizes, that is, the number of bits needed to represent the keys. The public key size of WHW12 [15] is , and the private key size is . The public key size of LMK12 [14] is , and the private key size is . The public key size of ours is , and the private key size is , where (see Section 4.2).

Finally, let us compare the computational cost. Without loss of generality, the cost of all hash computations in WHW12 [15] and LMK12 [14] and of the general hashes , , and in our scheme is not counted. However, the hashes in our scheme with special structure, such as and , are taken into account. In detail, our analysis is given below.
(i) First, we compare the computational cost of Signcrypt. In WHW12 [15], the signing cost is one preimage sampling (PIS) with complexity [17]; in addition, the cost of its public-key encryption is multiplications over , additions over plus discrete Gaussian samples (DGS); moreover, the cost of symmetric encryption is . In LMK12 [14], the cost of signing is also one preimage sampling. However, that scheme reuses the preimage obtained from the signature as the Gaussian error of the public-key encryption, using the technique in [35], and needs no discrete Gaussian sampling. As a result, the cost of its public-key encryption is multiplications over and additions over . In addition, its symmetric encryption is realized by an XOR operation, and the corresponding cost can be neglected. In our scheme, the cost of signing is one preimage sampling using Algorithm 4 with complexity [17], and the cost of symmetric encryption is . The cost of public-key encryption is about multiplications over plus additions over and DGS.
(ii) Next, we compare the computational cost of Unsigncrypt. In the three schemes, all Unsigncrypt algorithms involve multiplications over , additions over , and symmetric decryption operations. The unsigncryption cost of WHW12 [15] is multiplications over plus additions over . The unsigncryption cost of LMK12 [14] is multiplications over plus additions over . The cost of our unsigncryption is about multiplications over and additions over . The symmetric decryption in WHW12 [15] and ours is unspecified, and in LMK12 [14] it is an XOR operation. Although the symmetric decryption involved is apparently more expensive than the XOR operation in the LMK12 [14] scheme, the experiments show that this cost is very small.

In summary, the above comparisons are collected in Table 2. An overview of this table is also abstracted in Table 1.

6.3. Simulations

Our simulation environment is given below:
(i) CPU: Intel(R) Core(TM) i7 860 @ 2.79 GHz;
(ii) RAM: 8 GB;
(iii) OS: Windows 7, 64 bit;
(iv) programming platform: Visual Studio 2008.

We conduct 7 simulations with different parameter settings. These settings, given in Table 3, are suggested by [21], [22], and [17], respectively. In particular, according to [17], breaking a related lattice-based cryptosystem needs about core-years of computation using the state of the art in lattice basis reduction [36, 37] on a 64-bit 1.86 GHz Xeon platform. Note that, to achieve the same security level, the lattice dimensions differ depending on the lattice generation technique used.

Then, for each setting, we perform random signcryption and unsigncryption 100 times and collect the average time cost of signcryption and unsigncryption. The results are given in Table 4 and illustrated in Figures 1 and 2. Note that in these figures we use logarithmic coordinates in order to make visible the changes in data that differ hugely.

From Tables 2, 4, 5, and 6 and Figures 1, 2, 3, 4, 5, and 6, our improvements can be observed as follows.
(i) Under settings 1~6, the average signcryption time of our scheme increases slowly from 0.489 s to 3.476 s, about 3 times and 5~13 times faster than Li's scheme (LMK12 [14]) and Wang's scheme (WHW12 [15]), respectively. Under these settings, the average unsigncryption time of our scheme increases slowly from 0.454 s to 3.48 s, about 3 times and 260 times faster than Li's scheme and Wang's scheme, respectively.
(ii) Under setting 7, the average signcryption time of our scheme is 9.309 s, about 580 times faster than Li's scheme and Wang's scheme. Under this setting, the average unsigncryption time of our scheme is 10.954 s, about 400 times and 33000 times faster than Li's scheme and Wang's scheme, respectively.

To understand the above huge difference in performance among our scheme, Li's scheme, and Wang's scheme, we give the following further explanation. The time cost of signcryption is mainly occupied by three categories of computation:
(1) matrix operations, including modular addition of matrices and modular multiplication of matrices and vectors,
(2) preimage sampling,
(3) discrete Gaussian sampling.

First, in our signcryption process, the time cost of matrix operations is mainly in steps 4(d) and 1(a) (see Section 4.2). Since step 1(a) is directly related to the messages to be signcrypted, there is no easy way to optimize this step, say by precomputation. However, step 4(d) can be optimized, since the matrix has nonzero entries only on the main and the second diagonals. By exploiting this feature, we reduce the computation cost of step 4(d) from multiplications to multiplications. The performance comparisons of the average matrix computation cost in signcryption and unsigncryption are given in Table 5 and Figures 3 and 4, respectively. Second, both Li and Wang use the preimage sampling technique given in [20], whose complexity is , while we use the preimage sampling technique given in [17], where the sampling oracle is instantiated by the technique given in [28], and its complexity is reduced to . Third, our signcryption process needs to perform Gaussian samplings, while Wang's signcryption needs to perform in total Gaussian samplings, where should make negligible; say . Note that Li's signcryption reuses preimages as Gaussian error vectors and thus needs no further Gaussian sampling. The performance comparisons of the average sampling cost, including the cost of preimage sampling and the cost of discrete Gaussian sampling, are collected in Table 6 and depicted in Figures 5 and 6. Note that there is no sampling cost in the unsigncryption process.
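The sparsity argument for step 4(d) above can be made concrete. The following Python script is an added illustration, not code from the paper or from the authors' implementation; it assumes, purely for illustration, an n-by-n matrix over Z_q whose only nonzero entries lie on the main diagonal and on the diagonal immediately above it (the paper does not give the matrix of step 4(d), its dimensions or the modulus, so these are placeholders). It computes the matrix-vector product once with the textbook dense routine and once with a routine that touches only the two diagonals, counts the modular multiplications each performs, and checks that the results agree. The `offset` parameter also covers the case where the second diagonal sits below the main one.

```python
"""Added example: mod-q matrix-vector product exploiting a bidiagonal matrix.

Assumption (not from the paper): the matrix in step 4(d) is n-by-n over Z_q
with nonzero entries only on the main diagonal and the one directly above it.
Everything here is illustrative; the scheme's real matrix is not specified.
"""
import random
from typing import List, Tuple

Vector = List[int]
Matrix = List[List[int]]


def dense_matvec(m: Matrix, v: Vector, q: int) -> Tuple[Vector, int]:
    """Textbook product M*v mod q; returns (result, multiplications used).

    Every entry is touched, so an n-by-n matrix costs n*n multiplications.
    """
    muls = 0
    out = []
    for row in m:
        acc = 0
        for a, b in zip(row, v):
            acc += a * b
            muls += 1
        out.append(acc % q)
    return out, muls


def bidiagonal_matvec(diag: Vector, off: Vector, v: Vector, q: int,
                      offset: int = 1) -> Tuple[Vector, int]:
    """Product with the same matrix given only by its two diagonals.

    diag[i] is the entry at (i, i); off[i] is the entry at (i, i + offset)
    (offset=+1: the diagonal above the main one, offset=-1: the one below).
    Only entries that exist are multiplied, so the cost is 2n - |offset|
    multiplications instead of n*n.
    """
    n = len(v)
    muls = 0
    out = []
    for i in range(n):
        acc = diag[i] * v[i]
        muls += 1
        j = i + offset
        if 0 <= j < n:
            acc += off[i] * v[j]
            muls += 1
        out.append(acc % q)
    return out, muls


def expand(diag: Vector, off: Vector, q: int, offset: int = 1) -> Matrix:
    """Build the explicit n-by-n matrix so the two routines can be compared."""
    n = len(diag)
    m = [[0] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = diag[i] % q
        j = i + offset
        if 0 <= j < n:
            m[i][j] = off[i] % q
    return m


def compare(n: int = 64, q: int = 4093, offset: int = 1,
            seed: int = 1) -> Tuple[bool, int, int]:
    """Random instance (constructed input, fixed seed): returns
    (results agree, dense multiplications, bidiagonal multiplications)."""
    rng = random.Random(seed)
    diag = [rng.randrange(q) for _ in range(n)]
    off = [rng.randrange(q) for _ in range(n)]
    v = [rng.randrange(q) for _ in range(n)]
    dense, dense_muls = dense_matvec(expand(diag, off, q, offset), v, q)
    fast, fast_muls = bidiagonal_matvec(diag, off, v, q, offset)
    return dense == fast, dense_muls, fast_muls


if __name__ == "__main__":
    ok, dm, fm = compare()
    print(f"agree={ok} dense={dm} multiplications, bidiagonal={fm}")
```

For n = 64 the dense routine performs 4096 multiplications and the structured one 127, the quadratic-to-linear drop the paragraph describes; the same structural shortcut applies to any band matrix whose nonzero diagonals are known in advance.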

7. Conclusions

In this paper, we proposed a signcryption scheme in the standard model based on hard lattice problems. The scheme is proven indistinguishable against inner adaptively chosen ciphertext attacks under the LWE assumption and strongly unforgeable against inner adaptively chosen message attacks under the SIS assumption. Moreover, by using the simpler, tighter, and more efficient trapdoors suggested by Micciancio and Peikert, the cost of our scheme is much lower than that of existing lattice-based signcryption schemes. Another attractive open problem is designing an efficient identity-based signcryption scheme in the standard model.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (NSFC) (nos. 61370194, 61103198, 61121061, and 61070251), the NSFC A3 Foresight Program (no. 61161140320), and the JSPS A3 Foresight Program. The third author was also partially supported by JSPS KAKENHI Grant (no. 23500031).