Abstract

In 1981, David Chaum proposed a cryptographic primitive for privacy called the mix network (Mixnet). A mixnet is a cryptographic construction that establishes an anonymous communication channel through a set of servers. In 2004, Golle et al. proposed a new cryptographic primitive called universal reencryption, which takes as input messages encrypted under the public keys of the recipients rather than the public key of the universal mixnet. In Eurocrypt 2010, Gentry, Halevi, and Vaikuntanathan presented a cryptosystem which is additively homomorphic and multiplicatively homomorphic for only one multiplication. In MIST 2013, Singh et al. presented a lattice based universal reencryption scheme under the learning with errors (LWE) assumption. In this paper, we improve Singh et al.’s scheme using Fairbrother’s idea. LWE is a lattice problem for which, so far, no polynomial time quantum algorithm is known. Wiangsripanawan et al. proposed a protocol for location privacy in mobile systems using universal reencryption whose security is reducible to the Decision Diffie-Hellman assumption. Once quantum computers become a reality, universal reencryption can be broken in polynomial time by Shor’s algorithm. In post-quantum cryptography, our scheme can replace the universal reencryption scheme used in the Wiangsripanawan et al. scheme for location privacy in mobile systems.

1. Introduction

In 1981, Chaum [1] proposed a cryptographic primitive for privacy called the mix network (Mixnet). A mixnet is a cryptographic construction that establishes an anonymous communication channel through a set of servers. One type of mixnet accepts messages encrypted under the public keys of all intermediate mixnet nodes and outputs the corresponding plaintexts in a random order. The sender encrypts the message using the public keys of the mixnet nodes in some order. The ciphertext is a concatenation of -encryptions, which can be seen as building up a layered onion. The mixnet receives such ciphertexts from many senders. Each mixnet node decrypts the ciphertexts using its private key (removing the outer layer of the onion), in the reverse order of encryption, and permutes them before forwarding them to the next mixnet node. Finally, the th mixnet node sends the messages to the respective receivers. In this way, an adversary such as an eavesdropper (external) or a mail server (internal) will find it hard to guess who is communicating with whom. A mixnet preserves anonymous communication even with only one honest mixnet node. A drawback of the decryption type of mixnet is that if one server fails then the whole mixnet fails.

Choonsik et al. [2] proposed a reencryption mixnet, which is robust. A reencryption mixnet accepts messages encrypted under the public key of the mixnet. A mixnet node reencrypts the encrypted message and broadcasts this reencrypted ciphertext to the other mixnet nodes. There is no fixed order of reencryption: any mixnet node can reencrypt first and broadcast the reencrypted ciphertext to the other nodes. It is also not required that reencryption be done by all the mixnet nodes. The private key corresponding to the public key of the mixnet is distributed among all reencryption mixnet nodes [3]. The set of ciphertexts produced by the last reencryption mixnet node is decrypted by a group of nodes using a threshold scheme [3]. For privacy, it is required that the adversary cannot distinguish between a reencrypted ciphertext and a random ciphertext of the same size as the reencrypted ciphertext.

Both of the mixnets discussed above accept messages encrypted under the public key of the mixnet. In 2004, Golle et al. [4] proposed a new cryptographic primitive called universal reencryption, which takes as input messages encrypted under the public keys of the recipients rather than the public key of the universal mixnet. So it dispenses with the complexities of key generation, key distribution, and key maintenance for the public key of the mixnet. A mixnet based on universal reencryption is called a universal mixnet. A universal mixnet takes as input messages encrypted under the public keys of the recipients. These encrypted messages are universally reencrypted and permuted by each universal mixnet node before being forwarded to the next node. Finally, the output of a universal mixnet is a set of universally reencrypted ciphertexts. A potential recipient must decrypt all the ciphertexts to identify the messages sent to them. This is a disadvantage of universal reencryption.

Lattice based cryptography has bloomed in recent years because of the following advantages.
(i) Once quantum computers become a reality, all cryptosystems based on the prime factorization and discrete logarithm problems can be broken in polynomial time by Shor’s algorithm [5]. But so far there is no polynomial time quantum algorithm for lattice hard problems.
(ii) The security of a cryptosystem depends on the hardness of its underlying problem in the average case. Ajtai, in his seminal result [6], showed that lattice based cryptosystems are secure under the assumption that lattice problems are hard in the worst case. This gives a strong hardness guarantee.
(iii) Lattice based cryptosystems are efficient and parallelizable.
(iv) Powerful primitives like fully homomorphic encryption [7] and multilinear maps [8] are realized using lattices.

A drawback of lattice based cryptosystems is that they have large key and ciphertext sizes. Recently Regev [9] defined the learning with errors (LWE) problem and proved that it also enjoys a similar average case/worst case hardness equivalence under a quantum reduction.

Location privacy is the ability to prevent adversaries from learning one’s current or past location [10]. Advances in mobile networks have made location information useful in many applications. However, location information can be used to learn about a person’s medical condition, alternative lifestyle, and so forth. This information can be used for blackmail by a malicious user. Wiangsripanawan et al. [11] proposed a protocol for location privacy in mobile systems using universal reencryption [4] whose security is reducible to the Decision Diffie-Hellman assumption. Once quantum computers become a reality, universal reencryption can be broken in polynomial time by Shor’s algorithm [5].

Our Contributions. Universal reencryption is based on a simple idea. In an additively homomorphic cryptosystem, a new ciphertext (an encryption of zero) can be appended to the ciphertext. The new ciphertext can be used to reencrypt (change the encryption factor of) the ciphertext such that the reencrypted ciphertext and the original ciphertext decrypt to the same plaintext because, in an additively homomorphic cryptosystem, .

In Eurocrypt 2010, Gentry et al. [12] presented a cryptosystem which is additively homomorphic and multiplicatively homomorphic for only one multiplication. In MIST 2013, Singh et al. [13] presented a lattice based universal reencryption scheme, under the learning with errors (LWE) assumption, built on [12]. In this paper, we improve Singh et al.’s scheme [13] in terms of ciphertext size and computational cost using Fairbrother’s idea [14]. The idea is simple: a ciphertext in the scheme of [13] has two parts, and the second part is an encryption of zero. Larger files can be split into many segments, and the second part of the ciphertext (the encryption of zero) can be made the same for all the segments. In this way, the size of the ciphertext is reduced by approximately half, and the computational cost is reduced as well.

In post-quantum cryptography, our scheme can replace the universal reencryption scheme used in the Wiangsripanawan et al. [11] protocol for location privacy in mobile systems.

Paper Outline. The rest of the paper is organized as follows. In Section 2, we give some preliminaries, including security models and hard problems. In Section 3, we describe different types of mixnet. We describe the GHV public key cryptosystem [12] in Section 4. In Section 5, we review Singh et al.’s scheme [13]. In Section 6, we give our improved construction, and in Section 7 we conclude and list related open problems.

2. Preliminaries

2.1. Notation

We denote , the set of real numbers by , and the set of integers by . We assume vectors to be in column form and write them using small letters, for example, . Matrices are written as capital letters, for example, . We denote by a matrix whose elements are chosen from the Gaussian distribution over and by a matrix whose elements are chosen uniformly over . denotes the Euclidean norm of the longest (maximum Euclidean norm) column vector of the matrix ; that is, for .

We say that is a negligible function in if it is smaller than the inverse of any polynomial in for sufficiently large .

2.2. Universal Reencryption Scheme (URe)

A universal reencryption scheme consists of four algorithms [4]. We denote by , , and the message space, the ciphertext space, and the set of encryption factors, respectively.

Universal KeyGen. On the input of a security parameter , this algorithm outputs a public key pk and secret key sk pair.

Universal Encryption. On the input of public key pk, a message , and an encryption factor , this algorithm outputs a ciphertext .

Universal Decryption. On the input of a secret key sk and a ciphertext , this algorithm outputs message .

Universal Reencryption. On the input of a ciphertext and a reencryption factor , but no public key, this algorithm outputs a ciphertext where .

2.3. Universal Semantic Security Model for Universal Reencryption Scheme (IND-URe-CPA)

The universal security model is a variant of the semantic security model and is adapted from [4]. In this model, the adversary is allowed to construct universal ciphertexts under a randomly generated public key pk. The challenger reencrypts the ciphertext. The goal of the adversary is to distinguish between the reencrypted ciphertext and a random ciphertext of the same size as the universally reencrypted ciphertext. The security model is defined using the following game played between the challenger and an active adversary.

KeyGen. The challenger runs the key generation algorithm and gives public parameters to the adversary.

Challenge. The adversary submits messages and (the adversary can construct the ciphertext). The challenger sets and chooses a random bit and a random ciphertext of the same size as the universally reencrypted ciphertext. If , it assigns the challenge ciphertext to . If , it assigns the challenge ciphertext to . The challenger sends the challenge ciphertext to the adversary.

Guess. The adversary outputs a guess and wins the game if .

An IND-URe-CPA adversary is referred to as an adversary . We define the advantage of the adversary in attacking the universal reencryption scheme as .

Definition 1. A universal reencryption scheme is said to be universally semantically secure if, for all probabilistic polynomial time adversaries , one has , which is a negligible function.

2.3.1. Semantically Secure Elgamal Cryptosystem [15]

The semantically secure Elgamal cryptosystem consists of three algorithms.

Setup. Two primes and are randomly selected such that . Pick a random generator and set . is a generator of the subgroup (Schnorr group) of size . The message is also an element of the subgroup . Since , (a quadratic residue modulo ). Pick a random number as the private key and set the public key .

Encryption. To encrypt a message , the sender picks a random number and computes the ciphertext pair as follows: and . Output the ciphertext .

Decryption. To decrypt a ciphertext , the receiver computes .

2.3.2. Homomorphic Encryption

An encryption scheme is multiplicatively homomorphic if the encryption of is equal to the encryption of multiplied by the encryption of ; that is, .

An encryption scheme is additively homomorphic if .

It can easily be shown that the Elgamal encryption scheme is multiplicatively homomorphic.

2.4. Integer Lattices [16, 17]

Let consist of linearly independent -dimensional column vectors; the lattice generated by the matrix is

The column vectors of the matrix are called a basis of the lattice. and are called the rank and the dimension of the lattice, respectively. When , the lattice is called a full-rank lattice; in general, . The determinant of a lattice is the absolute value of the determinant of the basis matrix .

-Ary Lattices. Cryptographic constructions based on lattices generally use -ary lattices. A lattice which satisfies for some prime is called a -ary lattice. In other words, any vector if and only if , where is a -ary lattice.

For a prime , , and , three -dimensional -ary lattices are defined as follows: Since the first -ary lattice is generated by the rows of the matrix and the second is the set of vectors orthogonal to the rows of the matrix , these two -ary lattices are dual to each other:

2.5. Gram Schmidt Orthogonalization

denotes the Gram-Schmidt orthogonalization of the set of linearly independent vectors , which is defined as follows: In other words, , and is the component of orthogonal to span, where . Since is the component of , for all .

We refer to as the Gram-Schmidt norm of .

2.6. Discrete Gaussians

Let be a subset of . For any vector and any positive parameter , define:
: a Gaussian-shaped function on with center and parameter ,
: over ,
: the discrete Gaussian distribution over with parameters and ,

Theorem 2 (see [6, 18]). Let be odd and .
There is a PPT algorithm TrapGen() that generates a pair () such that is a basis for and is statistically close to a uniform matrix in , satisfying with overwhelming probability in .

2.7. Decision Diffie-Hellman Problem

Consider a finite cyclic group with generator , where is a prime number. The elements , , and are given for some random . The goal of the adversary is to decide whether or not.

2.8. The LWE Hardness Assumption [9, 19]

In 2004, Regev [9] proposed the LWE hard problem.

Definition 3. For a security parameter , let , modulus , and a Gaussian distribution over . For a uniformly chosen vector , let be the distribution on of the variable , where the vector is chosen uniformly at random and is chosen according to .
Search LWE. The search problem is to find , with probability exponentially close to one, given samples from .
Decision LWE. Decision LWE is to distinguish, with nonnegligible probability, between the distribution for some uniform and the uniform distribution on .

In the above, is chosen uniformly at random. Even if is chosen from the Gaussian distribution , decision LWE remains hard [20, 21].

Gaussian Distribution . For , the distribution on is obtained by sampling a Gaussian distribution with mean and variance and reducing the result modulo . The probability density function is given by the following equation:

In other words, the distribution is obtained by “folding” a Gaussian distribution on into the interval [22].

Discrete Gaussian Distribution . This distribution is obtained by “folding” a Gaussian distribution on into the interval . It is a discrete distribution over of the random variable , where the random variable has distribution .

The following theorem shows that solving the LWE problem is at least as hard as approximating some lattice problems in the worst case, via a quantum reduction.

Theorem 4 (see [9]). For a security parameter , let and be a prime integer such that . If there exists an efficient, possibly quantum, algorithm for deciding the -LWE problem for , then there exists an efficient quantum algorithm for approximating the SIVP and GapSVP problems, to within factors in the norm, in the worst case.

3. Mix Network

A mix network is a multistage system that offers anonymous communication. Here, we describe three types of mixnets: decryption mixnet, reencryption mixnet, and universal reencryption mixnet.

3.1. Decryption Mixnet [1, 23]

Each mixnet node has its own public key and private key. We denote the public and private key of the th mixnet node by .

Encryption. The sender first encrypts the message using the public key of the th mixnet node. The first encryption is where is the address of the receiver and is a random number concatenated with the encryption. Similarly, the sender encrypts again with the public key of the th mixnet node. The second encryption is Finally, the sender sends the ciphertext to the mixnet as The above ciphertext is a concatenation of -encryptions, which can be seen as building up a layered onion.

Decryption. The first mixnet node receives ciphertexts from many senders. It decrypts all the ciphertexts using its private key (removing the outer layer of the onion) and permutes them before forwarding them to the second mixnet node. Finally, the th mixnet node sends the messages to the respective receivers.

Chaum’s mixnet [1] preserves anonymous communication even with only one honest mixnet node. But it has the following disadvantages.
(1) The mixnet is not robust: if one mixnet node fails, the whole mixnet fails.
(2) The encryption cost is very high and grows with the number of mixnet nodes.
(3) Decryption has to be performed in the reverse order of encryption.

3.2. Reencryption Mixnet [2, 23]

All three weaknesses of the decryption mixnet are removed in the reencryption mixnet. A reencryption mixnet node is based on the Elgamal cryptosystem [24] and Shamir’s secret sharing [3].

The secret key of the mixnet is and the public key is . The secret key is distributed among the mixnet nodes in such a way that at least mixnet nodes are required to compute the secret key , but no group of nodes can compute the secret key .

Encryption. The sender encrypts the using the public key of the mixnet. The ciphertext is The sender sends the ciphertext to the mixnet.

Reencryption. A mixnet node reencrypts the encrypted message as follows: where is a random number. The mixnet node broadcasts this reencrypted ciphertext to the other mixnet nodes. There is no fixed order of reencryption: any mixnet node can reencrypt first and broadcast the reencrypted ciphertext to the other nodes. It is also not required that reencryption be done by all the mixnet nodes.

Decryption. Now, in the decryption phase, any mixnet nodes can participate to compute the secret key : where and is the address of the receiver.
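As an added illustration of this section (not code from the paper), the following Python sketch runs a batch through two reencryption-mixnet nodes over a toy Schnorr group, then decrypts with a (t, n) Shamir quorum. One design choice is worth noting: the quorum nodes combine partial decryptions in the exponent rather than reconstructing the key itself, which is the usual way to realise the threshold step. The group parameters, keys, and messages are constructed toy values.

```python
import secrets

# Toy Schnorr group: p = 2q + 1 with q prime, g generates the order-q
# subgroup of quadratic residues.  Constructed toy values: far too small
# for real use, chosen so the arithmetic is easy to inspect.
P, Q, G = 1019, 509, 4

def encode(x):
    """Map x in [1, Q] into the residue subgroup: p = 3 mod 4, so exactly
    one of x and p - x is a quadratic residue."""
    return x if pow(x, Q, P) == 1 else P - x

def decode(m):
    return m if m <= Q else P - m

def rand_exp():
    return secrets.randbelow(Q - 1) + 1              # uniform in [1, Q-1]

def share_secret(x, t, n):
    """Shamir (t, n) sharing of the mixnet secret key x over Z_q."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def encrypt(y, m):
    """Elgamal encryption of an encoded m under the mixnet key y = g^x."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(y, r, P) % P)

def reencrypt(y, ct):
    """Re-randomise (a, b) -> (a g^s, b y^s); it decrypts to the same m,
    and the node needs only the public key y to do it."""
    a, b = ct
    s = rand_exp()
    return (a * pow(G, s, P) % P, b * pow(y, s, P) % P)

def mix(y, cts):
    """One mixnet node: re-encrypt every ciphertext, then shuffle the batch."""
    out = [reencrypt(y, ct) for ct in cts]
    for i in range(len(out) - 1, 0, -1):            # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out

def lagrange_at_zero(ids):
    """Coefficients lambda_i (mod q) with f(0) = sum_i lambda_i f(i)."""
    lam = {}
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, Q - 2, Q) % Q
    return lam

def threshold_decrypt(shares, ct):
    """t nodes each contribute a^{s_i}; a^x is recombined in the exponent,
    so the key x itself is never reconstructed anywhere."""
    a, b = ct
    lam = lagrange_at_zero(list(shares))
    a_x = 1
    for i, s_i in shares.items():
        a_x = a_x * pow(pow(a, s_i, P), lam[i], P) % P
    return b * pow(a_x, P - 2, P) % P

def run_mixnet(messages, t=2, n=3, hops=2):
    """Encrypt a batch, pass it through `hops` nodes, decrypt with t shares."""
    x = rand_exp()
    y = pow(G, x, P)
    shares = share_secret(x, t, n)
    batch = [encrypt(y, encode(m)) for m in messages]
    for _ in range(hops):
        batch = mix(y, batch)
    quorum = {i: shares[i] for i in list(shares)[:t]}
    return sorted(decode(threshold_decrypt(quorum, ct)) for ct in batch)
```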

3.3. Universal Reencryption Mixnet [4]

In 2004, Golle et al. [4] presented a new primitive called universal reencryption, based on the Elgamal public key cryptosystem [24]. A universal mixnet is a mixnet based on universal reencryption which takes as input messages encrypted under the public keys of the recipients rather than the public key of the universal mixnet. Indeed, there is no such thing as the public key of the universal mixnet. So it dispenses with the cost of establishing a public key infrastructure for the mixnet nodes.

The idea behind universal reencryption is simple. In an additively homomorphic cryptosystem, we append a second ciphertext (an encryption of zero) to the ciphertext. Since, in an additively homomorphic cryptosystem, , we can use the second ciphertext to reencrypt (change the encryption factor of) the first ciphertext such that the reencrypted ciphertext and the original ciphertext decrypt to the same plaintext.

Key Generation. It is the same as the key generation algorithm of the Elgamal cryptosystem.

Universal Encryption. On the input of a message , a public key , and a random encryption factor , the ciphertext is computed as follows: Here the ciphertext is for the message .

Universal Decryption. Here, decryption is done by the receiver. Compute and . If , then the output is . Otherwise, decryption fails.

Universal Reencryption. On the input of a ciphertext and a random reencryption factor , the reencrypted ciphertext is computed as follows:

4. Gentry, Halevi, and Vaikunthanathan (GHV) Cryptosystem [12]

The GHV cryptosystem [12] is additively homomorphic and multiplicatively homomorphic for only one multiplication. Here, the message space is (the set of binary -by- matrices) and the ciphertext space is (the set of -by- matrices). We briefly describe the GHV homomorphic cryptosystem because our scheme is based on it.

KeyGen. On the input of a security parameter , set the parameters and and a Gaussian distribution with Gaussian error parameter . A uniform matrix together with the trapdoor is obtained by running the algorithm TrapGen of Theorem 2. The public key is and the secret key is .

Encrypt. To encrypt a message , do the following steps.
(1) A random matrix and an error matrix are chosen uniformly.
(2) Output the ciphertext

Decrypt. To decrypt , do the following steps.
(1) Set .
(2) Output the matrix .

Correctness. Since , we have . Now, if is equal to , then . So, for correct decryption, one has to set the parameter small enough that all the entries of are smaller than with high probability.

Additive Homomorphism. Let and be ciphertexts for the messages and under the public key . Then, would be decrypted to as long as all the entries in are smaller than .

Multiplicative Homomorphism. The product of and is The product ciphertext has the form . The ciphertext would be decrypted to as long as all the entries in are smaller than .

For our scheme, we use a variant of the GHV cryptosystem which is only additively homomorphic. For this variant, the decryption algorithm does not have the right multiplication by .

5. Lattice Based Universal Reencryption [13]

Singh et al.’s scheme [13] is based on the GHV cryptosystem explained in Section 4 (Table 1).

The idea behind universal reencryption is to append a new ciphertext (an encryption of zero) to the GHV ciphertext. The new ciphertext can be used to reencrypt (change the encryption factor of) the ciphertext such that the reencrypted ciphertext and the original ciphertext decrypt to the same plaintext, because the GHV public key cryptosystem is additively homomorphic; that is, ().

Universal KeyGen. On the input of a security parameter , we set the parameters and and a Gaussian distribution with Gaussian error parameter . A uniform matrix together with the trapdoor is obtained by running the algorithm TrapGen of Theorem 2. The public key is and the secret key is .

Universal Encryption. To encrypt a message , we do the following steps.
(i) We choose random matrices and error matrices .
(ii) Compute and .
(iii) Output the ciphertext .

Universal Decryption. To decrypt , we do the following steps.
(i) Set .
(ii) Compute .
(iii) Similarly, set .
(iv) Compute .
(v) If (), then output the message . Otherwise, decryption fails and the output is .

Universal Reencryption. To reencrypt the ciphertext without using the public key, we do the following steps.
(i) Choose two matrices . We also choose error matrices .
(ii) Compute
(iii) Compute
(iv) Output the ciphertext .

It is required that the above universal reencryption scheme has the correctness property; that is, the decryption of and the decryption of give the same message . This is only possible when all the entries in and are less than . Since , , and are small, we can set the parameter small enough that, with probability exponentially close to , all the entries in and are less than .

Theorem 5. The lattice based universal reencryption scheme is IND-URe-CPA (semantically) secure assuming that the is hard or .

Proof. It is the same as the proof in [13].

6. Lattice Based Efficient Universal Reencryption

We use Fairbrother’s idea [14] to reduce the size of the ciphertext by half. It also reduces the computational cost. The idea is that larger files can be split into segments, each of size bits. In Singh et al.’s universal reencryption scheme [13], the size of the plaintext is and the second part of the ciphertext is an encryption of zero. In our scheme, the size of the plaintext is and, for all these segments, the second part of the ciphertext (the encryption of zero) is made the same.

In [13], the size of the ciphertext for a plaintext of size bits is bits. With our efficient universal reencryption scheme, the size of the ciphertext for a plaintext of size bits is bits. Since the second part of the ciphertext is the same for all the segments, there is also some improvement in computational cost. We now describe our efficient scheme, which is similar to [13].

Universal KeyGen. It is the same as the Universal KeyGen algorithm of our scheme given in Section 5.

Universal Encryption. To encrypt a message , we do the following steps.
(i) We choose random matrices and error matrices .
(ii) For to , compute .
(iii) Compute .
(iv) Output the ciphertext .

Universal Decryption. To decrypt , we do the following steps.
(i) For to , set .
(ii) For to , compute .
(iii) Similarly, set .
(iv) Compute .
(v) If (), then output the message . Otherwise, decryption fails and the output is .

Universal Reencryption. To reencrypt the ciphertext without using the public key, we do the following steps.
(i) Choose matrices . We also choose error matrices .
(ii) Compute
(iii) Compute
(iv) Output the ciphertext .

The correctness property is established as for the previous scheme [13].
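The following Python example is added here and is not the authors’ code. It instantiates Golle et al.’s universal reencryption from Section 3.3 over a toy Schnorr group and then applies the segmentation idea of this section to it, so that one shared encryption of the identity (the multiplicative analogue of the shared encryption of zero) serves every segment; `group_elements` counts the resulting ciphertext sizes. The lattice scheme itself is not implemented, and the group parameters and messages are constructed toy values.

```python
import secrets

# Toy Schnorr group: p = 2q + 1 with q prime, g of order q.  Constructed
# toy values, far too small for real use; chosen so values can be inspected.
P, Q, G = 1019, 509, 4

def encode(x):
    """Map x in [1, Q] to a quadratic residue (x or p - x): messages must
    lie in the order-q subgroup."""
    return x if pow(x, Q, P) == 1 else P - x

def decode(m):
    return m if m <= Q else P - m

def rand_exp():
    return secrets.randbelow(Q - 1) + 1               # uniform in [1, Q-1]

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)                            # (sk, pk = g^x)

def elg_decrypt(x, pair):
    a, b = pair                                       # (m y^k, g^k)
    return a * pow(pow(b, x, P), P - 2, P) % P

# --- Golle et al. universal reencryption (Section 3.3) -------------------
def ure_encrypt(y, m):
    """Ciphertext = Elgamal(m) || Elgamal(1): the second half is the
    encryption of the identity that later allows key-less reencryption."""
    k0, k1 = rand_exp(), rand_exp()
    return ((encode(m) * pow(y, k0, P) % P, pow(G, k0, P)),
            (pow(y, k1, P), pow(G, k1, P)))

def ure_reencrypt(ct):
    """No public key needed: powers of the identity part re-randomise both halves."""
    (a0, b0), (a1, b1) = ct
    r0, r1 = rand_exp(), rand_exp()
    return ((a0 * pow(a1, r0, P) % P, b0 * pow(b1, r0, P) % P),
            (pow(a1, r1, P), pow(b1, r1, P)))

def ure_decrypt(x, ct):
    """Only the intended recipient sees the identity part decrypt to 1."""
    c0, c1 = ct
    return decode(elg_decrypt(x, c0)) if elg_decrypt(x, c1) == 1 else None

# --- Segmentation (Section 6): one identity part shared by all segments ---
def seg_encrypt(y, segments):
    k1 = rand_exp()
    shared = (pow(y, k1, P), pow(G, k1, P))           # encryption of 1, once
    parts = []
    for m in segments:
        k0 = rand_exp()
        parts.append((encode(m) * pow(y, k0, P) % P, pow(G, k0, P)))
    return parts, shared

def seg_reencrypt(ct):
    parts, (a1, b1) = ct
    new_parts = []
    for a0, b0 in parts:
        r = rand_exp()                                # fresh factor per segment
        new_parts.append((a0 * pow(a1, r, P) % P, b0 * pow(b1, r, P) % P))
    r1 = rand_exp()
    return new_parts, (pow(a1, r1, P), pow(b1, r1, P))

def seg_decrypt(x, ct):
    parts, shared = ct
    if elg_decrypt(x, shared) != 1:
        return None
    return [decode(elg_decrypt(x, pr)) for pr in parts]

def group_elements(n_segments):
    """Ciphertext size in group elements: n separate URe ciphertexts
    versus n segments sharing one identity part (4n vs. 2n + 2)."""
    return 4 * n_segments, 2 * n_segments + 2
```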

Theorem 6. The lattice based improved universal reencryption scheme is IND-URe-CPA (semantically) secure assuming that the is hard or .

Proof. We now show the universal semantic security of the universal reencryption scheme. We show that if there exists a PPT adversary that breaks the universal reencryption scheme with nonnegligible probability, then there must exist a PPT challenger that solves the decision LWE problem with nonnegligible probability by simulating the view of .
The adversary constructs the ciphertext for the message and sends it to the challenger . The ciphertext is statistically close to uniform.
For to , the challenger obtains samples (for the vector ), samples (for the vector ), and samples (for the vector ), where the vectors are from the Gaussian (error) distribution and the matrix . It parses as and then the challenger computes .
Similarly, the challenger again obtains samples (for the vector ), samples (for the vector ), and samples (for the vector ), where the vectors are from the Gaussian (error) distribution and the matrix . It parses as , and then the challenger assigns . Here, the matrices .
The challenger sends to the adversary .
When the oracle is a pseudorandom LWE oracle, is a valid universal reencryption of the ciphertext . When the oracle is a random oracle, is uniform. Finally, the adversary terminates with some output; the challenger terminates with the same output and ends the simulation. So if the adversary breaks the scheme, then there exists a challenger which solves the decision LWE problem.
. Hence, our scheme is universally semantically secure.

7. Conclusion

We have presented an improved construction for lattice based universal reencryption. A disadvantage of universal reencryption is that the receiver has to decrypt all the ciphertexts to identify the messages meant for him. A lattice based universal reencryption scheme that reduces this cost on the receiver side is an open problem.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank one of the anonymous reviewers of MIST 2013 for pointing out a mistake in our scheme. This paper is an extended version of our paper published in MIST 2013.