A Fuzzy Identity-Based Signature Scheme from Lattices in the Standard Model

Yang, Chunli; Zheng, Shihui; Wang, Licheng; Tian, Miaomiao; Gu, Lize; Yang, Yixian

doi:https://doi.org/10.1155/2014/391276

Mathematical Problems in Engineering

On this page

Abstract Introduction Preliminaries Conclusions Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2014 | Article ID 391276 | https://doi.org/10.1155/2014/391276

A Fuzzy Identity-Based Signature Scheme from Lattices in the Standard Model

Chunli Yang,^1,2Shihui Zheng ,^1,2Licheng Wang,^1,2Miaomiao Tian,³Lize Gu,^1,2and Yixian Yang^1,2

Academic Editor: Antonina Pirrotta

Received14 May 2014

Revised24 Jul 2014

Accepted28 Jul 2014

Published14 Aug 2014

Abstract

A fuzzy identity-based signature (FIBS) scheme allows a user with identity to issue a signature that could be verified with identity if and only if and lie within a certain distance. To obtain an FIBS scheme that can resist known quantum attacks, we use the double-trapdoor technique from ABB10a for secret key extracting and the vanishing trapdoor technique from Boyen10 for message signing. In addition, in order to reflect the functionality of fuzziness, Shamir secret sharing scheme is also used in our construction. In this paper, we propose an FIBS scheme from lattices and prove that this new scheme achieves strong unforgeability under selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model. To the best of our knowledge, our scheme is not only the first FIBS scheme from lattices without random oracles but also the first FIBS scheme that achieves strong unforgeability.

1. Introduction

In order to overcome certificates management problem in traditional public key cryptography, Shamir first put forward the concept of identity-based public key cryptography [1] in 1985; that is, the public key of an identity can be easily computed from his identity information. The first efficient and secure identity-based public key encryption (IBE) scheme was given by Boneh and Franklin in [2]. However, identity string for each identity is not unique, while biometric characteristics (e.g., fingerprints, faces, irises, etc.) are unique. Therefore, identity’s biometric characteristics can be used as public keys. Biometric keys have many advantages: hard to guess, forget, copy, share, and forge. However, biometric measurements are noisy, and there are many different measurements to the same biometric.

Sahai and Waters first introduced the concept of fuzzy identity-based encryption (FIBE) [3] in 2005. In an FIBE scheme, a user using the secret key, which the identity described as an attribute set , can decrypt a ciphertext encrypted with the public key if and only if and lie within a certain distance judged by some metric. Thus, an FIBE scheme involves an error tolerance parameter between the identities. In 2007, Baek et al. [4] put forward two FIBE schemes; these new schemes provided public parameters whose size was independent of the number of attributes in each identity and had beautiful structures, which made the key extraction and encryption more efficient than the scheme [3]. In [5], Goyal et al. showed that FIBE can also be regarded as a type of application of attribute based encryption (ABE).

Yang et al. [6] first introduced the concept of fuzzy identity-based signature (FIBS) and constructed an FIBS scheme based on scheme [3]. A fuzzy identity-based signature (FIBS) scheme allows a user with identity to issue a signature that could be verified with identity if and only if and lie within a certain distance judged by some metric. A number of FIBS schemes have been put forward in recent years, such as [7–11]. However, all of these schemes not only are based on hard number theoretical problems (e.g., integer factorization, discrete logarithm, and bilinear pairings), which are vulnerable to quantum computer attacks [12], but also achieved existential unforgeability. Existential unforgeability is only a basic requirement for a signature scheme; it means that an adversary is allowed to forge a new different signature of the same message. Strong unforgeability means that it prevents forging of signatures on messages that could have been signed previously. Cryptologists prefer to design digital signature schemes that can achieve strong unforgeability.

In recent years, lattice-based cryptographic systems have attained a great interest for postcryptography, as the systems have the ability to resist the known quantum analysis (e.g., Shor algorithm analysis [12]). Furthermore, the systems also enjoy great promise because of having a very strong security proof based on worst-case hardness, relatively efficient implementations, and great simplicity due to the structure and linearity of lattices. Many cryptographic schemes are based on the learning with errors (LWE) problem and small integer solution (SIS) problem, for example, public key encryption schemes [13, 14], digital signatures [15, 16], identity-based encryption [17, 18], fully homomorphic encryption [19, 20], and so on.

Meanwhile, researchers are always concerned with fuzzy identity-based signature (FIBS) scheme from lattices. An FIBS scheme from lattices was first proposed by Yao and Li [21] in 2013. The paper pointed out the defect of security model in [6] and put forward a more reasonable security model for FIBS scheme. In addition, authors also presented an FIBS scheme based on the SIS problem hardness assumption. However, the scheme could only achieve the standard of existentially unforgeable against adaptively chosen message and identity (EU-ACMIA) attacks in the random oracles. However, considering Canetti’s critical statement on provable security reduction based on random oracles [22] and the risk of random oracle model [23], it is a meaningful and relatively safe direction to design cryptographic schemes that are not in the random oracle model.

Based on the security model of [21], we use the double-trapdoor technique from ABB10a for secret key extracting, the vanishing trapdoor technique from Boyen10 for message signing, and Shamir secret sharing scheme [24]. We propose a new FIBS scheme that achieves strong unforgeability against selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model. To the best of our knowledge, our scheme is the first FIBS scheme from lattices without random oracles and achieves strong unforgeability.

The rest of this paper is organised as follows. In Section 2, we introduce some preliminaries about SIS problem and some algorithms that will be used in our construction and security proof. The model of FIBS and security notations are given in Section 3. In Section 4, we present our main result that is an FIBS scheme from SIS. The security proof and parameters analysis are presented in Section 5. We give the performance analysis and simulations in Section 6. In Section 7, we present the conclusions and open problem for the future.

2. Preliminaries

2.1. Notation

We denote the set of integers and real numbers by and , respectively. For a positive integer , denotes the set . The vectors are denoted by lower-case bold letters (e.g., ), matrices by upper-case bold letters (e.g., ), and the Gram-Schmidt orthogonalization of by . We write for the Euclidean norm of and for the length of a matrix . We use standard , for denoting the growth of functions. The notation poly denotes a function for some constant . negl denotes some unspecified function such that for constant , and describing such a function is negligible. We also describe that a probability is overwhelming if it is . The base of logarithm function is 2.

2.2. Lattice and Small Integer Solution (SIS) Problem

Definition 1 (see [25]). An -dimensional lattice is a discrete additive subgroup of . Formally, let consist of linearly independent vectors. The lattice generated by is Here is called a basis for the lattice .
For any basis , let denote its Gram-Schmidt orthogonalization of basis . It is iteratively defined as follows: , and is the component of orthogonal to span for .

Definition 2 (see [25]). Given a matrix for some , , , its -ary lattice is defined as follows: We also define the coset for any that is generated by the columns of as

Definition 3 (see [26]). Given any vector and real , a Gaussian function on centered at with parameter is defined by
For any vector , real , and -dimensional lattice , the discrete Gaussian distribution over is defined as follows: where .

Definition 4 (small integer solution (SIS) problem [26]). Given an integer , a real , and a matrix , the goal of is to find a vector for satisfying and , where .

Proposition 5 (hardness of SIS problem [26]). Given security parameter , any poly-bounded , , and any prime , the average-case problem is as hard as approximating the SIVP problem in the worst case to within certain factors.

2.3. Some Algorithms

We recall some algorithms for our construction and security proof later.

Lemma 6 (see [27]). Let be odd and . There is a probabilistic polynomial time algorithm that outputs a pair such that is statistically close to a uniform matrix in and is a basis for satisfying with all but negligible probability in .
For simplicity, we let denote the maximum Gram-Schimidt norm of a basis produced by .

Lemma 7 (see [15, 26]). Let and be a matrix in with . Let be a basis for and . Then for any ,(1);(2)there is a probabilistic polynomial time algorithm that returns sampled from a distribution statistically close to .

Lemma 8 (see [18]). Let , , and . There exists a polynomial time algorithm that takes a matrix , a rank matrix , a matrix , and a short basis of as inputs and outputs a vector distributed statistically close to , where and .

Lemma 9 (see [18]). There exists a polynomial time algorithm that takes a matrix , a matrix , and a short basis of as inputs and outputs a basis of with and , where .

Lemma 10 (see [18]). There exists a polynomial time algorithm that takes matrices , , and and a short basis of as inputs and outputs a basis of with and , where .

3. The Model of FIBS

We recall the notation of FIBS scheme and security model from [21] in this section. A fuzzy identity-based signature scheme consists of four algorithms as follows.(i): this probabilistic algorithm takes a security parameter as an input and outputs the public parameters that contain an error tolerance parameter and master key .(ii): this probabilistic algorithm takes the master key and an identity as inputs and outputs a secret key for identity .(iii): this probabilistic algorithm takes public parameters , a private key associated with , and a message as inputs and outputs the signature on message for identity .(iv): this deterministic algorithm takes identity such that , the message , and the corresponding signature as inputs and returns a bit , where means that the signature is valid.

For correctness purposes, for any fixed , and arbitrary such that , it holds that

We consider the security model of FIBS scheme as strong unforgeable against selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA). Strong unforgeability under adaptive chosen message attacks (SU-CMA) is stronger than existential unforgeability (EU-CMA) in the sense that the adversary is not restricted by the security model artificially. In EU-CMA, the adversary is only allowed to output a signature for a fresh message , where the signature of was known by adversary, while, the SU-CMA adversary is also allowed to output a fresh signature for one of the .

Let be an adversary assumed to be a probabilistic turing machine taking a security parameter as an input. Consider the following game in which interacts with a challenger .(i)Init: the adversary declares the target identity .(ii)Setup: the challenger runs the Setup phase of the algorithm and tells the public parameters to adversary .(iii)Queries: the adversary launches a number of different queries for the challenger .(1)Extract query: the adversary issues private key queries for any identities , where .(2)Sign query: the adversary can ask for the signature of any identities on any message .(iv)Forgery: the adversary outputs . succeeds if the following conditions hold:(1)Verify: ;(2)for any tuple that is generated during the Sign queries, we have (a) and or (b) .

We define s success probability by

A fuzzy identity-based signature (FIBS) scheme is said to be SU-sID-CMA secure if is negligible in the security parameter .

More stronger security model, strong unforgeability against adaptive chosen-identity and adaptive chosen-message attacks (SU-aID-CMA), can be obtained from SU-sID-CMA by a generic transformation that uses Chameleon hash function [28].

4. The FIBS Construction

Our construction is made of four algorithms as follows. In Section 5.1, we will further analyse the parameters.(i): this is a probabilistic algorithm that takes security parameter as an input and sets the parameters , where is the identity size, () is the error tolerance parameters, is the length of message, is a prime, is the dimension of lattice, and and are Gaussian parameters; then the algorithm performs the following steps.(1)Use algorithm TrapGen for generating matrices and corresponding trapdoors , where , , and .(2)Select uniformly random matrices , from , where . Draw independent matrices from for . Select a random nonzero vector .(3)Let be the full rank differences map as defined in [18].(4)Output public parameters , and master secret key .(ii): this is a probabilistic algorithm that takes the master key and an identity as inputs and then performs the following steps.(1)Call algorithm for all (the can be first expanded to , hashing it to using a collision resistant hash). Let ; then .(2)Output the secret key for identity .(iii): this is a probabilistic algorithm that takes public parameters , a private key associated with , and a message as inputs and then performs the following steps.(1)For every coordinate of , construct shares of independently using a Shamir secret-sharing scheme. Namely, for each , choose a uniformly random polynomial of degree such that . Construct the th share vector . Thus for all satisfying , we can compute fractional Lagrangian coefficients such that .(2)For message , let , where .(3)For , randomly choose .(4)Run algorithm . Let .(5)Output signature .(iv): this is a deterministic algorithm that takes identity , a message , and a signature as inputs and then performs the following steps.(1)Let denote the set of matching bits in and .(2)If , output .(3)Otherwise, compute for all and . If (a) for all and (b) , where is the corresponding fractional Lagrangian coefficient, then accept the signature . Otherwise, reject the signature .

Remark 11. In the verification equality, the only role of is to compute the subset . The equals instead of . This can be explained that the identity is a part of the signature . Designing a more graceful scheme such that the verification equality needs neither nor directly (like scheme based on pairing [6]) is our further research direction.

5. Correctness and Security

5.1. Correctness and Parameters

For proving the consistency of the scheme, we only consider the case , where is the matching bits set of and . First, we give the correctness of our scheme.

According to Lemma 7, we know that, for every , and . Thus, .

On the other hand, for every , vector satisfies from Lemma 7. In other words, . Therefore, for subset , .

Secondly, for the scheme working correctly, we must satisfy the following conditions.(i)Algorithm TrapGen can operate, so .(ii)Algorithm SampleBasisLeft used in Extract phase can operate; that is, , where .(iii)Algorithm SamplePre used in Sign phase can operate; that is, , where .

Taking as a security parameter, let satisfy . The parameters are set as follows: , .

5.2. Security

Theorem 12. The FIBS scheme is SU-sID-CMA in the standard model under the hardness assumption SIS problem. Let be an adversary that makes at most extract queries and signature queries and produces a successful forgery against our FIBS scheme with probability ; then there exists an algorithm that solves the problem with probability , where .

Proof. We prove this theorem by playing the classical provable secure game between an adversary and a challenger .(i) Init: let be the identity that intends to attack. The challenger is invoked on a random SIS instance and is asked to return an admissible solution such that and .(ii) Setup: the challenger generates the public parameters as follows. (a)Parse SIS instance as matrix ; choose randomly uniformly random matrices . (b)Let , for . (c)Choose randomly vectors from . Let and regard as th share vector of . According to Shamir secret-sharing scheme, there exist fractional Lagrangian coefficients for recovering ; that is, for all satisfying . (d)Run the algorithm TrapGen for generating the matrices and corresponding trapdoors , . Let be a matrix chosen at random from for , and let be a matrix sampling each column from for independently. (e)Pick uniformly random scalars and fix . Set and , where .(iii)Extract queries: the adversary issues private key queries for any identity satisfying . Considering a query for the private key of an identity , does not know the master key . For responding to a private key query for , the challenger uses the trapdoors to produce short basis for , where + . For , is nonsingular and therefore is also a trapdoor for , where . The challenger can now respond to the private key query by running and sending to the adversary .(iv) Sign queries: the adversary asks signature for any identities on any message. Consider a query for a signature of on message .(a)If , that is, , then the challenger will try to construct a signature as aforementioned for extracting query using trapdoors . Then, for every , = . Compute the matrix and the scalar . Note that . If , abort the simulation. Otherwise, compute the matrix and run the algorithm , . Finally, respond to the adversary with the signature . Now, we prove that the signature is a valid signature and the distribution is identical to the real one. First, according to lemma 8, we have for all and is with negligible statistical distance from the distribution , where . Therefore, due to the assumptions that and . In addition, for all from Lemma 7(1). Therefore, is a valid signature.(b)If , the challenger uses the secret key from extract query for responding the signature query by the signature algorithm.(c)If , the challenger will firstly compute the secret key for identity like the extract query. Then, respond with the signature query as aforementioned.(v) Forgery: the adversary outputs a valid forgery signature for the target identity . Then the challenger computes the matrix , . If , he aborts the simulation. According to whether the message is queried or not, there are two different cases that need to be considered.(a)The message is queried in the Sign queries. Assume that the challenger responded for message in the Sign queries. Then for all , parse , , where is the first rows of matrix and is the last rows of matrix . Let + ; then . The challenger returns as solution to and . In addition, According to Lemma of [16], ; therefore, the probability of is at least .(b)The message is not queried in the Sign queries. For every , separate into ; then and ≤ , where is the first rows of matrix and is the last rows of matrix . Let , and the challenger returns as solution to and ≤ . In addition, according to Lemma of [15], with overwhelming probability; therefore, with overwhelming probability.
Furthermore, according to Lemma of [16], the simulation completes both the Queries and the Forgery phases without aborting with probability of at least . Therefore, the probability that the challenger can return a SIS solution is .

Remark 13. In fact, there is a weakness in the above security proof. Specifically, in the forge phase, the adversary outputs a signature signed by instead of . If we change it into that satisfies and the signature can be verified correctly, the SIS hardness problem could not be embedded and the SIS solution will not be found. In addition, there is a similar question in the security proof of [21]. We think this problem is the bottleneck of constructing fuzzy attribute-based signature from lattices, and we will solve this problem as a long-term research direction.

6. Performance Analysis and Simulations

6.1. Comparison with the Scheme of [21]

The efficiency and security of our scheme and the scheme of [21] are summarized in Table 1, where the efficiency includes the size of storage space, the communication cost, and computation cost.

Firstly, we consider the size of storage space and the communication cost. Specifically, we compare the length of public parameters , the master secret key , and the private key of identity , which affect the the size of storage space. We also compare the length of the signature, which affects the communication cost.(i)As for the size of the public parameters , the scheme of [21] needs matrices in ; the size is about . Our scheme needs matrices in and a vector in ; the size is about .(ii)As for the size of the master secret key , the scheme of [21] needs matrices in ; the size is about . Our scheme needs matrices in ; the size is about .(iii)As for the size of the private key of identity , the scheme of [21] needs matrices in ; the size is about . Our scheme needs matrices in ; the size is about .(iv)As for the size of the signature , the signature of the scheme of [21] is made of vectors in ; the size is about . Our signature is made of vectors in ; the size is about .

Secondly, we compare sign cost and verify cost of our scheme and the scheme of [21], which affects the computation cost.(i)Sign cost: in the scheme of [21], the process of signing is made of times of Shamir secret-sharing operations (SSS) and times of preimage sampling algorithms (PS) with module . In our scheme, the process of signing is made of times of Shamir secret-sharing operations (SSS), times of discrete Gaussian sampling algorithms (DGS) with module , and times of preimage sampling algorithms (PS) with module .(ii)Verify cost: in the scheme of [21], the process of verifying is made of times of matrix and vector products in (MVP) (where the matrix form is and the vector form is -row), times of scalar multiplications in (SMP). In our scheme, the process of verifying is made of times of matrix and vector products in (MVP) (where the matrix form is and the vector form is -row), times of scalar multiplication in (SMP), and times of matrix and matrix additions (MMA) in .

Finally, we compare the security that these two schemes achieved. Improving the security of the scheme of [21] is our motivation of this paper. Specifically, our scheme can achieve strong unforgeability instead of existential unforgeability. Meanwhile, we prove the security proof in the standard model instead of in the random oracle model. Therefore, our scheme seems safer than the scheme of [21]. To the best of our knowledge, our scheme is the first FIBS scheme from lattices without random oracles and achieves strong unforgeability.

6.2. Simulations

The scheme of [21] and our scheme are implemented in Visual Studio 2008 in Windows 7 Service Pack1 64-bit operating system. We use a desktop which has a 4-core Intel(R) Core (TM) i7-860 processor running at 2.79 GHz and 8 GB of RAM.

We carry out 6 simulations with different parameter settings that are given in Table 2 (it is suggested from [26, 29]). As for other parameters, we set the length of identity string , the error tolerance parameter , and the length of message . We use the same parameter settings and choose another module in [21]. We let in the simulation, but in fact, the module is larger than . The average sign time and verify time are listed in Table 3 and illustrated in Figure 3. The length of public parameters and master secret key is illustrated in Figure 1. The length of private key of identity and signature is illustrated in Figure 2.

(a) Length of public parameters

(b) Length of master secret key

(a) Length of private key of identity

(b) Length of signature

(a) Average sign time

(b) Average verify time

Remark 14. In fact, in the simulation of signing, we only count the time of times preimage sampling algorithms (PS) with module in the scheme of [21], and we count the time of times discrete Gaussian sampling algorithms (DGS) with module and times preimage sampling algorithms (PS) with module in our scheme. The time of times Shamir secret-sharing operations (SSS) is not included because it is the same in these two schemes.

Remark 15. In the simulation of verifying, we count the time of times matrix and vector products in (MVP) (where the matrix form is and the vector form is -row) in the scheme of [21]; the additional one time MVP in is derived from times scalar multiplications (SMP) in . We count the time of times matrix and vector products in (MVP) (where the matrix form is and the vector form is -row); the additional one time MVP in is derived from times scalar multiplications in (SMP) and times matrix and matrix additions (MMA).

From Figures 1, 2, and 3, we may draw the following conclusions. (1) In the aspect of storage space, the length of our scheme’s public parameters is longer than the one of [21], while the length of the master secret key and the length of identity’s private key are shorter than the ones of [21]. So, the storage space of PKG and identities is broadly flat in these two schemes. (2) The sign time in these two schemes is approximately the same, while the verify time of our scheme is longer than the one of [21]. Therefore, the computation cost of our scheme is larger than the scheme of [21]. (3) The length of signature of our scheme is shorter than the one of [21], which leads to the result that the communication cost is smaller the scheme of [21]. In general, in the personal computer, the storage space is large and the computational ability is strong enough, while the bandwidth becomes a main factor of restricting the communication. The signature size of our scheme is shorter, which is good for communication.

7. Conclusions and Open Problems

In this paper, we present an FIBS scheme from lattices and prove the strong unforgeability of our scheme under selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model. In addition, complexity analysis and simulations are given in the end of the paper.

Attribute-based signature (ABS) scheme extends (fuzzy) identity-based signature in which a signer is defined by a set of attributes instead of a single string representing the signer’s identity. For further research, we aim for constructing a fuzzy attribute-based signature scheme from lattices. In addition, we can also use other secret sharing schemes [30] to construct FIBS scheme.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors are grateful to the reviewers for their helpful advices. This work is partially supported by the National Natural Science Foundation of China (NSFC) (nos. 61121061, 61202082, and 61370194), the NSFC A3 Foresight Program (no. 61161140320), and the Fundamental Research Funds for the Central Universities (BUPT2012RC0219).

References

A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.
View at: Publisher Site | Google Scholar | MathSciNet
D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Advances in Cryptology—CRYPTO, pp. 213–229, Springer, Berlin, Germany, 2001.
View at: Google Scholar
A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Advances in Cryptology—CEUROCRYPT 2005, pp. 457–473, Springer, Berlin, Germany, 2005.
View at: Google Scholar
J. Baek, W. Susilo, and J. Zhou, “New constructions of fuzzy identity-based encryption,” in Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS '07), pp. 368–370, ACM, March 2007.
View at: Publisher Site | Google Scholar
V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, ACM, November 2006.
View at: Publisher Site | Google Scholar
P. Yang, Z. Cao, and X. Dong, “Fuzzy identity based signature,” Report 2008/002, IACR Cryptology ePrint Archive, 2008.
View at: Google Scholar
P. Yang, Z. Cao, and X. Dong, “Fuzzy identity based signature with applications to biometric authentication,” Computers and Electrical Engineering, vol. 37, no. 4, pp. 532–540, 2011.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
L. Zhang, Q. Wu, and Y. Hu, “Fuzzy biometric identity-based signature in the standard model,” Applied Mechanics and Materials, vol. 44-47, pp. 3350–3354, 2011.
View at: Publisher Site | Google Scholar
C. Wang, “A provable secure fuzzy identity based signature scheme,” Science China: Information Sciences, vol. 55, no. 9, pp. 2139–2148, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
C. Wang and J. Kim, “Two constructions of fuzzy identity based signature,” in Proceedings of the 2nd International Conference on Biomedical Engineering and Informatics (BMEI '09), pp. 1–5, October 2009.
View at: Publisher Site | Google Scholar
C. Wang, W. Chen, and Y. Liu, “A fuzzy identity based signature scheme,” in Proceedings of the International Conference on E-Business and Information System Security (EBISS '09), pp. 1–5, Wuhan, China, May 2009.
View at: Publisher Site | Google Scholar
P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal on Computing, vol. 26, no. 5, pp. 1484–1509, 1997.
View at: Publisher Site | Google Scholar | MathSciNet
O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM, vol. 56, no. 6, article 34, 2009.
View at: Publisher Site | Google Scholar | MathSciNet
D. Micciancio and C. Peikert, “Trapdoors for lattices: Simpler, tighter, faster, smaller,” in Proceedings of the Advances in Cryptology (EUROCRYPT '12), pp. 700–718, Springer, Berlin, Germany, 2012.
View at: Google Scholar
C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 197–206, ACM, May 2008.
View at: Google Scholar
X. Boyen, “Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more,” in Public Key Cryptography—PKC 2010, vol. 6056 of Lecture Notes in Computer Science, pp. 499–517, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” Journal of Cryptology, vol. 25, no. 4, pp. 601–639, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (H) IBE in the standard model,” in Advances in Cryptology—EUROCRYPT 2010, pp. 553–572, Springer, Berlin, Germany, 2010.
View at: Google Scholar
Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS '11), pp. 97–106, 2011.
View at: Publisher Site | Google Scholar
Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully homomorphic encryption without bootstrapping,” in Proceeding of the 3rd Conference on Innovations in Theoretical Computer Science (ITCS '12), pp. 309–325, New York, NY, USA, January 2012.
View at: Publisher Site | Google Scholar
Y. Yao and Z. Li, “A novel fuzzy identity based signature scheme based on the short integer solution problem,” Computers and Electrical Engineering, 2013.
View at: Publisher Site | Google Scholar
R. Canetti, O. Goldreich, and S. Halevi, “The random oracle methodology, revisited,” Journal of the ACM, vol. 51, no. 4, pp. 557–594, 2004.
View at: Publisher Site | Google Scholar | MathSciNet
G. Leurent and P. Nguyen, “How risky is the random-oracle model?” in Advances in Cryptology-CRYPTO 2009, pp. 445–464, Springer, Berlin, Germany, 2009.
View at: Google Scholar
A. Shamir, “How to share a secret,” Communications of the Association for Computing Machinery, vol. 22, no. 11, pp. 612–613, 1979.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective, Springer, New York, NY, USA, 2002.
View at: Publisher Site | MathSciNet
D. Micciancio and O. Regev, “Worst-case to average-case reductions based on Gaussian measures,” SIAM Journal on Computing, vol. 37, no. 1, pp. 267–302, 2007.
View at: Publisher Site | Google Scholar | MathSciNet
J. Alwen and C. Peikert, “Generating shorter bases for hard random lattices,” Theory of Computing Systems, vol. 48, no. 3, pp. 535–553, 2011.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
H. Krawczyk and T. Rabin, “Chameleon signatures,” in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, San Diego, Calif, USA, 2000.
View at: Google Scholar
R. Lindner and C. Peikert, “Better key sizes (and attacks) for LWE-based encryption,” in Topics in Cryptology CCT-RSA, pp. 319–339, Springer, Berlin, Germany, 2011.
View at: Google Scholar
D. Zhao, H. Peng, C. Wang, and Y. Yang, “A secret sharing scheme with a short share realizing the (t, n) threshold and the adversary structure,” Computers & Mathematics with Applications, vol. 64, no. 4, pp. 611–615, 2012.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2014 Chunli Yang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

998

Downloads

945

Citations