Abstract

In the past, many ID-based signature (IBS) schemes based on the integer factorization or discrete logarithm problems were proposed. With the progress of quantum technology, the IBS schemes mentioned above would become vulnerable. Recently, several IBS schemes over lattices were proposed to be secure against attacks in the quantum era. As in conventional public-key settings, ID-based public-key settings have to offer a revocation mechanism to revoke misbehaving or malicious users. However, little work has focused on the revocation problem in IBS schemes over lattices. In this article, we propose a new revocable IBS (RIBS) scheme over lattices with short key and signature sizes. Based on the short integer solution (SIS) assumption, we prove that the proposed RIBS scheme provides existential unforgeability against adaptive chosen-message attacks. Compared with the existing IBS schemes over lattices, our RIBS scheme has better performance in terms of signature size, signing key size, and a revocation mechanism that uses public channels.

1. Introduction

The notion of identity-based cryptography (IBC) was first proposed by Shamir [1] in 1984. In IBC, a user’s public key can be derived from her/his identity, such as an email address or an IP address. Users’ private keys are generated by a trusted private key generator (PKG) and delivered to the corresponding users over secure channels. In contrast to conventional public-key settings, IBC removes the need for certificate management. Following Shamir’s idea, Boneh and Franklin [2] proposed a practical identity-based (ID-based) encryption (IBE) scheme based on bilinear pairings.

The public key of a user is valid until its intended expiration date, but several circumstances may force its revocation earlier. A public-key setting should therefore offer a revocation mechanism to revoke the public keys of misbehaving or malicious users. Indeed, Boneh and Franklin [2] proposed not only a practical IBE scheme but also a revocation method for the ID-based public-key setting. In their method, the PKG periodically generates new private keys for all nonrevoked users and securely sends each periodic private key to its user. A secure channel between the PKG and each nonrevoked user must therefore be established to deliver the periodic private key, and the size of the PKG’s key update is linear in the number of nonrevoked users. Afterward, Boldyreva et al. [3] employed a tree structure to propose a new revocable IBE (RIBE) scheme. In their RIBE scheme, the size of the PKG’s key update is reduced to the logarithm of the number of nonrevoked users, but the private key size of each user increases from constant to the logarithm of the number of nonrevoked users. Nevertheless, both revocation mechanisms still require encryption/decryption to send the periodic private keys to users, and this periodic encryption/decryption raises the workloads of both the PKG and the users. To eliminate the requirement of encryption/decryption, Tseng and Tsai [4] proposed a new RIBE scheme with a public channel, in which neither the PKG nor the users need to encrypt/decrypt the periodic private keys. It provides an alternative that is more practical than the previously proposed revocation solutions.

The security of today’s widely deployed public-key cryptosystems (including the IBC schemes mentioned above) rests on the integer factoring assumption or the hardness of the discrete logarithm problem. With the progress of quantum technology, the computational power of quantum computers would pose an immediate threat to these cryptosystems [5]. Accordingly, this has motivated the era of postquantum cryptography (PQC). Among the postquantum research areas, lattice-based public-key cryptography has received the most attention from researchers. Compared with other PQC families, lattice-based cryptography offers more efficient public-key encryption and digital signature schemes. In the past five years, lattice-based public-key cryptography has grown tremendously, and its related schemes have become practical.

Related Work. To combine the advantages of IBC and lattices, Ruckert [6] proposed the first two ID-based signature (IBS) schemes over lattice assumptions. To improve efficiency and security, several lattice-based IBS schemes [7–10] have since been proposed. The schemes in [7, 8] employ Gentry et al.’s signature scheme [11] with a user’s identity to generate the corresponding signing key; with that signing key, the user runs a preimage sampling algorithm (i.e., lattice basis delegation) [12] to obtain a signature. In Gentry et al.’s signature scheme, the user’s signing key is a short basis of a lattice, so the two lattice-based IBS schemes [7, 8] are inefficient in practice: both the signing key size and the signature size increase dramatically after lattice basis delegation.

Based on the lattice-based IBS scheme in [8], Tian and Huang [9] replaced the preimage sampling algorithm with the rejection sampling technique [13] to generate a signature. Their scheme can be viewed as an identity-based version of Lyubashevsky’s signature scheme [13]; its advantage is a smaller signature size and a lower computational cost for generating a signature. In 2016, inspired by the IBE scheme over NTRU lattices proposed by Ducas et al. [14], Xie et al. [10] employed its key extraction algorithm to further reduce the size of a user’s signing key. However, none of the lattice-based IBS schemes mentioned above addresses the revocation problem. They could use Boneh and Franklin’s periodic revocation mechanism [2] to achieve revocation, but in that mechanism the PKG and nonrevoked users require encryption/decryption to send the periodic signing keys to users.

Recently, Xiang [15] adopted the binary tree structure of [3] to construct a revocable IBS (RIBS) scheme over lattices. As in Boldyreva et al.’s scheme [3], the size of the PKG’s key update is reduced to the logarithm of the number of nonrevoked users. However, Xiang’s scheme also inherits the disadvantages of Boldyreva et al.’s scheme [3]: the private key size of a user increases from constant to the logarithm of the number of users, and encryption/decryption is required to securely send the users’ periodic signing keys. Moreover, the signing key size, signature size, and computational cost of Xiang’s scheme turn out to be inefficient.

Contribution. In this article, we employ the revocation idea of Tseng and Tsai [4] to propose an efficient RIBS scheme over lattices in which the size of a user’s signing key remains constant. In our RIBS scheme, a user’s signing key consists of two components, namely, an initial key and a time update key. The initial key is fixed, while the time update key changes with the time-period. The PKG periodically generates new time update keys and sends them to nonrevoked users over a public channel. To revoke misbehaving users, the PKG simply stops issuing new time update keys for them. Thus, a RIBS scheme must address two kinds of adversaries: an inside adversary (a revoked user) and an outside adversary. Based on the short integer solution (SIS) assumption over lattices [16], we prove that the proposed RIBS scheme provides existential unforgeability against adaptive chosen-message attacks for both a revoked user and an outside adversary. Compared with the existing lattice-based RIBS schemes, our scheme possesses the following properties:
(i) Both the initial key and the time update key of a user are generated using the Gaussian sampling technique over NTRU lattices. Both keys are small and independent of the number of users in the system.
(ii) We employ the rejection sampling technique [13] to generate a signature, so the signature size is smaller than that of a signature scheme using the preimage sampling algorithm.
(iii) The PKG and nonrevoked users do not need to encrypt/decrypt the periodic time update keys.

In summary, as compared with previously proposed IBS and RIBS schemes over lattices, our scheme possesses better performance in terms of signing key size, signature size, and the revocation mechanism.

Organization. The rest of this article is arranged as follows. Section 2 presents several important preliminaries. In Section 3, the syntax and adversary models of RIBS schemes are given. The proposed RIBS scheme over lattices is presented in Section 4. In Section 5, the security of the proposed RIBS scheme is formally analyzed. In Section 6, performance analysis and comparisons are made to demonstrate the advantages of the proposed scheme. In Section 7, conclusions are given.

2. Preliminaries

Here, we review several fundamental concepts and assumptions of lattices.

2.1. Notations

Throughout this article, let be the set of real numbers, be an integer with the type power-of-two, be the set of integers, and, for , be the set of integers in the set . denotes the Euclidean norm of a vector . represents the norm of a matrix which is defined as the largest norm of its columns. Let be the ring of polynomials modulo with coefficients in . For and in , let and denote, respectively, the addition and multiplication in , defined by

Here, the coefficients of and are reduced modulo into the set . For convenience, an element in will be written as a polynomial or a vector .

For any set of linearly independent vectors, let denote its Gram-Schmidt orthogonalization, defined iteratively in the following way: , and for each , is the component of orthogonal to span . Clearly, .

2.2. Lattice

A lattice is a set of points in -dimensional space with a periodic structure [16]. Let be linearly independent vectors in . These linearly independent vectors can generate a (-dimensional) lattice that is denoted by , namely, the set . The set is viewed as a basis of the lattice .

2.3. Anticirculant Matrices

Anticirculant matrices have become one of the most important and active research fields in recent years since they possess a special structure and nice properties.

Definition 1. An -dimensional anticirculant matrix with is represented as the following Toeplitz matrix:

For convenience, we denote as in this article. Anticirculant matrices possess the following important property.

Lemma 2 (see [14]). and , where .

2.4. NTRU Lattices

NTRU [17] is a lattice-based cryptosystem that relies on a particularly efficient class of convolution modular lattices, called NTRU lattices. We briefly review the concept of NTRU lattices, on which our scheme is based.

Definition 3. Assume that is a positive integer and is a power-of-two integer while and . By using and , an NTRU full-rank lattice of is represented as

Indeed, the NTRU full-rank lattice is generated by the matrix

where and are, respectively, the identity matrix and the zero matrix.

However, if is uniformly distributed in , then the basis is unsuitable for solving the closest vector problem. To compensate for this, Hoffstein et al. [18] constructed an appropriate basis

for while satisfying , where . Indeed, such and can be computed efficiently. Moreover, provides a short basis for because of the fact , by Lemma 4 below.

Lemma 4 (see [14]). Assume that satisfy and . Then, and are both bases of the NTRU lattice and .
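To make Lemma 2 and the NTRU-lattice basis of Definition 3 and Lemma 4 concrete, the following Python example (added here; it is not code from the original article or from Ducas et al.) builds the ring arithmetic, the anticirculant matrices, and the membership test u + v·h ≡ 0 (mod q) on constructed toy parameters; the inversion by exponentiation and the tiny instances are our own choices, not the article's.

```python
"""Toy arithmetic in R_q = Z_q[x]/(x^N + 1), anticirculant matrices (Definition 1,
Lemma 2) and NTRU-lattice membership (Definition 3, Lemma 4).  Added illustration;
the parameters below are constructed toy values, far below any secure size."""
from typing import List

Poly = List[int]            # index i holds the coefficient of x^i
Matrix = List[List[int]]

def centered(a: int, q: int) -> int:
    """Reduce a into the centered representative set (-q/2, q/2]."""
    a %= q
    return a - q if a > q // 2 else a

def poly_mul(f: Poly, g: Poly, q: int = 0) -> Poly:
    """Multiply in Z[x]/(x^N + 1) (negacyclic convolution); reduce mod q when q > 0."""
    n = len(f)
    acc = [0] * n
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            if i + j < n:
                acc[i + j] += a * b
            else:               # x^N = -1: the wrapped term changes sign
                acc[i + j - n] -= a * b
    return [centered(c, q) for c in acc] if q else acc

def poly_add(f: Poly, g: Poly, q: int = 0) -> Poly:
    s = [a + b for a, b in zip(f, g)]
    return [centered(c, q) for c in s] if q else s

def poly_inv(f: Poly, q: int) -> Poly:
    """Inverse in R_q as f^(q^N - 2): R_q is a product of fields F_{q^d} with d | N,
    so every unit satisfies f^(q^N - 1) = 1.  Raises if f is not a unit."""
    n = len(f)
    one = [1] + [0] * (n - 1)
    result, base, e = one, f, q ** n - 2
    while e:                    # square-and-multiply
        if e & 1:
            result = poly_mul(result, base, q)
        base = poly_mul(base, base, q)
        e >>= 1
    if poly_mul(f, result, q) != one:
        raise ValueError("f is not invertible in R_q")
    return result

def anticirculant(f: Poly, q: int) -> Matrix:
    """A(f): row i is the coefficient vector of x^i * f, so v . A(f) = coeffs of v * f."""
    n = len(f)
    return [poly_mul(f, [int(j == i) for j in range(n)], q) for i in range(n)]

def mat_mul(a: Matrix, b: Matrix, q: int) -> Matrix:
    n = len(a)
    return [[centered(sum(a[i][k] * b[k][j] for k in range(n)), q) for j in range(n)]
            for i in range(n)]

def mat_add(a: Matrix, b: Matrix, q: int) -> Matrix:
    return [[centered(x + y, q) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def lemma2_holds(f: Poly, g: Poly, q: int) -> bool:
    """Lemma 2: A(f) + A(g) = A(f + g) and A(f) A(g) = A(f g)."""
    af, ag = anticirculant(f, q), anticirculant(g, q)
    return (mat_add(af, ag, q) == anticirculant(poly_add(f, g, q), q)
            and mat_mul(af, ag, q) == anticirculant(poly_mul(f, g, q), q))

def in_ntru_lattice(u: Poly, v: Poly, h: Poly, q: int) -> bool:
    """Definition 3: (u, v) lies in the NTRU lattice iff u + v * h = 0 mod q."""
    return all(c == 0 for c in poly_add(u, poly_mul(v, h, q), q))

def is_trapdoor_basis(f: Poly, g: Poly, F: Poly, G: Poly, q: int) -> bool:
    """Lemma 4: f G - g F = q over Z, and both short rows (g, -f), (G, -F) lie in the
    lattice of the public key h = g / f mod q."""
    n = len(f)
    neg = lambda p: [-c for c in p]
    if poly_add(poly_mul(f, G), neg(poly_mul(g, F))) != [q] + [0] * (n - 1):
        return False
    h = poly_mul(g, poly_inv(f, q), q)
    return in_ntru_lattice(g, neg(f), h, q) and in_ntru_lattice(G, neg(F), h, q)

if __name__ == "__main__":
    # Constructed instances: N = 8, q = 17 for Lemma 2; N = 2, q = 5 (Gaussian integers,
    # f G - g F = (1+i)(4-2i) - (1+2i) = 5) for the trapdoor-basis check.
    print(lemma2_holds([1, -1, 0, 2, 0, 0, 1, -1], [0, 1, 1, 0, -1, 0, 0, 2], 17))
    print(is_trapdoor_basis([1, 1], [1, 2], [1, 0], [4, -2], 5))
```

The N = 2 instance is the Gaussian integers, which is why f, g, F, G with f·G − g·F = q can be found by hand; at real sizes those F, G come from the key-generation algorithm of [14].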

Gentry et al. [11] proposed the Gaussian sampling technique as the trapdoor generation algorithm to produce a trapdoor of a one-way function. Ducas et al. [14] proposed a special distribution over the NTRU lattices to improve the performance of the trapdoor generation algorithm in Gentry et al.’s scheme. In this article, we adopt Ducas et al.’s scheme as the trapdoor generation algorithm as follows.

Lemma 5 (see [14]). Let be a prime, be a power-of-two integer, and . Then, we can construct a probabilistic polynomial-time (PPT) algorithm which generates two polynomials and to output and a matrix such that is statistically close to uniform in and is a short basis of .

2.5. Gaussian (Normal) Distribution

Gentry et al. [11] proposed the Gaussian sampling technique as the trapdoor generation algorithm which produces a trapdoor without leaking any information of the short basis. Before we introduce Gentry et al.’s method, we define Gaussian distributions.

Definition 6. The continuous Gaussian distribution over centered at with the standard deviation is defined by the function , where .

For any lattice , represents .

Definition 7. The discrete Gaussian distribution over centered at with the standard deviation is defined as , where .

In the sequel, we abbreviate as and as , respectively. On the other hand, Lyubashevsky [13] proved the following facts about , the discrete normal distribution in dimension with standard deviation centered at .

Lemma 8 (see [13]). For any and , we have the following properties.
(1) If , then .
(2) If , then .
According to Lemma 8, there is a real such that for all [9].

2.6. Sampling Algorithms

Micciancio and Regev [19] defined a lattice parameter to determine the amount of Gaussian noise that one has to add to a lattice in order to get close to a uniform distribution. By Micciancio and Regev’s method, Gentry et al. [11] proposed a sampling algorithm as follows.

Lemma 9 (see [11]). Let be a prime and be a short basis of an -dimensional lattice . If and , then, for any , we have the following properties:
(1) , where .
(2) There is a PPT algorithm that can output a sample in from a distribution which is statistically close to .

2.7. Rejection Sampling Algorithm

Lyubashevsky [13] adopted the rejection sampling technique to sign a message. When a user with ID would like to sign a message with a signing key , she/he first chooses a vector . The user then sets a candidate signature as , where is the hash value of the message. Let be the target distribution of the signature, which is independent of . If is a probability distribution and satisfies for all , then the candidate signature is output with probability , and is the expected number of attempts required to output a signature.
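The following Python example (added here; it is not code from the original article or from [13]) runs the rejection step just described on a constructed short vector standing in for S·c, and contrasts the mean of the raw candidates, which leaks that vector, with the mean of the accepted outputs, which does not; the choice σ = α·||Sc|| with α = 12 and the constant M = exp(12/α + 1/(2α²)) follow [13], and the parameter values are toys.

```python
"""Rejection sampling in the signing step of Section 2.7 (Lyubashevsky [13]).
Added illustration: a candidate z = y + S*c is kept with probability
min(1, D_sigma(z) / (M * D_{Sc,sigma}(z))), so the accepted z no longer depend on S*c.
The product S*c is modelled directly as a constructed short vector v; all values are toys."""
import math
import random
from typing import Dict, List, Optional, Tuple

Vec = List[int]

def discrete_gaussian_1d(sigma: float, rng: random.Random, tau: float = 6.0) -> int:
    """Sample x in Z with probability proportional to exp(-x^2 / (2 sigma^2)),
    by rejection from the uniform integers in [-tau*sigma, tau*sigma]."""
    bound = int(math.ceil(tau * sigma))
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2 * sigma * sigma)):
            return x

def rejection_constant(alpha: float) -> float:
    """M = exp(12/alpha + 1/(2 alpha^2)) when sigma = alpha * ||Sc|| ([13], Theorem 4.6)."""
    return math.exp(12 / alpha + 1 / (2 * alpha * alpha))

def accept_probability(z: Vec, v: Vec, sigma: float, M: float) -> float:
    """min(1, D_sigma(z) / (M * D_{v,sigma}(z))).  The two Gaussians share their
    normalisation, so the ratio is exp((||v||^2 - 2<z, v>) / (2 sigma^2))."""
    vv = sum(a * a for a in v)
    zv = sum(a * b for a, b in zip(z, v))
    return min(1.0, math.exp((vv - 2 * zv) / (2 * sigma * sigma)) / M)

def sign_attempt(v: Vec, sigma: float, M: float, rng: random.Random) -> Tuple[Vec, Optional[Vec]]:
    """One signing attempt: returns (candidate z, z if accepted else None)."""
    y = [discrete_gaussian_1d(sigma, rng) for _ in v]
    z = [a + b for a, b in zip(y, v)]
    accepted = z if rng.random() < accept_probability(z, v, sigma, M) else None
    return z, accepted

def simulate(v: Vec, alpha: float, trials: int, seed: int = 1) -> Dict[str, object]:
    """Contrast the candidates (whose mean is v, leaking the secret) with the accepted
    outputs (whose mean is ~0 whatever v is); also report the acceptance rate ~ 1/M."""
    rng = random.Random(seed)
    sigma = alpha * math.sqrt(sum(a * a for a in v))
    M = rejection_constant(alpha)
    raw_sum, acc_sum, n_acc = [0] * len(v), [0] * len(v), 0
    for _ in range(trials):
        z, acc = sign_attempt(v, sigma, M, rng)
        raw_sum = [s + c for s, c in zip(raw_sum, z)]
        if acc is not None:
            n_acc += 1
            acc_sum = [s + c for s, c in zip(acc_sum, acc)]
    return {
        "M": M,
        "acceptance_rate": n_acc / trials,
        "raw_mean": [s / trials for s in raw_sum],
        "accepted_mean": [s / n_acc for s in acc_sum],
    }

if __name__ == "__main__":
    # Constructed secret-dependent vector S*c = v and alpha = 12 (so M is about 2.73).
    for key, value in simulate([3, -2, 1, 0], alpha=12, trials=40000).items():
        print(key, value)
```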

2.8. Hardness Assumptions

In the following, we present a mathematical problem, namely, the short integer solution (SIS) problem, which is at least as hard as the worst case of the shortest independent vectors problem (SIVP) up to a polynomial approximation factor [16].

Definition 10 ( problem). The short integer solution (SIS) problem on a ring with parameters , , , and is defined as follows. Given chosen uniformly and independently from , the SIS problem is to find such that mod and , where .

Stehle and Steinfeld [20] showed that the statistical distance between the distribution of and the uniform distribution over is negligible. If we take an NTRU public key , the problem on NTRU lattices is to find a pair that satisfies the conditions and .

3. Syntax and Adversary Model of RIBS

In the following, we define the syntax and adversary model of RIBS schemes.

Definition 11. A RIBS scheme includes five algorithms:
(i) Setup. The algorithm takes a system parameter and the number of time-periods as input, publishes the public parameters Parms, and keeps a system secret key secret.
(ii) Initial Key Extract. Given a user’s and the system secret key , it computes the initial key and sends it to the user.
(iii) Time Key Update. Given a time-period , a user’s ID, and the system secret key , this algorithm computes the time update key and sends it to the user.
(iv) Signing. This algorithm takes a message , a user’s signing key , and a time-period as input. It returns a signature on .
(v) Verification. This algorithm takes a message , a signature , a user’s ID, and a time-period as input. It returns “accept” if is valid and “reject” otherwise.
By the framework of the RIBS scheme, a user’s signing key consists of two components, namely, the initial key and the time update key. Thus, the associated adversary model consists of two kinds of adversaries: an inside adversary (or a revoked user) and an outside adversary.

Definition 12. For a RIBS scheme, if no PPT adversary (a revoked user or an outside adversary) has nonnegligible probability of forging a valid signature under adaptive chosen-message attacks, we say that the RIBS scheme is existentially unforgeable, or RID-UF-ACMA secure. In the following RID-UF-ACMA game, the adversary interacts with a challenger to obtain useful information.
(i) Initialization. performs the setup algorithm to set Parms and . The PKG sends Parms to the adversary and keeps secret.
(ii) Queries. can adaptively request a number of queries as follows.
(a) Initial Key Extract Query. Upon receiving an identity ID, performs the initial key extract algorithm to generate , and then sends to .
(b) Time Key Update Query. Upon receiving a user’s and a time-period , performs the time key update algorithm to generate , and then sends to .
(c) Signing Query. Upon receiving a message , an identity , and a time-period , uses to perform the algorithm to obtain a signature , and then sends to .
(iii) Forgery. If can, with nonnegligible probability, forge a signature tuple that fulfills the following conditions, we say that wins the game with nonnegligible probability. We define this nonnegligible probability as the advantage of in the game.
(1) For , the verification algorithm outputs “accept.”
(2) The tuple is not issued during the signing query.
(3) If is an outside adversary, is not issued during the initial key extract query.
(4) If is a revoked user (inside adversary), is not issued during the time key update query.

4. Efficient RIBS Scheme over NTRU Lattices

The proposed RIBS scheme over NTRU lattices includes five algorithms.
(i) Setup. Given a system parameter , the PKG chooses a prime , , and . Then the PKG runs the algorithm presented in Lemma 5 to obtain such that , , and while generating a short basis

The PKG generates the public parameters Parms and the system secret key as follows:
(1) Set three hash functions , , and , where the vectors can be viewed as polynomials with coefficients in the set and denotes the number of nonzero components of .
(2) Finally, the PKG sets and , where is the system public key.
(ii) Initial Key Extract. Given a user’s , the PKG first calculates and then uses the system secret key to run the algorithm in Lemma 9 to output a sample such that and . The PKG then sets the initial key and sends it to the user over a secure channel. In fact, if one knows and chooses from a Gaussian distribution instead of a uniform one, then recovering is as hard as solving worst-case lattice problems [21].
(iii) Time Key Update. Upon receiving a time-period and a user’s , the PKG first calculates and uses the system secret key to run the algorithm to output a sample such that and . The PKG then sets the time update key and sends it to the user over a public channel. Meanwhile, the user sets the signing key . In fact, if one knows and chooses from a Gaussian distribution instead of a uniform one, then recovering is as hard as solving worst-case lattice problems [21].
(iv) Signing. Given a message and a time-period , the user with first chooses , from the distribution and computes , , and , where . Finally, the user outputs the signature with probability , where . If nothing is output, the user repeats this algorithm.
(v) Verification. Given a signature on a message for a user’s at a time-period , a verifier validates the signature by checking the following equality:

If the equality holds, the Verification algorithm returns “accept” and “reject” otherwise. Here, the correctness of the equality follows from

5. Security Analysis

In this section, we demonstrate the security of the proposed RIBS scheme. In our RIBS scheme, a user’s signing key includes two parts, namely, the initial key and the time update key. To revoke a user, the PKG simply stops issuing the user’s periodic time update key. As in the RID-UF-ACMA game presented in Definition 12, the adversary may get either the time update key or the initial key, but not both. Hence, there are two kinds of adversaries to be concerned with, namely, a revoked user and an outside adversary. An outside adversary cannot access the target’s initial key, but it may obtain all time update keys. A revoked user already holds the associated initial key, but cannot obtain the periodic time update key.

Firstly, we adopt the key extract algorithm in Ducas et al. [14, Algorithm ] to generate both initial keys and time update keys. Based on Ducas et al. [14], Lemma 13 shows that our scheme is secure against ID forgery attacks. Theorem 14 then shows that the proposed RIBS scheme is secure against both an outside adversary and a revoked user.

Lemma 13. Our RIBS scheme is secure against ID forgery attack.

Proof. In our scheme, we adopt the key extract algorithm in Ducas et al. [14] to generate initial keys. Let be the public key and

be a short basis of the NTRU lattice, where , , , and . The initial key is generated by to output a sample as the first component of the initial key and to determine the second component such that . By the security analysis of [14], no PPT adversary can find with nonnegligible advantage. Therefore, the proposed RIBS scheme is secure against ID forgery attacks.

Theorem 14. Assume that there exists a PPT adversary (an outsider or a revoked user) who can break the proposed RIBS scheme with nonnegligible probability in the random oracle model. Based on the adversary , we construct a PPT algorithm that solves the problem with nonnegligible probability , where is the system parameter.

Proof. Here, we demonstrate only the case when is an outside adversary, since the other case, when is a revoked user, can be proved similarly. Without loss of generality, an algorithm receives a random instance of the problem, where is a prime, is a positive integer, and , , . We will show how can make use of the adversary to output the solution , which is a nonzero vector . The algorithm plays the challenger and interacts with the adversary as follows.
(i) Initialization. Given the system parameter , the challenger randomly chooses a polynomial . Then, sets the public parameters , where the hash functions , , and are viewed as random oracles controlled by . Finally, returns Parms to .
(ii) Queries. The challenger responds to the queries issued by the adversary as follows.
(a) Query. At any time, can issue the query along with . To respond to the query, maintains an initially empty list of tuples of the form . When queries the oracle with , responds to with according to the following rules.
(1) If appears in a tuple in , then responds with .
(2) Otherwise, the challenger randomly chooses , such that . Then computes the polynomial and adds the tuple to . responds to with .
(b) Query. At any time, can issue the query along with . To respond to the query, maintains an initially empty list of tuples of the form . When queries the oracle , responds to with according to the following rules.
(1) If appears in a tuple in , then responds with .
(2) Otherwise, the challenger randomly chooses such that . The challenger sets the user’s time update key and computes . Then adds the tuple to . responds to with .
(c) Query. At any time, can issue the query along with . To respond to the query, maintains an initially empty list of tuples of the form . When queries the oracle , responds to with according to the following rules.
(1) If appears in a tuple in , then responds with .
(2) Otherwise, randomly chooses . Then, adds the tuple to the list . Finally, the challenger responds to with .
(d) Initial Key Extract Query. When issues the query along with , first looks up the list to find the tuple containing associated with and sends it to . If no such tuple is found in , obtains by issuing the query and responds to with .
(e) Time Key Update Query. When issues the query along with , first looks up the list to find the tuple containing associated with and sends it to . If no such tuple is found in , obtains by issuing the query and responds to with .
(f) Sign Query. Upon receiving this query on , the challenger performs the following steps to generate a valid signature. First, looks up the lists and to obtain, if they exist, the associated tuples and , respectively. Then, randomly chooses and computes . adds to the list and returns the signature on . Even though the challenger does not hold the associated initial key and time update key, the generated tuple is still a valid signature, because it passes the verification

(g) Forgery. Finally, the adversary forges a valid signature tuple on message for identity at the period with nonnegligible probability. Note that is not issued during the initial key extract query or is not issued during the time key update query. When the adversary successfully forges a valid signature , we use the Forking lemma in [22] to generate another valid signature of the message such that and . Since and are two valid signatures for , we have the equality

which implies that

Since we have and , we obtain

We set and .
As and with overwhelming probability, we can see that . Since and by Lemma 13, we obtain . According to [13], the probability that the challenger can solve the on the NTRU lattice is at least .

6. Comparisons

Table 1 presents the comparisons among Tian and Huang’s IBS scheme [9], Xiang’s RIBS scheme [15], and our RIBS scheme in terms of lattice type, signing key size, signature size, computation cost of signing phase, computation cost of verifying phase, revocable functionality, and security property under the same system parameter .

Both Tian and Huang’s IBS scheme and Xiang’s RIBS scheme adopt the GPV lattice in [11] to generate a user’s signing key, whereas our scheme adopts the NTRU lattice in [14]. Both the signing key and signature sizes of our scheme are clearly smaller than those of the other two schemes. For the computation cost of the signing phase, Tian and Huang’s IBS scheme and ours use the rejection sampling technique to generate a signature, which repeats the signing phase 7 times on average, so their total computation costs are, respectively, and , where is the cost of executing a multiplication operation in . In Xiang’s RIBS scheme [15], a user runs the Samplepre algorithm in [12] to obtain a signature, which requires , where is the cost of executing the Samplepre algorithm. For the computation cost of the verifying phase, the three schemes require , , and , respectively. Since , our scheme clearly has better performance in terms of the computation costs of the signing and verifying phases. For the revocation functionality, Xiang’s scheme uses secure channels to send periodic signing keys to nonrevoked users, which imposes a heavy computational workload on the PKG and the users to encrypt/decrypt the periodic signing keys. In contrast, our revocation mechanism uses public channels to send the periodic time update keys. Based on the short integer solution (SIS) assumption over lattices, we proved that the proposed RIBS scheme provides existential unforgeability against adaptive chosen-message attacks (RID-UF-ACMA) for both a revoked user and an outside adversary. Since Tian and Huang’s IBS scheme does not provide a revocation mechanism, it was proven only ID-UF-ACMA secure.

Table 2 lists comparisons of the signing key and signature sizes under the parameters , , , , , and . In both sizes, our scheme performs much better than the other two schemes.

7. Conclusions

In this article, we proposed a new RIBS scheme over NTRU lattices with a public channel. Compared with the existing IBS schemes over lattices, our RIBS scheme has better performance in terms of signature size, signing key size, and the revocation mechanism. Our security analysis proves that the RIBS scheme is existentially unforgeable under adaptive chosen-message attacks based on the SIS assumption in the random oracle model.

Competing Interests

The authors declare that there is no conflict of interest regarding the publication of this paper.

Acknowledgments

This research was partially supported by Ministry of Science and Technology, Taiwan, under Grant no. MOST105-2221-E-018-013.