Abstract

There exists only one deterministic identity-based encryption (DIBE) scheme which is adaptively secure in the auxiliary-input setting, under the learning with errors (LWE) assumption. However, the master public key consists of basic matrices. In this paper, we consider constructing adaptively secure DIBE schemes with more compact public parameters from the LWE problem. (i) On the one hand, we give a generic DIBE construction from lattice-based programmable hash functions with high min-entropy. (ii) On the other hand, when instantiating our generic DIBE construction with four LPHFs with high min-entropy, we get four adaptively secure DIBE schemes with more compact public parameters. In one of our DIBE schemes, the master public key only consists of basic matrices.

1. Introduction

A DIBE scheme is an identity-based encryption (IBE) scheme [1] whose encryption algorithm is deterministic. This primitive was proposed by Bellare et al. [2] by extending the security definition under high min-entropy to the identity-based setting. In order to construct DIBE schemes, Bellare et al. [2] first defined a notion of identity-based lossy trapdoor functions (IB-LTDFs). They then obtained a DIBE scheme by constructing an IB-LTDF with a universal property, based on the DLIN assumption. However, due to the inherent limitation of IB-LTDFs, their scheme can only achieve selective security; i.e., the adversary must commit to a challenge identity before getting the master public key from the challenger.

In SCN12, Xie et al. [3] gave a more efficient secure DIBE scheme in the auxiliary-input setting, based on the hardness of the LWE problem. In their scheme, there are only 3 matrices in the master public key. However, the scheme only satisfies selective security, the same as the scheme in [2]. The more significant contribution of Xie et al. [3] is that they proposed the first DIBE scheme with a much more realistic adaptive security (or equivalently, full security) in the auxiliary-input setting, based on the same assumption. To the best of our knowledge, their scheme is the only DIBE scheme that achieves adaptive security. However, their scheme requires basic matrices in the master public key so that it is less efficient than their selectively secure scheme, where is the bit length of the identity and .

Our Contributions. In this paper, we consider constructing adaptively secure DIBE schemes with more compact public parameters from the LWE problem.
(i) We give a generic DIBE construction from lattice-based programmable hash functions (LPHFs) with high min-entropy [4]. Note that the adaptively secure DIBE in [3] is in our framework.
(ii) We present more instantiations of LPHFs with high min-entropy. In fact, most of these instantiations are already implicit in recent works. Following the work of Zhang et al. [4], who proved that the IBE schemes in [4–6] imply instantiations of LPHFs with high min-entropy, we show that LPHFs with high min-entropy can be constructed from partitioning functions with compatible algorithms [7]. And we show that the IBE schemes in [8–10] naturally imply instantiations of LPHFs with high min-entropy. Combining with the result of Zhang et al., we conclude that the adaptively secure and anonymous IBE schemes in [4–10] naturally imply instantiations of LPHFs with high min-entropy (note that Boyen and Li [11] constructed an adaptively secure and anonymous IBE scheme with tight security. However, their construction does not imply a LPHF and is not in our framework).
(iii) When instantiating our generic DIBE construction with four LPHFs with high min-entropy in [4, 7, 8], we get four adaptively secure DIBE schemes with more compact public parameters. In our DIBE schemes, the master public key, respectively, consists of number of basic matrices, where denotes the number of key extraction queries. Please see more details in Table 1.

Related Works. In [2], Bellare et al. extended the notion of lossy trapdoor function (LTDF) to the identity-based setting and introduced the notion of identity-based LTDF (IB-LTDF). They used IB-LTDFs to construct a DIBE scheme with selective security from pairings. Soon afterwards, Escala et al. [12] extended the notion of IB-LTDF [2] and introduced the notion of hierarchical identity-based trapdoor functions (HIB-TDFs). With HIB-TDFs, they could construct deterministic hierarchical identity-based encryption (DHIBE) schemes. They instantiated HIB-TDFs from pairings and thereby constructed a pairing-based DHIBE scheme. Fang et al. [13] constructed a DHIBE scheme with selective security based on the hardness of the learning with rounding problem over small modulus [14]. In fact, a DHIBE with selective security implies a selectively secure DIBE. In SCN12, Xie et al. [3] gave a more efficient DIBE scheme with a security. Additionally, they also proposed the first and the only DIBE scheme with adaptive security in the auxiliary-input setting.

Remarks. This work is closely related to [15], in which we constructed the DIBE schemes , , and directly from the works of Yamada [7, 8]. As our understanding grew, we found that all adaptively secure DIBE schemes in [3, 15] can be explained by using LPHFs with high min-entropy (note that the adaptively secure DIBE scheme in [3] is constructed from the LPHF with high min-entropy in [5, 6]). So, in this paper, we present a generic DIBE construction from LPHFs with high min-entropy.

2. Preliminaries

Notations. Let be the security parameter, and all other quantities are implicitly dependent on . Let denote a negligible function and denote an unspecified function for some constant . A function is -hard-to-invert with respect to the distribution , if, given with , there exists no PPT algorithm that can find with probability better than . For , we use to denote a set . And, for integer , denotes the quotient ring of integers modulo . We use bold capital letters to denote matrices, such as , and bold lowercase letters to denote column vectors, such as , . The notations and denote the transpose of the matrix and the matrix obtained by concatenating and , respectively.

For integers and , a rounding function is defined by .

2.1. Deterministic Identity-Based Encryption and Its Security

A deterministic identity-based encryption scheme with the identity space can be defined by a tuple of PPT algorithms . The algorithm takes a security parameter as input and outputs a master public key and a master secret key . The algorithm takes as input and outputs a private key . The deterministic algorithm takes and a message , and outputs a ciphertext . The deterministic algorithm decrypts ciphertexts using the private key . We require that, for all , all , and all in the specified message space, .

Definition 1 (see [3]). We say that a DIBE scheme is ---secure with respect to -hard-to-invert auxiliary inputs if for any PPT algorithm , for any efficiently sampled distribution , and for any efficiently computable , that is, -hard-to-invert with respect to , the advantage of in the following game is negligible.

At the outset of the game, the challenger runs which outputs a pair and gives to .

When adaptively makes key-extraction queries to the challenger, the challenger returns , for all in the key-extraction queries.

At some point, outputs an identity , on which it wishes to be challenged. Then, the challenger picks a random coin , a message , a random ciphertext from the ciphertext space , and a function . If , it runs and gives the challenge ciphertext to . If , it gives to .

can also adaptively make key-extraction queries to the challenger, with the restriction .

Finally, makes a guess for . The advantage of is defined as

2.2. LPHFs with High Min-Entropy [4]

Let be some polynomials in the security parameter . By we denote the set of invertible matrices in . A hash function consists of two algorithms . Given the security parameter , the probabilistic polynomial time (PPT) key generation algorithm outputs a key ; i.e., . For any input , the efficiently deterministic evaluation algorithm outputs a hash value ; i.e., .

Definition 2 (LPHFs). A hash function is a -LPHF if there exist a PPT trapdoor key generation algorithm and a PPT deterministic trapdoor evaluation algorithm such that given a uniformly random matrix and a (public) trapdoor matrix the following properties hold:

: the PPT algorithm outputs a key together with a trapdoor . Moreover, for any input , the deterministic algorithm returns and such that and hold with overwhelming probability over the trapdoor that is produced along with .

: for all possible , all , and its corresponding , we have

: for all and , the statistical distance between and is at most .

: for all , any inputs such that for any , we have that , where and .

Definition 3 (LPHFs with high min-entropy). Let be a -LPHF with and noticeable . Let be the key space of , and let and be a pair of trapdoor generation and trapdoor evaluation algorithms for . We say that is a revised LPHF with high min-entropy if, for uniformly random matrix and a (public) trapdoor matrix , the following condition holds:
(i) For any , any and its corresponding , the statistical distance between and is negligible in , where , .

Remark 4. Note that this definition of LPHFs with high min-entropy is much weaker than Zhang et al.’s definition of LPHFs with high min-entropy, which includes one additional requirement. In [9], Katsumata and Yamada found that this requirement is not necessary; i.e., we can define this weaker version of LPHFs with high min-entropy while keeping their functionality of constructing IBE schemes.

3. Generic DIBE Construction

Here, we construct an adaptively secure DIBE scheme in the auxiliary-input setting by using a LPHF with high min-entropy from to , where is negligible and is noticeable. Let and be a pair of trapdoor generation and trapdoor evaluation algorithms of that satisfies the condition in Definition 3, where integers are polynomials in the security parameter . Additionally, let integers . We assume and , where is the user identity space and is the message space. Our generic DIBE scheme is defined as follows.
(i) Setup. Algorithm takes as input, and generates a pair , where and . Then, it obtains . Finally, it outputs
(ii) Key Generation. Algorithm takes and as inputs. It first computes and then generates by running . It finally outputs .
(iii) Encryption. Algorithm takes , , as inputs. It first computes and, then, it outputs the ciphertext .
(iv) Decryption. To decrypt a ciphertext with a private key , the algorithm computes . Then, if it outputs , and otherwise it outputs .

3.1. Correctness and Parameter Selection

To ensure the correctness of the DIBE scheme and to make the security proof go through, we need the following conditions to be satisfied.
(i) in Lemma A.2 (Item 1) can work (), and it returns satisfying .
(ii) in Lemma A.2 (Item 2) can operate .
(iii) in Lemma A.2 (Item 3) can operate .
(iv) In order to keep the correctness of the DIBE scheme, i.e., in Lemma A.2 (Item 4) can work , where given by both and .
(v) (Lemma A.3) in the security proof can operate (, and , where
(vi) Lemma A.1 holds ( is super-polynomial and ).
(vii) , where .

To satisfy the above requirements, we set the parameters in Table 2. The private key size, ciphertext size, and ciphertext expansion factor in our scheme are , , and , respectively. To optimize the ciphertext expansion factor, we can choose , which makes the ciphertext expansion factor .

3.2. Security of DIBE

Theorem 5. If is a LPHF with high min-entropy from to , where is negligible, is noticeable and independent of the modulus , and large enough , then the above DIBE scheme is ---secure with respect to -hard-to-invert auxiliary inputs, assuming is hard.

According to Lemma A.1, it is easy for us to get the following corollary.

Corollary 6. If is a -LPHF with high min-entropy from to , where is negligible, is noticeable and independent of the modulus and large enough , then the above DIBE scheme is ---secure with respect to -hard-to-invert auxiliary inputs, assuming is hard, where .

Proof of Theorem 5. Let be a PPT adversary that breaks the ---security with auxiliary inputs of the scheme. Moreover, let and be its advantage and the upper bound of the number of queries, respectively. And let denote the challenge ID along with the queried IDs. For any distribution over , let be a set of -hard-to-invert functions with respect to .
In order to prove the security of this scheme, we define a sequence of games. In each game, the challenger selects a uniform bit , while the adversary finally returns a guess bit to the challenger. The challenger sets in the first game; these values might be different in the latter games. In the following, we define as the event that .
: this game is the original -- game with auxiliary inputs. By definition, we have
: this game is identical to except that the challenger changes the setup and challenge phase as below.
It first generates a pair , where and . Then, it computes . Finally, it outputs and keeps the trapdoor private.
The challenger directly uses to generate the challenge ciphertext. According to the property of , we have .
: this game is identical to except that the challenger performs the following additional step at the end of the game. The challenger first defines
where and . Then, the challenger proceeds with the following steps:
: in the setup phase, the challenger generates a pair of . If , the challenger aborts the game and sets ignoring the output of . Otherwise, the following equation holds:
: Fix ; let be the probability over the random choice of . Then, the challenger samples times the probability by independently running and evaluating to compute an estimate . Then if , the challenger will abort with probability and set ignoring the output of . Finally, when receiving from , the challenger sets .
For , let be the probability that the challenger does not abort in the abort check stage in , and let be the probability in the artificial abort stage of defined by . Since the adversary might obtain some information of from the challenge ciphertext, the probability might not be equal to the probability . Formally, let be the absolute difference between and (i.e., ). As we show in Lemma 8, we have
So as not to interrupt the proof of Theorem 5, we intentionally skip the proof for the time being.
: this game is identical to except that the challenger changes setup, phases and , and challenge phase as below.
It first selects a random matrix . Then, it computes . Finally, it outputs and keeps the trapdoor private.
When receiving the private key query with identity , the challenger first computes . If is not invertible, the challenger aborts the game and sets . Otherwise, it computes and sends to .
The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , we have
Then, the challenger computes . Finally, the challenger returns to the adversary .
The challenger responds as in , when receiving the private key query with identity . It is easy to see that
: in this game, the challenger changes the way that the challenge ciphertext is created when
The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger first picks and chooses and computes
Then, the challenger computes . Finally, the challenger returns to the adversary . Before analyzing the difference between and , we first define a “bad event” as follows: , where .
If does not occur for some , then we have
It immediately follows that for any adversary
: in this game, the challenger changes the way that the challenge ciphertext is created when
The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger first picks and and computes . It runs the algorithm to get ; i.e.,
in the Lemma A.3, where is the unit matrix of size .
According to the property of the algorithm , we have
: in this game, the challenger changes the way that the challenge ciphertext is created when
The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger first picks and sets . Then, it computes
We construct an algorithm against the problem as follows. Given the problem instance of LWE , where . The task of is to distinguish whether for or . This subtle change from the standard is done only for convenience of the proof. simulates the security game for the adversary . If , the view of corresponds to ; otherwise, the view of corresponds to . As a result, we get that
: in this game, the challenger changes the way that the challenge ciphertext is created when .
The challenger computes . If , the challenger aborts the game and sets . Otherwise, when , the challenger computes
instead of running the algorithm , where , , . According to the property of the algorithm , we have
Because for the statistical distance between and is negligible in , where , is statistically close to uniform distribution over , therefore for uniform ,
by assumption on and . In the meantime, because is statistically close to uniform distribution over , we can get that
Summing up (6), (8), (11), (13), (15), (17), (18), and (19), we can get

In order to prove Theorem 5, we should prove that (6) holds. We will use Lemma 28 in the full version of the work [5], which is described as follows.

Lemma 7 (see [5]). Let be a -ID tuple denoting the challenge ID along with the queried IDs, and define the probability that an abort does not happen in . Let and . For , we set as the event that at the end of . Then,

Lemma 8. If is a -LPHF with high min-entropy and , then

Proof. According to Lemma 7, we only need to compute , , and . By the definition of and in , we have , where is an estimate of . Since the challenger always samples times the probability to compute , according to the Chernoff bounds, we have and . As a result, the following equations hold:

Finally, we have

4. Constructions of LPHFs with High Min-Entropy

In [4], Zhang et al. proved that the IBE schemes in [4–6] imply instantiations of LPHFs with high min-entropy. In fact, the IBE scheme in [10] also implies an instantiation of LPHF with high min-entropy.

In this section, we show that LPHFs with high min-entropy can be constructed from partitioning functions with compatible algorithms [7]. Moreover, we prove that the adaptively secure and anonymous IBE schemes in [8, 9] naturally imply instantiations of LPHFs with high min-entropy. In a word, the adaptively secure and anonymous IBE schemes in [4–10] naturally imply instantiations of LPHFs with high min-entropy.

4.1. From Partitioning Functions with Compatible Algorithms [7]

Let be a partitioning function with associating -compatible algorithms (see the Appendix). We assume . Now, we show how to construct a -LPHF with high min-entropy defined by us from the partitioning function .

A hash function consists of two algorithms which are defined as follows:
(i) it first computes . Then, it gets by running the algorithm . Finally, it randomly chooses matrices , , and returns these matrices; i.e.,
(ii) for , it first gets by running the algorithm . Then, it returns .

The associated algorithms and are defined as follows.
(i) : it first computes . Then, it gets by running the algorithm . Finally, it randomly chooses matrices and returns and .
(ii) for , it defines and , where denotes the identity matrix of . In this case, .

Now, we show that this construction satisfies the following properties:
(i) Correctness: .
(ii) Statistically close trapdoor keys: according to the Leftover Hash Lemma, the statistical distance between the distributions and is negligible. As a result, the statistical distance between and is negligible; i.e., .
(iii) Well-distributed hidden matrices: for all , any inputs such that for any . Then,

In a word, this construction is -LPHF. Finally, we show that this LPHF possesses Property 1, i.e., with high min-entropy.
(i) For any , any , and its corresponding , the following distributions are statistically close: where . It can be seen that the second and the third distributions are -close, by applying the Leftover Hash Lemma for and .

In [7], Yamada elaborately constructed two partitioning functions based on modified admissible hash function [16] and based on affine function. As a result, we can get two LPHFs with high min-entropy from both and , which are denoted by and , respectively.

4.2. From Yam16 [8] and KY16 [9]

In [8], Yamada proposed an adaptively secure and anonymous IBE with asymptotically short parameters. In particular, the master public key consists of basic matrices. In this part, we show that their construction implies a LPHF with high min-entropy. For simplicity, we denote it by , where . In their construction, there exists an efficiently computable injective map that maps an element to a subset of , where . The algorithms are defined as below.
(i) it picks random matrices for and returns
(ii) for all , the algorithm is defined as follows:

The associated algorithms and are defined as
(i) : it first selects random elements and , where and satisfy that and . Then, it randomly chooses matrices . Finally, it computes and returns and .
(ii) for , In this case, .

Now, we show that this construction satisfies the following properties:
(i) Correctness: it is easy to verify that .
(ii) Statistically close trapdoor keys: according to the Leftover Hash Lemma, the statistical distance between the distributions and is negligible.
(iii) Well-distributed hidden matrices: for all , any inputs such that for any . Then, where .

In a word, this construction is -LPHF. Then, we show that is a LPHF which possesses Property 1, i.e., with high min-entropy.
(i) Property. For any , any and its corresponding , the following distributions are statistically close: where , , , . The second and the third distributions are -close, by applying the Leftover Hash Lemma for and .

Remark 9. The subsequent work by Katsumata and Yamada [9] showed that, for the ring version of Yamada’s scheme [8], it is possible to reduce the magnitude of (which influences the selection of modulus ). We do not see any obstacle preventing us from constructing a programmable hash function with high min entropy from ideal lattices, according to the IBE scheme of [9].

5. Instantiations of Generic DIBE Construction

As mentioned in Section 4, there are many LPHFs with high min-entropy in [4–10]. However, except the LPHF with high min-entropy used in [3], there only exist four other LPHFs with high min-entropy which satisfy the requirement that is independent of the modulus , under the LWE assumption. These four LPHFs with high min-entropy are briefly described in the following.
(i) in ZCZ16 [4]: a LPHF with high min-entropy, where and . Additionally, the key of only consists of matrices.
(ii) in Yam17 [7]: a LPHF with high min-entropy, where , is an arbitrary polynomial in and is the constant satisfying , where is the relative distance of the underlying error correcting code. We can take as close to as one wants. In addition, the key of only consists of matrices.
(iii) in Yam17 [7]: a LPHF with high min-entropy, where is an arbitrary polynomial in . Furthermore, the key of only consists of matrices.
(iv) in Yam16 [8] (our Section 4.2): a LPHF with high min-entropy, where is an arbitrary polynomial in and , satisfy that and . Moreover, the key of only consists of matrices.

Embedding these four LPHFs with high min-entropy into our generic DIBE construction, we obtain four ---secure DIBE schemes in the auxiliary-input setting, under the LWE assumption. Please see more details in Table 3.

Appendix

Preliminaries

Lattice Background. For positive integers , and a matrix , the -dimensional integer lattices are defined as

Let be a set of vectors in . We use to denote the Gram-Schmidt orthogonalization of the vectors in that order and to denote the length of the longest vector in . For a real-valued matrix , let (respectively, ) denote the operator norm (respectively, infinity norm) of .

For , define the Gaussian function over centered at with parameter as . Let , and define the discrete Gaussian distribution over as , where . For simplicity, and are abbreviated as and , respectively.

Learning with Errors Assumption. The learning with errors (LWE) problem, denoted by , was first proposed by Regev [17]. For integer , a prime integer , an error rate , the LWE problem is to distinguish the following pairs of distributions: and , where and . Regev [17] showed that solving decisional (denoted by ) for is (quantumly) as hard as approximating the SIVP and GapSVP problems to within factors in the worst case.

Lemma A.1 (see [18], Theorem 5; [3], Lemma 7). Let . Let be any distribution over and be the class of all functions that are hard to invert with respect to the distribution . For any super-polynomial , any , and any such that , the following pairs of distributions: and are hard to distinguish, where and , assuming the (standard) assumption, where .

For simplicity, we use to denote the problem of distinguishing the above two distributions: and . According to Lemma A.1, assuming the , then the problem is also intractable, where . In the following, we describe some useful facts that will be used in our generic DIBE construction.

Gadget Matrix. As mentioned by [6], for , there exists a full-rank matrix such that the lattice has a publicly known basis with . Moreover, there exists a deterministic PPT algorithm which takes the input and outputs such that and .
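The gadget matrix, its short public basis and its deterministic inversion algorithm described above, as an added example that is not part of the original paper. It assumes the standard powers-of-two gadget (the identity matrix tensored with (1, 2, ..., 2^(k-1))), bit decomposition as the inversion algorithm, and a modulus that is not a power of two; the function names and the toy parameters (n = 3, q = 97) are constructed for illustration.

```python
import random

def gadget_matrix(n, q):
    """Return (G, k): G = I_n (x) (1, 2, ..., 2^(k-1)) mod q, an n x nk matrix."""
    k = (q - 1).bit_length()              # bits needed to write any value in Z_q
    G = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = pow(2, j, q)
    return G, k

def g_inverse(U, q, k):
    """Deterministic bit decomposition of an n x m matrix U over Z_q.

    Output is an nk x m matrix X with entries in {0, 1} and G * X = U mod q.
    """
    n, m = len(U), len(U[0])
    X = [[0] * m for _ in range(n * k)]
    for i in range(n):
        for c in range(m):
            v = U[i][c] % q
            for j in range(k):
                X[i * k + j][c] = (v >> j) & 1
    return X

def short_basis(n, q, k):
    """Public short basis S of {z : G z = 0 mod q}, block diagonal per row of G."""
    if q & (q - 1) == 0:
        raise ValueError("this basis layout assumes q is not a power of two")
    S = [[0] * (n * k) for _ in range(n * k)]
    for i in range(n):
        o = i * k
        for j in range(k - 1):
            S[o + j][o + j] = 2           # 2 * 2^j ...
            S[o + j + 1][o + j] = -1      # ... minus 2^(j+1) cancels exactly
        for j in range(k):
            S[o + j][o + k - 1] = (q >> j) & 1   # bits of q recompose to q = 0 mod q
    return S

def matmul_mod(A, B, q):
    """Matrix product A * B with every entry reduced mod q."""
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)]
            for row in A]

def demo(n=3, m=5, q=97, seed=1):
    """Check the gadget properties on a constructed random matrix U."""
    rng = random.Random(seed)
    G, k = gadget_matrix(n, q)
    U = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    X = g_inverse(U, q, k)
    S = short_basis(n, q, k)
    return {
        "recomposes": matmul_mod(G, X, q) == U,
        "binary": all(x in (0, 1) for row in X for x in row),
        "basis_in_kernel": all(v == 0 for row in matmul_mod(G, S, q) for v in row),
        "max_basis_entry": max(abs(x) for row in S for x in row),
    }

if __name__ == "__main__":
    print(demo())
```
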

Lemma A.2. Let be positive integers with and prime. There exist PPT algorithms such that
(1) ([19, 20]): a randomized algorithm that, when , outputs a pair such that is statistically close to uniform in and is a basis of , satisfying with overwhelming probability.
(2) ([21]): a randomized algorithm that, given a full rank matrix , a matrix , a basis of , and a parameter , then outputs a basis of for with .
(3) ([5]): a randomized algorithm that, given a full rank matrix , a matrix , an invertible matrix , a vector , and , then outputs a basis of for with .
(4) ([13]): that, given a full rank matrix , a basis of with , and , outputs , where with .
(5) (Generalized Leftover Hash Lemma [5, 22]): for and prime , let and and be uniformly random matrices. Then the distribution is -close to the distribution for all vector . When is always , this lemma is called Leftover Hash Lemma.

In [9], Katsumata and Yamada introduced the “Noise Rerandomization” lemma, which plays an important role in the security proof because it creates a well-distributed challenge ciphertext.

Lemma A.3 (noise rerandomization [9]). Let be positive integers and a positive real number with . For arbitrary column vector , vector chosen from , any matrix , and positive real number , there exists a PPT algorithm that outputs where is distributed statistically close to .

Partitioning Functions with Compatible Algorithms. In [7], Yamada defined the notion of partitioning functions by slightly generalizing the balanced admissible hash function [16] and used this notion to construct compact adaptively secure lattice IBE schemes. Furthermore, in order to construct IBE from lattices, the underlying partitioning function should be compatible with the structure of lattices.

Definition A.4 (see [7]). Let be an ensemble of function families. We say that is a partitioning function, if there exists an efficient algorithm , which takes as input polynomially bounded and noticeable and outputs such that
(1) there exists such that for all . Here, may depend on functions and
(2) for , there exists and that depend on and such that for all with ; the following holds
And the function defined as is noticeable. The probability is taken over the choice of .

The deterministic algorithms are called -compatible with a function family if they are efficient and satisfy the following properties: (i) . (ii) . (iii) . We require that the following holds: where is the -th bit of . Furthermore, if for all , we have .

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

We thank the anonymous Security and Communication Networks’ reviewers for their helpful comments. Yamin Liu was supported by the National Natural Science Foundation of China 61502480. This work was also supported by the National Natural Science Foundation of China (no. 61772515, no. 61602473, no. 61572495, and no. 61502484) and the National Cryptography Development Fund MMJJ20170116.