Security Threats and Defenses for Connected Vehicles
Efficient Identity-Based Broadcast Encryption Scheme on Lattices for the Internet of Things
In an identity-based broadcast encryption (IBBE) scheme, the ciphertext is usually appended with a set of user identities to specify the intended recipients. However, as IBBE is adopted across many industries, the demand for anonymity in specific scenarios such as military applications is urgent and can no longer be ignored. At the same time, how to optimize computation and communication is an unavoidable challenge in IBBE scheme construction, especially in large-scale resource-limited wireless networks such as the Internet of Things (IoT), where the cost of computation and communication should be mitigated as much as possible, since other functions including connectivity and privacy should be given top priority. Thus, we present an IBBE scheme from lattices, in which we employ the Chinese remainder theorem and lattice basis delegation in fixed dimensions to obtain several desirable characteristics, such as constant-size public parameters, private keys, and ciphertexts. In addition, our encryption and decryption algorithms are more efficient than those of broadcast encryption (BE) schemes based on number-theoretic problems. Notably, our scheme simultaneously achieves confidentiality and outsider anonymity against the chosen-plaintext attack under the hardness of the learning with errors (LWE) problem.
IoT is a network of interconnected things/devices, in which sensors, software, network connections, and the necessary electronic devices are integrated to collect and exchange information and respond to real-time data requests. IoT allows data to be accumulated from, and exchanged between, the physical world and computer systems through existing network infrastructures. With these connected tiny and smart devices, one’s life can be of higher quality, safer, smarter, more convenient, more comfortable, and better informed than ever before. Security is one of the main concerns raised by cybersecurity experts. They believe that even end-device connectivity and information sharing can be exploited to have a negative impact on a person’s safety and well-being. Besides being hacked to compromise online data and privacy, IoT devices can also become the entry point for invading the entire network [1, 2].
A remote terminal unit (RTU) is an electronic device installed at a remote site (generally, few people supervise the distant site). It is used to monitor and control sensors and equipment remotely and is widely adopted in supervisory control and data acquisition (SCADA) systems. An RTU usually converts the measured state or signal into a data format that can be sent over the communication medium using the Modbus protocol. It can also receive commands sent by the central monitoring computer to execute functional control of the equipment. As the Modbus protocol does not apply any data encryption mechanism, the data flow between the monitoring center and the RTU is in plaintext. As a consequence, the data transmitted over the open network may be eavesdropped on or tampered with. What is worse, data tampering may cause disorder in the automated production process or even serious accidents involving equipment damage. To keep data transmission confidential, cryptographic modules can be embedded in data collection equipment such as RTUs/DTUs and effectively help prevent data theft and command tampering. Once confidentiality is addressed, such devices can be safely applied in industrial control industries such as oil and gas exploitation, environmental monitoring, power transmission and transformation, oil and gas pipeline networks, and hydrological monitoring.
Fiat and Naor first introduced broadcast encryption, which allows a sender to send an encrypted message to a large number of receivers via public channels such that only authorized users can obtain the message, as shown in Figure 1. Compared with public key encryption for a single recipient, BE significantly saves computing and communication costs. Therefore, BE has been applied in numerous settings, such as key distribution, encrypted file sharing, satellite TV subscription, digital rights management, and social network services. Take a pay service as an example. As shown in Figure 2, nonpaying users cannot enjoy the service or can only enjoy a limited service, while paying users enjoy the entire high-quality service. A large number of related works can be classified as conventional BE [6, 9–13], since they are based on number-theoretic problems, such as big integer factoring and the discrete logarithm problem, and rarely meet the requirements of industrial applications.
With the advent of quantum computing, the security of conventional BE schemes is heavily threatened. In FOCS ′94, Shor proposed a quantum algorithm that solves the discrete logarithm and factorization problems in polynomial time. Since then, designing BE schemes that resist quantum attacks has become one of the most urgent topics.
Lattice cryptography can resist quantum-computing attacks and has multiple advantages over conventional cryptography. Firstly, a lattice is generated by linearly independent vectors in , and lattice operations require only lightweight arithmetic such as modular addition and matrix multiplication. Thus, it is suitable for devices with limited computational ability such as smart cards. Secondly, lattice cryptography enjoys strong security guaranteed by worst-case hardness assumptions [16, 17], such as the shortest vector problem (SVP) and the closest vector problem (CVP). Thirdly, lattice cryptography can be adopted in industries as extensive as those of conventional cryptography, given that almost all conventional public key encryption (PKE) schemes based on big integer factoring or discrete logarithm problems can also be realized in lattice cryptography.
A desirable BE scheme on lattices should preserve not only confidentiality but also anonymity, as anonymity is an extremely favourable characteristic for diverse BE systems . To distinguish authorized receivers from unauthorized ones, a BE ciphertext usually includes the intended recipients’ identities. This means that users’ identity information is revealed. Such identity exposure should be avoided when users’ identities are sensitive. For instance, in the military field, the set of broadcast receiver identities undoubtedly implies specific military objectives or personnel. Meanwhile, to support a large number of receivers in a BE system, the public key of every receiver can conveniently be chosen as a meaningful string that uniquely identifies the receiver, such as a passport number or an e-mail address. This is exactly the motivation for proposing an IBBE system that is capable of supporting an exponential user scale.
1.1. Our Results
Each BE system involves multiple recipients. Thus, it is intricate to construct a BE scheme in a lattice context. Our main contributions include the construction of an anonymous IBBE from the lattice and the security reduction to the LWE problem. Our design is inspired by the lattice-based BE scheme of Wang et al. , which depends on the Chinese remainder theorem to achieve the dynamic anonymity. In this work, we rely on the Chinese remainder theorem to construct an IBBE scheme, and the core idea is as follows.
The Chinese remainder theorem states that a one-dimensional system of linear congruence equations has one and only one solution . In order to construct a BE scheme on lattices, we combine the Chinese remainder theorem with the LWE hardness assumption.
(i) Firstly, we extend the Chinese remainder theorem to a matrix form: and are extended to matrices and with dimension , respectively. Thus, the system of linear congruence equations has the analogous solution, that is, , where is close to the uniform distribution if is a random matrix over .
(ii) Then, choose a random vector , which is used to blind . The blinded results are used to encapsulate the symmetric key , e.g., , where and are receiver ’s public keys and is an error vector. Since the key encapsulation is constructed by the Chinese remainder theorem, its distribution is indistinguishable from the uniform distribution .
(iii) Thirdly, when an authorized receiver decrypts the ciphertext, he does not need to know the other users’ identities. He first computes C2 mod qi, where qi is his public key, and the result is transformed into an LWE instance vector related to his public key , i.e., . Now, the authorized receiver uses his private key to decrypt and obtain the symmetric key , and then recovers the broadcast message.
(iv) To obtain an IBBE scheme, we need to connect the users’ public keys and to the identity . Firstly, we use an encoding function to map identities to matrices , i.e., , and a division intractable hash function to map identities to integers . Note that the integer is a prime with overwhelming probability , so that user ’s public key and user ’s public key are guaranteed to be mutually prime.
(v) Lattice basis delegation mechanisms were proposed by Cash et al. and Agrawal et al. . Given a matrix and a lattice basis of , a matrix derived from and a random basis for can be generated. However, in [21, 23], the dimension of the matrix is larger than the dimension of the given matrix , so the ciphertext and private key sizes of their HIBE schemes increase as the hierarchy deepens.
Thus, for private key generation in our scheme, we employ the lattice basis delegation technique with constant dimension to generate the user private key, where and have the same dimension as . Hence, the private key size of our scheme is constant, and the size of the ciphertext does not depend on the number of recipients.
1.2. Related Work
Identity-based encryption (IBE) is a special kind of BE in which a single receiver set specifies the intended receiver, and the user public key can be any string as long as the string uniquely identifies the user, such as a passport number or an e-mail address. In 2008, Gentry et al. proposed the lattice-based one-way trapdoor function and constructed an IBE scheme whose security is based on the LWE problem in the random oracle model. In their scheme, the trapdoor sampling algorithm is used to generate the master public key and master secret key. Then, the preimage sampler takes the master secret key as input to generate the user’s secret key. Finally, both the master public key and the user’s identity are used to generate two separate pseudorandom LWE instances as the ciphertext.
Hierarchical identity-based encryption (HIBE) [28, 29] is also a special kind of BE. Users in the broadcast set have a hierarchical structure, and lower-level users’ keys are generated by higher-level users. In 2010, Cash et al. [23, 30] proposed a new cryptographic concept, called the bonsai tree, and constructed an HIBE scheme based on the LWE problem by utilizing the lattice basis delegation technique, which allows one to use a short basis of a certain integer lattice to generate a short random basis for a new lattice derived from . However, in their HIBE scheme, the dimension of the child lattice is greater than that of the parent lattice, so that, as the hierarchy deepens, the private keys and ciphertexts also become longer. Agrawal and Boyen proposed a lattice basis delegation technique that does not increase the dimension of the lattices involved and presented two HIBE schemes with shorter ciphertexts and private keys, with and without the random oracle, respectively, based on the LWE problem.
Attribute-based encryption (ABE) and BE are both kinds of one-to-many encryption. In an ABE system, the private key and the ciphertext are related to attributes; when the attributes owned by the user match the ciphertext attributes, the user can decrypt the ciphertext. Boyen proposed an efficient ABE scheme and proved its security in the selective sense from the LWE hardness assumption in the standard model. Nevertheless, BE needs to specify which users are authorized receivers.
Fiat and Naor first introduced BE . In 2005, Boneh et al. proposed the first fully collusion-resistant BE scheme with static security, in which both the ciphertexts and the private keys are of constant size, but the size of the public key is proportional to the number of receivers. In 2009, Gentry and Waters proposed a BE scheme with adaptive security in the random oracle model. In 2007, Delerablée proposed the first IBBE scheme, which achieves adaptive chosen-ciphertext attack (CCA) security in the random oracle model and has constant-size ciphertexts and private keys. In 2009, Gentry and Waters presented the first IBBE scheme that is adaptively chosen-plaintext secure in the standard model. In 2014, Boneh et al. proposed the first IBBE scheme that is selectively CCA-secure from multilinear maps and has constant-size ciphertexts. In 2015, Kim et al. proposed an IBBE scheme that is adaptively CCA-secure in the standard model but uses the dual encryption technique. In 2016, Boneh and Zhandry proposed a BE scheme that obtains adaptive security using the indistinguishability obfuscation technique and has short ciphertexts, secret keys, and public keys.
Anonymity is a desirable security property; however, the aforementioned schemes cannot achieve it because the recipients’ identities are broadcast together with the ciphertext, so the identity information is exposed. In 2006, Barth et al. presented two fully anonymous BE constructions, both of which achieve CCA security. The first one is a generic construction whose decryption cost is linear in the number of receivers. The second is a specific construction requiring a certain number of decryption operations, and its security proof relies on the random oracle model. In 2012, Libert et al. proposed several fully anonymous BE schemes with adaptive CCA security in the standard model and, at the same time, gave the formal security definition of the anonymous BE scheme. In 2012, two anonymous BE schemes with outsider anonymity were proposed by Fazio and Perera , and both have sublinear-size ciphertexts. In 2016, two anonymous BE schemes were proposed by He et al. ; the first one is a general scheme , and the second one is a specific scheme . Both are proven adaptively CCA-secure. However, none of the aforementioned traditional BE/IBBE schemes can resist quantum attacks.
In 2010, Wang and Bi proposed a secure lattice-based IBBE scheme using the basis delegation technique , and their scheme can easily be extended to a hierarchical IBBE. However, their lattice basis delegation technique increases the dimension of the users’ identity matrix. In 2013, Georgescu used a tag-based hint system, which is secure under ring-LWE hardness, and an IND-CCA-secure public key encryption scheme from LWE to construct a CCA-secure lattice-based anonymous BE scheme. In 2015, Wang et al. used the Chinese remainder theorem to construct a dynamic and outsider-anonymous BE scheme over lattices, which is proven semantically secure in the standard model under the hardness of the LWE problem. In 2020, Brakerski and Vaikuntanathan proposed a lattice-based BE scheme in which the sizes of the key and ciphertext grow logarithmically with the number of users. However, their BE construction is based on a heuristic that allows one to “invert” the key succinctness of the BGG + KP-ABE scheme and has no security reduction for this heuristic; its security is an open problem. In 2020, Agrawal and Yamada improved the BE scheme of Boneh et al. , which used multilinear maps, by using LWE and bilinear maps, and the parameters of the improved scheme are also very small. Thus, in this paper, we construct an anonymous IBBE scheme on lattices. We make a detailed functional comparison between our scheme and other schemes in Table 1.
Let us briefly introduce some of the symbols and definitions used throughout the paper.
2.1. Collision Intractability 
is a family of hash functions. If it is difficult to find two inputs that hash to the same output, is collision intractable. Formally, for every probabilistic polynomial-time (PPT) adversary , there is a negligible function negl() such that
2.2. Division Intractability 
is a hashing family; if it is division intractable, it is hard to find distinct inputs such that divides . Formally, for every PPT adversary , there is a negligible function negl() such that
It is not difficult to see that a hash family that is division intractable must also be collision intractable, but the converse is not true. Such a function is easy to obtain by setting (or only the lowest bit of ) to one.
2.3. Lattice and Lattice Problems
2.3.1. Lattice 
A lattice is generated by a set of linearly independent vectors such that
2.3.2. -ary Lattices 
are some integers, is a parity check matrix, and -ary lattices are defined as
In fact, all vectors in the lattice are orthogonal modulo to the row vectors of the matrix.
2.3.3. Gaussian over Lattices 
The Gaussian function is defined as for any and dimension . The discrete Gaussian distribution over the coset , , assigns probability proportional to to each point of the coset and probability zero elsewhere.
2.3.4. LWE Problem [26, 45]
Let , , the error distribution be over , and be distributed according to . Given , the decision variant of the LWE problem is to distinguish from the uniform distribution.
2.3.5. Gaussian Error Distributions [26]
The standard error distribution is the Gaussian distribution on with deviation . According to the distribution , the error vector can be sampled efficiently as follows:
(i) Sample from the Gaussian distribution on 
(ii) Let , where denotes the integer closest to 
(iii) Let be the error vector in the LWE problem instance
2.3.6. Trapdoor Sampling Algorithm 
Let be odd and . There exists a PPT algorithm (TrapGen) that outputs a matrix A and a full-rank set , where the distribution of is statistically close to uniform, is a lattice basis of satisfying , and , except with negligible probability.
The trapdoor can be utilized to solve the LWE problem; that is, given , where is any “short enough” vector, it can be used to recover as follows :
(i) Calculate and . Now, since both and contain small entries, each entry of the vector is less than , so .
(ii) The LWE secret can be recovered via .
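As an added example that is not from the paper, the following Python code carries out the two-step decoding above on a toy instance: it computes T^T b, takes centered residues modulo q to obtain T^T e exactly, solves for e over the rationals, and then reads off s from b - e = A^T s. The matrix A and its short basis T are a hand-built block construction (toy_trapdoor) standing in for TrapGen, and Q, N, M and the function names are assumptions of this demo.

```python
from fractions import Fraction
import random

# Toy parameters, constructed for this example (far too small for any real security).
Q = 97          # modulus
N = 3           # dimension of the LWE secret (rows of A)
M = 2 * N       # lattice dimension (columns of A)


def toy_trapdoor():
    """Constructed stand-in for TrapGen: A = [I_N | -10*I_N] mod Q together with a
    short basis T of the q-ary lattice {x : A x = 0 mod Q}.  A is not random here;
    only the decoding mechanics matter, and they do not depend on how T arose."""
    A = [[0] * M for _ in range(N)]
    T = [[0] * M for _ in range(M)]
    for i in range(N):
        A[i][i] = 1
        A[i][N + i] = (-10) % Q
        # Column i of T is 10*e_i + e_{N+i}; column N+i is 3*e_i + 10*e_{N+i}.
        # Both are short, and each 2x2 block has determinant 97 = Q, so the
        # columns of T span the whole lattice.
        T[i][i], T[N + i][i] = 10, 1
        T[i][N + i], T[N + i][N + i] = 3, 10
    return A, T


def transpose(mat):
    return [list(col) for col in zip(*mat)]


def matvec_mod(mat, v, q):
    return [sum(a * x for a, x in zip(row, v)) % q for row in mat]


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_sample(A, s, e, q):
    """b = A^T s + e mod q, the instance the trapdoor holder has to invert."""
    return [(x + err) % q for x, err in zip(matvec_mod(transpose(A), s, q), e)]


def solve_exact(mat, y):
    """Solve mat * x = y over the rationals by Gauss-Jordan elimination (mat invertible)."""
    n = len(mat)
    aug = [[Fraction(v) for v in row] + [Fraction(y[i])] for i, row in enumerate(mat)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        f = aug[col][col]
        aug[col] = [v / f for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                g = aug[r][col]
                aug[r] = [a - g * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def recover_secret(A, T, b, q):
    """Trapdoor decoding as described in the text.  Because A T = 0 mod q,
    T^T b = T^T e (mod q); when every entry of T^T e is below q/2 in absolute
    value, the centered residues are T^T e exactly, so e = (T^T)^{-1} (T^T e),
    and then A^T s = b - e mod q yields s."""
    Tt = transpose(T)
    y = [centered(v, q) for v in matvec_mod(Tt, b, q)]
    e = solve_exact(Tt, y)
    if any(v.denominator != 1 for v in e):
        raise ValueError("T^T e not recovered exactly; error too large for this basis")
    e = [int(v) for v in e]
    b_minus_e = [(bi - ei) % q for bi, ei in zip(b, e)]
    # The toy A has the identity in its first N columns, so s is read off directly;
    # a general A would need a linear solve modulo q at this point.
    return b_minus_e[:len(A)], e


def demo(seed=1):
    """Build an LWE instance with a short error and check that the trapdoor inverts it."""
    rng = random.Random(seed)
    A, T = toy_trapdoor()
    for col in transpose(T):                       # sanity check: A T = 0 mod Q
        assert all(v == 0 for v in matvec_mod(A, col, Q))
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = lwe_sample(A, s, e, Q)
    s_rec, e_rec = recover_secret(A, T, b, Q)
    return s_rec == s and e_rec == e
```

The bound that makes step (i) work is visible in the numbers: every column of T has l1-norm at most 13 and every error entry is at most 1 in absolute value, so each entry of T^T e is at most 13 < Q/2, which is exactly the condition under which the centered residues equal T^T e. Making the error larger (for instance entries up to 5) breaks that condition and the exact solve fails, which is the ValueError path.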
2.3.7. Algorithm Basis Delegation 
The basis delegation algorithm BasisDel does not increase the dimension of the basis matrix . On input a matrix of rank in , a -invertible matrix in sampled from , a basis of , and the parameter , it outputs a basis of , where in .
2.3.8. Algorithm Sample R [21]
Our security proof uses the algorithm sample R. The sampled matrix in comes from a distribution that is statistically close to . On the canonical basis of the lattice , run for . If is invertible, output ; otherwise, repeat the Gaussian sampling.
Algorithm sample R with basis is also used in our security proof; it takes a random matrix of rank in and generates a “low-norm” matrix from and a short basis of , as follows.
2.3.9. Algorithm Sample R with Basis [21]
Let be the columns of the matrix .
(i) Run TrapGen(q, n) to generate a matrix with random rank , as well as a lattice basis , where
(ii) For , do
(1) Sample ri by running SamplePre, and we have , , where is sampled from a distribution statistically close to 
(2) Repeat Step (1) until is linearly independent of 
(iii) Let be the matrix with columns . Then, has rank . Output and .
2.3.10. Chinese Remainder Theorem 
If and are integers, , and are arbitrary integers, then the system of linear congruence equations has exactly one solution, where , , and for .
We can also extend the Chinese remainder theorem to a matrix form: and are extended to matrices and of dimension , respectively, and the system of linear congruences has the analogous solution, that is, where is close to the uniform distribution .
3. Identity-Based Broadcast Encryption
Definition 1. An IBBE scheme consists of four algorithms (, , , ) [19, 34] as follows:
(i) Setup: take as input a security parameter , and output the public parameters and a master secret key 
(ii) Extract: take as input a master secret key and an identity , and output a private key for identity 
(iii) Enc: take as input the public parameters , a receiver set , and a message , and output a ciphertext 
(iv) Dec: take as input a private key and a ciphertext , and output either a message or an error symbol 
The correctness property requires that, for all , if (, ) , , ) and , , ), then with overwhelming probability.
In the above definition, the receiver set is not an input to the decryption algorithm, which preserves the anonymity of an IBBE system.
We now present the security requirements for an IBBE scheme to be outsider anonymous against the chosen-plaintext attack (CPA). In an outsider-anonymous IBBE scheme, when the adversary receives a ciphertext of which he is not a legal recipient, he is unable to learn anything about the identities of the legal recipients; for those ciphertexts for which the adversary is in the authorized set of recipients, he might also learn the identities of some other legal recipients. First, we define the CPA of an outsider-anonymous IBBE scheme as a game, which we term oAIBBE-IND-CPA, played between a probabilistic polynomial-time (PPT) adversary and a challenger . Meanwhile, we present a selective indistinguishable chosen-plaintext security game (sIND-CPA), where selective security is a weaker notion that forces the adversary to announce ahead of time the identities it will target.
Definition 2. The oAIBBE-sIND-CPA game, defined for an oAIBBE scheme = (Setup, Extract, Enc, Dec), a PPT adversary , and a challenger , is as follows:
(i) Init: adversary outputs two receiver subsets and that he wants to attack; it is required that in order to avoid trivial attacks
(ii) Setup: challenger first runs Setup to generate the public parameters and a master secret key , then gives to adversary and keeps to itself
(iii) Phase 1: adversary adaptively issues private key queries for identity , and challenger runs Extract and returns to adversary 
(iv) Challenge: adversary selects two equal-length messages and sends them to challenger ; challenger flips a random coin and returns the challenge ciphertext Encrypt to adversary 
(v) Phase 2: adversary continues to adaptively issue queries as in Phase 1
(vi) Guess: adversary outputs a guess 
Definition 3. Define adversary ’s advantage in the above oAIBBE-sIND-CPA game as . We say that an IBBE scheme is oAIBBE-sIND-CPA secure if for any PPT adversary , the advantage is negligible in the above oAIBBE-sIND-CPA game.
Our lattice-based IBBE scheme is designed by translating the lattice-based BE scheme of Wang et al. into an identity-based environment. The private key generation depends on lattice basis delegation without increasing the dimension .
(i) Setup: take as input a security parameter , set to be odd and , and let be a division intractable hash function and be a hash function. Invoke the trapdoor sampling algorithm TrapGen to generate a uniformly random matrix with a basis satisfying such that . Output the public parameters and a master key .
(ii) Extract: take as input the public parameters , the master key , and an identity , and compute and . Evaluate to obtain a short random basis for . Output identity ’s private key .
(iii) Encrypt: take as input the public parameters , a broadcast set , and a message , and compute = for . Moreover, to ensure the correctness of decryption, we need . According to the Chinese remainder theorem, compute and , where . Calculate for , choose random vectors and and a symmetric key , and compute the ciphertext as follows:
(iv) Decrypt: the user with identity in the broadcast set uses his private key to decrypt the ciphertext as follows:
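As an added example (not code from the paper or its authors), the following Python toy traces the Chinese-remainder packing behind the Encrypt and Decrypt steps above and the core idea of Section 1.1: each identity is hashed to a prime modulus standing in for the division-intractable hash, the key bits are encrypted under each recipient's key modulo that prime, the per-recipient residue vectors are folded into one ciphertext vector with the CRT, and a recipient reduces the ciphertext modulo its own prime and decrypts without learning who else is in the set. The per-recipient encryption is plain Regev-style LWE encryption with a key-authority table in place of the paper's identity encoding and basis delegation, and the parameters, identities and helper names (id_to_modulus, crt_combine, broadcast_encrypt) are assumptions of this demo, not the paper's.

```python
import hashlib
import random
from math import prod

# Toy parameters, constructed for this example (far too small for any real security).
N_DIM, M_DIM = 6, 20      # LWE dimensions of each recipient's key
KEY_BITS = 8              # length of the encapsulated symmetric key K


def is_prime(x):
    if x < 2:
        return False
    return all(x % d for d in range(2, int(x ** 0.5) + 1))


def id_to_modulus(identity):
    """Stand-in for the paper's division-intractable hash: map an identity string to
    a prime so that distinct identities get pairwise coprime moduli (assumption)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest()[:4], "big")
    q = 100_000 + h % 100_000
    while not is_prime(q):
        q += 1
    return q


def keygen(identity, rng):
    """Regev-style key pair for one recipient modulo its identity-derived prime.
    (In the paper the public matrix comes from an encoding of the identity and the
    private key from basis delegation; a key-authority table replaces that here.)"""
    q = id_to_modulus(identity)
    A = [[rng.randrange(q) for _ in range(N_DIM)] for _ in range(M_DIM)]   # M_DIM x N_DIM
    s = [rng.randrange(q) for _ in range(N_DIM)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M_DIM)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % q for row, err in zip(A, e)]
    return {"q": q, "A": A, "b": b}, s


def encrypt_bits(pk, bits, rs):
    """Encrypt each key bit under pk with the shared randomness rs[j] in {0,1}^M_DIM.
    Returns the recipient's residue vector of length KEY_BITS*(N_DIM+1) mod q_i."""
    q, A, b = pk["q"], pk["A"], pk["b"]
    out = []
    for beta, r in zip(bits, rs):
        u = [sum(A[i][k] * r[i] for i in range(M_DIM)) % q for k in range(N_DIM)]
        v = (sum(bi * ri for bi, ri in zip(b, r)) + beta * (q // 2)) % q
        out.extend(u + [v])
    return out


def decrypt_bits(q, s, residues):
    """Regev decryption: v - <s,u> = <e,r> + beta*q/2, so beta is read off by rounding."""
    bits, step = [], N_DIM + 1
    for j in range(KEY_BITS):
        u, v = residues[j * step:(j + 1) * step - 1], residues[(j + 1) * step - 1]
        d = (v - sum(si * ui for si, ui in zip(s, u))) % q
        bits.append(1 if q // 4 < d <= 3 * q // 4 else 0)
    return bits


def crt_combine(residue_vectors, moduli):
    """Elementwise Chinese remainder theorem: the unique X mod prod(moduli) with
    X = V_i mod q_i for every i, computed as sum_i V_i * M_i * (M_i^{-1} mod q_i)."""
    Q = prod(moduli)
    coeffs = [(Q // q) * pow(Q // q, -1, q) for q in moduli]
    length = len(residue_vectors[0])
    X = [sum(c * vec[k] for c, vec in zip(coeffs, residue_vectors)) % Q for k in range(length)]
    return X, Q


def broadcast_encrypt(pks, key_bits, rng):
    """One ciphertext for all recipients: encrypt K under each key, then fold the
    per-recipient residue vectors into one vector with the CRT.  The number of
    entries does not depend on the number of recipients (only the modulus Q does)."""
    rs = [[rng.randrange(2) for _ in range(M_DIM)] for _ in range(KEY_BITS)]
    per_user = [encrypt_bits(pk, key_bits, rs) for pk in pks]
    C, _ = crt_combine(per_user, [pk["q"] for pk in pks])
    return C


def broadcast_decrypt(q, s, C):
    """A recipient reduces the ciphertext modulo its own prime and decrypts the
    resulting LWE-style instance; the receiver set is never an input."""
    return decrypt_bits(q, s, [c % q for c in C])


def demo(seed=3):
    """Two authorized RTUs and one outsider (constructed identities)."""
    rng = random.Random(seed)
    ids = ["rtu-01@plant.example", "rtu-02@plant.example", "rtu-03@plant.example"]
    keys = {i: keygen(i, rng) for i in ids}
    moduli = [keys[i][0]["q"] for i in ids]
    assert len(set(moduli)) == len(moduli), "moduli must be pairwise coprime"
    K = [rng.randrange(2) for _ in range(KEY_BITS)]
    authorized = ids[:2]
    C = broadcast_encrypt([keys[i][0] for i in authorized], K, rng)
    C_single = broadcast_encrypt([keys[ids[0]][0]], K, rng)
    recovered = {i: broadcast_decrypt(keys[i][0]["q"], keys[i][1], C) for i in ids}
    return {"key": K, "authorized": authorized, "recovered": recovered,
            "len_two": len(C), "len_one": len(C_single)}
```

Two properties of the paper's design show up directly: the ciphertext contains no identities, only the folded residues, so an outsider reducing modulo its own prime obtains values unrelated to any recipient's instance; and decryption needs only the recipient's own modulus and private key, which is what keeps the receiver set out of the Decrypt interface. The noise budget is the usual Regev one: |<e, r>| is at most M_DIM = 20 here, far below q/4 for primes above 100000.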
5. Analysis of the Proposed Anonymous IBBE Construction
5.1. Parameters and Correctness
Given the security parameter , the analysis of parameters and correctness for our scheme is as follows.
(i) To ensure that TrapGen can operate, the following requirements should be met: and .
(ii) To guarantee decryption of the ciphertext, the error term should be less than , and is set as [23, 47]
(iii) The parameters should always satisfy and .
To see that decryption works, first note that is designed according to the Chinese remainder theorem, and recall that and ; then and for . Hence, this step is valid.
By the properties of basis delegation, , where ; therefore,
Finally, we know ,
Theorem 1. The above scheme is oAIBBE-sIND-CPA secure if the LWE problem is hard and is simulated as a random oracle.
Proof. Suppose there exists a PPT adversary that is able to distinguish the above scheme’s ciphertext from random elements with advantage . Then, there is a challenger with advantage at least that distinguishes between the two distributions .
(i) Init: adversary outputs two different subsets and that he wants to distinguish. Challenger samples random matrices by running (described in Section 3.1), where all are invertible mod q.
(ii) Setup: challenger chooses two collision-intractable hash functions and . is a division intractability hash function, and is simulated as a random oracle. Let be the number of queries made by . Let the master public key be ; the master secret key is unknown to . The system parameters are given to .
(iii) Phase 1: adversary adaptively issues queries as follows:
Random oracle hash queries: may adaptively query the random oracle on any identity of its choice at any time. answers the query as follows. If , define , return to adversary , and save the tuple in a list . If , sample a random matrix , where is invertible mod , compute , and then run sample R with basis (described in Section 3.1) to obtain a random matrix and a short basis for . Save the tuple in the list for future use, and return to adversary .
Secret key queries: makes interactive key extraction queries on an arbitrary identity . answers a query on as follows. If , aborts and fails. If , retrieves the saved tuple from the hash oracle query list ; otherwise, it runs the random oracle hash query on . Let and be a short basis for , and return to adversary . Notice that is exactly the encryption matrix for , and therefore, is a trapdoor for .
(iv) Challenge: adversary chooses two equal-length messages and sends them to challenger . Challenger chooses at random a symmetric key and a random bit ; challenger computes , where and , and then returns the challenge ciphertext to adversary .
(v) Phase 2: adversary adaptively issues queries as in Phase 1.
(vi) Guess: adversary outputs a guess bit , and wins the game if .
Analysis: in the following, we analyse the correctness of the challenge ciphertext.
On the one hand, if is a uniformly random matrix, then the challenge ciphertext is also uniformly random, regardless of the choice of . Hence, in this case, outputs 1 with probability at most .
On the other hand, if , then the challenge ciphertext is uniformly distributed (since and 2 are relatively prime). This is identical to the output distribution of the real ciphertext.
Hence, if adversary succeeds in guessing the right and with probability , then challenger will correctly guess the nature of the LWE oracle with probability at least . This concludes the proof of the security reduction.
Remark. The above scheme cannot achieve anonymity against an insider attacker. Since any authorized receiver can obtain the private values s, e, and K, he/she can use s, e, and K to decrypt C2; the decryption process is similar to the trapdoor sampling algorithm of Section 2.3.6. Therefore, in order to determine whether is an authorized receiver, the adversary only needs to check whether and are equal. If so, is an authorized receiver; otherwise, is not.
We have proposed a lattice-based anonymous IBBE scheme employing the Chinese remainder theorem and lattice basis delegation in fixed dimensions. Our scheme achieves chosen-plaintext security in the random oracle model and has multiple attractive properties, such as constant-size private/public keys and ciphertexts and constant encryption/decryption overhead.
All the data included in this study are available upon request by contact with the corresponding author.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work was partially supported by the National Science Foundation of China (NSFC) (Grant nos. 61902067 and 62102166), Foundation for Young Innovative Talents in Ordinary Universities of Guangdong (2018KQNCX255), Opening Project of Guangdong Province Key Laboratory of Information Security Technology (Grant no. 2020B1212060078), Dongguan Science and Technology of Social Development Program (2020507140146), Dongguan University of Technology (2021KTSCX134), Key-Area Research and Development Program of Guangdong Province (Grant no. 2020B0101360001), Guangdong Basic and Applied Basic Research Foundation (Grant no. 2020A1515111175), and Guangdong Natural Science Key Field Project (2019KZDZX1008).
[1] A. Lekbich, A. Belfqih, C. Zedak, J. Boukherouaa, and F. El Mariami, “A secure wireless control of remote terminal unit using the internet of things in smart grids,” in Proceedings of the 6th International Conference on Wireless Networks and Mobile Communications, WINCOM 2018, pp. 1–6, IEEE, Marrakesh, Morocco, October 2018.
[2] N. Neshenko, E. Bou-Harb, J. Crichigno, G. Kaddoum, and N. Ghani, “Demystifying IoT security: an exhaustive survey on IoT vulnerabilities and a first empirical look on Internet-scale IoT exploitations,” IEEE Communications Surveys & Tutorials, vol. 21, no. 3, pp. 2702–2733, 2019.
[3] A. Fiat and M. Naor, “Broadcast encryption,” in Proceedings of Advances in Cryptology - CRYPTO ’93, 13th Annual International Cryptology Conference, pp. 480–491, Santa Barbara, CA, USA, August 1993.
[4] X. Du, Y. Wang, J. Ge, and Y. Wang, “An id-based broadcast encryption scheme for key distribution,” IEEE Transactions on Broadcasting, vol. 51, no. 2, pp. 264–266, 2005.
[5] B. Malek and A. Miri, “Adaptively secure broadcast encryption with short ciphertexts,” International Journal of Network Security, vol. 14, no. 2, pp. 71–79, 2012.
[6] C. Delerablée, P. Paillier, and D. Pointcheval, “Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys,” in Proceedings of Pairing-Based Cryptography - Pairing 2007, 1st International Conference, pp. 39–59, Tokyo, Japan, July 2007.
[7] X. Lin, X. Sun, P.-H. Ho, and X. Shen, “GSIS: a secure and privacy-preserving protocol for vehicular communications,” IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442–3456, 2007.
[8] Y. Jung, Y. Nam, J. Kim, W. Jeon, H. Lee, and D. Won, “Key management scheme using dynamic identity-based broadcast encryption for social network services,” Lecture Notes in Electrical Engineering, vol. 279, pp. 435–443, 2014.
[9] D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Proceedings of Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, pp. 41–62, Santa Barbara, CA, USA, August 2001.
[10] Y. Dodis and N. Fazio, “Public key broadcast encryption for stateless receivers,” in Proceedings of Security and Privacy in Digital Rights Management, ACM CCS-9 Workshop, DRM 2002, pp. 61–80, Springer, Washington, DC, USA, November 2002.
[11] D. Boneh, C. Gentry, and B. Waters, “Collusion resistant broadcast encryption with short ciphertexts and private keys,” in Proceedings of Advances in Cryptology - CRYPTO 2005, 25th Annual International Cryptology Conference, pp. 258–275, Santa Barbara, CA, USA, August 2005.
[12] A. Barth, D. Boneh, and B. Waters, “Privacy in encrypted content distribution using private broadcast encryption,” in Proceedings of Financial Cryptography and Data Security, 10th International Conference, FC 2006, pp. 52–64, Anguilla, West Indies, February 2006.
[13] C. Gentry and B. Waters, “Adaptive security in broadcast encryption systems (with short ciphertexts),” in Proceedings of Advances in Cryptology - EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 171–188, Cologne, Germany, April 2009.
[14] P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134, Santa Fe, NM, USA, November 1994.
[15] R. Bendlin, “Lattice-based cryptography,” Lecture Notes in Computer Science, vol. 4117, no. 1-2, pp. 131–141, 2013.
[16] M. Ajtai, “Generating hard instances of lattice problems (extended abstract),” in Proceedings of the 28th Annual ACM Symposium on the Theory of Computing, pp. 99–108, Philadelphia, PA, USA, May 1996.
[17] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 84–93, Baltimore, MD, USA, May 2005.
[18] D. Micciancio and S. Goldwasser, “Complexity of lattice problems: a cryptographic perspective,” Kluwer International Series in Engineering and Computer Science, Kluwer Academic Publishers, Boston, MA, USA, 2002.
[19] B. Libert, K. G. Paterson, and E. A. Quaglia, “Anonymous broadcast encryption: adaptive security and efficient constructions in the standard model,” in Proceedings of Public Key Cryptography - PKC 2012, 15th International Conference on Practice and Theory in Public Key Cryptography, pp. 206–224, Darmstadt, Germany, May 2012.
F. Wang, A. Wang, and C. Wang, “Lattice-based dynamical and anonymous broadcast encryption scheme,” in Proceedings of the 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015, pp. 853–858, Krakow, Poland, November 2015.View at: Google Scholar
S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (H)IBE in the standard model,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 553–572, Monaco, French Riviera, May 2010.View at: Google Scholar
R. Gennaro, S. Halevi, and T. Rabin, “Secure hash-and-sign signatures without the random oracle,” in Proceedings of the Advances in Cryptology - EUROCRYPT ’99, International Conference on the Theory and Application of Cryptographic Techniques, J. Stern, Ed., pp. 123–139, Springer, Prague, Czech Republic, May 1999.View at: Google Scholar
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 523–552, French Riviera, France, May 2010.View at: Google Scholar
Adi Shamir, “Identity-based cryptosystems and signature schemes,” Lecture Notes in Computer Science, vol. 196, no. 2, pp. 47–53, 1985.View at: Google Scholar
G. Craig, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp. 197–206, Victoria, Canada, May 2008.View at: Google Scholar
O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM, vol. 56, no. 6, pp. 1–40, 2009.View at: Publisher Site | Google Scholar
M. Ajtai, “Generating hard instances of the short basis problem,” in Proceedings of the Automata, Languages and Programming, 26th International Colloquium, ICALP’99, pp. 1–9, Prague, Czech Republic, July 1999.View at: Google Scholar
G. Craig and Alice Silverberg, “Hierarchical id-based cryptography,” in Proceedings of the Advances in Cryptology - ASIACRYPT 2002, 8th International Conference on the Theory and Application of Cryptology and Information Security, pp. 548–566, Queenstown, New Zealand, December 2002.View at: Google Scholar
J. Horwitz and B. Lynn, “Toward hierarchical identity-based encryption,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, pp. 466–481, Amsterdam, The Netherlands, April 2002.View at: Google Scholar
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” in Advances in Cryptology –EUROCRYPT, pp. 523–552, Springer Berlin Heidelberg, Berlin, Germany, 2010.View at: Publisher Site | Google Scholar
D. B. Shweta Agrawal and X. Boyen, “Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE,” in Proceedings of the Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, pp. 98–115, Santa Barbara, CA, USA, August 2010.View at: Google Scholar
S. Amit and B. Waters, “Fuzzy identity-based encryption,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, R. Cramer, Ed., pp. 457–473, Springer, Aarhus, Denmark, May 2005.View at: Google Scholar
X. Boyen, “Attribute-based functional encryption on lattices,” in Proceedings of the Theory Of Cryptography - 10th Theory Of Cryptography Conference, TCC 2013, S. Amit, Ed., pp. 122–142, Springer, Tokyo, Japan, March 2013.View at: Publisher Site | Google Scholar
C. . Delerablée, “Identity-based broadcast encryption with constant size ciphertexts and private keys,” in Proceedings of the Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2007.View at: Google Scholar
D. Boneh, B. Waters, and M. Zhandry, “Low overhead broadcast encryption from multilinear maps,” in Proceedings of the Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 2014.View at: Google Scholar
J. Jongkil Kim, W. Susilo, and J. Seberry, “Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 679–693, 2015.View at: Publisher Site | Google Scholar
B. Dan and M. Zhandry, “Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation,” Algorithmica, vol. 8616, no. 4, pp. 1–53, 2016.View at: Google Scholar
N. Fazio and I. Milinda Perera, “Outsider-anonymous broadcast encryption with sublinear ciphertexts,” in Proceedings of the Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 2012.View at: Google Scholar
K. He, J. Weng, M. H. Au, Y. Mao, R. H. Deng, and Deng, “Generic anonymous identity-based broadcast encryption with chosen-ciphertext security,” in Information Security and Privacy, pp. 207–222, Springer International Publishing, Berlin, Germany, 2016.View at: Publisher Site | Google Scholar
J. Wang and J. Bi, “Lattice-based identity-based broadcast encryption scheme,” IACR Cryptology ePrint Archive, vol. 288, 2010.View at: Google Scholar
A. Georgescu, “Anonymous lattice-based broadcast encryption,” in Proceedings of the Information and Communicatiaon Technology - International Conference, ICT-EurAsia 2013, Yogyakarta, Indonesia, March 2013.View at: Publisher Site | Google Scholar
Z. Brakerski and V. Vaikuntanathan, “Lattice-inspired broadcast encryption and succinct ciphertext-policy ABE,” IACR Cryptol. ePrint Arch., vol. 191, 2020.View at: Google Scholar
D. Boneh, G. Craig, S. Gorbunov et al., “Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, P. Q. Nguyen and E. Oswald, Eds., Copenhagen, Denmark, May 2014.View at: Google Scholar
S. Agrawal and S. Yamada, “Optimal broadcast encryption from pairings and LWE,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, A. Canteaut and Yuval Ishai, Eds., Zagreb, Croatia, May 2020.View at: Google Scholar
D. Micciancio and S. Goldwasser, “Complexity of lattice problems - a cryptograhic perspective,” Kluwer International Series in Engineering and Computer Science, Springer, Berlin, Germany, 2002.View at: Google Scholar
W. Mao, Modern Cryptography: Theory and Practice, Prentice Hall, Hoboken NJ, USA, 2003.
G. Craig, S. Halevi, and V. Vaikuntanathan, “A simple bgn-type cryptosystem from lwe,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pp. 506–522, French Riviera, France, June 2010.View at: Google Scholar