Abstract

In this paper, a construction of a fuzzy identity-based ring signature scheme (LFIBRS) is proposed. Our LFIBRS combines the characteristics of both the fuzzy identity-based signature (FIBS) and the ring signature. On the one hand, a signature issued under an identity can be verified by any identity that is “close enough” to the identity . Since biometric identification is well known as the most popular and reliable identification method, our LFIBRS can be applied whenever an official audit or supervision requires the signer’s real identity to be authenticated. On the other hand, LFIBRS provides anonymity under the random oracle model. In addition, LFIBRS provides unforgeability under the small integer solution (SIS) lattice hardness assumption, which can resist attacks by large-scale quantum computers in the future.

1. Introduction

Ring signatures, which were first suggested by Rivest, Shamir, and Tauman [1], allow signing a message on behalf of a spontaneous set of signers, without breaking the anonymity of the signatory. Recently, many versions of ring signature schemes based on this concept have been constructed.

Nevertheless, numerous ring signature schemes rely on classical number-theoretic or algebraic assumptions, such as the large integer factoring problem [1, 2], the discrete logarithm problem [3–5], and bilinear pairing problems [6–10]. None of these schemes are secure with the onset of powerful quantum computers. Among the current postquantum cryptographic candidates, lattice-based cryptography has recently attracted significant attention from cryptographers. In 2008, the first ring signature scheme on lattices was constructed by Gentry et al. [11], and many ring signature schemes have been constructed since [12–14]. Shamir [15] introduced an identity-based cryptosystem. Later, Sahai and Waters [16] put forward the concept of fuzzy identity-based encryption (FIBE), and they regarded identities as a set of biometric attributes rather than any string. Since then, many kinds of fuzzy identity-based signature schemes have been constructed [17–21]. As one of the most promising research alternatives in postquantum cryptography, lattice-based cryptography has attracted great attention due to its several potential advantages: asymptotic efficiency, the worst-case hardness hypothesis, and security against quantum computing.

How to design a secure and efficient lattice-based cryptosystem is a very interesting and challenging problem. In this manuscript, based on the work of [21, 22], a fuzzy identity ring signature scheme based on the computational difficulty problem on lattices is constructed by combining the characteristics of fuzzy identity signature and ring signature.

1.1. Related Work

Wang et al. [23] proposed a lattice-based ring signature scheme in the Bonsai tree model, based on the hardness assumption of the SIS problem; its unforgeability was proved in both the random oracle and standard models. Wang [24] and Jia et al. [22] proposed identity-based ring signature schemes from lattices, based on the hardness assumption of the SIS problem. As we know, Yao and Li [19] constructed the first FIBS scheme based on the hardness assumption of the SIS problem. By using the Bonsai tree techniques, they proved that their scheme was secure in the random oracle model. Recently, Zhang et al. [21] proposed an extended version of Yao and Li’s FIBS scheme and claimed that it could capture more expressive attributes in a large universe. Besides, their version was proved to be strongly unforgeable against selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model.

1.2. Contributions

In this paper, we propose a fuzzy identity-based ring signature scheme (LFIBRS) based on the hardness assumption of the SIS problem and prove that it is unforgeable in the random oracle model. We focus on combining the characteristics of ring signatures and fuzzy identity-based signatures from lattices, which enables our scheme to provide biometric authentication and maintain anonymity at the same time.

1.3. Structure of the Paper

In Section 2, some mathematical symbols, integer lattices, and statistical distance are defined. Section 3 gives the framework of the signature scheme. The construction of our signature scheme is described in Section 4. The security of our LFIBRS is proved in Section 5. Finally, comparisons with other related works and concluding remarks are given.

2. Preliminaries

2.1. Notations

In this section, we make use of the following notations:: The set : is sampled uniformly at random from the set : The Euclidean norm of : The norm of as the norm of its longest column : The matrix after Gram-Schmidt orthogonalization of matrix : If : If

2.2. Integer Lattices

Definition 1. Let be a matrix with m linearly independent vectors. The m-dimensional lattice generated by is as follows:

Definition 2. For prime and matrix , define
For , define the Gaussian function on with center , . For m-dimensional lattice , define . For and , define the discrete Gaussian distribution over as follows: . For convenience, if , we denote as .

2.3. Lattice-Related Algorithms

How to obtain a matrix with a low Gram-Schmidt norm basis for was introduced by Ajtai [25], and two improved algorithms were proposed by [26, 27], respectively.

Lemma 1 (see [26]). Let integers be odd, , and . There exists a PPT algorithm that outputs and such that is statistically close to a uniform matrix in and is a short basis for , satisfying with all but a negligible probability in n.

In this subsection, we recall several useful facts on lattices from the literature [1, 28], in order to generate another short basis for a lattice which contains a sublattice isomorphic to the original.

Lemma 2 (Lemma 3.2 of [28]). On input , whose columns generate the entire group and an arbitrary , given a basis of , there is a deterministic polynomial-time algorithm that outputs a basis for such that . Moreover, this statement holds even for any given permutation of the columns of .

Lemma 3 (Lemma 3.3 of [28]). On input , . Given a basis of , there is a PPT algorithm that outputs a basis for such that and no information specific to is leaked.

We adopt the preimage sampling lemma from the discrete Gaussian distribution over lattices, which is shown in [11].

Lemma 4 (see [11]). Assume integer , and real . Let be a short basis for ; parameter . Then, for ,(1)(2)A PPT algorithm returns drawn from a distribution statistically close to (3)A PPT algorithm returns sampled from a distribution statistically close to

In [22], Lemma 4 is extended to the matrix sampling algorithm, which is repeated as follows.

Lemma 5 (see [22]). On input , . Given a short basis for and arbitrary matrix , there is a polynomial-time algorithm , which outputs a matrix , so that , and are statistically close, and holds with overwhelming probability.

Rejection sampling, proposed by Lyubashevsky in [29], is an important technique for lattice-based signature schemes. In the signing process, we output the candidate signature only with a certain probability, without using a preimage sampling algorithm; hence, the distribution of the output signature is independent of the private key of the signer. For the rejection sampling technique, we use the following two results.

Lemma 6 (Lemma 4.4 of [29]). For any and integer , the following inequalities hold:(1)(2)For any and , holds(3)

Theorem 1 (Theorem 4.6 of [29]). Let be a subset of in which all elements have norms less than , let be some element in such that , and let be a probability distribution. Then there exists a constant such that the distribution of the following algorithm ,(1)(2)(3)output with probability is within the statistical distance of the distribution of the following algorithm :(1)(2)(3)output with probability Moreover, the probability that A outputs something is at least .

2.4. Statistical Distance

The statistical distance measures how different two probability distributions are. In order to be employed in the anonymity of our scheme, we recall it as follows.

Definition 3 (Definition 8.5 of [30]). Let and be two random variables over a countable set . The statistical distance between and is defined by
The following lemmas show that the statistical distance cannot be increased by a randomized algorithm.

Lemma 7 (Proposition 8.9 of [30]). Let and be two lists of totally independent random variables. Then,

Lemma 8 (Proposition 8.10 of [30]). Assume that and are two random variables over set . For any (possibly randomized) function with domain , the statistical distance between and is at most
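An added numerical illustration (not code from the paper) of how rejection sampling hides the signer's secret, measured with the statistical distance of Definition 3. It works in one dimension and computes exactly the output law of the accept/reject step for two different secret shifts. Assumptions made for the example: the Gaussian weight exp(−x²/(2σ²)), the acceptance rule min(D_σ(z)/(M·D_{v,σ}(z)), 1), the standard formula ½·Σ|Pr[X = s] − Pr[Y = s]|, and the toy values T = 4, σ = 12T, M = exp(1 + 1/288).

```python
import math

def rho(x, sigma):
    """Gaussian weight exp(-x^2 / (2*sigma^2)) (assumed convention)."""
    return math.exp(-x * x / (2.0 * sigma * sigma))

def discrete_gaussian(center, sigma, support):
    """Discrete Gaussian on the integers in `support`, centred at `center`."""
    weights = {z: rho(z - center, sigma) for z in support}
    total = sum(weights.values())
    return {z: w / total for z, w in weights.items()}

def statistical_distance(p, q):
    """1/2 * sum over s of |Pr[X = s] - Pr[Y = s]| (standard definition)."""
    return 0.5 * sum(abs(p.get(s, 0.0) - q.get(s, 0.0)) for s in set(p) | set(q))

def push_forward(dist, f):
    """Distribution of f(X) when X follows `dist` (for the Lemma 8 check)."""
    out = {}
    for s, prob in dist.items():
        out[f(s)] = out.get(f(s), 0.0) + prob
    return out

def rejection_output(v, sigma, M, support):
    """Exact output law of the accept/reject step for a fixed secret shift v.

    z is drawn from the Gaussian centred at v and kept with probability
    min(D_sigma(z) / (M * D_{v,sigma}(z)), 1).  Returns the acceptance
    probability and the law of z conditioned on acceptance.
    """
    shifted = discrete_gaussian(v, sigma, support)
    kept = {}
    for z, pz in shifted.items():
        # For integer v the two Gaussians share their normaliser (up to the
        # negligible truncation of `support`), so the density ratio is
        # exp((v^2 - 2*z*v) / (2*sigma^2)).
        ratio = math.exp((v * v - 2 * z * v) / (2.0 * sigma * sigma))
        kept[z] = pz * min(ratio / M, 1.0)
    accept = sum(kept.values())
    return accept, {z: mass / accept for z, mass in kept.items()}

def demo():
    T = 4                                   # bound on |v| (constructed toy value)
    sigma = 12 * T
    M = math.exp(1 + 1 / 288)
    support = range(-20 * sigma, 20 * sigma + 1)
    v0, v1 = -T, T                          # two different "secret" shifts
    d0 = discrete_gaussian(v0, sigma, support)
    d1 = discrete_gaussian(v1, sigma, support)
    acc0, out0 = rejection_output(v0, sigma, M, support)
    acc1, out1 = rejection_output(v1, sigma, M, support)
    tail = lambda z: z > sigma              # an arbitrary post-processing function
    return {
        "raw": statistical_distance(d0, d1),          # no rejection: shift leaks
        "post": statistical_distance(push_forward(d0, tail),
                                     push_forward(d1, tail)),
        "hidden": statistical_distance(out0, out1),   # after rejection
        "accept": (acc0, acc1),
        "one_over_M": 1 / M,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without the rejection step the two shifted Gaussians are measurably different; after it, the two output laws coincide up to floating-point error and each run accepts with probability about 1/M. The "post" entry illustrates Lemma 8: applying a function to both variables does not increase the distance.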

2.5. The SIS Problem

The SIS problem is as hard as the worst-case lattice problem; this was first proved by Ajtai [25], and then by Micciancio and Regev [31] and Gentry et al. [11]. We recall it as follows.

Definition 4. The SIS problem in the Euclidean norm is that, given an integer , a matrix , and a positive real , the goal is to find a nonzero vector satisfying , and .

Lemma 9 (Theorem 5.16 of [31]). For poly-bounded , , and prime , the average-case problem is as hard as approximating the shortest independent vector problem to within certain factor.
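A toy checker for the SIS condition of Definition 4, added here as an illustration and not taken from the paper. It assumes the usual reading of the definition (a nonzero integer vector e with A·e ≡ 0 mod q and Euclidean norm at most β); the matrix A_TOY and the parameters n = 2, m = 8, q = 7 are constructed, far below any secure size. It also shows why the norm bound is the whole problem: q times a unit vector always lies in the kernel, and a short solution exists by pigeonhole once 2^m > q^n.

```python
import itertools
import math

# Constructed toy instance: n = 2 rows, m = 8 columns, q = 7.
A_TOY = [[1, 3, 5, 2, 6, 4, 1, 2],
         [2, 6, 1, 4, 3, 5, 6, 1]]
Q_TOY = 7
BETA_TOY = math.sqrt(8)   # sqrt(m): the bound a {-1,0,1}-vector always meets

def mat_vec_mod(A, e, q):
    """Return A*e mod q as a tuple."""
    return tuple(sum(a * x for a, x in zip(row, e)) % q for row in A)

def is_sis_solution(A, e, q, beta):
    """Check the three SIS conditions: e != 0, A*e = 0 mod q, ||e|| <= beta."""
    if len(e) != len(A[0]) or not any(e):
        return False                      # wrong length or the zero vector
    if any(mat_vec_mod(A, e, q)):
        return False                      # not in the kernel of A mod q
    return math.sqrt(sum(x * x for x in e)) <= beta

def find_by_collision(A, q):
    """Exhaustive pigeonhole search, feasible only for toy sizes.

    Two distinct 0/1 vectors with the same image A*x mod q differ by a
    nonzero vector with entries in {-1, 0, 1} that A maps to 0 mod q.
    """
    m = len(A[0])
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        y = mat_vec_mod(A, x, q)
        if y in seen:
            return tuple(a - b for a, b in zip(x, seen[y]))
        seen[y] = x
    return None                           # cannot happen when 2**m > q**n

if __name__ == "__main__":
    e = find_by_collision(A_TOY, Q_TOY)
    print("short kernel vector:", e, is_sis_solution(A_TOY, e, Q_TOY, BETA_TOY))
    trivial = (Q_TOY,) + (0,) * 7         # in the kernel, but too long
    print("q*e_1 accepted:", is_sis_solution(A_TOY, trivial, Q_TOY, BETA_TOY))
```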

3. System Framework and Security Model of LFIBRS Scheme

A fuzzy identity-based ring signature scheme consists of the following four probabilistic polynomial-time (PPT) algorithms:
: The Private Key Generator (PKG) runs a PPT algorithm that takes the security parameter as input and generates the system parameters , an error tolerance parameter , and master keys . The system parameters are made public and master keys are kept secret.
: It is a PPT algorithm that takes an identity , the public parameters , and the master keys as input and outputs secret keys and public key associated with the .
(: It is a PPT algorithm that takes the public parameters , the public keys corresponding to the identities of ring members, the secret keys associated with an identity , and a message as input and outputs a signature .
: It is a deterministic algorithm that takes the public parameters , a fuzzy identity s, the message , the public keys , and the corresponding signature as input and outputs “1” or “0.”

The correctness of a ring signature scheme with fuzzy identity means that the verification algorithm always outputs “1” for a legal signature and “0” for an illegal signature.

3.1. Security Properties

A secure ring signature scheme must satisfy anonymity and unforgeability. The formal definitions of the security model are given as follows.

Definition 6 (anonymity). If there is no polynomial-time adversary to win the following games with an advantage that cannot be ignored, the LFIBRS scheme is signer-ambiguous.(1): input system parameters and to generate and send public parameter and the maximum possible user set to .(2): performs a polynomially bounded number of queries.(3): selects the message , , and uses the master key to generate the secret key and which corresponds to and . randomly selects and then calls the signature algorithm to generate the signature .(4): outputs bit as a guess of . If , then wins the game.The advantage is defined as .

Definition 7 (unforgeability). If there is no polynomial time adversary to win the following games with an advantage that cannot be ignored, then the LFIBRS scheme is said to be unforgeable.(1): exposes parameters and identity set and sends them to .(2): adversary can perform polynomial query:Private key query: calls the private key extraction algorithm, obtains the secret key corresponding to the identity , and returns it to Signature query: calls the signature algorithm to get the signature of the message and returns it to (3): the adversary submits , if the following conditions are true:(1) is a legal signature(2) did not query the private key of (3) did not query and ; then won the gameThe advantage is defined as .

4. Construction of LFIBRS

In this part, we present our construction of LFIBRS from lattice. The LFIBRS consists of four probability polynomial-time algorithms , , , and . We have incorporated different notations of the proposed LFIBRS scheme in the following.

4.1. LFIBRS Setup

This phase can be described as follows:
Step 1. For , run to generate a uniformly random matrix together with a short basis for , such that .
Step 2. Run to generate a uniformly random matrix together with a short basis for , such that.
Step 3. For , randomly choose matrix in .
Step 4. Randomly choose matrices in and in .
Step 5. Select hash functions , , , and .
Step 6. Select an error tolerance parameter such that .
Step 7. Output public parameters and master keys :

and . Public parameters are made public and master keys are kept secret.

4.2. LFIBRS-KeyExt

Input a user whose identity ; and . Perform the following steps:
Step 1. For , compute , .
Step 2. For , compute matrix using algorithm .
Step 3. Compute , . We remark that plays the role of the associated public key.
Step 4. Compute the matrix using algorithm .
Step 5. Run to generate and , such that .
Step 6. Output and . is the ’s public key and are the corresponding secret keys.

4.3. LFIBRS-Sign

Input a message and the public keys corresponding to the identities of ring members where the identity of the real signer is related to the public key and the secret keys . The signing process is as follows:
Step 1. Compute .
Step 2.. Shamir’s secret sharing scheme is applied to every coordinate of , that is, when , the polynomial with degree is constructed in , such that .
Step 3. Construct the a-th share vector, . Thus, for and , there are fractional Lagrangian coefficients such that .
Step 4. For , call algorithm to calculate .
Step 5. Compute .
Step 6. Let , and call algorithm in Theorem 1; if there is output, output ; otherwise, reselect the public key and go to the first step.
Step 7. For , let .
Step 8. Output .
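The threshold mechanism of Steps 2 and 3, as an added sketch that is not the paper's code: every coordinate of a vector is Shamir-shared with a polynomial of degree k − 1, any k share vectors recombine through Lagrange coefficients evaluated at 0, and k − 1 share vectors do not. The modulus Q, the sample vector, the bit-string identities and the rule "count the positions that agree" are assumptions made for the illustration; the lattice sampling steps of the scheme are omitted.

```python
import random
from itertools import combinations

Q = 7681  # constructed toy prime modulus, not a parameter from the paper

def share_vector(u, k, ell, rng):
    """Return {j: (p_1(j), ..., p_n(j))} for j = 1..ell, where each p_i has
    degree exactly k-1 over Z_Q and p_i(0) = u_i."""
    assert 2 <= k <= ell < Q
    polys = [[ui % Q] + [rng.randrange(Q) for _ in range(k - 2)]
             + [rng.randrange(1, Q)] for ui in u]

    def evaluate(coeffs, x):
        acc = 0
        for c in reversed(coeffs):          # Horner's rule mod Q
            acc = (acc * x + c) % Q
        return acc

    return {j: tuple(evaluate(p, j) for p in polys) for j in range(1, ell + 1)}

def lagrange_at_zero(J):
    """Coefficients L_j = prod_{i in J, i != j} (-i)/(j - i) mod Q, so that
    sum_j L_j * p(j) = p(0) for every polynomial p of degree < |J|."""
    coeffs = {}
    for j in J:
        num = den = 1
        for i in J:
            if i != j:
                num = num * (-i) % Q
                den = den * (j - i) % Q
        coeffs[j] = num * pow(den, -1, Q) % Q
    return coeffs

def reconstruct(shares, J):
    """Recombine the share vectors indexed by J, coordinate by coordinate."""
    L = lagrange_at_zero(J)
    n = len(shares[J[0]])
    return [sum(L[j] * shares[j][c] for j in J) % Q for c in range(n)]

def matching_positions(id_a, id_b):
    """1-based positions where two identity vectors agree (assumed closeness)."""
    return [j for j, (a, b) in enumerate(zip(id_a, id_b), start=1) if a == b]

def reconstruct_if_close(shares, id_signer, id_other, k):
    """Recombine only if the identities agree in at least k positions."""
    J = matching_positions(id_signer, id_other)
    return reconstruct(shares, J[:k]) if len(J) >= k else None

def demo():
    u, k, ell = [11, 2222, 3333, 7000], 4, 6          # constructed sample values
    shares = share_vector(u, k, ell, random.Random(1))
    subsets = list(combinations(range(1, ell + 1), k))
    signer = (1, 0, 1, 1, 0, 1)
    return {
        "u": u,
        "subsets_checked": len(subsets),
        "every_k_subset_recovers_u": all(reconstruct(shares, J) == u for J in subsets),
        "from_k_minus_1_shares": reconstruct(shares, (1, 2, 3)),
        "close_identity": reconstruct_if_close(shares, signer, (1, 0, 1, 0, 0, 1), k),
        "far_identity": reconstruct_if_close(shares, signer, (0, 1, 1, 0, 1, 1), k),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```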

4.4. LFIBRS-Verify

Input the fuzzy identity , public parameters , message , the public keys , and the signature . The verification process is given as follows:
Step 1. For , verify . If it is true, continue to the next step. Otherwise, stop.
Step 2. For , calculate .
Step 3. Let and ; if there is such that , , continue to the next step. Otherwise, stop.
Step 4. If , output “1.” Otherwise, output “0.”

4.5. LFIBRS-Parameters

The security parameter of scheme FIBRS is , and other parameters are set as follows:
(1) Since is called, is set by Lemma 1.
(2) To ensure the difficulty of the SIS problem, set , , by Lemma 9
(3) Because is called, by Lemmas 2 and 3, set
(4) Because is called, by Lemma 5, set
(5) Because the signature algorithm needs Lemma 4 and Theorem 1, set
(6) Because is called, set

4.6. LFIBRS-Correctness

The correctness analysis is briefly described as follows:(1)According to Theorem 1 and Lemma 6, the signature will output with overwhelming probability.(2)According to Lemma 4, when the real identity can pass the verification in step 1 of the verification process, the next step can be continued.(3)The following formula is established:

5. Security Analysis

Next, we will prove that the above LFIBRS scheme satisfies anonymity and unforgeability as required.

Theorem 2 (anonymity). For prime , , and , are the outputs of the algorithm -, where is the public parameter, is the identity, is the secret key of the corresponding signature, and is the message of the corresponding signature. For any polynomial-time adversary, when and are unknown, the following formula holds:

Therefore, the proposed LFIBRS scheme is computationally anonymous under the random oracle model.

Proof. The adversary is a probabilistic polynomial-time Turing machine, which is allowed to make queries to the following oracles:: performs the following operations to generate the public parameter and all user identities and sends them to .(1)Determine the maximum possible user set (2)Randomly select matrices in and in (3)Output public parameters and : adversary can send the following query to , and will return the query result to . Without losing generality, let not repeat the query. performs the following operations:Hash query:(1) submits a user to , and, for , selects to return it to (2) submits the user to , and selects to return it to (3) submits a message and the public keys corresponding to the identities of ring members, where the identity to and selects to return it to (4) submits a message and the public keys corresponding to the identities of ring members, and selects to return it to Extract query: adaptively selects a user to . returns the secret key of the corresponding user .Sign query: submits message , the identity subset , and the user to . operates as follows:(1) runs the algorithm to get the corresponding public keys subring corresponding to the identities of ring members, where the identity (2)Input the message , public keys subring , and secret key ; runs the algorithm and returns the signature of the user : selects and the identity subset and uses the master key to generate the secret keys and corresponding to , where . randomly selects and then calls the signature algorithm to generate the signature .: outputs bit .Suppose that the signature with secret key outputs and the signature with secret key outputs . is abbreviated as . is abbreviated as .
To get anonymity, we just need to prove that the signatures and are statistically indistinguishable. From Lemmas 7 and 8 and the triangle inequality, we can get
From Theorem 1, we can get and , so
Therefore, the proposed LFIBRS scheme is computationally anonymous under the random oracle model.

Theorem 3 (Unforgeability). For prime and , in time , if there is a polynomial-time adversary that can forge the effective signature of LFIBRS scheme with the probability of , then there is a polynomial-time algorithm that can solve the problem with the probability of in time , where and .

Proof. The proof is similar to those in [21, 22]. The analysis is as follows.
Suppose that there is a polynomial-time adversary that forges the signature of LFIBRS scheme with the probability of . Next, the polynomial-time algorithm is constructed to solve the problem by using the ability of adversary to forge signature.
gives an example of problem and uses the ability of to give a solution.(1) selects randomly matrix in (2) finds a nonzero vector to make mod and First of all, creates three empty lists to store the queries of adversary , and , and secret key. The interaction between and is as follows:: performs the following operations to generate the public parameter and all user identities and sends them to .(1)Determine the maximum possible user set and a challenge user , (2)For , run to output a matrix together with a short basis for (3) calls and outputs and (4)Randomly select matrices in . The user’s secret key is and his corresponding public key is (5)Output public parameters and : Adversary can send the following query to , and will return the query result to . For the identity subset , performs the following operations:Hash query 1:(1) queries the list first. If has already been queried, returns (2)Otherwise, let and is sent to . computes , and add to the list Hash query 2:(1) submits message to . For , randomly selects . queries the list and returns the same result if they already have been checked(2)Otherwise, randomly selects and sends to and adds to the list Extract query: adaptively selects a user to . checks list to find and then uses to run . Output , satisfying , and . Add to the list .Sign query: submits message , the identity subset , and the user to . operates as follows:(1) checks the list . If was not recorded, go to hash query 2 and record in the list (2) checks the list . If was not recorded, go to extract query and record in the list (3) checks the lists and . 
looks for the corresponding record in and the record in (4)Let and ; returns the signature of the user Forgery: submits message , the identity subset , and forged signature by the user to , meeting the following conditions:(1) has not asked for the private key of the user (2) did not ask for ’s signatureThe signature is used in the following, which is an example of the identity subset ’s legal signature of message to solve the problem given at the beginning. first queries to find . If does not exist, then the game is terminated immediately. Otherwise, since is a legal signature, we obtain extracts the key of in Table , and let (if ) and (if ). It is easy to see that is also a legal signature, soFrom (10) and (11), we obtain .
If , then the game is terminated immediately.
If , let , where . If , then the game is terminated immediately. Otherwise, . Because and , it follows that ; namely, . Because , let ; it is easy to check that is the solution of the problem that is put forward at the beginning.
In the following analysis, can successfully find the probability of . will give up the game in the three following situations, which implies that the game fails.(1)When is not in , the probability that passing the signature verification is (2)When , due to and , (3)When , namely, and , the statistical distance between and satisfying From the above analysis, we can see that .

6. Efficiency Analysis

In Table 1, we set the following:: public parameters size: master key size: secret key size: signature size

From Table 1, we may conclude that the communication and time cost of our scheme are larger than those of the scheme in [22], and only the size of private key is smaller than that of [21].

In Table 2, we set the following:: secret key extraction cost: signing cost: verification cost: the cost of RandBasis(ExtBasis): the cost of Shamir’s secret sharing operation: the cost of SampleMatpre: the cost of SamplePre: the cost of matrix product: the cost of scalar multiplication: the cost of BasisDel: the cost of matrix inversion

From Table 2, we may conclude that our scheme has higher verification cost than those in [21, 22].

7. Conclusions

In this paper, we construct a fuzzy identity ring signature scheme based on the SIS problem and prove its unforgeability in the random oracle model. In particular, this scheme requires that the number of ring members be equal to the number of fuzzy identity coordinates. When the number of components of the identity vector is greater than the number of ring members, a certain number of temporary identities can be added as ring members, so that the number of ring members is equal to the number of components of the identity vector. When the number of ring members is greater than the number of components of the identity vector, a certain number of vector components will be randomly selected from to expand the number of components of the identity vector. A signature issued under an identity can be verified by any identity that is “close enough” to the identity . This property allows our signature scheme to have an application in biometric authentication. Compared with existing fuzzy identity-based signature schemes, our scheme has the anonymity of a ring signature, which fuzzy identity-based signatures do not have, so the efficiency of the verification operation is lower. In the third step of the verification process, the worst case is to calculate times, so when the signature scheme in this paper is used and is too large, the verification efficiency will be very low. In the future, we hope to improve the FIBRS algorithm to improve the efficiency of the signature verification algorithm.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

This research was partially supported by the Key Program of the Natural Science Foundation of Zhejiang Province of China (no. LZ17F020002) and the National Natural Science Foundation of China (no. 61772166).