Advanced
Scalable Hierarchical Identity-based Signature Scheme from Lattices
Scalable Hierarchical Identity-based Signature Scheme from Lattices
KSII Transactions on Internet and Information Systems (TIIS). 2013. Dec, 7(12): 3261-3273
Copyright © 2013, Korean Society For Internet Information
  • Received : August 17, 2013
  • Accepted : November 20, 2013
  • Published : December 30, 2013
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Geontae Noh
Ik Rae Jeong

Abstract
In the paper, we propose a novel adaptively secure hierarchical identity-based signature scheme from lattices. The size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices. Our scheme is motivated by Gentry et al.'s signature scheme and Agrawal et al.'s hierarchical identity-based encryption scheme.
Keywords
1. Introduction
I n 1984, Shamir introduced the concept of identity-based cryptography and proposed an identity-based signature scheme [1] . In an identity-based signature scheme, a trusted third party, called KGC (key generation center), only issues a signer's secret key, because the signer's public key is the signer's identity such as an email address and a phone number related to the signer. That is, the public key distribution problem (or the certification management problem) is eliminated. When a verifier wants to verify a signature, therefore, the verifier does not need to ask the KGC for the signer's public key, because the verifier can easily deduce the signer's public key from the signer's identity. Actually, many identity-based signature schemes have been studied [2] [3] [4] .
The concept of hierarchical identity-based signatures is the hierarchical extension of identity-based signatures. Like an identity-based signature scheme, the KGC issues a signer's secret key. In addition, the signer can delegate the secret keys of the signer's child identities in an identity hierarchy using its own secret key.
In 2002, Gentry and Silverberg proposed the first hierarchical identity-based signature scheme from bilinear pairings, but the security is not formally proved [5] . Since then, Chow et al. proposed the first provably secure hierarchical identity-based signature scheme from bilinear pairings [6] . However, these schemes are not resistant to quantum analysis [7] .
So far, lattice-based cryptography is believed to be resistant to quantum analysis. Lattice-based cryptography is also asymptotically efficient because it requires only linear operations.
In 2010, Ruckert proposed two binary tree signature 1 schemes from lattices, but both of them increase the size of the signatures by the level of hierarchy [8] . In 2012 & 2013, Tian et al. and Liu et al. proposed hierarchical identity-based signature schemes from lattices, but their schemes are insecure against adaptive identity attacks [9] [10] . In 2013, Tian et al. proposed another hierarchical identity-based signature scheme from lattices [11] . In Tian et al.'s hierarchical identity-based signature scheme, however, the size of signatures depends on both the security parameter and the dimension of the lattices. We compare our scheme and existing hierarchical identity-based signature schemes from lattices in Table 1 . The size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices.
Comparison of security and efficiency
PPT Slide
Lager Image
Comparison of security and efficiency
ROM means the scheme is probably secure in the random oracle model and STM means the scheme is probably secure in the standard model. DoS is the dimension of the signatures, n is the security parameter, m is the dimension of the lattices, l is the depth of the identities, and h is the bit length of the hash values for messages. SI means the scheme is secure against selective identity attacks and AI means the scheme is secure against adaptive identity attacks. BTS means the scheme is a binary tree signature scheme and HIBS means the scheme is a hierarchical identity-based signature scheme.
- 1.1 Our Contribution
In this paper, we propose a hierarchical identity-based signature scheme from lattices. Our scheme is adaptively secure and the size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices. Our scheme is motivated by Gentry et al.'s signature scheme and Agrawal et al.'s hierarchical identity-based encryption scheme [12] [13] . The security of our scheme is based on the SIS problem on lattices in the random oracle model.
- 1.2 Organization
The remainder of this paper is organized as follows: Some preliminaries such as the properties of the lattices and the definitions for hierarchical identity-based signatures are presented in Section 2. Our hierarchical identity-based signature scheme is given in Section 3. We analyze our hierarchical identity-based signature scheme in Section 4. Finally, Section 5 draws the conclusion.
Binary tree signature is the special case of hierarchical identity-based signature with identity space {0,1}.
2. Preliminaries
- 2.1 Notations
We let Z and R denote the integers and the real numbers, respectively. For any positive integer q ≥2 , we let Z q denote the ring of integers modulo q . For any positive integer k , we let [ k ]={1,⋯, k } . We use upper-case letters (e.g., A ) to denote matrices and lower-case letters (e.g., v ) to denote vectors. We let 0 denote a zero vector.
We let ║ v ║ denote the Euclidean norm of v . We let
PPT Slide
Lager Image
denote the Gram-Schmidt orthogonalization of S . The statistical distance between two distributions X and Y over a countable domain D is
PPT Slide
Lager Image
. If v is chosen uniformly at random from D , we denote v ←D .
We use standard big- O notation. For sufficiently large n , if f ( n ) is smaller than all polynomial fractions, then we say that a function f :R + →R + is negligible. Pr[an event] is the probability that the event occurs.
- 2.2 Lattices
First, we define m -dimensional full-rank integer lattices. An m -dimensional full-rank integer lattice Λ for m linearly independent basis vectors B ={ b 1 ,⋯, b m }⊂Z m is defind as follows:
PPT Slide
Lager Image
We define the dual lattice Λ * of Λ as follows:
PPT Slide
Lager Image
In this paper, we use an m -dimensional q -ary integer lattice which is one of m -dimensional full-rank integer lattices. Let n ≥1 and q ≥2 be positive integers. An m -dimensional q -ary integer lattice Λ ( A ) for a uniformly random matrix
PPT Slide
Lager Image
is defined as follows:
PPT Slide
Lager Image
We define the coset
PPT Slide
Lager Image
of Λ ( A ) for syndrome
PPT Slide
Lager Image
as follows:
PPT Slide
Lager Image
- 2.2.1 Hard Problems
We define the SIS (short integer solution) problem which is used to analyze the security of our construction.
Definition 2.1. An instance of the SIS q,β problem is a uniformly random matrix
PPT Slide
Lager Image
Then, the SIS q,β problem is to find a non-zero vector z ∈Z m such that
PPT Slide
Lager Image
and ║ z ║≤ β .
In case of
PPT Slide
Lager Image
the classic average-case SIS q,β problem is reduced to the worst-case SIVP (shortest independent vectors problem) [12] [14] [15] .
- 2.2.2 Gaussian Distributions
We recall Gaussian distributions [12] [15] .
Definition 2.2. For any positive integer s ∈R , a Gaussian function ρs with center 0 is defined as follows:
PPT Slide
Lager Image
Definition 2.3. Let Λ⊂Z m be an m -dimensional full-rank integer lattice. For any positive integer s ∈R, the discrete integral of ρs over Λ is defined as follows:
PPT Slide
Lager Image
Definition 2.4. Let Λ⊂Z m be an m -dimensional full-rank integer lattice. For any positive integer s ∈R and all x ∈Λ , discrete Gaussian distribution over Λ with center 0 is defined as follows:
PPT Slide
Lager Image
Definition 2.5. Let Λ⊂Z m be an m -dimensional full-rank integer lattice and Λ * a dual lattice of Λ. For any positive real number ε ∈R , a Gaussian parameter ηε (Λ) is the smallest s such that ρ 1/s * \{0})≤ ε .
  • Next, we recall the following useful facts.
Fact 2.1 [12] [15] [16] . Let S ∈ Z m×m be a basis for Λ ( A ) and
PPT Slide
Lager Image
a uniformly random matrix. For any
PPT Slide
Lager Image
and any syndrom
PPT Slide
Lager Image
, the probability that
PPT Slide
Lager Image
is negligible for n , where
PPT Slide
Lager Image
Fact 2.2 [12] [15] [16] . Let S ∈ Z m×m be a basis for Λ ( A ) and
PPT Slide
Lager Image
a uniformly random matrix. For any
PPT Slide
Lager Image
, the probability that x is a zero vector is negligible for n , where x ←D Λ(A),s .
Fact 2.3 [13] [17] . Let
PPT Slide
Lager Image
be a uniformly random matrix, q a prime, and
PPT Slide
Lager Image
a Z q -invertible matrix. For any
PPT Slide
Lager Image
, two matrices
PPT Slide
Lager Image
and
PPT Slide
Lager Image
are also uniformly random.
- 2.2.3 Basic Algorithms
We review basic algorithms which are used to construct our construction and to analyze the security of our construction.
Lemma 2.1 [18] . For positive integers n ≥1 , q ≥2 , and m = O ( n log q ) , a probabilistic polynomial time algorithm BasisGen(1 n ,1 m , q ) outputs a pair
PPT Slide
Lager Image
of a uniformly random matrix anda short basic for Λ ( A ) such that
PPT Slide
Lager Image
Lemma 2.2 [13] . Let
PPT Slide
Lager Image
be a uniformly random matrix, S ∈ Z m×m a basis for Λ ( A ) , and
PPT Slide
Lager Image
a Z q -invertible matrix. For any
PPT Slide
Lager Image
, a probabilistic polynomial time algorithm BasisDel( A , R , S , s ) outputs a basis S Z m×m for Λ ( B ) such that
PPT Slide
Lager Image
, where
PPT Slide
Lager Image
.
Lemma 2.3 [12] . Let m be a positive integer. For any Gaussian parameter s , a probabilistic polynomial time algorithm SampleDom(1 m , s ) outputs a vector
PPT Slide
Lager Image
.
Lemma 2.4 [12] . Let
PPT Slide
Lager Image
be a uniformly random matrix, S Z m×m a basic for Λ ( A ) , and
PPT Slide
Lager Image
a syndrome. For any
PPT Slide
Lager Image
a probabilistic polynomial time algorithm SampleD( A , S , u , s ) outputs a vector
PPT Slide
Lager Image
.
Lemma 2.5 [13] . Let m be a positive integer. For any
PPT Slide
Lager Image
, a probabilistic polynomial time algorithm SampleR(1 m , s ) outputs a Z q -invertible matrix
PPT Slide
Lager Image
.
Lemma 2.6 [13] . Let
PPT Slide
Lager Image
be a uniformly random matrix. For any
PPT Slide
Lager Image
, a probabilistic polynomial time algorithm SampleRwithBasis( A , s ) outputs a Z q -invertible matrix
PPT Slide
Lager Image
and a short basis SB ∈ Z m×m for Λ ( A ) such that
PPT Slide
Lager Image
, where
PPT Slide
Lager Image
.
- 2.3 Definitions for Hierarchical Identity-based Signatures
We define hierarchical identity-based signatures. A hierarchical identity-based signature scheme HIBS= {HIBS.Setup,HIBS.Extract,HIBS.Sign,HIBS.Vrfy} is defined as follows:
  • HIBS.Setup(1n,1d) : On input of a security parameternand the maximum hierarchy depthd, this algorithm outputs a set params of public parameters and a master secret key msk .
  • HIBS.Extract(params,,id) : On input of a set params of public parameters, a secret keyof a parent identity, and a child identity id = (id1, ⋯, idl, ⋯, idc) , this algorithm outputs a secret keyskidof id . In case ofl=0 ,.
  • HIBS.Sign(params,id,skid,m) : On input of a set params of public parameters, an identity id with its secret keyskid, and a message m , this algorithm outputs a signatureσ.
  • HIBS.Vrfy(params,id,m,σ) : On input of a set params of public parameters, an identity id , a message m , and a signatureσ, this algorithm outputs 1 ifσis valid and 0 otherwise.
Correctness. A hierarchical identity-based signature scheme HIBS is correct if, for any valid signature σ on any message m corresponding to any identity id , the HIBS.Vrfy(params,id,m, σ ) algorithm outputs 1 with an overwhelming probability.
Unforgeability. A hierarchical identity-based signature scheme HIBS is strongly unforgeable under chosen message and adaptive identity attacks if, in the following game
PPT Slide
Lager Image
for a forger F , the advantage
PPT Slide
Lager Image
of F is negligible.
  • Setup: F is given params , where (params,msk)←HIBS.Setup(1n,1d) . Note that params is a set of public parameters and msk is a master secret key.
  • Extract queries: F queries an identity idi, adaptively. Then, F receives a secret keyof idi.
  • Sign queries: F queries an identity idiand a message mi, adaptively. Then, F receives a signatureσi←HIBS.Sign(params,idσi,, mi) .
  • Output: F outputs (id*,m*,σ*) such that
  • - for alli, idiis not a prefix of id*in theExtract queriesand
  • - σ*is not made for (id*,m*) through theSign queries.
If the HIBS.Vrfy(params,id * ,m * * ) algorithm outputs 1 , F wins the game
PPT Slide
Lager Image
.
The advantage
PPT Slide
Lager Image
of F is defined as follows:
PPT Slide
Lager Image
3. Our Construction
We propose an adaptively secure hierarchical identity-based signature scheme SHIBS without increasing the dimension of the signatures. Our construction SHIBS uses the following parameters:
  • n≥1 is a security parameter.
  • m=O(nlogq) is the dimension of the lattices.
  • is a positive integer.
  • d≥1 is the maximum hierarchy depth.2
  • The followings are Gaussian parameters:
PPT Slide
Lager Image
PPT Slide
Lager Image
PPT Slide
Lager Image
PPT Slide
Lager Image
In our construction SHIBS , a message space is {0,1} k . Then, our construction SHIBS= {SHIBS.Setup,SHIBS.Extract,SHIBS.Sign,SHIBS.Vrfy} consists of the following algorithms:
  • SHIBS.Setup(1n,1d): On input of a security parameternand the maximum hierarchy depthd:
  • - Run the BasisGen(1n,1m,q) algorithm to obtain a pairof a uniformly random matrix and a short basis for Λ⊥(A)
  • - Choose two hash functions H1:{0,1}*→ DZm×m,sand, where the hash values of H1are Zq-invertible[13][19].
  • - Output a set params = (A,H1,H2)of public parameters and a master secret key msk =S.
  • SHIBS.Extract(params,, id) : On input of a set params of public parameters, a secret keyof a parent identity, and a child identity id =(id1,⋯,idl,⋯,idc):
  • - Computeand. In case of l=0 ,and
  • - Computeand
  • - Run the BasisDelalgorithm to obtain a short basisS'∈Zm×mfor Λ⊥(Fid) , whereis a short basis for
  • - Output a secret keyskid=S'of id .
  • SHIBS.Sign(params,id,skid,m) : On input of a set params of public parameters, an identity id at depth |id|=lwith its secret keyskid, and a messagem∈{0,1}k:
  • - Compute
  • - Computeand.
  • - Run the SampleDalgorithm to obtain a vectorwhereskidis a short basis for Λ⊥(Fid) .
  • - Output a signatureσ
  • SHIBS.Vrfy(params,id,m,σ) : On input of a set params of public parameters, an identity id at depth |id|=l, a messagem∈{0,1}k, and a signatureσ:
  • - Computeand.
  • - Output 1, ifand. Otherwise, output 0 .
In case of d=1, we call it an identity-based signature scheme IBS instead of HIBS
4. Analysis
- 4.1 Correctness
We show that our construction SHIBS is correct.
Theorem 4.1. Our hierarchical identity-based signature scheme SHIBS is correct.
Proof of Theorem 4.1. Suppose |id|= i . The SHIBS.Extract(params, sk id ,id) algorithm can generate a short basis sk id for Λ ( F id ) . Then, the id SHIBS.Sign(params,id, sk id ,m) algorithm can sample
PPT Slide
Lager Image
such that
PPT Slide
Lager Image
and
PPT Slide
Lager Image
with an overwhelming probability using the SampleD
PPT Slide
Lager Image
algorithm. Therefore, our hierarchical identity-based signature scheme SHIBS is correct.
- 4.2 Unforgeability
We show that our construction SHIBS is strongly unforgeable under chosen message and adaptive identity attacks.
Theorem 4.2. In the random oracle model [20] , our hierarchical identity-based signature scheme SHIBS is strongly unforgeable under chosen message and adaptive identity attacks if the SIS q,β problem for
PPT Slide
Lager Image
is hard.
Proof of Theorem 4.2. Suppose the hash functions H 1 and H 2 are random oracles controlled by an algorithm A . Then, our construction SHIBS is strongly unforgeable under chosen essage and adaptive identity attacks assuming the SIS q,β problem for
PPT Slide
Lager Image
is hard. That is, if there exists a forger F mounting strong forgery attacks on SHIBS , then we can construct A solving the
PPT Slide
Lager Image
. A simulates the strong unforgeability game for F as follows:
  • Setup: A takes an instanceof the SISq,βproblem as an input. A proceeds as follows:
  • - A choosesdpositive integers. Suppose F sends at mostidentities to A in the H1queriesat each depth of the hierarchy.
  • - A runs the SampleR(1m,s) algorithmdtimes to obtaindmatrices.
  • - A chooses a positive integerw←[d] .
  • - A computesNote thatis uniformly random byFact 2.3.
  • - A sends params =Ato F .
  • H1queries: After receiving theq-th identity id = (id1,⋯,idi) from F , A proceeds as follows:
  • - IfA setsand sends H1(id) to F .
  • - Otherwise, A computes. In case ofi=1, A setsAi=A. A runs the SampleRwithBasis(Ai,s) algorithm to obtain a matrixand a short basisSB∈ Zm×mfor Λ⊥(A) , where. A set H1(id)=R, send H1(id)=Rto F , and adds a tuple (i,id,R,B,SB) to the H1list.
  • H2queries: After receiving thei-th message miof to A from F , A proceeds as follows:
  • - A runs the SampleDom(1m,s) algorithm to obtain a vector, computes, sendhito F, and adds a tuple (mi,vi,hi) to the H2list.
  • Extract queries: After receiving an identity id = (id1,⋯,idc) at depth |id|=cfrom F , A proceeds as follows:
  • - We assume that all prefixes of id already appears on the H1list. Otherwise, A sends the others to the H1queries.
  • - A findsj∈[c] which is the shallowest level such thatIn case ofj∉[c], A aborts.
  • - A looks upin the H1list, whereandSBis a short basis for Λ⊥(b)
If j = c , A sets sk id = SB . Otherwise, A runs the SHIBS.Extract(params, SB ,id) algorithm to obtain a secret key sk id of to id .
  • - A sendsskidto F .
  • Sign queries: After receiving an identity id = (id1,⋯,idc) at depth |id|=cand a message mi, from F, A proceeds as follows:
  • - If for allj∈[c],, A looks up(mi,vi,hi) in the H2list. If midoes not appear on the H2list, A sends mi to the H2queries. A computesand sendsσi
  • - Otherwise, A sends id to theExtract queriesto obtainskid, run the SHIBS.Sign(params,id,skid,mi) algorithm to obtainσi, and sendsσi.
  • Output: Assume that F outputs (id*,m*,σ*) .
  • - In case ofw≠|id*|, A aborts. Note that the probability ofw≠|id*| issincewis randomly selected from [d] .
  • - A findsj∈[w] which is the shallowest level such that. In case ofj∈[w], A aborts. Note that the probability of.
  • - A outputsas a solution to the SISq,βproblem.
We can assume that (m i =m * , vi , hi = H 2 (m * )) is in the H 2 list. Then, z is a solution to the SIS q,β problem, because
PPT Slide
Lager Image
where
PPT Slide
Lager Image
and
PPT Slide
Lager Image
To reduce the SIS problem to the SIVP , we set q as follows:
PPT Slide
Lager Image
The advantage
PPT Slide
Lager Image
of F is computed as follow:
PPT Slide
Lager Image
5. Conclusion
In this paper, we have proposed a hierarchical identity-based signature scheme from lattices. Our scheme is adaptively secure and the size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices. We proved the security of our scheme based on the SIS problem on lattices in the random oracle model. The question of constructing an adaptively secure hierarchical identity-based signature scheme from lattices without increasing the dimension of the signatures in the standard model still remains open.
BIO
Geontae Noh received the B.S. degree in Industrial Systems and Information Engineering from Korea University, Seoul, Korea, in 2008. He received the M.S. degree in Information Management and Security from Korea University, Seoul, Korea, in 2010. Currently, he is Ph.D. course in the Graduate School of Information Security, Korea University, Seoul, Korea. His research interests include cryptographic protocols, lattice-based cryptosystem, and privacy-preserving technologies.
Ik Rae Jeong received the B.S. and M.S. degrees in Computer Science from Korea University, Korea, in 1998 and 2000, respectively. He received the Ph.D. degree in Information Security from Korea University in 2004. From June 2006 to Feb. 2008, he was a senior engineer at ETRI (Electronics and Telecommunications Research Institute) in Korea. Currently, he is a member of the faculty in the Graduate School of Information Security, Korea University, Seoul, Korea. His current research areas include cryptography and theoretical computer science and Cryptology (ICISC 2005). His research interests are on cryptology and information security.
References
Shamir Adi 1985 “Identity-based cryptosystems and signature schemes” in Proc. of Advances in Cryptology - Crypto 1984, LNCS 0196 August 19-22 Article (CrossRef Link) 47 - 53
Hess Florian 2002 “Efficient identity based signature schemes based on pairings” in Proc. of 9th Annual International Workshop on Selected Areas in Cryptology - SAC 2002, LNCS 2595 August 15-16 Article (CrossRef Link) 310 - 324
Jae Choon Cha , Jung Hee Cheon 2002 “An identity-based signature from gap Diffie-Hellman groups” in Proc. of 6th International Workshop on Theory and Practice in Public Key Cryptography - PKC 2003, LNCS 2567 January 6-8 Article (CrossRef Link) 18 - 30
Barreto Paulo S. L. M. , Libert Benoit , McCullagh Noel , Quisquat Jean-Jacques 2005 “Efficient and provably-secure identity-based signatures and signcryption from bilinear maps” in Proc. of Advances in Cryptology - Asiacrypt 2005, LNCS 3788 December 4-8 Article (CrossRef Link) 513 - 532
Gentry Craig , Silverberg Alice 2002 “Hierarchical ID-based cryptography” in Proc. of Advances in Cryptology - Asiacrypt 2002, LNCS 2501 December 1-5 Article (CrossRef Link) 548 - 566
Chow Sherman S.M. , Hui Lucas C.K. , Yiu Siu Ming , Chow K.P. 2004 “Secure hierarchical identity based signature and its application” in Proc. of 6th International Conference on Information and Communications Security - ICICS 2004, LNCS 3269 October 27-29 Article (CrossRef Link) 480 - 494
Shor Peter W. 1997 “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer” SIAM Journal on Computing Article (CrossRef Link) 26 (5) 1484 - 1509    DOI : 10.1137/S0097539795293172
Ruckert Markus 2010 “Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles” in Proc. of Third International Workshop on Post-quantum Cryptography - PQCrypto 2010, LNCS 6061 May 25-28 Article (CrossRef Link) 182 - 200
Tian Miaomiao , Huang Liusheng , Yang Wei 2012 “A new hierarchical identity-based signature scheme from lattices in the standard model” International Journal of Network Security Article (CrossRef Link) 14 (6) 310 - 315
Liu Zhenhua , Hu Yupu , Zhang Xiangsong , Li Fagen 2013 “Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model” Security and Communication Networks Article (CrossRef Link) 6 (1) 69 - 77    DOI : 10.1002/sec.531
Tian Miaomiao , Huang Liusheng , Yang Wei 2013 “Efficient hierarchical identity-based signatures from lattices” International Journal of Electronic Security and Digital Forensics Article (CrossRef Link) 5 (1) 1 - 10    DOI : 10.1504/IJESDF.2013.054403
Gentry Craig , Peikert Chris , Vaikuntanathan Vinod 2008 “Trapdoors for hard lattices and new cryptographic constructions” in Proc. of 40th Annual ACM Symposium on Theory of Computing - STOC 2008 May 17-20 Article (CrossRef Link) 197 - 206
Agrawal Shweta , Boneh Dan , Boyen Xavier 2010 “Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE” in Proc. of Advances in Cryptology - Crypto 2010, LNCS 6223 August 15-19 Article (CrossRef Link) 98 - 115
Ajtai Miklos 1996 “Generating hard instances of lattice problems” in Proc. of 28th ACM Symposium on the Theory of Computing -STOC 1996 May 22-24 Article (CrossRef Link) 99 - 108
Micciancio Daniele , Regev Oded 2007 “Worst-case to average-case reductions based on Gaussian measures” SIAM Journal on Computing Article (CrossRef Link) 37 (1) 267 - 302    DOI : 10.1137/S0097539705447360
Peikert Chris , Rosen Alon 2006 “Efficient collision-resistant hashing from worst-case assumptions on cyclic lattcies” in Proc. of 3rd Theory of Cryptography Conference - TCC 2006, LNCS 3876 March 4-7 Article (CrossRef Link) 145 - 166
Boyen Xavier 2010 “Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more” in Proc. of 13th International Conference on Practice and Theory in Public Key Cryptography - PKC 2010, LNCS 6056 May 26-28 Article (CrossRef Link) 499 - 517
Alwen J Joel , Peikert Chris 2011 “Generating shorter bases for hard random lattices” Theory of Computing Systems Article (CrossRef Link) 48 (3) 535 - 553    DOI : 10.1007/s00224-010-9278-3
Cash David , Hofheinz Dennis , Kiltz Eike , Peikert Chris 2010 “Bonsai trees, or how to delegate a lattice basis” in Proc. of Advances in Cryptology - Eurocrypt 2010, LNCS 6110 May 30-June 3 Article (CrossRef Link) 523 - 552
Bellare Mihir , Rogaway Phillip 1993 “Random oracles are practical: A paradigm for designing efficient protocols” in Proc. of 1st ACM Conference on Computer and Communications Security CCS 1993 November 3-5 Article (CrossRef Link) 62 - 73