Scalable Hierarchical Identity-based Signature Scheme from Lattices

KSII Transactions on Internet and Information Systems (TIIS).
2013.
Dec,
7(12):
3261-3273

- Received : August 17, 2013
- Accepted : November 20, 2013
- Published : December 30, 2013

Download

PDF

e-PUB

PubReader

PPT

Export by style

Share

Article

Metrics

Cited by

TagCloud

In the paper, we propose a novel adaptively secure hierarchical identity-based signature scheme from lattices. The size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices. Our scheme is motivated by Gentry et al.'s signature scheme and Agrawal et al.'s hierarchical identity-based encryption scheme.
I
n 1984, Shamir introduced the concept of identity-based cryptography and proposed an identity-based signature scheme
[1]
. In an identity-based signature scheme, a trusted third party, called KGC (key generation center), only issues a signer's secret key, because the signer's public key is the signer's identity such as an email address and a phone number related to the signer. That is, the public key distribution problem (or the certification management problem) is eliminated. When a verifier wants to verify a signature, therefore, the verifier does not need to ask the KGC for the signer's public key, because the verifier can easily deduce the signer's public key from the signer's identity. Actually, many identity-based signature schemes have been studied
[2]
[3]
[4]
.
The concept of hierarchical identity-based signatures is the hierarchical extension of identity-based signatures. Like an identity-based signature scheme, the KGC issues a signer's secret key. In addition, the signer can delegate the secret keys of the signer's child identities in an identity hierarchy using its own secret key.
In 2002, Gentry and Silverberg proposed the first hierarchical identity-based signature scheme from bilinear pairings, but the security is not formally proved
[5]
. Since then, Chow et al. proposed the first provably secure hierarchical identity-based signature scheme from bilinear pairings
[6]
. However, these schemes are not resistant to quantum analysis
[7]
.
So far, lattice-based cryptography is believed to be resistant to quantum analysis. Lattice-based cryptography is also asymptotically efficient because it requires only linear operations.
In 2010, Ruckert proposed two binary tree signature
1
schemes from lattices, but both of them increase the size of the signatures by the level of hierarchy
[8]
. In 2012 & 2013, Tian et al. and Liu et al. proposed hierarchical identity-based signature schemes from lattices, but their schemes are insecure against adaptive identity attacks
[9]
[10]
. In 2013, Tian et al. proposed another hierarchical identity-based signature scheme from lattices
[11]
. In Tian et al.'s hierarchical identity-based signature scheme, however, the size of signatures depends on both the security parameter and the dimension of the lattices. We compare our scheme and existing hierarchical identity-based signature schemes from lattices in
Table 1
. The size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices.
Comparison of security and efficiency
ROM means the scheme is probably secure in the random oracle model and STM means the scheme is probably secure in the standard model. DoS is the dimension of the signatures,
n
is the security parameter,
m
is the dimension of the lattices,
l
is the depth of the identities, and
h
is the bit length of the hash values for messages. SI means the scheme is secure against selective identity attacks and AI means the scheme is secure against adaptive identity attacks. BTS means the scheme is a binary tree signature scheme and HIBS means the scheme is a hierarchical identity-based signature scheme.
1 Binary tree signature is the special case of hierarchical identity-based signature with identity space {0,1}.
q
≥2 , we let Z
_{q}
denote the ring of integers modulo
q
. For any positive integer
k
, we let [
k
]={1,⋯,
k
} . We use upper-case letters (e.g.,
A
) to denote matrices and lower-case letters (e.g.,
v
) to denote vectors. We let 0 denote a zero vector.
We let ║
v
║ denote the Euclidean norm of
v
. We let
denote the Gram-Schmidt orthogonalization of
S
. The statistical distance between two distributions
X
and
Y
over a countable domain D is
. If
v
is chosen uniformly at random from D , we denote
v
←D .
We use standard big-
O
notation. For sufficiently large
n
, if
f
(
n
) is smaller than all polynomial fractions, then we say that a function
f
:R
^{+}
→R
^{+}
is negligible. Pr[an event] is the probability that the event occurs.
m
-dimensional full-rank integer lattices. An
m
-dimensional full-rank integer lattice Λ for
m
linearly independent basis vectors
B
={
b
_{1}
,⋯,
b
_{m}
}⊂Z
^{m}
is defind as follows:
We define the dual lattice Λ
^{*}
of Λ as follows:
In this paper, we use an
m
-dimensional
q
-ary integer lattice which is one of
m
-dimensional full-rank integer lattices. Let
n
≥1 and
q
≥2 be positive integers. An
m
-dimensional
q
-ary integer lattice Λ
^{⊥}
(
A
) for a uniformly random matrix
is defined as follows:
We define the coset
of Λ
^{⊥}
(
A
) for syndrome
as follows:
Definition 2.1.
An instance of the SIS
_{q,β}
problem is a uniformly random matrix
Then, the SIS
_{q,β}
problem is to find a non-zero vector
z
∈Z
^{m}
such that
and ║
z
║≤
β
.
In case of
the classic average-case SIS
_{q,β}
problem is reduced to the worst-case SIVP (shortest independent vectors problem)
[12]
[14]
[15]
.
Definition 2.2.
For any positive integer
s
∈R , a Gaussian function
ρ_{s}
with center 0 is defined as follows:
Definition 2.3.
Let Λ⊂Z
^{m}
be an
m
-dimensional full-rank integer lattice. For any positive integer
s
∈R, the discrete integral of
ρ_{s}
over Λ is defined as follows:
Definition 2.4.
Let Λ⊂Z
^{m}
be an
m
-dimensional full-rank integer lattice. For any positive integer
s
∈R and all
x
∈Λ , discrete Gaussian distribution over Λ with center 0 is defined as follows:
Definition 2.5.
Let Λ⊂Z
^{m}
be an
m
-dimensional full-rank integer lattice and Λ
^{*}
a dual lattice of Λ. For any positive real number
ε
∈R , a Gaussian parameter
η_{ε}
(Λ) is the smallest
s
such that
ρ
_{1/s}
(Λ
^{*}
＼{0})≤
ε
.
Fact 2.1
[12]
[15]
[16]
. Let
S
∈ Z
^{m×m}
be a basis for Λ
^{⊥}
(
A
) and
a uniformly random matrix. For any
and any syndrom
, the probability that
is negligible for
n
, where
Fact 2.2
[12]
[15]
[16]
. Let
S
∈ Z
^{m×m}
be a basis for Λ
^{⊥}
(
A
) and
a uniformly random matrix. For any
, the probability that
x
is a zero vector is negligible for
n
, where
x
←D
_{Λ⊥(A),s}
.
Fact 2.3
[13]
[17]
. Let
be a uniformly random matrix,
q
a prime, and
a Z
_{q}
-invertible matrix. For any
, two matrices
and
are also uniformly random.
Lemma 2.1
[18]
. For positive integers
n
≥1 ,
q
≥2 , and
m
=
O
(
n
log
q
) , a probabilistic polynomial time algorithm BasisGen(1
^{n}
,1
^{m}
,
q
) outputs a pair
of a uniformly random matrix anda short basic for Λ
^{⊥}
(
A
) such that
Lemma 2.2
[13]
. Let
be a uniformly random matrix,
S
∈ Z
^{m×m}
a basis for Λ
^{⊥}
(
A
) , and
a Z
_{q}
-invertible matrix. For any
, a probabilistic polynomial time algorithm BasisDel(
A
,
R
,
S
,
s
) outputs a basis
S
∈
Z
^{m×m}
for Λ
^{⊥}
(
B
) such that
, where
.
Lemma 2.3
[12]
. Let
m
be a positive integer. For any Gaussian parameter
s
, a probabilistic polynomial time algorithm SampleDom(1
^{m}
,
s
) outputs a vector
.
Lemma 2.4
[12]
. Let
be a uniformly random matrix,
S
∈
Z
^{m×m}
a basic for Λ
^{⊥}
(
A
) , and
a syndrome. For any
a probabilistic polynomial time algorithm SampleD(
A
,
S
,
u
,
s
) outputs a vector
.
Lemma 2.5
[13]
. Let
m
be a positive integer. For any
, a probabilistic polynomial time algorithm SampleR(1
^{m}
,
s
) outputs a Z
_{q}
-invertible matrix
.
Lemma 2.6
[13]
. Let
be a uniformly random matrix. For any
, a probabilistic polynomial time algorithm SampleRwithBasis(
A
,
s
) outputs a Z
_{q}
-invertible matrix
and a short basis
S_{B}
∈ Z
^{m×m}
for Λ
^{⊥}
(
A
) such that
, where
.
Correctness.
A hierarchical identity-based signature scheme HIBS is correct if, for any valid signature
σ
on any message m corresponding to any identity id , the HIBS.Vrfy(params,id,m,
σ
) algorithm outputs 1 with an overwhelming probability.
Unforgeability.
A hierarchical identity-based signature scheme HIBS is strongly unforgeable under chosen message and adaptive identity attacks if, in the following game
for a forger F , the advantage
of F is negligible.
If the HIBS.Vrfy(params,id
^{*}
,m
^{*}
,σ
^{*}
) algorithm outputs 1 , F wins the game
.
The advantage
of F is defined as follows:
In our construction SHIBS , a message space is {0,1}
^{k}
. Then, our construction SHIBS= {SHIBS.Setup,SHIBS.Extract,SHIBS.Sign,SHIBS.Vrfy} consists of the following algorithms:
2 In case of d =1, we call it an identity-based signature scheme IBS instead of HIBS
Theorem 4.1.
Our hierarchical identity-based signature scheme SHIBS is correct.
Proof of Theorem 4.1.
Suppose |id|=
i
. The SHIBS.Extract(params,
sk
_{id}
,id) algorithm can generate a short basis
sk
_{id}
for Λ
^{⊥}
(
F
_{id}
) . Then, the id SHIBS.Sign(params,id,
sk
_{id}
,m) algorithm can sample
such that
and
with an overwhelming probability using the SampleD
algorithm. Therefore, our hierarchical identity-based signature scheme SHIBS is correct.
Theorem 4.2.
In the random oracle model
[20]
, our hierarchical identity-based signature scheme SHIBS is strongly unforgeable under chosen message and adaptive identity attacks if the SIS
_{q,β}
problem for
is hard.
Proof of Theorem 4.2.
Suppose the hash functions H
_{1}
and H
_{2}
are random oracles controlled by an algorithm A . Then, our construction SHIBS is strongly unforgeable under chosen essage and adaptive identity attacks assuming the SIS
_{q,β}
problem for
is hard. That is, if there exists a forger F mounting strong forgery attacks on SHIBS , then we can construct A solving the
. A simulates the strong unforgeability game for F as follows:
If
j
=
c
, A sets
sk
_{id}
=
S_{B}
. Otherwise, A runs the SHIBS.Extract(params,
S_{B}
,id) algorithm to obtain a secret key
sk
_{id}
of to id .
We can assume that (m
_{i}
=m
^{*}
,
v_{i}
,
h_{i}
= H
_{2}
(m
^{*}
)) is in the H
_{2}
list. Then,
z
is a solution to the SIS
_{q,β}
problem, because
where
and
To reduce the SIS problem to the SIVP , we set
q
as follows:
The advantage
of F is computed as follow:
Geontae Noh received the B.S. degree in Industrial Systems and Information Engineering from Korea University, Seoul, Korea, in 2008. He received the M.S. degree in Information Management and Security from Korea University, Seoul, Korea, in 2010. Currently, he is Ph.D. course in the Graduate School of Information Security, Korea University, Seoul, Korea. His research interests include cryptographic protocols, lattice-based cryptosystem, and privacy-preserving technologies.
Ik Rae Jeong received the B.S. and M.S. degrees in Computer Science from Korea University, Korea, in 1998 and 2000, respectively. He received the Ph.D. degree in Information Security from Korea University in 2004. From June 2006 to Feb. 2008, he was a senior engineer at ETRI (Electronics and Telecommunications Research Institute) in Korea. Currently, he is a member of the faculty in the Graduate School of Information Security, Korea University, Seoul, Korea. His current research areas include cryptography and theoretical computer science and Cryptology (ICISC 2005). His research interests are on cryptology and information security.

Hierarchical identity-based signatures
;
adaptive identity security
;
strong unforgeability
;
lattice-based cryptography
;
provable security

1. Introduction

Comparison of security and efficiency

PPT Slide

Lager Image

- 1.1 Our Contribution

In this paper, we propose a hierarchical identity-based signature scheme from lattices. Our scheme is adaptively secure and the size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices. Our scheme is motivated by Gentry et al.'s signature scheme and Agrawal et al.'s hierarchical identity-based encryption scheme
[12]
[13]
. The security of our scheme is based on the SIS problem on lattices in the random oracle model.
- 1.2 Organization

The remainder of this paper is organized as follows: Some preliminaries such as the properties of the lattices and the definitions for hierarchical identity-based signatures are presented in Section 2. Our hierarchical identity-based signature scheme is given in Section 3. We analyze our hierarchical identity-based signature scheme in Section 4. Finally, Section 5 draws the conclusion.
2. Preliminaries

- 2.1 Notations

We let Z and R denote the integers and the real numbers, respectively. For any positive integer
PPT Slide

Lager Image

PPT Slide

Lager Image

- 2.2 Lattices

First, we define
PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- 2.2.1 Hard Problems

We define the SIS (short integer solution) problem which is used to analyze the security of our construction.
PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- 2.2.2 Gaussian Distributions

We recall Gaussian distributions
[12]
[15]
.
PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- Next, we recall the following useful facts.

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- 2.2.3 Basic Algorithms

We review basic algorithms which are used to construct our construction and to analyze the security of our construction.
PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- 2.3 Definitions for Hierarchical Identity-based Signatures

We define hierarchical identity-based signatures. A hierarchical identity-based signature scheme HIBS= {HIBS.Setup,HIBS.Extract,HIBS.Sign,HIBS.Vrfy} is defined as follows:
- HIBS.Setup(1n,1d) : On input of a security parameternand the maximum hierarchy depthd, this algorithm outputs a set params of public parameters and a master secret key msk .
- HIBS.Extract(params,,id) : On input of a set params of public parameters, a secret keyof a parent identity, and a child identity id = (id1, ⋯, idl, ⋯, idc) , this algorithm outputs a secret keyskidof id . In case ofl=0 ,.
- HIBS.Sign(params,id,skid,m) : On input of a set params of public parameters, an identity id with its secret keyskid, and a message m , this algorithm outputs a signatureσ.
- HIBS.Vrfy(params,id,m,σ) : On input of a set params of public parameters, an identity id , a message m , and a signatureσ, this algorithm outputs 1 ifσis valid and 0 otherwise.

PPT Slide

Lager Image

PPT Slide

Lager Image

- Setup: F is given params , where (params,msk)←HIBS.Setup(1n,1d) . Note that params is a set of public parameters and msk is a master secret key.
- Extract queries: F queries an identity idi, adaptively. Then, F receives a secret keyof idi.
- Sign queries: F queries an identity idiand a message mi, adaptively. Then, F receives a signatureσi←HIBS.Sign(params,idσi,, mi) .
- Output: F outputs (id*,m*,σ*) such that

- - for alli, idiis not a prefix of id*in theExtract queriesand
- - σ*is not made for (id*,m*) through theSign queries.

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

3. Our Construction

We propose an adaptively secure hierarchical identity-based signature scheme SHIBS without increasing the dimension of the signatures. Our construction SHIBS uses the following parameters:
- n≥1 is a security parameter.
- m=O(nlogq) is the dimension of the lattices.
- is a positive integer.
- d≥1 is the maximum hierarchy depth.2
- The followings are Gaussian parameters:

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- SHIBS.Setup(1n,1d): On input of a security parameternand the maximum hierarchy depthd:

- - Run the BasisGen(1n,1m,q) algorithm to obtain a pairof a uniformly random matrix and a short basis for Λ⊥(A)
- - Choose two hash functions H1:{0,1}*→ DZm×m,sand, where the hash values of H1are Zq-invertible[13][19].
- - Output a set params = (A,H1,H2)of public parameters and a master secret key msk =S.

- SHIBS.Extract(params,, id) : On input of a set params of public parameters, a secret keyof a parent identity, and a child identity id =(id1,⋯,idl,⋯,idc):

- - Computeand. In case of l=0 ,and
- - Computeand
- - Run the BasisDelalgorithm to obtain a short basisS'∈Zm×mfor Λ⊥(Fid) , whereis a short basis for
- - Output a secret keyskid=S'of id .

- SHIBS.Sign(params,id,skid,m) : On input of a set params of public parameters, an identity id at depth |id|=lwith its secret keyskid, and a messagem∈{0,1}k:

- - Compute
- - Computeand.
- - Run the SampleDalgorithm to obtain a vectorwhereskidis a short basis for Λ⊥(Fid) .
- - Output a signatureσ

- SHIBS.Vrfy(params,id,m,σ) : On input of a set params of public parameters, an identity id at depth |id|=l, a messagem∈{0,1}k, and a signatureσ:

- - Computeand.
- - Output 1, ifand. Otherwise, output 0 .

4. Analysis

- 4.1 Correctness

We show that our construction SHIBS is correct.
PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- 4.2 Unforgeability

We show that our construction SHIBS is strongly unforgeable under chosen message and adaptive identity attacks.
PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

- Setup: A takes an instanceof the SISq,βproblem as an input. A proceeds as follows:

- - A choosesdpositive integers. Suppose F sends at mostidentities to A in the H1queriesat each depth of the hierarchy.
- - A runs the SampleR(1m,s) algorithmdtimes to obtaindmatrices.
- - A chooses a positive integerw←[d] .
- - A computesNote thatis uniformly random byFact 2.3.
- - A sends params =Ato F .

- H1queries: After receiving theq-th identity id = (id1,⋯,idi) from F , A proceeds as follows:

- - IfA setsand sends H1(id) to F .
- - Otherwise, A computes. In case ofi=1, A setsAi=A. A runs the SampleRwithBasis(Ai,s) algorithm to obtain a matrixand a short basisSB∈ Zm×mfor Λ⊥(A) , where. A set H1(id)=R, send H1(id)=Rto F , and adds a tuple (i,id,R,B,SB) to the H1list.

- H2queries: After receiving thei-th message miof to A from F , A proceeds as follows:

- - A runs the SampleDom(1m,s) algorithm to obtain a vector, computes, sendhito F, and adds a tuple (mi,vi,hi) to the H2list.

- Extract queries: After receiving an identity id = (id1,⋯,idc) at depth |id|=cfrom F , A proceeds as follows:

- - We assume that all prefixes of id already appears on the H1list. Otherwise, A sends the others to the H1queries.
- - A findsj∈[c] which is the shallowest level such thatIn case ofj∉[c], A aborts.
- - A looks upin the H1list, whereandSBis a short basis for Λ⊥(b)

- - A sendsskidto F .

- Sign queries: After receiving an identity id = (id1,⋯,idc) at depth |id|=cand a message mi, from F, A proceeds as follows:

- - If for allj∈[c],, A looks up(mi,vi,hi) in the H2list. If midoes not appear on the H2list, A sends mi to the H2queries. A computesand sendsσi
- - Otherwise, A sends id to theExtract queriesto obtainskid, run the SHIBS.Sign(params,id,skid,mi) algorithm to obtainσi, and sendsσi.

- Output: Assume that F outputs (id*,m*,σ*) .

- - In case ofw≠|id*|, A aborts. Note that the probability ofw≠|id*| issincewis randomly selected from [d] .
- - A findsj∈[w] which is the shallowest level such that. In case ofj∈[w], A aborts. Note that the probability of.
- - A outputsas a solution to the SISq,βproblem.

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

PPT Slide

Lager Image

5. Conclusion

In this paper, we have proposed a hierarchical identity-based signature scheme from lattices. Our scheme is adaptively secure and the size of signatures in our scheme is shortest among the existing hierarchical identity-based signature schemes from lattices. We proved the security of our scheme based on the SIS problem on lattices in the random oracle model. The question of constructing an adaptively secure hierarchical identity-based signature scheme from lattices without increasing the dimension of the signatures in the standard model still remains open.
BIO

Shamir Adi
1985
“Identity-based cryptosystems and signature schemes”
in Proc. of Advances in Cryptology - Crypto 1984, LNCS 0196
August 19-22
Article (CrossRef Link)
47 -
53

Hess Florian
2002
“Efficient identity based signature schemes based on pairings”
in Proc. of 9th Annual International Workshop on Selected Areas in Cryptology - SAC 2002, LNCS 2595
August 15-16
Article (CrossRef Link)
310 -
324

Jae Choon Cha
,
Jung Hee Cheon
2002
“An identity-based signature from gap Diffie-Hellman groups”
in Proc. of 6th International Workshop on Theory and Practice in Public Key Cryptography - PKC 2003, LNCS 2567
January 6-8
Article (CrossRef Link)
18 -
30

Barreto Paulo S. L. M.
,
Libert Benoit
,
McCullagh Noel
,
Quisquat Jean-Jacques
2005
“Efficient and provably-secure identity-based signatures and signcryption from bilinear maps”
in Proc. of Advances in Cryptology - Asiacrypt 2005, LNCS 3788
December 4-8
Article (CrossRef Link)
513 -
532

Gentry Craig
,
Silverberg Alice
2002
“Hierarchical ID-based cryptography”
in Proc. of Advances in Cryptology - Asiacrypt 2002, LNCS 2501
December 1-5
Article (CrossRef Link)
548 -
566

Chow Sherman S.M.
,
Hui Lucas C.K.
,
Yiu Siu Ming
,
Chow K.P.
2004
“Secure hierarchical identity based signature and its application”
in Proc. of 6th International Conference on Information and Communications Security - ICICS 2004, LNCS 3269
October 27-29
Article (CrossRef Link)
480 -
494

Shor Peter W.
1997
“Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer”
SIAM Journal on Computing
Article (CrossRef Link)
26
(5)
1484 -
1509
** DOI : 10.1137/S0097539795293172**

Ruckert Markus
2010
“Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles”
in Proc. of Third International Workshop on Post-quantum Cryptography - PQCrypto 2010, LNCS 6061
May 25-28
Article (CrossRef Link)
182 -
200

Tian Miaomiao
,
Huang Liusheng
,
Yang Wei
2012
“A new hierarchical identity-based signature scheme from lattices in the standard model”
International Journal of Network Security
Article (CrossRef Link)
14
(6)
310 -
315

Liu Zhenhua
,
Hu Yupu
,
Zhang Xiangsong
,
Li Fagen
2013
“Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model”
Security and Communication Networks
Article (CrossRef Link)
6
(1)
69 -
77
** DOI : 10.1002/sec.531**

Tian Miaomiao
,
Huang Liusheng
,
Yang Wei
2013
“Efficient hierarchical identity-based signatures from lattices”
International Journal of Electronic Security and Digital Forensics
Article (CrossRef Link)
5
(1)
1 -
10
** DOI : 10.1504/IJESDF.2013.054403**

Gentry Craig
,
Peikert Chris
,
Vaikuntanathan Vinod
2008
“Trapdoors for hard lattices and new cryptographic constructions”
in Proc. of 40th Annual ACM Symposium on Theory of Computing - STOC 2008
May 17-20
Article (CrossRef Link)
197 -
206

Agrawal Shweta
,
Boneh Dan
,
Boyen Xavier
2010
“Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE”
in Proc. of Advances in Cryptology - Crypto 2010, LNCS 6223
August 15-19
Article (CrossRef Link)
98 -
115

Ajtai Miklos
1996
“Generating hard instances of lattice problems”
in Proc. of 28th ACM Symposium on the Theory of Computing -STOC 1996
May 22-24
Article (CrossRef Link)
99 -
108

Micciancio Daniele
,
Regev Oded
2007
“Worst-case to average-case reductions based on Gaussian measures”
SIAM Journal on Computing
Article (CrossRef Link)
37
(1)
267 -
302
** DOI : 10.1137/S0097539705447360**

Peikert Chris
,
Rosen Alon
2006
“Efficient collision-resistant hashing from worst-case assumptions on cyclic lattcies”
in Proc. of 3rd Theory of Cryptography Conference - TCC 2006, LNCS 3876
March 4-7
Article (CrossRef Link)
145 -
166

Boyen Xavier
2010
“Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more”
in Proc. of 13th International Conference on Practice and Theory in Public Key Cryptography - PKC 2010, LNCS 6056
May 26-28
Article (CrossRef Link)
499 -
517

Alwen J Joel
,
Peikert Chris
2011
“Generating shorter bases for hard random lattices”
Theory of Computing Systems
Article (CrossRef Link)
48
(3)
535 -
553
** DOI : 10.1007/s00224-010-9278-3**

Cash David
,
Hofheinz Dennis
,
Kiltz Eike
,
Peikert Chris
2010
“Bonsai trees, or how to delegate a lattice basis”
in Proc. of Advances in Cryptology - Eurocrypt 2010, LNCS 6110
May 30-June 3
Article (CrossRef Link)
523 -
552

Bellare Mihir
,
Rogaway Phillip
1993
“Random oracles are practical: A paradigm for designing efficient protocols”
in Proc. of 1st ACM Conference on Computer and Communications Security CCS 1993
November 3-5
Article (CrossRef Link)
62 -
73

Citing 'Scalable Hierarchical Identity-based Signature Scheme from Lattices
'

@article{ E1KOBZ_2013_v7n12_3261}
,title={Scalable Hierarchical Identity-based Signature Scheme from Lattices}
,volume={12}
, url={http://dx.doi.org/10.3837/tiis.2013.12.017}, DOI={10.3837/tiis.2013.12.017}
, number= {12}
, journal={KSII Transactions on Internet and Information Systems (TIIS)}
, publisher={Korean Society for Internet Information}
, author={Noh, Geontae
and
Jeong, Ik Rae}
, year={2013}
, month={Dec}