## Efficient lattice (H)IBE in the standard model (2010)

Venue: | In EUROCRYPT 2010, LNCS |

Citations: | 96 - 15 self |

### Citations

2166 | Probability inequalities for sums of bounded random variables - Hoeffding - 1963 |

1696 | Identity-based Encryption from the Weil Pairing
- Boneh, Franklin
- 1987
Citation Context ... (PKG) who has knowledge of a master secret. Identity-based encryption was first proposed by Shamir [28], however, it is only recently that practical implementations were proposed. Boneh and Franklin [8] define a security model for identity-based encryption and give a construction based on the Bilinear Diffie-Hellman (BDH) problem. Cocks [13] describes a construction using quadratic residues modulo a... |

1090 | Identity-based cryptosystems and signature schemes
- Shamir
- 1984
Citation Context ...r a telephone number. The corresponding private key can only be generated by a Private-Key Generator (PKG) who has knowledge of a master secret. Identity-based encryption was first proposed by Shamir [37], however, it is only recently that practical implementations were proposed. Boneh and Franklin [10] define a security model for identity-based encryption and give a construction based on the Bilinear... |

853 | Pseudorandom generators from any one-way function, 21st STOC
- Levin, Luby
- 1989
Citation Context ...e in Y. The “classic” left-over-hash-lemma states that when h is uniform in H and independent of T, the distribution $(h, h(T))$ is statistically close to $(h, U_Y)$, assuming γ(T) is sufficiently small [24] (see also [38, Theorem 8.37]). The following lemma shows that about the same holds, even if a few bits of T are “leaked.” Lemma 14 (Generalized left-over hash lemma). Let $H = \{h : X \to Y\}_{h \in H}$ be a uni... |

525 | Fuzzy extractors: How to generate strong keys from biometrics and other noisy data
- Dodis, Ostrovsky, et al.
Citation Context ... LWE problem is hard when n/α is polynomial in n. 3 Randomness Extraction. We will need the following lemma which follows directly from a generalization of the left over hash lemma due to Dodis et al. [15]. Lemma 4. Suppose that $m > (n + 1) \log_2 q + \omega(\log n)$ and that q is prime. Let A, B be matrices chosen uniformly in $\mathbb{Z}_q^{n \times m}$ and let R be an m×m matrix chosen uniformly in $\{1, -1\}^{m \times m} \bmod q$. Then, for a... |

359 | On lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2009
Citation Context ...aper we focus on lattice-based IBE. Cash et al. [12], Peikert [24] and Agrawal et al. [3] recently showed how to construct secure IBE in the standard model from the learning with errors (LWE) problem [27]. Their constructions view an identity as a sequence of bits and then assign a matrix to each bit. The resulting systems, while quite elegant, are considerably less efficient than the underlying rando... |

334 | Efficient identity-based encryption without random oracles
- Waters
- 2005
Citation Context ...e systems requires cryptographic hash functions that are modeled as random oracles. For pairing-based systems, the structure of pairing groups enabled several secure IBE systems in the standard model [11, 6, 7, 31, 17, 32]. For systems based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [12], Peikert [24] and Agra... |

278 | An identity based encryption scheme based on quadratic residues
- Cocks
Citation Context ...practical implementations were proposed. Boneh and Franklin [8] define a security model for identity-based encryption and give a construction based on the Bilinear Diffie-Hellman (BDH) problem. Cocks [13] describes a construction using quadratic residues modulo a composite (see also [9]) and Gentry et al. [16] give a construction using lattices. The security of all these systems requires cryptographic... |

273 | Chosen-ciphertext security from identity-based encryption
- Canetti, Halevi, et al.
- 2004
Citation Context ... in the random oracle system. This construction also gives an efficient chosen ciphertext secure lattice-based public-key encryption (PKE) system via a generic selective-IBE to CCA-PKE transformation [14, 12, 9]. Lattices in our system are built from two parts called “right” and “left” lattices. A trapdoor for the left lattice is used as the master secret in the real system and enables one to generate privat... |

253 | Hierarchical ID-based cryptography
- Gentry, Silverberg
- 2002
Citation Context ... identity. The encryption algorithm encrypts messages for a given identity (using the system parameters) and the decryption algorithm decrypts ciphertexts using the private key. In a Hierarchical IBE [20, 18], identities are vectors, and there is a fifth algorithm called Derive. A vector of dimension ℓ represents an identity at depth ℓ. Algorithm Derive takes as input an identity $id = (I_1, \ldots, I_\ell)$ at ... |

247 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
- 2003
Citation Context ...e systems requires cryptographic hash functions that are modeled as random oracles. For pairing-based systems, the structure of pairing groups enabled several secure IBE systems in the standard model [11, 6, 7, 31, 17, 32]. For systems based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [12], Peikert [24] and Agra... |

216 | Efficient selective-id secure identity-based encryption without random oracles
- Boneh, Boyen
- 2004
Citation Context ...e systems requires cryptographic hash functions that are modeled as random oracles. For pairing-based systems, the structure of pairing groups enabled several secure IBE systems in the standard model [11, 6, 7, 31, 17, 32]. For systems based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [12], Peikert [24] and Agra... |

187 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, et al.
- 2008
Citation Context ...encryption and give a construction based on the Bilinear Diffie-Hellman (BDH) problem. Cocks [13] describes a construction using quadratic residues modulo a composite (see also [9]) and Gentry et al. [16] give a construction using lattices. The security of all these systems requires cryptographic hash functions that are modeled as random oracles. For pairing-based systems, the structure of pairing gro... |

175 | Complexity of Lattice Problems, A Cryptographic Perspective
- Micciancio, Goldwasser
- 2002
Citation Context ... := $\{\tilde{s}_1, \ldots, \tilde{s}_k\} \subset \mathbb{R}^m$ denotes the Gram-Schmidt orthogonalization of the vectors $s_1, \ldots, s_k$ taken in that order. We refer to $\|\tilde{S}\|$ as the Gram-Schmidt norm of S. Micciancio and Goldwasser [22] showed that a full-rank set S in a lattice Λ can be converted into a basis T for Λ with an equally low Gram-Schmidt norm. Lemma 1 ([22, Lemma 7.1]). Let Λ be an m-dimensional lattice. There is a dete... |

163 | A computational introduction to number theory and algebra. Available at shoup.net/ntb
- Shoup
- 2004
Citation Context ...we have that $v_0$ is uniform in $\mathbb{Z}_q$ and $v^*$ is uniform in $\mathbb{Z}_q^m$. Therefore $c_1^*$ as defined in step (3) above is uniform and independent in $\mathbb{Z}_q^{2m}$ by the standard left over hash lemma (e.g. Theorem 8.38 of [29]) where the hash function is defined by the matrix $(A_0^\top \mid v^*)$. Consequently, the challenge ciphertext is always uniform in $\mathbb{Z}_q \times \mathbb{Z}_q^{2m}$, as in Game 3. Guess. After being allowed to make additional q... |

152 | Public-key cryptosystems from the worst-case shortest vector problem - Peikert - 2009 |

139 | Practical identity-based encryption without random oracles
- Gentry
- 2006

139 | Toward hierarchical identity-based encryption
- Horwitz, Lynn
- 2002
Citation Context ... identity. The encryption algorithm encrypts messages for a given identity (using the system parameters) and the decryption algorithm decrypts ciphertexts using the private key. In a Hierarchical IBE [20, 18], identities are vectors, and there is a fifth algorithm called Derive. A vector of dimension ℓ represents an identity at depth ℓ. Algorithm Derive takes as input an identity $id = (I_1, \ldots, I_\ell)$ at ... |

136 | Secure identity based encryption without random oracles
- Boneh, Boyen

128 | Worst-case to average-case reductions based on gaussian measures
- Micciancio, Regev
Citation Context ...×m q or over a coset $L = t + \Lambda_q^\perp(A)$ where $t \in \mathbb{Z}^m$. Properties. The following lemma from [33] captures standard properties of these distributions. The first two properties follow from Lemma 4.4 of [32] and Corollary 3.16 of [36] respectively (using Lemma 3.1 from [22] to bound the smoothing parameter). We state in property (2) a stronger version of Regev’s Corollary 3.16 found in [2]. The last two ... |

121 | Bonsai trees, or how to delegate a lattice basis
- Cash, Hofheinz, et al.
- 2010
Citation Context ...odel [15, 7, 8, 40, 21, 41]. For systems based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [17, 16, 33], and Agrawal et al. [3] recently showed how to construct secure IBE in the standard model from the learning with errors (LWE) problem [36]. Their constructions view an identity as a sequence of bits ... |

95 | Vinod Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert
- 2008
Citation Context ...ncryption and give a construction based on the Bilinear Diffie-Hellman (BDH) problem. Cocks [18] describes a construction using quadratic residues modulo a composite (see also [11]) and Gentry et al. [22] give a construction using lattices. The security of all these systems requires cryptographic hash functions that are modeled as random oracles. For pairing-based systems, the structure of pairing gro... |

88 | Smallest singular value of random matrices and geometry of random polytopes
- Litvak, Pajor, et al.
Citation Context ...) /2 which is negl(n), as required. 3.1 The Norm of a Random Matrix. Recall that the norm of a matrix $R \in \mathbb{R}^{k \times m}$ is defined as $\|R\| := \sup_{\|u\|=1} \|Ru\|$. We will need the following lemma from Litvak et al. [29] to bound the norm of a random matrix in $\{-1, 1\}^{m \times m}$. A similar lemma is also stated in [5, Lemma 2.2]. Lemma 15. Let R be a k×m matrix chosen at random from $\{-1, 1\}^{k \times m}$. Then there is a universal c... |

86 | Improved efficiency for CCA-secure cryptosystems built using identity based encryption
- Boneh, Katz
- 2005
Citation Context ... in the random oracle system. This construction also gives an efficient chosen ciphertext secure lattice-based public-key encryption (PKE) system via a generic selective-IBE to CCA-PKE transformation [14, 12, 9]. Lattices in our system are built from two parts called “right” and “left” lattices. A trapdoor for the left lattice is used as the master secret in the real system and enables one to generate privat... |

67 | Generating shorter bases for hard random lattices. Cryptology ePrint Archive, Report 2008/521, 2008. http://eprint.iacr.org/. Joël Alwen and Chris Peikert. Generating shorter bases for hard random lattices
- Alwen, Peikert
- 2009
Citation Context ...ai [4] showed how to sample an essentially uniform matrix $A \in \mathbb{Z}_q^{n \times m}$ with an associated basis $S_A$ of $\Lambda_q^\perp(A)$ with low Gram-Schmidt norm. We use an improved sampling algorithm from Alwen and Peikert [5]. The following follows from Theorem 3.2 of [5] taking δ := 1/3. Theorem 1. Let q ≥ 3 be odd and m := ⌈6n log q⌉. There is a probabilistic polynomial-time algorithm TrapGen(q, n) that outputs a pair... |

63 | Generating hard instances of the short basis problem
- Ajtai
- 1999
Citation Context ...eterministic polynomial-time algorithm that, given an arbitrary basis of Λ and a full-rank set $S = \{s_1, \ldots, s_m\}$ in Λ, returns a basis T of Λ satisfying $\|\tilde{T}\| \le \|\tilde{S}\|$ and $\|T\| \le \|S\| \sqrt{m}/2$. Ajtai [4] showed how to sample an essentially uniform matrix $A \in \mathbb{Z}_q^{n \times m}$ with an associated basis $S_A$ of $\Lambda_q^\perp(A)$ with low Gram-Schmidt norm. We use an improved sampling algorithm from Alwen and Peikert [5]. T... |

60 | Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices
- Peikert, Rosen
- 2006
Citation Context ...iplication by a constant in the number field K = F[X]/(f) and is therefore invertible when the matrix is non-zero. We note that similar matrix encodings of ring multiplication were previously used in [26, 21]. Theorem 5. Let F be a field and f a polynomial in F[X]. If f is irreducible in F[X] then the function H defined in (3) is an encoding with full-rank differences (or FRD encoding). (3) An example.... |

57 | Generalized compact knapsacks are collision resistant
- Lyubashevsky, Micciancio
- 2006
Citation Context ...iplication by a constant in the number field K = F[X]/(f) and is therefore invertible when the matrix is non-zero. We note that similar matrix encodings of ring multiplication were previously used in [26, 21]. Theorem 5. Let F be a field and f a polynomial in F[X]. If f is irreducible in F[X] then the function H defined in (3) is an encoding with full-rank differences (or FRD encoding). (3) An example.... |

51 | Space-efficient identity based encryption without pairings
- Boneh, Gentry, et al.
- 2007
Citation Context ...del for identity-based encryption and give a construction based on the Bilinear Diffie-Hellman (BDH) problem. Cocks [13] describes a construction using quadratic residues modulo a composite (see also [9]) and Gentry et al. [16] give a construction using lattices. The security of all these systems requires cryptographic hash functions that are modeled as random oracles. For pairing-based systems, the ... |

50 | Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE
- Agrawal, Boneh, et al.
Citation Context ... these distributions. The first two properties follow from Lemma 4.4 of [23] and Corollary 3.16 of [27] respectively (using Lemma 3.1 from [16] to bound the smoothing parameter). We state in property (2) a stronger version of Regev’s Corollary 3.16 found in [2]. The last two properties are algorithms from [16]. Lemma 3. Let q ≥ 2 and let A be a matrix in $\mathbb{Z}_q^{n \times m}$ with m > n. Let $T_A$ be a basis for $\Lambda_q^\perp$ ... |

41 | Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measures
- Daniele
- 2007
Citation Context ... q or over a coset $L = t + \Lambda_q^\perp(A)$ where $t \in \mathbb{Z}^m$. Properties. The following lemma from [24] captures standard properties of these distributions. The first two properties follow from Lemma 4.4 of [23] and Corollary 3.16 of [27] respectively (using Lemma 3.1 from [16] to bound the smoothing parameter). We state in property (2) a stronger version of Regev’s Corollary 3.16 found in [2]. The last two ... |

38 | Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and
- Boyen
- 2010
Citation Context ...able to the performance of the random-oracle system from [22]. In particular, we process identities as one chunk ∗ This paper combines preliminary results that appeared in Eurocrypt’10 [1] and PKC’10 [13]. † Supported by NSF and the Packard Foundation. rather than bit-by-bit resulting in lattices whose dimension is similar to those in the random oracle system. This construction also gives an efficie... |

30 | Programmable hash functions and their applications
- Hofheinz, Kiltz
- 2008
Citation Context ... $(Q, \alpha_{\min}, \alpha_{\max})$ abort-resistant if for all $\bar{x} = (x_0, x_1, \ldots, x_Q) \in X^{Q+1}$ with $x_0 \in \{x_1, \ldots, x_Q\}$ we have $\alpha(\bar{x}) \in [\alpha_{\min}, \alpha_{\max}]$. We will use the following abort-resistant hash family used in [40, 26, 6]. For a prime q let $(\mathbb{Z}_q^\ell)^* := \mathbb{Z}_q^\ell \setminus \{0^\ell\}$ and define the family $H_{\mathrm{Wat}} : \{ H_h : (\mathbb{Z}_q^\ell)^* \to \mathbb{Z}_q \}_{h \in \mathbb{Z}_q^\ell}$, $H_h(id) := 1 + \sum^{\ell} h_i b_i \in \mathbb{Z}_q$ where $id = (b_1, \ldots, b_\ell) \in (\mathbb{Z}_q^\ell)^*$ and $h = (h_1, \ldots, h_\ell)$... |

27 | Simulation without the artificial abort: Simplified proof and improved concrete security for Waters’ IBE scheme
- Bellare, Ristenpart
Citation Context ... $(Q, \alpha_{\min}, \alpha_{\max})$ abort-resistant if for all $\bar{x} = (x_0, x_1, \ldots, x_Q) \in X^{Q+1}$ with $x_0 \in \{x_1, \ldots, x_Q\}$ we have $\alpha(\bar{x}) \in [\alpha_{\min}, \alpha_{\max}]$. We will use the following abort-resistant hash family used in [40, 26, 6]. For a prime q let $(\mathbb{Z}_q^\ell)^* := \mathbb{Z}_q^\ell \setminus \{0^\ell\}$ and define the family $H_{\mathrm{Wat}} : \{ H_h : (\mathbb{Z}_q^\ell)^* \to \mathbb{Z}_q \}_{h \in \mathbb{Z}_q^\ell}$, $H_h(id) := 1 + \sum^{\ell} h_i b_i \in \mathbb{Z}_q$ where $id = (b_1, \ldots, b_\ell) \in (\mathbb{Z}_q^\ell)^*$ and $h = (h_1, \ldots, h_\ell)$... |

24 | Efficient public key encryption based on ideal lattices. Cryptology ePrint Archive, Report 2009/285
- Stehl, Steinfeld, et al.
- 2009
Citation Context ...e scheme to provide full adaptive-ID security, and to support a delegation mechanism to make it hierarchical. It would be interesting to improve these constructions by adapting them to ideal lattices [30]. Another open problem is to construct an adaptively secure lattice-based IBE in the standard model where all the data is short (including the public parameters). Acknowledgments We are grateful to Ch... |

19 | V.: On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations (2010) (manuscript
- Cramer, Damgaard, et al.
Citation Context ...vertible. We present an encoding function H that has this property and expect this encoding to be useful in other lattice-based constructions. A similar function H was developed by Cramer and Damgard [14] in an entirely different context. Full IBE. In the full version of the paper [1] we show that our base construction extends to an adaptively-secure IBE using a lattice analog of the Waters IBE [31]. ... |

14 | Identity-based encryption from lattices in the standard model
- Agrawal, Boyen
- 2009
Citation Context ...ms based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [12], Peikert [24] and Agrawal et al. [3] recently showed how to construct secure IBE in the standard model from the learning with errors (LWE) problem [27]. Their constructions view an identity as a sequence of bits and then assign a matrix... |

12 | Bonsai trees (or, arboriculture in lattice-based cryptography). Cryptology ePrint Archive, Report 2009/359
- Peikert
- 2009
Citation Context ..., 31, 17, 32]. For systems based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [12], Peikert [24] and Agrawal et al. [3] recently showed how to construct secure IBE in the standard model from the learning with errors (LWE) problem [27]. Their constructions view an identity as a sequence of bits a... |

8 | How to delegate a lattice basis. Cryptology ePrint Archive, Report 2009/351
- Cash, Hofheinz, et al.
- 2009
Citation Context ...odel [15, 7, 8, 40, 21, 41]. For systems based on quadratic residuosity it is still not known how to build a secure IBE in the standard model. In this paper we focus on lattice-based IBE. Cash et al. [17, 16, 33], and Agrawal et al. [3] recently showed how to construct secure IBE in the standard model from the learning with errors (LWE) problem [36]. Their constructions view an identity as a sequence of bits ... |

4 | Dual key encryption: Realizing fully secure IBE and HIBE under simple assumption
- Waters
- 2009

2 | X.: Efficient lattice (H)IBE in the standard model (2010
- Agrawal, Boneh, et al.
Citation Context ...t. The resulting systems, while quite elegant, are considerably less efficient than the underlying random-oracle system of [16] on which they are built. ⋆ A full version of this paper is available at [1]. ⋆⋆ Supported by NSF and the Packard Foundation. 1.1 Our Results. We construct a lattice-based IBE in the standard model whose performance is comparable to the performance of the random-oracle system ... |

2 | Lattices Niçoises and vanishing trapdoors : A framework for fully secure short signatures and more
- Boyen
- 2006
Citation Context ...ase construction requires that the underlying field Zq satisfy q > Q where Q is the number of private key queries issued by the adversary. This requirement can be relaxed using the framework of Boyen [10]. Hierarchical IBE (HIBE). In the full version of the paper [1] we show how to extend our base IBE to an HIBE using the basis delegation technique from [12, 24]. The construction assigns a matrix to e... |