Abstract
Constructing short signatures with tight security from standard assumptions is a long-standing open problem. We present an adaptively secure, short (and stateless) signature scheme, featuring a constant security loss relative to a conservative hardness assumption, Short Integer Solution (SIS), and the security of a concretely instantiated pseudorandom function (PRF). This gives a class of tightly secure short lattice signature schemes whose security is based on SIS and the underlying assumption of the instantiated PRF.
Our signature construction further extends to give a class of tightly and adaptively secure “compact” Identity-Based Encryption (IBE) schemes, reducible with constant security loss from Regev’s vanilla Learning With Errors (LWE) hardness assumption and the security of a concretely instantiated PRF. Our approach is a novel combination of a number of techniques, including Katz and Wang signature, Agrawal et al. lattice-based secure IBE, and Boneh et al. key-homomorphic encryption.
Our results, at the first time, eliminate the dependency between the number of adversary’s queries and the security of short signature/IBE schemes in the context of lattice-based cryptography. They also indicate that tightly secure PRFs (with constant security loss) would imply tightly, adaptively secure short signature and IBE schemes (with constant security loss).
Xavier Boyen—Research conducted with generous support from the Australian Research Council under Discovery Project grant ARC DP-140103885.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
Short signatures are useful and desirable for providing data authenticity in low-bandwidth and/or high-throughput applications where many signatures have to be processed very quickly. Most digital signature schemes are based on computationally hard problems on specific algebraic groups, e.g., finite fields, curves, and lattices. A signature is “short” if the signature consists in a (small) constant number of group elements (e.g., field elements or lattice points).
Although bare-bones signatures can be obtained from very weak assumptions (e.g., collision-resistant hash functions), constructing efficient short signatures satisfying standard security requirements (e.g., existential unforgeability under adaptively chosen-message attacks), from reasonable assumptions, appears to be a challenging task. Some of the existing short signature schemes use random oracles, e.g., [10, 19, 36, 48, 50], or rely on non-standard computational assumptions (strong, interactive assumptions, and/or q-type parametric assumptions), e.g., [16, 26, 30, 33, 34], or require signers to maintain state across signatures, e.g., [45].
The first short signature scheme from a reasonable and non-parametric assumption without random oracles was proposed by Waters [56]. Hohenberger and Waters later proposed a short signature scheme from standard RSA [46]. Lattice-based short signatures from the very mild SIS assumption in the standard model were proposed in [20, 51]. Recently, the “confined guessing” technique developed by Böhl et al. [13] has produced short signatures from standard RSA and bilinear-group CDH assumptions, and also from the ring-SIS/SIS assumption in combination with lattice techniques [4, 32] with very loose reductions.
Despite these elegant constructions, signature schemes that are short and enjoy tight security reductions to standard assumptions in the standard model (without random oracle), remain unknown. Existing tightly secure signature schemes either have large signature size, e.g., [1, 11, 43], or merely have heuristic security arguments based on random oracles, e.g., [39, 48]. We have not been able to ascertain the earliest occurrence of this long-standing folklore problem in cryptography, but here [11] is one recent formulation:
Open Problem #1—Tightly Secure Short Signatures
“Construct a tightly secure and short (in the sense that the signature contains constant number of group elements or vectors and the security loss is a constant) signature scheme from standard assumptions.” —Blazy, Kakvi, Kiltz, Pan (2015)
1.1 Tight Security
The reductionist approach to cryptographic security algorithms seeks to prove theorems along the lines of: “If a t-time adversary attacks the scheme with successful probability \(\epsilon \), then a \(t'\)-time algorithm can be constructed to break some computational problem with success probability \(\epsilon ' = \epsilon /\theta \) and \(t' =k\cdot t + o(t)\).”. The parameters \(\theta \ge 1\) and \(k\ge 1\), or more simply the product \(k\cdot \theta \), measures how tightly the security of the cryptographic scheme is related to the hardness of the underlying computational problem. Alternatively, when \(k\approx 1\) as is the case in many reductions, \(\theta \) measures the security loss of the security reduction of our cryptographic scheme from the underlying assumption. A cryptographic scheme is tightly secure if \(\theta \) is a small constant that in particular does not depend on parameters under the adversary’s control, such as the adversary’s own success probability \(\epsilon \), the number of queries it chooses to make, and even the scheme’s security parameter. The reduction phrases “almost tight security” from the literature refers to the case where \(\theta \) is a polynomial of the security parameter.
Tight reduction is an elegant notion from a theoretical point of view. A tight reductionist proof (with respect to a well-defined security model) indicates that the security of a cryptographic scheme is (extremely) closely related to the hardness of the underlying hard problem, which is the optimal case we expect from provable security theory. On the other hand, it is also a determinant factor to the practicality of real-world security. Its opposite, loose security, means that in order to realise a desired “real” target security level, one has to increase the “apparent” security level inside the construction to compensate for the loose reduction. This inflates the size of data atoms by some polynomial, with in turn increases the running time of cryptographic operations by another polynomial, combining multiplicatively.
1.2 Identity-Based Encryption with Tight Security
Digital signatures and identity-based encryption (IBE) are closely connected, which suggests that techniques that improve upon the security of signatures might also improve upon the security of IBE. In this work, we also investigate the problem of constructing tightly secure IBE from standard assumptions (without random oracles).
In an IBE system, any random string that uniquely represents a user’s identity, such as email address or driver license number, can act as a public key (within a certain domain or realm). Encryption uses this identity, together with some common domain-specific public parameters, to encrypt messages. Users are issued private decryption keys corresponding to their public identities, by a trusted authority (or distributed authorities) called Private Key Generator (PKG) which hold(s) (shares of) the master secret key for a domain. Decryption succeeds if the identity associated with the ciphertext matches the identity associated with the private key, in the same domain.
The strongest, most natural and most widely accepted notion of security for IBE is the adaptive security model or full security model, formally defined in [17]. In this model, the adversary is able to announce its target (the challenge identity it wants to attack) at any time during the course of its adaptive interaction with the system. Without the luxury of random oracles, an easier security model to achieve was the selective security model, where the adversary must announce its target identity at the onset of its interaction with the system.
In the last fifteen years, a great many IBE schemes have been proposed, with varying efficiency, security models, hardness assumptions, and other features. In the standard model (i.e., without random oracles or other idealised oracles), we mention several notable IBE schemes which have been constructed from bilinear maps in the selective model [14, 27] and the adaptive model [12, 15, 29, 35, 56, 57], and from lattices in the adaptive model [2, 5, 28]. It is fair to say that, by now, the art of selectively secure IBE has been well honed. However, adaptively secure IBE schemes from standard assumptions with tight security (in the sense that the security loss is a small constant) remain unknown. The best known adaptively secure IBE schemes in terms of tight reduction are based on linear assumptions over pairings and achieve almost tight security (e.g., [6, 12, 29, 44]). Waters [56] states this open problem as follows:
Open Problem #2—Tight Adaptively Secure IBE
“Construct a tightly, adaptively secure IBE scheme from standard computational hardness assumptions without random oracles.” —Waters (2005)
Furthermore, for all known directly constructed adaptively secure IBE scheme from standard post-quantum assumption (specifically the LWE assumption), i.e. [2, 5, 28], their security loss during reduction depends on the number adversary’s of queries. That is there is current no even “almost tightly” secure adaptive IBE scheme based on standard computational problems which are conjectured to be hard under quantum attacks. The following problem is still open.
Open Problem #3—“Almost” Tight Adaptively Secure, Post-Quantum IBE
“Construct an “almost” tightly, adaptively secure IBE scheme from standard post-quantum assumptions without random oracles.”
1.3 Our Results
Our work uses pseudorandom functions (PRFs). Recall a PRF is a (deterministic) function: \(\textsf {PRF}: \mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) with the following security property. For random secret key K from \( \mathcal {K}\), \(\textsf {PRF}(K,\cdot )\) is computationally indistinguishable from a random function \(\varOmega : \mathcal {D}\rightarrow \mathcal {R}\), given oracle access to either \(\textsf {PRF}(K,\cdot )\) or \(\varOmega (\cdot )\). PRFs can be constructed from general assumptions (e.g., the existence of pseudo-random number generators [40]), number-theoretic assumptions (e.g., the DDH/k-LIN assumption [31, 47, 53]), and lattice assumption LWE [8, 9].
Our contribution is a construction of a class of adaptively secure short signature schemes/IBE schemes in the standard model. The schemes’ security is tightly related to SIS/LWE and the security of an instantiated PRF PRF in the sense that the security loss is a nearly optimal constant factor. More precisely, let \(\epsilon \) and \(\epsilon '\) be the advantage of an adversary in attacking our signature and IBE schemes respectively, \(\epsilon _{\textsf {SIS}}\) and \(\epsilon _{\textsf {LWE}}\) be the security level of the SIS and LWE assumptions on which our schemes are based, and \(\epsilon _\textsf {PRF}\) is the security level of the PRF instantiation PRF. Our constructions provide the following: \(\epsilon \approx 2(\epsilon _\textsf {SIS}+ \epsilon _\textsf {PRF})\), \(\epsilon ' \approx 2(\epsilon _\textsf {LWE}+ \epsilon _\textsf {PRF})\), and the (polynomial) runtime of reduction is approximately the same as attacker’s runtime. Depending on the underlying hardness assumption and the reduction of PRF, underlying assumptions and tightness of our signature/IBE scheme vary.
Our work indicates that tightly secure PRFs, which are based on standard assumptions and computable by polynomial size Boolean circuits, are sufficient for us to build tightly, adaptively secure lattice signature/IBE schemes. Ideally, it is better if the PRF instantiations assume weak assumptions and have shallow Boolean circuits implementations. In particular, by instantiating the ‘almost” tightly secure PRFs from [8, 9], (which are based on LWE assumption with super-polynomial modulus) we obtain the first “almost” tightly secure short signature/IBE schemes from LWE with super-polynomial modulus whose security does not depend on the number of adversarial queries.Footnote 1 This, at the first time, eliminates the dependency between the number of adversary’s queries and the security of lattice-based short signature scheme/IBE scheme, and allows us to answer the Open Problem #3.
While constructing low-depth (e.g. circuits in \(\textsf {NC}^1\)), tightly secure PRFs from standard assumptions with constant security loss in the black-box senseFootnote 2 remains an open problem, any progress made in such direction will improve our work toward solving Open Problem #1 and #2 (under SIS/LWE assumption). For instance, if the DDH/k-LIN-based PRFs from [47] achieve security loss \(O(\log ^2\lambda )\) for security parameter \(\lambda \), we obtain signature/IBE schemes enjoy the same security loss under the combined assumptions.
Table 1 provides a comparison between our signature scheme with a LWE-based PRF instantiation (from [9]) and a representative sample of the prominent lattice-based (quantum-safe) signature schemes from the literature. Note, Katz and Wang did not propose a SIS-based signature scheme in [48]. The scheme we refer to is a straightforward application of Katz-Wang’s proof technique to GPV’08 signature scheme. Table 2 provides a comparison between our signature scheme with DDH-based PRF instantiation from [47] and the representative signature schemes from traditional number-theoretic assumptions, including (strong) RSA, Dlog and linear assumptions over pairings. Our signature scheme loses a factor of \(O(\log ^2{\lambda })\) in security proof if the DDH-based PRF instantiation achieves the same security loss. All of those assumptions are not conjectured to be quantum-safe. In each case, the two tables refer to conjectured quantum safe and quantum-unsafe constructions respectively. Table 3 gives a comparison between our IBE scheme (with both direct LWE-based PRF instantiation from [9] and DDH-based instantiation from [47]) and a representative selection of existing IBE schemes from the literature.
It needs to mention that the bit length of PRF secret key determines the number of public matrices in our constructions. In the SIS-based signature scheme from [20] and LWE-based IBE schemes from [2, 28], the number of public matrices are determined by the bit length of messages and identities respectively. For the provably secure PRFs, the bit length of secret key is usually significantly larger than the bit length of messages and identities needed in [2, 20, 28]. So our constructions have larger concrete size of verification key than the signature scheme in [20] and larger concrete size of public parameters than the IBE schemes in [2, 28].
Efficiency Consideration. Though we focus on tightness of reduction in the context of short signature and IBE, we do not hide the inefficiency of our schemes, particularly with comparison to the adptively secure lattice-based signature/IBE scheme obained from the “complexity leveraging” [14] of efficient selectively secure lattice-based signature/IBE scheme such as [2]. Although complexity leveraging is not very satisfactory from a theoretical perspective, it indeed often leads to the most practical secure cryptographic schemes. In the context of IBE, we have seen that the adaptively secure IBE scheme leveraged from selective DBDH-based IBE scheme in [14] has higher real-world efficiency than the adaptively secure Waters IBE scheme [56] (as well as the subsequent adaptive IBE schemes from similar standard pairing assumptions without random oracles) for the same security level. This may seem counter-intuitive, but to design adaptively secure IBE schemes one needs to carefully embed some specially crafted complex structures into the scheme, to provide enough freedom for the security reduction. This makes directly constructed adaptive IBE schemes rather bulky and sometimes require even stronger assumptions (in the lattice setting). Therefore, our current results are of more theoretical value. One the other hand, directly constructing adaptively secure schemes from standard assumptions usually requires new proof ideas and techniques which advance the state-of art and lead to further applications. Trying to get tighter reduction for the directly constructed adaptively secure schemes should be always welcome as it remains a very promising way of bridging the efficiency gap.
1.4 Overview of Our Approach
Construction Outline. Our constructions use a PRF \(\textsf {PRF}:\{0,1\}^k\times \{0,1\}^t \rightarrow \{0,1\}\) which takes as input a truly random secret key from \(\{0,1\}^k\) and a string from \(\{0,1\}^t\), and deterministically outputs a bit which is computationally indistinguishable from a random bit. In our signature scheme, \(5+k\) random matrices are chosen from \(\mathbb {Z}_q^{n\times m}\), comprising: a “left” matrix \(\mathbf {A}\), two “signature subspace selection” matrices \(\mathbf {A}_0,\mathbf {A}_1\), k “PRF secret key” matrices \(\{\mathbf {B}_i\}_{i\in [k]}\), and two “message representation” matrices \(\mathbf {C}_0,\mathbf {C}_1\). The key generation algorithm further expresses PRF as a NAND Boolean circuit, which serves as a part of the public parameters or perhaps a common reference string. The signing key consists of a “short” basis \(\mathbf {T}_{\mathbf {A}}\)of \(\mathbf {A}\) and a PRF key \(K\in \{0,1\}^k\) for PRF.
The signer takes three steps to generate the signature of message \(\textsf {M} = x_1x_2\dots x_t\in \{0,1\}^t\). Firstly, it uses the key-homomorphic evaluation algorithm developed from [18, 24, 38] to compute the unique matrix \(\mathbf {A}_{\textsf {PRF},\textsf {M}}\) from the circuit of PRF and the \(k+t\) matrices \(\{\mathbf {B}_i\}_{i\in [k]}\), \(\mathbf {C}_{x_1}\), \(\mathbf {C}_{x_2},\dots ,\mathbf {C}_{x_t}\).Footnote 3 Then it computes \(b = \textsf {PRF}(K,\textsf {M})\) and sets the matrix \(\mathbf {F}_{\textsf {M},1-b} = [\mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{\textsf {PRF},\textsf {M}}]\in \mathbb {Z}_q^{n\times 2m}\). Finally, it applies the trapdoor \(\mathbf {T}_{\mathbf {A}}\) to generate the signature: a low-norm non-zero vector \(\mathbf {d}_\textsf {M}\in \mathbb {Z}^{2m}\) such that \(\mathbf {F}_{\textsf {M},1-b}\cdot \mathbf {d}_\textsf {M} = \mathbf {0}\pmod q\). The verification algorithm checks whether the signature is a non-zero vector in \(\mathbb {Z}^{2m}\) and has low-norm, and whether \(\mathbf {F}_{\textsf {M},b}\cdot \mathbf {d}_\textsf {M} = \mathbf {0}\pmod q\) or \(\mathbf {F}_{\textsf {M},1-b}\cdot \mathbf {d}_\textsf {M} = \mathbf {0}\pmod q\). If all these conditions are satisfied, the signature is accepted.
Our IBE scheme works as follows. The public parameters contain matrices \(\mathbf {A}\), \(\mathbf {A}_0\), \(\mathbf {A}_1\), \(\{\mathbf {B}_i\}_{i\in [k]}\), \(\mathbf {C}_0,\mathbf {C}_1\), a secure PRF PRF represented as a NAND Boolean circuit, and a random vector \(\mathbf {u}\in \mathbb {Z}_q^n\) which is used to hide messages. The trapdoor basis \(\mathbf {T}_{\mathbf {A}}\) and a secret PRF key \(K\in \{0,1\}^k\) serve as master secret key. In private key generation for identity \(\textsf {id}= x_1x_2\dots x_t\in \{0,1\}^t\), the key-homomorphic evaluation algorithm is invoked to compute the unique matrix \(\mathbf {A}_{\textsf {PRF},\textsf {id}}\) from the circuit of PRF and the \(k+t\) matrices \(\{\mathbf {B}_i\}_{i\in [k]},\mathbf {C}_{x_1},\mathbf {C}_{x_2},\dots ,\mathbf {C}_{x_t}\). It then sets the “function” matrix to \(\mathbf {F}_{\textsf {id},1-b} = [\mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{\textsf {PRF},\textsf {id}}]\in \mathbb {Z}_q^{n\times 2m}\) for \(b = \textsf {PRF}(K,\textsf {M})\), and uses \(\mathbf {T}_{\mathbf {A}}\) to sample a Gaussian vector \(\mathbf {d}_\textsf {id}\in \mathbb {Z}^{2m}\) as private identity key where \(\mathbf {F}_{\textsf {id},1-b}\cdot \mathbf {d}_\textsf {id}= \mathbf {u}\pmod q\).
To encrypt a message \(\textsf {Msg}\in \{0,1\}\) with an identity id, the encryptor computes \(\mathbf {A}_{\textsf {PRF},\textsf {id}}\) and sets two “function” matrices \(\mathbf {F}_{\textsf {id},b} = [\mathbf {A}\ |\ \mathbf {A}_{b} - \mathbf {A}_{\textsf {PRF},\textsf {id}}]\) and \(\mathbf {F}_{\textsf {id},1-b} = [\mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{\textsf {PRF},\textsf {id}}]\). It generates two independent GPV-style ciphertexts [36]. The first one uses \(\mathbf {F}_{\textsf {id},b}\):
and the second is based on \(\mathbf {F}_{\textsf {id},1-b}\):
for random vectors \(\mathbf {s}_b,\mathbf {s}_{1-b}\xleftarrow {\$}\mathbb {Z}_q^n\), two small noise scalars \(\nu _{b,0},\nu _{1-b,0}\), and two low-norm noise vectors \(\varvec{\nu }_{b,1},\varvec{\nu }_{1-b,1}\).
The decryption algorithm uses \(\mathbf {d}_{\textsf {id}}\) to try both ciphertexts; one of them should work. Here as a technical caveat, we need some redundant information in the messages in order to check whether a recovered message is well-formed. To this end, one option is to apply the standard way of encrypting multiple bits in GPV-style ciphertexts without affecting the security analysis. That is, instead of using just a vector \(\mathbf {u}\in \mathbb {Z}_q^n\) in the public key, we use a matrix \(\mathbf {U}\in \mathbb {Z}_q^{n\times z}\) allowing us to encrypt z bits. A second option, which costs nothing if hybrid encryption is being used, is to use multi-bit GPV-style encryption to encrypt a symmetric session key without redundancy, again using a matrix \(\mathbb {Z}_q^{n\times z}\) and rely on downstream symmetric integrity checks or MACs to weed out the incorrect ciphertexts.
Proof Outline. The security reduction of our signature scheme uses an efficient adversary to solve a of SIS problem instance \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\): a short non-zero vector \(\mathbf {e}\in \mathbb {Z}^m\) such that \(\mathbf {Ae} = \mathbf {0}\pmod q\). The reduction embeds a randomly picked secret key K for PRF in verification key. More specifically, the reduction selects low-norm matrices \(\mathbf {R}_{\mathbf {A}_0}\), \(\mathbf {R}_{\mathbf {A}_1}\), \(\{ \mathbf {R}_{\mathbf {B}_i}\}_{i\in [k]}\), \(\mathbf {R}_{\mathbf {C}_0}\), \(\mathbf {R}_{\mathbf {C}_1}\) from \(\{1,-1\}^{m\times m}\), a PRF secret key \(K=s_1s_2\dots s_k\in \{0,1\}^k\) and sets \(\mathbf {A}_0 = \mathbf {AR}_{\mathbf {A}_0}\), \(\mathbf {A}_1 = \mathbf {AR}_{\mathbf {A}_1} + \mathbf {G} \), \(\{ \mathbf {B}_i = \mathbf {AR}_{\mathbf {B}_i} + s_i\mathbf {G} \}_{i\in [k]}\), \(\mathbf {C}_0= \mathbf {AR}_{\mathbf {C}_0} \) and \(\mathbf {C}_1= \mathbf {AR}_{\mathbf {C}_1} +\mathbf {G} \). Here, K is completely hidden from adversary’s view. For answering a signing query on message \(\textsf {M}\), the reduction computes \(\mathbf {A}_{\textsf {PRF},\textsf {M}} = \mathbf {AR}+ \textsf {PRF}(K,\textsf {M})\mathbf {G}\) for some known low-norm \({m\times m}\) matrix \(\mathbf {R}\) that depends on \(\mathbf {R}_{\mathbf {A}_0},\mathbf {R}_{\mathbf {A}_1},\{ \mathbf {R}_{\mathbf {B}_i}\}_{i\in [k]},\mathbf {R}_{\mathbf {C}_0},\mathbf {R}_{\mathbf {C}_1}\), K and \(\textsf {M}\). Let \(\textsf {PRF}(K,\textsf {M}) = b\), the reduction sets \(\mathbf {F}_{\textsf {M},1-b} = [\mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{\textsf {PRF},\textsf {M}} ] = [\mathbf {A}\ |\ \mathbf {AR} + (1-2b)\mathbf {G}]\) and uses the trapdoor from \(\mathbf {G}\) to compute the decryption key. Note, we use PRF to select the matrix \(\mathbf {A}_b\) which is the same as the real scheme. For a valid forgery \((\textsf {M}^*,\mathbf {d}_{\textsf {M}^*})\), since \(b= \textsf {PRF}(K,\textsf {M}^*)\) is unpredictable to the adversary, \(\mathbf {F}_{\textsf {M}^*, b}\cdot \mathbf {d}_{\textsf {M}^*} = \mathbf {0}\pmod q\) happens with essentially probability 1 / 2 leading to a valid SIS solution.
The security reduction for our IBE scheme is similar to the reduction of the signature scheme. Basically, the reduction answers key generation queries in the same way as answering signing queries in the signature scheme reduction. To construct the challenge ciphertext for a challenge identity \(\textsf {id}^*\), the LWE challenge is embedded in the function matrix \(\mathbf {F}_{\textsf {id}^*,b} = [\mathbf {A}\ |\ \mathbf {AR} ]\) for which the simulator cannot produce private key. Another ciphertext based on \( \mathbf {F}_{\textsf {id}^*,1-b} = [\mathbf {A}\ |\ \mathbf {AR} + (1-2b)\mathbf {G}]\) is generated as in the real scheme. With essentially half probability, the adversary will choose the ciphertext under \(\mathbf {F}_{\textsf {id}^*,b}\) to attack giving out useful information for solving the LWE challenge.
Related Works. In the related and concurrent work by Brakerski and Vaikuntanathan [25], a similar idea of embedding PRFs into encryption schemes has been used to construct the first semi-adaptively secure attribute-based encryption scheme from lattices supporting an a priori unbounded number of attributes. The recent work by Bai et al. [7] addresses the problem of improving efficiency of lattice-based cryptographic schemes via a different but novel way. Their proposal is about using Rényi divergence instead of statistical distance in the context of lattice-based cryptography which leads to (sometimes simpler) security proofs for more efficient lattice-based schemes.
2 Preliminaries
Notation. ‘PPT’ abbreviates “probabilistic polynomial-time”. If S is a set, we denote by \(a\xleftarrow {\$}S\) the uniform sampling of a random element of S. For a positive integer n, we denote by [n] the set of positive integers no greater than n. We use bold lowercase letters (e.g. \(\mathbf {a}\)) to denote vectors and bold capital letters (e.g. \(\mathbf {A}\)) to denote matrices. For a positive integer \(q\ge 2\), let \(\mathbb {Z}_q\) be the ring of integers modulo q. We denote the group of \(n\times m\) matrices in \(\mathbb {Z}_q\) by \(\mathbb {Z}_q^{n\times m}\). Vectors are treated as column vectors. The transpose of a vector \(\mathbf {a}\) (resp. a matrix \(\mathbf {A}\)) is denoted by \(\mathbf {a}^\top \) (resp. \(\mathbf {A}^\top \)). For \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) and \(\mathbf {B}\in \mathbb {Z}_q^{n\times m'}\), let \([\mathbf {A}|\mathbf {B}] \in \mathbb {Z}_q^{n\times (m+m')}\) be the concatenation of \(\mathbf {A}\) and \(\mathbf {B}\). We denote the Gram-Schmidt ordered orthogonalization of a matrix \(\mathbf {A}\in \mathbb {Z}^{m\times m}\) by \(\tilde{\mathbf {A}}\). The inner product of two vectors \(\mathbf {x}\) and \(\mathbf {y}\) is written \(\langle \mathbf {x},\mathbf {y}\rangle \). For a security parameter \(\lambda \), a function \(\textsf {negl}(\lambda )\) is negligible in \(\lambda \) if it is smaller than all polynomial fractions for a sufficiently large \(\lambda \).
We recall the following generalisation of left-over hash lemma.
Lemma 1
([2], Lemma 4). Suppose that \(m > (n+1)\log q+ \omega (\log n)\) and that \(q > 2\) is prime. Let \(\mathbf {R}\) be an \(m \times k\) matrix chosen uniformly in \(\{1, -1\}^{m\times k} \mod q\) where \(k = k(n)\) is polynomial in n. Let \(\mathbf {A}\) and \(\mathbf {B}\) be matrices chosen uniformly in \(\mathbb {Z}_q^{n\times m}\) and \(\mathbb {Z}_q^{n\times k}\) respectively. Then, for all vectors \(\mathbf {w}\in \mathbb {Z}_q^m\), the distribution \((\mathbf {A}, \mathbf {AR}, \mathbf {R}^\top \mathbf {w})\) is statistically close to the distribution \((\mathbf {A}, \mathbf {B}, \mathbf {R}^\top \mathbf {w})\).
For a vector \(\mathbf {u}\), we let \(\left\| \mathbf {u}\right\| \) and \(\left\| \mathbf {u}\right\| _\infty \) denote its \(\ell _2\) norm and \(\ell _\infty \) norm, respectively. For a matrix \(\mathbf {R}\in \mathbb {Z}^{k\times m}\), we define two matrix norms:
-
\(\left\| \mathbf {R}\right\| \) denotes the \(\ell _2\) length of the longest column of \(\mathbf {R}\).
-
\(\left\| \mathbf {R}\right\| _2\) is the operator norm of \(\mathbf {R}\) defined as \(\left\| \mathbf {R}\right\| _2 = \sup _{\mathbf {x}\in \mathbb {R}^{m+1}} \Vert \mathbf {R}\cdot \mathbf {x}\Vert \).
Lemma 2
([2], Lemma 5). Let \(\mathbf {R}\) be a random chosen matrix from \(\{1,-1\}^{m\times m}\), then \(\Pr [\left\| \mathbf {R}\right\| _2> 12 \sqrt{2m}] < e^{-m}\).
2.1 Lattice Background
Lattice Definitions
Definition 1
Let a basis \(\mathbf {B} = [\mathbf {b}_1\ |\dots | \mathbf {b}_m]\in (\mathbb {R}^{m})^{m}\) of linearly independent vectors. The lattice generated by \(\mathbf {B}\) is defined as \(\mathrm {\Lambda } = \left\{ \mathbf {y}\in \mathbb {R}^m : \exists s_i\in \mathbb {Z}, \mathbf {y} = \sum _{i=1}^m s_i\mathbf {b}_i \right\} \). The dual lattice \(\mathrm {\Lambda }^*\) of \(\mathrm {\Lambda }\) is defined as \(\mathrm {\Lambda }^* = \left\{ \mathbf {z}\in \mathbb {R}^m\ : \forall \mathbf {y}\in \mathrm {\Lambda },\ \langle \mathbf {z}, \mathbf {y}\rangle \in \mathbb {Z} \right\} \).
Definition 2
For q prime, \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) and \(\mathbf {u}\in \mathbb {Z}_q^{n}\), we define the m-dimensional (full-rank) random integer lattice \(\mathrm {\Lambda }_q^\bot (\mathbf {A}) = \left\{ \mathbf {e}\in \mathbb Z^m\ : \mathbf {Ae}=\mathbf {0}\pmod q\right\} \), and the “shifted lattice” as the coset \(\mathrm {\Lambda }_q^\mathbf {u}(\mathbf {A}) = \left\{ \mathbf {e}\in \mathbb Z^m\ : \mathbf {Ae}=\mathbf {u}\pmod q\right\} \).
Trapdoors of Lattices and Discrete Gaussians. It is shown in [3, 51] how to sample a “nearly” uniform random matrix \(\mathbf {A}\in \mathbb {Z}^{n\times m}\) along with a trapdoor matrix \(\mathbf {T}_{\mathbf {A}}\in \mathbb {Z}^{m\times m}\) which is a short or low-norm basis of the induced lattice \(\mathrm {\Lambda }_q^\bot (\mathbf {A})\). We refer to this procedure as TrapGen.
Lemma 3
There is a PPT algorithm TrapGen that takes as input integers \(n\ge 1\), \(q\ge 2\) and a sufficiently large \(m = O(n\log {q})\), outputs a matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) and a trapdoor matrix \(\mathbf {T}_{\mathbf {A}}\in \mathbb {Z}^{m\times m}\), such that \(\mathbf {A} \cdot \mathbf {T}_{\mathbf {A}} = 0\), the distribution of \(\mathbf {A}\) is statistically close to the uniform distribution over \(\mathbb {Z}_q^{n\times m}\) and \(\Vert \tilde{\mathbf {T}}_{\mathbf {A}}\Vert = O(\sqrt{n\log q})\).
Discrete Gaussians. Let \(m\in \mathbb Z_{>0}\) be a positive integer and \(\mathrm {\Lambda }\subset \mathbb Z^m\). For any real vector \(\mathbf {c}\in \mathbb {R}^m\) and positive parameter \(\sigma \in \mathbb R_{>0}\), let the Gaussian function \(\rho _{\sigma ,\mathbf {c}}(\mathbf {x}) = \exp \left( -\pi \Vert \mathbf {x}- \mathbf {c}\Vert ^2 / \sigma ^2 \right) \) on \(\mathbb R^m\) with center \(\mathbf {c}\) and parameter \(\sigma \). Define the discrete Gaussian distribution over \(\mathrm {\Lambda }\) with center \(\mathbf {c}\) and parameter \(\sigma \) as \(D_{\mathrm {\Lambda },\sigma }= \rho _{\sigma ,\mathbf {c}}(\mathbf {y}) / \rho _{\sigma }(\mathrm {\Lambda })\) for \(\forall \mathbf {y}\in \mathrm {\Lambda }\), where \(\rho _{\sigma }(\mathrm {\Lambda }) = \sum \nolimits _{\mathbf {x}\in \mathrm {\Lambda }} \rho _{\sigma ,\mathbf {c}}(\mathbf {x})\). For notational convenience, \(\rho _{\sigma ,\mathbf {0}}\) and \(D_{\mathrm {\Lambda },\sigma , \mathbf {0}}\) are abbreviated as \(\rho _{\sigma }\) and \(D_{\mathrm {\Lambda },\sigma }\).
The following lemma bounds the length of a discrete Gaussian vector with sufficiently large Gaussian parameter.
Lemma 4
([52]). For any lattice \(\mathrm {\Lambda }\) of integer dimension m with basis \(\mathbf {T}\), \(\mathbf {c}\in \mathbb {R}^m\) and Gaussian parameter \(\sigma \ge \Vert \tilde{\mathbf {T}}\Vert \cdot \omega (\sqrt{\log {m}})\), we have \( \Pr [\left\| \mathbf {x} - \mathbf {c}\right\| > \sigma \sqrt{m} : \mathbf {x}\leftarrow D_{\mathrm {\Lambda },\sigma ,\mathbf {c}}] \le \textsf {negl}(n).\)
Smoothing Parameter. We recall the very important notion of smoothing parameter of a lattice \(\mathrm {\Lambda }\). It is the smallest value of s such that the discrete Gaussian \(D_{\mathrm {\Lambda },s}\) “behaves” like a continuous Gaussian.
Definition 3
([52]). For any lattice \(\mathrm {\Lambda }\) and positive real tolerance \(\epsilon > 0\), the smoothing parameter \(\eta _{\epsilon }(\mathrm {\Lambda })\) is the smallest real \(s>0\) such that \(\rho _{1/s}(\mathrm {\Lambda }^*\setminus \{\mathbf {0}\}) < \epsilon \).
We will make use of the following lemma, which is a special case of Corollary 3.10 from [55].
Lemma 5
(special case of Corollary 3.10 of [55]). Let \(\mathbf {r}\in \mathbb {Z}^m\) be a vector and \(r,\alpha > 0\) be reals. Assume that \(1/\sqrt{1/r^2 + (\Vert \mathbf {r}\Vert /\alpha )^2} \ge \eta _\epsilon (\mathbb {Z}^m)\) for some \(\epsilon <1/2\). Let \(\mathbf {y}\) be a vector with distribution \(D_{\mathbb {Z}^m,r}\) and e be a scalar with distribution \(D_{\mathbb {Z},\alpha }\). The distribution of \(\langle \mathbf {r},\mathbf {y}\rangle + e\) is statistically close to \(D_{\mathbb {Z}, \sqrt{(r\Vert \mathbf {r}\Vert )^2+ \alpha ^2}}\).
Lattice Sampling Algorithms. Our constructions make use of the “two-sided trapdoor” framework from [2, 20] which consists of two sampling algorithms SampleLeft and SampleRight.
-
Inputs: a full-rank matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) and a short basis \(\mathbf {T}_{\mathbf {A}}\) of \( \mathrm {\Lambda }_q^\bot (\mathbf {A})\), a matrix \( \mathbf {B}\in \mathbb {Z}_q^{n\times m_1}\), a vector \(\mathbf {u}\in \mathbb {Z}_q^{n}\), and a Gaussian parameter s.
-
Output: Let \(\mathbf {F} = \begin{bmatrix} \mathbf {A}\ |\ \mathbf {B} \end{bmatrix}\). The algorithm outputs a vector \(\mathbf {d}\in \mathbb {Z}^{m+m_1}\) in the set \(\mathrm {\Lambda }_{q}^\mathbf {u}(\mathbf {F})\).
Theorem 1
([2, 28]). Let \(q > 2\), \(m > n\) and \(s > \Vert \tilde{\mathbf {T}}_{\mathbf {A}}\Vert \cdot \omega (\sqrt{\log (m + m_1)})\). Then the algorithm \(\textsf {SampleLeft}(\mathbf {A}, \mathbf {B},\mathbf {T}_{\mathbf {A}}, \mathbf {u}, s)\) taking inputs as in (1), outputs a vector \(\mathbf {d}\in \mathbb {Z}^{m+m_1}\) distributed statistically close to \(D_{\mathrm {\Lambda }_{q}^\mathbf {u}(\mathbf {F}),s}\).
-
Inputs: matrices \(\mathbf {A}\in \mathbb {Z}_q^{n\times k}\) and \(\mathbf {R}\in \mathbb {Z}^{k\times m}\), a full-rank matrix \(\mathbf {B}\in \mathbb {Z}_q^{n\times m}\), a short basis \(\mathbf {T}_{\mathbf {B}}\) of \(\mathrm {\Lambda }_q^\bot (\mathbf {B})\), a vector \(\mathbf {u}\in \mathbb {Z}_q^{n}\), and a Gaussian parameter s.
-
Output: Let \(\mathbf {F} = \begin{bmatrix} \mathbf {A}\ |\ \mathbf {AR} + \mathbf {B} \end{bmatrix}\); the algorithm outputs a vector \(\mathbf {d} \in \mathbb {Z}^{m+m_1}\) in the set \(\mathrm {\Lambda }_{q}^\mathbf {u}(\mathbf {F})\)
Theorem 2
([2], Theorem 19). Let \(q > 2\), \(m > n\). Let \(s > \Vert \tilde{\mathbf {T}}_{\mathbf {B}}\Vert \cdot \left\| \mathbf {R}\right\| _2 \cdot \omega (\sqrt{\log m})\). Then \(\textsf {SampleRight}(\mathbf {A}, \mathbf {B}, \mathbf {R}, \mathbf {T}_{\mathbf {B}}, \mathbf {u}, s)\) taking inputs as in (2), outputs a vector \(\mathbf {d}\in \mathbb {Z}^{m+k}\) distributed statistically close to \(D_{\mathrm {\Lambda }_{q}^\mathbf {u}(\mathbf {F}), s}\).
Gadget Matrix. The “gadget matrix” \(\mathbf {G}\) defined in [51]. We recall the following two facts.
Lemma 6
([51], Theorem 1). Let q be a prime, and n, m be integers with \(m = n\log q\). There is a fixed full-rank matrix \(\mathbf {G}\in \mathbb {Z}_q^{n\times m}\) such that the lattice \(\mathrm {\Lambda }_q^\bot (\mathbf {G})\) has a publicly known trapdoor matrix \(\mathbf {T}_{\mathbf {G}}\in \mathbb {Z}^{n\times m}\) with \(\Vert \tilde{\mathbf {T}}_{\mathbf {G}}\Vert \le \sqrt{5}\).
Lemma 7
([18], Lemma 2.1). There is a deterministic algorithm, denoted \(\mathbf {G}^{-1}(\cdot ):\mathbb {Z}_q^{n\times m} \rightarrow \mathbb {Z}^{m\times m}\), that takes any matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) as input, and outputs the preimage \(\mathbf {G}^{-1}(\mathbf {A})\) of \(\mathbf {A}\) such that \(\mathbf {G\cdot G^{-1}(A)} = \mathbf {A}\pmod q\) and \(\Vert \mathbf {G}^{-1}(\mathbf {A})\Vert \le m \).
Computational Assumptions. We recall the two most mainstream and conservative average-case computational assumptions for lattice problems.
The learning with errors problem was first proposed by Regev [55]. For a vector \(\mathbf {s}\xleftarrow {\$}\mathbb {Z}_q^n\) and a noise distribution \(\chi \) over \(\mathbb {Z}_q\), let \(A_{\mathbf {s},\chi }\) be the distribution over \(\mathbb {Z}_q^{n}\times \mathbb {Z}_q\) by taking \(\mathbf {a}\xleftarrow {\$}\mathbb {Z}_q^{n}\) and \(x\leftarrow \chi \), and outputting \((\mathbf {a}, \mathbf {s}^\top \mathbf {a} + x) \pmod q\). Usually, \(\chi \) is a discrete Gaussian \(D_{\mathbb {Z},\alpha q}\) for some \(\alpha <1\), reduced modulo q. We refer to [55] for further details.
Definition 4
For a security parameter \(\mathrm {\Lambda }\), let a positive integer \(n=n(\lambda )\), a prime \(q=q(\lambda )\), and a distribution \(\chi \) over \(\mathbb {Z}_q\). The learning with errors problem \(\text {LWE}_{n,q,\chi }\) is to distinguish the oracle \(\mathcal {O}_{\mathbf {s}}\), which outputs samples from the distribution \(A_{\mathbf {s},\chi }\), from the oracle \(\mathcal {O}_{\$}\), which outputs samples from the uniform distribution over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\), for an unspecified polynomial number of queries. We define the advantage (in the security parameter \(\lambda \)) of an algorithm \(\mathcal {A}\) in solving the \(\text {LWE}_{n,q,\chi }\) problem as
We say that the \((t,\epsilon _{\textsf {LWE}})\)-\(\textsf {LWE}_{n,q,\chi }\) assumption holds if no t-time algorithm \(\mathcal {A}\) that has advantage at least \(\epsilon _{\textsf {LWE}}\) in solving the \(\textsf {LWE}_{n,q,\chi }\) problem.
For polynomial size q in \(\lambda \), there are known quantum [55] and classical [22] reductions from the average-case \(\text {LWE}_{n,q,\chi }\) assumption to many standard worst-case lattice problems (e.g., GapSVP).Footnote 4 Peikert [54] also gave a classic reduction that applies (only) for exponential moduli q in \(\lambda \). These reductions further strengthen the appeal of the LWE assumption.
The security of our adaptively secure signature scheme is based on the SIS problem, which can be seen as an average-case approximate shortest vector problem on random integer lattices. In a sense, SIS is the computational counterpart to the decisional LWE.
Definition 5
For a security parameter \(\lambda \), let \(n=n(\lambda )\), \(m=m(\lambda )\), and \(\beta =\beta (\lambda )\). Let q be a prime integer. The short integer solution problem \(\textsf {SIS}_{n,q,\beta ,m}\) is as follows. Given a uniform random matrix \(\mathbf {A}\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\), find a non-zero vector \(\mathbf {e}\in \mathbb {Z}^{m}\) such that \(\mathbf {Ae}=\mathbf {0}\pmod q\) and \(\left\| \mathbf {e}\right\| \le \beta \). We define the advantage (function of the security parameter \(\lambda \)) of an algorithm \(\mathcal {A}\) in solving the \(\textsf {SIS}_{n,q,\beta ,m}\) problem as
We say the \((t,\epsilon _{\textsf {SIS}})\)-\(\textsf {SIS}_{n,q,\beta ,m}\) assumption holds if no t-time algorithm \(\mathcal {A}\) that has advantage at least \(\epsilon _{\textsf {SIS}}\) in solving the \(\textsf {SIS}_{n,q,\beta ,m}\) problem.
It has been shown in [52] that solving the average-case instances of the \(\textsf {SIS}_{n,q,\beta ,m}\) problem for certain parameters is as hard as solving worst-case instances of the approximate Shortest Independent Vector Problem (SIVP).
2.2 Pseudorandom Functions
Definition 6
(Pseudorandom Functions). Let \(\lambda >0\) be the security parameter, and let \(k=k(\lambda )\), \(t=t(\lambda )\) and \(l=l(\lambda )\). A pseudorandom function \(\textsf {PRF}:\{0,1\}^k\times \{0,1\}^t \rightarrow \{0,1\}^l\) is an efficiently computable, deterministic two-input function where the first input, denoted by K, is the key. Let \(\varOmega \) be the set of all functions that map t bits strings to l bits strings. We define the advantage (in the security parameter \(\lambda \)) of an adversary \(\mathcal {A}\) in attacking the PRF as
where the probability is taken over a uniform choice of key \(K\xleftarrow {\$}\{0,1\}^k\) and \(F\xleftarrow {\$} \varOmega \), and the randomness of \(\mathcal {A}\). We say that \(\textsf {PRF}\) is \((t_\textsf {PRF},\epsilon _\textsf {PRF})\)-secure if for all \(t_\textsf {PRF}\)-time adversaries \(\mathcal {A}\), \(\textsf {Adv}_{\textsf {PRF},\mathcal {A}}(\lambda ) \le \epsilon _\textsf {PRF}\).
2.3 Key-Homomorphic Evaluation Algorithm
Recall the matrix key-homomorphic evaluation algorithm, which is developed by Gentry et al. [38], Boneh et al. [18] and Brakerski and Vaikuntanathan [24] in the context of fully homomorphic encryption and attribute-based encryption, works generally in the following. Given a fan-in-2 Boolean NAND circuits \(C:\{0,1\}^\ell \rightarrow \{0,1\}\), \(\ell \) different matrices \(\{\mathbf {A}_i = \mathbf {AR}_i + x_i\mathbf {G} \in \mathbb {Z}_q^{n\times m}\}_{i\in [\ell ] }\) which correspond to each input wire of C where \(\mathbf {A}\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\), \(\mathbf {R}_i\xleftarrow {\$}\{1,-1\}^{m\times m}\), \(x_i\in \{0,1\}\) and \(\mathbf {G}\in \mathbb {Z}_q^{n\times m } \) is the gadget matrix, the key-homomorphic evaluation algorithm deterministically computes \(\mathbf {A}_C = \mathbf {A}\mathbf {R}_C + C(x_1,\dots ,x_\ell )\mathbf {G} \in \mathbb {Z}_q^{n\times m}\) where \(\mathbf {R}_C\in \mathbb {Z}^{m\times m}\) has low norm and \(C(x_1,\dots ,x_\ell )\in \{0,1\}\) is the output bit of C on the arguments \(x_1,\dots ,x_\ell \). This is done, in general, by inductively evaluating each NAND gate. For a NAND gate g(u, v; w) with input wires u, v and output wire w, matrices \(\mathbf {A}_u = \mathbf {AR}_{u} + x_u\mathbf {G} \) and \(\mathbf {A}_v = \mathbf {AR}_{v} + x_v\mathbf {G}\) where \(x_u\) and \(x_v\) are input bits of u and v respectively, the evaluation algorithm computes
where \(1-x_ux_v {\mathop {=}\limits ^{\small \mathsf def}}\textsf {NAND}(x_u,x_v)\), and \(\mathbf {R}_g = -\mathbf {R}_u \cdot \mathbf {G}^{-1}(\mathbf {A}_v) - x_u\mathbf {R}_v \) has low-norm if \(\mathbf {R}_u,\mathbf {R}_v\) have low-norm.
In this paper, we consider evaluating circuits of PRFs. Most of the well-known PRFs from number-theoretic assumptions (e.g. [47, 53]) and lattice assumptions (e.g. [8, 9]) can be computed by circuits in class \(\textsf {NC}^1\) (i.e. with polynomial size, logarithmic depth \(O(\log \ell )\) in input length \(\ell \) and fan-in 2). For circuits in \(\textsf {NC}^1\), by applying above procedure in a general tree-fashion, the norm of \(\mathbf {R}_C\) in the matrix \(\mathbf {A}_C\) is roughly bounded by \(m^{O(\log \ell )}\), which in turn usually results in superpolynomial or sub-exponential LWE/SIS modulus q (in the security parameter) in certain applications.
In [24], Brakerski and Vaikuntanathan observed that the norm of \(\mathbf {R}_C\) matrix in above homomorphic evaluation is accumulated in an asymmetric way. They exploited this feature to design a special evaluation algorithm that evaluates \(\textsf {NC}^1\) circuits with moderately increasing the norm of \(\mathbf {R}_C\). Specifically, the observation is that any circuit with depth d can be simulated by a length-\(4^d\) and width-5 branching program, through the Barrington’s theorem. Such a branching program can be computed by multiplying \(4^d\) 5-by-5 permutation matrices. It is showed in [24] that homomorphically evaluating the multiplication of permutation matrices using above homomorphic evaluation procedure and the asymmetrical noise-growth feature only increases the noise by a polynomial factor and, therefore, allows us to use polynomial size LWE/SIS modulus q in the security parameter. Such result has been used to construct efficient ABE scheme for branching programs (with bounded length) from LWE with polynomial modulus [42]. In our constructions, we particularly use the Brakerski and Vaikuntanathan’s evaluation algorithm [24] and denote it by \(\textsf {Eval}_{\textsf {BV}}\).
We recall the Barrington’s Theorem.
Theorem 3
(Barrington’s Theorem). Every Boolean \(\textsf {NAND}\) circuit C that acts on \(\ell \) inputs and has depth d can be computed by a width-5 permutation branching program \(\varPi \) of length \(4^d\). Given the description of the circuit \(\Psi \), the description of the branching program C can be computed in \(\text {poly}(\ell , 4^d)\) time.
The following theorem follows from the Claim 3.4.2 and Lemma 3.6 of [24] and the Barrington’s Theorem.
Lemma 8
Let \(C:\{0,1\}^\ell \rightarrow \{0,1\}\) be a NAND Boolean circuit. Let \(\{\mathbf {A}_i = \mathbf {AR}_i + x_i\mathbf {G} \in \mathbb {Z}_q^{n\times m}\}_{i\in [\ell ] }\) be \(\ell \) different matrices correspond to each input wire of C where \(\mathbf {A}\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\), \(\mathbf {R}_i\xleftarrow {\$}\{1,-1\}^{m\times m}\), \(x_i\in \{0,1\}\) and \(\mathbf {G}\in \mathbb {Z}_q^{n\times m } \) is the gadget matrix. There is an efficient deterministic algorithm \(\textsf {Eval}_{\textsf {BV}}\) that takes as input C and \(\{\mathbf {A}_i\}_{i\in [\ell ]}\) and outputs a matrix \(\mathbf {A}_C = \mathbf {AR}_C+ C(x_1,\dots ,x_\ell )\mathbf {G} = \textsf {Eval}_{\textsf {BV}}(C,\mathbf {A}_1,\dots ,\mathbf {A}_\ell ) \) where \(\mathbf {R}_C\in \mathbb {Z}^{m\times m}\) and \(C(x_1,\dots ,x_\ell )\) is the output of C on the arguments \(x_1,\dots ,x_\ell \). \(\textsf {Eval}_{\textsf {BV}}\) runs in time \(\text {poly}(4^d, \ell ,n,\log q)\).
Let \(\left\| \mathbf {R}_{\text {max}} \right\| _2= \text {max}\left\{ \left\| \mathbf {R}_i \right\| _2 \right\} _{i\in [\ell ] }\), the norm of \(\mathbf {R}_C\) in \(\mathbf {A}_C\) output by \(\textsf {Eval}_{\textsf {BV}}\) can be bounded,with overwhelming probability, by
where L is the length of the width-5 branching program which simulates C and \(\left\| \mathbf {R}_i\right\| _2 \le 12\sqrt{2m}\) for \(i\in [\ell ]\) with overwhelming probability, by Lemma 2.
Particularly, if C has depth \(d = c\log \ell \) for some constant c, i.e. C is in \(\textsf {NC}^1\), we have \(L = 4^d =\ell ^{2c}\) and \(\Vert \mathbf {R}_C\Vert _2 \le O( \ell ^{2c} \cdot m^{3/2})\).
2.4 Digital Signatures
A digital signature scheme consists of three PPT algorithms: \(\textsf {KeyGen}\), Sign, and Ver. The algorithm KeyGen takes as input a security parameter and generates a public verification key Vk and a private signing key \(\textsf {Sk}\). The signing algorithm Sign takes as input the signing key Sk and a massage \(\textsf {M}\), and outputs the signature \(\textsf {Sig}\) of M. The verification algorithm Ver takes as input a signature-message pair \((\textsf {Sig}, \textsf {M})\) as well as the verification key Vk. It outputs 1 if \(\textsf {Sig}\) is valid, or 0 if \(\textsf {Sig}\) is invalid.
We review the standard security notion of digital signature schemes. The existential unforgeability under chosen-message attack (EUF-CMA) of a digital signature scheme \(\varPi \) is defined through the following security game between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {B}\).
-
Setup. \(\mathcal {B}\) runs \(\textsf {Setup}(1^\lambda )\rightarrow (\textsf {Sk},\textsf {Vk})\), and passes \(\textsf {Vk}\) to \(\mathcal {A}\).
-
Query. \(\mathcal {A}\) adaptively selects messages \(\textsf {M}_1,\dots ,\textsf {M}_{q_s}\) to ask for the corresponding signatures under \(\textsf {Vk}\) from \(\mathcal {B}\). For the query \(\textsf {M}_i\), \(\mathcal {B}\) responds with a signature \(\textsf {Sig}_i \leftarrow \textsf {Sign}(\textsf {Sk},\textsf {M}_i)\).
-
Forge. \(\mathcal {A}\) outputs a pair \((\textsf {Sig}^*,\textsf {M}^*)\) and wins if
-
1.
\(\textsf {M}^*\notin \{\textsf {M}_1,\dots ,\textsf {M}_{q_s} \}\), and
-
2.
\(\textsf {Ver}(\textsf {Vk}, \textsf {Sig}^*, \textsf {M}^*)\rightarrow 1\).
-
1.
We refer to such an adversary \(\mathcal {A}\) as EUF-CMA adversary. We define the advantage (in the security parameter \(\lambda \)) \(\textsf {Adv}_{\varPi ,\mathcal {A}}(\lambda )\) of \(\mathcal {A}\) in attacking a digital signature scheme \(\varPi \) to be the probability that \(\mathcal {A}\) wins above game.
Definition 7
For a security parameter \(\lambda \), let \(t=t(\lambda )\), \(q_s=q_s(\lambda )\) and \(\epsilon =\epsilon (\lambda )\). We say that a digital signature scheme \(\varPi \) is \((t,q_s,\epsilon )\textsf {-EUF-CMA}\) secure if for any t time EUF-CMA adversary \(\mathcal {A}\) that makes at most \(q_s\) signing queries and has \(\textsf {Adv}_{\varPi ,\mathcal {A}}(\lambda ) \le \epsilon \).
2.5 Identity-Based Encryption
An Identity-Based Encryption system (IBE) consists of four PPT algorithms: Setup, KeyGen, Encrypt, and Decrypt. The algorithm Setup takes as input a security parameter and generates public parameters Pub and a master secret key Msk. The algorithm KeyGen uses the master secret key Msk to produce an identity private key \(\textsf {Sk}_\textsf {id}\) corresponding to an identity id. The algorithm Encrypt takes the public parameters Pub to encrypt messages for any given identity id. The algorithm Decrypt decrypts ciphertexts using the identity private key if the identity of the ciphertext matches the identity of the private key.
We review the adaptive (full) security under chosen-plaintext attack (IND-ID-CPA) of IBE system. The IND-ID-CPA security of IBE is defined through the following game between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {B}\). For a security parameter \(\lambda \), let \(\mathcal {M}_{\lambda }\) be the message space and \(\mathcal {C}_{\lambda }\) be the ciphertext space.
-
Setup. \(\mathcal {B}\) runs \(\textsf {Setup}(1^\lambda )\rightarrow (\textsf {Pub},\textsf {Msk})\), passes the public parameters \(\textsf {Pub}\) to \(\mathcal {A}\), and keeps the master secret \(\textsf {Msk}\).
-
Phase 1. \(\mathcal {A}\) adaptively requests keys for any identity \(\textsf {id}\) of its choice. \(\mathcal {B}\) responds with the corresponding private key \(\textsf {Sk}_{\textsf {id}}\) by running algorithm \(\textsf {KeyGen}\).
-
Challenge. When \(\mathcal {A}\) decides the Phase 1 is over, it outputs a challenge identity \(\textsf {id}^*\), which is not been queried during Phase 1, and two equal length messages \(\textsf {Msg}_0, \textsf {Msg}_1\in \mathcal {M}_\lambda \). \(\mathcal {B}\) flips a fair coin \(\gamma \xleftarrow {\$}\{0,1\}\) and sets \(\textsf {Ctx}_{\textsf {id}^*} \leftarrow \textsf {Encrypt}(\textsf {Pub},\textsf {Msg}_{\gamma },\textsf {id}^*)\). Finally \(\mathcal {A}\) passes \(\textsf {Ctx}_{\textsf {id}^*}\) to \(\mathcal {A}\).
-
Phase 2. \(\mathcal {A}\) continues to make key quires for any identity \(\textsf {id}\ne \textsf {id}^*\).
-
Guess. \(\mathcal {A}\) outputs \(\gamma '\in \{0,1\}\) and it wins if \(\gamma ' = \gamma \).
We refer to such an adversary \(\mathcal {A}\) as an IND-ID-CPA adversary. We define the advantage (in the security parameter \(\lambda \)) of \(\mathcal {A}\) in attacking an IBE scheme \(\mathcal {E}\) as \(\textsf {Adv}_{\mathcal {E},\mathcal {A}}(\lambda ) =\left| \Pr [\gamma ' = \gamma ] -1/2\right| \).
Definition 8
For a security parameter \(\lambda \), let \(t=t(\lambda )\), \(q_{\textsf {id}} = q_{\textsf {id}}(\lambda )\), and \(\epsilon =\epsilon (\lambda )\). We say that an IBE system \(\mathcal {E}\) is \((t,q_{\textsf {id}}, \epsilon )\) -IND-ID-CPA secure if for any t-time IND-ID-CPA adversary \(\mathcal {A}\) that makes at most \(q_{\textsf {id}}\) private key queries, we have \(\textsf {Adv}_{\mathcal {E},\mathcal {A}}(\lambda ) \le \epsilon \).
3 Signature Scheme with Tight Security
3.1 Constructions
KeyGen \((1^\lambda )\) The key generation algorithm does the following.
-
1.
Sample a matrix \(\mathbf {A}\) along with a trapdoor basis of lattice \(\mathrm {\Lambda }_q^\bot (\mathbf {A})\) by \(\textsf {TrapGen}\).
-
2.
Select matrices \(\mathbf {A}_0\), \(\mathbf {A}_1\), “PRF key” matrices \(\mathbf {B}_1\), \(\dots \), \(\mathbf {B}_k\), and “PRF input” matrices \(\mathbf {C}_0\), \(\mathbf {C}_1\) from \(\mathbb {Z}_q^{n\times m}\) uniformly at random.
-
3.
Select a secure pseudorandom function \(\textsf {PRF}: \{0,1\}^k \times \{0,1\}^t\rightarrow \{0,1\}\), express it as a NAND Boolean circuit \(C_{\textsf {PRF}}\) with depth \(d= d(\lambda )\), and select a PRF key \(K = s_1s_2\dots s_k\xleftarrow {\$}\{0,1\}^k\).
-
4.
Select a Gaussian parameter \(s>0\).
-
5.
Output the verification key and signing key as:
$$\begin{aligned} \textsf {Vk}= \left( \mathbf {A}, \{\mathbf {A}_0,\mathbf {A}_1\}, \{\mathbf {B}_i\}_{i\in [k]}, \{\mathbf {C}_0,\mathbf {C}_1\}, s, \textsf {PRF}, C_\textsf {PRF}\right) ,\quad \textsf {Sk}= ( \mathbf {T}_{\mathbf {A}}, K) \end{aligned}$$
Sign \((\textsf {Vk},\textsf {Sk},\textsf {M})\) The signing algorithm takes as input the public verification key \(\textsf {Vk}\), the signing key \(\textsf {Sk}\) and a message \(\textsf {M} = {m_1m_2\dots m_t}\in \{0,1\}^t\). It does:
-
1.
Compute \(\mathbf {A}_{C_\textsf {PRF},\textsf {M}} = \textsf {Eval}_{\textsf {BV}} (C_\textsf {PRF}, \{\mathbf {B}_i\}_{i\in [k]}, \mathbf {C}_{m_1},\mathbf {C}_{m_2},\dots ,\mathbf {C}_{m_t}) \in \mathbb {Z}_q^{n\times m}\).Footnote 5
-
2.
Compute bit value \(b = \textsf {PRF}(K,\textsf {M})\) and set \(\mathbf {F}_{\textsf {M},1-b} = \begin{bmatrix} \mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{C_\textsf {PRF},\textsf {M}} \end{bmatrix}\).
-
3.
Run \(\textsf {SampleLeft}\) to sample \(\mathbf {d}_{\textsf {M}}\in \mathbb {Z}^{2m}\) with distribution \(D_{\mathrm {\Lambda }_q^\bot ({\mathbf {F}_{\textsf {M},1-b}}),s}\).
-
4.
Output the signature \(\textsf {Sig}= \mathbf {d}_\textsf {M}\).
Ver \((\textsf {Vk},\textsf {M},\textsf {Sig})\) The verification algorithm takes as input the verification key Vk, message \(\textsf {M}\) and the signature of \(\textsf {M}\), verifies as follows:
-
1.
Assume \(\textsf {Sig}= \mathbf {d}\). It checks if \(\mathbf {d}\in \mathbb {Z}^{2m}\), \(\mathbf {d}\ne \mathbf {0}\), and \(\left\| \mathbf {d}\right\| \le s\sqrt{2m}\).
-
2.
Compute \(\mathbf {A}_{C_\textsf {PRF},\textsf {M}} = \textsf {Eval}_{\textsf {BV}} (C_\textsf {PRF}, \{\mathbf {B}_i\}_{i\in [k]}, \mathbf {C}_{m_1},\mathbf {C}_{m_2},\dots ,\mathbf {C}_{m_t}) \in \mathbb {Z}_q^{n\times m}\). Check if \(\mathbf {F}_{\textsf {M},b}\mathbf {d} = \begin{bmatrix} \mathbf {A}\ |\ \mathbf {A}_{b} - \mathbf {A}_{C_\textsf {PRF},\textsf {M}} \end{bmatrix} \mathbf {d} = \mathbf {0}\pmod q\) for \(b=0\) or 1.
-
3.
If all above verifications pass, accept the signature; otherwise, reject.
3.2 Parameters Selection and Discussion
Let \(\lambda \) be the security parameter, we set \(n = n(\lambda )\), let the message length be \(t = t(\lambda )\) and the secret key length of PRF be \(k=k(\lambda )\). For the most general case, let the circuit depth of \(C_\textsf {PRF}\) be \(d =d(\lambda )\). To ensure we can run TrapGen in the Lemma 3, we set \(m = n^{1+\eta }\) for some \(\eta \) (we assume \(n^\eta > O(\log {q})\)). To run SampleLeft and SampleRight in the real scheme and simulation per Theorem 2, we set s sufficiently large such that \(s > \Vert \tilde{\mathbf {T}}_\mathbf {G}\Vert \cdot \left\| \mathbf {R}\right\| _2 \cdot \omega (\sqrt{\log m})\) for \(\mathbf {R} = \mathbf {R}_{\mathbf {A}_b} - \mathbf {R}_{C_\textsf {PRF},\textsf {M}}\) (see the security proof below). By Lemma 8 we set \(s = O(4^d\cdot m^{3/2} )\cdot \omega (\sqrt{\log m}) \). For the SIS parameter \(\beta \), we need \(\beta \ge O(4^d\cdot m^{3/2}\cdot s\sqrt{2m})\). So we set \(\beta = O(16^d\cdot m^{7/2})\cdot \omega (\sqrt{\log m})\). To ensure the applicability of the average-case to worst-case reduction for SIS, we need \(q \ge \beta \cdot \omega (\sqrt{n\log n})\). So we set \(q = {O}(16^d\cdot m^{4})\cdot (\omega (\sqrt{\log m}))^2\).
Particularly, if we choose PRF from the well-known efficient and provably secure candidates of PRFs like the ones from [8, 9, 31, 47, 53] can be computed by \(\textsf {NC}^1\) circuits, let \(\ell = t + k\) be the input length of PRF (which is a polynomial in the security parameter), the circuit depth of \(C_\textsf {PRF}\) will be \(d = c\log \ell \) for some constant c. In this case we can set \(\beta = O(\ell ^{4c}\cdot m^{7/2})\cdot \omega (\sqrt{\log m})\) and \(q ={O}(\ell ^{4c}\cdot m^{4})\cdot (\omega (\sqrt{\log m}))^2\) which are polynomial in the security parameter.
It needs to mention that if we instantiate PRF by the (direct) LWE-based PRF from [9] or by the LWE-based PRF from [8] whose security relies on LWE assumption with super-polynomial modulus, the security of our signature scheme has to rely on LWE assumption with super-polynomial modulus. Such LWE assumption is stronger than the SIS assumption with polynomial modulus (as we set above) from which we make the proof for the following theorem.
3.3 Security of the Signature Scheme
The security of our signature scheme is stated by the following theorem.
Theorem 4
Let \(\lambda \) be a security parameter. The parameters n, m, and q are chosen as the Sect. 3.2. If the \((t_\textsf {SIS},\epsilon _\textsf {SIS})\)-\(\textsf {SIS}_{n,q,\beta ,m}\) assumption holds and the PRF used in the signature scheme is \((t_\textsf {PRF},\epsilon _\textsf {PRF})\)-secure, the signature scheme is \((t,q_s,\epsilon )\) -EUF-CMA secure where \(\epsilon _\textsf {SIS}\ge \epsilon /2 - \epsilon _\textsf {PRF}- \textsf {negl}(\lambda ) \), for some negligible statistical error \(\textsf {negl}(\lambda )\), and \(\max (t_\textsf {PRF},t_\textsf {SIS}) \le t+ O(q_s\cdot (T_S + T_E))\) where \(q_s\) is the number of signing query, \(T_S\) is the maximum running time of SampleRight, and \(T_E\) is the maximum running time of \(\textsf {Eval}_{\textsf {BV}}\) for one input message.
Proof
Consider the following security game between an adversary \(\mathcal {A}\) and a simulator \(\mathcal {B}\). Upon receiving a \(\textsf {SIS}_{n,q,\beta ,m}\) challenge \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\), the challenger \(\mathcal {B}\) prepares \(\textsf {Vk}\) as follows:
-
1.
Select \(k+4\) matrices \(\mathbf {R}_{\mathbf {A}_0}\), \(\mathbf {R}_{\mathbf {A}_1}\), \(\{ \mathbf {R}_{\mathbf {B}_i}\}_{i\in [k]}\), \(\mathbf {R}_{\mathbf {C}_0}\), \(\mathbf {R}_{\mathbf {C}_1} \xleftarrow {\$}\{1,-1\}^{m\times m}\).
-
2.
Select a secure pseudorandom function \(\textsf {PRF}: \{0,1\}^k \times \{0,1\}^t\rightarrow \{0,1\}\) and express it as a NAND Boolean circuit \(C_\textsf {PRF}\) with depth d.
-
3.
Select a PRF key \(K = s_1 s_2 \dots s_k\xleftarrow {\$} \{0,1\}^{k}\).
-
4.
Set \(\mathbf {A}_b = \mathbf {AR}_{\mathbf {A}_b} + b \mathbf {G} \) and \(\mathbf {C}_b = \mathbf {AR}_{\mathbf {C}_b} + b \mathbf {G} \) for \(b=0,1\).
-
5.
Set \(\mathbf {B}_i = \mathbf {A} \mathbf {R}_{\mathbf {B}_i} + s_i\mathbf {G}\) for \(i\in [k]\).
-
6.
Select a Gaussian parameter \(s>0\).
-
7.
Publish \(\textsf {Vk}= \left( \mathbf {A}, \{\mathbf {A}_0,\mathbf {A}_1\}, \{\mathbf {B}_i\}_{i\in [k]}, \{\mathbf {C}_0,\mathbf {C}_1\},\textsf {PRF},C_\textsf {PRF}\right) \).
In the query phase, the adversary \(\mathcal {A}\) adaptively issues messages for inquiring the corresponding signatures. Consider a message \(\textsf {M} = m_1m_2\dots m_t\in \{0,1\}^t\). \(\mathcal {B}\) does the following to prepare the signature:
-
1.
Compute \(\mathbf {A}_{C_\textsf {PRF}} = \mathbf {A}\mathbf {R}_{C_\textsf {PRF},\textsf {M}} + \textsf {PRF}(K,\textsf {M})\mathbf {G}\in \mathbb {Z}_q^{n\times m}\) by \(\textsf {Eval}_{\textsf {BV}}\) \((C_\textsf {PRF}\), \(\{\mathbf {B}_i\}_{i\in [k]}\), \(\mathbf {C}_{m_1}\), \(\mathbf {C}_{m_2}\), \(\dots \), \(\mathbf {C}_{m_t}) \).
-
2.
Let \(b = \textsf {PRF}(K,\textsf {M})\), it sets
$$\begin{aligned} \mathbf {F}_{\textsf {M},1-b}&= \begin{bmatrix} \mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{C_\textsf {PRF},\textsf {M}} \end{bmatrix} \\&= \begin{bmatrix} \mathbf {A}\ |\ \mathbf {A} (\mathbf {R}_{\mathbf {A}_{1-b}} - \mathbf {R}_{C_\textsf {PRF},\textsf {M}}) + (1-2b)\mathbf {G} \end{bmatrix} \end{aligned}$$and runs \(\textsf {SampleRight}\) to generate the signature \(\textsf {Sig}=\mathbf {d}_{\textsf {M}} \sim D_{\Lambda _q^\bot (\mathbf {F}_{\textsf {M},1-b}),s}\).
Finally, \(\mathcal {A}\) output a forgery \((\mathbf {d}^*,\textsf {M}^*)\). Let \(\textsf {PRF}(K,\textsf {M}^*) = b\). If \(\left\| \mathbf {d}\right\| > s\sqrt{2m}\) or \(\begin{bmatrix} \mathbf {A}\ |\ \mathbf {A}_{1-b} - \mathbf {A}_{C_\textsf {PRF},\textsf {M}^*} \end{bmatrix}\mathbf {d}^* =\mathbf {0} \pmod q\), \(\mathcal {B}\) aborts. Otherwise, we have \(\begin{bmatrix} \mathbf {A}\ |\ \mathbf {A}_{b} - \mathbf {A}_{C_\textsf {PRF},\textsf {M}^*} \end{bmatrix}\mathbf {d}^* =\mathbf {0} \pmod q\). Let \(\mathbf {d}^* = [\mathbf {d}_1^\top \ |\ \mathbf {d}_2^\top ]^\top \in \mathbb {Z}^{2m}\). \(\mathcal {B}\) outputs \(\mathbf {e} = \mathbf {d}_1 + (\mathbf {R}_{\mathbf {A}_b} - \mathbf {R}_{C_\textsf {PRF},\textsf {M}^*})\mathbf {d}_2\) where \(\left\| \mathbf {e}\right\| \le \beta \) as a solution for the \(\textsf {SIS}_{n,q,\beta ,m}\) problem instance.
We show that Vk output by \(\mathcal {B}\) has the correct distribution. In the real scheme, the matrix \(\mathbf {A}\) is generated by TrapGen. In the simulation, \(\mathbf {A}\) has uniform distribution in \(\mathbb {Z}_q^{n\times m}\) as it comes from the SIS challenge. By the Lemma 3, \(\mathbf {A}\) generated in the simulation has right distribution except a negligibly small statistical error. Secondly, the matrices \(\mathbf {A}\), \(\{\mathbf {A}_0,\mathbf {A}_1\}\), \(\{\mathbf {B}_i\}_{i\in [k]}\), and \(\{\mathbf {C}_0,\mathbf {C}_1\}\) computed in the simulation have distribution that is statistically close to uniform distribution in \(\mathbb {Z}_q^{n\times m}\) by the Lemma 1. In particular, the PRF secret key \(\{s_i\}_{i\in [k]}\) is information-theoretically concealed by \(\{\mathbf {B}_i\}_{i\in [k]}\).
Now we show that given \(\{\mathbf {A}_0,\mathbf {A}_1\}\), \(\{\mathbf {B}_i\}_{i\in [k]}\), and \(\{\mathbf {C}_0,\mathbf {C}_1\}\), it is hard to find two messages \(\textsf {M}\ne \textsf {M}'\) such that \(\mathbf {A}_{C_\textsf {PRF},\textsf {M}} = \mathbf {A}_{C_\textsf {PRF},\textsf {M}'}\). Assume an efficient adversary finds \(\textsf {M}\ne \textsf {M}'\) such that \(\mathbf {A}_{C_\textsf {PRF},\textsf {M}} = \mathbf {A}_{C_\textsf {PRF},\textsf {M}'}\). With the public parameters set up above, we have
If \(\textsf {PRF}(K,\textsf {M})\ne \textsf {PRF}(K,\textsf {M}')\), which will happen essentially 1/2 probability if PRF is secure, we have \(\mathbf {R}_{C_\textsf {PRF},\textsf {M}}\ne \mathbf {R}_{C_\textsf {PRF},\textsf {M}'}\) and \(\mathbf {A}(\mathbf {R}_{C_\textsf {PRF},\textsf {M}}- \mathbf {R}_{C_\textsf {PRF},\textsf {M}'}) \pm \mathbf {G} = 0\pmod q\). By Lemma 6 and Algorithm 1, a low-norm vector \(\bar{\mathbf {d}}\in \mathbb {Z}^{m\times m}\) can be efficiently found such that \(\mathbf {G}\bar{\mathbf {d}} = \mathbf {0}\pmod q\) where \(\bar{\mathbf {d}}\ne \mathbf {0}\) and \(\left\| \bar{\mathbf {d}}\right\| \le s'\sqrt{m}\) for some Gaussian parameter \(s'\ge \sqrt{5}\cdot \omega (\sqrt{\log m})\). Then \((\mathbf {R}_{C_\textsf {PRF},\textsf {M}}- \mathbf {R}_{C_\textsf {PRF},\textsf {M}'})\cdot \bar{\mathbf {d}}\) will be a non-zero vector with all but negligible probability and, therefore, a valid the SIS solution for \(\mathbf {A}\).
In the query phase, the signatures replied to \(\mathcal {A}\) have the correct distribution under the predefined conditions. Indeed, by the Theorem 2, for sufficient large Gaussian parameter s, the the distribution of signatures generated in the simulation by \(\textsf {SampleRight}\) is statistically close to \(D_{\mathrm {\Lambda }_q^\bot ({\mathbf {F}}_{\textsf {M},1-b}),s}\) where the distribution of signatures generated in the real scheme by \(\textsf {SampleLeft}\) is also statistically close to \(D_{\mathrm {\Lambda }_q^\bot ({\mathbf {F}}_{\textsf {M},1-b}),s}\).
In the forge phase, \(\mathcal {A}\) will have at most advantage \(\epsilon _\textsf {PRF}\) in predicting the bit value b with respect to the message it wants to forge. Therefore, if \(\mathcal {A}\) can not distinguish PRF from random functions, it will randomly pick either of the matrices \(\mathbf {A}_0\) or \(\mathbf {A}_1\) to make a forgery. With \(\frac{1}{2}\) chance it will pick the one that \(\mathcal {B}\) will be able to use to solve the SIS problem. So we have \(\epsilon _{\textsf {SIS}} \ge \epsilon /2 - \epsilon _\textsf {PRF}- \textsf {negl}(\lambda )\) where \(\textsf {negl}(\lambda )\) stands for negligible statistical error in the simulation.
To argue that \(\mathbf {e} = \mathbf {d}_1 + (\mathbf {R}_{\mathbf {A}_1} - \mathbf {R}_{C_\textsf {PRF},\textsf {M}^*})\mathbf {d}_2\) is a valid solution of the \(\textsf {SIS}_{n,q,\beta ,m}\) problem instance, we need to show \(\mathbf {e}\) is sufficiently short, and non-zero except with negligible probability. First of all, we have
where \(\mathbf {R} = \mathbf {R}_{\mathbf {A}_b}-\mathbf {R}_{C_\textsf {PRF},\textsf {M}^*}\). Since \(\mathbf {d}_1,\mathbf {d}_2\) have distribution \(D_{\mathbb {Z}^m,s}\) with condition \(\mathbf {d}\in \mathrm {\Lambda }_q^\bot (\mathbf {F}_{\textsf {M},b})\), by the Lemma 4, \(\mathbf {d}_1,\mathbf {d}_2 \le s\sqrt{m}\). By Lemma 8, we have \(\Vert \mathbf {e}\Vert \le \Vert \mathbf {d}_1\Vert + \left\| \mathbf {R}\right\| _2 \cdot \Vert \mathbf {d}_2\Vert \le O (4^d\cdot m^{3/2})\cdot s\sqrt{m}\). Let \(\beta \ge O (4^d\cdot m^{3/2})\cdot s\sqrt{m}\) is sufficient.
It remains to show that \(\mathbf {e}=\mathbf {d}_1 + \mathbf {R}\cdot \mathbf {d}_2 \ne \mathbf {0}\). Suppose \(\mathbf {d}_2 \ne \mathbf {0}\), we have \(\mathbf {e} \ne \mathbf {0}\) since \(\mathbf {d}\ne \mathbf {0}\). On the other hand, we have \(\mathbf {d}_2 = (d_1,\dots ,d_m)^\top \ne \mathbf {0}\) and, thus, at least one coordinate of \(\mathbf {d}_2 \), say \(d_j\), is not 0. We write \(\mathbf {R}= (\mathbf {r}_1,\dots , \mathbf {r}_m)\) and so
Observe that for the fixed message \(\textsf {M}^*\) on which \(\mathcal {A}\) made the forgery, \(\mathbf {R}\) (therefore \(\mathbf {r}_j\)) depends on the low-norm matrices \(\mathbf {R}_{\mathbf {A}_0},\mathbf {R}_{\mathbf {A}_1},\{ \mathbf {R}_{\mathbf {B}_i}\}_{i\in [k]}, \mathbf {R}_{\mathbf {C}_0},\mathbf {R}_{\mathbf {C}_1}\) and the secret key of PRF. The only information about \(\mathbf {r}_j\) for \(\mathcal {A}\) is from the public matrices in \(\textsf {Vk}\), i.e. \(\{\mathbf {A}_0,\mathbf {A}_1\}, \{\mathbf {B}_i\}_{i\in [k]}, \{\mathbf {C}_0,\mathbf {C}_1\}\). So by the pigeonhole principle there is a (exponentially) large freedom to pick a value to \(\mathbf {r}_j\) which is compatible with \(\mathcal {A}\)’s view, i.e. \(\mathbf {Ar}_j' = \mathbf {Ar}_j'' \pmod q\) for admissible (low-norm) \(\mathbf {r}_j',\mathbf {r}_j'' \) where \(\mathbf {r}_j' \ne \mathbf {r}_j''\). (In fact, here we have more freedom than the case in [20] where \(\mathbf {R}\) is picked from \(\{1,-1\}^{m\times m}\)).
Finally, to answer one signing query, \(\mathcal {B}\)’s running time is bounded by \(O(T_S + T_E)\). So the total running time of \(\mathcal {B}\) in the simulation is bounded by \(O( q_s(T_S + T_E))\). This concludes the proof. \(\square \)
4 IBE Scheme with Tight Security
4.1 Construction with CPA Security
Setup \((1^\lambda )\). The setup algorithm takes as input a security parameter \(\lambda \) and does:
-
1.
Sample a random matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) along with a trapdoor basis \(\mathbf {T}_{\mathbf {A}}\in \mathbb {Z}^{m\times m}\) of lattice \(\mathrm {\Lambda }_q^\bot (\mathbf {A})\) by running \(\textsf {TrapGen}\).
-
2.
Select random matrices \(\mathbf {A}_0\), \(\mathbf {A}_1\), random “PRF key” matrices \(\mathbf {B}_1\), \(\dots \), \(\mathbf {B}_k\), and random “PRF input” matrices \(\mathbf {C}_0\), \(\mathbf {C}_1\) from \(\mathbb {Z}_q^{n\times m}\) uniformly at random.
-
3.
Select a random vector \(\mathbf {u}\xleftarrow {\$} \mathbb {Z}_q^n\).
-
4.
Select a secure pseudorandom function \(\textsf {PRF}: \{0,1\}^k \times \{0,1\}^t\rightarrow \{0,1\}\), express it as a NAND Boolean circuit \(C_\textsf {PRF}\) with depth \(d= d(\lambda )\), and select a PRF key \(K = s_1s_2\dots s_k\xleftarrow {\$}\{0,1\}^k\).
-
5.
Output the public parameters
$$\textsf {Pub}= \left( \mathbf {A}, \{\mathbf {A}_0,\mathbf {A}_1\}, \{\mathbf {B}_i\}_{i\in [k]}, \{\mathbf {C}_0,\mathbf {C}_1\}, \mathbf {u}, \textsf {PRF}, C_\textsf {PRF}\right) $$and the master secret key \(\textsf {Msk}= (\mathbf {T}_{\mathbf {A}},K) \).
KeyGen \((\textsf {Pub},\textsf {Msk},\textsf {id})\). Upon an input identity \(\textsf {id}\) \(=\) \(x_1x_2\dots x_t\) \(\in \{0,1\}^t\), the key generation algorithm does the following:
-
1.
Compute \(b = \textsf {PRF}(K, \textsf {id})\).
-
2.
Compute \(\mathbf {A}_{{C_\textsf {PRF},\textsf {id}}} = \textsf {Eval}_{\textsf {BV}}({C_\textsf {PRF}}, \{\mathbf {B} \}_{i\in [k]}, \mathbf {C}_{x_1},\mathbf {C}_{x_2},\dots , \mathbf {C}_{x_t} )\in \mathbb {Z}_q^{n\times m}\).
-
3.
Set \(\mathbf {F}_{\textsf {id},1-b} = \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A}_{1-b} - \mathbf {A}_{{C_\textsf {PRF}},\textsf {id}}\end{bmatrix} \in \mathbb {Z}_q^{n\times 2m}\).
-
4.
Run SampleLeft to sample \(\mathbf {d}_{\textsf {id}}\) from the discrete Gaussian distribution \(D_{\mathrm {\Lambda }_q^\mathbf {u} ({\mathbf {F}}_{\textsf {id},1-b}), s}\) hence \(\mathbf {F}_{\textsf {id},1-b} \mathbf {d}_{\textsf {id}} = \mathbf {u}\pmod q\). Output \(\textsf {Sk}_\textsf {id}= \mathbf {d}_\textsf {id}\).
Encrypt \((\textsf {Pub},\textsf {id},\textsf {Msg})\). To encrypt a message \(\textsf {Msg}\in \{0,1\}\) with respect to an identity \(\textsf {id}=x_1x_2\dots x_t\) \(\in \{0,1\}^t\):
-
1.
Compute \(\mathbf {A}_{C_\textsf {PRF},\textsf {id}} = \textsf {Eval}_{\textsf {BV}}({C_\textsf {PRF}}, \{\mathbf {B}_{i}\}_{i\in [k]}, \mathbf {C}_{x_1},\mathbf {C}_{x_2},\dots , \mathbf {C}_{x_t} ) \).
-
2.
Set \(\mathbf {F}_{\textsf {id},b} = \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A}_b - \mathbf {A}_{{C_\textsf {PRF}},\textsf {id}}\end{bmatrix}\in \mathbb {Z}_q^{n\times 2m}\) for \(b=0,1\).
-
3.
Select two random vectors \(\mathbf {s}_0,\mathbf {s}_1\xleftarrow {\$}\mathbb {Z}_q^{n}\).
-
4.
Select two noise scalars \(\nu _{0,0}, \nu _{1,0} \leftarrow D_{\mathbb {Z},\sigma _\textsf {LWE}}\) and four noise vectors \(\hat{\varvec{\nu }}_{0,1},\hat{\varvec{\nu }}_{1,1}\leftarrow D_{\mathbb {Z}^{m},\sqrt{2}\sigma _\textsf {LWE}}\), \(\check{\varvec{\nu }}_{0,1},\check{\varvec{\nu }}_{1,1}\leftarrow D_{\mathbb {Z}^{m},\sigma }\) where \(\sigma \) is sufficiently larger than \(\sigma _\textsf {LWE}\).Footnote 6
-
5.
Compute the ciphertext \(\textsf {Ctx}_{\textsf {id}} = (c_{0,0}, \mathbf {c}_{0,1},c_{1,0}, \mathbf {c}_{1,1})\) as:
$$\begin{aligned} \left\{ \begin{array}{lcl} c_{0,0} &{} = &{} \left( \mathbf {s}_0^{\top }\mathbf {u} + \nu _{0,0} + \textsf {Msg}\lfloor q/2\rfloor \right) \bmod q \\ \\ \mathbf {c}_{0,1}^\top &{} = &{} \left( \mathbf {s}_0^{\top } \mathbf {F}_{\textsf {id},0} + [\hat{\varvec{\nu }}_{0,1}^\top \ |\ \check{\varvec{\nu }}_{0,1}^\top ] \right) \bmod q \end{array} \right. \end{aligned}$$$$\begin{aligned} \left\{ \begin{array}{lcl} c_{1,0} &{} = &{} \left( \mathbf {s}_1^{\top }\mathbf {u} + \nu _{1,0} + \textsf {Msg}\lfloor q/2\rfloor \right) \bmod q\\ \\ \mathbf {c}_{1,1}^\top &{} = &{} \left( \mathbf {s}_1^{\top } \mathbf {F}_{\textsf {id},1} + [\hat{\varvec{\nu }}_{1,1}^\top \ |\ \check{\varvec{\nu }}_{1,1}^\top ] \right) \bmod q \end{array} \right. \end{aligned}$$
Decrypt \((\textsf {Pub},\textsf {Sk}_{\textsf {id}},\textsf {Ctx}_{\textsf {id}})\). The decryption algorithm uses the key \(\mathbf {d}_\textsf {id}\) to try to decrypt both \((c_{0,0}, \mathbf {c}_{0,1})\) and \((c_{1,0}, \mathbf {c}_{1,1})\) Footnote 7. W.l.o.g., assume that \((c_{b,0}, \mathbf {c}_{b,1})\) is the correct ciphertext. The decryption algorithm computes
View \(\tau \) as an integer in \((-q/2,q/2]\). If \(\tau \) is closer to 0 than \(\pm q/2\), the output is \(\textsf {Msg}=0\). Otherwise, it is \(\textsf {Msg}=1\).
4.2 Correctness
Following the decryption algorithm, let \(\mathbf {d}_\textsf {id}=[\mathbf {d}_1^\top \ |\ \mathbf {d}_2^\top ]^\top \). We have
Recall, the norm of \(\mathbf {d}_1\) and \(\mathbf {d}_2\) is bounded by \(s\sqrt{m}\), and the norm of \(\hat{\varvec{\nu }}_{b,1}\) and \(\check{\varvec{\nu }}_{b,1}\) is bounded by \(\sigma _\textsf {LWE}\sqrt{m}\) and \(\sigma \sqrt{m}\) respectively, by Lemma 4. To ensure correctness of decryption, we need
Accordingly, it is enough to set q such that \(O(s\cdot m \cdot (\sigma _\textsf {LWE}+ \sigma ) ) \le q/4\).
4.3 Parameter Selection and Discussion
We now discuss a consistent parameter instantiation that achieves both correctness and security. Let \(\lambda \) be the security parameter, \(t = t(\lambda )\) be the identity length, \(k=k(\lambda )\) be the secret key length of PRF, and let \(\ell = t+ k\) be the input length of PRF. Let, for the most general case, the circuit depth of PRF be \(d=d(\lambda )\). To ensure we can run TrapGen in the Lemma 3, we set \(m = n^{1+\eta }\) for some \(\eta >0\) (we assume \(n^\eta > O(\log {q})\)). To make sure SampleLeft in the real scheme and SampleRight in the simulation algorithm \(\textsf {Sim}.\textsf {KeyGen}\) (see section) 4.4 have the same output distribution per Theorem 2, we set a sufficiently large Gaussian parameter \(s = \Vert \tilde{\mathbf {T}}_\mathbf {G}\Vert \cdot O(4^d\cdot m^{3/2}) \cdot \omega (\sqrt{\log m})\). To ensure the applicability of Regev’s [55] and Peikert’s [54] LWE reductions from worst-case lattice problems, we set the Gaussian parameter of LWE noise distribution to be \(\sigma _\textsf {LWE}= \sqrt{n}\). So the LWE noise distribution is \((D_{\mathbb {Z},\sqrt{n}}) \bmod q\). For the security proof (specifically for the proofs of Lemmas 10 and 16), we set \(\sigma = O(4^d\cdot m^{3/2})\cdot \omega (\sqrt{\log m}) \cdot \sigma _\textsf {LWE}\). Finally, to ensure correctness condition of decryption, we set \(q = O(16^d \cdot m^{9/2})\cdot (\omega \sqrt{\log m})^2 \).
As for our signature scheme, if we the PRF can be computed by a \(\textsf {NC}^1\) NAND circuit with depth \(d = c\log \ell \) for some constant \(c>1\), we can set the LWE modulus \(q = O(\ell ^{4c} \cdot m^{9/2})\cdot (\omega \sqrt{\log m})^2 \), which is polynomial in the security parameter \(\lambda \).
Tight Reduction and Hardness of LWE. It is known that larger modulus results in stronger LWE assumption, if the standard deviation of the noise distribution stays unchanged. More precisely, let B be the maximum magnitude of the LWE noise, and q be the LWE modulus. The hardness of the LWE problem depends on the ratio q / B. The LWE problem becomes easier when this ratio grows. In this regard, the appeal of our tight reduction varies: tight reduction to harder LWE problem is more preferable than tight reduction to easier LWE problem. This is true particularly when one considers the average-case hardness of LWE to worst-case hardness of classic lattice problems, e.g. GapSVP and SIVP, reductions [22, 54, 55] where ratio q / B is smaller, the solutions for classic lattice problems are better.
One feature of our IBE scheme (and the signature scheme it induces) is that depending on different circuits instantiations, the assumptions we make for our tight reduction may vary. In addition, if we use a LWE-based PRF, our IBE scheme relies on the stronger one of two LWE assumptions: one is made for the PRF and another one is made for our construction, which uses a polynomial modulus q as we chose above. Currently, basing our IBE scheme solely on LWE needs to assume the LWE assumption with super-polynomial modulus. This is because the state-of-art PRFs from LWE (from [8, 9]) in terms of efficiency and provable security require super-polynomial LWE modulus.
On the other hand, we believe that our tight reduction is still very valuable even for large ratio q / B. Firstly, it shows that, at the first time, we actually can eliminate the dependency between the number of adversary’s queries and the security of lattice-based IBE scheme (as well as short lattice signature scheme). This is very important since the number of adversary’s queries can be quite large, which will negatively impact the schemes’ security seriously. Secondly, the average-case to worst-case reduction does provide some security confidence for the LWE assumption, but this is not the whole story. For certain parameters, many classic lattice problems are NP-hard. However, those parameters have no direct connection to lattice-based cryptography. (There is even evidence that the classic lattice problems with parameters relevant cryptography are not NP-hard.) On the other hand, the LWE problem (with various parameters) could be assured to be a hard problem in its own right. It has shown robustness against various attacks in a relatively long-term period. This has made LWE widely accepted as standard assumption and for use in cryptography. For instance, even for sub-exponentially large ratios \(q/B = 2^{O(n^c)}\) where n is the LWE dimension and \(0<c<1/2\), the LWE problem is still believed to be hard and leads to powerful cryptographic schemes which we were not able to obtain by other means, including fully homomorphic encryption, e.g. [23], attribute-based encryption for circuits, e.g. [18, 25, 37], and predicate encryption for circuits [41].
4.4 Proof of Security
The security of our IBE scheme with respect to the Definition 8 can be stated by the following theorem.
Theorem 5
Let \(\lambda \) be a security parameter. The parameters n, q are chosen as the Sect. 4.3. Let \(\chi \) be the distribution \(D_{\mathbb {Z}^m,\sqrt{n}}\). If the \((t_\textsf {LWE}, \epsilon _\textsf {LWE})\)-\(\textsf {LWE}_{n,q,\chi }\) assumption holds and the PRF used in the IBE scheme is \((t_\textsf {PRF},\epsilon _\textsf {PRF})\)-secure, then the IBE scheme is \((t, q_\textsf {id},\epsilon )\)-IND-ID-CPA secure such that \(\epsilon \le 2( \epsilon _\textsf {PRF}+ \epsilon _\textsf {LWE}) + \textsf {negl}(\lambda ) \) for some negligible function \(\textsf {negl}(\lambda )\), and \(\max (t_\textsf {PRF}, t_\textsf {LWE}) \le t + O\left( q_\textsf {id}\cdot ( T_S + T_E) \right) \) where \(T_S\) is the maximum running time of SampleRight and \(T_E\) is the maximum running time of \(\textsf {Eval}_{\textsf {BV}}\) for one input identity.
We prove above theorem through a sequence of indistinguishable security games. The first game is identical to the IND-ID-CPA game. In the last game, the adversary has no advantage. We will show that a PPT adversary will not be able to distinguish the neighbouring games which will prove that the adversary has only negligibly small advantage in wining the first (real) game.
Firstly, we define the following simulation algorithms \(\textsf {Sim}.\textsf {Setup}\), \(\textsf {Sim}.\textsf {KeyGen}\) and \(\textsf {Sim}.\textsf {Encrypt}\).
Sim.Setup \((1^{\lambda })\). The algorithm does the following:
-
1.
Select matrix \(\mathbf {A}\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\).
-
2.
Select \(k+4\) random low-norm matrices \(\mathbf {R}_{\mathbf {A}_0}\), \(\mathbf {R}_{\mathbf {A}_1}\), \(\{ \mathbf {R}_{\mathbf {B}_i}\}_{i\in [k]}\), \(\mathbf {R}_{\mathbf {C}_0}\), \(\mathbf {R}_{\mathbf {C}_1}\) from \(\{1,-1\}^{m\times m}\).
-
3.
Select a secure pseudorandom function \(\textsf {PRF}: \{0,1\}^k \times \{0,1\}^t\rightarrow \{0,1\}\) and express it as a NAND Boolean circuit \(C_\textsf {PRF}\) with depth \(d = d(\lambda )\).
-
4.
Select a uniformly random string \(K = s_1 s_2 \dots s_k\xleftarrow {\$} \{0,1\}^{k}\).
-
5.
Set \(\mathbf {A}_b = \mathbf {AR}_{\mathbf {A}_b} + b \mathbf {G} \) and \(\mathbf {C}_b = \mathbf {AR}_{\mathbf {C}_b} + b \mathbf {G} \) for \(b=0,1\).
-
6.
Set \(\mathbf {B}_i = \mathbf {A} \mathbf {R}_{\mathbf {B}_i} + s_i\mathbf {G}\) for \(i\in [k]\).
-
7.
Select vector \(\mathbf {u}\xleftarrow {\$}\mathbb {Z}_q^{n}\).
-
8.
Publish \(\textsf {Pub}= \left( \mathbf {A}, \{\mathbf {A}_0,\mathbf {A}_1\}, \{\mathbf {B}_i\}_{i\in [k]}, \{\mathbf {C}_0,\mathbf {C}_1\}, \mathbf {u}, \textsf {PRF}, C_\textsf {PRF}\right) \)
Sim.KeyGen \((\textsf {Pub},\textsf {Msk},\textsf {id})\). Upon an input identity \(\textsf {id}=x_1x_2\dots x_t\in \{0,1\}^t\), the algorithm uses the parameters generated from Sim.Setup to do the following:
-
1.
Compute \(\mathbf {A}_{\textsf {PRF},\textsf {id}} = \mathbf {AR}_{C_\textsf {PRF},\textsf {id}} + \textsf {PRF}(K,\textsf {id})\mathbf {G} \leftarrow \textsf {Eval}_{\textsf {BV}} (C_\textsf {PRF}, \{\mathbf {B}_i\}_{i\in [k]}, \mathbf {C}_{x_1},\dots ,\mathbf {C}_{x_t})\).
-
2.
Let \(\textsf {PRF}(K,\textsf {id}) = b\in \{0,1\}\). Set
$$\begin{aligned} \mathbf {F}_{\textsf {id},1-b}&= \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A}_{1-b} - \mathbf {A}_{C_\textsf {PRF},\textsf {id}} \end{bmatrix} \\&= \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A} ( \mathbf {R}_{\mathbf {A}_{1-b}} - \mathbf {R}_{C_\textsf {PRF},\textsf {id}} ) + (1-2b)\mathbf {G}\end{bmatrix} . \end{aligned}$$ -
3.
Run \(\textsf {SampleRight}\) to sample \(\mathbf {d}_{\textsf {id}}\in D_{\mathrm {\Lambda }_q^\mathbf {u} ({\mathbf {F}}_{\textsf {id},1-b}), s}\) as the private key \(\textsf {Sk}_\textsf {id}\).
Sim.Encrypt \((\textsf {Pub},\textsf {id}^*,\textsf {Msg})\). To encrypt a message \(\textsf {Msg}^*\in \{0,1\}\) with respect to an identity \(\textsf {id}^*\):
-
1.
Compute \(b = \textsf {PRF}(K,\textsf {id}^*)\).
-
2.
Set
$$\begin{aligned} \mathbf {F}_{\textsf {id}^*,{b}}&= \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A}_b - \mathbf {A}_{C_\textsf {PRF},\textsf {id}^*} \end{bmatrix} \\&= \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A} ( \mathbf {R}_{\mathbf {A}_b} - \mathbf {R}_{C_\textsf {PRF},\textsf {id}^*} )\end{bmatrix} \end{aligned}$$and
$$\begin{aligned} \mathbf {F}_{\textsf {id}^*,{1-b}}&= \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A}_{1-b} - \mathbf {A}_{C_\textsf {PRF},\textsf {id}^*} \end{bmatrix} \\&= \begin{bmatrix} \mathbf {A} \ |\ \mathbf {A} ( \mathbf {R}_{\mathbf {A}_{1-b}} - \mathbf {R}_{C_\textsf {PRF},\textsf {id}^*} ) + (1-2b)\mathbf {G}\end{bmatrix}. \end{aligned}$$ -
3.
Select random vectors \(\mathbf {s}_b,\mathbf {s}_{1-b}\xleftarrow {\$}\mathbb {Z}_q^{n}\).
-
4.
Select noise scalars \(\nu _{b,0}, \nu _{1-b,0} \leftarrow D_{\mathbb {Z},\sigma _\textsf {LWE}}\).
-
5.
Sample noise vectors \(\mathbf {x},\mathbf {y} \leftarrow D_{\mathbb {Z}^m,\sigma _\textsf {LWE}}\) for sufficiently large Gaussian parameter \(\sigma _\textsf {LWE}\) (\(\sigma _\textsf {LWE}\ge \eta _\varepsilon (\mathbb {Z}^m)\) for some small \(\varepsilon >0\)). Set \(\hat{\varvec{\nu }}_{b,1} = \mathbf {x} + \mathbf {y}\).
-
6.
Let \(\mathbf {R} = \mathbf {R}_{\mathbf {A}_{b}} - \mathbf {R}_{\textsf {PRF},\textsf {id}^*} \) and \(\mathbf {r}_i\) be the i-th column of \(\mathbf {R}\). We sample the noise vector \(\mathbf {z} = (z_1,z_2,\dots ,z_m)\in \mathbb {Z}^m\) with \(z_i\leftarrow D_{\mathbb {Z},\sigma _{1,i}}\) for the sufficiently large Gaussian parameter \(\sigma _{1,i} = \sqrt{\sigma ^2 - 2 (\Vert \mathbf {r}_i\Vert \cdot \sigma _\textsf {LWE})^2 }\).Footnote 8 Set \(\check{\varvec{\nu }}_{b,1} = \mathbf {R} ^\top \cdot (\mathbf {x}-\mathbf {y})+\mathbf {z}\).
-
7.
Select noise vectors \(\hat{\varvec{\nu }}_{1-b,1}\leftarrow D_{\mathbb {Z}^{m},\sqrt{2}\sigma _{\textsf {LWE}}}\), \(\check{\varvec{\nu }}_{1-b,1}\leftarrow D_{\mathbb {Z}^{m},\sigma }\).
-
8.
Set the challenge ciphertext \(\textsf {Ctx}_{\textsf {id}^*} =\) \((c_{b,0},\) \(\mathbf {c}_{b,1}\), \(c_{1-b,0}\), \(\mathbf {c}_{1-b,1})\) as:
$$\begin{aligned} {\left\{ \begin{array}{ll} c_{b,0} = \left( \mathbf {s}_b^{\top }\mathbf {u} + \nu _{b,0} + \textsf {Msg}\lfloor q/2\rfloor \right) \bmod q \\ \mathbf {c}_{b,1}^\top = \left( \mathbf {s}_b^{\top } \mathbf {F}_{\textsf {id}^*,b} + [\hat{\varvec{\nu }}_{b,1}^\top \ |\ \check{\varvec{\nu }}_{b,1}^\top ] \right) \bmod q \end{array}\right. } \end{aligned}$$$$\begin{aligned} {\left\{ \begin{array}{ll} c_{1-b,0} = \left( \mathbf {s}_{1-b}^{\top }\mathbf {u} + \nu _{1-b,0} + \textsf {Msg}\lfloor q/2\rfloor \right) \bmod q \\ \mathbf {c}_{1-b,1}^\top = \left( \mathbf {s}_{1-b}^{\top } \mathbf {F}_{\textsf {id}^*,{1-b}} + [\hat{\varvec{\nu }}_{1-b,1}^\top \ |\ \check{\varvec{\nu }}_{1-b,1}^\top ] \right) \bmod q \end{array}\right. } \end{aligned}$$
Now we define a series of games and prove that the neighbouring games are either statistically indistinguishable, or computationally indistinguishable.
Game 0. This is the real IND-ID-CPA game from the definition. All the algorithms are the same as the real scheme.
Game 1. This game is the same as Game 0 except it runs \(\textsf {Sim}.\textsf {Setup}\) and \(\textsf {Sim}.\textsf {KeyGen}\) instead of \(\textsf {Setup}\) and \(\textsf {KeyGen}\).
Game 2. This game is the same as Game 1 except that the challenge ciphertext is generated by Sim.Encrypt instead of Encrypt.
Game 3. This game is the same as Game 2 except that during preparation of the challenge ciphertext for identity \(\textsf {id}^*\), it samples \((c_{b,0},\mathbf {c}_{b,1})\) uniformly random from \(\mathbb {Z}_q \times \mathbb {Z}_q^{2m}\) for \(b = \textsf {PRF}(K,\textsf {id}^*)\). Another part of the challenge ciphertext \((c_{1-b,0},\mathbf {c}_{1-b,1})\) is computed by \(\textsf {Sim}.\textsf {Encrypt}\) as in Game 2.
Game 4. This game is the same as Game 3 except for \(b = \textsf {PRF}(K,\textsf {id}^*)\) it runs real encryption algorithm Encrypt to generate \((c_{1-b,0},\mathbf {c}_{1-b,1})\) of the challenge ciphertext instead of using Sim.Encrypt.
Game 5. This game is the same as Game 4 except it runs Setup and KeyGen to generate Pub and private identity keys.
Game 6. This game is the same as Game 5 except that for \(b = \textsf {PRF}(K,\textsf {id}^*)\), the challenge ciphertext part \((c_{b,0},\mathbf {c}_{b,1})\) is generated by Encrypt instead of choosing it randomly, and \((c_{1-b,0},\mathbf {c}_{1-b,1})\) is chosen randomly.
Game 7. This game is the same as Game 6 except that it runs Sim.Setup and Sim.KeyGen to generate Pub and private identity keys.
Game 8. This game is the same as Game 7 except that for the bit value \(b = \textsf {PRF}(K,\textsf {id}^*)\), it computes the challenge ciphertext \((c_{b,0},\mathbf {c}_{b,1})\) by \(\textsf {Sim}.\textsf {Encrypt}\).
Game 9. This game is the same as Game 8 except that the whole challenge ciphertext is sampled uniformly at random from the ciphertext space. Therefore, in Game 5 the adversary has no advantage in wining the game.
In Game i , we let \(S_i\) be the event that \(\gamma ' = \gamma \) at the end of the game. The adversary’s advantage in Game i is \(\vert \Pr [S_i] - \frac{1}{2} \vert \). The following lemmas are used to prove Theorem 5. We refer to the full version of this paper ([21]) for the proofs of these lemmas.
Lemma 9
Game 1 and Game 0 are statistically indistinguishable, so \(\vert \Pr [S_0] - \Pr [S_1] \vert \le \textsf {negl}(\lambda )\) for some negligible function \(\textsf {negl}(\lambda )\).
Lemma 10
Game 2 and Game 1 are statistically indistinguishable, so \(\vert \Pr [S_1] - \Pr [S_2] \vert \le \textsf {negl}(\lambda )\) for some negligible function \(\textsf {negl}(\lambda )\).
Lemma 11
If \((t,\epsilon _{\textsf {LWE}})\)-\(\textsf {LWE}_{n,q,\chi }\) assumption holds where \(\chi \) stands for the distribution \(D_{\mathbb {Z},\sigma _{\textsf {LWE}}}\) reduced modulo q, then \(\vert \Pr [S_2] - \Pr [S_3] \vert \le \epsilon _{\textsf {LWE}}\).
Lemma 12
\(\vert \Pr [S_3] - \Pr [S_4] \vert = 0\).
Lemma 13
Game 5 and Game 4 are statistically indistinguishable, so \(\vert \Pr [S_4] - \Pr [S_5] \vert \le \textsf {negl}(\lambda )\) for some negligible function \(\textsf {negl}(\lambda )\).
Lemma 14
If the PRF PRF is \((t,\epsilon _\textsf {PRF})\)-secure, then \(\vert \Pr [S_5] - \Pr [S_6] \vert \le 2\epsilon _{\textsf {PRF}}\).
Lemma 15
Game 7 and Game 6 are statistically indistinguishable, so \(\vert \Pr [S_6] - \Pr [S_7] \vert \le \textsf {negl}(\lambda )\) for some negligible function \(\textsf {negl}(\lambda )\).
Lemma 16
Game 8 and Game 7 are statistically indistinguishable, so \(\vert \Pr [S_7] - \Pr [S_8] \vert \le \textsf {negl}(\lambda )\) for some negligible function \(\textsf {negl}(\lambda )\).
Lemma 17
If \((t,\epsilon _{\textsf {LWE}})\)-\(\textsf {LWE}_{n,q,\chi }\) assumption holds where \(\chi \) stands for the distribution \(D_{\mathbb {Z},\sigma _{\textsf {LWE}}}\) reduced modulo q, then \(\vert \Pr [S_8] - \Pr [S_9] \vert \le \epsilon _{\textsf {LWE}}\).
Now we prove the Theorem 5 by the established lemmas.
Proof
Based on the lemmas that show the difference between the sequence of games, we have \(\epsilon = \vert \Pr [S_0] - 1/2 \vert \le 2(\epsilon _\textsf {PRF}+ \epsilon _\textsf {LWE}) + \textsf {negl}(\lambda )\) for some negligibly small statistical error \(\textsf {negl}(\lambda )\). The running time of \(\mathcal {B}\) is dominated by answering \(q_\textsf {id}\) private key generation queries from \(\mathcal {A}\). For answering one such query, \(\mathcal {B}\) needs to apply the key-homomorphic algorithm on the circuit of PRF. This requires time \(T_E\). Besides that, \(\mathcal {B}\) needs to run SampleRight to sample Gaussian vectors for constructing the private keys, which requires at most time \(T_S\). Therefore, for one query, \(\mathcal {B}\) roughly runs \(O(T_S + T_E)\) time. For all \(q_\textsf {id}\) queries and constructing the challenge ciphertext, the total time is bounded by \(O\left( q_\textsf {id}\cdot ( T_S + T_E) \right) \). So if an adversary \(\mathcal {A}\) has running time t, \(\max (t_\textsf {LWE}, t_\textsf {PRF}) \le t + O(q_\textsf {id}\cdot (T_S + T_E) )\). \(\square \)
5 Conclusions
In this paper, we propose a short adaptively secure lattice signature scheme and a “compact” adaptively secure IBE scheme in the standard model. Our constructions make use of PRFs in a novel way by combining several recent techniques in the area of lattice-based cryptography. The security of our signature and IBE scheme is tightly related to the conservative lattice assumptions SIS and LWE, respectively, and the security of an instantiated PRF, with a constant loss factor. By instantiating the existing efficient PRFs from lattice and number-theoretic assumptions which can be implemented by shallow circuits, we obtain the first “almost” tightly secure lattice-based short signature/IBE scheme whose security is based on LWE assumption with super-polynomial modulus, and an adaptively secure IBE scheme with the tightest security reduction so far, i.e. with only \(O(\log ^2{\lambda })\) factor of security loss for the security parameter \(\lambda \), based on a novel combination of lattice and number-theoretic assumptions.
The problem of constructing a tightly and adaptively secure IBE scheme from standard assumptions (in the sense that the security loss of reduction is a constant) remains open. Our work suggests that constructing tightly secure PRFs, which is another important open problem left by [31, 47], would solve it. We leave as a fascinating open problem the question of employing similar (or different) techniques to construct compact and (almost) tightly secure signature and encryption schemes with increased expressiveness, such as hierarchical and attribute-based encryption scheme, or homomorphic signatures. Another interesting open question is to construct an efficient PRF from LWE assumption with polynomial modulus.
Notes
- 1.
- 2.
The security reduction does not require a priori information about a given adversary.
- 3.
It can be shown that for different massages \(\textsf {M}_0\ne \textsf {M}_2\) \(\mathbf {A}_{\textsf {PRF},\textsf {M}_0} \ne \mathbf {A}_{\textsf {PRF},\textsf {M}_1}\) with all but negligible probability. See Sect. 3.3 for details.
- 4.
Equivalently, this is to say that many classic worst-case lattice problems reduce to the average-case LWE problem, for suitable parameters.
- 5.
It turns out that if PRF is secure, an efficient SIS algorithm can be tightly reduced to an efficient algorithm that finds \(\textsf {M} \ne \textsf {M}'\) such that \(\mathbf {A}_{C_\textsf {PRF},\textsf {M}} =\mathbf {A}_{C_\textsf {PRF},\textsf {M}'} \). We prove this in the Sect. 3.3.
- 6.
For instance we set \(\sigma = O(4^d\cdot m^{3/2})\cdot \omega (\sqrt{\log m}) \cdot \sigma _\textsf {LWE}\).
- 7.
To ensure correct decryption, the message should contain some redundancy to weed out the incorrect ciphertext. It is a standard technique to encrypt multiple bits in GPV-style encryption, by replacing \(\mathbf {u}\) with a matrix \(\mathbf {U}\in \mathbb {Z}_q^{n\times z}\) in \(\textsf {Pub}\) with which we can now independently encrypt \(z>1\) bits without change to the security analysis. If hybrid encryption is used, the multiple bits can be used to encrypt a symmetric key without redundancy, deferring the integrity check to the symmetric realm where it can be performed at minimal cost.
- 8.
In Sect. 4.3, the \(\sigma \) is set large enough such that \(\sigma _{1,i}\) can be larger than \(\left\| \mathbf {R}\right\| \cdot \eta _\varepsilon (\mathbb {Z}^m)\).
References
Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_20
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_28
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC 1996, pp. 99–108. ACM (1996)
Alperin-Sheriff, J.: Short signatures with short public keys from homomorphic trapdoor functions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 236–255. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_11
Apon, D., Fan, X., Liu, F.H.: Fully-secure lattice-based IBE as compact as PKE. Cryptology ePrint Archive, Report 2016/125 (2016)
Attrapadung, N., Hanaoka, G., Yamada, S.: A framework for identity-based encryption with almost tight security. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 521–549. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_22
Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_1
Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 353–370. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_20
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_42
Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73. ACM (1993)
Blazy, O., Kakvi, S.A., Kiltz, E., Pan, J.: Tightly-secure signatures from chameleon hash functions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 256–279. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_12
Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_23
Böhl, F., Hofheinz, D., Jager, T., Koch, J., Seo, J.H., Striecks, C.: Practical signatures from standard assumptions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 461–485. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_28
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_14
Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_27
Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_4
Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit abe and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_30
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. J. Cryptology 17(4), 297–319 (2004)
Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13013-7_29
Boyen, X., Li, Q.: Towards tightly secure short signature and ibe. Cryptology ePrint Archive, Report 2016/498 (2016)
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC 13, pp. 575–584. ACM (2013)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS 2011. pp. 97–106. IEEE (2011)
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: ITCS 2014, pp. 1–12. ACM (2014)
Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: Unbounded attributes and semi-adaptive security. Cryptology ePrint Archive, Report 2016/118 (2016)
Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_4
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_16
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptology 25(4), 601–639 (2012)
Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_25
Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur. 3(3), 161–185 (2000)
Döttling, N., Schröder, D.: Efficient pseudorandom functions via on-the-fly adaptation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 329–350. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_16
Ducas, L., Micciancio, D.: Improved short lattice signatures in the standard model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 335–352. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_19
Fischlin, M.: The cramer-shoup strong-rsa signature scheme revisited. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 116–129. Springer, Heidelberg (2003). doi:10.1007/3-540-36288-6_9
Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_9
Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006). doi:10.1007/11761679_27
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC 2013, pp. 545–554. ACM (2013)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_5
Goh, E.-J., Jarecki, S.: A signature scheme as secure as the diffie-hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_25
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_25
Gorbunov, S., Vinayagamurthy, D.: Riding on asymmetry: efficient ABE for branching programs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 550–574. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_23
Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_35
Hofheinz, D., Koch, J., Striecks, C.: Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 799–822. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_36
Hohenberger, S., Waters, B.: Realizing hash-and-sign signatures under standard assumptions. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 333–350. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_19
Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_38
Jager, T.: Tightly-secure pseudorandom functions via work factor partitioning. Cryptology ePrint Archive, Report 2016/121 (2016)
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: CCS 2003, pp. 155–164. CCS 2003, ACM (2003)
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_12
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_43
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_41
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004)
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC 2009, pp. 333–342. ACM (2009)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). doi:10.1007/11426639_7
Waters, B.: Dual system encryption: realizing fully secure ibe and hibe under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_36
Acknowledgements
We would like to thank Jacob Alperin-Sheriff and Josef Pierpzyk as well as the anonymous reviewers for useful comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Boyen, X., Li, Q. (2016). Towards Tightly Secure Lattice Short Signature and Id-Based Encryption. In: Cheon, J., Takagi, T. (eds) Advances in Cryptology – ASIACRYPT 2016. ASIACRYPT 2016. Lecture Notes in Computer Science(), vol 10032. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53890-6_14
Download citation
DOI: https://doi.org/10.1007/978-3-662-53890-6_14
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53889-0
Online ISBN: 978-3-662-53890-6
eBook Packages: Computer ScienceComputer Science (R0)