Results 1 - 7 of 7
Public-key cryptosystems from the worst-case shortest vector problem, 2008
Abstract

Cited by 84 (18 self)
We construct public-key cryptosystems that are secure assuming the worst-case hardness of approximating the length of a shortest nonzero vector in an n-dimensional lattice to within a small poly(n) factor. Prior cryptosystems with worst-case connections were based either on the shortest vector problem for a special class of lattices (Ajtai and Dwork, STOC 1997; Regev, J. ACM 2004), or on the conjectured hardness of lattice problems for quantum algorithms (Regev, STOC 2005). Our main technical innovation is a reduction from certain variants of the shortest vector problem to corresponding versions of the “learning with errors” (LWE) problem; previously, only a quantum reduction of this kind was known. In addition, we construct new cryptosystems based on the search version of LWE, including a very natural chosen-ciphertext-secure system that has a much simpler description and tighter underlying worst-case approximation factor than prior constructions.
Bonsai Trees, or How to Delegate a Lattice Basis, 2010
Abstract

Cited by 65 (5 self)
We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and • The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.
Efficient lattice (H)IBE in the standard model. In EUROCRYPT 2010, LNCS, 2010
Abstract

Cited by 52 (10 self)
We construct an efficient identity-based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptively-secure IBE and a Hierarchical IBE.
Lattice mixing and vanishing trapdoors – a framework for fully secure short signatures and more. In Public Key Cryptography—PKC 2010, volume 6056 of LNCS, 2010
Abstract

Cited by 25 (5 self)
We propose a framework for adaptive security from hard random lattices in the standard model. Our approach borrows from the recent Agrawal-Boneh-Boyen families of lattices, which can admit reliable and punctured trapdoors, respectively used in reality and in simulation. We extend this idea to make the simulation trapdoors cancel not for a specific target but on a non-negligible subset of the possible challenges. Conceptually, we build a compactly representable, large family of input-dependent mixture lattices, set up with trapdoors that vanish for a secret subset wherein we hope the attack occurs. Technically, we tweak the lattice structure to achieve naturally nice distributions for arbitrary choices of subset size. The framework is very general. Here we obtain fully secure signatures, and also IBE, that are compact, simple, and elegant.
An efficient and parallel Gaussian sampler for lattices, 2010
Abstract

Cited by 21 (9 self)
At the heart of many recent lattice-based cryptographic schemes is a polynomial-time algorithm that, given a ‘high-quality’ basis, generates a lattice point according to a Gaussian-like distribution. Unlike most other operations in lattice-based cryptography, however, the known algorithm for this task (due to Gentry, Peikert, and Vaikuntanathan; STOC 2008) is rather inefficient, and is inherently sequential. We present a new Gaussian sampling algorithm for lattices that is efficient and highly parallelizable. At a high level, the algorithm resembles the “perturbation” heuristic proposed as part of NTRUSign (Hoffstein et al., CT-RSA 2003), though the details are quite different. To our knowledge, this is the first algorithm and rigorous analysis demonstrating the security of a perturbation-like technique.
Public-Key Encryption with Non-Interactive Opening: New Constructions and Stronger Definitions
Abstract

Cited by 3 (1 self)
Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption thus remains valid. Next, we prove that PKENO can be built out of robust non-interactive threshold public-key cryptosystems, a primitive seemingly weaker than identity-based encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.
Generic Constructions of Parallel Key-Insulated Encryption: Stronger Security Model and Novel Schemes
Abstract

Cited by 2 (0 self)
Exposure of a secret key is a significant threat in practice. As a notion of security against key exposure, Dodis et al. advocated key-insulated security, and proposed concrete key-insulated encryption (KIE) schemes in which secret keys are periodically updated by using a physically “insulated” helper key. To significantly reduce the possibility of exposure of the helper key, Hanaoka et al. further proposed the notion of parallel KIE (PKIE), in which multiple helper keys are used in alternate shifts. They also pointed out that, in contrast to the case of standard KIE, PKIE cannot be straightforwardly obtained from identity-based encryption (IBE). In this paper, we first argue that previous security models for PKIE are somewhat weak, and thus reformalize stronger security models for PKIE. Then we clarify that PKIE can be generically constructed (even in the strengthened security models) by using a new primitive which we call one-time forward-secure public-key encryption (OTFSPKE), and show that it is possible to construct OTFSPKE from arbitrary IBE or hierarchical IBE (without degenerating into IBE). By using our method, we can obtain various new PKIE schemes which yield desirable properties. For example, we can construct the first PKIE schemes from lattice or quadratic residuosity problems (without using bilinear maps), and PKIE with short ciphertexts and cheaper computational cost for both encryption and decryption. Interestingly, the resulting schemes can be viewed as partial solutions to the open problem left by Libert, Quisquater and Yung in PKC’07.