DOI QR코드

DOI QR Code

Transitive Signature Schemes for Undirected Graphs from Lattices

  • Noh, Geontae (Department of Information Security, Seoul Cyber University) ;
  • Jeong, Ik Rae (CIST (Center for Information Security Technologies), Korea University)
  • Received : 2017.09.13
  • Accepted : 2019.01.27
  • Published : 2019.06.30

Abstract

In a transitive signature scheme, a signer wants to authenticate edges in a dynamically growing and transitively closed graph. Using transitive signature schemes it is possible to authenticate an edge (i, k), if the signer has already authenticated two edges (i, j) and (j, k). That is, it is possible to make a signature on (i, k) using two signatures on (i, j) and (j, k). We propose the first transitive signature schemes for undirected graphs from lattices. Our first scheme is provably secure in the random oracle model and our second scheme is provably secure in the standard model.

Keywords

1. Introduction

 In 2002, Silvio Micali and Ronald L. Rivest introduced the concept of transitive signatures [1]. In a transitive signature scheme, a signer wants to authenticate edges in a dynamically growing and transitively closed graph. The signer with the knowledge of a secret key can generate two signatures σi,j on (i, j) and σj,k on an edge (j, k), then anyone without the knowledge of the secret key can derive a signature σi,k on (i, k) from σi,j and σj,k. This property of transitive signatures could be useful in applications such as a military chain-of-command (for directed graphs) and administrative domains (for undirected graphs).

 Constructing a transitive signature scheme for directed graphs still remains an open problem. In 2003, Susan Rae Hohenberger even showed that constructing a transitive signature scheme for directed graphs may be very hard [2]. Actually, there exist only transitive signature schemes for directed trees (not for directed graphs) [3][4][5][6][7]. In this paper, we only take an interest in constructing a transitive signature scheme for undirected graphs.

 In an undirected graph, we assume that there are k nodes. Then we observe that there may exist O(k2) edges. With a standard signature scheme, naturally, a signer has to generate O(k2) signatures. With a transitive signature scheme, however, a signer only needs to generate O(k) signatures [1]. Therefore, the transitive signature scheme can be efficient and useful in the environmen1ts.

1.1 Related Works

1.1.1 Transitive Signatures

 In 2002, Silvio Micali and Ronald L. Rivest proposed the first transitive signature scheme for undirected graphs [1]. In 2004, Siamak Fayyaz Shahandashti et al. proposed a transitive signature scheme for undirected graphs [8]. Their scheme is based on bilinear maps. Since then, Mihir Bellare and Gregory Neven proposed transitive signature schemes for undirected graphs [9][10]. The securities of their schemes are based on the hardness of RSA assumption, factoring, DLP, GDH (Gap Diffie-Hellman) assumption, respectively. Mihir Bellare and Gregory Neven also constructed a simple generic transformation from a stateful transitive signature scheme to a stateless transitive signature scheme with a pseudorandom function [10]. The signing algorithm in the transformed stateless transitive signature scheme is deterministic because the pseudorandom function is used.

1.1.2 Lattice-based Cryptosystems

 To date, there exist many transitive signature schemes for undirected graphs, but there exists no transitive signature scheme for undirected graphs from lattices. Lattice-based cryptosystems have some advantages compared to other cryptosystems based on the hardness of factoring, DLP, and so on. First, lattice-based cryptosystems are based on the worst-case hardness assumptions, but other cryptosystems are based on the average-case hardness assumptions. Next, lattice-based cryptosystems have the potential to resist quantum computing attacks, but other cryptosystems are insecure against quantum computing attacks [11]. Finally, lattice-based cryptosystems require less computational cost than other cryptosystems. With these in mind, there are proposed many lattice-based cryptosystems such as standard signatures [12][13][14][15][16], (hierarchical) identity-based signatures [15][17], group signatures [18], ring signatures [19][20], designated verifier signatures [21], homomorphic signatures [22][23], public key encryptions [16], (hierarchical) identity-based encryptions [12][13][24][25][26], homomorphic encryptions [27], and so on.

1.1.3 Homomorphic Signatures

 Transitive signatures are related to homomorphic signatures formalized by Robert Johnson et al. in 2002 [28]. In a homomorphic signature scheme, a signer wants to authenticate data and anyone without the knowledge of the secret can generate a valid signature for computing on signed data. In 2011, Dan Boneh and David Mandell Freeman proposed two linearly homomorphic signature schemes from lattices [22][23].

1.2 Our Contributions

 We propose two transitive signature schemes for undirected graphs from lattices. The first scheme is provably secure in the random oracle model and the second scheme is provably secure in the standard model.

 Our transitive signature schemes are stateful. In 2012, Abhishek Banerjee et al. proposed pseudorandom functions from lattices [29]. With the pseudorandom functions from lattices, our stateful transitive signature schemes can be transformed into stateless transitive signature schemes [10].

 All existing transitive signature schemes are insecure against quantum computing attacks. Therefore, we propose the first transitive signature schemes that have the potential to resist quantum computing attacks. Our first transitive signature scheme which is motivated by Craig Gentry et al.’s signature scheme from lattices [12] is provably secure in the random oracle model. To design our transitive signature scheme, we use a signature value in Craig Gentry et al.’s signature scheme that has a particular coset of q -ary lattices [12]. Our second transitive signature scheme is provably secure in the standard model. To make our transitive signature scheme secure in the standard model, we use the idea of the k -time signature scheme from lattices by Dan Boneh and David Mandell Freeman [22] and a signature value that has a particular coset of q -ary lattices [12].

2. Preliminaries

2.1 Notations

 Let n be a security parameter. We denote integers, real numbers, the ring of integers modulo q ≥ 2 by \(\mathbb{Z}\), \(\mathbb{R}\) , and  \(\mathbb{Z}_q\), respectively. We denote matrices by upper-case letters (e.g., A ) and vectors by lower-case letters (e.g., v ). We denote the Euclidean norms of v by ||v||. We use standard big- O notation. For all integer c > 0 , we say that a function \(f(n)=O\left(n^{-c}\right): \mathbb{Z} \rightarrow \mathbb{R}^{+}\) is negligible in n . If \(q \in \Theta\left(n^{c}\right)\), for all integer c > 0 , we say q = poly(n). If v is selected from a distribution \(\mathcal{D}\) at random, we denote \(v \leftarrow \mathcal{D}\). We denote a concatenation of v1 and v2 by \(v_{1} \mid v_{2}\). Let Round(v) be the function that rounds the coordinates of its argument vector v to the nearest integers.

2.2 Lattices

 In this paper, we will be interested in m -dimensional integer lattices which are defined as follows:

 Definition 2.1. Given any basis \(B=\left\{b_{1}, \cdots, b_{m}\right\} \subset \mathbb{Z}^{m}\), an m -dimensional integer lattice Λ and a dual lattice Λ* of Λ are defined as follows:

\(\Lambda=\left\{B \cdot z=\sum_{i=1}^{m} z_{i} b_{i}: z \in \mathbb{Z}^{m}\right\} \subseteq \mathbb{Z}^{m}\),       (1)

\(\Lambda^{*}=\left\{x \in \mathbb{Z}^{m}: \forall y \in \Lambda,\langle x, y\rangle \in \mathbb{Z}\right\} \subseteq \mathbb{Z}^{m}\).       (2)

 In particular, we will use q -ary lattices and their cosets which are defined as follows:

 Definition 2.2. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), a zero vector \(0 \in \mathbb{Z}_{q}^{n}\), and any syndrome \(u \in \mathbb{Z}_{q}^{n}\), a q -ary lattice \(\Lambda_{q}^{\perp}(A)\) and a coset \(\Lambda_{q}^{u}(A)\) of \(\Lambda_{q}^{\perp}(A)\) are defined as follows:

\(\Lambda_{q}^{\perp}(A)=\left\{v \in \mathbb{Z}^{m}: A \cdot v=0(\bmod q)\right\} \subseteq \mathbb{Z}^{m}\),       (3)

\(\Lambda_{q}^{u}(A)=\left\{v \in \mathbb{Z}^{m}: A \cdot v=u(\bmod q)\right\} \subseteq \mathbb{Z}^{m}\).       (4)

2.2.1 Gaussian Distributions

 We recall Gaussian distributions.

 Definition 2.3 (Gaussian function). Let \(\mathcal{H}\) be a d -dimensional subspace of \(\mathbb{R}^{m}\). For m ≥1, s > 0 , x∈\(\mathcal{H}\) , and c∈\(\mathcal{H}\) , a Gaussian function \(\rho_{\mathcal{H}, s, c}(x)\) is defined as follows:

\(\rho_{\mathcal{H}, s, c}(x)=\exp \left(-\pi\|x-c\|^{2} / s^{2}\right)\).       (5)

Definition 2.4 (Continuous distribution). Let \(\mathcal{H}=\operatorname{span}(\Lambda \subset \mathcal{H})\). For x∈Λ , a continuous distribution \(\mathcal{D}_{\mathcal{H}, s, c}(x)\) with density function is defined as follows:

\(\mathcal{D}_{\mathcal{H}, s, c}(x)=\frac{\rho_{\mathcal{H}, s, c}(x)}{\int_{x \in \mathcal{H}} \rho_{\mathcal{H}, s, c}(x) d x} \).       (6)

 Definition 2.5 (Discrete distribution). Let \(\mathcal{H}=\operatorname{span}(\Lambda \subset \mathcal{H})\). For x∈Λ , a discrete distribution \(\mathcal{D}_{\Lambda, s, c}(x)\) with density function over Λ is defined as follows:

\(\mathcal{D}_{\Lambda, s, c}(x)=\frac{\mathcal{D}_{\mathcal{H , s}, c}(x)}{\mathcal{D}_{\mathcal{H}, s, c}(\Lambda)}\).       (7)

 For convenience, \(\rho_{\mathcal{H}, s, 0}(x)\) and \(\mathcal{D}_{\mathcal{H}, s, 0}(x)\) are abbreviated as \(\rho_{\mathcal{H}, s}(x)\) and \(\mathcal{D}_{\mathcal{H}, s}(x)\), respectively.

 Definition 2.6 (Gaussian parameter). Let Λ* be a dual lattice of Λ . For ε > 0∈\(\mathbb{R}\) , a Gaussian parameter \(\eta_{\varepsilon}(\Lambda)\) is the smallest s such that \(\rho_{\mathcal{H}, 1 / s}\left(\Lambda^{*} \backslash\{0\}\right) \leq \varepsilon\).

2.2.2 Trapdoor Generation

 We will use the trapdoor generation algorithm GenTrap\(\left(1^{n}, 1^{m}, q\right)\) which is as follows:

 Theorem 2.7 (Trapdoor generation) [16]. Given any integers n ≥1, \(m=O(n \log q)\), and q ≥ 2 , the trapdoor generation algorithm GenTrap\(\left(1^{n}, 1^{m}, q\right)\) outputs a uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\) and a trapdoor matrix \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\) of \(\Lambda_{q}^{\perp}(A)\), where \(m=\bar{m}+n l\), \(\bar{m}=O(n l)\), \(l=O(\log n)\), and the rank of A is n .

2.2.3 Gaussian Pre-image Sampling

 We will use the Gaussian pre-image sampling algorithm SampleD( , , , ) AT u s which is as follows:

 Theorem 2.8 (Gaussian pre-image sampling) [16]. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), any trapdoor matrix  \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\) of \(\Lambda_{q}^{\perp}(A)\), any syndrome \(u \in \mathbb{Z}_{q}^{n}\), and large enough \(s=O(\sqrt{n \log q})\), the Gaussian pre-image sampling algorithm SampleD(A, T, u, s) outputs a vector v . The statistical distance between the distribution of v and \(\mathcal{D}_{\Lambda_{q}^{u}(A), s \cdot \omega(\sqrt{\log n})}\) is negligible in n .

2.2.4 Gaussian Domain Sampling

 We will use the Gaussian domain sampling algorithm SampleDom(1m, s) which is as follows:

 Theorem 2.9 (Gaussian domain sampling) [12]. Given any positive integer m and large enough s, the Gaussian domain sampling algorithm SampleDom(1m, s) outputs a vector \(v \leftarrow \mathcal{D}_{\mathbb{Z}, s}^{m}\).

2.2.5 Hard Problems

 The securities of our constructions are based on the SIS problem and k - SIS problem, respectively. The SIS problem is defined as follows:

 Definition 2.10 (SIS problem) [30][12]. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), the \(\mathrm{SIS}_{q, m, \beta}\) problem is to find a non-zero vector \(v \in \mathbb{Z}^{m}\) such that \(A \cdot v=0(\bmod q)\) and \(\|v\| \leq \beta\).

 The advantage \(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{SIS}}(n)\) of an algorithm \(\mathcal{A}\) in the \(\mathrm{SIS}_{q, m, \beta}\) problem is the probability that \(\mathcal{A}\) solves the \(\mathrm{SIS}_{q, m, \beta}\) problem.

 The k -SIS problem is defined as follows:

 Definition 2.11 ( k -SIS problem) [22]. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\) and k vectors \(v_{1}, \cdots, v_{\mathrm{k}} \leftarrow \mathcal{D}_{\Lambda_{q}^{\perp}(A), s}\) such that \(A \cdot v_{1}=\cdots=A \cdot v_{\mathrm{k}}=0(\bmod q)\), the k -\(\mathrm{SIS}_{q, m, \beta}\) problem is to find a non-zero vector \(v \in \mathbb{Z}^{m}\) such that \(A \cdot v=0(\bmod q),\|v\| \leq \beta\), and v is not in \(\mathbb{Q}\) -span (\(\left\{v_{1}, \cdots, v_{k}\right\}\)).

 The advantage \(\operatorname{Adv}_{A}^{\mathrm{k}-\mathrm{SIS}}(n)\) of an algorithm \(\mathcal{A}\) in the k - \(\mathrm{SIS}_{q, m, \beta}\) problem is the probability that \(\mathcal{A}\) solves the k -\(\mathrm{SIS}_{q, m, \beta}\) problem.

 The SIS problem for \(q \geq \beta \cdot \sqrt{n} \cdot \omega(\sqrt{\log n})\) is hard assuming worst-case hardness of approximating the SIVP on lattices [30][12]. The k -SIS problem for \(\mathrm{k}=O(n / \log n)\) is hard assuming average-case hardness of the SIS problem [22][31].

2.2.6 Useful Lemmas

 In this paper, we will use the following lemmas:

 Lemma 2.12 [30][13][16]. For \(\varepsilon \in\{0,1\}, s \geq \eta_{\varepsilon}\left(\Lambda_{q}^{\perp}(A)\right)\) for some uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), \(c \in \operatorname{span}\left(\Lambda_{q}^{\perp}(A)\right)\), and \(x \leftarrow \mathcal{D}_{\Lambda, s, c}\), the probability of \(\|x\| \geq s \cdot \sqrt{m}\) is negligible in n and the probability of x = c is negligible in n .

 Lemma 2.13 [22]. Let q be an odd prime, let \(m \geq O(n \log q)\), and let \(s>\omega(\sqrt{\log m})\). Given an instance \(\left(A, v_{1}, \cdots, v_{\mathrm{k}}\right) \in \mathbb{Z}_{q}^{n \times m} \times \mathbb{Z}^{m \times \mathrm{k}}\) of the k - \(\mathrm{SIS}_{q, m, \beta, s}\) problem for any β , \(\left(A, v_{1}(\bmod 2), \cdots, v_{\mathrm{k}} \quad(\bmod 2)\right) \in \mathbb{Z}_{q}^{n \times m} \times \mathbb{Z}_{2}^{m \times \mathrm{k}}\) is statistically indistinguishable from uniform.

 Lemma 2.14 [22]. Let m be an integer and k < m an integer. The probability that the rank of a uniformly random matrix \(V \in \mathbb{Z}_{2}^{m \times \mathrm{k}}\) is not k is at most \(1 / 2^{m \ k }\).

 Lemma 2.15 [22]. Let \(m \geq O(n \log q)\), let \(\mathrm{k} \cdot \omega(\log n)<\min \left(s, m^{1 / 4}\right)\), and let \(\left(A, v_{1}, \cdots, v_{\mathrm{k}}\right) \in \mathbb{Z}_{q}^{n \times m} \times \mathbb{Z}^{m \times k}\) be an instance of the k -\(\mathrm{SIS}_{q, m, \beta, s}\) problem for any β . There exist only \(\left(\pm v_{1}, \cdots, \pm v_{\mathrm{k}}\right)\) such that the non-zero vectors of length at most \(1.1 \cdot s \cdot \sqrt{m / 2 \pi}\) in \(\mathbb{Q}\) -span \(\left(\left\{v_{1}, \cdots, v_{k}\right\}\right)\).

2.3 Definitions for Transitive Signatures

 We define transitive signatures. A transitive signature scheme TS = {TS.Gen, TS.Sign,TS.Vrfy,TS.Comp} is specified as follows:

 • TS.Gen(1n) : On input the security parameter 1n, output a public key pk and a secret key sk .

 • TS.Sign(\(s k,(i, j)\)) : On input the secret key sk and the edge (i,j), output a signature σi,j, on the edge (i,j).

 • TS.Vrfy(\(p k,(i, j), \sigma_{i, j}\)) : On input the public key pk , the edge (i,j), and the signature σi,j, on the edge (i,j), output a bit 1 if σi,j is valid and output a bit 0 otherwise.

 • TS.Comp(\(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\)) : On input the public key pk , the signature σi,j, on (i,j), the signature σj,k on (j,k), output a valid signature σi,k on (j,k).

 Transitive signatures basically have to satisfy correctness, transitivity, and transitive unforgeability under chosen-edge attacks. First, we define that a transitive signature scheme TS is correct if, for any valid signature σi,k on the edge (i, k) (generated with the TS.Sign(\(s k,(i, k)\)) algorithm) or for any valid combined signature σi,k on (i,k) (generated with the TS.Comp\(\left(p k,(i, j, k), \quad \sigma_{i, j}, \sigma_{j, k}\right)\)  algorithm), the TS.Vrfy\(\left(p k,(i, k), \sigma_{i, k}\right)\) algorithm outputs a bit 1 with all but negligible probability.

 Next, we define that a transitive signature scheme TS is transitive if, for two signatures σi,j on (i,j) and σj,k on the edge (j,k) , anyone without the knowledge of the secret key can derive a signature σi,k on (i,k) which is indistinguishable from another signature σ′i,k on (i,k) (generated with the TS.Sign(\(s k,(i, k)\)) algorithm).

 Finally, we define that a transitive signature scheme TS is transitively unforgeable under chosen-edge attacks if, in the following game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\) between an algorithm \(\mathcal{A}\) and a forger \(\mathcal{F}\), the advantage \(\operatorname{Adv}_{\mathrm{Ts}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{A}\) is negligible.

  • Setup: \(\mathcal{A}\) runs the TS.Gen(1n) algorithm to get (pk, sk). \(\mathcal{A}\) sends pk to \(\mathcal{F}\) .
  • Signing queries: \(\mathcal{F}\) sends the edge (i,j) to \(\mathcal{A}\) . \(\mathcal{A}\) runs the TS.Sign\((s k,(i, j))\) algorithm to get σi,j and sends it to \(\mathcal{F}\) .
  • Output: \(\mathcal{F}\) outputs the edge \(\left(i^{*}, j^{*}\right)\) and the signature \(\sigma_{i^*, j^*}\) . If the TS.Vrfy\(\left(p k,\left(i^{*}, j^{*}\right), \sigma_{i, j^{*}}\right)\) algorithm outputs a bit 1 and the edge \(\left(i^{*}, j^{*}\right)\) is not in the transitive closure of previously signed edges, then \(\mathcal{F}\) wins the game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\).

 The advantage \(\operatorname{Adv}_{\mathrm{Ts}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{F}\) in the game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\) is the probability that \(\mathcal{F}\) wins the game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\).

2.4 Chameleon Hash Function

 In the Proof of Theorem 4.3, we will use a chameleon hash function proposed by David Cash et al. in 2010 [13]. David Cash et al.’s chameleon hash function \(\mathrm{H}(\cdot, \cdot):\{0,1\}^{*} \times\{0,1\}^{m} \rightarrow\{0,1\}^{n}\) has the following properties:

  1. Trapdoor property: Given \(\mathrm{H}\left(i, r_{i}\right)\) and j ≠ i, one with the knowledge of the trapdoor information can sample rj such that \(\mathrm{H}\left(i, r_{i}\right)=\mathrm{H}\left(j, r_{j}\right)\).
  2. Collision-resistance property: It is hard to compute two pairs \(\left(i, r_{i}\right)\) and \(\left(j, r_{j}\right)\) without the knowledge of the trapdoor information such that \(\mathrm{H}\left(i, r_{i}\right)=\mathrm{H}\left(j, r_{j}\right)\) and \(\left(i, r_{i}\right) \neq\left(j, r_{j}\right)\).

 David Cash et al.’s chameleon hash function H(⋅,⋅) is collision-resistant assuming the \(\mathrm{SIS}_{q, m, \beta}\) problem.

3. Our Construction for Undirected Graphs in the Random Oracle Model

 We construct a transitive signature scheme for undirected graphs in the random oracle model. Our scheme involves the following parameters:

  • A security parameter is n .
  • The dimension of signatures is \(m=\bar{m}+n l\), where \(\bar{m}=O(n l)\) and \(l=O(\log n)\).
  • \(q=\operatorname{poly}(n)\).
  • A Gaussian parameter is \(s=O\left(n^{c} \sqrt{\log n}\right) \cdot \omega(\sqrt{\log n})\), where c is constant.

 We construct our scheme \(\mathrm{TS}_{1}=\left\{\mathrm{TS}_{1} \cdot \mathrm{Gen}, \mathrm{TS}_{1} \cdot \operatorname{Sign}, \mathrm{TS}_{1} \cdot \mathrm{Vrfy}, \mathrm{TS}_{1} \cdot \mathrm{Comp}\right.\) as follows:

  • \(\mathrm{TS}_{1} \cdot \operatorname{Gen}\left(1^{n}\right)\) : On input the security parameter 1n :
  1. Compute (A, T) using the GenTrap algorithm, where \(A \in \mathbb{Z}_{q}^{n \times m}\) and \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\).
  2. Choose a hash function \(\mathrm{H}(\cdot):\{0,1\}^{*} \rightarrow \mathbb{Z}_{q}^{n}\).
    i. Note that the security analysis will view H(⋅) as a random oracle.
  3. Output a public key \(p k=(A, \mathrm{H}(\cdot))\) and a secret key sk = T.
  • \(\mathrm{TS}_{1} \cdot \operatorname{Sign}(s k,(i, j))\) : On input the secret key sk = T and the edge (i,j) :
  1. If state St(i) is empty, compute \(h_{i}=\mathrm{H}(i) \in \mathbb{Z}_{q}^{n}\), sample \(v_{i} \leftarrow \mathcal{D}_{\Lambda_{q}^{i_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(i)=v_{i}\).
  2. If state St(j) is empty, compute \(h_{j}=\mathrm{H}(j) \in \mathbb{Z}_{q}^{n}\), sample \(v_{j} \leftarrow \mathcal{D}_{\Lambda_{q}^{i_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(j)=v_{j}\).
  3. Compute \(\sigma_{i, j}=v_{i}-v_{j}\) with states \(S t(i)=v_{i}\) and \(S t(j)=v_{j}\).
  4. Output a signature σi,j.
  • \(\mathrm{TS}_{1} . \mathrm{Vrfy}\left(p k,(i, j), \sigma_{i, j}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot))\), the edge (i,j) , and the signature σi,j:
  1. Compute \(h_{i}=\mathrm{H}(i) \in \mathbb{Z}_{q}^{n}\) and \(h_{j}=\mathrm{H}(j) \in \mathbb{Z}_{q}^{n}\).
  2. Output a bit 1 if \(\left\|\sigma_{i, j}\right\| \leq s \cdot \sqrt{2 m}\) and \(A \cdot \sigma_{i, j}=h_{i}-h_{j}(\bmod q)\), and output a bit 0 otherwise.
  • \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot))\), the signature σi,j on (i,j) , the signature σj,k on (j,k) :
  1. Compute \(\sigma_{i, k}=\sigma_{i, j}+\sigma_{j, k}\).
  2. Output a signature σi,k.

3.1 Correctness

 We show that our scheme TS1 is correct.

 Theorem 3.1. Our scheme TS1 is correct.

 Proof of Theorem 3.1. The \(\mathrm{TS}_{1} \cdot \operatorname{Sign}(s k,(i, j))\) algorithm can sample vi and vj such that \(\left\|v_{i}\right\| \leq s \cdot \sqrt{m},\left\|v_{j}\right\| \leq s \cdot \sqrt{m}, A \cdot v_{i}=h_{i}(\bmod q)\), and \(A \cdot v_{j}=h_{j}(\bmod q)\). That is, \(A \cdot \sigma_{i, j}=A \cdot\left(v_{i}-v_{j}\right)=h_{i}-h_{j}(\bmod q)\) and \(\left\|\sigma_{i, j}\right\|=\left\|v_{i}-v_{j}\right\| \leq s \cdot \sqrt{2 m}\).

 The \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm can compute \(\sigma_{i, j}+\sigma_{j, k}=\left(v_{i}-v_{j}\right)+\left(v_{j}-v_{k}\right)=v_{i}-v_{k}\) such that \(\left\|v_{i}\right\| \leq s \cdot \sqrt{m},\left\|v_{k}\right\| \leq s \cdot \sqrt{m}\), \(A \cdot v_{i}=h_{i}(\bmod q)\), and \(A \cdot v_{k}=h_{k}(\bmod q)\). That is, \(A \cdot \sigma_{i, k}=A \cdot\left(v_{i}-v_{k}\right)=h_{i}-h_{k}(\bmod q)\) and \(\left\|\sigma_{i, k}\right\|=\left\|v_{i}-v_{k}\right\| \leq s \cdot \sqrt{2 m}\).

 Therefore, our scheme TS1 is correct.

3.2 Transitivity

 We show that our scheme TS1 is transitive for undirected graphs.

 Theorem 3.2. Our scheme TS1 is transitive for undirected graphs.

 Proof of Theorem 3.2. The \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm computes as follows:

\(\sigma_{i, k}=\sigma_{i, j}+\sigma_{j, k}=v_{i}-v_{j}+v_{j}-v_{k}=v_{i}-v_{k}\).       (8)

 A combined signature σi,k on the edge (i,k) generated with the \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) is indistinguishable from σ′i,k on the edge (i,k) generated with the \(\mathrm{TS}_{1} \cdot \operatorname{Sign}(s k,(i, k))\).

 On the other hand, σi,j can be easily made from σj,i as follows:

\(\sigma_{i, j}=-\sigma_{j, i}=-\left(v_{j}-v_{i}\right)=v_{i}-v_{j}\).       (9)

 Therefore, our scheme TS1 is transitive for undirected graphs.

3.3 Transitive Unforgeability

 We show that our scheme TS1 is transitively unforgeable under chosen-edge attacks in the random oracle model.

 Theorem 3.3. Our scheme TS1 is transitively unforgeable under chosen-edge attacks in the random oracle model if the \(\mathrm{SIS}_{q, m, \beta}\) problem for \(\beta=s \cdot \sqrt{4 m}\) is hard.

 Proof of Theorem 3.3. Let H(⋅) be a random oracle controlled by \(\mathcal{A}\) . Then we can construct \(\mathcal{A}\) attacking the \(\mathrm{SIS}_{q, m, \beta}\) problem for \(\beta=s \cdot \sqrt{4 m}\) if there exists a forger \(\mathcal{F}\) mounting transitive forgery attacks on TS1 as follows:

  • Setup: On input an instance \(A \in \mathbb{Z}_{q}^{n \times m}\) of the \(\mathrm{SIS}_{q, m, \beta}\) problem:
  1. \(\mathcal{A}\) sends pk = A to \(\mathcal{F}\) .
  • H-queries: On input the i -th node i :
  1. \(\mathcal{A}\) samples, \(v_{i} \leftarrow \mathcal{D}_{\mathbb{Z}, s}^{m}\) using the SampleDom(1m, s) algorithm.
  2. \(\mathcal{A}\) computes \(h_{i}=A \cdot v_{i} \in \mathbb{Z}_{q}^{n}\).
  3. \(\mathcal{A}\) sends \(h_{i}\) to \(\mathcal{F}\) .
  4. \(\mathcal{A}\) adds a tuple \(\left\{i, v_{i}, h_{i}\right\}\) to the hash table.
  • Signing queries: On input the edge (i,j) :
  1. If i already appears on the hash table, \(\mathcal{A}\) looks up \(\left\{i, v_{i}, h_{i}\right\}\) in the hash table. Otherwise, \(\mathcal{A}\) queries i to the H -queries phase to get \(\left\{i, v_{i}, h_{i}\right\}\).
  2. If j already appears on the hash table, \(\mathcal{A}\) looks up \(\left\{j, v_{j}, h_{j}\right\}\) in the hash table. Otherwise, \(\mathcal{A}\) queries j to the H -queries phase to get \(\left\{j, v_{j}, h_{j}\right\}\).
  3. \(\mathcal{A}\) computes \(\sigma_{i, j}=v_{i}-v_{j}\).
  4. \(\mathcal{A}\) sends σi,j to \(\mathcal{F}\) .
    i. Note that the number of signing queries is \(Q=\operatorname{poly}(n)\).
  • Output: Assume that \(\mathcal{F}\) output a forged signature \(\sigma_{i^{*}, j^{*}}\) on the edge \(\left(i^{*}, j^{*}\right)\). \(\mathcal{A}\) proceeds as follows:
  1. \(\mathcal{A}\) takes \(\left\{i^{*}, v_{i^{*}}, h_{i^*}\right\}\) and \(\left\{j^{*}, v_{j^{*}}, h_{j^*}\right\}\) from the hash table.
  2. \(\mathcal{A}\) computes \(z=\sigma_{i^{*}, j^{*}}-v_{i^{*}}+v_{j^{*}}\).
    i. Note that the probability of \(\sigma_{i^{*}, j^{*}}=v_{i^{*}}-v_{j^{*}}\) is negligible in n by Lemma 2.12.
    ii. The Euclidean norm of z is \(\|z\| \leq s \cdot \sqrt{4 m}=\beta\)
  3. \(\mathcal{A}\) outputs z as a solution to the \(\mathrm{SIS}_{q, m, \beta}\) problem.

 The advantage \(\operatorname{Adv}_{\mathrm{TS}_{1}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{F}\) in the \(\operatorname{Game}_{\mathrm{TS}_{1}, \mathcal{F}}^{\mathrm{TU}}(n)\) is computed as follows:

\(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{SIS}} \geq \mathrm{Adv}_{\mathrm{TS}_{1}, \mathcal{F}}^{\mathrm{TU}}\).       (10)

4. Our Construction for Undirected Graphs in the Standard Model

 We construct a transitive signature scheme for undirected graphs in the standard model. Our scheme involves the following parameters:

  • A security parameter is n .
  • The dimension of signatures is \(m=\bar{m}+n l\), where \(\bar{m}=O(n l)\) and \(l=O(\log n)\).
  • q = poly(n) is an odd prime.
  • A Gaussian parameter is\(s=O\left(n^{c} \sqrt{\log n}\right) \cdot \omega(\sqrt{\log n})\), where c is constant.
  • The number of nodes is \(\mathrm{k}=O(n / \log n)\).

 We construct our scheme \(\mathrm{TS}_{2}=\left\{\mathrm{TS}_{2} \cdot \mathrm{Gen}, \mathrm{TS}_{2} \cdot \operatorname{Sign}, \mathrm{TS}_{2} \cdot \mathrm{Vrfy}, \mathrm{TS}_{2} \cdot \operatorname{Comp}\right\}\) as follows:

  • \(\mathrm{TS}_{2} \cdot \operatorname{Gen}\left(1^{n}\right)\) : On input the security parameter 1n :
  1. Compute (A, T) using the GenTrap algorithm, where 2 n m \(A \in \mathbb{Z}_{q}^{n \times m}\) and \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\).
  2. Choose a hash function \(\mathrm{H}(\cdot, \cdot):\{0,1\}^{*} \times\{0,1\}^{m} \rightarrow\{0,1\}^{n}\).
  3. Output a public key \(p k=(A, \mathrm{H}(\cdot, \cdot))\) and a secret key sk = T .
  • \(\mathrm{TS}_{2} \cdot \operatorname{Sign}(s k,(i, j))\) : On input the secret key sk = T and the edge (i,j) : 
  1. If state St(i) is empty, choose \(r_{i} \leftarrow\{0,1\}^{m}\), compute \(h_{i}=\mathrm{H}\left(i, r_{i}\right) \in\{0,1\}^{n}\), sample \(v_{i} \leftarrow \mathcal{D}_{\Lambda_{2 q}^{q \cdot h_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(i)=\left(v_{i}, r_{i}\right)\).
  2. If state St(j) is empty, choose \(r_{j} \leftarrow\{0,1\}^{m}\), compute \(h_{j}=\mathrm{H}\left(j, r_{j}\right) \in\{0,1\}^{n}\), sample \(v_{i} \leftarrow \mathcal{D}_{\Lambda_{2 q}^{q \cdot h_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(i)=\left(v_{i}, r_{i}\right)\).
  3. Compute \(v_{i, j}=v_{i}-v_{j}\) with states \(S t(i)=\left(v_{i}, r_{i}\right)\) and \(S t(i)=\left(v_{i}, r_{i}\right)\).
  4. Output a signature \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\).
  • \(\mathrm{TS}_{2} \cdot \operatorname{Vrfy}\left(p k,(i, j), \sigma_{i, j}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot, \cdot))\), the edge (i, j), and the signature \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) :
  1. Compute \(h_{i}=\mathrm{H}\left(i, r_{i}\right) \in\{0,1\}^{n}\) and \(h_{j}=\mathrm{H}\left(j, r_{j}\right) \in\{0,1\}^{n}\).
  2. Output a bit 1 if \(\left\|v_{i, j}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}\) and \(\), and output a bit 0 otherwise.
  • \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot, \cdot))\), the signature \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) on the edge (i,j) , the signature \(\sigma_{j, k}=\left(v_{j, k}, r_{j}, r_{k}\right)\) on the edge (j,k) :
  1. Compute \(v_{i, k}=v_{i, j}+v_{j, k}\).
  2. Output a signature \(\sigma_{i, k}=\left(v_{i, k}, r_{i}, r_{k}\right)\).

4.1 Correctness

 We show that our scheme TS2 is correct.

 Theorem 4.1. Our scheme TS2 is correct.

 Proof of Theorem 4.1. The \(\mathrm{TS}_{2} \cdot \operatorname{sign}(s k,(i, j))\) algorithm can sample vi and vj such that \(\left\|v_{i}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi} \quad, \quad\left\|v_{j}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi} \quad, \quad A \cdot v_{i}=q \cdot h_{i}(\bmod 2 q)\), and \(A \cdot v_{j}=q \cdot h_{j}(\bmod 2 q)\). That is, \(A \cdot v_{i, j}=A \cdot\left(v_{i}-v_{j}\right)=q \cdot h_{i}-q \cdot h_{j}(\bmod 2 q)\) and \(\left\|v_{i, j}\right\|=\left\|v_{i}-v_{j}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}\).

 The \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm can compute \(v_{i, j}+v_{j, k}=\left(v_{i}-v_{j}\right)+\left(v_{j}-v_{k}\right)=v_{i}-v_{k}\) such that \(\left\|v_{i}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi}\)\(\left\|v_{k}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi}, A \cdot v_{i}=q \cdot h_{i}(\bmod 2 q)\),  and \(A \cdot v_{k}=q \cdot h_{k}(\bmod 2 q)\). That is,\(A \cdot v_{i, k}=A \cdot\left(v_{i}-v_{k}\right)=q \cdot h_{i}-q \cdot h_{k}(\bmod 2 q)\) and \(\left\|v_{i, k}\right\|=\left\|v_{i}-v_{k}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}\).

 Therefore, our scheme TS2 is correct.

4.2 Transitivity

 We show that our scheme TS2 is transitive for undirected graphs.

 Theorem 4.2. Our scheme TS2 is transitive for undirected graphs.

 Proof of Theorem 4.2. The \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm computes as follows:

\(v_{i, k}=v_{i, j}+v_{j, k}=v_{i}-v_{j}+v_{j}-v_{k}=v_{i}-v_{k}\).       (11)

 A combined signature σi,k on (i,k) generated with the \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) is indistinguishable from σ′i,k on the edge (i,k) generated with the \(\mathrm{TS}_{2} \cdot \operatorname{Sign}(s k,(i, k))\).

\(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) can be easily made from \(\sigma_{j, i}=\left(v_{j, i}, r_{j}, r_{i}\right)\) as follows:

\(v_{i, j}=-v_{j, i}=-\left(v_{j}-v_{i}\right)=v_{i}-v_{j} \).       (12)

 Therefore, our scheme TS2 is transitive for undirected graphs.

4.3 Transitive Unforgeability

 We show that our scheme TS2 is transitively unforgeable under chosen-edge attacks in the standard model.

 Theorem 4.3. Our scheme TS2 is transitively unforgeable under chosen-edge attacks in the standard model if the k -\(\mathrm{SIS}_{q, m, \beta, s}\) problem for \( \beta=1.1 \cdot s \cdot \sqrt{m / \pi}\) is hard.

 Proof of Theorem 4.3. We can construct an algorithm \(\mathcal{A}\) attacking the k -\(\mathrm{SIS}_{q, m, \beta, s}\) problem for \( \beta=1.1 \cdot s \cdot \sqrt{m / \pi}\) if there exists a forger \(\mathcal{F}\) mounting transitive forgery attacks on TS2 as follows:

  • Setup: On input an instance \(\left(B, v_{1}, \cdots, v_{\mathrm{k}}\right)\) of the k - \(\mathrm{SIS}_{q, m, \beta, s}\) problem, where \(B \in \mathbb{Z}_{q}^{n \times m}\) and \(v_{1}, \cdots, v_{\mathrm{k}} \leftarrow \mathcal{D}_{\Lambda_{q}^{\perp}(B), s}\)
  1. \(\mathcal{A}\) chooses a chameleon hash function \(\mathrm{H}(\cdot, \cdot):\{0,1\}^{*} \times\{0,1\}^{m} \rightarrow\{0,1\}^{n}\).
  2. \(\mathcal{A}\) chooses \(h_{1}, \cdots, h_{\mathrm{k}} \leftarrow\{0,1\}^{n}\).
  3. \(\mathcal{A}\) lets \(V=\left[v_{1}|\cdots| v_{\mathrm{k}}\right] \in \mathbb{Z}^{m \times \mathrm{k}}\).
  4. \(\mathcal{A}\) lets \(H=\left[h_{1}|\cdots| h_{\mathrm{k}}\right] \in\{0,1\}^{n \times k}\).
  5. \(\mathcal{A}\) chooses \(A_{2} \leftarrow\{0,1\}^{n \times m}\) such that \(A_{2} \cdot V=H(\bmod 2)\).
    i. Note that V (mod 2) is uniformly random by Lemma 2.13.
    ii. Note that the rank of \(V \in \mathbb{Z}_{2}^{m \times \mathrm{k}}\) is k with all but negligible probability by Lemma 2.14.
  6. \(\mathcal{A}\) computes \(A \in \mathbb{Z}_{2q}^{n \times m}\) such that A=A2 (mod 2) and A = B (mod q) using the Chinese remainder theorem.
    i. Note that A (mod 2q) is uniformly random by Lemma 2.13.
  7. \(\mathcal{A}\) sends \(p k=(A, \mathrm{H}(\cdot, \cdot))\) to \(\mathcal{F}\).
  • Signing queries: On input the edge (i,j) :
  1. \(\mathcal{A}\) samples \(r_{i}, r_{j} \leftarrow\{0,1\}^{m}\) such that \(h_{i}=\mathrm{H}\left(i, r_{i}\right)\) and \(h_{j}=\mathrm{H}\left(j, r_{j}\right)\).
  2. \(\mathcal{A}\) computes \(v_{i, j}=v_{i}-v_{j}\).
  3. \(\mathcal{A}\) sends \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) to \(\mathcal{F}\).
    i. Note that the number of signing queries is poly( ) n .
  • Output: Assume that \(\mathcal{F}\) output a forged signature \(\sigma_{i^*, j^*}=\left(v_{i^*, j^*}, r_{i^*}, r_{j^*}\right)\) on the edge \(\left(i^{*}, j^{*}\right)\). \(\mathcal{A}\) proceeds as follows:
  1. \(\mathcal{A}\) outputs \({v}_{i^{*}, j^{*}}\) as a solution to the k - \(\mathrm{SIS}_{q, m, \beta, s}\) problem.
    i. Note that the following equation is correct:

\(A \cdot v_{i^{*}, j^{*}}=q \cdot \mathrm{H}\left(i^{*}, r_{i^{*}}\right)-q \cdot \mathrm{H}\left(j^{*}, r_{j^{*}}\right)(\bmod 2 q)=B \cdot v_{i^{*}, j^{*}}(\bmod q)=0(\bmod q)\)(13)

ii. By Lemma 2.15, \({v}_{i^{*}, j^{*}}\) is not in \(\mathbb{Q}\) -span \(\left(\left\{v_{1}, \cdots, v_{\mathrm{k}}\right\}\right)\) and the Euclidean norm of \({v}_{i^{*}, j^{*}}\) is as follows:

\(\left\|v_{i, j^{*}}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}=\beta\).       (14)

 The advantage \(\mathrm{Adv}_{\mathrm{TS}_{2}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{F}\) in the game \(\operatorname{Game}_{\mathrm{TS}_{2}, \mathcal{F}}^{\mathrm{TU}}(n)\) is computed as follows:

 \(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{k-SIS}} \geq \mathrm{Adv}_{\mathrm{TS}_{_{2}}, \mathcal{F}}^{\mathrm{TU}}\).       (15)

5. Conclusion

 We have proposed the first transitive signature schemes for undirected graphs from lattices. The first scheme is provably secure in the random oracle model and the second scheme is provably secure in the standard model. The question of constructing a transitive signature scheme for directed graphs still remains open.

References

  1. Silvio Micali and Ronald L. Rivest, "Transitive signature schemes," in Proc. of The Cryptographers' Track, RSA Conference - CT-RSA 2002, LNCS 2271, pp. 236-243, February 18-22, 2002.
  2. Susan Rae Hohenberger, "The cryptographic impact of groups with infeasible inversion,"Master's Thesis, Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2003.
  3. Hidenori Kuwakado and Hatsukazu Tanaka, "Transitive signature scheme for directed trees," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E86-A, no. 5, pp. 1120-1126, May 1, 2003.
  4. Xun Yi, Chik-How Tan, and Eiji Okamoto, "Security of Kuwakado-Tanaka transitive signature scheme for directed trees," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E87-A, no. 4, pp. 955-957, April 1, 2004.
  5. Xun Yi, "Directed transitive signature scheme," in Proc. of The Cryptographers' Track, RSA Conference - CT-RSA 2007, LNCS 4377, pp. 129-144, February 5-9, 2007.
  6. Gregory Neven, "A simple transitive signature scheme for directed trees," Theoretical Computer Science, vol. 396, no. 1-3, pp. 277-282, May 10, 2008. https://doi.org/10.1016/j.tcs.2008.01.042
  7. Philippe Camacho and Alejandro Hevia, "Short transitive signatures for directed trees," in Proc. of The Cryptographers' Track, RSA Conference - CT-RSA 2012, LNCS 7178, pp. 35-50, February 27-March 2, 2012.
  8. Siamak Fayyaz Shahandashti, Mahmoud Salmasizadeh, and Javad Mohajeri, "A Provably Secure Short Transitive Signature Scheme from Bilinear Group Pairs," in Proc. of 4th International Conference on Security in Communication Networks - SCN 2004, LNCS 3352, pp. 60-76, September 8-10, 2004.
  9. Mihir Bellare and Gregory Neven, "Transitive signatures based on factoring and RSA," Advances in Cryptology - Asiacrypt 2002, LNCS 2501, pp. 397-414, December 1-5, 2002.
  10. Mihir Bellare and Gregory Neven, "Transitive signatures: new schemes and proofs," IEEE Transactions on Information Theory, vol. 51, no. 6, pp. 2133-2151, May 31, 2005. https://doi.org/10.1109/TIT.2005.847697
  11. Peter W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, October, 1997. https://doi.org/10.1137/S0097539795293172
  12. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in Proc. of 40th Annual ACM Symposium on Theory of Computing -STOC 2008, pp. 197-206, May 17-20, 2008.
  13. David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert, "Bonsai trees, or how to delegate a lattice basis," Advances in Cryptology - Eurocrypt 2010, LNCS 6110, pp. 523-552, May 30-June 3, 2010.
  14. Xavier Boyen, "Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more," in Proc. of 13th International Conference on Practice and Theory in Public Key Cryptography - PKC 2010, LNCS 6056, pp. 499-517, May 26-28, 2010.
  15. Markus Ruckert, "Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles," in Proc. of Third International Workshop on Post-quantum Cryptography - PQCrypto 2010, LNCS 6061, pp. 182-200, May 25-28, 2010.
  16. Daniele Micciancio and Chris Peikert, "Trapdoors for lattices: simpler, tighter, faster, smaller," Advances in Cryptology - Eurocrypt 2012, LNCS 7237, pp. 700-718, April 15-19, 2012.
  17. Geontae Noh and Ik Rae Jeong, "Scalable Hierarchical Identity-based Signature Scheme from Lattices," KSII Transactions on Internet and Information Systems, vol. 7, no. 12, pp. 3261-3273, December 27, 2013. https://doi.org/10.3837/tiis.2013.12.017
  18. S. Dov Gordon, Jonathan Katz, and Vinod Vaikuntanathan, "A group signature scheme from lattice assumptions," in Advances in Cryptology - Asiacrypt 2010, LNCS 6477, pp. 395-412, December 5-9, 2010.
  19. Jin Wang and Bo Sun, "Ring signature schemes from lattice basis delegation," in Proc. of 13th International Conference on Information and Communications Security - ICICS 2011, LNCS 7043, pp. 15-28, Nobember 23-26, 2011.
  20. Geontae Noh, Ji Young Chun, and Ik Rae Jeong, "Strongly Unforgeable Ring Signature Scheme from Lattices in the Standard Model," Journal of Applied Mathematics, vol. 2014, pp. 1-12, May 5, 2014.
  21. Geontae Noh and Ik Rae Jeong, "Strong designated verifier signature scheme from lattices in the standard model," Security and Communication Networks, vol. 9, no. 18, pp. 6202-6214, March 30, 2017. https://doi.org/10.1002/sec.1766
  22. Dan Boneh and David Mandell Freeman, "Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures," in Proc. of 14th International Conference on Practice and Theory in Public Key Cryptography - PKC 2011, LNCS 6571, pp. 1-16, March 6-9, 2011.
  23. Dan Boneh and David Mandell Freeman, "Homomorphic signatures for polynomial functions," in Advances in Cryptology - Eurocrypt 2011, LNCS 6632, pp. 149-168, May 15-19, 2011.
  24. Shweta Agrawal, Dan Boneh, and Xavier Boyen, "Efficient lattice (H)IBE in the standard model," in Advances in Cryptology - Eurocrypt 2010, LNCS 6110, pp. 553-572, May 30-June 3, 2010.
  25. Shweta Agrawal, Dan Boneh, and Xavier Boyen, "Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE," in Advances in Cryptology - Crypto 2010, LNCS 6223, pp. 98-115, August 15-19, 2010.
  26. Shota Yamada, "Adaptively Secure Identity-Based Encryption from Lattices with Asymptotically Shorter Public Parameters," Advances in Cryptology - Eurocrypt 2016, LNCS 9666, pp. 32-62, May 8-12, 2016.
  27. Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan, "A simple BGN-type cryptosystem from LWE," Advances in Cryptology - Eurocrypt 2010, LNCS 6110, pp. 506-522, May 30-June 3, 2010.
  28. Robert Johnson, David Molnar, Dawn Song, and David Wagner, "Homomorphic signature schemes," in Proc. of The Cryptographers' Track, RSA Conference - CT-RSA 2002, LNCS 2271, pp. 244-262, February 18-22, 2002.
  29. Abhishek. Banerjee, Chris Peikert, and Alon Rosen, "Pseudorandom functions and lattices," in Advances in Cryptology - Eurocrypt 2012, LNCS 7237, pp. 719-737, April 15-19, 2012.
  30. Daniele Micciancio and Oded Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM Journal on Computing, vol. 37, no. 1, pp. 267-302, April 2007. https://doi.org/10.1137/S0097539705447360
  31. San Ling, Duong Hieu Phan, Damien Stehle, and Ron Steinfeld, "Hardness of k -LWE and Applications in Traitor Tracing," Advances in Cryptology - Crypto 2014, LNCS 8616, pp. 315-334, August 17-21, 2014.