Abstract
Signcryption is a primitive that provides the functionality of both public-key encryption and digital signatures at once, and hence it is an important and fundamental protocol in cryptography. It is also of interest to construct signcryption efficiently from lattice problems, since lattice-based constructions are expected to resist quantum computers. The contribution of this paper is an efficient lattice-based signcryption scheme that satisfies strong security without random oracles. We propose such a construction based on the learning with errors (LWE) and small integer solution (SIS) problems. The public-key size and ciphertext size of our construction are shorter than those of any other scheme, and in the remaining size parameters (public/secret-key and ciphertext sizes) ours is no worse than the others.
Notes
1. Although a construction of lattice-based signcryption without random oracles was proposed in [34], we confirmed that this construction didn't meet MU-sUF-iCMA security.
2. We say that a DEM is one-to-one if for a message \(\mu \) and a symmetric-key K, there is only one ciphertext c such that \(\mu = \text {DEM.Dec}(K,c)\).
References
1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
2. Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 74(2), 325–354 (2015)
3. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_6
4. Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. J. Cryptol. 20(2), 203–235 (2007)
5. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)
6. Böhl, F., Hofheinz, D., Jager, T., Koch, J., Striecks, C.: Confined guessing: new signatures from standard assumptions. J. Cryptol. 28(1), 176–208 (2015)
7. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)
8. Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_29
9. Boyen, X., Li, Q.: Towards tightly secure lattice short signature and Id-based encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 404–434. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_14
10. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)
11. Chiba, D., Matsuda, T., Schuldt, J.C.N., Matsuura, K.: Efficient generic constructions of signcryption with insider security in the multi-user setting. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 220–237. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_13
12. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
13. Ducas, L., Micciancio, D.: Improved short lattice signatures in the standard model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 335–352. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_19
14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
15. Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 3, no. 42 (1996)
16. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23
17. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_30
18. Libert, B., Quisquater, J.-J.: Efficient signcryption with key privacy from gap Diffie-Hellman groups. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 187–200. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_14
19. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
20. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
21. Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 37–54. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_3
22. Matsuda, T., Matsuura, K., Schuldt, J.C.N.: Efficient constructions of signcryption schemes and signcryption composability. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 321–342. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10628-6_22
23. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
24. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
25. Nakano, R., Shikata, J.: Constructions of signcryption in the multi-user setting from identity-based encryption. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 324–343. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45239-0_19
26. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC 2009, pp. 333–342. ACM (2009)
27. Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5
28. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
29. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC 2008, pp. 187–196. ACM (2008)
30. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)
31. Rückert, M.: Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 182–200. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_14
32. Tan, C.H.: Signcryption scheme in multi-user setting without random oracles. In: Matsuura, K., Fujisaki, E. (eds.) IWSEC 2008. LNCS, vol. 5312, pp. 64–82. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89598-5_5
33. Yamada, S.: Adaptively secure identity-based encryption from lattices with asymptotically shorter public parameters. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 32–62. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_2
34. Yan, J., Wang, L., Wang, L., Yang, Y., Yao, W.: Efficient lattice-based signcryption in standard model. Math. Prob. Eng. 2013 (2013)
35. Zhang, J., Chen, Y., Zhang, Z.: Programmable hash functions from lattices: short signatures and IBEs with small key sizes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 303–332. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_11
36. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) \({\ll }\) cost(signature) + cost(encryption). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052234
Appendices
Appendix A: Data Encapsulation Mechanism (DEM)
A DEM consists of a pair of polynomial-time algorithms DEM = (Enc, Dec), defined as follows. Let \(\mathcal {MSP}\) be a message-space and \(\mathcal {KSP}\) a key-space.
- \(\text {Enc}(K,\mu )\): Enc is a randomised encryption algorithm that, on input a symmetric-key \(K \in \mathcal {KSP}\) and a message \(\mu \in \mathcal {MSP}\), outputs a ciphertext C.
- \(\text {Dec}(K,C)\): Dec is a deterministic decryption algorithm that, on input a symmetric-key K and a ciphertext C, outputs a message \(\mu \) or the invalid symbol \(\bot \).
IND-OT security of DEM = (Enc, Dec) is defined by the following game between a challenger and a PPT adversary \(\mathcal {A}\).
- Setup: The challenger generates a symmetric-key \(K \overset{U}{\leftarrow }\mathcal {KSP}\).
- Challenge: When \(\mathcal {A}\) submits \((\mu _0,\mu _1)\), the challenger chooses \(b \in \{ 0,1 \}\) uniformly at random and returns \(C^* \leftarrow \text {Enc}(K,\mu _b)\).
- Output: \(\mathcal {A}\) outputs \(b^\prime \in \{ 0,1 \}\), and wins if \(b = b^\prime \).
Let \(Adv_{\mathcal {A}}^{\text {IND-OT}}(k) := |\Pr [b=b^\prime ] - \frac{1}{2}|\) be the advantage of \(\mathcal {A}\). DEM is IND-OT secure if \(Adv_{\mathcal {A}}^{\text {IND-OT}}(k) \le \mathrm{negl}(k)\) for every PPT adversary \(\mathcal {A}\).
Appendix B: Lattice-Based Tag-Based Encryption and Tag-Based KEM
IND-sTag-CCA secure TBE based on LWE can be constructed directly from the lattice-based tag-based trapdoor functions of [23], where IND-sTag-CCA denotes indistinguishability under selective-tag chosen-ciphertext attack (cf. [17]). Hence, we obtain the following lattice-based construction of TBE = (Setup, Kg, Enc, Dec):
- \(prm \leftarrow \text {Setup}(1^n)\): Take a security parameter n as input and set the public parameters prm as follows: a prime \(q = \mathrm{poly}(n)\), integers \(\bar{m} = O(n \log {q})\) and \(m = \bar{m} + n \log {q}\), \(\alpha ^{-1} = O(n \log {q})^2 \cdot \omega (\sqrt{\log {n}})\), and the matrix \(\varvec{G} \in \mathbb {Z}_q^{n \times n \log {q}}\) as defined in Sect. 2.2. Output \(prm = (n, q, \bar{m}, m, \alpha , \varvec{G})\).
- \((pk, sk) \leftarrow \text {Kg}(prm)\): To generate a public-key pk and a secret-key sk, do the following:
  1. \(\bar{\varvec{A}} \overset{U}{\leftarrow }\mathbb {Z}_q^{n \times \bar{m}}\), \(\varvec{T} \leftarrow D_{\log {n}}^{\bar{m} \times n \log {q}}\), \(\varvec{U} \overset{U}{\leftarrow }\mathbb {Z}_q^{n \times \ell }\), \(\varvec{A} = \left[ \bar{\varvec{A}} | - \bar{\varvec{A}}\varvec{T} \right] \in \mathbb {Z}_q^{n \times m}\).
  2. Output \(pk = (\varvec{A}, \varvec{U})\), \(sk = \varvec{T}\).
- \(C \leftarrow \text {Enc}(pk, tag, \mu )\): To encrypt a message \(\mu \in \{ 0,1 \}^\ell \), do the following:
  1. \(\varvec{s} \overset{U}{\leftarrow }\mathbb {Z}_q^n\), \(\varvec{x}_0 \leftarrow D_{\alpha q}^m\), \(\varvec{x}_1 \leftarrow D_{\alpha q}^{\ell }\), \(\varvec{A}_{tag} = \left[ \bar{\varvec{A}} | H(tag)\varvec{G} - \bar{\varvec{A}}\varvec{T} \right] \in \mathbb {Z}_q^{n \times m}\). (Note that \(\varvec{A}_{tag} = \varvec{A} + \left[ \varvec{0} | H(tag)\varvec{G} \right] \), so the encryptor computes it from pk alone, without knowing \(\varvec{T}\).)
  2. \(\varvec{c}_0 = \varvec{s}^T \varvec{A}_{tag} + \varvec{x}_0^T \in \mathbb {Z}_q^m\), \(\varvec{c}_1 = \varvec{s}^T \varvec{U} + \varvec{x}_1^T + \mu \cdot \lfloor q/2 \rfloor \in \mathbb {Z}_q^\ell \).
  3. Output a ciphertext \(C = (\varvec{c}_0, \varvec{c}_1)\).
- \(\mu \leftarrow \text {Dec}(sk, tag, C)\): To decrypt \(C = (\varvec{c}_0,\varvec{c}_1)\), do the following:
  1. \(\varvec{A}_{tag} = \left[ \bar{\varvec{A}} | H(tag) \varvec{G} - \bar{\varvec{A}}\varvec{T} \right] \), \((\varvec{s}, \varvec{x}_0) = \textsf {Invert}(\varvec{T}, \varvec{A}_{tag}, \varvec{c}_0)\).
  2. \(\varvec{d} = \varvec{c}_1 - \varvec{s}^T \varvec{U} \in \mathbb {Z}_q^\ell \); let \(\varvec{d} = (d_1, \ldots , d_{\ell })\), and for each \(i \in [\ell ]\) set \(k_i = 0\) if \(d_i\) is closer to 0 than to \(\lfloor \frac{q}{2} \rfloor \), and \(k_i = 1\) otherwise.
  3. Output the message \(\mu = (k_1, \ldots , k_{\ell }) \in \{ 0,1 \}^\ell \).
Note that the above construction is based on LWE, and the lattice-based (IND-sTag-CCA secure) TB-KEM is obtained from this TBE by replacing the message with a random key.
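The following is an added toy model of the Appendix B TBE (example code written for this page, not the paper's or [23]'s implementation) that shows why \(\varvec{A}_{tag}\) is computable from pk alone and how multiplying \(\varvec{c}_0\) by \([\varvec{T}; \varvec{I}]\) cancels \(\bar{\varvec{A}}\varvec{T}\) and exposes \(\varvec{s}^T H(tag) \varvec{G}\) plus small noise. Assumptions, all of them simplifications of the paper's setting: \(q = 2^K\) instead of a prime so that Invert is a bitwise gadget decode, \(H(tag) = tag \cdot \varvec{I}_n\) with odd tag as a stand-in for the encoding of Sect. 2.2, bounded uniform noise in place of the discrete Gaussians, and pk passed to Dec because it needs \(\bar{\varvec{A}}\).

```python
# Added toy model of the Appendix B TBE (not the paper's code). Simplifications: q = 2^K instead of
# prime, so Invert is a bitwise gadget decode; H(tag) = tag*I_n with odd tag; uniform {-2..2} noise.
import random

N, K, MBAR, ELL = 4, 10, 12, 8         # constructed toy parameters, no security claimed
Q, W = 1 << K, N * K                   # q = 2^K, W = n*log q = width of the gadget block

def vecmat(v, M):                      # v^T M mod Q, M given as a list of rows
    return [sum(vi * row[j] for vi, row in zip(v, M)) % Q for j in range(len(M[0]))]

def keygen(rng):                       # Kg: pk = (A, U) with A = [A_bar | -A_bar T], sk = T
    A_bar = [[rng.randrange(Q) for _ in range(MBAR)] for _ in range(N)]
    T = [[rng.choice((-1, 0, 1)) for _ in range(W)] for _ in range(MBAR)]
    U = [[rng.randrange(Q) for _ in range(ELL)] for _ in range(N)]
    return ([row + [(-x) % Q for x in vecmat(row, T)] for row in A_bar], U), T

def a_tag(A, tag):                     # A_tag = [A_bar | H(tag) G - A_bar T] = A + [0 | tag*G], from pk only
    return [row[:MBAR] + [(row[MBAR + c] + (tag << (c % K) if c // K == i else 0)) % Q
                          for c in range(W)] for i, row in enumerate(A)]

def encrypt(pk, tag, mu, rng):
    s = [rng.randrange(Q) for _ in range(N)]
    x0 = [rng.randint(-2, 2) for _ in range(MBAR + W)]   # small error in place of D_{alpha q}
    x1 = [rng.randint(-2, 2) for _ in range(ELL)]
    c0 = [(a + x) % Q for a, x in zip(vecmat(s, a_tag(pk[0], tag)), x0)]
    c1 = [(u + x + m * (Q // 2)) % Q for u, x, m in zip(vecmat(s, pk[1]), x1, mu)]
    return c0, c1

def gadget_decode(b):                  # b = u^T G + e (mod Q), |e| < Q/4  ->  u
    u = [0] * N
    for i in range(N):
        for j in range(K - 1, -1, -1):   # after removing known low bits, coordinate j holds bit (K-1-j)*Q/2 + e
            r = (b[i * K + j] - (u[i] << j)) % Q
            if Q // 4 <= r < 3 * Q // 4:
                u[i] |= 1 << (K - 1 - j)
    return u

def invert(T, tag, c0):                # Invert: c0 [T; I] = (tag*s)^T G + x0^T [T; I], |error| <= 26 < Q/4
    b = [(t + c) % Q for t, c in zip(vecmat(c0[:MBAR], T), c0[MBAR:])]
    return [(v * pow(tag, -1, Q)) % Q for v in gadget_decode(b)]

def decrypt(sk, pk, tag, C):           # Dec: d = c1 - s^T U, bit is 1 iff d_i is closer to q/2 than to 0
    d = [(c - su) % Q for c, su in zip(C[1], vecmat(invert(sk, tag, C[0]), pk[1]))]
    return [int(Q // 4 <= di < 3 * Q // 4) for di in d]

def roundtrip(seed, tag, mu):          # constructed check: encrypt mu under tag, decrypt with the trapdoor
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt(sk, pk, tag, encrypt(pk, tag, mu, rng)) == list(mu)
```

The error bound in invert comes from the parameter choice: each coordinate of \(\varvec{x}_0^T [\varvec{T}; \varvec{I}]\) is at most \(2 \cdot \bar{m} + 2 = 26\) in absolute value, well below \(q/4 = 256\), which is the same role the Gaussian parameters \(\alpha\) and \(D_{\log n}\) play in the paper.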
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Sato, S., Shikata, J. (2018). Lattice-Based Signcryption Without Random Oracles. In: Lange, T., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2018. Lecture Notes in Computer Science(), vol 10786. Springer, Cham. https://doi.org/10.1007/978-3-319-79063-3_16
DOI: https://doi.org/10.1007/978-3-319-79063-3_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-79062-6
Online ISBN: 978-3-319-79063-3