USRE48643E1 - Cryptographic system using pairing with errors - Google Patents

Cryptographic system using pairing with errors Download PDF

Info

Publication number
USRE48643E1
USRE48643E1 US16/678,335 US201316678335A USRE48643E US RE48643 E1 USRE48643 E1 US RE48643E1 US 201316678335 A US201316678335 A US 201316678335A US RE48643 E USRE48643 E US RE48643E
Authority
US
United States
Prior art keywords
matrix
interval
key
entry
party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US16/678,335
Inventor
Jintai Ding
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US16/678,335 priority Critical patent/USRE48643E1/en
Application granted granted Critical
Publication of USRE48643E1 publication Critical patent/USRE48643E1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/34Encoding or coding, e.g. Huffman coding or error correction

Definitions

  • This invention is related to the construction of cryptographic systems, in particular, key exchange (KE) systems, key distribution (KD) systems and identity-based-encryption (IBE) systems, which are based on essentially the same mathematical principle, pairing with errors.
  • KE key exchange
  • KD key distribution
  • IBE identity-based-encryption
  • KD key distribution
  • KD key distribution
  • Shamir proposed another kind of public key encryption system [SHA].
  • a person or an entity's public key is generated with a public algorithm from the information that can identify the person or the entity uniquely.
  • the information may include the person's name, residential address, birthday, finger print information, e-mail address, social security number and etc. Since the public key is determined by the public information that can identify the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
  • IBE identity-based encryption
  • IBE Identity-based-encryption
  • a sender encrypts a message for a given receiver using the receiver's public key based on the identity of the receiver.
  • the receiver decrypts the message using the receiver's private key.
  • the receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key for the legitimate user securely.
  • An IBE system does not demand the sender to search for the receiver's public key, but rather, a sender in an IBE system derives any receiver's corresponding public key using an algorithm on the information that identifies the receiver, for example, an email address, an ID number or other information.
  • Current IBE systems are very complicated and not efficient in terms of computations, since the bilinear paring over elliptic curves is very computationally intensive. These systems based on pairing over elliptic curves can also be broken efficiently if we have a quantum computer as showed in the work of Shor [SHO]. There are also constructions based on lattices, but those are also rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable that we have secure and efficient IBE systems.
  • This invention first contains a novel method for two parties A and B to perform an secure KE over an open communication channel.
  • This method is based on the computation of pairing of the same bilinear form in two different ways but each with different small errors.
  • each users will choose a private matrix S A , S B respectively with small entries following certain error distributions secretly and a public matrix M randomly.
  • each user will compute the multiplication of the user's secret matrix with the publicly chosen matrix but with small errors, exchange the new matrices, and then perform the computation of pairing of S A and S B over the same bilinear form based on M in two different ways but each with different small errors.
  • This kind of mathematical computation is called pairing with errors.
  • the shared key is derived from the pairings with a rounding technique.
  • This invention second contains a novel method to build a KD system with a central server or authority.
  • the central server or authority assigns each user i a public ID as a matrix A i with small entries or establish the ID of each user as a matrix A i with small entries following certain error distributions with the information that can identify the user uniquely, and, in a secure way, gives each user a private key based on certain multiplication of this ID matrix with the central server or authority's secret master key M, another matrix, but with small errors.
  • any two users in the system will compute the pairing of the two ID matrices of the users with the same bilinear form based on the master key matrix M in two different ways but each with different small errors to derive a shared key between these two users with certain rounding technique.
  • This method can be viewed as an extension of the idea of the learning with error problem discovered by Regev in 2005 [Reg].
  • the security of this system depends on the hardness of the problem related to pairing with errors. This system involves only matrix multiplication and therefore is very efficient.
  • This invention third contains a novel method to build a IBE system with a central server or authority.
  • the central server or authority assigns each user i a public ID A i as a matrix with small entries following certain certain error distributions or establish the ID of each user as a matrix with small entries following certain certain error distributions with the information that can identify the user uniquely.
  • Each user is given by the central server or authority a private key S i based on certain multiplication of this ID matrix with the central server or authority's master private key S, another matrix, but with errors related to one part of the master public key M, another matrix.
  • the central server or authority will establish another half of the mater key as the multiplication of M and S with small errors, which we call M 1 .
  • any user who wishes to send the user i a message in the system will compute public key of i which consists of M and a paring of M and A i of the bilinear form based on the master secret key matrix S, then encrypt the message using the encryption system based on the MLWE problem, and the user i will use the secret key S i to decrypt the message.
  • This method can be viewed as an extension of the idea of the learning with error problem discovered by REGEV in 2005.
  • the security of this system depends the harness of certain lattice problem, which can be mathematically proven hard. This system involves only matrix multiplication and therefore is very efficient.
  • a LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution n on the finite ring (field) F q with q elements. To simplify the exposition, we will take q to be a odd prime and but we can also work on any whole number except that we may need to make slight modifications.
  • each element is represented by the set ⁇ (q ⁇ 1)/2, . . . , 0, . . . , (q ⁇ 1)/2 ⁇ .
  • an error distribution
  • we mean a distribution we mean a distribution such that there is a high probability we will select an element, which is small. There are many such selections and the selection directly affect the security of the system. One should select good error distribution to make sure the system works well and securely.
  • ⁇ S, ⁇ , on F q be the probability distribution obtained by selecting an element A in F q n randomly and uniformly, choosing e ⁇ F q according to ⁇ , and outputting (A, ⁇ A, S>+e), where + is the addition that is performed in F q .
  • A is a square matrices of the size n ⁇ n and, S and e of the size n ⁇ 1.
  • ⁇ S, ⁇ n over F q be the probability distribution obtained by selecting an n ⁇ n matrix A, whose each entry are chosen in F q uniformly and independently, choosing e as a n ⁇ 1 vector over F q with entries chosen according to certain error distribution ⁇ n , for example, each entries follows an error distribution n independently, and outputting (A, A ⁇ S+e), where + is the addition that is performed in F q n .
  • An algorithm that solves a LWE with modulus q and error distribution ⁇ n , if, for any vector S in F q n , with any number of independent sample(s) from ⁇ S, ⁇ n , it outputs S (with high probability).
  • ⁇ S, ⁇ n 2 over F q be the probability distribution obtained by selecting an n ⁇ n matrix A, whose each entry are chosen in F q uniformly and independently, choosing e as a n ⁇ n matrix over F q with entries following certain error distribution ⁇ n 2 , for example, an distribution chosen according to the error distribution n independently, and outputting (A, A ⁇ S+e), where + is the addition that is performed in F q n 2 .
  • An algorithm that solves a LWE with modulus q and error distribution ⁇ n 2 if, for any n ⁇ n matrix S in F q n , with any number of independent sample(s) from ⁇ S, ⁇ n 2 , it outputs S (with a high probability).
  • Any element in R q is represented by a degree n polynomial, which can also be viewed as a vector with its corresponding coefficients as its entries.
  • q to be even positive number and things need slight modification.
  • the RLWE f,q, ⁇ problem is parameterized by an polynomial f(x) of degree n, a prime number q and an error distribution X over R q . It is defined as follows.
  • the secret s be an element in R q , a uniformly chosen random ring element.
  • this system can be very efficient due to the possibility doing fast multiplication over the ring R q using FFT type of algorithms.
  • the system can be essentially understood as that the master key of a central server is a symmetric matrix M of size n ⁇ n and each user's identity can be seen as a row vector H i of size n.
  • the central server gives each user the secret H i ⁇ M.
  • two users can derive the shared key as H i ⁇ M ⁇ H j t .
  • large number of users can collaborate to derive the master key. If one can collect enough (essentially n) H i ⁇ M, which then can be used to find the master key M and therefore break the system.
  • the key distribution system is set up step by step as follows.
  • the RLWE problem can be viewed as a specialized commutative version of matrix-based LWE since an element in the ring can be view as a homomorphism on the ring.
  • A, B, e i can follow different error distributions.
  • S i is a solution to a MLWE problem with the pair (A i , B i ) as the problem input. Therefore S i is indeed a secret key that could be used for decryption. Therefore the construction works. We need to choose parameters properly to ensure security.
  • the small elements like S, A i , e, e i can follow different error distributions.

Abstract

Using the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, this invention gives constructions of a new key exchanges system, a new key distribution system and a new identity-based encryption system. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
More than one reissue application has been filed for the reissue of U.S. Pat. No. 9,246,675. The reissue applications are U.S. application Ser. No. 16/678,335 (the present application and a divisional reissue), Ser. No. 16/678,838 (a divisional reissue), and Ser. No. 15/881,531 (granted as U.S. Pat. No. RE 47,841E1), all of which are reissue applications of U.S. Pat. No. 9,246,675.
U.S. Pat. No. 9,246,675, which issued on Jan. 26, 2016, is the National Stage of International Application No. PCT/CN2013/074053 filed on Apr. 11, 2013, which claims benefit under 35 U.S.C. § 119(e) of Provisional U.S. Patent Application No. 61/623,272, filed on Apr. 12, 2012, the disclosures of which are hereby incorporated by reference in their entireties.
The present disclosure claims priority to the U.S. provisional patent application with Ser. No. 61/623,272, entitled “New methods for secure communications and secure information systems”, filed Apr. 12, 2012 and PCT application with the same title and the PCT number PCT/CN2013/074053 filed on Apr. 11, 2013, which is incorporated herein by reference in its entirety and for all purposes.
BACKGROUND
This invention is related to the construction of cryptographic systems, in particular, key exchange (KE) systems, key distribution (KD) systems and identity-based-encryption (IBE) systems, which are based on essentially the same mathematical principle, pairing with errors.
In our modern communication systems like Internet, cell phone, and etc, to protect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communication, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and scalable key distribution (KD) system such that any two users can derive a shared key via the key distribution (KD) system established by the central server. Therefore it is important and desirable that we have secure and efficient KE systems and KD systems. The first KE system was proposed by Diffie and Hellman [DiHe], whose security is based on the hardness of discrete logarithm problems. This system can be broken by future quantum computers as showed in the work of Shor [SHO]. There are many key-distribution systems including the system using pairing over quadratic forms [BSHKVY], and the one based on bilinear paring over elliptic curves by Boneh and Boyen (in U.S. Pat. No. 7,590,236). But the existing systems have either the problem of computation efficiency or scalability. For instance, the bilinear paring over elliptic curves is very computationally intensive.
In the second case, we use asymmetric systems, namely public key cryptographic systems, for encryption, where the receiver has a set of a public key and a private key, and the sender has only the public key. The sender uses the public key to encrypt messages, the receiver uses the private key to decrypt the messages and only the entity who has the private key can decrypt the messages. In an usual public key system, we need to make sure the authenticity of the public keys and therefore each public key needs to have a certificate, which is a digital signature provided by a trusted central authority. The certificate is used to verify that the public key belongs to the legitimate user, the receiver of a message. To make public key encryption system fully work, we need to use such a system, which is called a public key infrastructure (PKI) system.
In 1984, Shamir proposed another kind of public key encryption system [SHA]. In this new system, a person or an entity's public key is generated with a public algorithm from the information that can identify the person or the entity uniquely. For example, in the case of a person, the information may include the person's name, residential address, birthday, finger print information, e-mail address, social security number and etc. Since the public key is determined by the public information that can identify the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
There are a few Identity-based-encryption (IBE) public key cryptosystems, and currently, the (best) one being practically used is the IBE system based on bilinear paring over elliptic curves invented by Boneh and Franklin (in U.S. Pat. No. 7,113,594). In IBE systems, a sender encrypts a message for a given receiver using the receiver's public key based on the identity of the receiver. The receiver decrypts the message using the receiver's private key. The receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key for the legitimate user securely. An IBE system does not demand the sender to search for the receiver's public key, but rather, a sender in an IBE system derives any receiver's corresponding public key using an algorithm on the information that identifies the receiver, for example, an email address, an ID number or other information. Current IBE systems are very complicated and not efficient in terms of computations, since the bilinear paring over elliptic curves is very computationally intensive. These systems based on pairing over elliptic curves can also be broken efficiently if we have a quantum computer as showed in the work of Shor [SHO]. There are also constructions based on lattices, but those are also rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable that we have secure and efficient IBE systems.
Clearly, there are still needs for more efficient and secure KE, KD and IBE systems for practical applications.
BRIEF SUMMARY OF THE INVENTION
This invention first contains a novel method for two parties A and B to perform an secure KE over an open communication channel. This method is based on the computation of pairing of the same bilinear form in two different ways but each with different small errors. In the KE process, each users will choose a private matrix SA, SB respectively with small entries following certain error distributions secretly and a public matrix M randomly. Then each user will compute the multiplication of the user's secret matrix with the publicly chosen matrix but with small errors, exchange the new matrices, and then perform the computation of pairing of SA and SB over the same bilinear form based on M in two different ways but each with different small errors. This kind of mathematical computation is called pairing with errors. The shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg]. The security of this system depends the hardness of certain lattice problem, which can be mathematically proven hard [DiLi]. This system involves only matrix multiplication and therefore is very efficient. Such a system can also resist the future quantum computer attacks.
This invention second contains a novel method to build a KD system with a central server or authority. In this system, the central server or authority assigns each user i a public ID as a matrix Ai with small entries or establish the ID of each user as a matrix Ai with small entries following certain error distributions with the information that can identify the user uniquely, and, in a secure way, gives each user a private key based on certain multiplication of this ID matrix with the central server or authority's secret master key M, another matrix, but with small errors. Then any two users in the system will compute the pairing of the two ID matrices of the users with the same bilinear form based on the master key matrix M in two different ways but each with different small errors to derive a shared key between these two users with certain rounding technique. This method can be viewed as an extension of the idea of the learning with error problem discovered by Regev in 2005 [Reg]. The security of this system depends on the hardness of the problem related to pairing with errors. This system involves only matrix multiplication and therefore is very efficient.
This invention third contains a novel method to build a IBE system with a central server or authority. In this system, the central server or authority assigns each user i a public ID Ai as a matrix with small entries following certain certain error distributions or establish the ID of each user as a matrix with small entries following certain certain error distributions with the information that can identify the user uniquely. Each user is given by the central server or authority a private key Si based on certain multiplication of this ID matrix with the central server or authority's master private key S, another matrix, but with errors related to one part of the master public key M, another matrix. The central server or authority will establish another half of the mater key as the multiplication of M and S with small errors, which we call M1. Then any user who wishes to send the user i a message in the system will compute public key of i which consists of M and a paring of M and Ai of the bilinear form based on the master secret key matrix S, then encrypt the message using the encryption system based on the MLWE problem, and the user i will use the secret key Si to decrypt the message. This method can be viewed as an extension of the idea of the learning with error problem discovered by REGEV in 2005. The security of this system depends the harness of certain lattice problem, which can be mathematically proven hard. This system involves only matrix multiplication and therefore is very efficient.
In our constructions, we can replace matrices by elements in ideal lattice, and we can also use other type of rounding techniques. We can also build the system in a distributed way where several servers can work together to build KD and IBE systems.
In short, we use the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, to build secure and more efficient KE, KD and IBE systems.
Though this invention has been described with specific embodiments thereof, it is clear that many variations, alternatives, modifications will become apparent to those who are skilled in the art of cryptography. Therefore, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the scope and spirit of the invention as set forth herein and defined in the claims. The claims in this invention are based on the U.S. provisional patent application with Ser. No. 61/623,272, entitled “New methods for secure communications and secure information systems”, filed Apr. 12, 2012, only more technical details are added.
DETAILED DESCRIPTION OF THE INVENTION
1.1 The Basic Idea of Pairing with Errors
The learning with errors (LWE) problem, introduced by Regev in 2005 [Reg], and its extension, the ring learning with errors (RLWE) problem [LPR] have broad application in cryptographic constructions with some good provable secure properties. The main claim is that they are as hard as certain worst-case lattice problems and hence the related cryptographic constructions.
A LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution n on the finite ring (field) Fq with q elements. To simplify the exposition, we will take q to be a odd prime and but we can also work on any whole number except that we may need to make slight modifications.
In Fq, each element is represented by the set {−(q−1)/2, . . . , 0, . . . , (q−1)/2}. In this exposition, by “an error” distribution, we mean a distribution we mean a distribution such that there is a high probability we will select an element, which is small. There are many such selections and the selection directly affect the security of the system. One should select good error distribution to make sure the system works well and securely.
Let ΠS,κ, on Fq be the probability distribution obtained by selecting an element A in Fq n randomly and uniformly, choosing e ϵFq according to κ, and outputting (A, <A, S>+e), where + is the addition that is performed in Fq. An algorithm that solves the LWE problem with modulus q and error distribution κ, if, for any S in Fq n, with an arbitrary number of independent samples from ΠS,κ, it outputs S (with high probability).
To achieve the provable security of the related cryptographic constructions based on the LWE problem, one chooses q to be specific polynomial functions of n, that is q is replaced by a polynomial functions of n, which we will denote as q(n), κ to be certain discrete version of normal distribution centered around 0 with the standard deviation σ=αq≥√{square root over (n)}, and elements of Fq are represented by integers in the range [−(q 1)/2, (q 1)/2)], which we denote as κσ.
In the original encryption system based on the LWE problem, one can only encrypt one bit a time, therefore the system is rather inefficient and it has a large key size. To further improve the efficiency of the cryptosystems based on the LWE problem, a new problem, which is a LWE problem based on a quotient ring of the polynomial ring Fq[x] [LPR], was proposed. This is called the ring LWE (RLWE) problem. In the cryptosystems based on the RLWE problem, their security is reduced to hard problems on a subclass of lattices, the class of ideal lattices, instead of general lattices.
Later, a new variant of LWE was proposed in [ACPS]. This variant of the LWE problem is based on the LWE problem. We will replace a vector A with a matrix A of size m×n, and S also with a matrix of size n×1, such that they are compatible to perform matrix multiplication A×S. We also replace e with a compatible matrix of size m×1. We will work on the same finite field with q elements.
To simplify the exposition, we will only present, in detail, for the case where A is a square matrices of the size n×n and, S and e of the size n×1.
Let ΠS,κ n , over Fq be the probability distribution obtained by selecting an n×n matrix A, whose each entry are chosen in Fq uniformly and independently, choosing e as a n×1 vector over Fq with entries chosen according to certain error distribution κn, for example, each entries follows an error distribution n independently, and outputting (A, A×S+e), where + is the addition that is performed in Fq n. An algorithm that solves a LWE with modulus q and error distribution κn, if, for any vector S in Fq n, with any number of independent sample(s) from ΠS,κ n , it outputs S (with high probability).
For the case that we choose a small S, namely entries of S are chosen independently according to also the error distribution κn, we call this problem a small LWE problem (SLWE). If we further impose the condition A to be symmetric, we call it a small symmetric LWE problem (SSLWE). If we choose the secret S randomly and independently from the set −z, . . . , 0, 1 . . . , z with z a fixed small positive integer, we call such a problem uniformly small LWE problem (USLWE).
For practical applications, we can choose S and e with different kind of error distributions.
Due to the results in [ACPS], we know If the secret S's coordinates and the error e's entries are sampled independently from the LWE error distribution κσ, the corresponding LWE problem is as hard as LWE with a uniformly random secret S. This shows that the SLWE problem is as hard as the corresponding LWE problem. The same is true for the case of the RLWE problem that if one can solve the Ring LWE problem with a small secret namely the element S being small, then one can solve it with an uniform secret.
We further extend the problem to a full matrix form.
Let ΠS,κ n 2 over Fq be the probability distribution obtained by selecting an n×n matrix A, whose each entry are chosen in Fq uniformly and independently, choosing e as a n×n matrix over Fq with entries following certain error distribution κn 2 , for example, an distribution chosen according to the error distribution n independently, and outputting (A, A×S+e), where + is the addition that is performed in Fq n 2 . An algorithm that solves a LWE with modulus q and error distribution κn 2 , if, for any n×n matrix S in Fq n, with any number of independent sample(s) from ΠS,κ n 2, it outputs S (with a high probability).
We call this problem matrix LWE problem (MLWE). For the case where we choose a small S, namely entries of S also follows the error distribution κn 2 , we call this problem a small MLWE problem (SMLWE). If we further impose the condition A to be symmetric, we call it a small symmetric MLWE problem (SSMLWE). If we choose the secret S randomly and independently from the set −z, . . . , 0, 1 . . . , z with z a fixed small positive integer, we call such a problem uniformly small MLWE problem (USMLWE). It is clear the MLWE problem is nothing but put n LWE problem together and sharing the same matrices. Therefore it is as hard as the corresponding LWE problem.
We can use different error distributions for S and e.
The mathematical principle behind our construction comes from the fact of associativity of matrices multiplications of three matrices A, B and C:
A×B×C=(A×B)×C=A×(B×C).
Such a product can be mathematically viewed as computing the bilinear paring of the row vectors of A with column vectors of C.
For two matrices A and B with small entries following certain error distributions, for example, with entries following some error distributions, instead of computing this product directly, we can first compute
AB+Ea,
then compute
(AB+EA)C or (AB+EA)C+EAC,
or we will compute
BC+EC,
then compute
A(BC+Ec) or (AB+EA)C+EBC,
where EA, EB, EAC, EBC are matrices with small entries following the same (or different) error distributions. Then we have two way to compute the product ABC with small errors or differences between these two matrices. We call such a computation pairing with errors. All our constructions depends on such a paring with errors and on the fact that the two different paring are close to each other if A and C are also small.
We can mathematically prove the theorem that an MLWE problem is as hard as the corresponding LWE problem with the same parameters. This provides the foundation of the provable security of our constructions
1.2 The Construction of the New KE Systems Based on Paring with Errors
Two parties Alice and Bob decide to do a key exchange (KE) over an open channel. This means that the communication of Alice and Bob are open to anyone including malicious attackers. To simplify the exposition, we will assume in this part all matrices involves are n×n matrices. But they do not have to be like this, and they can be matrices of any sizes except that we need to choose the compatible sizes such that the matrix multiplications performed are well defined.
Their key change protocol will go step by step as follows.
    • (1) Alice and Bob will first publicly select Fq, n and a n×n matrix M over Fq uniformly and randomly, where q is of size of a polynomial of n, for example q≈n3, and an error distribution κn 2 to be a distribution over n×n matrices over Fq, for example, a distribution that each component are independent and each component follow certain error distribution like the discrete error distribution κσ as in the case of LWE, namely a discrete normal distribution over Fq center around 0 with standard deviation approximately √{square root over (n)}. All the information above is public. They jointly and publicly choose a small (prime) integer t (t<<n).
    • (2) Then each party chooses its own secret Si (i=A, B) as a n×n matrix chosen according to the error distribution κn 2 , ei also as a n×n matrix following the error distribution. For Alice, she computes
      MA=MSA+teA,
      • where t is a small integer (t<<n).
        • For Bob, he computes
          MB=MtSB+teB.
    • (3) Both parties exchange Mi in the open communication channel. This means both Mi (i=A, B) are public, but keep Si and ei (i=A, B), secret.
    • (4) Alice computes:
      KA=St A×MB=St AMtSB+tSt AeB.
      • Bob computes:
        KB=Mt A×SB=St AMtSB+tet ASB.
    • (5) Both of them will perform a rounding technique to derive the shared key as follows:
      • (a) Bob will make a list T1 of all positions of the entries of KB such that these entries are in the range of [−(q−1)/4, (q−1)/4] and a list T2 of all positions which are not in the range of [−(q−1)/4, (q−1)/4]. Then Bob will send to Alice the list T1.
      • (b) Then each party will compute the residues of these entries modular t in T1, and for the entries not in T1, which is in T2, they will add (q−1)/2 to each entry and compute the residue modular q first (into the range of [−(q−1)/4, (q−1)/4]) then the residue modular t. That gives a shared key between these two users.
The reason that Alice and Bob can derive from KA and KB a shared secret to be the exchanged key via certain rounding techniques as in the case above is exactly that ei and Si are small, therefore KA and KB are close. We call this system a SMLWE key exchange protocol. We can derive the provable security of this more efficient system [Dili].
In term of both communication and computation efficiency, the new system is very good. The two parties need to exchange n2 entries in Fq, and each perform 2n2.8 computations (with Strassen fast matrix multiplication [STR]) to derive n2 bits if t=2.
Si and ei can follow different kind of error distributions.
We can prove the theorem that if we choose the same system parameters, namely n and q, the matrix SLWE key exchange protocol is provably secure if the error distribution is properly chosen [DiLi]. The proof relies on the mathematical hardness of the following pairing with error problem.
Assume that we are given
    • (1) an n×n matrix M, a prime integer q, a small positive integer t, and an error distribution κn and;
      M′A=MS′A+teA
      and
      M′B=MtS′B+teB,  (2)
      • where ei, a n×1 vector follows the error distribution κn and the entries of n×1 vectors also follows the same error distribution;
    • (3) and the fact that
      K′B=Mt A×S′B=(S′A)tMtS′B+t<eA,S′B>
      • is in the range of [−(q−1)/4, (q−1)/4] or not;
        the problem is to find an algorithm to derive
        K′A=(S′A)t×MB=(S′A)tMtS′B+t<S′A,eB>
        modular t if K′B is in the range of [−(q−1)/4, (q−1)/4], otherwise K′A+(q−1)/2 first modular q then modular t, with a high probability. We call such a problem a pairing with error problem (PEP).
The proof follows from the fact that the SMLWE problem is as hard as the SLWE problem, since the matrix version can be viewed as just assembling multiple SLWE samples into one matrix SLWE sample.
We note here that we can choose also rectangular matrix for the construction as long as we make sure the sizes are matching in terms of matrix multiplications, but parameters need to be chosen properly to ensure the security.
Similarly we can build a key exchange system based on the ring learning with errors problem (RLWE) [LPR], we will a variant of the RLWE problem described in [LNV].
For the RLWE problem, we consider the rings R=Z[x]/f(x), and Rq=R/qR, where f(x) is a degree n polynomial in Z[x], Z is the ring of integers, and q is a prime integer. Here q is an odd (prime) and elements in Zq=Fq=Z/q are represented by elements: −(q−1)/2, . . . , −1, 0, 1, . . . , (q−1)/2, which can be viewed as elements in 2 when we talk about norm of an element. Any element in Rq, is represented by a degree n polynomial, which can also be viewed as a vector with its corresponding coefficients as its entries. For an element
a(x)=a0+a1x+ . . . +an-1xn-1,
we define
∥a∥=max|ai|,
the lnorm of the vector (a0, a1, . . . , an-1) and we treat this vector as an element in Zn and ai an element in Z. We can also choose q to be even positive number and things need slight modification.
The RLWEf,q,χ problem is parameterized by an polynomial f(x) of degree n, a prime number q and an error distribution X over Rq. It is defined as follows.
Let the secret s be an element in Rq, a uniformly chosen random ring element. The problem is to find s, given any polynomial number of samples of the pair
(ai,bi=ai×s+ei),
where ai is uniformly random in Rq and ei is selected following certain error distribution X.
The hardness of such a problem is based on the fact that the bi are computationally indistinguishable from uniform in Rq. One can show [LPR] that solving the RLWEf,q,χ problem above is known to give us a quantum algorithm that solves short vector problems on ideal lattices with related parameters. We believe that the latter problem is exponentially hard.
We will here again use the facts in [ACPS], [LPR] that the RLWEf,q,χ problem is equivalent to a variant where the secret s is sampled from the error distribution X rather than being uniform in Rq and the error element ei are multiples of some small integer t.
To derive the provable security, we need consider the RLWE problem with specific choices of the parameters.
    • We choose f(x) to be the cyclotomic polynomial xn+1 for n=2u, a power of two;
    • The error distribution χ is the discrete Gaussian distribution DZ n for some n>>σ>ω(√{square root over (log n)})>1;
    • q=1 (mod 2n) and q a polynomial of n and q≈n3;
    • t a small prime and t<<n<<q.
      We can also use other parameters for practical applications.
There are two key facts in the RLWEf,q,χ setting defined above, which are needed for our key exchange system.
    • (1) The length of a vector drawn from a discrete Gaussian of with standard deviation a is bounded by σn, namely,
      Pr(∥X∥>σn)≤2−n+1,
      • for X chosen according to X.
    • (2) The multiplication in the ring Rq increases from the norms of the constituent elements in a reasonable scale, that is,
      ∥X×Y(mod f(x))∥≤n∥X∥∥Y∥,
      • for X, Y ϵ Rq and the norm is the lnorm defined above.
With the RLWEf,q,χ setting above, we are now ready to have two parties Alice and Bob to do a key exchange over an open channel. It goes step by step as follows.
    • (1) Alice and Bob will first publicly select all the parameters for the RLWEf,q,χ including q(≈n3 or similar polynomial functions of n), n, f(x) and χ. In addition, they will select a random element M over Rq uniformly. All the information above is public.
    • (2) Then each party chooses its own secret si as an element in Rq according to the error distribution χ, and ei independently also as an element following the error distribution χ, but jointly choose a small prime integer t (t<<n) For Alice, she computes
      MA=MsA+teA,
    • where t is a small integer (t<<n).
      • For Bob, he computes
        MB=MsB+teB.
    • (3) Both parties exchange Mi. This means both Mi are public, but certainly keep si and ei secret.
    • (4) Alice computes:
      KA=sA×MB=sAMsB+teBsA.
      • Bob computes:
        KB=MA×sB=sAMsB+teAsB.
    • (5) Both of them will perform a rounding technique to derive the shared key as follows:
      • (a) Bob will then make a list of size n, and this list consists of pairs in the form of (i, j), where i=0, . . . , n−1, and j=1 if the xi coefficient of KB is in the range of [−(q−1)/4, (q−1)/4], otherwise j=0.
      • (b) Then Bob will send this list to Alice. Then each will compute the residue of the corresponding entries modular t in the following way:
        • for an element of the list (i, j),
        • 1) if j=1, each will compute the i-th entry of KA and KB modular t respectively;
        • 2) if j=0, each will add (q−1)/2 to the i-th entry of KA and KB modular q back to range of [−(q−1)/4, (q−1)/4], then compute the residues modular t.
We can use different distributions for si and ei.
That will give a shared key between these two users. We call this system a RLWE key exchange system. We can deduce that there is a very low probability of failure of this key exchange system. We note here that the commutativity and the associativity of the ring Rq play a key role in this construction.
In terms of security analysis, we can show the provable security of the system following the hardness of the RLWEf,q,χ problem by using a similar PEP over the ring Rq [DiLi].
Assume that we are given
    • a random element M in Rq, prime integers t, q and the error distribution X with parameters selected as in the RLWEf,q,χ above;
    • MA=MsA+teA and MB=MsB+teB, where ei follows the error distribution X and si also follows the error distribution χ;
    • and the fact that (KB)i, the coefficients xi of KB=MA×sB=sAMsB+teAsB is in the range of [−(q−1)/4, (q−1)/4] or not;
      the problem is to find an algorithm to derive KB (or KA) modular t or KB+(q−1)/2 (or KA+(q−1)/2) modular q (into the range of [−(q−1)/4, (q−1)/4]) and then modular t with a high probability. We call such a problem a pairing with error problem over a ring (RPE).
It is nearly a parallel extension of the proof of the provable security of the case of SLWE key exchange system to the RLWE key exchange system. We conclude that the RLWE key exchange system is provable secure based on the hardness of the RLWEf,q,χ problem.
With the same parameters q and n, this system can be very efficient due to the possibility doing fast multiplication over the ring Rq using FFT type of algorithms.
1.3 The Construction of the New KD Systems Based on Paring with Errors
Over a large network, key distribution among the legitimate users is a critical problem. Often, in the key distribution systems, a difficult problem is how to construct a system, which is truly efficient and scalable. For example, in the case of the constructions of [BSHKVY], the system can be essentially understood as that the master key of a central server is a symmetric matrix M of size n×n and each user's identity can be seen as a row vector Hi of size n. The central server gives each user the secret Hi×M. Then two users can derive the shared key as Hi×M×Hj t. The symmetric property of M ensures that
Hi×M×Hj t=Hj t×M×Hi.
However, large number of users can collaborate to derive the master key. If one can collect enough (essentially n) Hi×M, which then can be used to find the master key M and therefore break the system.
We will build a truly scalable key distribution system using the pairing with error with a trusted central server, which can be viewed as a combination of the idea above and the idea of the LWE.
We work again over the finite field Fq, whose elements are represented by −(q−1)/2, . . . , 0, . . . , (q−1)/2. We choose q≈n3 or other similar polynomial function of n, we choose again κn 2 to be an error distribution over the space of n×n matrices, for example, an distribution each component are independent, and each component follows error distribution κσ, the discrete distribution as in the case of LWE, namely a discrete normal distribution over Fq centered around 0 with standard deviation approximately √{square root over (n)}. The choice of these parameters can be modified.
The key distribution system is set up step by step as follows.
    • (1) We have a central server, which will select a symmetric randomly chosen n×n matrix S, as a master key, whose entries are in Fq:
      S=St.
    • (2) For each user index as i, the central server gives it a (in general not symmetric) matrix At (as an ID) with small entries following error distribution κn 2 . The ID matrix of each user is public and it can also be generated with information that can identify the user like email address, name and etc.
    • (3) For each user, the central server distribute securely a secret:
      Ei=AiS+tei,
    • where ei is a matrix (not symmetric) selected following certain error distribution, such as κn 2 . This is kept private for each user.
To obtain a secret key shared between the user i and the user j, the user i computes
Ki=Ei×Aj t=AiSAj t+teiAj t;
and the user j computes
Kj=Ai×(Ej)t=AiStAj t+tAiej t=AiSAj t+tAiej t.
This is possible because the IDs are public. They then can use the following simple rounding method to derive a shared key between the two users.
    • When the user j wants to establish a shared key with the user i, the user j will collect all the entries (including their positions in the matrix) in Kj that are in the range of (−(q−1)/4, (q−1)/4), namely those entries which are closer to 0 than (q−1)/2. Then user j will send to the user i a list of the positions of the entries in the matrix (only the position not the values of the entries themselves) that are randomly selected from the collection, which is tagged by 0, and a list of entries not in the list tagged by 0. Then the user i will select the same entries in its own matrix Ei×Aj. Now they have a shared list of common entry positions, therefore the corresponding entries of the matrix. Then each user will compute the residue of these entries modular t tagged by 1 and compute the residue of the sum of each of these entries tagged by 0 with (q−1)/2 to build a new identical ordered list of values, which will be their shared secret key.
Because S symmetric, we have that
AiSAj t=AiStAj t,
therefore the user j derives
AiSAj t+tAiAiej t.
The difference between the results computed by the two users is:
Ei×At j−Ai×Et J=AiSAt j+teiAt j−(AiSAt j+tAiet j)
=teiAt j−tAiet j.
This difference is small since t is small and eiAj t and Aiej t are small, which is due to the fact that ei, ej, Ai and Aj are all small. This allows us to get a common key for i and j by certain rounding techniques and therefore build a key distribution system.
Since the error terms for both matrices, teiAj and tej tAi, are small, the corresponding selected entries with tag 1 in AiSAj (without the error terms) are essentially within the range of [(−(q−1)/4, (q−1)/4] or very close. Therefore the error terms will not push those selected terms in AiSAj over either (−(q−1)/2 or (q−1)/2), that is when added the error terms, those selected entries will not need any further modular q operation but just add them as integers, since each element is represented as an integer in the range of [(−(q−1)/2(q−1)/2)]. The same argument goes with entries tagged by 0. These ensures that the process give a shared key between these two users.
From the way matrices Ki, Kj are constructed, we know that each entry of Ki and Kj follows uniform distribution. Therefore we expect that each time the size of the first list selected by the user j from the matrix Kj should be around n2. Therefore this system can provide the shared secret with enough bits if we choose proper n.
Also we can build a version of this system with none symmetric matrices, in this case, the central serve needs to compute more matrices like AiS+e and Ai tS+e′. Then it is possible, we can do the same kind of key distribution. This system again is less efficient.
On the other hand, since the RLWE problem can be viewed as a specialized commutative version of matrix-based LWE since an element in the ring can be view as a homomorphism on the ring. We can use the RLWE to build a key distribution in the same way.
Now let us look at why this key distribution is scalable. Clearly each user will have a pair A, and Ei=AiS+tei, and many users together can get many pairs, then to find the secret master key S is to solve the corresponding MLWE problem, except that, in this case, we impose the symmetric condition on the secret S. It is not difficult to argue again that this problem is as hard as a LWE problem, since given a LWE problem, we can convert it also into such a MLWE problem with symmetric secret matrix. Therefore, it is easy to see that this system is indeed scalable.
In terms of the provable security of the system, the situation is similar to the work done in the paper [DiLi]. We can give a provable security argument along the same line.
As we said before, since RLWE can be viewed as a special case MLWE, we will use the RLWE to build a very simple key distribution system.
We will choose the ring Rq to be Fq[x]/xn+1. To ensure the provable security, we need to choose parameter properly n, q, properly, for example n=2k, q=1 mod(2n)[LPR]. For provable secure systems, we assume that we will follow the conventional assumptions on these parameters, and the assumption on the error distribution like χ in [LPR].
This construction is essentially based on the systems of above. We assume that we have a ring Rq with a properly defined learning with error problem on the ring Rq with error distribution X. The problem is defined as follows:
We are given a pair (A, E), where
E=A×S+te′,
A, S where e′ are elements in R, t is small integer, e′ is an error element following the distribution of χ, S is a fixed element and A is select randomly following uniform distribution, and the problem is to find the secret S.
With a central server, we can build a simple key distribution system as follows.
    • (1) The central server will also select a random element M in Rq following uniform distribution.
    • (2) For each user, the central server will assign an public ID as Ai, where Ai should be in the form of a chosen small element in Rq, namely following an error distribution like χ.
    • (3) Each member is given a secret key by the central server:
      Si=MAS+tee,
      • where ei follows an error distribution χ.
    • (4) If two user i and j wants to build a shared key, one user, say i can use the ID matrix of j, namely Ai, the its secret key to build a shared key with j by computing
      Ki=Aj×Si=AjMAi+tAjei,
      • and j can use its secret key to build a shared key with i by computing
        Kj=Ai×Sj=AjMAi+tAiej,
      • then derive the shared key with the rounding technique as follows:
        • (a) i will then make a list of size n, and this list consists of pairs in the form of (a, b), where a=0, . . . , n−1, and b=1 if the xa coefficient of Ki is in the range of [−(q−1)/4, (q−1)/4], otherwise b=0.
        • (b) i will send this list to j. Then each will compute the residue of the corresponding entries modular t in the following way:
          • for an element of the list (a, b),
          • 1) if b=1, each will compute the a-th entry of Ki and Kj modular t respectively;
          • 2) if b=0, each will add (q−1)/2 to the a-th entry of Ki and Kj modular q back to range of [−(q−1)/4, (q−1)/4], then compute the residues modular t.
Since Ai and ei are small elements in Rq, we have Ai×ei is also small. This ensures that we indeed have a shared secret key. This, therefore, gives an key-distribution system.
Here we use very much the fact that in a RLWE problem that the multiplication is commutative. The key feature of our construction is that it is simple and straight forward. The provable security of the system is also straightforward.
1.4 the Construction of the New IBE Systems Based on Paring with Errors
We will first build a new public key encryption based on MLWE. To build an encryption system, we choose similar parameter q≈n3 or n4 or similar polynomial functions of n, we choose again κn 2 to be an error distribution, for example the error distribution with each component are independent, and each component follow the same discrete distribution κσ as in the case of LWE, namely a discrete normal distribution over Fq center around 0 with standard deviation approximately √{square root over (n)}. Surely we can also select high dimensional Gaussian distribution, which should be very convenient for the purpose to provable security. We select this simple distribution to simplify the argument concerning the validity of the encryption system. We can surely choose other parameters.
With such a setting, we can build an encryption system as in the case of the MLWE problem as follows:
    • (1) We select an n×n matrix S, whose entries are small following an error distribution κn 2 , for example, each entries independently and randomly follows the distribution κσ.
    • (2) In the setting of the MLWE, we will derive one output pair (A, E), where
      E=A×S+e,
      or
      E=A×S+te,
      • and t is small, t<<n, and they form the public key of our encryption system. Here e follow certain error distributions, for example the distribution we use above.
    • (3) S is the private key of the cryptosystem.
    • (4) A message in is represented as n×n matrix with binary entries of 0, 1 or n×n matrix with entries in the range modular t, namely 0, 1 . . . , t−1.
    • (5) A sender chooses a n×n small matrix B similar to S namely following an error distribution κn 2 , for example, each entries independently and randomly follows the distribution κσ. Then the sender compute the encrypted message as:
      (D1,D2)=(B×A+e1,B×E+e2+m (q/2)),
      or
      ((D1,D2)=(B×A+te1,B×E+te2+m,
      • where e1 and e2 are error matrices selected independently following some error distribution like e.
    • (6) To decrypt, the legitimate, in the first case, computes
      D2−D1×S=(BE+e2+m(q/2)−(BA+e1)S)=eE+e2−e1S+m(q/2),
      • where everything is done in Fq, and we can check on each entry of the matrix, if it is near 0, we output 0, and if it is near (q−1)/2, we output 1, or we divide them by (q−1)/2 performed as a real number division and round them to 0 or 1 and the output will be the plaintext m; or in the second case, the legitimate user computes
        D2−D1×S=(BE+te2+m−(BA+te1)S)=,teE+te2−te1S+m,
      • then modular t. This will be the plaintext m.
A, B, ei can follow different error distributions.
With large n, the output can give us the right plaintext with as high probability as demanded. The reason we could decrypt with high probability comes from the following.
D2−D1×S=BE+e2+m(q/2)−(BA+e)S
=B×(A×S+e)+e2+m(q/2)−(BA+e1)×S
=B×e+e2−e1×S+m(q/2)
B×e+e2−e1×S can be viewed as a error terms, which is determined by the distribution of the following random variable. With proper choice of parameters, like in the case of KE or KD systems, the decryption process will surely return the right answer when n is large enough. The same argument goes with the second case.
One key point of this new method is that on average, we can do the encryption much faster in terms of per bit speed because we can use fast matrix multiplication [CW] to speed up the computation process.
We note here that since matrix multiplication is not commutative, when we multiply two elements, the order is very important, unlike the case of the RLWE related systems.
We can also use the same idea in the ring LWE (RLWE)[LPR] to do encryption, where all the elements are in the ring Rq, and we have
E=A×S+te,
t is small positive integer and the entries of S is also small following error distribution κn 2 . We encrypt a message as
(D1,D2)=(BA+te1,BE+te2+m).
Then we decrypt by computing
(BE+te2+m−B(AS+te1))(mod t).
This works because
D2−D1×S=BE+te2+m−(BA+t1e1)S
=B×(A×S+te)+te2+m−(BA+te1)×S
=tB×e+te2−te1×S+m
Since the error terms are small, by modular t, we certainly should get back the original plaintext.
For the MLWE problem, we surely need to choose the distribution accordingly when we need to obtain the provable security of the system.
There are several versions of identity-based encryption systems based on lattice related problems including the LWE problem [ABB], [ABVVW], [BKPW]. But they all look rather complicated. We can use the MLWE to build an identity-based encryption system.
With a central server, we can build a simple identity-based encryption system as follows.
    • (1) The central server will first select a secret n×n matrix S as the secret master key, where S is selected as a small element following certain error distribution κn 2 like error distributions like in KE and KD systems.
    • (2) The central server will also select a random element M following uniform distribution or similar distribution, but make sure that M has an inverse. If we could not find one first time, we will try again till we find one. We have a high probability of success to find such a M when q is large. Then the central serve will compute
      M1=MS+te,
      • where e is small following certain error distribution κn 2 .
    • (3) Then the central server will publicize M and M1 as the master public key.
    • (4) For each user, the central server will assign an public ID as Ai, where Ai is small following certain error distribution κn 2 , and it can be generated from information that can identify the user.
    • (5) Each member is given a secret key:
      Si=SAi+tM−1ei,
      • where ei's entries are small following the error distribution n. Surely this is the same as given
        MSi=MSAi+tei,
      • since M is public.
    • (6) Anyone can use the ID, namely Ai, and the master public key to build a new public key for the user with ID Ai, which is given as the pair (Ai, Bi), where
      Ai=M
      and
      Bi=M1Ai=MSAi+teAi,
      • and it is used as the public key to encrypt any message use the MLWE encryption system above.
        This gives an identity based encryption system.
S, Ai, ei, e can also follow different error distributions.
Since Ai and e are small, we have Ai×e is also small. W also have that
MSi−Bi=MSi−Bi
=M(SAi+tM−1ei)−MSAi+teAi
=MSAi+tMM−1ei)−MSAi+teAi
=tei−teAi,
Since e, Ai and ei are small, e−Aiei is also small and tei−tAiei is also small. Therefore Si is a solution to a MLWE problem with the pair (Ai, Bi) as the problem input. Therefore Si is indeed a secret key that could be used for decryption. Therefore the construction works. We need to choose parameters properly to ensure security.
The key feature of our construction is that it is simple and straight forward. The provable security of the system is also straightforward.
we can extend this construction using the RLWE problem. We will choose the ring R to be Fq[x]/xn+1. To ensure the provable security, we need to choose parameter properly n, q, properly, namely n=2k, q=1 mod(2n)[LPR]. But we can select other parameters for secure applications.
This construction is directly based on the encryption systems of the RLWE[LPR], namely, we assume that we have a ring R with a properly defined learning with error problem on the ring R. The problem is defined as follows: we are given a pair (A, E), where
E=A×S+te′,
A, S where e′ are elements in Rq, t is small integer, e′ is an error element following an error distribution X, S is a fixed element and A is select randomly following uniform distribution, and the problem is to find the secret S. We also know that one can build a public key encryption systems using the RLWE problem[LPR], where A, and E serve as the public key, and the secret S, which needs to be small, serves as the private key. We can use the fact that in a ring-LWE problem that the multiplication is commutative.
With a central server, we can build a simple identity-based encryption system as follows.
    • (1) The central server will first select a secret S in R as the secret master key, where S is a selected small element follow certain error distributions χ.
    • (2) The central server will also select a random element M in R following uniform distribution and make sure that M has an inverse. If we could not find one first time, we will try again till we find one. We have a high probability of success to find such a M when q is large. Then the central serve will computer
      M1−MS−te,
      • where e is small and follows error distribution χ.
    • (3) Then the central server will publicize M and M1 as the master public key.
    • (4) For each user, the central server will assign an public ID as Ai, where A, is a small element in Rq, and it follows error distribution χ.
    • (5) Each member is given a secret key:
      Si=SAi+tM−1ei,
      • where ei small element in R, and it follow certain error distribution X. Surely this is the same as given
        MSi=MSAi+tei,
      • since M is public.
    • (6) Anyone can use the ID, namely Ai, and the master public key to build a new public key for the user with ID Ai, which is given as the pair (Ai, Bi), where
      Ai=M
      and
      Bi=AiM1=AiMS+tAie=MSAi+tAie,
      • and it is used as the public key to encrypt any message.
        This gives an identity based encryption system.
The small elements like S, Ai, e, ei can follow different error distributions.
Since Ai and e are small elements in R, we have Ai×e is also small. We have that
SiAi−Bi=SiM−Bi
=M(SAi+iM−1ei)−MSAi+Aite
=MSAi+tMM−1ei)−MSAi+Aite
=te−tAiei,
which is due to the fact that this is a commutative ring. Since e, Ai and ei are small, e−Aiei is also small and te−tAiei is also small. Therefore Si is a solution to a ring LWE problem with the pair (Ai, Bi) as the problem input. Therefore Si is indeed a secret key that could be used for decryption.
We can build easily a hierarchical IBE system using similar procedure, where each user can server as a central server.
The key feature of our construction is that it is simple, straight forward and efficient. The provable security of the system is also straightforward.
In the all the systems above using pairing with errors over the ring, one may use polynomials in the form of
f(x)=Πfi(x)+g(x),
where each fi, g(x) is a extremely sparse matrix with very few terms, for example, 2 or 3 terms none-zero. Using this kind of polynomial can speed up the encryption and decryption computations.
LITERATURE CITED
  • [ABB] S. Agrawal, D. Boneh, X. Boyen: Efficient Lattice (H)IBE in the Standard Model. In proceedings of Eurocrypt 2010, Lecture Notes in Computer Science, Volume 6110, pp. 553-572, 2010.
  • [ABVVW] S. Agrawal, X. Boyen, V. Vaikuntanathan, P. Voulgaris, H. Wee: Fuzzy Identity Based Encryption from Lattices. IACR Cryptology ePrint Archive 2011: 414 (2011)
  • [ACPS] B. Applebaum, D. Cash, C. Peikert, A. Sahai; Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. Advances in Cryptology-CRYPTO 2009, Lecture Notes in Computer Science, Volume 5677 pp 595-618, 2009
  • [BKPW] M. Bellare, E. Kiltz, C. Peikert, B. Waters: Identity-Based (Lossy) Trapdoor Functions and Applications. In Proceedings of EUROCRYPT 2012, Lecture Notes in Computer Science, Volume 7237, pp 228-245 2012.
  • [BSHKVY] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, M. Yung: Perfectly-Secure Key Distribution for Dynamic Conferences. in Advances in Cryptology Crypto 92, Lecture Notes in Computer Science, Volume 740, pp 471-486, 1993
  • [BKW] A. Blum, A. Kalai, and H. Wasserman. Noise-tolerant learning, the parity problem, and the statistical query model. Journal of the ACM, 50(4), pp 506-19, 2003.
  • [COP] D. Coppersmith, Shmuel Winograd, Matrix multiplication via arithmetic progressions, Journal of Symbolic Computation—Special issue on computational algebraic complexity archive 9 (3), pp 251-280, 1990
  • [DiHe] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6), pp 644-54, 1976.
  • [DiLi] J. Ding, X. Lin, A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem, Cryptology ePrint Archive, Report 688, 2012
  • [LNV] K. Lauter, M. Naehrig, V. Vaikuntanathan, Can Homomorphic Encryption be Practical?, Cryptology ePrint Archive, Report 2011/405, 2011, http://eprint.iacr.org,
  • [LPR] V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings In Eurocrypt 2010
  • [REG] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in Proceedings of the 37th Annual ACM Symposium on Theory of Computing STOC05, ACM, pp 84-93, 2005
  • [SHA] A. Shamir, Identity-based cryptosystems and signature schemes, in Advances in CryptologyCrypto '84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, pp. 47-53, 1984
  • [SHO] P. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal of Computing 26, pp. 1484-1509, 1997.
  • [STR] V. Strassen, Gaussian Elimination is not Optimal, Numer. Math. 13, p. 354-356, 1969

Claims (72)

The invention claimed is:
1. Method for establishing a key exchange over an open channel between a first party A and a second party B, comprising:
(1) openly selecting, by Party A and Party B together, parameters, n, q and small whole number t, (t<<n), where q is an odd prime, and an error distribution κn 2 to be a distribution over n×n matrix over Fq, a n×n matrix M over Fq uniformly and randomly, where q is of size of a polynomial of n like n3, and elements of Fq are represented by integers in the range [−(q−1)/2, (q−1)/2)];
(2) choosing, by each of the parties privately, its own secret matrix Si (i=A, B) a n×n matrix chosen according to the error distribution κn 2 , and error matrix ei, (i=A, B) as a n×n matrix following the error distribution κn 2 ;
computing by a processor of the Party A

MA=MSA+teA,
where t is a small integer (t<<n);
computing by the Party B

MB=MtSB+teB,
(3) Both of the parties exchange Mi in the open communication channel;
(4) computing by the Party A:

KA=St A×MB=St AMtSB+tSt AeB;
computing by the Party B:

KB=Mt A×SB=St AMtSB+tet ASB;
(5) performing by both the Party A and the Party B a rounding technique to derive the shared key, comprising:
(a) making by the Party B a list T1 of all positions of the entries of KB such that these entries are in the range of [−(q−1)/4, (q−1)/4] and a list T2 of all positions which are not in the range of [−(q−1)/4, (q−1)/4], then sending by the Party B to the Party A the list T1,
(b) computing by each of the parties privately the residues of these entries modular t in T1, and for the entries not in T1, which is in T2, adding (q−1)/2 to each entry and computing the residue modular q first (into the range of [−(q−1)/4, (q−1)/4]) then the residue modular t, which gives a shared key between the two parties.
2. The method according to claim 1, wherein q is a polynomial function of degree 2 or higher, or a similar function, and κn 2 is the a distribution that each component are independent and each component follow certain error distribution like the discrete error distribution κσ, namely a discrete normal distribution over Fq center around 0 with standard deviation approximately √{square root over (n)}, or a similar distribution.
3. The method according to claim 1, wherein the matrices is rectangular as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
4. The method according to claim 1, wherein the matrices are replaced with elements of the ring Rq=Fq[x]/f(x) with f(x)=xn+1 and the parameters is adjusted accordingly.
5. The method according to claim 1, wherein the rounding technique is replaced with a similar technique.
6. The method according to claim 1, wherein the matrices are replaced with elements of the ring Rq=Fq[x]/f(x) with f(x)=xn+1, the parameters is adjusted accordingly, and the polynomial elements used are selected in the form of f(x)=Πfi(x)+g(x), where each fi, g(x) is a sparse matrix with very few terms terms none-zero.
7. Method, for a central server, building a key distribution (KD) system, comprising:
(1) selecting, by the central server, parameters select parameters, n, q and small whole number t, (t<<n), where q is an odd prime, q is of size of a polynomial of n like n3 and elements of Fq are represented by integers in the range [−(q−1)/2, (q−1)/2)], an error distribution κn 2 a distribution over n×n matrix over Fq; and selecting by the central server a symmetric randomly chosen n×n matrix S over Fq as a master key;
(2) giving, by the central server, to each user index as i, a general matrix Ai as an ID with small entries following error distribution κn 2 , where the ID matrix of each user is public and the central server have also a choice to generate the ID with information that can identify the user;
(3) distributing, by the central server, for each user securely a secret:

Ei=AiS+tei,
where ei is a matrix selected following error distribution κn 2 and this is kept private for each user;
obtaining a secret key shared between the User i and the User j comprising:
computing by a process of the User i:

Ki=Ei×Aj t=AiSAj t+teiAj t;
and computing by a processor of the User j

Kj=Ai×(Ej)t=AiStAj t+tAiej t=AiSAj t+tAiej t;
then the two users deriving a shared key between the two users using the following simple rounding method, comprising:
when the User j wants to establish a shared key with the user i, collecting by the user j all the entries (including their positions in the matrix) in Kj that are in the range of (−(q−1)/4, (q−1)/4), namely those entries which are closer to 0 than (q−1)/2; sending by the User j to the user i a list of the positions of the entries in the matrix (only the position not the values of the entries themselves) that are randomly selected from the collection, which is tagged by 0, and a list of entries not in the list tagged by 0; then selecting by the user i the same entries in its own matrix Ei×Aj, which gives them a shared list of common entry positions, therefore the corresponding entries of the matrix; then computing by each of the users the residue of the entries modular t lagged by 1 and compute the residue of the sum of each of the entries tagged by 0 with (q−1)/2, which build a new identical ordered list of values, their shared secret key.
8. The method according to claim 7, wherein q is a polynomial function of degree 2 or higher, or a similar function, κn 2 is the a distribution that each component are independent and each component follow certain error distribution like the discrete error distribution κσ, namely a discrete normal distribution over Fq center around 0 with standard deviation approximately √{square root over (n)} or a similar distribution.
9. The method according to claim 7, wherein the matrices are replaced with elements of the ring Rq=Fq[x]/f(x) with f(x)=xn+1 and the parameters is adjusted accordingly.
10. The method according to claim 7, wherein the procedure for two users i and j to derive a shared key is modified such that the roles of i and j and exchanged.
11. The method according to claim 7, wherein several central servers to work together to build a distributed KD system.
12. The method according to claim 7, wherein the matrices are replaced with elements of the ring Rq=Fq[x]/f(x) with f(x)=xn+1, the parameters is adjusted accordingly, and the polynomial elements used are selected in the form of f(x)=Πfi(x)+g(x), where each fi, g(x) is a sparse matrix with very few terms terms none-zero.
13. Method, for a central, building an identity-based encryption system, comprising:
(1) selecting by the central server parameters, n, q and small whole number t, (t<<n), where q is an odd prime, q is of size of a polynomial of n like n3 and elements of Fq are represented by integers in the range [−(q−1)/2, (q−1)/2)], and an error distribution κn 2 to be a distribution over n×n matrix over Fq; and selecting by the central server a secret n×n matrix S as the secret master key, where S is selected as a small element following certain error distribution κn 2 ;
(2) selecting by the central server a random element M following uniform distribution, but making sure that M has an inverse: when the central server could not find one first time, it tries again till it finds one; then computing by the central server

M1=MS+te,
where e is small following certain error distribution κn 2 ;
(3) then publicizing by the central server M and M1 as the master public key;
(4) assigning by the central server for each user indexed by i an public ID as Ai, where Ai is small following certain error distribution κn 2 , and the central server has can generate Ai from information that can identify the user i;
(5) processing by a processor and giving by the central server for each user, namely, the User i, a secret key:

Si=SAi+tM−1ei,
where ei's entries are small following the error distribution κ;
(6) then establishing by anyone using the ID, Ai, and the master public key, a new public key for the user with ID Ai, which is given as the pair (Ai, Bi), where

Ai=M

and

Bi=M1Ai=MSAi+teAi,
and using by anyone as the public key to encrypt any message use the MLWE encryption system.
14. The method according to claim 13, wherein q is a polynomial function of degree 2 or higher, or a similar function, κn 2 is the a distribution that each component are independent and each component follow certain error distribution like the discrete error distribution κσ, namely a discrete normal distribution over Fq center around 0 with standard deviation approximately √{square root over (n)} or a similar distribution.
15. The method according to claim 7, wherein the matrices is rectangular as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
16. The method according to claim 13, wherein the matrices are replaced with elements of the ring Rq=Fq[x]/f(x) with f(x)=xn+1 and the parameters is adjusted accordingly.
17. The method according to claim 13, wherein several central servers to work together to build a distributed IBE system.
18. The method according to claim 13, wherein the procedure is extended further to build a hierarchical IBE system, where each user servers as a lower level central server.
19. The method according to claim 13, wherein the matrices are replaced with elements of the ring Rq=Fq[x]/f(x) with f(x)=xn+1, the parameters is adjusted accordingly, and the polynomial elements used are selected in the form of f(x)=Πfi(x)+g(x), where each fi, g(x) is a sparse matrix with very few terms terms none-zero.
20. A method for establishing a shared key between two parties, Party A and Party B, over an open communication channel, comprising:
selecting, by Party A and Party B, a matrix row size r, a matrix column size c and a finite field F comprising a first prime number q of elements, wherein the first prime number q comprises a value approximately equal to a polynomial of the matrix row size or column size;
selecting, by Party A and Party B, an error distribution K over the finite field F;
generating, by Party A and Party B, a public matrix M comprising values of random elements of the finite field F in accordance with a uniform distribution, wherein a size of the public matrix M comprises the matrix row size r rows by the matrix column size c columns;
selecting, by Party A and Party B, a whole number t, wherein the whole number t is less than the matrix row size r or matrix column size c;
generating, at Party A, entries of a private matrix S comprising values of elements in the finite field F chosen according to the selected error distribution K, wherein a size of the private matrix S comprises the matrix column size c rows by a selected number Sc columns;
selecting, at Party A, entries of an error matrix e comprising values of elements in the finite field F chosen according to the selected error distribution K, wherein a size of the error matrix e comprises the matrix row size r rows by the selected number Sc columns;
determining, at Party A, a product matrix resulting from multiplying the public matrix M times the private matrix;
determining, at Party A, a scalar error matrix resulting from multiplying the whole number t times the error matrix e;
determining, at Party A, a first exchange matrix Ma resulting from adding the scalar error matrix to the product matrix;
sending the first exchange matrix Ma to Party B in exchange for a second exchange matrix Mb;
determining, at Party A, a key matrix Ka resulting from multiplying a transpose of the private matrix S times the second exchange matrix Mb; and
applying, at Party A, a rounding method to each entry of the key matrix Ka to generate the shared key.
21. The method of claim 20, wherein the error matrix e comprises values of elements in the finite field F chosen according to a second error distribution that is not the selected error distribution K.
22. The method of claim 20, wherein the rounding method comprises:
determining an interval matrix according to values of the entries of the key matrix Ka by:
determining a plurality of numbered intervals of elements of the finite field F;
determining, for each entry of the key matrix Ka, a numbered interval of the plurality of numbered intervals the value of the entry belongs to; and
assigning, for each entry of the key matrix Ka, each respective determined numbered interval to an entry of the interval matrix corresponding to the entry of the key matrix Ka; and
sending, to the networked computer, the interval matrix; and
applying each entry in the interval matrix to round each corresponding entry of the key matrix Ka to generate the shared key.
23. The method of claim 20, wherein the rounding method comprises:
determining a plurality of numbered intervals of elements of the finite field F;
receiving an interval matrix from the networked computer; and
applying each entry in the interval matrix to round each corresponding entry of the key matrix Ka to generate the shared key.
24. The method of claim 20, wherein the rounding method comprises, at Party A:
determining an interval matrix according to values of the entries of the key matrix Ka by:
determining a plurality of numbered intervals of elements of the finite field F;
determining, for each entry of the key matrix Ka, a numbered interval of the plurality of numbered intervals the value of the entry of the key matrix Ka belongs to; and
assigning, for each entry of the key matrix Ka, each respective determined numbered interval to an entry of the interval matrix corresponding to the entry of the key matrix Ka; and
for the entry of the key matrix Ka, if an interval value in the corresponding entry of the interval matrix does not correspond to a first numbered interval of the plurality of numbered intervals:
adding, to the value of the entry in the key matrix Ka, a fixed value V of elements of a numbered interval, of the plurality of numbered intervals, corresponding to the interval value to form a sum;
determining a first residue of the sum modulo the first prime number q; and
determining a second residue of the first residue modulo the whole number t;
for the entry of the key matrix Ka, if the corresponding value in the interval matrix does correspond to the first number of the interval numbers:
determining a second residue of the first residue modulo the whole number t.
25. The method of claim 24, wherein each numbered interval assigned to the interval matrix comprises a value of zero or one.
26. The method of claim 24, wherein the first numbered interval comprises an interval of approximately half of the elements of the finite field F.
27. The method of claim 24, wherein the first numbered interval comprises elements comprising values in the range [−(the first prime number q−1)/4, (the first prime number q−1)/4].
28. The method of claim 24, wherein the fixed value V comprises (the first prime number q−1)/2.
29. The method of claim 20, wherein the rounding method comprises:
determining a plurality of numbered intervals of elements of the finite field F;
receiving an interval matrix from the networked computer;
for the entry of the key matrix Ka, if an interval value in the corresponding entry of the interval matrix does not correspond to a first numbered interval of the plurality of numbered intervals:
adding, to the value of the entry in the key matrix Ka, a fixed value V of elements of a numbered interval, of the plurality of numbered intervals, corresponding to the interval value to form a sum;
determining a first residue of the sum modulo the first prime number q; and
determining a second residue of the first residue modulo the whole number t;
for the entry of the key matrix Ka, if the corresponding value in the interval matrix does correspond to the first number of the interval numbers:
determining a second residue of the first residue modulo the whole number t.
30. The method of claim 29, wherein each numbered interval assigned to the interval matrix comprises a value of zero or one.
31. The method of claim 29, wherein the first numbered interval comprises an interval of approximately half of the elements of the finite field F.
32. The method of claim 29, wherein the first numbered interval comprises elements comprising values in the range [−(the first prime number q−1)/4, (the first prime number q−1)/4].
33. The method of claim 29, wherein the fixed value V comprises (the first prime number q−1)/2.
34. The method of claim 20, wherein the first prime number q comprises a value approximately equal to a cube of the matrix row size r or the matrix column size c.
35. The method of claim 20, wherein the error distribution K comprises a discrete normal distribution over the finite field F having a standard deviation approximately equal to a square root of the matrix row size r or the matrix column size c.
36. The method of claim 20, wherein the error distribution K comprises a Gaussian distribution.
37. The method of claim 20, wherein the finite field F comprises elements with values comprising [−(the first prime number q−1)/2, (the first prime number q−1)2].
38. The method of claim 20, wherein the matrix row sizer equals the matrix column size c.
39. The method of claim 38, wherein each matrix comprises an element of a ring of the form Rq=Fq[x]/f(x), wherein f(x)=xr+1.
40. The method of claim 39, wherein polynomial elements are selected in the form of [IIfi(x)]+g(x), wherein g(x) and each fi(x) comprise a sparse polynomial with few non-zero terms.
41. The method of claim 20, wherein the first prime number q is a polynomial function of degree two or higher of the matrix row size r or the matrix column size c, and
wherein the error distribution K is a distribution such that each matrix entry is independent and each matrix entry follows a discrete normal distribution over the finite field F, centered around zero, with a standard deviation of approximately a square root of the matrix row sizer or the matrix column size c.
42. A method for establishing a shared key between two parties, Party A and Party B, over an open communication channel, comprising:
selecting, by Party A and Party B, a matrix row size r, a matrix column size c and a finite field F comprising a first prime number q of elements, wherein the first prime number q comprises a value approximately equal to a polynomial of the matrix row size or column size:
selecting, by Party A and Party B, an error distribution K over the finite field F;
generating, by Party A and Party B, a public matrix M comprising values of random elements of the finite field F in accordance with a uniform distribution, wherein a size of the public matrix M comprises the matrix row size r rows by the matrix column size c columns;
selecting, by Party A and Party B, a whole number t, wherein the whole number t is less than the matrix row size r or matrix column size c;
generating, at Party A, entries of a private matrix S comprising values of elements chosen according to the selected error distribution K, wherein a size of the private matrix S comprises the matrix row size r rows by a selected number Sc columns;
selecting, at Party A, entries of an error matrix e comprising values of elements chosen according to the selected error distribution K, wherein a size of the error matrix e comprises the matrix column size c rows by the selected number Sc columns;
determining, at Party A, a product matrix resulting from multiplying a transpose of the public matrix M times the private matrix S;
determining, at Party A, a scalar error matrix resulting from multiplying the whole number t times the error matrix e;
determining, at Party A, a first exchange matrix Ma resulting from adding the scalar error matrix to the product matrix;
sending the first exchange matrix Ma to Party B, in exchange for a second exchange matrix Mb;
determining, at Party A, a key matrix Ka resulting from multiplying the second exchange matrix Mb times the private matrix S;
applying, at Party A, a rounding method to each entry of the key matrix Ka to generate the shared key.
43. The method of claim 42, wherein the error matrix e comprises values of elements in the finite field F chosen according to a second error distribution that is not the selected error distribution K.
44. The method of claim 42, wherein the rounding method comprises:
determining an interval matrix according to values of the entries of the key matrix Ka by:
determining a plurality of numbered intervals of elements of the finite field F;
determining, for each entry of the key matrix Ka, a numbered interval of the plurality of numbered intervals the value of the entry belongs to; and
assigning, for each entry of the key matrix Ka, each respective determined numbered interval to an entry of the interval matrix corresponding to the entry of the key matrix Ka; and
sending, to the networked computer, the interval matrix; and
applying each entry in the interval matrix to round each corresponding entry of the key matrix Ka to generate the shared key.
45. The method of claim 42, wherein the rounding method comprises:
determining a plurality of numbered intervals of elements of the finite field F;
receiving an interval matrix from the networked computer; and
applying each entry in the interval matrix to round each corresponding entry of the key matrix Ka to generate the shared key.
46. The method of claim 42, wherein the rounding method comprises, at Party A:
determining an interval matrix according to values of the entries of the key matrix Ka by:
determining a plurality of numbered intervals of elements of the finite field F;
determining, for each entry of the key matrix Ka, a numbered interval of the plurality of numbered intervals the value of the entry of the key matrix Ka belongs to; and
assigning, for each entry of the key matrix Ka, each respective determined numbered interval to an entry of the interval matrix corresponding to the entry of the key matrix Ka; and
for the entry of the key matrix Ka, if an interval value in the corresponding entry of the interval matrix does not correspond to a first numbered interval of the plurality of numbered intervals:
adding, to the value of the entry in the key matrix Ka, a fixed value V of elements of a numbered interval, of the plurality of numbered intervals, corresponding to the interval value to form a sum;
determining a first residue of the sum modulo the first prime number q; and
determining a second residue of the first residue modulo the whole number t;
for the entry of the key matrix Ka, if the corresponding value in the interval matrix does correspond to the first number of the interval numbers:
determining a second residue of the first residue modulo the whole number t.
47. The method of claim 46, wherein each numbered interval assigned to the interval matrix comprises a value of zero or one.
48. The method of claim 46, wherein the first numbered interval comprises an interval of approximately half of the elements of the finite field F.
49. The method of claim 46, wherein the first numbered interval comprises elements comprising values in the range [−(the first prime number q−1)/4, (the first prime number q−1)/4].
50. The method of claim 46, wherein the fixed value V comprises (the first prime number q−1)/2.
51. The method of claim 42, wherein the rounding method comprises, at Party A:
determining a plurality of numbered intervals of elements of the finite field F;
receiving an interval matrix from the networked computer;
for the entry of the key matrix Ka, if an interval value in the corresponding entry of the interval matrix does not correspond to a first numbered interval of the plurality of numbered intervals:
adding, to the value of the entry in the key matrix Ka, a fixed value V of elements of a numbered interval, of the plurality of numbered intervals, corresponding to the interval value to form a sum;
determining a first residue of the sum modulo the first prime number q; and
determining a second residue of the first residue modulo the whole number t;
for the entry of the key matrix Ka, if the corresponding value in the interval matrix does correspond to the first number of the interval numbers:
determining a second residue of the first residue modulo the whole number t.
52. The method of claim 51, wherein each numbered interval assigned to the interval matrix comprises a value of zero or one.
53. The method of claim 51, wherein the first numbered interval comprises an interval of approximately half of the elements of the finite field F.
54. The method of claim 51, wherein the first numbered interval comprises elements comprising values in the range [−(the first prime number q−1)/4, (the first prime number q−1)/4].
55. The method of claim 51, wherein the fixed value V comprises (the first prime number q−1)/2.
56. The method of claim 42, wherein the first prime number q comprises a value approximately equal to a cube of the matrix row size r or the matrix column size c.
57. The method of claim 42, wherein the error distribution K comprises a discrete normal distribution over the finite field F having a standard deviation approximately equal to a square root of the matrix row size r or the matrix column size c.
58. The method of claim 42, wherein the error distribution K comprises a Gaussian distribution.
59. The method of claim 42, wherein the finite field F comprises elements with values comprising [−(the first prime number q−1)/2, (the first prime number q−1)/2].
60. The method of claim 42, wherein the matrix row sizer equals the matrix column size c.
61. The method of claim 60, wherein each matrix comprises an element of a ring of the form Rq=Fq[x]/f(x), wherein f(x)=xr+1.
62. The method of claim 61, wherein polynomial elements are selected in the form of [IIfi(x)]+g(x), wherein g(x) and each fi(x) comprise a sparse polynomial with few non-zero terms.
63. The method of claim 42, wherein the first prime number q is a polynomial function of degree two or higher of the matrix row size r or the matrix column size c, and
wherein the error distribution K is a distribution such that each matrix entry is independent and each matrix entry follows a discrete normal distribution over the finite field F, centered around zero, with a standard deviation of approximately a square root of the matrix row sizer or the matrix column size c.
64. A key distribution system for generating a shared key between users, comprising:
a central server in open communication with a plurality of users,
the central server comprising at least one processor, and a non-transitory computer-readable storage medium in operable communication with the processor, wherein the computer-readable storage medium comprising computer-executable instructions that, when executed, cause the at least one processor to:
select a matrix size n and a finite field F comprising a first prime number q of elements, and an error distribution K over the finite field F, wherein the first prime number q comprises a value approximately equal to a polynomial of the matrix size;
generate a master key matrix S comprising values of random elements of the finite field F in accordance with a uniform distribution, wherein the master key matrix S is selected to be a symmetric matrix and wherein a size of the master key matrix S comprises the matrix size n rows by the matrix size n columns;
select a whole number t, wherein the whole number t is less than the matrix size n;
generate a respective ID matrix for each of a plurality of users, wherein each respective ID matrix comprises values of elements in the finite field F chosen according to the selected error distribution K, wherein a size of the ID matrix comprises the matrix size n rows by the matrix size n columns;
generate a respective error matrix e for each of the plurality of users, wherein each respective error matrix e comprises values of elements in the finite field F chosen according to the selected error distribution K, wherein a size of the respective error matrix e comprises the matrix size n rows by the matrix size n columns;
determine a respective product matrix for each of the plurality of users resulting from multiplying the respective ID matrix by the master key matrix S;
determine a respective scalar error matrix for each of the plurality of users resulting from multiplying the whole number t times the respective error matrix e;
determine a respective exchange matrix E for each of the plurality of users resulting from adding the respective scalar error matrix to the respective product matrix;
send to each of the plurality of users the respective exchange matrix E, such that a User A and a User B of the plurality of users each generate the shared key based on the respective exchange matrices for each user.
65. The system of claim 64, wherein each matrix comprises an element of a ring of the form Rq=Fq[x]/f(x), wherein f(x)=xn+1.
66. The system of claim 65, wherein polynomial elements are selected in the form of [IIfi(x)]+g(x), wherein g(x) and each fi(x) comprise a sparse polynomial with few non-zero terms.
67. The system of claim 64, wherein the first prime number q is a polynomial function of degree two or higher of the matrix size n, and wherein the error distribution K is a distribution such that each matrix entry is independent and each matrix entry follows a discrete normal distribution over the finite field F, centered around zero, with a standard deviation of approximately a square root of the matrix size n.
68. The system of claim 64, wherein the error matrix e comprises values of elements in the finite field F chosen according to a second error distribution that is not the selected error distribution K.
69. The system of claim 64, wherein the first prime number q comprises a value approximately equal to a cube of the matrix size n.
70. The system of claim 64, wherein the error distribution K comprises a discrete normal distribution over the finite field F having a standard deviation approximately equal to a square root of the matrix size n.
71. The system of claim 64, wherein the error distribution K comprises a Gaussian distribution.
72. The system of claim 64, wherein the finite field F comprises elements with values comprising [−(the first prime number q−1)/2, (the first prime number q−1)/2].
US16/678,335 2012-04-12 2013-04-11 Cryptographic system using pairing with errors Active USRE48643E1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/678,335 USRE48643E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US201261623272P 2012-04-12 2012-04-12
PCT/CN2013/074053 WO2013152725A1 (en) 2012-04-12 2013-04-11 New cryptographic systems using pairing with errors
US16/678,335 USRE48643E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors
US14/491,992 US9246675B2 (en) 2012-04-12 2013-04-11 Cryptographic systems using pairing with errors
US201815881531A 2018-01-26 2018-01-26

Publications (1)

Publication Number Publication Date
USRE48643E1 true USRE48643E1 (en) 2021-07-13

Family

ID=49327117

Family Applications (4)

Application Number Title Priority Date Filing Date
US16/678,335 Active USRE48643E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors
US14/491,992 Ceased US9246675B2 (en) 2012-04-12 2013-04-11 Cryptographic systems using pairing with errors
US16/678,383 Active USRE48644E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors
US15/881,531 Active USRE47841E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors

Family Applications After (3)

Application Number Title Priority Date Filing Date
US14/491,992 Ceased US9246675B2 (en) 2012-04-12 2013-04-11 Cryptographic systems using pairing with errors
US16/678,383 Active USRE48644E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors
US15/881,531 Active USRE47841E1 (en) 2012-04-12 2013-04-11 Cryptographic system using pairing with errors

Country Status (6)

Country Link
US (4) USRE48643E1 (en)
EP (1) EP2837128B1 (en)
KR (1) KR102116877B1 (en)
CN (1) CN104396184B (en)
TW (1) TWI502947B (en)
WO (1) WO2013152725A1 (en)

Families Citing this family (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015184991A1 (en) * 2014-06-04 2015-12-10 Jintai Ding Improvements on cryptographic systems using pairing with errors
US9438422B2 (en) * 2014-06-26 2016-09-06 Intel Corporation Chaotic-based synchronization for secure network communications
WO2017041669A1 (en) * 2015-09-08 2017-03-16 Jintai Ding Password based key exchange from ring learning with er-rors
CN105281914B (en) * 2015-09-24 2018-11-02 西安电子科技大学 A kind of secret handshake method based on lattice password
AU2016353324B2 (en) * 2015-11-13 2022-03-03 Badge Inc. Public/private key biometric authentication system
KR101880517B1 (en) * 2016-11-10 2018-07-20 서울대학교산학협력단 Public Key Crypto-Method Based on LWE
CN107566121B (en) * 2016-11-18 2020-03-10 上海扈民区块链科技有限公司 Efficient secret consensus method
KR101905689B1 (en) * 2016-11-18 2018-12-05 서울대학교산학협력단 Calculating apparatus for encrypting message by public key and method thereof
US10133603B2 (en) 2017-02-14 2018-11-20 Bank Of America Corporation Computerized system for real-time resource transfer verification and tracking
CN106685663B (en) * 2017-02-15 2019-07-19 华中科技大学 The encryption method and circuit of error problem concerning study in a kind of annulus
EP3364596A1 (en) * 2017-02-15 2018-08-22 Koninklijke Philips N.V. Key exchange devices and method
US10454892B2 (en) 2017-02-21 2019-10-22 Bank Of America Corporation Determining security features for external quantum-level computing processing
US10447472B2 (en) * 2017-02-21 2019-10-15 Bank Of America Corporation Block computing for information silo
US10243976B2 (en) 2017-02-24 2019-03-26 Bank Of America Corporation Information securities resource propagation for attack prevention
US10489726B2 (en) 2017-02-27 2019-11-26 Bank Of America Corporation Lineage identification and tracking of resource inception, use, and current location
US10440051B2 (en) 2017-03-03 2019-10-08 Bank Of America Corporation Enhanced detection of polymorphic malicious content within an entity
US10284496B2 (en) 2017-03-03 2019-05-07 Bank Of America Corporation Computerized system for providing resource distribution channels based on predicting future resource distributions
US10270594B2 (en) 2017-03-06 2019-04-23 Bank Of America Corporation Enhanced polymorphic quantum enabled firewall
US10437991B2 (en) 2017-03-06 2019-10-08 Bank Of America Corporation Distractional variable identification for authentication of resource distribution
EP3373505A1 (en) * 2017-03-06 2018-09-12 Koninklijke Philips N.V. Device and method for sharing a matrix for use in a cryptographic protocol
US10412082B2 (en) 2017-03-09 2019-09-10 Bank Of America Corporation Multi-variable composition at channel for multi-faceted authentication
US11120356B2 (en) 2017-03-17 2021-09-14 Bank Of America Corporation Morphing federated model for real-time prevention of resource abuse
US10440052B2 (en) 2017-03-17 2019-10-08 Bank Of America Corporation Real-time linear identification of resource distribution breach
US11055776B2 (en) 2017-03-23 2021-07-06 Bank Of America Corporation Multi-disciplinary comprehensive real-time trading signal within a designated time frame
US10476854B2 (en) 2017-04-20 2019-11-12 Bank Of America Corporation Quantum key distribution logon widget
US10798086B2 (en) 2017-05-08 2020-10-06 Amazon Technologies, Inc. Implicit certificates using ring learning with errors
US10516543B2 (en) 2017-05-08 2019-12-24 Amazon Technologies, Inc. Communication protocol using implicit certificates
US10511591B2 (en) * 2017-05-08 2019-12-17 Amazon Technologies, Inc. Generation of shared secrets using pairwise implicit certificates
US10630655B2 (en) * 2017-05-18 2020-04-21 Robert Bosch Gmbh Post-quantum secure private stream aggregation
CN111492616A (en) * 2017-10-17 2020-08-04 皇家飞利浦有限公司 Configurable device for lattice-based cryptography
EP3474484A1 (en) * 2017-10-17 2019-04-24 Koninklijke Philips N.V. Cryptographic device with updatable shared matrix
WO2019111513A1 (en) * 2017-12-08 2019-06-13 ソニー株式会社 Information processing device, registration device, information processing method, registration method, and program
WO2019231392A1 (en) 2018-05-30 2019-12-05 华为国际有限公司 Key exchange system, method, and apparatus
CN108923907B (en) * 2018-06-20 2021-01-29 中国科学院重庆绿色智能技术研究院 Homomorphic inner product method based on modular fault-tolerant learning problem
EP3624391A1 (en) * 2018-09-12 2020-03-18 Koninklijke Philips N.V. Public/private key system with decreased encrypted message size
DE102018122278A1 (en) * 2018-09-12 2020-03-12 Infineon Technologies Ag Perform a cryptographic operation
CN109861821B (en) * 2019-02-26 2020-10-30 清华大学 Error coordination method for LWE public key password
US11310045B2 (en) 2019-05-09 2022-04-19 Google Llc Compression and oblivious expansion of RLWE ciphertexts
WO2020242614A1 (en) 2019-05-30 2020-12-03 Kim Bong Mann Quantum safe cryptography and advanced encryption and key exchange (aeke) method for symmetric key encryption/exchange
WO2021061833A1 (en) * 2019-09-26 2021-04-01 Visa International Service Association Lattice based signatures with uniform secrets
KR102418016B1 (en) * 2019-11-28 2022-07-07 서울대학교산학협력단 Identity-based encryption mtthod based on lattices
US11366897B1 (en) * 2020-01-17 2022-06-21 Wells Fargo Bank, N.A. Systems and methods for layered quantum computing detection
US11334667B1 (en) 2020-01-17 2022-05-17 Wells Fargo Bank, N.A. Systems and methods for disparate quantum computing threat detection
CN113541933B (en) * 2020-04-17 2023-07-25 赵运磊 Efficient compact encryption method based on grids
CN113541952B (en) * 2020-04-17 2023-07-25 赵运磊 Digital signature method based on lattice
US11637700B2 (en) 2020-08-14 2023-04-25 Samsung Electronics Co., Ltd. Method and apparatus with encryption based on error variance in homomorphic encryption

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6263437B1 (en) * 1998-02-19 2001-07-17 Openware Systems Inc Method and apparatus for conducting crypto-ignition processes between thin client devices and server devices over data networks
US20030081774A1 (en) 2001-10-26 2003-05-01 Paul Lin Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US20060034457A1 (en) * 2004-08-12 2006-02-16 Damgaard Ivan B Key derivation functions to enhance security
US20070271606A1 (en) * 2006-05-17 2007-11-22 Amann Keith R Apparatus and method for establishing a VPN tunnel between a wireless device and a LAN
US20080044028A1 (en) * 2006-07-25 2008-02-21 National Tsing Hua University Pair-wise key pre-distribution method for wireless sensor network
US20080046732A1 (en) 2006-08-15 2008-02-21 Motorola, Inc. Ad-hoc network key management
US20080069344A1 (en) * 2006-08-30 2008-03-20 Samsung Electronics Co., Ltd. Method and apparatus for key agreement between devices using polynomial ring
US20080112596A1 (en) * 2006-01-23 2008-05-15 Rhoads Geoffrey B Sensing Data From Physical Objects
US20090154711A1 (en) 2007-12-18 2009-06-18 Jho Namsu Multi-party key agreement method using bilinear map and system therefor
US20090204823A1 (en) * 2008-02-07 2009-08-13 Analog Devices, Inc. Method and apparatus for controlling system access during protected modes of operation
US20090208019A1 (en) * 2006-06-30 2009-08-20 Koninklijke Philips Electronics N.V. Method and apparatus for encrypting/decrypting data
US7603554B2 (en) * 2003-06-12 2009-10-13 Panasonic Corporation Encryption communication system
US20090327141A1 (en) * 2007-04-18 2009-12-31 Rabin Michael O Highly efficient secrecy-preserving proofs of correctness of computation
US20100077462A1 (en) * 2008-09-24 2010-03-25 Neustar, Inc. Secure domain name system
US8107397B1 (en) * 2006-06-05 2012-01-31 Purdue Research Foundation Protocol for secure and energy-efficient reprogramming of wireless multi-hop sensor networks
US20120166809A1 (en) 2010-12-28 2012-06-28 Authernative, Inc. System and method for cryptographic key exchange using matrices
US20120236968A1 (en) * 2011-03-17 2012-09-20 Georgia Tech Research Corporation Enhanced lattice reduction systems and methods
US8297510B1 (en) * 2011-06-30 2012-10-30 Vladimir Yakshtes Mathematical method of 2D barcode authentication and protection for embedded processing

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7590236B1 (en) 2004-06-04 2009-09-15 Voltage Security, Inc. Identity-based-encryption system
CN101099328B (en) * 2004-11-11 2011-05-18 塞尔蒂卡姆公司 Custom static Diffie-Hellman groups
CN1870499B (en) * 2005-01-11 2012-01-04 丁津泰 Method for generating multiple variable commom key password system
US7864952B2 (en) * 2006-06-28 2011-01-04 Voltage Security, Inc. Data processing systems with format-preserving encryption and decryption engines
TWI351207B (en) * 2007-10-29 2011-10-21 Inst Information Industry Key management system and method for wireless networks
TWI428002B (en) * 2010-06-29 2014-02-21 Univ Vanung Key exchange systems and methods for remote mutual identification

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6263437B1 (en) * 1998-02-19 2001-07-17 Openware Systems Inc Method and apparatus for conducting crypto-ignition processes between thin client devices and server devices over data networks
US20030081774A1 (en) 2001-10-26 2003-05-01 Paul Lin Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US7603554B2 (en) * 2003-06-12 2009-10-13 Panasonic Corporation Encryption communication system
US20060034457A1 (en) * 2004-08-12 2006-02-16 Damgaard Ivan B Key derivation functions to enhance security
US20080112596A1 (en) * 2006-01-23 2008-05-15 Rhoads Geoffrey B Sensing Data From Physical Objects
US20070271606A1 (en) * 2006-05-17 2007-11-22 Amann Keith R Apparatus and method for establishing a VPN tunnel between a wireless device and a LAN
US8107397B1 (en) * 2006-06-05 2012-01-31 Purdue Research Foundation Protocol for secure and energy-efficient reprogramming of wireless multi-hop sensor networks
US20090208019A1 (en) * 2006-06-30 2009-08-20 Koninklijke Philips Electronics N.V. Method and apparatus for encrypting/decrypting data
US20080044028A1 (en) * 2006-07-25 2008-02-21 National Tsing Hua University Pair-wise key pre-distribution method for wireless sensor network
US20080046732A1 (en) 2006-08-15 2008-02-21 Motorola, Inc. Ad-hoc network key management
US20080069344A1 (en) * 2006-08-30 2008-03-20 Samsung Electronics Co., Ltd. Method and apparatus for key agreement between devices using polynomial ring
US20090327141A1 (en) * 2007-04-18 2009-12-31 Rabin Michael O Highly efficient secrecy-preserving proofs of correctness of computation
US20090154711A1 (en) 2007-12-18 2009-06-18 Jho Namsu Multi-party key agreement method using bilinear map and system therefor
US20090204823A1 (en) * 2008-02-07 2009-08-13 Analog Devices, Inc. Method and apparatus for controlling system access during protected modes of operation
US20100077462A1 (en) * 2008-09-24 2010-03-25 Neustar, Inc. Secure domain name system
US20120166809A1 (en) 2010-12-28 2012-06-28 Authernative, Inc. System and method for cryptographic key exchange using matrices
US20120236968A1 (en) * 2011-03-17 2012-09-20 Georgia Tech Research Corporation Enhanced lattice reduction systems and methods
US8297510B1 (en) * 2011-06-30 2012-10-30 Vladimir Yakshtes Mathematical method of 2D barcode authentication and protection for embedded processing

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Damgard et al.; "A Quantum Cipher with Near Optimal Key-Recycling"; Dept. of Computer Science; University of Arhus; Sep. 2005; 17 pages.
Du et al., "A Pairwise Key Management Scheme Based on Hash Function for Wireless Sensor Networks", 2010 Second International Workshop on Education Technology and Computer Science. *
International Patent Application No. PCT/CN2013/074053; Int'l Written Opinion and Search Report; dated Jul. 18, 2013; 9 pages.
Vadim Lyubashevsky et al., "On Ideal Lattices and Learning with Errors Over Rings", Journal of the ACM, vol. 60, No. 6, Article 43, Publication date: Nov. 2013. *

Also Published As

Publication number Publication date
EP2837128A1 (en) 2015-02-18
TW201404106A (en) 2014-01-16
KR20150032928A (en) 2015-03-31
EP2837128A4 (en) 2015-04-08
US9246675B2 (en) 2016-01-26
KR102116877B1 (en) 2020-06-03
USRE47841E1 (en) 2020-02-04
WO2013152725A1 (en) 2013-10-17
USRE48644E1 (en) 2021-07-13
CN104396184A (en) 2015-03-04
EP2837128B1 (en) 2019-02-27
CN104396184B (en) 2017-12-01
US20150067336A1 (en) 2015-03-05
TWI502947B (en) 2015-10-01

Similar Documents

Publication Publication Date Title
USRE48643E1 (en) Cryptographic system using pairing with errors
WO2015184991A1 (en) Improvements on cryptographic systems using pairing with errors
Li et al. Indentity-based broadcast signcryption
Lv et al. Group key agreement for secure group communication in dynamic peer systems
WO2017041669A1 (en) Password based key exchange from ring learning with er-rors
Dutta et al. Overview of key agreement protocols
Hafizul Islam et al. Leakage-free and provably secure certificateless signcryption scheme using bilinear pairings
Kalyani et al. Survey on identity based and hierarchical identity based encryption schemes
Mikhail et al. Extension and application of El-Gamal encryption scheme
Wang et al. New identity-based key-encapsulation mechanism and its applications in cloud computing
Wang et al. Full secure identity-based encryption scheme over lattices for wireless sensor networks in the standard model
Kalyani et al. New Hierarchical Identity Based Encryption with maximum hierarchy.
Yi et al. ID-based key agreement for multimedia encryption
El-Yahyaoui et al. A Like ELGAMAL Cryptosystem But Resistant To Post-Quantum Attacks
Li et al. Chosen-ciphertext secure multi-use unidirectional attribute-based proxy re-encryptions
Dehkordi et al. Certificateless identification protocols from super singular elliptic curve
Han et al. Attribute-based data transfer with filtering scheme in cloud computing
Chen et al. A novel k-out-of-n oblivious transfer protocols based on bilinear pairings
Tso et al. An id-based non-interactive tripartite key agreement protocol with K-resilience.
Jizhong et al. Full secure identity-based encryption scheme over lattices in the standard model
Lv et al. ID-based authenticated group key agreement from bilinear maps
Maftei et al. A Note on IBE Performance of a Practical Application
Wang et al. An efficient construction of quantum attack resistant proxy re-encryption based on (Semi) group factorization problems
Tian et al. Security of a biometric identity-based encryption scheme
Sahu et al. A Novel Attribute based Encryption with implicit user authentication for Cloud

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 8