WO2015184991A1 - Improvements on cryptographic systems using pairing with errors - Google Patents
- Publication number
- WO2015184991A1 (PCT/CN2015/080697; CN 2015080697 W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- party
- key
- computes
- sig
- rlwe
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3093—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
Definitions
- This invention is related to the construction of cryptographic systems, in particular key exchange (KE) systems, key distribution (KD) systems, identity-based encryption (IBE) systems and authenticated key exchange (AKE) systems, all of which are based on essentially the same mathematical principle, pairing with errors.
- KE key exchange
- KD key distribution
- IBE identity-based-encryption
- Shamir proposed another kind of public key encryption system [SHA] .
- A person's or an entity's public key is generated with a public algorithm from information that identifies the person or the entity uniquely.
- The information may include the person's name, residential address, birthday, fingerprint information, e-mail address, social security number, etc. Since the public key is determined by public information that identifies the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
- A sender encrypts a message for a given receiver using the receiver's public key, which is based on the identity of the receiver.
- The receiver decrypts the message using the receiver's private key.
- The receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key to the legitimate user securely.
- An IBE system does not require the sender to search for the receiver's public key; rather, a sender in an IBE system derives any receiver's public key by running an algorithm on the information that identifies the receiver, for example an e-mail address, an ID number or other information.
- Current IBE systems are complicated and inefficient in terms of computation, since bilinear pairing over elliptic curves is very computationally intensive. Systems based on pairing over elliptic curves can also be broken efficiently with a quantum computer, as shown in the work of Shor [SHO]. There are also constructions based on lattices, but those are rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable to have secure and efficient IBE systems.
- The PWE invention contains a novel method for two parties A and B to perform a secure KE over an open communication channel. The method is based on computing the pairing of the same bilinear form in two different ways, each with different small errors.
- Each user secretly chooses a private matrix ($S_A$ and $S_B$, respectively) with small entries following certain error distributions, and a public matrix M is chosen at random. Each user then computes the product of its secret matrix with the public matrix, with small errors added; the users exchange the resulting matrices, and each computes the pairing of $S_A$ and $S_B$ over the same bilinear form based on M. The two computations differ only by small errors.
- This kind of mathematical computation is named pairing with errors.
- the shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg] .
- LWE learning with errors
- The security of this system depends on the hardness of certain lattice problems, which can be mathematically proven hard [DiLi]. The system involves only matrix multiplication and is therefore very efficient. Such a system can also resist future quantum computer attacks.
- The PWE invention contains a novel method to build a KD system with a central server or authority.
- The central server or authority assigns to each user i, as a public ID, a matrix $A_i$ with small entries, or establishes the ID of each user as a matrix $A_i$ with small entries following certain error distributions derived from information that identifies the user uniquely. In a secure way it gives each user a private key based on a certain multiplication of this ID matrix with the central server's secret master key M (another matrix), with small errors added.
- Any two users in the system compute the pairing of their two ID matrices with the same bilinear form based on the master key matrix M in two different ways, each with different small errors, and derive a shared key between them with a certain rounding technique.
- This method can be viewed as an extension of the idea of the learning with errors problem discovered by Regev in 2005 [Reg].
- The security of this system depends on the hardness of the problem related to pairing with errors. The system involves only matrix multiplication and is therefore very efficient.
- The PWE invention contains a novel method to build an IBE system with a central server or authority.
- The central server or authority assigns to each user i, as a public ID, a matrix $A_i$ with small entries following certain error distributions, or establishes the ID of each user as a matrix with small entries following certain error distributions derived from information that identifies the user uniquely.
- Each user is given by the central server or authority a private key $S_i$ based on a certain multiplication of this ID matrix with the central server's master private key S (another matrix), with errors related to one part of the master public key M (another matrix).
- The central server or authority establishes the other half of the master key as the multiplication of M and S with small errors, which we call $M_1$.
- Any user who wishes to send user i a message in the system computes the public key of i, which consists of M and a pairing of M and $A_i$ of the bilinear form based on the master secret key matrix S, then encrypts the message using the encryption system based on the MLWE problem; user i uses the secret key $S_i$ to decrypt the message.
- This method can be viewed as an extension of the idea of the learning with errors problem discovered by Regev in 2005.
- The security of this system depends on the hardness of certain lattice problems, which can be mathematically proven hard. The system involves only matrix multiplication and is therefore very efficient.
- The PWE invention uses the same mathematical principle of pairing with errors, which can be viewed as an extension of the idea of the LWE problem, to build secure and more efficient KE, KD and IBE systems.
- The rounding technique can cause a small bias in the distribution of the derived keys.
- That is, a bit of the shared key may have a slightly higher probability of being 0 than of being 1, or the other way around. This is a property which, though not necessarily bad in terms of security, we would like to avoid.
- A key construction is Authenticated Key Exchange (AKE), a class of KE protocols in which each party is able to verify the other's identity, so that an adversary cannot impersonate one party in the conversation.
- AKE Authenticated Key Exchange
- A key construction is the HMQV construction by Krawczyk, which is based entirely on the Diffie–Hellman KE [Kraw].
- This invention firstly contains a new robust (and randomized) extractor (RE) as a rounding technique that ensures the final keys have no bias, and therefore provides the highest security.
- The RE can be applied to the KE schemes and the KD schemes in the PWE invention. It is applicable in both the RLWE and LWE cases.
- This invention secondly contains a construction of AKE, which is a direct improvement of the PWE invention of Ding along the same lines as the HMQV construction over the Diffie–Hellman KE.
- This construction eliminates the man-in-the-middle attack with an authentication mechanism that does not use digital signatures, and therefore provides the highest security.
- RLWE ring learning with errors
- An LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution $\chi$ on the finite ring (field) $F_q$ with q elements. To simplify the exposition we take q to be an odd prime, but we can also work over any whole number, with slight modifications.
- Each element is represented by a member of the set $\{-(q-1)/2, \dots, 0, \dots, (q-1)/2\}$.
- By an error distribution we mean a distribution such that with high probability we select an element that is small. There are many such selections and the selection directly affects the security of the system. One should select a good error distribution to make sure the system works well and securely.
- Let $A_{S,\chi}$ on $F_q$ be the probability distribution obtained by selecting an element A uniformly at random, choosing $e \in F_q$ according to $\chi$, and outputting $(A, \langle A, S\rangle + e)$, where $+$ is the addition performed in $F_q$.
- An algorithm solves the LWE problem with modulus q and error distribution $\chi$ if, for any S, given an arbitrary number of independent samples from $A_{S,\chi}$, it outputs S (with high probability).
- We take q to be a specific polynomial function of n, that is, q is replaced by a polynomial function of n which we denote as q(n); $\chi$ to be a certain discrete version of the normal distribution centered around 0 with standard deviation $\sigma$, which we denote as $\chi_\sigma$; and elements of $F_q$ are represented by integers in the range $[-(q-1)/2, (q-1)/2]$.
- In matrix form, let the probability distribution be obtained by selecting an $n \times n$ matrix A whose entries are each chosen in $F_q$ uniformly and independently, choosing e as an $n \times 1$ vector over $F_q$ with entries chosen according to a certain error distribution $\chi_n$ (for example, each entry follows the error distribution $\chi$ independently), and outputting $(A, A \times S + e)$, where $+$ is the addition performed over $F_q$. An algorithm solves this LWE with modulus q and error distribution $\chi_n$ if, for any vector S, given any number of independent samples from the distribution, it outputs S (with high probability).
- Such a product can be mathematically viewed as computing the bilinear pairing of the row vectors of A with the column vectors of C.
- $E_A, E_B, E_{AC}, E_{BC}$ are matrices with small entries following the same (or different) error distributions. Then we have two ways to compute the product ABC with small errors, and the two resulting matrices differ only by a small amount. We call such a computation pairing with errors. All our constructions depend on such a pairing with errors and on the fact that the two different pairings are close to each other if A and C are also small.
- Alice and Bob first publicly select $F_q$, n and an $n \times n$ matrix M over $F_q$ uniformly at random, where q is of size polynomial in n, for example $q \approx n^3$, together with an error distribution over $n \times n$ matrices over $F_q$, for example a distribution in which each component is independent and follows a certain error distribution like the discrete error distribution $\chi_\sigma$ of the LWE case, namely a discrete normal distribution over $F_q$ centered around 0 with standard deviation $\sigma$. All the information above is public. They jointly and publicly choose a small (prime) integer t (t ≪ n).
- t is a small integer (t ≪ n).
- Alice computes $M_A = M S_A + t e_A$ and Bob computes $M_B = M^t S_B + t e_B$, where $S_A, S_B$ are the secret matrices and $e_A, e_B$ the error matrices.
- Bob applies, at random, either signal function $\sigma_0$ or $\sigma_1$ to each entry of $K_B$ and makes a list $T_1$ of the positions of the entries of $K_B$ whose signal value is 0 and a list $T_2$ of the positions whose signal value is 1. Bob then sends the list $T_1$ to Alice.
- Each party then computes the residues modulo t of the entries in $T_1$; for the entries not in $T_1$, that is, those in $T_2$, each party adds $(q-1)/2$ to the entry, reduces modulo q (into the range $[-(q-1)/4, (q-1)/4]$) and then takes the residue modulo t. That gives a shared key between the two users.
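The two-party KE above, the KD scheme with a central authority described earlier (two users pairing their ID matrices over the authority's master key), and the rounding bias discussed above, carried through in working code. This is an added example and not code from the patent. It assumes toy parameters (n = 8, q = 1009, t = 2), entries in {-1, 0, 1} in place of the discrete Gaussian $\chi_\sigma$, a symmetric master key M in the KD variant so that one private key per user suffices, and concrete intervals for the signal functions $\sigma_0$ and $\sigma_1$ (the centered interval $[-\lfloor q/4 \rfloor, \lfloor q/4 \rfloor]$ and that interval shifted by one), which the page does not give. The pairings $K_A$ and $K_B$ follow from the $M$ / $M^t$ form of the exchanged matrices.

```python
"""Pairing with errors in matrix (LWE) form with the randomized extractor.

Added illustration, not code from the patent. Assumed toy parameters: n = 8,
q = 1009 (odd prime), t = 2; 'small' entries drawn from {-1, 0, 1} in place
of the discrete Gaussian chi_sigma. The signal functions are assumed to be:
sigma_0(x) = 0 iff the centered x lies in [-floor(q/4), floor(q/4)], and
sigma_1 the same on that interval shifted right by one (the page does not
give the intervals).
"""
import random
from fractions import Fraction

N, Q, T = 8, 1009, 2

def centered(x, q=Q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    x %= q
    return x - q if x > (q - 1) // 2 else x

def sig(x, b, q=Q):
    """Signal function sigma_b, b in {0, 1} (assumed intervals, see above)."""
    m = q // 4
    return 0 if -m + b <= centered(x, q) <= m + b else 1

def extract(x, w, q=Q):
    """Rounding: if the signal w is 1 first add (q-1)/2 and reduce mod q,
    then take the residue modulo t = 2 of the centered representative."""
    return centered(x + w * (q - 1) // 2, q) % T

def matmul(A, B, q=Q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def noisy(P, E, q=Q):
    """P + t*E mod q: the 'multiplication with small errors' of the text."""
    return [[(p + T * e) % q for p, e in zip(rp, re)] for rp, re in zip(P, E)]

def small(rng, n=N):
    """Toy error matrix: entries -1, 0, 1 with probabilities 1/4, 1/2, 1/4."""
    return [[rng.choice((-1, 0, 0, 1)) for _ in range(n)] for _ in range(n)]

def reconcile(K_send, K_recv, rng, q=Q):
    """Randomized extractor. The side that sends the signal picks sigma_0 or
    sigma_1 independently per entry and publishes the signal bits (T1 = zeros,
    T2 = ones); both sides then round their own pairing with those bits.
    Also returns the largest |K_send - K_recv| entry (a small even integer)."""
    W = [[sig(v, rng.randrange(2), q) for v in row] for row in K_send]
    k_send = [extract(v, w, q) for rv, rw in zip(K_send, W) for v, w in zip(rv, rw)]
    k_recv = [extract(v, w, q) for rv, rw in zip(K_recv, W) for v, w in zip(rv, rw)]
    gap = max(abs(centered(a - b, q)) for ra, rb in zip(K_send, K_recv) for a, b in zip(ra, rb))
    return k_send, k_recv, gap

def key_exchange(seed=1):
    """Two-party KE. Alice sends M S_A + t e_A, Bob sends M^t S_B + t e_B; the
    pairing S_A^t M^t S_B is computed on each side with a different small error."""
    rng = random.Random(seed)
    M = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]   # public, uniform
    S_A, e_A, S_B, e_B = small(rng), small(rng), small(rng), small(rng)
    M_A = noisy(matmul(M, S_A), e_A)                 # Alice -> Bob
    M_B = noisy(matmul(transpose(M), S_B), e_B)      # Bob -> Alice
    K_A = matmul(transpose(S_A), M_B)                # S_A^t M^t S_B + t S_A^t e_B
    K_B = matmul(transpose(M_A), S_B)                # S_A^t M^t S_B + t e_A^t S_B
    k_B, k_A, gap = reconcile(K_B, K_A, rng)         # Bob publishes the signal bits
    return k_A, k_B, gap

def key_distribution(seed=2):
    """KD with a central authority holding a master secret M (assumed symmetric,
    so one private key per user suffices). User i has a public small ID matrix
    A_i and receives S_i = M A_i + t E_i over a secure channel; users i and j
    then pair A_i^t M A_j in two ways without contacting the authority."""
    rng = random.Random(seed)
    U = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    M = [[(U[r][c] + U[c][r]) % Q for c in range(N)] for r in range(N)]   # symmetric
    A_i, A_j, E_i, E_j = small(rng), small(rng), small(rng), small(rng)
    S_i, S_j = noisy(matmul(M, A_i), E_i), noisy(matmul(M, A_j), E_j)
    K_i = matmul(transpose(S_i), A_j)   # A_i^t M A_j + t E_i^t A_j   (uses M^t = M)
    K_j = matmul(transpose(A_i), S_j)   # A_i^t M A_j + t A_i^t E_j
    k_i, k_j, gap = reconcile(K_i, K_j, rng)   # user i publishes the signal bits
    return k_i, k_j, gap

def extractor_bias(q=Q):
    """Exact P(key bit = 0) for a uniform element of F_q: sigma_0 alone versus
    the randomized choice between sigma_0 and sigma_1."""
    zeros = [sum(extract(v, sig(v, b, q), q) == 0 for v in range(q)) for b in (0, 1)]
    return Fraction(zeros[0], q), Fraction(zeros[0] + zeros[1], 2 * q)
```

Reconciliation works because $K_A - K_B = t\,(S_A^t e_B - e_A^t S_B)$ is a small even integer in every entry: the published signal bit only tells the other side whether a wrap around q has to be undone before the parity is taken. `extractor_bias` counts, over all of $F_q$, how often the rounded bit is 0: with $\sigma_0$ alone the count is $(q \pm 1)/2$ out of q (505 out of 1009 here, a bias of $1/(2q)$ per bit), while averaging over the random choice of $\sigma_0$ or $\sigma_1$ gives exactly q out of 2q, which is the bias-free property claimed for the RE. The same helpers serve the KD variant, where the authority never takes part in the pairwise derivation.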
- f(x) is a polynomial of degree n over the ring of integers.
- q is a prime integer.
- Elements are represented by $-(q-1)/2, \dots, -1, 0, 1, \dots, (q-1)/2$, which can be viewed as integers when we talk about the norm of an element.
- Any element is represented by a polynomial of degree n-1, which can also be viewed as a vector with its coefficients as entries.
- $a(x) = a_0 + a_1 x + \dots + a_{n-1} x^{n-1}$,
- The RLWE$_{f,q,\chi}$ problem is parameterized by a polynomial f(x) of degree n, a prime number q and an error distribution $\chi$. It is defined as follows.
- The error distribution $\chi$ is the discrete Gaussian distribution for some standard deviation $\sigma$.
- Alice and Bob first publicly select all the parameters for the RLWE$_{f,q,\chi}$ problem, including q ($\approx n^3$ or a similar polynomial function of n), n, f(x) and $\chi$. In addition, they select a random element M over $R_q$ uniformly. All the information above is public.
- Each party chooses its own secret $s_i$ as an element of $R_q$ according to the error distribution $\chi$, and $e_i$ independently, also as an element following the error distribution $\chi$; they jointly choose a small prime integer t (t ≪ n).
- Alice computes $M_A = M s_A + t e_A$ and Bob computes $M_B = M s_B + t e_B$.
- Let n be a power of 2, with R and the finite ring (or field) $R_q$ defined analogously to the RLWE setting above.
- For $y(x)$ in R (or $R_q$) we identify y with its coefficient vector.
- The discrete Gaussian distribution is defined as the distribution of the rounding of Y, where Y is distributed according to a Gaussian distribution with standard deviation $\sigma$ centered on c.
- The spherical discrete Gaussian distribution is defined as the distribution in which the i-th coordinate is distributed according to the one-dimensional discrete Gaussian. If the center c is zero, we denote the distribution as $\chi_\sigma$.
- $x \leftarrow_r \chi_\sigma$ means we sample the vector x from the distribution $\chi_\sigma$; for an element $y \in R$, by $y \leftarrow_r \chi_\sigma$ we mean that we sample an element of R whose coefficient vector is distributed according to $\chi_\sigma$.
- The AKE can be described as follows:
- Let n be a power of 2.
- Let $H_2 : \{0,1\}^* \to \{0,1\}^k$ be the key derivation function, where k is the bit-length of the final shared key.
- Let $\chi_\alpha, \chi_\beta$ be two discrete Gaussian distributions with parameters $\alpha, \beta$. There are two parties in our AKE: party i and party j.
- The quantities c and d are the same as those computed by party j.
- The distribution of the public keys can be done by a central party such as a public key infrastructure, or each user can generate its own key in such a way that others can authenticate it by a digital signature or a similar mechanism.
- The multiplier 2 on the error terms can be replaced by a small integer t.
- The error terms $g_i$ can be removed or replaced by terms with other error distributions.
- The procedure for two users i and j to derive a shared key can be modified such that the roles of i and j are exchanged.
- The rounding technique used in deriving the shared key can be replaced by a similar method with a similar signal function.
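The four AKE steps (setup, initiation, response, finish) run end to end, using party j's randomized choice of signal function in place of a fixed Sig, and with the same ring arithmetic that the RLWE key exchange above relies on. This is an added example, not the patent's own code. Assumed: n = 16, q = 12289 (a prime with q ≡ 1 mod 2n), t = 2, the public ring element a chosen uniformly in $R_q$, coefficients in {-1, 0, 1} standing in for $\chi_\alpha$, $\chi_\beta$ and $\chi_\gamma$, SHA-256-based stand-ins for $H_1$ and $H_2$, and signal-function intervals of $[-\lfloor q/4 \rfloor, \lfloor q/4 \rfloor]$ for $\sigma_0$ and that interval shifted by one for $\sigma_1$ (the page gives none of these). The `impersonator` switch shows what the static keys buy: a party that produced $x_i$ itself but lacks the static secret $s_i$ does not reach party j's session key.

```python
"""RLWE authenticated key exchange (setup, initiation, response, finish) with
the randomized signal of the RE variant.

Added illustration, not the patent's code. Assumed: n = 16, q = 12289 (prime,
q = 1 mod 2n), t = 2; the public ring element a is uniform in R_q; 'small'
polynomials have coefficients in {-1, 0, 1} in place of chi_alpha, chi_beta
and chi_gamma; H1 and H2 are SHA-256 stand-ins; sigma_0 is 0 on the centered
interval [-floor(q/4), floor(q/4)] and sigma_1 on that interval shifted by one.
"""
import hashlib
import random

N, Q, T = 16, 12289, 2

def centered(x):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    x %= Q
    return x - Q if x > (Q - 1) // 2 else x

def sig(x, b):
    """Signal function sigma_b on one coefficient (assumed intervals)."""
    m = Q // 4
    return 0 if -m + b <= centered(x) <= m + b else 1

def mod2(x, w):
    """Mod2(k, w): shift by (q-1)/2 where the signal is 1, then take the parity."""
    return centered(x + w * (Q - 1) // 2) % T

def mul(a, b):
    """Product in R_q = Z_q[x] / (x^n + 1) (schoolbook, using x^n = -1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [c % Q for c in out]

def add(*polys):
    return [sum(cs) % Q for cs in zip(*polys)]

def times_t(a):
    return [(T * c) % Q for c in a]

def small(rng):
    """Coefficients -1, 0, 1 with probabilities 1/4, 1/2, 1/4 (toy error)."""
    return [rng.choice((-1, 0, 0, 1)) for _ in range(N)]

def enc(*items):
    """Byte encoding of identities, polynomials and bit lists for hashing."""
    return b"|".join(i if isinstance(i, bytes) else repr(i).encode() for i in items)

def H1(*items):
    """Hash the transcript to a small polynomial (stand-in for sampling
    chi_gamma from a SHA-2 output, as the setup step describes)."""
    digest = hashlib.sha256(enc(*items)).digest()
    return [(byte % 3) - 1 for byte in digest[:N]]

def H2(*items):
    """Key derivation function; the session key as a hex string."""
    return hashlib.sha256(enc(*items)).hexdigest()

def static_keypair(a, rng):
    """Static key pair: secret s, public p = a s + 2 e, with s and e small."""
    s, e = small(rng), small(rng)
    return s, add(mul(a, s), times_t(e))

def ake(seed=1, impersonator=False):
    """One session; returns (sk_i, sk_j). With impersonator=True the party that
    finishes does not know the static secret s_i and uses a guess instead."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    s_i, p_i = static_keypair(a, rng)
    s_j, p_j = static_keypair(a, rng)
    # Initiation (party i): x_i = a r_i + 2 f_i
    r_i, f_i, g_i = small(rng), small(rng), small(rng)
    x_i = add(mul(a, r_i), times_t(f_i))
    # Response (party j): y_j = a r_j + 2 f_j, then c, d, k_j, signal, session key
    r_j, f_j, g_j = small(rng), small(rng), small(rng)
    y_j = add(mul(a, r_j), times_t(f_j))
    c, d = H1(b"i", b"j", x_i), H1(b"j", b"i", y_j, x_i)
    k_j = add(mul(add(mul(p_i, c), x_i), add(mul(s_j, d), r_j)), times_t(g_j))
    w_j = [sig(v, rng.randrange(2)) for v in k_j]      # randomized sigma_0 / sigma_1
    sigma_j = [mod2(v, w) for v, w in zip(k_j, w_j)]
    sk_j = H2(b"i", b"j", x_i, y_j, w_j, sigma_j)
    # Finish (party i) on receiving (y_j, w_j): recomputes the same c and d
    c2, d2 = H1(b"i", b"j", x_i), H1(b"j", b"i", y_j, x_i)
    s_use = small(rng) if impersonator else s_i
    k_i = add(mul(add(mul(p_j, d2), y_j), add(mul(s_use, c2), r_i)), times_t(g_i))
    sigma_i = [mod2(v, w) for v, w in zip(k_i, w_j)]
    sk_i = H2(b"i", b"j", x_i, y_j, w_j, sigma_i)
    return sk_i, sk_j
```

Both sides hold $a(s_i c + r_i)(s_j d + r_j)$ plus twice a small ring element, so their $k$ values differ by a small even polynomial and the signal bits $w_j$ reconcile them coefficient by coefficient. Binding $c$ and $d$ to the identities and to $x_i$, $y_j$ through $H_1$ is what ties the session to the static keys: without $s_i$ the finishing party's $k_i$ is off by a term $a(s' - s_i)c(\cdot)$ that is not small, so its extracted bits, and therefore its $H_2$ output, disagree with party j's.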
Claims (18)
- Claim 1. Method for an improved key exchange based on LWE over an open channel between a first party A and a second party B using a RE rounding technique, comprising:
  (1) openly selecting, by Party A and Party B together, parameters n, q and a small whole number t (t ≪ n), where q is an odd prime of size polynomial in n, such as $n^3$, and the elements of $F_q$ are represented by integers in the range $[-(q-1)/2, (q-1)/2]$; an error distribution $\chi$ over $n \times n$ matrices over $F_q$; and an $n \times n$ matrix M over $F_q$ chosen uniformly at random;
  (2) choosing, by each party privately, its own secret matrix $S_i$ (i = A, B), an $n \times n$ matrix chosen according to the error distribution $\chi$, and an error matrix $e_i$ (i = A, B), an $n \times n$ matrix following the error distribution $\chi$; computing, by Party A, $M_A = M S_A + t e_A$, where t = 2 is a small integer (t ≪ n), and computing, by Party B, $M_B = M^t S_B + t e_B$;
  (3) exchanging, by both parties, $M_i$ over the open communication channel;
  (4) computing, by Party A, the pairing $K_A$ from $S_A$ and $M_B$, and computing, by Party B, the pairing $K_B$ from $M_A$ and $S_B$;
  (5) performing, by both Party A and Party B, a RE rounding technique to derive the shared key, comprising: (a) Bob applies at random either signal function $\sigma_0$ or $\sigma_1$ to each entry of $K_B$ and makes a list $T_1$ of all positions of the entries of $K_B$ whose signal value is 0 and a list $T_2$ of those whose signal value is 1, where $\sigma_0(x)$ and $\sigma_1(x)$ are signal functions from $F_q$ to {0, 1}; then Bob sends the list $T_1$ to Alice; (b) each party then computes the residues modulo t = 2 of the entries in $T_1$, and for the entries not in $T_1$, which are in $T_2$, adds $(q-1)/2$ to each entry, computes the residue modulo q first and then the residue modulo t; that gives a shared key between the two users.
- Claim 2. Method for two parties Alice and Bob to perform an improved key exchange based on RLWE with the RE rounding technique, comprising:
  (1) Alice and Bob first publicly select all the parameters for the RLWE$_{f,q,\chi}$ problem as defined in the description, including q ($\approx n^3$ or a similar polynomial function of n), n, f(x) and $\chi$; in addition they select a random element M over $R_q$ uniformly; all the information above is public;
  (2) each party then chooses its own secret $s_i$ as an element of $R_q$ according to the error distribution $\chi$, and $e_i$ independently, also as an element following the error distribution $\chi$, and they jointly choose a small prime integer t = 2 (t ≪ n); Alice computes $M_A = M s_A + t e_A$, where t is a small integer (t ≪ n), and Bob computes $M_B = M s_B + t e_B$;
  (3) both parties exchange $M_i$; this means both $M_i$ are public, but $s_i$ and $e_i$ are certainly kept secret;
  (4) Alice computes $K_A = s_A \times M_B = s_A M s_B + t e_B s_A$ and Bob computes $K_B = M_A \times s_B = s_A M s_B + t e_A s_B$;
  (5) both of them perform the RE rounding technique to derive the shared key as follows: (a) Bob makes a list of size n consisting of pairs of the form (i, j), where i = 0, ..., n-1 and $j = \sigma_b(a_i)$, where $a_i$ is the $x^i$ coefficient of $K_B$, b is randomly chosen to be 0 or 1, and $\sigma_0$ and $\sigma_1$ are as defined in Claim 1; (b) Bob then sends this list to Alice, and each party computes the residue of the corresponding entries modulo t in the following way: for an element (i, j) of the list, 1) if j = 0, each computes the i-th entry of $K_A$ and $K_B$ respectively modulo t = 2; 2) if j = 1, each adds $(q-1)/2$ to the i-th entry of $K_A$ and $K_B$, reduces modulo q back to the range $[-(q-1)/4, (q-1)/4]$, and then computes the residue modulo t.
- Claim 3. Method for an authenticated key exchange between party i and party j based on RLWE, comprising:
  Setup Step: both parties choose n to be a power of 2 and $q = 2^{\omega(\log n)}$ an odd prime such that q mod 2n = 1. Select $H_1$ to be a hash function with output distribution $\chi_\gamma$ (for example, one can take a function such as SHA-2 to obtain a uniformly random string, and then use that to sample from $\chi_\gamma$). Select $H_2 : \{0,1\}^* \to \{0,1\}^k$ to be the key derivation function, where k is the bit-length of the final shared key. Select $\chi_\alpha, \chi_\beta$ to be two discrete Gaussian distributions with parameters $\alpha, \beta$. Party i selects $p_i = a s_i + 2 e_i \in R_q$ as party i's static public key, where $s_i$ is the corresponding static secret key; both $s_i$ and $e_i$ are taken from the distribution $\chi_\alpha$. Party j has static public key $p_j = a s_j + 2 e_j$ and static secret key $s_j$.
  Initiation Step: party i randomly samples $r_i, f_i, g_i \leftarrow_r \chi_\beta$ and computes $x_i = a r_i + 2 f_i$, which it sends to party j.
  Response Step: party j receives $x_i$ from party i, randomly samples $r_j, f_j, g_j \leftarrow_r \chi_\beta$ and computes $y_j = a r_j + 2 f_j$, similar to $x_i$. Party j also computes $c = H_1(i, j, x_i)$, $d = H_1(j, i, y_j, x_i)$ and $k_j = (p_i c + x_i)(s_j d + r_j) + 2 g_j$ using $x_i$. Note that c and d are both distributed according to $\chi_\gamma$. Next, party j computes $w_j = \mathrm{Sig}(k_j) \in \{0,1\}^n$ and sends the pair $(y_j, w_j)$ to party i. Lastly, party j computes $\sigma_j = \mathrm{Mod}_2(k_j, w_j)$ and derives the session key $sk_j = H_2(i, j, x_i, y_j, w_j, \sigma_j)$. Here Sig is the characteristic function over the polynomial ring, obtained by applying the signal function to each coefficient.
  Finish Step: party i receives the pair $(y_j, w_j)$ and uses it to compute $c = H_1(i, j, x_i)$, $d = H_1(j, i, y_j, x_i)$ and $k_i = (p_j d + y_j)(s_i c + r_i) + 2 g_i$. The quantities c and d are the same as those computed by party j. Finally, party i computes $\sigma_i = \mathrm{Mod}_2(k_i, w_j)$ and derives the session key $sk_i = H_2(i, j, x_i, y_j, w_j, \sigma_i)$.
- Claim 4. The method according to Claim 1, wherein t can be a small integer different from 2 and the RE is modified accordingly, using several $\sigma_i$, i = 0, ..., t-1, and randomly applying them.
- Claim 5. The method according to Claim 2, wherein t can be a small integer different from 2 and the RE is modified accordingly, using several $\sigma_i$, i = 0, ..., t-1, and randomly applying them.
- Claim 6. The method for a new KD obtained by applying the RE rounding technique to the KD in the original PWE invention, in U.S. provisional patent application Ser. No. 61623272, entitled "New methods for secure communications and secure information systems", filed April 12, 2012, and the PCT application with the same title, PCT number PCT/CN2013/074053, filed on April 11, 2013.
- Claim 7. The method according to Claim 3, wherein the RE rounding technique is applied to the AKE by replacing the Sig function with the random selection of $\sigma_0$ and $\sigma_1$ as defined in Claim 1.
- Claim 8. The method according to Claim 3, wherein t can be a small integer different from 2.
- Claim 9. The method according to Claim 3, wherein t can be a small integer different from 2 and the RE is modified accordingly, using several $\sigma_i$, i = 0, ..., t-1, and randomly applying them.
- Claim 10. The method according to Claim 3, wherein LWE is used instead of RLWE, and/or a small integer t other than 2 is used.
- Claim 11. The method according to Claim 3, wherein LWE is used instead of RLWE, t can be a small integer different from 2, and the RE is modified accordingly, using several $\sigma_i$, i = 0, ..., t-1, and randomly applying them.
- Claim 12. The method according to Claim 3, wherein LWE is used instead of RLWE and the RE rounding technique is applied to the AKE by replacing the Sig function with the random selection of $\sigma_0$ and $\sigma_1$.
- Claim 13. The method according to Claim 3, wherein the procedure for two users i and j to derive a shared key is modified such that the roles of i and j are exchanged.
- Claim 14. The method according to Claim 3, wherein the rounding technique is replaced with another rounding technique using a signal function.
- Claim 15. The method according to Claim 1, 2 or 3, wherein the intervals used to define the signal function are modified slightly, such as by making them slightly bigger or smaller, or shifting them slightly to the left or the right.
- Claim 16. The method according to Claim 3, wherein the selection of error distributions and parameters is replaced by similar distributions and parameters with the basic properties necessary to make the system work.
- Claim 17. The method according to Claim 3, wherein the error terms $g_i$ and $g_j$ are removed or replaced by terms with other error distributions.
- Claim 18. The method according to Claim 3, wherein the rounding technique in deriving the shared key is replaced by a similar method with a similar signal function.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201461997523P | 2014-06-04 | 2014-06-04 | |
US201461997524P | 2014-06-04 | 2014-06-04 | |
US61/997,523 | 2014-06-04 | ||
US61/997,524 | 2014-06-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015184991A1 true WO2015184991A1 (en) | 2015-12-10 |
Family
ID=54766169
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/080697 WO2015184991A1 (en) | 2014-06-04 | 2015-06-03 | Improvements on cryptographic systems using pairing with errors |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2015184991A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030229789A1 (en) * | 2002-06-10 | 2003-12-11 | Morais Dinarte R. | Secure key exchange with mutual authentication |
US20090154711A1 (en) * | 2007-12-18 | 2009-06-18 | Jho Namsu | Multi-party key agreement method using bilinear map and system therefor |
CN102412971A (en) * | 2011-11-30 | 2012-04-11 | 西安西电捷通无线网络通信股份有限公司 | SM2 key exchange protocol based key agreement method and device |
WO2013152725A1 (en) * | 2012-04-12 | 2013-10-17 | Jintai Ding | New cryptographic systems using pairing with errors |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106685663A (en) * | 2017-02-15 | 2017-05-17 | 华中科技大学 | Encryption method for error learning problem in ring domain and circuit |
CN106685663B (en) * | 2017-02-15 | 2019-07-19 | 华中科技大学 | The encryption method and circuit of error problem concerning study in a kind of annulus |
US10511591B2 (en) | 2017-05-08 | 2019-12-17 | Amazon Technologies, Inc. | Generation of shared secrets using pairwise implicit certificates |
CN110999203B (en) * | 2017-05-08 | 2021-09-07 | 亚马逊技术有限公司 | Method and system for generating shared secret key |
WO2018208546A1 (en) * | 2017-05-08 | 2018-11-15 | Amazon Technologies, Inc. | Generation of shared secrets using pairwise implicit certificates |
US10798086B2 (en) | 2017-05-08 | 2020-10-06 | Amazon Technologies, Inc. | Implicit certificates using ring learning with errors |
CN110999203A (en) * | 2017-05-08 | 2020-04-10 | 亚马逊技术有限公司 | Generating shared secrets using paired implicit certificates |
US10516543B2 (en) | 2017-05-08 | 2019-12-24 | Amazon Technologies, Inc. | Communication protocol using implicit certificates |
WO2018213875A1 (en) * | 2017-05-22 | 2018-11-29 | Commonwealth Scientific And Industrial Research Organisation | Asymmetric cryptography and authentication |
WO2019018049A1 (en) * | 2017-07-17 | 2019-01-24 | Hrl Laboratories, Llc | Reusable fuzzy extractor based on the learning-with-error assumption secure against quantum attacks |
US10778423B2 (en) | 2017-07-17 | 2020-09-15 | Hrl Laboratories, Llc | Reusable fuzzy extractor based on the learning-with-error assumption secure against quantum attacks |
WO2019076737A1 (en) * | 2017-10-17 | 2019-04-25 | Koninklijke Philips N.V. | Cryptographic device with updatable shared matrix |
EP3474484A1 (en) * | 2017-10-17 | 2019-04-24 | Koninklijke Philips N.V. | Cryptographic device with updatable shared matrix |
US11212099B2 (en) | 2017-10-17 | 2021-12-28 | Koninklijke Philips N.V. | Cryptographic device with updatable shared matrix |
CN108599923A (en) * | 2018-02-26 | 2018-09-28 | 华南师范大学 | The implementation method of data efficient safe transmission between cloud computing server |
CN109474425A (en) * | 2018-12-25 | 2019-03-15 | 国科量子通信网络有限公司 | A method of length derivative key is arbitrarily designated based on the acquisition of multiple shared keys |
CN109474425B (en) * | 2018-12-25 | 2021-06-25 | 国科量子通信网络有限公司 | Method for obtaining derived key with any specified length based on multiple shared keys |
CN115276984A (en) * | 2022-07-29 | 2022-11-01 | 山东大学 | Secret key exchange method and system based on GR-LWE problem |
CN115276984B (en) * | 2022-07-29 | 2024-03-29 | 山东大学 | Key exchange method and system based on GR-LWE problem |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
USRE48643E1 (en) | Cryptographic system using pairing with errors | |
WO2015184991A1 (en) | Improvements on cryptographic systems using pairing with errors | |
US10764042B2 (en) | Password based key exchange from ring learning with errors | |
Lv et al. | Group key agreement for secure group communication in dynamic peer systems | |
Ezhilmaran et al. | Key exchange protocol using decomposition problem in near-ring | |
Kalyani et al. | Survey on identity based and hierarchical identity based encryption schemes | |
Ren et al. | Provably secure aggregate signcryption scheme | |
Wang et al. | New identity-based key-encapsulation mechanism and its applications in cloud computing | |
Gupta et al. | Security weakness of a lattice-based key exchange protocol | |
Gupta et al. | Identity-based/attribute-based cryptosystem using threshold value without shamir's secret sharing | |
Nithya et al. | Survey on asymmetric key cryptography algorithms | |
Wade et al. | The Iso-ElGamal Cryptographic Scheme | |
Yi et al. | ID-based key agreement for multimedia encryption | |
Zhang et al. | A new construction of threshold cryptosystems based on RSA | |
El-Yahyaoui et al. | A Like ELGAMAL Cryptosystem But Resistant To Post-Quantum Attacks | |
Bassous et al. | Ambiguous asymmetric schemes | |
Gupta et al. | Revocable key identity based cryptography without key escrow problem | |
Anbhuvizhi et al. | A Study On Cipher-Text Attribute Based Encryption Using Secret Sharing Schemes | |
Lv et al. | ID-based authenticated group key agreement from bilinear maps | |
Liu et al. | On the fundamental difference between encryption and key establishment | |
Lizama-Pérez et al. | Non-Commutative Key Exchange Protocol | |
Tian et al. | Security of a biometric identity-based encryption scheme | |
Elhao et al. | Towards Quantum Resistant Key Agreement Schemes Using Unpredictability | |
Gao et al. | Improving user's privacy for multi-authority ABE using privacy homomorphism | |
Töbke et al. | A Practical Approach to Quantum Resilient Cloud Usage Obtaining Data Privacy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15803200; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 15803200; Country of ref document: EP; Kind code of ref document: A1 |
 | 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19.06.2017) |