Journal of Cryptology

, Volume 25, Issue 4, pp 601–639 | Cite as

Bonsai Trees, or How to Delegate a Lattice Basis

  • David Cash
  • Dennis Hofheinz
  • Eike Kiltz
  • Chris PeikertEmail author


We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include an efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and the first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.


Lattices Hierarchical identity-based encryption Digital signatures Bonsai trees 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, H. Shi, Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2008). Preliminary version in CRYPTO 2005 MathSciNetzbMATHCrossRefGoogle Scholar
  2. [2]
    S. Agrawal, X. Boyen, Identity-based encryption from lattices in the standard model. Manuscript. July 2009 Google Scholar
  3. [3]
    S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in EUROCRYPT (2010), pp. 553–572 Google Scholar
  4. [4]
    M. Ajtai, Generating hard instances of the short basis problem, in ICALP (1999), pp. 1–9 Google Scholar
  5. [5]
    M. Ajtai, Generating hard instances of lattice problems. Quad. Mat. 13, 1–32 (2004). Preliminary version in STOC 1996 MathSciNetGoogle Scholar
  6. [6]
    J. Alwen, C. Peikert, Generating shorter bases for hard random lattices, in STACS (2009), pp. 75–86 Google Scholar
  7. [7]
    M. Bellare, A. Boldyreva, A. Desai, D. Pointcheval, Key-privacy in public-key encryption, in ASIACRYPT (2001), pp. 566–582 Google Scholar
  8. [8]
    D. Boneh, X. Boyen, Efficient selective-ID secure identity-based encryption without random oracles, in EUROCRYPT (2004), pp. 223–238 Google Scholar
  9. [9]
    D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in CRYPTO (2004), pp. 443–459 Google Scholar
  10. [10]
    D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003). Preliminary version in CRYPTO 2001 MathSciNetzbMATHCrossRefGoogle Scholar
  11. [11]
    D. Boneh, G.D. Crescenzo, R. Ostrovsky, G. Persiano, Public key encryption with keyword search, in EUROCRYPT (2004), pp. 506–522 Google Scholar
  12. [12]
    D. Boneh, R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007) MathSciNetCrossRefGoogle Scholar
  13. [13]
    D. Boneh, C. Gentry, M. Hamburg, Space-efficient identity based encryption without pairings, in FOCS (2007), pp. 647–657 Google Scholar
  14. [14]
    X. Boyen, Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more, in Public Key Cryptography (2010), pp. 499–517 Google Scholar
  15. [15]
    X. Boyen, B. Waters, Anonymous hierarchical identity-based encryption (without random oracles), in CRYPTO (2006), pp. 290–307 Google Scholar
  16. [16]
    R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme. J. Cryptol. 20(3), 265–294 (2007) Preliminary version in EUROCRYPT 2003 MathSciNetzbMATHCrossRefGoogle Scholar
  17. [17]
    D. Cash, D. Hofheinz, E. Kiltz, How to delegate a lattice basis. Cryptology ePrint Archive, Report 2009/351, July 2009.
  18. [18]
    C. Cocks, An identity based encryption scheme based on quadratic residues, in IMA Int. Conf (2001), pp. 360–363 Google Scholar
  19. [19]
    G.D. Crescenzo, V. Saraswat, Public key encryption with searchable keywords based on Jacobi symbols, in INDOCRYPT (2007), pp. 282–296 Google Scholar
  20. [20]
    Y. Dodis, N. Fazio, Public key broadcast encryption for stateless receivers, in ACM Workshop on Digital Rights Management (2002), pp. 61–80 Google Scholar
  21. [21]
    C. Gentry, Practical identity-based encryption without random oracles, in EUROCRYPT (2006), pp. 445–464 Google Scholar
  22. [22]
    C. Gentry, S. Halevi, Hierarchical identity based encryption with polynomially many levels, in TCC (2009), pp. 437–456 Google Scholar
  23. [23]
    C. Gentry, A. Silverberg, Hierarchical ID-based cryptography, in ASIACRYPT (2002), pp. 548–566 Google Scholar
  24. [24]
    C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in STOC (2008), pp. 197–206 Google Scholar
  25. [25]
    O. Goldreich, S. Goldwasser, S. Halevi, Public-key cryptosystems from lattice reduction problems, in CRYPTO (1997), pp. 112–131 Google Scholar
  26. [26]
    S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988). Preliminary version in FOCS 1984 MathSciNetzbMATHCrossRefGoogle Scholar
  27. [27]
    J. Hoffstein, J. Pipher, J.H. Silverman, NTRU: a ring-based public key cryptosystem, in ANTS (1998), pp. 267–288 Google Scholar
  28. [28]
    J. Hoffstein, N. Howgrave-Graham, J. Pipher, J.H. Silverman, W. Whyte, NTRUSIGN: digital signatures using the NTRU lattice, in CT-RSA (2003), pp. 122–140 Google Scholar
  29. [29]
    S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in CRYPTO (2009), pp. 654–670 Google Scholar
  30. [30]
    J. Horwitz, B. Lynn, Toward hierarchical identity-based encryption, in EUROCRYPT (2002), pp. 466–481 Google Scholar
  31. [31]
    H. Krawczyk, T. Rabin, Chameleon signatures, in NDSS (2000) Google Scholar
  32. [32]
    G. Leurent, P.Q. Nguyen, How risky is the random-oracle model, in CRYPTO (2009), pp. 445–464 Google Scholar
  33. [33]
    V. Lyubashevsky, D. Micciancio, Generalized compact knapsacks are collision resistant, in ICALP (2) (2006), pp. 144–155 Google Scholar
  34. [34]
    V. Lyubashevsky, D. Micciancio, Asymptotically efficient lattice-based digital signatures, in TCC (2008), pp. 37–54 Google Scholar
  35. [35]
    V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT (2010), pp. 1–23 Google Scholar
  36. [36]
    D. Micciancio, Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007). Preliminary version in FOCS 2002 MathSciNetzbMATHCrossRefGoogle Scholar
  37. [37]
    D. Micciancio, S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. The Kluwer International Series in Engineering and Computer Science, vol. 671 (Kluwer Academic, Dordrecht, 2002) zbMATHCrossRefGoogle Scholar
  38. [38]
    D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS 2004 MathSciNetzbMATHCrossRefGoogle Scholar
  39. [39]
    D. Micciancio, B. Warinschi, A linear space algorithm for computing the Hermite normal form, in ISSAC (2001), pp. 231–236 Google Scholar
  40. [40]
    M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in STOC (1989), pp. 33–43 Google Scholar
  41. [41]
    C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem, in STOC (2009), pp. 333–342 Google Scholar
  42. [42]
    C. Peikert, Bonsai trees (or, arboriculture in lattice-based cryptography). Cryptology ePrint Archive, Report 2009/359, July 2009.
  43. [43]
    C. Peikert, An efficient and parallel Gaussian sampler for lattices, in CRYPTO (2010), pp. 80–97 Google Scholar
  44. [44]
    C. Peikert, A. Rosen, Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices, in TCC (2006), pp. 145–166 Google Scholar
  45. [45]
    C. Peikert, A. Rosen, Lattices that admit logarithmic worst-case to average-case connection factors, in STOC (2007), pp. 478–487 Google Scholar
  46. [46]
    C. Peikert, V. Vaikuntanathan, B. Waters, A framework for efficient and composable oblivious transfer, in CRYPTO (2008), pp. 554–571 Google Scholar
  47. [47]
    M.O. Rabin, Digitalized signatures and public-key functions as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science (1979) Google Scholar
  48. [48]
    O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version in STOC 2005 MathSciNetCrossRefGoogle Scholar
  49. [49]
    M. Rückert, Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles, in PQCrypto (2010), pp. 182–200 Google Scholar
  50. [50]
    A. Shamir, Identity-based cryptosystems and signature schemes, in CRYPTO (1984), pp. 47–53 Google Scholar
  51. [51]
    A. Shamir, Y. Tauman, Improved online/offline signature schemes, in CRYPTO (2001), pp. 355–367 Google Scholar
  52. [52]
    D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in ASIACRYPT (2009), pp. 617–635 Google Scholar
  53. [53]
    B. Waters, Efficient identity-based encryption without random oracles, in EUROCRYPT (2005), pp. 114–127 Google Scholar
  54. [54]
    B. Waters, Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions, in CRYPTO (2009), pp. 619–636 Google Scholar
  55. [55]
    D. Yao, N. Fazio, Y. Dodis, A. Lysyanskaya, ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption, in ACM Conference on Computer and Communications Security (2004), pp. 354–363 Google Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • David Cash
    • 1
  • Dennis Hofheinz
    • 2
  • Eike Kiltz
    • 3
  • Chris Peikert
    • 4
    Email author
  1. 1.IBM T.J. Watson Research CenterHawthorneUSA
  2. 2.Karlsruhe Institute of TechnologyKarlsruheGermany
  3. 3.Department of MathematicsRuhr-Universität BochumBochumGermany
  4. 4.Georgia Institute of TechnologyAtlantaUSA

Personalised recommendations