Abstract
In this paper, we propose a lattice-based HIBE scheme in the standard model with faster trapdoor delegation. It is proven secure under the Learning With Errors assumption. Using Canetti et al.’s transformation (Eurocrypt’03), an HIBE can be converted into a forward-secure public-key encryption (FS-PKE) scheme, and the efficiency of key update relies on the efficiency of trapdoor delegation. As an application, our HIBE with faster delegation can be used to generate a lattice-based FS-PKE with faster key update. Furthermore, we also obtain a lattice-based forward-secure signature (FSS) scheme by combining an HIBE-like key-update technique with Zhang et al.’s short signature construction in the standard model (Crypto’16).
References
Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_10
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT. LNCS, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS, pp. 75–86. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany (2009)
Anderson, R.: Invited lecture. In: Fourth Annual Conference on Computer and Communications Security, ACM. Am Psychiatric Assoc (1997)
Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Boyen, X., Shacham, H., Shen, E., Waters, B.: Forward-secure signatures with untrusted update. In: CCS, pp. 191–200. ACM (2006)
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. J. Cryptology 265–294 (2007)
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_32
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206. ACM (2008)
Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_34
Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_20
Katsumata, S., Matsuda, T., Takayasu, A.: Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 441–471. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_15
Libert, B., Yung, M.: Dynamic fully forward-secure group signatures. In: ASIACCS, pp. 70–81. ACM (2010)
Ling, S., Nguyen, K., Wang, H., Xu, Y.: Forward-secure group signatures from lattices. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 44–64. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_3
Malkin, T., Micciancio, D., Miner, S.: Efficient generic forward-secure signatures with an unbounded number of time periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_27
Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems - a Cryptographic Perspective, vol. 671. Springer, Heidelberg (2002). https://doi.org/10.1007/978-1-4615-0897-7
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Nakanishi, T., Hira, Y., Funabiki, N.: Forward-secure group signatures from pairings. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 171–186. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_12
Peikert, C.: A decade of lattice cryptography. Found. Trends Theoret. Comput. Sci. 283–424 (2016)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 34:1–34:40 (2009)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
Song, D.X.: Practical forward secure group signature schemes. In: CCS, pp. 225–234. ACM (2001)
Zhang, J., Chen, Y., Zhang, Z.: Programmable hash functions from lattices: short signatures and IBEs with small key sizes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 303–332. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_11
Acknowledgments
The authors would like to thank the anonymous reviewers of ICICS 2020 for helpful comments. This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000 and No. 2017YFB0802500).
Appendices
A Some Formal Definitions
We give a formal definition of the security notion for an FS-PKE scheme called FS-INDr-CPA.
Definition 6
A forward-secure public-key encryption scheme is secure in the sense of FS-INDr-CPA if the advantage of any PPT adversary in the following game is negligible in the security parameter \(\kappa \).
- Setup. The experiment generates a fresh key pair \((PK,SK_0)\), and hands PK to the adversary.
- Attack. The adversary issues one \(\textsf{Break-in}(t)\) query. On input \(t\le T\), the key \(SK_{t}\) is computed via \(\textsf{Upd}(PK,t-1,\cdots \textsf{Upd}(PK,0,SK_0)\cdots )\) and then given to the adversary.
- Challenge. The adversary \(\mathcal{A}\) outputs a challenge plaintext \(M^*\) and time period \(t^*<t\). The experiment chooses a uniformly random ciphertext \(C_0\) from the ciphertext space, and computes \(C_1\leftarrow \textsf{Enc}(PK,t^*,M^*)\). Then it randomly chooses a bit \(b\leftarrow \{0,1\}\), and gives \(C^*= C_{b}\) to the adversary \(\mathcal{A}\).
- Guess. The adversary outputs a guess \(b'\in \{0,1\}\) and succeeds if \(b'=b\). The adversary’s advantage is the absolute value of the difference between its success probability and 1/2.
We then present a formal definition of the security notion for an FSS scheme called FS-EUF-CMA.
Definition 7
We say an FSS scheme is secure in the sense of FS-EUF-CMA if the success probability of any PPT adversary is negligible in the following game. The adversary \(\mathcal{A}\) is given PK and access to the following oracles:
- \(\textsf{Break-in}\): On input \(t'\le T\), this oracle computes the key \(SK_{t'}\), and then returns it to the adversary.
- \(\textsf{Signing}\): On input a message M and a period t, this oracle runs \(\sigma \leftarrow \textsf{Sig}(PK,SK_t,M)\), and returns \(\sigma\). Let \(\mathcal{O}_{t}\) be the set of queried messages for a time period t. Set \(\mathcal{O}_{t}=\mathcal{O}_{t}\cup \{M\}\).
Oracle \(\textsf{Break-in}\) is queried only once. At the end of the game, the adversary outputs its forgery \((t^*,M^*,\sigma ^*)\). The adversary wins the game if \(t^*<t'\), \(\textsf{Ver}(PK,t^*,M^*,\sigma ^*)=1\) and \(M^*\notin \mathcal{O}_{t^*}\).
B Proof of Theorem 1
Proof
In the following, we use a sequence of games from Game 0 to Game 3. In particular, we note that the main difference between our and Agrawal-Boneh-Boyen HIBE’s security proofs is the way of answering \(\mathcal {A}\)’s secret-key queries in Game 2.
- Game 0. This is the original INDr-sID-CPA game from Definition 3 between an adversary \(\mathcal{A}\) against our scheme and a challenger \(\mathcal{S}\).
- Game 1. This game is identical to Game 0 except that the challenger \(\mathcal{S}\) changes the setup and the challenge phases as follows.
  - Setup. Recall that the identity that \(\mathcal{A}\) intends to attack is \(\textsf{ID}^*=(id_1^*,\cdots , id_j^*)\). Instead of choosing \(\mathbf{A}_1,\cdots ,\mathbf{A}_L\) randomly, \(\mathcal{S}\) chooses \(\mathbf{R}_i\leftarrow D_{\mathbb{Z},\bar{s}}^{2nk\times nk}\) with Gaussian parameter \(\bar{s}\ge \omega _n\) and sets \(\mathbf{A}_i=\mathbf{A}\mathbf{R}_i-H(id_i^*)\mathbf{G}\) where we define \(H(id_i^*)=\mathbf{0}\) for \(i>j\).
  - Challenge. This is identical to Game 0 except that the challenger \(\mathcal{S}\) uses \(\bar{\mathbf{R}}_j=\left[ \mathbf{R}_1|\mathbf{R}_1|\cdots |\mathbf{R}_j|\mathbf{R}_j\right]\) when generating the challenge ciphertext, instead of sampling a random \(\bar{\mathbf{R}}_j\leftarrow D_{\mathbb{Z},\bar{s}}^{2nk\times 2jnk}\).

  For an appropriate distribution of \(\mathbf{R}_i\), the matrix \(\mathbf{A}_i\) is uniformly random up to \(\textsf{negl}(n)\) statistical distance for \(i=1,\cdots , L\). Observe that \(\bar{\mathbf{R}}_j\) in Game 1 is distributed identically to that in Game 0. Thus \(\mathcal{A}\)’s views in Games 0 and 1 are statistically indistinguishable.
- Game 2. We now change the way of generating \(\mathbf{A}\) and the users’ private keys.
  - Setup. The challenger \(\mathcal{S}\) generates \(\mathbf{A}\) as a random matrix in \(\mathbb{Z}_q^{n\times 2nk}\).
  - Phase 1 and Phase 2. To respond to a private key query for \(\textsf{ID}=(id_1,\cdots ,id_l)\) which is not a prefix of \(\textsf{ID}^*\), the challenger \(\mathcal{S}\) works as follows.
    1. Build \(\mathbf{F}_\textsf{ID}=\left[ \mathbf{A}|\mathbf{A}_{1,id_1}|\cdots |\mathbf{A}_{l,id_l}\right]\), where for each \(i\in [1,l]\),
       $$\mathbf{A}_{i,id_i}= \left[ \mathbf{AR}_i+(H(id_i)-H(id_i^*))\mathbf{G} \,|\, \mathbf{AR}_i+(H(id_i)-H(id_i^*))\mathbf{G} \right] .$$
    2. Find the largest \(x\in [1,l]\) such that \(H(id_x)\ne H(id_x^*)\). If \(x=l\), rewrite \(\mathbf{F}_\textsf{ID}=\left[ \bar{\mathbf{F}}_\textsf{ID}|\mathbf{AR}_l+(H(id_l)-H(id_l^*))\mathbf{G} \right]\). Then we have \(\left[ -\mathbf{R}_l^{\textsf{T}}| \mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf{T}}\) is a \(\mathbf{G}\)-trapdoor for \(\bar{\mathbf{F}}_{\textsf{ID}}\) with tag \(H(id_l)-H(id_l^*)\). Else, rewrite \(\mathbf{F}_\textsf{ID}=\left[ \bar{\mathbf{F}}_\textsf{ID}|\mathbf{A}_{x+1,id_{x+1}}|\cdots \right]\), then \(\left[ -\mathbf{R}_x^{\textsf{T}}| \mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf{T}}\) is a \(\mathbf{G}\)-trapdoor for \(\bar{\mathbf{F}}_{\textsf{ID}}\) with tag \(H(id_x)-H(id_x^*)\). Denote \(\bar{\mathbf{R}}_\textsf{ID}=\left[ -\mathbf{R}_x^{\textsf{T}}| \mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf{T}}\in \mathbb{Z}^{m_x\times nk}\) where
       $$m_x=\begin{cases} 2nk+(2x-1)nk, & x<l\\ 2nk+2(l-1)nk, & x=l \end{cases}$$
       Run \(\mathbf{R}_\textsf{ID}\leftarrow \textsf{DelTrap}(\mathbf{F}_\textsf{ID},\bar{\mathbf{R}}_\textsf{ID},H(id_x)-H(id_x^*),\mathbf{I}_n,s_l)\). Give \(\mathbf{R}_\textsf{ID}\) to \(\mathcal{A}\).

  For any identity \(\textsf{ID}\), the corresponding secret key \(\mathbf{R}_\textsf{ID}\) is generated by the algorithm \(\textsf{DelTrap}\) with the same Gaussian parameter in both Games 1 and 2. Thus the adversary’s advantage in Game 2 is at most negligibly different from its advantage in Game 1.
- Game 3. We now modify the challenge phase as follows.
  - Challenge. \(\mathcal{S}\) chooses \(b_0\leftarrow \mathbb{Z}_q\) and \(\mathbf{b}_1\leftarrow \mathbb{Z}_q^{m}\) uniformly at random, and computes \(c_0^*=b_0+\frac{q}{2}M^*\), \(\mathbf{c}_1^*=\left[ \begin{array}{c} \mathbf{b}_1\\ \bar{\mathbf{R}}_j^{\textsf{T}}\mathbf{b}_1 \end{array}\right]\) where \(\bar{\mathbf{R}}_j=\left[ \mathbf{R}_1|\mathbf{R}_1|\cdots |\mathbf{R}_j|\mathbf{R}_j\right]\).

  Since the challenge ciphertext is always a fresh random element in the ciphertext space, \(\mathcal{A}\)’s advantage in Game 3 is zero. Lemma 2 shows that \(\mathcal{A}\)’s advantage in distinguishing Game 2 and 3 is the same as \(\mathcal{B}\)’s advantage in solving the LWE problem.

In conclusion, if there exists a PPT adversary \(\mathcal {A}\) breaking the INDr-sID-CPA security of our HIBE scheme, then we can construct an algorithm \(\mathcal {B}\) solving the LWE\(_{q,\alpha }\) problem, which completes the proof.\(\square \)
Lemma 2
If there exists a PPT adversary \(\mathcal {A}\) who has non-negligible advantage \( \epsilon \) in distinguishing Games 2 and 3, then there exists an algorithm \(\mathcal {B}\) solving the LWE\(_{q,\alpha }\) problem with advantage \( \epsilon \).
Proof
We construct an algorithm \(\mathcal{B}\) for the LWE\(_{q,\alpha }\) problem as follows. Given the LWE\(_{q,\alpha }\) instance \((\left[ \hat{\mathbf{A}}|\hat{\mathbf{u}}\right] ,\left[ \hat{\mathbf{b}}_1|\hat{b}_0\right] )\in \mathbb{Z}_q^{n\times (2nk+1)}\times \mathbb{Z}_q^{2nk+1}\), \(\mathcal{B}\) simulates Game 3 for \(\mathcal{A}\) except that it replaces \((\mathbf{A},\mathbf{u})\) in the setup phase and \((\mathbf{b}_1,b_0)\) in the challenge phase with \((\hat{\mathbf{A}},\hat{\mathbf{u}})\) and \((\hat{\mathbf{b}}_1,\hat{b}_0)\), respectively.
Observe that if \((\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] ,\left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] )\) are valid LWE\(_{q,\alpha }\) tuples, we have \( \left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] =\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] ^{\textsf {T}}{} \mathbf{s} +\left[ \mathbf{x} _1|x_0\right] \) for some uniformly random vector \( \mathbf{s} \leftarrow \mathbb {Z}_q^n \) and random noise vector \( \left[ \mathbf{x} _1|x_0\right] \leftarrow D_{\mathbb {Z},\alpha q}^{2nk+1}\). Therefore, the ciphertext \(C_1=(c_0^*,\mathbf{c} _1^*)\) is defined as \( c_0^*=\hat{\mathbf{u }}^{\textsf {T}}{} \mathbf{s} +x_0+\frac{q}{2}M^* \) and \(\mathbf{c} _1^*=\mathbf{F} _{\textsf {ID}^*}^{\textsf {T}}{} \mathbf{s} +\left[ \begin{array}{c} \mathbf{x} _1\\ \bar{\mathbf{R }}_j^{\textsf {T}}{} \mathbf{x} _1 \end{array}\right] \), and thus \(C_1\) is distributed exactly as in Game 2. If \(\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] \) is uniform in \( \mathbb {Z}_q^{n\times (2nk+1)} \) and \(\left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] \) is uniform in \( \mathbb {Z}_q^{2nk+1} \), we have \(C_1=(c_0^*,\mathbf{c} _1^*)\) is distributed exactly as in Game 3.
If \(\mathcal {A}\) succeeds in guessing if it is interacting with a Game 2 or Game 3 challenger, then \(\mathcal {B}\) outputs \(\mathcal {A}\)’s guess as the answer to the LWE\(_{q,\alpha }\) challenge instance. \(\square \)
C Proof of Theorem 3
Proof
If there exists a PPT adversary \(\mathcal{A}\) who can break forward-secure unforgeability, then we can construct an ISIS solver \(\mathcal{B}\) by invoking \(\mathcal{A}\). The solver \(\mathcal{B}\) first obtains an input sample \((\mathbf{A},\mathbf{u})\) of the ISIS problem, then it picks a random time period \(t^*\) and hopes that \(\mathcal{A}\) produces a forgery pertaining to \(t^*\). It constructs each \(\mathbf{A}_i=\mathbf{A}\mathbf{R}_i-H(id_i^*)\mathbf{G}\) for short random \(\mathbf{R}_i\) with \(\textsf{ID}_{t^*}=(id_1^*,\cdots ,id_j^*)\) where we define \(H(id_k^*)=\mathbf{0}\) for \(k>j\). It also runs the trapdoor generation algorithm of PHF to generate a key K together with a trapdoor td. Then \(\mathcal{B}\) gives the public key \(PK=(\mathbf{A},\mathbf{A}_1,\cdots ,\mathbf{A}_L,\mathbf{u},K)\) to \(\mathcal{A}\) and stores td.
For \(t>t^*\), we have \( \textsf {ID}_t \) and each right sibling of the nodes on the path from root to \(\textsf {ID}_t\) are not prefixes of \(\textsf {ID}_{t^*} \). To respond to any secret-key query for t with \(t>t^*\), from the proof of Theorem 1, \(\mathcal {B}\) can generate \(\mathbf{R} _{\textsf {ID}_t}\) and \(S_t\), and thus it can output \(SK_t=(\mathbf{R} _{\textsf {ID}_t},S_t)\).
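The prefix claim in the paragraph above can be checked exhaustively on a small tree. This is an added example, not code from the paper: it assumes time periods are numbered by a pre-order walk of a full binary tree (the page does not define the numbering), and all function names are hypothetical.

```python
from itertools import product

def preorder_ids(depth):
    """Nodes of a full binary tree as bit tuples, listed in pre-order.
    Assumption of this example: list index t is time period t, so ID_t = ids[t]."""
    ids = []
    def walk(node):
        ids.append(node)
        if len(node) < depth:
            walk(node + (0,))
            walk(node + (1,))
    walk(())
    return ids

def key_nodes(node):
    """Identities covered by SK_t: ID_t itself, plus the right sibling of every
    left child on the path from the root to ID_t."""
    return [node] + [node[:i] + (1,) for i, bit in enumerate(node) if bit == 0]

def is_prefix(a, b):
    """True if identity a is a prefix of (or equal to) identity b."""
    return b[:len(a)] == a

def reachable(node, target):
    """True if the key for `node` holds a trapdoor for some prefix of `target`,
    i.e. its holder could delegate down to `target`."""
    return any(is_prefix(held, target) for held in key_nodes(node))

def violations(depth):
    """Pairs (t, t_star) where reachability differs from 't_star >= t'.
    An empty list means SK_t covers every later period and no earlier one."""
    ids = preorder_ids(depth)
    return [(t, ts) for t, ts in product(range(len(ids)), repeat=2)
            if reachable(ids[t], ids[ts]) != (ts >= t)]

if __name__ == "__main__":
    ids = preorder_ids(3)
    t = ids.index((0, 1, 0))
    print("period", t, "SK covers", key_nodes(ids[t]))
    print("violations for depth 3:", violations(3))
```

An empty violation list confirms both directions: a key for period t can be delegated to every period at or after t, and it contains no trapdoor for a prefix of any earlier identity, which is why the simulator can answer every break-in query for t > t*.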
For a signing query with input (M, t), \(\mathcal {B}\) computes \(\mathcal {H}_K(M)=\mathbf{AR} _M+\mathbf{H} _M\mathbf{G} \) using the trapdoor td. By programmability of PHF, we have that \( \mathbf{H} _M \) is invertible with a certain probability. Thus \(\mathcal {B}\) knows \(\mathbf{R} _{\textsf {ID}_t|M}=\left[ -\mathbf{R} _{M}^\textsf {T}|\mathbf{0} |\cdots |\mathbf{0} \right] \) as a \(\mathbf{G} \)-trapdoor for \(\mathbf{F} _{\textsf {ID}_t|M}\) with tag \(\mathbf{H} _M\), and then it samples \( \mathbf{e} \leftarrow \textsf {SampleD}(\mathbf{R} _{\textsf {ID}_t|M},\mathbf{F} _{\textsf {ID}_t|M}, \mathbf{H} _M,\mathbf{u} ,s) \) as a signature on message M pertaining to t.
Finally \(\mathcal {A}\) outputs a valid signature \( \mathbf{e} ^* \) on a new message \( M^* \) for the time period \(t^*\) with the probability \(\frac{1}{T}\). From the properties of PHF (Definition 2 of [29]), we have \( \mathcal {H}_K(M^*)=\mathbf{AR} _{M^*} +\mathbf{H} _{M^*}{} \mathbf{G} \) with \(\mathbf{H} _{M^*}=\mathbf{0} \) with non-negligible probability. With \(\mathbf{F} _{\textsf {ID}_{t^*}|M^*}{} \mathbf{e} ^*=\left[ \mathbf{A} |\mathbf{AR} _1|\mathbf{AR} _1|\cdots |\mathbf{AR} _j|\mathbf{AR} _j|\mathbf{AR} _{M^*}\right] \mathbf{e} ^*=\mathbf{u} \), we have a short vector \( \mathbf{x} =\left[ \mathbf{I} _{2nk}|\mathbf{R} _1|\mathbf{R} _1|\cdots |\mathbf{R} _j|\mathbf{R} _j|\mathbf{R} _{M^*}\right] \mathbf{e} ^* \) such that \(\mathbf{Ax} =\mathbf{u} \), solving the ISIS problem.
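Both the Lemma 2 simulation and the ISIS extraction above rest on the same identity, \(\mathbf{F}=\mathbf{A}\left[\mathbf{I}|\bar{\mathbf{R}}\right]\) for the challenge identity. The following added example (not code from the paper) checks both numerically; the toy parameters n, k, q, j, the small entry bounds and all helper names are constructed for illustration.

```python
import random

def matmul(X, Y, q=None):
    """Matrix product of lists of rows; reduced mod q when q is given."""
    Z = [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]
    return [[z % q for z in r] for r in Z] if q else Z

def transpose(X):
    return [list(c) for c in zip(*X)]

def hcat(*blocks):
    """Horizontal concatenation [B1 | B2 | ...]."""
    return [sum((list(B[i]) for B in blocks), []) for i in range(len(blocks[0]))]

def identity(m):
    return [[int(i == j) for j in range(m)] for i in range(m)]

def small(rng, rows, cols, bound=1):
    """Short integer matrix; stands in for a discrete Gaussian sample."""
    return [[rng.randint(-bound, bound) for _ in range(cols)] for _ in range(rows)]

def add_mod(u, v, q):
    return [[(a[0] + b[0]) % q] for a, b in zip(u, v)]

def check_reductions(seed=1, n=2, k=3, q=97, j=2):
    rng = random.Random(seed)
    m, w = 2 * n * k, n * k                        # A is n x 2nk, each R_i is 2nk x nk
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    R = [small(rng, m, w) for _ in range(j)]
    # For ID* the tags cancel, so level i contributes the block [A R_i | A R_i].
    Rbar = hcat(*[Ri for Ri in R for _ in (0, 1)])
    F = hcat(A, matmul(A, Rbar, q))                # F_{ID*} = A [I | Rbar]

    # Lemma 2: B only sees b1 = A^T s + x1, yet [b1; Rbar^T b1] equals
    # F^T s + [x1; Rbar^T x1], the ciphertext part c_1^* of Game 2.
    s = [[rng.randrange(q)] for _ in range(n)]
    x1 = small(rng, m, 1, bound=2)
    b1 = add_mod(matmul(transpose(A), s, q), x1, q)
    simulated = b1 + matmul(transpose(Rbar), b1, q)
    noise = x1 + matmul(transpose(Rbar), x1)
    real = add_mod(matmul(transpose(F), s, q), noise, q)

    # Theorem 3: with H_{M*} = 0 the message block is A R_M, so a vector e with
    # F e = u gives x = [I | Rbar | R_M] e satisfying A x = u.
    R_M = small(rng, m, w)
    R_sig = hcat(Rbar, R_M)
    F_sig = hcat(A, matmul(A, R_sig, q))
    e = small(rng, m + (2 * j + 1) * w, 1, bound=2)   # stands in for the forgery e*
    u = matmul(F_sig, e, q)
    x = matmul(hcat(identity(m), R_sig), e)
    return simulated == real, matmul(A, x, q) == u

if __name__ == "__main__":
    print(check_reductions())
```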
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Tang, G., Qiu, T. (2020). Lattice HIBE with Faster Trapdoor Delegation and Applications. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science, vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_12
DOI: https://doi.org/10.1007/978-3-030-61078-4_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61077-7
Online ISBN: 978-3-030-61078-4
eBook Packages: Computer Science, Computer Science (R0)