Patent Grant
RE48643
This invention is related to the construction of cryptographic systems, in particular, key exchange (KE) systems, key distribution (KD) systems and identity-based-encryption (IBE) systems, which are based on essentially the same mathematical principle, pairing with errors.
In our modern communication systems like Internet, cell phone, and etc, to protect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communication, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and scalable key distribution (KD) system such that any two users can derive a shared key via the key distribution (KD) system established by the central server. Therefore it is important and desirable that we have secure and efficient KE systems and KD systems. The first KE system was proposed by Diffie and Hellman [DiHe], whose security is based on the hardness of discrete logarithm problems. This system can be broken by future quantum computers as showed in the work of Shor [SHO]. There are many key-distribution systems including the system using pairing over quadratic forms [BSHKVY], and the one based on bilinear paring over elliptic curves by Boneh and Boyen (in U.S. Pat. No. 7,590,236). But the existing systems have either the problem of computation efficiency or scalability. For instance, the bilinear paring over elliptic curves is very computationally intensive.
In the second case, we use asymmetric systems, namely public key cryptographic systems, for encryption, where the receiver has a set of a public key and a private key, and the sender has only the public key. The sender uses the public key to encrypt messages, the receiver uses the private key to decrypt the messages and only the entity who has the private key can decrypt the messages. In an usual public key system, we need to make sure the authenticity of the public keys and therefore each public key needs to have a certificate, which is a digital signature provided by a trusted central authority. The certificate is used to verify that the public key belongs to the legitimate user, the receiver of a message. To make public key encryption system fully work, we need to use such a system, which is called a public key infrastructure (PKI) system.
In 1984, Shamir proposed another kind of public key encryption system [SHA]. In this new system, a person or an entity's public key is generated with a public algorithm from the information that can identify the person or the entity uniquely. For example, in the case of a person, the information may include the person's name, residential address, birthday, finger print information, e-mail address, social security number and etc. Since the public key is determined by the public information that can identify the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
There are a few Identity-based-encryption (IBE) public key cryptosystems, and currently, the (best) one being practically used is the IBE system based on bilinear paring over elliptic curves invented by Boneh and Franklin (in U.S. Pat. No. 7,113,594). In IBE systems, a sender encrypts a message for a given receiver using the receiver's public key based on the identity of the receiver. The receiver decrypts the message using the receiver's private key. The receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key for the legitimate user securely. An IBE system does not demand the sender to search for the receiver's public key, but rather, a sender in an IBE system derives any receiver's corresponding public key using an algorithm on the information that identifies the receiver, for example, an email address, an ID number or other information. Current IBE systems are very complicated and not efficient in terms of computations, since the bilinear paring over elliptic curves is very computationally intensive. These systems based on pairing over elliptic curves can also be broken efficiently if we have a quantum computer as showed in the work of Shor [SHO]. There are also constructions based on lattices, but those are also rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable that we have secure and efficient IBE systems.
Clearly, there are still needs for more efficient and secure KE, KD and IBE systems for practical applications.
This invention first contains a novel method for two parties A and B to perform an secure KE over an open communication channel. This method is based on the computation of pairing of the same bilinear form in two different ways but each with different small errors. In the KE process, each users will choose a private matrix SA, SB respectively with small entries following certain error distributions secretly and a public matrix M randomly. Then each user will compute the multiplication of the user's secret matrix with the publicly chosen matrix but with small errors, exchange the new matrices, and then perform the computation of pairing of SA and SB over the same bilinear form based on M in two different ways but each with different small errors. This kind of mathematical computation is called pairing with errors. The shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg]. The security of this system depends the hardness of certain lattice problem, which can be mathematically proven hard [DiLi]. This system involves only matrix multiplication and therefore is very efficient. Such a system can also resist the future quantum computer attacks.
This invention second contains a novel method to build a KD system with a central server or authority. In this system, the central server or authority assigns each user i a public ID as a matrix Ai with small entries or establish the ID of each user as a matrix Ai with small entries following certain error distributions with the information that can identify the user uniquely, and, in a secure way, gives each user a private key based on certain multiplication of this ID matrix with the central server or authority's secret master key M, another matrix, but with small errors. Then any two users in the system will compute the pairing of the two ID matrices of the users with the same bilinear form based on the master key matrix M in two different ways but each with different small errors to derive a shared key between these two users with certain rounding technique. This method can be viewed as an extension of the idea of the learning with error problem discovered by Regev in 2005 [Reg]. The security of this system depends on the hardness of the problem related to pairing with errors. This system involves only matrix multiplication and therefore is very efficient.
This invention third contains a novel method to build a IBE system with a central server or authority. In this system, the central server or authority assigns each user i a public ID Ai as a matrix with small entries following certain certain error distributions or establish the ID of each user as a matrix with small entries following certain certain error distributions with the information that can identify the user uniquely. Each user is given by the central server or authority a private key Si based on certain multiplication of this ID matrix with the central server or authority's master private key S, another matrix, but with errors related to one part of the master public key M, another matrix. The central server or authority will establish another half of the mater key as the multiplication of M and S with small errors, which we call M1. Then any user who wishes to send the user i a message in the system will compute public key of i which consists of M and a paring of M and Ai of the bilinear form based on the master secret key matrix S, then encrypt the message using the encryption system based on the MLWE problem, and the user i will use the secret key Si to decrypt the message. This method can be viewed as an extension of the idea of the learning with error problem discovered by REGEV in 2005. The security of this system depends the harness of certain lattice problem, which can be mathematically proven hard. This system involves only matrix multiplication and therefore is very efficient.
In our constructions, we can replace matrices by elements in ideal lattice, and we can also use other type of rounding techniques. We can also build the system in a distributed way where several servers can work together to build KD and IBE systems.
In short, we use the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, to build secure and more efficient KE, KD and IBE systems.
Though this invention has been described with specific embodiments thereof, it is clear that many variations, alternatives, modifications will become apparent to those who are skilled in the art of cryptography. Therefore, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the scope and spirit of the invention as set forth herein and defined in the claims. The claims in this invention are based on the U.S. provisional patent application with Ser. No. 61/623,272, entitled “New methods for secure communications and secure information systems”, filed Apr. 12, 2012, only more technical details are added.
1.1 The Basic Idea of Pairing with Errors
The learning with errors (LWE) problem, introduced by Regev in 2005 [Reg], and its extension, the ring learning with errors (RLWE) problem [LPR] have broad application in cryptographic constructions with some good provable secure properties. The main claim is that they are as hard as certain worst-case lattice problems and hence the related cryptographic constructions.
A LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution n on the finite ring (field) Fq with q elements. To simplify the exposition, we will take q to be a odd prime and but we can also work on any whole number except that we may need to make slight modifications.
In Fq, each element is represented by the set {−(q−1)/2, . . . , 0, . . . , (q−1)/2}. In this exposition, by “an error” distribution, we mean a distribution we mean a distribution such that there is a high probability we will select an element, which is small. There are many such selections and the selection directly affect the security of the system. One should select good error distribution to make sure the system works well and securely.
Let ΠS,κ, on Fq be the probability distribution obtained by selecting an element A in Fqn randomly and uniformly, choosing e ϵFq according to κ, and outputting (A, <A, S>+e), where + is the addition that is performed in Fq. An algorithm that solves the LWE problem with modulus q and error distribution κ, if, for any S in Fqn, with an arbitrary number of independent samples from ΠS,κ, it outputs S (with high probability).
To achieve the provable security of the related cryptographic constructions based on the LWE problem, one chooses q to be specific polynomial functions of n, that is q is replaced by a polynomial functions of n, which we will denote as q(n), κ to be certain discrete version of normal distribution centered around 0 with the standard deviation σ=αq≥√{square root over (n)}, and elements of Fq are represented by integers in the range [−(q 1)/2, (q 1)/2)], which we denote as κσ.
In the original encryption system based on the LWE problem, one can only encrypt one bit a time, therefore the system is rather inefficient and it has a large key size. To further improve the efficiency of the cryptosystems based on the LWE problem, a new problem, which is a LWE problem based on a quotient ring of the polynomial ring Fq[x] [LPR], was proposed. This is called the ring LWE (RLWE) problem. In the cryptosystems based on the RLWE problem, their security is reduced to hard problems on a subclass of lattices, the class of ideal lattices, instead of general lattices.
Later, a new variant of LWE was proposed in [ACPS]. This variant of the LWE problem is based on the LWE problem. We will replace a vector A with a matrix A of size m×n, and S also with a matrix of size n×1, such that they are compatible to perform matrix multiplication A×S. We also replace e with a compatible matrix of size m×1. We will work on the same finite field with q elements.
To simplify the exposition, we will only present, in detail, for the case where A is a square matrices of the size n×n and, S and e of the size n×1.
Let ΠS,κ
For the case that we choose a small S, namely entries of S are chosen independently according to also the error distribution κn, we call this problem a small LWE problem (SLWE). If we further impose the condition A to be symmetric, we call it a small symmetric LWE problem (SSLWE). If we choose the secret S randomly and independently from the set −z, . . . , 0, 1 . . . , z with z a fixed small positive integer, we call such a problem uniformly small LWE problem (USLWE).
For practical applications, we can choose S and e with different kind of error distributions.
Due to the results in [ACPS], we know If the secret S's coordinates and the error e's entries are sampled independently from the LWE error distribution κσ, the corresponding LWE problem is as hard as LWE with a uniformly random secret S. This shows that the SLWE problem is as hard as the corresponding LWE problem. The same is true for the case of the RLWE problem that if one can solve the Ring LWE problem with a small secret namely the element S being small, then one can solve it with an uniform secret.
We further extend the problem to a full matrix form.
Let ΠS,κ
We call this problem matrix LWE problem (MLWE). For the case where we choose a small S, namely entries of S also follows the error distribution κn
We can use different error distributions for S and e.
The mathematical principle behind our construction comes from the fact of associativity of matrices multiplications of three matrices A, B and C:
A×B×C=(A×B)×C=A×(B×C).
Such a product can be mathematically viewed as computing the bilinear paring of the row vectors of A with column vectors of C.
For two matrices A and B with small entries following certain error distributions, for example, with entries following some error distributions, instead of computing this product directly, we can first compute
AB+Ea,
then compute
(AB+EA)C or (AB+EA)C+EAC,
or we will compute
BC+EC,
then compute
A(BC+Ec) or (AB+EA)C+EBC,
where EA, EB, EAC, EBC are matrices with small entries following the same (or different) error distributions. Then we have two way to compute the product ABC with small errors or differences between these two matrices. We call such a computation pairing with errors. All our constructions depends on such a paring with errors and on the fact that the two different paring are close to each other if A and C are also small.
We can mathematically prove the theorem that an MLWE problem is as hard as the corresponding LWE problem with the same parameters. This provides the foundation of the provable security of our constructions
1.2 The Construction of the New KE Systems Based on Paring with Errors
Two parties Alice and Bob decide to do a key exchange (KE) over an open channel. This means that the communication of Alice and Bob are open to anyone including malicious attackers. To simplify the exposition, we will assume in this part all matrices involves are n×n matrices. But they do not have to be like this, and they can be matrices of any sizes except that we need to choose the compatible sizes such that the matrix multiplications performed are well defined.
Their key change protocol will go step by step as follows.
The reason that Alice and Bob can derive from KA and KB a shared secret to be the exchanged key via certain rounding techniques as in the case above is exactly that ei and Si are small, therefore KA and KB are close. We call this system a SMLWE key exchange protocol. We can derive the provable security of this more efficient system [Dili].
In term of both communication and computation efficiency, the new system is very good. The two parties need to exchange n2 entries in Fq, and each perform 2n2.8 computations (with Strassen fast matrix multiplication [STR]) to derive n2 bits if t=2.
Si and ei can follow different kind of error distributions.
We can prove the theorem that if we choose the same system parameters, namely n and q, the matrix SLWE key exchange protocol is provably secure if the error distribution is properly chosen [DiLi]. The proof relies on the mathematical hardness of the following pairing with error problem.
Assume that we are given
The proof follows from the fact that the SMLWE problem is as hard as the SLWE problem, since the matrix version can be viewed as just assembling multiple SLWE samples into one matrix SLWE sample.
We note here that we can choose also rectangular matrix for the construction as long as we make sure the sizes are matching in terms of matrix multiplications, but parameters need to be chosen properly to ensure the security.
Similarly we can build a key exchange system based on the ring learning with errors problem (RLWE) [LPR], we will a variant of the RLWE problem described in [LNV].
For the RLWE problem, we consider the rings R=Z[x]/f(x), and Rq=R/qR, where f(x) is a degree n polynomial in Z[x], Z is the ring of integers, and q is a prime integer. Here q is an odd (prime) and elements in Zq=Fq=Z/q are represented by elements: −(q−1)/2, . . . , −1, 0, 1, . . . , (q−1)/2, which can be viewed as elements in 2 when we talk about norm of an element. Any element in Rq, is represented by a degree n polynomial, which can also be viewed as a vector with its corresponding coefficients as its entries. For an element
a(x)=a0+a1x+ . . . +an-1xn-1,
we define
∥a∥=max|ai|,
the l∞ norm of the vector (a0, a1, . . . , an-1) and we treat this vector as an element in Zn and ai an element in Z. We can also choose q to be even positive number and things need slight modification.
The RLWEf,q,χ problem is parameterized by an polynomial f(x) of degree n, a prime number q and an error distribution X over Rq. It is defined as follows.
Let the secret s be an element in Rq, a uniformly chosen random ring element. The problem is to find s, given any polynomial number of samples of the pair
(ai,bi=ai×s+ei),
where ai is uniformly random in Rq and ei is selected following certain error distribution X.
The hardness of such a problem is based on the fact that the bi are computationally indistinguishable from uniform in Rq. One can show [LPR] that solving the RLWEf,q,χ problem above is known to give us a quantum algorithm that solves short vector problems on ideal lattices with related parameters. We believe that the latter problem is exponentially hard.
We will here again use the facts in [ACPS], [LPR] that the RLWEf,q,χ problem is equivalent to a variant where the secret s is sampled from the error distribution X rather than being uniform in Rq and the error element ei are multiples of some small integer t.
To derive the provable security, we need consider the RLWE problem with specific choices of the parameters.
There are two key facts in the RLWEf,q,χ setting defined above, which are needed for our key exchange system.
With the RLWEf,q,χ setting above, we are now ready to have two parties Alice and Bob to do a key exchange over an open channel. It goes step by step as follows.
We can use different distributions for si and ei.
That will give a shared key between these two users. We call this system a RLWE key exchange system. We can deduce that there is a very low probability of failure of this key exchange system. We note here that the commutativity and the associativity of the ring Rq play a key role in this construction.
In terms of security analysis, we can show the provable security of the system following the hardness of the RLWEf,q,χ problem by using a similar PEP over the ring Rq [DiLi].
Assume that we are given
It is nearly a parallel extension of the proof of the provable security of the case of SLWE key exchange system to the RLWE key exchange system. We conclude that the RLWE key exchange system is provable secure based on the hardness of the RLWEf,q,χ problem.
With the same parameters q and n, this system can be very efficient due to the possibility doing fast multiplication over the ring Rq using FFT type of algorithms.
1.3 The Construction of the New KD Systems Based on Paring with Errors
Over a large network, key distribution among the legitimate users is a critical problem. Often, in the key distribution systems, a difficult problem is how to construct a system, which is truly efficient and scalable. For example, in the case of the constructions of [BSHKVY], the system can be essentially understood as that the master key of a central server is a symmetric matrix M of size n×n and each user's identity can be seen as a row vector Hi of size n. The central server gives each user the secret Hi×M. Then two users can derive the shared key as Hi×M×Hjt. The symmetric property of M ensures that
Hi×M×Hjt=Hjt×M×Hi.
However, large number of users can collaborate to derive the master key. If one can collect enough (essentially n) Hi×M, which then can be used to find the master key M and therefore break the system.
We will build a truly scalable key distribution system using the pairing with error with a trusted central server, which can be viewed as a combination of the idea above and the idea of the LWE.
We work again over the finite field Fq, whose elements are represented by −(q−1)/2, . . . , 0, . . . , (q−1)/2. We choose q≈n3 or other similar polynomial function of n, we choose again κn
The key distribution system is set up step by step as follows.
To obtain a secret key shared between the user i and the user j, the user i computes
Ki=Ei×Ajt=AiSAjt+teiAjt;
and the user j computes
Kj=Ai×(Ej)t=AiStAjt+tAiejt=AiSAjt+tAiejt.
This is possible because the IDs are public. They then can use the following simple rounding method to derive a shared key between the two users.
Because S symmetric, we have that
AiSAjt=AiStAjt,
therefore the user j derives
AiSAjt+tAiAiejt.
The difference between the results computed by the two users is:
Ei×Atj−Ai×EtJ=AiSAtj+teiAtj−(AiSAtj+tAietj)
=teiAtj−tAietj.
This difference is small since t is small and eiAjt and Aiejt are small, which is due to the fact that ei, ej, Ai and Aj are all small. This allows us to get a common key for i and j by certain rounding techniques and therefore build a key distribution system.
Since the error terms for both matrices, teiAj and tejtAi, are small, the corresponding selected entries with tag 1 in AiSAj (without the error terms) are essentially within the range of [(−(q−1)/4, (q−1)/4] or very close. Therefore the error terms will not push those selected terms in AiSAj over either (−(q−1)/2 or (q−1)/2), that is when added the error terms, those selected entries will not need any further modular q operation but just add them as integers, since each element is represented as an integer in the range of [(−(q−1)/2(q−1)/2)]. The same argument goes with entries tagged by 0. These ensures that the process give a shared key between these two users.
From the way matrices Ki, Kj are constructed, we know that each entry of Ki and Kj follows uniform distribution. Therefore we expect that each time the size of the first list selected by the user j from the matrix Kj should be around n2. Therefore this system can provide the shared secret with enough bits if we choose proper n.
Also we can build a version of this system with none symmetric matrices, in this case, the central serve needs to compute more matrices like AiS+e and AitS+e′. Then it is possible, we can do the same kind of key distribution. This system again is less efficient.
On the other hand, since the RLWE problem can be viewed as a specialized commutative version of matrix-based LWE since an element in the ring can be view as a homomorphism on the ring. We can use the RLWE to build a key distribution in the same way.
Now let us look at why this key distribution is scalable. Clearly each user will have a pair A, and Ei=AiS+tei, and many users together can get many pairs, then to find the secret master key S is to solve the corresponding MLWE problem, except that, in this case, we impose the symmetric condition on the secret S. It is not difficult to argue again that this problem is as hard as a LWE problem, since given a LWE problem, we can convert it also into such a MLWE problem with symmetric secret matrix. Therefore, it is easy to see that this system is indeed scalable.
In terms of the provable security of the system, the situation is similar to the work done in the paper [DiLi]. We can give a provable security argument along the same line.
As we said before, since RLWE can be viewed as a special case MLWE, we will use the RLWE to build a very simple key distribution system.
We will choose the ring Rq to be Fq[x]/xn+1. To ensure the provable security, we need to choose parameter properly n, q, properly, for example n=2k, q=1 mod(2n)[LPR]. For provable secure systems, we assume that we will follow the conventional assumptions on these parameters, and the assumption on the error distribution like χ in [LPR].
This construction is essentially based on the systems of above. We assume that we have a ring Rq with a properly defined learning with error problem on the ring Rq with error distribution X. The problem is defined as follows:
We are given a pair (A, E), where
E=A×S+te′,
A, S where e′ are elements in R, t is small integer, e′ is an error element following the distribution of χ, S is a fixed element and A is select randomly following uniform distribution, and the problem is to find the secret S.
With a central server, we can build a simple key distribution system as follows.
Since Ai and ei are small elements in Rq, we have Ai×ei is also small. This ensures that we indeed have a shared secret key. This, therefore, gives an key-distribution system.
Here we use very much the fact that in a RLWE problem that the multiplication is commutative. The key feature of our construction is that it is simple and straight forward. The provable security of the system is also straightforward.
1.4 the Construction of the New IBE Systems Based on Paring with Errors
We will first build a new public key encryption based on MLWE. To build an encryption system, we choose similar parameter q≈n3 or n4 or similar polynomial functions of n, we choose again κn
With such a setting, we can build an encryption system as in the case of the MLWE problem as follows:
A, B, ei can follow different error distributions.
With large n, the output can give us the right plaintext with as high probability as demanded. The reason we could decrypt with high probability comes from the following.
D2−D1×S=BE+e2+m(q/2)−(BA+e)S
=B×(A×S+e)+e2+m(q/2)−(BA+e1)×S
=B×e+e2−e1×S+m(q/2)
B×e+e2−e1×S can be viewed as a error terms, which is determined by the distribution of the following random variable. With proper choice of parameters, like in the case of KE or KD systems, the decryption process will surely return the right answer when n is large enough. The same argument goes with the second case.
One key point of this new method is that on average, we can do the encryption much faster in terms of per bit speed because we can use fast matrix multiplication [CW] to speed up the computation process.
We note here that since matrix multiplication is not commutative, when we multiply two elements, the order is very important, unlike the case of the RLWE related systems.
We can also use the same idea in the ring LWE (RLWE)[LPR] to do encryption, where all the elements are in the ring Rq, and we have
E=A×S+te,
t is small positive integer and the entries of S is also small following error distribution κn
(D1,D2)=(BA+te1,BE+te2+m).
Then we decrypt by computing
(BE+te2+m−B(AS+te1))(mod t).
This works because
D2−D1×S=BE+te2+m−(BA+t1e1)S
=B×(A×S+te)+te2+m−(BA+te1)×S
=tB×e+te2−te1×S+m
Since the error terms are small, by modular t, we certainly should get back the original plaintext.
For the MLWE problem, we surely need to choose the distribution accordingly when we need to obtain the provable security of the system.
There are several versions of identity-based encryption systems based on lattice related problems including the LWE problem [ABB], [ABVVW], [BKPW]. But they all look rather complicated. We can use the MLWE to build an identity-based encryption system.
With a central server, we can build a simple identity-based encryption system as follows.
S, Ai, ei, e can also follow different error distributions.
Since Ai and e are small, we have Ai×e is also small. W also have that
MSi−Bi=MSi−Bi
=M(SAi+tM−1ei)−MSAi+teAi
=MSAi+tMM−1ei)−MSAi+teAi
=tei−teAi,
Since e, Ai and ei are small, e−Aiei is also small and tei−tAiei is also small. Therefore Si is a solution to a MLWE problem with the pair (Ai, Bi) as the problem input. Therefore Si is indeed a secret key that could be used for decryption. Therefore the construction works. We need to choose parameters properly to ensure security.
The key feature of our construction is that it is simple and straight forward. The provable security of the system is also straightforward.
we can extend this construction using the RLWE problem. We will choose the ring R to be Fq[x]/xn+1. To ensure the provable security, we need to choose parameter properly n, q, properly, namely n=2k, q=1 mod(2n)[LPR]. But we can select other parameters for secure applications.
This construction is directly based on the encryption systems of the RLWE[LPR], namely, we assume that we have a ring R with a properly defined learning with error problem on the ring R. The problem is defined as follows: we are given a pair (A, E), where
E=A×S+te′,
A, S where e′ are elements in Rq, t is small integer, e′ is an error element following an error distribution X, S is a fixed element and A is select randomly following uniform distribution, and the problem is to find the secret S. We also know that one can build a public key encryption systems using the RLWE problem[LPR], where A, and E serve as the public key, and the secret S, which needs to be small, serves as the private key. We can use the fact that in a ring-LWE problem that the multiplication is commutative.
With a central server, we can build a simple identity-based encryption system as follows.
The small elements like S, Ai, e, ei can follow different error distributions.
Since Ai and e are small elements in R, we have Ai×e is also small. We have that
SiAi−Bi=SiM−Bi
=M(SAi+iM−1ei)−MSAi+Aite
=MSAi+tMM−1ei)−MSAi+Aite
=te−tAiei,
which is due to the fact that this is a commutative ring. Since e, Ai and ei are small, e−Aiei is also small and te−tAiei is also small. Therefore Si is a solution to a ring LWE problem with the pair (Ai, Bi) as the problem input. Therefore Si is indeed a secret key that could be used for decryption.
We can build easily a hierarchical IBE system using similar procedure, where each user can server as a central server.
The key feature of our construction is that it is simple, straight forward and efficient. The provable security of the system is also straightforward.
In the all the systems above using pairing with errors over the ring, one may use polynomials in the form of
f(x)=Πfi(x)+g(x),
where each fi, g(x) is a extremely sparse matrix with very few terms, for example, 2 or 3 terms none-zero. Using this kind of polynomial can speed up the encryption and decryption computations.
More than one reissue application has been filed for the reissue of U.S. Pat. No. 9,246,675. The reissue applications are U.S. application Ser. No. 16/678,335 (the present application and a divisional reissue), Ser. No. 16/678,838 (a divisional reissue), and Ser. No. 15/881,531 (granted as U.S. Pat. No. RE 47,841E1), all of which are reissue applications of U.S. Pat. No. 9,246,675. U.S. Pat. No. 9,246,675, which issued on Jan. 26, 2016, is the National Stage of International Application No. PCT/CN2013/074053 filed on Apr. 11, 2013, which claims benefit under 35 U.S.C. § 119(e) of Provisional U.S. Patent Application No. 61/623,272, filed on Apr. 12, 2012, the disclosures of which are hereby incorporated by reference in their entireties. The present disclosure claims priority to the U.S. provisional patent application with Ser. No. 61/623,272, entitled “New methods for secure communications and secure information systems”, filed Apr. 12, 2012 and PCT application with the same title and the PCT number PCT/CN2013/074053 filed on Apr. 11, 2013, which is incorporated herein by reference in its entirety and for all purposes.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/CN2013/074053 | 4/11/2013 | WO | 00 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2013/152725 | 10/17/2013 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 6263437 | Liao | Jul 2001 | B1 |
| 7603554 | Futa | Oct 2009 | B2 |
| 8107397 | Bagchi | Jan 2012 | B1 |
| 8297510 | Yakshtes | Oct 2012 | B1 |
| 20030081774 | Lin et al. | May 2003 | A1 |
| 20060034457 | Damgaard | Feb 2006 | A1 |
| 20070271606 | Amann | Nov 2007 | A1 |
| 20080044028 | Sun | Feb 2008 | A1 |
| 20080046732 | Fu et al. | Feb 2008 | A1 |
| 20080069344 | Yao | Mar 2008 | A1 |
| 20080112596 | Rhoads | May 2008 | A1 |
| 20090154711 | Jho et al. | Jun 2009 | A1 |
| 20090204823 | Giordano | Aug 2009 | A1 |
| 20090208019 | Celik | Aug 2009 | A1 |
| 20090327141 | Rabin | Dec 2009 | A1 |
| 20100077462 | Joffe | Mar 2010 | A1 |
| 20120166809 | Barton et al. | Jun 2012 | A1 |
| 20120236968 | Zhou | Sep 2012 | A1 |
| Entry |
|---|
| Vadim Lyubashevsky et al., “On Ideal Lattices and Learning with Errors Over Rings”, Journal of the ACM, vol. 60, No. 6, Article 43, Publication date: Nov. 2013. |
| Du et al., “A Pairwise Key Management Scheme Based on Hash Function for Wireless Sensor Networks”, 2010 Second International Workshop on Education Technology and Computer Science. |
| International Patent Application No. PCT/CN2013/074053; Int'l Written Opinion and Search Report; dated Jul. 18, 2013; 9 pages. |
| Damgard et al.; “A Quantum Cipher with Near Optimal Key-Recycling”; Dept. of Computer Science; University of Arhus; Sep. 2005; 17 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 61623272 | Apr 2012 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 15881531 | Jan 2018 | US |
| Child | 14491992 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 14491992 | Apr 2013 | US |
| Child | 16678335 | US | |
| Parent | 14491992 | Apr 2013 | US |
| Child | 15881531 | US |
