
Design And Analysis Of Several Lattice-Based Cryptographic Schemes

Posted on: 2018-04-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y H Zhang
GTID: 1368330542472999
Subject: Cryptography

Abstract/Summary:
Cryptography is one of the theoretical foundations and core components of network security. To realize information transmission, secure storage, identity authentication and similar services in the open Internet environment, key cryptographic technologies must be used to provide security. Under the dual threat of a future high-efficiency quantum computer and stronger real-world adversaries, seeking more secure public-key cryptosystems that can thwart quantum attacks has become an urgent task for cryptographers. As a typical representative of post-quantum cryptography, lattice-based cryptography has attracted significant interest because of several potential benefits over other post-quantum families: worst-case hardness assumptions, linear structure and linear operations, and support for higher-level cryptographic services such as fully homomorphic encryption and multilinear maps. However, on both the theoretical and the practical side, lattice-based cryptography still has many problems to be solved. In view of the weak security and low efficiency of some existing lattice-based schemes, and the absence of constructions supporting certain special properties, this thesis carries out the corresponding research and analysis and obtains the following main results:

(1) To address a weak security problem in the first lattice-based revocable identity-based encryption (RIBE) scheme, we construct a lattice-based adaptive-ID secure RIBE scheme. User revocation and key update are crucial to the practical application of IBE. The scheme adopts the complete subtree method over a binary tree structure, which yields a simpler construction and a shorter user secret key. In particular, it satisfies adaptive-ID security and thereby solves the open problem, posed in the original scheme, of how to construct an adaptive-ID secure RIBE scheme from lattices.

(2) To address the low space efficiency of lattice-based group signature schemes, we construct a new lattice-based verifier-local revocation (VLR) group signature scheme. Support for member revocation is a desirable feature of group signatures. The scheme adopts VLR and obtains a shorter group public key, member secret key and group signature. In particular, it is proven secure in the random oracle model and solves the open problem, posed in the original scheme, of how to construct a simple and efficient group signature with membership revocation from lattices.

(3) To address the low space efficiency of lattice-based ring signature schemes, we construct two ring signature schemes over NTRU lattices. Unconditional anonymity is an excellent characteristic of ring signatures. Based on the extended NTRU problem, the two schemes satisfy anonymity against key exposure attacks and unforgeability against fixed-ring attacks, in the random oracle model and in the standard model respectively. The efficiency comparison shows that both constructions obtain a shorter ring signature and more efficient operations.

(4) To address the weak security and low efficiency of lattice-based verifiably encrypted signature (VES) schemes, we construct a new lattice-based VES scheme. VES is an important method for ensuring fairness in Internet exchange processes. The scheme adopts the technique of basis delegation in fixed dimension and obtains a shorter public key, private key and verifiably encrypted signature, together with higher efficiency. In particular, it is proven secure in the random oracle model and satisfies strong unforgeability, strong opacity and extractability.

(5) To address the absence of a sequential aggregate signature scheme with lazy verification (SAS-LV) from lattices, we construct the first lattice-based SAS-LV and prove it existentially unforgeable under adaptive chosen-message attacks in the random oracle model. Support for “Batch Processing” and “Compression” of signatures is an excellent characteristic of aggregate signatures. In the chain of sequential signing, a signer need not obtain the keys of the previous signers or verify the aggregate-so-far before producing its own signature: it produces a new aggregate signature on the unverified aggregate and passes it along to the next signer, so verification can be postponed, which improves the operating efficiency of the entire system.
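The complete subtree method named in result (1) decides, at each time period, which binary-tree nodes receive a key update so that every non-revoked user, and no revoked user, can combine its secret key (one share per node on its leaf-to-root path) with a published update key. The following Python block is an added illustration of that generic mechanism (the KUNodes cover computation used by binary-tree revocable IBE); it is not code from the thesis, contains no lattice operations, and the heap-style node numbering, the class name TreeRevocation and the function names are assumptions made for this example.

```python
"""Complete-subtree (CS) key-update cover for binary-tree revocable IBE.

Added illustration of the generic CS / KUNodes mechanism; it is not code
from the thesis and performs no lattice operations.  Nodes are heap-indexed
(an assumption of this example): root = 1, children of node i are 2i and
2i + 1, leaves are N .. 2N-1 for N a power of two.
"""
from __future__ import annotations

import math


def path_to_root(leaf: int) -> set[int]:
    """All nodes on the path from a leaf up to the root, inclusive."""
    nodes: set[int] = set()
    while leaf >= 1:
        nodes.add(leaf)
        leaf //= 2
    return nodes


def ku_nodes(num_leaves: int, revoked_leaves: set[int]) -> set[int]:
    """KUNodes: roots of the maximal subtrees that contain no revoked leaf.

    X = union of the revoked leaves' paths to the root.
    Y = every child of a node in X that is not itself in X.
    If nothing is revoked, the cover is just the root.
    """
    if not revoked_leaves:
        return {1}
    x: set[int] = set()
    for leaf in revoked_leaves:
        x |= path_to_root(leaf)
    y: set[int] = set()
    for node in x:
        for child in (2 * node, 2 * node + 1):
            if child < 2 * num_leaves and child not in x:   # skip below-leaf ids
                y.add(child)
    return y


def cs_cover_bound(num_leaves: int, num_revoked: int) -> float:
    """Standard CS bound r * log2(N / r) on the cover size (1 if r = 0)."""
    if num_revoked == 0:
        return 1.0
    return num_revoked * math.log2(num_leaves / num_revoked)


class TreeRevocation:
    """Key-authority bookkeeping: leaf assignment, revocation, key updates."""

    def __init__(self, max_users: int):
        if max_users < 1:
            raise ValueError("need at least one user slot")
        # Round the leaf count up to a power of two so the tree is complete.
        self.n = 1 << (max_users - 1).bit_length()
        self.revoked: set[int] = set()

    def leaf_of(self, user: int) -> int:
        if not 0 <= user < self.n:
            raise ValueError("user index out of range")
        return self.n + user

    def revoke(self, user: int) -> None:
        self.revoked.add(self.leaf_of(user))

    def update_nodes(self) -> set[int]:
        """Nodes for which the authority publishes an update key this period."""
        return ku_nodes(self.n, self.revoked)

    def key_node(self, user: int) -> int | None:
        """Node where the user's path meets the update cover, or None if revoked.

        A non-revoked user's path meets the cover in exactly one node (so the
        user can assemble a decryption key); a revoked user's path meets it
        nowhere, because every node on that path lies in X.
        """
        common = path_to_root(self.leaf_of(user)) & self.update_nodes()
        if len(common) > 1:
            raise RuntimeError("CS cover must not contain two nodes of one path")
        return next(iter(common), None)


if __name__ == "__main__":
    ka = TreeRevocation(8)           # constructed example: 8 user slots
    ka.revoke(3)
    print("update nodes:", sorted(ka.update_nodes()))
    for u in range(8):
        print(f"user {u}: key node {ka.key_node(u)}")
```

Revoking user 3 in an 8-leaf tree marks the path {11, 5, 2, 1}, and the cover becomes {3, 4, 10}: users 0 and 1 derive from node 4, user 2 from node 10, users 4 to 7 from node 3, and user 3 from nothing. The update key size is the cover size, which stays within r·log2(N/r), which is why the method keeps key updates short.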
Keywords/Search Tags:Lattice-based cryptography, Identity-based encryption, Group signature, Ring signature, Verifiably encrypted signature, Sequential aggregate signature, Provable security