- Untitled Document
Thesis Information

Chinese title:

 基于LWE问题的格密码方案分析与设计 (Analysis and Design of Lattice-Based Cryptographic Schemes from the LWE Problem)

Name:

 张姗姗 (Zhang Shanshan)

Student ID:

 1501310097

Confidentiality level:

 Public

Thesis language:

 chi (Chinese)

Discipline code:

 110505

Discipline:

 Military Science - Military Command - Cryptology

Student type:

 Doctoral

Degree:

 Doctor of Military Science

University:

 西安电子科技大学 (Xidian University)

School:

 School of Telecommunications Engineering

Major:

 Military Command

Research area:

 Lattice-based public-key cryptography

Primary supervisor:

 胡予濮 (Hu Yupu)

Primary supervisor's institution:

 西安电子科技大学 (Xidian University)

Completion date:

 2023-03-31

Defense date:

 2023-05-31

English title:

 Analysis and Design of LWE-Based Cryptographic Schemes over Lattices

Chinese keywords (translated):

 Lattice-based public-key cryptography ; Learning with errors ; Attribute-based encryption ; Oblivious transfer ; Key encapsulation mechanism

English keywords:

 Lattice-based cryptography ; Learning with errors ; Attribute-based encryption ; Oblivious transfer ; Key encapsulation mechanism

Chinese abstract (translated):

The rapid development of quantum computers poses new challenges for cryptographic research. To counter the fatal threat that quantum computing poses to current public-key cryptosystems, research into post-quantum secure cryptographic schemes is imperative. Lattice-based public-key cryptography, a typical representative of post-quantum cryptography, has the advantages of simple operations, ease of parallelization, and low asymptotic complexity. The learning with errors (LWE) problem over lattices can be used not only to design basic cryptographic primitives such as public-key encryption and digital signatures, but also to construct advanced cryptographic algorithms such as attribute-based encryption (ABE) and fully homomorphic encryption.

Cryptographic schemes based on the LWE problem can realize almost every kind of security functionality, but the security of existing LWE-based ABE schemes still requires further analysis. In addition, to meet the new requirements of application scenarios, this thesis also takes the design of post-quantum secure oblivious transfer (OT) protocols and key encapsulation mechanisms (KEMs) as its research goals. The main completed work is as follows:

1. The security of the BGG+14 ABE scheme, the first LWE-based ABE scheme supporting arithmetic circuits, is analyzed from three aspects. First, the BGG+14 ABE scheme suffers from a weak-attribute problem: each weak attribute comes with a corresponding "decryption key", and whenever a ciphertext is labeled with that weak attribute, the corresponding "decryption key" recovers one bit of the plaintext. Second, to reduce the key size of the BGG+14 ABE scheme, this thesis adopts three different "naturally simplified" pre-sampling matrices, obtaining three simplified variants of the scheme, and the analysis shows that all three simplified variants are insecure under collusion attacks. Finally, the reason the modulus of the scheme cannot be composite is analyzed: if the modulus has a small factor, a decryptor without decryption permission can successfully obtain the plaintext.

2. To address the problem that OT protocols based on traditional number-theoretic hardness assumptions do not resist quantum computing attacks, an OT protocol in the Universal Composability (UC) security model is proposed, built on the classical dual-mode encryption system, the LWE problem and indistinguishability obfuscation. The two modes of the dual-mode encryption system are obfuscated separately, preserving their functionality while achieving indistinguishability; it is proved that the scheme obtained after obfuscating the two modes still has the properties of a dual-mode encryption system, so that the OT protocol derived from it is UC secure. Compared with the OT protocol proposed by Yuan et al., the OT protocol designed in this thesis is based on the LWE problem and therefore offers improved post-quantum security.

3. The LWE-based dual-mode encryption system proposed by Quach can only handle one-bit plaintexts, so the OT protocol derived from it must be run repeatedly to achieve multi-bit output. To address this, the LWE-based Jiang-style key coordination mechanism is adopted as the key technique to extend the single-bit symmetric encryption key to multiple bits; an LWE-based dual-mode encryption system with multi-bit output is constructed, and an OT protocol with multi-bit output is then obtained. A comprehensive performance comparison shows that this LWE-based multi-bit-output OT protocol achieves UC security and is relatively efficient.

4. To meet the design requirements of post-quantum secure KEMs in multi-user scenarios, an LWE-based KEM scheme is constructed. First, based on the first key exchange protocol over lattices, a public-key encryption scheme with indistinguishability under chosen-plaintext attack is constructed; second, using a variant of the Fujisaki-Okamoto (FO) generic transform with explicit rejection, an LWE-based KEM scheme for the multi-user scenario is designed; finally, the KEM scheme is proved to have indistinguishability under chosen-ciphertext attack.

English abstract:

The development of quantum computers poses significant new challenges for cryptographic research. In response to the fatal threat that quantum computing technology poses to public-key cryptosystems, it is imperative to research cryptographic schemes that resist quantum computing attacks. Lattice-based public-key cryptography is a typical representative of post-quantum cryptography, with advantages such as simple and parallelizable operations and low asymptotic complexity. The learning with errors (LWE) problem on lattices can be used not only to design basic cryptographic primitives such as public-key encryption and digital signatures, but also to construct advanced cryptographic algorithms such as attribute-based encryption (ABE) and fully homomorphic encryption.

Although cryptographic schemes based on the LWE problem can achieve various security requirements, the security and implementation efficiency of existing ABE schemes still need to be analyzed further. In addition, to meet the new requirements of application scenarios, the thesis also aims at designing post-quantum secure oblivious transfer (OT) protocols and key encapsulation mechanisms (KEMs). The main research contributions are as follows:

1. Regarding the BGG+14 ABE scheme, the first LWE-based ABE scheme supporting arithmetic circuits, we conduct a security analysis from three aspects. Firstly, the BGG+14 ABE scheme has the problem of weak attributes. Each weak attribute comes with an associated "decryption key", and whenever a ciphertext is labeled with this weak attribute, the corresponding "decryption key" can recover one bit of the plaintext. Secondly, to reduce the key size of the BGG+14 ABE scheme, three different "naturally simplified" pre-sampling matrices are proposed to obtain three simplified variants, and the security of these three simplified variants under a collusion attack is analyzed. Finally, the main reason why the modulus in the scheme cannot be composite is analyzed: if the modulus has a small factor, an adversary without decryption permission can successfully obtain the plaintext.

2. To address the issue that OT protocols based on classical number-theoretic assumptions are not resistant to quantum computing attacks, an OT protocol based on LWE and indistinguishability obfuscation is proposed under the Universal Composability (UC) security model, using a classical dual-mode encryption system. The two modes of the dual-mode encryption system are obfuscated separately while maintaining the same functionality and achieving indistinguishability. We prove that the scheme obtained by obfuscating the two modes still has the properties of a dual-mode encryption system, and that the OT protocol derived from it is UC secure. Compared with the OT protocol proposed by Yuan et al., our protocol offers stronger post-quantum security, since our design builds upon the LWE problem.

3. The dual-mode encryption system based on the LWE problem proposed by Quach can only handle plaintexts of one bit, so the derived OT protocol needs to be repeated multiple times to achieve multi-bit output. To solve this problem, the Jiang-style key coordination mechanism based on the LWE problem is used as the key technique to extend the single-bit symmetric encryption key to multiple bits; a multi-bit-output dual-mode encryption system based on the LWE problem is constructed, and an OT protocol with multi-bit output is obtained from it. A comprehensive performance comparison shows that the multi-bit-output OT protocol based on the LWE problem achieves UC security with relatively high efficiency.

4. Aiming at the design requirements of post-quantum secure KEMs in multi-user scenarios, a KEM scheme based on the LWE problem is constructed. Firstly, a public-key encryption scheme with indistinguishability under chosen-plaintext attack is constructed based on the first key exchange protocol on lattices. Secondly, using a variant of the Fujisaki-Okamoto (FO) generic transform with explicit rejection, a KEM based on the LWE problem is designed for the multi-user scenario. Finally, it is proved that the proposed KEM scheme achieves indistinguishability under chosen-ciphertext attack.
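As an added, constructed illustration of the recipe in item 4 (it is not the thesis's scheme, which starts from the first lattice key exchange protocol rather than the Regev-style toy PKE used here), the following Python code wraps an IND-CPA LWE public-key encryption scheme in a Fujisaki-Okamoto transform with explicit rejection: decapsulation decrypts, re-encrypts the recovered message with recomputed coins, and returns None for any ciphertext that is not reproduced exactly. The parameters, hash choices and the `tamper` helper are assumptions chosen for the demonstration and are far too small for real security.

```python
"""Constructed illustration: toy Regev-style LWE PKE turned into a KEM by a
Fujisaki-Okamoto (FO) transform with explicit rejection.  Not the thesis's
scheme; parameters are tiny and insecure, for demonstration only."""
import hashlib
import secrets

N, Q, M = 8, 257, 32    # toy LWE dimension, modulus and number of samples
MSG_BITS = 16           # message bits encapsulated (one LWE ciphertext each)
# Errors lie in {-1,0,1} and the subset bits in {0,1}, so the accumulated
# error satisfies |sum(r_i e_i)| <= M = 32 < Q//4 = 64: an honestly
# generated ciphertext therefore always decrypts correctly.


def _h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256, used to derive FO coins and the shared key."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def _det_rng(seed: bytes):
    """Deterministic randbelow(k) from a seed, so that encryption can be
    replayed during decapsulation (the FO re-encryption check needs this)."""
    stream = hashlib.shake_256(seed).digest(4096)
    pos = 0

    def randbelow(k: int) -> int:
        nonlocal pos
        v = int.from_bytes(stream[pos:pos + 2], "big")
        pos += 2
        return v % k
    return randbelow


def keygen(rng=secrets.randbelow):
    """LWE key pair: sk = s, pk = M samples (a_i, <a_i, s> + e_i mod Q)."""
    s = [rng(Q) for _ in range(N)]
    pk = []
    for _ in range(M):
        a = [rng(Q) for _ in range(N)]
        b = (sum(x * y for x, y in zip(a, s)) + rng(3) - 1) % Q
        pk.append((a, b))
    return pk, s


def _enc_bit(pk, bit, rng):
    """Regev encryption of one bit: add a random subset of the samples."""
    u, v = [0] * N, 0
    for a, b in pk:
        if rng(2):
            u = [(x + y) % Q for x, y in zip(u, a)]
            v = (v + b) % Q
    return u, (v + bit * (Q // 2)) % Q


def _dec_bit(sk, ct):
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, sk))) % Q
    return 1 if Q // 4 < d <= 3 * Q // 4 else 0


def pke_encrypt(pk, msg: int, coins: bytes):
    """IND-CPA PKE with explicit coins: same (pk, msg, coins) -> same ct."""
    rng = _det_rng(coins)
    return [_enc_bit(pk, (msg >> i) & 1, rng) for i in range(MSG_BITS)]


def pke_decrypt(sk, ct) -> int:
    return sum(_dec_bit(sk, c) << i for i, c in enumerate(ct))


def _ser(rows) -> bytes:
    """Canonical byte encoding of a pk or ciphertext (list of (vector, scalar))."""
    return b"".join(x.to_bytes(2, "big") for vec, val in rows for x in (*vec, val))


def encaps(pk, rng=secrets.randbelow):
    """FO encapsulation: both the coins and the shared key are derived from m."""
    m = rng(1 << MSG_BITS)
    m_b = m.to_bytes(2, "big")
    ct = pke_encrypt(pk, m, _h(b"coins", m_b, _ser(pk)))
    return ct, _h(b"key", m_b, _ser(ct))


def decaps(pk, sk, ct):
    """FO decapsulation with explicit rejection: decrypt, re-encrypt with the
    recomputed coins and return None unless the ciphertext is reproduced."""
    m = pke_decrypt(sk, ct)
    m_b = m.to_bytes(2, "big")
    if pke_encrypt(pk, m, _h(b"coins", m_b, _ser(pk))) != ct:
        return None       # explicit rejection of a non-honest ciphertext
    return _h(b"key", m_b, _ser(ct))


def tamper(ct):
    """Constructed malformed ciphertext: nudge the first bit's v by one.
    It still decrypts to the same m, yet the re-encryption check rejects it."""
    u, v = ct[0]
    return [(u, (v + 1) % Q)] + ct[1:]
```

The tampered ciphertext still decrypts to the right message, which is the point: in an FO-style KEM it is the re-encryption check, not decryption success, that separates honest ciphertexts from modified ones.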


CLC number:

 TN91

Call number:

 56148

Release date:

 2023-12-27
