INFORMATICAInformatica1822-88440868-49520868-4952Vilnius UniversityINFO122610.15388/Informatica.2019.220Research ArticleEfficient Certificate-Based Signature with Short Key and Signature Sizes from LatticesTsengYuh-Minymtseng@cc.ncue.edu.tw∗
Y.-M. Tseng is currently a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. He is a member of IEEE Computer Society, IEEE Communications Society and the Chinese Cryptology and Information Security Association (CCISA). He has published over one hundred scientific journal and conference papers on various research areas of cryptography, security and computer network. His research interests include cryptography, network security, computer networks and mobile communications. He serves as an editor of several international journals.
TsaiTung-Tso
T.-T. Tsai is currently a senior engineer in HON HAI Technology Group, Taiwan. His research interests include applied cryptography and pairing-based cryptography. He received the PhD degree from the Department of Mathematics, National Changhua University of Education, Taiwan, in 2014 under the Professor Yuh-Min Tseng.
WuJui-Di
J.-D. Wu received the BS degree from the Department of Mathematics, National Changhua University of Education, Taiwan, in 2006. He received the MS degree from the Department of Mathematics, National Changhua University of Education, Taiwan, in 2008. He is currently a PhD candidate in the Department of Mathematics, National Changhua University of Education, Taiwan. His research interests include applied cryptography and pairing-based cryptography.
HUANGSen-Shan
S.-S. Huang is currently a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. His research interests include number theory, cryptography, and network security. He received his PhD from the University of Illinois at Urbana-Champaign in 1997 under the supervision of professor Bruce C. Berndt.
Certificate-based cryptography (CB-PKC) is an attractive public key setting, which reduces the complexity of public key infrastructure in traditional public key settings and resolves the key escrow problem in ID-based public key settings. In the past, a large number of certificate-based signature and encryption schemes were proposed. Nevertheless, the security assumptions of these schemes are mainly relied on the difficulties of the discrete logarithm and factorization problems. Unfortunately, both problems will be resolved when quantum computers come true in the future. Public key cryptography from lattices is one of the important candidates for post-quantum cryptography. However, there is little work on certificate-based cryptography from lattices. In the paper, we propose a new and efficient certificate-based signature (CBS) scheme from lattices. Under the short integer solution (SIS) assumption from lattices, the proposed CBS scheme is shown to be existential unforgeability against adaptive chosen message attacks. Performance comparisons are made to demonstrate that the proposed CBS scheme from lattices is better than the previous lattice-based CBS scheme in terms of private key size and signature size.
latticecertificate-based signaturepost-quantum cryptographyshort integer solutionMinistry of Science and Technology, TaiwanMOST106-2221-E-018-007-MY2This research was partially supported by Ministry of Science and Technology, Taiwan, under contract no. MOST106-2221-E-018-007-MY2. Introduction
In traditional public key settings (Rivest et al., 1978; ElGamal, 1985), a public key infrastructure (PKI) is required to manage users’ certificates, which are issued by a trusted certificate authority (CA) to offer the link relationships between users’ identities and the associated public keys. When a party would like to use the other party’s public key, she/he must first inquire and validate the certificate of the other party using the public key infrastructure. Typically, certificate management in such a public key infrastructure is pricey.
To simplify certificate management in traditional public key settings, Shamir (1984) presented the notion of identity (ID)-based public key settings while Boneh and Franklin (2001) realized the ID-based public key setting from the Weil pairing and presented the first ID-based encryption scheme. For the cryptographic schemes (Tseng et al., 2016; Tsai et al., 2017) under ID-based public key settings, a trusted private key generator (PKG) is responsible to generate private keys of all users, but such settings suffer from the key escrow problem. To solve the key escrow problem, Al-Riyami and Paterson (2003) proposed a new public key paradigm, namely, certificateless public key setting. Nevertheless, both ID-based and certificateless public key settings did not employ public key certificates so that both public key settings must offer extra revocation mechanisms to revoke compromised users from the public key settings. Fortunately, several studies (Tseng and Tsai, 2012; Tsai and Tseng, 2015; Hung et al., 2016b; Tseng et al., 2018; Wu et al., 2018) have well addressed the revocation problem of ID-based and certificateless public key settings.
The other solution resolving the key escrow problem in ID-based public key settings is the notion of certificate-based public key settings, which is presented by Gentry (2003). In the meantime, it also simplifies certificate management and the complexity of public key infrastructure, in traditional public key settings. In Gentry’s certificate-based public key setting, a user independently generates the associated private/public keys while sending the public key to a certificate authority (CA). By the user’s public key and identity information, the CA generates a certificate and sends it to the user. For the revocation problem, the CA may update non-revoked users’ certificates periodically without requiring extra revocation mechanisms. When a user would like to decrypt a ciphertext or sign a message, the user must own both private key and valid certificate. Numerous certificate-based cryptographic studies have been proposed, such as certificate-based encryption schemes (Galindo et al., 2008; Lu and Li, 2014; Gao et al., 2015) and certificate-based signature schemes (Li et al., 2007; Wu et al., 2009; Li et al., 2012; Hung et al., 2016a).
As we all know, the security of cryptographic mechanisms must be based on the difficulties or assumptions of some hard problem. Typically, most of the existing cryptographic schemes/protocols under aforementioned public key settings are mainly relied on the difficulties of the discrete logarithm and factorization problems with large prime numbers. Unfortunately, both problems will be resolved when quantum computers come true in the future. In such a case, those cryptographic schemes/protocols based on both hard problems would become insecure (Shor, 1997). Recently, researchers have constructed several new mathematical approaches to withstand quantum attacks. Lattice-based cryptography is one of the main candidates for post-quantum cryptography because of its efficiency and security (Bernstein, 2009).
Related Work
Under traditional public key settings, Goldreich et al. (1997) proposed the first signature and encryption schemes from lattices. Afterward, several lattice-based signature schemes (Gentry et al., 2008; Lyubashevsky, 2009, 2012) were proposed to enhance security and performance. Gentry et al. (2008) adopted the Gaussian sampling technique to generate a user’s private key while employing the hash-and-sign approach to sign a message. In such a case, the size of the resulting private key is too large while the computation cost of the signing process is inefficient. To improve the signing performance, Lyubashevsky (2009) employed the Fiat-Shamir transformation technique to generate signatures. Furthermore, Lyubashevsky (2012) proposed the other lattice-based signature scheme which uses the rejection sampling technique to sign a message while reducing the signature size.
By employing Gentry et al.’s private key generation method (Gentry et al., 2008), Ruckert (2010) presented two ID-based signature schemes from lattices. Both schemes were, respectively, proved to be secure in the random oracle model and the standard model. However, the sizes of private key and the resulting signature are still lengthy. To improve the security and performance, lattice-based IBS schemes (Liu et al., 2013; Tian and Huang, 2014) were proposed. For the revocation problem of ID-based public key settings, Xiang (2015) adopted the binary tree structure to construct a revocable ID-based signature scheme from lattices. In addition, by the revocation technique in Tseng and Tsai (2012), Tseng et al. (2018), Hung et al. (2017a) employed the NTRU lattices in Ducas et al. (2014) to shorten the private key and signature sizes.
Tian and Huang (2015) proposed the first lattice-based certificateless signature scheme. They also employed Gentry et al.’s method (Gentry et al., 2008) to generate users’ private keys so that the sizes of private key and the resulting signature turn out to be lengthy. Very recently, Hung et al. (2017b) employed the revocation technique of certificateless public key setting in Tsai and Tseng (2015), Hung et al. (2016b) to present the first lattice-based revocable certificateless signature scheme while improving the performance of Tain and Huang’s scheme.
In the past, there is little work on the design of certificate-based signature (CBS) scheme over lattices. Indeed, Tian and Huang (2015) also presented the first CBS scheme from lattices. The proposed scheme was proved to be existential unforgeability against adaptive chosen message attacks in the random oracle model. In addition, as Tain and Huang’s lattice-based certificateless signature scheme, their CBS scheme from lattices also employs the same method in Gentry et al. (2008) to generate private key. The form of a user’s private key generated in Gentry et al. (2008) consists of two matrices M1∈Zqn1×k and M2∈Zqn2×k, where n1,n2>5klogq5k\log q$]]> and q is a prime number. Hence, in Tain and Huang’s CBS scheme, the size of the resulting signature is also lengthy. In such a case, their scheme is inefficient.
Contribution and Organization
In the paper, a new and efficient certificate-based signature (CBS) scheme from lattices is proposed. In our scheme, a user’s certificate and private key are generated by using Ducas et al.’s key extract algorithm over NTRU lattices in Ducas et al. (2014). Instead of Gentry et al.’s key extract algorithm over GPV lattices Gentry et al., 2008, Ducas et al.’s key extract algorithm employed a particular sampling algorithm to produce short trapdoor (private key or certificate). Furthermore, we employ the rejection sampling technique to sign a message. The size of the resulting signature is also shortened. Hence, our CBS scheme from lattices has shorter private key and signature sizes than Tain and Huang’s CBS scheme from lattices (Tian and Huang, 2015). Under the short integer solution (SIS) assumption from lattices (Micciancio and Regev, 2007), the proposed CBS scheme is shown to be existential unforgeability against adaptive chosen message attacks for two adversaries, namely, Type I (general attacker) and Type II (malicious CA). Performance comparisons are made to demonstrate that the proposed CBS scheme from lattices is better than the previous lattice-based CBS schemes.
The rest of the paper is organized as follows. In Section 2, we present several preliminaries. The framework and security notions for CBS schemes are given in Section 3. A new and efficient CBS scheme from lattices is presented in Section 4. In Section 5, the security of the proposed CBS scheme is demonstrated. In Section 6, we present performance comparisons. In Section 7, conclusions are given.
Preliminaries
Here, we present several preliminaries that include notations, concepts of lattices, Gaussion distribution, Gaussion sampling algorithm, rejection sampling algorithm, and security assumptions over lattices.
Notations
Several parameters throughout this article are defined as follows:
N: a specific power-of-two integer.
Z: the set of integers.
R: the set of real values.
Zq: the set of integers in the interval [−q/2,q/2), where q is a positive integer.
Rq: Rq=Zq[X]/(XN+1), which is a ring of polynomials with coefficients in Zq modulo XN+1.
RN,ZN,ZqN,RqN: a N-vector (or N elements) of R,Z,Zq and Rq, respectively.
x: a vector.
X: a matrix.
‖x‖: ‖x‖=∑xi2 denotes the Euclidean norm of a vector x.
‖X‖∞: ‖X‖∞=max[‖Xi‖] denotes the maximum norm of all columns of a matrix X.
Anticirculant Matrices
Here, we introduce the definition (Definition 1) of an anticirculant matrix and its properties (Lemma 1) as follows.
An N×N anticirculant matrix of f∈Rq is a Toeplitz matrix represented by
CN(f)=(f)(x·f)⋮(xN−1·f)=f0f1f2⋯fN−1−fN−1f0f1⋯fN−2⋮⋮⋮⋮⋮−f1−f2⋯⋯f0,
where f=∑i=0N−1fixi∈Rq. In the sequel, CN(f) is abbreviated as C(f).
(See Ducas <italic>et al.</italic>, <xref ref-type="bibr" rid="j_info1226_ref_005">2014</xref>).
LetCN(f)andCN(g)be anticirculant matrices, we haveCN(f)+CN(g)=CN(f+g)andCN(f)·CN(g)=CN(f·g), wheref,g∈Rq.
Lattice and NTRU Lattice
A lattice is a full-rank subgroup of Rn and an NTRU lattice is convolution modular lattices with a particularly efficient class, which are defined as follows.
Let B={v1,v2,…,vn} be the basis of the n-dimensional lattice Λ, where v1,v2,…,vn∈Rn and n are linearly independent vectors. The lattice Λ generated by the basis B is defined as below:
Λ=L(v1,v2,…,vn)={∑i=1nxivi:xi∈Rn}.
Let f, g ∈Rq, h=g∗f−1 and q is a positive integer. The NTRU lattice Λh,q={(u,v)∈Rq2|u+v∗h=0} is a full-rank lattice of Zq2N. Indeed, the lattice Λh,q may be generated by these rows (vectors) of
Ah,q=−CN(h)INqINON,
where ON is the N×N null matrix and IN is the N×N unit matrix.
Indeed, the basis Ah,q is not well suitable to solve the general lattice problem when h is a uniform distribution in Rq. Thus, Hoffstein et al. (2003) constructed the other appropriate basis of Λh,q as
Bf,g=C(g)−C(f)C(G)−C(F),
where F,G∈Rq such that f∗G−g∗F=q. Indeed, Bf,g is a short basis for Λh,q and has the following properties. (See Ducas <italic>et al.</italic>, <xref ref-type="bibr" rid="j_info1226_ref_005">2014</xref>).
Iff,g,F,G∈Rqsuch thatf∗G−g∗F=qandh=g∗f−1, the short basis,Bf,gmay generate the same NTRU latticeΛh,qgenerated by the basis ,Ah,qwhile satisfying‖Bf,g‖⩽‖Ah,q‖.
(See Ducas <italic>et al.</italic>, <xref ref-type="bibr" rid="j_info1226_ref_005">2014</xref>).
Let N and q be a power-of-two integer and a prime, respectively. There exists a probabilistic polynomial-time (PPT) algorithmTrapGen(q,N)that may generate two polynomials f and g while computingh=g∗f−1, and output a short trapdoor basisBf,gofΛh,q. It is worth mentioning that h is statistically close to be uniform inRqand publicly published.
Gaussian Distribution and Sampling Technique
In this section, we define the Gaussian distributions and sampling technique, which are useful tools for lattice-based cryptography.
The continuous Gaussian distribution over RN with the centre c∈RN and the standard deviation s>00$]]>, is defined as
ρc,sN(x)=(1s2π)Ne−∥x−c∥222s2,wherex∈RN.
For any lattice Λ∈ZN, the discrete Gaussian distribution over ZN with the standard deviation s>00$]]> and the centre c∈ZN, is defined as Dc,sN(x)=ρc,sN(x)/ρc,sN(Λ), where x∈ZN and ρc,sN(Λ)=∑x∈Λρc,sN(x). In the sequel, ρ0,sN and D0,sN are abbreviated as ρsN and DsN respectively.
For the discrete Gaussian distribution Dc,σN(x), Lyubashevsky (2012) gave two properties as follows.
(See Lyubashevsky, <xref ref-type="bibr" rid="j_info1226_ref_022">2012</xref>).
Letc∈ZN.
Ifσ=ω(‖c‖logN), we have Pr[x∈DσN;DσN(x)/Dc,σN(x)=O(1)]=1−2−ω(logN).
Ifα>00$]]>andσ=α‖c‖, we have Pr[x∈DσN;DσN(x)/Dc,σN(x)<e12/α+1/(2σ2)]=1−2−100.
In the following, let us introduce the Gaussian sampling technique over general lattices. Indeed, one takes a noise vector from a Gaussian distribution and adds this noise vector to a lattice, she/he may obtain a distribution which is very close to uniform distribution (Micciancio and Regev, 2007). Based on this fact, Gentry et al. (2008) proposed a trapdoor (private key) generation algorithm by using the Gaussian sampling technique from lattices. Furthermore, Ducas et al. (2014) improved Gentry et al.’s trapdoor generation algorithm to propose a specific sampling algorithm over NTRU lattices to reduce the private key size by using a short basis Bf,g generated in Lemma 2. Ducas et al.’s trapdoor generation algorithm has the following property. (See Ducas <italic>et al.</italic>, <xref ref-type="bibr" rid="j_info1226_ref_005">2014</xref>).
LetBf,gbe a short basis of an N-dimensional lattice Λ. LetB˜f,gbe the Gram–Schmidt orthogonalization ofBf,g. Ifs⩾‖B˜f,g‖ω(logN)and0<ε<1, we havePr[‖x−c‖>sN]⩽1+ε1−ε2−Nfor anyc∈ZNandx∈Dc,sN.s\sqrt{N}\big]\leqslant \frac{1+\varepsilon }{1-\varepsilon }{2^{-N}}\hspace{1em}\textit{for any}\hspace{2.5pt}\mathbf{c}\in {Z^{N}}\hspace{2.5pt}\textit{and}\hspace{2.5pt}\mathbf{x}\in {D_{\mathbf{c},s}^{N}}.\]]]>And there exists an PPT algorithmGauSample(Bf,g,s,c)that produces a distribution statistically close toDc,sN.
Rejection Sampling Technique
In our CBS scheme from lattices, we employ the rejection sampling technique to sign a message. The rejection sampling technique was proposed by Lyubashevsky (2012). Its idea is to make the distribution of a resulting signature be independent of the signing key. In addition, the rejection sampling technique requires just a few matrix-vector multiplications and rejection samplings so that it is simple and efficient. The idea of the rejection sampling technique works as follows. If a signer with the signing key S would like to generate a signature σ on a message m, the signer first chooses a random vector y from some distribution (i.e. Gaussian distribution) and computes the candidate signature z. Namely, the signer first uses the signing key S to multiply the resulting vector c of some function with inputting message m and then adds the random vector y, denoted as z=Sc+y. Without loss of generality, let the distribution DσN(x) be the target distribution and the signature is the distribution vector DSc,σN(x). If DσN(x)⩽M·DSc,σN(x) for all x, then the candidate signature z may be generated with probability DσN(z)/M·DSc,σN(z). If the resulting signature does not satisfy the above condition, then the signature z will be rejected. The expected number of times that the process generates a valid signature is M.
SIS Assumption from Lattices
Here, we present a mathematical assumption, called the short integer solution (SIS) assumption from lattices. The difficulty of the SIS problem is equal to that of the worst-case of short independent vector problem (SIVP) up to a polynomial approximation factor (Ajtai, 1996). The SIS problem and assumption are defined as follows.
SISq,N,β problem: let q be a positive integer, β be a real number, and f1,f2,…,fN be polynomials chosen uniformly and independently from Rq. The SISq,N,β problem is to find non-zero integers r1,r2,…,rN such that ∑i=1Nrifi=0 mod q and ‖(r1,r2,…,rN)‖⩽β.
SISq,N,β assumption: for the SISq,N,β problem defined above, there exists no probabilistic polynomial-time adversary A with non-negligible probability who can find such non-zero integers r1,r2,…,rN.
By Ducas et al. (2014), the SIS problem on NTRU lattices is to find a pair (z1,z2) such that z1+h∗z2=0 and ‖(z1,z2)‖⩽β. The statistical distance between the distribution of h=g/f and the uniform distribution of Rq is negligible (Stehle and Steinfeld, 2013).
Framework and Adversary Model of CBS
In this section, the framework and adversary model of certificate-based signature (CBS) schemes are defined here. They are identical to the framework and adversary model in Li et al. (2007), Wu et al. (2009), Li et al. (2012), Hung et al. (2016a).
In a CBS scheme, there are two kinds of roles, namely, users (signers/verifiers) and a trusted certificate authority (CA). A user independently generates her/his private/public key pair and sends the public key to the CA. And, the CA uses a system private key to generate and send the associated certificate to the user. An CBS scheme consists of five algorithms, namely, Setup, User key generation, Certificate extract, Sign and Verify algorithms defined as follows.
A certificate-based signature (CBS) scheme consists of five algorithms:
Setup algorithm is probabilistic, which is performed by the CA. It takes as input a security parameter and returns the system private key SCA and public parameters PP. The system private key SCA is kept secret by the CA itself.
User key generation algorithm is probabilistic, which is performed by users. It takes as input the identity ID of a user and returns the associated private key SID and public key PID. In addition, it also publishes the public key PID in a public directory.
Certificate extract algorithm is deterministic, which is performed by the CA. It takes as input the system private key SCA, the public parameters PP and a user’s identity ID with public key PID, and returns the associated certificate CID to the user.
Sign algorithm is probabilistic, which is performed by users. It takes as input a message m, her/his private key SID and certificate CID, and returns a signature ρ.
Verify algorithm is deterministic, which is performed by users. It takes as input a signature ρ, a message m and a user’s identity ID with the public key PID, and outputs either “accept” or “reject”.
In the following, we define the existential unforgeability of CBS schemes against adaptive chosen-message attacks (EUF-CBS-ACMA). The EUF-CBS-ACMA attacks consist of two types of adversaries, namely, Type I and Type II adversaries.
Type I adversary (uncertified entity): This adversary is a general attacker (uncertified entity) who can obtain secret key of any entity. Meanwhile, it is allowed to acquire certificate of any entity, except the certificate of an attacking target entity.
Type II adversary (honest-but-curious CA): This adversary acts as the honest-but-curious CA so that it holds the system private key SCA and can generate certificate of any entity. Meanwhile, it is allowed to acquire secret key of any entity, except the secret key of an attacking target entity.
In the following, an adversary model of CBS schemes against the EUF-CBS-ACMA attacks is presented.
An CBS scheme provides existential unforgeability against adaptive chosen-messageattacks (EUF-CBS-ACMA) if no probabilistic polynomial-time (PPT) adversary A has a non-negligible advantage in the following game played between a challenger C and the adversary A.
Setup. The challenger C runs the Setup algorithm to generate the system private key SCA and public parameters PP. In addition, PP is sent to A. If A is of Type I adversary, SCA is kept secret by C. If A is of Type II adversary, C sends the system private key SCA to A.
Queries. The adversary A may adaptively issue the following queries to the challenger C. It is worth mentioning that if A is of Type II adversary, it does not need to issue the certificate extract query since Type II adversary knows the system private key SCA and may compute the certificates of all the users.
User key generation query(ID). C performs the User key generation algorithm to return the associated private key SID and public key PID of the user with identity ID to A.
Certificate extract query(ID, PID). C performs the Certificate extract algorithm to return the associated certificate CID of the user with identity ID to A.
Corruption query(ID). C returns the associated private key SID of the user with identity ID to A.
Public key replacement query(ID, PID′). The adversary A chooses a new public key PID′ for the user with identity ID. C records this public key replacement in a public directory. Meanwhile, it denotes that A knows the associated private key SID of the user with identity ID.
Sign query(m, ID). Given a message m and identity ID with the public key PID, C generates a valid signature ρ and returns it to A.
Forgery. Finally, the adversary A produces a signature tuple (ρ∗, m∗, ID∗,PID∗). The advantage of A is defined as the probability that A wins the game. We say that A wins the game if the following conditions hold.
The response of the Verify algorithm on (ρ∗, m∗, ID∗,PID∗) is “accept”.
(m∗,ID∗) has never been issued in the sign query.
If A is of Type I adversary, ID∗ has never been issued in the Certificate extract query.
If A is of Type II adversary, it does not know the private key of the attacking target entity ID∗, namely, ID∗ has never been issued in the User key generation, Public key replacement and Corruption queries.
An Efficient CBS Scheme from Lattices
Here, we propose a new and efficient CBS scheme from lattices. By the framework defined in Section 3, the proposed CBS scheme consists of five algorithms as below.
Setup algorithm: Assume that N, q and λ are, respectively, a security parameter, a large prime and a positive integer while setting two standard deviations s>00$]]> and σ>00$]]>. The CA runs TrapGen(q,N) in Lemma 3 to produce two polynomials f and g and compute h=g∗f1, where f,g∈Rq and ‖f‖, ‖g‖<sN while h is statistically close to be uniform in Rq. In the meantime, the CA also produces is a short trapdoor basis Bf,g of the lattice Λh,q, which is viewed as the system private key SCA. The CA chooses two values p1, p2∈ZqN and sets the system public key as (h, p1, p2). In addition, the CA selects two hash functions H1:{0,1}∗×ZqN→ZqN and H2:{0,1}∗×ZqN×ZqN→{v:v∈{−1,0,1}N,‖v‖1⩽λ}, where ‖v‖1 denotes the amount of non-zero elements of v. Finally, the CA sets the public parameters PP=⟨N,λ,s,σ,q,h,p1,p2,H1,H2⟩.
User key generation algorithm: The user with identity ID sets her/his private key SID=(s1,s2), which is randomly and uniformly chosen from {−d,…,0,…,d}N, where 1⩽d⩽31. Meanwhile, the user computes the associated public key PID=p1∗s1+p2∗s2.
Certificate extract algorithm: Upon receiving the identity ID and public key PID of a user, the CA computes TID = H1(ID,PID)∈zqN and generates the user’s certificate CID=(s3,s4) such that s3+h∗s4=TID and ‖(s3,s4)‖<s2N by running GauSample(B,s,(TID,0)) in Lemma 5. The CA returns the certificate CID=(s3,s4) to the user via a secure channel.
Sign algorithm: Given a message m∈{0,1}∗, the user with the private key SID=(s1,s2) and certificate CID=(s3,s4) randomly selects y1,y2,y3 and y4 from the distribution DσN, and computes the following values:
c=H2(m,p1∗y1,p2∗y2,y3+h∗y4);z1=y1+s1∗c;z2=y2+s2∗c;z3=y3+s3∗c;z4=y4+s4∗c,
where ‖(z1,z2,z3,z4)‖⩽2σ4N. If ‖(z1,z2,z3,z4)‖⩽2σ4N does not hold, the user reruns this algorithm. By (Lyubashevsky, 2012), there exists a constant M=O(1) such that the user can produce such a signature ρ=(z1,z2,z3,z4,c) with probability min(Dσ4N(z)/MDv,σ4N(z),1), where
z=[z1T‖z2T‖z3T‖z4T]T
and
v=[(s1∗c)T‖(s2∗c)T‖(s3∗c)T‖(s4∗c)T]T.
Verify algorithm: Given a signature ρ=(z1,z2,z3,z4,c), a message m and a user’s identity ID with public key PID, a verifier validates the signature by the equality
c=H2(m,p1∗z1+p2∗z2−PID∗c,z3+h∗z4−TID∗c).
If the equality holds, the algorithm returns “accept”. Otherwise, the algorithm returns “reject”. The correctness of the equality follows by
H2(m,p1∗z1+p2∗z2−PID∗c,z3+h∗z4−TID∗c)=H2(m,p1∗(y1+s1∗c)+p2∗(y2+s2∗c)−(p1∗s1+p2∗s2)∗c,y3+s3∗c+h∗(y4+s4∗c)−(s3+h∗s4)∗c)=H2(m,p1∗y1+p2∗y2,y3+h∗y4).
Security Analysis
According to the framework and adversary model of CBS schemes, the signing key of a user with identity ID include two components, namely, the private key SID and the associated certificate CID. By the EUF-CBS-ACMA game aforementioned in Definition 9, there are two kinds of adversaries, namely, Type I adversary (uncertified entity) and Type II adversary (honest-but-curious CA). Type I adversary is a general attacker without knowing the system private key SCA so that it did not compute the certificate of an attacking target entity. Type II adversary acts as the honest-but-curious CA so that it holds the system private key SCA, but does not know the private key of the attacking target entity.
The security analysis of the proposed CBS scheme is formally proved as follows. In Theorem 1, we prove that our CBS scheme from lattices is secure against Type I adversary (uncertified entity). Theorem 2 shows that the proposed CBS scheme is secure against Type II adversary (honest-but-curious CA).
Let two hash functionsH1andH2be random oracles controlled by a challenger in the EUF-CBS-ACMA game. If there exists a probabilistic polynomial-time (PPT) adversary A (Type I adversary, general attacker) with non-negligible probability who can break our CBS scheme over lattices, an algorithm C can be constructed to solve the SIS problem from lattices with non-negligible probability(1−2−ω(logN))ε, where N is the security parameter.
Assume that N, q and λ are, respectively, a security parameter, a large prime and a positive integer while setting two standard deviations s>00$]]> and σ>00$]]>. Assume that the algorithm C be a challenger in the EUF-CBS-ACMA game while receiving a random instance (q,2N,2λs2N+4σ2N) of the SIS problem. In the following, we demonstrate that the challenger C may obtain a non-zero vector solution (u1,u2)∈Rq2 of the SIS problem if the adversary A with non-negligible probability ε who can break our CBS scheme.
Setup. As the Setup algorithm in the proposed CBS scheme, C randomly chooses p1,p2∈ZqN and h∈Rq while controlling the random oracles H1 and H2. C sets the public parameters PP=⟨N,λ,s,σ,q,h,p1,p2,H1,H2⟩ and sends them to A. Initially, C constructs three empty lists L1, L2 and LS.
Queries. A may issue several queries to C adaptively as below:
H1query: Let L1 consist of tuples of the form ⟨IDi,PIDi,CIDi,TIDi⟩. For the query along with (IDi,PIDi), C returns a response to this query by the following procedures.
Search (IDi,PIDi) in L1. If the tuple is found, it means that this query has been already issued and the same answer TIDi is sent to A.
Otherwise, randomly select si3,si4∈DsN such that ‖(si3,si4)‖<s2N, and compute TIDi=si3+h∗si4. Finally, C adds ⟨IDi,PIDi,CIDi=(si3,si4),TIDi⟩ in L1 and sends TIDi to A.
H2query: Let L2 consist of tuples of the form ⟨mj,vj,wj,cj⟩. For the query along with (mj,vj,wj), C returns a response to this query by the following procedures.
Search (mj,vj,wj) in L2. If the tuple is found, it means that this query has been already issued and the same answer cj is sent to A.
Otherwise, randomly select cj∈ZqN. Finally, C adds ⟨mj,vj,wj,cj⟩ in L2 and sends cj to A.
User key generation query: Let LS consist of tuples of the form ⟨IDi,SIDi,PIDi⟩. For the query along with IDi, C returns a response to this query by the following procedures.
Search IDi in LS. If the tuple is found, it means that this query has been already issued and the same answer SIDi=(si1,si2) is sent to A.
Otherwise, randomly select si1,si2∈{−d,…,0,…,d}N, where 1⩽d⩽31, and compute the public key PIDi=(p1∗si1+p2∗si2) Finally, C adds ⟨IDi,SIDi,PIDi⟩ in LS and sends SIDi=(si1,si2) to A.
Certificate extract query: For the query along with (IDi,PIDi), C returns a response to this query by the following procedures.
Search (IDi,PIDi) in L1. If the tuple is found, it means that this query has been already issued and the same answer CIDi is sent to A.
Otherwise, issue the H1 query to obtain the tuple ⟨IDi,PIDi,CIDi,TIDi⟩ and return CIDi to A.
Corruption query: For the query along with IDi, C returns a response to this query by the following procedures.
Search IDi in LS. If the tuple is found, it means that this query has been already issued and the same answer SIDi is sent to A.
Otherwise, issue the User key generation query to obtain the tuple ⟨IDi,SIDi,PIDi⟩ and return SIDi to A.
Public key replacement query: A issues this query along with a new public key PIDi′ of IDi to replace the old public key PIDi, C replaces the PIDi of ⟨IDi,SIDi,PIDi⟩ in LS with PIDi′.
Sign query: For the query along with a message mj and (IDi,PIDi), the challenger C performs the following procedures to generate a valid signature.
Respectively search IDi in L1 and LS to get the tuples ⟨IDi,PIDi,CIDi,TIDi⟩ and ⟨IDi,SIDi,PIDi⟩
Randomly choose cj∈{v:v∈{−1,0,1}N,‖v‖1⩽λ} and z1,z2,z3, z4∈DσN such that ‖(z1,z2,z3, z4)‖⩽2σ4N, and compute vj = p1∗z1 + p2∗z2 - PIDi∗cj and wj = z3 + h∗z4 - TIDi∗cj.
Send the signature ρ=(z1,z2,z3, z4,cj) to A while adding ⟨mj,vj,wj,cj⟩ in L2. Note that the signature ρ is valid because the following equality holds:
cj=H2(mj,p1∗z1+p2∗z2−PIDi∗cj,z3+h∗z4−TIDi∗cj)=H2(mj,vj,wj)
Forgery. Finally, the adversary A generates a signature tuple (z1∗,z2∗,z3∗, z4∗,c∗) on some message m∗ for some ID∗.
Assume that A may generate a valid signature ρ∗ = (z1∗,z2∗,z3∗, z4∗,c∗). By the Forking lemma (Pointcheval and Stern, 2000), the challenger C can generate the other valid signature (z1′,z2′,z3′, z4′,c′) such that c∗≠c′ by the same random tape with different hash value of H2query. Because (z1∗,z2∗,z3∗, z4∗,c∗) and (z1′,z2′,z3′, z4′,c′) are two valid signatures on the message m∗ for (ID∗, PID∗), we can obtain the equality
H2(m∗,p1∗z1∗+p2∗z2∗−PID∗∗c∗,z3∗+h∗z4∗−TID∗∗c∗)=H2(m∗,p1∗z1′+p2∗z2′−PID∗∗c′,z3′+h∗z4′−TID∗∗c′),
which reduces to
z3∗+h∗z4∗−TID∗∗c∗=z3′+h∗z4′−TID∗∗c′.
Since TID∗=s3+h∗s4, we have
z3∗+h∗z4∗−(s3+h∗s4)∗c∗=z3′+h∗z4′−(s3+h∗s4)∗c′;z3∗−z3′−s3(c∗−c′)+h∗(z4∗−z4′−s4(c∗−c′))=0;(1,h)∗(z3∗−z3′−s3(c∗−c′),z4∗−z4′−s4(c∗−c′))=0.
Afterward, C sets (u1,u2)=(z3∗−z3′−s3(c∗−c′),z4∗−z4′−s4(c∗−c′)).
If we have ‖(z3∗−z3′,z4∗−z4′)‖⩽4σ2N and ‖(s3,s4)‖ ⩽ s2N with overwhelming probability, we can obtain ‖(u1,u2)‖⩽2λs2N + 4σ2N. As stated in Lemma 3, the distribution of h=g/f is statistically close to the uniform distribution of Rq (Stehle and Steinfeld, 2013). The SIS problem on NTRU lattice is to find a pair (u1,u2)∈Rq2 such that u1+h∗u2=0 and ‖(u1,u2)‖ ⩽ β, where β is 2λs2N + 4σ2N. According to the same probability analysis in Lyubashevsky (2012), since A can break our CBS scheme with non-negligible probability ε, we may construct the challenger C to solve the SIS problem with non-negligible probability(1−2−ω(logN))ε. □
Let two hash functionsH1andH2are random oracles controlled by a challenger in the EUF-CBS-ACMA game. If there exists an PPT adversary A (Type II adversary, honest-but-curious CA) with non-negligible probability ε who can break our CBS scheme from lattices, an algorithm C can be constructed to resolve the SIS problem from lattices with non-negligible probability(1−2−ω(logN))ε, where N is the security parameter.
Assume that N, q and λ are, respectively, a security parameter, a large prime and a positive integer while setting 1⩽d⩽31 and two standard deviations s>00$]]> and σ>00$]]>. Assume that the algorithm C be a challenger in the EUF-CBS-ACMA game while receiving a random instance (q,2N,2λd2N+4σ2N) of the SIS problem. In the following, we demonstrate that the challenger C may obtain a non-zero vector solution (u1,u2)∈Rq2 of the SIS problem if the adversary A with non-negligible probability ε who can break our CBS scheme.
Setup. As the Setup algorithm in the proposed CBS scheme, C sets the public parameters PP=⟨N,λ,s,σ,q,h,p1,p2,H1,H2⟩, where H1 and H2 are random oracles. C also produces a short trapdoor basis B of the lattice Λh,q, which is viewed as the system private key SCA. In the meantime, the system private key SCA and the public parameters PP=⟨N,λ,s,σ,q,h,p1,p2,H1,H2⟩ are sent to A. Initially, C constructs three empty lists L1, L2 and LS.
Queries. A may issue several queries to C adaptively as below:
H1query: Let L1 consist of tuples of the form ⟨IDi,PIDi,CIDi,TIDi⟩. For the query along with (IDi,PIDi), C returns a response to this query by the following procedures.
Search (IDi,PIDi) in L1. If the tuple is found, it means that this query has been already issued and the same answer TIDi is sent to A.
Otherwise, randomly select TIDi∈ZqN and perform GauSample(B,s,(TID,0)) to get si3,si4∈DsN such that ‖(si3,si4)‖<s2N. Finally, the challenger C adds ⟨IDi,PIDi,CIDi=(si3,si4),TIDi⟩ in L1 and sends TIDi to A.
H2query: As the response of H2 query in Theorem 1.
User key generation query: Let LS consist of tuples of the form ⟨IDi,SIDi,PIDi⟩. For the query along with IDi, C returns a response to this query by the following procedures.
Search IDi in LS. If the tuple is found, it means that this query has been already issued and the same answer SIDi=(si1,si2) is sent to A.
Otherwise, randomly select si1,si2∈{−d,…,0,…,d}N, where 1⩽d⩽31, and compute the public key PIDi=(p1∗si1+p2∗si2) Finally, C adds ⟨IDi,SIDi,PIDi⟩ in LS and sends SIDi=(si1,si2) to A.
Certificate extract query: As the response of User key generation query in Theorem 1.
Corruption query: As the response of User key generation query in Theorem 1.
Public key replacement query: A issues this query along with a new public key PIDi′ of IDi to replace the old public key PIDi, C replaces the PIDi of ⟨IDi,SIDi,PIDi⟩ in LS with PIDi′.
Sign query: As the response of User key generation query in Theorem 1.
Forgery. Finally, the adversary A generates a signature tuple (z1∗,z2∗,z3∗, z4∗,c∗) on some message m∗ for some ID∗.
Assume that A may generate a valid signature ρ∗=(z1∗,z2∗,z3∗, z4∗,c∗). By the Forking lemma (Pointcheval and Stern, 2000), the challenger C can generate the other valid signature (z1′,z2′,z3′,z4′,c′) such that c∗≠c′ by the same random tape with different hash value of H2query. Because (z1∗,z2∗,z3∗,z4∗,c∗) and (z1′,z2′,z3′,z4′,c′) are two valid signatures on the message m∗ for (ID∗, PID∗), we can obtain the equality
H2(m∗,p1∗z1∗+p2∗z2∗−PID∗∗c∗,z3∗+h∗z4∗−TID∗∗c∗)=H2(m∗,p1∗z1′+p2∗z2′−PID∗∗c′,z3′+h∗z4′−TID∗∗c′),
which reduces to
p1∗z1∗+p2∗z2∗−PID∗∗c∗=p1∗z1′+p2∗z2′−PID∗∗c′.
Since PIDi=p1∗si1+p2∗si2, we have
p1∗z1∗+p2∗z2∗−(p1∗si1+p2∗si2)∗c∗=p1∗z1′+p2∗z2′−(p1∗si1+p2∗si2)∗c′;p1∗(z1∗−z1′)+p2∗(z2∗−z2′)−p1∗si1(c∗−c′)−p2∗si2(c∗−c′)=0;p1∗(z1∗−z1′−si1(c∗−c′))+p2∗(z2∗−z2′−si2(c∗−c′))=0;(p1,p2)∗(z1∗−z1′−si1(c∗−c′),z2∗−z2′−si2(c∗−c′))=0.
Afterward, C sets (u1,u2)=(z1∗−z1′−si1(c∗−c′),z2∗−z2′−si2(c∗−c′)).
If we have ‖(z1∗−z1′,z2∗−z2′)‖⩽4σ2N and ‖(s1,s2)‖⩽2dλ2N with overwhelming probability, we can obtain ‖(u1,u2)‖⩽2dλ2N+4σ2N. As stated in Lemma 3, the distribution of h=g/f is statistically close to the uniform distribution of Rq (Stehle and Steinfeld, 2013). The SIS problem on NTRU lattice is to find a pair (u1,u2)∈Rq2 such that u1+h∗u2=0 and ‖(u1,u2)‖⩽beta, where β is 2dλ2N+4σ2N. According to the same probability analysis in Lyubashevsky (2012), since A can break our CBS scheme with non-negligible probability ε, we may construct the challenger C to solve the SIS problem with non-negligible probability (1−2−ω(logN))ε. □
Comparisons
Table 1 lists the comparisons between Tian and Huang’s CBS scheme (Tian and Huang, 2015) and our CBS scheme in terms of lattice type, private key size/bit-length and signature size/bit- length. For the generation of a user’s private key, Tian and Huang’s CBS scheme adopted the GPV lattice in Gentry et al. (2008), instead, our proposed CBS scheme employed Ducas et al.’s sampling algorithm over NTRU lattices (Ducas et al., 2014). For both the private key size and signature size under the same security parameters N=512, q≈226, k=512, λ=14 and d=31, our scheme is better than those of Tian and Huang’s CBS scheme. By Lyubashevsky (2012), we have n1>2Nlogq2N\log q$]]>, n2>64+Nlogq64+N\log q$]]>, s1=n1ω(logN), s2=n2ω(logN), σ1=12s1λn1, σ2=12s2λn2, s=N5/22qω(logN), σ=12sλN while choosing n1=38400 and n2=25600. According to Table 1, our scheme is much better than Tian and Huang’s CBS scheme in terms of private key and signature sizes.
Comparisons between Tian and Huang’s CBS scheme and ours.
Tian and Huang’s CBS scheme (Tian and Huang, 2015)
Our CBS scheme
Lattice type
GPV lattice
NTRU lattice
Private key size
2n1klog(s1n1)+2n2klog(s2n2)
4Nlog(sN)
Private key bit-length
595222811
85166
Signature size
n1log(12σ1)+n2log(12σ2)+λ(logk+1)
4Nlog(12σ)+λ(logN+1)
Signature bit-length
675496
87161
Conclusions
Lattice-based cryptography is an important candidate for post-quantum cryptography. In the paper, a new and efficient CBS scheme from lattices was proposed, which possesses the merits of both CBS scheme and lattice-based cryptography. Based on the SIS assumption from lattices and in the random oracle model, we formally demonstrated the security of our lattice-based CBS scheme against Type I adversary (general attackers) and Type II adversary (the honest-but-curious CA), namely, achieving existential unforgeability against adaptive chosen message attacks for both adversaries. Comparisons with the previous CBS schemes from lattices were given to demonstrate the merits of our proposed CBS scheme in terms of private key size and signature size.
ReferencesAjtai, M. (1996). Generating hard instances of lattice problems. In: Proceedings of STOC’96. ACM, pp. 99–108.Al-Riyami, S.S., Paterson, K.G. (2003). Certificateless public key cryptography. In: Proceedings of ASIACRYPT’03, LNCS, Vol. 2894, pp. 452–473.Bernstein, D.J. (2009). Introduction to post-quantum cryptography. In: Post-Quantum Cryptography. Springer-Verlag, Berlin, Germany, pp. 1–14.Boneh, D., Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: Proceedings of CRYPTO’01, LNCS, Vol. 2139, pp. 213–229.Ducas, L., Lyubashevsky, V., Prest, T. (2014). Efficient identity-based encryption over NTRU lattices. In: Proceedings of ASIACRYPT’14, LNCS, Vol. 8874, pp. 22–41.ElGamal, T. (1985). A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4), 469–472.Galindo, D., Morillo, P., Rafols, C. (2008). Improved certificate-based encryption in the standard model. Journal of Systems and Software, 81(7), 1218–1226.Gao, W., Wang, G., Wang, X., Chen, K. (2015). Generic construction of certificate-based encryption from certificateless encryption revisited. The Computer Journal, 58(10), 2747–2757.Gentry, C. (2003). Certificate-based encryption and the certificate revocation problem. In: Proceedings of EURORYPT’03, LNCS, Vol. 2656, pp. 272–293.Gentry, C., Peikert, C., Vaikuntanathan, V. (2008). How to use a short basis: trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of STOC’08. ACM, pp. 197–206.Goldreich, O., Goldwasser, S., Halevi, S. (1997). Public-key cryptosystems from lattice reduction problems. In: Proceedings of CRYPTO’97, LNCS, Vol. 1294, pp. 112–131.Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J., Whyte, W. (2003). Ntrusign: digital signatures using the ntru lattice. In: Proceedings of CT-RSA’03, LNCS, Vol. 2612, pp. 122–140.Hung, Y.H., Huang, S.S., Tseng, Y.M. (2016a). A short certificate-based signature scheme with provable security. Information Technology and Control, 45(3), 243–253.Hung, Y.H., Tseng, Y.M., Huang, S.S. (2016b). A revocable certificateless short signature scheme and its authentication application. Informatica, 27(3), 549–572.Hung, Y.H., Tseng, Y.M., Huang, S.S. (2017a). Revocable ID-based signature with short size over lattices. Security and Communication Networks. Article ID-7571201.Hung, Y.H., Tseng, Y.M., Huang, S.S. (2017b). Lattice-based revocable certificateless signature. Symmetry, 9. Article ID-242.Li, J., Huang, X., Mu, Y., Susilo, W., Wu, Q. (2007). Certificate-based signature: security model and efficient construction. In: Proceedings of EUROPKI’07, LNCS, Vol. 4582, pp. 110–125.Li, J., Huang, X., Zhang, Y., Xu, L. (2012). An efficient short certificate-based signature scheme. Journal of Systems and Software, 85(2), 314–322.Liu, Z.H., Hu, Y.P., Zhang, X.S., Li, F. (2013). Efficient and strongly unforgeable identity-based signature scheme over lattices in the standard model. Security and Communication Networks, 6(1), 69–77.Lu, Y., Li, J. (2014). Efficient certificate-based encryption scheme secure against key replacement attacks in the standard model. Journal of Information Science and Engineering, 30(5), 1553–1568.Lyubashevsky, V. (2009). Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Proceedings of ASIACRYPT’09, LNCS, Vol. 5912, pp. 598–616.Lyubashevsky, V. (2012). Lattice signatures without trapdoors. In: Proceedings of EUROCRYPT’12, LNCS, Vol. 7237, pp. 738–755.Micciancio, D., Regev, O. (2007). Worst-case to average-case reductions based on Gaussian measure. SIAM Journal on Computing, 37(1), 267–302.Pointcheval, D., Stern, J. (2000). Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13, 361–396.Rivest, R.L., Shamir, A., Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126.Ruckert, M. (2010). Strongly unforgeable signatures and hierarchical identity-based signatures over lattices without random oracles. In: Proceedings of PQC’10, LNCS, Vol. 6061, pp. 182–200.Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In: Proceedings of Crypto’84, LNCS, Vol. 196, pp. 47–53.Shor, P.W. (1997). Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5), 1484–1509.Stehle, D., Steinfeld, R. (2013). Making NTRUEnrypt and NTRUSign as Secure as Standard Worst-Case Problems over Ideal Lattices. Cryptology ePrint Archive, Report 2013/4. Available source file from http://eprint.iacr.org/2013/004.Tian, M., Huang, L. (2014). Efficient identity-based signature over lattices. In: Proceedings of SEC’14, IFIP, Vol. 428, pp. 321–329.Tian, M., Huang, L. (2015). Certificateless and certificate-based signatures from lattices. Security and Communication Networks, 8(8), 1575–1586.Tsai, T.T., Tseng, Y.M. (2015). Revocable certificateless public key encryption. IEEE Systems Journal, 9(3), 824–833.Tsai, T.T., Huang, S.S., Tseng, Y.M. (2017). SIBSC: separable identity-based signcryption for resource-constrained devices. Informatica, 28(1), 193–214.Tseng, Y.M., Tsai, T.T. (2012). Efficient revocable ID-based encryption with a public channel. The Computer Journal, 55(4), 475–486.Tseng, Y.M., Huang, S.S., Tsai, T.T., Ke, J.H. (2016). List-free ID-based mutual authentication and key agreement protocol for multi-server architectures. IEEE Transactions on Emerging Topics in Computing, 4(1), 102–122.Tseng, Y.M., Tsai, T.T., Huang, S.S., Huang, C.P. (2018). Identity-based encryption with cloud revocation authority and its applications. IEEE Transactions on Cloud Computing, 6(4), 1041–1053.Wu, W., Mu, Y., Susilo, W., Huang, X. (2009). Certificate-based signatures revisited. Journal of Universal Computer Science, 15(8), 1659–1684.Wu, J.D., Tseng, Y.M., Huang, S.S., Chou, W.C. (2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.Xiang, X. (2015). Adaptive secure revocable identity-based signature scheme over lattices. Computer Engineering, 41(10), 126–129.