An Efficient Identity-Based Forward Secure Signature Scheme from Lattices ()
1. Introduction
1.1. Background of This Study
The identity-based signature scheme (IBS) was first proposed by Shamir [1] in 1984 and is a public key encryption system. So far, most traditional identity-based signature schemes [2] - [7] have been proposed based on the bilinear or quadratic residual assumption.
Although the existing traditional identity-based signature schemes are very efficient and the types can basically meet the needs of most applications, such signature schemes have obvious security flaws. Shor [8] pointed out that the prime number decomposition and discrete logarithm problems based on traditional cryptography can be broken by quantum computers in polynomial time. This means that once quantum computers become a reality, the existing public key cryptography will be compromised and will no longer be secure. Ajtai [9] proved that the difficulty of the difficult problem on the lattice under the random instance is equivalent to the difficulty under the worst instance; in addition, the grid public key cryptographic algorithm is simple, efficient, and suitable for low-power devices. There are no effective algorithms, including quantum algorithms, which can solve difficult problems on the grid. In recent years, lattice-based cryptosystems have achieved fruitful results in applications such as digital signatures [10] [11] [12], hierarchical identity-based encryption schemes (HIBE) [13], and fully homomorphic encryption [14].
In 1997, Anderson et al. [15] first proposed the idea of forward secure signature, Bellare and Miner [16] further proposed more practical algorithms, and gave a formal definition of forward-secure digital signature and its security. More forward secure digital signature algorithms [17] [18] are proposed. However, there are few researches on identity-based forward security digital signature algorithms. Liu proposed the first identity-based forward secure digital signature algorithm in [19], however, he did not give a formal definition and formal security proof. Yu et al. gave the formal definition and security proof of an identity-based forward secure digital signature algorithm in literature [20], but the algorithm required a large number of bilinear pairing operations and was not suitable for mobile devices with limited computing power. Ebri [21] gave the general construction algorithm of forward secure digital signature algorithm based on identity, and simplified the definition of security. However, all of the above are based on the assumptions of difficult problems in traditional cryptography and cannot resist quantum computer attacks.
Zhang [22] proposed the first identity-based forward secure digital signature scheme (FSIBS), whose main idea is based on the layered identity-based signature scheme of Ruckert [23].
1.2. Contributions of This Article
In this paper, in the random oracle model, based on the assumption of small integers to solve difficult problems, we prove that our scheme is unforgeable against adaptive identity selection and selection message attacks. In addition, Zhang’s scheme uses the lattice proxy algorithm of literature [24] to update the signature key, keeping the dimensionality unchanged. In our research, we combine the trapdoor-free signature with the trapdoor base to realize the identity-based signature design that does not rely on the expansion of the lattice dimension, which will not bring large calculation, communication or storage overhead, and is more efficient. Our signature key size and signature size are much shorter. In this way, our scheme can be applied to post-quantum communication more efficiently.
1.3. The Structure of the Organization
The rest of this paper is arranged as follows: In the second section, we give the prerequisite knowledge to be used in this paper; in the third section, the formal definition and security model of our FSIBS scheme are given. In the fourth section, the algorithm description and security proof of our scheme are given. In the fifth section, the performance comparison of the scheme is given. Finally, we conclude our work in section 6.
2. Prerequisite Knowledge
2.1. Description of Related Symbols
For a positive integer n, use [n] to represent the set
. For any character string a and b, |a| represents the bit length of a, and a‖b represents the concatenation of two characters a and b, and
represents their exclusive OR operation.
2.2. Definitions and Tools Related to Cryptography
Definition 2.1 (Hash function) Hash function is a one-way function with compression characteristics. Its input is a string of arbitrary length, and its output is a string of fixed length, namely
. It is mainly used for message authentication and digital signature.
A common tool used in cryptography is: Random Oracle. At present, in the provable security discussion of many cryptographic algorithms, the hash function is regarded as a random oracle. This basic idea comes from the literature [25]. Fiat and Shamir [26] first transformed an identification algorithm into a signature algorithm under a random oracle model. Later, Bellare and Rogaway formally proposed a random oracle model in [27], and constructed a general proof framework for cryptographically provable security statements under the random oracle model.
2.3. Theoretical Basis of Lattice Cipher
Definition 2.2 (integer lattice), let
is an
-dimensional invertible matrix. It consists of m linearly independent vectors
. The m-dimensional integer lattice generated by matrix B is:
(1)
2.4. Discrete Gaussian Distribution
Definition 2.3 for any real parameter
as the center, the discrete Gaussian distribution density function of lattice
is defined as:
(2)
Let
, the discrete Gaussian distribution on Λ is defined as:
(3)
Lemma 2.1 (Properties of Discrete Gaussian Distribution on Lattice [11] [28] ). Let prime number
, integer
, T is a set of basis of lattice
, Gaussian parameter
. Then for any vector
, there are the following results:
1)
;
2) For a randomly selected matrix
, if
, then we have a statistical distribution of
close to the uniform distribution on
.
2.5. Difficult Questions on Grid
Definition 2.4 (Small integer solution problem) Let the parameters n and m be positive integers, q be prime numbers, and given a small real number
. A is a randomly selected matrix on
. The SIS problem is to find a short vector v on the lattice
, namely
, so that its norm satisfies
.
2.6. Basic Algorithm on Grid
Lemma 2.2 (TrapGen generation algorithm, TrapGen [29] ) There is a probability polynomial time algorithm TrapGen. The algorithm inputs integers
and
, and outputs a matrix
and a short basis
of lattice
in polynomial time. Make A statistically close to the uniform distribution
, and the short basis
satisfies
.
In 2008, scholars such as Gentry constructed the pre-image sampling function (PSF) in the literature [11]. This technology plays an important role in the construction of the lattice encryption algorithm.
Lemma 2.3 (Original image sampling algorithm) Let the integer
, q be a prime number, and
is a lattice defined by the matrix
. The matrix
is a short basis of the lattice
. If the parameter
, then there is a polynomial time algorithm
for all
. It can output a vector
drawn from a distribution statistically close to
.
According to Lemma 2.1, we know that an original image v corresponding to the vector
extracted by the original image sampling algorithm SamplePre will satisfy
with an overwhelming probability.
The above SamplePre algorithm is only for the case of a vector. In many cases, we need to calculate a pre-image with a smaller norm corresponding to a matrix. Therefore, we need to extend the algorithm to a more general situation. Here we refer to the definition of the general Gaussian distribution given by Tian [30].
Definition 2.5 (General Discrete Gaussian Distribution) Let the integer
, q be a prime number, and k is a positive integer, we define
, so that the matrix U satisfies the smaller norm. For any real number s > 0 and matrix
and
, define the distribution
.
According to Lemma 2.1, we know that a vector x randomly selected from the distribution
will satisfy
with an overwhelming probability. Therefore, it is not difficult to obtain that the matrix X randomly selected from the distribution
will also satisfy
with an overwhelming probability. If we can find an algorithm, it can output a matrix V for any input matrix U, so that
and the distribution statistics of matrix V are close to
, according to our analysis of the distribution
, this algorithm is the general pre-image sampling algorithm we require. This algorithm is recorded as the SampleMat algorithm.
Lemma 2.4 (General Original Image Sampling Algorithm) Let the integer
, q be a prime number, and k is a positive integer. Here we define
so that the matrix U satisfies the smaller norm.
is a lattice defined by matrix A, and matrix
is a short basis of lattice
. Parameter
, then for any matrix
, there is a polynomial time algorithm
, it can extract a matrix
from a distribution statistically close to
to satisfy
.
Definition 2.6 (Discrete normal distribution) Let the parameter
and the center
, then the continuous normal distribution in the space
is
. Let
. Define the discrete normal distribution with
as the center and
parameter in
as
. For the convenience of notation, we abbreviate
and
as
and
, respectively.
Literature [29] [31] on two basic properties of discrete normal distribution:
Lemma 2.5. For any real number
and integer
, we have:
1)
;
2)
;
Lemma 2.6. For any vector
and positive real number
, if
, we have:
More specifically, if
, then
In view of the complicated calculation of the sampling technique of Genntry et al. [11], Lyubashevsky [31] proposed a signature algorithm that does not require sampling operations on the grid. The technique used in this algorithm is called the non-sampling technique. At present, the non-sampling technology has gradually become an important technology of the social lattice signature scheme. Its core idea is to force the distribution of the output signature to be independent of the signature key
of the signer by outputting candidate signatures probabilistically.
This paper needs to use the general bifurcation lemma when proving the security of the signature scheme. Bellare and Neven [32] gave the following general bifurcation lemma.
Lemma 2.7 (General Bifurcation Lemma) Let q be a positive integer, and H is a set with
elements. Let
be a parameter generation algorithm, B is a random algorithm, the input of B is
, and the output is (J, σ), where
. Let the acceptance probability acc of Algorithm B be the probability of
in the experiment
.
3. Formal Definition and Security Model
This article first provides a formal definition of an identity-based forward secure digital signature algorithm. According to the literature [21], this paper also sets the time period to be associated with the signature private key information, which can be determined by each signing user, and the algorithm is more flexible. In order to set the initial signature private key, PKG needs to set the time period and the signer’s identity information in advance. The identity-based forward secure digital signature algorithm consists of the following five sub-algorithms:
FSIBSSetup: The key generation algorithm is a probabilistic polynomial time algorithm, the input is the security parameter κ, the output is the system master key msk, and the public parameter mpk;
FSIBSExtract: The identity-based key proposal algorithm is a probabilistic polynomial time algorithm. The input is the public parameter mpk, the master key msk, and the user’s identity information
, where
, ID is the user’s real identity, and T is the time period preset by the system. The output of the algorithm is the initial private key
corresponding to the identity information id, which is transmitted to the user through a secure channel.
FSIBSUpdate: The key update algorithm is a probabilistic polynomial time algorithm. The input is the current time i, the user’s identity information id, and the user’s private key at this moment
, and the output is the next time i + 1 private key
.
FSIBSSign: The signature algorithm is a probabilistic polynomial time algorithm. The input is the current time i, the user’s identity information id, and the user’s private key at this time
, the message M, the digital signature of the output message M sig.
FSIBSVerify: The verification algorithm is a deterministic algorithm. Input the user’s identity information id, time i, information M, and digital signature sig. If sig is valid, the algorithm output is 1, otherwise the output is 0.
The correctness of the scheme: If the signature sig is a valid signature of message M, then
.
The following introduces the security model of the identity-based forward secure digital signature algorithm. The FSIBS algorithm defined in this article is unforgeability in the case of adaptive identity selection and adaptive selection message attacks.
Setup: Challenger C sets the system public parameters mpk, and sends mpk to opponent F.
Queries: At this stage, opponent F makes the following queries:
UserKeyExt: Adversary F makes an inquiry about identity information
. Challenger C generates a signature private key for identity information id
, and sends it to opponent F;
Breaking oracle: When receiving an inquiry (id, j) from the opponent F. Where
,
, challenger C returns the signature private key at time j
to opponent F;
Signing oracle: When receiving an inquiry
from adversary F, using the signature private key at time i
, challenger C generates a digital signature sig about message M.
After each moment, the adversary F can choose to execute the signature query at the next moment, or execute the corresponding forgery.
Forgery phase: In this phase, after polynomial time, the adversary F ends the above-mentioned inquiry phase, and then uses the knowledge he has acquired to forge a signature of the user whose identity is
to the message
, the opponent F can win the game if and only if the following conditions are true:
1)
;
2) The adversary F has never asked about the identity
;
3) The opponent F has never signed
.
4. Description of Forward Secure Digital Signature Algorithm Based on Identity on Grid
In this section, we present the forward secure digital signature algorithm (FSIBS) based on the identity on the grid. Set the required parameters of the program: Prime number
, positive real number
, positive integer
, real number
, Gaussian parameter
and real number
. The system defines two secure hash functions
;
. Below we give an identity-based forward secure digital signature algorithm under the random oracle model:
FSIBSSetup: Based on the security parameter n, PKG runs the algorithm
to generate a matrix
, and a short basis
of the lattice
, and satisfy
. The system outputs public parameters
, and keeps the secret master key
.
FSIBSExtract: the received user’s identity information
, where ID is the user’s real identity, and T is the preset time period associated with the signature private key. PKG uses its own master key msk to generate the user’s original private key
.
1) Let
, calculate
;
2) PKG runs the algorithm
to generate
as the user’s original private key, and then secretly sends it to the user through a secure channel. According to the nature of the algorithm SampleMat, we know that the key
satisfies
and
.
FSIBSUpdate: Given
, where
, i is this moment.
is the signature private key of i − 1 at the previous moment, the user performs the following steps:
For i = 1 to T, the execution is as follows:
1) If i = 1, set
as the user’s original signature private key;
2) Calculate
,
as the public key at time i − 1.
3) Let
, calculate
.
4) Output
.
FSIBSSign: Given
, where
, i is the moment, M is the message to be signed, the user performs the following operations:
1) First choose a
;
2) Calculate
and
;
3) With the probability
, output the signature
. If there is no signature output, the algorithm is repeated until there is a signature output.
FSIBSVerify: Given
, enter the system’s public parameters mpk, message M, signature
, and identity
, if
and
, then output Accept.
Theorem 4.1 the identity-based forward secure digital signature scheme proposed in this section satisfies the correctness.
Proof: According to the construction of the above signature scheme, we know
So we have
. In addition, according to Lemma 2.6 of the unsampling technique, we know that the distribution of
is very close to
. Therefore, according to Lemma 2.5, we know that
will satisfy
with a probability of not less than
.
5. Proof of Safety
In this section, we mainly prove that under the random oracle model, the identity-based forward secure digital signature algorithm on the lattice can resist the unforgeability in the case of adaptive identity selection and adaptive selection message attacks.
Theorem 5.1 under the random oracle model, if the adversary F breaks the security of the identity-based forward secure digital signature scheme on the lattice with a non-negligible probability ε. Then there is an algorithm C to solve the SIS difficult problem with a non-negligible probability ε’.
Proof: Assuming that there is an opponent F that forges a digital signature with a non-negligible probability ε, below we construct an algorithm C to solve the SIS difficulty problem by running the opponent F as a subroutine and with a non-negligible probability ε’. Assume as follows:
1) For each time
, the adversary F adaptively performs a polynomial H1 query about the user’s identity.
2) When the adversary F performs the H1 query about the identity at time i, we assume that it has performed the H1 query before the time i.
When adversary F executes an inquiry about the user’s signature private key, we assume that it has executed the related H1 inquiry.
Setup: Algorithm C sets the corresponding public parameters, and sends the system public parameters
to the adversary F, and the secret master key
.
Attack Phase: First, algorithm C randomly guesses
as the forged signature of opponent F at this moment. Without loss of generality, suppose that the adversary F has made an H query about
before asking about the digital signature of
. C creates four lists,
, respectively, and the initial values of the four lists are all empty.
H1 query: For any
, C maintains a list of H1 queries
(where Qi represents the H1 hash function value of
. The initial value of the list is empty. Adversary F makes H1 query to
. If
is in the list, C will pass Qi as the result of responding to H1 query to opponent F. Otherwise, C randomly selects a
, sends Ri as the result of the response to the H1 query to the opponent F, and adds
to the list L1.
UserkeyExt: Adversary F randomly selects
, where Q is defined as the maximum number of queries about UserkeyExt. Algorithm C performs the following steps:
Adversary F makes H1 query on
, and C queries the list to find
,
. C runs the algorithm
to generate
as the user’s original private key, and then secretly sends it to the adversary F through a secure channel. And separately store
in list L2 for subsequent use.
If id is the
query, C terminates the operation.
Signing secret key queries: When the adversary F executes the enquiry about the signature private key of (id, i), C provides the adversary F with the signature private key at time i in the following manner
.
If id is not in the
query, the execution steps are as follows: For each time
, assume in advance that the H1 query about
before time i has been responded, where
. For each inquiry about the signature private key of
, C calculates
, let
. Calculate
, as the user signature private key at time i, the user public key at time i is specifically expressed as follows:
. Finally, C returns
to opponent F, and stores
to list L3.
If id is the
query, C executes as follows:
If
, then C chooses a random uniform matrix
to the opponent F.
If
, C runs the trapdoor generation algorithm
to generate a matrix
, and the corresponding trapdoor short base
. Then C returns
to opponent F, and finally C stores
, to list L3.
If
, then C executes the same steps as if id was not in the
query.
H query: For a different
, C first verifies whether it has been asked before, and if it has been asked, it returns the corresponding value. Otherwise, C queries the lists L_1 and L_3 to see if it can find
and
. If they can all be found, randomly select a vector
, and C runs the algorithm:
and
, C with probability
output the signature
to the opponent F. Store
to list L4. If none of them are found, C generates and stores the corresponding values in the lists L1 and L3 as before, and then continues with the above steps.
Sign queries: Adversary F makes a signature query about each information
, and C answers the query as follows:
If id is not in the
query, the steps are as follows: C query list L4 to see if
can be found, if it can be found in the list, C returns the digital signature sig of message M at time i. Otherwise, C queries lists L1 and L3 respectively to see if it can find
and
. If not found, C generates these values as before, and finally C runs the algorithm:
and
. C outputs the signature
to the opponent F with probability
. And store
to list L4.
If id is the
query, the execution steps are as follows: if
, then C generates the corresponding digital signature as before. Otherwise, C terminates the operation.
Breaking queries: The adversary asks about the signature private key of a specific identity and time (id, j). If id is not in the
query, C queries list L3 and provides the signature private key
at time j to opponent F. If id is the
query and
, then C terminates the operation.
Forgery Phase: At this stage, adversary F outputs identity
, time t*, message M*, signature sig*, and the forgery of adversary F is successful if and only if the following conditions are met simultaneously:
1)
;
2) The adversary F has never asked about the identity
;
3) Rival F has never signed
.
Once the adversary F outputs the forged digital signature, C performs the following steps:
First check whether
is the
query, and check whether
holds. If any of the conditions are not met, C terminates the operation.
The SIS problem that Algorithm C hopes to solve is to find a non-zero vector
that satisfies
so that
. C calls opponent F again and runs the above simulation process again. According to the general bifurcation lemma [32], the adversary F outputs a new forged digital signature
about the identity
and the message M* with a non-negligible probability. Make
, and
. Substituting
into the above formula, and combining similar terms, we can get:
According to the legality of the signature, we know that
,
. At the same time, according to the above simulation parameter generation process, we also know that
,
holds with overwhelming probability.
Obviously, if
, we get one of the above SIS problems solution. Therefore, we need to prove that the probability of
is not negligible.
Because
, there is
. In addition, according to the minimum entropy property of the original image given in the literature [32]. We know that there is a high probability that there is a signature private key
, so that in addition to the i-th column,
and
is exactly the same. And
.
Table 1. Scheme performance comparison.
Because
. Therefore, if
, then
must be true. In addition, we know that the signature keys
and
play exactly the same role in the simulation process. Therefore, the adversary F does not know which signature key algorithm C uses in the simulation process. Therefore,
, and we have completed the proof of the theorem.
Here we compare with the classic algorithm in literature [22] [23], in which literature [22] constructs the first identity-based forward secure digital signature algorithm on the grid. Literature [23] proposed the most famous lattice identity-based hierarchical identity signature algorithm so far. Define UPK as the size of the user’s public key, and USK as the size of the user’s private key. The bit length of the elements in
is expressed as
. In these algorithms, the master public key and the master private key are respectively
,
, and no more comparison between them. Table 1 shows the performance comparison between the programs.
According to the definition 2.5, we know that
, so the signature private key and signature length in our scheme are smaller than those in [22] [23]. In addition, the cumbersome Samplepre algorithm and lattice delegation technology used in the literature [22] require large calculation, communication, and storage costs, and are less efficient. Therefore, our program has certain advantages.
6. Conclusion
This paper combines Lyubashevsky [31] ’s trap-free signature and extended pre-image sampling function technology to design an efficient (FSIBS) scheme. Under the random oracle model, the hypothesis based on small integers to solve difficult problems proves that our scheme is unforgeable against adaptive selection identity and adaptive selection message attacks, without the cumbersome Samplepre algorithm and lattice delegation technology. Compared with the existing scheme, the signature private key and signature length are shorter, which has certain practicability. How to extend our program to the standard model is our next research goal.
Acknowledgements
The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of the paper. This work is supported by the National Natural Science Foundation of China (No. 6206070270).